From a7aa14fa7604b8ab503d326a10c7188ef6312e58 Mon Sep 17 00:00:00 2001
From: Zach Wasserman
Date: Thu, 9 Dec 2021 09:59:58 -0800
Subject: [PATCH] Enable function-style file carving in Orbit (#3268)
---
 orbit/pkg/osquery/flags.go | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/orbit/pkg/osquery/flags.go b/orbit/pkg/osquery/flags.go
index 09a089605..f7cfaaff6 100644
--- a/orbit/pkg/osquery/flags.go
+++ b/orbit/pkg/osquery/flags.go
@@ -27,6 +27,9 @@ func FleetFlags(fleetURL *url.URL) []string {
 "--logger_plugin=tls",
 "--logger_tls_endpoint=" + path.Join(prefix, "/api/v1/osquery/log"),
 "--disable_carver=false",
+ // carver_disable_function is separate from disable_carver as it controls the use of file
+ // carving as a SQL function (eg. `SELECT carve(path) FROM processes`).
+ "--carver_disable_function=false",
 "--carver_start_endpoint=" + path.Join(prefix, "/api/v1/osquery/carve/begin"),
 "--carver_continue_endpoint=" + path.Join(prefix, "/api/v1/osquery/carve/block"),
 "--carver_block_size=2000000",
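Review bot: The comment on `--carver_disable_function=false` does not say what enabling the flag changes for operators: with it hard-coded in FleetFlags, a `carve(path)` call in any query delivered to the host sends file contents to the carve endpoints, in addition to the table-based carving already enabled by `--disable_carver=false` on the line above. Query review or alerting that keys on the `carves` table name would presumably not match the function form, so I would state that next to the flag, e.g. `// With this enabled any query can carve files via carve(); audit queries for the function as well as the carves table.` The example in the comment should also read `e.g.` rather than `eg.`. FleetFlags begins and ends outside this hunk, so whether a caller can override the flag is not visible here.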