
    Ted Dorosheff

    4 months ago
    I'm using an `overrides` key in my Fleet agent-options YAML for Windows clients. On a test Windows machine I'm seeing a warning in the `osqueryd --verbose` output:
    W0207 12:30:36.535475  6440 options.cpp:101] Cannot set unknown or invalid flag: enable_file_events
    as well as:
    I0207 12:30:47.051750  6440 eventfactory.cpp:156] Event publisher not enabled: ntfs_event_publisher: NTFS event publisher disabled via configuration
    I0207 12:30:47.113627  6440 events.cpp:70] Skipping subscriber: powershell_events: Required publisher is disabled by configuration
    Both of those event publishers are enabled within the `overrides` section of my config, and `enable_file_events: true` is set outside the `overrides` key, in the shared `options`. So it looks like Fleet is not applying the `overrides` key...

    zwass

    4 months ago
    Possibly misplaced overrides? Can you paste the config (redacted if necessary)?

    Ted Dorosheff

    4 months ago
    This is what I paste into the agent settings YAML editor:
    # Fleet agent options as pasted into the "agent settings" YAML editor.
    # On the Windows test host this produced "Cannot set unknown or invalid flag:
    # enable_file_events", and the NTFS publisher / powershell subscriber stayed disabled.
    config:
      # Applied to every platform.
      options:
        disable_events: false
        # Windows osqueryd rejected this flag (the W0207 warning earlier in the thread);
        # presumably the Windows build does not define it and relies on the ntfs/windows
        # event flags set in the override instead -- verify with `osqueryd --help` on Windows.
        enable_file_events: true
        disable_distributed: false
        distributed_interval: 60
      decorators:
        load:
          - SELECT COALESCE((select instance_id FROM ec2_instance_metadata), hostname) as hostname FROM system_info;
      # File integrity monitoring targets consumed by the file_events subscriber.
      file_paths:
        etc:
          - /etc/group
          - /etc/passwd
          - /etc/shadow
          - /etc/services
          - /etc/sudoers
          - /etc/ld.so.preload
          - /etc/ld.so.conf
          - /etc/ld.so.conf.d/%%
          - /etc/pam.d/%%
          - /etc/resolv.conf
          - /etc/modules
          - /etc/hosts
          - /etc/hostname
          - /etc/fstab
          - /etc/rsyslog.conf
        ssh:
          - /root/.ssh/%%
          - /home/%/.ssh/%%
          - /etc/ssh/%%
          # Directory entries with no wildcard -- confirm these watch the directory
          # contents as intended, or append %% like the entries above.
          - /var/lib/sia/keys/
          - /var/lib/sia/certs/
        logs:
          - /var/log/secure
        docker:
          - /etc/docker/%%
          - /etc/default/docker
          - /etc/docker/daemon.json
          - /usr/bin/containerd
          - /usr/sbin/runc
          - /etc/sysconfig/docker
          - /usr/lib/systemd/system/docker.service
          - /usr/lib/systemd/system/docker.socket
        osquery:
          - /etc/osquery/%%
          - /usr/share/osquery/packs/%%
        firewalls:
          - /etc/sysconfig/iptables
          - /home/y/conf/yakl/%%
          - /etc/yakl/conf/%%
      # BUG (root cause of this thread): `overrides` is nested under `config`, but Fleet
      # expects it as a top-level key at the same indentation as `config`. Nested here,
      # the whole Windows block below is silently ignored -- which is why the NTFS
      # publisher and powershell subscriber stayed disabled on the test host. The only
      # symptom is in the verbose osqueryd log; nothing in the UI flags it.
      overrides:
        platforms:
          windows:
            # Windows-specific event flags; none of these reached osqueryd while the
            # override was misplaced.
            options:
              disable_events: false
              enable_ntfs_event_publisher: true
              enable_powershell_events_subscriber: true
              enable_windows_events_publisher: true
              enable_windows_events_subscriber: true
              disable_distributed: false
              distributed_interval: 60
            decorators:
              load:
                - SELECT COALESCE((select instance_id FROM ec2_instance_metadata), hostname) as hostname FROM system_info;
            # Windows FIM targets. YAML plain and single-quoted scalars do not process
            # backslash escapes, so each `\\` is passed on as two literal backslashes;
            # worth confirming on a host that these paths resolve (e.g. via the `file` table).
            file_paths:
              Users:
                - C:\\Users\\%\\AppData\\Roaming\\%
                - C:\\Users\\%\\AppData\\Local\\%
                - C:\\Users\\%\\AppData\\Local\\temp\\%
                - C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\%
                - C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\%
                - C:\\Users\\%\\Default\\%
              Windows:
                - C:\\Windows\\%
                - C:\\Windows\\Temp\\%
                - C:\\Windows\\System32\\Drivers\\%
                - C:\\Windows\\SysWOW64\\Drivers\\%
                - C:\\Windows\\System32\\GroupPolicy\\Machine\\Scripts\\%
                - C:\\Windows\\System32\\GroupPolicy\\User\\Scripts\\%
                - C:\\Windows\\System32\\Wbem\\%
                - C:\\Windows\\SysWOW64\\Wbem\\%
                - C:\\Windows\\System32\\WindowsPowerShell\\%
                - C:\\Windows\\SysWOW64\\WindowsPowerShell\\%
                - C:\\Windows\\Tasks\\%
                - C:\\Windows\\System32\\Tasks\\%
                - C:\\Windows\\AppPatch\\Custom\\%
                - C:\\Windows\\system32\\DriverStore\\Temp\\%
                - C:\\Windows\\system32\\wbem\\Performance\\%
                - C:\\Windows\\System32\\Tasks\\Adobe Acrobat Update Task\\%
                - C:\\Windows\\System32\\Tasks\\Adobe Flash Player Updater\\%
                - C:\\Windows\\System32\\Tasks\\OfficeSoftwareProtectionPlatform\\SvcRestartTask\\%
              ProgramData:
                - C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\%
                - C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\%

