osquery #fleet

Ryan

09/16/2021, 4:46 PM

weirdly the subquery returns an error if I execute it directly:

Copy code

mysql> select 1 from host_software hs where hs.software_id=software.id;
ERROR 1054 (42S22): Unknown column 'software.id' in 'where clause'

jake

09/16/2021, 9:14 PM

Mainly just utilizing this to learn, working on deploying a home lab much like CptOfEvilMinions with Ansible. I am actually trying to include the Polylogx via an extension and using overrides to manage the flag files. Which when i query the flags it has everything that is required, except it is not generating the pipe as seen down below. Which the default Fleet Flag that is where it is listed, which I believe is C:\Program Files\Orbit\osquery.em . Is this correct? Or is this something that Orbit will not create from the TLS Configs?

Copy code

\\.\pipe\osquery.em

AndersJ

09/17/2021, 6:56 AM

Hi everyone! I’m currently taking fleet for a spin, but i’m a bit stuck at building Orbit. Using the old deprecated repo of Orbit, everything works fine. But the version of Orbit moved to fleets main repository, have the packaging module located differently. I can’t quite figure out what the new command to build the orbit package would be…

Mystery Incorporated

09/17/2021, 1:02 PM

Why does it only show 3 users when I click on the host but

select * from users

returns all the users used on the device?????

Mystery Incorporated

09/17/2021, 1:04 PM

Also the vulnerabiolity scanner is still broken and showing old vulnerabilities that don't exist anymore

jake

09/19/2021, 9:51 PM

Good afternoon, I just wanted to share my story and see if you all have have any input or advice for a young person thats interested in this field. I spent 13 years in the Marine Corps, 9 years as a Scout Sniper and 4 years as a recruiter. As I went to get out I wanted nothing to be a Pentester. I started diving more into Linux and Pentesting. My daughter who was in the first grade at the time, she asked for a laptop and wanted to start learning Computers and Linux. She would sit next to me for hours trying to figure out CLI. With my wife and her Grandparents telling her that "Woman don't like computers or work in IT" At the time my daughter struggled in Math, Reading, and English. School in general. But after wanting to learn about computers, pushed her to read more, do more math, and try to learn things. My wife and I see how much IT has helped her. Since then we have researched a Woman in IT every week, got her into Girls Who Code; learned Scratch, Python, and is in the process of Learning Go. Fast forward to the 4th grade, for the past year she wanted to learn programming to help Animal Science. You would think most kids, would either want to game or write programs for their own games. My daughter came to me 3 weeks ago asking about Osquery, FleetDM, and tables. We have officially rolled out FleetDM and Osquery. She will be giving her Second Talk for Girls who Code on Tables and SQL because of Osquery next month.

😊 6

Bacarus

09/20/2021, 9:53 AM

Hi all, I don’t understand how host uuid is managed and computed. Here my usecase: I’ve fleet (3.11) up and my pc is connected to the fleet server. My pc has 2 partitions and I use kolide launcher in 2 different OS with the same version of osquery (4.9.0). I also have another instance of osquery installed from osquery.io . • the host_uuid is the same (case insensitive) but it is lowercase in linux os and uppercase windows os, is it a coincidence or there is some rule in osquery? • if I run this query: select uuid from osquery_info; from osqueryi and from fleet the uuid is different, how the host_uuid is computed? does it have a dependency with launcher/osquery ?

Jocelyn Bothe

09/20/2021, 3:07 PM

We're having to roll back FleetDM to an earlier version (much earlier). The detail updates put so much load on our DB it becomes non-functional, even with our actual queries completely turned off. We're using the largest RDS instance AWS has, and it is just completely crushed. It's so bad, we're going to have to start exploring other central management solutions. 😞

Juan Alvarez

09/21/2021, 11:23 AM

Hi all, i have noticed that CPU consumption in FleetDM side is way lower when i put a LB (AWS ALB in this case) between FleetDM and osquery. Have anybody noticed the same behavior? The LB does not terminate TLS so i am trying to understand why CPU consumption differs so much

CptOfEvilMinions

09/21/2021, 4:10 PM

Hey Fleet, I noticed that the Fleet v4.0.0-rc2 release on Github was the last release to include a

fleet.zip

as a release asset. Just a friendly check to ensure this was intended 🙂.

