Title
#fleet
j

jby

11/25/2020, 3:00 PM
@zwass for #fleet bootstrapping feedback, would you like that here or in the MacAdmins Slack?
Noah Talerman

Noah Talerman

11/25/2020, 4:31 PM
Feel free to let us know here in this thread. Or reach out privately in slack DMs if you’d like the information to be shared confidentially.
j

jby

11/25/2020, 5:10 PM
I'll try and summarize what I'd like to see in the documentation of initial setup tomorrow. It's 6pm here now and I have family obligations to take care of tonight.
7:23 AM
So, there’s a docker image available as fleetdm/fleet at dockerhub. Does that contain everything needed to run fleet? I’ve tried the https://github.com/fleetdm/osquery-in-a-box before and that does contain everything. If more is required than just the docker image - what?
7:26 AM
I’m right now at a stage where all my endpoints has osquery itself installed, and now I need somewhere to send the data and make it searchable and able to present in a “manager friendly” way. Since I’ve tried osquery-in-a-box before, I thought that I’d give this non-Kolide fleet a try, but how?
2:14 PM
So, what I’d like to see is instructions on how to get a fleet server up and running preferably using the fleetdm/fleet docker image from docker hub - or alternatively how do I get a fleet server up and running if not using the docker image?
Noah Talerman

Noah Talerman

11/30/2020, 3:55 PM
Thank you for the awesome questions Jonas!
So, there’s a docker image available as fleetdm/fleet at dockerhub. Does that contain everything needed to run fleet?
No. You will also need to use a container orchestration platform to deploy the Fleet docker image in production. Two examples of this container orchestration tool are Kubernetes and AWS ECS.
j

jby

11/30/2020, 3:56 PM
I want to run the complete installation on-prem, hence AWS is not an option for me
Gavin

Gavin

11/30/2020, 3:58 PM
What components do you have setup so far , the fleet server is a configuration and log forwarding tool but doesn’t do log storage or analysis
3:58 PM
Also you mention on-prem do you have something like ELK / Splunk to store the logs ?
j

jby

11/30/2020, 3:59 PM
I'll deal with provisioning of the fleet docker image on my own. At the moment I'm just looking at getting something to run to see if it'll provide me with the insight about my machines that I'm looking for... Just a basic proof of concept setup to start with.
4:00 PM
What are your recommendations for something like that?
Gavin

Gavin

11/30/2020, 4:00 PM
4:00 PM
It’s a single tenant OSquery setup on an ubuntu Vm
j

jby

11/30/2020, 4:02 PM
Yeah, but I'm trying to get the fleet team to provide documentation on how to set up their product. Which is how I understood the request from @Noah Talerman
Gavin

Gavin

11/30/2020, 4:06 PM
I appreciate that the only comment I have is that fleet should be considered in the larger osquery system as only being a compliant OSquery TLS server responsible for agent configuration and management on a host system and not a single out of the box product containing log storage , aggregation or analysis at this time (the fleet teams indicative roadmap posted in here suggests some changes to this in the future). The docker image itself contains everything you need to have a fully functional osquery TLS Server with support for managing Scheduled Queries , host groups , enrolment & log forwardning.
4:09 PM
Once you have the server you need to look at the following guides https://github.com/fleetdm/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md https://github.com/fleetdm/fleet/blob/master/docs/infrastructure/working-with-osquery-logs.md The OSquery in a box repo, deploys fleet + elk stack + a log shipper much like the above blog post.
Noah Talerman

