Updated flags for osquery 5.11 (#16239)

#16180
osquery flag validation has been updated for osquery 5.11
- new flags have been added to validation
- `table_exceptions` flag has been replaced with
`ignore_table_exceptions`

NOTE: It appears the last time this flow was run on Linux. I moved
several flags from the automatically generated section to the linux
section.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/` or
`orbit/changes/`.
See [Changes
files](https://fleetdm.com/docs/contributing/committing-changes#changes-files)
for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality

changes/16180-osquery-flags

@@ -0,0 +1,3 @@
+osquery flag validation has been updated for osquery 5.11
+- new flags have been added to validation
+- `table_exceptions` flag has been replaced with `ignore_table_exceptions`

server/fleet/agent_options.go

@@ -152,7 +152,7 @@ func validateJSONAgentOptionsExtensions(ctx context.Context, ds Datastore, optsE
 // See https://osquery.readthedocs.io/en/stable/deployment/configuration/#configuration-specification
 //
 // NOTE: Update the following line with the version used for validation.
-// Current version: 5.5.1
+// Current version: 5.11.0
 type osqueryAgentOptions struct {
 	Options osqueryOptions `json:"options"`
 
@@ -211,35 +211,27 @@ type osqueryAgentOptions struct {
 
 // NOTE: generate automatically with `go run ./tools/osquery-agent-options/main.go`
 type osqueryOptions struct {
-	AuditAllowAcceptSocketEvents        bool   `json:"audit_allow_accept_socket_events"`
-	AuditAllowApparmorEvents            bool   `json:"audit_allow_apparmor_events"`
 	AuditAllowConfig                    bool   `json:"audit_allow_config"`
-	AuditAllowFailedSocketEvents        bool   `json:"audit_allow_failed_socket_events"`
 	AuditAllowFimEvents                 bool   `json:"audit_allow_fim_events"`
-	AuditAllowForkProcessEvents         bool   `json:"audit_allow_fork_process_events"`
-	AuditAllowKillProcessEvents         bool   `json:"audit_allow_kill_process_events"`
-	AuditAllowNullAcceptSocketEvents    bool   `json:"audit_allow_null_accept_socket_events"`
 	AuditAllowProcessEvents             bool   `json:"audit_allow_process_events"`
-	AuditAllowSeccompEvents             bool   `json:"audit_allow_seccomp_events"`
-	AuditAllowSelinuxEvents             bool   `json:"audit_allow_selinux_events"`
 	AuditAllowSockets                   bool   `json:"audit_allow_sockets"`
 	AuditAllowUserEvents                bool   `json:"audit_allow_user_events"`
-	AuditBacklogLimit                   int32  `json:"audit_backlog_limit"`
-	AuditBacklogWaitTime                int32  `json:"audit_backlog_wait_time"`
-	AuditForceReconfigure               bool   `json:"audit_force_reconfigure"`
-	AuditForceUnconfigure               bool   `json:"audit_force_unconfigure"`
-	AuditPersist                        bool   `json:"audit_persist"`
 	AugeasLenses                        string `json:"augeas_lenses"`
 	AwsAccessKeyId                      string `json:"aws_access_key_id"`
 	AwsDebug                            bool   `json:"aws_debug"`
+	AwsDisableImdsv1Fallback            bool   `json:"aws_disable_imdsv1_fallback"`
 	AwsEnableProxy                      bool   `json:"aws_enable_proxy"`
 	AwsFirehoseEndpoint                 string `json:"aws_firehose_endpoint"`
 	AwsFirehosePeriod                   uint64 `json:"aws_firehose_period"`
+	AwsFirehoseRegion                   string `json:"aws_firehose_region"`
 	AwsFirehoseStream                   string `json:"aws_firehose_stream"`
+	AwsImdsv2RequestAttempts            uint32 `json:"aws_imdsv2_request_attempts"`
+	AwsImdsv2RequestInterval            uint32 `json:"aws_imdsv2_request_interval"`
 	AwsKinesisDisableLogStatus          bool   `json:"aws_kinesis_disable_log_status"`
 	AwsKinesisEndpoint                  string `json:"aws_kinesis_endpoint"`
 	AwsKinesisPeriod                    uint64 `json:"aws_kinesis_period"`
 	AwsKinesisRandomPartitionKey        bool   `json:"aws_kinesis_random_partition_key"`
+	AwsKinesisRegion                    string `json:"aws_kinesis_region"`
 	AwsKinesisStream                    string `json:"aws_kinesis_stream"`
 	AwsProfileName                      string `json:"aws_profile_name"`
 	AwsProxyHost                        string `json:"aws_proxy_host"`
@@ -254,8 +246,6 @@ type osqueryOptions struct {
 	AwsStsRegion                        string `json:"aws_sts_region"`
 	AwsStsSessionName                   string `json:"aws_sts_session_name"`
 	AwsStsTimeout                       uint64 `json:"aws_sts_timeout"`
-	BpfBufferStorageSize                uint64 `json:"bpf_buffer_storage_size"`
-	BpfPerfEventArrayExp                uint64 `json:"bpf_perf_event_array_exp"`
 	BufferedLogMax                      uint64 `json:"buffered_log_max"`
 	DecorationsTopLevel                 bool   `json:"decorations_top_level"`
 	DisableAudit                        bool   `json:"disable_audit"`
@@ -266,7 +256,6 @@ type osqueryOptions struct {
 	DisableEvents                       bool   `json:"disable_events"`
