Possible issue with ATC tables in osquery 5.12.1?

[zwass]

Osquery 5.12.1

---

💥  Actual behavior

(Reported from @directionless at Kolide)
Apparently Kolide has found that their ATC tables are no longer registering with osquery 5.12.1. They do some special things with config plugins, so the issue may be isolated to their setup.

🧑‍💻  Steps to reproduce

Not sure exactly, but let's try to reproduce this using the standard way that we configure ATC tables (through agent options). If that works fine, let's close out this issue and let Kolide continue investigating their special case. If we do reproduce the issue let's work with osquery to get things fixed.

🕯️ More info (optional)

N/A

[xpkoala]

@zwass I followed the instructions located here and appear to have been successful. I'll close this out, but please feel free to re-open with further instructions if I've missed something.

[fleet-release]

ATC tables fixed,
Osquery's light unmasked,
Fleet's path, clear as glass.

[zwass]

@xpkoala did you test this with fleetd or plain osquery?

Per discussion in osquery slack (https://osquery.slack.com/archives/C6PNW4528/p1714580512141179?thread_ts=1713984325.377259&cid=C6PNW4528) this may only be triggered if there's a table extension also registered (which would be the case with fleetd but not plain osquery).

[directionless]

FWIW osquery/osquery#8323

[zwass]

@xpkoala can you please re-test with the information discussed in the osquery Slack to try to reproduce?

[xpkoala]

@zwass ahh, sorry for missing this yesterday, I'll jump on it in a moment. FWIW I did test with fleetd originally.

[lucasmrod]

@zwass Given 5.12.2 draft release is out (which just reverts the related change - osquery/osquery@5.12.1...5.12.2), do we still need to reproduce?

[zwass]

I think it's worthwhile to test still as we would want to see whether 5.12.1 actually has issues in our deployments and if 5.12.2 fixes those.

@xpkoala

[xpkoala]

The following was tested with @lucasmrod and no complications were seen getting results from tables created with ATC:

1. spin up local TUF server with binaries created that would load some of our test extensions (hello world, hello mars)
2. modify the agent config (via fleet UI) to load the tcc_system_entries table (via ATC)
3. enroll the host
4. confirmed queries against tcc_system_entries table worked
5. remove the modifications made in the agent config (to remove tcc_system_entries table)
6. confirmed queries against tcc_system_entries were no longer working.
7. repeat adding and removing the ATC entry and making sure I was getting the expected results on queries.

[lucasmrod]

(Another way to try to reproduce: vanilla osquery + fleetd_tables extension.)

[xpkoala]

Closing the bug per this thread. https://fleetdm.slack.com/archives/C019WG4GH0A/p1715278510072879

[fleet-release]

ATC tables fixed,
Like a city in the clouds,
Fleet soars, unimpeded.