# general
d
Hello everyone. I think this question belongs here vs #fleet, but could go either way I guess. After watching one of the presentations at osquery@scale (Reliable osquery deployment for the paranoid), we have decided that we are going to manage our osquery config at our clients (via puppet mostly) vs setting the config centrally at Fleet (which we do currently). Current config in our flags file (minus anything sensitive), some of which is already being overridden by Fleet:
--enroll_secret_path=
--tls_hostname=
--host_identifier=
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=3600
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=60
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10
I'd just like to confirm the recommended approach to do that would be to remove the following settings from our osquery.flags file (and remove the config we are setting at Fleet - the stuff in osquery options / fleetctl get options):
--config_refresh
--config_plugin
--config_tls_endpoint
Anything else?
c
You may want to evaluate --logger_plugin. If you want to send logs/results to Fleet then leave it as is. If you want to store the logs on disk set it to filesystem, or both: tls,filesystem.
d
Thanks @CptOfEvilMinions, we do want to send the logs to Fleet still. We may or may not decide to keep them locally as well.
c
Just my 2 cents. When it's appropriate I like to store logs on the device if I can. Just in case the logging pipeline goes down and events are missed, they still exist on the host for investigation.
d
Right, that makes total sense.
I'm trying to recall why our security team wasn't jazzed on having them local as well. 🙂
c
Possibly because it gives attackers insight into what you're logging? Another possibility is that things like command line logging can contain secrets.
d
possibly
g
You say that but the config and queries are on disk so it's not always the most difficult to reverse