Configure the following settings in the team's agent options:
```yaml
config:
  options:
    pack_delimiter: /
    logger_tls_period: 10
    distributed_plugin: tls
    disable_distributed: false
    logger_tls_endpoint: /api/osquery/log
    distributed_interval: 10
    distributed_tls_max_attempts: 3
  decorators:
    load:
      - SELECT uuid AS host_uuid FROM system_info;
      - SELECT hostname AS hostname FROM system_info;
  file_paths:
    etc:
      - /etc/foobar/%%
command_line_flags:
  verbose: true
  events_expiry: 3600
  disable_events: false
  disable_audit: false
  audit_persist: true
  audit_allow_fim_events: true
  audit_allow_config: true
  audit_backlog_limit: 60000
  audit_allow_process_events: false
  audit_allow_sockets: false
  audit_allow_user_events: false
  audit_allow_selinux_events: false
  audit_allow_kill_process_events: false
  audit_allow_apparmor_events: false
  audit_allow_seccomp_events: false
  enable_bpf_events: false
```
Check that the osquery `command_line_flags` were delivered successfully to the agent:
```sh
sudo cat /opt/orbit/osquery.flags
--audit_allow_apparmor_events=false
--enable_bpf_events=false
--audit_allow_config=true
--audit_backlog_limit=60000
--audit_allow_user_events=false
--audit_allow_seccomp_events=false
--audit_allow_selinux_events=false
--audit_allow_sockets=false
--audit_allow_process_events=false
--audit_persist=true
--audit_allow_fim_events=true
--audit_allow_kill_process_events=false
--disable_audit=false
--verbose=true
--events_expiry=3600
--disable_events=false
```
### About the flags
- `file_paths`: We set `/etc/foobar/%%` as the path to monitor for file changes.
- `verbose: true`: We set this to `true` for troubleshooting purposes only.
- `disable_events: false`: Must be set to `false` to enable evented tables in general.
- `events_expiry: 3600`: The `events_expiry` value is the time, in seconds, after which events are cleared from osquery's local storage.
- `disable_audit: false`: Must be set to `false` to enable the audit events.
- `audit_persist: true`: Set to `true` so that osquery attempts to retain control of the audit subsystem.
- `audit_allow_fim_events: true`: Must be set to `true` to generate FIM events (otherwise the `process_file_events` table will generate no events). Once this is set correctly, the user should see "Enabling audit rules for the process_file_events table" in the logs.
- `audit_allow_config: true`: Must be set to `true` to allow osquery to configure the audit service (essentially to set the backlog limit and wait time described below).
- `audit_backlog_limit: 60000`: Sets the queue length for audit events awaiting transfer to the osquery audit subscriber. We set this to a high value first to confirm the table is working; it should then be tuned to a value suited for production.
- The following flags were set to `false` to avoid unnecessary load on the host: `audit_allow_process_events: false`, `audit_allow_sockets: false`, `audit_allow_user_events: false`, `audit_allow_selinux_events: false`, `audit_allow_kill_process_events: false`, `audit_allow_apparmor_events: false`, `audit_allow_seccomp_events: false`, `enable_bpf_events: false`.
## Make sure the osquery audit subscriber is working
```sh
auditctl -s
enabled 1
failure 0
pid 21590
rate_limit 0
backlog_limit 60000
lost 1137311
backlog 991
loginuid_immutable 0 unlocked
```
`enabled` should be `1` and `pid` should be the process ID of osquery, which shows that osquery now holds the audit netlink socket.
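The two checks above (that the `command_line_flags` reached `osquery.flags`, and that `auditctl -s` shows auditing enabled with osquery holding the socket) can be scripted. The following is an added example, not Fleet or osquery project code; the sample flag and `auditctl` text is constructed from the output shown above, and the expected values are the ones from the agent options.

```python
# Expected values, taken from the command_line_flags in the agent options above.
EXPECTED_FLAGS = {
    "disable_events": "false",
    "disable_audit": "false",
    "audit_persist": "true",
    "audit_allow_fim_events": "true",
    "audit_allow_config": "true",
    "audit_backlog_limit": "60000",
}

# Constructed samples, trimmed from the osquery.flags and auditctl output shown above.
SAMPLE_FLAGS_TEXT = """--audit_allow_config=true
--audit_backlog_limit=60000
--audit_persist=true
--audit_allow_fim_events=true
--disable_audit=false
--disable_events=false
"""
SAMPLE_AUDITCTL_TEXT = """enabled 1
failure 0
pid 21590
backlog_limit 60000
lost 1137311
backlog 991
"""

def parse_flags(text):
    """Parse '--name=value' lines from osquery.flags; a bare '--name' means true."""
    flags = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("--"):
            name, sep, value = line[2:].partition("=")
            flags[name] = value if sep else "true"
    return flags

def missing_or_wrong(flags, expected=EXPECTED_FLAGS):
    """Return {flag: (expected, actual)} per mismatch; empty means every flag was delivered."""
    return {k: (v, flags.get(k)) for k, v in expected.items() if flags.get(k) != v}

def parse_auditctl_status(text):
    """Parse `auditctl -s` output ('key value ...' per line) into a dict of strings."""
    return {p[0]: p[1] for p in (ln.split() for ln in text.splitlines()) if len(p) >= 2}

def audit_subscriber_ok(status, osquery_pid, backlog_limit=60000):
    """Audit enabled, the audit netlink socket held by osquery, and our backlog limit applied."""
    return (status.get("enabled") == "1" and status.get("pid") == str(osquery_pid)
            and status.get("backlog_limit") == str(backlog_limit))
```

On a real host, pass the contents of `/opt/orbit/osquery.flags` to `parse_flags` and the output of `auditctl -s` to `parse_auditctl_status`, together with the PID of the running osquery process. A non-empty result from `missing_or_wrong` or a `False` from `audit_subscriber_ok` points at which step of the setup did not take effect.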
## Modify the test files
```sh
echo "boo" >> /etc/foobar/zoo.txt
rm /etc/foobar/other.txt
```
> Remember: the files must exist before the osquery process is initialized.
> Creating or modifying new files won't generate `process_file_events` events.
## Query the process_file_events table
Run the following live query:
```sql
SELECT * from process_file_events;
```
It should return two events, one with `operation=write` and one with `operation=unlink`.
## Additional notes
Make sure to keep an eye on logs like the following:
```log
auditdnetlink.cpp:354 The Audit publisher has throttled reading records from Netlink for 0.2 seconds. Some events may have been lost.
```
Some events might get lost due to system load or low CPU/memory resources.