Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
i
Ibra
06/08/2022, 1:19 PMTrying with docker and node js gives me problems and instead trying in server mode (https://fleetdm.com/docs/deploying/server-installation) as soon as I do the /usr/bin/fleet prepare db part \
--mysql_address=127.0.0.1:3306 \
--mysql_database=fleet \
--mysql_username=root \
--mysql_password=toor?fl33t
it tells me Error: No help topic for 'prepare'
k
Keith Swagler
06/08/2022, 4:08 PMIt sounds like there may be "help" before the "prepare" command
I also see "part" in the command you pasted, which I don't see any docs for and could cause problems
i
Ibra
06/08/2022, 7:12 PMHi @Keith Swagler, I succeeded to install the preview version with docker (https://fleetdm.com/get-started) but when I click on add node and create the msi file, on windows pc it remains in initializing state and I don't see it among the hosts it shows me.
also i would like to know how to implement it in production mode and not in demo mode, i can't find any guides online, could you help me?
thanks
k
Keith Swagler
06/08/2022, 7:39 PMHi Ibra, you can follow the instructions on the deploy page for doing a production deployment
https://fleetdm.com/docs/deploying/server-installation
i
Ibra
06/08/2022, 8:05 PMhi @Keith Swagler having rhel 7.9 I downloaded fleetctl_v4.15.0_linux.zipper (https://github.com/fleetdm/fleet/releases/tag/fleet-v4.15.0) but inside there is no linux subfolder nor in the source code folder (https://github.com/fleetdm/fleet/releases/tag/fleet-v4.15.0) as indicated in the code in the installation link you provided me
unzip fleet.zip 'linux/*' -d fleet
sudo cp fleet/linux/fleet* /usr/bin/k
Keith Swagler
06/09/2022, 4:05 AMthere isn't a fleet zip file you would want the tar.gz, which is just another compressed file.
You can uncompress using
tar xvf fleet_v4.15.0.tar.gzi
Ibra
06/09/2022, 12:22 PMHi @Keith Swagler thanks for your support, I installed it but when I do
/usr/bin/fleet serve \
--mysql_address=127.0.0.1:3306 \
--mysql_database=fleet \
--mysql_username=root \
--mysql_password=toor \
--redis_address=127.0.0.1:6379 \
--server_cert=/tmp/server.cert \
--server_key=/tmp/server.key \
--logging_jsoni get this massege
{"component":"redis","level":"info","mode":"standalone","ts":"2022-06-09T12:09:21.87259795Z"}
{"component":"crons","cron":"vulnerabilities","level":"info","software inventory":"not configured","ts":"2022-06-09T12:09:21.939422235Z"}
{"level":"info","msg":"metrics endpoint disabled (http basic auth credentials not set)","ts":"2022-06-09T12:09:21.968107573Z"}
{"address":"0.0.0.0:8080","msg":"listening","transport":"https","ts":"2022-06-09T12:09:21.968800662Z"}
what can i do?
k
Keith Swagler
06/09/2022, 12:57 PMlooks like it's working!
But listening on port 8080
i
Ibra
06/09/2022, 2:45 PMthanks, now it's working
but when i g to do fleetctl package --type=msi --fleet-desktop --fleet-url=https://fleet.ibratech.it --enroll-secret=N6O0IYtIeQ4wmpsvnFXZ+Gw09XwSde3Y
I HAVE GOT fleetctl not found
@Keith Swagler
k
Keith Swagler
06/09/2022, 3:22 PMfleetctl is a separate package
you can download on a server or a workstation
i
Ibra
06/09/2022, 3:26 PM@Keith Swagler once I run the fleetctl command to create the msi package, is it included inside osquery or do I have to install it separately?
is there any way to allow pc's to be reached by fleet even if they are not in the same lan, using for example a fqdn or public ip? what are the ports to open on the firewall? how do i see the ports used by fleet?
thanks for your support
k
Keith Swagler
06/09/2022, 3:34 PMI think the msi includes everything you need but I'm not sure on that.
You can have the clients reach the Fleet server by FQDN and that is the preferred method. The simpliest is just HTTPS 443
i
Ibra
06/09/2022, 3:44 PM@Keith Swagler perfect, when I start the msi will I see the host right away or do I have to do other operation?
