#fleet
wennan.he

10/13/2022, 3:51 AM
And one more question: if there is any duplicated cfg here vs. the flag file on the agent side, which cfg would work?
Keith Swagler

10/13/2022, 12:35 PM
FYI file_events and events are configured in the flags, not the config file
12:36 PM
Orbit can configure Flags remotely
12:37 PM
and once you do have them configured you can check with the osquery_flags table and monitor those with a policy
wennan.he

10/13/2022, 4:27 PM
@Keith Swagler so I cannot config them here?
4:29 PM
Can I say all the options mentioned in https://osquery.readthedocs.io/en/stable/installation/cli-flags/#configuration-control-flags cannot be configured through the config file but only by flags?
4:32 PM
The reason I am asking is we want to enable FIM and don't want to redeploy agents; also, we don't use Orbit. That is why I am looking for some way to change it through the config plugin.
Kathy Satterlee

10/13/2022, 4:55 PM
Correct, you cannot set command-line osquery flags through agent options. You'd need to modify those on the hosts. A common way to manage this is to use a flag file with osquery and then push changes using something like Chef or Puppet. https://fleetdm.com/docs/using-fleet/adding-hosts#using-a-flag-file-to-manage-flags
wennan.he

10/13/2022, 5:15 PM
@Kathy Satterlee anything other than --disable_events=false, --enable_file_events=true, --disable_audit=false and --enable_ntfs_event_publisher=true that I need to turn on if I want to enable FIM?
Kathy Satterlee

10/13/2022, 5:21 PM
Here are the osquery docs for FIM, just so that you have everything in one place 🙂 https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/
5:21 PM
But yes, those are the command-line flags that need to be set.
9:33 PM
@wennan.he I’d like to apologize on this one... I saw that those options were called “CLI” flags in the osquery docs, but on further digging, it looks like they aren’t all CLI-only flags. I pulled up the osquery help menu to get a definitive list and will get this added to the docs.
9:34 PM
osquery command line flags:

    --flagfile PATH                                  Line-delimited file of additional flags
    --D                                              Run as a daemon process
    --S                                              Run as a shell process
    --alarm_timeout VALUE                            Seconds to allow for shutdown. Minimum is 10
    --carver_block_size VALUE                        Size of blocks used for POSTing data back to remote endpoints
    --carver_compression                             Compress archives using zstd prior to upload (default false)
    --carver_continue_endpoint VALUE                 TLS/HTTPS endpoint that receives carved content after session creation
    --carver_disable_function                        Disable the osquery file carver function (default true)
    --carver_expiry VALUE                            Seconds to store successful carve result metadata (in carves table)
    --carver_start_endpoint VALUE                    TLS/HTTPS init endpoint for forensic carver
    --config_accelerated_refresh VALUE               Interval to wait if reading a configuration fails
    --config_check                                   Check the format of an osquery config and exit
    --config_dump                                    Dump the contents of the configuration, then exit
    --config_enable_backup                           Backup config and use it when refresh fails
    --config_path VALUE                              Path to JSON config file
    --config_plugin VALUE                            Config plugin name
    --config_refresh VALUE                           Optional interval in seconds to re-read configuration
    --config_tls_endpoint VALUE                      TLS/HTTPS endpoint for config retrieval
    --config_tls_max_attempts VALUE                  Number of attempts to retry a TLS config request
    --daemonize                                      Attempt to daemonize (POSIX only)
    --database_dump                                  Dump the contents of the backing store
    --database_path VALUE                            If using a disk-based backing store, specify a path
    --disable_carver                                 Disable the osquery file carver (default true)
    --disable_enrollment                             Disable enrollment functions on related config/logger plugins
    --disable_extensions                             Disable extension API
    --disable_reenrollment                           Disable re-enrollment attempts if related plugins return invalid
    --disable_tables VALUE                           Comma-delimited list of table names to be disabled
    --disable_watchdog                               Disable userland watchdog process
    --enable_extensions_watchdog                     Enable userland watchdog for extensions processes
    --enable_tables VALUE                            Comma-delimited list of table names to be enabled
    --enroll_always                                  On startup, send a new enrollment request
    --enroll_secret_env VALUE                        Name of environment variable holding enrollment-auth secret
    --enroll_secret_path VALUE                       Path to an optional client enrollment-auth secret
    --enroll_tls_endpoint VALUE                      TLS/HTTPS endpoint for client enrollment
    --extensions_autoload VALUE                      Optional path to a list of autoloaded & managed extensions
    --extensions_interval VALUE                      Seconds delay between connectivity checks
    --extensions_require VALUE                       Comma-separated list of required extensions
    --extensions_socket VALUE                        Path to the extensions UNIX domain socket
    --extensions_timeout VALUE                       Seconds to wait for autoloaded extensions
    --force                                          Force osqueryd to kill previously-running daemons
    --install                                        Install osqueryd as a service
    --logger_mode VALUE                              Octal mode for log files (default '0640')
    --logger_plugin VALUE                            Logger plugin name
    --logger_stderr                                  Write status logs to stderr
    --logtostderr                                    Log messages to stderr in addition to the logger plugin(s)
    --pidfile VALUE                                  Path to the daemon pidfile mutex
    --proxy_hostname VALUE                           Optional HTTP proxy hostname
    --stderrthreshold VALUE                          Stderr log level threshold
    --tls_client_cert VALUE                          Optional path to a TLS client-auth PEM certificate
    --tls_client_key VALUE                           Optional path to a TLS client-auth PEM private key
    --tls_enroll_max_attempts VALUE                  The total number of attempts that will be made to the enroll endpoint if a request fails, 0 for infinite
    --tls_enroll_max_interval VALUE                  Maximum wait time in seconds between enroll retry attempts
    --tls_hostname VALUE                             TLS/HTTPS hostname for Config, Logger, and Enroll plugins
    --tls_server_certs VALUE                         Optional path to a TLS server PEM certificate(s) bundle
    --tls_session_reuse                              Reuse TLS session sockets
    --tls_session_timeout VALUE                      TLS session keep alive timeout in seconds
    --uninstall                                      Uninstall osqueryd as a service
    --watchdog_delay VALUE                           Initial delay in seconds before watchdog starts
    --watchdog_forced_shutdown_delay VALUE           Seconds that the watchdog will wait to do a forced shutdown after a graceful shutdown request, when a resource limit is hit
    --watchdog_latency_limit VALUE                   Override watchdog profile CPU utilization latency limit
    --watchdog_level VALUE                           Performance limit level (0=normal, 1=restrictive, -1=off)
    --watchdog_memory_limit VALUE                    Override watchdog profile memory limit (e.g., 300, for 300MB)
    --watchdog_utilization_limit VALUE               Override watchdog profile CPU utilization limit
9:34 PM
osquery configuration options (set by config or CLI flags):

