#kolide
Jerome

03/09/2020, 3:32 PM
I'm using the latest versions available. The option disable_tables seems to be ignored by Kolide Fleet. I did tests with the osquery binary only and this works as expected, but when I use Kolide Fleet, the option is ignored and queries return results. As it works with the osquery binary, the issue seems to be in Kolide Fleet. Is there a bug here or did I miss something? Kolide Fleet might not support it yet?
3:49 PM
I made a mistake, I am talking about Kolide Launcher
3:49 PM
but I use Kolide Fleet on server side
zwass

03/09/2020, 5:06 PM
Can you try with regular osqueryd with --verbose --tls_dump turned on so you can verify what config it is receiving?
seph

03/09/2020, 6:10 PM
FYI node key should be considered secret.
Jerome

03/09/2020, 6:28 PM
Yes indeed, but this is not sensitive as this is a test environment. But just in case I will delete the post and re-post it below without the key.
6:28 PM
Here is the config received:
{"node_key":"XXX"}
{
  "decorators": {
    "always": [
      "SELECT user AS username FROM logged_in_users WHERE user \u003c\u003e '' ORDER BY time LIMIT 1;"
    ],
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT hostname AS hostname FROM system_info;",
      "SELECT hardware_serial as host_sn FROM system_info;"
    ]
  },
  "options": {
    "config_refresh": 120,
    "disable_distributed": false,
    "disable_tables": "dns_resolvers,curl,ulimit_info,user_ssh_keys,wifi_status,wifi_networks,shell_history,logged_in_users",
    "distributed_interval": 10,
    "distributed_plugin": "tls",
    "distributed_tls_max_attempts": 3,
    "distributed_tls_read_endpoint": "/api/v1/osquery/distributed/read",
    "distributed_tls_write_endpoint": "/api/v1/osquery/distributed/write",
    "logger_plugin": "tls",
    "logger_snapshot_event_type": true,
    "logger_tls_endpoint": "/api/v1/osquery/log",
    "logger_tls_period": 10,
    "pack_delimiter": "/",
    "utc": true
  },
  "packs": {
    "TEST": {
      "queries": {
        "[compliance] (Unix) Disk encryption status": {
          "query": "SELECT de.encrypted AS compliant FROM mounts m join disk_encryption de ON m.device_alias = de.name WHERE m.path = '/'",
          "interval": 500,
          "platform": "linux",
          "snapshot": true,
          "removed": false
        }
      }
    }
  }
}
zwass

03/09/2020, 6:34 PM
So Fleet is definitely sending the config. Are the tables disabled?
Jerome

03/09/2020, 6:40 PM
With the osquery binary (osqueryd), yes, the tables are disabled (indicated by the logs, and a query on a disabled table does not return results). But with Kolide Launcher there are no logs about that and a query on a disabled table does return results.
seph

03/09/2020, 6:57 PM
launcher should just pass that config along. Can you live query the config and see what it looks like?
Jerome

03/09/2020, 7:04 PM
The query is successfully executed without any error:
mars 09 20:01:32 PC-Jerome launcher[16460]: {"caller":"distributed.cpp:117","component":"osquery","level":"stderr","msg":"I0309 20:01:32.340546 16515 distributed.cpp:117] Executing distributed query: kolide_distributed_query_68: SELECT * FROM dns_resolvers","severity":"info","ts":"2020-03-09T19:01:32.34081041Z"}
seph

03/09/2020, 7:05 PM
look at the osquery_flags table.
Jerome

03/09/2020, 7:11 PM
Oh OK, I misunderstood. The value returned from the field name disable_tables is correct
seph

03/09/2020, 7:14 PM
Then osquery got the config. Not sure why it’s still allowing you to query, I’m not sure how this is a launcher issue. What version of osquery? Are you also setting anything with the table whitelist option?
Jerome

03/09/2020, 7:18 PM
No, I did not set the parameter enable_tables. Here are the parameters started with Kolide Fleet:
{
  "arg0": "/usr/local/launcher/bin/osqueryd-updates/1582883866/osqueryd",
  "args": "/usr/local/launcher/bin/osqueryd-updates/1582883866/osqueryd --pidfile=/var/launcher/fleet.xxx.com-8080/osquery.pid --database_path=/var/launcher/fleet.xxx.com-8080/osquery.db --extensions_socket=/var/launcher/fleet.xxx.com-8080/osquery.sock --extensions_autoload=/var/launcher/fleet.xxx.com-8080/osquery.autoload --extensions_timeout=10 --config_plugin=kolide_grpc --logger_plugin=kolide_grpc --distributed_plugin=kolide_grpc --disable_distributed=false --distributed_interval=5 --pack_delimiter=: --host_identifier=uuid --force=true --disable_watchdog --utc --config_refresh=300 --config_accelerated_refresh=30",
  "caller": "runtime.go:546",
  "msg": "launching osqueryd",
  "severity": "info",
  "ts": "2020-03-09T19:01:11.233209135Z"
}
When I start osquery with /usr/local/launcher/bin/osqueryd-updates/1582883866/osqueryd --flagfile osquery.flags this works. Here are the flags:
--insecure
--tls_server_certs=/etc/osquery/fleet.xxx.com_8090.pem
--tls_hostname=fleet.xxx.com:8080
--enroll_secret_path=/etc/osquery/enrollment_secret
--enroll_tls_endpoint=/api/v1/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/v1/osquery/config
--config_refresh=10
--host_identifier=uuid
7:19 PM
osquery version is 4.2.0
seph

03/09/2020, 7:21 PM
If you live query those, are the results for the osquery_flags table any different? I think that should be authoritative WRT what options osquery is currently running with
Jerome

03/09/2020, 7:56 PM
the main different fields are:
config_tls_endpoint (this is empty for Kolide Fleet)
extensions_autoload
extensions_socket
Could the extensions be the cause?
7:58 PM
I run osquery with the flags only and no config file (or is there a default one?)
seph

03/09/2020, 8:18 PM
There are default values, and a default path, but those would appear in the table you're looking at
8:22 PM
Do you get different behavior with older osquery?
Jerome

03/09/2020, 8:50 PM
same results with osquery 4.0.2 and 4.1.2 both standalone and with kolide launcher
seph

03/09/2020, 9:41 PM
That’s pretty weird.
9:41 PM
I’d have to dig a bit, I’m not sure why that’s the case
Jerome

03/10/2020, 7:49 AM
same behavior with enable_tables, working as expected with osqueryd standalone but not with kolide launcher
8:21 AM
I don't know if this is relevant but config_tls_endpoint and enroll_tls_endpoint are empty when I use Kolide Launcher when I query the osquery_flags table
11:09 AM
Maybe it has something to do with https://github.com/osquery/osquery/issues/6041 and the parameters are not loaded in the proper order
1:08 PM
Do you know when you will have time to dig into this? Let me know if I need to create an issue on GitHub and/or if you need more info