https://github.com/osquery/osquery logo
Powered by
#fleet
Title
# fleet
n

nyanshak

03/09/2021, 9:14 PM
#418 Make enrollment cooldown configurable <thread>
If 
osquery_host_identifier
 is set to 
instance
, is there any benefit to also setting 
osquery_enroll_cooldown
 to anything other than the default (
0
)?
z

zwass

03/09/2021, 9:20 PM
Possibly you could get into a scenario in which an osquery database was copied to multiple hosts and then they are all using the same instance identifier
n

nyanshak

03/09/2021, 9:21 PM
Ah right, that scenario. Well at least it beats the current one.
Do you have any idea where in osquery source the "send this extra info" lives?
I want to try to track down the version
wait, found it, it's in 
osquery/plugins/remote/enroll/tls_enroll.cpp
https://github.com/osquery/osquery/pull/3675 So I think this was in 
2.8.0+
z

zwass

03/09/2021, 9:31 PM
Yeah that looks right to me.
Hopefully 
osquery_enroll_cooldown
is used rarely if ever now. I'm tempted to remove it entirely but it could be a good escape valve if someone ends up in that bad scenario.
n

nyanshak

03/09/2021, 9:47 PM
I actually figured it would be good to have it set (not sure what good value would be) so that you would at least see logs when you get into this scenario.
Like if someone copies osquery db, at least you could know that it's happening.
z

zwass

03/09/2021, 9:48 PM
Ah yes but I think folks were running into issues with it spuriously due to https://github.com/osquery/osquery/issues/6993.
n

nyanshak

03/09/2021, 9:49 PM
😢 what a twisted issue this is
z

zwass

03/09/2021, 9:50 PM
Yeah, 😢 is right
I've been chasing the whole thing in circles for a while now
n

nyanshak

03/09/2021, 9:50 PM
OK, then I will leave cooldown as 0, even though I am disappointed that I won't know about that one specific case.
🤷‍♀️ great work chasing it, pretty frustrating issue
z

zwass

03/09/2021, 9:51 PM
Hopefully we can resolve that osquery issue and then get that cooldown back on
n

nyanshak

03/09/2021, 9:52 PM
Depends on the issue / also requires getting all osquery clients up to date everywhere 😉 Auto-updater will help for this.
Last question and I think I know the answer... osquery ignores fleet's 
--host_identifier
, so even though fleet will have unique values for each osquery host, osquery will still send logs with 
hostIdentifier
set to whatever osquery specifies. So there could still be a bit of confusion when trying to correlate logs to fleet hosts, right? And would the situation be any better if the log destination was set to fleet? I'm assuming not, because it would be processing-intensive operation to parse & rewrite all the logs.
z

zwass

03/09/2021, 10:03 PM
Fleet doesn't try to address that at the moment. If you use 
hostIdentifier
to identify the osquery logs (rather than some decorator value) you'll want to configure it appropriately on the clients regardless of Fleet's value.
n

nyanshak

03/09/2021, 10:08 PM
sorry to ask so many questions about this... what is the advantage of 
instance
over 
uuid
/ why is this the recommended approach? presumably you would never have duplicates for 
uuid
(except maybe if you copy the osquery DB?)
z

zwass

03/09/2021, 10:11 PM
We've seen folks deploy multiple copies of a VM that report the same UUID and that causes a similar issue.
n

nyanshak

03/09/2021, 10:12 PM
Ah right, thanks for all the help
🥳
2 Views
Powered by