 	DisableHashCache                    bool   `json:"disable_hash_cache"`
 	DisableLogging                      bool   `json:"disable_logging"`
-	DisableMemory                       bool   `json:"disable_memory"`
 	DistributedDenylistDuration         uint64 `json:"distributed_denylist_duration"`
 	DistributedInterval                 uint64 `json:"distributed_interval"`
 	DistributedLoginfo                  bool   `json:"distributed_loginfo"`
@@ -275,18 +264,21 @@ type osqueryOptions struct {
 	DistributedTlsReadEndpoint          string `json:"distributed_tls_read_endpoint"`
 	DistributedTlsWriteEndpoint         string `json:"distributed_tls_write_endpoint"`
 	DockerSocket                        string `json:"docker_socket"`
-	EnableBpfEvents                     bool   `json:"enable_bpf_events"`
 	EnableFileEvents                    bool   `json:"enable_file_events"`
 	EnableForeign                       bool   `json:"enable_foreign"`
 	EnableNumericMonitoring             bool   `json:"enable_numeric_monitoring"`
-	EnableSyslog                        bool   `json:"enable_syslog"`
 	Ephemeral                           bool   `json:"ephemeral"`
+	EsFimEnableOpenEvents               bool   `json:"es_fim_enable_open_events"`
 	EventsExpiry                        uint64 `json:"events_expiry"`
 	EventsMax                           uint64 `json:"events_max"`
 	EventsOptimize                      bool   `json:"events_optimize"`
+	ExperimentList                      string `json:"experiment_list"`
 	ExtensionsDefaultIndex              bool   `json:"extensions_default_index"`
 	HashCacheMax                        uint32 `json:"hash_cache_max"`
 	HostIdentifier                      string `json:"host_identifier"`
+	IgnoreTableExceptions               bool   `json:"ignore_table_exceptions"`
+	KeychainAccessCache                 bool   `json:"keychain_access_cache"`
+	KeychainAccessInterval              uint32 `json:"keychain_access_interval"`
 	LoggerEventType                     bool   `json:"logger_event_type"`
 	LoggerKafkaAcks                     string `json:"logger_kafka_acks"`
 	LoggerKafkaBrokers                  string `json:"logger_kafka_brokers"`
@@ -307,7 +299,6 @@ type osqueryOptions struct {
 	LoggerTlsMaxLines                   uint64 `json:"logger_tls_max_lines"`
 	LoggerTlsMaxLinesize                uint64 `json:"logger_tls_max_linesize"`
 	LoggerTlsPeriod                     uint64 `json:"logger_tls_period"`
-	LxdSocket                           string `json:"lxd_socket"`
 	Nullvalue                           string `json:"nullvalue"`
 	NumericMonitoringFilesystemPath     string `json:"numeric_monitoring_filesystem_path"`
 	NumericMonitoringPlugins            string `json:"numeric_monitoring_plugins"`
@@ -323,12 +314,7 @@ type osqueryOptions struct {
 	ScheduleSplayPercent                uint64 `json:"schedule_splay_percent"`
 	ScheduleTimeout                     uint64 `json:"schedule_timeout"`
 	SpecifiedIdentifier                 string `json:"specified_identifier"`
-	SyslogEventsExpiry                  uint64 `json:"syslog_events_expiry"`
-	SyslogEventsMax                     uint64 `json:"syslog_events_max"`
-	SyslogPipePath                      string `json:"syslog_pipe_path"`
-	SyslogRateLimit                     uint64 `json:"syslog_rate_limit"`
 	TableDelay                          uint64 `json:"table_delay"`
-	TableExceptions                     bool   `json:"table_exceptions"`
 	ThriftStringSizeLimit               int32  `json:"thrift_string_size_limit"`
 	ThriftTimeout                       uint32 `json:"thrift_timeout"`
 	ThriftVerbose                       bool   `json:"thrift_verbose"`
@@ -347,35 +333,28 @@ type osqueryOptions struct {
 // NOTE: generate automatically with `go run ./tools/osquery-agent-options/main.go`
 type osqueryCommandLineFlags struct {
 	AlarmTimeout                        uint64 `json:"alarm_timeout"`
-	AuditAllowAcceptSocketEvents        bool   `json:"audit_allow_accept_socket_events"`
-	AuditAllowApparmorEvents            bool   `json:"audit_allow_apparmor_events"`
 	AuditAllowConfig                    bool   `json:"audit_allow_config"`
-	AuditAllowFailedSocketEvents        bool   `json:"audit_allow_failed_socket_events"`
 	AuditAllowFimEvents                 bool   `json:"audit_allow_fim_events"`
-	AuditAllowForkProcessEvents         bool   `json:"audit_allow_fork_process_events"`
-	AuditAllowKillProcessEvents         bool   `json:"audit_allow_kill_process_events"`
-	AuditAllowNullAcceptSocketEvents    bool   `json:"audit_allow_null_accept_socket_events"`
 	AuditAllowProcessEvents             bool   `json:"audit_allow_process_events"`
-	AuditAllowSeccompEvents             bool   `json:"audit_allow_seccomp_events"`
-	AuditAllowSelinuxEvents             bool   `json:"audit_allow_selinux_events"`
 	AuditAllowSockets                   bool   `json:"audit_allow_sockets"`
 	AuditAllowUserEvents                bool   `json:"audit_allow_user_events"`
-	AuditBacklogLimit                   int32  `json:"audit_backlog_limit"`
