osquery icon indicating copy to clipboard operation
osquery copied to clipboard

Published 20 hours ago verified publisher icon osquery

Minor amendment to `--tls_dump` docs

Open lucasmrod opened this issue 2 years ago • 3 comments

See:

https://github.com/osquery/osquery/blob/abab44c4dab87d7881d3b8a9955fcb1995db2fdd/osquery/remote/transports/tls.cpp#L223-L225 https://github.com/osquery/osquery/blob/abab44c4dab87d7881d3b8a9955fcb1995db2fdd/osquery/remote/transports/tls.cpp#L257-L259 https://github.com/osquery/osquery/blob/abab44c4dab87d7881d3b8a9955fcb1995db2fdd/osquery/remote/transports/tls.cpp#L272-L274

lucasmrod avatar Aug 05 '22 19:08 lucasmrod

Do you think it's more correct to fix the print?

directionless avatar Aug 09 '22 10:08 directionless

Here's the original PR/commit that added the --tls_dump feature: https://github.com/osquery/osquery/commit/95c4d733cc2590e96538e7a9c8dea13a3b5f565b.

IMO it might make more sense to print to stderr as it is printed with the rest of the logging (would provide more context). Also looks like stdout is used more for command line user output, e.g. https://github.com/osquery/osquery/blob/0aff33e467cc8290d9a81bd91426c592c231ae4e/osquery/core/init.cpp#L221-L249

PS: And maybe using VLOG(1) instead of fprintf to provide more context (like timestamp) to the request/response dump.

Am all ears.

lucasmrod avatar Aug 09 '22 11:08 lucasmrod

I don't know the history of this feature. As you point out -- the initial PR is inconsistent between the docs (stderr) and the code (stdout). For unix utilities in general, it's common to send extra debugging to stderr, so that stdout remains whatever the normal stuff is. For daemons like osquery that's less important.

I think any of the things you outline seems reasonable. (This PR, updating to use stderr, or updating to use VLOG). I probably have a slight bias towards VLOG? But can be convinced otherwise.

directionless avatar Aug 09 '22 14:08 directionless

I probably have a slight bias towards VLOG? But can be convinced otherwise.

Just realized during some dummy tests that the use of VLOG in tls.cpp is not a good idea. If we dump the request/response body to VLOG then it will be buffered and, if --logger_plugin is set to tls, it will be eventually sent via TLS to the logger endpoint, which in turn will also cause the logger request body to be dumped to VLOG, buffered, and then sent on the next log period, etc.

So, if we really want to log to stderr then I'd say we just change fprintf(stdout, ...) to fprintf(stderr, ...).

lucasmrod avatar Aug 11 '22 13:08 lucasmrod

Well, I guess not VLOG. Dunno if it merits a comment or if this PR is enough.

I'd probably still bias to stderr but can be persuaded.

directionless avatar Aug 11 '22 19:08 directionless

I'd probably still bias to stderr but can be persuaded.

Done.

lucasmrod avatar Aug 11 '22 19:08 lucasmrod