# fleet
t
Hello team 👋 I've spent a few days trying to build a simple setup using Orbit standalone and osquery. The idea is to deploy a lightweight agent across a bunch of hosts at scale that reports directly to my backend. What I have now is a build pipeline that builds and customises my Orbit package for macOS, built using fleetctl and osquery.flags and using postinstall and preinstall scripts to place my custom osquery.conf file in the directory I configured in the flags. However, once installed I don't receive the logs correctly. I managed to get some system logs, which I don't want, and query results in a disorganised way and not consistently. I am struggling though, especially with:
1. Configuring osquery to start up and log a few basic query results to my backend endpoint consistently.
   a. Happy to share my flags file.
2. Making sure Orbit does not try to reach a Fleet server, and instead runs standalone.
   a. I read this one is tricky due to some logs being generated regardless of it working standalone, but that it should still work.
It would be much appreciated if someone is knowledgeable about this setup and is willing to answer a couple of questions at least to get unblocked. 🙏 Thanks so much in advance
For testing purposes I am running this basic query. This is my osquery.conf file:
{
  "schedule": {
    "os_version_check": {
      "query": "SELECT name AS os_name, version AS os_version FROM os_version;",
      "interval": 10,
      "platform": "all"
    }
  }
}
And this is my osquery.flags file:
--host_identifier=uuid
--config_plugin=filesystem
--config_path=/var/osquery/osquery.conf
--disable_enrollment=true
--watchdog_memory_limit=200
--watchdog_utilization_limit=70
--watchdog_delay=60
--logger_snapshot_event_type=true
--disable_events=false
--schedule_splay_percent=10
--logger_plugin=tls
--logger_tls_period=10
--logger_tls_max=5000
--tls_hostname=<hostname>
--logger_tls_endpoint=</endpoint>
--tls_server_certs=/private/etc/ssl/cert.pem
And last, my postinstall script:
#!/bin/bash
# The script uses bash-only constructs ([[ ]], arithmetic), so it needs a bash shebang.
set -e

echo "[postinstall] Starting Orbit Agent setup..."

# 1. Symlink the orbit binary to the expected location
ln -sf /opt/orbit/bin/orbit/macos/stable/orbit /opt/orbit/bin/orbit/orbit
ln -sf /opt/orbit/bin/orbit/orbit /usr/local/bin/orbit
echo "[postinstall] Symlinked orbit binary."

# 2. Symlink osqueryd to /opt/orbit/bin/osqueryd
ln -sf /opt/orbit/bin/osqueryd/macos-app/stable/osquery.app/Contents/MacOS/osqueryd /opt/orbit/bin/osqueryd
chmod +x /opt/orbit/bin/osqueryd
echo "[postinstall] Symlinked osqueryd binary."

# 3. Place osquery.conf in /var/osquery/ (the file ships next to this script in the pkg)
mkdir -p /var/osquery
cp "$(dirname "$0")/osquery.conf" /var/osquery/osquery.conf
chmod 600 /var/osquery/osquery.conf
chown root:wheel /var/osquery/osquery.conf
echo "[postinstall] Installed osquery.conf."

# 4. Create log directory and files
mkdir -p /var/log/osquery
touch /var/log/osquery/osqueryd.results.log
touch /var/log/osquery/osqueryd.INFO
chmod 644 /var/log/osquery/osqueryd.*
chown root:wheel /var/log/osquery/osqueryd.*
echo "[postinstall] Created osquery log files."

# 5. Inject environment variable into Orbit LaunchDaemon plist
DAEMON_LABEL="com.fleetdm.orbit"
DAEMON_PLIST="/Library/LaunchDaemons/${DAEMON_LABEL}.plist"
ENV_KEY="FLEETD_SILENCE_ENROLL_ERROR"
ENV_VAL="1"

# Create the dict if missing, then set the key (or add it if Set fails because it does not exist yet)
/usr/libexec/PlistBuddy -c "Add :EnvironmentVariables dict" "${DAEMON_PLIST}" 2>/dev/null || true
/usr/libexec/PlistBuddy -c "Set :EnvironmentVariables:${ENV_KEY} ${ENV_VAL}" "${DAEMON_PLIST}" || \
/usr/libexec/PlistBuddy -c "Add :EnvironmentVariables:${ENV_KEY} string ${ENV_VAL}" "${DAEMON_PLIST}"

chown root:wheel "${DAEMON_PLIST}"
chmod 644 "${DAEMON_PLIST}"
echo "[postinstall] Injected environment variable ${ENV_KEY}=${ENV_VAL} into Orbit plist."

# 6. Bootstrap LaunchDaemon
pkill fleet-desktop || true
launchctl bootout "system/${DAEMON_LABEL}" || true
launchctl enable "system/${DAEMON_LABEL}"

count=0
while ! launchctl bootstrap system "${DAEMON_PLIST}"; do
	sleep 1
	# Plain assignment instead of ((count++)): under set -e the post-increment
	# form returns the old value (0 on the first retry), i.e. a non-zero exit
	# status that would silently abort the script before it ever retried.
	count=$((count + 1))
	if [[ $count -eq 30 ]]; then
		echo "[postinstall] Failed to bootstrap ${DAEMON_PLIST}"
		exit 1
	fi
	echo "[postinstall] Retrying launchctl bootstrap..."
done

launchctl kickstart "system/${DAEMON_LABEL}"
echo "[postinstall] Orbit agent started via launchd!"
k
@Toni Sanmateu can you give me a little more information about what you’re actually seeing with this setup? Are there any errors in the fleetd or osquery logs? What system logs are you receiving? What do the query result logs that you are receiving look like?
t
Hey Kathy, I'll install it again and let you know the answer to your questions.
Right now, I am not seeing any logs in the osquery log files, nor am I receiving requests to my Hookdeck mock endpoint. Something is not working as expected.
➜  ~ sudo launchctl list | grep orbit
-       0       com.fleetdm.orbit
Getting quite a few system logs from orbit (see image). No "enroll failed" error.
I wonder if osquery is correctly installed by Orbit...
I'm building the package using the fleetctl binary. I am trying to build it now installing the npm dependency instead. Let's see.
I got it working. I had to adjust the symlink mapping in my postinstall script.
u
Glad you got that sorted!
t
Yes, what I was not distinguishing was that I could use orbit as an installer/updater because it never fully launches osquery due to the error enrolling with Fleet DM. Since I wanted to use it standalone, I used the postinstall script to launch another osquery daemon, which launches without problems and starts logging. I wonder if there was a workaround for that. The env var that the docs suggest doesn't work properly. I still would like to better understand what orbit updates for me. I'm thinking about how we would roll out a new set of queries. Ideally, updating the osquery.conf packaging and signing, but I'll see if it only updates osquery and orbit themselves automatically. I am planning on hosting a TUF made with Notary.
k
It does not update the osquery configuration, that's typically handled by osquery itself using the tls_config plugin.
t
Yes I saw that I need to set up enroll, log, and config endpoints. But then what does orbit do as an updater? I am also going to set up Notary for signing the packages. Btw I think the tls plugin is to pick up new osquery.confs but not the actual osquery version?
But I am still confused about what orbit does as an updater pointing to my TUF server: what will it update automatically for me? I am also concerned that by default it didn't launch osquery properly; I had to launch another osquery daemon in the postinstall phase.