-	AuditBacklogWaitTime                int32  `json:"audit_backlog_wait_time"`
-	AuditForceReconfigure               bool   `json:"audit_force_reconfigure"`
-	AuditForceUnconfigure               bool   `json:"audit_force_unconfigure"`
-	AuditPersist                        bool   `json:"audit_persist"`
 	AugeasLenses                        string `json:"augeas_lenses"`
 	AwsAccessKeyId                      string `json:"aws_access_key_id"`
 	AwsDebug                            bool   `json:"aws_debug"`
+	AwsDisableImdsv1Fallback            bool   `json:"aws_disable_imdsv1_fallback"`
 	AwsEnableProxy                      bool   `json:"aws_enable_proxy"`
+	AwsEnforceFips                      bool   `json:"aws_enforce_fips"`
 	AwsFirehoseEndpoint                 string `json:"aws_firehose_endpoint"`
 	AwsFirehosePeriod                   uint64 `json:"aws_firehose_period"`
+	AwsFirehoseRegion                   string `json:"aws_firehose_region"`
 	AwsFirehoseStream                   string `json:"aws_firehose_stream"`
+	AwsImdsv2RequestAttempts            uint32 `json:"aws_imdsv2_request_attempts"`
+	AwsImdsv2RequestInterval            uint32 `json:"aws_imdsv2_request_interval"`
 	AwsKinesisDisableLogStatus          bool   `json:"aws_kinesis_disable_log_status"`
 	AwsKinesisEndpoint                  string `json:"aws_kinesis_endpoint"`
 	AwsKinesisPeriod                    uint64 `json:"aws_kinesis_period"`
 	AwsKinesisRandomPartitionKey        bool   `json:"aws_kinesis_random_partition_key"`
+	AwsKinesisRegion                    string `json:"aws_kinesis_region"`
 	AwsKinesisStream                    string `json:"aws_kinesis_stream"`
 	AwsProfileName                      string `json:"aws_profile_name"`
 	AwsProxyHost                        string `json:"aws_proxy_host"`
@@ -390,8 +369,6 @@ type osqueryCommandLineFlags struct {
 	AwsStsRegion                        string `json:"aws_sts_region"`
 	AwsStsSessionName                   string `json:"aws_sts_session_name"`
 	AwsStsTimeout                       uint64 `json:"aws_sts_timeout"`
-	BpfBufferStorageSize                uint64 `json:"bpf_buffer_storage_size"`
-	BpfPerfEventArrayExp                uint64 `json:"bpf_perf_event_array_exp"`
 	BufferedLogMax                      uint64 `json:"buffered_log_max"`
 	CarverBlockSize                     uint32 `json:"carver_block_size"`
 	CarverCompression                   bool   `json:"carver_compression"`
@@ -423,7 +400,6 @@ type osqueryCommandLineFlags struct {
 	DisableExtensions                   bool   `json:"disable_extensions"`
 	DisableHashCache                    bool   `json:"disable_hash_cache"`
 	DisableLogging                      bool   `json:"disable_logging"`
-	DisableMemory                       bool   `json:"disable_memory"`
 	DisableReenrollment                 bool   `json:"disable_reenrollment"`
 	DisableTables                       string `json:"disable_tables"`
 	DisableWatchdog                     bool   `json:"disable_watchdog"`
@@ -435,32 +411,35 @@ type osqueryCommandLineFlags struct {
 	DistributedTlsReadEndpoint          string `json:"distributed_tls_read_endpoint"`
 	DistributedTlsWriteEndpoint         string `json:"distributed_tls_write_endpoint"`
 	DockerSocket                        string `json:"docker_socket"`
-	EnableBpfEvents                     bool   `json:"enable_bpf_events"`
 	EnableExtensionsWatchdog            bool   `json:"enable_extensions_watchdog"`
 	EnableFileEvents                    bool   `json:"enable_file_events"`
 	EnableForeign                       bool   `json:"enable_foreign"`
 	EnableNumericMonitoring             bool   `json:"enable_numeric_monitoring"`
-	EnableSyslog                        bool   `json:"enable_syslog"`
 	EnableTables                        string `json:"enable_tables"`
+	EnableWatchdogDebug                 bool   `json:"enable_watchdog_debug"`
 	EnrollAlways                        bool   `json:"enroll_always"`
 	EnrollSecretEnv                     string `json:"enroll_secret_env"`
 	EnrollSecretPath                    string `json:"enroll_secret_path"`
 	EnrollTlsEndpoint                   string `json:"enroll_tls_endpoint"`
 	Ephemeral                           bool   `json:"ephemeral"`
+	EsFimEnableOpenEvents               bool   `json:"es_fim_enable_open_events"`
 	EventsExpiry                        uint64 `json:"events_expiry"`
 	EventsMax                           uint64 `json:"events_max"`
 	EventsOptimize                      bool   `json:"events_optimize"`
+	ExperimentList                      string `json:"experiment_list"`
 	ExtensionsAutoload                  string `json:"extensions_autoload"`
 	ExtensionsDefaultIndex              bool   `json:"extensions_default_index"`
-	ExtensionsInterval                  uint64 `json:"extensions_interval"`
+	ExtensionsInterval                  string `json:"extensions_interval"`
 	ExtensionsRequire                   string `json:"extensions_require"`
 	ExtensionsSocket                    string `json:"extensions_socket"`
