Zach Zeid
08/20/2020, 6:52 PMsundsta
08/20/2020, 8:08 PM--config_tls_endpoint
set?Zach Zeid
08/20/2020, 8:56 PM"config_tls_endpoint": "/api/v1/osquery/config",
zwass
08/20/2020, 8:58 PMconfig_plugin=tls
Zach Zeid
08/20/2020, 8:58 PM"config_plugin": "tls",
{
"options": {
"config_refresh": "600",
"logger_plugin": "tls",
"enroll_secret_path": "foobar",
"tls_server_certs": "/foobaz",
"tls_hostname": "dev.fleet.example.org",
"enroll_tls_endpoint": "/api/v1/osquery/enroll",
"config_plugin": "tls",
"config_tls_endpoint": "/api/v1/osquery/config",
"config_refresh": "10",
"disable_distributed": "false",
"distributed_plugin": "tls",
"distributed_interval": "10",
"distributed_tls_max_attempts": "3",
"distributed_tls_read_endpoint": "/api/v1/osquery/distributed/read",
"distributed_tls_write_endpoint": "/api/v1/osquery/distributed/write",
"logger_tls_endpoint": "/api/v1/osquery/log",
"logger_tls_period": "10",
"schedule_splay_percent": "10",
"pidfile": "/var/run/osquery.pidfile",
"events_expiry": "3600",
"database_path": "/var/osquery/osquery.db",
"disable_tables": "",
"read_max": "100000",
"events_max": "100000",
"host_identifier": "uuid",
"logger_min_status": 0,
"disable_logging": false,
"utc": "true"
},
zwass
08/20/2020, 9:19 PMZach Zeid
08/20/2020, 9:22 PMKOLIDE_SERVER_TLS=false
which may have something to do with the issue.zwass
08/20/2020, 9:41 PM--verbose --tls_dump
to the osquery flags so you can see (1) whether osquery is requesting config from Fleet and (2) what Fleet is returningZach Zeid
08/20/2020, 9:49 PMKOLIDE_SERVER_TLS=true
I get
"terminated": "tls: failed to find any PEM data in key input",
even though I'm passing server_key
and server_cert
as envvarszwass
08/20/2020, 10:36 PMZach Zeid
08/20/2020, 10:40 PMI0820 18:40:36.960268 28460 glog_logger.cpp:44] Could not get RPM header flag.
over and over again.zwass
08/20/2020, 10:44 PMZach Zeid
08/20/2020, 10:47 PM--verbose
and --tls_dump
set in osquery.flags
but it wasn't actually doing anything. running osqueryd
with those flags shows something.
I0820 18:46:38.206319 28547 tls.cpp:253] TLS/HTTPS POST request to URI: https://fleet.boop.org/api/v1/osquery/distributed/read
{"node_key":"foobar"}
{
"queries": {}
}
"queries":
is {}
is the opposite, meaning that it's getting a config from Fleet that's empty?zwass
08/20/2020, 10:54 PMapi/v1/osquery/config
Zach Zeid
08/20/2020, 10:57 PM"options": {
"config_refresh": "600",
"logger_plugin": "tls",
"tls_server_certs": "/etc/osquery/certs/somecert.crt",
"tls_client_key": "/etc/osquery/certs/somekey.key",
"tls_hostname": "fleet.beep.boop.org",
"enroll_tls_endpoint": "/api/v1/osquery/enroll",
"config_plugin": "tls",
"config_tls_endpoint": "/api/v1/osquery/config",
"config_refresh": "10",
"disable_distributed": "false",
"distributed_plugin": "tls",
"distributed_interval": "10",
"distributed_tls_max_attempts": "3",
"distributed_tls_read_endpoint": "/api/v1/osquery/distributed/read",
"distributed_tls_write_endpoint": "/api/v1/osquery/distributed/write",
"logger_tls_endpoint": "/api/v1/osquery/log",
"logger_tls_period": "10",
"schedule_splay_percent": "10",
"pidfile": "/var/run/osquery.pidfile",
"events_expiry": "3600",
"database_path": "/var/osquery/osquery.db",
"disable_tables": "",
"read_max": "100000",
"events_max": "100000",
"host_identifier": "uuid",
"logger_min_status": 0,
"disable_logging": false,
"utc": "true"
},
zwass
08/20/2020, 11:01 PMZach Zeid
08/20/2020, 11:04 PMcat /etc/osquery/osquery.flags
Ansible managed
--config_plugin=filesystem, tls
--config_path=/etc/osquery/osquery.conf
--config_refresh=600
--watchdog_level=1
--tls_dump
--verbose
--extensions_socket=/var/osquery/osquery.em
--pidfile=/var/run/osquery.pidfile
zwass
08/20/2020, 11:10 PMZach Zeid
08/20/2020, 11:21 PMzwass
08/20/2020, 11:27 PMZach Zeid
08/21/2020, 12:02 PM