SK
04/29/2021, 11:29 AM
stable and edge channel get triggered to update Osquery when running on-prem Fleet? And how does the update process itself work?

Mark Noonan
04/29/2021, 5:19 PM
echo "-----------------------------------"
echo "NGINX Config"
echo "-----------------------------------"
cat >/etc/nginx/nginx.conf <<EOF
# the following is for v1.12, prior version, keeping here just in case we need it again
#load_module /usr/lib64/nginx/modules/ngx_stream_module.so;
worker_processes auto;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log info;
events {
    worker_connections 4096;
}
http {
    log_format main '\$remote_addr - \$remote_user [\$time_local] "\$request" '
                    '\$status \$body_bytes_sent "\$http_referer" '
                    '"\$http_user_agent" "\$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    server {
        listen 8443 ssl http2 default_server;
        server_name _;
        #root /opt/socore/html/packages;
        #index index.html;
        ssl_certificate "xxxx";
        ssl_certificate_key "xxxxxx";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_pass https://127.0.0.1:8090;
            proxy_read_timeout 90;
            proxy_connect_timeout 90;
            proxy_set_header Host \$host;
            proxy_set_header X-Real-IP \$remote_addr;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_set_header Proxy "";
        }
        location /api/v1/fleet {
            proxy_pass https://127.0.0.1:8090;
            proxy_read_timeout 90;
            proxy_connect_timeout 90;
            proxy_set_header Host \$host;
            proxy_set_header X-Real-IP \$remote_addr;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_set_header Proxy "";
        }
        location /api/v1/kolide {
            proxy_pass https://127.0.0.1:8090;
            proxy_read_timeout 90;
            proxy_connect_timeout 90;
            proxy_set_header Host \$host;
            proxy_set_header X-Real-IP \$remote_addr;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_set_header Proxy "";
        }
    }
    server {
        listen 8080 ssl http2 default_server;
        server_name _;
        #root /opt/socore/html;
        #index blank.html;
        ssl_certificate "xxxxx";
        ssl_certificate_key "xxxxx";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location /api/v1/osquery {
            grpc_pass grpcs://127.0.0.1:8090;
            grpc_set_header Host \$host;
            grpc_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
            proxy_buffering off;
        }
    }
}
EOF
[1:16 PM] When trying to enroll we get a "curl: (52) Empty reply from server" error.

Edward
04/29/2021, 10:28 PM

defensivedepth
04/30/2021, 2:50 AM

Edward
04/30/2021, 9:45 PM

Edward
04/30/2021, 10:35 PM
select * from os_version would fail (not return any snapshot result) but a query like SELECT * FROM processes would succeed (returns snapshot result) on a given device when run at the same time in a query pack?

KK
05/05/2021, 9:43 AM

arod
05/06/2021, 9:36 PM
fleetctl?
./fleetctl apply -f pack-file.yml
They are imported and show up in the Fleet UI but they are commented out on the endpoints.

demonbhao
05/08/2021, 6:05 AM

Edward
05/09/2021, 8:56 PM
per_page field in the Fleet REST API? For example in a call like this: GET /api/v1/fleet/hosts?page=0&per_page=100&order_key=host_name

Edward
05/09/2021, 9:19 PM
GET /api/v1/fleet/hosts?page=0&per_page=100&order_key=host_name ?

Heather
05/10/2021, 12:27 PM

Ian Muscat
05/13/2021, 3:47 PM
spec.config.exclude_paths does not work, but spec.overrides.platforms.<platform>.exclude_paths does work. This seems to be inconsistent with spec.config.file_paths, which seems to work as expected (outside of the overrides block). Can anyone else replicate this behaviour, and if so, is this intended behaviour? Thanks!

Anoop K V
05/17/2021, 9:55 AM

Heather
05/17/2021, 1:26 PM

Juan Alvarez
05/17/2021, 5:00 PM
--logger_tls_max_lines using FleetDM? According to the osquery help it seems that I should be able to, but the change does not take effect and it seems to leave osquery in a weird status where it starts using a lot of memory but does not output any logs.

shailendra manghate
05/18/2021, 6:33 AM

Heather
05/18/2021, 9:17 AM

KK
05/18/2021, 11:17 AM
/api/v1/fleet/queries/run endpoint. I'm on the fleetdm/fleet:latest docker container pointing to an ElastiCache Redis cluster.
Based on the answer here (https://serverfault.com/questions/812156/redis-cluster-error-moved), my guess is that the Redis client in the Fleet container is not following the redirection. Has anyone encountered this and found a solution?

