Fleet: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 1: | Zeile 1: | ||
== FleetDM Docker-Installation == | == FleetDM Docker-Installation == | ||
| − | ===Docker | + | |
| − | *apt install -y docker.io docker-compose curl | + | === Docker & Tools installieren === |
| − | ===Zertifikate und Keys | + | * apt install -y docker.io docker-compose curl |
| − | *mkdir -p /mnt/docker/fleet | + | |
| − | *cd /mnt/docker/fleet | + | === Zertifikate und Keys vorbereiten === |
| − | *wget https://web.samogo.de/certs/ca.crt | + | * mkdir -p /mnt/docker/fleet |
| − | *wget https://web.samogo.de/certs/star.it113.int.crt | + | * cd /mnt/docker/fleet |
| − | *wget https://web.samogo.de/certs/star.it113.int.key | + | * wget https://web.samogo.de/certs/ca.crt |
| − | === | + | * wget https://web.samogo.de/certs/star.it113.int.crt |
| − | + | * wget https://web.samogo.de/certs/star.it113.int.key | |
| − | + | * cat star.it113.int.crt ca.crt > certs/fullchain.pem | |
| − | *vi docker-compose.yaml | + | * mv star.it113.int.key certs/privkey.pem |
| + | |||
| + | === Docker Compose-Konfiguration === | ||
| + | * vi docker-compose.yaml | ||
<pre> | <pre> | ||
version: '3.8' | version: '3.8' | ||
| Zeile 69: | Zeile 72: | ||
FLEET_MYSQL_PASSWORD: changeme | FLEET_MYSQL_PASSWORD: changeme | ||
FLEET_REDIS_ADDRESS: redis:6379 | FLEET_REDIS_ADDRESS: redis:6379 | ||
| − | FLEET_SERVER_TLS: " | + | FLEET_SERVER_TLS: "true" |
| + | FLEET_SERVER_CERT: /certs/fullchain.pem | ||
| + | FLEET_SERVER_KEY: /certs/privkey.pem | ||
| + | volumes: | ||
| + | - ./certs:/certs | ||
command: fleet serve | command: fleet serve | ||
| + | </pre> | ||
| − | + | * docker-compose up -d | |
| − | *docker-compose up -d | + | |
| − | == | + | === fleetctl besorgen (auf dem Server) === |
| − | *wget https://github.com/fleetdm/fleet/releases/download/fleet-v4.66.0/fleetctl_v4.66.0_linux_amd64.tar.gz | + | * wget https://github.com/fleetdm/fleet/releases/download/fleet-v4.66.0/fleetctl_v4.66.0_linux_amd64.tar.gz |
| − | *tar -xvzf fleetctl_v4.66.0_linux_amd64.tar.gz | + | * tar -xvzf fleetctl_v4.66.0_linux_amd64.tar.gz |
| − | *cp fleetctl_v4.66.0_linux_amd64/fleetctl | + | * cp fleetctl_v4.66.0_linux_amd64/fleetctl /usr/local/sbin/ |
| − | *fleetctl --version | + | * fleetctl --version |
| − | + | ||
| − | + | === Paket für die Clients bauen (insecure-Variante) === | |
| − | + | ; Die Enroll-Secret gibt’s in der Web-Oberfläche unter: | |
| − | + | * Hosts → Add Host → Linux (DEB) | |
| − | + | ||
| − | + | * fleetctl package --type=deb --enable-scripts \ | |
| − | ==Paket für | + | --fleet-url=https://fleet.it113.int:8080 \ |
| − | ; | + | --enroll-secret=gYpHjdyHvQb3/JD1K2NSdnJg4aAqgSH8 \ |
| − | *Hosts | + | --insecure |
| − | + | ||
| − | + | Erzeugt wird z. B.: | |
| − | *fleetctl package --type=deb --enable-scripts | + | * fleet-osquery_1.41.0_amd64.deb |
| + | |||
| + | === Debian Paket auf den Clients installieren === | ||
| + | * dpkg -i fleet-osquery_1.41.0_amd64.deb | ||
| + | * systemctl status orbit.service | ||
| − | + | === CA auf dem Client einspielen (wenn man nicht mit --insecure arbeitet) === | |
