Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
k
Kyle
07/08/2020, 11:08 PMHi all, what would be the best way of going about “linking” a user (read: person) to their device, as it appears in the result logs? We could have an external list of users and their device UUIDs, then get the UUID in the osquery decorators, but ideally we’d want something less manual than keeping a separate ledger
s
sundsta
07/08/2020, 11:15 PMosquery can pull the device serial, which you can link to your asset management system
s
seph
07/09/2020, 12:20 AMWe do this in our SaaS product. The user/device association stuff has been super valuable to people, and surprisingly hard.
You can examine all sorts of things on a host, and go through various heuristics. Does the account name match? Can you determine if the user had a authenticated chrome session? Etc.
As K2 (our SaaS offering) is very user focused, we've found that the most reliable is to tie the device back to the user who requested the download.
k
Kyle
07/09/2020, 12:23 AMYes, it does seem difficult. I think what we’ll do is have the user complete a form to download launcher, such that we can collect the link information there, a bit like (I assume) you do in the SaaS, since the user is logged in at time of package download
s
seph
07/09/2020, 12:26 AMFor us, that request comes through slack. We do some trickery to make it all work. Given apple's notarization time, we can't build on demand.
k
Kyle
07/09/2020, 12:27 AMHmm yeah, it did cross my mind of potentially getting something like an email from the launcher installer, but seems a bit a hacky
(which could then be sent with each outputted log)
s
seph
07/09/2020, 12:31 AMThe launcher installer has some magic to support this. It’s alluded to in the https://github.com/kolide/launcher/pull/530 ( feel like i”m dangling carrots here)
It works off the filename things were downloaded as
But I would still encourage you to try the SaaS.
k
Kyle
07/09/2020, 12:35 AMI’ve tried the SaaS and it’s great, but we have a requirement of only using open source, don’t worry I did say “hey look this does what we want” haha
s
seph
07/09/2020, 12:36 AMThat’s an interesting requirement. Can you say more about what drives it?
I don’t think I’ve ever heard that feedback
k
Kyle
07/09/2020, 12:40 AMYes, some of the agents we are deploying will be to “non-employees” i.e. contractors, associates (should they agree/accept privacy terms), and so it’s sort of a security/trust measure
(hence my inability to link using device management too)
s
seph
07/09/2020, 12:42 AMThere’s functionality in k2 to handle that — some devices can be marked as private, which exposes vastly less to the admins. . Ultimately, one has to trust Kolide won’t change operations, but we have a pretty strong commitment there.
Same agent, if that wasn’t clear.