Noah Talerman

11/30/2020, 4:16 PM
I’m trying to get the fleet team to provide documentation on how to set up their product. Which is how I understood the request from @Noah Talerman
Correct! I just opened this issue (https://github.com/fleetdm/fleet/issues/75) in the fleetdm/fleet repo that describes the project of creating Docker deploy production documentation. Currently, the fleet documentation only provides detailed instruction for deploying fleet on ubuntu and on centos. The blog post shared by @Gavin also seems like a great resource for deploying Fleet. The Fleet team plans to provide more detailed documentation on other deployment scenarios including those @jby is inquiring about. I’m about to copy your awesome questions over to the new github issue if that’s ok with you.
j

jby

11/30/2020, 4:20 PM
Let me start over here: I have a fleet consisting of some 200 Macs and some 50 Linux-clients, I’m looking at osquery to gather inventory data about all of them and to be able to present it in a “manager friendly” way. I’m trying to find a tool suitable for collation, search-ability and presentability of the data I can collect with osquery - I’ve been trying for almost all of 2020 to find a tool that can help me with what I’d like to accomplish. I might have misunderstood the usefulness of fleet in my quest - but I don’t think so - if I have then let me know it and point me towards som other tool that can help me - please…
4:22 PM
If fleet is the way to go, help me get it running - if
osquery-in-a-box
is the easiest way to go then I’ll do that, but I’m more than happy to help develop the documentation of fleet and to get that to do what I’m looking for.
Gavin

Gavin

11/30/2020, 4:23 PM
What inventory data ?
j

jby

11/30/2020, 4:24 PM
Applications, with versions, kernel versions, is the disk encrypted etc.
Gavin

Gavin

11/30/2020, 4:24 PM
Honestly for a quick and easy life I would recommend SAL
j

jby

11/30/2020, 4:24 PM
Yeah, I have that for the Macs, but I haven’t found a way to use it with my Linux-clients
Gavin

Gavin

11/30/2020, 4:25 PM
I added linux support to SAL
j

jby

11/30/2020, 4:25 PM
Ok, care to share how?
4:26 PM
It uses gosal on a cron, there is sal v3 & v4 support depending on what version you run. I don’t capture disk encryption however
j

jby

11/30/2020, 4:26 PM
I do have my puppet clients managed by puppet, and I have an old foreman instance running (for reporting only, not as puppet server or enc), but there are lots of data that could be a lot easier to get to than from foreman
zwass

zwass

11/30/2020, 4:26 PM
@jby have you tried following the instructions on https://github.com/fleetdm/osquery-in-a-box? Anything missing there to get you a test instance set up?
j

jby

11/30/2020, 4:28 PM
No, it seemed to work the last time I tried it - it’s been a while though, I think it was before the summer - this year has wreaked havoc on dates and times…
4:29 PM
So, are you proposing I’m using the
osquery-in-a-box
as a production setup as well?
zwass

zwass

11/30/2020, 4:29 PM
No, but it may inspire you on how you'd like to set up a production instance.
4:30 PM
My recommendation would be to spend 5 mins setting up osquery-in-a-box so that you can try the functionality of Fleet and then spend an hour or two setting up a prod instance if it's meeting your needs.
j

jby

11/30/2020, 4:31 PM
Ok, I’ll try that then
9:35 AM
@Gavin - I decided to give gosal a try, but it fails immediately:
./build/linux/gosal --config to.json
gosal did not complete: build report: reports: getting serial: DMI run: exit status 1
This is after cloning the repo and running
make deps
followed by
make build
and then running
Gavin

Gavin

12/01/2020, 9:36 AM
Run as root
j

jby

12/01/2020, 9:36 AM
Ah, ok
Gavin

Gavin

12/01/2020, 9:36 AM
Also you may be better on sal slack channel
j

jby

12/01/2020, 2:16 PM
Ok, @Noah Talerman & @zwass - I now have a working osquery-in-a-box running, after a bit of wrestling with SELinux in my RHEL server running docker…
2:16 PM
What’s the recommended way to get my clients to populate it with data?
2:18 PM
(just to be transparent here, I’ve done it before and I almost remember how I did it then - these questions are mostly to help you clarify the documentation)
2:23 PM
And after getting the launcher - how do I set all parameters for it easily, to make it deployable using Jamf or Munki for macOS and using puppet for Linux?
2:41 PM
And - starting the launcher as a normal user gives the same restrictions as running osqueryi as a normal user, BUT starting as root gives the headache of
Will not autoload extension with unsafe directory permissions:
2:51 PM
Oh, and the launcher only exist in the Kolide repo - is that the one to use, or will you provide a fleetdm-launcher as well?
2:53 PM
Or, is there another way to populate the fleetdm/fleet server with client data?
Noah Talerman

