Channels
#general
Title
# general
t
thor
07/05/2018, 3:17 PM
@Rich5 you can change the host identifier to be ephemeral, and that’ll generate a uuid per osquery instance, but then if the daemon restarts you’ll have a new one :/
r
Rich5
07/05/2018, 3:31 PMHmm ok. That could cause some fleet manager issues. Im going to need to think on this more
@thor what if we use ephemeral for the first run and then turn it off. Would the agent keep the initial uuid from then on?
Nevermind. I think using specified_identifier=this.is.the.identifier will work
t
thor
07/05/2018, 4:24 PM
right on. Yeah I am pretty sure that if you run with ephemeral then turn it off, it'll just grab host uuid after it comes back online 😕
r
Rich5
07/05/2018, 4:32 PMwe're testing with specified_identifier right now. Seems like it should work, but you never know
well so far using something like this doesn't do anything:
--host_identifier=specified
--specified_identifier=3a3d49c1-b2ef-4cb1-9cdf-d933233e1be0
we still get the old uuid it generated
osqueryi "select uuid from system_info;"
+--------------------------------------+
| uuid |
+--------------------------------------+
| 8B344D56-855F-DEAC-A75F-B2D957C117C7 |
+--------------------------------------+
t
thor
07/05/2018, 4:58 PM
Nice. Yeah whatever works right? 🙂
r
Rich5
07/05/2018, 5:14 PMwell it didn't work from what it seems
maybe you can double check what I'm seeing here. When the agent enrolls using the tls plugin if calls getHostIdentifier here: https://github.com/facebook/osquery/blob/5aca61375f187fe8b767e186fe2a592749ce1ba7/osquery/remote/enroll/plugins/tls_enroll.cpp#L80
getHostIdentifier should then call getSpecifiedUUID if the flags are set https://github.com/facebook/osquery/blob/74cee943f30d595e95b01ad557ff23297b1ae337/osquery/core/system.cpp#L258
but one I don't see ident (which is returned set to the results from getSpecifiedUUID in the getHostIdentifier function
and two if we then query select uuid from system_info it calls getHostUUID here https://github.com/facebook/osquery/blob/5aca61375f187fe8b767e186fe2a592749ce1ba7/osquery/tables/system/linux/system_info.cpp#L33
which then checks the database first for a uuid and returns that or it generates one by calling generateHostUuid
which ultimately just uses the uuid located at /sys/class/dmi/id/product_uuid
ah I see where ident is set. It's passed by reference. Sorry I missed that, but it doesn't appear to be written to the db. So then the system_info table still returns the uuid from the product_uuid file
so after testing for most of the day using these switches
--host_identifier=specified
--specified_identifier=3a3d49c1-b2ef-4cb1-9cdf-d933233e1be0
does not appear to do anything. No matter what the agent uses the uuid in product_uuid file
even ephemeral doesn't seem to generate a new uuid. It's always the product_uuid
t
thor
07/05/2018, 6:45 PM
Odd... That might be unintended behavior
r
Rich5
07/05/2018, 6:49 PMyeah I'm running out of ideas
I've been picking through the code
it's basically like it's just ignoring those flags
ugh I think we figured it out. we had two host_identifier lines in the flag file. so the second one was overwriting the first one set to "specified". So annoying. Sorry to bother you
but it still appears that uuid column in system_info doesn't change if you set the --specified_identifier. Is that by design?
t
thor
07/05/2018, 10:32 PM
@Rich5 might not be by design, but that makes sense, as the uuid value used for enrollment isn't necessarily the same one returned by system info, but I'm not sure if they're supposed to be.
Regardless, glad you got it figured out 🙂
r
Rich5
07/05/2018, 11:28 PMI think we'll end up having an internal flagfile check that shows duplicates or something. I'm not doing that again