Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
j
jby
11/25/2020, 3:00 PM@zwass for #fleet bootstrapping feedback, would you like that here or in the MacAdmins Slack?
n
Noah Talerman
11/25/2020, 4:31 PMFeel free to let us know here in this thread. Or reach out privately in slack DMs if you’d like the information to be shared confidentially.
👍 1
j
jby
11/25/2020, 5:10 PMI'll try and summarize what I'd like to see in the documentation of initial setup tomorrow. It's 6pm here now and I have family obligations to take care of tonight.
🍻 1
So, there’s a docker image available as fleetdm/fleet at dockerhub. Does that contain everything needed to run fleet?
I’ve tried the https://github.com/fleetdm/osquery-in-a-box before and that does contain everything.
If more is required than just the docker image - what?
I’m right now at a stage where all my endpoints has osquery itself installed, and now I need somewhere to send the data and make it searchable and able to present in a “manager friendly” way.
Since I’ve tried osquery-in-a-box before, I thought that I’d give this non-Kolide fleet a try, but how?
So, what I’d like to see is instructions on how to get a fleet server up and running preferably using the fleetdm/fleet docker image from docker hub - or alternatively how do I get a fleet server up and running if not using the docker image?
n
Noah Talerman
11/30/2020, 3:55 PMThank you for the awesome questions Jonas!
So, there’s a docker image available as fleetdm/fleet at dockerhub. Does that contain everything needed to run fleet?No. You will also need to use a container orchestration platform to deploy the Fleet docker image in production. Two examples of this container orchestration tool are Kubernetes and AWS ECS.
j
jby
11/30/2020, 3:56 PMI want to run the complete installation on-prem, hence AWS is not an option for me
g
Gavin
11/30/2020, 3:58 PMWhat components do you have setup so far , the fleet server is a configuration and log forwarding tool but doesn’t do log storage or analysis
Also you mention on-prem do you have something like ELK / Splunk to store the logs ?
j
jby
11/30/2020, 3:59 PMI'll deal with provisioning of the fleet docker image on my own.
At the moment I'm just looking at getting something to run to see if it'll provide me with the insight about my machines that I'm looking for...
Just a basic proof of concept setup to start with.
What are your recommendations for something like that?
g
Gavin
11/30/2020, 4:00 PMI would recommend this blog post then https://jordanpotti.com/2018/02/16/elk-osquery-kolide-fleet-love/
It’s a single tenant OSquery setup on an ubuntu Vm
j
jby
11/30/2020, 4:02 PMYeah, but I'm trying to get the fleet team to provide documentation on how to set up their product. Which is how I understood the request from @Noah Talerman
g
Gavin
11/30/2020, 4:06 PMI appreciate that the only comment I have is that fleet should be considered in the larger osquery system as only being a compliant OSquery TLS server responsible for agent configuration and management on a host system and not a single out of the box product containing log storage , aggregation or analysis at this time (the fleet teams indicative roadmap posted in here suggests some changes to this in the future).
The docker image itself contains everything you need to have a fully functional osquery TLS Server with support for managing Scheduled Queries , host groups , enrolment & log forwardning.
🍻 1
Once you have the server you need to look at the following guides
https://github.com/fleetdm/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md
https://github.com/fleetdm/fleet/blob/master/docs/infrastructure/working-with-osquery-logs.md
The OSquery in a box repo, deploys fleet + elk stack + a log shipper much like the above blog post.
n
Noah Talerman
11/30/2020, 4:16 PMI’m trying to get the fleet team to provide documentation on how to set up their product. Which is how I understood the request from @Noah TalermanCorrect! I just opened this issue (https://github.com/fleetdm/fleet/issues/75) in the fleetdm/fleet repo that describes the project of creating Docker deploy production documentation. Currently, the fleet documentation only provides detailed instruction for deploying fleet on ubuntu and on centos. The blog post shared by @Gavin also seems like a great resource for deploying Fleet. The Fleet team plans to provide more detailed documentation on other deployment scenarios including those @jby is inquiring about. I’m about to copy your awesome questions over to the new github issue if that’s ok with you.
j
jby
11/30/2020, 4:20 PMLet me start over here:
I have a fleet consisting of some 200 Macs and some 50 Linux-clients, I’m looking at osquery to gather inventory data about all of them and to be able to present it in a “manager friendly” way.
I’m trying to find a tool suitable for collation, search-ability and presentability of the data I can collect with osquery - I’ve been trying for almost all of 2020 to find a tool that can help me with what I’d like to accomplish.
