with the tls config plugin are there expected situations a h osquery #general

with the tls config plugin, are there expected sit...

timb

10/31/2019, 6:35 PM

with the tls config plugin, are there expected situations a host will re-enroll other than receiving an invalid node_key response from the server?

seph

10/31/2019, 6:58 PM

Presumably missing local databases.

timb

10/31/2019, 7:03 PM

huh. so, i went off to take a peek at this; in at least one case the db appears to be there, but it doesn't look like osqueryd has touched it in... awhile

seph

10/31/2019, 7:04 PM

Are you sure it’s using that database?

timb

10/31/2019, 7:07 PM

lsof appears to show it having multiple fds open in the expected folder, at least

seph

10/31/2019, 7:07 PM

Okay then.

seph

10/31/2019, 7:07 PM

I don’t know this corner of the code. I’d believe there are reasons

timb

10/31/2019, 7:07 PM

i've always assumed that the IDENTITY file in osquery.db is related to the node_key; do you know if that's correct?

derwolfe

10/31/2019, 7:57 PM

I don’t think this is true, no. I think the identity file is related to rocks specifically. It helps the system know which SST files to use. Not sure how this plays a role with the manifest

👍 1

derwolfe

10/31/2019, 8:03 PM

see https://github.com/facebook/rocksdb/blob/9bd5fce6e89fcb294a1d193f32f3e4bb2e41d994/file/filename.cc and https://github.com/facebook/rocksdb/blob/979fbdc6968649662ad388984b6a0f288b6c3811/file/filename.h

timb

10/31/2019, 8:38 PM

the short version is that it looks like doing: service osqueryd stop rm -rf $osquery_db is not a great idea; in some cases the worker will still be alive and still have fds open even though the daemon is gone

7 Views

Open in Slack

Previous Next