https://github.com/osquery/osquery logo
Powered by
Title
i

Ian Muscat

05/13/2021, 3:47 PM
Hey there, I’m running Fleet 3.11.0 and I’m trying to configure Fleet’s FIM options. I noticed that 
spec.config.exclude_paths
does not work, but 
spec.overrides.platforms.<platform>.exclude_paths
does work. This seems to be inconsistent with 
spec.config.file_paths
which seems to work as expected (outside of the 
overrides
block). Can anyone else replicate this behaviour, and if so, is this intended behaviour? Thanks!
z

zwass

05/13/2021, 3:49 PM
Perhaps it's a misunderstanding of how the overrides work? See https://github.com/fleetdm/fleet/blob/master/examples/config-many-files/config.yml#L21-L25. If there's anything in a matching overrides block then the values in the config block would be ignored.
i

Ian Muscat

05/13/2021, 4:09 PM
Actually my statement about the overrides block working was incorrect. I mis-typed 
rhel
🤦. Yep, I’m aware of how overrides work. I still can not get 
exclude_paths
to work though, both in overrides and in the global config. Just for the sake of clarity I’ve tried this config: 
spec:
  config: null
  overrides:
    platforms:
      rhel:
        options:
          disable_audit: false
          disable_events: false
          pack_delimiter: /
          logger_snapshot_event_type: true
        decorators:
          load:
            - select uuid as host_uuid from system_info;
            - select hostname as hostname from system_info;
        file_paths:
          tmp:
            - /tmp/%%
        exclude_paths:
          tmp:
            - /tmp/foo/%%
            - /tmp/tmp.%
The following (not using overrides) also doesn’t seem to work for me — i.e. file changes are still being shown in the 
file_events
table (even after manually restarting 
osqueryd
). 
spec:
  config:
    options:
        disable_audit: false
        disable_events: false
        pack_delimiter: /
        logger_snapshot_event_type: true
    decorators:
        load:
        - select uuid as host_uuid from system_info;
        - select hostname as hostname from system_info;
    file_paths:
        tmp:
        - /tmp/%%
    exclude_paths:
        tmp:
        - /tmp/foo/%%
        - /tmp/tmp.%
n

Noah Talerman

05/13/2021, 6:39 PM
@Ian Muscat for both configurations you’ve shared in this thread, are all other options being applied as expected? Is it only the 
exclude_paths
option that is not being applied?
z

zwass

05/13/2021, 6:43 PM
Can you turn on 
--verbose --tls_dump
for this host and verify the config that it receives from Fleet?
i

Ian Muscat

05/13/2021, 7:48 PM
are all other options being applied as expected
Yep, as far as I can tell. I’ll have a closer look tomorrow to make sure
Can you turn on 
--verbose --tls_dump
 for this host
I’m assuming you mean as part of the 
osqueryd
config, right? Will give this a shot, thanks for the tip!
z

zwass

05/13/2021, 8:13 PM
Yes, with osqueryd. This will let you see exactly what Fleet is sending and is almost always a helpful debugging step to isolate where the issues might be.
i

Ian Muscat

05/14/2021, 7:29 AM
Hmm, turning on 
--verbose --tls_dump
does show the config being delivered to the host, so maybe this is not a Fleet-related issue after all 🤔. Will have to keep digging, thanks for the help.
3 Views
#fleetJoin Slack
Powered by