I might have misunderstood the usefulness of fleet in my quest - but I don’t think so - if I have then let me know it and point me towards som other tool that can help me - please…
If fleet is the way to go, help me get it running - if
osquery-in-a-boxg
Gavin
11/30/2020, 4:23 PMWhat inventory data ?
j
jby
11/30/2020, 4:24 PMApplications, with versions, kernel versions, is the disk encrypted etc.
g
Gavin
11/30/2020, 4:24 PMHonestly for a quick and easy life I would recommend SAL
j
jby
11/30/2020, 4:24 PMYeah, I have that for the Macs, but I haven’t found a way to use it with my Linux-clients
g
Gavin
11/30/2020, 4:25 PMI added linux support to SAL
j
jby
11/30/2020, 4:25 PMOk, care to share how?
g
Gavin
11/30/2020, 4:26 PMIt uses gosal on a cron, there is sal v3 & v4 support depending on what version you run.
I don’t capture disk encryption however
j
jby
11/30/2020, 4:26 PMI do have my puppet clients managed by puppet, and I have an old foreman instance running (for reporting only, not as puppet server or enc), but there are lots of data that could be a lot easier to get to than from foreman
z
zwass
11/30/2020, 4:26 PM@jby have you tried following the instructions on https://github.com/fleetdm/osquery-in-a-box? Anything missing there to get you a test instance set up?
j
jby
11/30/2020, 4:28 PMNo, it seemed to work the last time I tried it - it’s been a while though, I think it was before the summer - this year has wreaked havoc on dates and times…
So, are you proposing I’m using the
osquery-in-a-boxz
zwass
11/30/2020, 4:29 PMNo, but it may inspire you on how you'd like to set up a production instance.
My recommendation would be to spend 5 mins setting up osquery-in-a-box so that you can try the functionality of Fleet and then spend an hour or two setting up a prod instance if it's meeting your needs.
j
jby
11/30/2020, 4:31 PMOk, I’ll try that then
@Gavin - I decided to give gosal a try, but it fails immediately:
./build/linux/gosal --config to.json
gosal did not complete: build report: reports: getting serial: DMI run: exit status 1make depsmake buildg
Gavin
12/01/2020, 9:36 AMRun as root
j
jby
12/01/2020, 9:36 AMAh, ok
g
Gavin
12/01/2020, 9:36 AMAlso you may be better on sal slack channel
j
jby
12/01/2020, 2:16 PMOk, @Noah Talerman & @zwass - I now have a working osquery-in-a-box running, after a bit of wrestling with SELinux in my RHEL server running docker…
What’s the recommended way to get my clients to populate it with data?
(just to be transparent here, I’ve done it before and I almost remember how I did it then - these questions are mostly to help you clarify the documentation)
👍 1
And after getting the launcher - how do I set all parameters for it easily, to make it deployable using Jamf or Munki for macOS and using puppet for Linux?
And - starting the launcher as a normal user gives the same restrictions as running osqueryi as a normal user, BUT starting as root gives the headache of
Will not autoload extension with unsafe directory permissions:Oh, and the launcher only exist in the Kolide repo - is that the one to use, or will you provide a fleetdm-launcher as well?
Or, is there another way to populate the fleetdm/fleet server with client data?
n
Noah Talerman
12/01/2020, 3:07 PMHi Jonas. All the questions you’re asking are awesome and will be very helpful for altering/making additions to the existing documentation. Right now I’ll answer the questions I can to the best of my ability.
I’m confident you’ve come across the Adding Hosts to Fleet documentation (https://github.com/fleetdm/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md). Here we outline two recommended ways to connect your clients to Fleet which include installing osquery binaries or the Kolide Launcher on your hosts. Fleet remains compatible with Launcher and we do not expect to drop compatibility.
In the documentation I link to above, the name “Kolide Fleet” is being used and this is inconsistent with other updated parts of the documentation (should be “Fleet”). I’m drafting a PR to change this. Thank you for calling my attention to possible confusion.
What’s the recommended way to get my clients to populate it with data?@jby I’m not sure how/if it’s possible to connect your clients to the local instance of Fleet you’ve started via osquery-in-a-box. I’m working on getting that answer for you now. In the meantime, have you tried to start the containerized osquery agents to test this functionality? Instructions are linked here: https://github.com/fleetdm/osquery-in-a-box#run-osquery
j
jby
12/01/2020, 3:36 PMSo, if it’s not possible - then I feel like I’m back at square 1, with nothing other than a server running a docker instance of something that I can’t use for anything… 😞
I’ve actually managed to get the Kolide launcher to send data to the osquery-in-a-box, but I seem unable to get osqueryd to do it - it refuses to start properly
Dec 01 16:54:14 LIN5W2V3Z2.trioptima.local osqueryd[111674]: osqueryd started [version=4.5.1]
Dec 01 16:54:17 LIN5W2V3Z2.trioptima.local systemd[1]: osqueryd.service: Main process exited, code=exited, status=78/CONFIG
Dec 01 16:54:17 LIN5W2V3Z2.trioptima.local systemd[1]: osqueryd.service: Failed with result 'exit-code'.
