{"id":5395,"date":"2020-04-12T13:00:53","date_gmt":"2020-04-12T10:00:53","guid":{"rendered":"https:\/\/kifarunix.com\/?p=5395"},"modified":"2021-03-20T21:38:12","modified_gmt":"2021-03-20T18:38:12","slug":"install-and-setup-kolide-fleet-on-ubuntu-18-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-setup-kolide-fleet-on-ubuntu-18-04\/","title":{"rendered":"Install and Setup Kolide Fleet on Ubuntu 18.04"},"content":{"rendered":"\n

In this guide, we are going to learn how to install and set up Kolide Fleet on Ubuntu 18.04. Kolide Fleet<\/a> is an open-source osquery manager that expands osquery capabilities from a single machine to your entire fleet. It lets you query dynamic sets of hosts and watch the data stream in for immediate analysis and investigation.<\/p>\n\n\n\n

Kolide Fleet has been retired. Check out its replacement, Fleetdm Fleet.<\/p>\n\n\n\n

Install Fleet Osquery Manager on Ubuntu 20.04<\/a><\/p>\n\n\n\n

Install and Setup Kolide Fleet on Ubuntu 18.04<\/h2>\n\n\n\n

Run system update<\/h3>\n\n\n\n

Resynchronize the package index so that the latest package versions are available to install.<\/p>\n\n\n\n

apt update<\/code><\/pre>\n\n\n\n

Download Kolide Fleet Binary Installer<\/h3>\n\n\n\n

The Kolide Fleet application is distributed as a single static binary which serves the Fleet web interface, the Fleet application API endpoints and the osquery TLS server API endpoints.<\/p>\n\n\n\n

To download the latest Kolide Fleet binary, simply execute the command below;<\/p>\n\n\n\n

wget https:\/\/github.com\/kolide\/fleet\/releases\/latest\/download\/fleet.zip<\/code><\/pre>\n\n\n\n

Install and Setup Kolide Fleet on Ubuntu 18.04<\/h3>\n\n\n\n

Once the Fleet archive is downloaded, extract the Kolide Fleet binaries for the Linux platform.<\/p>\n\n\n\n

unzip fleet.zip 'linux\/*' -d fleet<\/code><\/pre>\n\n\n\n

The command above extracts the Kolide Fleet binaries, fleet<\/strong> and fleetctl<\/strong>, to the fleet\/linux<\/strong> directory.<\/p>\n\n\n\n

ls fleet\/linux\/<\/code><\/pre>\n\n\n\n
fleet<\/strong>  fleetctl<\/strong><\/code><\/pre>\n\n\n\n

Installing the Kolide Fleet binaries is therefore as easy as copying them to a binary directory, e.g. \/usr\/bin<\/code><\/strong>.<\/p>\n\n\n\n

cp fleet\/linux\/* \/usr\/bin\/<\/code><\/pre>\n\n\n\n

Kolide Fleet is now installed;<\/p>\n\n\n\n

ls \/usr\/bin\/fleet*<\/code><\/pre>\n\n\n\n
\/usr\/bin\/fleet \/usr\/bin\/fleetctl<\/code><\/pre>\n\n\n\n

Install and Setup Kolide Fleet Dependencies on Ubuntu 18.04<\/h3>\n\n\n\n

Kolide Fleet requires MySQL\/MariaDB for its database and Redis server for ingesting and queueing the results of distributed queries, cache data, etc.<\/p>\n\n\n\n

Install MariaDB 10.4 Database on Ubuntu 18.04<\/h4>\n\n\n\n

Create MariaDB 10.4 APT repository<\/p>\n\n\n\n

apt install software-properties-common<\/code><\/pre>\n\n\n\n
apt-key adv --recv-keys --keyserver hkp:\/\/keyserver.ubuntu.com:80 0xF1656F24C74CD1D8<\/code><\/pre>\n\n\n\n
add-apt-repository 'deb [arch=amd64,arm64,ppc64el] http:\/\/sfo1.mirrors.digitalocean.com\/mariadb\/repo\/10.4\/ubuntu bionic main'<\/code><\/pre>\n\n\n\n

Update your package cache.<\/p>\n\n\n\n

apt update<\/code><\/pre>\n\n\n\n

Run the command below to install MariaDB server.<\/p>\n\n\n\n

apt install mariadb-server mariadb-client<\/code><\/pre>\n\n\n\n

Running MariaDB<\/h4>\n\n\n\n

MariaDB server is started and enabled to run on system boot upon installation. You can check the status;<\/p>\n\n\n\n

systemctl status mariadb<\/code><\/pre>\n\n\n\n
systemctl is-enabled mariadb<\/code><\/pre>\n\n\n\n

