Joe
08/05/2022, 6:52 PM
`osqueryi` on a host. I can query the host from Fleet just fine, but I find it odd that I get this message:
W0805 11:47:50.721536 1194 tls_enroll.cpp:101] Failed enrollment request to https://servername (Cannot parse JSON: Invalid value. Offset: 0) retrying...
Jason
08/05/2022, 7:52 PM
Adam Connor
08/06/2022, 5:15 AM
Ibra
08/06/2022, 11:17 AM
```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName it-asset.acme.it
    ServerAdmin postmaster@acme.it
    #SSLProxyEngine on
    # Fleet listens on plain HTTP inside the container (FLEET_SERVER_TLS is false),
    # so the proxy target is http://, and TLS is terminated here by Apache.
    ProxyPass / http://localhost:8443/
    ProxyPassReverse / http://localhost:8443/
    # <Files ^.\login>
    #     Order Deny,Allow
    #     deny from all
    #     allow from 10.0.63.0
    #     allow from 10.0.59.0
    # </Files>
    # only allow access to these URLs from whitelisted IPs
    Options +FollowSymlinks
    RewriteEngine on
    # the URLs that should be checked
    RewriteCond %{REQUEST_URI} ^(/login|/dashboard).*$
    # client address must not start with 10.0.63. (a regex match; the "!=" form
    # is a literal string comparison and would never match an address prefix)
    RewriteCond %{REMOTE_ADDR} !^10\.0\.63\.
    # or this subnet
    RewriteCond %{REMOTE_ADDR} !^10\.0\.59\.
    # if neither matched, fail with 403
    RewriteRule ^.*$ - [F]
    # RewriteRule ^.*$ - [G,NC]
    ErrorLog ${APACHE_LOG_DIR}/fleet-dc-error.log
    CustomLog ${APACHE_LOG_DIR}/fleet-dc-access.log combined
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/it-asset.acme.it/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/it-asset.acme.it/privkey.pem
</VirtualHost>
</IfModule>
```
Docker compose:
```yaml
version: '2'
services:
  mysql:
    restart: always
    image: mysql:5.7
    volumes:
      - /fleet/data:/data
    command: mysqld --datadir=/data/mysqldata --slow_query_log=0 --log_output=TABLE --log-queries-not-using-indexes --event-scheduler=ON
    environment:
      MYSQL_ROOT_PASSWORD: *****************
      MYSQL_DATABASE: fleet_db
      MYSQL_USER: fleet_user
      MYSQL_PASSWORD: ************************
    ports:
      - "3306:3306"
  mailhog:
    restart: always
    image: mailhog/mailhog:latest
    ports:
      - "8025:8025"
      - "1025:1025"
  redis:
    restart: always
    image: redis:5
    ports:
      - "6379:6379"
  fleet:
    restart: always
    image: fleetdm/fleet:v4.17.0
    volumes:
      - /fleet/fleet:/fleet
    command: sh -c "echo '\n' | /usr/bin/fleet prepare db && /usr/bin/fleet serve"
    environment:
      FLEET_MYSQL_ADDRESS: mysql:3306
      FLEET_MYSQL_DATABASE: fleet_db
      FLEET_MYSQL_USERNAME: fleet_user
      FLEET_MYSQL_PASSWORD: *****************
      FLEET_REDIS_ADDRESS: redis:6379
      FLEET_SERVER_CERT: /etc/letsencrypt/live/it-asset.acme.it/fullchain.pem
      FLEET_SERVER_KEY: /etc/letsencrypt/live/it-asset.acme.it/privkey.pem
      FLEET_LOGGING_JSON: "true"
      FLEET_AUTH_JWT_KEY:
      FLEET_SERVER_TLS: 'false'
      FLEET_OSQUERY_LABEL_UPDATE_INTERVAL: 5m
      FLEET_VULNERABILITIES_PERIODICITY: 60m
    ports:
      - "8443:8080"
```
peanut butter
08/06/2022, 1:53 PM
Zohaib Nasir
08/07/2022, 6:43 AM
Ibra
08/08/2022, 12:37 PM
Ojas
08/09/2022, 11:52 AM
Kathy Satterlee
08/09/2022, 3:55 PM
frederick ferby
08/09/2022, 6:17 PM
Joe B
08/09/2022, 9:02 PM
Ojas
08/10/2022, 6:04 AM
Dan Achin
08/10/2022, 4:35 PM
Kathy Satterlee
08/11/2022, 4:02 PM
Kathy Satterlee
08/11/2022, 4:15 PM
Zohaib Nasir
08/11/2022, 6:06 PM
JL
08/11/2022, 7:53 PM
Failed enrollment request to https://final.test.company.com/api/osquery/enroll (No node key returned from TLS enroll plugin) retrying...
The same behavior happens without the `--tls_server_cert` flag, which makes me think it's not a certificate problem. The certificate was issued in ACM ALB.
When I try to make the request via curl and send the body, everything works fine and Fleet returns the node.
My osquery.flag is configured with:
```
--force=true
--host_identifier=instance
--verbose=true
--debug
--tls_dump=true
--tls_server_certs=/etc/osquery/fleet.crt
--enroll_secret_env=ENROLL_SECRET
--enroll_tls_endpoint=/api/osquery/enroll
--config_plugin=tls
--config_tls_endpoint=/api/osquery/config
--config_refresh=10
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=10
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/api/osquery/distributed/read
--distributed_tls_write_endpoint=/api/osquery/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/api/osquery/log
--logger_tls_period=10
--disable_carver=false
--carver_start_endpoint=/api/osquery/carve/begin
--carver_continue_endpoint=/api/osquery/carve/block
--carver_block_size=2000000
```
JL
08/11/2022, 7:56 PM
Adam Connor
08/12/2022, 3:38 AM
Adam Connor
08/12/2022, 3:51 AM
Jerome
08/12/2022, 12:53 PM
`docker run -v "$(pwd):/build" fleetdm/fleetctl package --type=msi`
but I'm facing errors with all types.