-	ExtensionsTimeout                   uint64 `json:"extensions_timeout"`
+	ExtensionsTimeout                   string `json:"extensions_timeout"`
 	Force                               bool   `json:"force"`
 	HashCacheMax                        uint32 `json:"hash_cache_max"`
 	HostIdentifier                      string `json:"host_identifier"`
+	IgnoreTableExceptions               bool   `json:"ignore_table_exceptions"`
 	Install                             bool   `json:"install"`
-	KeepContainerWorkerOpen             bool   `json:"keep_container_worker_open"`
+	KeychainAccessCache                 bool   `json:"keychain_access_cache"`
+	KeychainAccessInterval              uint32 `json:"keychain_access_interval"`
 	LoggerEventType                     bool   `json:"logger_event_type"`
 	LoggerKafkaAcks                     string `json:"logger_kafka_acks"`
 	LoggerKafkaBrokers                  string `json:"logger_kafka_brokers"`
@@ -485,7 +464,6 @@ type osqueryCommandLineFlags struct {
 	LoggerTlsMaxLinesize                uint64 `json:"logger_tls_max_linesize"`
 	LoggerTlsPeriod                     uint64 `json:"logger_tls_period"`
 	Logtostderr                         bool   `json:"logtostderr"`
-	LxdSocket                           string `json:"lxd_socket"`
 	Nullvalue                           string `json:"nullvalue"`
 	NumericMonitoringFilesystemPath     string `json:"numeric_monitoring_filesystem_path"`
 	NumericMonitoringPlugins            string `json:"numeric_monitoring_plugins"`
@@ -504,12 +482,7 @@ type osqueryCommandLineFlags struct {
 	ScheduleTimeout                     uint64 `json:"schedule_timeout"`
 	SpecifiedIdentifier                 string `json:"specified_identifier"`
 	Stderrthreshold                     int32  `json:"stderrthreshold"`
-	SyslogEventsExpiry                  uint64 `json:"syslog_events_expiry"`
-	SyslogEventsMax                     uint64 `json:"syslog_events_max"`
-	SyslogPipePath                      string `json:"syslog_pipe_path"`
-	SyslogRateLimit                     uint64 `json:"syslog_rate_limit"`
 	TableDelay                          uint64 `json:"table_delay"`
-	TableExceptions                     bool   `json:"table_exceptions"`
 	ThriftStringSizeLimit               int32  `json:"thrift_string_size_limit"`
 	ThriftTimeout                       uint32 `json:"thrift_timeout"`
 	ThriftVerbose                       bool   `json:"thrift_verbose"`
@@ -544,8 +517,34 @@ type osqueryCommandLineFlags struct {
 // osquery. They are exported so they can be used by the
 // tools/osquery-agent-options script.
 type OsqueryCommandLineFlagsLinux struct {
-	MallocTrimThreshold   uint64 `json:"malloc_trim_threshold"`
+	AuditAllowAcceptSocketEvents             bool   `json:"audit_allow_accept_socket_events"`
+	AuditAllowApparmorEvents                 bool   `json:"audit_allow_apparmor_events"`
+	AuditAllowFailedSocketEvents             bool   `json:"audit_allow_failed_socket_events"`
+	AuditAllowForkProcessEvents              bool   `json:"audit_allow_fork_process_events"`
+	AuditAllowKillProcessEvents              bool   `json:"audit_allow_kill_process_events"`
+	AuditAllowNullAcceptSocketEvents         bool   `json:"audit_allow_null_accept_socket_events"`
+	AuditAllowSeccompEvents                  bool   `json:"audit_allow_seccomp_events"`
+	AuditAllowSelinuxEvents                  bool   `json:"audit_allow_selinux_events"`
+	AuditBacklogLimit                        int32  `json:"audit_backlog_limit"`
+	AuditBacklogWaitTime                     int32  `json:"audit_backlog_wait_time"`
+	AuditForceReconfigure                    bool   `json:"audit_force_reconfigure"`
+	AuditForceUnconfigure                    bool   `json:"audit_force_unconfigure"`
+	AuditPersist                             bool   `json:"audit_persist"`
+	BpfBufferStorageSize                     uint64 `json:"bpf_buffer_storage_size"`
+	BpfPerfEventArrayExp                     uint64 `json:"bpf_perf_event_array_exp"`
+	DisableMemory                            bool   `json:"disable_memory"`
+	EnableBpfEvents                          bool   `json:"enable_bpf_events"`
+	EnableSyslog                             bool   `json:"enable_syslog"`
+	ExperimentsLinuxeventsCircularBufferSize uint32 `json:"experiments_linuxevents_circular_buffer_size"`
+	ExperimentsLinuxeventsPerfOutputSize     uint32 `json:"experiments_linuxevents_perf_output_size"`
 	HardwareDisabledTypes                    string `json:"hardware_disabled_types"`
+	KeepContainerWorkerOpen                  bool   `json:"keep_container_worker_open"`
+	LxdSocket                                string `json:"lxd_socket"`
+	MallocTrimThreshold                      uint64 `json:"malloc_trim_threshold"`
+	SyslogEventsExpiry                       uint64 `json:"syslog_events_expiry"`
+	SyslogEventsMax                          uint64 `json:"syslog_events_max"`
+	SyslogPipePath                           string `json:"syslog_pipe_path"`
+	SyslogRateLimit                          uint64 `json:"syslog_rate_limit"`
 }
 
