https://github.com/osquery/osquery logo
Powered by
#fleet
Title
i

Ibra

06/08/2022, 1:19 PM
Trying with docker and node js gives me problems and instead trying in server mode (https://fleetdm.com/docs/deploying/server-installation) as soon as I do the /usr/bin/fleet prepare db part \ --mysql_address=127.0.0.1:3306 \ --mysql_database=fleet \ --mysql_username=root \ --mysql_password=toor?fl33t it tells me Error: No help topic for 'prepare'
k

Keith Swagler

06/08/2022, 4:08 PM
It sounds like there may be "help" before the "prepare" command
I also see "part" in the command you pasted, which I don't see any docs for and could cause problems
i

Ibra

06/08/2022, 7:12 PM
Hi @Keith Swagler, I succeeded to install the preview version with docker (https://fleetdm.com/get-started) but when I click on add node and create the msi file, on windows pc it remains in initializing state and I don't see it among the hosts it shows me. also i would like to know how to implement it in production mode and not in demo mode, i can't find any guides online, could you help me? thanks
k

Keith Swagler

06/08/2022, 7:39 PM
Hi Ibra, you can follow the instructions on the deploy page for doing a production deployment https://fleetdm.com/docs/deploying/server-installation
i

Ibra

06/08/2022, 8:05 PM
hi @Keith Swagler having rhel 7.9 I downloaded fleetctl_v4.15.0_linux.zipper (https://github.com/fleetdm/fleet/releases/tag/fleet-v4.15.0) but inside there is no linux subfolder nor in the source code folder (https://github.com/fleetdm/fleet/releases/tag/fleet-v4.15.0) as indicated in the code in the installation link you provided me
Copy code
unzip fleet.zip 'linux/*' -d fleet
sudo cp fleet/linux/fleet* /usr/bin/
k

Keith Swagler

06/09/2022, 4:05 AM
there isn't a fleet zip file you would want the tar.gz, which is just another compressed file.
You can uncompress using 
tar xvf fleet_v4.15.0.tar.gz
i

Ibra

06/09/2022, 12:22 PM
Hi @Keith Swagler thanks for your support, I installed it but when I do
Copy code
/usr/bin/fleet serve \
  --mysql_address=127.0.0.1:3306 \
  --mysql_database=fleet \
  --mysql_username=root \
  --mysql_password=toor \
  --redis_address=127.0.0.1:6379 \
  --server_cert=/tmp/server.cert \
  --server_key=/tmp/server.key \
  --logging_json
i get this massege
{"component":"redis","level":"info","mode":"standalone","ts":"2022-06-09T120921.87259795Z"} {"component":"crons","cron":"vulnerabilities","level":"info","software inventory":"not configured","ts":"2022-06-09T120921.939422235Z"} {"level":"info","msg":"metrics endpoint disabled (http basic auth credentials not set)","ts":"2022-06-09T120921.968107573Z"} {"address":"0.0.0.0:8080","msg":"listening","transport":"https","ts":"2022-06-09T120921.968800662Z"}
what can i do?
k

Keith Swagler

06/09/2022, 12:57 PM
looks like it's working! But listening on port 8080
i

Ibra

06/09/2022, 2:45 PM
thanks, now it's working
but when i g to do fleetctl package --type=msi --fleet-desktop --fleet-url=https://fleet.ibratech.it --enroll-secret=N6O0IYtIeQ4wmpsvnFXZ+Gw09XwSde3Y
I HAVE GOT fleetctl not found
@Keith Swagler
k

Keith Swagler

06/09/2022, 3:22 PM
fleetctl is a separate package
you can download on a server or a workstation
i

Ibra

06/09/2022, 3:26 PM
@Keith Swagler once I run the fleetctl command to create the msi package, is it included inside osquery or do I have to install it separately? is there any way to allow pc's to be reached by fleet even if they are not in the same lan, using for example a fqdn or public ip? what are the ports to open on the firewall? how do i see the ports used by fleet? thanks for your support
k

Keith Swagler

06/09/2022, 3:34 PM
I think the msi includes everything you need but I'm not sure on that. You can have the clients reach the Fleet server by FQDN and that is the preferred method. The simpliest is just HTTPS 443
i

Ibra

06/09/2022, 3:44 PM
@Keith Swagler perfect, when I start the msi will I see the host right away or do I have to do other operation?
I keep seeing this situation on the Windows pc
k

