<@U011HA3E3KR> You need to provide a valid certifi...
# generalh
Hugh (Zercurity)
04/16/2020, 9:22 AM@xiaoliuzi You need to provide a valid certificate bundle in order for Osquery to connect to your remote server e.g.
Copy code
--tls_server_certs=/usr/local/zercurity/zercurity.pemx
xiaoliuzi
04/16/2020, 12:58 PMThanks, I will try it immediately
xiaoliuzi
04/16/2020, 1:01 PMbut, I have provided something like this。/usr/bin/osqueryd \
--enroll_secret_path=/var/osquery/enroll_secret \
--tls_server_certs=/var/osquery/server.pem \
--tls_hostname=127.0.0.1:8080 \
--host_identifier=xiaoliuzi-virtual-machine \
--enroll_tls_endpoint=/api/osquery/enroll \
--config_plugin=tls \
--config_tls_endpoint=/api/osquery/config \
--config_tls_refresh=10 \
--disable_distributed=false \
--distributed_plugin=tls \
--distributed_interval=3 \
--distributed_tls_max_attempts=3 \
--distributed_tls_read_endpoint=/api/osquery/distributed/read \
--distributed_tls_write_endpoint=/api/osquery/distributed/write \
--logger_plugin=tls \
--logger_tls_endpoint=/api/osquery/log \
--logger_tls_period=10
h
Hugh (Zercurity)
04/16/2020, 1:02 PMYou just need to ensure the file /var/osquery/server.pem had the correct certificates
x
xiaoliuzi
04/16/2020, 1:26 PMI used a command like this
openssl s_client -connect 192.168.0.101:8080 -CAfile /var/osquery/server.pem
What is returned is this:
CONNECTED (00000003)
depth = 0 C = CN, ST = Henan, L = Hebi, O = zyq, OU = zyq, CN = zyq
verify return: 1
---
Certificate chain
0 s: / C = CN / ST = Henan / L = Hebi / O = zyq / OU = zyq / CN = zyq
i: / C = CN / ST = Henan / L = Hebi / O = zyq / OU = zyq / CN = zyq
.................................................. ...................................
Start Time: 1587043207
Timeout: 300 (sec)
Verify return code: 0 (ok)
---
closed
Is this correct?
h
Hugh (Zercurity)
04/16/2020, 1:33 PMthat looks good
Hugh (Zercurity)
04/16/2020, 1:33 PMso if its still not working can I ask what remote server are you using?
Hugh (Zercurity)
04/16/2020, 1:33 PMIt might be that the enroll key is wrong
Hugh (Zercurity)
04/16/2020, 1:33 PMor not provided
x
xiaoliuzi
04/16/2020, 1:42 PMThe kolide fleet service running on ubantu18 is just a host. Osquery runs on another host on the same LAN. Enroll key downloaded from the kolide page.
h
Hugh (Zercurity)
04/16/2020, 1:43 PMThis might be one for the #C1XCLA5DZ channel
Hugh (Zercurity)
04/16/2020, 1:43 PMout of my depth 🙂
x
xiaoliuzi
04/16/2020, 1:44 PMoh thank you🙂
3 Views