#fleet
Adrian Junge

11/23/2022, 2:10 PM
Hello everyone, is there any possible way to define policies in Fleet comparing e.g. running processes with a black- or whitelist, but without having to list every entry from the list manually in the specific query?
mikermcneil

11/23/2022, 5:06 PM
I'm not aware of a way of setting "variables" in the SQL per se (@Guillaume might have other ideas I'm not aware of. FYI @Mo Zhu). But one trick that comes to mind is you could create a table like 1und1_allowed_processes and then join against it. The table could just be a static list. That would let you manage it via osquery extension in code and use Fleet to deploy the latest extension whenever you make changes. That said, it's probably easier just to hard-code them into the query, and invest in making the format nice and some SQL comments.
Guillaume

11/23/2022, 5:07 PM
Yeah and keep in mind creating tables on osquery will work but they will not exist when osqueryd next restarts, so I would not recommend that.
mikermcneil

11/23/2022, 5:08 PM
Yeah and keep in mind creating tables on osquery will work but they will not exist when osqueryd next restarts,
Unless you create a custom osquery extension and add tables that way.
Adrian Junge

11/24/2022, 8:57 AM
Thanks for your answers!