  • Ian Muscat

    1 year ago
    Hey there, I’m running Fleet 3.11.0 and I’m trying to configure Fleet’s FIM options. I noticed that spec.config.exclude_paths does not work, but spec.overrides.platforms.<platform>.exclude_paths does work. This seems to be inconsistent with spec.config.file_paths, which seems to work as expected (outside of the overrides block). Can anyone else replicate this behaviour, and if so, is this intended behaviour? Thanks!
  • zwass

    1 year ago
    Perhaps it's a misunderstanding of how the overrides work? See https://github.com/fleetdm/fleet/blob/master/examples/config-many-files/config.yml#L21-L25. If there's anything in a matching overrides block then the values in the config block would be ignored.
  • Ian Muscat

    1 year ago
    Actually my statement about the overrides block working was incorrect. I mis-typed rhel 🤦. Yep, I’m aware of how overrides work. I still cannot get exclude_paths to work though, both in overrides and in the global config. Just for the sake of clarity I’ve tried this config:
    spec:
      config: null
      overrides:
        platforms:
          rhel:
            options:
              disable_audit: false
              disable_events: false
              pack_delimiter: /
              logger_snapshot_event_type: true
            decorators:
              load:
                - select uuid as host_uuid from system_info;
                - select hostname as hostname from system_info;
            file_paths:
              tmp:
                - /tmp/%%
            exclude_paths:
              tmp:
                - /tmp/foo/%%
                - /tmp/tmp.%
  • The following (not using overrides) also doesn’t seem to work for me — i.e. file changes are still being shown in the file_events table (even after manually restarting osqueryd).
    spec:
      config:
        options:
          disable_audit: false
          disable_events: false
          pack_delimiter: /
          logger_snapshot_event_type: true
        decorators:
          load:
            - select uuid as host_uuid from system_info;
            - select hostname as hostname from system_info;
        file_paths:
          tmp:
            - /tmp/%%
        exclude_paths:
          tmp:
            - /tmp/foo/%%
            - /tmp/tmp.%
  • Noah Talerman

    1 year ago
    @Ian Muscat for both configurations you’ve shared in this thread, are all other options being applied as expected? Is it only the exclude_paths option that is not being applied?
  • zwass

    1 year ago
    Can you turn on --verbose --tls_dump for this host and verify the config that it receives from Fleet?
  • Ian Muscat

    1 year ago
    "are all other options being applied as expected" Yep, as far as I can tell. I’ll have a closer look tomorrow to make sure.
    "Can you turn on --verbose --tls_dump for this host" I’m assuming you mean as part of the osqueryd config, right? Will give this a shot, thanks for the tip!
  • zwass

    1 year ago
    Yes, with osqueryd. This will let you see exactly what Fleet is sending and is almost always a helpful debugging step to isolate where the issues might be.
  • Ian Muscat

    1 year ago
    Hmm, turning on --verbose --tls_dump does show the config being delivered to the host, so maybe this is not a Fleet-related issue after all 🤔. Will have to keep digging, thanks for the help.