Title
#general
thor

thor

07/05/2018, 3:17 PM
@Rich5 you can change the host identifier to be ephemeral, and that’ll generate a uuid per osquery instance, but then if the daemon restarts you’ll have a new one 😕
r

Rich5

07/05/2018, 3:31 PM
Hmm ok. That could cause some fleet manager issues. Im going to need to think on this more
3:43 PM
@thor what if we use ephemeral for the first run and then turn it off. Would the agent keep the initial uuid from then on?
3:48 PM
Nevermind. I think using specified_identifier=this.is.the.identifier will work
thor

thor

07/05/2018, 4:24 PM
right on. Yeah I am pretty sure that if you run with ephemeral then turn it off, it'll just grab host uuid after it comes back online 😕
r

Rich5

07/05/2018, 4:32 PM
we're testing with specified_identifier right now. Seems like it should work, but you never know
4:42 PM
well so far using something like this doesn't do anything: --host_identifier=specified --specified_identifier=3a3d49c1-b2ef-4cb1-9cdf-d933233e1be0
4:42 PM
we still get the old uuid it generated
4:43 PM
osqueryi "select uuid from system_info;" +--------------------------------------+ | uuid | +--------------------------------------+ | 8B344D56-855F-DEAC-A75F-B2D957C117C7 | +--------------------------------------+
thor

thor

07/05/2018, 4:58 PM
Nice. Yeah whatever works right? 🙂
r

Rich5

07/05/2018, 5:14 PM
well it didn't work from what it seems
5:15 PM
maybe you can double check what I'm seeing here. When the agent enrolls using the tls plugin if calls getHostIdentifier here: https://github.com/facebook/osquery/blob/5aca61375f187fe8b767e186fe2a592749ce1ba7/osquery/remote/enroll/plugins/tls_enroll.cpp#L80
5:16 PM
5:18 PM
but one I don't see ident (which is returned set to the results from getSpecifiedUUID in the getHostIdentifier function
5:20 PM
5:21 PM
which then checks the database first for a uuid and returns that or it generates one by calling generateHostUuid
5:21 PM
which ultimately just uses the uuid located at /sys/class/dmi/id/product_uuid
5:37 PM
ah I see where ident is set. It's passed by reference. Sorry I missed that, but it doesn't appear to be written to the db. So then the system_info table still returns the uuid from the product_uuid file
6:44 PM
so after testing for most of the day using these switches --host_identifier=specified --specified_identifier=3a3d49c1-b2ef-4cb1-9cdf-d933233e1be0 does not appear to do anything. No matter what the agent uses the uuid in product_uuid file
6:44 PM
even ephemeral doesn't seem to generate a new uuid. It's always the product_uuid
thor

thor

07/05/2018, 6:45 PM
Odd... That might be unintended behavior
r

Rich5

07/05/2018, 6:49 PM
yeah I'm running out of ideas
6:49 PM
I've been picking through the code
6:54 PM
it's basically like it's just ignoring those flags
8:35 PM
ugh I think we figured it out. we had two host_identifier lines in the flag file. so the second one was overwriting the first one set to "specified". So annoying. Sorry to bother you
8:38 PM
but it still appears that uuid column in system_info doesn't change if you set the --specified_identifier. Is that by design?
thor

thor

07/05/2018, 10:32 PM
@Rich5 might not be by design, but that makes sense, as the uuid value used for enrollment isn't necessarily the same one returned by system info, but I'm not sure if they're supposed to be.
10:32 PM
Regardless, glad you got it figured out 🙂
r

Rich5

07/05/2018, 11:28 PM
I think we'll end up having an internal flagfile check that shows duplicates or something. I'm not doing that again