Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
b
Bacarus
05/26/2021, 12:35 PMHi, Can someone help me with osquery configuration?
I’m trying to modify osquery configuration throught fleet ui -> settings/osquery options
if I modify something like logger_tls_period it saves the changes to the server but with more complex yaml cinfigurations it doesn’t work.
It doesn’t send the post from the front end and the console gives the error in the screenshot.
(Below the yaml configuration)
---
apiVersion: v1
kind: options
spec:
config:
options:
logger_plugin: tls
pack_delimiter: /
logger_tls_period: 10
distributed_plugin: tls
disable_distributed: false
logger_tls_endpoint: /api/v1/osquery/log
distributed_interval: 10
distributed_tls_max_attempts: 3
decorators:
load:
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
overrides: {}
---
apiVersion: v1
kind: enroll_secret
spec:
secrets:
- active: true
name: default
secret: RzTlxPvugG4o4O5IKS/HqEDJUmI1hwBoffff
- active: true
name: new_one
secret: reallyworks
- active: false
name: inactive_secret
secret: thissecretwontwork!
i
Ian Muscat
05/26/2021, 12:59 PMNot sure about the JS console error, but if you’re editing options via the UI you should ditch the
apiVersionkindspec:
config:
options:
logger_plugin: tls
pack_delimiter: /
logger_tls_period: 10
distributed_plugin: tls
disable_distributed: false
logger_tls_endpoint: /api/v1/osquery/log
distributed_interval: 10
distributed_tls_max_attempts: 3
decorators:
load:
- SELECT uuid AS host_uuid FROM system_info;
- SELECT hostname AS hostname FROM system_info;
overrides: {}enroll_secretfleetctl➕ 1
🙏 1
b
Bacarus
05/26/2021, 1:21 PMso fleet doesn’t allow to change all the settings from ui? even if the logged user is the admin?
By the way with fleetctl I use the command:
./build/fleetctl get options > options.yamln
Noah Talerman
05/26/2021, 1:29 PMOnly the osquery options can be edited on the osquery options page in the Fleet UI. You’ll want to use the above yaml configuration that Ian has provided to successfully edit the osquery options.
To create/modify enroll secrets you must create a separate yaml configuration file and use the
fleetctl apply -f <file-name-here>fleetctlfleetctl config set --address localhost:18080🙏 1
m
mikermcneil
05/26/2021, 4:19 PMLooks like Fleet could use a better error message for this scenario, when editing these agent options fails in the UI
👍 1
n
Noah Talerman
05/26/2021, 4:38 PMDefinitely, in the linked GitHub issue I added…the first step for adding validation in this scenario is to first add better error handling: https://github.com/fleetdm/fleet/issues/289#issuecomment-848928631
:ty: 1
🎉 1