Security Engineering via Fleet

How to set up Fleet and import queries for policies, detection and incident response.

This blog post is complementary to the talk I gave at MoneroTopia 26. Find the slides for the talk here.

The Cybersecurity Lifecycle

Effective security isn't about buying expensive tools—it's about covering the fundamentals consistently. The cybersecurity lifecycle breaks down into three key phases:

  • Prepare: Hardening and vulnerability management
  • Detect: Monitor your assets continuously
  • Respond: Understand what happened, contain the threat, and recover

The best part? You can implement all of this with free and open source software. It costs $0 (except your time), and everything runs self-hosted and sovereign.


Running Fleet (osquery)

Fleet is a lightweight alternative to Wazuh/OSSEC—and honestly, most organizations don't need a full-blown SIEM anyway. Fleet provides:

  • Easy and fast setup/enrollment
  • Real-time visibility into your endpoints
  • SQL-based querying of system state

Built on osquery, Fleet turns your endpoints into a queryable database. Want to know what processes are running across all your servers? That's a SQL query away.

As part of this work, I've converted Chainguard's osquery detection queries into a format that works with Fleet. These queries are maintained and updated periodically—check out RasterSec/fleetdm-osquery-defense-kit to use them.


Vulnerability Management

Fleet gives you immediate visibility into your software inventory across all enrolled hosts:

  • Full software inventory across all endpoints
  • CVE search to identify vulnerable packages
  • Ability to find malicious packages before they cause damage

Hardening via Policies

Fleet policies let you enforce security baselines using SQL queries. For example, to ensure SSH is properly hardened:

-- A Fleet policy passes on a host when the query returns at least one row,
-- so this returns a row only when none of the insecure directives is set.
SELECT 1
WHERE NOT EXISTS (
  SELECT 1
  FROM file_lines
  WHERE path = '/etc/ssh/sshd_config'
    AND (
      line LIKE 'PasswordAuthentication yes%'
      OR line LIKE 'PermitRootLogin yes%'
      OR line LIKE 'PermitEmptyPasswords yes%'
    )
);

Policies can trigger alerts and even automated remediation when hosts fall out of compliance.
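The policy above passes as soon as no line says "yes", but OpenSSH treats an absent PasswordAuthentication directive as yes, so an untouched sshd_config also passes it. The following is an added example (not from the post or the defense kit) of a stricter policy that requires the secure values to be set explicitly and still rejects any explicit "yes". It assumes the directives live in /etc/ssh/sshd_config itself (files pulled in through Include are not inspected), that they are separated from their values by a space, and that the policy is scoped to Linux hosts.

```sql
-- Stricter SSH hardening policy (added example, assumptions as described above).
-- Fleet reports PASS when the query returns a row and FAIL when it returns none.
SELECT 1
WHERE
  -- each secure directive must be present and uncommented (TRIM tolerates indentation)
  EXISTS (
    SELECT 1 FROM file_lines
    WHERE path = '/etc/ssh/sshd_config'
      AND TRIM(line) LIKE 'PasswordAuthentication no%'
  )
  AND EXISTS (
    SELECT 1 FROM file_lines
    WHERE path = '/etc/ssh/sshd_config'
      AND TRIM(line) LIKE 'PermitRootLogin no%'
  )
  -- and no conflicting insecure directive may appear anywhere in the file,
  -- including indented lines inside Match blocks
  AND NOT EXISTS (
    SELECT 1 FROM file_lines
    WHERE path = '/etc/ssh/sshd_config'
      AND (
        TRIM(line) LIKE 'PasswordAuthentication yes%'
        OR TRIM(line) LIKE 'PermitRootLogin yes%'
        OR TRIM(line) LIKE 'PermitEmptyPasswords yes%'
      )
  );
```

Because sshd applies the first occurrence of a directive and processes Include files first, a host with drop-ins under /etc/ssh/sshd_config.d can still pass this policy while being misconfigured; add a matching check on those paths if your distribution uses them.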

Additional Scanners and Resources

Complement Fleet with these tools:

  • Nuclei — External vulnerability scanning
  • Trivy — Docker, Kubernetes, code repositories, cloud infrastructure
  • ossf/cve-bin-tool — SBOM CVE scanning

Stay informed by following:


Intrusion Detection

Fleet Queries for Detection

Detection rules from RasterSec/fleetdm-osquery-defense-kit can catch common attack patterns:

  • Unexpected shell parents — Why did nginx just spawn /bin/bash?
  • Missing from disk — Process is running but the binary doesn't exist anymore
  • Unexpected talkers — Why is sshd connecting to a suspicious IP at 3am?
  • Unexpected cron entries — Someone added a cron job that runs curl | bash
  • Unexpected tmp executables — Binaries running from /tmp or /dev/shm
  • Exotic commands — python -c 'import socket,subprocess...'
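As an added example (not one of the defense kit's queries), the following query combines two of the patterns above: processes running from scratch space such as /tmp or /dev/shm, and processes whose executable has been deleted from disk. It joins each hit with its parent so the analyst can see what launched it. It assumes Linux hosts and uses the processes table's on_disk column; the allowlist near the end is illustrative only.

```sql
-- Detection: executables in scratch space or missing from disk (added example).
SELECT
  p.pid,
  p.uid,
  p.name,
  p.path,
  p.cmdline,
  p.cwd,
  p.start_time,
  p.on_disk,                      -- 1 = binary present, 0 = deleted, -1 = unknown
  pp.pid  AS parent_pid,
  pp.name AS parent_name,
  pp.path AS parent_path
FROM processes p
LEFT JOIN processes pp ON p.parent = pp.pid
WHERE
  (
    p.on_disk = 0                 -- executed and then unlinked
    OR p.path LIKE '/tmp/%'
    OR p.path LIKE '/var/tmp/%'
    OR p.path LIKE '/dev/shm/%'
  )
  -- illustrative allowlist: AppImages mount their payload under /tmp/.mount_<name>
  AND p.path NOT LIKE '/tmp/.mount_%'
  -- kernel threads have no executable path; drop them to reduce noise
  AND p.path != '';
```

Expect benign on_disk = 0 hits right after package upgrades: a long-running daemon keeps executing the old, now-replaced binary until it is restarted, so pair this query with the host's recent package activity before escalating.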

YARA Rules

YARA allows you to find textual or binary patterns inside files. Combined with osquery, you can scan the executables behind running processes for malware signatures:

-- sigrule passes the rule inline instead of referencing a signature file on the host
SELECT yara.*, p0.pid, p0.path, p0.name
FROM processes p0
JOIN yara ON p0.path = yara.path
WHERE yara.sigrule = '
rule miner {
  strings:
    $tcp = "stratum+tcp://" ascii
    $tls = "stratum+tls://" ascii
  condition:
    filesize < 10MB and 1 of them
}'
  AND yara.count > 0;

This query flags processes whose on-disk executable contains Stratum protocol URLs—a common indicator of mining malware. Note that it inspects the binary file at the process path, not the process's memory, so a miner that unpacks itself only in memory will not match.


Incident Response

Authentication & Access

  • User accounts, SSH keys, login history
  • Authorized keys and known hosts

Persistence Mechanisms

  • Crontab, systemd units, launchd
  • Startup items, login window configs

Process Forensics

  • Running processes with metadata
  • Open files, sockets, memory maps

Network Artifacts

  • Listening ports, open sockets
  • DNS resolvers, firewall rules

File System

  • Recently modified files
  • Downloads with hashes
  • Shell history

Software Inventory

  • Installed packages, browser extensions
  • Docker containers and images
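The categories above map directly onto osquery tables. As an added example (not from the post), here are three triage queries covering persistence and access on a Linux host: cron entries that fetch-and-execute or run from scratch space, every SSH key that grants access mapped to its user, and recent logins to correlate against. Run each statement as a separate live query in Fleet; the LIKE patterns are a starting point, not a complete list.

```sql
-- 1. Cron persistence: commands that download, decode, or run from scratch space
SELECT
  path AS crontab_file,
  event,
  minute, hour, day_of_month, month, day_of_week,
  command
FROM crontab
WHERE command LIKE '%curl%'
   OR command LIKE '%wget%'
   OR command LIKE '%base64%'
   OR command LIKE '%/tmp/%'
   OR command LIKE '%/dev/shm/%';

-- 2. Access: SSH authorized keys per local user
--    (authorized_keys is generated per uid, so join it to users)
SELECT
  u.username,
  u.uid,
  u.directory,
  ak.key_file,
  ak.algorithm,
  ak.key
FROM users u
JOIN authorized_keys ak ON ak.uid = u.uid;

-- 3. Login history from wtmp, newest first, to line up with key or cron changes
SELECT
  username,
  host,
  tty,
  type,
  datetime(time, 'unixepoch') AS login_time
FROM last
ORDER BY time DESC
LIMIT 50;
```

Save the output of query 2 from a known-good host and diff it against a suspect host: an added key with an unfamiliar key_file or algorithm is one of the simplest persistence mechanisms to miss when reading authorized_keys files by hand.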

Going Further

Level up your setup with these additions:

  • Ship Fleet logs to a SIEM — Wazuh, Graylog, or Elasticsearch
  • Network IDS — Suricata, SNORT, or Security Onion
  • Container monitoring — Falco (eBPF-based)
  • Automated response — Fleet + webhooks for real-time actions

Resources


RasterSec © 2026
