Hi everyone. Is it possible to disable remote flag...
# fleet
r
Hi everyone. Is it possible to disable remote flagfile management that was introduced in 4.21.0? The reason I am asking is because we have `tls_client_cert` and `tls_client_key` set in our environment to enforce mTLS on all API calls the agent makes. However the paths to these certificate files need to change depending on if the host is MacOS or Windows. It doesn't appear to be possible to set multiple values for these config options because according to the docs `command_line_flags` does not support the `overrides` key.
k
Hey @Ryan Pesek! Command line flags are only set if you're using Orbit and have the `command_line_flags` key present in agent options. If you omit that key, you can continue to manage your flags manually and don't need to worry about Orbit overwriting the existing flags.
r
Ah ok that makes sense. Thank you for the quick help! On a side note, it might be best to not automatically add `command_line_flags: {}` to the agent configs when upgrading from older versions of Fleet. I didn't notice anything in the Changelog that this would be added and that it would wipe the existing config in the flagfiles we have deployed. Just my two cents.
One last question, will it be possible in future versions to use `command_line_flags` with `overrides`, or some other mechanism, to deploy different `command_line_flags` to different OSs?
Oh, so I think I just found a UI bug with `command_line_flags`. If I delete `command_line_flags: {}` using the UI, save the page, and then refresh, `command_line_flags: {} # requires Fleet's osquery installer` appears again. I can confirm using `fleetctl` that `command_line_flags: {}` is not present in the `agent_options` section. So I believe this is just a UI bug always wanting to render an empty command_line_flags key when it is empty. The bug is probably in this logic where it is trying to add the comment: https://github.com/fleetdm/fleet/blob/main/frontend/utilities/yaml/index.ts#L22-L38
k
Great feedback here, thank you! I'm going to take that feature request for overrides to the team and start some conversation about manually adding the empty set. My understanding is that if that doesn't have content, it shouldn't override existing flags so that may actually be the bug.
r
Thank you!