#fleet
Artem

05/12/2022, 3:47 PM
Hi there! I think I found a bug, but maybe I just need some explanation. If I set the
disable_tables: 'curl'
osquery option via the Fleet UI (inspired by https://www.tenchisecurity.com/abusing-the-osquery-curl-table-for-pivoting-into-cloud-environments/), it continues to work! It looks like this option only applies after restarting the osqueryd service on the endpoint. Is this the right behavior? It looks strange, but maybe I'm just doing something the wrong way…
Lucas Rodriguez

05/13/2022, 12:40 PM
Hi @Artem! That is correct. Such an option requires a restart of osquery to take effect. I was able to reproduce the behavior in Fleet.
Artem

05/14/2022, 8:10 PM
@Lucas Rodriguez thank you! Got it! Just for a probable future feature request, it would be really cool if it were possible to change such behavior without restarting osquery on endpoints.