Welcome to our tutorial on how to install and set up Velociraptor on Ubuntu 18.04. Velociraptor is an open source endpoint visibility and digital forensics tool: a central server collects information from enrolled clients and can continuously monitor them. Its design draws on GRR, OSQuery and Google's Rekall.
In this setup we will cover the standalone deployment option, which uses a server-client model: an agent is installed on each endpoint and communicates with the server over TLS.
Velociraptor has six main components:
- Frontend – receives connections from clients.
- GUI – web interface for analysts.
- Client – the Velociraptor endpoint agent.
- VQL engine (VFilter) – runs Velociraptor Query Language queries on the server and on clients.
- Data store – where the server keeps its metadata (clients, flows, hunts).
- File store – long-term storage for collected files and results.
We will also outline how Velociraptor clients are installed on Windows and Linux endpoints.
Installing Velociraptor on Ubuntu 18.04
Step 1: Get the Velociraptor Linux binary
Download the latest Velociraptor Linux binary from the official Velociraptor GitHub releases page:
mkdir velociraptor
cd velociraptor
wget https://github.com/Velocidex/velociraptor/releases/download/v0.5.3/velociraptor-v0.5.3-linux-amd64
Step 2: Make the Binary executable
Once the download is complete, make the binary executable:
chmod +x velociraptor-v0.5.3-linux-amd64
Step 3: Generate a server Config File
Generate the server configuration file with the command below (run it as root, since the file is written under /etc):
./velociraptor-v0.5.3-linux-amd64 config generate > /etc/velociraptor.config.yaml
To walk through the configuration interactively instead of taking the defaults, run:
./velociraptor-v0.5.3-linux-amd64 config generate -i
Optionally, edit the configuration file once it is created to suit your deployment. For example, change the URL clients use to reach the frontend and the addresses the API, GUI and Monitoring listeners bind to. The Frontend section's hostname should be set to the same address clients will use. Note that the GUI and API bind to 127.0.0.1 by default; binding them to a routable address, as below, exposes the admin interface to the network, so restrict access with a firewall or keep them on loopback and reach the GUI through an SSH tunnel.
vim /etc/velociraptor.config.yaml
...
Client:
  server_urls:
  - https://192.168.56.102:8000/
...
API:
  bind_address: 192.168.56.102
...
GUI:
  bind_address: 192.168.56.102
...
Monitoring:
  bind_address: 192.168.56.102
...
The Datastore section controls where Velociraptor stores its metadata and collected files. The default, /var/tmp/velociraptor, is a world-writable temporary directory and a poor home for forensic evidence; point both paths at a dedicated directory (for example /var/lib/velociraptor) owned by the user the server runs as and not readable by others.
Datastore:
  implementation: FileBaseDataStore
  location: /var/tmp/velociraptor
  filestore_directory: /var/tmp/velociraptor
It is important to note that client-server communication is encrypted over HTTPS and that the private keys (the CA key and the frontend key) are embedded in this configuration file. Treat /etc/velociraptor.config.yaml as a secret: keep it root-owned with mode 600, because anyone who can read it can impersonate the server to your clients.
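The edits above can be scripted and checked rather than done by hand in vim. The following bash script is an added example written for this page, not Velociraptor's own tooling. It assumes the layout that `config generate` produces in 0.5.x (API, GUI and Monitoring bound to 127.0.0.1, Frontend hostname localhost, Client.server_urls https://localhost:8000/, datastore under /var/tmp), uses GNU sed and stat as found on Ubuntu, and works on a constructed sample config with placeholder key material so it can be run without a real deployment. The suggested datastore path is an assumption, not a project default.

```bash
#!/usr/bin/env bash
# Added example, not part of Velociraptor: post-process a freshly generated
# server config. Assumes the layout `config generate` produces in 0.5.x
# (API/GUI/Monitoring bound to 127.0.0.1, Frontend hostname localhost,
# Client.server_urls https://localhost:8000/, datastore under /var/tmp).
# Requires GNU sed/stat (Ubuntu). The sample config below is constructed.
set -euo pipefail

# Constructed stand-in for /etc/velociraptor.config.yaml; placeholders, not real keys.
sample_config() {
  cat <<'EOF'
Client:
  server_urls:
  - https://localhost:8000/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    (constructed placeholder)
    -----END CERTIFICATE-----
  nonce: cNzXMcNgk0g=
API:
  bind_address: 127.0.0.1
  bind_port: 8001
GUI:
  bind_address: 127.0.0.1
  bind_port: 8889
  internal_cidr:
  - 127.0.0.1/12
  - 192.168.0.0/16
Frontend:
  hostname: localhost
  bind_address: 0.0.0.0
  bind_port: 8000
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    (constructed placeholder)
    -----END RSA PRIVATE KEY-----
Datastore:
  implementation: FileBaseDataStore
  location: /var/tmp/velociraptor
  filestore_directory: /var/tmp/velociraptor
Monitoring:
  bind_address: 127.0.0.1
  bind_port: 8003
EOF
}

# Point the API/GUI/Monitoring listeners, the advertised Frontend hostname and
# Client.server_urls at the server IP. Frontend.bind_address (0.0.0.0) and the
# GUI internal_cidr list are deliberately left alone.
set_server_address() {
  local cfg="$1" ip="$2"
  sed -i \
    -e "s|bind_address: 127\.0\.0\.1$|bind_address: ${ip}|" \
    -e "s|hostname: localhost$|hostname: ${ip}|" \
    -e "s|https://localhost:8000/|https://${ip}:8000/|" \
    "$cfg"
}

# Move datastore and filestore out of world-writable /var/tmp into a private dir.
set_datastore() {
  local cfg="$1" dir="$2"
  sed -i \
    -e "s|^\([[:space:]]*location:[[:space:]]*\)/var/tmp/velociraptor$|\1${dir}|" \
    -e "s|^\([[:space:]]*filestore_directory:[[:space:]]*\)/var/tmp/velociraptor$|\1${dir}|" \
    "$cfg"
  mkdir -p "$dir"
  chmod 700 "$dir"
}

# The server config embeds the CA and frontend private keys: owner-only access.
lock_down_config() {
  chmod 600 "$1"
}

# Succeed only if the file is mode 600 and no listener or URL still points at loopback.
config_looks_sane() {
  local cfg="$1"
  [ "$(stat -c '%a' "$cfg")" = "600" ] || return 1
  ! grep -Eq 'bind_address: 127\.0\.0\.1$|hostname: localhost$|https://localhost:' "$cfg"
}

# Demo on a temporary copy; nothing under /etc is touched.
demo() {
  local tmp cfg
  tmp="$(mktemp -d)"
  cfg="$tmp/server.config.yaml"
  sample_config > "$cfg"
  set_server_address "$cfg" 192.168.56.102
  set_datastore "$cfg" "$tmp/datastore"
  lock_down_config "$cfg"
  config_looks_sane "$cfg" && echo "config ok: $cfg"
}
demo
```

On a real server you would call the three functions against /etc/velociraptor.config.yaml with your own IP and datastore path (for example /var/lib/velociraptor) and then run config_looks_sane as a pre-start check. The sed patterns are anchored on the exact default values, so a config that has already been edited is left unchanged rather than half-rewritten.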
Step 4: Create GUI user
Create a user to access the GUI by running the command below;
./velociraptor-v0.5.3-linux-amd64 --config /etc/velociraptor.config.yaml user add admin --role administrator
Enter a password for the user when prompted. The command above adds the user admin with the administrator role. Other available roles are:
- reader
- analyst
- investigator
- artifact_writer
Step 5: Start Velociraptor Frontend
Start the Velociraptor server with the frontend command; the -v flag prints verbose output on the terminal.
./velociraptor-v0.5.3-linux-amd64 --config /etc/velociraptor.config.yaml frontend -v
Sample output:
[INFO] 2020-12-09T20:45:30+03:00 _ __ __ _ __
[INFO] 2020-12-09T20:45:30+03:00 | | / /__ / /___ _____(_)________ _____ / /_____ _____
[INFO] 2020-12-09T20:45:30+03:00 | | / / _ \/ / __ \/ ___/ / ___/ __ `/ __ \/ __/ __ \/ ___/
[INFO] 2020-12-09T20:45:30+03:00 | |/ / __/ / /_/ / /__/ / / / /_/ / /_/ / /_/ /_/ / /
[INFO] 2020-12-09T20:45:30+03:00 |___/\___/_/\____/\___/_/_/ \__,_/ .___/\__/\____/_/
[INFO] 2020-12-09T20:45:30+03:00 /_/
[INFO] 2020-12-09T20:45:30+03:00 Digging deeper! https://www.velocidex.com
[INFO] 2020-12-09T20:45:30+03:00 This is Velociraptor 0.5.3 built on 2020-12-03T15:33:04+10:00 (e957bec)
[INFO] 2020-12-09T20:45:30+03:00 Loading config from file /etc/velociraptor.config.yaml
[INFO] 2020-12-09T20:45:30+03:00 Starting Frontend. {"build_time":"2020-12-03T15:33:04+10:00","commit":"e957bec","version":"0.5.3"}
[INFO] 2020-12-09T20:45:30+03:00 Increased open file limit to 999999
[INFO] 2020-12-09T20:45:30+03:00 Starting Journal service.
[INFO] 2020-12-09T20:45:30+03:00 Starting the notification service.
[INFO] 2020-12-09T20:45:30+03:00 Starting Inventory Service
[INFO] 2020-12-09T20:45:30+03:00 Loaded 216 built in artifacts in 49.831921ms
[INFO] 2020-12-09T20:45:30+03:00 Starting Hunt Dispatcher Service.
[INFO] 2020-12-09T20:45:30+03:00 Starting Label service.
[INFO] 2020-12-09T20:45:30+03:00 Selected frontend configuration localhost:8000
[INFO] 2020-12-09T20:45:30+03:00 Starting Client Monitoring Service
[INFO] 2020-12-09T20:45:30+03:00 Creating default Client Monitoring Service
...
[INFO] 2020-12-09T20:45:31+03:00 Starting the hunt manager service.
[INFO] 2020-12-09T20:45:31+03:00 Starting Server Monitoring Service
[INFO] 2020-12-09T20:45:31+03:00 Starting VFS writing service.
[INFO] 2020-12-09T20:45:31+03:00 Starting Server Artifact Runner Service
[INFO] 2020-12-09T20:45:31+03:00 Starting Enrollment service.
[INFO] 2020-12-09T20:45:31+03:00 Collecting Server Event Artifact: Server.Monitor.Health/Prometheus
[INFO] 2020-12-09T20:45:31+03:00 Starting gRPC API server on 192.168.56.102:8001
[INFO] 2020-12-09T20:45:31+03:00 Launched Prometheus monitoring server on 192.168.56.102:8003
[INFO] 2020-12-09T20:45:31+03:00 GUI is ready to handle TLS requests on https://192.168.56.102:8889/
[INFO] 2020-12-09T20:45:31+03:00 Frontend is ready to handle client TLS requests at https://localhost:8000/
...
The output shows which addresses and ports the GUI and frontend are listening on. The frontend line still reports https://localhost:8000/ because the Frontend section was left at its default hostname; the address clients actually connect to is the one in Client.server_urls, so make sure that URL is reachable from the endpoints.
Accessing Velociraptor Web Interface
Access the GUI at https://SERVER-IP:8889 and log in with the user and password created earlier. The GUI uses HTTP basic authentication over TLS; with the default self-signed certificate your browser will warn about the certificate the first time you connect.
Step 6 (Optional): Install a Systemd Service for Velociraptor
Additionally, you can create a systemd service so Velociraptor starts at boot and is restarted if it exits. For easier management, copy the binary to /usr/local/bin as velociraptor:
cp velociraptor-v0.5.3-linux-amd64 /usr/local/bin/velociraptor
Create the systemd service file:
vim /lib/systemd/system/velociraptor.service
Add the content below:
[Unit]
Description=Velociraptor linux amd64
After=syslog.target network.target
[Service]
Type=simple
Restart=always
RestartSec=120
LimitNOFILE=20000
Environment=LANG=en_US.UTF-8
ExecStart=/usr/local/bin/velociraptor --config /etc/velociraptor.config.yaml frontend -v
[Install]
WantedBy=multi-user.target
Reload systemd daemon:
systemctl daemon-reload
Start Velociraptor and enable it to start at boot:
systemctl enable --now velociraptor
Check the status of velociraptor.
systemctl status velociraptor
● velociraptor.service - Velociraptor linux amd64
Loaded: loaded (/lib/systemd/system/velociraptor.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2020-12-09 21:10:37 EAT; 6s ago
Main PID: 21354 (velociraptor)
Tasks: 7 (limit: 595)
CGroup: /system.slice/velociraptor.service
└─21354 /usr/local/bin/velociraptor --config /etc/velociraptor.config.yaml frontend -v
Dec 09 21:10:38 user1-VirtualBox velociraptor[21354]: [INFO] 2020-12-09T21:10:38+03:00 Starting Server Artifact Runner Service
Dec 09 21:10:38 user1-VirtualBox velociraptor[21354]: [INFO] 2020-12-09T21:10:38+03:00 Starting gRPC API server on 192.168.56.102:8001
Dec 09 21:10:38 user1-VirtualBox velociraptor[21354]: [INFO] 2020-12-09T21:10:38+03:00 Launched Prometheus monitoring server on 192.168.56
Dec 09 21:10:38 user1-VirtualBox velociraptor[21354]: [INFO] 2020-12-09T21:10:38+03:00 GUI is ready to handle TLS requests on https://192.
Dec 09 21:10:38 user1-VirtualBox velociraptor[21354]: [INFO] 2020-12-09T21:10:38+03:00 Collecting Server Event Artifact: Server.Monitor.He
Dec 09 21:10:38 user1-VirtualBox velociraptor[21354]: [INFO] 2020-12-09T21:10:38+03:00 Frontend is ready to handle client TLS requests at
Dec 09 21:10:38 user1-VirtualBox velociraptor[21354]: [INFO] 2020-12-09T21:10:38+03:00 Compiled all artifacts.
Open the GUI in a browser and log in; you will see the Velociraptor dashboard.
Install and Configure Velociraptor Client
As stated before, Velociraptor server-client communication happens over an encrypted HTTPS channel. You can use self-signed certificates or certificates from a public CA.
In this setup we use self-signed certificates. Therefore, edit /etc/velociraptor.config.yaml and make sure the Client section contains the directive use_self_signed_ssl: true, placed after the CA certificate and nonce as shown below. With this setting the client validates the frontend's certificate against the CA embedded in its own configuration rather than the system certificate store.
vim /etc/velociraptor.config.yaml
...
  nonce: cNzXMcNgk0g=
  use_self_signed_ssl: true
  writeback_darwin: /etc/velociraptor.writeback.yaml
  writeback_linux: /etc/velociraptor.writeback.yaml
  writeback_windows: $ProgramFiles\Velociraptor\velociraptor.writeback.yaml
  tempdir_windows: $ProgramFiles\Velociraptor\Tools
...
Save the file and generate the client configuration file:
./velociraptor-v0.5.3-linux-amd64 --config /etc/velociraptor.config.yaml config client > client.config.yaml
NOTE: The client configuration file contains the CA certificate, the enrollment nonce and the server URLs, which the client uses to authenticate the server. It contains no private keys (each client generates its own key pair on first start and stores it in the writeback file), so it can be distributed to endpoints; the server configuration file must not be.
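Because the server and client configuration files share the same Client block, it is easy to ship the wrong one. The bash script below is an added example for this page, not Velociraptor tooling: it refuses any file containing private key material, confirms the fields a client needs are present, and prints the server URLs the endpoint will enroll against so they can be checked for reachability. The two configuration files it works on are constructed stand-ins with placeholder key material, not files generated by Velociraptor.

```bash
#!/usr/bin/env bash
# Added example, not Velociraptor tooling: vet a configuration file before it is
# copied to endpoints. A client config carries only the CA certificate, the
# enrollment nonce and server_urls; anything containing private key material is
# the server config and must never leave the server. Sample files are constructed.
set -euo pipefail

# Constructed stand-in for client.config.yaml (placeholder certificate, not real).
constructed_client_config() {
  cat <<'EOF'
Client:
  server_urls:
  - https://192.168.56.102:8000/
  ca_certificate: |
    -----BEGIN CERTIFICATE-----
    (constructed placeholder)
    -----END CERTIFICATE-----
  nonce: cNzXMcNgk0g=
  use_self_signed_ssl: true
  writeback_linux: /etc/velociraptor.writeback.yaml
EOF
}

# Constructed stand-in for the server config: same Client block plus a private key.
constructed_server_config() {
  constructed_client_config
  cat <<'EOF'
Frontend:
  hostname: 192.168.56.102
  private_key: |
    -----BEGIN RSA PRIVATE KEY-----
    (constructed placeholder)
    -----END RSA PRIVATE KEY-----
EOF
}

# Return 0 only for a file that looks like a complete client config and holds no
# private key. Prints the reason for a refusal on stderr.
safe_to_distribute() {
  local cfg="$1" field
  if grep -q 'PRIVATE KEY-----' "$cfg"; then
    echo "REFUSE: $cfg contains private key material (server config?)" >&2
    return 1
  fi
  for field in server_urls ca_certificate nonce; do
    if ! grep -q "^[[:space:]]*${field}:" "$cfg"; then
      echo "REFUSE: $cfg lacks Client.${field}" >&2
      return 1
    fi
  done
  return 0
}

# Print the frontend URLs the client will enroll against, one per line.
server_urls() {
  awk '/^[ \t]*server_urls:/ { grab = 1; next }
       grab && /^[ \t]*- / { sub(/^[ \t]*- /, ""); print; next }
       grab { grab = 0 }' "$1"
}

# Demo with temporary constructed files; nothing real is read or written.
demo() {
  local tmp
  tmp="$(mktemp -d)"
  constructed_client_config > "$tmp/client.config.yaml"
  constructed_server_config > "$tmp/server.config.yaml"
  safe_to_distribute "$tmp/client.config.yaml" && server_urls "$tmp/client.config.yaml"
  safe_to_distribute "$tmp/server.config.yaml" || echo "server config correctly refused"
}
demo
```

In practice, run safe_to_distribute on the generated client.config.yaml as the last step before it is copied to an endpoint or baked into a package, and feed the output of server_urls to a quick connectivity test from a representative endpoint before rolling agents out widely.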
Install Velociraptor Clients on Linux and Windows Machines
Velociraptor clients can be deployed in two ways:
Using Velociraptor Binary
This method uses the Velociraptor binary together with the client configuration file generated on the server; the configuration file has to be copied to the client machine alongside the binary. It is ideal for testing; for large deployments the second method, below, is preferred.
Using Velociraptor client packages
This method bundles the client configuration file into a Linux package or Windows installer, which is then distributed to the target machines.
Follow the link below to learn how to install and configure Velociraptor clients on Linux and Windows machines.
Install Velociraptor Client on Linux and Windows Systems
Conclusion
That brings us to the end of our guide on how to install Velociraptor on Ubuntu 18.04. Velociraptor is a powerful open source tool for querying hosts at scale, which makes it useful for endpoint monitoring, digital forensic investigations and threat hunting.
Further Reading
Other Tutorials
Install Kolide Fleet Osquery Fleet Manager on Debian 10