# kolide
I'm using latest versions available. The option
seems ignored by Kolide Fleet. I did tests with the osquery binary only and this works as expected, but when I use Kolide Fleet the option is ignored and queries return results. As it works with the osquery binary, the issue seems to be on Kolide Fleet. Is there a bug here or did I miss something? Kolide Fleet might not support it yet?
I made a mistake, I'm talking about Kolide Launcher, but I use Kolide Fleet on the server side.
Can you try with regular osqueryd with `--verbose --tls_dump` turned on so you can verify what config it is receiving?
FYI node key should be considered secret.
Yes indeed, but this is not sensitive as this is a test environment. But just in case I will delete the post and re-post it below without the key.
Here is the config received:
{
  "decorators": {
    "always": [
      "SELECT user AS username FROM logged_in_users WHERE user \u003c\u003e '' ORDER BY time LIMIT 1;"
    ],
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT hostname AS hostname FROM system_info;",
      "SELECT hardware_serial as host_sn FROM system_info;"
    ]
  },
  "options": {
    "config_refresh": 120,
    "disable_distributed": false,
    "disable_tables": "dns_resolvers,curl,ulimit_info,user_ssh_keys,wifi_status,wifi_networks,shell_history,logged_in_users",
    "distributed_interval": 10,
    "distributed_plugin": "tls",
    "distributed_tls_max_attempts": 3,
    "distributed_tls_read_endpoint": "/api/v1/osquery/distributed/read",
    "distributed_tls_write_endpoint": "/api/v1/osquery/distributed/write",
    "logger_plugin": "tls",
    "logger_snapshot_event_type": true,
    "logger_tls_endpoint": "/api/v1/osquery/log",
    "logger_tls_period": 10,
    "pack_delimiter": "/",
    "utc": true
  },
  "packs": {
    "TEST": {
      "queries": {
        "[compliance] (Unix) Disk encryption status": {
          "query": "SELECT de.encrypted AS compliant FROM mounts m join disk_encryption de ON m.device_alias = de.name WHERE m.path = '/'",
          "interval": 500,
          "platform": "linux",
          "snapshot": true,
          "removed": false
        }
      }
    }
  }
}
So Fleet is definitely sending the config. Are the tables disabled?
With the osquery binary (osqueryd), yes, the tables are disabled (indicated by the logs, and a query on a disabled table does not return results). But with Kolide Launcher there are no logs about that, and a query on a disabled table does return results.
launcher should just pass that config along. Can you live query the config and see what it looks like?
The query is successfully executed without any error:
mars 09 20:01:32 PC-Jerome launcher[16460]: {"caller":"distributed.cpp:117","component":"osquery","level":"stderr","msg":"I0309 20:01:32.340546 16515 distributed.cpp:117] Executing distributed query: kolide_distributed_query_68: SELECT * FROM dns_resolvers","severity":"info","ts":"2020-03-09T19:01:32.34081041Z"}
look at the osquery_flags table.
Oh ok, I misunderstood. The value returned from the field name is correct.
Then osquery got the config. Not sure why it's still allowing you to query; I'm not sure how this is a launcher issue. What version of osquery? Are you also setting anything with the table whitelist option?
No, I did not set the parameter.
Here are the parameters osqueryd is started with by Kolide Launcher (enrolled to Kolide Fleet):
{
  "arg0": "/usr/local/launcher/bin/osqueryd-updates/1582883866/osqueryd",
  "args": "/usr/local/launcher/bin/osqueryd-updates/1582883866/osqueryd --pidfile=/var/launcher/fleet.xxx.com-8080/osquery.pid --database_path=/var/launcher/fleet.xxx.com-8080/osquery.db --extensions_socket=/var/launcher/fleet.xxx.com-8080/osquery.sock --extensions_autoload=/var/launcher/fleet.xxx.com-8080/osquery.autoload --extensions_timeout=10 --config_plugin=kolide_grpc --logger_plugin=kolide_grpc --distributed_plugin=kolide_grpc --disable_distributed=false --distributed_interval=5 --pack_delimiter=: --host_identifier=uuid --force=true --disable_watchdog --utc --config_refresh=300 --config_accelerated_refresh=30",
  "caller": "runtime.go:546",
  "msg": "launching osqueryd",
  "severity": "info",
  "ts": "2020-03-09T19:01:11.233209135Z"
}
When I start osquery with `/usr/local/launcher/bin/osqueryd-updates/1582883866/osqueryd --flagfile osquery.flags` this works. Here are the flags:
The osquery version is 4.2.0.
If you live query those, are the results for the osquery_flags table any different? I think that should be authoritative WRT what options osquery is currently running with.
The main differing fields are:
config_tls_endpoint (this is empty for Kolide Fleet)
Could the extensions be the cause?
I run osquery with the flags only and no config file (or is there a default one?).
There are default values, and a default path, but those would appear in the table you're looking at
Do you get different behavior with older osquery?
Same results with osquery 4.0.2 and 4.1.2, both standalone and with Kolide Launcher.
That’s pretty weird.
I’d have to dig a bit, I’m not sure why that’s the case
same behavior with
, working as expected with osqueryd standalone but not with kolide launcher
I don't know if this is relevant but
and `enroll_tls_endpoint` are empty when I query the osquery_flags table while using Kolide Launcher.
Maybe it has something to do with https://github.com/osquery/osquery/issues/6041 and the parameters are not loaded in the proper order
Do you know when you will have time to dig into this? Let me know if I need to create an issue on GitHub and/or if you need more info.