Where does the package builder get its binaries Do I need to osquery #kolide

Join Slack

Where does the package builder get its binaries? D...

# kolide

KryptoNyte

04/09/2020, 10:52 PM

Where does the package builder get its binaries? Do I need to provide an own server? What kind of server?

sundsta

04/09/2020, 10:53 PM

If you don’t specify, it pulls them from Kolide’s Notary servers

sundsta

04/09/2020, 10:55 PM

All of the package builder options are here https://github.com/kolide/launcher/blob/master/cmd/package-builder/package-builder.go

KryptoNyte

04/09/2020, 10:55 PM

Does that mean that if I DON'T provide a

hostname

parameter it will take some default? And then I will get

osquery

installed from there?

sundsta

04/09/2020, 10:55 PM

No.

hostname

has no default (see the link above).

sundsta

04/09/2020, 10:56 PM

hostname

is the URL of the Fleet or other osquery management server where it retrieves its configuration from and sends the logs to

KryptoNyte

04/09/2020, 10:57 PM

oh, so it is not the server "serving" the binaries

sundsta

04/09/2020, 10:57 PM

No. That is specified by

notary_url

KryptoNyte

04/09/2020, 10:57 PM

AAAAAH! That makes things much clearer! Thanks @sundsta

KryptoNyte

04/09/2020, 11:28 PM

Can the packge builder be used without a

hostname

? Does this make any sense at all?

KryptoNyte

04/09/2020, 11:39 PM

I managed to build a package on my manjaro with target

linux-systemd-pacman

. I could install it with

sudo pacman -U <package>

, and I can start it via

sudo systemctl start launcher.launcher

- but I do not have any osquery installed or running with that....I still must be doing and understanding something very badly...

zwass

04/09/2020, 11:40 PM

If you don't want a central server (like Fleet) managing the osquery configurations (and receiving the logs), you might just want to build a package with plain

osqueryd

. You then need to figure out how you want to get the logs off the endpoint.

KryptoNyte

04/09/2020, 11:41 PM

That sounds like what I want to do! So how do I build a packge with plain

osqueryd

zwass

04/09/2020, 11:46 PM

https://osquery.readthedocs.io/en/latest/development/building/#custom-packages

KryptoNyte

04/09/2020, 11:46 PM

🙏

seph

04/09/2020, 11:51 PM

You might be able to patch package-builder, but it is oriented to packaging launcher, osquery, and launchers config to talk to a fleet manager.

KryptoNyte

04/13/2020, 4:56 PM

Thanks @seph, this is very explicit and clear.

KryptoNyte

04/13/2020, 4:58 PM

So after looking at @zwass’s link, and having built a package, I have a very concrete question:

KryptoNyte

04/13/2020, 5:00 PM

With that link I was able to build a package for linux, from where I was building it. My ideal situation is to get the auto-updater function with the launcher for

osqueryd

osqueryi

and

osqueryctl,

without the need of any fleet or other gRPC server. Is this possible?

zwass

04/13/2020, 5:03 PM

I think it's possible, though you'll have to patch the code in Launcher that starts osquery to use different config and logging plugins.

seph

04/13/2020, 5:04 PM

Maybe. But not without work. I feel compelled to suggest you also look at SaaS vendors here. Kolide, for example. But anyhow, Launcher has some built in update functionality. Extracting that into a standalone tool would be hard. You may as well write your own at that point. Launcher only knows how to speak grpc or jsonrpc. You could do some work to have launcher manage osquery. and have osquery connect directly to something. Or not connect anywhere. But you’ll have to figure that out

KryptoNyte

04/13/2020, 5:11 PM

I see, thank you very much for your support guys

Open in Slack

Previous Next