The Kolide Osquery Launcher
The Kolide Osquery Launcher is a lightweight launcher/manager which offers a few extra capabilities on top of osquery:
- secure automatic updates of osquery
- many additional tables
- tooling to generate deployment packages for a variety of platforms
The documentation for this project is included on GitHub in the docs subdirectory of the repository.
Secure Osquery Autoupdater
Osquery is statically linked, which makes it easy to bundle and distribute new capabilities in a single binary. The flip side is that you have to maintain excellent osquery update hygiene in order to take advantage of emerging osquery capabilities.
The Launcher includes the ability to securely manage and autoupdate osquery instances. This is implemented using The Update Framework (TUF), a specification for secure software update systems. The spec describes a client/server model in which the client is the software to be updated and the server is the update server that publishes signed metadata describing the releases it offers; the client verifies that metadata against keys it already trusts before it accepts any update. For our implementation, we use Docker Notary as our TUF server and a Go client library that we built in-house.
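To make the client-side half of that model concrete, here is an added example in Go. It is not Launcher's code and not its in-house TUF client; it is a deliberately reduced sketch that keeps only a single signed "targets" role with pinned Ed25519 keys, where real TUF layers root, snapshot and timestamp roles on top. The type and function names (TargetsSigned, Client, VerifyMetadata, VerifyTarget) and the demo keys and stand-in binary are all constructed for this example. It shows the checks an updater must make before swapping in a new osqueryd: a threshold of distinct trusted signatures over canonical metadata bytes, metadata expiry, a version that never moves backwards, and an exact length and SHA-256 match on the downloaded file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Simplified TUF "targets" role (real TUF adds root, snapshot and timestamp
// roles): the valid files, an expiry, and a version so clients refuse to go back.
type TargetsSigned struct {
	Version int               `json:"version"`
	Expires time.Time         `json:"expires"`
	Targets map[string]Target `json:"targets"` // name -> pinned length and SHA-256
}
type Target struct {
	Length int    `json:"length"`
	SHA256 string `json:"sha256"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"` // hex Ed25519 signature over canonical(Signed)
}
type SignedTargets struct {
	Signed     TargetsSigned `json:"signed"`
	Signatures []Signature   `json:"signatures"`
}

// Client: pinned role keys, signature threshold, last accepted version (rollback guard).
type Client struct {
	Keys        map[string]ed25519.PublicKey
	Threshold   int
	LastVersion int
}

// canonical: deterministic bytes to sign (encoding/json sorts map keys, keeps field order).
func canonical(s TargetsSigned) []byte { b, _ := json.Marshal(s); return b }
// Sign is the server side: every private key signs the canonical bytes.
func Sign(signed TargetsSigned, keys map[string]ed25519.PrivateKey) SignedTargets {
	st := SignedTargets{Signed: signed}
	for id, k := range keys {
		st.Signatures = append(st.Signatures, Signature{KeyID: id, Sig: hex.EncodeToString(ed25519.Sign(k, canonical(signed)))})
	}
	return st
}

// VerifyMetadata accepts metadata only if enough distinct pinned keys signed it, it is unexpired, and its version has not gone backwards.
func (c *Client) VerifyMetadata(st SignedTargets) error {
	msg := canonical(st.Signed)
	seen := map[string]bool{} // distinct key IDs with a valid signature
	for _, s := range st.Signatures {
		pub, ok := c.Keys[s.KeyID] // unknown key IDs never count
		sig, err := hex.DecodeString(s.Sig)
		if ok && err == nil && ed25519.Verify(pub, msg, sig) {
			seen[s.KeyID] = true // the same key repeated still counts once
		}
	}
	switch {
	case len(seen) < c.Threshold:
		return fmt.Errorf("%d valid signatures, need %d", len(seen), c.Threshold)
	case !time.Now().Before(st.Signed.Expires):
		return fmt.Errorf("targets metadata expired at %s", st.Signed.Expires)
	case st.Signed.Version < c.LastVersion:
		return fmt.Errorf("rollback: version %d < last accepted %d", st.Signed.Version, c.LastVersion)
	}
	c.LastVersion = st.Signed.Version
	return nil
}

// VerifyTarget checks a downloaded file against already-verified metadata before install.
func VerifyTarget(st SignedTargets, name string, data []byte) error {
	t, ok := st.Signed.Targets[name]
	if !ok {
		return fmt.Errorf("%q is not a listed target", name)
	}
	if len(data) != t.Length { // cheap check first: drop oversized downloads before hashing
		return fmt.Errorf("length %d, expected %d", len(data), t.Length)
	}
	if sum := sha256.Sum256(data); hex.EncodeToString(sum[:]) != t.SHA256 {
		return fmt.Errorf("sha256 mismatch for %q", name)
	}
	return nil
}

// Digest returns the hex SHA-256 recorded in a Target entry.
func Digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Demo keys, generated here only for the example; a real client pins public keys delivered through root metadata.
var PubA, PrivA, _ = ed25519.GenerateKey(rand.Reader)
var PubB, PrivB, _ = ed25519.GenerateKey(rand.Reader)

func main() {
	bin := []byte("constructed stand-in for an osqueryd build")
	meta := TargetsSigned{Version: 2, Expires: time.Now().Add(time.Hour), Targets: map[string]Target{"osqueryd": {Length: len(bin), SHA256: Digest(bin)}}}
	st := Sign(meta, map[string]ed25519.PrivateKey{"A": PrivA, "B": PrivB})
	c := &Client{Keys: map[string]ed25519.PublicKey{"A": PubA, "B": PubB}, Threshold: 2, LastVersion: 1}
	fmt.Println(c.VerifyMetadata(st), VerifyTarget(st, "osqueryd", bin), VerifyTarget(st, "osqueryd", append(bin, '!')))
}
```

The order of checks matters: the file is never hashed, let alone installed, until the metadata describing it has passed the signature, expiry and rollback checks, and the length is compared before the hash so an attacker who controls the download channel cannot make the client hash an arbitrarily large file.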
Because we understand the security implications of an osquery autoupdater, NCC Group was contracted to perform a security audit of our in-house TUF client library. This report is available for public review. NCC Group has also previously performed assessments on Docker Notary and Osquery as well.
gRPC Server Specification and Implementation
Osquery has a very extensible plugin architecture that allows it to be heavily customized. The included TLS plugins are used by many existing osquery management servers, but the design of the TLS API leaves much to be desired. The Launcher includes a set of gRPC plugins for remote communication with a gRPC server. The server specification is independently published and versioned.
Many Additional Tables
Osquery exposes a lot of information, but there is always more. Launcher includes all of the Kolide tables, exposing a wealth of additional information.
Reduced Configuration Surface
The osqueryd binary was designed to be very configurable, which allows it to be used in very different environments. The Launcher wraps osqueryd configuration and exposes a small set of high-level options that allow you to easily connect osquery to a server that is compliant with the gRPC specification.
To learn about The Launcher's command-line interface, see the Launcher documentation.
Easy Packaging and Deployment Tooling
Deploying osquery and configuring it to communicate with a management server can be complicated, especially if you have to make customized deployment packages. The Launcher includes a tool called package-builder which you can use to create Launcher packages for
To learn more about using package-builder to package and deploy osquery, check out the documentation.
Want to go directly to insights? Not sure how to package Launcher or manage your Fleet?
Try our osquery SaaS platform providing insights, alerting, fleet management and user-focused security tools. We also support advanced aggregation of osquery results for power users. Get started immediately, with your 14-day free trial today. Launcher packages customized for your organization can be downloaded in-app after signup.
Go packages in the repository
- Code generated by go-bindata.
- Package autoupdate provides a TUF Updater for the launcher and related binaries.
- Package dataflatten contains tools to flatten complex data structures.
- Some simple EFI utilities.
- Package execwrapper provides an Exec method that should work on POSIX or Windows systems.
- Package filetee provides a go-kit compatible log mirroring tool.
- Package applenotarization is a wrapper around the Apple notarization tools.
- Package wix is a lightweight wrapper around the WiX toolset.
- Package service defines the interface used by the launcher to communicate with the Kolide server.
- Package windowsupdate provides a go-ole interface to the Windows Update Agent.
- Package wmi provides a basic interface for querying against WMI.