Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
w
wennan.he
10/13/2022, 3:51 AMand one more question, if there is any duplicated cfg here to flag file of agent side, which cfg would work?
k
Keith Swagler
10/13/2022, 12:35 PMFYI file_events and events are configured in the flags, not the config file
Orbit can configure Flags remotely
and once you do have them configured you can check with the
osquery_flagsw
wennan.he
10/13/2022, 4:27 PM@Keith Swagler so i cannot config them here?
can i say all the options mentioned in https://osquery.readthedocs.io/en/stable/installation/cli-flags/#configuration-control-flags cannot be cfg through cfgfile but only by flags?
the reason i am asking is we want to enable the FIM and dont want to reploy agents, also we dont use orbit. that is what i am looking some way to.change it through cfg plugin.
k
Kathy Satterlee
10/13/2022, 4:55 PMCorrect, you cannot set command-line osquery flags through agent options. You'd need to modify those on the hosts. A common way to manage this is to use a flag file with osquery and then push changes using something like Chef or Puppet.
https://fleetdm.com/docs/using-fleet/adding-hosts#using-a-flag-file-to-manage-flags
w
wennan.he
10/13/2022, 5:15 PM@Kathy Satterlee anyone else than --disable_events=false, --enable_file_events=true, --disable_audit=false and --enable_ntfs_event_publisher=true i need to turn on if i want to enable FIM?
k
Kathy Satterlee
10/13/2022, 5:21 PMHere are the osquery docs for FIM, just so that you have everything in one place 🙂
https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/
But yes, those are the command-line flags that need to be set.
@wennan.he I’d like to apologize on this one... I saw that those options were called “CLI” flags in the osquery docs, but on further digging, it looks like they aren’t all CLI only flags. I pulled up the osquery help menu to get a definitive list and will get this added to the docs
osquery command line flags:
--flagfile PATH Line-delimited file of additional flags
--D Run as a daemon process
--S Run as a shell process
--alarm_timeout VALUE Seconds to allow for shutdown. Minimum is 10
--carver_block_size VALUE Size of blocks used for POSTing data back to remote endpoints
--carver_compression Compress archives using zstd prior to upload (default false)
--carver_continue_endpoint VALUE TLS/HTTPS endpoint that receives carved content after session creation
--carver_disable_function Disable the osquery file carver function (default true)
--carver_expiry VALUE Seconds to store successful carve result metadata (in carves table)
--carver_start_endpoint VALUE TLS/HTTPS init endpoint for forensic carver
--config_accelerated_refresh VALUE Interval to wait if reading a configuration fails
--config_check Check the format of an osquery config and exit
--config_dump Dump the contents of the configuration, then exit
--config_enable_backup Backup config and use it when refresh fails
--config_path VALUE Path to JSON config file
--config_plugin VALUE Config plugin name
--config_refresh VALUE Optional interval in seconds to re-read configuration
--config_tls_endpoint VALUE TLS/HTTPS endpoint for config retrieval
--config_tls_max_attempts VALUE Number of attempts to retry a TLS config request
--daemonize Attempt to daemonize (POSIX only)
--database_dump Dump the contents of the backing store
--database_path VALUE If using a disk-based backing store, specify a path
--disable_carver Disable the osquery file carver (default true)
--disable_enrollment Disable enrollment functions on related config/logger plugins
--disable_extensions Disable extension API
--disable_reenrollment Disable re-enrollment attempts if related plugins return invalid
--disable_tables VALUE Comma-delimited list of table names to be disabled
--disable_watchdog Disable userland watchdog process
--enable_extensions_watchdog Enable userland watchdog for extensions processes
--enable_tables VALUE Comma-delimited list of table names to be enabled
--enroll_always On startup, send a new enrollment request
--enroll_secret_env VALUE Name of environment variable holding enrollment-auth secret
--enroll_secret_path VALUE Path to an optional client enrollment-auth secret
--enroll_tls_endpoint VALUE TLS/HTTPS endpoint for client enrollment
--extensions_autoload VALUE Optional path to a list of autoloaded & managed extensions
--extensions_interval VALUE Seconds delay between connectivity checks
--extensions_require VALUE Comma-separated list of required extensions
--extensions_socket VALUE Path to the extensions UNIX domain socket
--extensions_timeout VALUE Seconds to wait for autoloaded extensions
--force Force osqueryd to kill previously-running daemons
--install Install osqueryd as a service
