Has anybody set up osquery to be serverless? I am ...
# generalj
Jason NG
06/18/2021, 2:30 AMHas anybody set up osquery to be serverless? I am unable to find much information about it except for a video by cloudflare which deploys it in GCP.
z
zwass
06/18/2021, 2:33 AM
What are you looking to achieve? You can totally deploy osquery without a management server, but typically folks enjoy the benefits of having one.
j
Jason NG
06/18/2021, 2:42 AMto send osquery telemetry to a lambda function which trigger downstream services like cloudwatch. I guess what i dont really understand right now is how can the agents be "registered" in a serverless architecture in the event i want to send sql queries out to all the agents.
Jason NG
06/18/2021, 2:43 AMsorry if i am notmaking sense haha
Jason NG
06/18/2021, 2:43 AMi got the whole set up working via a fleet manager, now i am just looking for ways to remove fleet manager and replace it with a lambda.
z
zwass
06/18/2021, 2:55 AM
You could implement the osquery remote API via Lambda functions: https://osquery.readthedocs.io/en/stable/deployment/remote/
I'm not aware of an OSS solution that does this with Lambda.
FWIW Matt Jane discussed lambda a bit in https://www.okta.com/blog/2018/01/meet-the-sgt-an-osquery-management-server-built-entirely-on-aws/ and apparently settled on not doing it. That SGT project is now unmaintained.
s
Seshu
06/18/2021, 2:58 AMI wrote this for some other purpose. It doesn't support DR/DW, but writes stuff to S3...
https://github.com/Uptycs/query-tls
👍 1
j
Jason NG
06/18/2021, 3:25 AM@Seshu oh nice! ill check it out. Thank you!
👍 1
Jason NG
06/18/2021, 3:29 AM@Seshu But in this way, you can get each endpoint (where osquery is installed) to hit the apigateway. But the reverse wont be possible right? and also if the osquery agent goes down, you will not be able to detect that as well. Is my understanding correct?
s
Seshu
06/18/2021, 3:32 AMTheoretically it is possible to extend this to support distributed read, write, state tracking etc. Would need to integrate with redis, dynamo or some other persistent store. My intent for this was a bit different. So...
👍 1
j
Jason NG
06/18/2021, 8:01 AM@Seshu Are you using a self-signed ssl certificate for the API gateway or you have a CNAME for the url of the API gateway and your ssl certificate is bound to the CNAME? Just having some issues with the certificate verification process when i try to start osqueryd while pointing the tls_host_name to my API gateway.
s
Seshu
06/18/2021, 12:39 PMNope, just using the API GW output from CF as TLS host works. Will post more details in a bit
Seshu
06/18/2021, 5:01 PM Copy code
* Server certificate:
* subject: CN=*.<http://execute-api.us-west-2.amazonaws.com|execute-api.us-west-2.amazonaws.com>
* start date: Aug 30 00:00:00 2020 GMT
* expire date: Sep 29 12:00:00 2021 GMT
* subjectAltName: host "<http://xxxxx.execute-api.us-west-2.amazonaws.com|xxxxx.execute-api.us-west-2.amazonaws.com>" matched cert's "*.<http://execute-api.us-west-2.amazonaws.com|execute-api.us-west-2.amazonaws.com>"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.Seshu
06/18/2021, 5:01 PMAm just using the certs generated by AWS for the API GW. It is in the trusted CA cert bundle (if you have the latest)
g
Gavin
06/18/2021, 11:47 PMJason , you're referring to cloudflares internal system called Cenote which they talked about a couple of times at places like Bsides lisbon the closest thing to the complete system is https://github.com/airbnb/streamalert but it is overkill for just osquery and doesn't provide fleet management but can be a way of using "serverless" functions and services to ingest Logs
This is also a decent read , dated but core items relevant still https://medium.com/airbnb-engineering/introducing-syslog-to-aws-kinesis-via-osquery-da4fc19de5ce
3 Views