Noah Talerman

12/01/2020, 3:07 PM
Hi Jonas. All the questions you’re asking are awesome and will be very helpful for altering/making additions to the existing documentation. Right now I’ll answer the questions I can to the best of my ability. I’m confident you’ve come across the Adding Hosts to Fleet documentation (https://github.com/fleetdm/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md). Here we outline two recommended ways to connect your clients to Fleet which include installing osquery binaries or the Kolide Launcher on your hosts. Fleet remains compatible with Launcher and we do not expect to drop compatibility. In the documentation I link to above, the name “Kolide Fleet” is being used and this is inconsistent with other updated parts of the documentation (should be “Fleet”). I’m drafting a PR to change this. Thank you for calling my attention to possible confusion.
3:31 PM
What’s the recommended way to get my clients to populate it with data?
@jby I’m not sure how/if it’s possible to connect your clients to the local instance of Fleet you’ve started via osquery-in-a-box. I’m working on getting that answer for you now. In the meantime, have you tried to start the containerized osquery agents to test this functionality? Instructions are linked here: https://github.com/fleetdm/osquery-in-a-box#run-osquery
j

jby

12/01/2020, 3:36 PM
So, if it’s not possible - then I feel like I’m back at square 1, with nothing other than a server running a docker instance of something that I can’t use for anything… 😞
3:56 PM
I’ve actually managed to get the Kolide launcher to send data to the osquery-in-a-box, but I seem unable to get osqueryd to do it - it refuses to start properly
3:57 PM
Dec 01 16:54:14 LIN5W2V3Z2.trioptima.local osqueryd[111674]: osqueryd started [version=4.5.1]
Dec 01 16:54:17 LIN5W2V3Z2.trioptima.local systemd[1]: osqueryd.service: Main process exited, code=exited, status=78/CONFIG
Dec 01 16:54:17 LIN5W2V3Z2.trioptima.local systemd[1]: osqueryd.service: Failed with result 'exit-code'.
Dec 01 16:54:17 LIN5W2V3Z2.trioptima.local audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=osqueryd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
3:59 PM
And the
/var/log/osquery/osqueryd.INFO
says:
I1201 16:50:57.000754 111287 events.cpp:867] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
I1201 16:50:57.000955 111287 events.cpp:867] Event publisher not enabled: syslog: Publisher disabled via configuration
I1201 16:50:57.001091 111287 events.cpp:1126] Error registering subscriber: apparmor_events: Subscriber disabled via configuration
I1201 16:50:57.001191 111287 events.cpp:1126] Error registering subscriber: process_file_events: Subscriber disabled via configuration
I1201 16:50:57.001235 111287 events.cpp:1126] Error registering subscriber: selinux_events: Subscriber disabled via configuration
I1201 16:50:57.001278 111287 events.cpp:1126] Error registering subscriber: socket_events: Subscriber disabled via configuration
I1201 16:50:57.001502 111287 main.cpp:105] Not starting the distributed query service: Distributed query service not enabled.
I1201 16:50:57.001571 111295 events.cpp:786] Starting event publisher run loop: inotify
I1201 16:50:57.001605 111296 events.cpp:786] Starting event publisher run loop: udev
I1201 16:50:57.001598 111287 dispatcher.cpp:78] Adding new service: SchedulerRunner (0x55f0ab28c6b8) to thread: 140484973627136 (0x55f0ab268240) in process 111287
4:13 PM
E1201 17:12:14.111375 112857 shutdown.cpp:69] Cannot activate tls
4:13 PM
Oh, well - I have to give up today - I’ll continue tomorrow
zwass

