# fleet
t
I have a question: is it possible for osqueryd to register with two concurrent (but different!) fleetdm backends?
m
You could run 2 separate instances of osqueryd, each configured for a different fleet server
At the moment, it's not possible to have a single instance talk to multiple backends
n
@Tor Houghton this is a very interesting use case. I think this has been raised by others in the community in the past. To help the Fleet team understand your use case, why do you want osqueryd to register with two backends?
t
So, the use case is really rather simple. I have two different types of users (ops and response) in two different infrastructures. The ops people cannot use tools in the response infrastructure, but osquery is too good to be a tool for responders only (and it is easier to roll out if ops see their use cases taken seriously). (Sorry for the late response!)
And because it is a response infrastructure, it's supposed to be available even if the ops infrastructure is unavailable/can't be trusted, so responders can't rely on the ops tools.
n
The ops people cannot use tools in the response infrastructure
Is this a non-negotiable requirement? If there’s room for negotiation, the “Observer” role (RBAC feature in Fleet) would allow you to give ops users access to only read data and run pre-designated queries in Fleet. This^ is the intended solution for giving some users restricted access in Fleet. Docs on the specific permissions of the “Observer” role are here: https://fleetdm.com/docs/using-fleet/permissions#permissions
t
Fortunately (or unfortunately, depending on standpoint), yes.
Ops personnel sit on different clients than responders, and these do not have access to the responder infrastructure, and thus have no means of securely accessing the UI.
The ops side (since there are many groups with different responsibilities) would definitely be using teams/RBAC though.