I’m trying to set up FIM and I’m wondering what ar...
# kolide
s
I’m trying to set up FIM and I’m wondering what are the different ways it can be scoped to hosts? In my current config I have it scoped to `platforms: darwin` and this works, like so:
overrides:
    platforms:
      darwin:
        exclude_paths:
          downloads:
            - /Users/%/Downloads/ignore/%%
        file_paths:
          downloads:
            - /Users/%/Downloads/%%
However I want to have another set of paths targeting CentOS. The centos platform definition doesn’t seem to work for whatever reason. Can you scope FIM any other way, such as by label?
t
Hey Sean, you might be referring to Kolide Fleet. We've since retired it. Please see our announcement and rationale here: http://github.com/kolide/fleet A group of folks are continuing to develop fleet at #fleet
Our SaaS product does support FIM via a feature called the Log Pipeline. Here is a recent blog post about FIM on Windows. https://blog.kolide.com/how-to-set-up-windows-file-integrity-monitoring-using-osquery-and-kolide-d5ac09db046b
s
Ah thanks Jason!
t
One thing I'll add. If you want more dynamic options, one thing you can do is actually write SQL queries as your file paths. In theory you could do more granular OS detection and change the paths accordingly.