
KryptoNyte

04/09/2020, 10:52 PM
Where does the package builder get its binaries? Do I need to provide my own server? What kind of server?

sundsta

04/09/2020, 10:53 PM
If you don’t specify, it pulls them from Kolide’s Notary servers

KryptoNyte

04/09/2020, 10:55 PM
Does that mean that if I DON'T provide a `hostname` parameter it will take some default? And then I will get osquery installed from there?

sundsta

04/09/2020, 10:55 PM
No. `hostname` has no default (see the link above). `hostname` is the URL of the Fleet or other osquery management server from which it retrieves its configuration and to which it sends the logs.

KryptoNyte

04/09/2020, 10:57 PM
oh, so it is not the server "serving" the binaries

sundsta

04/09/2020, 10:57 PM
No. That is specified by `notary_url`.

KryptoNyte

04/09/2020, 10:57 PM
AAAAAH! That makes things much clearer! Thanks @sundsta
Can the package builder be used without a `hostname`? Does this make any sense at all?
I managed to build a package on my Manjaro with target `linux-systemd-pacman`. I could install it with `sudo pacman -U <package>`, and I can start it via `sudo systemctl start launcher.launcher` - but I do not have any osquery installed or running with that... I still must be doing and understanding something very badly...

zwass

04/09/2020, 11:40 PM
If you don't want a central server (like Fleet) managing the osquery configurations (and receiving the logs), you might just want to build a package with plain `osqueryd`. You then need to figure out how you want to get the logs off the endpoint.

KryptoNyte

04/09/2020, 11:41 PM
That sounds like what I want to do! So how do I build a package with plain `osqueryd`?

KryptoNyte

04/09/2020, 11:46 PM
🙏

seph

04/09/2020, 11:51 PM
You might be able to patch package-builder, but it is oriented to packaging launcher, osquery, and launchers config to talk to a fleet manager.

KryptoNyte

04/13/2020, 4:56 PM
Thanks @seph, this is very explicit and clear.
So after looking at @zwass’s link, and having built a package, I have a very concrete question:
With that link I was able to build a package for Linux, from where I was building it. My ideal situation is to get the auto-updater function with the launcher for `osqueryd`, `osqueryi` and `osqueryctl`, without the need of any Fleet or other gRPC server. Is this possible?

zwass

04/13/2020, 5:03 PM
I think it's possible, though you'll have to patch the code in Launcher that starts osquery to use different config and logging plugins.

seph

04/13/2020, 5:04 PM
Maybe. But not without work. I feel compelled to suggest you also look at SaaS vendors here. Kolide, for example. But anyhow, Launcher has some built-in update functionality. Extracting that into a standalone tool would be hard. You may as well write your own at that point. Launcher only knows how to speak gRPC or JSON-RPC. You could do some work to have Launcher manage osquery and have osquery connect directly to something. Or not connect anywhere. But you'll have to figure that out.

KryptoNyte

04/13/2020, 5:11 PM
I see, thank you very much for your support guys