  • Artem

    1 month ago
    Hi there! I think I found a bug, but maybe I just need some explanations. If I set
    disable_tables: 'curl'
    osquery option via Fleet UI (inspired by https://www.tenchisecurity.com/abusing-the-osquery-curl-table-for-pivoting-into-cloud-environments/), it continues to work! It looks like this option only applies after restarting the osqueryd service on the endpoint. Is it the right behavior? Looks strange, but maybe I'm just doing something the wrong way…
  • Lucas Rodriguez

    1 month ago
    Hi @Artem! That is correct. Such an option requires a restart of osquery to take effect. I was able to reproduce the behavior in Fleet.
  • Artem

    1 month ago
    @Lucas Rodriguez thank you! Got it! Just as a probable future feature request, it would be really cool if it were possible to change such behavior without restarting osquery on endpoints