Keith Swagler

06/09/2022, 3:47 PM
I'm not sure I've never installed that way
i

Ibra

06/09/2022, 8:39 PM
Hi @Keith Swagler I think I found the problem, I tried installing osquery on the same machine where fleet is installed, but after generating the rpm package with fleetctl and starting orbit, I noticed that it does not connect to fleet on port 443:
Copy code
systemctl status orbit -l
● orbit.service - Orbit osquery
   Loaded: loaded (/usr/lib/systemd/system/orbit.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2022-06-09 16:26:37 EDT; 3min 33s ago
 Main PID: 8640 (orbit)
    Tasks: 20 (limit: 11268)
   Memory: 19.9M
   CGroup: /system.slice/orbit.service
           ├─8640 /opt/orbit/bin/orbit/orbit
           ├─8645 /opt/orbit/bin/osqueryd/linux/stable/osqueryd --pidfile=/opt/orbit/osquery.pid --database_path=/opt/orbit/osquery.db --extensions_socket=/opt/orbit/orbit-osquery.em --logger_path=/opt/orbit/osquery_log --enroll_secret_>
           └─8649 /opt/orbit/bin/osqueryd/linux/stable/osqueryd

giu 09 16:26:52 test-fleet-01.ibratech.local orbit[8640]: 2022-06-09T16:26:52-04:00 INF start osqueryd cmd="/opt/orbit/bin/osqueryd/linux/stable/osqueryd --pidfile=/opt/orbit/osquery.pid --database_path=/opt/orbit/osquery.db --extension>
giu 09 16:26:52 test-fleet-01.ibratech.local osqueryd[8645]: osqueryd started [version=5.2.2]
giu 09 16:26:57 test-fleet-01.ibratech.local orbit[8640]: W0609 16:26:57.937232  8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
giu 09 16:26:58 test-fleet-01.ibratech.local orbit[8640]: W0609 16:26:58.988256  8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
giu 09 16:27:03 test-fleet-01.ibratech.local orbit[8640]: W0609 16:27:03.044104  8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
giu 09 16:27:12 test-fleet-01.ibratech.local orbit[8640]: W0609 16:27:12.095988  8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
giu 09 16:27:28 test-fleet-01.ibratech.local orbit[8640]: W0609 16:27:28.154523  8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
giu 09 16:27:53 test-fleet-01.ibratech.local orbit[8640]: W0609 16:27:53.206271  8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
giu 09 16:28:29 test-fleet-01.ibratech.local orbit[8640]: W0609 16:28:29.254662  8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
giu 09 16:29:18 test-fleet-01.ibratech.local orbit[8640]: W0609 16:29:18.307225  8649 tls_enroll.cpp:101] Failed enrollment request to <https://10.0.63.135/api/v1/osquery/enroll> (Request error: Failed to connect to 10.0.63.135:443: Connection refused>
the port however is open, I can't find the fleet configuration file nor the log files to understand why it refuses connection on 443
Copy code
firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp 443/tcp
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
can you help me?
k

Keith Swagler

06/10/2022, 12:10 PM
By default Fleet listens on 8080, you can redirect from firewall-cmd by doing
Copy code
firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8080
Or use a WAF/reverse proxy
i

Ibra

06/10/2022, 1:55 PM
@Keith Swagler currently i was able to add 2 external hosts (windows, rhel) not connected to the same lan via fqdn with port 8080 using --insecure in fleetctl command otherwise it kept telling me it can't verify the certificate. since I plan to balance the server with F5, the ssl certificate will be installed on the balancer and not on the server, is there any way to use fleet without the certificate in the fleet.service file configuration? or how do i properly configure the certificate within the agent to communicate with the balancer? since the server is balanced in ssl offloading mode?
k

Keith Swagler

06/10/2022, 6:22 PM
You can include the certificate when generating the package in fleetctl using --fleet-certificate. I'm not familiar with F5s specifically but you can either have the certificate on the server or disable strict host checking between the F5 and the Fleet server
i

Ibra

06/10/2022, 7:00 PM
Should I download the certificate from here and put it in path on the server such as /tmp/fleet.pm and put it in fleetctl command as you indicate?
@Keith Swagler
this is the situation I want to have (in black), when there is no balancer in the middle (in red) entering the --fleet-certificate option tells me error verifing certificate after downloading it from the screenshot above
k

Keith Swagler

06/10/2022, 7:57 PM
most of the time certificate errors are: • not matching hostname • not trusting certificate (self-signed)
OSQuery should trust any cert that you package it with in fleetctl, as long as it is the same one being hosted
i

Ibra

06/11/2022, 12:36 PM
@Keith Swagler i will use le'ts encrypt r3
4 Views
Powered by