Orbit is Fleet's osquery runtime and autoupdater. With Orbit, it's easy to deploy osquery, manage configurations, and stay up to date. Orbit eases the deployment of osquery connected with a Fleet server, and is a (near) drop-in replacement for osquery in a variety of deployment scenarios.
With fleetctl preview already running and Go installed:
# From within the top-level directory of this repo…
# Generate a macOS installer pointed at your local Fleet
go run ./cmd/package --type=pkg --fleet-url=localhost:8412 --insecure --enroll-secret=YOUR_FLEET_ENROLL_SECRET_HEREAn installer configured to point at your Fleet instance has now been generated.
Now run that installer (double click, on a Mac) to enroll your own computer as a host in Fleet. In Fleet, after several seconds, you should now see your local computer as a new host.
| Capability | Status |
|---|---|
| Secure autoupdate for osquery | ✅ |
| Secure autoupdate for Orbit | ✅ |
| Configurable update channels | ✅ |
| Full osquery flag customization | ✅ |
Package tooling for macOS .pkg |
✅ |
Package tooling for Linux .deb |
✅ |
Package tooling for Linux .rpm |
✅ |
Package tooling for Windows .msi |
🔜 |
| Manage/update osquery extensions | 🔜 |
| Manage cgroups for Linux performance | 🔜 |
General information and flag documentation can be accessed by running orbit --help.
Orbit generally expects root permissions to be able to create and access it's working files.
To get root level permissions:
Prefix orbit commands with sudo (sudo orbit ...) or run in a root shell.
Run Powershell or cmd.exe with "Run as administrator" and start orbit commands from that shell.
Run an osqueryi shell with orbit osqueryi or orbit shell.
Use the --fleet-url and --enroll-secret flags to connect to a Fleet server.
For example:
orbit --fleet-url=https://localhost:8080 --enroll-secret=the_secret_value Use --fleet_certificate to provide a path to a certificate bundle when necessary for osquery to verify the authenticity of the Fleet server (typically when using a Windows client or self-signed certificates):
orbit --fleet-url=https://localhost:8080 --enroll-secret=the_secret_value --fleet-certificate=cert.pem Add the --insecure flag for connections using otherwise invalid certificates:
orbit --fleet-url=https://localhost:8080 --enroll-secret=the_secret_value --insecure Orbit can be used as near drop-in replacement for osqueryd, enhancing standard osquery with autoupdate capabilities. Orbit passes through any options after -- directly to the osqueryd instance.
For example, the following would be a typical drop-in usage of Orbit:
orbit -- --flagfile=flags.txtOrbit, like standalone osquery, is typically deployed via OS-specific packages. Tooling is provided with this repository to generate installation packages.
-
macOS -
.pkgpackage generation with (optional) Notarization - Persistence vialaunchd. -
Linux -
.deb(Debian, Ubuntu, etc.) &.rpm(RHEL, CentOS, etc.) package generation - Persistence viasystemd. -
Windows (coming soon) -
.msipackage generation - Persistence via Services.
Before building packages, clone or download this repository and install Go.
Use go run ./cmd/package from this directory to run the packaging tools.
The only required parameter is --type, use one of deb, rpm, or pkg (msi coming soon).
Configure osquery to connect to a Fleet (or other TLS) server with the --fleet-url and --enroll-secret flags.
A minimal invocation for communicating with Fleet:
go run ./cmd/package --type deb --fleet-url=fleet.example.com --enroll-secret=notsosecretThis will build a .deb package configured to communicate with a Fleet server at fleet.example.com using the enroll secret notsosecret.
When the Fleet server uses a self-signed (or otherwise invalid) TLS certificate, package with the --insecure or --fleet-certificate options.
See go run ./cmd/package for the full range of packaging options.
Orbit uses the concept of "update channels" to determine the version of Orbit, osquery, and any extensions (extension support coming soon) to run. This concept is modeled from the common versioning convention for Docker containers.
Configure update channels for Orbit and osqueryd with the --orbit-channel and --osqueryd-channel flags when packaging.
| Channel | Versions |
|---|---|
4 |
4.x.x |
4.6 |
4.6.x |
4.6.0 |
4.6.0 |
Additionally stable and edge are special channel names. stable will always return the version Fleet deems to be stable, while edge will provide newer releases for beta testing.
Orbit's packager can automate the codesigning and Notarization steps to allow the resulting package to generate packages that appear "trusted" when install on macOS hosts. Signing & notarization are supported only on macOS hosts.
For signing, a "Developer ID Installer" certificate must be available on the build machine (generation instructions). Use security find-identity -v to verify the existence of this certificate and make note of the identifier provided in the left column.
For Notarization, valid App Store Connect credentials must be available on the build machine. Set these in the environment variables AC_USERNAME and AC_PASSWORD. It is common to configure this via app-specific passwords.
Build a signed and notarized macOS package with an invocation like the following:
[email protected] AC_PASSWORD=llpk-sije-kjlz-jdzw go run ./cmd/package --type pkg --fleet-url=fleet.example.com --enroll-secret=63SBzTT+2UyW --sign-identity 3D7260BF99539C6E80A94835A8921A988F4E6498 --notarizeThis process may take several minutes to complete as the Notarization process completes on Apple's servers.
After successful notarization, the generated "ticket" is automatically stapled to the package.
Orbit is inspired by the success of Kolide Launcher, and approaches a similar problem domain with new strategies informed by the challenges encountered in real world deployments.
- Both Orbit and Launcher use The Update Framework specification for managing updates. Orbit utilizes the official go-tuf library, while Launcher has it's own implementation of the specification.
- Orbit can be deployed as a (near) drop-in replacement for osquery, supporting full customization of the osquery flags. Launcher heavily manages the osquery flags making deployment outside of Fleet or Kolide's SaaS difficult.
- Orbit prefers the battle-tested plugins of osquery. Orbit uses the built-in logging, configuration, and live query plugins, while Launcher uses custom implementations.
- Orbit prefers the built-in osquery remote APIs. Launcher utilizes a custom gRPC API that has led to issues with character encoding, load balancers/proxies, and request size limits.
- Orbit encourages use of the osquery performance Watchdog, while Launcher disables the Watchdog.
Additionally, Orbit aims to tackle problems out of scope for Launcher:
- Configure updates via release channels, providing more granular control over agent versioning.
- Support for deploying and updating osquery extensions (🔜).
- Manage osquery versions and startup flags from a remote (Fleet) server (🔜).
- Further control of osquery performance via cgroups (🔜).
Yes! Orbit is licensed under an MIT license and all uses are encouraged.
Please join us in the #fleet channel on osquery Slack.
