From 9ee09cd13391d127e5b12857810db7a85c3a30ae Mon Sep 17 00:00:00 2001 From: Sharvil Shah Date: Wed, 7 Dec 2022 13:01:03 +0530 Subject: [PATCH] Document usage of `command_line_flags` (#8398) --- .../Using-Fleet/configuration-files/README.md | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/docs/Using-Fleet/configuration-files/README.md b/docs/Using-Fleet/configuration-files/README.md index 96e9cda94..6b9d33032 100644 --- a/docs/Using-Fleet/configuration-files/README.md +++ b/docs/Using-Fleet/configuration-files/README.md 
@@ -821,6 +821,51 @@ You can verify that your agent options are valid by using [the fleetctl apply co Existing options will be overwritten by the application of this file. +##### `command_line_flags` option + +> This feature requires [Orbit, the Fleet agent manager](https://fleetdm.com/announcements/introducing-orbit-your-fleet-agent-manager). + +The `command_line_flags` key inside of `agent_options` allows you to remotely manage the osquery command line flags. These command line flags are options that typically require osquery to restart for them to take effect. But with Orbit, you can use the `command_line_flags` key to take care of that. Orbit will write these to the flagfile on the host and pass it to osquery. + +To see the full list of these osquery command line flags, please run `osquery` with the `--help` switch. + +Just like the other `agent_options` above, remove the dashed lines (`--`) for Fleet to successfully update them. + +Here is an example of using the `command_line_flags` key: + +```yaml +apiVersion: v1 +kind: config +spec: + agent_options: + command_line_flags: # requires Fleet's osquery installer + verbose: true + disable_watchdog: false + logger_path: /path/to/logger +``` + +Note that the `command_line_flags` key does not support the `overrides` key, which is documented below. + +You can verfiy that these flags have taken effect on the hosts by running a query against the `osquery_flags` table. + +If you revoked an old enroll secret, this feature won't work for hosts that were added to Fleet using this old enroll secret. This is because Orbit uses the enroll secret to receive new flags from Fleet. For these hosts, all existing features will work as expected. + +For further documentation on how to rotate enroll secrets, please see [this guide](https://fleetdm.com/docs/deploying/faq#how-can-enroll-secrets-be-rotated). + +If you prefer to deploy a new package with the updated enroll secret: + +1. 
Check which hosts need a new enroll secret by running the following query: `SELECT * FROM orbit_info WHERE enrolled = false`. + +> The hosts that don't have Orbit installed will return an error because the `orbit_info` table doesn't exist. You can safely ignore these errors. + +2. In Fleet, head to the Hosts page and select **Add hosts** to find the fleetctl package command with an active enroll secret. + +3. Copy and run the fleetctl package command to create a new package. Distribute this package to the hosts that returned results in step 1. + +4. Done! + + + > In order for these options to be applied to your hosts, the `osquery` agent must be configured to use the `tls` config plugin and pointed to the correct endpoint. If you are using Orbit to enroll your hosts, this is done automatically. ```
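Review bot: "verfiy" in the added sentence "You can verfiy that these flags have taken effect on the hosts..." (just after the YAML example) should be "verify". In the same hunk, the enroll secret paragraph says "this feature won't work" and then "all existing features will work as expected" for the same hosts. Since it also states that Orbit uses the enroll secret to receive new flags, say outright that only `command_line_flags` delivery is affected, so an operator who has rotated a secret knows which hosts are still running stale flags. The inline YAML comment "requires Fleet's osquery installer" uses a different name from the "Orbit" callout at the top of the section, so pick one term. "Remove the dashed lines (`--`)" would read more clearly as "omit the leading `--` from each flag name". The instruction to run `osquery` with `--help` should name the actual binary, for example `osqueryd --help`. Finally, the blockquote placed between steps 1 and 2 is not indented under item 1, which can break the numbered list in Markdown renderers; indenting it keeps steps 2 to 4 in the same list.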