Goal
Extracted from #5222 (see https://github.com/fleetdm/fleet/issues/5222#issuecomment-1251096271).
The various Agent Options settings are now validated based on their data type, but reading the osquery documentation about those settings indicates that there are a number of settings that have restrictions that go beyond their data type. That is, a value may be correct for the required data type of a setting, but may still be invalid for osquery. While we don't currently validate those extra restrictions (it might be very hard to cover them all and keep them up to date on each release), we should at least document them as much as we can, as clearly as we can.
Some examples of such restrictions:
- `query` should be valid SQL.
- `platform` should represent valid platform labels and be comma-separated if it has more than one.
- `shard` is meant to be a percentage between 1-100.
- `file_paths` in the YARA section must match those in the top-level `file_paths` key, it must also refer to a valid signature name from the `signatures` array, the signatures must be valid file paths.
- `urls` must be valid URLs.
- `interval` section's keys must be numbers (as strings), and those numbers must be divisible by 60 as they represent minute intervals. "Anything not divisible by 60 will generate a warning, and will not run."
- FIM options (such as `exclude_paths`) are only mentioned in this FIM-specific doc page, and not in the general configuration page.

As you can see, there are many such restrictions that can be found.
How?
Frontend
No impact on frontend, purely a documentation change.
Backend
No impact on backend, purely a documentation change.
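To make the restrictions above concrete, here is an added example (not Fleet's or osquery's code) that checks a few of them on a config that already passes type validation. It assumes `shard` and `platform` sit on `schedule` entries, the `interval` section sits under `decorators`, and the YARA `signatures` section maps group names to file paths; the `PLATFORMS` set and the sample config are constructed for illustration.

```python
# Added example: semantic checks for some restrictions listed in this issue.
# Assumed layout: schedule.<name>.{shard,platform}, decorators.interval,
# top-level file_paths, yara.{signatures,file_paths}. Not Fleet's validator.
PLATFORMS = {"darwin", "linux", "windows", "posix", "freebsd", "any", "all"}

def check_agent_options(config):
    """Return a list of problems that data-type validation alone would miss."""
    problems = []
    for name, q in config.get("schedule", {}).items():
        # shard is a percentage: an integer can be well-typed and still out of range
        shard = q.get("shard")
        if shard is not None and not 1 <= shard <= 100:
            problems.append(f"schedule.{name}.shard: {shard} is not between 1 and 100")
        # platform is a comma-separated list of platform labels
        if q.get("platform") is not None:
            for label in (part.strip() for part in q["platform"].split(",")):
                if label not in PLATFORMS:
                    problems.append(f"schedule.{name}.platform: unknown label {label!r}")
    # interval keys are numbers written as strings and must be divisible by 60
    for key in config.get("decorators", {}).get("interval", {}):
        if not (key.isdigit() and int(key) > 0 and int(key) % 60 == 0):
            problems.append(f"decorators.interval: {key!r} is not a multiple of 60")
    # yara.file_paths keys must exist in top-level file_paths, and each value
    # must name a signature group defined in yara.signatures
    yara = config.get("yara", {})
    for category, groups in yara.get("file_paths", {}).items():
        if category not in config.get("file_paths", {}):
            problems.append(f"yara.file_paths.{category}: no matching top-level file_paths key")
        for group in groups:
            if group not in yara.get("signatures", {}):
                problems.append(f"yara.file_paths.{category}: unknown signature group {group!r}")
    return problems

# Constructed sample: every value has the right data type, five are still invalid.
SAMPLE = {
    "schedule": {"procs": {"query": "SELECT * FROM processes;", "interval": 300,
                           "platform": "linux,macos", "shard": 150}},
    "decorators": {"interval": {"3600": ["SELECT 1;"], "90": ["SELECT 2;"]}},
    "file_paths": {"etc": ["/etc/%%"]},
    "yara": {"signatures": {"sig_group_1": ["/var/osquery/yara/example.sig"]},
             "file_paths": {"etc": ["sig_group_1"], "tmp": ["sig_group_2"]}},
}

if __name__ == "__main__":
    for problem in check_agent_options(SAMPLE):
        print(problem)
```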