https://github.com/osquery/osquery logo
Powered by
#kolide
Title
# kolide
s

Seán O'Halloran

03/09/2021, 5:53 PM
I’m trying to set up FIM and I’m wondering what are the different ways it can be scoped to hosts? In my current config I have it scoped to 
platforms: darwin
and this works, like so:
Copy code
overrides:
    platforms:
      darwin:
        exclude_paths:
          downloads:
            - /Users/%/Downloads/ignore/%%
        file_paths:
          downloads:
            - /Users/%/Downloads/%%
However I want to have another set of paths targeting CentOS. The centos platform definition doesn’t seem to work for whatever reason. Can you scope FIM any other way, such as by label?
t

terracatta

03/09/2021, 5:56 PM
Hey Sean you might be referring to Kolide Fleet. We've since retired it. Please see our announcement and rationale here: http://github.com/kolide/fleet A group of folks are continuing to develop fleet at #fleet
Our SaaS product does support FIM via a feature called the Log Pipeline. Here is a recent blog post about the FIM on Windows. https://blog.kolide.com/how-to-set-up-windows-file-integrity-monitoring-using-osquery-and-kolide-d5ac09db046b
s

Seán O'Halloran

03/09/2021, 6:00 PM
Ah thanks Jason!
t

terracatta

03/09/2021, 6:00 PM
One thing I'll add. If you want more dynamic options one thing you can do is actually write SQL queries as your file paths. In theory you could do more granular OS detection and change the paths accordingly.
4 Views
Powered by