#fleet

Ted Dorosheff

11/23/2021, 1:35 PM
Hey all, I need some help with my agent settings YAML config in fleetdm. We've got the majority of our deployment currently pushed out to Linux servers, so in the agent settings we're using the override section to configure the population of Windows servers/endpoints, which is currently much smaller. Not sure if this is a fundamentally incorrect way to do this. I've sort of inherited management of agent config for our osquery deployment. This is my first time working with YAML extensively and first time with fleetdm. When I submit the config in the YAML editor, the config gets changed. I'm curious if the change is:

a) intended by the editor, sort of like error correcting, with the fix implemented and I need only click submit again;
b) also intended, but showing me where the error I need to fix is, like traditional config error output;
c) unintentional and some kind of bug?

Those questions are merely a curiosity of mine, and what I really need is to just get this config to work. Thanks in advance! Here is the YAML config before I hit submit.
config:
  options:
    events_expiry: 60
    config_refresh: 600
    host_identifier: instance
    distributed_interval: 60
  decorators:
    load:
      - SELECT COALESCE((select instance_id FROM ec2_instance_metadata), hostname) as hostname FROM system_info;
  file_paths:
    etc:
      - /etc/group
      - /etc/passwd
      - /etc/shadow
      - /etc/services
      - /etc/sudoers
      - /etc/ld.so.preload
      - /etc/ld.so.conf
      - /etc/ld.so.conf.d/%%
      - /etc/pam.d/%%
      - /etc/resolv.conf
      - /etc/modules
      - /etc/hosts
      - /etc/hostname
      - /etc/fstab
      - /etc/rsyslog.conf
    ssh:
      - /root/.ssh/%%
      - /home/%/.ssh/%%
      - /etc/ssh/%%
      - /var/lib/sia/keys/
      - /var/lib/sia/certs/
    logs:
      - /var/log/secure
    docker:
      - /etc/docker/%%
      - /etc/default/docker
      - /etc/docker/daemon.json
      - /usr/bin/containerd
      - /usr/sbin/runc
      - /etc/sysconfig/docker
      - /usr/lib/systemd/system/docker.service
      - /usr/lib/systemd/system/docker.socket
    osquery:
      - /etc/osquery/%%
      - /usr/share/osquery/packs/%%
    firewalls:
      - /etc/sysconfig/iptables
      - /home/y/conf/yakl/%%
      - /etc/yakl/conf/%%
overrides:
  platforms:
    windows:
      options:
        events_expiry: 60
        config_refresh: 600
        host_identifier: instance
        distributed_interval: 60
      decorators:
        load:
          - SELECT COALESCE((select instance_id FROM ec2_instance_metadata), hostname) as hostname FROM system_info;
      file_paths:
        users:
          - C:\users\AppData\Roaming
          - C:\users\AppData\Local
          - C:\users\AppData\Local\temp
          - C:\users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
          - C:\users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
          - C:\Users\Default
        windows:
          - C:\Windows
          - C:\Windows\temp
          - C:\Windows\system32\Drivers
          - C:\Windows\SysWOW64\Drivers
          - C:\Windows\system32\GroupPolicy\Machine\Scripts
          - C:\Windows\system32\GroupPolicy\User\Scripts
          - C:\Windows\system32\Wbem
          - C:\Windows\SysWOW64\Wbem
          - C:\Windows\system32\WindowsPowerShell
          - C:\Windows\SysWOW64\WindowsPowerShell
          - C:\Windows\Tasks
          - C:\Windows\system32\Tasks
          - C:\Windows\AppPatch\Custom%
        ProgramData:
          - C:\ProgramData\Microsoft\Windows\Start Menu
          - C:\ProgramData\Microsoft\Windows\Start Menu\Programs
      exclude_paths:
        windows:
          - C:\Windows\system32\DriverStore\Temp\%
          - C:\Windows\system32\wbem\Performance%
          - C:\$WINDOWS.~BT\Sources\%
          - C:\Windows\Installer\%
          - C:\Windows\System32\Tasks\Adobe Acrobat Update Task%
          - C:\Windows\System32\Tasks\Adobe Flash Player Updater%
          - C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask%
And then after I hit submit, this is what the editor shows me:
config:
  options:
    events_expiry: 60
    config_refresh: 600
    host_identifier: instance
