Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
h
Hugh (Zercurity)
04/16/2020, 9:22 AM@xiaoliuzi You need to provide a valid certificate bundle in order for Osquery to connect to your remote server e.g.
--tls_server_certs=/usr/local/zercurity/zercurity.pemx
xiaoliuzi
04/16/2020, 12:58 PMThanks, I will try it immediately
but, I have provided something like this。/usr/bin/osqueryd \
--enroll_secret_path=/var/osquery/enroll_secret \
--tls_server_certs=/var/osquery/server.pem \
--tls_hostname=127.0.0.1:8080 \
--host_identifier=xiaoliuzi-virtual-machine \
--enroll_tls_endpoint=/api/osquery/enroll \
--config_plugin=tls \
--config_tls_endpoint=/api/osquery/config \
--config_tls_refresh=10 \
--disable_distributed=false \
--distributed_plugin=tls \
--distributed_interval=3 \
--distributed_tls_max_attempts=3 \
--distributed_tls_read_endpoint=/api/osquery/distributed/read \
--distributed_tls_write_endpoint=/api/osquery/distributed/write \
--logger_plugin=tls \
--logger_tls_endpoint=/api/osquery/log \
--logger_tls_period=10
h
Hugh (Zercurity)
04/16/2020, 1:02 PMYou just need to ensure the file /var/osquery/server.pem had the correct certificates
x
xiaoliuzi
04/16/2020, 1:26 PMI used a command like this
openssl s_client -connect 192.168.0.101:8080 -CAfile /var/osquery/server.pem
What is returned is this:
CONNECTED (00000003)
depth = 0 C = CN, ST = Henan, L = Hebi, O = zyq, OU = zyq, CN = zyq
verify return: 1
---
Certificate chain
0 s: / C = CN / ST = Henan / L = Hebi / O = zyq / OU = zyq / CN = zyq
i: / C = CN / ST = Henan / L = Hebi / O = zyq / OU = zyq / CN = zyq
.................................................. ...................................
Start Time: 1587043207
Timeout: 300 (sec)
Verify return code: 0 (ok)
---
closed
Is this correct?
h
Hugh (Zercurity)
04/16/2020, 1:33 PMthat looks good
so if its still not working can I ask what remote server are you using?
It might be that the enroll key is wrong
or not provided
x
xiaoliuzi
04/16/2020, 1:42 PMThe kolide fleet service running on ubantu18 is just a host. Osquery runs on another host on the same LAN. Enroll key downloaded from the kolide page.
h
Hugh (Zercurity)
04/16/2020, 1:43 PMThis might be one for the #kolide channel
out of my depth 🙂
x
xiaoliuzi
04/16/2020, 1:44 PMoh thank you🙂