Gavin

09/21/2021, 4:29 PM

Before I open an issue, I noticed a strange item which happens in the Fleet UI where two devices have the same Hostname & UDID Use case we normally run multiple OSquery versions on the same host to validate a number of discovery queries. When using select targets in the UI and you attempt to add the same machine twice but different instance it will actually remove the previously selected host vs adding to it. Using labels such as all hosts or a label to capture the same machine is fine. I consider this to be a customer edge case and I wanted to get your opinion as it seems almost a waste of a GH issue.

Saliaga

09/21/2021, 6:33 PM

Any idea on how to fix this permission issue?

Gavin

09/22/2021, 4:15 PM

Really like the vuln management aspect now been playing about with it . currently messing about with JQ to pull out those hard to reach ones like homebrew and choco packages.

Copy code

fleetctl get software --json > vulns.json

jq '.spec[]|select((.vulnerabilities != null) and  (.source=="chocolatey_packages")) | .name , .vulnerabilities ' vulns.json  | sort | uniq

ryan

09/22/2021, 4:17 PM

Anyone had any luck with logging and sending it into other GCP products like BigQuery or Cloud Store? I see documented support for AWS but just Sub/Pub for GCP.

Gavin

09/22/2021, 4:34 PM

QQ Should this filter allow data searching ?

Saliaga

09/23/2021, 5:57 PM

Just checking to see if my steps are correct so far: 1. After Creating a bundle using fleetctl package 2. Installing Debian package and enabling service 3. Confirming host was enrolled into Fleet through the console 4. Was able to run one off queries from the Fleet web console After running the queries, there are no entries within osqueryd.results.log on the endpoint? Would I need to package in some osqueryd.flags to configure logging? Should the results of the queries from the Fleet web console be saved under /logs/osqueryd.results.log (This is logging location set within the docker-compose file)? As mine seems to be empty

benbass

09/23/2021, 7:50 PM

Does logger mode have to be set via the command line flags, or can we manage it with fleet? I am using the filesystem logger and trying to get

set as the permissions on the osquery.results.log on the endpoints. Using tls dump I can see that logger mode is being sent to the endpoint, it just doesn’t look like it is being implemented by osquery (5.0.1).

benbass

09/23/2021, 8:39 PM

Is there a way to correlate the vulnerability data from

fleetctl get software

to specific endpoints? I only have one endpoint with vulnerabilities in my test environment and wasn’t sure if more endpoints with vulnerabilities would change the output.

Martin Pöhlmann

09/27/2021, 1:10 PM

The new "Policies" feature looks really promising 🎉 Something I found, I formulated a simple query that checks whether at least one drive is bitlocker encrypted. While the UI looks great, on my Linux machines I get now warnings that the bitlocker tables are missing. Is it planned to tie checks to labels as it is for packs? Or is there another SQL-workaround that tries to see if the table present / os = win and only then performs the second part of the query (think of the logical

&&

operator that omits evaluating the second part if the 1st fails).

🎉 1

Gavin

09/27/2021, 4:59 PM

I have not dug too deeply into this , Fleet docs suggest mysql 5.7 , I have noticed performance issues around labels , and policies on 5.7 but they’re less prominent on a 8.0 test instance I upgraded to. Is the fleet team developing against 8 or 5.7 ? I have yet to look yet through raw queries etc

Jocelyn Bothe

09/27/2021, 6:50 PM

btw, there's a typo in https://github.com/fleetdm/fleet/blob/main/docs/02-Deploying/02-Configuration.md, should be 1h not 1hr

Copy code

vulnerabilities:
	periodicity: 1hr

CptOfEvilMinions

09/27/2021, 7:10 PM

Question about Fleet's new feature to support MySQL read replicas. Can I spin up Fleet in a different region that only has access to a read-only database replica? Example architecture below for context:

Copy code

AWS Ohio region:
- Fleet instances
- Aurora MySQL read/write
- Redis

AWS London:
- Fleet instances
- Aurora MySQL read-only replica
- Redis

Zach Zeid

09/28/2021, 11:51 AM

I was under the impression I could assign a host to multiple teams, but I don't seem to be able to in the UI either in the host details page or under the teams tab?

