I'm using latest versions available. The option

disable_tables

seems ignored by Kolide Fleet. I did tests with osquery binary only and this works as expected but when I use Kolide Fleet, the options is ignored and queries return results. As it works with the osquery binary, the issue seems to be on Kolide Fleet. Is there a bug here or did I miss something? Kolide Fleet might not support it yet?

Can you try with regular osqueryd with

--verbose --tls_dump

turned on so you can verify what config it is receiving?

FYI node key should be considered secret.

yes indeed but this is not sensible as this is a test environment. But just in case I will delete the post and re-post it below without the key.

So Fleet is definitely sending the config. Are the tables disabled?

with osquery binary (osqueryd) yes the table are disabled (indicated by the logs and a query on a disabled table does not return results) But with Kolide Launcher there are no logs about that and a query on a disabled table does return results

launcher should just pass that config along. Can you live query the config and see what it looks like?

The query is successfully executed without any error:

mars 09 20:01:32 PC-Jerome launcher[16460]: {"caller":"distributed.cpp:117","component":"osquery","level":"stderr","msg":"I0309 20:01:32.340546 16515 distributed.cpp:117] Executing distributed query: kolide_distributed_query_68: SELECT * FROM dns_resolvers","severity":"info","ts":"2020-03-09T19:01:32.34081041Z"}

look at the osquery_flags table.

oh ok I misunderstood, The value returned from the field name

disable_tablse

is correct

Then osquery got the config. Not sure why it’s still allowing you to query, I’m not sure how this is a launcher issue. What version of osquery? Are you also setting anything with ther table whitelist option?

no I did not set the parameter

enable_tables

here are the parameters started with Kolide Fleet:

{
  "arg0": "/usr/local/launcher/bin/osqueryd-updates/1582883866/osqueryd",
  "args": "/usr/local/launcher/bin/osqueryd-updates/1582883866/osqueryd --pidfile=/var/launcher/fleet.xxx.com-8080/osquery.pid --database_path=/var/launcher/fleet.xxx.com-8080/osquery.db --extensions_socket=/var/launcher/fleet.xxx.com-8080/osquery.sock --extensions_autoload=/var/launcher/fleet.xxx.com-8080/osquery.autoload --extensions_timeout=10 --config_plugin=kolide_grpc --logger_plugin=kolide_grpc --distributed_plugin=kolide_grpc --disable_distributed=false --distributed_interval=5 --pack_delimiter=: --host_identifier=uuid --force=true --disable_watchdog --utc --config_refresh=300 --config_accelerated_refresh=30",
  "caller": "runtime.go:546",
  "msg": "launching osqueryd",
  "severity": "info",
  "ts": "2020-03-09T19:01:11.233209135Z"
}

When I start osquery with

/usr/local/launcher/bin/osqueryd-updates/1582883866/osqueryd --flagfile osquery.flags

this works. Here are the flags:

--insecure
--tls_server_certs=/etc/osquery/fleet.xxx.com_8090.pem
--tls_hostname=<http://fleet.xxx.com:8080|fleet.xxx.com:8080>
--enroll_secret_path=/etc/osquery/enrollment_secret
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=10
--host_identifier=uuid

If you live query those, are ther results for the osquery_flags table any different? I think that should be authoratiative WRT what options osquery is currently running with

the main different fields are:

config_tls_endpoint (this is empty for Kolide Fleet)
extensions_autoload
extensions_socket

Does the extensions could be in cause?

There are default values, and a default path, but those would appear in the table you're looking at

same results with osquery 4.0.2 and 4.1.2 both standalone and with kolide launcher

That’s pretty weird.

same behavior with

enable_tables

, working as expected with osqueryd standalone but not with kolide launcher