
Dan Achin

12/02/2020, 11:57 PM
Has anyone here turned query packs into RPMs or other artifacts for distribution and installation? We are thinking we might want to build a query pack pipeline. A primary driver for this would be to allow certain sets of users to create and test packs in non-prod and then push them to prod without needing access to the UI or fleetctl in prod.

sundsta

12/03/2020, 12:33 AM
We use different instances of Fleet for this. Different hosts are enrolled to the different instances

Dan Achin

12/03/2020, 2:08 AM
@sundsta, that's what we are trying to avoid. We want the bare minimum of separation at Fleet itself.

sundsta

12/03/2020, 4:39 PM
I’m not sure I follow. Wouldn’t the bare minimum of separation from Fleet be no separation at all?

zwass

12/03/2020, 4:44 PM
Richer authorization for actions within Fleet is fairly top of mind in our roadmap plans. This would allow you to define labels (perhaps manual labels would be best for this particular use case) that users are authorized to take actions against.

Dan Achin

12/03/2020, 5:53 PM
@sundsta, what I meant was that we only want to separate the Fleet infra if we absolutely must. For example, data from our corporate assets is just too sensitive for most of the company, hence we'll have a separate Fleet infra for those that only our Ops security team will have access to. However, for our production assets, things are much grayer. We are all one Ops org, but we have different business units we support. Are we really OK with Ops from BU A being able to run queries on / see results for systems in BU B? Currently if we wanted to restrict that, we'd need separate Fleet instances.
@zwass - that sounds great, as I noted in the other thread I commented on the git issues 79 link with some feedback. Taking action on specific labels would be great. We have our Fleet integrated with our CMDB so we can auto-generate labels based on that data, which is super handy.