Hey Community Wanted to check on a critical issue...
# fleet
o
Hey Community, wanted to check on a critical issue we have. If one of our agents is installed on a random personal machine of someone and we have no way to delete it, can that cause us any harm? Can they extract secrets from the agent and talk back to the server, or something else? From a security standpoint, how do we tackle this?
k
In theory, if it is a threat actor, they can see what queries you are running and attempt to evade those on your endpoints.
g
Hey @Ojas, Secrets are only used at the time of enrollment. This means you can remove the "trouble host" from Fleet and rotate the secret. Your hosts with the old secret will still be checking into Fleet normally. (Could keep the old secret in a vault if ever need to redeploy to your endpoints to save yourself some work).
o
Hey @Grant Bilstad, thanks for your input, but I wanted to save the trouble of creating a new agent with a rotated secret and deploying it again. So if I delete the agent, it comes back online because it's live and there is nothing like blocking or self-destruct of agents. With that, I wanted to understand if there are any security issues if the agent gets into the wrong hands.
Is there a chance we can rotate the secret without installing all the agents again?
k
Once the agents are enrolled they get a node_secret, and they only need the enrollment secret if they don't check in for your expiry period.
o
So how can I rotate the enrollment secret?
g
Hey @Ojas, it is a bit further down in the doc linked previously, or it can be set in the Fleet Console/UI.
o
@Grant Bilstad but wouldn't that update it on the rogue agent as well? How do I remove or delete that?
k
Nothing is changed on the hosts when you rotate an enroll secret in Fleet. Existing enrollments continue to be valid, but no new hosts can enroll with that secret. Once you remove the "rogue" host from Fleet, it will try to check in again and get an "invalid node key" error. This triggers the enrollment process, which will fail because the enroll secret available to it is invalid.
As long as your other hosts aren't removed from Fleet, they'll continue to check in as usual.
Until/unless the agent is removed and reinstalled (assuming it was reinstalled using the package with the old enroll secret), or the osquery database is corrupted.
You'd need to generate a new package with the updated enroll secret to deploy to any new hosts you want to add to Fleet.