# fleet
k
I am deploying osquery and fleet integration for a new initiative at work. At the time of establishing communication between osquery and fleet, the osquery host needs the 'enrollsecret' file to register itself with the Fleet server. From the security perspective, what are the repercussions if the secret file falls into the wrong hands? An immediate answer I could think of - someone else can also register an unintended host with Fleet, but that's just it. What else can go wrong? We are trying to estimate the damage that can happen with the file being open in the repository at the moment.
j
It may increase the attack surface for a denial of service attack, but beyond that, I haven't thought of anything else.
k
The biggest concern I would have is that someone could use that host to get a picture of the queries you're running. That could give them a leg up in knowing what activity is likely to be caught.
k
Thanks @John Speno, @Kathy Satterlee for the valuable inputs!
k
Internally, we use GitHub secrets to handle enroll secrets in our GitOps workflow :)
k
@Kathy Satterlee: Interested in learning how you achieved that! Not an expert in the GitHub space. Is it documented somewhere for my reading?
k
We've got an example 🙂 https://github.com/fleetdm/fleet-gitops
k
Hey @John Speno, @Kathy Satterlee - revisiting your replies today, specifically for the DDoS angle you mentioned. Do you think just the secret file is enough for DDoS? The hacker would also need the Fleet certificate to initiate the attack, right? These are my thoughts. What do you guys think?
j
If you mean a client side certificate, then yes.