https://github.com/osquery/osquery logo
Join Slack
Powered by
Hello guys Good morning from Nigeria :flag-ng:. ...
# general
a
Hello guys Good morning from Nigeria ๐Ÿ‡ณ๐Ÿ‡ฌ. Question: Osquery Enrollment 
uuid
logic During the enrollment 
osqueryd
makes a 
POST
request to the 
server: /enroll
in which the request data contains 
uuid:
value is there a specific 
logic
behind this and in what 
probability
will the 
uuid
occur 
once
around the world ๐ŸŒŽ ๐ŸŒ€
j
It depends on the node. I've seen plenty of duplicate UUIDs because of faulty hardware and/or firmware bugs.
a
@John Speno Thanks
Suggestions: UUID management Since there is a high chance of duplicate 
uuid
we can 
generate 32 random characters
to concatenate with the actual 
uuid
uuid+'.'+rand_id
Note: we check the database for any existing 
rand_id
In this case, we split them on our server whenever we want to make use of it.
Copy code
split_uuid[0]
split_uuid[1]
j
I think the issues with UUID stem from how osquery chooses it. If it takes the value from the hardware, then you may encounter the issues I've noted. There's always 
instance_uuid
which might be a better choice. I'd recommend reading the source to see how those things are set.
a
Yeah, good suggestion since it's open-source thanks @John Speno
s
There are configuration options around this behavior:
Copy code
$ osqueryd --help | grep host_identifier
    --host_identifier VALUE                          Field used to identify the host running osquery (hostname, uuid, instance, ephemeral, specified)
    --specified_identifier VALUE                     Field used to specify the host_identifier when set to "specified"
๐Ÿค” 1
๐ŸŒ€ 1
j
That does set the 
hostIdentifier
as sent in the various logs, but it doesn't have any impact on what data is sent during the enroll process, AFAIK.
s
Itโ€™s been awhile since I looked at this code, but Iโ€™d have expexcted it to effect enrollment. Hrm
j
During enrollment, osquery sends the contents of the 
osquery_info
table (among others) which contains both the 
uuid
and 
instance_uuid
. It also sends 
host_identifier
which is affected by the 
--host_identifier
. It would be up to the backend system to determine how to use that data. I only know what Fleet does, which is to use the 
uuid
๐Ÿซถ 1
s
Ah, that fits my expectations โ€” osquery sends it, but itโ€™s up to the servers to use it as they choose.
Open in Slack
PreviousNext
Powered by