From 1675b4ee736b3c312bb659528039814aac1368c2 Mon Sep 17 00:00:00 2001
From: Rachael Shaw
Date: Wed, 27 Mar 2024 12:52:05 -0500
Subject: [PATCH] Update agent options for canary team (#17901)
- This is to explore queries for https://github.com/fleetdm/fleet/issues/16899
---
it-and-security/teams/workstations-canary.yml | 26 ++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/it-and-security/teams/workstations-canary.yml b/it-and-security/teams/workstations-canary.yml
index d2c42b0cd7..e5ad3636eb 100644
--- a/it-and-security/teams/workstations-canary.yml
+++ b/it-and-security/teams/workstations-canary.yml
@@ -9,7 +9,31 @@ team_settings:
 secrets:
 - secret: $DOGFOOD_WORKSTATIONS_CANARY_ENROLL_SECRET
 agent_options:
- path: ../lib/agent-options.yml
+ config:
+ decorators:
+ load:
+ - SELECT uuid AS host_uuid FROM system_info;
+ - SELECT hostname AS hostname FROM system_info;
+ options:
+ disable_distributed: false
+ distributed_interval: 10
+ distributed_plugin: tls
+ distributed_tls_max_attempts: 3
+ logger_tls_endpoint: /api/osquery/log
+ logger_tls_period: 10
+ pack_delimiter: /
+ overrides:
+ platforms:
+ darwin:
+ auto_table_construction:
+ tcc:
+ path: /Library/Application Support/com.apple.TCC/TCC.db
+ query: 'select service, client, auth_value, auth_reason from access'
+ columns:
+ - service
+ - client
+ - auth_value
+ - auth_reason
 controls:
 enable_disk_encryption: true
 macos_settings:
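Review bot: The `tcc` entry under `auto_table_construction` reads only the system-wide database at `/Library/Application Support/com.apple.TCC/TCC.db`, so grants recorded in each user's own TCC.db will not appear in this table, and the file should say so. The agent also needs Full Disk Access to open that file; without it the table is likely to come back empty rather than fail, which reads the same as "no grants" to anyone querying it. I would add a comment above `tcc:` such as `# System TCC.db only; per-user grants are not covered. Needs Full Disk Access for the agent - an empty result may mean no access, not no grants.` Separately, replacing `path: ../lib/agent-options.yml` with an inline `config` presumably means this team stops picking up later changes to the shared file, which deserves a one-line comment if the divergence is meant to be temporary.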