--logger_mode VALUE Octal mode for log files (default '0640')
--logger_plugin VALUE Logger plugin name
--logger_stderr Write status logs to stderr
--logtostderr Log messages to stderr in addition to the logger plugin(s)
--pidfile VALUE Path to the daemon pidfile mutex
--proxy_hostname VALUE Optional HTTP proxy hostname
--stderrthreshold VALUE Stderr log level threshold
--tls_client_cert VALUE Optional path to a TLS client-auth PEM certificate
--tls_client_key VALUE Optional path to a TLS client-auth PEM private key
--tls_enroll_max_attempts VALUE The total number of attempts that will be made to the enroll endpoint if a request fails, 0 for infinite
--tls_enroll_max_interval VALUE Maximum wait time in seconds between enroll retry attempts
--tls_hostname VALUE TLS/HTTPS hostname for Config, Logger, and Enroll plugins
--tls_server_certs VALUE Optional path to a TLS server PEM certificate(s) bundle
--tls_session_reuse Reuse TLS session sockets
--tls_session_timeout VALUE TLS session keep alive timeout in seconds
--uninstall Uninstall osqueryd as a service
--watchdog_delay VALUE Initial delay in seconds before watchdog starts
--watchdog_forced_shutdown_delay VALUE Seconds that the watchdog will wait to do a forced shutdown after a graceful shutdown request, when a resource limit is hit
--watchdog_latency_limit VALUE Override watchdog profile CPU utilization latency limit
--watchdog_level VALUE Performance limit level (0=normal, 1=restrictive, -1=off)
--watchdog_memory_limit VALUE Override watchdog profile memory limit (e.g., 300, for 300MB)
--watchdog_utilization_limit VALUE Override watchdog profile CPU utilization limitosquery configuration options (set by config or CLI flags):
--audit_allow_config Allow the audit publisher to change auditing configuration
--audit_allow_fim_events Allow the audit publisher to install filesystem-related rules
--audit_allow_process_events Allow the audit publisher to install process-related rules
--audit_allow_sockets Allow the audit publisher to install socket-related rules
--audit_allow_user_events Allow the audit publisher to install user-related rules
--augeas_lenses VALUE Directory that contains augeas lenses files
--aws_access_key_id VALUE AWS access key ID
--aws_debug Enable AWS SDK debug logging
--aws_enable_proxy Enable proxying of HTTP/HTTPS requests in AWS client config
--aws_firehose_endpoint VALUE Custom Firehose endpoint
--aws_firehose_period VALUE Seconds between flushing logs to Firehose (default 10)
--aws_firehose_stream VALUE Name of Firehose stream for logging
--aws_kinesis_disable_log_status Disable status logs processing
--aws_kinesis_endpoint VALUE Custom Kinesis endpoint
--aws_kinesis_period VALUE Seconds between flushing logs to Kinesis (default 10)
--aws_kinesis_random_partition_key Enable random kinesis partition keys
--aws_kinesis_stream VALUE Name of Kinesis stream for logging
--aws_profile_name VALUE AWS profile for authentication and region configuration
--aws_proxy_host VALUE Proxy host for use in AWS client config
--aws_proxy_password VALUE Proxy password for use in AWS client config
--aws_proxy_port VALUE Proxy port for use in AWS client config
--aws_proxy_scheme VALUE Proxy HTTP scheme for use in AWS client config (http or https, default https)
--aws_proxy_username VALUE Proxy username for use in AWS client config
--aws_region VALUE AWS region
--aws_secret_access_key VALUE AWS secret access key
--aws_session_token VALUE AWS STS session token
--aws_sts_arn_role VALUE AWS STS ARN role
--aws_sts_region VALUE AWS STS region
--aws_sts_session_name VALUE AWS STS session name
--aws_sts_timeout VALUE AWS STS assume role credential validity in seconds (default 3600)
--buffered_log_max VALUE Maximum number of logs in buffered output plugins (0 = unlimited)
--decorations_top_level Add decorators as top level JSON objects
--disable_audit Disable receiving events from the audit subsystem
--disable_caching Disable scheduled query caching
--disable_database Disable the persistent RocksDB storage
--disable_decorators Disable log result decoration
--disable_distributed Disable distributed queries (default true)
--disable_endpointsecurity Disable receiving events from the EndpointSecurity subsystem
--disable_endpointsecurity_fim Disable file events from the EndpointSecurity subsystem
--disable_events Disable osquery publish/subscribe system
--disable_hash_cache Cache calculated file hashes, re-calculate only if inode times change
--disable_logging Disable ERROR/INFO logging
--distributed_denylist_duration VALUE Seconds to denylist distributed queries (default 1 day)
--distributed_interval VALUE Seconds between polling for new queries (default 60)
