osquery #fleet

Avik Sengupta

02/09/2022, 10:02 PM

Does anyone have a query or a policy handy that checks if windows defender is enabled on a machine? Thanks!

Ted Dorosheff

02/09/2022, 11:29 PM

could someone confirm that the backslashes in windows file paths need to be the escaped in the yaml config in agent settings? I just did a config_dump=true and it looks like backslashes are already being escaped, so now they're being double escaped.

Copy code

C:\Program Files\osquery>"C:\Program Files\osquery\osqueryd\osqueryd.exe" --flagfile="C:\Program Files\osquery\osquery.flags" --config_dump=true
{"tls_plugin": {"decorators":{"load":["SELECT COALESCE((select instance_id FROM ec2_instance_metadata), hostname) as hostname FROM system_info;"]},"exclude_paths":{"Windows":["C:\\\\Windows\\\\Prefetch\\\\%"]},"file_paths":{"ProgramData":["C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\%","C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\%"],"Users":["C:\\\\Users\\\\%\\\\AppData\\\\Roaming\\\\%","C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\%","C:\\\\Users\\\\%\\\\AppData\\\\Local\\\\temp\\\\%","C:\\\\Users\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\%","C:\\\\Users\\\\%\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\%","C:\\\\Users\\\\%\\\\Default\\\\%"],"Windows":["C:\\\\Windows\\\\%","C:\\\\Windows\\\\Temp\\\\%","C:\\\\Windows\\\\System32\\\\Drivers\\\\%","C:\\\\Windows\\\\SysWOW64\\\\Drivers\\\\%","C:\\\\Windows\\\\System32\\\\GroupPolicy\\\\Machine\\\\Scripts\\\\%","C:\\\\Windows\\\\System32\\\\GroupPolicy\\\\User\\\\Scripts\\\\%","C:\\\\Windows\\\\System32\\\\Wbem\\\\%","C:\\\\Windows\\\\SysWOW64\\\\Wbem\\\\%","C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\%","C:\\\\Windows\\\\SysWOW64\\\\WindowsPowerShell\\\\%","C:\\\\Windows\\\\Tasks\\\\%","C:\\\\Windows\\\\System32\\\\Tasks\\\\%","C:\\\\Windows\\\\AppPatch\\\\Custom\\\\%","C:\\\\Windows\\\\system32\\\\DriverStore\\\\Temp\\\\%","C:\\\\Windows\\\\system32\\\\wbem\\\\Performance\\\\%","C:\\\\Windows\\\\System32\\\\Tasks\\\\Adobe Acrobat Update Task\\\\%","C:\\\\Windows\\\\System32\\\\Tasks\\\\Adobe Flash Player Updater\\\\%","C:\\\\Windows\\\\System32\\\\Tasks\\\\OfficeSoftwareProtectionPlatform\\\\SvcRestartTask\\\\%"]},"options":{"disable_distributed":false,"disable_events":false,"distributed_interval":60,"enable_ntfs_event_publisher":true,"enable_powershell_events_subscriber":true,"enable_windows_events_publisher":true,"enable_windows_events_subscriber":true},"packs":{"Endpoints_Windows10":{"queries":{"win_end_bios_diff":{"query":"SELECT * FROM wmi_bios_info;","interval":3600,"platform":"windows","removed":false},"win_end_file_events_diff":{"query":"SELECT action, category, old_path, path, file_attributes, time FROM ntfs_journal_events;","interval":60,"platform":"windows"},"win_end_firmware_snapshot":{"query":"SELECT vendor, version, date, address, extra FROM platform_info;","interval":86400,"platform":"windows","snapshot":true},"win_end_hardware_events_diff":{"query":"SELECT hardware_vendor, hardware_model, hardware_version, hardware_serial FROM system_info;","interval":60,"platform":"windows"}}}}}}

ytonui

02/10/2022, 4:02 PM

Hi, any idea what would cause a context to be cancelled? Here's a sample error that's seen:

