bhuvaneswari
12/29/2020, 10:53 AM
Juan Alvarez
12/29/2020, 1:34 PM
disable_tables config from fleet config yaml? For me, it seems that the value is pushed, since running a query to osquery_flags gives me the right value, but the table does not get disabled. For some reason, osquery is ignoring it...
I could see a similar behavior in https://github.com/osquery/osquery/issues/6041 but it seems like that bug is already fixed (I'm using osquery 4.5.0)
KK
12/30/2020, 7:07 AM
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Bacarus
12/30/2020, 10:36 AM
"caller":"launcher.go:125","err":"launching osquery instance: starting instance: could not create extension manager server at /tmp/087732583/osquery.sock: waiting for unix socket to be available: /tmp/087732583/osquery.sock: context deadline exceeded","msg":"interrupted","severity":"info","ts":"2020-12-30T10:34:58.929634Z"
ET
12/30/2020, 11:19 AM
javuto
01/01/2021, 12:45 AM
Brandon Schmoll
01/05/2021, 3:58 PM
Vinh Bui
01/05/2021, 11:01 PM
CMake Error at /Users/runner/cmake-3.17.5-Darwin-x86_64/CMake.app/Contents/share/cmake-3.17/Modules/FindPackageHandleStandardArgs.cmake:164 (message):
Could NOT find Python3 (missing: Python3_EXECUTABLE Interpreter) (Required
is at least version "3.5")
Reason given by package:
Interpreter: Wrong version for the interpreter "/usr/local/bin/python"
How might I go about fixing this?
Jake N
01/06/2021, 4:24 PM
theopolis
Usama Nathani
01/08/2021, 7:30 PM
+ /usr/lib/rpm/find-debuginfo.sh -j4 --build-id-seed 4.3.0_1_ga224cbb2-1 --unique-debug-suffix -4.3.0_1_ga224cbb2-1.x86_64 --unique-debug-src-base osquery-4.3.0_1_ga224cbb2-1.x86_64 /home/usama/os/query/osquery/build/_CPack_Packages/Linux/RPM/BUILD/
/usr/lib/rpm/find-debuginfo.sh: line 240: eu-strip: command not found
error: Bad exit status from /var/tmp/rpm-tmp.ol6wPa (%install)
Bad exit status from /var/tmp/rpm-tmp.ol6wPa (%install)
***
CPackRPM:Debug: - /home/usama/os/query/osquery/build/_CPack_Packages/Linux/RPM/rpmbuildosquery.out
CPackRPM:Debug: *** Building target platforms: x86_64
Building for target x86_64
Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.9fDhCc
Executing(%install): /bin/sh -e /var/tmp/rpm-tmp.ol6wPa
extracting debug info from /home/usama/os/query/osquery/build/_CPack_Packages/Linux/RPM/osquery-4.3.0-1-ga224cbb2-1.linux.x86_64/usr/bin/osqueryd
RPM build errors:
***
CMake Error at /usr/local/share/cmake-3.17/Modules/Internal/CPack/CPackRPM.cmake:1808 (message):
RPM package was not generated!
/home/usama/os/query/osquery/build/_CPack_Packages/Linux/RPM
Call Stack (most recent call first):
/usr/local/share/cmake-3.17/Modules/Internal/CPack/CPackRPM.cmake:1879 (cpack_rpm_generate_package)
CPack Error: Error while execution CPackRPM.cmake
CPack Error: Problem compressing the directory
CPack Error: Error when generating package: osquery
make: *** [Makefile:161: package] Error 1
Stefano Bonicatti
01/08/2021, 8:08 PM
Stefano Bonicatti
01/08/2021, 8:13 PM
Faraz Jafri
01/11/2021, 11:30 AM
sk4la
01/12/2021, 9:01 AM
ehrhardt
01/12/2021, 6:39 PM
Zach Zeid
01/12/2021, 6:41 PM
Carlo Miguel Cruz
01/13/2021, 7:44 PM
--insecure --insecure_transport, we get the following error: "err":"enrolling host: transport error in enrollment: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection closed". Is this a known problem when connecting to fleetdm behind a load balancer?
We have a separate fleetdm server running on an EC2 instance without any load balancers in front, and the same launcher installation in the docker container can connect to it just fine. We want to dig deeper and know what is causing the issue.
