Hi all, what would be the best way of going about “linking” a user (read: person) to their device, as it appears in the result logs? We could have an external list of users and their device UUIDs, then get the UUID in the osquery decorators, but ideally we’d want something less manual than keeping a separate ledger
07/08/2020, 11:15 PM
osquery can pull the device serial, which you can link to your asset management system
07/09/2020, 12:20 AM
We do this in our SaaS product. The user/device association stuff has been super valuable to people, and surprisingly hard.
You can examine all sorts of things on a host, and go through various heuristics. Does the account name match? Can you determine if the user had an authenticated Chrome session? Etc.
As K2 (our SaaS offering) is very user focused, we've found that the most reliable is to tie the device back to the user who requested the download.
07/09/2020, 12:23 AM
Yes, it does seem difficult. I think what we’ll do is have the user complete a form to download launcher, such that we can collect the link information there, a bit like (I assume) you do in the SaaS, since the user is logged in at the time of package download
07/09/2020, 12:26 AM
For us, that request comes through Slack. We do some trickery to make it all work. Given Apple's notarization time, we can't build on demand.
07/09/2020, 12:27 AM
Hmm yeah, it did cross my mind of potentially getting something like an email from the launcher installer, but it seems a bit hacky
(which could then be sent with each outputted log)
It works off the filename things were downloaded as
But I would still encourage you to try the SaaS.
07/09/2020, 12:35 AM
I’ve tried the SaaS and it’s great, but we have a requirement of only using open source, don’t worry I did say “hey look this does what we want” haha
07/09/2020, 12:36 AM
That’s an interesting requirement. Can you say more about what drives it?
I don’t think I’ve ever heard that feedback
07/09/2020, 12:40 AM
Yes, some of the agents we are deploying will be to “non-employees” i.e. contractors, associates (should they agree/accept privacy terms), and so it’s sort of a security/trust measure
(hence my inability to link using device management too)
07/09/2020, 12:42 AM
There’s functionality in K2 to handle that — some devices can be marked as private, which exposes vastly less to the admins. Ultimately, one has to trust Kolide won’t change operations, but we have a pretty strong commitment there.