How I solve this two issues in the following: 1.remote error: tls: unknown certificate and 2. http: TLS handshake error from 192.**: local error: tls: bad record MAC

how could i get and set TLS certificate my own linux server?

🏗️ New commits pushed to Fleet »

Hey friends! Is there no way to get device enrolment to work with OAuth on at the moment? (assuming that's why my enrolment is failing going by the following error message)

Could not read SMBIOS memory
I0201 00:31:42.133729  1860 tls.cpp:255] TLS/HTTPS POST request to URI: <https://fleetdm.segment.build/api/v1/osquery/enroll>
I0201 00:31:42.152062  1860 http_client.cpp:420] HTTP(S) request re-directed to: <https://segment.okta.com/oauth2/v1/authorize?client_id=**********************************>
^CW0201 00:31:42.745014  1860 tls_enroll.cpp:101] Failed enrollment request to <https://fleetdm.segment.build/api/v1/osquery/enroll> (Cannot parse JSON: Invalid value. Offset: 0) retrying...

I think I may have found a bug (in 4.9.0). I have a hostname called "vr.home.bogus.net" which appears in the list of hosts, but I am not able to do a specific queries for this host (when I type in the hostname or indeed the fqdn, it does not appear in the list (though the UI will suggest other hosts)).

Curious one, but I spotted this the other day, apparently GitHub are repackaging zip file artifacts, and as a result the checksum changes: https://twitter.com/shs96c/status/1488480089700503558

Hello, sorry if this is noted somewhere, but is it possible to see the current osquery version provided but the default Orbit update server (in the stable branch)? We are testing Fleet, and have Orbit running on clients using the default

fleetctl package

command to build installers. All of the clients are on osquery 5.0.1 which they started with. I would just like to monitor that they update when a new version is specified (my understanding is that this is the default with no special settings).

I’m just looking at adding TLS to our Redis instance used by Fleet, but it uses a self signed certificate. Is it possible to

--tls-skip-verify

for Redis instances? I see the option is available for MySQL, but it’s not listed in the docs for Redis. https://fleetdm.com/docs/deploying/configuration#redis

By the way, exporting query results and attempting to import these into Numbers (Excel, too, perhaps?) result in column mismatches if you include information that contains the (default, unchangeable(?)) delimiter (","); e.g. if your query contains: ["sudo","/bin/sh","-c","whoami"] (json_cmdline) This import will fail because the delimiters aren't escaped, I suppose?

Hi all, I had a quick question about query packs, how does

Frequency

affect certain queries in the packs?

Is there a way to manually kick off a policy check? I'm trying to test automations in more real-time

I'm trying to setup fleetdm login with SAML (SSO), SSO auth passed (as per saml trace) but fleetdm UI still not allowing me to get in. any thoughts ?

Security advisory Fleet 4.9.1 has just been released fixing an SSO vulnerability reported to us. This vulnerability is not easy to exploit, but we still recommend upgrading for anyone using SSO. The 4.9.1 release is available, along with further details on the vulnerability. Consider temporarily enabling a non-SSO admin user before upgrading in case changes to validation will require updating SSO configurations. <!here>

Probably an osquery issue rather than fleet, but it might be good for you to know since you’re suggesting that query.

Hey! Has somebody using rsyslog to forward result logs to remote logging server? I’m using the following configuration in /etc/rsyslog.d/osquery.conf: module(load=“imfile” mode=“inotify”) input(type=“imfile”  File=“/var/log/osquery/result.log”  Tag=“fleet:”  PersistStateInterval=“300"  Severity=“info”  Facility=“local6" ) if $programname == ‘fleet’ then @@ip_adress:518 The problem is that following configuration doesn’t work, however when I change protocol to udp (delete one @ symbol) everything works fine. Any ideas?

Is there a way to update an existing username/password user in Fleet to use SSO instead?

