Want to know every time someone installs a new Chrome extension? All listening sockets on external interfaces, and the process name and user/group its owned by? New root certificate authorities added to the keychain? Done, all thanks to osquery introspection capabilities coupled with Doorman. It is one of the few security tools that I honestly can say I "set and forget" with respects to the rules we write. One of the stronger points of Doorman is it's builtin rules and alerting engine. We favor tools like osquery that don't expose remote command and control capabilities over tools like Chef or Puppet that concentrates super powers in the hands of a few people. Besides gaining remote administration functionality to osquery, we developed Doorman with a security-first attitude. We use osquery and Doorman at my company to gain visibility into our laptops in a manner many remote control based applications don't provide. I wrote Doorman as a way of utilizing osquery's TLS remoting endpoints, allowing me to dynamically configure an endpoint with custom queries, as well as run ad-hoc queries. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company." Some background, from osquery's site: "osquery allows you to easily ask questions about your Linux, Windows, and OS X infrastructure. Explore osquery further.(I am one of the developers of Doorman). Sample output of the query SELECT * from users You can now run queries against your windows hosts Restart Osquery service Restart-Service osquerydĪnd that is it on how to enroll Windows systems into Osquery Fleet Manager. Save the changes Restart Osquery Service to Enroll the Windows Host carver_continue_endpoint=/api/v1/osquery/carve/block carver_start_endpoint=/api/v1/osquery/carve/begin distributed_tls_write_endpoint=/api/v1/osquery/distributed/write distributed_tls_read_endpoint=/api/v1/osquery/distributed/read config_tls_endpoint=/api/v1/osquery/config enroll_secret_path= C:\ProgramData\secret.txt tls_server_certs= C:\ProgramData\fleet.pem Next, open the Flags file and update the path to TLS and Secrets files notepad 'C:\Program Files\osquery\osquery.flags' # Server \Downloads\flagfile.txt 'C:\Program Files\osquery\osquery.flags' Replace the Osquery flagsfile with the flags file you downloaded from Fleet manager rm 'C:\Program Files\osquery\osquery.flags' mv. Ensure you run Powershell as Administrator, if using powershell to move the files. Move the secrets file and TLS certificate file to C:\ProgramsData folder or any other suitable folder for you. \Downloads\ Directory: C:\Users\kifarunix\Downloads We have downloaded these files to Windows host Downloads folder. The agent should now show up on Fleet manager hosts page Restart Fleet-osquery service Restart-Service 'Fleet osquery' Minimum = 0ms, Maximum = 1ms, Average = 0ms Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),Īpproximate round trip times in milli-seconds: Next, ensure that the Fleet server is reachable via the domain name ping Next, edit the osquery.flags file and add the path to the TLS certificate by adding the line below -tls_server_certs=C:\ProgramData\fleet.pem The installer will also create Fleet-osquery service Get-Service -Name "fleet*" Status Name DisplayNameīefore you can start the Fleet-osquery service, download the Fleet manager TLS certificate, place it under the C:\ProgramData\fleet.pem The Fleet-osquery will be installed as Orbit program, C:\Program Files\Orbit C:\Users\kifarunix\Downloads\fleet-osquery.msi You can as well execute the MSI on the powershell. Install Fleet Osquery Package on Windows systemĬopy the Fleet Osquery MSI installer to the Windows System and install it by double clicking on the MSI. The command generates fleet-osquery.msi installer on the current working directory. To add other devices to Fleet, distribute this installer using Chef, Ansible, Jamf, or Puppet. To add this device to Fleet, double-click to open your installer. Success! You generated an osquery installer at /root/fleet-osquery.msi Windows Installer XML Toolset Linker version Windows Installer XML Toolset Compiler version Windows Installer XML Toolset Toolset Harvester versionĬopyright (c). Status: Downloaded newer image for fleetdm/wix:latest Unable to find image 'fleetdm/wix:latest' locallyĭigest: sha256:3183e1a702efe74cef600b73c193605bed5aeff53f09cf858b86fe66efdd8e3e The way osquery works is by offering relational tables (some of which are general and others which are OS-specific) which can be queried using SQL and allow you to inspect live information from hosts in your fleet. Sample command output Generating your osquery installer. enroll-secret=wFULaNuzE0wuo3/z3jbZNV5ZD0Ku1ERJ fleetctl package -type=msi -fleet-desktop \ Copy the osquery installer package generating command on the wizard above and execute it on the Fleet Manager.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |