https://github.com/osquery/osquery logo
Title
d

Dan Achin

03/08/2021, 6:39 PM
hello everyone.  I think this question belongs here vs #fleet, but could go either way I guess.  After watching one of the presentations at osquery@scale (Reliable osquery deployment for the paranoid), we have decided that we are going to manage our osquery config at our clients (via puppet mostly) vs setting the config centrally at Fleet (which we do currently).  Current config in our flags file (minus anything sensitive), some of which is already being overridden by Fleet:
--enroll_secret_path=
--tls_hostname=
--host_identifier=
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=3600
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=60
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read
--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/api/v1/osquery/log
--logger_tls_period=10
I'd just like to confirm the recommended approach to do that would be to remove the following settings from our osquery.flags file (and remove the config we are setting at Fleet - the stuff in osquery options / fleetctl get options):
--config_refresh
--config_plugin
--config_tls_endpoint
Anything else?
c

CptOfEvilMinions

03/08/2021, 8:24 PM
You may want to evaluate
--logger_plugin
. If you want to send logs/results to Fleet then leave it as is. If you want to store the logs on disk set it to
filesystem
or both
tls,filesystem
.
d

Dan Achin

03/08/2021, 9:23 PM
Thanks @CptOfEvilMinions, we do want to send the logs to Fleet still. We may or may not decide to keep them locally as well.
c

CptOfEvilMinions

03/08/2021, 9:26 PM
Just my 2 cents. When it’s appropriate I like to store logs on the device if I can. Just incase the logging pipeline goes down and events are missed they still exist on the host for investigation
d

Dan Achin

03/08/2021, 9:54 PM
Right, that makes total sense.
I'm trying to recall why our security team wasn't jazzed on having them local as well. 🙂
c

CptOfEvilMinions

03/08/2021, 10:03 PM
Possible because it gives attackers insight into what you’re logging? Another possibility is things like command line logging can contain secrets.
d

Dan Achin

03/08/2021, 10:16 PM
possibly
g

Gavin

03/08/2021, 10:20 PM
You say that but the config and queries are on disk so it's not always the most difficult to reverse