I think adding the User/Group in /etc/systemd/system/multi-user.target.wants/orbit.service under [Service] and ensuring correct ownership to /opt/orbit is the way to do it. Please let me know if there's a better way.
02/14/2023, 6:21 PM
I'm not an expert, but I don't think you'd get full visibility if osqueryd is not running as root.
02/14/2023, 7:01 PM
This sounds like a reasonable approach. Jason is correct that you won't get full visibility though.
Please join us in #fleet if you've got further questions 🙂
02/15/2023, 4:16 AM
Thanks both of you! I need a way for me to prevent osquery to be able to access some directories.