Saturday, May 25, 2019

osquery - Part II - Kolide Centralized Management

By Tony Lee and Matt Kemelhar

This series on osquery will take us on a journey from stand-alone agents, to managing multiple agents with Kolide, and then finally onto more advanced integrations and analysis.  We already covered stand-alone local osquery interaction in Part I of this series:

http://securitysynapse.blogspot.com/2019/05/osquery-part-i-local-agent-interaction.html

However, we quickly noticed that stand-alone interaction does not scale to hundreds or thousands of hosts, so we need a centralized management platform.  In this article, we will examine the freely available Kolide Fleet.

What is Kolide?

Kolide (https://kolide.com/) is a centralized osquery agent management platform.  As of the writing of this article, there are two versions:  Cloud and on-prem Fleet.  Currently Kolide Cloud runs about $6 per endpoint.  However, for our needs, we will kick the tires with the on-prem Kolide Fleet (https://kolide.com/fleet) which is offered free of charge.


Kolide Fleet Dependencies and Installation

Kolide Fleet has a few significant dependencies:
  • *nix based operating system
  • MySQL version 5.7 (or greater) - used as Fleet's primary database
  • Redis - "ingest and queue results of distributed queries, cache data, etc."

Due to these dependencies, setup can be a little painful and time consuming.  Fortunately, we found a pretty awesome Fleet installation script (https://github.com/deeso/fleet-deployment) from Adam Pridgen (https://www.linkedin.com/in/-dso-/) that works great for our lab environment running Ubuntu.

Installation

Follow these steps to get up and running quickly:

git clone https://github.com/deeso/fleet-deployment.git
cd fleet-deployment/fleet-server-install
cp passwords.example passwords.sh

** Using your favorite text editor (such as vim), update the MYSQL_PASS variable (the MySQL password Fleet will use) and the JWT_KEY variable (a long random secret that Fleet uses to sign session tokens; do not leave the example value in place):

vim passwords.sh

Now run the installer script:
bash install.sh

NOTE:  During the SSL certificate creation phase, you will be asked for a "Common Name" / server FQDN (see below) -- be sure to enter the name you will later use to reach the server (hostname or FQDN, not "localhost").

Ex: Common Name (e.g. server FQDN or YOUR name) []:<ENTER IT HERE>

It will matter later when you try to connect via fleetctl, because fleetctl validates the server's TLS certificate against the hostname in the URL you give it.  If the name you specified does not match the name in the URL, you will see the following error message upon login attempt:

"error logging in: POST /api/v1/kolide/login: Post https://<hostname>:443/api/v1/kolide/login: x509: certificate is not valid for any names, but wanted to match localhost"
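The mismatch above can be caught before fleetctl ever complains.  The following helper is an added example for this post (not part of the fleet-deployment script or of Fleet itself): it uses openssl's -checkhost to confirm that the name you intend to put in the fleetctl URL is actually covered by a certificate, either a PEM file on disk or the certificate served by a running Fleet instance.  The host name fleet.example.com and the 443 default are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the name you will put in
# the fleetctl URL is covered by the Fleet server's TLS certificate, so that
# "x509: certificate is not valid for any names" never shows up at login time.

# cert_matches_host CERT.pem NAME -> exit 0 if the certificate's SAN (or, when
# there is no SAN, its Common Name) covers NAME; openssl prints "does match" /
# "does NOT match" and we key off that text.
cert_matches_host() {
    cert="$1"; name="$2"
    openssl x509 -in "$cert" -noout -checkhost "$name" 2>/dev/null | grep -q 'does match'
}

# cert_names CERT.pem -> print the subject and any Subject Alternative Name
# entries so you can see which names the certificate actually covers.
cert_names() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# fleet_cert_check HOST[:PORT] -> fetch the live certificate from a running
# Fleet server (assumed reachable; port defaults to 443) and run the same check
# against HOST, i.e. the name you would use in "fleetctl config set --address".
fleet_cert_check() {
    hostport="$1"; host="${hostport%%:*}"
    case "$hostport" in *:*) ;; *) hostport="$hostport:443" ;; esac
    tmp=$(mktemp)
    openssl s_client -connect "$hostport" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp" 2>/dev/null
    if cert_matches_host "$tmp" "$host"; then
        echo "OK: certificate covers $host; use https://$hostport with fleetctl"
        rc=0
    else
        echo "MISMATCH: certificate does not cover $host; it covers:"
        cert_names "$tmp"
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage (assumed host name):
#   fleet_cert_check fleet.example.com:443
```

Run fleet_cert_check with exactly the host:port string you plan to hand to fleetctl.  If it reports a mismatch, either regenerate the certificate with the right Common Name (or a Subject Alternative Name) during install.sh, or use the name the certificate does cover in the fleetctl address.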


Check on the status of the service:

service fleet-service status

When complete, open a browser and navigate to https://localhost to finish the Kolide setup: you will be asked for the initial admin user, the organization name, and the Kolide URL (the address agents and fleetctl will use to reach the server).

Figure 1:  Kolide Fleet Setup Complete


Joining an agent to Kolide Fleet

If you installed osquery as a stand-alone agent during the Part I article, feel free to uninstall it.  We now need to install some osquery agents and get them to connect to our Kolide server.

"To connect a host to Kolide Fleet, you have two general options. 

1)  You can install the osquery binaries on your hosts via the packages distributed at https://osquery.io/downloads 

- or -  

2)  You can use the Kolide osquery Launcher

The Launcher is a light wrapper that aims to make running and deploying osquery easier by adding a few features and minimizing the configuration interface. Some features of The Launcher are:

  • Secure autoupdates to the latest stable osqueryd
  • Remote communication via a strongly-typed, versioned, modern gRPC server API
  • a curated kolide_best_practices table which includes a curated set of standards for the modern enterprise"

Source:  https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md


Using Kolide osquery Launcher

For this article, we will use the Kolide osquery Launcher to connect a host to our Kolide Fleet server.  The launcher can be obtained as source or pre-compiled binaries from here:  https://github.com/kolide/launcher/releases

Then you will need to obtain the enrollment secret from the Kolide Fleet Server web UI by clicking on the "Add New Host" link.

Figure 2:  Obtain enrollment secret from the Kolide Fleet web UI

Once you have the launcher binary and enrollment secret, run something similar to the following (where 192.168.21.129 is your Kolide server):

launcher.exe --hostname=192.168.21.129:443 --root_directory=c:\programdata\osquery --enroll_secret=6Ua**snip**rUc --insecure

Two caveats for anything beyond a lab: --insecure disables TLS certificate verification, so the agent will happily enroll with (and send results to) any server that answers on that address; in production, give the Fleet server a certificate the hosts trust and drop the flag.  Likewise, --enroll_secret puts the secret on the command line where any local user can read it from the process list; launcher's --enroll_secret_path flag reads it from a file instead.

The host will check in and you will be able to run queries from Kolide Fleet.
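The post's command above is the Windows, lab-mode form.  As an added example (not from the original post and not launcher's own installer), the following shell script shows the shape a production roll-out on a Linux host takes: the enrollment secret is written to a file with owner-only permissions, launcher is started from a systemd unit via --enroll_secret_path rather than --enroll_secret, and the unit never carries --insecure because the server certificate is verified against a pinned CA via --root_pem.  The flag names are launcher's documented ones; the paths (/usr/local/bin/launcher, /var/launcher, /etc/launcher/ca.pem), the unit name, and fleet.example.com are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original post or the launcher project): a minimal
# Linux roll-out of launcher that keeps the enrollment secret out of the process
# list and never enrolls in --insecure mode.  Paths and host names are assumed.

# secret_file_is_private FILE -> exit 0 only if FILE has no group/other bits set
# (mode 600 or 400); "stat -c" is GNU, "stat -f" is the BSD/macOS fallback.
secret_file_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# install_launcher_secret SECRET_FILE
# Creates the secret file from stdin so the secret never appears in a command
# line; the subshell umask makes it owner-only before any data lands in it.
install_launcher_secret() {
    ( umask 077; cat > "$1" )
    chmod 600 "$1"
}

# write_launcher_unit UNIT_PATH FLEET_HOST:PORT ROOT_DIR SECRET_FILE CA_PEM
# Writes a systemd unit that runs launcher non-interactively.  It refuses to
# proceed if the secret file is readable by anyone but its owner, and emits
# --root_pem instead of --insecure so the Fleet certificate is actually checked.
write_launcher_unit() {
    unit="$1"; fleet="$2"; root="$3"; secret="$4"; ca="$5"
    secret_file_is_private "$secret" || {
        echo "refusing: $secret must be mode 0600 (it is readable by others)" >&2
        return 1
    }
    cat > "$unit" <<EOF
[Unit]
Description=Kolide osquery launcher
After=network-online.target

[Service]
ExecStart=/usr/local/bin/launcher \\
  --hostname=$fleet \\
  --root_directory=$root \\
  --enroll_secret_path=$secret \\
  --root_pem=$ca
Restart=always

[Install]
WantedBy=multi-user.target
EOF
}

# Typical use on a host (assumed paths; the secret comes from the Fleet UI's
# "Add New Host" dialog and is piped in rather than typed on the command line):
#   install_launcher_secret /etc/launcher/secret < secret-from-fleet-ui.txt
#   write_launcher_unit /etc/systemd/system/launcher.service \
#       fleet.example.com:443 /var/launcher /etc/launcher/secret /etc/launcher/ca.pem
#   systemctl daemon-reload && systemctl enable --now launcher
```

The CA file handed to --root_pem is the certificate (or issuing CA) generated during install.sh; distributing it with the agent is what lets you drop --insecure without buying a certificate from a public CA for an internal server.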

Figure 3:  Host checked into Kolide Fleet

To run queries, use the side navigator in the Kolide Fleet UI and click Query > New Query.  Type the SQL query you want to run (autocomplete is present), select the target(s), and click run.  The output from the hosts will be at the bottom of the screen.


Figure 4:  Running a query from Kolide Fleet


Conclusion

At this point you should have the basic building blocks for deploying osquery agents and having them check into Kolide Fleet.  Centralized management is the real gain here: being able to run one query against every host and view (and export) the combined results.  Viewing those results in the Fleet interface is a bit limiting, though, especially when processing results from thousands of hosts.  In the next couple of articles we will examine fleet control and integration possibilities that will allow processing and stacking the data using a big data analytics platform.


1 comment:

  1. Good day everyone, please, whoever has osquery installations on Windows Server 2012 should kindly share.
    Thank you.