--distributed_loginfo Log the running distributed queries name at INFO level
--distributed_plugin VALUE Distributed plugin name
--distributed_tls_max_attempts VALUE Number of times to attempt a request
--distributed_tls_read_endpoint VALUE TLS/HTTPS endpoint for distributed query retrieval
--distributed_tls_write_endpoint VALUE TLS/HTTPS endpoint for distributed query results
--docker_socket VALUE Docker UNIX domain socket path
--enable_file_events Enables the file_events publisher
--enable_foreign Enable no-op foreign virtual tables
--enable_keyboard_events Enable listening for keyboard events
--enable_mouse_events Enable listening for mouse events
--enable_numeric_monitoring Enable numeric monitoring system
--ephemeral Skip pidfile and database state checks
--es_fim_mute_path_literal VALUE Comma delimited list of path literals to be muted for FIM
--es_fim_mute_path_prefix VALUE Comma delimited list of path prefxes to be muted for FIM
--events_expiry VALUE Timeout to expire event subscriber results
--events_max VALUE Maximum number of event batches per type to buffer
--events_optimize Optimize subscriber select queries (scheduler only)
--extensions_default_index Enable INDEX on all extension table columns (default true)
--hash_cache_max VALUE Size of LRU file hash cache
--host_identifier VALUE Field used to identify the host running osquery (hostname, uuid, instance, ephemeral, specified)
--logger_event_type Log scheduled results as events
--logger_kafka_acks VALUE The number of acknowledgments the leader has to receive (0, 1, 'all')
--logger_kafka_brokers VALUE Bootstrap broker(s) as a comma-separated list of host or host:port (default port 9092)
--logger_kafka_compression VALUE Compression codec to use for compressing message sets ('none' or 'gzip')
--logger_kafka_topic VALUE Kafka topic to publish logs under
--logger_min_status VALUE Minimum level for status log recording
--logger_min_stderr VALUE Minimum level for statuses written to stderr
--logger_numerics Use numeric JSON syntax for numeric values
--logger_path VALUE Directory path for ERROR/WARN/INFO and results logging
--logger_rotate Use filesystem log rotation
--logger_rotate_max_files VALUE Max number of files to keep in rotation
--logger_rotate_size VALUE Size for each filesystem log in bytes
--logger_snapshot_event_type Log scheduled snapshot results as events
--logger_syslog_facility VALUE Syslog facility for status and results logs (0-23, default 19)
--logger_syslog_prepend_cee Prepend @cee: tag to logged JSON messages
--logger_tls_compress GZip compress TLS/HTTPS request body
--logger_tls_endpoint VALUE TLS/HTTPS endpoint for results logging
--logger_tls_max_lines VALUE Max number of logs to send per period
--logger_tls_max_linesize VALUE Max size in bytes allowed per log line
--logger_tls_period VALUE Seconds between flushing logs over TLS/HTTPS
--nullvalue VALUE Set string for NULL values, default ''
--numeric_monitoring_filesystem_path VALUE File to dump numeric monitoring records one per line. The format of the line is <PATH><TAB><VALUE><TAB><TIMESTAMP>.
--numeric_monitoring_plugins VALUE Comma separated numeric monitoring plugins names
--numeric_monitoring_pre_aggregation_time VALUE Time period in seconds for numeric monitoring pre-aggregation buffer.
--pack_delimiter VALUE Delimiter for pack and query names
--pack_refresh_interval VALUE Cache expiration for a packs discovery queries
--read_max VALUE Maximum file read size
--schedule_default_interval VALUE Query interval to use if none is provided
--schedule_epoch VALUE Epoch for scheduled queries
--schedule_lognames Log the running scheduled query name at INFO level
--schedule_max_drift VALUE Max time drift in seconds
--schedule_reload VALUE Interval in seconds to reload database arenas
--schedule_splay_percent VALUE Percent to splay config times
--schedule_timeout VALUE Limit the schedule to a duration in seconds, 0 for no limit
--specified_identifier VALUE Field used to specify the host_identifier when set to "specified"
--table_delay VALUE Add an optional microsecond delay between table scans
--table_exceptions Allow tables to throw exceptions
--thrift_string_size_limit VALUE Sets the maximum string size allowed in a thrift message, use 0 for unlimited
--thrift_timeout VALUE Timeout for thrift socket operations
--thrift_verbose Enable the thrift log handler
--tls_disable_status_log Disable sending status logs
--verbose Enable verbose informational messages
--worker_threads VALUE Number of work dispatch threads
--yara_delay VALUE Time in ms to sleep after scan of each file (default 50) to reduce memory spikesw
wennan.he
10/13/2022, 9:38 PMso you mean i can set them up in fleet ui?
like --disable_events=false, --enable_file_events=true, --disable_audit=false