Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
d
Daniel Cross
05/26/2022, 6:56 AMAside from the ease of installation, is there any benefit to running the fleet agent vs stock osquery? Anyone have an example of using the secret & flagfile in the osquery systemd unit?
m
Mystery Incorporated
05/26/2022, 10:01 AMOh w00t I didn't even know that there was a fleet-agent vs osquery I just been using osquery stock. or is the fleet-osquery produced by orbit?
@Daniel Cross yes I am using stock osquery from the official osquery debian repo on my ubuntu servers and it gets placed in /opt/osquery and my osquery.flags resides in /etc/osquery so does my secret.txt and my fleet.pem (cert to auth with fleet server)
The install automatically makes and enables a systemd service, the unit file located at /lib/systemd/system/osqueryd.service
[Unit]
Description=The osquery Daemon
After=network.service syslog.service
[Service]
TimeoutStartSec=0
EnvironmentFile=/etc/default/osqueryd
ExecStartPre=/bin/sh -c "if [ ! -f $FLAG_FILE ]; then touch $FLAG_FILE; fi"
ExecStartPre=/bin/sh -c "if [ -f $LOCAL_PIDFILE ]; then mv $LOCAL_PIDFILE $PIDFILE; fi"
ExecStart=/opt/osquery/bin/osqueryd \
--flagfile $FLAG_FILE \
--config_path $CONFIG_FILE
Restart=on-failure
KillMode=control-group
KillSignal=SIGTERM
TimeoutStopSec=15
CPUQuota=20%
[Install]
WantedBy=multi-user.targetfrom what I canh see in that if you want to specify where is the flag file you set $FLAG_FILE inside /etc/default/osquery but i am not bothering I just place it in /etc/osquery
k
Kathy Satterlee
05/26/2022, 4:17 PMAutomatic updates are another big selling point for using Orbit to manage osquery.
d
Daniel Cross
05/26/2022, 10:36 PMThank you @Mystery Incorporated! 😄 & @Kathy Satterlee
I’ll look into Orbit a bit more, currently my plan is to try to decouple osquery as much as possible so that fleet is more used for ad-hoc queries rather than managing the install - we have a very strict installation process, packaging our own RPMs and with a local agent managing install & upgrades across the fleet.