Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi All,

I'm working on a script to populate policies from existing queries, however when I am sending a POST to <https://fleet.fqdn.tld/api/v1/fleet/global/policies> following <https://fleetdm.com/docs/using-fleet/rest-api#add-policy|this documentation> despite setting the "Authorization: Bearer $TOKEN" header, I keep seeing a 401 Authentication required response , Any ideas what I may be doing wrong ?

Never hurts to check... everything worked fine for me. It could be that the variable isn't set up properly. How are you sending the request?

python requests:

```...
    fleetURL = "<https://fleet.FQDN.tld>"
    policyURI = "/api/v1/fleet/global/policies"
    fleet_token = os.getenv("FLEET_TOKEN")
    if not fleet_token:
        getpass("Please enter your FLEET API token:")
    headers = {"Authorization":"Bearer "+fleet_token}
    req = <http://requests.post|requests.post>(fleetURL + policyURI, json=payload, headers=headers)
...```
payload for example is built out as follows:

```{
  "name": "audit_gatekeeper_disabled",
  "query": "SELECT 1 as compliant WHERE NOT EXISTS (SELECT assessments_enabled AS compliant FROM gatekeeper where compliant !=1);",
  "description": "FleetDM audit check policy foraudit_gatekeeper_disabled",
  "resolution": "Please contact #it-helpdesk on slack for assistance",
  "platform": "darwin"
}```


What happens if you directly copy/paste your token rather than using the variable?

:man-facepalming: p.e.b.k.a.c seems my API token changed and I was not using the latest one

Ah! I should have included "fetch your API token again to make sure it's current" to that step. Filing that away for the future :slightly_smiling_face:

It looks like this is something you'll be running on demand rather than on a scheduled basis, so you might want to consider adding a login to the flow.

Create API only user IMO. Then token doesn't expire. 