Skip to content

Latest commit

 

History

History
74 lines (54 loc) · 2.52 KB

README.md

File metadata and controls

74 lines (54 loc) · 2.52 KB
Raw

Fleet Docker Deployment for Defcon30 Workshop

A quick and easy method for creating a production ready FleetDM environment using only Docker Compose.

Prerequisites

Services

  • Fleet
  • MySQL - Database for Fleet
  • Redis - Caching server for Fleet
  • traefik - Proxy server and TLS endpoint
  • filebeat - Log shipper

Additional tools

  • traefik.me - Handles DNS resolution and SSL Certificates
  • Graylog - Logging destination for filebeat

Configuration Files

All services configured using the default.env or service.yml file located in the service folder.

Data persistence

All data is stored on the host machine in the folder for the service it is associate with. Data will persist after restart as long as the local folder is not deleted. Can be changed in docker-compose.yml by removing volume links.

Running Fleet

  • Start docker

  • Clone this repository

  • cd in to fleet-docker

  • switch to defcon branch

  • run "docker compose up"

  • Fleet is now accessible at fleet.traefik.me

  • Follow the instructions to set up Fleet.

  • Go to Hosts

  • click "Add hosts"

  • Select the correct platform for the host you're enrolling

  • Copy the command

  • Run the command command with --insecure flag to prevent error when using self-signed certificate:

fleetctl package --type=deb --fleet-desktop --fleet-url=https://fleet.traefik.me --enroll-secret=totallysecuresecret --insecure
  • Run generated package on the host.
  • Once you have your host(s) enrolled, you can begin querying your hosts in the Fleet UI at fleet.traefik.me/queries/manage!

If you're enrolling multiple hosts, you can use the same installer package to enroll all hosts for a given platform. You can use network storage or copy the package to each host you'd like to install and run it.

File access denied issues with Fleet and Filebeat containers

Fleet

  1. Run it for the first time or create the mount directory fleet/logs
  2. Create (i.e. touch) and provide the right access rights (chmod 666) to the files:
touch osqueryd.results.log && chmod 666 osqueryd.results.log
touch osqueryd.status.log && chmod 666 osqueryd.status.log
  1. Run fleet container again

Filebeat

  1. Run it for the first time
  2. Set the correct access rights (chmod go-w) at filebeat/:
chmod go-w filebeat.yml
  1. Run filebeat container again (will show an error for file filebeat-{date}.ndjson, but container will keep running)