Hi guys has somebody experienced issues when pushing `disabl

Question

Hi guys has somebody experienced issues when pushing `disable tables` config from fleet config yaml For me it seems that the value is pushed since running a query to `osquery flags` gives me the right value but the table does not get disabled For some reason OSQuery is ignoring it I could see a similar behavior in <https github com osquery osquery issues 6041> but it seems like that bug is already fixed im using OSQuery 4 5 0

Juan Alvarez · Answer

Also if i put the flag in OSquery s flags file the config works right away

zwass · Answer

Sounds like probably another bug in osquery Best to file an issue with as much detail as you can about how to reproduce

theopolis · Answer

I am not certain but based on your observation and based on the code here <https github com osquery osquery blob d2d904f59ff37eab20cd79f65a738fa926c71faa osquery sql sqlite util cpp L403> it looks like this flag is only read once at startup and that `disable tables` should be a flag only not a configuration option

zwass · Answer

I think that is probably the intent IME folks want to be able to disable tables with a flag file so that those tables can t be accessed from a server like Fleet If the server could set the config option that would defeat the mitigation

theopolis · Answer

In the case of Fleet and similar orchestrators is there a RBAC that selects who can issue queries and who can configure flags If there is a separation of priv there then it would still be an OK mitigation

theopolis · Answer

e g Users of Fleet can issue queries and cannot change flags and admins of Fleet can change flags

Juan Alvarez · Answer

i see based in the conversation in 6041 i was under the impression that it should work from the `options`