 type OsqueryCommandLineFlagsWindows struct {
@@ -555,8 +554,17 @@ type OsqueryCommandLineFlagsWindows struct {
 	GroupsServiceInterval            uint64 `json:"groups_service_interval"`
 	EnableNtfsEventPublisher         bool   `json:"enable_ntfs_event_publisher"`
 	EnablePowershellEventsSubscriber bool   `json:"enable_powershell_events_subscriber"`
+	EnableProcessEtwEvents           bool   `json:"enable_process_etw_events"`
 	EnableWindowsEventsPublisher     bool   `json:"enable_windows_events_publisher"`
 	EnableWindowsEventsSubscriber    bool   `json:"enable_windows_events_subscriber"`
+	EtwKernelTraceBufferSize         uint32 `json:"etw_kernel_trace_buffer_size"`
+	EtwKernelTraceFlushTimer         uint32 `json:"etw_kernel_trace_flush_timer"`
+	EtwKernelTraceMaximumBuffers     uint32 `json:"etw_kernel_trace_maximum_buffers"`
+	EtwKernelTraceMinimumBuffers     uint32 `json:"etw_kernel_trace_minimum_buffers"`
+	EtwUserspaceTraceBufferSize      uint32 `json:"etw_userspace_trace_buffer_size"`
+	EtwUserspaceTraceFlushTimer      uint32 `json:"etw_userspace_trace_flush_timer"`
+	EtwUserspaceTraceMaximumBuffers  uint32 `json:"etw_userspace_trace_maximum_buffers"`
+	EtwUserspaceTraceMinimumBuffers  uint32 `json:"etw_userspace_trace_minimum_buffers"`
 	NtfsEventPublisherDebug          bool   `json:"ntfs_event_publisher_debug"`
 	WindowsEventChannels             string `json:"windows_event_channels"`
 	UsnJournalReaderDebug            bool   `json:"usn_journal_reader_debug"`
@@ -577,6 +585,7 @@ type OsqueryCommandLineFlagsMacOS struct {
 type OsqueryCommandLineFlagsHidden struct {
 	AlsoLogToStderr               bool   `json:"alsologtostderr"`
 	EventsStreamingPlugin         string `json:"events_streaming_plugin"`
+	IgnoreRegistryExceptions      bool   `json:"ignore_registry_exceptions"`
 	LogBufSecs                    int32  `json:"logbufsecs"`
 	LogDir                        string `json:"log_dir"`
 	MaxLogSize                    int32  `json:"max_log_size"`

