{"id":7989,"date":"2021-03-20T13:21:16","date_gmt":"2021-03-20T10:21:16","guid":{"rendered":"https:\/\/kifarunix.com\/?p=7989"},"modified":"2024-03-19T18:48:39","modified_gmt":"2024-03-19T15:48:39","slug":"install-fleet-osquery-manager-on-ubuntu","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-fleet-osquery-manager-on-ubuntu\/","title":{"rendered":"Install Fleet Osquery Manager on Ubuntu 20.04\/Ubuntu 22.04"},"content":{"rendered":"\n

In this tutorial, you will learn how to install Fleet<\/a> osquery manager on Ubuntu 20.04\/Ubuntu 22.04. With the official retirement of Kolide Fleet as of November 4th, 2020, there is now another Fleet<\/a> that offers the same functionality as Kolide Fleet. According to its Github repository<\/a>, “Fleet is the most widely used open source osquery manager. Deploying osquery with Fleet enables programmable live queries, streaming logs, and effective management of osquery across 50,000+ servers, containers, and laptops. It’s especially useful for talking to multiple devices at the same time.<\/em>“<\/p>\n\n\n\n

If you are using Debian 10, follow the guide below to install Fleet Osquery on Debian 10;<\/p>\n\n\n\n

Install Fleet Osquery Manager on Debian 10<\/a><\/p>\n\n\n\n

Install Osquery Fleet Manager on Ubuntu<\/h2>\n\n\n\n

Prerequisites<\/h3>\n\n\n\n

In order to install Fleet osquery manager on Ubuntu, there are a few requirements. In our setup, we will be using Ubuntu 20.04\/Ubuntu 22.04 as our base OS.<\/p>\n\n\n\n

Install MySQL Database on Ubuntu 20.04\/Ubuntu 22.04<\/h4>\n\n\n\n

Fleet uses MySQL as its main database.<\/p>\n\n\n\n

In this setup, we will use the MariaDB database. Hence, create the latest MariaDB (currently v10.8) APT repository;<\/p>\n\n\n\n

apt install software-properties-common gnupg2 zip -y<\/code><\/pre>\n\n\n\n
wget -qO- https:\/\/mariadb.org\/mariadb_release_signing_key.asc | gpg --dearmor > \/etc\/apt\/trusted.gpg.d\/mariadb.gpg<\/code><\/pre>\n\n\n\n
echo \"deb [arch=amd64] http:\/\/sfo1.mirrors.digitalocean.com\/mariadb\/repo\/10.8\/ubuntu $(lsb_release -sc) main\" > \/etc\/apt\/sources.list.d\/mariadb-10.8.list<\/code><\/pre>\n\n\n\n

If you need to, you can choose other MariaDB mirrors closer to your region<\/a>.<\/p>\n\n\n\n

Update your package cache.<\/p>\n\n\n\n

apt update<\/code><\/pre>\n\n\n\n

Run the command below to install MariaDB server 10.5 on Ubuntu 20.04;<\/p>\n\n\n\n

apt install mariadb-server<\/code><\/pre>\n\n\n\n

MariaDB is started and enabled to run on system boot upon installation.<\/p>\n\n\n\n

systemctl status mariadb.service<\/code><\/pre>\n\n\n\n
\n\u25cf mariadb.service - MariaDB 10.8.5 database server\n     Loaded: loaded (\/lib\/systemd\/system\/mariadb.service; enabled; vendor preset: enabled)\n    Drop-In: \/etc\/systemd\/system\/mariadb.service.d\n             \u2514\u2500migrated-from-my.cnf-settings.conf\n     Active: active (running) since Mon 2022-09-26 17:16:45 UTC; 2min 4s ago\n       Docs: man:mariadbd(8)\n             https:\/\/mariadb.com\/kb\/en\/library\/systemd\/\n    Process: 3526 ExecStartPre=\/usr\/bin\/install -m 755 -o mysql -g root -d \/var\/run\/mysqld (code=exited, status=0\/SUCCESS)\n    Process: 3527 ExecStartPre=\/bin\/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0\/SUCCESS)\n    Process: 3529 ExecStartPre=\/bin\/sh -c [ ! -e \/usr\/bin\/galera_recovery ] && VAR= ||   VAR=`cd \/usr\/bin\/..; \/usr\/bin\/galera_recovery`; [ $? -eq 0 ]   && systemctl set-en>\n    Process: 3575 ExecStartPost=\/bin\/sh -c systemctl unset-environment _WSREP_START_POSITION (code=exited, status=0\/SUCCESS)\n    Process: 3577 ExecStartPost=\/etc\/mysql\/debian-start (code=exited, status=0\/SUCCESS)\n   Main PID: 3558 (mariadbd)\n     Status: \"Taking your SQL requests now...\"\n      Tasks: 9 (limit: 4574)\n     Memory: 78.1M\n        CPU: 359ms\n     CGroup: \/system.slice\/mariadb.service\n             \u2514\u25003558 \/usr\/sbin\/mariadbd\n\nSep 26 17:16:45 jellyfish mariadbd[3558]: 2022-09-26 17:16:45 0 [Note] Plugin 'FEEDBACK' is disabled.\nSep 26 17:16:45 jellyfish mariadbd[3558]: 2022-09-26 17:16:45 0 [Note] InnoDB: Loading buffer pool(s) from \/var\/lib\/mysql\/ib_buffer_pool\nSep 26 17:16:45 jellyfish mariadbd[3558]: 2022-09-26 17:16:45 0 [Warning] You need to use --log-bin to make --expire-logs-days or --binlog-expire-logs-seconds work.\nSep 26 17:16:45 jellyfish mariadbd[3558]: 2022-09-26 17:16:45 0 [Note] Server socket created on IP: '127.0.0.1'.\nSep 26 17:16:45 jellyfish mariadbd[3558]: 2022-09-26 17:16:45 0 [Note] InnoDB: Buffer pool(s) load completed at 220926 17:16:45\nSep 26 17:16:45 jellyfish mariadbd[3558]: 2022-09-26 17:16:45 0 [Note] \/usr\/sbin\/mariadbd: ready for connections.\nSep 26 17:16:45 jellyfish mariadbd[3558]: Version: '10.8.5-MariaDB-1:10.8.5+maria~ubu2204'  socket: '\/run\/mysqld\/mysqld.sock'  port: 3306  mariadb.org binary distribution\nSep 26 17:16:45 jellyfish systemd[1]: Started MariaDB 10.8.5 database server.\n<\/code><\/pre>\n\n\n\n

