01/30/2021, 12:59 AM
I really ^ want better control of options config. I want to be able to target options at labels, as well as platform, osquery version, kernel version. Why labels? To target different types of systems (e.g., prod vs stg; AWS vs Azure, workstation vs server) Why osquery version / kernel version? On Linux (< 4.18) or osquery < 4.16.0, enable process_events tables (and other audit options). On Linux 4.18+ & osquery 4.16.0+, enable bpf events in options and disable audit settings. Currently - this sort of thing just can't be done in fleet, so I have to work around it by not setting it at all through fleet and configuring through the flagfiles of systems. I'd much rather be able to control this through fleet!
👍 1


02/01/2021, 5:41 AM
Thanks for the background Brendan. I went ahead and set up an issue here: https://github.com/fleetdm/fleet/issues/255