https://github.com/osquery/osquery logo
Powered by
#general
Title
# general
j

Juan Alvarez

12/29/2020, 1:34 PM
Hi guys, has somebody experienced issues when pushing 
disable_tables
config from fleet config yaml? For me, it seems that the value is pushed, since running a query to 
osquery_flags
gives me the right value but the table does not get disabled. For some reason, OSQuery is ignoring it... I could see a similar behavior in https://github.com/osquery/osquery/issues/6041 but it seems like that bug is already fixed (im using OSQuery 4.5.0)
Also, if i put the flag in OSquery´s .flags file, the config works right away
z

zwass

12/29/2020, 4:01 PM
Sounds like probably another bug in osquery. Best to file an issue with as much detail as you can about how to reproduce.
t

theopolis

12/29/2020, 4:39 PM
I am not certain but based on your observation and based on the code here: https://github.com/osquery/osquery/blob/d2d904f59ff37eab20cd79f65a738fa926c71faa/osquery/sql/sqlite_util.cpp#L403 it looks like this flag is only read once (at startup) and that 
disable_tables
should be a flag only (not a configuration option)
z

zwass

12/29/2020, 4:44 PM
I think that is probably the intent. IME folks want to be able to disable tables with a flag file so that those tables can't be accessed from a server like Fleet. If the server could set the config option, that would defeat the mitigation.
t

theopolis

12/29/2020, 4:48 PM
In the case of Fleet and similar orchestrators, is there a RBAC that selects who can issue queries and who can configure flags? If there is a separation of priv there then it would still be an OK mitigation.
e.g., Users of Fleet can issue queries and cannot change flags, and admins of Fleet can change flags
j

Juan Alvarez

12/29/2020, 5:15 PM
i see, based in the conversation in #6041 i was under the impression that it should work from the 
options
2 Views
Powered by