Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Windows Osquery Enrollment #87

Open
zacharysfisher opened this issue Aug 7, 2019 · 9 comments
Open

Windows Osquery Enrollment #87

zacharysfisher opened this issue Aug 7, 2019 · 9 comments

Comments

@zacharysfisher
Copy link

zacharysfisher commented Aug 7, 2019
edited
Loading

Attempting to enroll windows devices in Zentral. I used the Linux script as a basis. I create the tls.server.crt file based on this file and I also built a txt file with the enrollment secret in it. I then created the following osquery.flags file:

--tls_hostname=zentral-server.DOMAIN.com

--tls_server_certs=C:\ProgramData\osquery\tls_server_certs.crt

--enroll_secret_path=C:\ProgramData\osquery\enroll_secret.key
--enroll_tls_endpoint=/osquery/enroll
--host_identifier=hostname
--config_plugin=tls

--config_tls_endpoint=/osquery/config

--config_tls_refresh=120

--config_tls_max_attempts=3

--config_accelerated_refresh=60

--enroll_tls_endpoint=/enroll

--disable_distributed=false

--distributed_plugin=tls

--distributed_interval=60

--distributed_tls_max_attempts=3

--distributed_tls_read_endpoint=/osquery/distributed/read

--distributed_tls_write_endpoint=/osquery/distributed/write

--logger_plugin=tls

--logger_tls_endpoint=/osquery/log

--logger_tls_period=60

--disable_audit=false

--audit_allow_config=true

--audit_persist=true

--disable_carver=true

--config_refresh=60

--buffered_log_max=500000

I then ran this to test enrollment: C:\ProgramData\osquery\osqueryd\osqueryd.exe --flagfile C:\ProgramData\osquery\osquery.flags --verbose and i get following:
TLSEnrollPlugin requesting a node enroll key from: https://zentral-server.DOMAIN.com/enroll I0807 16:55:25.554425 6512 tls.cpp:240] TLS/HTTPS POST request to URI: https://zentral-server.DOMAIN.com/enroll W0807 16:55:26.101603 6512 tls_enroll.cpp:67] Failed enrollment request to https://zentral-server.DOMAIN.com/enroll (Cannot parse JSON: Invalid value. Offset: 0) retrying... I0807 16:55:28.179082 6512 tls.cpp:240] TLS/HTTPS POST request to URI: https://zentral-server.DOMAIN.com/enroll W0807 16:55:28.194224 6512 tls_enroll.cpp:67] Failed enrollment request to https://zentral-server.DOMAIN.com/enroll (Cannot parse JSON: Invalid value. Offset: 0) retrying...

Not sure if I am missing something or if this is something on the server i need to edit?
@np5
Copy link
Member

np5 commented Aug 8, 2019

It is probably an error on the server, in the zentral app, that is returned to the osquery client. The osquery client is expecting JSON, and cannot enroll. Look in the server logs, you will find the error.

On a Zentral all in one instance:

journalctl -u zentral_web_app.service

On a docker deployment:

docker-compose logs web

@zacharysfisher
Copy link
Author

I see the following:

Aug 08 15:10:11 zentral-server.DOMAIN.com gunicorn[1383]: 2019-08-08 19:10:11,064 PID1742 log WARNING Bad Request: /
Aug 08 15:10:12 zentral-server.DOMAIN.com gunicorn[1383]: 2019-08-08 19:10:12,013 PID1726 log WARNING Not Found: /enroll
Aug 08 15:10:12 zentral-server.DOMAIN.com gunicorn[1383]: 2019-08-08 19:10:12,108 PID1726 api ERROR APIAuthError Wrong node_key
Aug 08 15:10:12 zentral-server.DOMAIN.com gunicorn[1383]: 2019-08-08 19:10:12,108 PID1726 api_views ERROR APIAuthError Wrong node_key
Aug 08 15:10:12 zentral-server.DOMAIN.com gunicorn[1383]: 2019-08-08 19:10:12,109 PID1726 log WARNING Forbidden: /osquery/config
Aug 08 15:10:14 zentral-server.DOMAIN.com gunicorn[1383]: 2019-08-08 19:10:14,222 PID1703 log WARNING Not Found: /enroll
Aug 08 15:10:16 zentral-server.DOMAIN.com gunicorn[1383]: 2019-08-08 19:10:16,330 PID1726 log WARNING Not Found: /enroll```

@np5
Copy link
Member

np5 commented Aug 9, 2019

It seems the endpoint for the enrollment is the wrong one:

Aug 08 15:10:12 zentral-server.DOMAIN.com gunicorn[1383]: 2019-08-08 19:10:12,013 PID1726 log WARNING Not Found: /enroll

You should be able to fix it with this flag:

--enroll_tls_endpoint=/osquery/enroll

@zacharysfisher
Copy link
Author

zacharysfisher commented Aug 12, 2019
edited
Loading

I have that flag in my flag file. --enroll_tls_endpoint=/osquery/enroll

@zacharysfisher
Copy link
Author

It is odd in my flag file I have above enroll endpoint however in my verbose logging on the windows machine it says its request a node url enroll key from my-zentral-url.com/enroll instead of /osquery/enroll?

@zacharysfisher
Copy link
Author

Doh, figured it out. Had 2 enroll tls endpoint flags .

@zacharysfisher
Copy link
Author

Will try to get osqueryd to enroll, however having trouble running queries on it if I dont invoke osqueryd manually.

@headmin
Copy link
Collaborator

headmin commented Sep 22, 2019

please see the build in windows enrollment (powershell script) in latest code update.

@maikroservice
Copy link

I am currently in the process of trying to enroll a Windows 11 (arm64) and while osquery is running and the zentral ps1 script is finishing, the machine does not show up in the zentral UI

I added the hostname to the respective etc/hosts and can validate that the resolution works by opening the login page in the browser on the machine

any pointers how to debug this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@headmin @np5 @zacharysfisher @maikroservice