Hello! Where is the best place to read about what ...
# fleett
Tor Houghton
12/03/2021, 12:52 PMHello! Where is the best place to read about what "--update-url" is used for, when building a package? While I am quite keen for my fleetdm server (--fleet-url) to check for any updates to Orbit (I guess that is what the --update-url is for?), I don't really want all my other clients making (or attempt to make) outbound connections. If they need an update, I'd rather push this myself. (Caveat: I have made an assumption/guess about --update-url)
l
Lucas Rodriguez
12/03/2021, 1:41 PMOne option is to run not Orbit but plain osquery.
✅ 1
Lucas Rodriguez
12/03/2021, 1:41 PMFleet supports plain osquery.
k
koo
12/03/2021, 1:42 PMThat’s true!
l
Lucas Rodriguez
12/03/2021, 1:43 PMOne of the benefits of Orbit is the auto-update/auto-config (useful when managing thousands of hosts).
Lucas Rodriguez
12/03/2021, 1:43 PMBut Fleet server supports plain osquery, Orbit is a relatively new addition.
💐 1
n
Noah Talerman
12/03/2021, 2:23 PM@Tor Houghton, the
--update-url--update-url✅ 2
💯 1
Noah Talerman
12/03/2021, 2:24 PMFleet Free users have several options for deploying osquery like Lucas explains above. These are…
• Deploy Fleet’s osquery installer (Orbit). The Fleet team’s autoupdate server will automatically update osquery on your hosts to the latest stable release of osquery.
• Deploying plain osquery. When an update to osquery is released you’ll have to deploy a new binary.
ty 1
t
Tor Houghton
12/03/2021, 5:16 PMThanks for all this information; indeed, the first time around of installing fleetdm, I did run plain old osquery but I thought I'd give the installer package a go as well, to see how that worked (which worked fine on all my linux hosts, but had weird MAC tls errors when installing the .pkg on MacOS). So .. I may go back to what @Lucas Rodriguez suggests. I was just curious as to what --update-url was for and if I could avoid using it on my client machines (e.g. with a "--manual-update" option ;)).
Tor Houghton
12/03/2021, 5:17 PMThanks so much for your time + input.
Tor Houghton
12/03/2021, 5:31 PMJust to understand what @Noah Talerman says: "Fleet Free users do not have to set this option."; can I initialise --update-url with "something" (or "")?
I am no go programmer so I wouldn't know if putting "something" into --update-url that resulted in a socket not being opened would cause orbit to die (in update.go):
remoteStore, err := client.HTTPRemoteStore(opt.ServerURL, nil, httpClient)
if err != nil {
return nil, fmt.Errorf("init remote store: %w", err)
}
z
zwass
12/03/2021, 6:25 PM
@Tor Houghton we haven't yet added functionality to disable autoupdate completely in Orbit (since autoupdate is one of the primary benefits), but we do intend to do so. As a workaround you could set
--orbit-channel--osqueryd-channel✅ 1
t
Tor Houghton
12/03/2021, 6:44 PMWhile I can (for the most part) mitigate against the autoupdate by blocking the domain in our outbound proxy and/or provide NXDOMAIN replies in our resolvers, I would rather the client hosts just stay quiet; several do not have any business making outbound connections and any attempts either trigger alerts or skew the flow data. So I guess that's the first reason. The second is probably not likely, but I would still like to further reduce it (or at least reduce the impact): the effects of a supply chain attack, should it happen.
Tor Houghton
12/03/2021, 6:48 PMFor now, though, I can go with @Lucas Rodriguez solution 🙂
Tor Houghton
12/03/2021, 7:09 PMBut as for orbit, I liked the idea of being able to get the package direct from the GUI.
Tor Houghton
12/03/2021, 7:14 PM(With all the configuration etc. bundled, so all it needs is a dpkg -i/whatnot, instead of apt install of osquery+a push of /etc/osquery w/flagfile,secret,pem)
z
zwass
12/03/2021, 7:29 PM
Nice, thank you for the context there. That all makes sense.
2 Views