
Osctrl assumes self-signed #250

Open
CptOfEvilMinions opened this issue Apr 1, 2022 · 1 comment
Labels
enrollment Enrollment related issue osquery osquery related issues

Comments

@CptOfEvilMinions
Collaborator

CptOfEvilMinions commented Apr 1, 2022

Osctrl assumes a self-signed certificate for the Osquery deployment, but that is not the case. Since we are using an AWS LB with ACM certs, our certs are signed by a trusted authority. Therefore, we don't need to provide a cert to Osquery with --tls_server_certs; we can simply omit the file and this flag. When Osquery attempts to connect to osctrl, it will use the OS's root cert store to verify the cert.

In addition, since ACM certs are only valid for 1 year, this means we don't have to manage rotating secrets on clients.

@CptOfEvilMinions
Collaborator Author

One option is to have a CLI flag so the user can decide if they want to pin a certificate or not.
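
The two client postures discussed in the comments above, verifying the osctrl server certificate against the OS root store (what osquery does when --tls_server_certs is omitted) versus against a pinned CA file (what --tls_server_certs does), modelled as an added Go example. This is not osctrl or osquery code; the hostname, the in-memory private CA and the function name VerifyServerCert are assumptions made for the example, and the certificates are generated in memory so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example, not osctrl or osquery code. It models what an osquery client
// accepts with --tls_server_certs omitted (OS root store) versus with a pinned
// CA file, using certificates constructed in memory.

// newCert builds a certificate for host. When parent is nil the certificate
// is self-signed; otherwise it is issued by parent/parentKey.
func newCert(host string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Server certs need a SAN and the serverAuth EKU to pass verification.
		tmpl.DNSNames = []string{host}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, key.Public(), signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyServerCert (hypothetical name) checks leaf for host. With pinnedCA == nil
// it trusts the OS root store, as osquery does without --tls_server_certs;
// otherwise it trusts only pinnedCA, as osquery does when --tls_server_certs
// points at that CA.
func VerifyServerCert(leaf *x509.Certificate, host string, pinnedCA *x509.Certificate) error {
	var roots *x509.CertPool
	if pinnedCA == nil {
		sys, err := x509.SystemCertPool()
		if err != nil {
			return err
		}
		roots = sys
	} else {
		roots = x509.NewCertPool()
		roots.AddCert(pinnedCA)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenarios returns, per posture, whether verification succeeds. The hostname
// and the private CA are constructed for the example.
func Scenarios() (map[string]bool, error) {
	const host = "osctrl.example.internal" // assumed hostname
	privateCA, caKey, err := newCert("Example Private CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	fromPrivateCA, _, err := newCert(host, false, privateCA, caKey)
	if err != nil {
		return nil, err
	}
	selfSigned, _, err := newCert(host, false, nil, nil)
	if err != nil {
		return nil, err
	}
	return map[string]bool{
		// Self-signed or private-CA certs cannot chain to the OS root store.
		"self-signed, OS roots": VerifyServerCert(selfSigned, host, nil) == nil,
		"private CA, OS roots":  VerifyServerCert(fromPrivateCA, host, nil) == nil,
		// The same certs verify once the issuer is pinned via --tls_server_certs.
		"self-signed, pinned itself": VerifyServerCert(selfSigned, host, selfSigned) == nil,
		"private CA, pinned CA":      VerifyServerCert(fromPrivateCA, host, privateCA) == nil,
		// Pinning a stale issuer fails: this is what a rotated server cert looks
		// like to a client whose pinned file was not updated.
		"private CA, pinned self-signed": VerifyServerCert(fromPrivateCA, host, selfSigned) == nil,
	}, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for name, ok := range res {
		fmt.Printf("%-32s verified=%v\n", name, ok)
	}
}
```

A certificate issued by a publicly trusted CA (such as one behind an AWS load balancer) would fall into the "OS roots" posture and verify without any pinned file; that case cannot be reproduced offline, so the example shows only the private and self-signed cases that require pinning.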

@javuto javuto added enrollment Enrollment related issue osquery osquery related issues labels Apr 2, 2022
Development

No branches or pull requests

2 participants