9ad246876c
# Overview This PR adds support for remote YARA queries to osquery-perf, so that remote YARA queries can be load-tested. # Details The existing `runLiveQuery()` is updated to branch off into different query running functions based on the content of the query. If the query contains `from yara` and `sigurl`, then the new `runLiveYaraQuery()` function is run which makes a request to the Fleet "get yara rules" API before returning an appropriate response. Otherwise, the new `RunLiveMockQuery()` function is run which includes the previous logic for sending a mock response. # Testing I don't see any automated testing for osquery-perf, but I manually tested in the following way: 1. Started osquery-perf with `go run agent.go` 2. Ran a live query on the new host using ``` SELECT * FROM yara where sigurl="https://localhost:8080/api/osquery/yara/rule1.yar" ``` and verified that the result was as-expected: <img width="1642" alt="image" src="https://github.com/user-attachments/assets/a2c9cacf-e28d-409c-8e83-1c82809b89c0" /> I also used a log in Fleet to verify that the "get yara rules" API was really being called. 3. Ran another live query on the host using: ``` SELECT * FROM system_info" ``` and verified that the result was as expected: <img width="1665" alt="image" src="https://github.com/user-attachments/assets/a8d35389-f193-4902-badf-200d760fdf46" /> I also tested that sending a `sigurl` with the wrong host returns a `live yara query failed because sigurl host did not match server address` error # Checklist for submitter <!-- Note that API documentation changes are now addressed by the product design team. --> - [X] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. |
||
|---|---|---|
| .. | ||
| installer_cache | ||
| agent.go | ||
| ipad_13.18.tmpl | ||
| iphone_14.6.tmpl | ||
| mac10.14.6.tmpl | ||
| macos_13.6.2.tmpl | ||
| macos_14.1.2.tmpl | ||
| macos_vulnerable.software | ||
| README.md | ||
| ubuntu_22.04.tmpl | ||
| ubuntu_2204-software.json.bz2 | ||
| vscode_extensions_vulnerable.software | ||
| windows_11-software.json.bz2 | ||
| windows_11.tmpl | ||
| windows_11_22H2_2861.tmpl | ||
| windows_11_22H2_3007.tmpl | ||
Osquery Server Performance Tester
This is a tool to generate realistic traffic to an osquery management server (primarily, Fleet). With this tool, many thousands of hosts can be simulated from a single host.
Requirements
The only requirement for running this tool is a working installation of Go.
Usage
Typically go run is used.
You can use --help to view the available configuration:
go run agent.go --help
The tool should be invoked with the appropriate enroll secret. A typical invocation looks like:
go run agent.go --enroll_secret hgh4hk3434l2jjf
When starting many hosts, it is a good idea to extend the intervals, and also the period over which the hosts are started:
go run agent.go --enroll_secret hgh4hk3434l2jjf --host_count 5000 --start_period 5m --query_interval 60s --config_interval 5m
This will start 5,000 hosts over a period of 5 minutes. Each host will check in for live queries at a 1 minute interval, and for configuration at a 5 minute interval. Starting over a 5 minute period ensures that the configuration requests are spread evenly over the 5 minute interval.
It can be useful to start the "same" hosts. This can be achieved with the
--seed parameter:
go run agent.go --enroll_secret hgh4hk3434l2jjf --seed 0
By using the same seed, along with other values, we usually get hosts that look the same to the server. This is not guaranteed, but it is a useful technique.
By default, all hosts will simulate macOS hosts (specifically, macOS 10.14). To simulate hosts using other operating systems, use the --os_templates flag. This flag takes a comma-separated list of host template names and will start hosts by alternating in the list of OS templates when multiple templates are specified. For example:
go run agent.go --enroll_secret hgh4hk3434l2jjf --os_templates ubuntu_22.04,windows_11 --host_count 6
would start 3 Ubuntu hosts and 3 Windows hosts. See the os_templates flag description in go run agent.go --help for the list of supported template names.
Controlling Agent Behavior From the Fleet UI
Specify Query Results
Using the naming convention MyQuery_10 (name separated by _number) will instruct agents to
return 10 rows for that query
Control policy pass/fail per policy
In the Policy SQL:
select 1will instruct agents to send back only passing responsesselect 0will instruct agents to send back only failing responses
Running Locally (Development Environment)
First, ensure your Fleet local development environment is up and running. Refer to Building Fleet for details. Once this is done:
- navigate to the Hosts tab of your Fleet web interface (typically, this would be at https://localhost:8080/hosts/manage).
- click on "Manage enroll secret" and copy the enroll secret.
- start the
osquery-perfagent (from the root of the Fleet repository, it would bego run ./cmd/osquery-perf/agent.go --enroll_secret <paste-the-secret>).
Alternatively, you can retrieve the enroll secret from the command-line using fleetctl get enroll_secret (you may have to login to fleetctl first).
The agent will start. You can connect to MySQL to view changes made to the development database by the agent (e.g., at the terminal, with docker-compose exec mysql mysql -uroot -ptoor -Dfleet). Remember that frequency of the reported data depends on the configuration of the Fleet instance, so you may want to start it with shorter delays for some cases and enable debug logging (e.g., ./build/fleet serve --dev --logging_debug --osquery_detail_update_interval 1m).
Resource Limits
On many systems, trying to simulate a large number of hosts will result in hitting system resource limits (such as number of open file descriptors).
If you see errors such as dial tcp: lookup localhost: no such host or read: connection reset by peer, try increasing these limits.
macOS
Run the following command in the shell before running the Fleet server and before running agent.go (run it once in each shell):
ulimit -n 64000
Running with MDM
Set up MDM on your server. To extract the SCEP challenge, you can use the MDM asset extractor.
For your server, disable Apple push notifications since we will be using devices with fake UUIDs:
export FLEET_DEV_MDM_APPLE_DISABLE_PUSH=1
Example of running the agent with MDM. Note that enroll_secret is not needed for iPhone/iPad devices:
go run agent.go --os_templates ipad_13.18,iphone_14.6 --host_count 10 --mdm_scep_challenge 0d53306e-6d7a-9d14-a372-f9e53f9d62db
Installing software
The agent can install software for "macos", "ubuntu", and "windows" OSs when running with orbit agent. The following options control the installation behavior:
--software_installer_pre_install_fail_prob: default 0.05,select 1always passes andselect 0always fails--software_installer_install_fail_prob: default 0.05,exit 0always passes andexit 1always fails--software_installer_post_install_fail_prob: default 0.05,exit 0always passes andexit 1always fails