
Osctrl assumes self-signed

Open CptOfEvilMinions opened this issue 2 years ago • 1 comment

Osctrl assumes a self-signed certificate for the Osquery deployment, but that is not the case. Since we are using an AWS LB with ACM certs, our certs are signed by a trusted authority. Therefore, we don't need to provide a cert to Osquery with --tls_server_certs; we can simply omit providing a file and this flag. When Osquery attempts to connect to osctrl it will use the OS's root cert store to verify the cert.

In addition, since ACM certs are only valid for 1 year, this means we don't have to manage rotating secrets on clients.

CptOfEvilMinions, Apr 01 '22 17:04

One option is to have a CLI flag so the user can decide if they want to pin a certificate or not.

CptOfEvilMinions, Apr 01 '22 17:04
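The two trust policies discussed in this thread (pinning a CA bundle, as osquery does with --tls_server_certs, versus leaving the flag out and relying on the OS root store, as the original post proposes for ACM-issued certs) can be shown side by side in a few lines of Go. The following is an added example written for this page; it is not osctrl's or osquery's code, and the function names (`tlsConfigFor`, `probe`, `demo`) are illustrative. It stands up a local HTTPS server with a self-signed certificate, which is the case where pinning is required, and shows that the pinned policy accepts it while the system-store policy rejects it. A server fronted by an ACM/public-CA certificate would pass the system-store probe without any bundle, which is the opt-in behaviour the comment above suggests exposing as a CLI flag.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// tlsConfigFor builds the client-side trust policy. A non-empty PEM bundle
// pins trust to exactly those certificates, which is what osquery does when
// it is started with --tls_server_certs. An empty bundle leaves RootCAs nil,
// so Go (like osquery without the flag) verifies against the OS root store.
// Illustrative code, not osctrl's or osquery's own implementation.
func tlsConfigFor(caPEM []byte) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(caPEM) == 0 {
		return cfg, nil // RootCAs == nil: use the system trust store
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no certificates found in pinned CA bundle")
	}
	cfg.RootCAs = pool
	return cfg, nil
}

// probe performs one HTTPS GET under the given trust policy and returns the
// TLS/HTTP error, if any. Verification is never disabled.
func probe(url string, cfg *tls.Config) error {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	_, err = io.Copy(io.Discard, resp.Body)
	return err
}

// isUnknownAuthority reports whether err is a chain-building failure, i.e.
// the server certificate does not chain to any trusted root.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// demo starts a local HTTPS server with a self-signed certificate (a
// constructed stand-in for an osctrl host without a public-CA cert) and
// probes it under both policies. It returns the error from the pinned probe
// and the error from the system-store probe.
func demo() (pinnedErr, systemErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()

	// Export the server's own self-signed certificate as the "pinned" bundle,
	// the equivalent of the file handed to osquery via --tls_server_certs.
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})

	pinned, err := tlsConfigFor(caPEM)
	if err != nil {
		return err, err
	}
	system, _ := tlsConfigFor(nil)

	return probe(srv.URL, pinned), probe(srv.URL, system)
}

func main() {
	pinnedErr, systemErr := demo()
	fmt.Println("pinned bundle:    ", pinnedErr) // <nil>: the self-signed cert is trusted explicitly
	fmt.Println("system store:     ", systemErr) // x509 error: no public CA vouches for it
	fmt.Println("unknown authority:", isUnknownAuthority(systemErr))
}
```

The practical check before dropping --tls_server_certs on the agents is the second probe: if an agent-side client with no bundle can reach the osctrl endpoint without an unknown-authority error, the host's root store already trusts the issuer and a pinned file only adds a secret to rotate.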