Title
#kolide
j

Jason W

08/21/2020, 4:09 PM
I would love to second @sanjaykcse’s question - I believe the issue is around getting the feature sponsored, is that correct @zwass ?
zwass

zwass

08/21/2020, 4:15 PM
Yes. Essentially, I work on Fleet when I can. This usually means larger features are only addressed when there is a corporate sponsor.
j

Jason W

08/21/2020, 4:16 PM
Have you ball-parked what the cost of the carving feature would be?
zwass

zwass

08/21/2020, 4:21 PM
I think it would be in the 20-30k range but depends on exactly how it is scoped out.
j

Jason W

08/21/2020, 4:22 PM
thanks - that helps!
sundsta

sundsta

08/21/2020, 4:28 PM
If this happens, I would greatly appreciate adding an argument to the Fleet binary config so we can ensure this is disabled if we don’t want it. (edit: typos)
zwass

zwass

08/21/2020, 4:29 PM
Note that file carving is disabled by default by the osqueryd agent itself
sundsta

sundsta

08/21/2020, 4:30 PM
Thanks, I had forgotten about that.
zwass

zwass

08/21/2020, 4:31 PM
We try to be careful to keep any agent features that may have significant effect on privacy, security, or performance behind flags.
s

seph

08/22/2020, 6:36 PM
It’s a bit fuzzy though, fleet may be able to control whether it’s enabled on the client. Etc.
s

sanjaykcse

08/24/2020, 9:14 AM
@zwass what would be performance penalty of adding "file carving" feature. Suppose in certain config setup ,kolide fleet scales for 300K hosts. Would adding this feature ( file carving) have adverse impact on scaling/performance ?
sundsta

sundsta

08/24/2020, 6:30 PM
@sanjaykcse It would depend on how many files you are carving. It would certainly add a fair amount of network and CPU usage if, for example, you were sending every file saved in each user’s downloads folder for 300k endpoints
s

seph

08/24/2020, 6:31 PM
Conversely, not using it, but having the code path, shouldn’t have any performance penalty.
s

sanjaykcse

08/24/2020, 6:36 PM
file carving is required only for forensics . Intent is not to pull files at regular interval form all the nodes ,but as and when some attack signature is observed, few set of files need to pull in for dipper analysis .
sundsta

sundsta

08/24/2020, 6:41 PM
In that case, the number of endpoints wouldn’t really matter. The number of files pulled would be what causes the resource usage to go up.