Restrictions
Restrictions allow Kolide administrators to limit access to certain features or agent data sources within Kolide.
Restricting Features
There are two ways to restrict access to features in Kolide.
Globally
When you restrict access to a feature, you disable it for every Kolide administrator regardless of their access level. This means the feature will not be present in the UI and any background capabilities associated with that feature are disabled.
To restrict a feature, follow these steps:
- Click your avatar in the upper-right corner of the app.
- Click Settings.
- Click Restrictions in the left sidebar menu.
- Tick the checkbox next to the feature(s) you wish to disable.
- Click Save (this action will be logged in the audit log).
For A Specific User
Kolide users with Limited Access can either be invited with specific feature restrictions or have features added/removed later.
To restrict a Kolide Admin’s access:
- Click your avatar in the upper-right corner of the app.
- Click Settings.
- Click Users & Access in the left sidebar menu.
- Locate the user you want to restrict and click Edit.
- In the modal that opens, ensure the Restricted Access radio button is selected. This will reveal Feature Restrictions options.
- Tick the checkbox next to the feature(s) you wish to disable.
- Click Save to apply the changes.
Data Source Restrictions
In addition to disabling access to features, you can also control which osquery tables Kolide administrators can query within the Live Query, Log Pipeline, and Custom Checks features.
You may not want your teammates to query certain tables because they may contain sensitive information or cause performance issues when queried recklessly (e.g., shell_history).
Kolide Global Blocklist
Due to serious privacy or stability issues, Kolide bans the usage of the following osquery tables:
Table Name | Reason |
---|---|
asl | Returns 100k+ rows per device and is deprecated |
carves | Kolide does not support file carving |
dns_cache | Leaks sensitive user information |
running_apps | Exposes in-focus app on macOS, which we consider a privacy overreach |
example | Table exposes no functionality |
kolide_app_icons | Intended for Kolide internal use only |
kolide_program_icons | Intended for Kolide internal use only |
kolide_airport_util | Exposes BSSID which can be used to pinpoint a person’s exact location |
kolide_wifi_networks | Exposes BSSID which can be used to pinpoint a person’s exact location |
kolide_nmcli_wifi | Exposes BSSID which can be used to pinpoint a person’s exact location |
windows_eventlog | Causes osquery to hang on Windows when queried |
Kolide Suggested Blocklist
In addition to the globally blocklisted tables, Kolide seeds your organization’s Kolide account with the following suggestions. Unlike the global blocklist, any administrator can remove these restrictions if desired.
Table Name | Reason |
---|---|
shell_history | Often contains clear-text credentials from engineers using CLI API tools |
process_envs | Process environments on servers often contain secrets |
quicklook_cache | Leaks user sensitive information |
curl | Can be used to obtain information from a privileged/internal network |
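As an added illustration (not Kolide's own code), this is the kind of check a query gate could run before a Live Query executes: it extracts the table names from a simple osquery SQL statement and reports any that fall on the global blocklist or on the organization's own list. The two table sets are copied from the lists above; the regex-based extraction, the function names and the `org_blocklist` parameter are assumptions made for this example.

```python
import re

# Tables Kolide blocks for every administrator (global blocklist above).
GLOBAL_BLOCKLIST = frozenset({
    "asl", "carves", "dns_cache", "running_apps", "example",
    "kolide_app_icons", "kolide_program_icons", "kolide_airport_util",
    "kolide_wifi_networks", "kolide_nmcli_wifi", "windows_eventlog",
})

# Tables Kolide seeds as suggestions (suggested blocklist above);
# an administrator may remove any of these from the org list.
SUGGESTED_BLOCKLIST = frozenset({"shell_history", "process_envs",
                                 "quicklook_cache", "curl"})

# Identifier that directly follows FROM or JOIN (subquery parentheses
# are skipped; the inner SELECT's own FROM is matched instead).
_TABLE_REF = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)",
                        re.IGNORECASE)


def referenced_tables(sql: str) -> set:
    """Return the lower-cased table names a simple osquery statement reads."""
    # Remove -- and /* */ comments first, so a table name inside a comment
    # is neither counted nor able to hide a real reference on the same line.
    no_comments = re.sub(r"--[^\n]*|/\*.*?\*/", " ", sql, flags=re.DOTALL)
    return {m.group(1).lower() for m in _TABLE_REF.finditer(no_comments)}


def check_query(sql: str, org_blocklist=SUGGESTED_BLOCKLIST) -> dict:
    """Classify a query against the global list and the org's own list.

    Globally blocked tables are reported separately because, per the page,
    no administrator can lift those restrictions.
    """
    tables = referenced_tables(sql)
    org_only = (tables & org_blocklist) - GLOBAL_BLOCKLIST
    return {
        "tables": sorted(tables),
        "globally_blocked": sorted(tables & GLOBAL_BLOCKLIST),
        "org_blocked": sorted(org_only),
        "allowed": not (tables & (GLOBAL_BLOCKLIST | org_blocklist)),
    }


if __name__ == "__main__":
    # Constructed sample queries, one per outcome.
    for q in ("SELECT * FROM shell_history WHERE uid = 501;",
              "SELECT name FROM users -- FROM shell_history",
              "select * from dns_cache"):
        print(q, "->", check_query(q))
```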
Manage the Blocklist
To manage the osquery table blocklist, follow these steps:
- Click your avatar in the upper-right corner of the app.
- Click Settings.
- Click Restrictions in the left sidebar menu.
- Click Add/Remove Tables.
Adding Tables
To add a table, click Add Table at the bottom of the modal. In the text field that appears, type the name of the table you wish to add to the blocklist, then click Save.
Removing Tables
To remove a table, click the red X next to the table you wish to remove and then click Save.