osquery #kolide

taurian007

04/12/2020, 9:38 PM

will be appreciated

wkleinhenz

04/13/2020, 8:21 PM

hello, im attempting tro build a windows msi for launcher and am having issues with the launcher and osquery version flag, ideally i need to be able to specify either a local path or a different ip

Erich Stoekl

04/14/2020, 6:52 PM

Hi Folks. I'm currently testing to see if Redis is working with distributed queries. I have two different osquery nodes connected to two different fleet servers, which are part of the same cluster. I am able to run commands from one of the fleet servers, and it hits all osquery nodes. Is there a redis-cli command I can use to see the distributed query in redis?

Lee Brotherston

04/14/2020, 6:58 PM

👋 Just wondering if anyone opens their fleet install up to the internet to collect data from laptops on the road, etc? Or do y'all keep it confined to the local network / VPN'd in clients?

Jose

04/14/2020, 9:34 PM

Hey , Im wondering if anyone got a list of all known SQL commands for MacOs

grant seltzer

04/14/2020, 11:26 PM

Hi everyone, I wrote a custom table plugin that’s working with osqueryi locally, but fleet is failing to query that table (returns 0 results, says 1 failed). What’s the best way to debug this?

poisonous97

04/16/2020, 11:09 AM

i have your TUF server and when launcher auto update

Copy code

{
  "caller": "handler.go:26",
  "err": "calling update: refreshing timestamp: signature validation failed for timestamp: signature threshold not met",
  "msg": "tuf updater returned",
  "severity": "info",
  "target": "linux/launcher-stable.tar.gz",
  "ts": "2020-04-16T11:08:24.056948287Z"
}

xiaoliuzi

04/16/2020, 1:55 PM

Need some help！When I add a host to kolide fleet, it appears W0416 21: 53: 25.662704 5443 tls_enroll.cpp: 76] Failed enrollment request to https://192.168.10.101:8080/api/v1/osquery/enroll (Request error: certificate verify failed) retrying ... W0416 21: 53: 26.778743 5443 tls_enroll.cpp: 76] Failed enrollment request to https://192.168.10.101:8080/api/v1/osquery/enroll (Request error: certificate verify failed) retrying ... Why is that? I use a command like this sudo osqueryd \ --enroll_secret_path = / var / osquery / enroll_secret \ --tls_server_certs = / var / osquery / server.pem \ --tls_hostname = 192.168.10.101: 8080 \ --host_identifier = 192.168.10.103 \ --enroll_tls_endpoint = / api / v1 / osquery / enroll \ --config_plugin = tls \ --config_tls_endpoint = / api / v1 / osquery / config \ --config_refresh = 10 \ --disable_distributed = false \ --distributed_plugin = tls \ --distributed_interval = 10 \ --distributed_tls_max_attempts = 3 \ --distributed_tls_read_endpoint = / api / v1 / osquery / distributed / read \ --distributed_tls_write_endpoint = / api / v1 / osquery / distributed / write \ --logger_plugin = tls \ --logger_tls_endpoint = / api / v1 / osquery / log \ --logger_tls_period = 10

Erich Stoekl

04/16/2020, 6:15 PM

I see that you can use a rootCA file... I only have

crt

and

key

files. Can one of these be used?

poisonous97

04/17/2020, 2:40 AM

how to setup notary server same as https://notary.kolide.co. I want to have my notary server to control version when the launcher agents update?

Jose

04/19/2020, 4:16 PM

Do kolide support LDAP ? If No , What is the alternative ?

poisonous97

04/20/2020, 7:58 AM

it is log in my notary. I dont know this url is

/v2/kolide/launcher/_trust/tuf/3.root.json

but `/v2/kolide/launcher/_trust/tuf/root.json`:

Copy code

server_1  | {"go.version":"go1.14.1","http.request.host":"notary-server","http.request.id":"64bc02be-80b6-4135-991b-a3a21a8c7397","http.request.method":"GET","http.request.remoteaddr":"172.18.0.1:52594","http.request.uri":"/v2/kolide/launcher/_trust/tuf/3.root.json","http.request.useragent":"Go-http-client/1.1","http.response.contenttype":"application/json; charset=utf-8","http.response.duration":"4.580383ms","http.response.status":404,"http.response.written":116,"level":"info","msg":"response completed","time":"2020-04-20T14:33:36Z"}

nle

04/20/2020, 8:33 AM

Hi! I am trying to connect to fleetctl (fleetctl login) from my Ubuntu and unfortunately I get this error:

Copy code

error logging in: POST /api/v1/koilde/login: Post httpsL//<servername>/api/v1/kolide/login: dial tcp <ip>:443: connect: connection timed out

Has anyone come across this problem before? By the way, the UI loads perfectly fine. I can login successfully through the UI, using the same credentials I tried with the fleetctl. Thanks!