I keep seeing this situation on the Windows pc
k
Keith Swagler
06/09/2022, 3:47 PMI'm not sure I've never installed that way
i
Ibra
06/09/2022, 8:39 PMHi @Keith Swagler I think I found the problem, I tried installing osquery on the same machine where fleet is installed, but after generating the rpm package with fleetctl and starting orbit, I noticed that it does not connect to fleet on port 443:
systemctl status orbit -l
● orbit.service - Orbit osquery
Loaded: loaded (/usr/lib/systemd/system/orbit.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2022-06-09 16:26:37 EDT; 3min 33s ago
Main PID: 8640 (orbit)
Tasks: 20 (limit: 11268)
Memory: 19.9M
CGroup: /system.slice/orbit.service
├─8640 /opt/orbit/bin/orbit/orbit
├─8645 /opt/orbit/bin/osqueryd/linux/stable/osqueryd --pidfile=/opt/orbit/osquery.pid --database_path=/opt/orbit/osquery.db --extensions_socket=/opt/orbit/orbit-osquery.em --logger_path=/opt/orbit/osquery_log --enroll_secret_>
└─8649 /opt/orbit/bin/osqueryd/linux/stable/osqueryd
giu 09 16:26:52 test-fleet-01.ibratech.local orbit[8640]: 2022-06-09T16:26:52-04:00 INF start osqueryd cmd="/opt/orbit/bin/osqueryd/linux/stable/osqueryd --pidfile=/opt/orbit/osquery.pid --database_path=/opt/orbit/osquery.db --extension>
giu 09 16:26:52 test-fleet-01.ibratech.local osqueryd[8645]: osqueryd started [version=5.2.2]
giu 09 16:26:57 test-fleet-01.ibratech.local orbit[8640]: W0609 16:26:57.937232 8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
giu 09 16:26:58 test-fleet-01.ibratech.local orbit[8640]: W0609 16:26:58.988256 8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
giu 09 16:27:03 test-fleet-01.ibratech.local orbit[8640]: W0609 16:27:03.044104 8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
giu 09 16:27:12 test-fleet-01.ibratech.local orbit[8640]: W0609 16:27:12.095988 8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
giu 09 16:27:28 test-fleet-01.ibratech.local orbit[8640]: W0609 16:27:28.154523 8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
giu 09 16:27:53 test-fleet-01.ibratech.local orbit[8640]: W0609 16:27:53.206271 8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
giu 09 16:28:29 test-fleet-01.ibratech.local orbit[8640]: W0609 16:28:29.254662 8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
giu 09 16:29:18 test-fleet-01.ibratech.local orbit[8640]: W0609 16:29:18.307225 8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>the port however is open, I can't find the fleet configuration file nor the log files to understand why it refuses connection on 443
firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: cockpit dhcpv6-client ssh
ports: 8080/tcp 443/tcp
protocols:
forward: no
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:can you help me?
k
Keith Swagler
06/10/2022, 12:10 PMBy default Fleet listens on 8080, you can redirect from firewall-cmd by doing
firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8080Or use a WAF/reverse proxy
i
Ibra
06/10/2022, 1:55 PM@Keith Swagler currently i was able to add 2 external hosts (windows, rhel) not connected to the same lan via fqdn with port 8080 using --insecure in fleetctl command otherwise it kept telling me it can't verify the certificate.
since I plan to balance the server with F5, the ssl certificate will be installed on the balancer and not on the server, is there any way to use fleet without the certificate in the fleet.service file configuration?
or how do i properly configure the certificate within the agent to communicate with the balancer? since the server is balanced in ssl offloading mode?
k
Keith Swagler
06/10/2022, 6:22 PMYou can include the certificate when generating the package in fleetctl using --fleet-certificate. I'm not familiar with F5s specifically but you can either have the certificate on the server or disable strict host checking between the F5 and the Fleet server
i
Ibra
06/10/2022, 7:00 PMShould I download the certificate from here and put it in path on the server such as /tmp/fleet.pm and put it in fleetctl command as you indicate?
@Keith Swagler
this is the situation I want to have (in black), when there is no balancer in the middle (in red) entering the --fleet-certificate option tells me error verifing certificate after downloading it from the screenshot above
k
Keith Swagler
06/10/2022, 7:57 PMmost of the time certificate errors are:
• not matching hostname
• not trusting certificate (self-signed)
OSQuery should trust any cert that you package it with in fleetctl, as long as it is the same one being hosted
i
Ibra
06/11/2022, 12:36 PM@Keith Swagler i will use le'ts encrypt r3