https://github.com/osquery/osquery logo
Powered by
h

Hugh (Zercurity)

04/16/2020, 9:22 AM
@xiaoliuzi You need to provide a valid certificate bundle in order for Osquery to connect to your remote server e.g.
Copy code
--tls_server_certs=/usr/local/zercurity/zercurity.pem
x

xiaoliuzi

04/16/2020, 12:58 PM
Thanks, I will try it immediately
but, I have provided something like this。/usr/bin/osqueryd \ --enroll_secret_path=/var/osquery/enroll_secret \ --tls_server_certs=/var/osquery/server.pem \ --tls_hostname=127.0.0.1:8080 \ --host_identifier=xiaoliuzi-virtual-machine \ --enroll_tls_endpoint=/api/osquery/enroll \ --config_plugin=tls \ --config_tls_endpoint=/api/osquery/config \ --config_tls_refresh=10 \ --disable_distributed=false \ --distributed_plugin=tls \ --distributed_interval=3 \ --distributed_tls_max_attempts=3 \ --distributed_tls_read_endpoint=/api/osquery/distributed/read \ --distributed_tls_write_endpoint=/api/osquery/distributed/write \ --logger_plugin=tls \ --logger_tls_endpoint=/api/osquery/log \ --logger_tls_period=10
h

Hugh (Zercurity)

04/16/2020, 1:02 PM
You just need to ensure the file /var/osquery/server.pem had the correct certificates
x

xiaoliuzi

04/16/2020, 1:26 PM
I used a command like this openssl s_client -connect 192.168.0.101:8080 -CAfile /var/osquery/server.pem What is returned is this: CONNECTED (00000003) depth = 0 C = CN, ST = Henan, L = Hebi, O = zyq, OU = zyq, CN = zyq verify return: 1 --- Certificate chain   0 s: / C = CN / ST = Henan / L = Hebi / O = zyq / OU = zyq / CN = zyq     i: / C = CN / ST = Henan / L = Hebi / O = zyq / OU = zyq / CN = zyq .................................................. ...................................      Start Time: 1587043207      Timeout: 300 (sec)      Verify return code: 0 (ok) --- closed Is this correct?
h

Hugh (Zercurity)

04/16/2020, 1:33 PM
that looks good
so if its still not working can I ask what remote server are you using?
It might be that the enroll key is wrong
or not provided
x

xiaoliuzi

04/16/2020, 1:42 PM
The kolide fleet service running on ubantu18 is just a host. Osquery runs on another host on the same LAN. Enroll key downloaded from the kolide page.
h

Hugh (Zercurity)

04/16/2020, 1:43 PM
This might be one for the #kolide channel
out of my depth 🙂
x

xiaoliuzi

04/16/2020, 1:44 PM
oh thank you🙂
2 Views
Powered by