Copy code

{
  "component": "http",
  "err": "timestamp: 2022-02-10T15:42:49Z: error in query ingestion || timestamp: 2022-02-10T15:42:49Z: error in query ingestion || timestamp: 2022-02-10T15:42:49Z: error in query ingestion || getting app config: selecting app config: timestamp: 2022-02-10T15:42:49Z: context canceled",
  "ingestion-err": "ingest detail query: selecting app config: timestamp: 2022-02-10T15:42:49Z: context canceled",
  "ip_addr": "10.16.14.145:57498",
  "level": "error",
  "method": "POST",
  "took": "14.669590338s",
  "ts": "2022-02-10T15:42:49.244372692Z",
  "uri": "/api/v1/osquery/distributed/write",
  "x_for_ip_addr": "10.23.14.12"
}

user

02/10/2022, 4:18 PM

🏗️ New commits pushed to Fleet »

benbass

02/11/2022, 3:36 PM

I have some questions about hosting the urls for the vulnerability scanning. Right now we are mirroring the “https://github.com/fleetdm/nvd/releases” and I am not sure to what depth I should put in as my FLEET_VULNERABILITIES_CPE_DATABASE_URL. The one file that we have there is “…/nvd/releases/download/80f3e7909fed710/cpe-80f3e7909fed710.sqlite.gz”

Avik Sengupta

02/14/2022, 3:35 PM

Anyone have a query/policy for checking that the OS updates are recent on every node? TIA!

Brandon

02/14/2022, 8:11 PM

quick question: does fleetctl hit an API endpoint to retrieve and run queries? I am asking because I cannot find an API endpoint to do this with regular curl line.

zwass

02/14/2022, 8:54 PM

Hi <!here>, announcing the release of Fleet 4.10.0 🎉 Check out our release blog or the full changelog for more information. Also, I'm excited to announce Fleet's $5M seed funding. This was actually announced a few weeks ago, but I don't think it was every sent out in a channel-wide message. 🚀

🥘 1

👍 1

🚀 10

💵 2

🦜 5

zwass

02/14/2022, 9:51 PM

🏗️ New commits pushed to Fleet »

Saulo Guilhermino

02/15/2022, 6:15 PM

Hello everybody! I just upgraded from v4.9.1 to v4.10.0 and notice this little behavior: all Ubuntu Linux hosts are also marked as generic Linux. Is this something expected?

Ojas

02/16/2022, 10:20 AM

Hey, Can we upgrade our osquery agent remotely from fleet? i have 4.* and i need to upgrade it to 5.*.

Ryan

02/16/2022, 5:05 PM

Hi folks, we upgrade to v4.10.0 (from v4.9.1) this afternoon, and it seems to have turned off the software inventory. The

vulnerabilities

key is present in the

fleet.yml

and it was enabled previously. Has anyone else encountered this? Thanks in advance 🙂

Noah Talerman

02/16/2022, 11:02 PM

🏗️ New commits pushed to Fleet »

Ivan

02/17/2022, 2:30 PM

Hello everyone. During installation and configuration, fleet made a mistake and created a certificate with a period of 1 year. Is there a way to replace the server certificate without replacing .pem on the client side?

Scott Blake

02/17/2022, 3:54 PM

Can anyone tell me how long before an API token expires? Specifically on a user/password account? It looks like it creates a new token every time you login and I'm trying to learn more about the underlying process.

Marc Roelofs

02/18/2022, 8:31 AM

Hi, I have a running fleet env in Kubernetes with the provided container image from docker hub , and its running 4.7.0 . I'm about to look for the upgrade , and just wondering if I should do a multistage upgrade or just run the db preb for 4.10 and skip 4.8 and 4.9 , whats the best way to go forward ... I mean its only been 2 months since 4.7 came out and I've been adding hosts in the past weeks to get a proper inventory 😉 . Your updating scheme is very fast 👍

Ivan

02/18/2022, 9:37 AM

Hello! I have error "bad record mac" after certificate on the fleet server is expired. Is it possible to repair connection without changing .pem file on the clients?

