Windows Osquery Enrollment
Attempting to enroll Windows devices in Zentral. I used the Linux script as a basis. I created the tls.server.crt file based on this file, and I also built a txt file with the enrollment secret in it. I then created the following osquery.flags file:
```
--tls_hostname=zentral-server.DOMAIN.com
--tls_server_certs=C:\ProgramData\osquery\tls_server_certs.crt
--enroll_secret_path=C:\ProgramData\osquery\enroll_secret.key
--enroll_tls_endpoint=/osquery/enroll
--host_identifier=hostname
--config_plugin=tls
--config_tls_endpoint=/osquery/config
--config_tls_refresh=120
--config_tls_max_attempts=3
--config_accelerated_refresh=60
--enroll_tls_endpoint=/enroll
--disable_distributed=false
--distributed_plugin=tls
--distributed_interval=60
--distributed_tls_max_attempts=3
--distributed_tls_read_endpoint=/osquery/distributed/read
--distributed_tls_write_endpoint=/osquery/distributed/write
--logger_plugin=tls
--logger_tls_endpoint=/osquery/log
--logger_tls_period=60
--disable_audit=false
--audit_allow_config=true
--audit_persist=true
--disable_carver=true
--config_refresh=60
--buffered_log_max=500000
```
I then ran this to test enrollment:

```
C:\ProgramData\osquery\osqueryd\osqueryd.exe --flagfile C:\ProgramData\osquery\osquery.flags --verbose
```

and I get the following:

```
TLSEnrollPlugin requesting a node enroll key from: https://zentral-server.DOMAIN.com/enroll
I0807 16:55:25.554425 6512 tls.cpp:240] TLS/HTTPS POST request to URI: https://zentral-server.DOMAIN.com/enroll
W0807 16:55:26.101603 6512 tls_enroll.cpp:67] Failed enrollment request to https://zentral-server.DOMAIN.com/enroll (Cannot parse JSON: Invalid value. Offset: 0) retrying...
I0807 16:55:28.179082 6512 tls.cpp:240] TLS/HTTPS POST request to URI: https://zentral-server.DOMAIN.com/enroll
W0807 16:55:28.194224 6512 tls_enroll.cpp:67] Failed enrollment request to https://zentral-server.DOMAIN.com/enroll (Cannot parse JSON: Invalid value. Offset: 0) retrying...
```

Not sure if I am missing something or if this is something on the server I need to edit?
It is probably an error on the server, in the zentral app, that is returned to the osquery client. The osquery client is expecting JSON, and cannot enroll. Look in the server logs; you will find the error.

On a Zentral all-in-one instance:

```
journalctl -u zentral_web_app.service
```

On a docker deployment:

```
docker-compose logs web
```
I see the following:

```
Aug 08 15:10:11 zentral-server.DOMAIN.com gunicorn[1383]: 2019-08-08 19:10:11,064 PID1742 log WARNING Bad Request: /
Aug 08 15:10:12 zentral-server.DOMAIN.com gunicorn[1383]: 2019-08-08 19:10:12,013 PID1726 log WARNING Not Found: /enroll
Aug 08 15:10:12 zentral-server.DOMAIN.com gunicorn[1383]: 2019-08-08 19:10:12,108 PID1726 api ERROR APIAuthError Wrong node_key
Aug 08 15:10:12 zentral-server.DOMAIN.com gunicorn[1383]: 2019-08-08 19:10:12,108 PID1726 api_views ERROR APIAuthError Wrong node_key
Aug 08 15:10:12 zentral-server.DOMAIN.com gunicorn[1383]: 2019-08-08 19:10:12,109 PID1726 log WARNING Forbidden: /osquery/config
Aug 08 15:10:14 zentral-server.DOMAIN.com gunicorn[1383]: 2019-08-08 19:10:14,222 PID1703 log WARNING Not Found: /enroll
Aug 08 15:10:16 zentral-server.DOMAIN.com gunicorn[1383]: 2019-08-08 19:10:16,330 PID1726 log WARNING Not Found: /enroll
```
It seems the endpoint for the enrollment is the wrong one:

```
Aug 08 15:10:12 zentral-server.DOMAIN.com gunicorn[1383]: 2019-08-08 19:10:12,013 PID1726 log WARNING Not Found: /enroll
```

You should be able to fix it with this flag:

```
--enroll_tls_endpoint=/osquery/enroll
```
I have that flag in my flag file. --enroll_tls_endpoint=/osquery/enroll
It is odd: in my flag file I have the above enroll endpoint, however in my verbose logging on the Windows machine it says it's requesting a node enroll key from my-zentral-url.com/enroll instead of /osquery/enroll?
Doh, figured it out. Had 2 enroll tls endpoint flags.
Will try to get osqueryd to enroll; however, I'm having trouble running queries on it if I don't invoke osqueryd manually.
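The duplicate flag above went unnoticed because nothing in the flag file or in the osqueryd output points at it: the second `--enroll_tls_endpoint` simply replaced the first, and the client dutifully posted to `/enroll`. The PowerShell script below is an added example, not part of this thread or of Zentral, that lints an osquery flag file before osqueryd is started: it reports every flag that is set more than once together with the value that will actually take effect, checks that the files named by `--tls_server_certs` and `--enroll_secret_path` exist, checks that every `*_tls_*endpoint` value is an absolute path (it is appended to `--tls_hostname`), and prints the effective configuration so it can be compared with what the server expects. It assumes the flag file path used in the thread and that a repeated flag resolves to its last occurrence, which is what the verbose output in the thread showed (`/enroll`, the later value, was used).

```powershell
# Added example: lint an osquery flag file before starting osqueryd.
# Not part of the thread or of Zentral. Assumes the flag file path from the
# thread and that osqueryd honours the LAST occurrence of a repeated flag,
# which is what the verbose output in the thread showed (/enroll won).

param(
    [string]$FlagFile = 'C:\ProgramData\osquery\osquery.flags'
)

if (-not (Test-Path -LiteralPath $FlagFile -PathType Leaf)) {
    Write-Error "Flag file not found: $FlagFile"
    exit 2
}

# flag name -> list of @{ Line; Value } occurrences, in file order
$flags  = @{}
$lineNo = 0
foreach ($raw in Get-Content -LiteralPath $FlagFile) {
    $lineNo++
    $line = $raw.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { continue }
    $m = [regex]::Match($line, '^--([A-Za-z0-9_]+)(?:=(.*))?$')
    if (-not $m.Success) {
        Write-Warning "Line ${lineNo}: does not look like a flag: $line"
        continue
    }
    $name  = $m.Groups[1].Value
    # a bare --flag with no value is a boolean switch set to true
    $value = if ($m.Groups[2].Success) { $m.Groups[2].Value } else { 'true' }
    if (-not $flags.ContainsKey($name)) { $flags[$name] = @() }
    $flags[$name] += [pscustomobject]@{ Line = $lineNo; Value = $value }
}

$problems = 0

# 1. Repeated flags: show every occurrence and the value that wins (the last one).
foreach ($name in ($flags.Keys | Sort-Object)) {
    $occ = @($flags[$name])
    if ($occ.Count -gt 1) {
        $problems++
        $lines = ($occ | ForEach-Object { $_.Line }) -join ', '
        Write-Warning "--$name is set $($occ.Count) times (lines $lines); osqueryd will use the last one: $($occ[-1].Value)"
    }
}

# 2. Flags that name local files must resolve, or TLS setup and enrollment
#    fail before any request reaches the server.
foreach ($name in 'tls_server_certs', 'enroll_secret_path') {
    if ($flags.ContainsKey($name)) {
        $p = @($flags[$name])[-1].Value
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            $problems++
            Write-Warning "--$name points at a file that does not exist: $p"
        }
    }
}

# 3. Endpoint flags are URI paths appended to --tls_hostname; a full URL or a
#    missing leading slash sends the request to the wrong place.
foreach ($name in ($flags.Keys | Where-Object { $_ -like '*_tls_*endpoint' })) {
    $v = @($flags[$name])[-1].Value
    if ($v -notmatch '^/') {
        $problems++
        Write-Warning "--$name should be an absolute path such as /osquery/enroll, got: $v"
    }
}

# 4. Print the effective configuration (last value wins) for comparison with the server.
Write-Host "Effective flags from ${FlagFile}:"
foreach ($name in ($flags.Keys | Sort-Object)) {
    Write-Host ("  --{0}={1}" -f $name, @($flags[$name])[-1].Value)
}

if ($problems -gt 0) {
    Write-Warning "$problems problem(s) found; fix the flag file before running osqueryd."
    exit 1
}
Write-Host 'No problems found.'
```

Run it as `powershell -ExecutionPolicy Bypass -File lint-osquery-flags.ps1` (the script name is a hypothetical one) or pass `-FlagFile` to point it at another file. Against the flag file posted in the thread it reports `--enroll_tls_endpoint` set twice and names `/enroll` as the value osqueryd will use, which is exactly what the `TLSEnrollPlugin requesting a node enroll key from` line confirmed.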
Please see the built-in Windows enrollment (PowerShell script) in the latest code update.