INACTIVE - http://mzl.la/ghe-archive - Osquery launcher, autoupdater, and packager
Перейти к файлу
seph 95a39827f1
Fix docs WRT autoupdate default (#455)
2019-03-26 12:41:59 -04:00
.circleci Add linters (#430) 2019-02-22 13:58:47 -05:00
cmd Small Updates (#449) 2019-03-19 14:27:04 -04:00
docker Rework Dockerfiles (#443) 2019-03-13 15:03:43 -04:00
docs Fix docs WRT autoupdate default (#455) 2019-03-26 12:41:59 -04:00
pkg Add gofmt as a linter (#454) 2019-03-26 10:58:13 -04:00
tools Windows Update Support (#444) 2019-03-15 17:21:26 -04:00
.gitignore Windows services and move to flag files (#415) 2019-02-25 15:42:18 -05:00
.travis.yml Add linters (#430) 2019-02-22 13:58:47 -05:00
CHANGELOG.md Introduce a changelog. (#270) 2018-02-28 14:16:36 -05:00
CONTRIBUTING.md Add contributing document 2017-09-25 00:47:54 -06:00
Dockerfile Rework Dockerfiles (#443) 2019-03-13 15:03:43 -04:00
LICENSE Add MIT license (#144) 2017-09-21 16:50:19 -06:00
Makefile Add gofmt as a linter (#454) 2019-03-26 10:58:13 -04:00
README.md Update readme with info about screensaver password (#432) 2019-02-26 09:22:01 -05:00
go.mod Windows Update Support (#444) 2019-03-15 17:21:26 -04:00
go.sum Windows Update Support (#444) 2019-03-15 17:21:26 -04:00

README.md

The Osquery Launcher CircleCI

The Osquery Launcher is a lightweight launcher/manager which offers a few extra capabilities on top of osquery:

  • secure automatic updates of osquery
  • remote communication via a modern gRPC server API
  • a curated kolide_best_practices table which includes a curated set of standards for the modern enterprise
  • tooling to generate deployment packages for a variety of platforms

osquery is lightweight

Documentation

The documentation for this project is included on GitHub in the docs subdirectory of the repository.

Features

Secure Osquery Autoupdater

Osquery is statically linked and that allows for the easy bundling and distribution of capabilities. Unfortunately, however, it also implies that you have to maintain excellent osquery update hygiene in order to take advantage of emerging osquery capabilities.

The Launcher includes the ability to securely manage and autoupdate osquery instances. This is implemented using The Update Framework (TUF). TUF defines a specification for secure software update systems. The spec describes a client/server model where the client is the software to be updated and the server is the update server. For our implementation, we use Docker Notary as our TUF server and a Go client library that we built in-house.

Because we understand the security implications of an osquery autoupdater, NCC Group was contracted to perform a security audit of our in-house TUF client library. This report is available for public review. NCC Group has also previously performed assessments on Docker Notary and Osquery as well.

gRPC Server Specification and Implementation

Osquery has a very extensible plugin architecture that allow it to be heavily customized with plugins. The included TLS plugins are used by many existing osquery management servers, but the design of the TLS API leaves much to be desired. The Launcher includes a set of gRPC plugins for remote communication with a gRPC server. The server specification is independently published and versioned.

An implementation of the gRPC server is included with the Kolide Fleet osquery fleet manager. Kolide Fleet implements both the gRPC server as well as the legacy TLS server API, so it presents an easy migration path for existing TLS API users.

Kolide's Best Practices

Osquery allows you to ask a lot of great questions, but sometimes it's hard to know exactly which questions you should ask and what queries will expose the answers. The Launcher includes a table called kolide_best_practices which aggregates useful information in an easy "compliant" vs "not compliant" interface. Consider the following queries:

The following best practices, and many more, are included:

  • Is SIP enabled?
  • Is Filevault enabled?
  • Is the firewall enabled?
  • Are Remote Apple Events disabled?
  • Is Internet Sharing disabled?

Reduced Configuration Surface

The osqueryd binary was designed to be very configurable, which allows it to be used in very different environments. The Launcher wraps osqueryd configuration and exposes very high-level options that allow you to easily connect osquery to a server that is compliant with the gRPC specification (such as Kolide Fleet).

Consider the following side-by-side example of The Launcher's command-line help versus osqueryd's command-line help. The Launcher exposes the bare essentials as top-level configuration options. This makes getting started with Osquery easier than ever.

launcher is simple

To learn about The Launcher's command-line interface, see the Launcher documentation.

Easy Packaging and Deployment Tooling

Deploying osquery and configuring it to communicate with a management server can be complicated, especially if you have to make customized deployment packages. The Launcher includes a tool called package-builder which you can use to create Launcher packages for your organization.

To learn more about using package-builder to package and deploy osquery, check out the documentation.

Kolide Cloud

Want to go directly to insights? Not sure how to package Launcher or manage your Fleet?

Try our osquery SaaS platform providing insights, alerting, fleet management and user-driven security tools. We also support advanced aggregation of osquery results for power users. Get started immediately, with your 30-day free trial today. Launcher packages customized for your organization can be downloaded in-app after signup.