Run the initial MySQL security script, mysql_secure_installation<\/strong>, to remove anonymous database users and test tables, and to disable remote root login.<\/p>\n\n\n\n

mysql_secure_installation<\/code><\/pre>\n\n\n\n

Create Kolide Fleet Database and Database User<\/h4>\n\n\n\n

MariaDB 10.4 uses unix_socket authentication by default, so you can log in by just running mysql -u root<\/strong><\/code>. If you have, however, enabled password authentication, simply run;<\/p>\n\n\n\n

mysql -u root -p<\/code><\/pre>\n\n\n\n

Next, create the Kolide database.<\/p>\n\n\n\n

Note:<\/strong> the database names used here are not standard. Choose any name of your preference.<\/strong><\/p>\n\n\n\n

create database kolide;<\/code><\/pre>\n\n\n\n

Create the Kolide Fleet database user with all grants on the Kolide DB created above.<\/p>\n\n\n\n

grant all on kolide.* to kolideadmin@localhost identified by 'StrongP@SS';<\/code><\/pre>\n\n\n\n

Reload privileges tables and exit the database;<\/p>\n\n\n\n

flush privileges;
exit<\/code><\/pre>\n\n\n\n

Install Redis on Ubuntu 18.04<\/h4>\n\n\n\n

Run the command below to install Redis on Ubuntu 18.04.<\/p>\n\n\n\n

apt install redis<\/code><\/pre>\n\n\n\n

Redis is started and enabled to run on system boot upon installation.<\/p>\n\n\n\n

Running Kolide Fleet Server on Ubuntu 18.04<\/h3>\n\n\n\n

Initialize Kolide Fleet Database<\/h4>\n\n\n\n

To initialize the Fleet database after installing and setting up all the requirements above, use the fleet prepare db<\/code> command as follows;<\/p>\n\n\n\n

fleet prepare db --mysql_address=127.0.0.1:3306 --mysql_database=kolide --mysql_username=kolideadmin --mysql_password=StrongP@SS<\/code><\/pre>\n\n\n\n

If the initialization is complete, you should get the output,<\/p>\n\n\n\n

Migrations completed.<\/code><\/pre>\n\n\n\n

Generate SSL\/TLS Certificates<\/h4>\n\n\n\n

The fleet serve command runs the main HTTPS server, so it needs a TLS certificate and key. Run the command below to generate a self-signed certificate.<\/p>\n\n\n\n

NOTE: If you are using Self Signed Certificates as in this demo, DO NOT use wildcards or enrollment of hosts won’t work.<\/strong><\/p>\n\n\n\n

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \/etc\/ssl\/private\/kolide.key -out \/etc\/ssl\/certs\/kolide.cert -subj \"\/CN=kolide.kifarunix-demo.com\/\"<\/code><\/pre>\n\n\n\n

If you can, use the commercial TLS certificates from your preferred trusted CA.<\/strong><\/p>\n\n\n\n

Generate JSON Web Token<\/h4>\n\n\n\n

Generate a random JSON Web Token (JWT)<\/code> key for signing and verifying session tokens. This will be required when running the fleet serve<\/strong> command, for use with the --auth_jwt_key<\/strong> option. Fleet server won’t start without this option<\/strong>.<\/p>\n\n\n\n

To have a key auto-generated for you, simply run the fleet serve command without this option.<\/p>\n\n\n\n

fleet serve --mysql_address=127.0.0.1:3306 \\\n--mysql_database=kolide --mysql_username=kolideadmin --mysql_password=StrongP@SS \\\n--server_cert=\/etc\/ssl\/certs\/kolide.cert --server_key=\/etc\/ssl\/private\/kolide.key \\\n--logging_json<\/code><\/pre>\n\n\n\n

The command fails and auto-generates a random key for you;<\/p>\n\n\n\n

################################################################################\n# ERROR:\n#   A value must be supplied for --auth_jwt_key. This value is used to create\n#   session tokens for users.\n#\n#   Consider using the following randomly generated key:\n#   WS+Q2v6RyJdZgJDCHFWgak5HtxzPDhH8<\/strong>\n################################################################################<\/code><\/pre>\n\n\n\n

Testing Kolide Fleet<\/h4>\n\n\n\n

Once you get a random key, rerun the command with the option and the key provided. <\/p>\n\n\n\n

