# fleet
o
Hey Fleet folks, my team has identified that Fleet communication can be blocked by changing the /etc/hosts file. We tried it with some other agents like CrowdStrike etc. and they didn't stop communicating. Maybe they have a backup plan to communicate with IP and not DNS. Any solutions to this?
j
Use an IP address instead of a domain name?
o
So instead of querying fleet.*.com, query by the IP of the server. Have a fallback plan if the DNS query doesn't work, maybe have something on the backend to communicate.
j
Well, if you don't control the TLS server osquery uses, I wouldn't recommend the IP address method. You never know if the address will change. Make it a matter of policy that nodes must comply with having osquery installed and configured properly.
o
It is installed and configured, but as you see, someone with elevated privs can just stop it by changing /etc/hosts. Yes, we can monitor the changes, and yes, we can stop the file from being changed, but there are cases where it would be needed for testing, development, etc.
c
You're going to really struggle to stop a privileged user from disabling the agent of any software if that's what they want to do.
j
Yeah, they can uninstall osquery. That's why you need a policy you can enforce also.