Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Is there a way to have osquery endpoints to send tokens of some sort or custom headers so we can look for those on our reverse proxy? to get some better validation that just letting anything hit the /v1/api/osquery/* endpoint?

There is a node key that is sent along with requests from osquery that is used to authenticate the transaction on the Fleet side.

is there an easy way to acquire all the node keys of our enrolled hosts?

also, where exactly in the requests made by the hosts should we be expecting the node-key?

The node key is is present in the request body:

<https://osquery.readthedocs.io/en/stable/deployment/remote/#:~:text=%7B%0A%20%20%22node_key%22%3A%20%22...%22%2C%20//%20Optionally%20blank%0A%20%20%22log_type%22%3A%20%22result%22%2C%20//%20Either%20%22result%22%20or%20%22status%22%0A%20%20%22data%22%3A%20%5B%0A%20%20%20%20%7B...%7D%20//%20Each%20result%20event%2C%20or%20status%20event%0A%20%20%5D%0A%7D|https://osquery.readthedocs.io/en/stable/deployment/remote/#:~:text=%7B%0A%20%20%22node_key%22%3A%20%2[…]%2C%20or%20status%20event%0A%20%20%5D%0A%7D>

In Fleet, the node keys are stored in the MySQL database, but they aren't necessarily immutable and will change any time a host needs to re-enroll, which can happen for a number of reasons (the agent is re-installed, there's an error in Fleet during the authentication, issues with the osquery database, hosts that are removed in Fleet due to host expiry, etc).

Is there concern about that authentication not being sufficient?

its more so just how my deployment is architected. the fleet server is being hosted internally. and im using a reverse proxy/api gateway to allow hosts that leave the network to still check-in

i would rather auth them sooner (at the edge) instead of waiting for them to get all the way to the fleet server (which has nginx in front of it too)

so gonna look into the info you just gave me and see if i can use that to authenticate hosts that send over a valid node key as a means of authing only my actually enrolled hosts coming from public IP space

Looking in to the Headers option as well... I'm not seeing a way to modify the headers, but it may be doable.

yeah was just thinking passing some relatively static token (kinda like the enrollment token) across all hosts would be nice, vs me trying to dump all of the node keys which may change and figuring that out.

Where are you terminating TLS? If you're using a proxy that supports mTLS, you can <https://osquery.readthedocs.io/en/1.8.2/deployment/remote/#:~:text=enroll_secret_env%3DNAME_OF_VARIABLE.-,TLS%20client%2Dauth%20enrollment,-If%20the%20node|deploy a client certificate to osquery>

atm internally tls is terminated on nginx. i'm using the fleetdm-automation docker community project

im sort of building onto that, by wanting to let hosts still check in when they leave our network (off-vpn) so im using apigee (acting as another proxy) to broker the comms from outside/public IP space and forwarding them to the internal setup