Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
r
Rafa
02/15/2023, 4:17 PMHello! I would like to setup Mac (darwin) File Integrity Monitoring and because of that I changed the Agent options in fleet to this:
config:
options:
pack_delimiter: /
logger_tls_period: 10
distributed_plugin: tls
disable_distributed: false
logger_tls_endpoint: /api/osquery/log
distributed_interval: 10
distributed_tls_max_attempts: 3
decorators:
load:
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
overrides:
platforms:
darwin:
options:
disable_audit: false
disable_events: false
file_paths:
etc:
- /etc/%%
homes:
- /Volumes/%%
users:
- /Users/%/Library/%%
- /Users/%/Documents/%%
command_line_flags: {} # requires Fleet's osquery installerBut the query
SELECT action, DATETIME(time, 'unixepoch') AS datetime, vendor, mounts.path FROM disk_events LEFT JOIN mounts ON mounts.device = disk_events.device;c
charles
02/16/2023, 1:56 AMyou might wanna check file_events and make sure that osqueryd has full disk access perms on macbooks
k
Kathy Satterlee
02/16/2023, 2:24 PMA good way to check if permissions are the issue is to test the query locally with
sudo orbit osqueryd