server/fleet/agent_options_test.go

@@ -119,6 +119,13 @@ func TestValidateAgentOptions(t *testing.T) {
 				"yara_malloc_trim": true
 			}
 		}}`, true, `unknown field "yara_malloc_trim"`},
+		{
+			"option added in osquery 5.11.0", `{"config":{
+			"options": {
+				"keychain_access_cache": true
+			}
+		}}`, true, ``,
+		},
 		{"valid command-line flag", `{"command_line_flags":{
 			"alarm_timeout": 1
 		}}`, true, ``},

tools/osquery-agent-options/README.md

@@ -6,6 +6,8 @@ It prints the resulting Go code to stdout (the `osqueryOptions` and the `osquery
 
 Note that the latest version of osquery should be installed for this tool to work properly (`osqueryd` and `osqueryi` must be in your $PATH).
 
+The system that you use to run this on makes a difference. On 5.11.0, this flow was run on macOS.
+
 ## OS-specific flags
 
 Some osquery flags are OS-specific and will not show up either with `osqueryd --help` or with the `osqueryi` query, depending on the OS you're running those on. In the code (in `server/fleet/agent_options.go`), those OS-specific flags are defined in the `OsqueryCommandLineFlags{Linux,MacOS,Windows}` structs, and the `osquery-agent-options` tool will automatically ignore from its generated struct any flag already defined as part of one of the OS-specific structs.
@@ -15,7 +17,7 @@ It can be hard to even know what OS-specific flags exist, because of the fact th
 ```
 # ag is the Silver Searcher, a grep alternative, but it should work with grep too, maybe
 # with some small adjustments to the flags.
-$ ag --nofilename -o 'FLAGS_[a-z0-9_]+' | sort | uniq | cut -d _ --complement -f 1
+$ ag --nofilename -o 'FLAGS_[a-z0-9_]+' ./osquery/ ./plugins/ | sort | uniq | gcut -d _ --complement -f 1
 ```
 
