👋 I'm new to osquery and trying to learn as much as possible. Let's say I have two roles: Role A and Role B. How can I configure access restrictions so that Role A can only query the

processes

table and Role B can only access the

listening_ports

table? Does fleet management software handle these permissions, or should this be set up directly in osquery? Additionally, suppose admins can submit SQL queries via an API (imagine a web app that consumes SQL queries so admins can monitor their fleet). How can I prevent potential SQL injection attacks? Would really appreciate input on this, thanks in advance 🙂

Osquery does not have any internal access control ideas.

I see so let’s say that I’m trying to deploy it to 100 laptops in an org and then I want to run a query to list the processes running on each laptop. Would the query then be executed on each host machine and then sent back to the admin?

osquery is tool/agent/daemon that runs on a device. It can work interactively of execute a set of queries from a config file and log the results. It supports a remote TLS server, which can send queries, configure logging, etc. This remote TLS server is one of the more common ways to use it. Osquery itself does not distributed a remote server. There are both commercial and open source ones kicking around

Ah I see thank you for explaining

It supports a remote TLS server, which can send queries, configure logging, etc. This remote TLS server is one of the more common ways to use it. Osquery itself does not distributed a remote server. There are both commercial and open source ones kicking around

Is this what fleet management software takes care of like FleetDM or Kolide?

Yes, among others… Though Kolide is a company (and my employer) whose product is designed to integrate into Okta login flows and block access until issues have been remediated. See https://lp.kolide.co/demo (Also, Kolide was acquired by 1password in Feburary)