This tutorial assumes that you have a preview environment of Fleet up and running. If you haven't already done so, check out our Get Started guide for instructions on how to start a preview environment of Fleet.
In this tutorial, we'll cover the following concepts:
Once you log into Fleet, you are presented with the Hosts page.
In Fleet, devices are referred to as "hosts."
On this page you'll see 7 hosts by default. These hosts are simulated Linux devices, and like the Fleet preview environment, they're running locally on your computer in Docker.
With osquery and Fleet, you can ask a multitude of questions to help you manage, monitor, and identify threats on your devices, but if you are just starting out, and unsure of what to ask, Fleet comes baked in with a query library of common questions.
So, let's start by asking the following questions about Fleet's 7 simulated Linux hosts:
What version of OpenSSL is installed on each device, if any?
Do these devices have a high severity vulnerable version of OpenSSL installed?
These questions can easily be answered, by running this simple query: "Get OpenSSL versions."
On the Queries page, enter the query name, "Get OpenSSL versions," in the search box, and select it to enter the query console. Then from the query console, hit "Run query", and from the "Select targets" page, select "All hosts," to run this query against all hosts enrolled in your Fleet. Then hit the "Run" button to execute the query.
The query may take several seconds to complete, because Fleet has to wait for the osquery agents to respond with results.
Fleet's query response time is inherently variable because of osquery's heartbeat response time. This helps prevent performance issues on hosts.
When the query has finished, you should see 4 columns and several rows in the "Results" table:
The "hostname" column answers: which device responded for a given row of results?
The "name" column answers: what is the name of the installed software item? The query we just ran asked for all software items that contain "openssl" in their name, so each row in this column should contain "openssl."
The "source" column answers: which osquery table is the result coming from? For more information on the table's available in osquery, check out the osquery schema documentation.
The "version" column answers: which version of the software item was detected on this device?
The "Results" table presented in Fleet answers our first question of interest which was "What version of OpenSSL is installed on each device, if any?"
Now you have the results from your query, you can compare the results from the "version" column to the table below, which includes the high severity vulnerabilities reported by OpenSSL.
|OpenSSL version range||Vulnerability (CVE)|
|1.1.1-1.1.1h and 1.0.2-1.0.2w||CVE-2020-1971|
|1.1.1-1.1.1d and 1.0.2-1.0.2t||CVE-2019-1551|
|1.1.0 and 1.0.2-1.0.2h and 1.0.1-1.0.1t||CVE-2016-6304|
|1.0.2-1.0.2b and 1.0.1-1.0.1n||CVE-2016-2108|
|1.0.2-1.0.2f and 1.0.1-1.0.1r||CVE-2016-0800|
|1.0.2 and 1.0.1-1.0.1l and 1.0.0-1.0.0q and 0.9.8-0.9.8ze||CVE-2016-0703|
|1.0.2b-1.0.2c and 1.0.1n-1.0.1o||CVE-2015-1793|
Do any of the simulated, Linux hosts have a high severity vulnerable version of OpenSSL installed? If the answer is yes, don't worry. The devices are running in a simulated Docker environment and do not provide any additional vectors for performing malicious actions against your device.
To add your own device to Fleet, you'll first need to install the osquery agent. In this tutorial, we'll be using Orbit, the recommended agent for Fleet.
Take note on where your new Orbit directory is located on you device. Knowing this will be helpful when building the Orbit package in step 3.
YOUR_FLEET_ENROLL_SECRET_HEREfor the one you copied in the previous step:
# From within the top-level directory of your cloned Orbit repository… # Generate a macOS installer pointed at your local Fleet go run ./cmd/package --type=pkg --fleet-url=localhost:8412 --insecure --enroll-secret=YOUR_FLEET_ENROLL_SECRET_HERE
If you'd like to build a Windows package, set
--type=msiin the above command. If you'd like to build a Linux package, set
--type=deb(Debian, Ubuntu, etc.) or
--type=rpm(RHEL, CentOS, etc.) in the above command.
A package configured to point at your Fleet instance has now been generated in your local Orbit repository
open .from macOS commandline,) then double click on the package, and finally complete the installation walkthrough to enroll your device as a host in Fleet.
It may take several seconds (≈30s) for your device to enroll. Refresh Fleet UI, and you should now see your local device in your list of hosts.
If you notice something we’ve missed, or that could be improved, please click here to edit this page.