
Ari Weinberg

05/25/2023, 3:59 PM
Is there a way to set different command line options for different OSs under agent options in the fleet UI?

Zay Hanlon

05/25/2023, 6:00 PM
@Kathy Satterlee ^

Kathy Satterlee

05/25/2023, 7:12 PM
@Ari Weinberg, There isn't a way to override the flags by platform, but we can likely come up with a workaround. Can you give me some examples of flags you might want to set differently and why?

Ari Weinberg

05/25/2023, 7:12 PM
disabling tables on specific OSs?

Kathy Satterlee

05/25/2023, 7:17 PM
Can you give me an example table?

Ari Weinberg

05/25/2023, 7:17 PM
chrome_extensions

Kathy Satterlee

05/25/2023, 7:20 PM
Gotcha. What I'd likely do there is manage the flags at package creation rather than through the Fleet agent options. When you're generating your packages for each OS, you can use the `--osquery-flagfile value` flag to pass your flags.

Ari Weinberg

05/25/2023, 7:21 PM
but then I can't change that without re-installing, correct?
or the API/fleetctl

Kathy Satterlee

05/25/2023, 7:23 PM
Was just adding a little more information there 🙂 You'd need to manually manage the osquery flags if you go this route. You could deploy a new `fleetd` package, or update the `osquery.flags` file on the host.

Ari Weinberg

05/25/2023, 7:26 PM
I'm actually having a bigger problem right now. I generated a Mac pkg installer using fleetctl, and installed on a Mac. The agent connects, but then immediately goes offline. Any advice?

Kathy Satterlee

05/25/2023, 7:30 PM
Can you take a look at the Orbit logs? There should be some helpful information there. If not, try installing a new package in `--debug` mode to generate some more detailed logs: https://fleetdm.com/docs/using-fleet/orbit#troubleshooting

Ari Weinberg

05/25/2023, 7:34 PM
this keeps repeating in the orbit stderr logs:
goroutine 1 [running]:
github.com/fleetdm/fleet/v4/orbit/pkg/update.(*Runner).HasRunnerOptTarget(0x1ba13c0?, {0x1d3c331, 0x5})
	github.com/fleetdm/fleet/v4/orbit/pkg/update/runner.go:69 +0x45
github.com/fleetdm/fleet/v4/orbit/pkg/update.(*Runner).RemoveRunnerOptTarget(0x0, {0x1d3c331, 0x5})
	github.com/fleetdm/fleet/v4/orbit/pkg/update/runner.go:52 +0x57
github.com/fleetdm/fleet/v4/orbit/pkg/update.(*NudgeConfigFetcher).GetConfig(0xc0009977a0)
	github.com/fleetdm/fleet/v4/orbit/pkg/update/nudge.go:80 +0x39a
github.com/fleetdm/fleet/v4/orbit/pkg/update.(*DiskEncryptionRunner).GetConfig(0xc000126d68)
	github.com/fleetdm/fleet/v4/orbit/pkg/update/disk_encryption.go:23 +0x2d
github.com/fleetdm/fleet/v4/orbit/pkg/update.(*FlagRunner).DoFlagsUpdate(0xc0009cca50)
	github.com/fleetdm/fleet/v4/orbit/pkg/update/flag_runner.go:96 +0x7a
main.main.func2(0xc000049780)
	github.com/fleetdm/fleet/v4/orbit/cmd/orbit/orbit.go:635 +0x3e72
github.com/urfave/cli/v2.(*Command).Run(0xc000163540, 0xc000049780, {0xc000116010, 0x1, 0x1})
	github.com/urfave/cli/v2@v2.23.5/command.go:271 +0xa4b
github.com/urfave/cli/v2.(*App).RunContext(0xc0005601e0, {0x20eacb8?, 0xc00011e000}, {0xc000116010, 0x1, 0x1})
	github.com/urfave/cli/v2@v2.23.5/app.go:329 +0x665
github.com/urfave/cli/v2.(*App).Run(...)
	github.com/urfave/cli/v2@v2.23.5/app.go:306
main.main()
	github.com/fleetdm/fleet/v4/orbit/cmd/orbit/orbit.go:884 +0x11bc
2023-05-25T15:31:13-04:00 INF running with auto updates disabled
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x1a6a585]
I'll try a debug pkg as well
It's basically the same with `--debug`, but shows the initial query attempting to run, then hits that `panic: runtime error: invalid memory address or nil pointer dereference`

Kathy Satterlee

05/25/2023, 7:41 PM
What version of Fleet and `fleetctl` are you working with?

Ari Weinberg

05/25/2023, 7:41 PM
4.31.1
on both

Kathy Satterlee

05/25/2023, 7:47 PM
Is this a brand new install, or was there a previous version of Orbit installed on this host?

Ari Weinberg

05/25/2023, 7:47 PM
There was a really old osquery installed, I think 4.9
but I removed, and reinstalled with the new generated pkg
this is multiple uninstalls, reboots, and reinstalls later
unless I missed some file somewhere

Kathy Satterlee

05/25/2023, 7:48 PM
Hmm. Maybe there are some artifacts hanging about.
Can you try:
1. Following the uninstall steps here
2. Running this cleanup script
3. Reinstalling Orbit

Ari Weinberg

05/25/2023, 7:58 PM
nope, still happening
vanilla osquery seems to work

Kathy Satterlee

05/25/2023, 8:02 PM
Are you specifying an update channel for Orbit?

Ari Weinberg

05/25/2023, 8:02 PM
here are the additional debug lines:
2023-05-25T15:59:28-04:00 DBG running nudge config fetcher middleware
2023-05-25T15:59:28-04:00 DBG empty nudge config, removing nudge as target
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x38 pc=0x1a6a585]
nope, default channel

Kathy Satterlee

05/25/2023, 9:23 PM
Thanks! I'm reaching out to the team to see if they have any additional insight.
Are you using Fleet MDM?
And do you use Nudge (either through Fleet or otherwise)?

Ari Weinberg

05/30/2023, 3:04 PM
Hi, sorry for the delayed reply, and thanks for your help so far. I am not using MDM, and have no idea what nudge is, so I assume I'm not using it
I also disabled updates. Not sure if that should make a difference

Kathy Satterlee

05/30/2023, 3:22 PM
Does the same thing happen if you don't disable updates?
We're looking into this bug and it seems to be a common thread, so I'd be curious to see if that made a difference for you.

Ari Weinberg

05/30/2023, 3:23 PM
yes. I went into the plist file and changed disable updates to false
Is there a way I can disable nudge?
For that matter, how can I disable MDM, seeing as I'm not using it? I think the host that I'm testing on has it turned on by default

Kathy Satterlee

05/30/2023, 3:54 PM
There isn't a flag to disable Nudge. At the moment, what seems to be failing is the step that skips including Nudge if there isn't a config file present for it.

Ari Weinberg

05/30/2023, 4:07 PM
When I run manually with `sudo orbit --enroll-secret-path /opt/orbit/secret.txt --fleet-url 'https://my.fleet.com'` it automatically fills in the nudge URL from `--fleet-url`, and doesn't error out
not sure why the service doesn't do that

Kathy Satterlee

05/30/2023, 4:09 PM
I'll add that to the ticket!