Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
t
Tor Houghton
05/05/2022, 7:51 AMI have a question: is it possible for osqueryd to register with two concurrent (but different!) fleetdm backends?
m
Michal Nicpon
05/05/2022, 4:33 PMYou could run 2 separate instances of osqueryd, each configured for a different fleet server
At the moment, it's not possible to have a single instance talk to multiple backends
n
Noah Talerman
05/05/2022, 4:44 PM@Tor Houghton this is a very interesting use case. I think this has been raised by others in the community in the past.
To help the Fleet team understand your use case, why do you want osqueryd to register with two backends ?
t
Tor Houghton
05/07/2022, 8:12 PMSo, the use case is really rather simple. I have two different types of users (ops and response) in two different infrastructures. The ops people cannot use tools in the response infrastructure, but osquery is too good to be a tool for responders only (and it is easier to roll out if ops see their use cases taken seriously).
(Sorry for the late response!)
And because it is a response infrastructure, it's supposed to be available even if the ops infrastructure is unavailable/can't be trusted, so responders can't rely on the ops tools.
n
Noah Talerman
05/09/2022, 3:18 PMThe ops people cannot use tools in the response infrastructureIs this a non-negotiable requirement? If there’s room for negotiation, the “Observer” role (RBAC feature in Fleet) would allow you to give ops users access to only read data and run pre-designated queries in Fleet. This^ is the intended solution for giving some users restricted access in Fleet. Docs on the specific permissions of the “Observer” role are here: https://fleetdm.com/docs/using-fleet/permissions#permissions
t
Tor Houghton
05/09/2022, 5:19 PMFortunately (or unfortunately, depending on standpoint), yes.
Ops personnel sit on different clients than responders, and these do not have access to the responder infrastructure, thus have no means of securely accessing the UI.
The ops side (since there are many groups with different responsibilities) would definitely be using teams/RBAC though.