#fleet
CptOfEvilMinions

12/18/2020, 6:04 PM
Hey y’all, I am creating a blog post on:
• Installing/setting up FleetDM manually on Ubuntu 20.04
• Installing/setting up FleetDM with an Ansible playbook
• Installing/setting up FleetDM with Docker-compose v2.x
• Installing/setting up FleetDM with Docker swarm v3.X
• How to manually install Osquery on Windows and Ubuntu
• How to install Osquery on endpoints with an Ansible playbook
• Section on converting an Osquery query pack to the YAML format to upload to FleetDM with FleetCTL
• Section on creating a query pack via the web GUI
• Section on running live queries with FleetCTL
• Section on running live queries with the web GUI
• Section on the new file carve feature in FleetDM
In a thread below, please add any additional items I should cover in my blog post for first-time FleetDM users.
Zach Zeid

12/18/2020, 6:19 PM
CI/CD for queries
6:19 PM
Personally I'd love a deep dive on the options in the `flags` file and the `conf` file.
CptOfEvilMinions

12/18/2020, 6:21 PM
@Zach Zeid I love the idea about CI/CD but I will probably cover that in a separate post since I don’t know of an easy way to implement that.
6:21 PM
It would require some additional research and implementation but I love the idea 🙂
6:22 PM
@Zach Zeid attempting to generate a discussion here. Is there something specific about the flags file that the Osquery documentation doesn’t cover?
6:24 PM
Or is it the fact that, as a blog writer, I just hand you a flags file without any context as to why I chose the flags I did? If so, I might meet you in the middle and add a comment to each flag option with supporting references linking to Osquery’s documentation.
Zach Zeid

12/18/2020, 6:24 PM
I'm generally a dense person, and it's not really clear to me when something should be in `flags` vs `conf`, and what options are required vs what aren't vs what options selected need other required flags.
CptOfEvilMinions

12/18/2020, 6:25 PM
Ahhhh. Yeah that took me some time to understand as well.
Zach Zeid

12/18/2020, 6:25 PM
I've generally been told that the docs make sense, but they don't for me; that's my hot take.
CptOfEvilMinions

12/18/2020, 6:25 PM
I think I can provide something on that topic that will help ppl 🙂
maxwhite

12/18/2020, 6:33 PM
I would be interested in "alerting" strategies based on query packs/snapshots 🙂
CptOfEvilMinions

12/18/2020, 6:42 PM
@maxwhite can you elaborate/provide an example on what you mean by alerting strategies?
maxwhite

12/18/2020, 6:45 PM
For example, if I want to be alerted when a device is not encrypted (what to look for in the logs, how to send to a SIEM/Lambda?)
6:46 PM
But it might be too infrastructure-dependent for a general blog.
CptOfEvilMinions

12/18/2020, 7:21 PM
Yeah, that would be a more IR-focused blog post for me. However, it’s good to know ppl are interested in something like that for a future blog post.
5:20 PM
@Zach Zeid per your comment above on when to add a config setting to `osquery.flags` vs. `osquery.conf`, I wrote guidance in my latest blog post here: https://holdmybeersecurity.com/2021/01/07/getting-started-with-fleetdm-v3-6-0/
5:20 PM
Check it out and let me know if that helps 🙂
5:21 PM
@Zach Zeid also, per your first comment on CI/CD, I am currently working on mocking up a CI/CD pipeline with Gitlab which will turn into a blog post.
Zach Zeid

01/08/2021, 5:27 PM
Thanks man for the work, I'll check it out! Looking forward to the next release 😄