Facebook released an awesome open-source tool named Osquery that is maintained by a thriving community supported by the Linux Foundation and several product leaders such as Kolide, Trail of Bits, and Uptycs. However, Facebook did not release the server component of Osquery, and that has led to the creation of many projects: Kolide, Uptycs, Doorman, osctrl, and SGT, just to name a few. Furthermore, not all of these projects support the Osquery file carve functionality, most notably the open-source version of Kolide Fleet.

This project set out on a mission to provide an open-source Osquery file carving server for file uploads and downloads that could be used with Kolide. This blog post provides a deep dive into the architecture of the project, the design decisions behind it, and lessons learned as an evolving incident response engineer. This project has been a 6-month-long effort that resulted in the creation of 4 blog posts, 3 Udemy certificates/courses, and 3 separate GitHub repos. The collection of these experiences and research has led to the creation of this project. My hope is that this project benefits the community and provides an additional capability to Osquery that may not be supported by all fleet managers.

Osquery exposes an operating system as a high-performance relational database. This allows you to write SQL-based queries to explore operating system data. With Osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events, or file hashes.

What is file carving?

File carving is when you instruct Osquery to TAR up a file on an endpoint and send the TAR to a server for further analysis. The goal of this capability is to remove the need for the incident response team to manually obtain the file from a remote machine.

This project was designed with security in mind, and therefore running it is not as easy as docker-compose up -d. First, the default NGINX configuration enforces mutual TLS (mTLS) for all attempts to access Kolide or the osquery-file-carve server. Second, the Vault configuration enforces an HTTPS connection to the Vault server. Because of these two requirements, using this project in its default configuration requires an existing certificate infrastructure. Third, to request files from the osquery-file-carve server the user must be authenticated by Vault and granted permission to access that resource.

Overview

Phase 0: Deploy client certificates

Since the Osquery file carve functionality does NOT support any type of authentication, I decided to implement mutual TLS. Mutual TLS enforces that only clients with the proper certificates can communicate with Kolide and the osquery-file-carve server. The osquery-file-carve server can be set up without mutual TLS, but that setup is NOT advised: it allows arbitrary, unauthenticated uploads to the server, which can result in a denial of service or, more likely, the storage backend filling up. If you're curious about how to set up mutual TLS, please see my blog post: Kolide and Osquery with mutual TLS.

The various components of this architecture act like a symphony: everyone has to be on the same musical page to play the song in harmony. The configurations provided by the repo for this project set Osquery to send, and NGINX to receive, 1MB file chunks. If Osquery is configured to send 3MB file chunks but NGINX has a client_max_body_size of 1MB, NGINX will reject every data block. Furthermore, Osquery has another setting, read_max, which caps the size of any file it will read. If read_max is set to 100MB and the file you want to upload is 1GB, Osquery will not upload the file. The same limit applies when you ask Osquery to generate a file hash for a file larger than read_max.

Once everything has been configured properly, the incident responder can initiate a file carve from the Kolide console. First, the incident responder finds the machine they want to request a file from. Next, they generate a file carve request with the following query: SELECT * FROM carves WHERE path= AND carve=1. More on this process is demonstrated below (Section: Let's carve this turkey).
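The chunk-size and read_max constraints discussed in this post are easy to get wrong because the two sides use different units: osquery's carver_block_size flag is a byte count, while NGINX's client_max_body_size accepts suffixes such as 1m. The script below is an added example, not code from the original post or from the osquery-file-carve repo. It reads both settings from config files and checks that a carve block (which osquery base64-encodes inside a JSON body, so the request is roughly 4/3 of the block size plus a small envelope) fits under the NGINX limit, and that a given file size is within read_max. The flag and directive names are the real osquery and NGINX ones; the sample config files written by write_samples are constructed for this example, and the 1024-byte envelope allowance is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post or the osquery-file-carve repo.
# Checks two "same musical page" constraints between osquery and NGINX:
#   1. a carve block, once base64-encoded into osquery's JSON request body,
#      must fit under NGINX's client_max_body_size;
#   2. a file can only be carved (or hashed) if it is no larger than read_max.
# Flag and directive names are real; the sample config files are constructed.

# Convert an NGINX size value ("1m", "512k", "2g", or plain bytes) to bytes.
nginx_size_to_bytes() {
  num=$(printf '%s' "$1" | sed 's/[kKmMgG]$//')
  case "$1" in
    *k|*K) echo $((num * 1024)) ;;
    *m|*M) echo $((num * 1024 * 1024)) ;;
    *g|*G) echo $((num * 1024 * 1024 * 1024)) ;;
    *)     echo "$num" ;;
  esac
}

# Print the value of --<flag>=<value> from an osquery flagfile (last one wins).
osquery_flag() {
  sed -n "s/^--$2=//p" "$1" | tail -n 1
}

# Print the client_max_body_size value from an NGINX config (last one wins).
nginx_body_limit() {
  sed -n 's/^[[:space:]]*client_max_body_size[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$1" | tail -n 1
}

# Approximate HTTP body size per carve block: base64 expansion of the block
# plus an assumed 1024-byte allowance for the JSON fields around it.
carve_body_bytes() {
  echo $(( ($1 * 4 + 2) / 3 + 1024 ))
}

# Succeeds when every carve block from the flagfile fits under the NGINX limit.
chunk_fits() {
  block=$(osquery_flag "$1" carver_block_size)
  limit=$(nginx_size_to_bytes "$(nginx_body_limit "$2")")
  [ "$(carve_body_bytes "$block")" -le "$limit" ]
}

# Succeeds when a file of $2 bytes is within the flagfile's read_max.
file_within_read_max() {
  max=$(osquery_flag "$1" read_max)
  [ "$2" -le "$max" ]
}

# Write constructed sample configs into a temp dir and print its path.
write_samples() {
  d=$(mktemp -d)
  cat > "$d/good.flags" <<'EOF'
--carver_block_size=524288
--read_max=104857600
EOF
  cat > "$d/bad.flags" <<'EOF'
--carver_block_size=3145728
--read_max=104857600
EOF
  cat > "$d/nginx.conf" <<'EOF'
server {
    listen 443 ssl;
    client_max_body_size 1m;
}
EOF
  echo "$d"
}

# Stand-alone run: report both flagfiles against the same NGINX limit.
d=$(write_samples)
for f in good bad; do
  if chunk_fits "$d/$f.flags" "$d/nginx.conf"; then
    echo "$f.flags: carve blocks fit under client_max_body_size"
  else
    echo "$f.flags: NGINX will reject every carve block (HTTP 413)"
  fi
done
if file_within_read_max "$d/good.flags" 1073741824; then
  echo "1GB file: within read_max"
else
  echo "1GB file: exceeds read_max, osquery will not carve or hash it"
fi
rm -rf "$d"
```

Because of the base64 expansion, give client_max_body_size headroom above carver_block_size rather than setting the two to the identical number; a block size of exactly 1MB against a 1m limit will be rejected even though the raw numbers match.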