 This finds all flags defined in the osquery codebase (assuming all flags are built the same way). It is then possible to run a diff of this list with the list from the `osqueryi` query (e.g. `osqueryi --list 'select name from osquery_flags;'`), and the missing ones are _possibly/likely_ OS-specific. It's not an automatable task, as some judgement and manual code inspection may be necessary (some flags may be just in a test file, there may be some false-positives like `FLAGS_start` and `FLAGS_end` that are only sentinel values, the code line may be commented-out, etc.), but at least it gives a list of potential such flags.

tools/osquery-agent-options/osquery_5.11.0_codeflags.txt

@@ -29,14 +29,20 @@ audit_show_untracked_res_warnings
 augeas_lenses
 aws_access_key_id
 aws_debug
+aws_disable_imdsv1_fallback
 aws_enable_proxy
+aws_enforce_fips
 aws_firehose_endpoint
 aws_firehose_period
+aws_firehose_region
 aws_firehose_stream
+aws_imdsv2_request_attempts
+aws_imdsv2_request_interval
 aws_kinesis_disable_log_status
 aws_kinesis_endpoint
 aws_kinesis_period
 aws_kinesis_random_partition_key
+aws_kinesis_region
 aws_kinesis_stream
 aws_profile_name
 aws_proxy_host
@@ -87,7 +93,6 @@ disable_endpointsecurity_fim
 disable_enrollment
 disable_events
 disable_extensions
-disable_forensic
 disable_hash_cache
 disable_logging
 disable_memory
@@ -111,23 +116,36 @@ enable_mouse_events
 enable_ntfs_event_publisher
 enable_numeric_monitoring
 enable_powershell_events_subscriber
+enable_process_etw_events
 enable_syslog
+enable_watchdog_debug
 enable_windows_events_publisher
 enable_windows_events_subscriber
 enable_yara_string
-end
 enroll_always
 enroll_secret_env
 enroll_secret_path
 enroll_tls_endpoint
 ephemeral
+es_fim_enable_open_events
 es_fim_mute_path_literal
 es_fim_mute_path_prefix
+etw_kernel_trace_buffer_size
+etw_kernel_trace_flush_timer
+etw_kernel_trace_maximum_buffers
+etw_kernel_trace_minimum_buffers
+etw_userspace_trace_buffer_size
+etw_userspace_trace_flush_timer
+etw_userspace_trace_maximum_buffers
+etw_userspace_trace_minimum_buffers
 events_enforce_denylist
 events_expiry
 events_max
 events_optimize
 events_streaming_plugin
+experiment_list
+experiments_linuxevents_circular_buffer_size
+experiments_linuxevents_perf_output_size
 extension
 extension_only
 extensions_autoload
@@ -136,10 +154,8 @@ extensions_interval
 extensions_require
 extensions_socket
 extensions_timeout
-filename
 flag
 flagfile
-foo
 force
 groups_service_delay
 groups_service_interval
@@ -148,14 +164,18 @@ hash_cache_max
 hash_delay
 header
 host_identifier
+ignore_registry_exceptions
+ignore_table_exceptions
 install
 json
 json_pretty
 keep_container_worker_open
+keychain_access_cache
+keychain_access_interval
 line
 list
-logbufsecs
 log_dir
+logbufsecs
 logger_event_type
 logger_kafka_acks
 logger_kafka_brokers
@@ -184,8 +204,6 @@ logtostderr
 lxd_socket
 max_log_size
 minloglevel
-no
-nono
 ntfs_event_publisher_debug
 nullvalue
 numeric_monitoring_filesystem_path
@@ -196,14 +214,11 @@ pack_delimiter
 pack_refresh_interval
 pidfile
 planner
-plist_iterations
-port
 profile
 profile_delay
 proxy_hostname
 read_max
 regex_max_size
-registry_exceptions
 rocksdb_background_flushes
 rocksdb_buffer_blocks
 rocksdb_merge_number
@@ -220,7 +235,6 @@ separator
 shell_only
 shell_only_alias
 specified_identifier
-start
 stderrthreshold
 stop_logging_if_full_disk
 syslog_events_expiry
@@ -228,7 +242,6 @@ syslog_events_max
 syslog_pipe_path
 syslog_rate_limit
 table_delay
-table_exceptions
 test_double
 test_double_alias
 test_int32
@@ -269,7 +282,5 @@ watchdog_level
 watchdog_max_delay
 watchdog_memory_limit
 watchdog_utilization_limit
-whatever
 windows_event_channels
-xxx
 yara_delay