https://github.com/osquery/osquery logo
Join Slack
Powered by
<@UB1DCM7C7> you can change the host identifier to...
# general
t
@Rich5 you can change the host identifier to be ephemeral, and that’ll generate a uuid per osquery instance, but then if the daemon restarts you’ll have a new one :/
r
Hmm ok. That could cause some fleet manager issues. Im going to need to think on this more
@thor what if we use ephemeral for the first run and then turn it off. Would the agent keep the initial uuid from then on?
Nevermind. I think using specified_identifier=this.is.the.identifier will work
t
right on. Yeah I am pretty sure that if you run with ephemeral then turn it off, it'll just grab host uuid after it comes back online 😕
r
we're testing with specified_identifier right now. Seems like it should work, but you never know
well so far using something like this doesn't do anything: --host_identifier=specified --specified_identifier=3a3d49c1-b2ef-4cb1-9cdf-d933233e1be0
we still get the old uuid it generated
osqueryi "select uuid from system_info;" +--------------------------------------+ | uuid | +--------------------------------------+ | 8B344D56-855F-DEAC-A75F-B2D957C117C7 | +--------------------------------------+
t
Nice. Yeah whatever works right? 🙂
r
well it didn't work from what it seems
maybe you can double check what I'm seeing here. When the agent enrolls using the tls plugin if calls getHostIdentifier here: https://github.com/facebook/osquery/blob/5aca61375f187fe8b767e186fe2a592749ce1ba7/osquery/remote/enroll/plugins/tls_enroll.cpp#L80
but one I don't see ident (which is returned set to the results from getSpecifiedUUID in the getHostIdentifier function
which then checks the database first for a uuid and returns that or it generates one by calling generateHostUuid
which ultimately just uses the uuid located at /sys/class/dmi/id/product_uuid
ah I see where ident is set. It's passed by reference. Sorry I missed that, but it doesn't appear to be written to the db. So then the system_info table still returns the uuid from the product_uuid file
so after testing for most of the day using these switches --host_identifier=specified --specified_identifier=3a3d49c1-b2ef-4cb1-9cdf-d933233e1be0 does not appear to do anything. No matter what the agent uses the uuid in product_uuid file
even ephemeral doesn't seem to generate a new uuid. It's always the product_uuid
t
Odd... That might be unintended behavior
r
yeah I'm running out of ideas
I've been picking through the code
it's basically like it's just ignoring those flags
ugh I think we figured it out. we had two host_identifier lines in the flag file. so the second one was overwriting the first one set to "specified". So annoying. Sorry to bother you
but it still appears that uuid column in system_info doesn't change if you set the --specified_identifier. Is that by design?
t
@Rich5 might not be by design, but that makes sense, as the uuid value used for enrollment isn't necessarily the same one returned by system info, but I'm not sure if they're supposed to be.
Regardless, glad you got it figured out 🙂
r
I think we'll end up having an internal flagfile check that shows duplicates or something. I'm not doing that again
Open in Slack
PreviousNext
Powered by