Mystery Incorporated
08/09/2021, 2:31 PM
Zachary Dawe
08/09/2021, 3:49 PM
Yash Boura
08/09/2021, 6:02 PM
Zachary Dawe
08/09/2021, 8:14 PM
Kun Nan
08/10/2021, 2:05 AM
for {
    // Loop reading messages from conn.Receive() (via
    // msgChannel) until the context is cancelled.
    select {
    case msg, ok := <-msgChannel:
        if !ok {
            // msgChannel was closed by the receiving goroutine; stop.
            return
        }
        switch msg := msg.(type) {
        case redis.Message:
            var res fleet.DistributedQueryResult
            err := json.Unmarshal(msg.Data, &res)
            if err != nil {
                outChannel <- err
                // Do not also send the zero-value result after a decode error.
                continue
            }
            outChannel <- res
        case error:
            outChannel <- errors.Wrap(msg, "reading from redis")
        }
    case <-ctx.Done():
        // Never selected when ctx is an empty context: ctx.Done() returns nil.
        conn.Unsubscribe()
    }
}
The ctx here is an empty context, so ctx.Done() only returns nil.
Will this select case never be executed?
If so, what's the purpose here?
Ivan
08/10/2021, 9:37 AM
m s
08/10/2021, 11:11 AM
Yash Boura
08/10/2021, 5:13 PM
Yash Boura
08/10/2021, 6:37 PM
Mystery Incorporated
08/11/2021, 8:48 AM
SELECT * FROM startup_items;
seems to get the split of executable path/args wrong; see, it has split at the first space in "Program Files" and is listing the path and binary in arguments, which is incorrect.
cyberkryption
08/11/2021, 10:53 AM
abraham linkolan
08/11/2021, 1:02 PM
Esteban
08/12/2021, 12:02 PM
Esteban
08/12/2021, 1:40 PM
sql: Scan error on column index 5, name "vulnerabilities": json: cannot unmarshal object into Go value of type fleet.VulnerabilitiesSlice
benbass
08/12/2021, 2:43 PM
pvirani
08/12/2021, 8:38 PM
Madhur Jodhwani
08/13/2021, 7:19 AM
osqueryd
name in CMD and also in the process log, like I want to launch it as madhurs_daemon --flagfile=flagfile.txt
instead of osqueryd --flagfile=flagfile.txt
and it should be seen as madhurs_daemon
in the process log as well as in the console application. Any idea or any stuff I need to check out?
Mystery Incorporated
08/13/2021, 11:10 AM
Esteban
08/13/2021, 3:15 PM
Zach Zeid
08/13/2021, 3:47 PM
Zander Mackie
08/13/2021, 4:03 PM
osquery.conf
that all agents will receive when they phone home?
Zach Zeid
08/13/2021, 4:07 PM
fleetctl config set --context default
NAME:
fleetctl config set - Set config options
USAGE:
fleetctl config set [options]
OPTIONS:
--config value Path to the fleetctl config file (default: "/Users/zzeid/.fleet/config") [$CONFIG]
--context value Name of fleetctl config context to use (default: "default") [$CONTEXT]
--address value Address of the Fleet server [$ADDRESS]
--email value Email to use when connecting to the Fleet server [$EMAIL]
--token value Fleet API token [$TOKEN]
--tls-skip-verify Skip TLS certificate validation (default: false) [$INSECURE]
--rootca value Specify RootCA chain used to communicate with fleet [$ROOTCA]
--url-prefix value Specify URL Prefix to use with Fleet server (copy from server configuration) [$URL_PREFIX]
--help, -h show help (default: false)
Jason
08/13/2021, 4:08 PM
Zach Zeid
08/13/2021, 4:39 PM
Zach Zeid
08/13/2021, 5:03 PM
fleetctl
to get packages/users for a host?
edit: I can with packages and associated CPEs by specifying a single host
Chad
08/14/2021, 10:13 AM
.\orbit.exe --fleet-url=<https://host.domain.com:443> --enroll-secret=[Redacted Secret]
I get the following errors, which make me think orbit/osquery doesn't support trusted CAs on Windows:
Failed to retrieve system cert pool. Cannot validate Fleet server connection. error="crypto/x509: system root pool is not available on Windows"
...
...
Cannot read TLS server certificate(s): \Program Files\osquery\certs\certs.pem
My understanding is that if I am using a cert signed by a trusted authority then osquery/orbit shouldn't even be looking for certs locally?
Mystery Incorporated
08/15/2021, 1:13 AM
Mystery Incorporated
08/15/2021, 1:43 AM
{
  "hostIdentifier": "8bca743b-7701-4c3a-ae18-7cbf883ee711",
  "calendarTime": "Sun Aug 15 01:41:44 2021 UTC",
  "unixTime": "1628991704",
  "severity": "0",
  "filename": "process_ops.cpp",
  "line": "164",
  "message": "Failed to lookup account name XXXXX with 1332",
  "version": "4.9.0",
  "decorations": {
    "company": "YYYY",
    "host_hostname": "ZZZZZ",
    "username": "XXXXX"
  }
}
Manu Odago
08/16/2021, 6:22 AM
error setting up Fleet: POST /api/v1/setup: Post "https://<address>/api/v1/setup": dial tcp <address>:443: connect: connection refused
Steven
08/16/2021, 3:22 PM