In this blog post we will be installing, setting up, and utilizing Kolide Fleet as our OSQuery fleet manager. As stated by Kolide, ” Fleet is a state of the art host monitoring platform tailored for security experts. Leveraging Facebook’s battle-tested OSQuery project, Fleet delivers fast answers to big questions.” In future blog posts I plan on using this tool for incident response and threat hunting scenarios.

Kolide terms

• Node– A single machine
• Fleet – All the machines controlled and owned by an enterprise
• Queries – A query runs a set of tasks on fleet of machines on a specified interval
• Distributed queries – An on the fly query
• Packs –  Group queries into packs to perform ongoing monitoring.

Install/Setup Kolide on Ubuntu 16.04

Ansible deployment – production

1. git clone https://github.com/Benster900/BlogPosts/Kolide.git
2. cd Kolide
3. mv group_vars/all.example group_vars/all
4. vim group_vars/all and set:
   1. timezone
   2. fleet_hostname
   3. graylog_hostname
   4. base_domain
5. openssl rand -base64 32
6. Copy the output from above
7. mv group_vars/kolide.example group_vars/kolide
8. vim group_vars/kolide and set:
   1. kolide_jwt_key to output from above
   2. Set necessary information for Kolide, MySQL
   3. Set information for certificate
9. vim hosts
   1. Set “ansible_ssh_host” with Kolide’s IP addr under [kolide]
10. ansible-playbook -i hosts deploy_kolide.yml -u <username>

Kolide webGUI setup

1. Browse to “https://<Hostname/IP addr of Kolide>”
2. Setup user
   1. Enter a username
   2. Enter a password
   3. Enter an e-mail
   4. Select “submit”
3. Setup organization
   1. Enter organization name
   2. Enter url
      1. NOT the URL of Kolide
   3. Select “Submit”
4. Set Kolide URL
   1. Enter “https://<fleet_hostname>.<base_domain>
   2. Select “Submit”
5. Finish
   1. Select “Finish”

OSQuery Windows client deployment

Prep setup

1. Browse to https://<Hostname/IP addr of Kolide>
2. Select “Add new host” in top right
3. Select “Reveal secret” and copy the string
4. vim group_vars/agents and set:
   1. osquery_enroll_secret with string from Kolide

Windows deployment

1. Copy contents of /etc/nginx/ssl/kolide.crt on Kolide server
2. mv conf/agents/certificate.example conf/agents/certificate.crt
3. vim conf/agents/certificate.crt and paste contents
   1. I WISH I had a better method :/
4. mv group_vars/win_agents.example group_vars/win_agents
5. vim group_vars/win_agents and set:
   1. ansible_user
   2. ansible_password
6.  vim hosts
   1. Set “ansible_ssh_host” to the Windows machine IP addr under “[win_agents]”
7. ansible-playbook -i hosts deploy_windows_osquery_agents.yml

Linux deployment

Ubuntu 16.04 Desktop/Server OSQuery agent deployment

1. vim hosts
   1. Set “ansible_ssh_host” to Ubuntu’s IP addr under “[linux_agents]”
2. ansible-playbook -i hosts deploy_linux_osquery_agents.yml -u <user>

Centos 7.4 OSQuery agent deployment

1. vim hosts
   1. Set “ansible_ssh_host” to Ubuntu’s IP addr under “[linux_agents]”
2. ansible-playbook -i hosts deploy_linux_osquery_agents.yml -u <user>

Kolide webGUI features

Creating OSQuery query

1. Browse to “https://<Hostname/IP addr of Kolide>” and login
2. Select “Query” on the left then “New Query”
   1. Enter “Get host processes”
   2. Enter “SELECT * FROM processes;” into SQL
      1. Kolide will provide tables as you type
   3. Select “All hosts” for targets
   4. OPTIONAL – Select “Run” to test query
   5. Select “Save” then “Save as new
3. Select “Query” on the left then “Manage Queries”

Creating OSQuery pack

1. Select “Packs” on the left then “New Pack”
   1. Enter “test” for Query Pack Title
   2. Select “All hosts” for targets
   3. Select “Save query pack”
   4. On the left select “Select query” under “Choose Query” for a drop down menu of pre-created queries
   5. Select “Get host processes”
      1. Enter “300” for interval(in seconds)
      2. Select “All” for platforms
      3. Select “All” for minimum OSQuery version
      4. Select “Differential” for logging
         1. Differential means the OSQuery agent will ONLY send data if state of query changes.
      5. Select “Save”

Install/Setup Graylog on Ubuntu 16.04

Ansible deployment – prod

1. mv group_vars/graylog.example group_vars/graylog
2. vim group_vars/graylog set:
   1. Graylog_admin_password
      1. graylog_admin_password can not contain special characters: (,),;
3. vim hosts and set:
   1. Set “ansible_ssh_host” to Graylog’s IP addr under [graylog]
4. ansible-playbook -i hosts deploy_graylog.yml -u <username>

Setup/Configure Graylog

Create Graylog input

1. Browse to https://<graylog FQDN> and login
2. Select “System” then “Inputs”
3. Select “Beats” for input then “Launch new input”
   1. Select “<node>” for Node
   2. Enter “Beats input” for title
   3. Leave default for bind address
   4. Leave default for port
   5. Select “save”

Create Graylog stream

1. Select “Streams” at the top
2. Select “Create stream”
   1. Enter “OSQuery stream” for title
   2. Enter “OSQuery results from daemons” for description
   3. Select “Default index set” for index set
   4. Select “Save”
3. Select “Start stream” for “OSQuery stream”
4. Select “Manage Rules” for “OSQuery stream”
5. Select “Add stream rule”
   1. Enter “tool” for Field
   2. Select “match exactly” for type
   3. Enter “osquery” for value
   4. Select “save”

Install/Setup Filebeat on Kolide

1. vim deploy_kolide.yml and UNcomment “#- import_tasks: roles/kolide/filebeat.yml”
2. vim drop filebeat.yml config into conf/filebeat/filebeat.yml
   1. A slightly modified config is provided but is not recommended for production
   2. Custom config MUST include a field of “tool: osquery”.
3. ansible-playbook -i hosts deploy_kolide.yml -u <username>

Resource/Sources

• Github: BlogProjects
• Kolide fleet documentation