With `deb`:
Error: initialize updates: failed to get osqueryd: download "osqueryd/linux/stable/osqueryd": exec check failed "/tmp/orbit-package2691724252/root/opt/orbit/staging/osqueryd": exec new version: : fork/exec /tmp/orbit-package2691724252/root/opt/orbit/staging/osqueryd: no such file or directory
With `pkg`:
Error: build pkg: cpio Payload: wait cpio: exit status 1
With `msi`:
Error: package root files: heat failed: exec: "docker": executable file not found in $PATH
Am I missing a step or something?
Because if I use the fleetctl binary directly and run `fleetctl package --type=deb --fleet-desktop --fleet-url=https://fleet.test.com:8090 --enroll-secret=secret`, it works well for all platform types.
Saulo Onze
08/13/2022, 1:53 AM
alessandrogario
roberto
08/16/2022, 11:25 AM
Mike M
08/16/2022, 8:29 PM
/Library/LaunchDaemons/com.fleetdm.orbit.plist
The file:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnvironmentVariables</key>
    <dict>
        <key>ORBIT_ENROLL_SECRET_PATH</key>
        <string>/opt/orbit/secret.txt</string>
        <key>ORBIT_FLEET_URL</key>
        <string>https://example.com</string>
        <key>ORBIT_ORBIT_CHANNEL</key>
        <string>stable</string>
        <key>ORBIT_OSQUERYD_CHANNEL</key>
        <string>stable</string>
        <key>ORBIT_UPDATE_URL</key>
        <string>https://example.com</string>
        <key>ORBIT_FLEET_DESKTOP</key>
        <string>true</string>
        <key>ORBIT_DESKTOP_CHANNEL</key>
        <string>stable</string>
        <key>ORBIT_UPDATE_INTERVAL</key>
        <string>15m0s</string>
    </dict>
    <key>KeepAlive</key>
    <true/>
    <key>Label</key>
    <string>com.fleetdm.orbit</string>
    <key>ProgramArguments</key>
    <array>
        <string>/opt/orbit/bin/orbit/orbit</string>
        <string>--</string>
        <string>--disable_events=false</string>
        <string>--enable_file_events</string>
        <string>--disable_endpointsecurity=false</string>
        <string>--disable_endpointsecurity_fim=false</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StandardErrorPath</key>
    <string>/var/log/orbit/orbit.stderr.log</string>
    <key>StandardOutPath</key>
    <string>/var/log/orbit/orbit.stdout.log</string>
    <key>ThrottleInterval</key>
    <integer>10</integer>
</dict>
</plist>
```
Unfortunately adding ProgramArguments and restarting the agent has no effect:
```xml
<key>ProgramArguments</key>
<array>
    <string>/opt/orbit/bin/orbit/orbit</string>
    <string>--</string>
    <string>--disable_events=false</string>
    <string>--enable_file_events</string>
    <string>--disable_endpointsecurity=false</string>
    <string>--disable_endpointsecurity_fim=false</string>
</array>
```
I also tried modifying the /opt/orbit/osquery.flag file, but that did not work either. I'm new to fleet/orbit, so I may not be understanding what needs to be done at package/build time vs. what can be configured at runtime.
Vlad Previn
08/17/2022, 5:42 AM
Ojas
08/17/2022, 9:42 AM
roberto
08/17/2022, 12:37 PM
Ibra
08/17/2022, 7:14 PM
```yaml
version: '2'
services:
  mysql:
    restart: always
    image: mysql:5.7
    volumes:
      - /fleet/data:/data
    command: mysqld --datadir=/data/mysqldata --slow_query_log=0 --log_output=TABLE --log-queries-not-using-indexes --event-scheduler=ON
    environment:
      MYSQL_ROOT_PASSWORD: *****************
      MYSQL_DATABASE: fleet_db
      MYSQL_USER: fleet_user
      MYSQL_PASSWORD: ************************
    ports:
      - "3306:3306"
  mailhog:
    restart: always
    image: mailhog/mailhog:latest
    ports:
      - "8025:8025"
      - "1025:1025"
  redis:
    restart: always
    image: redis:5
    ports:
      - "6379:6379"
  fleet:
    restart: always
    image: fleetdm/fleet:v4.17.0
    volumes:
      - /fleet/fleet:/fleet
    command: sh -c "echo '\n' | /usr/bin/fleet prepare db && /usr/bin/fleet serve"
    environment:
      FLEET_MYSQL_ADDRESS: mysql:3306
      FLEET_MYSQL_DATABASE: fleet_db
      FLEET_MYSQL_USERNAME: fleet_user
      FLEET_MYSQL_PASSWORD: *****************
      FLEET_REDIS_ADDRESS: redis:6379
      FLEET_SERVER_CERT: /etc/letsencrypt/live/it-asset.acme.it/fullchain.pem
      FLEET_SERVER_KEY: /etc/letsencrypt/live/it-asset.acme.it/privkey.pem
      FLEET_LOGGING_JSON: "true"
      FLEET_AUTH_JWT_KEY:
      FLEET_SERVER_TLS: 'false'
      FLEET_OSQUERY_LABEL_UPDATE_INTERVAL: 5m
      FLEET_VULNERABILITIES_PERIODICITY: 60m
    ports:
      - "8443:8080"
```