Deploy YARA rules remotely and privately #14899

Closed
2 of 15 tasks
zayhanlon opened this issue Nov 2, 2023 · 33 comments
Labels: ~csa (Issue was created by or deemed important by the Customer Solutions Architect), customer-domon, customer-seidel, #g-orchestration (Orchestration product group), :release (Ready to write code. Scheduled in a release. See "Making changes" in handbook), story (A user story defining an entire feature)

Comments

zayhanlon commented Nov 2, 2023

User story
As a detection & response engineer,
I want to deploy YARA rules to agents remotely and privately from a server I host myself (separate from Fleet)
so I don't have to write rules to disk (too large of scope and too slow) or host rules on a non-private webserver (what osquery supports today).

Context

Why doesn't current YARA rule deployment with osquery work?

  • Too large of scope: If they wrote the rules to disk, any engineer (including those outside the detection & response team) could read these rules because they'd live in the organization's monorepo. If an engineer's account gets compromised, then they can read these rules.
  • Too slow: It takes months to get these rules reviewed.
  • Privately: Viewing rules must require authentication. Currently, osquery doesn't provide a way to authenticate YARA rule requests.

Changes

Product

  • UI changes: No changes
  • CLI (fleetctl) usage changes: No changes
  • YAML changes: TODO: Specify changes in the YAML files doc page as a PR to the reference docs release branch. Put "No changes" if there are no changes necessary.
  • REST API changes: TODO: Specify changes in the REST API doc page as a PR to reference docs release branch. Put "No changes" if there are no changes necessary. Move this item to the engineering list below if engineering will design the API changes.
  • Fleet's agent (fleetd) changes: PR to allow osquery to authenticate YARA requests: Add --yara_sigurl_authenticate flag osquery/osquery#8437. With the yara_sigurl_authenticate flag enabled, osquery will send the node key when retrieving YARA rules, which will allow the Fleet server to authenticate the request before responding.
  • Activity changes: No changes
  • Permissions changes: No changes.
  • Changes to paid features or tiers: TODO: Specify changes in pricing-features-table.yml as a PR to reference docs release branch. Specify "Fleet Free" and/or "Fleet Premium" if there are no changes to the pricing page necessary.
  • Once shipped, requester has been notified
  • Once shipped, dogfooding issue has been filed

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

  • Requires load testing: TODO
  • Risk level: Low / High TODO
  • Risk description: TODO

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. QA (@____): Added comment to user story confirming successful completion of QA.
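To make the "Fleet's agent (fleetd) changes" item concrete, the following is an added example of the server side of an authenticated sigurl endpoint. It is not Fleet's or osquery's own code; it is written in Go because Fleet is a Go server. It assumes, for illustration, that osquery with --yara_sigurl_authenticate sends a POST whose JSON body is {"node_key": "..."} and that the rule name is the last segment of the sigurl path; the URL prefix /yara/, the node key, the host ID and the rule text are constructed fixtures, and the in-memory map stands in for the server's enrolled-host table.

```go
package main

import (
	"encoding/json"
	"io"
	"net/http"
	"strings"
)

// NodeKeyStore maps an enrolled host's node key to its host identifier.
// Constructed fixture standing in for the server's enrolled-host table.
type NodeKeyStore map[string]string

// RuleSet maps a rule file name (last path segment of the sigurl) to its
// YARA source. Constructed fixture; a real server would read these from
// its own configuration store.
type RuleSet map[string]string

// sigurlRequest is the request body this example assumes osquery sends
// when --yara_sigurl_authenticate is enabled: a JSON object with the node key.
type sigurlRequest struct {
	NodeKey string `json:"node_key"`
}

// AuthenticateNodeKey returns the host ID for a node key, or "" when the
// key is empty or not enrolled. Callers must treat "" as "not authenticated".
func (s NodeKeyStore) AuthenticateNodeKey(key string) string {
	if key == "" {
		return ""
	}
	return s[key]
}

// YaraHandler serves a rule only after the node key in the POST body has
// been matched against an enrolled host. Everything else (no key, unknown
// key, malformed body, a GET from a browser) gets an error status and no
// rule text, which is what keeps the rules private.
func YaraHandler(store NodeKeyStore, rules RuleSet) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		// The body should be a tiny JSON object; cap it so a client cannot
		// push an arbitrarily large payload at the endpoint.
		body, err := io.ReadAll(io.LimitReader(r.Body, 4096))
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		var req sigurlRequest
		if err := json.Unmarshal(body, &req); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if store.AuthenticateNodeKey(req.NodeKey) == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		// Look the rule up by its file name only; reject anything that
		// still contains a path separator after the prefix is stripped.
		name := strings.TrimPrefix(r.URL.Path, "/yara/")
		if strings.Contains(name, "/") {
			http.NotFound(w, r)
			return
		}
		rule, ok := rules[name]
		if !ok {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		// Rule text is sensitive: tell any intermediary not to cache it.
		w.Header().Set("Cache-Control", "no-store")
		w.Write([]byte(rule))
	}
}

func main() {
	// Constructed fixtures: one enrolled host and one rule.
	store := NodeKeyStore{"node-key-abc123": "host-1"}
	rules := RuleSet{"example.yar": "rule example { strings: $s = \"example\" condition: $s }"}
	http.ListenAndServe("127.0.0.1:8080", YaraHandler(store, rules))
}
```

The check that matters is the order of operations: the node key is validated before the rule name is even parsed, so an unauthenticated client cannot probe which rule names exist, and the handler never returns rule text on any non-200 path.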
@zayhanlon zayhanlon added customer-domon ~customer request A prioritized, customer feature request. Has ≥ 1 customer codename label(s) ~feature fest Will be reviewed at next Feature Fest labels Nov 2, 2023
noahtalerman commented:

Feature fest: We have a yara table in Fleet: https://fleetdm.com/tables/yara

Does that address the need?

@noahtalerman noahtalerman removed the ~feature fest Will be reviewed at next Feature Fest label Nov 2, 2023
@zayhanlon zayhanlon added ~feature fest Will be reviewed at next Feature Fest and removed ~customer request A prioritized, customer feature request. Has ≥ 1 customer codename label(s) labels Dec 7, 2023
@noahtalerman noahtalerman removed the ~feature fest Will be reviewed at next Feature Fest label Dec 15, 2023
@zayhanlon zayhanlon added the ~feature fest Will be reviewed at next Feature Fest label Jun 6, 2024
zayhanlon (author) commented:

Related to an ask from customer-domon re: #19553

JoStableford commented:

@nonpunctual nonpunctual added the ~csa Issue was created by or deemed important by the Customer Solutions Architect. label Jun 6, 2024
nonpunctual commented Jun 6, 2024

The yara & yara_events tables do not have the capabilities to access sigrules from a remote server securely.

@noahtalerman noahtalerman changed the title from "Fleet to set/important YARA rules like osquery query packs" to "🎸 Fleet to set/important YARA rules like osquery query packs" Jun 10, 2024
@noahtalerman noahtalerman added story A user story defining an entire feature :product Product Design department (shows up on 🦢 Drafting board) and removed ~feature fest Will be reviewed at next Feature Fest labels Jun 21, 2024
zayhanlon (author) commented:

@noahtalerman let me know if you or design team would like to chat with the customer during or after this air guitar. thanks!

noahtalerman commented:

Hey @zayhanlon! Would love some help setting up a call w/ the customer.

noahtalerman commented:

Containers supported by YARA (Specifically Kubernetes):
Brock: Need context → Adding namespace column by PID would allow you to use YARA rules in containers
kubequery in the repo may be helpful
May be a blocker since they don’t have direct Kubernetes API
Brock: Could pass along to infra team to use
Ben: Potentially, could be hard though
Concern was if they could use osquery to run YARA rules in containers that are Docker → Now use Kubernetes so want that same ability for Kube
osquery does not support containerd → this would resolve the issue
TODO Brock: Bring this to eng to discuss
Found article about osquery support for containerd
https://developer.ibm.com/articles/monitoring-containers-osquery/

nonpunctual commented:

Hey @noahtalerman I did reach out to IBM on their GitHub to see if they had open-sourced anything in relation to this. Got no response. That said, I think we could duplicate what was built based on the article.

@noahtalerman noahtalerman removed :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. #g-endpoint-ops Endpoint ops product group labels Dec 11, 2024
noahtalerman commented:

@zwass also, did this get QA'd by one of our QA engineers? If not, can you please add it to the QA column on the #g-endpoint ops board and tag Sharon to let him know?

cc @zayhanlon

lucasmrod commented:

I reviewed the PR and this was shipped in 4.60.0. If we missed QA it was probably because it has :product and doesn't have the :release (and doesn't have a Milestone set).

noahtalerman commented:

> If we missed QA it was probably because it has :product and doesn't have the :release (and doesn't have a Milestone set).

I added :product yesterday (after we shipped). Sounds like this one missed QA. We want to make sure the specs in the "Product" section are filled out so QA knows the definition of done.

  • YAML changes: TODO: Specify changes in the YAML files doc page as a PR to the reference docs release branch. Put "No changes" if there are no changes necessary.
  • REST API changes: TODO: Specify changes in the the REST API doc page as a PR to reference docs release branch. Put "No changes" if there are no changes necessary. Move this item to the engineering list below if engineering will design the API changes.
  • Permissions changes: TODO: Specify changes in the Manage access doc page as a PR to the reference docs release branch. If doc changes aren't necessary, explicitly mention no changes to the doc page. Put "No changes" if there are no permissions changes.
  • Changes to paid features or tiers: TODO: Specify changes in pricing-features-table.yml as a PR to reference docs release branch. Specify "Fleet Free" and/or "Fleet Premium" if there are no changes to the pricing page necessary.

@zwass can you please add PRs/specs for these remaining TODOs.

(I think I had removed them while we were working on this story. Whoops from me.)

When those are spec'd can you please add :release and #g-endpoint-ops labels and ping Sharon that this one needs QA?

cc @zayhanlon

zayhanlon (author) commented:

@lucasmrod @noahtalerman -- we merged these docs a while ago https://github.com/fleetdm/fleet/pull/24015/files but I can't figure out where it is or where it ended up on the website. Did we put it in the wrong place?

lucasmrod commented:

> @lucasmrod @noahtalerman -- we merged these docs a while ago https://github.com/fleetdm/fleet/pull/24015/files but I can't figure out where it is or where it ended up on the website. Did we put it in the wrong place?

Ah, it was merged to the docs-v4.61.0 branch so the docs will be released when 4.61.0 is released.

zwass commented Dec 12, 2024

Ah, seems like I may have been confused about when it was going out. Maybe should merge it to main now if it shipped to 4.60? Apologies that I'm not on the ball with these process things.

@zayhanlon zayhanlon added #g-endpoint-ops Endpoint ops product group :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. and removed #g-customer-success Customer success issue. :product Product Design department (shows up on 🦢 Drafting board) labels Dec 12, 2024
zayhanlon (author) commented:

@sharon-fdm I don't think this went through formal QA last sprint, so we're circling it back for QA in case it was missed per Noah's comments above. Can you check this out and also review if the docs are in the right place? @xpkoala fyi

sharon-fdm commented:

cc: @xpkoala, @jmwatts.

lucasmrod commented:

> @lucasmrod @noahtalerman -- we merged these docs a while ago https://github.com/fleetdm/fleet/pull/24015/files but I can't figure out where it is or where it ended up on the website. Did we put it in the wrong place?

4.61.0 has been released, so now we have the guide published:
https://fleetdm.com/guides/remote-yara-rules

lucasmrod commented:

@zayhanlon ⬆️

@sharon-fdm sharon-fdm added the #g-orchestration Orchestration product group label Jan 2, 2025
@sharon-fdm sharon-fdm modified the milestones: 4.62.0, 4.61.0 Jan 2, 2025
@sharon-fdm sharon-fdm removed the #g-endpoint-ops Endpoint ops product group label Jan 6, 2025
noahtalerman pushed a commit that referenced this issue Jan 7, 2025
sgress454 added a commit that referenced this issue Jan 7, 2025
@xpkoala xpkoala closed this as completed Jan 8, 2025
fleet-release commented:

Deploying YARA rules,
Privately, swift as a hawk,
No trace left behind.
