Hi guys, has somebody experienced issues when pushing

disable_tables

config from fleet config yaml? For me, it seems that the value is pushed, since running a query to

osquery_flags

gives me the right value but the table does not get disabled. For some reason, OSQuery is ignoring it... I could see a similar behavior in https://github.com/osquery/osquery/issues/6041 but it seems like that bug is already fixed (im using OSQuery 4.5.0)

Sounds like probably another bug in osquery. Best to file an issue with as much detail as you can about how to reproduce.

I am not certain but based on your observation and based on the code here: https://github.com/osquery/osquery/blob/d2d904f59ff37eab20cd79f65a738fa926c71faa/osquery/sql/sqlite_util.cpp#L403 it looks like this flag is only read once (at startup) and that

disable_tables

should be a flag only (not a configuration option)

I think that is probably the intent. IME folks want to be able to disable tables with a flag file so that those tables can't be accessed from a server like Fleet. If the server could set the config option, that would defeat the mitigation.

In the case of Fleet and similar orchestrators, is there a RBAC that selects who can issue queries and who can configure flags? If there is a separation of priv there then it would still be an OK mitigation.

i see, based in the conversation in #6041 i was under the impression that it should work from the

options