Jose

04/21/2020, 4:59 PM

Is there any Step-by-step to connect osquery agent on windows host to kolide server ?

Erich Stoekl

04/21/2020, 5:17 PM

Is it okay to run

fleet prepare db

every time I run fleet? If the db already exists and is prepared, it shouldn't overwrite any existing data, right?

Tim

04/21/2020, 8:14 PM

I'm trying to use yara rules with kolide across my fleet. Has anyone messed around to see if there is a way to do this without having to place all the .sig file on each individual host?

04/22/2020, 8:31 AM

Hey guys, how does fleet handle OSQuery agents in a VDI environment? So on 1 servers there is more than 1 installation of OSQuery as it is installed per VDI and the hostname of the server is the host-identifier in OSQuery. Will there be any registration issues or overwrites in the fleet DB for each OSQuery agent on the same host?

poisonous97

04/22/2020, 8:38 AM

hello, i build my notary server. when I run launcher:

Copy code

{
  "caller": "handler.go:26",
  "err": "calling update: refreshing timestamp: signature validation failed for timestamp: signature threshold not met",
  "msg": "tuf updater returned",
  "severity": "info",
  "target": "linux/launcher-stable.tar.gz",
  "ts": "2020-04-22T15:33:12.085130612Z"
}

Copy code

server_1  | {"go.version":"go1.14.1","http.request.host":"notary-server","http.request.id":"8b4d82b5-2c71-4fbb-aa90-dcc9e17c1d49","http.request.method":"GET","http.request.remoteaddr":"172.18.0.1:50722","http.request.uri":"/v2/kolide/launcher/_trust/tuf/3.root.json","http.request.useragent":"Go-http-client/1.1","kolide/launcher":"gun","level":"info","msg":"404 GET root role","time":"2020-04-22T15:33:12Z"}
server_1  | {"go.version":"go1.14.1","http.request.host":"notary-server","http.request.id":"8b4d82b5-2c71-4fbb-aa90-dcc9e17c1d49","http.request.method":"GET","http.request.remoteaddr":"172.18.0.1:50722","http.request.uri":"/v2/kolide/launcher/_trust/tuf/3.root.json","http.request.useragent":"Go-http-client/1.1","level":"info","msg":"metadata not found: You have requested metadata that does not exist.: No record found","time":"2020-04-22T15:33:12Z"}
server_1  | {"go.version":"go1.14.1","http.request.host":"notary-server","http.request.id":"8b4d82b5-2c71-4fbb-aa90-dcc9e17c1d49","http.request.method":"GET","http.request.remoteaddr":"172.18.0.1:50722","http.request.uri":"/v2/kolide/launcher/_trust/tuf/3.root.json","http.request.useragent":"Go-http-client/1.1","http.response.contenttype":"application/json; charset=utf-8","http.response.duration":"551.28µs","http.response.status":404,"http.response.written":116,"level":"info","msg":"response completed","time":"2020-04-22T15:33:12Z"}
server_1  | {"go.version":"go1.14.1","http.request.host":"notary-server","http.request.id":"cdef1c1b-760d-4ead-8344-b81481b2ac16","http.request.method":"GET","http.request.remoteaddr":"172.18.0.1:50734","http.request.uri":"/v2/kolide/launcher/_trust/tuf/timestamp.json","http.request.useragent":"Go-http-client/1.1","http.response.duration":"847.722µs","http.response.status":200,"http.response.written":495,"level":"info","msg":"response completed","time":"2020-04-22T15:33:12Z"}

launcher v0.11.8 and notary guide setup is: https://porter.io/github.com/kolide/updater please support me, thank you all

nle

04/22/2020, 2:40 PM

Hi! I am trying to login to fleetctl and I get this error:

Copy code

error logging in: POST /api/v1/kolide/login: Post https://<hostname>:443/api/v1/kolide/login: read tcp <src_ip>-><dst_ip>:443: read: connection reset by peer

Does anyone know why that happens? Thanks!

