Adding agents to Security Onion Kolide Fleet with duplicate UUIDs #9109
Replies: 12 comments 6 replies
-
Can you give some more context around how you have the env setup? It sounds like you have osquery pre-installed on an EC2 instance and are cloning it? What are you trying to change it to?
-
Sir,
I do have launcher installed on a template that has been cloned so all UUIDs are the same. I'm in an AWS environment. I also have issues with identical host names. Only one will report at a time. If I could change the host_identifier to instance then I think all will work well. Editing the flagfile or launcher executable doesn't seem to help.
-
Are you using the Security Onion AMI for your Grid?
-
Just some more notes. I read that the --host_identifier=uuid is easily overwritten using a flag file. Doesn't seem to be true. In the SO implementation the launcher.flags is recognized, any edit to it can stop launcher from starting. Adding host_identifier=instance, --host_identifier=instance or host identifier instance does not work.
--host_identifier=uuid.localhost.localdomain is the setting in /usr/local/so-launcher/bin/launcher but if you change that value the program will not start.
I've explored pulling this function out from security onion and stood up a stand alone Fleet server. Installing the client on a server I'm getting the same damn thing (but with Orbit).
There has to be an easy button for this, but I can't find it anywhere.
-
I saw this over the weekend. Does this mean that if you clone an image after the Fleet/Osquery DB has first been initialized, "instance" wouldn't work even if you were able to change the value and have it enforced?
On Wed, Nov 23, 2022 at 3:31 PM Thomas Wilburn wrote:
> I am.
-
Have you tried changing the config using the FleetDM interface, found at: Settings --> Organization Settings --> Global agent options
-
I have added host_identifier: instance to the YAML, saved and restarted Fleet. To test, I went to the current AMI that is populated in the host page, refreshed, and every time the refresh completes a different AMI pops up that shares the same UUID. Guess it didn't work.
I'm wondering how I can make the installer package set the host_identifier value to instance. Currently in launcher (or Osqueryd, not sure, but one of them) the value is set to uuid.localhost.localdomain. I have changed that value to instance, no joy. Same for changing it to instance.localhost.localdomain. The program will not load when I change these values.
-
so-restart fleet, and yes, it was there after I did so, but now I'm wondering if I need to regenerate new install packages after doing so. I looked later at one of my servers after doing so and still get the below.
/usr/local/so-launcher/bin/launcher -config /etc/so-launcher/launcher.flags
root 370590 370519 0 13:49 ? 00:00:03
/usr/local/so-launcher/bin/osqueryd-updates/1663345519/osqueryd
--logger_plugin=kolide_grpc --distributed_plugin=kolide_grpc
--disable_distributed=false --distributed_interval=5 --pack_delimiter=:
--host_identifier=uuid --force=true --disable_watchdog --utc
--config_refresh=300 --config_accelerated_refresh=30
--augeas_lenses=/var/so-launcher/securityonion/augeas-lenses
--pidfile=/var/so-launcher/securityonion/osquery.pid
--database_path=/var/so-launcher/securityonion/osquery.db
--extensions_socket=/var/so-launcher/securityonion/osquery.sock
--extensions_autoload=/var/so-launcher/securityonion/osquery.autoload
--disable_extensions=false
--extensions_timeout=20
--config_plugin=kolide_grpc
--extensions_require=kolide_grpc
Current Global config options:
config:
  options:
    enable_syslog: true
    logger_plugin: tls
    config_refresh: 10
    pack_delimiter: _
    host_identifier: instance
    logger_tls_period: 10
    distributed_plugin: tls
    disable_distributed: false
    logger_tls_endpoint: /api/v1/osquery/log
    distributed_interval: 10
    decorations_top_level: true
    distributed_tls_max_attempts: 3
    distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
    distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
    enable_windows_events_publisher: true
    enable_windows_events_subscriber: true
  osquery:
    host_identifier: instance
  decorators:
    load: SELECT instance_id AS host_instance_id FROM osquery_info;
On Wed, Nov 30, 2022 at 2:22 PM Josh Brower wrote:
> How did you restart fleet? Did you confirm that the config was still there after restarting Fleet?
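An added example (not code from this thread, Security Onion or Fleet) that makes the collision in the post above concrete: it parses the flags an osqueryd process was started with and groups constructed check-ins from cloned hosts by each candidate host_identifier, showing why clones collapse into one Fleet host under uuid or hostname, and also under instance when the osquery database was cloned after it was initialized. The command line, UUID, instance ids and EC2 ids are constructed.

```python
from collections import defaultdict

# Constructed: an osqueryd command line like the one in the process listing
# above, with --host_identifier=uuid baked in by the launcher.
OSQUERYD_CMDLINE = (
    "/usr/local/so-launcher/bin/osqueryd --logger_plugin=kolide_grpc "
    "--distributed_plugin=kolide_grpc --host_identifier=uuid --force=true "
    "--disable_watchdog --utc --config_refresh=300"
)

# Constructed check-ins from three EC2 hosts cloned from one template: same
# hardware UUID and hostname, distinct EC2 instance ids. The first two were
# cloned after osquery's database (which persists instance_id) was created.
TEMPLATE_UUID = "11111111-aaaa-bbbb-cccc-222222222222"
CHECKINS = [
    {"uuid": TEMPLATE_UUID, "hostname": "template", "instance": "db-1", "ec2": "i-0a1"},
    {"uuid": TEMPLATE_UUID, "hostname": "template", "instance": "db-1", "ec2": "i-0a2"},
    {"uuid": TEMPLATE_UUID, "hostname": "template", "instance": "db-2", "ec2": "i-0a3"},
]


def parse_flags(cmdline: str) -> dict:
    """Return the --key=value / --key flags from an osqueryd command line."""
    flags = {}
    for tok in cmdline.split()[1:]:
        if tok.startswith("--"):
            key, _, value = tok[2:].partition("=")
            flags[key] = value or "true"  # bare boolean flags count as true
    return flags


def host_records(checkins, identifier):
    """Group check-ins by the value Fleet would key the host record on."""
    records = defaultdict(list)
    for c in checkins:
        records[c[identifier]].append(c["ec2"])
    return dict(records)


def collisions(checkins, identifier):
    """Identifier values that more than one distinct machine reports."""
    return {k: v for k, v in host_records(checkins, identifier).items() if len(v) > 1}


if __name__ == "__main__":
    print("agent started with host_identifier =", parse_flags(OSQUERYD_CMDLINE)["host_identifier"])
    for ident in ("uuid", "hostname", "instance"):
        print(f"{ident:9s} collisions: {collisions(CHECKINS, ident)}")
```

Hosts that share a key are the ones that take turns appearing as a single host record in the Fleet host page.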
-
I have created an issue to track fixing this: #9258
-
Thanks!
-
Is there an ETA for Security Onion 2.4.X? Thanks.
-
Thanks. Do we know what increment? Depending, I may have to stand up a stand-alone and swing off the SO Fleet. Thanks.
On Thu, Dec 15, 2022 at 10:50 AM Josh Brower wrote:
> That issue was mistagged, it has been retagged for 2.3
-
It appears that the execution code for agents made in Security Onion, at least for RHEL agents, is hard-coded with host_identifier=uuid. Trying to get the launcher.flags to overwrite this does not seem to work (--host_identifier=instance or --host_identifier=hostname). Even overwriting the value in launcher does not seem to work. Using the Osquery option does appear to give the option to edit this value, but I keep getting certificate errors, even when the hashes for the fleet.pem's on both sides are identical. This makes it appear that any cloned instance in an AWS cloud (and probably others) will not work. Is there a way to make this work that I can't find? Thanks.