KK
05/18/2021, 11:23 AM
ubuntu@ubuntu:~/Desktop$ sudo orbit shell
2021-05-18T04:15:06-07:00 ERR error="download target osqueryd/linux/osqueryd: tuf: unknown target file: osqueryd/linux/osqueryd"

Dan Achin
05/18/2021, 5:41 PM

demonbhao
05/19/2021, 7:06 AM

Bacarus
05/19/2021, 4:13 PM

David Edwards
05/19/2021, 9:11 PM
sudo make package-builder
go run cmd/make/make.go -targets=deps-go,install-tools
go generate ./pkg/packagekit/... ./pkg/packaging/... ./pkg/osquery/tables/... ./pkg/augeas/...
pkg/packagekit/package_wix.go:21: running "go-bindata": exec: "go-bindata": executable file not found in $PATH
pkg/packagekit/wix/wix_test.go:19: running "go-bindata": exec: "go-bindata": executable file not found in $PATH
pkg/packaging/packaging.go:23: running "go-bindata": exec: "go-bindata": executable file not found in $PATH
pkg/augeas/augeas.go:24: running "go-bindata": exec: "go-bindata": executable file not found in $PATH
make: *** [generate] Error 1
Here's my .bash_profile config:
export GOPATH=/Users/bbadmin/Documents/mycode/go
export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin
Any thoughts as to what I'm doing wrong here?

Anoop K V
05/21/2021, 10:07 AM

Avi Norowitz
05/21/2021, 2:34 PM
osquery_enroll_cooldown option has the corresponding environmental variable FLEET_ENROLL_COOLDOWN. However, for consistency, I would have expected the environmental variable to be FLEET_OSQUERY_ENROLL_COOLDOWN. Is this an error in the docs? Is FLEET_OSQUERY_ENROLL_COOLDOWN the correct environmental variable? Let me know if I should open an issue on GitHub.

Heather
05/21/2021, 2:44 PM

Aleks
05/21/2021, 6:04 PM

wkleinhenz
05/22/2021, 12:28 AM

KK
05/24/2021, 11:43 AM
Error initializing service: initializing osquery logging: create firehose status logger: create Firehose writer: describe stream arn:aws:firehose:xx:xx:deliverystream/test_stream: NoCredentialProviders: no valid providers in chain. Deprecated.
My assumption is that the ECS task will first assume the role provided in FLEET_FIREHOSE_STS_ASSUME_ROLE_ARN using its default credential, which would be the ECS task role that it was configured to run with. Once assumed, the task will then be able to call DescribeDeliveryStream using the newly granted role. However, based on the code here, my guess is that the task could not find the default credentials(?). I'd like to avoid passing the access keys to the task; could anyone please take a look and see where I went wrong?
These are the environment variables/actions that I have configured so far:
• FLEET_OSQUERY_RESULT_LOG_PLUGIN: firehose
• FLEET_OSQUERY_STATUS_LOG_PLUGIN: firehose
• FLEET_FIREHOSE_REGION: xx
• FLEET_FIREHOSE_RESULT_STREAM: arn:aws:firehose:xx:xx:deliverystream/test_stream
• FLEET_FIREHOSE_STATUS_STREAM: arn:aws:firehose:xx:xx:deliverystream/test_stream
• FLEET_FIREHOSE_STS_ASSUME_ROLE_ARN: arn:aws:iam:xx:role/firehoseRole
• An ECS task role with permission to assume the role arn:aws:iam:xx:role/firehoseRole
• A new IAM role arn:aws:iam:xx:role/firehoseRole with permissions to call firehose:DescribeDeliveryStream and firehose:PutRecordBatch against arn:aws:firehose:xx:xx:deliverystream/test_stream