Jose

04/22/2020, 4:07 PM

Hi I'm trying to connect Osquery on (windows 10) to my fleet on (ubuntu 18) but I'm getting this error ( tls handshake error ) any ideas ? #kolide

Bharadwaj Thirumal

04/23/2020, 2:17 PM

Hi everyone! I want to deploy fleet on a GCP VM instance using Ansible. I’m new to GCP and Ansible. Are there any reference documents in this group that can help me?

Erich Stoekl

04/23/2020, 9:20 PM

Hi Folks. I was wondering, what is the risk of a data leak of the Fleet Enrollment secret? What would a malicious actor be able to do with that information? It seems that only being able to connect their agents to the Fleet server would not be especially bad

ravindrags24

04/24/2020, 9:50 AM

Hi Friends: Have some issues with new Kolide fleet server. Present Fleet version 2.6.0 Osquery Version: 4.3.0 Problem is below command works perfectly fine on Ubuntu host to join Kolide fleet server, but same command is not working on Windows host.

Copy code

sudo /usr/bin/osqueryd   --enroll_secret_path=/var/osquery/enroll_secret   --tls_server_certs=/var/osquery/kolide.pem   --tls_hostname=<http://kolide-test.abc.com|kolide-test.abc.com>  --host_identifier=hostname   --enroll_tls_endpoint=/api/v1/osquery/enroll   --config_plugin=tls   --config_tls_endpoint=/api/v1/osquery/config   --config_refresh=10   --disable_distributed=false   --distributed_plugin=tls   --distributed_interval=3   --distributed_tls_max_attempts=3   --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read   --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write   --logger_plugin=tls   --logger_tls_endpoint=/api/v1/osquery/log   --logger_tls_period=10

Windows commands.

Copy code

PS C:\Program Files\osquery> .\manage-osqueryd.ps1 -install --enroll_secret_path=C:\Program Files\osquery\secret.txt --tls_hostname=<http://kolide-test.abc.com|kolide-test.abc.com> --tls_server_certs=\Program Files\osquery\certs\kolide.pem --enroll_tls_endpoint=/api/v1/osquery/enroll --config_plugin=tls --config_tls_endpoint=/api/v1/osquery/config --config_refresh=10 --disable_distributed=false --distributed_plugin=tls --distributed_interval=3 --distributed_tls_max_attempts=3 --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write --logger_plugin=tls --logger_tls_endpoint=/api/v1/osquery/log --logger_tls_period=10

Can some help on this.

Seán O'Halloran

04/24/2020, 3:25 PM

Are labels a way to create smart groups of machines? Or is it a “run-once” kind of feature? I set up a label called “Currently connected to USB Device” with the following SQL:

Copy code

SELECT path FROM mounts LEFT JOIN block_devices ON mounts.device = block_devices.name WHERE block_devices.type="USB"

It correctly added my machine to the label, but after removing the USB it hasn’t updated. The wording on your website implies that you can use labels to dynamically detect which machines are running vulnerable software:

KryptoNyte

04/24/2020, 4:31 PM

I now would like to query

myhost:8000/api/v1/kolide/hosts

for example

KryptoNyte

04/24/2020, 6:36 PM

Isn't the package supposed to avoid this, and in fact install all binaries?

seph

04/25/2020, 2:06 AM

Copy code

dover:launcher seph$ ./build/package-builder make --hostname=localhost --enroll_secret=secret --insecure --insecure_transport --targets linux-systemd-deb --package_version 1
Built packages in /tmp/launcher-package071939396

dover:launcher seph$ /usr/local/Cellar/binutils/2.33.1/bin/ar -p /tmp/launcher-package071939396/launcher.linux-systemd-deb.deb  data.tar.gz | tar tzf - | grep osq
./usr/local/launcher/bin/osqueryd
./usr/local/launcher/bin/osquery-extension.ext

👍 1

Mojed

04/27/2020, 10:11 AM

Hello I Have a question. Where do Kolide fleet saves logs for the queries or packs ? Is there a folder where I can find them or are they in db ? I hope iam not just to dumb to find it in the documentation. 😊

KryptoNyte

04/27/2020, 2:35 PM

I was clicking on the gRPC Specification link in the laucher repo https://github.com/kolide/launcher/blob/master/docs/launcher.md which points to https://github.com/kolide/agent-api/blob/master/agent_api.proto but github's Jedi gatekeeper tells me I should believe it does not exist

KryptoNyte

04/27/2020, 6:25 PM

Does fleet just generate one enrollment_token per instance? Can the same instance "partition" hosts by assigning different enrollment tokens?