Update Ask-questions-about-your-devices.md (#1733)

* Update Ask-questions-about-your-devices.md

Further edited the doc for tone and grammar.
Added section about enrolling your own device.

* Update docs/1-Using-Fleet/tutorials/Ask-questions-about-your-devices.md

* Update docs/1-Using-Fleet/tutorials/Ask-questions-about-your-devices.md

* Update docs/1-Using-Fleet/tutorials/Ask-questions-about-your-devices.md

Co-authored-by: noahtalerman <47070608+noahtalerman@users.noreply.github.com>

* Update docs/1-Using-Fleet/tutorials/Ask-questions-about-your-devices.md

Co-authored-by: noahtalerman <47070608+noahtalerman@users.noreply.github.com>

* Update docs/1-Using-Fleet/tutorials/Ask-questions-about-your-devices.md

Co-authored-by: noahtalerman <47070608+noahtalerman@users.noreply.github.com>

* Update docs/1-Using-Fleet/tutorials/Ask-questions-about-your-devices.md

Co-authored-by: noahtalerman <47070608+noahtalerman@users.noreply.github.com>

Co-authored-by: noahtalerman <47070608+noahtalerman@users.noreply.github.com>
Mike Thomas 2021-08-19 22:27:53 +09:00 committed by GitHub
parent 35d15d1274
commit 457ba20aa0
GPG key ID: 4AEE18F83AFDEB23


@ -1,42 +1,47 @@
# Ask questions about your devices
# Learn how to use Fleet
> This tutorial assumes that you have a preview environment of Fleet up and running. Check out [the "Try Fleet" instructions](../../../README.md#try-fleet) on how to start a preview environment of Fleet.
> This tutorial assumes that you have a preview environment of Fleet up and running. If you haven't already done so, check out our [Get Started](../../../README.md#try-fleet) guide for instructions on how to start a preview environment of Fleet.
In this tutorial, we'll cover the following Fleet concepts:
In this tutorial, we'll cover the following concepts:
- Where to see your devices in Fleet
- How to ask questions about your devices by running queries
- [Where to see your devices in Fleet](#where-to-see-your-devices-in-fleet)
- [How to ask questions about your devices](#how-to-ask-questions-about-your-devices)
- [How to enroll your own device](#how-to-enroll-your-own-device)
### Where to see your devices in Fleet
Once you log into Fleet, you're presented with the **Hosts** page. In Fleet, devices are refered to as "hosts."
Once you log into Fleet, you are presented with the **Hosts** page.
On this page you'll see 7 hosts by default. These hosts are simulated Linux devices, and like the Fleet preview environment, they're running locally on your computer in Docker. For this tutorial we'll be asking questions about these devices by running some queries against them.
>In Fleet, devices are referred to as "hosts."
<img src="https://user-images.githubusercontent.com/78363703/130040107-02d0161f-0afe-49db-a9b1-116149ed9814.png" alt="Fleet query search" width="600"/>
### How to ask questions about your devices by running queries
On this page you'll see 7 hosts by default. These hosts are simulated Linux devices, and like the Fleet preview environment, they're running locally on your computer in Docker.
Let's ask the following questions about the simulated Linux hosts connected to your Fleet:
### How to ask questions about your devices
With osquery and Fleet, you can ask a multitude of questions to help you manage, monitor, and identify threats on your devices, but if you are just starting out, and unsure of what to ask, Fleet comes baked in with a [query library](https://fleetdm.com/queries) of common questions.
So, let's start by asking the following questions about Fleet's 7 simulated Linux hosts:
1. What version of OpenSSL is installed on each device, if any?
2. Do these devices have a high severity vulnerable version of OpenSSL installed?
These questions can easily be answered with Fleet, by running the following query: "Detect Linux hosts with high severity vulnerable versions of OpenSSL."
These questions can easily be answered, by running the following query: "Detect Linux hosts with high severity vulnerable versions of OpenSSL."
On the **Queries** page, enter the query name, "Detect Linux hosts with high severity vulnerable versions of OpenSSL," in the search bar, and select it from the table to navigate to the **Edit or run query** page.
On the **Queries** page, enter the query name, "Detect Linux hosts with high severity vulnerable versions of OpenSSL," in the search box, select the query from the results table, and navigate to the **Edit or run query** page.
<img src="https://user-images.githubusercontent.com/78363703/128487468-7961c509-d0ba-48be-a0e8-54bfb4c371d5.png" alt="Fleet query search" width="600"/>
On the **Edit or run query** page, open the "Select targets" dropdown, and press the purple "+" icon to the right of "All hosts." This means we'll be attempting to run this query against all hosts connected to your Fleet.
On the **Edit or run query** page, open the "Select targets" dropdown, and press the purple "+" icon to the right of "All hosts," to run this query against all hosts enrolled in your Fleet. Then hit the "Run" button to execute the query.
<img src="https://user-images.githubusercontent.com/78363703/128487638-7d779d89-f3fa-42dd-903f-070dc9347a9b.png" alt="Fleet select targets" width="600"/>
Now hit the "Run" button to run the query, and you're done. The query may take several seconds to complete because Fleet has to wait for the osquery agents to respond with results.
The query may take several seconds to complete, because Fleet has to wait for the osquery agents to respond with results.
> Fleet's query response time is inherently variable because of osquery's heartbeat response time. This helps prevent performance issues on hosts.
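Review bot: the heading hierarchy in this hunk now jumps from `# Learn how to use Fleet` straight to `### Where to see your devices in Fleet`, skipping `##`; since the page became a multi-section tutorial with an anchor list at the top, the three sections should be `##` so the `#where-to-see-your-devices-in-fleet` style anchors read as direct children of the title. Two smaller wording points in the same hunk: "Fleet comes baked in with a [query library]" reads better as "Fleet ships with a built-in [query library]", and "The query may take several seconds to complete, because Fleet has to wait" does not need the comma before "because". The merge of "Then hit the "Run" button to execute the query" into the "Select targets" paragraph is fine, but the following sentence still opens as if the Run instruction were its own step; consider starting it with "Once you run it, the query may take several seconds to complete" so the two paragraphs connect.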
@ -81,3 +86,33 @@ Now you have the results from your query, you can compare the results from the "
| 1.0.1-1.0.1h | [CVE-2014-3511](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3511) |
Do any of the simulated, Linux hosts have a high severity vulnerable version of OpenSSL installed? If the answer is yes, don't worry. The devices are running in a simulated Docker environment and do not provide any additional vectors for performing malicious actions against your device.
### How to enroll your own device
To add your own device to Fleet, you'll first need to install the osquery agent. In this tutorial, we'll be using [Orbit](https://github.com/fleetdm/orbit), the recommended agent for Fleet.
1. Make a clone of [Orbit's GitHub repository](https://github.com/fleetdm/orbit).
> Take note on where your new Orbit directory is located on you device. Knowing this will be helpful when building the Orbit package in step 3.
<img src="https://user-images.githubusercontent.com/78363703/130035034-7363ebe1-f89b-42af-9e88-24db867e8047.png" alt="Clone Orbit repository" width="300"/>
2. In Fleet UI's Host page, hit the "Add new host" button, and copy your Fleet enroll secret (you'll need this in the next step.)
<img src="https://user-images.githubusercontent.com/78363703/130040559-9eb77221-aeba-45ce-8f8a-fb1913d3843b.png" alt="Clone Orbit repository" width="600"/>
3. With [fleetctl preview](http://www.fleetdm.com/get-started) still running, and [Go](https://golang.org/doc/install) 1.16 installed, run the following command (remembering to swap ```YOUR_FLEET_ENROLL_SECRET_HERE``` for the one you copied in the previous step:
```
# From within the top-level directory of your cloned Orbit repository…
# Generate a macOS installer pointed at your local Fleet
go run ./cmd/package --type=pkg --fleet-url=localhost:8412 --insecure --enroll-secret=YOUR_FLEET_ENROLL_SECRET_HERE```
```
> If you'd like to build a Windows package, set `--type=msi` in the above command. If you'd like to build a Linux package, set `--type=deb` (Debian, Ubuntu, etc.) or `--type=rpm` (RHEL, CentOS, etc.) in the above command.
A package configured to point at your Fleet instance has now been generated in your local Orbit repository
4. Navigate to your generated package (use ```open .``` from macOS commandline,) then double click on the package, and finally complete the installation walkthrough to enroll your device as a host in Fleet.
> It may take several seconds (≈30s) for your device to enroll. Refresh Fleet UI, and you should now see your local device in your list of hosts.
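Review bot: the fenced block under step 3 is malformed: the closing fence is fused onto the end of the `go run ./cmd/package ...` line, which leaves the bare ``` on the next line opening a new, never-closed fence and breaks rendering of everything after it. Put the closing fence on its own line and drop the extra one. In the same step, the sentence "remembering to swap ```YOUR_FLEET_ENROLL_SECRET_HERE``` for the one you copied in the previous step:" never closes its parenthesis, and single backticks are the right inline-code form there and in "use ```open .``` from macOS commandline,)". The command also passes `--insecure`, which disables TLS certificate verification for the agent's connection to Fleet; that is only acceptable because the target is the local preview at `localhost:8412`, and the doc should say so explicitly so readers do not carry the flag over to a real deployment. Likewise, step 2 has the reader copy the enroll secret into a shell command; a short note that the enroll secret is a credential that lets any device join the Fleet, and should not be pasted into shared notes or committed with the generated package, would fit next to the "Add new host" instruction. Minor: "Take note on where your new Orbit directory is located on you device" should be "Take note of where ... on your device"; the second screenshot's alt text still says "Clone Orbit repository" although it shows the enroll secret dialog; and "has now been generated in your local Orbit repository" is missing its full stop.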