Add Linux and Windows machines to SecurityOnion Kolide Fleet @securityonion #opensource #osquery #fleet @Kolide #linux @BHinfoSecurity

We have now come so far that we want to add things to my installation of SecurityOnion, and we will start with how to add Linux and Windows boxes to Kolide Fleet. I do not know if this is the right way, but after a couple of hours I was able to see the VMs in Fleet. Remember, I am a beginner at this. I just want to share my experience with SecurityOnion with you.

https://docs.securityonion.net/en/latest/

It is a good idea to look at the previous post to get the setup in your head. I have an ESXi host with different VMs and a lot of products installed in this closed environment. SecurityOnion is one of them.

We could also use Ansible to install and configure the clients, but that is for another day. I need to learn how to crawl before walking and finally running. By then I will be an old guy sitting at home watching Netflix; I leave that to the young people to figure out.

We start with a picture of the goal: my machines in Kolide Fleet!

We start with what we need to do on the SecurityOnion server. We need to open the firewall so that clients can report to Kolide Fleet:

sudo so-allow
Choose o (the osquery endpoint)

so-allow

Now we can start with the Linux Client!

Short version:

  1. Install osquery
  2. Edit config files
  3. Install launcher from SecurityOnion
  4. Register the client

Longer version:

I found a couple of files we need to copy to the clients. I collected them in one place so it is easy to grab them for new machines.

I have placed these in /home/onion/files.
Original location: /opt/so/conf/fleet/packages/

[onion@onion files]$ ls -alh

-rw-r--r--. 1 onion onion 1.7K 18 Oct 08.59 cert.pem
-rw-r--r--. 1 onion root   349 18 Oct 08.58 fims.conf
-rw-r--r--. 1 onion onion 1.6K 18 Oct 08.57 osquery.conf
-rw-r--r--. 1 onion onion   33 18 Oct 09.00 secret
-rw-r--r--. 1 onion onion  22M 18 Oct 10.27 launcher.deb
-rw-r--r--. 1 onion onion  19M 18 Oct 10.27 launcher.msi

We start with the certificate, which you can download from your SecurityOnion server. Note also the secret file; we will use it later. It is the Fleet enrollment secret, and any host that has it can enroll itself in your Fleet, so once it is on a client keep it owned by root with mode 0600 (in the listing above it is still world-readable). With the certificate on the client you can test the connection to SecurityOnion with openssl:

openssl s_client -connect 172.21.21.27:8090 -CAfile /var/osquery/cert.pem

Look for "Verify return code: 0 (ok)" in the output; anything else means the client does not trust the certificate the server presents.

Then there is the fims.conf file, which looks like this. It is a file integrity monitoring pack: it watches the root and user .ssh directories, /etc, all of /home and /tmp (%% means recursive). Watching /home/%% and /tmp/%% can be very noisy on a busy host, so trim the list to the paths you actually want events for.

fims.conf
{
  "queries": {
    "file_events": {
      "query": "select * from file_events;",
      "removed": false,
      "interval": 300
    }
  },
  "file_paths": {
    "homes": [
      "/root/.ssh/%%",
      "/home/%/.ssh/%%"
    ],
    "etc": [
      "/etc/%%"
    ],
    "home": [
      "/home/%%"
    ],
    "tmp": [
      "/tmp/%%"
    ]
  }
}

The osquery.conf looks like this. Two things to watch: the quotes must be plain ASCII double quotes (curly quotes copied from a web page make osqueryd reject the file), and with "disable_audit": "false" osqueryd consumes the kernel audit socket itself, which conflicts with a running auditd; stop auditd on the client or set "disable_audit": "true".

osquery.conf

{
  "options": {
    "config_plugin": "filesystem",
    "logger_plugin": "filesystem",
    "logger_path": "/var/log/osquery",
    "disable_logging": "false",
    "schedule_splay_percent": "10",
    "pidfile": "/var/osquery/osquery.pidfile",
    "events_expiry": "3600",
    "database_path": "/var/osquery/osquery.db",
    "verbose": "true",
    "worker_threads": "2",
    "disable_events": "false",
    "disable_audit": "false",
    "audit_allow_config": "true",
    "host_identifier": "hostname",
    "enable_syslog": "true",
    "syslog_pipe_path": "/var/osquery/syslog_pipe",
    "audit_allow_sockets": "true",
    "schedule_default_interval": "3600"
  },
  "schedule": {
    "crontab": {
      "query": "SELECT * FROM crontab;",
      "interval": 300
    },
    "largest_process": {
      "query": "select pid, name, uid, resident_size from processes order by resident_size desc limit 10;",
      "interval": 60
    }
  },
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
    ]
  },
  "packs": {
    "fim": "/usr/share/osquery/packs/fims.conf",
    "osquery-monitoring": "/usr/share/osquery/packs/osquery-monitoring.conf",
    "incident-response": "/usr/share/osquery/packs/incident-response.conf",
    "it-compliance": "/usr/share/osquery/packs/it-compliance.conf",
    "vuln-management": "/usr/share/osquery/packs/vuln-management.conf",
    "hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf"
  }
}

The secret file contains the enrollment secret from the Fleet page on the SecurityOnion server. See the picture above.

Copy the installation files from /var/so-launcher/securityonion to /home/onion/files as well, so everything is in one easily accessible place when you install other machines.

Now SSH to the server you want to add to Fleet.

Installation of osquery

echo "deb [arch=amd64] https://pkg.osquery.io/deb deb main" | sudo tee /etc/apt/sources.list.d/osquery.list
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
sudo apt-get update
sudo apt install osquery

Now it is time to fetch the config files and install launcher. To make this easy, set up SSH keys. Be aware of what the following does: it creates an SSH key for root on the client and adds it to the onion user's authorized_keys on the SecurityOnion manager, so afterwards every client you enroll this way can log in to the manager. That is fine in a closed lab like this one; elsewhere, push the files from the manager to the client instead, or remove the client's key from ~onion/.ssh/authorized_keys on the manager once the files are copied.
sudo su
ssh-keygen
ssh-copy-id onion@onion

scp onion@onion:~/files/osquery.conf /etc/osquery
scp onion@onion:~/files/fims.conf /usr/share/osquery/packs
scp onion@onion:~/files/secret /var/osquery
scp onion@onion:~/files/cert.pem /var/osquery
scp onion@onion:~/files/launcher.deb ./

After copying, make /var/osquery/secret readable only by root (mode 0600); scp preserves the world-readable mode it had on the manager.

apt-get install ./launcher.deb
rm launcher.deb

The last thing we need to do is register the client with the server. We have the secret that you can see on the Fleet page of the SecurityOnion server (see the picture above). Note that both --root_directory and --enroll_secret are launcher flags and need the leading double dash:

/usr/local/so-launcher/bin/launcher --hostname=172.21.21.27:443 --root_directory=/var/osquery/ --enroll_secret=SECRET_OF_THE_FLEET

Passing the secret on the command line leaves it in your shell history and visible in the process list while launcher runs; launcher also accepts --enroll_secret_path=/var/osquery/secret, which reads it from the file we just copied instead.

Then you can see your server in Fleet, as the first picture shows.
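Before running the enrollment step on each new client it is worth checking the things that most often go wrong with this procedure: a world-readable secret, curly quotes in a pasted config, a pack path that does not exist on the client, and a certificate the client does not trust. The script below is an added example for this post, not code from Security Onion, Kolide or the original write-up. It assumes the file layout used above (the paths can be overridden through the environment), GNU coreutils (stat -c) and openssl on the client, and the manager address 172.21.21.27:443 from the post; --enroll_secret_path is launcher's own flag for reading the secret from a file.

```shell
#!/bin/sh
# Pre-flight checks for a Linux client before enrolling it in Kolide Fleet.
# Added example for this write-up; not part of Security Onion, Kolide
# launcher or the original post. Paths below follow the post and can be
# overridden through the environment. Requires GNU stat and openssl.

FLEET_HOST="${FLEET_HOST:-172.21.21.27:443}"          # assumption: manager address from the post
SECRET_FILE="${SECRET_FILE:-/var/osquery/secret}"
CERT_FILE="${CERT_FILE:-/var/osquery/cert.pem}"
OSQUERY_CONF="${OSQUERY_CONF:-/etc/osquery/osquery.conf}"
FIM_PACK="${FIM_PACK:-/usr/share/osquery/packs/fims.conf}"
LAUNCHER="${LAUNCHER:-/usr/local/so-launcher/bin/launcher}"

# The enrollment secret lets any host that has it join Fleet, so it must
# not be readable by other users. Returns 0 when the file exists, is mode
# 0600 and is owned by the expected uid (0 = root in production; the second
# argument exists so the check can be exercised as an unprivileged user).
secret_perms_ok() {
  f="$1"; want_uid="${2:-0}"
  [ -f "$f" ] || return 1
  [ "$(stat -c '%a' "$f")" = "600" ] || return 1
  [ "$(stat -c '%u' "$f")" = "$want_uid" ]
}

# Configs pasted from a web page or a word processor often carry curly
# quotes (U+201C / U+201D), which osquery's JSON parser rejects. Returns 0
# when the file contains none of them.
no_smart_quotes() {
  lq=$(printf '\342\200\234'); rq=$(printf '\342\200\235')
  ! grep -q -e "$lq" -e "$rq" "$1"
}

# Every pack path referenced from osquery.conf must exist on the client or
# osqueryd logs an error for it at startup. Scrapes the quoted *.conf paths
# from the file (no jq/python dependency; paths with spaces unsupported),
# prints each missing one and returns 1 if any is missing.
packs_present() {
  conf="$1"; missing=0
  for p in $(grep -o '"/[^"]*\.conf"' "$conf" | tr -d '"'); do
    [ -f "$p" ] || { echo "missing pack: $p" >&2; missing=1; }
  done
  return "$missing"
}

# If osqueryd is installed, let it parse the config itself; this catches
# JSON syntax errors and unknown options. Returns 2 when osqueryd is absent.
config_check() {
  command -v osqueryd >/dev/null 2>&1 || return 2
  osqueryd --config_check --config_path "$1"
}

# The openssl test from the post reduced to a pass/fail exit code: does the
# manager present a certificate that verifies against cert.pem?
tls_ok() {
  echo | openssl s_client -connect "$1" -CAfile "$2" 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Build the enrollment command. Reading the secret from a file
# (--enroll_secret_path) keeps it out of shell history and `ps` output,
# unlike passing --enroll_secret=... on the command line.
launcher_cmd() {
  printf '%s --hostname=%s --root_directory=/var/osquery/ --enroll_secret_path=%s' \
    "$LAUNCHER" "$1" "$2"
}

# Run every check and print the enrollment command only if all of them pass.
preflight() {
  rc=0
  secret_perms_ok "$SECRET_FILE" || { echo "$SECRET_FILE: want root-owned, mode 0600" >&2; rc=1; }
  for c in "$OSQUERY_CONF" "$FIM_PACK"; do
    no_smart_quotes "$c" || { echo "$c: contains curly quotes" >&2; rc=1; }
  done
  packs_present "$OSQUERY_CONF" || rc=1
  r=0; config_check "$OSQUERY_CONF" || r=$?
  [ "$r" -eq 1 ] && rc=1
  tls_ok "$FLEET_HOST" "$CERT_FILE" || { echo "TLS verify against $FLEET_HOST failed" >&2; rc=1; }
  if [ "$rc" -eq 0 ]; then
    echo "all checks passed, enroll with:"
    launcher_cmd "$FLEET_HOST" "$SECRET_FILE"; echo
  fi
  return "$rc"
}

# Run as root on the client: sudo sh preflight.sh run
if [ "${1:-}" = "run" ]; then preflight; fi
```

The script only reports; it changes nothing on the host. The post tests TLS against port 8090 (the so-allow "o" rule) while enrolling against 443, so set FLEET_HOST to whichever port your launcher package actually talks to.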

Now off to the Windows machine.

Download and install osquery from their website.

I use WinSCP for this, but you can do it however you want: transfer launcher.msi to the Windows box and install it.

Open CMD as Administrator and navigate to the directory where launcher.exe was installed (see the picture).

Then type this (the path contains a space, so it must be quoted):

launcher.exe --hostname=172.21.21.27:443 --root_directory="C:\Program Files\osquery" --enroll_secret=SECRET_OF_THE_FLEET

I hope this helps someone get started with SecurityOnion, or at least test the product and dig deeper. I wish the days were 36 hours long.

Happy SecurityOnioning, if that's a word!

Have a great day!
