A containerized setup for Catch, ELK and Kolide Fleet server, for automated HITRUST security audits of servers/containers and macOS workstations.
Kolide Fleet server needs to be configured to use TLS certificates for communication with the osquery agents. These certificates should be generated and placed in the kolide/certs directory:
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 366 -in server.csr -signkey server.key -out server.cert
The resulting server.cert certificate is automatically appended to the Kolide container's /etc/ssl/certs/ca-certificates.crt trusted certificate list when the container starts. Keep server.key readable only by the account that runs the containers.
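As an added example (not code from the elk-kolide-osquery project), the following script produces the same server.key/server.cert pair in one step but with a subjectAltName extension, which current TLS clients (browsers, and Go-based tools such as fleetctl when built with Go 1.15 or later) require for hostname verification; a CN-only certificate like the one the three commands above produce is rejected by them. The hostname kolideserver, the output directory and the helper name gen_fleet_cert are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the elk-kolide-osquery repository: generate the
# Kolide Fleet TLS key pair with a subjectAltName so that fleetctl and the
# osquery agents can verify the server hostname. The hostname "kolideserver"
# and the output directory are assumptions; adjust them to your deployment.
set -e

# gen_fleet_cert DIR HOST [DAYS]
# Writes DIR/server.key and DIR/server.cert (self-signed, RSA-4096, SHA-256)
# whose SAN covers HOST and HOST.local. Returns 0 when the certificate carries
# the SAN and matches the private key, 1 otherwise.
gen_fleet_cert() {
    dir="$1"; host="$2"; days="${3:-366}"
    mkdir -p "$dir"
    # Request config: the CN alone is no longer used for hostname matching, so
    # the SAN extension is what clients will actually check.
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
CN = $host
[v3_req]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host,DNS:$host.local
EOF
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days "$days" \
        -keyout "$dir/server.key" -out "$dir/server.cert" \
        -config "$dir/san.cnf" 2>/dev/null
    chmod 600 "$dir/server.key"   # the private key must never be world-readable

    # Verify the result: SAN present, and the cert's public modulus matches the key.
    if ! openssl x509 -in "$dir/server.cert" -noout -text | grep -q "DNS:$host"; then
        echo "server.cert has no SAN for $host" >&2
        return 1
    fi
    cm=$(openssl x509 -in "$dir/server.cert" -noout -modulus)
    km=$(openssl rsa -in "$dir/server.key" -noout -modulus 2>/dev/null)
    if [ "$cm" != "$km" ]; then
        echo "server.cert does not match server.key" >&2
        return 1
    fi
    return 0
}

# Usage: sh gen_fleet_cert.sh kolide/certs kolideserver [days]
if [ $# -ge 2 ]; then
    gen_fleet_cert "$1" "$2" "${3:-366}"
fi
```

Run it as `sh gen_fleet_cert.sh kolide/certs kolideserver` and restart the Kolide container so the new certificate is appended to its trust store. If agents or fleetctl reach Fleet under a different name, put that name in the SAN; a certificate whose SAN does not contain the address in the URL fails verification regardless of the CN.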
A number of environment variables need to be set before executing setup.sh. The values below are placeholders: use unique, randomly generated secrets for the passwords and for JWT_KEY, which signs Kolide session tokens, and keep them out of shell history and version control.
export ELK_VERSION=7.6.2
export MYSQL_PASS=mysqlpass
export REDIS_PASS=redispass
export JWT_KEY=jwtkey
export ELASTIC_PASS=elasticpass
export JIRA_URL=https://jira.local
export JIRA_USER=jirauser
export JIRA_PASSWORD=jirapass
chmod +x setup.sh && ./setup.sh
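As an added example (not part of the elk-kolide-osquery project), the script below replaces the placeholder exports above with randomly generated secrets and refuses to start setup.sh while a required variable is missing or still holds one of the README's example values. The variable list mirrors the README; the function names, the 16-character minimum and the assumption that setup.sh is in the current directory are the example's own.

```shell
#!/bin/sh
# Added example, not part of the elk-kolide-osquery repository: generate strong
# secrets for the setup.sh environment and run a pre-flight check before
# setup.sh is executed. Assumes setup.sh is in the current directory.

REQUIRED_VARS="ELK_VERSION MYSQL_PASS REDIS_PASS JWT_KEY ELASTIC_PASS JIRA_URL JIRA_USER JIRA_PASSWORD"
SECRET_VARS="MYSQL_PASS REDIS_PASS JWT_KEY ELASTIC_PASS"
PLACEHOLDERS="mysqlpass redispass jwtkey elasticpass jirapass"

# gen_secret [BYTES]: print BYTES (default 32) of CSPRNG output as unpadded,
# URL-safe base64 so the value survives unquoted use in env files and URLs.
gen_secret() {
    openssl rand -base64 "${1:-32}" | tr -d '\n=' | tr '+/' '-_'
}

# check_required_env: 0 if every REQUIRED_VARS entry is set and non-empty,
# otherwise 1 with the missing names on stderr.
check_required_env() {
    missing=""
    for v in $REQUIRED_VARS; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            missing="$missing $v"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing required variables:$missing" >&2
        return 1
    fi
    return 0
}

# reject_placeholders: 1 if any secret variable still holds one of the README's
# example values or is shorter than 16 characters, otherwise 0.
reject_placeholders() {
    for v in $SECRET_VARS JIRA_PASSWORD; do
        eval "val=\${$v:-}"
        for p in $PLACEHOLDERS; do
            if [ "$val" = "$p" ]; then
                echo "$v is still the README placeholder value" >&2
                return 1
            fi
        done
        if [ ${#val} -lt 16 ]; then
            echo "$v is shorter than 16 characters" >&2
            return 1
        fi
    done
    return 0
}

# --run: fill in any unset Kolide/ELK secret with a fresh random value, then
# run setup.sh. The JIRA_* values are credentials for an existing server and
# must be supplied by you; they are never generated here.
if [ "${1:-}" = "--run" ]; then
    export ELK_VERSION="${ELK_VERSION:-7.6.2}"
    for v in $SECRET_VARS; do
        eval "[ -n \"\${$v:-}\" ] || export $v=\"\$(gen_secret)\""
    done
    check_required_env && reject_placeholders && chmod +x setup.sh && ./setup.sh
fi
```

Invoke it as `JIRA_URL=https://jira.local JIRA_USER=jirauser JIRA_PASSWORD='...' sh preflight.sh --run`. The generated database, Redis and Elasticsearch passwords are needed again whenever the containers are recreated, so record them in a secrets store rather than relying on the shell session.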
Kolide needs to be configured after its container has been launched. Access the Kolide server via https://kolideserver:8080/ and follow the setup instructions.
No query packs are installed on Kolide by default. To add query packs you'll need to download the fleetctl binary from https://github.com/kolide/fleet/releases to your workstation.
Add the generated server.cert to your workstation's trusted certificate store, otherwise fleetctl will produce TLS errors while trying to communicate with Kolide (if your fleetctl release offers a --rootca flag, listed by fleetctl config set --help, you can point it at server.cert instead of trusting it system-wide). Do not work around the errors with certificate verification disabled: fleetctl sends your Kolide credentials over that connection. Copy the osquery query pack to the same folder as fleetctl and then run the following:
fleetctl config set --address https://kolideserver:8080
fleetctl login
mkdir ~/querypacks
cp elk-kolide-osquery/catch/osquery_packs/servers/hitrust-ubuntu-containers-pack.conf ~/querypacks
fleetctl convert -f ~/querypacks/hitrust-ubuntu-containers-pack.conf > ~/querypacks/hitrust-ubuntu-containers-pack.yaml
fleetctl apply -f ~/querypacks/hitrust-ubuntu-containers-pack.yaml
Verify that you can see the installed query pack on the Kolide web interface under the packs section. Then select the uploaded pack in Kolide and choose "edit pack". Edit the target hosts you'd like the query pack to be applied to and save. This will push the query pack down to the selected target hosts' osquery agents and configure them to be used.
Currently, Catch is configured to do HITRUST security audits for servers/containers and macOS workstations. However, the configuration files have been designed in a versatile way so that new query packs can be created for just about any auditing standard that can be measured on hosts via osquery. Catch will load all server configurations in the catch/osquery_packs/servers/ path and workstation configurations in the catch/osquery_packs/workstations/ path.
Audits are run by requesting the audit endpoint with the group of hosts to check as the filter:
https://catch.local:9090/audit?filter=servers
https://catch.local:9090/audit?filter=workstations
A Prometheus metrics endpoint has been included at https://catch.local:9090/metrics
An audit can automatically generate a Jira ticket for each failed HITRUST control reference on each host by appending &jira=1 to the audit URL. Ensure that the Jira environment variables have been set so Catch can authenticate to the Jira server before using this functionality. For example:
https://catch.local:9090/audit?filter=servers&jira=1