#fleet

Kyle Goode

09/04/2022, 12:17 AM
Hey guys, may be pushing it here, but trying to configure my Raspbian Debian 11 osquery 5.4 agent to my fleet. This is arm64 with the arm64 deb of osquery set up. I have taken and adjusted the following flag file and know that I have my cert and secret set up correctly. Fleetctl fails with "/usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 1: /usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 1: _: not found k: not found /usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 1: @ ^@6: not found /usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 1: ELF: not found /usr/lib/node_modules/fleetctl/install/v4.19.1/fleetctl: 2: Syntax error: "(" unexpected" and when I try it manually with osqueryd --flagfile=flagfile.txt --verbose the closest I get is "Failed enrollment request to https://ip:8090/api/latest/osquery/enroll (Cannot parse JSON: Invalid value. Offset: 0) retrying... I0903 19:04:38.469650 264500 smbios_tables.cpp:252] Could not read SMBIOS memory " Looking through old issues I see a suggestion to add --tls_dump to the output, so I've attached that as well. Please let me know if you have any thoughts. I have already checked networking and should not be having any firewall or blocking issues. Thanks.
Lucas Rodriguez

09/05/2022, 3:58 PM
Hi @Kyle Goode! Please try replacing the paths /api/latest/osquery/... in your flagfile.txt with /api/v1/osquery/...
Osquery API endpoints in Fleet are not versioned like the Fleet user API. Let me know if that works.
Kyle Goode

09/07/2022, 4:55 AM
Hello @Lucas Rodriguez, thank you for taking a look. I have attempted your solution but am encountering the same results, unfortunately.
Lucas Rodriguez

09/07/2022, 11:00 AM
@Kyle Goode Have you restarted osquery after changing the flagfile.txt?
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
W0903 19:12:55.460351 269113 tls_enroll.cpp:101] Failed enrollment request to https://ip:8090/api/latest/osquery/enroll (Cannot parse JSON: Invalid value. Offset: 0) retrying...
That seems to be the issue AFAICS (it expects a JSON body but nginx is returning a not found page?)
Kyle Goode

09/08/2022, 3:59 AM
@Lucas Rodriguez yes I did. This may be further complicated by the fact that my fleet server is part of Security Onion. I think I'll pop on their support and see if I can get any additional insight to see what I can do. I can get osqueryd to run with systemctl, but it's the same error if I try to launch it manually with the flagfile, and it never connects to the server even though it's whitelisted on the firewall.
4:27 AM
Looks like they suggest getting the answer from you guys. https://github.com/Security-Onion-Solutions/securityonion/discussions/8679
Lucas Rodriguez

09/08/2022, 2:02 PM
OK, can you attach the logs after the restart? To check if it's still failing with the same error when requesting to https://ip:8090/api/v1/osquery/enroll
Kyle Goode

09/15/2022, 2:02 AM
@Lucas Rodriguez would you have any other recommendations?
Lucas Rodriguez

09/15/2022, 12:45 PM
Hi @Kyle Goode! Do you have access to the host? Could you try running the following command on such host?
curl -k -v -X POST https://IP:8090/api/v1/osquery/enroll
Kathy Satterlee

09/15/2022, 9:30 PM
It looks like the structure for the enroll secret is a little off in the secret file (extrapolating from the object in verboserror.txt).
"secret":"1"
That should just be:
<your secret>
Can you run again with --verbose --tls_dump to see if you're getting the same error now that the endpoint is correct?