# fleet
n
👋 Have a hopefully simple question for folks more knowledgeable than I am -- I have an ask to enable a couple features (--enable_file_events=true and --disable_audit=false) in osquery from our security team. Trying to understand if this is something that can be applied via MDM config profile for macOS/Windows clients (we use Jamf), or if this is something I can script and add to the launchdaemon? Little unfamiliar with the tool, so apologies for the odd ask, thanks
f
Most likely (more than likely?) you are using a config file to which you would add these arguments. Also possible but less likely, you are passing these config switches via CLI; in this case you would update that to include the switches.
n
Oh interesting - so this is something that's actually set from the fleet portal rather than applied to endpoints via MDM?
Currently I'm deploying a package and a PPPC profile for disk access, but that's it
Within Fleet, yes, you can configure here: https://fleet.yourdomain.com/settings/organization/agents. My environment has gone through so many iterations of osquery, Kolide, Fleet etc. that honestly I can't keep track of what is old and deprecated vs. current and preferred.
n
Huh okay let me follow up with them - I don't currently have access to our fleet portal. I'm assuming this is also where we'd specify paths to monitor file events for as well.