
Agent options: allow vmodule command line flag #25838

Open
11 of 25 tasks
noahtalerman opened this issue Jan 28, 2025 · 7 comments
Assignees
Labels
#g-orchestration Orchestration product group :product Product Design department (shows up on 🦢 Drafting board) story A user story defining an entire feature

Comments

@noahtalerman
Member

noahtalerman commented Jan 28, 2025

Goal

User story
As a security engineer on the Agent options page in Fleet,
I want to add vmodule to the command_line_flags object
so that I can limit the amount of noise while debugging osquery issues.

Key result

Small UX improvements

Original requests

Context

Changes

Product

  • UI changes: On the Settings > Organization settings > Agent options page, allow the user to add vmodule under command_line_flags
  • CLI (fleetctl) usage changes: When using fleetctl apply -f agent-options.yml, allow the user to add vmodule under command_line_flags.
  • YAML changes: In agent_options, allow the user to add vmodule under command_line_flags.
  • REST API changes: In the PATCH /config API endpoint, allow the user to add vmodule under command_line_flags. Make sure the website is updated.
  • Fleet's agent (fleetd) changes: No changes.
  • Activity changes: No changes.
  • Permissions changes: No changes.
  • Changes to paid features or tiers: Fleet Free and Fleet Premium
  • Transparency changes: No changes.
  • First draft of test plan added
  • Other reference documentation changes: No changes.
  • Once shipped, requester has been notified
  • Once shipped, dogfooding issue has been filed

Engineering

  • Test plan is finalized
  • Feature guide changes: no need
  • Database schema migrations: no need
  • Load testing: no need

ℹ️ Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

@xpkoala, please approve/complete the risk and test-plan sections and remove the TODOs

  • Requires load testing: Yes
  • Risk level: Low
  • Risk description: This is built-in, though minimally documented, osquery functionality and not new tooling. We will want to be aware of this change during load testing as we should see an increase in logging.

Test plan

  • In the Settings > Organization settings > Agent options page, add vmodule under command_line_flags and click the Save button. Agent options should save successfully.
  • Run fleetctl apply -f agent-options.yml, with vmodule under command_line_flags. Agent options should be updated successfully.
  • Using Fleet's YAML (GitOps), in agent_options, add vmodule under command_line_flags.
  • REST API changes: Using the PATCH /config API endpoint, add vmodule under command_line_flags.
    • @noahtalerman: How do we check that the vmodule was actually added? Let's chat about this during user story review.
  • Check the fleetd logs to verify that the vmodule was set. Setting the flag with vmodule=init=1 should produce additional osquery logs. I do not have specific examples at this time, but a snippet of logs with and without the flag enabled can be diffed to confirm the flag is working as intended.

Testing notes

This conversation shows the use case in the wild.

Confirmation

  1. Engineer: Added comment to user story confirming successful completion of test plan.
  2. QA: Added comment to user story confirming successful completion of test plan.
@noahtalerman noahtalerman added #g-orchestration Orchestration product group :product Product Design department (shows up on 🦢 Drafting board) story A user story defining an entire feature labels Jan 28, 2025
@noahtalerman noahtalerman self-assigned this Jan 28, 2025
@noahtalerman
Member Author

@dantecatalfamo what does the vmodule do? I think we want to add vmodule with a short description to the osquery_flags table.

@noahtalerman noahtalerman added Epic DO NOT USE. Auto-created by ZenHub, cannot be disabled. and removed Epic DO NOT USE. Auto-created by ZenHub, cannot be disabled. labels Jan 28, 2025
@dantecatalfamo
Member

Hey @noahtalerman. My understanding is that the vmodule flag gives you fine-grained control over which osquery internal systems output logs. It's an undocumented flag and there's very little information about it outside of a small source code comment. The osquery_flags table is controlled by osquery itself and only shows non-hidden flags, so I don't think there's much we can do to make it display information about it.

@dantecatalfamo
Member

There are a number of other hidden flags we support that don't show up in --help or osquery_flags as well.

    // those osquery flags are not OS-specific, but are also not visible using
    // osqueryd --help or select * from osquery_flags, so they can't be generated
    // by the osquery-agent-options script.
    type OsqueryCommandLineFlagsHidden struct {
        AlsoLogToStderr               bool   `json:"alsologtostderr"`
        EventsStreamingPlugin         string `json:"events_streaming_plugin"`
        IgnoreRegistryExceptions      bool   `json:"ignore_registry_exceptions"`
        LogBufSecs                    int32  `json:"logbufsecs"`
        LogDir                        string `json:"log_dir"`
        MaxLogSize                    int32  `json:"max_log_size"`
        MinLogLevel                   int32  `json:"minloglevel"`
        StopLoggingIfFullDisk         bool   `json:"stop_logging_if_full_disk"`
        AllowUnsafe                   bool   `json:"allow_unsafe"`
        TLSDump                       bool   `json:"tls_dump"`
        AuditDebug                    bool   `json:"audit_debug"`
        AuditFIMDebug                 bool   `json:"audit_fim_debug"`
        AuditShowPartialFIMEvents     bool   `json:"audit_show_partial_fim_events"`
        AuditShowUntrackedResWarnings bool   `json:"audit_show_untracked_res_warnings"`
        AuditFIMShowAccesses          bool   `json:"audit_fim_show_accesses"`
    }
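
Assuming, as the comment above suggests, that Fleet accepts a hidden osquery flag in command_line_flags by declaring it in this struct, "allowing vmodule" comes down to one more field plus a check on what is stored in it. The Go program below is an added example written for this page, not Fleet's code: it uses a hypothetical trimmed copy of the struct (three logging fields from the comment plus a VModule string field tagged vmodule, an assumed name and type), decodes a command_line_flags object with unknown fields disallowed, and syntax-checks the vmodule value as a comma-separated list of pattern=level entries, the glog format that the test plan's vmodule=init=1 follows. The parseHiddenFlags and validateVModule names and the sample payloads are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Hypothetical, trimmed copy of the hidden-flags struct from the comment
// above: three logging-related fields taken from it, plus the proposed
// vmodule field (an assumed name and type, not Fleet's code).
type osqueryCommandLineFlagsHidden struct {
	AlsoLogToStderr bool   `json:"alsologtostderr"`
	LogBufSecs      int32  `json:"logbufsecs"`
	MinLogLevel     int32  `json:"minloglevel"`
	VModule         string `json:"vmodule"` // proposed addition
}

// vmoduleEntry matches one "pattern=level" element of a glog-style vmodule
// value, e.g. "init=1". The pattern is limited to the characters glog module
// names and globs use; the level must be a non-negative integer.
var vmoduleEntry = regexp.MustCompile(`^[A-Za-z0-9_*?./-]+=[0-9]+$`)

// validateVModule checks the syntax of a vmodule value before it is stored
// in agent options and returns the parsed pattern -> level pairs.
func validateVModule(spec string) (map[string]int, error) {
	if strings.TrimSpace(spec) == "" {
		return nil, errors.New("vmodule: empty value")
	}
	levels := make(map[string]int)
	for _, entry := range strings.Split(spec, ",") {
		entry = strings.TrimSpace(entry)
		if !vmoduleEntry.MatchString(entry) {
			return nil, fmt.Errorf("vmodule: invalid entry %q (want pattern=level)", entry)
		}
		kv := strings.SplitN(entry, "=", 2)
		level, err := strconv.Atoi(kv[1])
		if err != nil {
			return nil, fmt.Errorf("vmodule: level out of range in %q", entry)
		}
		levels[kv[0]] = level
	}
	return levels, nil
}

// parseHiddenFlags decodes a command_line_flags object, rejecting any flag
// the struct does not declare. Without the VModule field a payload that
// carries vmodule fails here with an unknown-field error; with it, the value
// is accepted and then syntax-checked.
func parseHiddenFlags(raw []byte) (*osqueryCommandLineFlagsHidden, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	var flags osqueryCommandLineFlagsHidden
	if err := dec.Decode(&flags); err != nil {
		return nil, err
	}
	if flags.VModule != "" {
		if _, err := validateVModule(flags.VModule); err != nil {
			return nil, err
		}
	}
	return &flags, nil
}

func main() {
	// Constructed sample payloads; none is taken from a real Fleet config.
	samples := []string{
		`{"minloglevel": 1, "vmodule": "init=1"}`,
		`{"vmodule": "init=1,scheduler=2"}`,
		`{"vmodule": "init=high"}`,
		`{"not_a_flag": true}`,
	}
	for _, raw := range samples {
		flags, err := parseHiddenFlags([]byte(raw))
		if err != nil {
			fmt.Printf("rejected %s: %v\n", raw, err)
			continue
		}
		fmt.Printf("accepted %s (vmodule=%q)\n", raw, flags.VModule)
	}
}
```

The syntax check matters because the value ends up on the osquery command line of every enrolled host: restricting it to pattern=level entries keeps the agent-options endpoint from accepting anything other than a logging verbosity spec, and the same check gives QA a concrete way to confirm that a rejected value was rejected for the right reason.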

@noahtalerman
Member Author

@dantecatalfamo got it! I'm going to file a separate user story to expose these in osquery_flags.

This user story (#25838) is just about allowing the user to set vmodule in Fleet.

@noahtalerman
Member Author

@sharon-fdm just a reminder that this research user story is ready to spec. Can you please complete the TODOs in the "Engineering" section to get this one ready for estimation?

@sharon-fdm
Collaborator

Hey team! Please add your planning poker estimate with Zenhub @dantecatalfamo @lucasmrod @sgress454

@sharon-fdm
Collaborator

Please add your planning poker estimate with Zenhub @jacobshandling
