sintore.blogg.se

Osquery ports









Osquery's remote configuration and logger plugins are completely optional. The default built-in plugins receive and report via URI endpoints. osquery provides somewhat flexible node (the machine running osquery) authentication and identification through an 'enrollment' concept.

The remote settings and plugins are mostly provided as examples. It is best to write custom plugins that implement specific web services or integrations. The remote settings use many additional CLI flags for configuring osquery clients; they are mostly organized under the Remote Settings heading.

The most important differentiator to the filesystem suite of plugins is an authentication (and enrollment) step. Machines running osqueryd processes are called nodes and must authenticate to the remote server for every config retrieval and log submission request.

The initial step is called an "enroll step" and, in the case of tls plugins, uses an implicit enroll plugin, also called tls. If you enable either the config or logger tls plugin, the enrollment plugin will turn on automatically. Enrollment provides an initial secret to the remote server in order to negotiate a private node secret used for future identification.

1. Configure a target --tls_hostname, --enroll_tls_endpoint.
2. Configure a proxy --proxy_hostname (Optional Step).
3. Place your server's root certificate authority's PEM-encoded certificate into a file, for example /path/to/server-root.pem and configure the client to pin to these roots: --tls_server_certs=.
4. Submit an --enroll_secret_path, an --enroll_secret_env, or use TLS-client authentication, to the enroll endpoint.
5. Receive a node_key and store within the node's persistent storage (RocksDB).
6. Make config/logger requests while providing node_key as identification/authentication.

The validity of a node_key is determined and implemented in the TLS server. The node will request the key during an initial enroll step then post the key during subsequent requests for config or logging.

Note: --proxy_hostname is used to communicate via proxy server.

Simple shared secret enrollment

A deployment key, called an enrollment shared secret, is the simplest tls plugin enrollment authentication method. A protected shared secret is written to disk, and osquery reads it and then posts the content to --enroll_tls_endpoint once during enrollment. The TLS server may implement an enrollment request approval process that requires manual intervention/approval for each new enrollment request.

After enrollment, a node maintains the response node_key for authenticated requests to config and logger TLS endpoints.
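The server side of the enroll and config exchange, sketched as an added example (not code from this page or from the osquery project). It assumes JSON request and response bodies with the field names enroll_secret, host_identifier, node_key and node_invalid, none of which are stated on this page; the secret value and the in-memory key store are constructed for illustration.

```python
import hmac
import json
import secrets

# Constructed sample value; a real deployment loads the secret from protected storage.
ENROLL_SECRET = "constructed-enroll-secret"
NODE_KEYS = {}  # node_key -> host_identifier (in-memory stand-in for a database)


def handle_enroll(body: bytes) -> dict:
    """Enroll endpoint: exchange the shared enrollment secret for a per-node key."""
    try:
        req = json.loads(body)
    except ValueError:
        return {"node_invalid": True}
    if not isinstance(req, dict):
        return {"node_invalid": True}
    offered = req.get("enroll_secret")
    # Constant-time comparison so response timing does not leak the secret.
    if not isinstance(offered, str) or not hmac.compare_digest(
        offered.encode(), ENROLL_SECRET.encode()
    ):
        return {"node_invalid": True}
    node_key = secrets.token_urlsafe(32)  # unpredictable and unique per node
    NODE_KEYS[node_key] = str(req.get("host_identifier", "unknown"))
    return {"node_key": node_key, "node_invalid": False}


def handle_config(body: bytes, config: dict) -> dict:
    """Config endpoint: serve configuration only to nodes presenting a known node_key."""
    try:
        req = json.loads(body)
    except ValueError:
        return {"node_invalid": True}
    key = req.get("node_key") if isinstance(req, dict) else None
    if not isinstance(key, str) or key not in NODE_KEYS:
        # Unknown or revoked key: report the node as invalid instead of serving config.
        return {"node_invalid": True}
    return {**config, "node_invalid": False}


def revoke(node_key: str) -> None:
    """Revocation: the validity of a node_key is decided entirely by the server."""
    NODE_KEYS.pop(node_key, None)
```

Because every node initially presents the same shared secret, revoking one node's key does not stop it from enrolling again; that gap is what the manual approval step for new enrollment requests is meant to close.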