Kolide Fleet is now set up. Run the fleet serve<\/strong> command as shown below to verify that it can run successfully.<\/p>\n\n\n\n

fleet serve --mysql_address=127.0.0.1:3306 \\\n--mysql_database=kolide --mysql_username=kolideadmin --mysql_password=StrongP@SS \\\n--server_cert=\/etc\/ssl\/certs\/kolide.cert --server_key=\/etc\/ssl\/private\/kolide.key \\\n--logging_json --auth_jwt_key=WS+Q2v6RyJdZgJDCHFWgak5HtxzPDhH8<\/strong><\/code><\/pre>\n\n\n\n

If all is well, you should see that Fleet server is now running on 0.0.0.0:8080<\/strong> and hence can be accessed on https:\/\/<server-IP>:8080<\/strong>.<\/p>\n\n\n\n

{\"component\":\"service\",\"err\":null,\"method\":\"ListUsers\",\"took\":\"921.991\u00b5s\",\"ts\":\"2020-04-12T07:06:41.184166743Z\",\"user\":\"none\"}\n{\"address\":\"0.0.0.0:8080\",\"msg\":\"listening\",\"transport\":\"https\",\"ts\":\"2020-04-12T07:06:41.185827799Z\"}<\/code><\/pre>\n\n\n\n

Press Ctrl+c to stop Kolide Fleet server.<\/p>\n\n\n\n

Create Kolide Fleet Systemd Service Unit on Ubuntu 18.04<\/h3>\n\n\n\n

Once you have verified that Kolide Fleet is running fine, create a systemd service file.<\/p>\n\n\n\n

vim \/etc\/systemd\/system\/kolide-fleet.service<\/code><\/pre>\n\n\n\n
[Unit]\nDescription=Kolide Fleet Osquery Fleet Manager\nAfter=network.target\n\n[Service]\nLimitNOFILE=8192\nExecStart=\/usr\/bin\/fleet serve \\\n  --mysql_address=127.0.0.1:3306 \\\n  --mysql_database=kolide \\\n  --mysql_username=kolideadmin \\\n  --mysql_password=StrongP@SS \\\n  --redis_address=127.0.0.1:6379 \\\n  --server_cert=\/etc\/ssl\/certs\/kolide.cert \\\n  --server_key=\/etc\/ssl\/private\/kolide.key \\\n  --auth_jwt_key=WS+Q2v6RyJdZgJDCHFWgak5HtxzPDhH8 \\\n  --logging_json\n# systemd does not run ExecStop through a shell, so signal the main process via $MAINPID\nExecStop=\/bin\/kill -15 $MAINPID\n\n[Install]\nWantedBy=multi-user.target<\/code><\/pre>\n\n\n\n

Save and exit the file.<\/p>\n\n\n\n

Reload systemd configurations.<\/p>\n\n\n\n

systemctl daemon-reload<\/code><\/pre>\n\n\n\n

Start and enable Kolide Fleet service.<\/p>\n\n\n\n

systemctl enable --now kolide-fleet<\/code><\/pre>\n\n\n\n

Check the status;<\/p>\n\n\n\n

systemctl status kolide-fleet<\/code><\/pre>\n\n\n\n
\u25cf kolide-fleet.service - Kolide Fleet Osquery Fleet Manager\n   Loaded: loaded (\/etc\/systemd\/system\/kolide-fleet.service; enabled; vendor preset: enabled)\n   Active: active (running) since Sun 2020-04-12 10:23:44 EAT; 3s ago\n Main PID: 6777 (fleet)\n    Tasks: 6 (limit: 1108)\n   CGroup: \/system.slice\/kolide-fleet.service\n           \u2514\u25006777 \/usr\/bin\/fleet serve --mysql_address=127.0.0.1:3306 --mysql_database=kolide --mysql_username=kolideadmin --mysql_password=StrongP@SS \n\nApr 12 10:23:44 u18 systemd[1]: Started Kolide Fleet Osquery Fleet Manager.\nApr 12 10:23:44 u18 fleet[6777]: {\"component\":\"service\",\"err\":null,\"method\":\"ListUsers\",\"took\":\"218.912\u00b5s\",\"ts\":\"2020-04-12T07:23:44.414494933Z\",\"user\"\nApr 12 10:23:44 u18 fleet[6777]: {\"address\":\"0.0.0.0:8080\",\"msg\":\"listening\",\"transport\":\"https\",\"ts\":\"2020-04-12T07:23:44.418368662Z\"}<\/code><\/pre>\n\n\n\n

Access Kolide Fleet Web Interface<\/h3>\n\n\n\n

Kolide Fleet can be accessed on the browser using the URL https:\/\/<server-IP_OR_hostname>:8080<\/strong>.<\/p>\n\n\n\n


Set up your username, password, email and organization details, then proceed to the Kolide web interface.<\/p>\n\n\n\n