Nathaniel Strauss

02/18/2022, 10:12 PM

🏗️ New commits pushed to Fleet »

Nicolas

02/20/2022, 7:39 AM

Hi guys, I see that kafka is supported via kafka_restproxy plugin. I was wondering: why kafka_restproxy, and not kafka standalone? Are you open to contribution to add a direct kafka plugin? (with also the possibility to add "decoration" to the message. In particular a "tenant" field for example)

onel1ner

02/20/2022, 11:23 PM

Is there a trick to getting windows extensions working with Orbit/Fleet? I have verbose logging on and the orbit-osquery.log shows

Found autoloadable extension: C:\Program Files\Orbit\extensions\test.ext.exe

but it never runs the extension or registers the tables. If I run

.\osqueryi.exe --flagfile="C:\Program Files\Orbit\osquery.flags"

it loads fine. Is there a setting in Fleet I need to toggle to allow extension loading?

mikermcneil

02/21/2022, 4:10 PM

Hi! I have attempted to deploy fleet inside GCP - unfortunately I did not had any luck with the methods described in the public documentation and even https://holdmybeersecurity.com/2021/01/07/getting-started-with-fleetdm-v3-6-0/ (faced issues with MySQL, config files which where supposed to be edited but did not exist (fleetdm.yml), couldnt connect to the WebUI regardless of Firewall settings). Is there anything else I can refer to, to safely deploy fleet inside GCP?

Tor Houghton

02/22/2022, 8:23 AM

FYI, I noticed a counting error in the UI (I am running 4.10.0)? In /software/manage fleetdm reports 53 hosts vulnerable to a piece of software (this is nearly twice as many as I have registered in fleet) , but when I click "view all hosts" for that particular software entry, fleetdm appears to show the correct number of hosts (32):

dram

02/22/2022, 9:35 PM

Does anyone have idea these errors in windows environment ? 2022-02-20T024050-08:00 INF start osqueryd cmd="C:\\Program Files\\Orbit\\bin\\osqueryd\\windows\\stable\\osqueryd.exe --pidfile=C:\\Program Files\\Orbit\\osquery.pid --database_path=C:\\Program Files\\Orbit\\osquery.db --extensions_socket=\\\\.\\pipe\\orbit-osquery-extension --force --flagfile C:\\Program Files\\Orbit\\osquery.flags" W0220 024058.727219 4492 init.cpp:616] Error reading config: config file does not exist: \Program Files\osquery\osquery.conf E0220 024058.735734 4492 shutdown.cpp:75] Cannot activate filesystem logger plugin: Could not create file: \Program Files\osquery\log\osqueryd.results.log E0220 024100.122013 268 shutdown.cpp:75] Worker returned exit status I used below commands to build the package fleetctl package --type=msi --fleet-url= https://feet.xya.com --enroll-secret=fgdfgsg

Tilman Bender

02/24/2022, 1:56 PM

Has anyone experienced problems with Windows Defender SmartScreen and the .msi generated using fleetclt?

Tilman Bender

02/24/2022, 2:12 PM

Also: Are there signed windows binaries available for orbit?

Tilman Bender

02/24/2022, 4:28 PM

anyone know how I can export my policies?

Keith Swagler

02/24/2022, 7:25 PM

Anyone know anything about the migration_status_data and migration_status_tables? I'm getting

Missing migrations: tables=[20211216131203 20211221110132], data=[].

When running prepare db

Tilman Bender

02/25/2022, 10:25 AM

Is there a migration path from Fleet Free to Fleet Premium?

Tilman Bender

02/25/2022, 10:26 AM

I'd like to start with a prototype of Fleet Free to show value and then migurate to Premium for features like RBAC. Will I have to redo my setup or how does it work?

Tilman Bender

02/25/2022, 7:05 PM

🏗️ New commits pushed to Fleet »