Title
#general
j

Jason NG

06/18/2021, 2:30 AM
Has anybody set up osquery to be serverless? I am unable to find much information about it except for a video by cloudflare which deploys it in GCP.
zwass

zwass

06/18/2021, 2:33 AM
What are you looking to achieve? You can totally deploy osquery without a management server, but typically folks enjoy the benefits of having one.
j

Jason NG

06/18/2021, 2:42 AM
to send osquery telemetry to a lambda function which trigger downstream services like cloudwatch. I guess what i dont really understand right now is how can the agents be "registered" in a serverless architecture in the event i want to send sql queries out to all the agents.
2:43 AM
sorry if i am notmaking sense haha
2:43 AM
i got the whole set up working via a fleet manager, now i am just looking for ways to remove fleet manager and replace it with a lambda.
zwass

zwass

06/18/2021, 2:55 AM
You could implement the osquery remote API via Lambda functions: https://osquery.readthedocs.io/en/stable/deployment/remote/ I'm not aware of an OSS solution that does this with Lambda. FWIW Matt Jane discussed lambda a bit in https://www.okta.com/blog/2018/01/meet-the-sgt-an-osquery-management-server-built-entirely-on-aws/ and apparently settled on not doing it. That SGT project is now unmaintained.
s

Seshu

06/18/2021, 2:58 AM
I wrote this for some other purpose. It doesn't support DR/DW, but writes stuff to S3... https://github.com/Uptycs/query-tls
j

Jason NG

06/18/2021, 3:25 AM
@Seshu oh nice! ill check it out. Thank you!
3:29 AM
@Seshu But in this way, you can get each endpoint (where osquery is installed) to hit the apigateway. But the reverse wont be possible right? and also if the osquery agent goes down, you will not be able to detect that as well. Is my understanding correct?
s

Seshu

06/18/2021, 3:32 AM
Theoretically it is possible to extend this to support distributed read, write, state tracking etc. Would need to integrate with redis, dynamo or some other persistent store. My intent for this was a bit different. So...
j

Jason NG

06/18/2021, 8:01 AM
@Seshu Are you using a self-signed ssl certificate for the API gateway or you have a CNAME for the url of the API gateway and your ssl certificate is bound to the CNAME? Just having some issues with the certificate verification process when i try to start osqueryd while pointing the tls_host_name to my API gateway.
s

Seshu

06/18/2021, 12:39 PM
Nope, just using the API GW output from CF as TLS host works. Will post more details in a bit
5:01 PM
* Server certificate:
*  subject: CN=*.<http://execute-api.us-west-2.amazonaws.com|execute-api.us-west-2.amazonaws.com>
*  start date: Aug 30 00:00:00 2020 GMT
*  expire date: Sep 29 12:00:00 2021 GMT
*  subjectAltName: host "<http://xxxxx.execute-api.us-west-2.amazonaws.com|xxxxx.execute-api.us-west-2.amazonaws.com>" matched cert's "*.<http://execute-api.us-west-2.amazonaws.com|execute-api.us-west-2.amazonaws.com>"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
5:01 PM
Am just using the certs generated by AWS for the API GW. It is in the trusted CA cert bundle (if you have the latest)
Gavin

Gavin

06/18/2021, 11:47 PM
Jason , you're referring to cloudflares internal system called Cenote which they talked about a couple of times at places like Bsides lisbon the closest thing to the complete system is https://github.com/airbnb/streamalert but it is overkill for just osquery and doesn't provide fleet management but can be a way of using "serverless" functions and services to ingest Logs This is also a decent read , dated but core items relevant still https://medium.com/airbnb-engineering/introducing-syslog-to-aws-kinesis-via-osquery-da4fc19de5ce