you can change the host identifier to be ephemeral

Question

< Rich5> you can change the host identifier to be ephemeral and that ll generate a uuid per osquery instance but then if the daemon restarts you ll have a new one

Rich5 · Answer

Hmm ok That could cause some fleet manager issues Im going to need to think on this more

Rich5 · Answer

< thor> what if we use ephemeral for the first run and then turn it off Would the agent keep the initial uuid from then on

Rich5 · Answer

Nevermind I think using specified identifier=this is the identifier will work

thor · Answer

right on Yeah I am pretty sure that if you run with ephemeral then turn it off it ll just grab host uuid after it comes back online confused

Rich5 · Answer

we re testing with specified identifier right now Seems like it should work but you never know

Rich5 · Answer

well so far using something like this doesn t do anything host identifier=specified specified identifier=3a3d49c1 b2ef 4cb1 9cdf d933233e1be0

Rich5 · Answer

we still get the old uuid it generated

Rich5 · Answer

osqueryi select uuid from system info + + | uuid | + + | 8B344D56 855F DEAC A75F B2D957C117C7 | + +

thor · Answer

Nice Yeah whatever works right slightly smiling face

Rich5 · Answer

well it didn t work from what it seems

Rich5 · Answer

maybe you can double check what I m seeing here When the agent enrolls using the tls plugin if calls getHostIdentifier here <https github com facebook osquery blob 5aca61375f187fe8b767e186fe2a592749ce1ba7 osquery remote enroll plugins tls enroll cpp L80>

Rich5 · Answer

getHostIdentifier should then call getSpecifiedUUID if the flags are set <https github com facebook osquery blob 74cee943f30d595e95b01ad557ff23297b1ae337 osquery core system cpp L258>

Rich5 · Answer

but one I don t see ident which is returned set to the results from getSpecifiedUUID in the getHostIdentifier function

Rich5 · Answer

and two if we then query select uuid from system info it calls getHostUUID here <https github com facebook osquery blob 5aca61375f187fe8b767e186fe2a592749ce1ba7 osquery tables system linux system info cpp L33>

Rich5 · Answer

which then checks the database first for a uuid and returns that or it generates one by calling generateHostUuid

Rich5 · Answer

which ultimately just uses the uuid located at sys class dmi id product uuid

Rich5 · Answer

Rich5 · Answer

ah I see where ident is set It s passed by reference Sorry I missed that but it doesn t appear to be written to the db So then the system info table still returns the uuid from the product uuid file

Rich5 · Answer

so after testing for most of the day using these switches host identifier=specified specified identifier=3a3d49c1 b2ef 4cb1 9cdf d933233e1be0 does not appear to do anything No matter what the agent uses the uuid in product uuid file

Rich5 · Answer

even ephemeral doesn t seem to generate a new uuid It s always the product uuid

thor · Answer

Odd That might be unintended behavior

Rich5 · Answer

yeah I m running out of ideas

Rich5 · Answer

I ve been picking through the code

Rich5 · Answer

it s basically like it s just ignoring those flags

Rich5 · Answer

ugh I think we figured it out we had two host identifier lines in the flag file so the second one was overwriting the first one set to specified So annoying Sorry to bother you

Rich5 · Answer

but it still appears that uuid column in system info doesn t change if you set the specified identifier Is that by design

thor · Answer

< Rich5> might not be by design but that makes sense as the uuid value used for enrollment isn t necessarily the same one returned by system info but I m not sure if they re supposed to be

thor · Answer

Regardless glad you got it figured out slightly smiling face

Rich5 · Answer

I think we ll end up having an internal flagfile check that shows duplicates or something I m not doing that again