    --audit_allow_config                             Allow the audit publisher to change auditing configuration
    --audit_allow_fim_events                         Allow the audit publisher to install filesystem-related rules
    --audit_allow_process_events                     Allow the audit publisher to install process-related rules
    --audit_allow_sockets                            Allow the audit publisher to install socket-related rules
    --audit_allow_user_events                        Allow the audit publisher to install user-related rules
    --augeas_lenses VALUE                            Directory that contains augeas lenses files
    --aws_access_key_id VALUE                        AWS access key ID
    --aws_debug                                      Enable AWS SDK debug logging
    --aws_enable_proxy                               Enable proxying of HTTP/HTTPS requests in AWS client config
    --aws_firehose_endpoint VALUE                    Custom Firehose endpoint
    --aws_firehose_period VALUE                      Seconds between flushing logs to Firehose (default 10)
    --aws_firehose_stream VALUE                      Name of Firehose stream for logging
    --aws_kinesis_disable_log_status                 Disable status logs processing
    --aws_kinesis_endpoint VALUE                     Custom Kinesis endpoint
    --aws_kinesis_period VALUE                       Seconds between flushing logs to Kinesis (default 10)
    --aws_kinesis_random_partition_key               Enable random kinesis partition keys
    --aws_kinesis_stream VALUE                       Name of Kinesis stream for logging
    --aws_profile_name VALUE                         AWS profile for authentication and region configuration
    --aws_proxy_host VALUE                           Proxy host for use in AWS client config
    --aws_proxy_password VALUE                       Proxy password for use in AWS client config
    --aws_proxy_port VALUE                           Proxy port for use in AWS client config
    --aws_proxy_scheme VALUE                         Proxy HTTP scheme for use in AWS client config (http or https, default https)
    --aws_proxy_username VALUE                       Proxy username for use in AWS client config
    --aws_region VALUE                               AWS region
    --aws_secret_access_key VALUE                    AWS secret access key
    --aws_session_token VALUE                        AWS STS session token
    --aws_sts_arn_role VALUE                         AWS STS ARN role
    --aws_sts_region VALUE                           AWS STS region
    --aws_sts_session_name VALUE                     AWS STS session name
    --aws_sts_timeout VALUE                          AWS STS assume role credential validity in seconds (default 3600)
    --buffered_log_max VALUE                         Maximum number of logs in buffered output plugins (0 = unlimited)
    --decorations_top_level                          Add decorators as top level JSON objects
    --disable_audit                                  Disable receiving events from the audit subsystem
    --disable_caching                                Disable scheduled query caching
    --disable_database                               Disable the persistent RocksDB storage
    --disable_decorators                             Disable log result decoration
    --disable_distributed                            Disable distributed queries (default true)
    --disable_endpointsecurity                       Disable receiving events from the EndpointSecurity subsystem
    --disable_endpointsecurity_fim                   Disable file events from the EndpointSecurity subsystem
    --disable_events                                 Disable osquery publish/subscribe system
    --disable_hash_cache                             Cache calculated file hashes, re-calculate only if inode times change
    --disable_logging                                Disable ERROR/INFO logging
    --distributed_denylist_duration VALUE            Seconds to denylist distributed queries (default 1 day)
    --distributed_interval VALUE                     Seconds between polling for new queries (default 60)
    --distributed_loginfo                            Log the running distributed queries name at INFO level
    --distributed_plugin VALUE                       Distributed plugin name
    --distributed_tls_max_attempts VALUE             Number of times to attempt a request
    --distributed_tls_read_endpoint VALUE            TLS/HTTPS endpoint for distributed query retrieval
    --distributed_tls_write_endpoint VALUE           TLS/HTTPS endpoint for distributed query results
    --docker_socket VALUE                            Docker UNIX domain socket path
    --enable_file_events                             Enables the file_events publisher
    --enable_foreign                                 Enable no-op foreign virtual tables
    --enable_keyboard_events                         Enable listening for keyboard events
    --enable_mouse_events                            Enable listening for mouse events
    --enable_numeric_monitoring                      Enable numeric monitoring system
    --ephemeral                                      Skip pidfile and database state checks
    --es_fim_mute_path_literal VALUE                 Comma delimited list of path literals to be muted for FIM