zwass

12/01/2020, 4:13 PM
Have you tried following the instructions in the "Add New Host" dialog? If your configs are all correct that should step you through an enroll with plain osquery.
4:22 PM
To clarify that one, you'll need to generate a new SSL certificate that matches the hostname/IP hosts will be using to connect. Osquery is picky about certificates matching where launcher lets you get around that with
--insecure
.
j

jby

12/01/2020, 4:23 PM
I'll try tomorrow
4:23 PM
It's 5.30 pm here now
8:35 AM
@zwass, using the instructions from the “Add New Host”-dialog worked somewhat. I downloaded everything from there and put that in my Linux client (in /etc/osquery), started osqueryd with the --flagfile option pointing to the downloaded flagfile, it read the flagfile, the secret and the tls_server_cert and created the host in my fleet-server. I am however unable to get it to work using
systemctl
to start it… 😞
12:17 PM
Now my questions are more general, both osquery and fleet, so I’ll move them out to the channels…https://osquery.slack.com/archives/C01DXJL16D8/p1606898653173100 https://osquery.slack.com/archives/C08V7KTJB/p1606899596154400
12:58 PM
However, I DO have another question for you guys: How do I configure smtp without TLS? No matter how I do with the mail-form - I DO uncheck the “Use SSL/TLS to connect” it compains about:
1:13 PM
And another - can I install query packs into fleet somehow through the GUI?
Noah Talerman

Noah Talerman

12/02/2020, 3:38 PM
Hi Jonas I’m working on getting answers for your questions. By “install” do you mean inserting query packs to Fleet in bulk using the Fleet UI? Instead of manually creating each query and then adding these queries to their respective packs using the UI.
j

jby

12/02/2020, 3:40 PM
I've found packs on github that I'm wondering if I can download and install using the fleet webgui
Noah Talerman

Noah Talerman

12/02/2020, 3:49 PM
Got it! Thanks for explaining your use case. Working on answers for you.
j

jby

12/02/2020, 3:52 PM
I'll look through the docs on github and add what I've found when you have something to edit
Noah Talerman

Noah Talerman

12/02/2020, 3:55 PM
Feel free to submit a PR to the fleet documentation on github or DM me your suggested changes.
j

jby

12/02/2020, 4:33 PM
I will
Noah Talerman

Noah Talerman

12/02/2020, 8:12 PM
Do you mind sending steps to reproduce this error? Either here in the thread or in a DM to me.
j

jby

12/02/2020, 8:16 PM
Admin-> Setup email -> SMTP port 25 -> Uncheck SSL/TLS -> No user -> Save -> Error
8:25 AM
Any news on this?
Noah Talerman

Noah Talerman

12/09/2020, 9:56 PM
What are you trying to accomplish by setting up SMTP configuration? Are you trying to invite other users? Or use another feature that requires SMTP.
zwass

zwass

12/09/2020, 10:02 PM
I'm going to dig into the code to take a look at what might be happening, but is it possible your SMTP server is trying to upgrade the connection to TLS?
j

jby

12/10/2020, 5:28 AM
I'm unable to setup any other user than the primary admin user that I created during setup, since it refuses to take me to the user admin page since email is not setup.
5:30 AM
I have tried both with and without TLS, but to no avail. I'll check with my exchange-admin as well.
zwass

zwass

12/10/2020, 4:26 PM
@jby you can get around that by
fleetctl user create
. We have some changes coming in the next release (today) that will make this more clear. Please let us know what you hear from the exchange admin.
j

jby

12/10/2020, 4:28 PM
Probably, but I'm also playing 'stupid newbie' here to help you with the documentation as well...😜
4:30 PM
"Clueless" might be better than stupid...