Kolide Fleet on Ubuntu
In this guide, we're going to install Kolide Fleet and all of its application dependencies on an Ubuntu 16.04 LTS server. Once we have Fleet up and running, we're going to install osquery on that same Ubuntu 16.04 host and enroll it in Fleet. This should give you a good understanding of both how to install Fleet as well as how to install and configure osquery such that it can communicate with Fleet.
Setting up a host
Acquiring an Ubuntu host to use for this guide is largely an exercise for the reader. If you don't have an Ubuntu host readily available, feel free to use Vagrant. In a clean, temporary directory, you can run the following to create a vagrant box, start it, and log into it:
$ echo 'Vagrant.configure("2") do |config|
  config.vm.box = "bento/ubuntu-16.04"
  config.vm.network "forwarded_port", guest: 8080, host: 8080
end' > Vagrantfile
$ vagrant up
$ vagrant ssh
To install Fleet, run the following:
$ wget https://dl.kolide.co/bin/fleet_latest.zip
$ unzip fleet_latest.zip 'linux/*' -d fleet
$ sudo cp fleet/linux/fleet /usr/bin/fleet
$ sudo cp fleet/linux/fleetctl /usr/bin/fleetctl
Installing and configuring dependencies
To install the MySQL server files, run the following:
$ sudo apt-get install mysql-server -y
When asked for MySQL's root password, enter toor for the sake of this tutorial if you are having trouble thinking of a better password for the MySQL root user. If you decide to set your own password, be mindful that you will need to substitute it every time toor is used in this document.
The mysqld server should now be running. You can verify this by running the following:
$ ps aux | grep mysqld
mysql 13158 3.1 14.4 1105320 146408 ? Ssl 21:36 0:00 /usr/sbin/mysqld
It's also worth creating a MySQL database for us to use at this point. Run the following to create the kolide database in MySQL. Note that you will be prompted for the password you created above.
$ echo 'CREATE DATABASE kolide;' | mysql -u root -p
To install the Redis server files, run the following:
$ sudo apt-get install redis-server -y
To start the Redis server in the background, you can run the following:
$ sudo redis-server &
Note that this isn't a very robust way to run a Redis server. Digital Ocean has written a very nice community tutorial on installing and running Redis in a more productionalized way.
Running the Fleet server
Now that we have installed Fleet, MySQL, and Redis, we are ready to launch Fleet! First, we must "prepare" the database. We do this via fleet prepare db:
$ /usr/bin/fleet prepare db \
    --mysql_address=127.0.0.1:3306 \
    --mysql_database=kolide \
    --mysql_username=root \
    --mysql_password=toor
The output should look like:
Before we can run the server, we need to generate some TLS keying material. If you already have tooling for generating valid TLS certificates, then you are encouraged to use that instead. You will need a TLS certificate and key for running the Fleet server. If you'd like to generate self-signed certificates, you can do this via the following steps (note: you will be asked for several bits of information, including name, contact info, and location, in order to generate the certificate):
$ openssl genrsa -out /tmp/server.key 4096
$ openssl req -new -key /tmp/server.key -out /tmp/server.csr
$ openssl x509 -req -days 366 -in /tmp/server.csr -signkey /tmp/server.key -out /tmp/server.cert
You should now have three new files in
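The interactive steps above leave the certificate's Common Name to whatever is typed at the prompt, while osqueryd later connects with --tls_hostname=localhost:8080 and has to find that hostname in the certificate. The following is an added example, not part of the original guide or the Fleet project: it generates the same kind of self-signed material non-interactively and checks the result. The function names and the temporary OpenSSL config file are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Fleet.

# gen_fleet_cert DIR HOST [BITS]: write DIR/server.key and DIR/server.cert,
# self-signed, with HOST as both Common Name and subjectAltName.
gen_fleet_cert() {
    dir=$1 host=$2 bits=${3:-4096}
    cnf=$(mktemp) || return 1
    # A config file replaces the interactive prompts; this form also works
    # on older OpenSSL releases that lack "req -addext".
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host
EOF
    (
        umask 077                      # private key readable by owner only
        rm -f "$dir/server.key"        # an existing file would keep its old mode
        openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null
    ) &&
    openssl req -x509 -new -key "$dir/server.key" -config "$cnf" \
        -days 366 -out "$dir/server.cert"
    rc=$?
    rm -f "$cnf"
    return $rc
}

# cert_matches_key CERT KEY: succeed only if both hold the same public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_names_host CERT HOST: succeed if HOST is an exact DNS SAN entry.
cert_names_host() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed 's/^ *//' |
        grep -Fqx "DNS:$2"
}
```

Pass the hostname osquery will connect to, without the port, for example gen_fleet_cert /tmp localhost.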
Now we are ready to run the server! We do this via
$ /usr/bin/fleet serve \
    --mysql_address=127.0.0.1:3306 \
    --mysql_database=kolide \
    --mysql_username=root \
    --mysql_password=toor \
    --redis_address=127.0.0.1:6379 \
    --server_cert=/tmp/server.cert \
    --server_key=/tmp/server.key \
    --logging_json
You will be prompted to add a value for --auth_jwt_key. A randomly generated key will be suggested; you can simply add the flag with the suggested key.
Running Fleet with systemd
See systemd for documentation on running fleet as a background process and managing the fleet server logs.
Installing and running osquery
Note that this whole process is outlined in more detail in the Adding Hosts To Fleet document. The steps are repeated here for the sake of a continuous tutorial.
To install osquery on Ubuntu, you can run the following:
$ export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY
$ sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
$ sudo apt-get update
$ sudo apt-get install osquery
If you're having trouble with the above steps, check the official downloads link for a direct download of the .deb.
You will need to set the osquery enroll secret and osquery server certificate. If you head over to the manage hosts page on your Fleet instance (which should be https://localhost:8080/hosts/manage), you should be able to click "Add New Hosts" and see a modal like the following:
If you select "Fetch Fleet Certificate", your browser will download the appropriate file to your downloads directory (to a file probably called localhost-8080.pem). Copy this file to your Ubuntu host at
You can also select "Reveal Secret" on that modal and the enrollment secret for your Fleet instance will be revealed. Copy that text and create a file with its contents:
$ echo 'LQWzGg9+/yaxxcBUMY7VruDGsJRYULw8' | sudo tee /var/osquery/enroll_secret
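With the usual umask of 022, tee creates the secret file readable by every local user, and typing the secret into an echo command leaves it in the shell history. The following is an added example, not part of the original guide or of the Fleet or osquery projects: it stores the secret from standard input with owner-only permissions and audits an existing file. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Fleet/osquery.

# write_enroll_secret FILE: read one line from stdin and store it in FILE
# with owner-only permissions. Reading from stdin keeps the secret out of
# the command line and therefore out of the shell history.
write_enroll_secret() {
    file=$1
    IFS= read -r secret || :              # tolerate a missing final newline
    [ -n "$secret" ] || return 1          # refuse an empty secret
    (
        umask 077
        rm -f "$file"                     # an existing file keeps its old mode
        printf '%s\n' "$secret" > "$file"
    )
}

# secret_file_ok FILE: succeed only if FILE is a regular, non-empty file
# (not a symlink) that grants no permission to group or other.
secret_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -s "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)     # the group and other rwx columns
    [ "$perms" = "------" ]
}
```

Writing to /var/osquery/enroll_secret needs root, so on the host in this guide the functions would be sourced and called from a root shell.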
Now you're ready to run the
$ sudo /usr/bin/osqueryd \
    --enroll_secret_path=/var/osquery/enroll_secret \
    --tls_server_certs=/var/osquery/server.pem \
    --tls_hostname=localhost:8080 \
    --host_identifier=hostname \
    --enroll_tls_endpoint=/api/v1/osquery/enroll \
    --config_plugin=tls \
    --config_tls_endpoint=/api/v1/osquery/config \
    --config_tls_refresh=10 \
    --disable_distributed=false \
    --distributed_plugin=tls \
    --distributed_interval=3 \
    --distributed_tls_max_attempts=3 \
    --distributed_tls_read_endpoint=/api/v1/osquery/distributed/read \
    --distributed_tls_write_endpoint=/api/v1/osquery/distributed/write \
    --logger_plugin=tls \
    --logger_tls_endpoint=/api/v1/osquery/log \
    --logger_tls_period=10
If you go back to https://localhost:8080/hosts/manage, you should have a host successfully enrolled in Fleet! For information on how to further use the Fleet application, see the Application Documentation.