Should osquery be run as root?
We are deploying osquery but don't have permission to run it as root on Linux. Escalated privileges can be given. Will there be an issue if we run osquery with escalated privileges?
Grant Bilstad
04/08/2024, 4:49 PM
Hey @Jay,
the fleetd agent does expect elevated/root/system permissions. This is also important for script execution. Would expect to be a similar case for plain osquery, otherwise will run into all sorts of table issues and strangeness.
Jay
04/14/2024, 1:50 PM
Thank you @Grant Bilstad. Company policies prohibit root permissions, but we can have elevated permissions. Can you point me to some documentation which lists the elevated permissions required for osquery?
Hi @Lucas Rodriguez
Thank you, this is informative.
It says the recommended way is as root. As per our policy, we can have elevated permission but not root. It may be difficult to get the approval.
Any alternatives? I can have a user with elevated privileges.
Lucas Rodriguez
04/23/2024, 2:20 PM
Hi @Jay! Sorry, Fleet doesn't support running osquery in non-root mode.
As far as I can see in some osquery GitHub issues, some users manage to run it as non-root but end up having issues with some tables, e.g.: https://github.com/osquery/osquery/issues/6484#issuecomment-664480831
So it really depends on the information/tables you would need to query.
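Since which tables break depends on what you need to query, a small probe script helps answer that for your own deployment. It is added here as an example, not code from the thread, osquery or Fleet; it assumes osqueryi is on PATH (override OSQUERY_BIN to point elsewhere) and runs one query per table as the current user, reporting ok, empty or error.

```shell
#!/bin/sh
# Added example, not from the thread: probe which osquery tables the
# current (non-root) user can actually read, so a team that is not
# allowed to run osquery as root can see whether the tables it needs
# still return data. Assumes osqueryi is on PATH; override OSQUERY_BIN
# to point elsewhere.
OSQUERY_BIN="${OSQUERY_BIN:-osqueryi}"

# probe_table TABLE -> prints "ok", "empty" or "error".
# "empty" is the case to watch: the query succeeds but returns no rows,
# which is how missing permissions on system tables often surface.
probe_table() {
    table="$1"
    status=0
    out=$("$OSQUERY_BIN" --json "SELECT * FROM $table LIMIT 1;" 2>/dev/null) || status=$?
    # osqueryi prints an empty result set as "[\n\n]"; strip whitespace before comparing
    rows=$(printf '%s' "$out" | tr -d ' \n\t\r')
    if [ "$status" -ne 0 ] || [ -z "$rows" ]; then
        echo "error"
    elif [ "$rows" = "[]" ]; then
        echo "empty"
    else
        echo "ok"
    fi
}

# probe_tables "t1 t2 ..." -> one "TABLE STATUS" line per table;
# returns 1 if any table is not "ok", so it can gate a deployment check.
probe_tables() {
    failed=0
    for t in $1; do
        s=$(probe_table "$t")
        printf '%s %s\n' "$t" "$s"
        [ "$s" = "ok" ] || failed=1
    done
    return "$failed"
}

# Example run against a constructed list of commonly collected tables:
# probe_tables "os_version users processes listening_ports shadow"
```

Run it once as the unprivileged service account you intend to use and compare the output with the table list your queries actually depend on.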