fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Allow users to override the `users` detail query just for one platform (`windows`, `linux` or `darwin`) #19108

Closed lucasmrod closed 2 days ago

lucasmrod commented 2 weeks ago

Problem

Currently, users can override (or disable) the users query using features.detail_query_overrides (see the users: key in the linked section): https://github.com/fleetdm/fleet/blob/162c9f05951ae700cc03c17f5c16f26b9252cff2/docs/Configuration/configuration-files/README.md?plain=1#L571-L590

Users have no way to disable or change the query for a specific platform only (e.g. https://github.com/fleetdm/fleet/issues/18343, so that I could disable the query for Linux hosts only).

Potential solutions

A quick fix is for Fleet to define three queries, users_linux, users_macos and users_windows (which would all be hardcoded to the same SQL query), instead of the current single users query. This way a user can override or disable the users query for a specific platform only:

features:
  detail_query_overrides:
    # null disables the "users_linux" query from running on linux hosts (it will still run on macOS or Windows hosts)
    users_linux: null

PoC branch: https://github.com/fleetdm/fleet/compare/19108-poc-changes

PS: A more involved solution is to allow overrides per platform for the features key in the YAML, but that's maybe a broader request.
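To make the override semantics of the quick fix concrete, the following is an added Go example written for this page; it is not code from the Fleet repository or from the PoC branch. It models the three per-platform copies of the users query, decodes a features.detail_query_overrides block (given here in JSON, which YAML accepts; a YAML null decodes to a nil pointer the same way), and shows that a null entry removes the query only for hosts of that platform while a string entry replaces its SQL. The detailQuery type, its Platforms field, and the SQL strings are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// detailQuery is a hypothetical stand-in for a Fleet detail query: the SQL
// plus the platforms it is scheduled on (empty means every platform).
type detailQuery struct {
	Query     string
	Platforms []string
}

// usersSQL is a constructed sample; the real users detail query differs.
const usersSQL = "SELECT uid, username, type, shell FROM users"

// defaultDetailQueries models the PoC: three hardcoded copies of the users
// query, one per platform, instead of a single "users" query.
func defaultDetailQueries() map[string]detailQuery {
	return map[string]detailQuery{
		"users_linux":   {Query: usersSQL, Platforms: []string{"linux"}},
		"users_macos":   {Query: usersSQL, Platforms: []string{"darwin"}},
		"users_windows": {Query: usersSQL, Platforms: []string{"windows"}},
		"os_version":    {Query: "SELECT * FROM os_version"},
	}
}

// sampleConfig is the JSON form of a features.detail_query_overrides block
// (constructed sample). JSON null and YAML null both decode to a nil *string,
// which is what distinguishes "disable this query" from "not overridden".
const sampleConfig = `{
  "features": {
    "detail_query_overrides": {
      "users_linux": null,
      "users_windows": "SELECT uid, username FROM users WHERE type = 'local'"
    }
  }
}`

// parseOverrides extracts the override map; a key present with a nil value
// means "disabled", a non-nil value means "replace the SQL".
func parseOverrides(cfg string) (map[string]*string, error) {
	var parsed struct {
		Features struct {
			DetailQueryOverrides map[string]*string `json:"detail_query_overrides"`
		} `json:"features"`
	}
	if err := json.Unmarshal([]byte(cfg), &parsed); err != nil {
		return nil, err
	}
	return parsed.Features.DetailQueryOverrides, nil
}

// applyOverrides returns the effective query set: untouched queries are kept,
// nil overrides drop the query, string overrides swap in the new SQL.
func applyOverrides(defaults map[string]detailQuery, overrides map[string]*string) map[string]detailQuery {
	out := make(map[string]detailQuery, len(defaults))
	for name, dq := range defaults {
		ov, present := overrides[name]
		switch {
		case !present:
			out[name] = dq
		case ov == nil:
			// explicitly disabled; do not schedule it at all
		default:
			dq.Query = *ov
			out[name] = dq
		}
	}
	return out
}

// queriesForPlatform lists, sorted, the query names a host on the given
// platform ("linux", "darwin", "windows") would actually run.
func queriesForPlatform(qs map[string]detailQuery, platform string) []string {
	var names []string
	for name, dq := range qs {
		if len(dq.Platforms) == 0 || containsString(dq.Platforms, platform) {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

func containsString(xs []string, s string) bool {
	for _, x := range xs {
		if x == s {
			return true
		}
	}
	return false
}

func main() {
	overrides, err := parseOverrides(sampleConfig)
	if err != nil {
		panic(err)
	}
	effective := applyOverrides(defaultDetailQueries(), overrides)
	for _, p := range []string{"linux", "darwin", "windows"} {
		fmt.Printf("%-8s %s\n", p, strings.Join(queriesForPlatform(effective, p), ", "))
	}
	fmt.Println("windows users SQL:", effective["users_windows"].Query)
}
```

The key detail is the map[string]*string target type: with a plain map[string]string a null value and an absent key would be indistinguishable, and "disable on Linux only" could not be expressed. With the per-platform names, a Linux host ends up running only os_version, macOS keeps the stock users query, and Windows runs the replacement SQL.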

noahtalerman commented 2 weeks ago

Thanks for tracking and putting some work into a POC @lucasmrod!

My gut says we should try to move quickly to get the true fix in: a better users table.

If this is moving too slowly then I think we should add a new local_users table: https://github.com/fleetdm/fleet/issues/18343#issuecomment-2117694007

The overrides feels more like a bandaid solution.

What do you think?

lucasmrod commented 2 weeks ago

> The overrides feels more like a bandaid solution.

I agree! Though the bandaid has helped customers in several situations (with non-performing detail queries). This issue makes the bandaid a bit more helpful.

Happy to close if we can wait for osquery or add a fleetd solution for the specific case of the users detail query.

noahtalerman commented 2 days ago

Hey @lucasmrod I think let's go w/ the osquery or fleetd solution (depending on outcome of osquery office hours).

lucasmrod commented 2 days ago

Gotcha. Happy to close if we don't yet see a need for this.

fleet-release commented 2 days ago

Custom queries flow, Windows, Linux, or Mac, Flexibility grows.