Hello, is there a configuration parameter that den...
# general
j
Hello, is there a configuration parameter that denies osquery to use any extensions?
s
there is the `--disable_extensions` flag — which disables the extension APIs in osquery
j
thanks
Can access to extensions be managed? I mean some extensions may provide sensitive data that shouldn't be accessible to anybody performing a query against osquery.
s
Apologies, I am not sure I follow your question exactly. osquery by itself doesn’t bundle or link any extensions. If one is linking other external extensions, then it’s up to the person linking the extension to determine whether it provides any sensitive data
j
as osquery is used by a multitude of applications, you may have several extensions installed on one server, each extension for a different app. So the apps shouldn't be allowed to peek into data tables of other apps.
s
> as osquery is used by a multitude of applications

that kinda depends on the vendor bundling the osquery inside of their apps
if you control the configuration, then you can use the `--disable_extensions` and `--disable_tables` and `--enable_tables` flags to fine tune it
j
i was rather thinking about some authentication mechanism to query particular tables.
s
osquery itself doesn’t have any way to do that
the TLS server/manager could potentially have that logic, but again I am not aware of any
j
thanks
s
Osquery does not have any internal users, ACLs, RBAC, or similar. Access is to everything or nothing.