    --es_fim_mute_path_prefix VALUE                  Comma delimited list of path prefxes to be muted for FIM
    --events_expiry VALUE                            Timeout to expire event subscriber results
    --events_max VALUE                               Maximum number of event batches per type to buffer
    --events_optimize                                Optimize subscriber select queries (scheduler only)
    --extensions_default_index                       Enable INDEX on all extension table columns (default true)
    --hash_cache_max VALUE                           Size of LRU file hash cache
    --host_identifier VALUE                          Field used to identify the host running osquery (hostname, uuid, instance, ephemeral, specified)
    --logger_event_type                              Log scheduled results as events
    --logger_kafka_acks VALUE                        The number of acknowledgments the leader has to receive (0, 1, 'all')
    --logger_kafka_brokers VALUE                     Bootstrap broker(s) as a comma-separated list of host or host:port (default port 9092)
    --logger_kafka_compression VALUE                 Compression codec to use for compressing message sets ('none' or 'gzip')
    --logger_kafka_topic VALUE                       Kafka topic to publish logs under
    --logger_min_status VALUE                        Minimum level for status log recording
    --logger_min_stderr VALUE                        Minimum level for statuses written to stderr
    --logger_numerics                                Use numeric JSON syntax for numeric values
    --logger_path VALUE                              Directory path for ERROR/WARN/INFO and results logging
    --logger_rotate                                  Use filesystem log rotation
    --logger_rotate_max_files VALUE                  Max number of files to keep in rotation
    --logger_rotate_size VALUE                       Size for each filesystem log in bytes
    --logger_snapshot_event_type                     Log scheduled snapshot results as events
    --logger_syslog_facility VALUE                   Syslog facility for status and results logs (0-23, default 19)
    --logger_syslog_prepend_cee                      Prepend @cee: tag to logged JSON messages
    --logger_tls_compress                            GZip compress TLS/HTTPS request body
    --logger_tls_endpoint VALUE                      TLS/HTTPS endpoint for results logging
    --logger_tls_max_lines VALUE                     Max number of logs to send per period
    --logger_tls_max_linesize VALUE                  Max size in bytes allowed per log line
    --logger_tls_period VALUE                        Seconds between flushing logs over TLS/HTTPS
    --nullvalue VALUE                                Set string for NULL values, default ''
    --numeric_monitoring_filesystem_path VALUE       File to dump numeric monitoring records one per line. The format of the line is <PATH><TAB><VALUE><TAB><TIMESTAMP>.
    --numeric_monitoring_plugins VALUE               Comma separated numeric monitoring plugins names
    --numeric_monitoring_pre_aggregation_time VALUE  Time period in seconds for numeric monitoring pre-aggregation buffer.
    --pack_delimiter VALUE                           Delimiter for pack and query names
    --pack_refresh_interval VALUE                    Cache expiration for a packs discovery queries
    --read_max VALUE                                 Maximum file read size
    --schedule_default_interval VALUE                Query interval to use if none is provided
    --schedule_epoch VALUE                           Epoch for scheduled queries
    --schedule_lognames                              Log the running scheduled query name at INFO level
    --schedule_max_drift VALUE                       Max time drift in seconds
    --schedule_reload VALUE                          Interval in seconds to reload database arenas
    --schedule_splay_percent VALUE                   Percent to splay config times
    --schedule_timeout VALUE                         Limit the schedule to a duration in seconds, 0 for no limit
    --specified_identifier VALUE                     Field used to specify the host_identifier when set to "specified"
    --table_delay VALUE                              Add an optional microsecond delay between table scans
    --table_exceptions                               Allow tables to throw exceptions
    --thrift_string_size_limit VALUE                 Sets the maximum string size allowed in a thrift message, use 0 for unlimited
    --thrift_timeout VALUE                           Timeout for thrift socket operations
    --thrift_verbose                                 Enable the thrift log handler
    --tls_disable_status_log                         Disable sending status logs
    --verbose                                        Enable verbose informational messages
    --worker_threads VALUE                           Number of work dispatch threads
    --yara_delay VALUE                               Time in ms to sleep after scan of each file (default 50) to reduce memory spikes
wennan.he

10/13/2022, 9:38 PM
So you mean I can set them up in the Fleet UI?
9:39 PM
Like --disable_events=false, --enable_file_events=true, --disable_audit=false?