#kolide

Kyle

07/08/2020, 11:08 PM
Hi all, what would be the best way of going about “linking” a user (read: person) to their device, as it appears in the result logs? We could have an external list of users and their device UUIDs, then get the UUID in the osquery decorators, but ideally we’d want something less manual than keeping a separate ledger

sundsta

07/08/2020, 11:15 PM
osquery can pull the device serial, which you can link to your asset management system

seph

07/09/2020, 12:20 AM
We do this in our SaaS product. The user/device association stuff has been super valuable to people, and surprisingly hard.
12:21 AM
You can examine all sorts of things on a host, and go through various heuristics. Does the account name match? Can you determine if the user had an authenticated Chrome session? Etc.
12:22 AM
As K2 (our SaaS offering) is very user focused, we've found that the most reliable is to tie the device back to the user who requested the download.

Kyle

07/09/2020, 12:23 AM
Yes, it does seem difficult. I think what we’ll do is have the user complete a form to download launcher, such that we can collect the link information there, a bit like (I assume) you do in the SaaS, since the user is logged in at time of package download

seph

07/09/2020, 12:26 AM
For us, that request comes through Slack. We do some trickery to make it all work. Given Apple's notarization time, we can't build on demand.

Kyle

07/09/2020, 12:27 AM
Hmm yeah, it did cross my mind of potentially getting something like an email from the launcher installer, but seems a bit hacky
12:28 AM
(which could then be sent with each outputted log)

seph

07/09/2020, 12:31 AM
The launcher installer has some magic to support this. It’s alluded to in the https://github.com/kolide/launcher/pull/530 (feel like I’m dangling carrots here)
12:33 AM
It works off the filename things were downloaded as
12:34 AM
But I would still encourage you to try the SaaS.

Kyle

07/09/2020, 12:35 AM
I’ve tried the SaaS and it’s great, but we have a requirement of only using open source, don’t worry I did say “hey look this does what we want” haha

seph

07/09/2020, 12:36 AM
That’s an interesting requirement. Can you say more about what drives it?
12:37 AM
I don’t think I’ve ever heard that feedback

Kyle

07/09/2020, 12:40 AM
Yes, some of the agents we are deploying will be to “non-employees” i.e. contractors, associates (should they agree/accept privacy terms), and so it’s sort of a security/trust measure
12:41 AM
(hence my inability to link using device management too)

seph

07/09/2020, 12:42 AM
There’s functionality in K2 to handle that — some devices can be marked as private, which exposes vastly less to the admins. Ultimately, one has to trust Kolide won’t change operations, but we have a pretty strong commitment there.
12:42 AM
Same agent, if that wasn’t clear.