Jocelyn Bothe
09/14/2021, 6:29 PM
Sep 14 18:28:30 osquery-service-orc20.ec2.vzbuilders.com fleet[13403]: ts=2021-09-14T18:28:30.884003459Z component=service method=ingestDiskSpace err="detail_query_disk_space expected single result got 2"
Tomas Touceda
09/14/2021, 6:43 PM
Jocelyn Bothe
09/14/2021, 6:52 PM
Tomas Touceda
09/14/2021, 7:08 PM
fleetctl get config
?
Jocelyn Bothe
09/14/2021, 7:26 PM
[root@osquery-service-ora48 ouser]# cat /etc/kolide/fleet.yml
mysql:
address: rds-global.ec2.posq.com:3306
database: osq
username: [REDACTED]
password: [REDACTED]
max_open_conns: 100
max_idle_conns: 100
conn_max_lifetime: 0
mysql_read_replica:
address: replica.rds-global.ec2.posq.com:3306
database: osq
username: [REDACTED]
password: [REDACTED]
max_open_conns: 100
max_idle_conns: 100
conn_max_lifetime: 0
redis:
address: redis-global.ec2.posq.com:6380
connect_timeout: 30s
keep_alive: 60s
server:
tls: true
cert: /etc/kolide/paranoids.c-osq.tls.cert.pem
key: /etc/kolide/paranoids.c-osq.tls.privatekey.pem
address: 0.0.0.0:8090
session:
duration: 12h
osquery:
status_log_plugin: filesystem
result_log_plugin: firehose
# result_log_plugin: filesystem
host_identifier: instance
enroll_cooldown: 1440m
detail_update_interval: 1440m
osquery_label_update_interval: 120m
vulnerabilities:
current_instance_checks: no
logging:
# debug: true
filesystem:
status_log_file: /var/log/osquery/status.log
result_log_file: /var/log/osquery/results.log
enable_log_rotation: true
firehose:
region: us-west-2
sts_assume_role_arn: [REDACTED]
result_stream: osquery-kinesis-firehose-stream-us-west-2
Tomas Touceda
09/14/2021, 8:19 PM
Jocelyn Bothe
09/14/2021, 8:53 PM
# fleetctl get config
get config received status 404 unknown
Tomas Touceda
09/14/2021, 8:56 PM
contexts:
default:
address: <your fleet UI URL here>
in ~/.fleet/config
Jocelyn Bothe
09/14/2021, 8:56 PM
Tomas Touceda
09/14/2021, 9:03 PM
~/.fleet/config
?
Jocelyn Bothe
09/14/2021, 9:03 PM
contexts:
default:
address: https://[URL]:8080
email: jocelyn.bothe@verizonmedia.com
token: [TOKEN]
Tomas Touceda
09/14/2021, 9:06 PM
fleetctl --version
how about that one?
Jocelyn Bothe
09/14/2021, 9:07 PM
# fleetctl --version
fleetctl - version 4.3.0
branch: HEAD
revision: 86044eb0369e27b68e313d33a280f73a332a9994
build date: 2021-09-13
build user: runner
go version: go1.16.5
[root@osquery-service-ora48 .fleet]# fleetctl get config
---
apiVersion: v1
kind: config
spec:
agent_options:
config:
decorators:
load:
- SELECT COALESCE((select instance_id FROM ec2_instance_metadata), hostname)
as hostname FROM system_info;
file_paths:
docker:
- /etc/docker/%%
- /etc/default/docker
- /etc/docker/daemon.json
- /usr/bin/containerd
- /usr/sbin/runc
- /etc/sysconfig/docker
- /usr/lib/systemd/system/docker.service
- /usr/lib/systemd/system/docker.socket
etc:
- /etc/group
- /etc/passwd
- /etc/shadow
- /etc/services
- /etc/sudoers
- /etc/ld.so.preload
- /etc/ld.so.conf
- /etc/ld.so.conf.d/%%
- /etc/pam.d/%%
- /etc/resolv.conf
- /etc/modules
- /etc/hosts
- /etc/hostname
- /etc/fstab
- /etc/rsyslog.conf
firewalls:
- /etc/sysconfig/iptables
- /home/y/conf/yakl/%%
- /etc/yakl/conf/%%
logs:
- /var/log/secure
osquery:
- /etc/osquery/%%
- /usr/share/osquery/packs/%%
ssh:
- /root/.ssh/%%
- /home/%/.ssh/%%
- /etc/ssh/%%
- /var/lib/sia/keys/
- /var/lib/sia/certs/
options:
host_identifier: instance
overrides: {}
host_expiry_settings:
host_expiry_enabled: true
host_expiry_window: 1
host_settings:
enable_host_users: true
enable_software_inventory: false
org_info:
org_logo_url: ""
org_name: Verizon Media LLC
server_settings:
enable_analytics: false
live_query_disabled: false
server_url: https://[URL]
smtp_settings:
authentication_method: "0"
authentication_type: "0"
configured: true
domain: ""
enable_smtp: false
enable_ssl_tls: true
enable_start_tls: true
password: '********'
port: 587
sender_address: [EMAIL]
server: email-smtp.us-east-1.amazonaws.com
user_name: [REDACTED]
verify_ssl_certs: true
sso_settings:
enable_sso: true
enable_sso_idp_login: true
entity_id: http://[OKTA]
idp_image_url: ""
idp_name: Okta
issuer_uri: http://[OKTA]
metadata: ""
metadata_url: https://[OKTA]
vulnerability_settings:
databases_path: ""
webhook_settings:
host_status_webhook:
days_count: 0
destination_url: ""
enable_host_status_webhook: false
host_percentage: 0
interval: 24h0m0s
Tomas Touceda
09/14/2021, 9:17 PM
Jocelyn Bothe
09/14/2021, 9:18 PM
Tomas Touceda
09/14/2021, 9:19 PM
---
apiVersion: v1
kind: config
spec:
host_settings:
enable_host_users: false
and then fleetctl apply -f path/to/that/file
Jocelyn Bothe
09/14/2021, 9:20 PM
Tomas Touceda
09/14/2021, 9:21 PM
Jocelyn Bothe
09/14/2021, 9:23 PM
fleetctl apply -f file
applying fleet config: apply config received status 500 Mail Error: sending mail: could not issue mail to provided address: 530 Authentication required
# cat file
---
apiVersion: v1
kind: config
spec:
host_settings:
enable_host_users: false
Tomas Touceda
09/14/2021, 9:25 PM
Jocelyn Bothe
09/14/2021, 9:28 PM
# fleetctl apply -f test
[+] applied fleet config
host_settings:
enable_host_users: false
Tomas Touceda
09/14/2021, 9:32 PM
Jocelyn Bothe
09/17/2021, 4:30 PM
host_users SET removed_at = CURRENT_TIMESTAMP WHERE host_id = ?" If I've got enable_host_users set to false, why is it still doing a host_users update?
Tomas Touceda
09/17/2021, 4:53 PM
Jocelyn Bothe
09/17/2021, 5:10 PM