Since

osquery

is more of a read only tool to query data, it would be very powerful to target a list of hosts with

ansible

where specific properties are set.

This came to my mind because I need to find hosts that are vulnerable to

CVE-2022-1966

. There is a workaround with a simple

sysctl

option that need to be set in order to make a system resilient.

As a first attempt I simply append a list of the host returned by a

fleet

query to an inventory file in

ini

format:

fleetctl query --labels "All Linux" --query "SELECT * FROM system_controls WHERE name='kernel.unprivileged_userns_clone' AND current_value='1'" | jq '.host' | sed -e 's/"//g' > Desktop/vulnerable.ini

This works fine so far.