Are labels a way to create smart groups of machines Or is it osquery #kolide

Are labels a way to create smart groups of machine...

Seán O'Halloran

04/24/2020, 3:25 PM

Are labels a way to create smart groups of machines? Or is it a “run-once” kind of feature? I set up a label called “Currently connected to USB Device” with the following SQL:

Copy code

SELECT path FROM mounts LEFT JOIN block_devices ON mounts.device = block_devices.name WHERE block_devices.type="USB"

It correctly added my machine to the label, but after removing the USB it hasn’t updated. The wording on your website implies that you can use labels to dynamically detect which machines are running vulnerable software:

zwass

04/24/2020, 3:38 PM

Yes, labels update dynamically. By default this happens every hour (https://github.com/kolide/fleet/blob/master/docs/infrastructure/configuring-the-fleet-binary.md#osquery_label_update_interval).

zwass

04/24/2020, 3:40 PM

Even if you set that to a low interval, you still won't have immediate execution of a query on the machine. The machine has to request a new config again after the label update.

zwass

04/24/2020, 3:40 PM

Is your query resource intensive? Is there a reason you can't schedule it on all machines?

Seán O'Halloran

04/24/2020, 3:46 PM

I’m just trying to plan it out. I was thinking maybe I could do more resource-intensive queries (like hashing every file) if I could limit the blast-radius to just machines violating our USB device policies

sundsta

04/24/2020, 3:54 PM

You can do that with labels

zwass

04/24/2020, 6:47 PM

You may not need labels if you craft the query to only generate hashes of files on removable drives.

Open in Slack

Previous Next