Create a VPCĪmazon enables us to build a virtual network in the AWS cloud. For the purpose of this guide we are going to show a bare-bones minimal configuration for each piece of infrastructure that you can elaborate on using a variety of additional terraform modules as you see fit for your environment. You will be able to reuse some components and settings as-is but not all of them. Note that the configurations below aren't copy-pastable. That’s because at Segment our wonderful Tooling team has abstracted away a lot of commonly used infrastructure modules such that we have many default standard settings applied to our infrastructure in terms of setting up the relevant Security Groups and more. In this post I will be able to share some of those configurations but not all. We set up both these pieces of infrastructure using Terraform. This post will show you how to host Fleet on an EKS cluster and send scheduled query logs to an AWS Opensource destination entirely created and managed as code.įleet has two major infrastructure dependencies - a MySQL Database and a Redis Cache. At Segment, we decided to host it entirely as code on an EKS cluster, which is a new Amazon Web Services offering that makes it easy to run Kubernetes at scale. There are many ways of hosting Fleet in your environment. Once the device/s running Osquery on them are enrolled, Fleet enables us to run queries through the Osquery agent across 100,000+ servers, containers, and laptops at scale. This functionality is very powerful in order to be able to quickly get data about a host’s activity during a security investigation or pro-actively run queries on it at a regular interval that lets security teams monitor for malicious activities on a host.įleet is the most commonly used open-source Osquery manager across Security and Compliance teams in the world. It runs as a simple agent and it supports OSx, Windows or any of the Linux operating systems. Osquery exposes an operating system as a high-performance relational database that allows you to write SQL-based queries to explore operating system data. At Segment our tools of choice for Endpoint monitoring are Osquery paired with Fleet for orchestration. Location ~ ^/ Monitoring and visibility is an essential building block for the success of any Detection & Response team. Ssl_certificate_key "/etc/pki/nginx/server.key" Ssl_certificate "/etc/pki/nginx/server.crt" The first one, for port 443 allows access to both the web interface and the osquery API: As you can see, there are two config blocks. The way I recently handled this with Security Onion was to break out the web UI interface and osquery interface using a reverse proxy, Nginx – here is the relevant Nginx config I used. From a security perspective, we want to reduce the risk to an acceptable level – in this case, it would be best if we can configure the Internet-accessible system to allow osquery endpoints through, but restrict web UI requests in some form. Unfortunately, within Fleet itself, there is no way to split out the osquery management APIs from the web management APIs this means that if you make Fleet Internet-accessible (so that non-VPN roaming endpoints can checkin), you expose the web UI to the public Internet. When osquery agents connect to Fleet for management tasks, they use /api/v1/osquery/ or gRPC. In the background, the web UI is using a bunch of API endpoints that are published at /api/v1/kolide/. The web interface is the more common way to manage Fleet. When you deploy Fleet, there are a couple different ways to manage it – either through a CLI or through a web UI. I have used it in production for my osquery endpoints, within my osquery course ( Osquery For Security Analysis), and now, deeply integrated into the next major version of Security Onion (Hybrid Hunter). I was a very early user of Kolide’s open source osquery fleet manager, Fleet. The content below directly applies to FleetDM as-is. FleetDM has replaced Kolide Fleet in Security Onion and in my osquery course and is what I now recommend for osquery management. FleetDM is a drop-in replacement that was forked from Kolide Fleet by the team over at.
0 Comments
Leave a Reply. |