Ryan

09/28/2021, 2:29 PM

We have a lot of custom labels created for internal categories, such as “vendor” (the primary software vendor deployed on the host) or “team” (an internal team identifier all our hosts are labelled with). As a result the new query UI is looking a little bit “busy”. I’m not sure if you have plans to address this, or haven’t considered if an end-user would have so many labels, but I wanted to share a screenshot with you (see thread).

Jocelyn Bothe

09/28/2021, 8:43 PM

Update: I migrated to my v4.3.1 complex this morning, and it has been running smoothly all day. The DB performance is SO much better. It's so much improved that I was able to switch our RDS deployment to smaller instance sizes. VERY happy with it so far 😁

🙌 2

ty 2

Bacarus

09/29/2021, 2:58 PM

Hello, I’m not sure if it is related to fleet or osquery, tell me if I have to move this question into another channel. I’ve this query:

Copy code

SELECT address, mask, type, friendly_name FROM interface_addresses

scheduled by fleet with this config:

Copy code

interval(s): 30, platform: All Version: Any, Logging: +/-

And I’ve found those logs:

Copy code

hostidentifier : "4c4c4544-0051-5310-8032-cac04f595a32"
calendartime : "Mon Sep 27 07:25:53 2021 UTC"
epoch : 1632700800
counter : 0
 columns :
   mask : "255.0.0.0"
   type : "unknown"
   address : "127.0.0.1"
   friendly_name : ""
action: "added"
--------
hostidentifier : "4c4c4544-0051-5310-8032-cac04f595a32"
calendartime : "Mon Sep 27 06:15:33 2021 UTC"
epoch : 1632700800
counter : 0
 columns :
   address : "127.0.0.1"
   friendly_name : ""
   mask : "255.0.0.0"
   type : "unknown"
action: "added"
---------

How is it possible that I’ve 2 added of the same row in the same counter and epoch? This is just an example but I’ve found other logs like that, maybe I didn’t get how scheduled queries works in differential mode. Each row should have the action alternated, am I wrong? the behaviour I expected is something like this:

Copy code

epoch: 1
counter: 0
action: "added"
columns: 
  address: "10.0.0.1"
  ...
---------
epoch: 1
counter: 3
action: "removed"
columns: 
  address: "10.0.0.1"
  ...
---------
epoch: 1
counter: 5
action: "added"
columns: 
  address: 10.0.0.1"
  ...
---------
epoch: 2
counter: 0
action: "added"
columns: 
  address: "10.0.0.1"
  ...
---------
epoch: 2
counter: 10
action: "removed"
columns: 
  address: "10.0.0.1"
  ...
---------
epoch: 4
counter: 7
action: "added"
columns: 
  address: "10.0.0.1"
  ...

Additional info: I’m using fleet 3.11 and osquery 4.9.0 I also have this issue with other scheduled queries

abraham linkolan

09/30/2021, 1:48 PM

hey i created a user in mysql with a diffrent host and gave him select privileges on 1 databse but when i try to log in with him

mysql -u sp -h 10.10.10.1 -p

i get the error message

ERROR 2003 (HY000) : can't connect to mysql server on '10.10.10.1'(110)

dose some know how to solve this problem?

will be very gratefull

Freddy Al

09/30/2021, 2:05 PM

Is there a Slack integration with Fleetdm where if I run a specific query it will give me a result via JSON or CSV?

➕ 2

Jaideep Natu

10/01/2021, 6:18 AM

Hello, I'm getting the error below. What am I doing wrong?

Copy code

# fleetctl setup --email <email> --name <name> --org-name <org> --debug

RoundTrip error: dial tcp 127.0.0.1:8412: connect: connection refusederror setting up Fleet: POST /api/v1/setup: do request: Post "<https://127.0.0.1:8412/api/v1/setup>": dial tcp 127.0.0.1:8412: connect: connection refused

ryan

10/04/2021, 9:08 PM

Upgraded from 4.3.1 to 4.3.2 on Ubuntu 20 and the DB migration hangs. If I kill the process and rerun it I get an error

Copy code

2021/10/04 20:26:53 FAIL 20210927143115_AddPolicyUpdatedAtColumn.go (adding policy_updated_at column: Error 1060: Duplicate column name 'policy_updated_at'), quitting migration.

so I check and it appears it’s an addition to the host table. I altered and drop the column and ran the DB migration again and it continues to hang. I killed it again and started fleet and it’s updating the column so 🤷