https://github.com/osquery/osquery logo
Powered by
#fleet
Title
# fleet
r

Rafa

02/15/2023, 4:17 PM
Hello! I would like to setup Mac (darwin) File Integrity Monitoring and because of that I changed the Agent options in fleet to this:
Copy code
config:
  options:
    pack_delimiter: /
    logger_tls_period: 10
    distributed_plugin: tls
    disable_distributed: false
    logger_tls_endpoint: /api/osquery/log
    distributed_interval: 10
    distributed_tls_max_attempts: 3
  decorators:
    load:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
overrides:
  platforms:
    darwin:
      options:
        disable_audit: false
        disable_events: false
      file_paths:
        etc:
          - /etc/%%
        homes:
          - /Volumes/%%
        users:
          - /Users/%/Library/%%
          - /Users/%/Documents/%%
command_line_flags: {} # requires Fleet's osquery installer
But the query
Copy code
SELECT action, DATETIME(time, 'unixepoch') AS datetime, vendor, mounts.path FROM disk_events LEFT JOIN mounts ON mounts.device = disk_events.device;
always return nothing... Am I doing something wrong?
c

charles

02/16/2023, 1:56 AM
you might wanna check file_events and make sure that osqueryd has full disk access perms on macbooks
k

Kathy Satterlee

02/16/2023, 2:24 PM
A good way to check if permissions are the issue is to test the query locally with 
sudo orbit osqueryd
.
Powered by