🏗️ New commits pushed to Fleet »

orbit: 2022-02-03T132824-08:00 INF update failed error="update metadata: update metadata: tuf: failed to download 2.root.json: Get \"https://tuf.fleetctl.com/2.root.json\": x509: certificate has expired or is not yet valid: current time 2022-02-03T132824-08:00 is after 2021-09-30T140115Z"

Hi guys, I am new to fleet. I wanted to know: • is there a way to do a query via osquery to see if the machine hosting osquery can reach an external endpoint (like an http server)? • is there a way to deploy via fleet an osquery plugin (developed internally) that can do different operations (like testing external endpoint) and augment Osquery

Hi guys, Could someone please help me to connect osquery agents on Windows Server 2019 with fleet? Here are some points: • I have same configs and deploy scripts both on problem servers and on basic Windows 10 VMs (works fine); • osquery agents successfully passes enrolling, I see it in logs and I see agents in UI, but they are in state "Never fetched" and mostly in "Offline" state; • I checked the debug output of osquery daemon and see only one possible issue:

W0207 18:02:24.934172 4352 watcher.cpp:391] osqueryd worker (560) stopping: Maximum sustainable CPU utilization limit exceeded: 18

close after executing

fleet_detail_query_software_windows

• Adding

--disable_watchdog=false --watchdog_delay=120 --watchdog_level=0 --watchdog_memory_limit=400 --watchdog_utilization_limit=21

was with no luck; And now I have no thoughts..

I'm using an overrides key in my yaml config, for windows clients. On a test windows machine, i'm seeing an error line in the osqueryd --verbose stdout:

W0207 12:30:36.535475  6440 options.cpp:101] Cannot set unknown or invalid flag: enable_file_events

as well as:

I0207 12:30:47.051750  6440 eventfactory.cpp:156] Event publisher not enabled: ntfs_event_publisher: NTFS event publisher disabled via configuration
I0207 12:30:47.113627  6440 events.cpp:70] Skipping subscriber: powershell_events: Required publisher is disabled by configuration

both of those event publishers are enabled within the overrides section of my config, and the

enable_file_events: true

is set outside by overrides key. So its fleetDM is not respecting the overrides key...

🏗️ New commits pushed to Fleet »

Hi - I've made what I thought would be a really simple change to our configuration. I'm just changing the hostname decorator to reflect the computer_name rather than the DNS hostname.... I made this change via fleetctl

agent_options:
    config:
      decorators:
        load:
        - SELECT uuid AS host_uuid FROM system_info;
        - SELECT computer_name AS hostname FROM system_info;

Fleet seems to be logging a lot of lines like this during startup, does anyone know what they mean?

level=error ts=2022-02-08T18:18:27.469599841Z op=QueriesForHost err="load active queries: EOF"

Hey friends! I have a bunch of devices that enroll perfectly fine in Fleet but somehow appear offline right after the enrolment and I can run no queries on them. How do I go about debugging it? 🤔

I have an older fleet install and am looking to enable software, yet not the vulnerability scans. What flags do I need to add to my config file?

The software config info on the landing page points that links to the configs for fleetdm doesn’t have anything about software collection.

Hey guys, I’m reading the doc and in Server installation there is a command used to generate a valid TLS certificate and key for running the Fleet server (self-signed certificate). According to the issue (about TLS performance) ECDSA should be used in order to have better performance. I’ve never used ECDSA before, is the openssl command mentioned in the doc ok? if not, can you suggest me the right command to use ECDSA? (maybe an hint to the documentation can be useful) Thank you for your time

Hi! Anyone have an idea why am i getting 

Error: app_not_configured_for_user

 from google SSO? Was following this instructuions Getting this error for any user: existing/non-existing, with/without SSO enabled

I am looking to grab the vulnerability data (NIST feeds and the NVD DB) and host them on an internal server. I see that the NIST data needs to be the JSON files from /feeds/json/cve/1.1/ for the JSON files, however I am not sure what files should be pulled from https://github.com/fleetdm/nvd/releases. Is Fleet expecting the sqlite.gz, the zip file or the tar.gz? Or is it looking for the decompressed DB itself?