# fleet
m
Hi Folks, I am new to Fleet and have it running on AWS using the instructions here - https://fleetdm.com/docs/deploy/deploy-fleet#aws. I have also enrolled a macOS host. I am looking for pointers on how to disable sending certain tables from my host to the server. `chrome_extensions` is one such example.
r
Hello! There is a `--disable_tables=table_name1,table_name2` flag that can be used that allows osquery to be launched without certain tables. https://osquery.readthedocs.io/en/latest/installation/cli-flags/
m
Thanks, Rebecca. Do these flags work with Orbit as well?
@Rebecca Cowart after referring to the documentation here - https://github.com/fleetdm/fleet/blob/5b88c7d7543b8decb309e34b357158ffdf5a70cb/docs/Configuration/agent-configuration.md I tried `fleetctl apply -f testdata/default.yml --dry-run` but am getting this error:

```
Error: applying fleet config: PATCH /api/latest/fleet/config received status 400 Bad Request: unsupported key provided: "disable_tables"
```

Here is my YAML file:

```yaml
apiVersion: v1
kind: config
spec:
  agent_options:
    overrides:
      platforms:
        darwin:
          options:
            disable_tables: chrome_extensions
```
r
Are you using the latest version of osquery? If not, I would suggest updating to the latest version. Otherwise, you could try using the `--force` flag to update agent options even if they are "invalid." The syntax of your YAML file looks correct to me.
m
Yes, I am using the latest version. The `--force` flag worked, but the `chrome_extensions` data is still being collected.

`./fleetctl api -X GET /api/v1/fleet/config`

```
"agent_options": {
    "overrides": {
      "platforms": {
        "macos": {
          "options": {
            "disable_tables": "chrome_extensions",
            "distributed_interval": 10
          }
        }
      }
    }
  },
```
I deleted and added the host back just to ensure there is no stale data.
r
That's interesting. What versions of Fleet, osquery, and mysql are you running?
m
Server version: 4.56.0, MySQL: 8.0.mysql_aurora.3.07.1, osquery_version: "5.13.1"
@Rebecca Cowart some more details on versions: Orbit: 1.34.0 Fleet Desktop: 1.34.0
r
Fleet version 4.56 requires MySQL 8.0.36, so I would suggest updating your MySQL version and see if the issue persists.
m
@Rebecca Cowart it is MySQL 8.0.36. I assume that the Terraform available on the Fleet GitHub would pick the correct version. Anyway, see the attached screenshot; it is indeed 8.0.36. Not sure why AWS shows it differently on different pages.
r
I'm looking into this issue for you and will get back to you soon.
m
Thank you
r
By chance, have you tried wrapping the table name in your YAML file inside of single quotes? That may not be necessary, but I'd like to rule out the simplest fixes I can think of before we move to more complex fixes.
m
It didn't help. It almost seems like there is a saved configuration that the server doesn't clean up. E.g. for this host I had a query

```sql
SELECT path, username, description FROM file CROSS JOIN users USING(uid) WHERE path = '/dev/console';
```

set to run every day. I deleted the host from the server and I cleaned up fleetd on the host using `sudo ./orbit/tools/cleanup/cleanup_macos.sh`. When I add the host back, the added query comes back. I was expecting that I would have to add the query back again since the host was cleaned up. Is the per-host config being saved in RDS?
r
It turns out the `--disable_tables` flag is command-line only! It can be implemented in your flagfile or via fleetd. Sorry for the issue, and thank you for bringing this to our attention!
m
Thanks. Can you point me to an example of how to do it?
r
I'm sorry, I wasn't clear about the fleetd option. You can still do this in your agent options by finding the `command_line_flags` key, and beneath that key, you can add your command-line specific flags, such as `disable_tables`.
We are in the midst of updating the docs to reflect this.
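As an added example (not part of the thread above and not taken from Fleet's documentation), here is the original poster's YAML rearranged the way Rebecca's last answer describes: the osquery command-line flag moves under `agent_options.command_line_flags`, while the per-platform `overrides` block keeps only config options. The file name and the assumption that `command_line_flags` sits directly under `agent_options` (rather than per platform) are mine, based on her answer.

```yaml
# Added example, not from the thread or from Fleet's own docs.
# Assumption: command-line flags are set once under
# agent_options.command_line_flags, whereas
# agent_options.overrides.platforms.<os>.options only accepts config
# options, which is why "disable_tables" was rejected there.
apiVersion: v1
kind: config
spec:
  agent_options:
    command_line_flags:
      # Same syntax as osquery's --disable_tables: a comma-separated list of
      # table names that osquery is launched without.
      disable_tables: chrome_extensions
    overrides:
      platforms:
        darwin:
          options:
            # A config option, so it stays here. Value taken from the
            # "GET /api/v1/fleet/config" output earlier in the thread.
            distributed_interval: 10
```

To apply it, run `fleetctl apply -f agent-options.yml` (the file name is assumed) and then confirm with `fleetctl api -X GET /api/v1/fleet/config` that `disable_tables` now appears under `command_line_flags` instead of under the darwin overrides. A simple end-to-end check is a live query such as `SELECT * FROM chrome_extensions LIMIT 1;` against the host: once osquery has restarted with the new flag, that query should fail because the table is no longer registered, rather than return rows.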