
Possible issue with ATC tables in osquery 5.12.1?

Open zwass opened this issue 10 months ago • 9 comments

Osquery 5.12.1
💥  Actual behavior

(Reported from @directionless at Kolide) Apparently Kolide has found that their ATC tables are no longer registering with osquery 5.12.1. They do some special things with config plugins, so the issue may be isolated to their setup.

🧑‍💻  Steps to reproduce

Not sure exactly, but let's try to reproduce this using the standard way that we configure ATC tables (through agent options). If that works fine, let's close out this issue and let Kolide continue investigating their special case. If we do reproduce the issue let's work with osquery to get things fixed.

🕯️ More info (optional)

N/A

zwass avatar Apr 23 '24 17:04 zwass

@zwass I followed the instructions located here and appear to have been successful. I'll close this out, but please feel free to re-open with further instructions if I've missed something.

image

xpkoala avatar Apr 24 '24 18:04 xpkoala

ATC tables fixed, Osquery's light unmasked, Fleet's path, clear as glass.

fleet-release avatar Apr 24 '24 18:04 fleet-release

@xpkoala did you test this with fleetd or plain osquery?

Per discussion in osquery slack (https://osquery.slack.com/archives/C6PNW4528/p1714580512141179?thread_ts=1713984325.377259&cid=C6PNW4528) this may only be triggered if there's a table extension also registered (which would be the case with fleetd but not plain osquery).

zwass avatar May 01 '24 18:05 zwass

FWIW https://github.com/osquery/osquery/issues/8323

directionless avatar May 01 '24 20:05 directionless

@xpkoala can you please re-test with the information discussed in the osquery Slack to try to reproduce?

zwass avatar May 02 '24 20:05 zwass

@zwass ahh, sorry for missing this yesterday, I'll jump on it in a moment. FWIW I did test with fleetd originally.

xpkoala avatar May 02 '24 20:05 xpkoala

@zwass Given 5.12.2 draft release is out (which just reverts the related change - https://github.com/osquery/osquery/compare/5.12.1...5.12.2), do we still need to reproduce?

lucasmrod avatar May 09 '24 17:05 lucasmrod

I think it's worthwhile to test still as we would want to see whether 5.12.1 actually has issues in our deployments and if 5.12.2 fixes those.

@xpkoala

zwass avatar May 09 '24 18:05 zwass

The following was tested with @lucasmrod and no complications were seen getting results from tables created with ATC:

  1. spin up local TUF server with binaries created that would load some of our test extensions (hello world, hello mars)
  2. modify the agent config (via fleet UI) to load the tcc_system_entries table (via ATC)
  3. enroll the host
  4. confirmed queries against tcc_system_entries table worked
  5. remove the modifications made in the agent config (to remove tcc_system_entries table)
  6. confirmed queries against tcc_system_entries were no longer working.
  7. repeat adding and removing the ATC entry and making sure I was getting the expected results on queries.

xpkoala avatar May 09 '24 21:05 xpkoala
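Before pushing an ATC definition into agent options for a reproduction like the one above, it helps to validate the definition offline. The following Python script is an added example, not code from this thread or from Fleet/osquery: it checks an `auto_table_construction` fragment for the required keys, rejects anything that is not a single SELECT, and runs the query against a constructed stand-in SQLite database to confirm the result columns match the declared `columns` list (osquery builds the virtual table's schema from that list). The `tcc_system_entries` query and the sample `access` table are illustrative assumptions, not Fleet's real configuration or the actual TCC.db schema.

```python
import json
import sqlite3

# Constructed ATC config in the shape of osquery's "auto_table_construction"
# option (table name -> definition). The query/columns are an assumed subset.
ATC_CONFIG = json.loads("""
{
  "auto_table_construction": {
    "tcc_system_entries": {
      "query": "SELECT service, client, auth_value FROM access",
      "path": "/Library/Application Support/com.apple.TCC/TCC.db",
      "columns": ["service", "client", "auth_value"],
      "platform": "darwin"
    }
  }
}
""")

REQUIRED = ("query", "path", "columns")


def build_sample_db():
    """Constructed stand-in for TCC.db: an 'access' table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access (service TEXT, client TEXT, auth_value INTEGER)")
    conn.executemany("INSERT INTO access VALUES (?, ?, ?)", [
        ("kTCCServiceCamera", "com.example.app", 2),
        ("kTCCServiceMicrophone", "com.example.app", 0),
    ])
    return conn


def validate_atc(config, conn):
    """Return {table_name: [problems]}; an empty list means the entry is sane."""
    report = {}
    for name, spec in config.get("auto_table_construction", {}).items():
        problems = [f"missing key {k!r}" for k in REQUIRED if k not in spec]
        if problems:
            report[name] = problems
            continue
        q = spec["query"].strip().rstrip(";")
        # Only a single read-only SELECT belongs in an ATC definition.
        if not q.upper().startswith("SELECT") or ";" in q:
            problems.append("query must be a single SELECT statement")
        else:
            got = [d[0] for d in conn.execute(q).description]
            if got != list(spec["columns"]):
                problems.append(f"query yields {got}, config declares {spec['columns']}")
        report[name] = problems
    return report
```

Run it against a copy of the real database file by pointing `sqlite3.connect` at that path instead of the in-memory sample; any non-empty problem list is a definition to fix before it reaches fleetd.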

(Another way to try to reproduce: vanilla osquery + fleetd_tables extension.)

lucasmrod avatar May 10 '24 14:05 lucasmrod

Closing the bug per this thread. https://fleetdm.slack.com/archives/C019WG4GH0A/p1715278510072879

xpkoala avatar May 13 '24 14:05 xpkoala

ATC tables fixed, Like a city in the clouds, Fleet soars, unimpeded.

fleet-release avatar May 13 '24 14:05 fleet-release