  • Artem
    4 weeks ago
    Hi guys! Could you please give some advice on how to securely open fleet access for osquery from the internet?
    Some of our hosts are in network segments isolated from each other and have access only to the internet.
  • Benjamin Edwards
    4 weeks ago
    https://fleetdm.com/docs/deploying/faq#what-api-endpoints-should-i-expose-to-the-public-internet
    This is the only API absolutely required to be public for hosts that are running osquery and aren't on the same network as the fleet servers.
  • Artem
    4 weeks ago
    Thank you!
  • Jason
    4 weeks ago
    We expose our fleet server to the internet behind a WAF and restrict the admin interface to known IPs. Also, we are able to block potential abuse, bots, etc. this way.
  • Artem
    4 weeks ago
    Hi @Jason! Thank you too! We’ll try to create an ACL for such hosts!
  • Andreas Piening
    4 weeks ago
    Just for my understanding: the clients (osquery nodes) need access to the fleet server at /api/osquery, but not the other way around, right? So it would be fine to have a local system behind NAT which is not directly exposed or reachable from the public network, as long as the node can access the fleet server via HTTPS?
  • Jason
    4 weeks ago
    Correct
    Double check with the fleet folks. Some of the endpoints have changed recently.