Create Fleet Database and Database User<\/h4>\n\n\n\n

Run the initial MySQL security script, mysql_secure_installation<\/strong>, to remove anonymous database users and test tables and to disable remote root login.<\/p>\n\n\n\n

mysql_secure_installation<\/code><\/pre>\n\n\n\n

By default, MariaDB 10.5 uses unix_socket for authentication and hence, you can log in by just running mysql -u root<\/strong><\/code>. If you have however enabled password authentication, simply run;<\/p>\n\n\n\n

mysql -u root -p<\/code><\/pre>\n\n\n\n

Next, create the Fleet database.<\/p>\n\n\n\n

Note:<\/strong> the database names used here are not standard. Choose any name of your preference.<\/strong><\/p>\n\n\n\n

create database fleetdb;<\/code><\/pre>\n\n\n\n

Create a Fleet database user with all grants on the Fleet DB created above.<\/p>\n\n\n\n

grant all on fleetdb.* to fleetadmin@localhost identified by 'StrongP@SS';<\/code><\/pre>\n\n\n\n

Reload privileges tables and exit the database;<\/p>\n\n\n\n

flush privileges;\nexit<\/code><\/pre>\n\n\n\n

Install Redis on Ubuntu 20.04\/Ubuntu 22.04<\/h4>\n\n\n\n

Fleet uses Redis to ingest and queue the results of distributed queries, cache data, etc.<\/em><\/p>\n\n\n\n

To install the latest stable version of Redis, run the command below;<\/p>\n\n\n\n

curl -fsSL https:\/\/packages.redis.io\/gpg | gpg --dearmor > \/etc\/apt\/trusted.gpg.d\/redis.gpg <\/code><\/pre>\n\n\n\n
echo \"deb https:\/\/packages.redis.io\/deb $(lsb_release -cs) main\" > \/etc\/apt\/sources.list.d\/redis.list<\/code><\/pre>\n\n\n\n

Next, update the package cache;<\/p>\n\n\n\n

apt update<\/code><\/pre>\n\n\n\n

Install Redis on Ubuntu 20.04\/Ubuntu 22.04;<\/p>\n\n\n\n

apt install redis<\/code><\/pre>\n\n\n\n

Redis server is similarly started upon installation;<\/p>\n\n\n\n

systemctl status redis-server.service<\/code><\/pre>\n\n\n\n
\n\u25cf redis-server.service - Advanced key-value store\n     Loaded: loaded (\/lib\/systemd\/system\/redis-server.service; disabled; vendor preset: enabled)\n     Active: active (running) since Mon 2022-09-26 17:24:43 UTC; 25s ago\n       Docs: http:\/\/redis.io\/documentation,\n             man:redis-server(1)\n   Main PID: 4457 (redis-server)\n     Status: \"Ready to accept connections\"\n      Tasks: 5 (limit: 4574)\n     Memory: 2.8M\n        CPU: 100ms\n     CGroup: \/system.slice\/redis-server.service\n             \u2514\u25004457 \"\/usr\/bin\/redis-server 127.0.0.1:6379\" \"\" \"\" \"\" \"\" \"\" \"\" \"\"\n\nSep 26 17:24:43 jellyfish systemd[1]: Starting Advanced key-value store...\nSep 26 17:24:43 jellyfish systemd[1]: Started Advanced key-value store.\n<\/code><\/pre>\n\n\n\n

Enable it to run on system boot;<\/p>\n\n\n\n

systemctl enable redis-server<\/code><\/pre>\n\n\n\n

Installing Osquery Fleet Manager on Ubuntu<\/h3>\n\n\n\n

Install the Fleet binary on Ubuntu 20.04\/Ubuntu 22.04<\/h4>\n\n\n\n

The Fleet application is distributed as a single static binary. This binary serves:<\/em><\/p>\n\n\n\n