    However, once I click "Update settings", the editor reorders the keys, replaces double quotes with single quotes, and adds a `>-` on a few lines (that is YAML's folded block-scalar marker for wrapping a long string; neither the quoting nor the folding changes the actual values). Not sure if any of that matters, but this is what the YAML looks like after I update:
    config:
      options:
        disable_events: false
        enable_file_events: true
        disable_distributed: false
        distributed_interval: 60
      overrides:
        platforms:
          windows:
            options:
              disable_events: false
              disable_distributed: false
              distributed_interval: 60
              enable_ntfs_event_publisher: true
              enable_windows_events_publisher: true
              enable_windows_events_subscriber: true
              enable_powershell_events_subscriber: true
            decorators:
              load:
                - >-
                  SELECT COALESCE((select instance_id FROM ec2_instance_metadata),
                  hostname) as hostname FROM system_info;
            file_paths:
              Users:
                - 'C:\\Users\\%\\AppData\\Roaming\\%'
                - 'C:\\Users\\%\\AppData\\Local\\%'
                - 'C:\\Users\\%\\AppData\\Local\\temp\\%'
                - >-
                  C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start
                  Menu\\Programs\\Startup\\%
                - >-
                  C:\\Users\\%\\AppData\\Roaming\\Microsoft\\Windows\\Start
                  Menu\\Programs\\%
                - 'C:\\Users\\%\\Default\\%'
              Windows:
                - 'C:\\Windows\\%'
                - 'C:\\Windows\\Temp\\%'
                - 'C:\\Windows\\System32\\Drivers\\%'
                - 'C:\\Windows\\SysWOW64\\Drivers\\%'
                - 'C:\\Windows\\System32\\GroupPolicy\\Machine\\Scripts\\%'
                - 'C:\\Windows\\System32\\GroupPolicy\\User\\Scripts\\%'
                - 'C:\\Windows\\System32\\Wbem\\%'
                - 'C:\\Windows\\SysWOW64\\Wbem\\%'
                - 'C:\\Windows\\System32\\WindowsPowerShell\\%'
                - 'C:\\Windows\\SysWOW64\\WindowsPowerShell\\%'
                - 'C:\\Windows\\Tasks\\%'
                - 'C:\\Windows\\System32\\Tasks\\%'
                - 'C:\\Windows\\AppPatch\\Custom\\%'
                - 'C:\\Windows\\system32\\DriverStore\\Temp\\%'
                - 'C:\\Windows\\system32\\wbem\\Performance\\%'
                - 'C:\\Windows\\System32\\Tasks\\Adobe Acrobat Update Task\\%'
                - 'C:\\Windows\\System32\\Tasks\\Adobe Flash Player Updater\\%'
                - >-
                  C:\\Windows\\System32\\Tasks\\OfficeSoftwareProtectionPlatform\\SvcRestartTask\\%
              ProgramData:
                - 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\%'
                - 'C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\%'
      decorators:
        load:
          - >-
            SELECT COALESCE((select instance_id FROM ec2_instance_metadata),
            hostname) as hostname FROM system_info;
      file_paths:
        etc:
          - /etc/group
          - /etc/passwd
          - /etc/shadow
          - /etc/services
          - /etc/sudoers
          - /etc/ld.so.preload
          - /etc/ld.so.conf
          - /etc/ld.so.conf.d/%%
          - /etc/pam.d/%%
          - /etc/resolv.conf
          - /etc/modules
          - /etc/hosts
          - /etc/hostname
          - /etc/fstab
          - /etc/rsyslog.conf
        ssh:
          - /root/.ssh/%%
          - /home/%/.ssh/%%
          - /etc/ssh/%%
          - /var/lib/sia/keys/
          - /var/lib/sia/certs/
        logs:
          - /var/log/secure
        docker:
          - /etc/docker/%%
          - /etc/default/docker
          - /etc/docker/daemon.json
          - /usr/bin/containerd
          - /usr/sbin/runc
          - /etc/sysconfig/docker
          - /usr/lib/systemd/system/docker.service
          - /usr/lib/systemd/system/docker.socket
        osquery:
          - /etc/osquery/%%
          - /usr/share/osquery/packs/%%
        firewalls:
          - /etc/sysconfig/iptables
          - /home/y/conf/yakl/%%
          - /etc/yakl/conf/%%

    zwass

    4 months ago
    `overrides` needs to be at the same indentation level as `config` (i.e. a top-level key, not nested inside `config`). In your paste it is indented under `config`, so the whole Windows block is being ignored — that is why the NTFS publisher and powershell subscriber still show as disabled in the verbose log.

    Ted Dorosheff

    4 months ago
    Ahh, okay.
    And then everything within `overrides` follows from that indent? So `platforms` is one indent in from `overrides`, `windows` one in from `platforms`, and so on?

    zwass

    4 months ago
    Yes, that's right — `overrides:` sits at column 0 next to `config:`, `platforms:` two spaces in, `windows:` two more, and the `options` / `file_paths` keys below that. After saving, it is worth confirming on a Windows host that the flags actually landed, e.g. `SELECT name, value FROM osquery_flags WHERE name LIKE 'enable_%';` and `SELECT name, publisher, active FROM osquery_events;` — a misplaced override fails silently apart from the verbose log lines you saw.

    Ted Dorosheff

    4 months ago
    🥇 for you man
    that fixed it