  • Juan Alvarez

    1 year ago
    Hi guys, has somebody experienced issues when pushing the disable_tables config from the fleet config yaml? For me, it seems that the value is pushed, since running a query against osquery_flags gives me the right value, but the table does not get disabled. For some reason, osquery is ignoring it... I could see a similar behavior in https://github.com/osquery/osquery/issues/6041 but it seems like that bug is already fixed (I'm using osquery 4.5.0).
    Also, if I put the flag in osquery's .flags file, the config works right away.
  • zwass

    1 year ago
    Sounds like probably another bug in osquery. Best to file an issue with as much detail as you can about how to reproduce.
  • theopolis

    1 year ago
    I am not certain, but based on your observation and based on the code here: https://github.com/osquery/osquery/blob/d2d904f59ff37eab20cd79f65a738fa926c71faa/osquery/sql/sqlite_util.cpp#L403 it looks like this flag is only read once (at startup) and that disable_tables should be a flag only (not a configuration option).
  • zwass

    1 year ago
    I think that is probably the intent. IME folks want to be able to disable tables with a flag file so that those tables can't be accessed from a server like Fleet. If the server could set the config option, that would defeat the mitigation.
  • theopolis

    1 year ago
    In the case of Fleet and similar orchestrators, is there an RBAC that selects who can issue queries and who can configure flags? If there is a separation of priv there, then it would still be an OK mitigation.
    e.g., users of Fleet can issue queries and cannot change flags, and admins of Fleet can change flags.