# fleet

Seán O'Halloran

03/09/2021, 6:00 PM
I’m trying to set up FIM and I’m wondering what are the different ways it can be scoped to hosts? In my current config I have it scoped to `platforms: darwin` and this works, like so:

```yaml
overrides:
    platforms:
      darwin:
        exclude_paths:
          downloads:
            - /Users/%/Downloads/ignore/%%
        file_paths:
          downloads:
            - /Users/%/Downloads/%%
```
However I want to have another set of paths targeting CentOS. The centos platform definition doesn’t seem to work for whatever reason. Can you scope FIM any other way, such as by label?
Hmm, it appears there is a `linux` platform. Are these documented anywhere? Many of my nodes have `os_version.platform: rhel`.

Dan Achin

03/09/2021, 7:49 PM
At least as this relates to packs: https://osquery.readthedocs.io/en/latest/deployment/configuration/#packs

• `darwin` for macOS hosts
• `freebsd` for FreeBSD hosts
• `linux` for any RedHat or Debian-based hosts
• `posix` for `darwin`, `freebsd`, and `linux` hosts
• `windows` for any Windows desktop or server hosts
• `any` or `all` for all; alternatively, no platform key selects all

Seán O'Halloran

03/12/2021, 4:34 PM
There also seem to be `debian`, `ubuntu` and `centos`, from what I’ve found.
However, I tried to create this Linux label and no hosts are responsive:

```yaml
apiVersion: v1
kind: label
spec:
  ID: 0
  description: All Linux hosts
  label_type: 0
  name: Linux
  platform: linux
  query: SELECT 1;
```

Spent a long time debugging only to discover that `platform: linux` does not work, at least on v4.4.0.

Another update: it seems `platform` is treated differently depending on whether it’s applied to a label, pack or option. Not seeing a clear pattern.