We have now come so far that we want to add things to my installation of SecurityOnion, and we will start with how to add Linux and Windows boxes to Kolide Fleet. I do not know if this is the right way, but after a couple of hours I was able to see the VMs in Fleet. Remember, I am a beginner at this; I just want to share my experience with SecurityOnion with you guys.
https://docs.securityonion.net/en/latest/
It is a good start to look at the previous post to get the setup in your head. I have an ESXi host with different VMs and a lot of products installed in this closed environment; SecurityOnion is one of them.
We could also use Ansible to install and configure the clients, but that's for another day. I need to learn how to crawl before walking and finally running. By then I will be an old guy sitting at home watching Netflix, so I leave that for the young people to figure out.
We start with a picture of the goal: having my machines in Kolide Fleet!

We start with what we need to do on the SecurityOnion server: open the firewall to accept clients reporting to Kolide Fleet.
sudo so-allow
Choose o

Now we can start with the Linux client!
Short version:
- Install osquery
- Edit config files
- Install launcher from SecurityOnion
- Register the client
Longer version:
I found a couple of files we need to copy to the clients. I collected these in one place so they are easy to grab for new machines.
I have placed them in /home/onion/files
Original location: /opt/so/conf/fleet/packages/
[onion@onion files]$ ls -alh
-rw-r--r--. 1 onion onion 1,7K 18 okt 08.59 cert.pem
-rw-r--r--. 1 onion root 349 18 okt 08.58 fims.conf
-rw-r--r--. 1 onion onion 1,6K 18 okt 08.57 osquery.conf
-rw-r--r--. 1 onion onion 33 18 okt 09.00 secret
-rw-r--r--. 1 onion onion 22M 18 okt 10.27 launcher.deb
-rw-r--r--. 1 onion onion 19M 18 okt 10.27 launcher.msi
We start with the certificate, which you can download from your SecurityOnion server. Note also that there is a secret file, which we will use later. Once the certificate is on the client, you can test the connection from the client to the SecurityOnion server with openssl:
openssl s_client -connect 172.21.21.27:8090 -CAfile /var/osquery/cert.pem

Then there is the fims.conf file; it looks like this:

{
  "queries": {
    "file_events": {
      "query": "select * from file_events;",
      "removed": false,
      "interval": 300
    }
  },
  "file_paths": {
    "homes": [
      "/root/.ssh/%%",
      "/home/%/.ssh/%%"
    ],
    "etc": [ "/etc/%%" ],
    "home": [ "/home/%%" ],
    "tmp": [ "/tmp/%%" ]
  }
}
The osquery.conf looks like this:

{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "disable_logging": "false",
    "schedule_splay_percent": "10",
    "pidfile": "/var/osquery/osquery.pidfile",
    "events_expiry": "3600",
    "database_path": "/var/osquery/osquery.db",
    "verbose": "true",
    "worker_threads": "2",
    "disable_events": "false",
    "disable_audit": "false",
    "audit_allow_config": "true",
    "host_identifier": "hostname",
    "enable_syslog": "true",
    "syslog_pipe_path": "/var/osquery/syslog_pipe",
    "audit_allow_sockets": "true",
    "schedule_default_interval": "3600"
  },
  "schedule": {
    "crontab": {
      "query": "SELECT * FROM crontab;",
      "interval": 300
    },
    "largest_process": {
      "query": "select pid, name, uid, resident_size from processes order by resident_size desc limit 10;",
      "interval": 60
    }
  },
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },
  "packs": {
    "fim": "/usr/share/osquery/packs/fims.conf",
    "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
    "incident-response": "/usr/share/osquery/packs/incident-response.conf",
    "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
    "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
    "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf"
  }
}
The secret file contains the enroll secret from the Fleet site on the SecurityOnion server. See the picture above.
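Before copying this bundle to a client it is worth checking the two files that most often go wrong: the config (quotes pasted from a web page, or a section repeated by accident, are not valid JSON for osquery) and the enroll secret (the ls listing above shows it world-readable, and it lets any host that can read it join Fleet). This is an added example, not code from the post or from Security Onion; the pack path is the one the post uses and the sample config is constructed.

```python
"""Pre-flight check for the osquery.conf and enroll secret that get copied to a
new Fleet client. Added example, not code from the post or Security Onion."""
import json
import re
import stat

CURLY = re.compile("[\u201c\u201d]")  # curly quotes pasted from a web page

def _no_duplicate_keys(pairs):
    # json.loads keeps the last value of a repeated key, so a file containing
    # "packs" twice would load, but not as the config you reviewed.
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key {key!r}")
        seen[key] = value
    return seen

def check_osquery_conf(text, packs_present=()):
    """Return the problems found in an osquery.conf text (empty list = OK)."""
    problems = []
    if CURLY.search(text):
        problems.append("typographic quotes found; JSON needs straight quotes")
        text = CURLY.sub('"', text)  # repair locally so the other checks run
    try:
        conf = json.loads(text, object_pairs_hook=_no_duplicate_keys)
    except ValueError as exc:  # JSONDecodeError and the duplicate-key error
        return problems + [f"invalid JSON: {exc}"]
    for name, path in conf.get("packs", {}).items():
        if path not in packs_present:  # the pack must already be on the client
            problems.append(f"pack {name!r} points to a missing file {path}")
    return problems

def check_secret(content, mode):
    """The enroll secret lets any host join Fleet: one token, not world-readable."""
    problems = []
    if len(content.split()) != 1:
        problems.append("secret must be a single token on one line")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("secret file is group/world readable; chmod 600 it")
    return problems

# Constructed sample: curly quotes as pasted from a browser, and "packs" twice.
PASTED_CONF = """{
  \u201coptions\u201d: {\u201cconfig_plugin\u201d: \u201cfilesystem\u201d},
  "schedule": {"crontab": {"query": "SELECT * FROM crontab;", "interval": 300}},
  "packs": {"fim": "/usr/share/osquery/packs/fims.conf"},
  "packs": {"fim": "/usr/share/osquery/packs/fims.conf"}
}"""
```

On a real client you would feed it the file contents and `os.stat(path).st_mode`, and pass the pack files that actually exist under /usr/share/osquery/packs as `packs_present`.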

Copy the installation files from /var/so-launcher/securityonion to /home/onion/files, so they are easily accessible when you are doing installations.
Now ssh to the server that you want to add to Fleet.
Installation of osquery:
echo "deb [arch=amd64] https://pkg.osquery.io/deb deb main" | sudo tee /etc/apt/sources.list.d/osquery.list
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
sudo apt-get update
sudo apt install osquery
Now it is time to fetch the config files and install the launcher. To make this easy, configure ssh with keys.
sudo su
ssh-keygen
ssh-copy-id onion@onion
scp onion@onion:~/files/osquery.conf /etc/osquery
scp onion@onion:~/files/fims.conf /usr/share/osquery/packs
scp onion@onion:~/files/secret /var/osquery
scp onion@onion:~/files/cert.pem /var/osquery
scp onion@onion:~/files/launcher.deb ./
apt-get install ./launcher.deb
rm launcher.deb
The last thing we need to do is register the client with the server. We have the secret, which you can see on the Fleet site of the SecurityOnion server. See the picture above.
/usr/local/so-launcher/bin/launcher --hostname=172.21.21.27:443 --root_directory=/var/osquery/ --enroll_secret=SECRET_OF_THE_FLEET
Then you can see your server in Fleet, as the first picture shows.
Now off to the Windows machine.
Download and install osquery from their website.

I use WinSCP for this, but you can do it however you want. Transfer launcher.msi to the Windows box and install it.

Open CMD as Administrator and navigate to this directory:

Then type this:
launcher.exe --hostname=172.21.21.27:443 --root_directory="C:\Program Files\osquery" --enroll_secret=SECRET_OF_THE_FLEET
I hope this helps someone get started with SecurityOnion, or at least test the product and dig deeper. I wish the days were 36 hours long.
Happy SecurityOnioning! If that's a word.
Have a great day!
Is there an available installer for 32-bit Windows?
I have looked, but no luck, because in my test environment I have Windows 7. If you find any, please ping me!