Osquery daemon and shell

Threat hunting on Linux and Mac has probably never been easier. With the combination of these tools, we can query all of our hosts on demand for IOCs, schedule queries to run on an automated basis and feed all of the results into our SIEM.

Osquery – A tool that lets us query devices as if they were databases. It was built by Facebook with performance in mind. Osquery is platform agnostic, so we can deploy it across all endpoints regardless of host OS.

Kolide Fleet – A flexible control server for osquery fleets. Fleet allows us to query multiple hosts on demand as well as create query packs, build schedules and manage the hosts in our environment.

Elastic Stack – Elasticsearch, Logstash and Kibana are tools that allow for the collection, normalizing and visualization of logs. This has most likely never been easier: check out Roberto Rodriguez's HELK (Hunting ELK) and run the setup script. For this post, I am using HELK, so it should be all you need. If you like to do things manually so you understand how things work, Roberto Rodriguez has you covered: head over to his site and follow his tutorials (they are top-notch).

This post will assume a couple of things:

  1. An Ubuntu 16.04 server to run Kolide Fleet. You can run this on the same box as your Elastic stack.
  2. At least one Linux host to run your osquery daemon. You can also run it on the same box as Kolide or your Elastic stack.

This tutorial uses a separate host to run Kolide Fleet, so I will point out what you might need to change to make it work on the same server.

Before we begin, make sure to run: apt update && apt upgrade

Kolide Setup:

You can use Kolide's official documentation for most of this if you'd like. I basically customized their install guide to be more fitting for our purpose. Use the password 'kolide' (or whatever you want; just adjust accordingly as you go). Or, if you have time, use the proper procedure to run Redis, although that is totally unnecessary for the purpose of this guide.

Now, if you go to your local browser, you should be redirected to a page where you can create your first Fleet user account.

We need to create some queries now. You can do this with the GUI, or you can run the importer tool found here. The importer tool is a bit buggy, so for the purpose of this post we will just configure the queries manually.

Go to Packs –> Manage Packs –> Create New Pack

Name the pack 'linux_collection' and add a description if you'd like. Under Select Pack Targets, choose All Hosts. Now on the right hand side of the page you should see Select Query. Click that drop down and choose 'crontab'. Set the Interval to 60 (seconds), the Platform to Linux, the Minimum Version to All and the Logging to Snapshot. Logging set to Snapshot simply returns all the results on every run; Differential returns only the rows added or removed since the last run, which is good for monitoring for malicious changes. The Shard is the percentage of enrolled hosts that this osquery pack will query; in a large environment it might make sense to query only a portion of the hosts each time instead of all of them. All of these queries can be run on demand as well. Repeat these steps for the following queries: etc_hosts, iptables, listening_ports, mounts, open_files and shell_history.

Back on your new Kolide instance, select 'Add New Hosts' and copy the Enroll Secret. Treat that secret like a credential: any host that presents it can enrol and start receiving your queries. Now on your Linux host we need to install osquery. As I mentioned at the beginning of the post, you can install this on the same machine that is running Kolide, your Elastic stack, or on a standalone box. Select Fetch Kolide Certificate and move the certificate to your Linux box at /var/osquery/server.pem.
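The pack built through the Fleet GUI above has an exact equivalent in osquery's own pack JSON, which is also what Fleet pushes to enrolled hosts in its config response. The following is an added example, not code from the original post, from Fleet or from osquery: it renders the linux_collection pack from the GUI settings (interval 60, platform linux, snapshot logging, no minimum version) and then models what the Logging choice changes in the emitted log lines, using two constructed listening_ports results for consecutive runs. The `SELECT * FROM <table>;` query text, the description strings and a 100% shard are assumptions of this example.

```python
"""Added example (not from the original post, Fleet or osquery): the
linux_collection pack as osquery pack JSON, plus a model of what Snapshot
versus Differential logging emits for a scheduled query."""
import json

# The seven tables the post schedules into the linux_collection pack.
LINUX_COLLECTION_TABLES = [
    "crontab", "etc_hosts", "iptables", "listening_ports",
    "mounts", "open_files", "shell_history",
]


def build_pack(tables, interval=60, platform="linux", snapshot=True, shard=100):
    """Render a pack in the JSON schema osqueryd consumes.

    GUI field -> pack key: Interval -> "interval" (seconds); Platform ->
    "platform"; Logging Snapshot -> "snapshot": true (false = differential);
    Shard -> "shard" (percentage of enrolled hosts that run the pack).
    'Minimum Version: All' means no "version" key is emitted.
    """
    if not 0 < shard <= 100:
        raise ValueError("shard is a percentage of hosts, 1..100")
    queries = {
        table: {
            "query": f"SELECT * FROM {table};",  # assumed query text
            "interval": interval,
            "snapshot": snapshot,
            "description": f"Scheduled collection of the {table} table",
        }
        for table in tables
    }
    return {"platform": platform, "shard": shard, "queries": queries}


def _row_key(row):
    # osqueryd diffs whole rows, so any column change shows as removed + added.
    return tuple(sorted(row.items()))


def schedule_log(name, previous, current, snapshot):
    """Model the log entries one scheduled query produces on this run.

    snapshot=True  -> one entry carrying every row of the current result.
    snapshot=False -> differential: one entry per row that appeared ("added")
                      or disappeared ("removed") since the previous run.
    """
    if snapshot:
        return [{"name": name, "snapshot": list(current)}]
    before = {_row_key(r): r for r in previous}
    after = {_row_key(r): r for r in current}
    entries = [{"name": name, "action": "added", "columns": after[k]}
               for k in sorted(after.keys() - before.keys())]
    entries += [{"name": name, "action": "removed", "columns": before[k]}
                for k in sorted(before.keys() - after.keys())]
    return entries


# Constructed listening_ports results for two consecutive runs (not real data):
# between runs the MySQL listener went away and a new listener on 4444 appeared.
RUN_1 = [
    {"pid": "412", "port": "22", "protocol": "6", "address": "0.0.0.0"},
    {"pid": "988", "port": "3306", "protocol": "6", "address": "127.0.0.1"},
]
RUN_2 = [
    {"pid": "412", "port": "22", "protocol": "6", "address": "0.0.0.0"},
    {"pid": "2231", "port": "4444", "protocol": "6", "address": "0.0.0.0"},
]

if __name__ == "__main__":
    print(json.dumps(build_pack(LINUX_COLLECTION_TABLES), indent=2))
    for entry in schedule_log("listening_ports", RUN_1, RUN_2, snapshot=False):
        print(json.dumps(entry))
```

With Snapshot logging every run ships the full result set, so a detection in Logstash or Kibana has to compare runs itself; with Differential the new 4444 listener arrives as a single `added` row, which is the cheaper thing to alert on, at the cost of no periodic baseline.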
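Once the enroll secret and the fetched certificate are on the Linux host, osqueryd still has to be told to use them. The following is an added example, not code from the original post or from Fleet or osquery: it renders the osqueryd flag set for TLS enrollment against Fleet (the `/api/v1/osquery/...` endpoints are Fleet's documented ones) with the server certificate at /var/osquery/server.pem pinned via `tls_server_certs`, and checks the two local inputs before osqueryd is started. The Fleet address `fleet.example.com:8080`, the enroll secret path /var/osquery/enroll_secret (the post only says to copy the secret) and the refresh intervals are assumptions of this example.

```python
"""Added example (not from the original post, Fleet or osquery): osqueryd
flags for enrolling a Linux host in Fleet with the fetched certificate
pinned, plus a preflight check on the certificate and enroll secret files."""
import os
import stat
import tempfile

# Fleet's documented osquery TLS endpoints.
FLEET_ENDPOINTS = {
    "enroll_tls_endpoint": "/api/v1/osquery/enroll",
    "config_tls_endpoint": "/api/v1/osquery/config",
    "logger_tls_endpoint": "/api/v1/osquery/log",
    "distributed_tls_read_endpoint": "/api/v1/osquery/distributed/read",
    "distributed_tls_write_endpoint": "/api/v1/osquery/distributed/write",
}


def fleet_flags(fleet_host, cert_path="/var/osquery/server.pem",
                secret_path="/var/osquery/enroll_secret"):
    """Return osqueryd flags, one per list entry, for TLS enrollment in Fleet.

    fleet_host is host:port of the Fleet server (assumed value in the demo).
    tls_server_certs pins the fetched Fleet certificate: osqueryd will only
    talk to a server that chains to it, so a swapped certificate fails closed.
    """
    flags = {
        "tls_hostname": fleet_host,
        "tls_server_certs": cert_path,
        "enroll_secret_path": secret_path,
        "host_identifier": "uuid",
        "config_plugin": "tls",
        "logger_plugin": "tls",
        "distributed_plugin": "tls",
        "disable_distributed": "false",
        "config_refresh": "10",        # seconds; assumed values below too
        "distributed_interval": "10",
        "logger_tls_period": "10",
        **FLEET_ENDPOINTS,
    }
    return [f"--{key}={value}" for key, value in flags.items()]


def preflight(cert_path, secret_path):
    """Problems that make enrollment fail or expose the secret; [] means OK."""
    problems = []
    try:
        with open(cert_path, "rb") as fh:
            if b"-----BEGIN CERTIFICATE-----" not in fh.read():
                problems.append(f"{cert_path} is not a PEM certificate")
    except OSError as exc:
        problems.append(f"cannot read {cert_path}: {exc.strerror}")
    try:
        st = os.stat(secret_path)
        # The enroll secret lets any host join the fleet: keep it root-only.
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{secret_path} is group/world accessible; chmod 600")
        if st.st_size == 0:
            problems.append(f"{secret_path} is empty")
    except OSError as exc:
        problems.append(f"cannot stat {secret_path}: {exc.strerror}")
    return problems


def preflight_demo():
    """Run preflight over constructed files in a temp dir (not a real host).

    Returns the problem lists for three states: both files missing, a
    world-readable secret, and a correct setup.
    """
    workdir = tempfile.mkdtemp()
    cert = os.path.join(workdir, "server.pem")
    secret = os.path.join(workdir, "enroll_secret")
    missing = preflight(cert, secret)
    with open(cert, "w") as fh:  # constructed placeholder, not a real cert
        fh.write("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n")
    with open(secret, "w") as fh:
        fh.write("constructed-enroll-secret\n")
    os.chmod(secret, 0o644)
    loose = preflight(cert, secret)
    os.chmod(secret, 0o600)
    good = preflight(cert, secret)
    return missing, loose, good


if __name__ == "__main__":
    print("\n".join(fleet_flags("fleet.example.com:8080")))
    for state, problems in zip(("missing", "loose", "good"), preflight_demo()):
        print(state, problems or "ok")
```

Write the flag lines to the file named by osqueryd's `--flagfile` (one flag per line) and run `preflight` against the real paths before starting the daemon; an empty list from `preflight` means the certificate is readable PEM and the secret is neither empty nor readable by other users.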