vaar
01/13/2021, 11:04 PM
plaintext
01/14/2021, 9:49 PM
TASK [Install/Setup Nginx] **************************************************************************************************************************************************************************************
fatal: [192.168.6.130]: FAILED! => {"cache_update_time": 1610659830, "cache_updated": false, "changed": false, "msg": "'/usr/bin/apt-get -y -o \"Dpkg::Options::=--force-confdef\" -o \"Dpkg::Options::=--force-confold\" install 'nginx'' failed: No apport report written because the error message indicates its a followup error from a previous failure.\nE: Sub-process /usr/bin/dpkg returned an error code (1)\n", "rc": 100, "stderr": "No apport report written because the error message indicates its a followup error from a previous failure.\nE: Sub-process /usr/bin/dpkg returned an error code (1)\n", "stderr_lines": ["No apport report written because the error message indicates its a followup error from a previous failure.", "E: Sub-process /usr/bin/dpkg returned an error code (1)"], "stdout": "Reading package lists...\nBuilding dependency tree...\nReading state information...\nThe following additional packages will be installed:\n fontconfig-config fonts-dejavu-core libfontconfig1 libgd3 libjbig0\n libjpeg-turbo8 libjpeg8 libnginx-mod-http-image-filter\n libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream libtiff5\n libwebp6 libxpm4 nginx-common nginx-core\nSuggested packages:\n libgd-tools fcgiwrap nginx-doc ssl-cert\nThe following NEW packages will be installed:\n fontconfig-config fonts-dejavu-core libfontconfig1 libgd3 libjbig0\n libjpeg-turbo8 libjpeg8 libnginx-mod-http-image-filter\n libnginx-mod-http-xslt-filter libnginx-mod-mail libnginx-mod-stream libtiff5\n libwebp6 libxpm4 nginx nginx-common nginx-core\n0 upgraded, 17 newly installed, 0 to remove and 0 not upgraded.\nNeed to get 2431 kB of archives.\nAfter this operation, 7891 kB of additional disk space will be used.\nGet:1 <http://archive.ubuntu.com/ubuntu> focal/main amd64 fonts-dejavu-core all 2.37-1 [1041 kB]\nGet:2 <http://archive.ubuntu.com/ubuntu> focal/main amd64 fontconfig-config all 2.13.1-2ubuntu3 [28.8 kB]\nGet:3 <http://archive.ubuntu.com/ubuntu> focal/main amd64 libfontconfig1 
plaintext
01/14/2021, 9:49 PM
CODE:
- hosts: all
  become: yes
  become_user: root
  tasks:
    - name: Vault healthcheck
      uri:
        url: "https://127.0.0.1:8080"
        follow_redirects: none
        method: GET
        validate_certs: 'no'
        remote_src: yes
      register: _result
    - debug: msg="{{_result}}"
TASK [Gathering Facts] ******************************************************************************************************************************************************************************************
ok: [192.168.6.120]
TASK [Vault healthcheck] ****************************************************************************************************************************************************************************************
fatal: [192.168.6.120]: FAILED! => {"changed": false, "connection": "close", "content_length": "42", "content_type": "text/html; charset=utf-8", "date": "Thu, 14 Jan 2021 20:59:30 GMT", "elapsed": 0, "location": "https://127.0.0.1:8080/setup", "msg": "Status code was 307 and not [200]: HTTP Error 307: Temporary Redirect", "redirected": false, "status": 307, "url": "https://127.0.0.1:8080"}
If I use curl -L (to follow the redirect) I get this:
automation@fleetdm:~$ curl -k -L https://127.0.0.1:8080
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="/assets/bundle-d647bb374238130a2046.css">
<link rel="shortcut icon" href="/assets/favicon.ico">
<title>Fleet for osquery</title>
<script type="text/javascript">
var urlPrefix = "";
</script>
</head>
<body>
<div id="app"></div>
<script async defer src="/assets/bundle-4a09707c77216776a8be.js" onload="this.parentElement.removeChild(this)"></script>
<script>document.addEventListener("touchstart", function() {},false);</script>
</body>
</html>
So I set follow_redirects to all in the ansible fleetdm.yml, but when it's installing nginx I get this error:
harroldhino
01/19/2021, 5:00 PM
osqueryslackfree
during the ticket registration process: osqueryatscale.com
WinMordekaiser
01/20/2021, 10:26 AM
--logger_plugin=kafka_producer,filesystem
to store INFO\WARN\ERR logs on local disk, is there any way to limit the osqueryd.results.log file size? I only want to send osqueryd.results.log to kafka.
Powderman
01/20/2021, 10:28 PM
theopolis
fritz
01/25/2021, 1:42 PM
osquery> SELECT * FROM os_version;
+----------+---------+-------+-------+-------+--------+----------+---------------+----------+--------+
| name     | version | major | minor | patch | build  | platform | platform_like | codename | arch   |
+----------+---------+-------+-------+-------+--------+----------+---------------+----------+--------+
| Mac OS X | 10.15.7 | 10    | 15    | 7     | 19H114 | darwin   | darwin        |          | x86_64 |
+----------+---------+-------+-------+-------+--------+----------+---------------+----------+--------+
Once you begin to understand what data osquery can return and how it can be interacted with, you can begin to look at various fleet management solutions, of which there are a number of open-source and paid options. However, I would strongly recommend getting your feet wet with the steps above so that you can better reason about your specific needs and the goals you are trying to achieve using osquery.
Artem
01/26/2021, 8:15 AM
--watchdog_memory_limit=300
--watchdog_utilization_limit=130
will it be more than the default values for the Watchdog restrictions for CPU and RAM?
I am asking because we tried to increase these values but got another situation with lots of denylisted queries.
wtheaker
01/28/2021, 8:11 PM
select result from curl where url = 'http://ipaddr.io';
allister
01/29/2021, 4:07 AM
fritz
01/29/2021, 10:36 PM