Hello all, in 4.3.1 when I try to open the Policies page I get below error, how can I fix this?

Hi folks, Fleet 4.4.0 is now available 🚀 Check out the changelog on GitHub, and as usual you can find binaries and containers on GitHub and Docker Hub respectively. 🍻 <!here>

Good morning all, Is there a way where I can modify Fleet's host status webhook payload format? I'm thinking of setting the destination URL as a Slack webhook URL such that I receive the messages directly on a slack channel. Slack expects the incoming webhook payload to include certain fields like

text

, but the current host status payload does not, hence the ask.

Hey friends! I have a RDS MySQL DB up and running with a custom username but whenever I run fleet serve command with the username env variable it keeps saying

Unknown database 'fleet'

. Works fine otherwise. Any ideas why?

👋 during an upgrade from 4.1.0 to 4.4.0 we got the following error:

FAIL 20210819131107_AddCascadeToHostSoftware.go (save current host software to a temp table: Error 1787: Statement violates GTID consistency: CREATE TEMPORARY TABLE and DROP TEMPORARY TABLE can only be executed outside transactional context. These statements are also not allowed in a function or trigger because functions and triggers are also considered to be multi-statement transactions.), quitting migration.

Anyone else run into this?

Leaving this policy here if is adds any value. Detect macOS hosts with remote SSH enabled

select 1 from sharing_preferences where remote_login = 0;

Started getting this after 4.4.0 upgrade

"err":["failed to save host software: insert software: Error 1054: Unknown column 'bundle_identifier' in 'field list'"]

and verified that prepare db ran successfully.

Quick question When I try using fleetctl, I get

command not found

, upon chechking using

which fleet

I get the following output,

/usr/bin/which: no fleetctl in (/sbin:/bin:/usr/sbin:/usr/bin)

Yet I have the binary package and fleet.service is active and running. Thanks.

Hey guys did something change with 4.4 and fetching? I have my fetch time to 27 minutes but as you can see I got some wacky fetch times (and most of these hosts are online 24/7)

osquery:
  detail_update_interval: 27m

Does Fleet support TLS for Redis? I see it does for MySQL, but the Redis flags don’t mention it.

I'm trying to update the fleet from version 3.13 to version 4.0 and vice versa that there are some details that need to be revised. like these: • Change configuration option 

server_tlsprofile

 to 

server_tls_compatability

. This options previously had an inconsistent key name. • Replace the use of the 

api/v1/fleet/spec/osquery/options

 with 

api/v1/fleet/config

. In Fleet 4.0.0, "osquery options" are now called "agent options." The new agent options are moved to the Fleet application config spec file and the 

api/v1/fleet/config

 API endpoint. • Enroll secrets no longer have "names" and are now either global or for a specific team. Hosts no longer store the “name” of the enroll secret that was used. Users that want to be able to segment hosts (for configuration, queries, etc.) based on the enrollment secret should use the Teams feature in Fleet Basic. •

auth_jwt_key

 and 

auth_jwt_key_file

 are no longer accepted as configuration. But when trying to access the link "https://github.com/fleetdm/fleet/blob/main/docs/1-Using-Fleet/8-Updating-Fleet.md" it returns 404 Does anyone have a brief tutorial on how to upgrade from 3.13 to 4.0?

Brand new to fleet and osquery in general. I have a test server up using https://github.com/CptOfEvilMinions/FleetDM-Automation. I'm trying to generate an "orbit" package to install the agent on a few nodes using the instructions at the bottom of: https://github.com/fleetdm/fleet/blob/main/docs/01-Using-Fleet/00-Learn-how-to-use-Fleet.md. I get weird errors though.

$ fleetctl package -type pkg
{"level":"debug","path":"/tmp/orbit-package308488698","time":"2021-10-11T23:43:54Z","message":"created temp dir"}
{"level":"debug","error":"stat /tmp/orbit-package308488698/root/var/lib/orbit/bin/osqueryd/macos/stable/osqueryd: no such file or directory","time":"2021-10-11T23:43:55Z","message":"stat file"}
{"level":"debug","path":"/tmp/orbit-package308488698/root/var/lib/orbit/bin/osqueryd/macos/stable/osqueryd","time":"2021-10-11T23:43:58Z","message":"got osqueryd"}
{"level":"debug","error":"stat /tmp/orbit-package308488698/root/var/lib/orbit/bin/orbit/macos/stable/orbit: no such file or directory","time":"2021-10-11T23:43:58Z","message":"stat file"}
{"level":"debug","path":"/tmp/orbit-package308488698/root/var/lib/orbit/bin/orbit/macos/stable/orbit","time":"2021-10-11T23:43:59Z","message":"got orbit"}
build pkg: cpio Payload: wait cpio: exit status 1

$ fleetctl package -type deb
{"level":"debug","path":"/tmp/orbit-package219856153","time":"2021-10-11T23:46:16Z","message":"created temp dir"}
{"level":"debug","error":"stat /tmp/orbit-package219856153/root/var/lib/orbit/bin/osqueryd/linux/stable/osqueryd: no such file or directory","time":"2021-10-11T23:46:18Z","message":"stat file"}
initialize updates: failed to get osqueryd: exec new version: : fork/exec /tmp/orbit-package219856153/root/var/lib/orbit/staging/osqueryd: no such file or directory

That makes it look like osquery needs to be separately installed inside of the container image?

I’m noticing filesystem logging stopped working for all my MAC systems after the 4.4.0 upgrade. The packs appear to be running based on the webgui and when I run fleet in debug mode but my result.log doesn’t contain anything but the Linux system I have.