| − | * | + | * cp ca.crt /usr/local/share/ca-certificates/fleet-ca.crt |
| − | * | + | * update-ca-certificates |
| − | + | → danach kann das Paket auch ohne `--insecure` gebaut werden, sofern osquery die CA akzeptiert. | |
| − | |||
[[Kategorie:Cybersecurity]] | [[Kategorie:Cybersecurity]] | ||
[[Kategorie:Hacking]] | [[Kategorie:Hacking]] | ||
Version vom 19. April 2025, 20:13 Uhr
FleetDM Docker-Installation
Docker & Tools installieren
- apt install -y docker.io docker-compose curl
Zertifikate und Keys vorbereiten
- mkdir -p /mnt/docker/fleet
- cd /mnt/docker/fleet
- wget https://web.samogo.de/certs/ca.crt
- wget https://web.samogo.de/certs/star.it113.int.crt
- wget https://web.samogo.de/certs/star.it113.int.key
- cat star.it113.int.crt ca.crt > certs/fullchain.pem
- mv star.it113.int.key certs/privkey.pem
Docker Compose-Konfiguration
- vi docker-compose.yaml
version: '3.8'
services:
mysql:
image: mysql:8.0.36
container_name: mysql
environment:
MYSQL_ROOT_PASSWORD: rootpw
MYSQL_DATABASE: fleet
MYSQL_USER: fleet
MYSQL_PASSWORD: changeme
volumes:
- ./mysql-data:/var/lib/mysql
healthcheck:
test: ["CMD", "mysqladmin", "ping", "-pfleet"]
interval: 10s
timeout: 5s
retries: 10
redis:
image: redis:7
container_name: redis
volumes:
- ./redis-data:/data
fleet-init:
image: fleetdm/fleet:v4.49.1
container_name: fleet-init
depends_on:
mysql:
condition: service_healthy
redis:
condition: service_started
environment:
FLEET_MYSQL_ADDRESS: mysql:3306
FLEET_MYSQL_DATABASE: fleet
FLEET_MYSQL_USERNAME: fleet
FLEET_MYSQL_PASSWORD: changeme
FLEET_REDIS_ADDRESS: redis:6379
command: fleet prepare db --no-prompt
restart: "no"
fleet:
image: fleetdm/fleet:v4.49.1
container_name: fleet
ports:
- "8080:8080"
depends_on:
fleet-init:
condition: service_completed_successfully
environment:
FLEET_MYSQL_ADDRESS: mysql:3306
FLEET_MYSQL_DATABASE: fleet
FLEET_MYSQL_USERNAME: fleet
FLEET_MYSQL_PASSWORD: changeme
FLEET_REDIS_ADDRESS: redis:6379
FLEET_SERVER_TLS: "true"
FLEET_SERVER_CERT: /certs/fullchain.pem
FLEET_SERVER_KEY: /certs/privkey.pem
volumes:
- ./certs:/certs
command: fleet serve
- docker-compose up -d
fleetctl besorgen (auf dem Server)
- wget https://github.com/fleetdm/fleet/releases/download/fleet-v4.66.0/fleetctl_v4.66.0_linux_amd64.tar.gz
- tar -xvzf fleetctl_v4.66.0_linux_amd64.tar.gz
- cp fleetctl_v4.66.0_linux_amd64/fleetctl /usr/local/sbin/
- fleetctl --version
Paket für die Clients bauen (insecure-Variante)
- Die Enroll-Secret gibt’s in der Web-Oberfläche unter
- Hosts → Add Host → Linux (DEB)
- fleetctl package --type=deb --enable-scripts \
--fleet-url=https://fleet.it113.int:8080 \ --enroll-secret=gYpHjdyHvQb3/JD1K2NSdnJg4aAqgSH8 \ --insecure
Erzeugt wird z. B.:
- fleet-osquery_1.41.0_amd64.deb
Debian Paket auf den Clients installieren
- dpkg -i fleet-osquery_1.41.0_amd64.deb
- systemctl status orbit.service
CA auf dem Client einspielen (wenn man nicht mit --insecure arbeitet)
- cp ca.crt /usr/local/share/ca-certificates/fleet-ca.crt
- update-ca-certificates
→ danach kann das Paket auch ohne `--insecure` gebaut werden, sofern osquery die CA akzeptiert.