#kolide
Seán O'Halloran
03/09/2021, 5:53 PM
I’m trying to set up FIM and I’m wondering what are the different ways it can be scoped to hosts? In my current config I have it scoped to
platforms: darwin
and this works, like so:
overrides:
    platforms:
      darwin:
        exclude_paths:
          downloads:
            - /Users/%/Downloads/ignore/%%
        file_paths:
          downloads:
            - /Users/%/Downloads/%%
However I want to have another set of paths targeting CentOS. The centos platform definition doesn’t seem to work for whatever reason. Can you scope FIM any other way, such as by label?
terracatta
03/09/2021, 5:56 PM
Hey Sean, you might be referring to Kolide Fleet. We've since retired it. Please see our announcement and rationale here: http://github.com/kolide/fleet. A group of folks are continuing to develop fleet at #fleet
5:57 PM
Our SaaS product does support FIM via a feature called the Log Pipeline. Here is a recent blog post about the FIM on Windows. https://blog.kolide.com/how-to-set-up-windows-file-integrity-monitoring-using-osquery-and-kolide-d5ac09db046b
Seán O'Halloran
03/09/2021, 6:00 PM
Ah thanks Jason!
terracatta
03/09/2021, 6:00 PM
One thing I'll add. If you want more dynamic options, one thing you can do is actually write SQL queries as your file paths. In theory you could do more granular OS detection and change the paths accordingly.