# fleet
m
Any ideas for Joseph?
j
I've met the Tailscale guys a couple of times - really smart guys with a good tool. They don't have any device posture right now (as far as I am aware of). So if I used Tailscale, the first thing I would do is use their device authorization API and pull policy data from Fleet to de-authorize (or automatically authorize) devices with proper posture. https://tailscale.com/kb/1099/device-authorization/
r
that’s a very nice idea!
j
Thank you @mikermcneil for posting. That's a good idea, utilizing the Tailscale auth API to automatically join or drop devices from the network that meet a config criteria, hmm...I will give that a try!
z
Love that idea!
j
Any ideas on what would be the quickest way to establish a device posture for several EC2 instances I spin up as an example? I wanted to know what the simplest possible configuration I could test with - are there any preconfigured EC2 policies?
j
I am not aware of any. Are you accessing resources from these EC2 instances, or accessing the EC2 instances from other devices like laptops? I was thinking Fleet/orbit would be on the laptops before allowing them to connect to your resources protected by Tailscale?
j
Yes, that is looking like a base assumption - we have a shell on the machine, we run a service on tailscale that exposes the information from osquery, then use a webhook trigger to check the posture and if it meets criteria, we authorize it and let the machine join the tailnet. Working on the service now.
How do I figure out my socket path if I just want to use osquery-go to run some simple queries after I install osquery?
z
Seems like this is maybe a general osquery question? Might be better to ask in #general if you need further help along those lines, but by default the socket path is `/var/osquery/osquery.em`. It's configurable by `--extensions_socket`.
j
I will go there next time, thanks for the heads up. I am still getting an error when I use that path, so I need to look at it a bit more.