Merge pull request #486 from lnxg33k/master

Update fleet installer
Chris Long
2020-07-26 14:38:22 -07:00
committed by GitHub
2 changed files with 89 additions and 62 deletions


@@ -221,27 +221,6 @@ display.page.home.dashboardId = /servicesNS/nobody/search/data/ui/views/logger_d
fi fi
} }
install_fleet() {
# Install Fleet
if [ -f "/opt/kolide-quickstart" ]; then
echo "[$(date +%H:%M:%S)]: Fleet is already installed"
else
echo "[$(date +%H:%M:%S)]: Installing Fleet..."
echo -e "\n127.0.0.1 kolide" >>/etc/hosts
echo -e "\n127.0.0.1 logger" >>/etc/hosts
cd /opt && git clone https://github.com/kolide/kolide-quickstart.git
cd /opt/kolide-quickstart || echo "Something went wrong while trying to clone the kolide-quickstart repository"
cp /vagrant/resources/fleet/server.* .
sed -i 's/ -it//g' demo.sh
./demo.sh up simple
# Set the enrollment secret to match what we deploy to Windows hosts
docker run --rm --network=kolidequickstart_default mysql:5.7 mysql -h mysql -u kolide --password=kolide -e 'update app_configs set osquery_enroll_secret = "enrollmentsecret" where id=1;' --batch kolide
# Set snapshot events to be split into multiple events
docker run --rm --network=kolidequickstart_default mysql:5.7 mysql -h mysql -u kolide --password=kolide -e 'insert into options (name, type, value) values ("logger_snapshot_event_type", 2, "true");' --batch kolide
echo "Updated enrollment secret"
fi
}
download_palantir_osquery_config() { download_palantir_osquery_config() {
if [ -f /opt/osquery-configuration ]; then if [ -f /opt/osquery-configuration ]; then
echo "[$(date +%H:%M:%S)]: osquery configs have already been downloaded" echo "[$(date +%H:%M:%S)]: osquery configs have already been downloaded"
@@ -252,16 +231,55 @@ download_palantir_osquery_config() {
fi fi
} }
import_osquery_config_into_fleet() { install_fleet_import_osquery_config() {
if [ -f "/opt/fleet" ]; then
echo "[$(date +%H:%M:%S)]: Fleet is already installed"
else
cd /opt || exit 1 cd /opt || exit 1
wget --progress=bar:force https://github.com/kolide/fleet/releases/download/2.4.0/fleet.zip
echo "[$(date +%H:%M:%S)]: Installing Fleet..."
echo -e "\n127.0.0.1 kolide" >>/etc/hosts
echo -e "\n127.0.0.1 logger" >>/etc/hosts
apt-get -q -y install mysql-server
mysql -uroot -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'kolide';"
mysql -uroot -pkolide -e "create database kolide;"
sudo apt-get install redis-server -y
sudo apt install unzip -y
wget --progress=bar:force https://github.com/kolide/fleet/releases/download/3.0.0/fleet.zip
unzip fleet.zip -d fleet unzip fleet.zip -d fleet
cp fleet/linux/fleetctl /usr/local/bin/fleetctl && chmod +x /usr/local/bin/fleetctl cp fleet/linux/fleetctl /usr/local/bin/fleetctl && chmod +x /usr/local/bin/fleetctl
cp fleet/linux/fleet /usr/local/bin/fleet && chmod +x /usr/local/bin/fleet
fleet prepare db --mysql_address=127.0.0.1:3306 --mysql_database=kolide --mysql_username=root --mysql_password=kolide
cp /vagrant/resources/fleet/server.* /opt/fleet/
cp /vagrant/resources/fleet/fleet.service /etc/systemd/system/fleet.service
mkdir /var/log/kolide
/bin/systemctl enable fleet.service
/bin/systemctl start fleet.service
echo "[$(date +%H:%M:%S)]: Waiting for fleet service..."
while true; do
result=$(curl --silent -k https://192.168.38.105:8412)
if echo $result | grep -q setup; then break; fi
sleep 1
done
fleetctl config set --address https://192.168.38.105:8412 fleetctl config set --address https://192.168.38.105:8412
fleetctl config set --tls-skip-verify true fleetctl config set --tls-skip-verify true
fleetctl setup --email admin@detectionlab.network --username admin --password 'admin123#' --org-name DetectionLab fleetctl setup --email admin@detectionlab.network --username admin --password 'admin123#' --org-name DetectionLab
fleetctl login --email admin@detectionlab.network --password 'admin123#' fleetctl login --email admin@detectionlab.network --password 'admin123#'
# Set the enrollment secret to match what we deploy to Windows hosts
mysql -uroot --password=kolide -e 'use kolide; update enroll_secrets set secret = "enrollmentsecret" where active=1;'
echo "Updated enrollment secret"
# Change the query invervals to reflect a lab environment # Change the query invervals to reflect a lab environment
# Every hour -> Every 3 minutes # Every hour -> Every 3 minutes
# Every 24 hours -> Every 15 minutes # Every 24 hours -> Every 15 minutes
@@ -272,10 +290,10 @@ import_osquery_config_into_fleet() {
# Don't log osquery INFO messages # Don't log osquery INFO messages
# Fix snapshot event formatting # Fix snapshot event formatting
fleetctl get options > /tmp/options.yaml #fleetctl get options > /tmp/options.yaml
/usr/bin/yq w -i /tmp/options.yaml 'spec.config.options.logger_min_status' '1' #/usr/bin/yq w -i /tmp/options.yaml 'spec.config.options.enroll_secret' 'enrollmentsecret'
/usr/bin/yq w -i /tmp/options.yaml 'spec.config.options.logger_snapshot_event_type' '2' #/usr/bin/yq w -i /tmp/options.yaml 'spec.config.options.logger_snapshot_event_type' 'true'
fleetctl apply -f /tmp/options.yaml #fleetctl apply -f /tmp/options.yaml
# Use fleetctl to import YAML files # Use fleetctl to import YAML files
fleetctl apply -f osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml fleetctl apply -f osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml
@@ -285,8 +303,9 @@ import_osquery_config_into_fleet() {
done done
# Add Splunk monitors for Fleet # Add Splunk monitors for Fleet
/opt/splunk/bin/splunk add monitor "/opt/kolide-quickstart/osquery_result" -index osquery -sourcetype 'osquery:json' -auth 'admin:changeme' /opt/splunk/bin/splunk add monitor "/var/log/kolide/osquery_result" -index osquery -sourcetype 'osquery:json' -auth 'admin:changeme'
/opt/splunk/bin/splunk add monitor "/opt/kolide-quickstart/osquery_status" -index osquery-status -sourcetype 'osquery:status' -auth 'admin:changeme' /opt/splunk/bin/splunk add monitor "/var/log/kolide/osquery_status" -index osquery-status -sourcetype 'osquery:status' -auth 'admin:changeme'
fi
} }
install_zeek() { install_zeek() {
@@ -495,9 +514,8 @@ main() {
test_prerequisites test_prerequisites
fix_eth1_static_ip fix_eth1_static_ip
install_splunk install_splunk
install_fleet
download_palantir_osquery_config download_palantir_osquery_config
import_osquery_config_into_fleet install_fleet_import_osquery_config
install_velociraptor install_velociraptor
install_suricata install_suricata
install_zeek install_zeek
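Review bot: The idempotence guard at the top of install_fleet_import_osquery_config tests `if [ -f "/opt/fleet" ]`, but `unzip fleet.zip -d fleet` creates /opt/fleet as a directory, so `-f` is never true and every re-run of the provisioner re-downloads Fleet, re-runs `fleet prepare db`, and appends another pair of `kolide`/`logger` lines to /etc/hosts; it should read `if [ -d "/opt/fleet" ]; then`. The readiness loop (`while true; do ... result=$(curl ...)`) has no upper bound and expands `$result` unquoted, so a Fleet that never comes up (a wrong MySQL password, a failed unit) hangs the whole provisioner instead of failing with a message; a bounded `until ... | grep -q setup` form is sketched below. The MySQL root password is passed on the command line (`-pkolide`, `--password=kolide`), where it is visible in process listings and in shell history of the provisioning run; a `--defaults-extra-file=` with mode 0600 keeps it off argv. `fleet.zip` is fetched with no integrity check before it is unpacked into /usr/local/bin; pinning the release checksum (`echo "<sha256 placeholder>  fleet.zip" | sha256sum -c` before `unzip`) would make the install verifiable. The parts of the function between the three hunks are not shown here.
```shell
  if [ -d "/opt/fleet" ]; then
    # ... unchanged: package install, fleet download/unzip, fleet prepare db, systemd enable/start ...
    echo "[$(date +%H:%M:%S)]: Waiting for fleet service..."
    attempts=0
    # bound is illustrative: 60 one-second probes before giving up
    until curl --silent -k https://192.168.38.105:8412 | grep -q setup; do
      attempts=$((attempts + 1))
      if [ "$attempts" -ge 60 ]; then
        echo "[$(date +%H:%M:%S)]: Fleet did not become ready; see 'journalctl -u fleet.service'" >&2
        exit 1
      fi
      sleep 1
    done
    # ... unchanged: fleetctl config/setup/login, enrollment secret, query intervals ...
```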


@@ -0,0 +1,9 @@
[Unit]
Description=Kolide Fleet
After=network.target
[Service]
ExecStart=/usr/local/bin/fleet serve --mysql_address=127.0.0.1:3306 --mysql_database=kolide --mysql_username=root --mysql_password=kolide --redis_address=127.0.0.1:6379 --server_cert=/opt/fleet/server.crt --server_key=/opt/fleet/server.key --logging_json --osquery_result_log_file=/var/log/kolide/osquery_result --osquery_status_log_file=/var/log/kolide/osquery_status --auth_jwt_key=dasdsadasdjhshgfhdfb --server_address 0.0.0.0:8412 --osquery_enable_log_rotation
[Install]
WantedBy=multi-user.target