From 083d467aa9f845b8cd016a00ee249264936ec7cc Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Mon, 8 Nov 2021 15:05:58 -0500
Subject: [PATCH 1/5] Update to FleetDM 4.5

---
 salt/fleet/files/packs/osquery-config.conf | 61 ++++++++++++----------
 salt/fleet/init.sls | 28 +++++-----
 2 files changed, 46 insertions(+), 43 deletions(-)

diff --git a/salt/fleet/files/packs/osquery-config.conf b/salt/fleet/files/packs/osquery-config.conf
index 4ce82cb8d..04c286675 100644
--- a/salt/fleet/files/packs/osquery-config.conf
+++ b/salt/fleet/files/packs/osquery-config.conf
@@ -1,31 +1,34 @@
+---
 apiVersion: v1
-kind: options
+kind: config
 spec:
- config:
- decorators:
- always:
- - SELECT codename FROM os_version;
- - SELECT uuid AS live_query FROM system_info;
- - SELECT address AS endpoint_ip1 FROM interface_addresses where address not
- like '%:%' and address not like '127%' and address not like '169%' order by
- interface desc limit 1;
- - SELECT address AS endpoint_ip2 FROM interface_addresses where address not
- like '%:%' and address not like '127%' and address not like '169%' order by
- interface asc limit 1;
- - SELECT hardware_serial FROM system_info;
- - SELECT hostname AS hostname FROM system_info;
- options:
- decorations_top_level: true
- disable_distributed: false
- distributed_interval: 10
- distributed_plugin: tls
- distributed_tls_max_attempts: 3
- distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
- distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
- enable_windows_events_publisher: true
- enable_windows_events_subscriber: true
- logger_plugin: tls
- logger_tls_endpoint: /api/v1/osquery/log
- logger_tls_period: 10
- pack_delimiter: _
- overrides: {}
+ server_settings:
+ enable_analytics: true
+config:
+ decorators:
+ always:
+ - SELECT codename FROM os_version;
+ - SELECT uuid AS live_query FROM system_info;
+ - SELECT address AS endpoint_ip1 FROM interface_addresses where address not
+ like '%:%' and address not like '127%' and address not like '169%' order by
+ interface desc limit 1;
+ - SELECT address AS endpoint_ip2 FROM interface_addresses where address not
+ like '%:%' and address not like '127%' and address not like '169%' order by
+ interface asc limit 1;
+ - SELECT hardware_serial FROM system_info;
+ - SELECT hostname AS hostname FROM system_info;
+ options:
+ decorations_top_level: true
+ disable_distributed: false
+ distributed_interval: 10
+ distributed_plugin: tls
+ distributed_tls_max_attempts: 3
+ distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
+ distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
+ enable_windows_events_publisher: true
+ enable_windows_events_subscriber: true
+ logger_plugin: tls
+ logger_tls_endpoint: /api/v1/osquery/log
+ logger_tls_period: 10
+ pack_delimiter: _
+overrides: {}
diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls
index 1bb4e73d6..b3b72b96b 100644
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -114,20 +114,20 @@ so-fleet:
 - port_bindings:
 - 0.0.0.0:8080:8080
 - environment:
- - KOLIDE_MYSQL_ADDRESS={{ MAINIP }}:3306
- - KOLIDE_REDIS_ADDRESS={{ MAINIP }}:6379
- - KOLIDE_MYSQL_DATABASE=fleet
- - KOLIDE_MYSQL_USERNAME=fleetdbuser
- - KOLIDE_MYSQL_PASSWORD={{ FLEETPASS }}
- - KOLIDE_SERVER_CERT=/ssl/server.cert
- - KOLIDE_SERVER_KEY=/ssl/server.key
- - KOLIDE_LOGGING_JSON=true
- - KOLIDE_AUTH_JWT_KEY= {{ FLEETJWT }}
- - KOLIDE_OSQUERY_STATUS_LOG_FILE=/var/log/fleet/status.log
- - KOLIDE_OSQUERY_RESULT_LOG_FILE=/var/log/osquery/result.log
- - KOLIDE_SERVER_URL_PREFIX=/fleet
- - KOLIDE_FILESYSTEM_ENABLE_LOG_ROTATION=true
- - KOLIDE_FILESYSTEM_ENABLE_LOG_COMPRESSION=true
+ - FLEET_MYSQL_ADDRESS={{ MAINIP }}:3306
+ - FLEET_REDIS_ADDRESS={{ MAINIP }}:6379
+ - FLEET_MYSQL_DATABASE=fleet
+ - FLEET_MYSQL_USERNAME=fleetdbuser
+ - FLEET_MYSQL_PASSWORD={{ FLEETPASS }}
+ - FLEET_SERVER_CERT=/ssl/server.cert
+ - FLEET_SERVER_KEY=/ssl/server.key
+ - FLEET_LOGGING_JSON=true
+ - FLEET_AUTH_JWT_KEY= {{ FLEETJWT }}
+ - FLEET_OSQUERY_STATUS_LOG_FILE=/var/log/fleet/status.log
+ - FLEET_OSQUERY_RESULT_LOG_FILE=/var/log/osquery/result.log
+ - FLEET_SERVER_URL_PREFIX=/fleet
+ - FLEET_FILESYSTEM_ENABLE_LOG_ROTATION=true
+ - FLEET_FILESYSTEM_ENABLE_LOG_COMPRESSION=true
 - binds:
 - /etc/pki/fleet.key:/ssl/server.key:ro
 - /etc/pki/fleet.crt:/ssl/server.cert:ro

From f6e6b2039247a6a247616edcd7ba194ca460b41b Mon Sep 17 00:00:00 2001
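Review bot: On the new side `config:` and `overrides: {}` are written at column 0 (`+config:`, `+overrides: {}`), making them siblings of `spec:` rather than children of it, whereas the old `kind: options` document nested `config:` under `spec:`. If Fleet 4.5's `kind: config` document reads agent options from `spec.agent_options` — the documented layout is `spec: agent_options: config: … overrides: {}` — `fleetctl apply` will accept this file but silently drop the decorators (`endpoint_ip1`, `hostname`, `live_query`) and the `logger_tls_*`/`distributed_tls_*` options that the rest of the stack relies on. After applying, confirm with `fleetctl get config` that `agent_options.config.decorators.always` is populated; if it is not, move the two blocks under `spec:` as shown below. `enable_analytics: true` is flipped by a later patch in this series, so I am not raising it here.
```yaml
spec:
  server_settings:
    enable_analytics: true
  agent_options:
    config:
      # … unchanged: decorators and options blocks …
    overrides: {}
```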
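Review bot: `- FLEET_AUTH_JWT_KEY= {{ FLEETJWT }}` keeps the stray space between `=` and the value, so the string the container receives begins with a space; the rename carried it over from the `KOLIDE_` line and it should read `- FLEET_AUTH_JWT_KEY={{ FLEETJWT }}`. Fleet 4.x moved session auth away from JWT, and I believe `auth.jwt_key` is ignored from 4.0 on, so check the 4.5 config reference and drop the line if it is no longer honored rather than carrying a dead secret. While these lines are being rewritten, note that `FLEET_MYSQL_PASSWORD` and the JWT key stay readable to anyone who can run `docker inspect so-fleet`; Fleet can read the same settings from a YAML config file, which could be bind-mounted read-only alongside the existing `/ssl` binds if that exposure matters for this deployment.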
From: Josh Brower
Date: Tue, 9 Nov 2021 09:20:47 -0500
Subject: [PATCH 2/5] Add Name and OrgName to Fleet setup

---
 salt/common/tools/sbin/so-fleet-setup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/common/tools/sbin/so-fleet-setup b/salt/common/tools/sbin/so-fleet-setup
index a3aa013a2..6570862c7 100755
--- a/salt/common/tools/sbin/so-fleet-setup
+++ b/salt/common/tools/sbin/so-fleet-setup
@@ -17,7 +17,7 @@ fi
 docker exec so-fleet fleetctl config set --address https://127.0.0.1:8080 --tls-skip-verify --url-prefix /fleet
 docker exec so-fleet bash -c 'while [[ "$(curl -s -o /dev/null --insecure -w ''%{http_code}'' https://127.0.0.1:8080/fleet)" != "301" ]]; do sleep 5; done'
-docker exec so-fleet fleetctl setup --email $1 --password $2
+docker exec so-fleet fleetctl setup --email $1 --password $2 --name admin --org-name SO
 docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
 docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml

From 435f430747f1898211700879ff41156f3cc22e4d Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 10 Nov 2021 10:24:53 -0500
Subject: [PATCH 3/5] Fix enroll secret parsing

---
 salt/fleet/event_update-enroll-secret.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/fleet/event_update-enroll-secret.sls b/salt/fleet/event_update-enroll-secret.sls
index 609020247..65102d82d 100644
--- a/salt/fleet/event_update-enroll-secret.sls
+++ b/salt/fleet/event_update-enroll-secret.sls
@@ -1,4 +1,4 @@
-{% set ENROLLSECRET = salt['cmd.run']('docker exec so-fleet fleetctl get enroll-secret default') %}
+{% set ENROLLSECRET = salt['shell.run']('docker exec so-fleet fleetctl get enroll-secret --json | jq -r ".spec.secrets[].secret"') %}
 so/fleet:
 event.send:

From 67ebfeab16080c1781fabd0a3b2fe60dc5d1976b Mon Sep 17 00:00:00 2001
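Review bot: `--email $1 --password $2` stays unquoted on the rewritten line, so a password containing whitespace or glob characters is word-split or expanded by the host shell before `docker exec` ever runs, and `fleetctl setup` then sees the wrong arguments; quote them as `--email "$1" --password "$2"`. The password is also handed over as a plain argv entry, so it is visible in the host's process list (and the container's) for as long as `fleetctl setup` runs — that predates this patch, but since the line is being touched a `# NOTE: password is visible in ps for the duration of setup` comment would at least make it explicit. `--name admin --org-name SO` hard-codes both values; a one-line comment saying they are placeholders the admin can change afterwards in the Fleet UI would help the next reader.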
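Review bot: `jq -r ".spec.secrets[].secret"` emits one line per enroll secret, and Fleet 4 allows more than one, so as soon as a second secret exists (for example an old one kept during rotation) ENROLLSECRET silently becomes a newline-joined list and whatever consumes it will enrol agents with a garbage secret; select one explicitly with `jq -r ".spec.secrets[0].secret"` or `jq -r "first(.spec.secrets[].secret)"`. The `event.send` state that this value feeds begins inside the hunk but its body continues past it, so I cannot see how the secret is used downstream.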
From: Josh Brower
Date: Wed, 10 Nov 2021 10:49:56 -0500
Subject: [PATCH 4/5] Disable FleetDM usage stats

---
 salt/fleet/files/packs/osquery-config.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/fleet/files/packs/osquery-config.conf b/salt/fleet/files/packs/osquery-config.conf
index 04c286675..99cbe2197 100644
--- a/salt/fleet/files/packs/osquery-config.conf
+++ b/salt/fleet/files/packs/osquery-config.conf
@@ -3,7 +3,7 @@ apiVersion: v1
 kind: config
 spec:
 server_settings:
- enable_analytics: true
+ enable_analytics: false
 config:
 decorators:
 always:

From d3dc5ffc5aa91088f7c75c435691bf6c605b187b Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 10 Nov 2021 11:28:48 -0500
Subject: [PATCH 5/5] Fix salt syntax

---
 salt/fleet/event_update-enroll-secret.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/fleet/event_update-enroll-secret.sls b/salt/fleet/event_update-enroll-secret.sls
index 65102d82d..475c3e968 100644
--- a/salt/fleet/event_update-enroll-secret.sls
+++ b/salt/fleet/event_update-enroll-secret.sls
@@ -1,4 +1,4 @@
-{% set ENROLLSECRET = salt['shell.run']('docker exec so-fleet fleetctl get enroll-secret --json | jq -r ".spec.secrets[].secret"') %}
+{% set ENROLLSECRET = salt['cmd.shell']('docker exec so-fleet fleetctl get enroll-secret --json | jq -r ".spec.secrets[].secret"') %}
 so/fleet:
 event.send:
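Review bot: `cmd.shell` hands back the pipeline's stdout regardless of exit status, so if `so-fleet` is not up yet, `fleetctl` exits non-zero, or jq finds no `.spec.secrets`, ENROLLSECRET is the empty string and the `so/fleet` `event.send` state still fires carrying it. Guard the state with `{% if ENROLLSECRET %}` before `so/fleet:` and `{% endif %}` after the state, or switch to `salt['cmd.run_all'](..., python_shell=True)` and check `retcode` before using `stdout`. The `event.send` body continues past the end of the hunk, so I cannot confirm what an empty value does to the receiving side.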