# fleet
e
Is there a Team ID for All Teams?
fleetctl api api/v1/fleet/teams/5/policies | jq .policies | yq -P
Trying to migrate to gitops and want to copy over the handful of policies in All Teams
a
hmmm, I would need to do a little more digging to confirm but I don't think there is. The All Teams settings are controlled by `default.yml`, not a team-specific `team.yml` file.
e
No worries, I have just added them all manually into `default.yml`.
Can I ask about how the `software` yaml is supposed to work? I have this policy that was built in the UI but I am migrating to gitops:
```yaml
- name: '[Install software] falcon-sensor (deb)'
  platform: linux
  description: |
    Policy triggers automatic install of falcon-sensor on each host that's missing this software.
    Software won't be installed on Linux hosts with RPM-based distributions because this policy's query is written to always pass on these hosts.
  resolution: ""
  query: |
    SELECT 1 WHERE EXISTS (
      SELECT 1 WHERE (SELECT COUNT(*) FROM deb_packages) = 0
    ) OR EXISTS (
      SELECT 1 FROM deb_packages WHERE name = 'falcon-sensor'
    );
  install_software:
    package_path: ../../software/linux/Falcon_Sensor_7.20.0_17306.deb
```
and I have uploaded the .deb file to the repo (prob won't do this in the future?). My `teams.yml` is the below:
```yaml
name: Testing (linux)
policies:
  - path: ../../policies/linux/device-health-policies.yml
queries:
agent_options:
  path: ./agent-options.yml
controls:
  scripts:
    - path: ../../scripts/linux/create_cronjob_gsettings_table.sh
team_settings:
  secrets:
    - secret: "$FLEET_GLOBAL_ENROLL_SECRET"
software:
```
`software` isn't an array like scripts according to the errors.
```text
Error: 2 errors occurred:
        * Couldn't edit software. "software" must be a spec.Software, found array
        * failed to parse policy install_software "[Install software] falcon-sensor (deb)": failed to unmarshal install_software.package_path file ../../software/linux/Falcon_Sensor_7.20.0_17306.deb: error converting YAML to JSON: yaml: invalid leading UTF-8 octet
```
Guidance would be great!
a
It should be...
```yaml
software:
  packages:
    - path: ../path/to/file.yml
```
e
Ah nice, I was reading the fleety-gitops repo!
a
Ya check out this folder too: https://github.com/fleetdm/fleet/tree/main/it-and-security This is our actual, in-production internal instance of Fleet's gitops repo.
e
sweeeeet - thank you.
Last one, sorry - so is my policy install correct:
```yaml
- name: '[Install software] falcon-sensor (deb)'
  platform: linux
  description: |
    Policy triggers automatic install of falcon-sensor on each host that's missing this software.
    Software won't be installed on Linux hosts with RPM-based distributions because this policy's query is written to always pass on these hosts.
  resolution: ""
  query: |
    SELECT 1 WHERE EXISTS (
      SELECT 1 WHERE (SELECT COUNT(*) FROM deb_packages) = 0
    ) OR EXISTS (
      SELECT 1 FROM deb_packages WHERE name = 'falcon-sensor'
    );
  install_software:
    package_path: ../../software/linux/crowdstrike-falcon.yml
```
where `crowdstrike-falcon.yml` would be a URL to the software package? (Likely in S3)?
```yaml
name: falcon-sensor
url: https://some.s3.thing/falcon-sensor-7.20.0-17306.deb
self-service: false
```
a
That looks good to me assuming `url` is right and the `../../` in the `package_path` are correct. I don't think `name:` is supported in the software yaml file, or at least you don't need that flag. That is automatically extracted from the package when Fleet downloads it.
You can always pass the flag `--dry-run` and it will validate everything for you.
e
okay cool - I only took name from the GET policy result on the API. I'm running --dry-run so that's cool. One bit of feedback - feels a little broken to have to upload my - non public - packages to somewhere, let's say S3, for Fleet then to copy this to S3 (hosted in AWS via Terraform). Would make sense to upload directly to the AWS S3 bucket and have some form of reference there.
a
^ ya, I'm guessing you are self-managed?
e
oui!
a
ya, it's awkward then for sure
e
I'm getting `dial tcp: lookup nexus.xxxx.net on 10.10.0.2:53: no such host` when trying to run a --dry-run with a software package. I can get to the host and download the file via curl in the same place I am running fleetctl. Any ideas?
a
Just want to confirm something... when you set up the software yaml files, that tells the Fleet server to go and download the software and store it locally. Your devices then download it from Fleet, not the URL. So your devices don't need access to that URL but your server does. Can you confirm the server has access to wherever that software package is hosted?
e
okay cool, so even on --dry-run Fleet is trying to make the outbound connection?
a
Yep! Making sure everything works before applying.
e
Thanks for all the help recently, it's great to be really investing our time into Fleet.
a
No problem and great to hear! Thanks for spending time with Fleet and also for sharing your queries with the community. I don't know if you noticed but we are running the one you shared a few weeks ago surfacing Chrome extension vulnerabilities in our internal instance: https://github.com/fleetdm/fleet/blob/main/it-and-security/lib/all/queries/collect-known-vulnerable-chrome-extensions.yml