https://fleetdm.com logo
Channels
  • j

    Juan Alvarez

    1 year ago
    Hi guys, has somebody experienced issues when pushing 
    disable_tables
    config from fleet config yaml? For me, it seems that the value is pushed, since running a query to 
    osquery_flags
    gives me the right value but the table does not get disabled. For some reason, OSQuery is ignoring it... I could see a similar behavior in https://github.com/osquery/osquery/issues/6041 but it seems like that bug is already fixed (im using OSQuery 4.5.0)
    Also, if i put the flag in OSquery´s .flags file, the config works right away
  • zwass

    zwass

    1 year ago
    Sounds like probably another bug in osquery. Best to file an issue with as much detail as you can about how to reproduce.
  • theopolis

    theopolis

    1 year ago
    I am not certain but based on your observation and based on the code here: https://github.com/osquery/osquery/blob/d2d904f59ff37eab20cd79f65a738fa926c71faa/osquery/sql/sqlite_util.cpp#L403 it looks like this flag is only read once (at startup) and that 
    disable_tables
    should be a flag only (not a configuration option)
  • zwass

    zwass

    1 year ago
    I think that is probably the intent. IME folks want to be able to disable tables with a flag file so that those tables can't be accessed from a server like Fleet. If the server could set the config option, that would defeat the mitigation.
  • theopolis

    theopolis

    1 year ago
    In the case of Fleet and similar orchestrators, is there a RBAC that selects who can issue queries and who can configure flags? If there is a separation of priv there then it would still be an OK mitigation.
    e.g., Users of Fleet can issue queries and cannot change flags, and admins of Fleet can change flags
Join thread in Slack
View count: 1