# fleet

Hello - I'm new to fleetDM. I'm trying to retrieve different browser history, e.g. Chrome, Firefox, using ATC. To update the fleetDM agent, I believe I need to include these in the `config.yaml` https://fleetdm.com/docs/configuration/agent-configuration#auto-table-construction How should I test it before deploying to all machines? To deploy it, is it just running `fleetctl apply -f config.yaml`?
{
  "auto_table_construction": {
    "quarantine_items": {
      "query": "SELECT LSQuarantineEventIdentifier as id, LSQuarantineAgentName as agent_name, LSQuarantineAgentBundleIdentifier as agent_bundle_identifier, LSQuarantineTypeNumber as type, LSQuarantineDataURLString as data_url,LSQuarantineOriginURLString as origin_url, LSQuarantineSenderName as sender_name, LSQuarantineSenderAddress as sender_address, LSQuarantineTimeStamp as timestamp from LSQuarantineEvent",
      "path": "/Users/%/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2",
      "columns": [
        "id",
        "type",
        "agent_name",
        "agent_bundle_identifier",
        "timestamp",
        "sender_name",
        "sender_address",
        "origin_url",
        "data_url"
      ]
    },
    "chrome_browser_history": {
      "query": "SELECT urls.id id, urls.url url, urls.title title, urls.visit_count visit_count, urls.typed_count typed_count, urls.last_visit_time last_visit_time, urls.hidden hidden, visits.visit_time visit_time, visits.from_visit from_visit, visits.visit_duration visit_duration, visits.transition transition, visit_source.source source FROM urls JOIN visits ON urls.id = visits.url LEFT JOIN visit_source ON visits.id = visit_source.id",
      "path": "/Users/%/Library/Application Support/Google/Chrome/%/History",
      "columns": [
        "path",
        "id",
        "url",
        "title",
        "visit_count",
        "typed_count",
        "last_visit_time",
        "hidden",
        "visit_time",
        "visit_duration",
        "source"
      ],
      "platform": "darwin"
    },
    "chrome_login_keychain": {
      "query": "SELECT origin_url, action_url, username_value, password_element FROM logins",
      "path": "/Users/%/Library/Application Support/Google/Chrome/Default/Login Data",
      "columns": [
        "origin_url",
        "action_url",
        "username_value",
        "password_element"
      ],
      "platform": "darwin"
    },
    "firefox_browser_history": {
      "query": "SELECT id, url, rev_host as reverse_host, title, visit_count, typed, last_visit_date, url_hash, description, preview_image_url FROM moz_places ",
      "path": "/Users/%/Library/Application Support/Firefox/Profiles/%/places.sqlite",
      "columns": [
        "id",
        "url",
        "reverse_host",
        "title",
        "visit_count",
        "typed",
        "last_visit_date",
        "url_hash",
        "description",
        "preview_image_url"
      ],
      "platform": "darwin"
    },
    "brave_browser_history": {
      "query": "SELECT id, url, title, visit_count, typed_count, last_visit_time FROM urls ",
      "path": "/Users/%/Library/Application Support/BraveSoftware/Brave-Browser/Default/History",
      "columns": [
        "id",
        "url",
        "title",
        "visit_count",
        "typed_count",
        "last_visit_time"
      ],
      "platform": "darwin"
    }
  }
}

Hi @rylie! You can verify that your agent options are valid by using `fleetctl apply` with the `--dry-run` flag. This will report any error and do nothing if the configuration was valid. If you don't use the latest version of osquery, you can override validation using the `--force` flag. This will update agent options even if they are invalid. Does this help? https://fleetdm.com/docs/configuration/agent-configuration#auto-table-construction:~:text=%2D%2Ddry%2Drun,flag

Thanks @Rebecca Cowart, I had a look at this too. I also have questions: do I need to update ATC somewhere, or is that in the config in the `overrides` section?
I tried running `fleetctl apply -f config.yaml --dry-run` but I'm getting the following error:
Error: applying fleet config: PATCH /api/latest/fleet/config received status 400 Bad Request: unsupported key provided: "brave_browser_history"
`brave_browser_history` is the new entry that I'm trying to add

@rylie Could you please share your config file?

I used `fleetctl get config` to get the current config and added the `brave_browser_history`

@rylie Are you able to get any additional information by using the `--verbose` flag while running the command?
@rylie I just noticed that `brave_browser_history` is indented too far to the right, and this may be causing the key to think it is part of the `safari_browser_history`

Hi Rebecca, you're right! It was the indentation, tysm!!