    distributed_interval: 60
  decorators:
    load:
      - >-
        SELECT COALESCE((select instance_id FROM ec2_instance_metadata),
        hostname) as hostname FROM system_info;
  file_paths:
    etc:
      - /etc/group
      - /etc/passwd
      - /etc/shadow
      - /etc/services
      - /etc/sudoers
      - /etc/ld.so.preload
      - /etc/ld.so.conf
      - /etc/ld.so.conf.d/%%
      - /etc/pam.d/%%
      - /etc/resolv.conf
      - /etc/modules
      - /etc/hosts
      - /etc/hostname
      - /etc/fstab
      - /etc/rsyslog.conf
    ssh:
      - /root/.ssh/%%
      - /home/%/.ssh/%%
      - /etc/ssh/%%
      - /var/lib/sia/keys/
      - /var/lib/sia/certs/
    logs:
      - /var/log/secure
    docker:
      - /etc/docker/%%
      - /etc/default/docker
      - /etc/docker/daemon.json
      - /usr/bin/containerd
      - /usr/sbin/runc
      - /etc/sysconfig/docker
      - /usr/lib/systemd/system/docker.service
      - /usr/lib/systemd/system/docker.socket
    osquery:
      - /etc/osquery/%%
      - /usr/share/osquery/packs/%%
    firewalls:
      - /etc/sysconfig/iptables
      - /home/y/conf/yakl/%%
      - /etc/yakl/conf/%%
overrides:
  platforms:
    windows:
      options:
        events_expiry: 60
        config_refresh: 600
        host_identifier: instance
        distributed_interval: 60
      decorators:
        load:
          - >-
            SELECT COALESCE((select instance_id FROM ec2_instance_metadata),
            hostname) as hostname FROM system_info;
      file_paths:
        users:
          - 'C:\users\AppData\Roaming'
          - 'C:\users\AppData\Local'
          - 'C:\users\AppData\Local\temp'
          - >-
            C:\users\AppData\Roaming\Microsoft\Windows\Start
            Menu\Programs\Startup
          - 'C:\users\AppData\Roaming\Microsoft\Windows\Start Menu\Programs'
          - 'C:\Users\Default'
        windows:
          - 'C:\Windows'
          - 'C:\Windows\temp'
          - 'C:\Windows\system32\Drivers'
          - 'C:\Windows\SysWOW64\Drivers'
          - 'C:\Windows\system32\GroupPolicy\Machine\Scripts'
          - 'C:\Windows\system32\GroupPolicy\User\Scripts'
          - 'C:\Windows\system32\Wbem'
          - 'C:\Windows\SysWOW64\Wbem'
          - 'C:\Windows\system32\WindowsPowerShell'
          - 'C:\Windows\SysWOW64\WindowsPowerShell'
          - 'C:\Windows\Tasks'
          - 'C:\Windows\system32\Tasks'
          - 'C:\Windows\AppPatch\Custom%'
        ProgramData:
          - 'C:\ProgramData\Microsoft\Windows\Start Menu'
          - 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs'
      exclude_paths:
        windows:
          - 'C:\Windows\system32\DriverStore\Temp\%'
          - 'C:\Windows\system32\wbem\Performance%'
          - 'C:\$WINDOWS.~BT\Sources\%'
          - 'C:\Windows\Installer\%'
          - 'C:\Windows\System32\Tasks\Adobe Acrobat Update Task%'
          - 'C:\Windows\System32\Tasks\Adobe Flash Player Updater%'
          - >-
            C:\Windows\System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask%
Mystery Incorporated

11/24/2021, 4:13 AM
Yeah, it does change the formatting when you save it. You'll get an error if it doesn't parse correctly. I am doing the same as you, using the global config with platform-based config; I think this is the only way to do it unless you upgrade to the paid version and use teams. The teams feature allows you to set config per team, I believe.

Ted Dorosheff

11/24/2021, 11:44 AM
So the way that the config gets changed (the indents on lines 71 and 102, and all the single quotes around the Windows paths, but not around the Linux paths): none of those changes will affect Kolide and break the config? I didn't get any error message when I updated it, only "successfully updated" or something to that effect, I believe. That being the case, are you saying my config is working correctly? Or at least as far as you can tell from the code I posted?
Mystery Incorporated

11/29/2021, 11:21 PM
If it changed it and it parses without error, it should be fine. But you'll know something is up if you are not seeing responses with those decorator queries. Just look at your responses; if they have the decorators, you're good.