Add capability to serve YARA rules via authenticated Fleet endpoints #23343
Conversation
Part of #14899, this implements the ability for Fleet to server up yara rules with the usual osquery (node key) authentication. The relevant changes to allow authentication via osquery are shipped in osquery 5.14.
|
@sharon-fdm IIRC we had discussed the endpoint ops team helping out with a code review for this one. Can you please tag the appropriate person for review? Thanks! |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #23343 +/- ##
==========================================
- Coverage 63.09% 53.45% -9.64%
==========================================
Files 1555 1556 +1
Lines 147014 147147 +133
Branches 3666 3666
==========================================
- Hits 92754 78654 -14100
- Misses 46924 62036 +15112
+ Partials 7336 6457 -879
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
|
@zwass, sorry, this fell between the cracks. |
|
No worries I only just put it up an hour ago! |
There was a problem hiding this comment.
LGTM!
Left a few questions.
Also (from Noah comments on the issue):
- Let's add
yara_rulesto https://fleetdm.com/docs/configuration/yaml-files. - Add API changes to
PATCH/GET /api/latest/fleet/configendpoints. - CI failures:
- Maybe reorder migrations yet again and run
make dump-test-schema? - lint checks 🙈
- test-native-packaging can be ignored (was fixed on main)
- Go tests seem a-ok, failures are known flaky tests.
- Maybe reorder migrations yet again and run
(We usually do a separate PR for the docs to not block the merge on docs changes.)
| @@ -0,0 +1 @@ | |||
| * Add capability for Fleet to serve yara rules to agents over HTTPS authenticated via node key. | |||
| @@ -0,0 +1 @@ | |||
| * Add capability for Fleet to serve yara rules to agents over HTTPS authenticated via node key. | |||
There was a problem hiding this comment.
Let's clarify it needs osquery 5.14.X on the hosts.
| @@ -115,6 +115,7 @@ type osqueryOptions struct { | |||
| TlsDisableStatusLog bool `json:"tls_disable_status_log"` | |||
| Verbose bool `json:"verbose"` | |||
| YaraDelay uint32 `json:"yara_delay"` | |||
| YaraSigurlAuthenticate bool `json:"yara_sigurl_authenticate"` | |||
There was a problem hiding this comment.
It should also be added to osqueryCommandLineFlags (was this edited manually or did auto generation not add it?)
| CREATE TABLE yara_rules ( | ||
| id INT(10) UNSIGNED NOT NULL AUTO_INCREMENT, | ||
| name VARCHAR(255) NOT NULL, | ||
| contents TEXT NOT NULL, |
There was a problem hiding this comment.
How big can these get?
https://github.com/Yara-Rules/rules/blob/master/crypto/crypto_signatures.yar listed in the osquery docs https://osquery.readthedocs.io/en/stable/deployment/yara/#continuous-monitoring-using-the-yara_events-table is ~76KB.
Eventually if customers/users need bigger rules we can migrate and store them in S3.
| rules, ok := asMap["yara_rules"] | ||
| if !ok { | ||
| // yara_rules is not present | ||
| return nil, nil |
There was a problem hiding this comment.
return []fleet.YaraRuleSpec{}, nil
GitOps mode is so that if it's not defined or set then the settings are removed/cleared.
That is,
org_settings:
(without putting yara_rules:) should also clear yara rules.
Implements the Fleet side of #14899
Checklist for submitter
If some of the following don't apply, delete the relevant line.
changes/,orbit/changes/oree/fleetd-chrome/changes.See Changes files for more information.
SELECT *is avoided, SQL injection is prevented (using placeholders for values in statements)cmd/osquery-perffor new osquery data ingestion features.COLLATE utf8mb4_unicode_ci).