Sadly this one took weeks because it involved Security Onion, Docker, Kolide Launcher, FleetDM and various bits that I obviously made up because I’m insane.
If you just want the code, go here for the latest version
What’s the problem?
When you first install Security Onion, it generates a self-signed SSL certificate for the nginx web server and a self-signed intermediate certificate to add to Fleet so the client can verify secure communications with the Server.
However when you download the Mac client, it isn’t customised and ready to install. The instructions say you must 1. Update the hostname and port in the .flags file, 2. add the contents of the self-signed intermediate certificate into the content-less version provided in the .pkg
But I discovered a couple of issues with this- nothing I did would allow a client to connect… OSQuery basically trusts anything you put in the roots.pem file, but I suspect macOS was barfing because the self-singed cert was for the hostname, and the hostname was different from the FQDN.
I wasn’t happy using self-signed certificates anyway, so I figured out a way to fix that. Then the real work began of cross referencing all the disparate bits of info to figure out what on earth is going on…
The solution turned out to be stupidly simple.
If you delete the roots.pem certificate, Launcher notes this in the logs and falls back to the OS trust framework. That’s it. It still uses ssl/tls to talk to the Server. It trusts the Server cert because macOS trusts it (as long as it is not self signed- remember we added LetsEncrypt for this). So I made a script that modifies the files that pkg-launcher.pkg lays down on the operating system.
Here’s the code, but go to Github for the latest version…
#!/bin/sh
# this script will configure a Kolide Launcher downloaded from Security Onion for macOS after it is installed
# add this as a postinstall script to your MDM. Tested with Mosyle
# let's grab some variables
fqdn=so_fqdn # example 'sec_onion.domain.com'
hostname=so_hostname # your hostname, not FQDN! Example 'sec_onion'
secret=so_secret # get this from so by executing 'sudo salt-call pillar.get secrets:fleet_enroll-secret'
port=8090 # external port 8090 for Fleet proxies to 8080 internally via nginx proxy
# Now unload the launchd
launchctl unload /Library/LaunchDaemons/com.so-launcher.launcher.plist
# add the enrol secret to /etc/so-launcher/secret
echo $secret > /etc/so-launcher/secret
# now remove the roots.pem cert so Launcher will rely on the computers' built in cert store
rm -rf /etc/so-launcher/roots.pem
# this is kind of dumb because it could be done more accurately in one step, but it's more flexible?
# add the hostname to the launcher.flags file
sed -i '' "s/fqdn:443/$fqdn:443/" /etc/so-launcher/launcher.flags
# add the port numnber to the launcher.flags file
sed -i '' "s/$fqdn:443/$fqdn:$port/" /etc/so-launcher/launcher.flags
# remove the reference to roots.pem certificate file
sed -i '' "/root_pem/d" /etc/so-launcher/launcher.flags
# reload the launchd
launchctl load /Library/LaunchDaemons/com.so-launcher.launcher.plist
echo 'Kolide Launcher modified successfully'
exit 0