Dec 01 16:54:17 LIN5W2V3Z2.trioptima.local audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=osqueryd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'And the
/var/log/osquery/osqueryd.INFOI1201 16:50:57.000754 111287 events.cpp:867] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration
I1201 16:50:57.000955 111287 events.cpp:867] Event publisher not enabled: syslog: Publisher disabled via configuration
I1201 16:50:57.001091 111287 events.cpp:1126] Error registering subscriber: apparmor_events: Subscriber disabled via configuration
I1201 16:50:57.001191 111287 events.cpp:1126] Error registering subscriber: process_file_events: Subscriber disabled via configuration
I1201 16:50:57.001235 111287 events.cpp:1126] Error registering subscriber: selinux_events: Subscriber disabled via configuration
I1201 16:50:57.001278 111287 events.cpp:1126] Error registering subscriber: socket_events: Subscriber disabled via configuration
I1201 16:50:57.001502 111287 main.cpp:105] Not starting the distributed query service: Distributed query service not enabled.
I1201 16:50:57.001571 111295 events.cpp:786] Starting event publisher run loop: inotify
I1201 16:50:57.001605 111296 events.cpp:786] Starting event publisher run loop: udev
I1201 16:50:57.001598 111287 dispatcher.cpp:78] Adding new service: SchedulerRunner (0x55f0ab28c6b8) to thread: 140484973627136 (0x55f0ab268240) in process 111287E1201 17:12:14.111375 112857 shutdown.cpp:69] Cannot activate tlsOh, well - I have to give up today - I’ll continue tomorrow
z
zwass
12/01/2020, 4:13 PMHave you tried following the instructions in the "Add New Host" dialog? If your configs are all correct that should step you through an enroll with plain osquery.
To clarify that one, you'll need to generate a new SSL certificate that matches the hostname/IP hosts will be using to connect. Osquery is picky about certificates matching where launcher lets you get around that with
--insecurej
jby
12/01/2020, 4:23 PMI'll try tomorrow
It's 5.30 pm here now
🍻 2
@zwass, using the instructions from the “Add New Host”-dialog worked somewhat.
I downloaded everything from there and put that in my Linux client (in /etc/osquery), started osqueryd with the --flagfile option pointing to the downloaded flagfile, it read the flagfile, the secret and the tls_server_cert and created the host in my fleet-server.
I am however unable to get it to work using
systemctlNow my questions are more general, both osquery and fleet, so I’ll move them out to the channels…
https://osquery.slack.com/archives/C01DXJL16D8/p1606898653173100
https://osquery.slack.com/archives/C08V7KTJB/p1606899596154400
However, I DO have another question for you guys: How do I configure smtp without TLS?
No matter how I do with the mail-form - I DO uncheck the “Use SSL/TLS to connect” it compains about:
And another - can I install query packs into fleet somehow through the GUI?
n
Noah Talerman
12/02/2020, 3:38 PMHi Jonas I’m working on getting answers for your questions. By “install” do you mean inserting query packs to Fleet in bulk using the Fleet UI? Instead of manually creating each query and then adding these queries to their respective packs using the UI.
j
jby
12/02/2020, 3:40 PMI've found packs on github that I'm wondering if I can download and install using the fleet webgui
n
Noah Talerman
12/02/2020, 3:49 PMGot it! Thanks for explaining your use case. Working on answers for you.
j
jby
12/02/2020, 3:52 PMI'll look through the docs on github and add what I've found when you have something to edit
n
Noah Talerman
12/02/2020, 3:55 PMFeel free to submit a PR to the fleet documentation on github or DM me your suggested changes.
j
jby
12/02/2020, 4:33 PMI will
🙂 1
This is now my main outstanding problem:
https://osquery.slack.com/archives/C01DXJL16D8/p1606913930175900?thread_ts=1606316442.122300&cid=C01DXJL16D8
n
Noah Talerman
12/02/2020, 8:12 PMDo you mind sending steps to reproduce this error? Either here in the thread or in a DM to me.
j
jby
12/02/2020, 8:16 PMAdmin-> Setup email -> SMTP port 25 -> Uncheck SSL/TLS -> No user -> Save -> Error
Any news on this?
n
Noah Talerman
12/09/2020, 9:56 PMWhat are you trying to accomplish by setting up SMTP configuration? Are you trying to invite other users? Or use another feature that requires SMTP.
z
zwass
12/09/2020, 10:02 PMI'm going to dig into the code to take a look at what might be happening, but is it possible your SMTP server is trying to upgrade the connection to TLS?
j
jby
12/10/2020, 5:28 AMI'm unable to setup any other user than the primary admin user that I created during setup, since it refuses to take me to the user admin page since email is not setup.
I have tried both with and without TLS, but to no avail.
I'll check with my exchange-admin as well.
z
zwass
12/10/2020, 4:26 PM@jby you can get around that by
fleetctl user createj
jby
12/10/2020, 4:28 PMProbably, but I'm also playing 'stupid newbie' here to help you with the documentation as well...😜
👍 1
"Clueless" might be better than stupid...