fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Possible issue with ATC tables in osquery 5.12.1? #18490

Closed zwass closed 4 months ago

zwass commented 5 months ago

Osquery 5.12.1


💥  Actual behavior

(Reported from @directionless at Kolide) Apparently Kolide has found that their ATC tables are no longer registering with osquery 5.12.1. They do some special things with config plugins, so the issue may be isolated to their setup.

🧑‍💻  Steps to reproduce

Not sure exactly, but let's try to reproduce this using the standard way that we configure ATC tables (through agent options). If that works fine, let's close out this issue and let Kolide continue investigating their special case. If we do reproduce the issue let's work with osquery to get things fixed.

🕯️ More info (optional)

N/A

xpkoala commented 5 months ago

@zwass I followed the instructions located here and appear to have been successful. I'll close this out, but please feel free to re-open with further instructions if I've missed something.


fleet-release commented 5 months ago

ATC tables fixed, Osquery's light unmasked, Fleet's path, clear as glass.

zwass commented 5 months ago

@xpkoala did you test this with fleetd or plain osquery?

Per discussion in osquery slack (https://osquery.slack.com/archives/C6PNW4528/p1714580512141179?thread_ts=1713984325.377259&cid=C6PNW4528) this may only be triggered if there's a table extension also registered (which would be the case with fleetd but not plain osquery).

directionless commented 5 months ago

FWIW https://github.com/osquery/osquery/issues/8323

zwass commented 5 months ago

@xpkoala can you please re-test with the information discussed in the osquery Slack to try to reproduce?

xpkoala commented 5 months ago

@zwass ahh, sorry for missing this yesterday, I'll jump on it in a moment. FWIW I did test with fleetd originally.

lucasmrod commented 4 months ago

@zwass Given 5.12.2 draft release is out (which just reverts the related change - https://github.com/osquery/osquery/compare/5.12.1...5.12.2), do we still need to reproduce?

zwass commented 4 months ago

I think it's worthwhile to test still as we would want to see whether 5.12.1 actually has issues in our deployments and if 5.12.2 fixes those.

@xpkoala

xpkoala commented 4 months ago

The following was tested with @lucasmrod and no complications were seen getting results from tables created with ATC:

  1. spin up local TUF server with binaries created that would load some of our test extensions (hello world, hello mars)
  2. modify the agent config (via fleet UI) to load the tcc_system_entries table (via ATC)
  3. enroll the host
  4. confirmed queries against tcc_system_entries table worked
  5. remove the modifications made in the agent config (to remove tcc_system_entries table)
  6. confirmed queries against tcc_system_entries were no longer working.
  7. repeat adding and removing the ATC entry and making sure I was getting the expected results on queries.

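The test procedure above configures the `tcc_system_entries` table through ATC and then checks that queries against it return rows. An ATC entry that is malformed (wrong key names, or a `columns` list that does not match what the `query` actually returns) fails silently in the agent: the table is simply not registered, which looks identical to the extension-related breakage discussed in this thread. The following is an added example, not code from Fleet or osquery, that performs that pre-flight check offline: it takes an ATC entry in osquery's `auto_table_construction` config format (the same object Fleet's agent options carry), runs its `query` against a SQLite file the way osquery does, and compares the result columns with the declared `columns`. The ATC definition, the TCC.db schema (table `access` with `service`, `client`, `auth_value`, `last_modified`) and the sample rows are assumptions constructed for illustration and are not a real TCC database.

```python
"""Offline pre-flight check for an osquery ATC (auto_table_construction) entry.

Added example, not Fleet or osquery code. osquery builds an ATC table by running
`query` against the SQLite file at `path` and exposing the result under the
declared `columns`; this reproduces that step in Python against a constructed
SQLite file so a definition can be validated before it is pushed to hosts.
"""
import json
import os
import sqlite3
import tempfile

# Hypothetical ATC entry in osquery's config format (key names are osquery's;
# the TCC.db column names are an assumption for this example).
ATC_CONFIG = {
    "auto_table_construction": {
        "tcc_system_entries": {
            "query": "SELECT service, client, auth_value, last_modified FROM access",
            "path": "/Library/Application Support/com.apple.TCC/TCC.db",
            "columns": ["service", "client", "auth_value", "last_modified"],
            "platform": "darwin",
        }
    }
}


def build_sample_tcc_db(path):
    """Create a constructed stand-in for TCC.db (not a copy of a real one)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE access (service TEXT, client TEXT, "
        "auth_value INTEGER, last_modified INTEGER)"
    )
    conn.executemany(
        "INSERT INTO access VALUES (?, ?, ?, ?)",
        [
            ("kTCCServiceSystemPolicyAllFiles", "com.example.agent", 2, 1714000000),
            ("kTCCServiceScreenCapture", "com.example.remote", 0, 1714000100),
        ],
    )
    conn.commit()
    conn.close()


def validate_atc_table(name, spec, db_path=None):
    """Run the ATC query as osquery would and check it matches the spec.

    Returns (ok, problems, rows). db_path overrides spec["path"] so the check
    can run against a sample file instead of the production database. The file
    is opened read-only, as osquery does for ATC sources.
    """
    problems = []
    for key in ("query", "path", "columns"):
        if key not in spec:
            problems.append(f"{name}: missing required key '{key}'")
    if problems:
        return False, problems, []
    uri = "file:%s?mode=ro" % (db_path or spec["path"])
    try:
        conn = sqlite3.connect(uri, uri=True)
        cur = conn.execute(spec["query"])
        got = [d[0] for d in cur.description]
        rows = cur.fetchall()
        conn.close()
    except sqlite3.Error as exc:
        return False, [f"{name}: query failed: {exc}"], []
    if got != list(spec["columns"]):
        problems.append(
            f"{name}: query returns {got} but config declares {spec['columns']}"
        )
    return not problems, problems, rows


def run_preflight():
    """Build the sample DB, validate the entry, then exercise a column mismatch."""
    db = os.path.join(tempfile.mkdtemp(), "TCC.db")
    build_sample_tcc_db(db)
    name, spec = next(iter(ATC_CONFIG["auto_table_construction"].items()))
    ok, problems, rows = validate_atc_table(name, spec, db_path=db)
    # Mismatch: the query returns four columns but this copy declares only three.
    bad_spec = dict(spec, columns=spec["columns"][:3])
    bad_ok, bad_problems, _ = validate_atc_table(name, bad_spec, db_path=db)
    return {"ok": ok, "problems": problems, "rows": rows,
            "bad_ok": bad_ok, "bad_problems": bad_problems}


if __name__ == "__main__":
    print(json.dumps(ATC_CONFIG, indent=2))
    for key, value in run_preflight().items():
        print(key, value)
```

Run it once against a copy of the real database by passing its path as `db_path` (reading the live TCC.db requires Full Disk Access on macOS); a non-empty `problems` list means the entry would register no usable table regardless of which osquery or fleetd version the host runs, so fix that before treating the result as an osquery regression.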
lucasmrod commented 4 months ago

(Another way to try to reproduce: vanilla osquery + fleetd_tables extension.)

xpkoala commented 4 months ago

Closing the bug per this thread. https://fleetdm.slack.com/archives/C019WG4GH0A/p1715278510072879

fleet-release commented 4 months ago

ATC tables fixed, Like a city in the clouds, Fleet soars, unimpeded.