Hi, carrying out some security checks into fleet v:3.13 we realized session management once logged is not well handled regarding some features. For example, using a non-privileged account it was possible not only to check the content returned by /settings/osquery URI but also change it.  As non-priv user from web UI that information was not accesible, but using an intermediate proxy it could be seen that server responses included that content

I’m trying to generate a Windows MSI package using fleetctl. However I get this error if try it on Linux, and I get the following error if I try it on Windows inside VM:

>fleetctl package --type msi --fleet-url=<url>:8412 --insecure --enroll-secret=<secret

{"level":"debug","path":"C:\\Users\\<user>\\AppData\\Local\\Temp\\2\\orbit-package743500111","time":"2021-10-13T10:47:05-07:00","message":"created temp dir"}

initialize updates: failed to update metadata: update metadata: open file store: File C:\Users\<user>\AppData\Local\Temp\2\orbit-package743500111\root\tuf-metadata.json already exists with mode 666 instead of the expected 600

Need help to figure out what is wrong

Guys! First thanks for this awesome project. I have some questions/points about Vulnerabilty Processing: 1-) What OS is being supported ? I saw some matching for rpm_packages and none for deb_packages. Is it working for Windows and MacOS ? 2-) Using API query is working ? I tried query=instance_hostname

/api/v1/fleet/software?query

and it returned all information even if I use any value. https://fleetdm.com/docs/using-fleet/rest-api#example108 3-) Documentation (https://fleetdm.com/docs/using-fleet/vulnerability-processing#setup ) tells to change config in wrong place

vulnerabilities:

and correct seems like

vulnerability_settings:

Hi, how can we get vulnerable software per host not using the UI? Is it possible?

Hi, trying to run the preview:

cd preview/osquery
ENROLL_SECRET=***** FLEET_SERVER=172.17.42.1:8412 docker-compose up -d

Fails to connect to the server:

I1016 14:15:29.949494  1232 smbios_tables.cpp:252] Could not read SMBIOS memory
I1016 14:15:29.952227  1232 tls.cpp:254] TLS/HTTPS POST request to URI: <https://172.17.42.1:8412/api/v1/osquery/enroll>
W1016 14:15:29.973161  1232 tls_enroll.cpp:77] Failed enrollment request to <https://172.17.42.1:8412/api/v1/osquery/enroll> (Request error: certificate verify failed) retrying...

Doing some clean up work on my vm builds and i was wondering if it was possible/recommended to install launcher as part of my template build, will there be any issues with registration or identification on the server side

I want to store the list of queries that have been enabled for a Fleet observer user to run in a yaml configuration file. I saw that this is controlled by the

observer_can_run

variable internally. Is this variable controllable from a yaml document? If so, could you kindly give an example of how I can use it in a yaml file?

Has anyone had a host just not pickup a query pack? So like it's been assigned into the MS Windows label, but it's not being given the query pack for windows hosts...

@Mystery Incorporated Beware that osquery on macOS does not uninstall 4.9.0 when installing version 5.x. SO you have version 5.x in a new place and the 4.9.0 binary stays in /usr/local/bin next to the linked osqueryi and osqueryctl which map back to 5.X in /opt/.

Feeling the waters out here has anyone seen performance issues on 4.4.0 and greater , we’re saw increased mysql load , we have “Fixed” the issue by clearing down the

label_membership

history.

Hello, after i added more hosts to fleet. The following errors began to appear in the logs

fleet[79147]: 2021/10/19 10:28:18 http: Accept error: accept tcp [::]:8412: accept4: too many open files; retrying in 5ms

I set max connections in mysql

/usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/mysqld.pid --max-connections=1000

I set max connections in fleet

--mysql_max_idle_conns=1000 --mysql_max_open_conns=1000

But errors still occur periodically.

After a network hiccup we are seeing thousands of these errors:

fleet[7390]: {"component":"http","err":"authentication error: find host","level":"info","path":"/api/v1/osquery/log"

We are running 4.4.0 and we had policies running but removed them as the DB became unresponsive but now we have these errors, what can we do to solve this?

Hi, I'm interested in using Fleet for compliance auditing and it looks great but there seems to be something I'm missing. In order to verify basic things like 'installed software is up to date' I need to check not only what software packages and os version are installed, but also compare this to the expected versions. There can be hundreds on software packages on a computer so this is not a trivial task. It seems like there should be a list available of e.g. latest ubuntu package versions, mac and windows software version etc which can easily be updated periodically in order to compare against. Has anything like this been implemented with Fleet? Another approach might be to confirm that the os updates has been run in sat last 24 hours, but I can't see a way to check this. What about utilising the published CVE list. That would be similar but a negative check to show that no vulnerable software is installed. Is anything implemented or on the roadmap for this?

I feel like it could be named better as

osquery.jitter

suggests jitter for all osquery things. Maybe it would be better in the logger area as

logger_tls_period_jitter

in that case?

Interesting discovery regarding the automated vulnerability scanning - we have some Oracle Enterprise Linux hosts (don’t ask), and several vulnerabilities have been detected, we set up yum-cron and they got patched, however the vulnerability count hasn’t changed for the hosts in Fleet. Interestingly Fleet shows them as RedHat Enterprise Linux, which is what Oracle Linux is based on, and in fact the hosts themselves report that in

/etc/redhat-release

. How does the vulnerability scanner determine if a package is vulnerable or not? Is it based on the distro it thinks it is running?

Apologies in advance if I am asking a question that has been answered before but was unable to find. In a scenario where the

osquery.flags

file on the host has

--disable_carver=true

but fleet global options has

--disable_carver=false

, which one wins?

If I'm running fleetctl preview how do I configure the log output to a specific filepath whenever I run scheduled queries?