Open znewman01 opened 1 year ago
This issue has been mentioned on NixOS Discourse. There might be relevant details there:
https://discourse.nixos.org/t/kolide-launcher-in-nixpkgs/22463/1
I suggest having a look at how dropbox is handled in NixOS - that would probably be similar to what you need.
I am definitely interested in getting osquery back into nixpkgs for the purposes of kolide, so while my current capacity is reduced, I'm for sure interested in helping out/figuring it out/becoming a maintainer!
Thanks to @ngerstle who pointed me to this issue!
Kolide now has official support for Nix https://github.com/kolide/nix-agent
See: https://github.com/kolide/launcher/issues/896#issuecomment-1964533616
For work, I (and many others) are required to install Kolide for endpoint security. This is the least-bad endpoint security solution I've ever used. Getting this to work on NixOS is the difference between me using NixOS at work, and switching to another distro[^1]. I imagine other folks are in the same situation. Here's my goal:
[^1]: I also need this installed on my laptop (macOS). While I'd love to manage it via Nixpkgs, this is a lower priority for me, as the normal install works fine. Let me know in the comments if macOS support matters to you.
`osqueryPackage` configuration parameter in the NixOS module.

Because I need this for work, I'm willing to invest a fair bit of effort here (though help is appreciated), including being a maintainer for osquery and kolide-launcher in Nixpkgs.
Challenges
Osquery
Kolide relies very heavily on osquery. It ships a (not statically linked) copy of the official osquery releases.
osquery used to be in Nixpkgs, but was removed because it broke frequently and there was no maintainer. There are a couple requests to reinstate it (https://github.com/NixOS/nixpkgs/issues/121745, https://github.com/NixOS/nixpkgs/issues/193673) but interest has been low.
Auto-updater
Kolide has its own autoupdater for osquery (and Kolide itself, IIUC). It relies on The Update Framework (TUF) for package signing and metadata distribution. This isn't going to work if we install via Nix :smile: But how do we handle it? How easy will this be to disable? Maintainers should be checking signatures (maybe? if we're building from source, perhaps not). Is there any way to give some of these benefits downstream? So can we check in the Nixpkgs test suite, or even add a checkPhase to the package itself?
I actually happen to know TUF pretty well so if that winds up being an issue here I can help out.
Building
The launcher has its own build tooling. It's relatively simple, but still somewhat nonstandard. There's a couple issues with it when building in Nix:
Running other binaries
Kolide winds up shelling out to a lot of other tools to query the state of your system. When it does so, it doesn't respect your `$PATH`; instead, most paths to binaries are hardcoded. This is by design. On NixOS, we don't have ZFS in `/usr/bin`, so the ZFS checks break.

OS-specific stuff
One of the big value-adds of Kolide is that it tracks the installed packages on your OS. However, on NixOS, it doesn't.
This is pretty subtle, actually. What counts as an installed package? In your current system profile? Current user profile? In `/nix/store` at all? In the store, but pointed to by any GC root?

How I got it kind-of working (warning: terrible hacks)
Write a module to run it in systemd.
There's a minor subtlety in that you need an "enrollment secret." This is out-of-scope for any NixOS module IMO. I just stuck it in a long-lived directory on my machine; a better solution might use one of the NixOS secret managers.
You should be able to get that setup working for you. Let me know if you need help, though I'd prefer to focus efforts on a long-term solution.
There's one final caveat. Presumably your workplace is making you install Kolide so that it can run a bunch of Osquery checks on your machine. NixOS is weird, and many very standard checks are going to fire because of the way NixOS works. I'm very fortunate to have a friendly and flexible security/compliance manager at my company who is willing to work with me on allow-listing certain NixOS behaviors. If you aren't in that situation, YMMV.
Action plan
How you can help!
CC @patflynn @danderson @terlar @joncoll (sorry for the random ping, you're all the folks I could find based on GH issues who care)
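A sketch of the systemd-based module the issue describes, as an added example that is not code from the issue, from Nixpkgs or from kolide/nix-agent. Everything about the launcher command line is assumed: the binary name `launcher` and the flag names `--hostname`, `--root_directory`, `--enroll_secret_path`, `--osqueryd_path` and `--autoupdate` must be checked against `launcher --help` for whatever version gets packaged. The NixOS option names other than `osqueryPackage` are also invented for this illustration. The one point it adds to the discussion is the handling of the enrollment secret: a secret passed as a string, or a Nix path literal interpolated into the unit, ends up copied into the world-readable `/nix/store`, so the module takes the secret as a path outside the store and refuses to evaluate otherwise; the auto-updater is switched off because Nix, not TUF, owns the binaries here.

```nix
# Added illustration, not from the issue or from kolide/nix-agent.
# Launcher flag names below are ASSUMED; verify against `launcher --help`.
{ config, lib, pkgs, ... }:

let
  cfg = config.services.kolide-launcher;
in
{
  options.services.kolide-launcher = {
    enable = lib.mkEnableOption "the Kolide launcher endpoint agent";

    package = lib.mkOption {
      type = lib.types.package;
      description = "The kolide-launcher package to run (attribute name assumed).";
    };

    # Name taken from the issue: lets the module pin which osqueryd the launcher executes.
    osqueryPackage = lib.mkOption {
      type = lib.types.package;
      description = "The osquery package whose osqueryd the launcher should execute.";
    };

    hostname = lib.mkOption {
      type = lib.types.str;
      description = "Kolide control server the agent enrolls with (constructed default below).";
      default = "k2device.example.test";
    };

    # Deliberately a string, not a path type: a Nix path literal interpolated into
    # the unit would be copied into /nix/store, exposing the secret to every user.
    enrollSecretFile = lib.mkOption {
      type = lib.types.str;
      description = "Absolute path to the enrollment secret, outside the Nix store.";
      example = "/var/lib/kolide-launcher/enroll_secret";
    };
  };

  config = lib.mkIf cfg.enable {
    # Fail evaluation rather than ship a secret in a world-readable store path.
    assertions = [{
      assertion = !(lib.hasPrefix builtins.storeDir cfg.enrollSecretFile);
      message = "services.kolide-launcher.enrollSecretFile must not point into the Nix store";
    }];

    systemd.services.kolide-launcher = {
      description = "Kolide launcher (osquery-based endpoint agent)";
      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];

      serviceConfig = {
        ExecStart = lib.concatStringsSep " " [
          "${cfg.package}/bin/launcher"
          "--hostname=${cfg.hostname}"
          "--root_directory=/var/lib/kolide-launcher"
          "--enroll_secret_path=${cfg.enrollSecretFile}"
          # osqueryd comes from the Nix store, not from the launcher's own download.
          "--osqueryd_path=${cfg.osqueryPackage}/bin/osqueryd"
          # Nix manages the binaries, so the TUF-based self-updater stays off.
          "--autoupdate=false"
        ];
        # Creates /var/lib/kolide-launcher (root-owned, 0755) for launcher state.
        StateDirectory = "kolide-launcher";
        Restart = "on-failure";
        RestartSec = "5s";
      };
    };
  };
}
```

The secret file itself is still out of scope for the module, as the issue says: it is placed by hand or by a NixOS secrets tool, with the service reading it at runtime from the path given in `enrollSecretFile`. The assertion only catches the store-path case; it does not check the file's ownership or mode, which the secrets tool (or the operator) is responsible for.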