Cleanup the osquery tooling and vendor roles

The osquery tooling needed a little work to be fully automated and
repeatable. This change tunes up the tools and makes the entire
deployment process multi-node capable and repeatable.

The osquery role was vendored because of bugs within their use of AppArmor
profiles and there was no way to disable them.

The fleet use of commands for ssl creation has been removed. The ssl
modules are now being used to generate all of the certificates.

New pre-tasks have been added to check for required variables. If the
required variables are not set the playbooks will fail early and notify
the user of the issue.

Change-Id: I88c2b40ed9d9a88a39bdf07b0dce2900fda50151
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This commit is contained in:
Kevin Carter 2018-10-15 22:42:04 -05:00
parent 2004e601c2
commit 5aff0b59f4
No known key found for this signature in database
GPG Key ID: 9443251A787B9FB3
138 changed files with 4338 additions and 680 deletions

View File

@ -81,7 +81,6 @@ Update the `/etc/hosts` file *(optional)*
openstack-ansible openstack-hosts-setup.yml
Create an haproxy entry for kolide-fleet service 8443
.. code-block:: bash
@ -117,14 +116,14 @@ the `bootstrap-ansible.sh` script these dependencies can be resolved with the
.. code-block:: bash
ansible-galaxy install -r ansible-role-requirements.yml
ansible-galaxy install -r ansible-role-requirements.yml --roles-path=~/ansible25/repositories/roles
In the even that some of the modules are alread installed execute the following
.. code-block:: bash
ansible-galaxy install -r ansible-role-requirements.yml --ignore-errors
ansible-galaxy install -r ansible-role-requirements.yml --ignore-errors --roles-path=~/ansible25/repositories/roles
Once the dependencies are set make sure to set the action plugin path to the
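Review bot: the new docs line `In the even that some of the modules are alread installed` has two typos (`even` should be `event`, `alread` should be `already`). Recommending `ansible-galaxy install ... --ignore-errors` as the remedy for already-installed roles also silences genuine failures (unreachable repositories, bad versions) and leaves the deployer with a partial role set without any error; `--force` to re-install, or checking the roles path first, is the safer instruction to give here.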
@ -139,7 +138,9 @@ Deploying | The environment
Create some basic passwords keys that are needed by fleet
.. code-block:: bashG
echo "kolide_fleet_jwt_key: $(openssl rand -base64 32)" > /etc/openstack_deploy/fleet_user_vars.yml
echo "kolide_fleet_db_password: $(openssl rand -base64 16)" > /etc/openstack_deploy/fleet_user_vars.yml
echo "kolide_fleet_jwt_key: $(openssl rand -base64 32)" >> /etc/openstack_deploy/fleet_user_vars.yml
echo "kolide_fleet_admin_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/fleet_user_vars.yml
echo "mariadb_root_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/fleet_user_vars.yml
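Review bot: the directive reads `.. code-block:: bashG`; Sphinx warns on the unknown lexer (and a build run with `-W` fails), so this should be `bash`. In the commands themselves the first `echo ... > /etc/openstack_deploy/fleet_user_vars.yml` truncates the file, so any user variables already in it are lost on a re-run of the snippet; the file is also created under the shell's default umask although it now holds the JWT signing key, the DB password and the admin password, so a `umask 077` before the first `echo` (or a `chmod 0600` afterwards) belongs in this block.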
@ -184,6 +185,7 @@ This diagram outlines the data flow from within an Elastic-Stack deployment.
:alt: Kolide & Osquery Data Flow Diagram
:align: center
TODO
----
The following is a list of open items.

View File

@ -1,24 +1,16 @@
---
#- name: systemd_service
# scm: git
# src: https://git.openstack.org/openstack/ansible-role-systemd_service
# version: master
- name: systemd_service
scm: git
src: https://git.openstack.org/openstack/ansible-role-systemd_service
version: master
- name: config_template
scm: git
src: https://git.openstack.org/openstack/ansible-config_template
version: master
- name: osquery
scm: git
src: https://github.com/kloud-pro/ansible-osquery
version: master
- name: redis
scm: git
src: https://github.com/geerlingguy/ansible-role-redis
version: master
- name: mariadb
scm: git
src: https://github.com/lechuckroh/ansible-role-mariadb
version: master
- name: galera_client
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-galera_client
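Review bot: every entry is pinned to `version: master`, including the third-party GitHub roles (`geerlingguy/ansible-role-redis`, `lechuckroh/ansible-role-mariadb`); a floating branch means a deployment pulls whatever those upstreams contain at run time, which works against the "repeatable" goal of this change and is a supply-chain exposure. Pin each to a tag or commit SHA (the deleted bootstrap script in this same patch did pin `ansible-config_template` and `systemd_service` to SHAs). The commented-out `#- name: systemd_service` block at the top duplicates the live entry directly below it and should be dropped.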

View File

@ -1,129 +0,0 @@
#!/usr/bin/env bash
# Copyright 2018, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
export OPTS=()
export ANSIBLE_EMBED_HOME="${HOME}/ansible25"
OPTS+=('ANSIBLE_EMBED_HOME')
source /etc/os-release
if [[ ! -e "${ANSIBLE_EMBED_HOME}/bin/ansible" ]]; then
if [ ${VERSION_ID} = "14.04" ]; then
apt-get update
apt-get -y install python-virtualenv
echo "done installing python-virtualenv"
else
apt-get update
apt-get -y install python3-virtualenv python-virtualenv
echo "done installing python-virtualenv python3-virtualenv"
fi
if [[ -e "${HOME}/.pip" ]]; then
echo "..................moving .pip out of place to boostrap"
mv ${HOME}/.pip ${HOME}/.off-pip
fi
if [[ -f "/usr/bin/python2" ]]; then
virtualenv --python="/usr/bin/python2" "${ANSIBLE_EMBED_HOME}"
elif [[ -f "/usr/bin/python3" ]]; then
virtualenv --python="/usr/bin/python3" "${ANSIBLE_EMBED_HOME}"
else
virtualenv "${ANSIBLE_EMBED_HOME}"
fi
eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade --force pip"
eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade ansible==2.5.5.0 --isolated"
eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade jmespath --isolated"
echo "Ansible can be found here: ${ANSIBLE_EMBED_HOME}/bin"
if [[ -e "${HOME}/.off-pip" ]]; then
mv ${HOME}/off-pip ${HOME}/.pip
echo "..................moving .pip back in to place"
fi
fi
if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template" ]]; then
mkdir -p "${ANSIBLE_EMBED_HOME}/repositories"
git clone https://git.openstack.org/openstack/ansible-config_template "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template"
pushd "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template"
git checkout a5c9d97e18683f0fdf9769d94ba174c72e2d093c # HEAD of master from 20-06-18
popd
fi
if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/openstack_ansible_plugins" ]]; then
mkdir -p "${ANSIBLE_EMBED_HOME}/repositories"
git clone https://git.openstack.org/openstack/openstack-ansible-plugins "${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins"
pushd "${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins"
git checkout cef7946b3b3b3e4d02406c228741985a94b72cff # HEAD of master from 20-06-18
popd
fi
if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service" ]]; then
mkdir -p "${ANSIBLE_EMBED_HOME}/repositories"
git clone https://git.openstack.org/openstack/ansible-role-systemd_service "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service"
pushd "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service"
git checkout 02f5ff1c0e073af53bed2141a045e608162970ea # HEAD of master from 20-06-18
popd
fi
if [[ -f "/etc/openstack_deploy/openstack_inventory.json" ]]; then
if [[ ! -f "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh" ]]; then
mkdir -p "${ANSIBLE_EMBED_HOME}/inventory"
cat > "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh" <<EOF
#!/usr/bin/env bash
cat /etc/openstack_deploy/openstack_inventory.json
EOF
chmod +x "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh"
fi
export USER_VARS="$(for i in $(ls -1 /etc/openstack_deploy/user_*secret*.yml); do echo -n "-e@$i "; done)"
OPTS+=('USER_VARS')
echo "env USER_VARS set"
echo "Extra users variables can be expanded by including the option \$USER_VARS on a playbook run."
export ANSIBLE_INVENTORY="${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh"
OPTS+=('ANSIBLE_INVENTORY')
echo "env ANSIBLE_INVENTORY set"
fi
export ANSIBLE_HOST_KEY_CHECKING="False"
OPTS+=('ANSIBLE_HOST_KEY_CHECKING')
echo "env ANSIBLE_HOST_KEY_CHECKING set"
export ANSIBLE_ROLES_PATH="${ANSIBLE_EMBED_HOME}/repositories/roles"
OPTS+=('ANSIBLE_ROLES_PATH')
echo "env ANSIBLE_ROLES_PATH set"
export ANSIBLE_ACTION_PLUGINS="${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template/action"
OPTS+=('ANSIBLE_ACTION_PLUGINS')
echo "env ANSIBLE_ACTION_PLUGINS set"
export ANSIBLE_CONNECTION_PLUGINS="${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins/connection/"
OPTS+=('ANSIBLE_CONNECTION_PLUGINS')
echo "env ANSIBLE_CONNECTION_PLUGINS set"
source ${ANSIBLE_EMBED_HOME}/bin/activate
echo "Embedded Ansible has been activated. Run 'deactivate' to leave the embedded environment".
function deactivate_embedded_venv {
deactivate
for i in ${OPTS[@]}; do
unset ${i}
done
unset deactivate_embedded_venv
unalias deactivate
}
alias deactivate=deactivate_embedded_venv

View File

@ -0,0 +1 @@
../bootstrap-embedded-ansible/bootstrap-embedded-ansible.sh
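Review bot: the 129-line bootstrap script is replaced by a relative symlink to `../bootstrap-embedded-ansible/bootstrap-embedded-ansible.sh`; please confirm that path exists in the tree at this commit and that the shared script still exports `ANSIBLE_ROLES_PATH`, `ANSIBLE_ACTION_PLUGINS` and `ANSIBLE_CONNECTION_PLUGINS` as the deleted copy did, since the docs hunk above still tells the deployer to set the action plugin path. The deleted copy also set `ANSIBLE_HOST_KEY_CHECKING="False"` unconditionally; if the shared one does the same, that should be a deliberate, documented choice rather than an inherited default.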

View File

@ -5,10 +5,3 @@ fleet_hosts:
ip: 10.0.236.111
logging3:
ip: 10.0.236.112
mariadb_hosts:
logging1:
ip: 10.0.236.110
logging2:
ip: 10.0.236.111
logging3:
ip: 10.0.236.112

View File

@ -3,35 +3,30 @@ component_skel:
fleet:
belongs_to:
- fleet_all
mariadb:
belongs_to:
- fleet_all
- mariadb_all
osquery:
belongs_to:
- fleet_all
container_skel:
mariadb_container:
belongs_to:
- mariadb_containers
contains:
- mariadb
fleet_container:
belongs_to:
- fleet_containers
contains:
- fleet
- mariadb
- osquery
physical_skel:
mariadb_container:
belongs_to:
- all_containers
mariadb_hosts:
belongs_to:
- hosts
fleet_containers:
belongs_to:
- all_containers
fleet_hosts:
belongs_to:
- hosts
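Review bot: folding `mariadb` (and `osquery`) into `fleet_container` means every fleet node is now also a Galera member and `mariadb_all` can no longer be placed on separate hosts; that is consistent with the `mysql: address: 127.0.0.1:3306` change in `fleet_config.yml.j2` further down, but it should be called out in the docs, because a deployer who keeps a `mariadb_hosts` entry (removed from the conf.d example in the hunk above) will now have it silently ignored.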

View File

@ -2,7 +2,7 @@ haproxy_extra_services:
- service:
haproxy_service_name: kolide-fleet
haproxy_ssl: False
haproxy_backend_nodes: "{{ groups['fleet'] | default([]) }}" # Fleet nodes
haproxy_backend_nodes: "{{ groups['fleet_all'] | default([]) }}" # Fleet nodes
haproxy_port: 6443 # This is set using the "kolide_fleet_port" variable
haproxy_check_port: 443 # This is set using the "kolide_fleet_port" variable
haproxy_backend_port: 443 # This is set using the "kolide_fleet_port" variable
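Review bot: `haproxy_check_port: 443` and `haproxy_backend_port: 443` stay hard-coded even though their comments say they follow `kolide_fleet_port`, and this patch changes that default from `443` to `8443` in `defaults/main.yml`; after this change haproxy health-checks and forwards to a port fleet no longer listens on. Template both from `kolide_fleet_port` (or update the literals) and keep the `6443` front-end consistent with the `8443` the docs hunk now mentions.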

View File

@ -14,7 +14,7 @@
# limitations under the License.
- name: Install MariaDB Galera Cluster
hosts: "mariadb"
hosts: "mariadb_all"
become: true
user: root
gather_facts: "{{ osa_gather_facts | default(True) }}"
@ -22,12 +22,23 @@
vars_files:
- vars/variables.yml
pre_tasks:
- name: Test for root db password
fail:
msg: >-
The root password for the galera cluster is not defined. To proceed with this
installation define the variable `mariadb_root_password` in line or within a
variable file.
when:
- mariadb_root_password is undefined
roles:
- role: galera_server
galera_root_user: "{{ mariadb_root_user }}"
galera_root_password: "{{ mariadb_root_password }}"
galera_cluster_members: "{{ groups['mariadb'] }}"
galera_cluster_members: "{{ groups['mariadb_all'] }}"
galera_wsrep_node_name: "{{ inventory_hostname }}"
galera_cluster_name: telemetry_galera_cluster
galera_monitoring_allowed_source: "0.0.0.0/0"
environment: "{{ deployment_environment_variables | default({}) }}"
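Review bot: the new pre-task fails only when `mariadb_root_password is undefined`, so an empty or placeholder value still passes; `mariadb_root_password is undefined or (mariadb_root_password | length) == 0` catches both. `mariadb_root_user` is passed to the role two lines below without the same check, so add it to the condition unless `vars/variables.yml` defaults it. Visible in the unchanged context: `galera_monitoring_allowed_source: "0.0.0.0/0"` opens the Galera monitoring endpoint to any source; a list of the fleet and haproxy addresses would be the least-privilege default.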

View File

@ -1,6 +1,6 @@
---
- name: Install Kolide Fleet
hosts: "fleet"
hosts: "fleet_all"
become: true
vars_files:
@ -10,5 +10,33 @@
gather_facts: "{{ osa_gather_facts | default(True) }}"
pre_tasks:
- name: Test for kolide db password
fail:
msg: >-
The DB password for the Kolide / Fleet cluster is not defined. To proceed with this
installation define the variable `kolide_fleet_db_password` in line or within a
variable file.
when:
- kolide_fleet_db_password is undefined
- name: Test for kolide shared key
fail:
msg: >-
The shared token for the Kolide / Fleet cluster is not defined. To proceed with this
installation define the variable `kolide_fleet_jwt_key` in line or within a
variable file.
when:
- kolide_fleet_jwt_key is undefined
- name: Test for kolide admin password
fail:
msg: >-
The admin password for the Kolide / Fleet cluster is not defined. To proceed with this
installation define the variable `kolide_fleet_admin_password` in line or within a
variable file.
when:
- kolide_fleet_admin_password is undefined
roles:
- role: fleet
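Review bot: the three `fail` tasks differ only in the variable name and the message; the `assert` module expresses this as one task (`that:` listing `kolide_fleet_db_password is defined`, `kolide_fleet_jwt_key is defined`, `kolide_fleet_admin_password is defined`, with a `fail_msg`), which also keeps the list of required secrets in one place when the next one is added. The messages say "in line" where "inline" is meant.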

View File

@ -14,7 +14,7 @@
# limitations under the License.
- name: Install osquery
hosts: "osquery"
hosts: "fleet_all:osquery:hosts"
become: true
vars_files:
- vars/variables.yml
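Review bot: the new host pattern `fleet_all:osquery:hosts` is a union, so osquery is now installed on every member of the generic `hosts` group and not only on the `osquery` group; if that is the intent (an agent on every physical host) the docs should say so, and the inventory example later in this patch also defines an `osquery_all` group that this pattern never targets.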
@ -26,40 +26,63 @@
pre_tasks:
- name: create osquery dir
file:
path: /etc/osquery/ssl
path: "{{ item }}"
state: directory
with_items:
- /etc/osquery
- /etc/osquery/ssl
- name: Debug fleet_config
debug:
var: hostvars[groups['fleet'][0]]['ansible_host']
verbosity: 2
- name: Synchronize certifactes back
synchronize:
mode: pull
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- src: "{{ kolide_fleet_ssl_cert }}"
dest: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
- src: "{{ kolide_fleet_ssl_key }}"
dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
when:
- inventory_hostname == groups['fleet_all'][0]
- name: Store ssl cert
slurp:
src: "{{ kolide_fleet_ssl_cert }}"
register: _kolide_fleet_ssl_cert
- name: Store ssl key
slurp:
src: "{{ kolide_fleet_ssl_key }}"
register: _kolide_fleet_ssl_key
- name: Register a fact for the cert and key
set_fact:
kolide_fleet_ssl_cert_fact: "{{ _kolide_fleet_ssl_cert.content }}"
kolide_fleet_ssl_key_fact: "{{ _kolide_fleet_ssl_key.content }}"
- name: Distribute self signed ssl cert
- name: Copy certifactes over
copy:
dest: "{{ kolide_fleet_ssl_cert }}"
content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_cert_fact'] | b64decode }}"
mode: "0640"
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- dest: "{{ kolide_fleet_ssl_cert }}"
src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
- dest: "{{ kolide_fleet_ssl_key }}"
src: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
when:
- inventory_hostname != groups['fleet_all'][0]
- name: retrieve Enrollment Token
command: /usr/local/bin/fleetctl get enroll-secret
changed_when: false
register: _enrollment_token
delegate_to: "{{ groups['fleet_all'][0] }}"
run_once: true
- name: Set kolide fleet enrollment token fact
set_fact:
kolide_fleet_enroll_secret: "{{ _enrollment_token.stdout }}"
- name: write enroll secret
copy:
dest: "{{ osquery_enroll_secret_dir }}"
content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_enroll_secret'] }}"
dest: "{{ osquery_enroll_secret_file }}"
content: "{{ kolide_fleet_enroll_secret }}"
mode: "0640"
post_tasks:
- name: Cleanup certifactes
file:
dest: "{{ item }}"
state: "absent"
delegate_to: localhost
with_items:
- "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
- "/tmp/{{ kolide_fleet_ssl_key | basename }}"
roles:
- role: "osquery"
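Review bot: the `Synchronize certifactes back` / `Copy certifactes over` pair pushes the fleet server's private key (`kolide_fleet_ssl_key`) to every osquery host, but an agent only needs the server certificate (ideally only a CA) to verify TLS; distributing the key to every endpoint makes each agent host a place the server identity can be taken from. Drop the key item from both lists. The key is also staged in `/tmp/` on the controller and re-copied without a `mode:`, so set `mode: "0600"` on the copy and use a private staging directory rather than `/tmp`; the `post_tasks` cleanup only runs if the play gets that far, so a failed run leaves the key behind on the controller. `retrieve Enrollment Token` registers the enroll secret and the following `set_fact` holds it, both of which appear in verbose output; add `no_log: true` to those tasks. The task names spell "certificates" as "certifactes" throughout.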

View File

@ -21,15 +21,19 @@ all:
# host machines here.
hosts:
hosts:
logging01:
logging01: {}
# This is the location where fleet(s) will live
mariadb:
fleet_all:
hosts:
logging01:
fleet:
logging01: {}
mariadb_all:
children:
fleet_all: {}
osquery_all:
hosts:
logging01:
osquery:
hosts:
logging01:
logging02:
ansible_host: 172.16.27.101
ansible_user: root
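Review bot: the example now defines `mariadb_all` as `children: fleet_all: {}` (so the DB always lives on the fleet nodes, consistent with the env.d change) and both an `osquery_all` and an `osquery` group, but the osquery play targets `fleet_all:osquery:hosts`, so `osquery_all` is never used; pick one group name and use it in the play. A short comment in the example saying which group a plain agent host such as `logging02` belongs in would help deployers.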

View File

@ -1,35 +0,0 @@
---
################################## ALL HOSTS ##################################
all:
hosts:
# Local host
localhost:
ansible_connection: local
################################## REQUIRED ###################################
logging01:
ansible_host: 104.130.207.70
ansible_user: root
vars: {}
################################### GROUPS ####################################
# The hosts group is used to target physical host machines. Enter all physical
# host machines here.
hosts:
hosts:
logging01:
# This is the location where fleet(s) will live
mariadb:
hosts:
logging01:
fleet:
hosts:
logging01:
osquery:
hosts:
logging01:

View File

@ -1,73 +0,0 @@
---
# Copyright 2018, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Install Kolide Fleet
hosts: "fleet"
become: true
vars_files:
- vars/variables.yml
environment: "{{ deployment_environment_variables | default({}) }}"
gather_facts: "{{ osa_gather_facts | default(True) }}"
pre_tasks:
- name: Store ssl cert
slurp:
src: "{{ kolide_fleet_ssl_cert }}"
register: _kolide_fleet_ssl_cert
- name: Store ssl ca cert
slurp:
src: "{{ kolide_fleet_ssl_ca_cert }}"
register: _kolide_fleet_ssl_ca_cert
when: kolide_fleet_user_ssl_ca_cert is defined
- name: Register a fact for the cert and key
set_fact:
kolide_fleet_ssl_cert_fact: "{{ _kolide_fleet_ssl_cert.content }}"
- name: Register a fact for the cert and key
set_fact:
kolide_fleet_ssl_ca_cert_fact: "{{ _kolide_fleet_ssl_ca_cert.content }}"
when: kolide_fleet_user_ssl_ca_cert is defined
- name: Distribute self signed ssl cert
copy:
dest: "{{ kolide_fleet_ssl_cert }}"
content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_cert_fact'] | b64decode }}"
mode: "0640"
- name: Distribute self signed CA ssl cert
copy:
dest: "{{ kolide_fleet_ca_ssl_cert }}"
content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_ca_cert_fact'] | b64decode }}"
mode: "0640"
when: kolide_fleet_user_ssl_ca_cert is defined
- name: retrieve Enrollment Token
command: /usr/local/bin/fleetctl get enroll-secret
register: _enrollment_token
- name: Set kolide fleet enrollment token fact
set_fact:
kolide_fleet_enroll_secret: "{{ _enrollment_token.stdout }}"
- name: write enroll secret
copy:
dest: "{{ osquery_enroll_secret_dir }}"
content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_enroll_secret'] }}"
mode: "0640"

View File

@ -1,10 +1,25 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Kolide Fleet vars
kolide_fleet_db_name: fleet
kolide_fleet_db_user: fleet
#kolide_fleet_db_password: fleetSecrete
kolide_fleet_port: "443"
kolide_fleet_port: "8443"
kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}"
kolide_fleet_version: "2.0.0-rc5"
kolide_fleet_url: "https://github.com/kolide/fleet/releases/download"
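Review bot: the default `kolide_fleet_port` moves from `443` to `8443`, but the haproxy vars in this same patch keep `443` as backend and check port, so the two files now disagree. Removing the `#kolide_fleet_db_password: fleetSecrete` default in favour of the failing pre-task is the right call; the commented line can go entirely so nobody un-comments a shared default. The new license header says 2016 on a file touched in 2018, as do the other new files in this patch; minor, but worth fixing in one pass.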
@ -14,13 +29,13 @@ kolide_fleet_admin_email: admin@openstack.org
kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert
kolide_fleet_ssl_key: /etc/ssl/private/fleet.key
kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem
kolide_fleet_ssl_ca_cert: /etc/ssl/certs/fleet-ca.pem
kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost"
kolide_fleet_ssl_csr: /etc/ssl/private/fleet.csr
kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
kolide_fleet_ssl_key_purge: false
#kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}"
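Review bot: the TLS defaults here are weaker than the deployment needs: `kolide_fleet_ssl_protocol` of `ALL -SSLv2 -SSLv3` still admits TLS 1.0 and 1.1, and the cipher string includes `RSA+AESGCM:RSA+AES`, i.e. static-RSA key exchange without forward secrecy. Since fleet and the osquery agents are the only clients, requiring TLS 1.2 and an ECDHE-only suite list is safe. The commented-out `#kolide_fleet_osquery_enroll_secret` line is dead and should be removed. `kolide_fleet_ssl_key_purge` is reused as `force:` for `openssl_certificate` in `fleetSSLkeyCreate.yml`; a name such as `kolide_fleet_ssl_regenerate` would make that clearer.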

View File

@ -0,0 +1,47 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Enable and restart kolide socket (systemd)
systemd:
name: "kolide-fleet-proxy.socket"
enabled: true
state: started
listen: Restart kolide (systemd)
- name: Enable and restart kolide (systemd)
systemd:
name: "kolide-fleet.service"
enabled: true
state: restarted
notify:
- Enable and restart kolide proxy (systemd)
listen: Restart kolide (systemd)
- name: Enable and restart kolide proxy (systemd)
systemd:
name: "kolide-fleet-proxy.service"
enabled: true
state: restarted
listen: Restart kolide (systemd)
- name: Cleanup certifactes
file:
dest: "{{ item }}"
state: "absent"
delegate_to: localhost
with_items:
- "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
- "/tmp/{{ kolide_fleet_ssl_key | basename }}"
- "/tmp/{{ kolide_fleet_ssl_csr | basename }}"
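Review bot: `Enable and restart kolide (systemd)` both `listen`s on `Restart kolide (systemd)` and `notify`s `Enable and restart kolide proxy (systemd)`, which itself listens on the same topic, so one notification restarts the proxy twice; drop the inner `notify`, since the listen order already runs socket, service, proxy. The socket handler uses `state: started`, which is right for a socket unit but means a changed socket template is not picked up without a reload; add `daemon_reload: true` to that handler. `Cleanup certifactes` deletes from `/tmp` on the controller via `delegate_to: localhost`; as a handler it only fires when the notifying task changed, so a run that copies nothing leaves any earlier staged files in place.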

View File

@ -20,7 +20,7 @@
login_host: "{{ mariadb_login_host | default('localhost') }}"
name: "{{ kolide_fleet_db_name }}"
state: "present"
delegate_to: "{{ groups['mariadb'][0] }}"
delegate_to: "{{ groups['mariadb_all'][0] }}"
no_log: False
tags:
- fleet_db_install
@ -36,7 +36,7 @@
state: "present"
priv: "{{ kolide_fleet_db_name }}.*:ALL"
append_privs: "{{ kolide_fleet_db_append_privs | default(omit) }}"
delegate_to: "{{ groups['mariadb'][0] }}"
delegate_to: "{{ groups['mariadb_all'][0] }}"
with_items: "{{ grant_list | default(['localhost', '%']) }}"
no_log: False
tags:
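Review bot: this task creates the fleet DB user with its password yet keeps `no_log: False`, so `kolide_fleet_db_password` is printed in the task result on every run (and in any CI log); set `no_log: true` here. The same applies to the `mysql_db` task above, where the output is less sensitive but equally unnecessary.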

View File

@ -22,5 +22,7 @@
template:
src: templates/fleet_config.yml.j2
dest: /etc/fleet/fleet_config.yml
notify:
- Restart kolide (systemd)
tags:
- fleet_config
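Review bot: `/etc/fleet/fleet_config.yml` is rendered from a template that carries the MySQL password and the JWT signing key (see `fleet_config.yml.j2` in this patch), but no `owner`, `group` or `mode` is set, so the file is created with the remote umask, typically `0644`; add `mode: "0640"` with the owner set to the account `kolide-fleet.service` runs as. The new `notify: Restart kolide (systemd)` is correct, since fleet reads the config only at start.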

View File

@ -15,6 +15,7 @@
- name: retrieve Enrollment Token
command: /usr/local/bin/fleetctl get enroll-secret
changed_when: false
register: _enrollment_token
- name: Set kolide fleet enrollment token fact

View File

@ -16,3 +16,5 @@
- name: Migrate the fleet database
command: /usr/local/bin/fleet prepare db --config=/etc/fleet/fleet_config.yml --no-prompt
changed_when: false
run_once: true

View File

@ -19,14 +19,19 @@
register: fleet_config_set
- name: set fleetctl default context
command: fleetctl config set --address https://localhost:{{ kolide_fleet_port }} --tls-skip-verify
when: fleet_config_set.stat.exists == false
command: /usr/local/bin/fleetctl config set --address https://localhost:{{ kolide_fleet_port }} --tls-skip-verify
changed_when: false
when:
- fleet_config_set.stat.exists == false
- name: register admin account
command: /usr/local/bin/fleetctl setup --email {{ kolide_fleet_admin_email }} --password {{ kolide_fleet_admin_password }}
changed_when: false
register: fleet_register_admin
ignore_errors: true # ignore errors as we might have already set this it will be caought later
- name: login admin account
command: /usr/local/bin/fleetctl login --email {{ kolide_fleet_admin_email }} --password {{ kolide_fleet_admin_password }}
when: fleet_register_admin['stderr'] == "Kolide Fleet has already been setup"
changed_when: false
when:
- fleet_register_admin['stderr'] == "Kolide Fleet has already been setup"
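Review bot: `fleetctl setup --password {{ kolide_fleet_admin_password }}` and the `login` task put the admin password on the command line, where it is visible in `ps` on the host and, without `no_log`, in the Ansible output; at minimum add `no_log: true` to both tasks. Detecting an already-initialised server by comparing `stderr` to the exact string `Kolide Fleet has already been setup` is brittle across fleet releases, and `ignore_errors: true` hides every other failure of `setup`; checking `fleet_register_admin.rc` together with `'already been setup' in fleet_register_admin.stderr` is more robust. `--tls-skip-verify` against `https://localhost` is tolerable only while the certificate has no usable SAN; once it does, drop the flag. "caought" in the comment is a typo.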

View File

@ -17,16 +17,12 @@
include_role:
name: redis
private: true
- name: create fleet dir
file:
path: /etc/fleet/ssl
state: directory
- name: Debug fleet_config
debug:
var: hostvars[groups['mariadb'][0]]['ansible_host']
verbosity: 2
- name: Drop fleet conf file
template:
src: templates/fleet_config.yml.j2
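Review bot: removing `create fleet dir` drops the only visible creation of a directory under `/etc/fleet`; the `template` task that writes `/etc/fleet/fleet_config.yml` does not create parent directories, so unless `fleetServerInstall.yml` or the binary copy task creates `/etc/fleet`, this fails on a fresh host. Please confirm where `/etc/fleet` is created after this change.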

View File

@ -20,7 +20,7 @@
tags:
- fleet-ssl
- include_tasks: fleetSSLselfSigned.yml
- include_tasks: fleetSSLkeyCreate.yml
when:
- kolide_fleet_user_ssl_cert is not defined or kolide_fleet_user_ssl_key is not defined

View File

@ -1,30 +0,0 @@
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Distribute self signed ssl key
copy:
dest: "{{ kolide_fleet_ssl_key }}"
content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_key_fact'] | b64decode }}"
mode: "0640"
tags:
- fleet-ssl
- name: Distribute self signed ssl cert
copy:
dest: "{{ kolide_fleet_ssl_cert }}"
content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_cert_fact'] | b64decode }}"
mode: "0640"
tags:
- fleet-ssl

View File

@ -17,21 +17,71 @@
file:
dest: "{{ item }}"
state: "absent"
when:
- kolide_fleet_ssl_key_purge | bool
with_items:
- "{{ kolide_fleet_ssl_pem }}"
- "{{ kolide_fleet_ssl_key }}"
- "{{ kolide_fleet_ssl_cert }}"
tags:
- fleet-ssl
- "{{ kolide_fleet_ssl_key }}"
- "{{ kolide_fleet_ssl_pem }}"
- "{{ kolide_fleet_ssl_ca_cert }}"
- name: Create self-signed ssl cert
command: >
openssl req -new -nodes -sha256 -x509 -subj
"{{ kolide_fleet_ssl_self_signed_subject }}"
-days 3650
-keyout {{ kolide_fleet_ssl_key }}
-out {{ kolide_fleet_ssl_cert }}
-extensions v3_ca
creates={{ kolide_fleet_ssl_cert }}
tags:
- kolide_fleet-ssl
- name: SSL Block
block:
- name: Generate service private key
openssl_privatekey:
path: "{{ kolide_fleet_ssl_key }}"
size: 4096
- name: Generate self signed CSR
openssl_csr:
path: "{{ kolide_fleet_ssl_csr }}"
privatekey_path: "{{ kolide_fleet_ssl_key }}"
common_name: "{{ ansible_domain }}"
country_name: XX
locality_name: Kolide-Server
organization_name: OpenStack
organizational_unit_name: OpenStack-Ansible-OPS
- name: Generate a Self Signed OpenSSL certificate
openssl_certificate:
path: "{{ kolide_fleet_ssl_cert }}"
privatekey_path: "{{ kolide_fleet_ssl_key }}"
csr_path: "{{ kolide_fleet_ssl_csr }}"
provider: selfsigned
force: "{{ kolide_fleet_ssl_key_purge | bool }}"
issuer:
O: OpenStack-Ansible-OPS
- name: Synchronize certifactes back
synchronize:
mode: pull
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- src: "{{ kolide_fleet_ssl_csr }}"
dest: "/tmp/{{ kolide_fleet_ssl_csr | basename }}"
- src: "{{ kolide_fleet_ssl_cert }}"
dest: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
- src: "{{ kolide_fleet_ssl_key }}"
dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
when:
- (groups['fleet_all'] | length) > 1
notify:
- Cleanup certifactes
when:
- inventory_hostname == groups['fleet_all'][0]
- name: Copy certifactes over
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
with_items:
- dest: "{{ kolide_fleet_ssl_csr }}"
src: "/tmp/{{ kolide_fleet_ssl_csr | basename }}"
- dest: "{{ kolide_fleet_ssl_cert }}"
src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
- dest: "{{ kolide_fleet_ssl_key }}"
src: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
when:
- inventory_hostname != groups['fleet_all'][0]
- (groups['fleet_all'] | length) > 1
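Review bot: the CSR sets `common_name: "{{ ansible_domain }}"` and no `subject_alt_name`; `ansible_domain` is empty on hosts without a DNS domain, and current TLS clients (osquery's included) match on SAN rather than CN, so agents connecting by hostname or IP fail verification, which is presumably why `--tls-skip-verify` is still needed against fleet. Add `subject_alt_name` with `DNS:{{ ansible_fqdn }}` and `IP:{{ ansible_host }}`. The `issuer:` block under `openssl_certificate` is an `assertonly`-provider check and has no effect with `provider: selfsigned`; the issuer is simply the CSR subject. `Synchronize certifactes back` pulls the private key into `/tmp/` on the controller and `Copy certifactes over` writes it to the other fleet nodes without a `mode:`; use a `0700` staging directory (or the `slurp` plus `copy` with `content:` approach this patch removes) and `mode: "0600"` on the key. The CSR does not need to travel at all once the certificate exists. The `(groups['fleet_all'] | length) > 1` condition inside the loop could move up to the block `when:` so it is evaluated once.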

View File

@ -1,29 +0,0 @@
---
# Copyright 2018, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Store ssl cert
slurp:
src: "{{ kolide_fleet_ssl_cert }}"
register: _kolide_fleet_ssl_cert
- name: Store ssl key
slurp:
src: "{{ kolide_fleet_ssl_key }}"
register: _kolide_fleet_ssl_key
- name: Register a fact for the cert and key
set_fact:
kolide_fleet_ssl_cert_fact: "{{ _kolide_fleet_ssl_cert.content }}"
kolide_fleet_ssl_key_fact: "{{ _kolide_fleet_ssl_key.content }}"

View File

@ -13,29 +13,41 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Install prerequisites
apt: name={{ item }} update_cache=yes
with_items:
- unzip
- ca-certificates
- apt-transport-https
- software-properties-common
- curl
- name: Run the systemd service role
include_role:
name: redis
private: true
- name: Ensure required disto packages are installed
package:
name: "{{ kolide_fleet_distro_packages }}"
state: "present"
update_cache: "{{ (ansible_pkg_mgr == 'apt') | ternary('yes', omit) }}"
register: _package_task
until: _package_task is success
retries: 3
delay: 2
tags:
- package_install
- name: create fleet dir
- name: Create fleet dir
file:
path: '/tmp/fleet_{{ kolide_fleet_version }}'
state: directory
- name: GET fleet
get_url:
url: "{{ kolide_fleet_url }}/{{ kolide_fleet_version }}/fleet_{{ kolide_fleet_version }}.zip"
dest: "/var/cache/fleet_{{ kolide_fleet_version }}.zip"
register: _get_task
until: _get_task is success
retries: 3
delay: 2
tags:
- package_install
- name: Unarchive Fleet binaries
unarchive:
src: '{{ kolide_fleet_url }}/{{ kolide_fleet_version }}/fleet_{{ kolide_fleet_version }}.zip'
dest: '/tmp/fleet_{{ kolide_fleet_version}}/'
src: '/var/cache/fleet_{{ kolide_fleet_version }}.zip'
dest: '/tmp/fleet_{{ kolide_fleet_version }}/'
remote_src: yes
notify:
- Restart kolide (systemd)
- name: Copy unarchived binaries
copy:
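Review bot: `GET fleet` downloads `fleet_{{ kolide_fleet_version }}.zip` from GitHub releases with no `checksum:`; the `until`/`retries` loop makes the fetch reliable but not verifiable, so a truncated or substituted archive is unpacked and installed silently. Add `checksum: "sha256:<hash for the pinned version>"` kept next to `kolide_fleet_version` in defaults so the task fails on mismatch. "disto" in the task name should be "distro". Moving the package list into `kolide_fleet_distro_packages` behind the generic `package` module is a good change.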

View File

@ -27,5 +27,21 @@
Unit:
Wants: network-online.target
Requires: redis-server.service
Service:
Slice: kolide-fleet.slice
tags:
- server-install
- name: Place the kolide-fleet socket
template:
src: 'kolide-fleet-proxy.socket.j2'
dest: '/etc/systemd/system/kolide-fleet-proxy.socket'
notify:
- Restart kolide (systemd)
- name: Place the kolide-fleet proxy
template:
src: 'kolide-fleet-proxy.service.j2'
dest: '/etc/systemd/system/kolide-fleet-proxy.service'
notify:
- Restart kolide (systemd)

View File

@ -1,45 +0,0 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Start redis fleet kolide service - initd
service:
name: redis
enabled: yes
state: restarted
when:
- ansible_service_mgr == "init"
tags:
- config
- name: Start fleet kolide service - initd
service:
name: redis
enabled: yes
state: restarted
when:
- ansible_service_mgr == "init"
tags:
- config
- name: Enable and restart kolide - systemd
systemd:
name: "kolide-fleet"
enabled: true
state: restarted
when:
- ansible_service_mgr == "systemd"
tags:
- config

View File

@ -1,30 +1,53 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Gather variables for each operating system
include_vars: "{{ item }}"
with_first_found:
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_distribution | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
- "{{ ansible_os_family | lower }}.yml"
tags:
- always
# install kolide fleet server
- include_tasks: fleetServerInstall.yml
# install software requirements
- include_tasks: fleetRequirements.yml
# install SSL certs
- include_tasks: createFleetDB.yml
# install SSL certs
- include_tasks: fleetSSL.yml
# install software requirements
- include_tasks: fleetRequirements.yml
# install kolide fleet server
- include_tasks: fleetServerInstall.yml
# drop the configuration
- include_tasks: fleetConfig.yml
# add files for systemd
- include_tasks: fleetService.yml
when:
- ansible_service_mgr == "systemd"
# migrate the database
- include_tasks: fleetMigrateDB.yml
run_once: true
# start fleet via systemd
- include_tasks: fleetStartService.yml
- name: Force kolide handlers
meta: flush_handlers
# configure kolide fleet & set admin account
- include_tasks: fleetRegisterAdmin.yml
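Review bot: the comment `# install SSL certs` appears twice, and the first copy sits above `createFleetDB.yml`, which creates the database rather than certificates; change it to `# create the fleet database` so the new task order (database, SSL, requirements, server install, config) reads correctly. Also worth verifying: `run_once: true` is set on `include_tasks: fleetMigrateDB.yml`, but keywords on a dynamic include apply to the include statement rather than being inherited by the tasks it pulls in, so check that the migration really runs on exactly one host in a multi-node deployment (putting `run_once` on the migration task itself is the safe option).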

View File

@ -1,10 +1,12 @@
---
mysql:
address: {{ hostvars[groups['mariadb'][0]]['ansible_host'] }}:3306
address: 127.0.0.1:3306
database: {{ kolide_fleet_db_name }}
username: {{ kolide_fleet_db_user }}
password: {{ kolide_fleet_db_password }}
redis:
address: localhost:6379
address: 127.0.0.1:6379
auth:
jwt_key: {{ kolide_fleet_jwt_key }}
server:
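Review bot: replacing the `hostvars[groups['mariadb'][0]]` lookup with a hardcoded `127.0.0.1:3306` (and `localhost:6379` with `127.0.0.1:6379`) means the template only works when MariaDB and Redis are co-located with fleet, which works against the multi-node goal of this change. Suggest variables with loopback defaults, for example `address: {{ kolide_fleet_db_address | default('127.0.0.1:3306') }}`, so a remote database host can be configured without editing the template. Since this file carries the plaintext DB password and the JWT signing key, also make sure the task that renders it sets a restrictive mode (e.g. `0640`) and the fleet service user as owner.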

View File

@ -1,70 +0,0 @@
#!/usr/bin/env bash
###############
# SysV Init Information
# description: docker daemon.
### BEGIN INIT INFO
# Provides: me
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Short-Description: manage docker daemon
# Description: docker daemon
### END INIT INFO
HOME=path/to/code
EXEC=docker
NAME="fleet_service"
LABEL={{ kolide_fleet_version }}
PORT=8412
case "$1" in
start)
RUNNING=`docker inspect -f '{{.State.Running}}' ${NAME}`
if [[ ${RUNNING} == "true" ]]; then
#
# No need to start it
#
echo "Process is running"
exit 1;
if
echo "Starting container: '$NAME'..."
docker run --restart=always -v /etc/fleet:/etc/fleet --name=fleet_service kolide/fleet:{{ kolide_fleet_version }} -p 8412:8412 --config=/etc/fleet/fleet_config.yml
;;
stop)
echo "Stopping $NAME..."
docker stop -t 2 ${NAME} &> /dev/null
if [[ 0 != $? ]]; then
echo "Could not stop container"
exit 4;
fi
;;
status)
RUNNING=`docker inspect -f '{{.State.Running}}' ${NAME}`
if [[ "true" == ${RUNNING} ]]; then
echo "$NAME is running"
else
echo "$NAME is not running"
fi
;;
inspect)
docker inspect ${NAME}
;;
logs)
docker logs ${NAME}
;;
restart)
$0 stop
$0 start
;;
*)
echo "Please use start, stop, restart, inspect or status as first argument"
;;
esac
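Review bot: removing this init script is the right call and nothing needs to be carried over; as written it never worked, because the `start)` branch closes its `if` block with `if` instead of `fi` and passes `-p 8412:8412` after the image name, where docker treats it as an argument to the container command rather than a port mapping.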

View File

@ -1,17 +0,0 @@
[Unit]
Requires=redis.service
After=redis.service
[Service]
TimeoutStartSec=0
ExecStartPre=-/usr/bin/docker pull kolide/fleet:{{ kolide_fleet_version }}
ExecStartPre=-/usr/bin/docker kill fleet_service
ExecStartPre=-/usr/bin/docker rm fleet_service
ExecStart=/usr/bin/docker run -v /etc/fleet:/etc/fleet --name fleet_service kolide/fleet:{{ kolide_fleet_version }} --config=/etc/fleet/fleet_config.yml
ExecStop=-/usr/bin/docker stop fleet_fleet
ExecReload=/usr/bin/docker restart fleet_service
[Install]
WantedBy=multi-user.target

View File

@ -0,0 +1,8 @@
[Unit]
Description=Remote Switch redirect
[Service]
After = kolide-fleet-proxy.socket
Requires = kolide-fleet-proxy.socket
partof = kolide-fleet.service
ExecStart=/lib/systemd/systemd-socket-proxyd 127.0.0.1:{{ kolide_fleet_port }}
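Review bot: `After=`, `Requires=` and `partof=` are `[Unit]` directives, but this unit places them under `[Service]`, where systemd logs an unknown-lvalue warning and ignores them, so the ordering and dependency on `kolide-fleet-proxy.socket` and `kolide-fleet.service` is never applied; move the three lines into `[Unit]`. Directive names are also case-sensitive, so `partof` must be `PartOf`. The `Description=Remote Switch redirect` text looks copied from elsewhere; describe what the unit does (socket-activated proxy to kolide-fleet on loopback).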

View File

@ -0,0 +1,6 @@
[Socket]
ListenStream=0.0.0.0:443
Transparent=yes
[Install]
WantedBy=sockets.target
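Review bot: `ListenStream=0.0.0.0:443` exposes the proxy on every IPv4 interface and never on IPv6; if the intent is to front a loopback-only fleet with a single public port, say so in a comment and consider restricting it to the management address. Check the port pairing as well: the defaults hunk further down sets `kolide_fleet_port: "443"` and the fleet address to `127.0.0.1:{{ kolide_fleet_port }}`, so the proxy service listens on 0.0.0.0:443 and forwards to 127.0.0.1:443, the same port on both ends; verify the two listeners do not collide at bind time, or give fleet a distinct backend port. `Transparent=yes` (IP_TRANSPARENT) is not needed for a plain proxy to loopback; drop it unless there is a reason for it.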

View File

@ -1,69 +0,0 @@
#!/usr/bin/env bash
###############
# SysV Init Information
# description: docker daemon.
### BEGIN INIT INFO
# Provides: me
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 5
# Default-Stop: 0 1 6
# Short-Description: manage docker daemon
# Description: docker daemon
### END INIT INFO
HOME=path/to/code
EXEC=docker
NAME="redis_service"
LABEL={{ kolide_fleet_version }}
case "$1" in
start)
RUNNING=`docker inspect -f '{{.State.Running}}' ${NAME}`
if [[ ${RUNNING} == "true" ]]; then
#
# No need to start it
#
echo "Process is running"
exit 1;
if
echo "Starting container: '$NAME'..."
docker run -d --restart=always --name=redis_service redis:4-alpine
;;
stop)
echo "Stopping $NAME..."
docker stop -t 2 ${NAME} &> /dev/null
if [[ 0 != $? ]]; then
echo "Could not stop container"
exit 4;
fi
;;
status)
RUNNING=`docker inspect -f '{{.State.Running}}' ${NAME}`
if [[ "true" == ${RUNNING} ]]; then
echo "$NAME is running"
else
echo "$NAME is not running"
fi
;;
inspect)
docker inspect ${NAME}
;;
logs)
docker logs ${NAME}
;;
restart)
$0 stop
$0 start
;;
*)
echo "Please use start, stop, restart, inspect or status as first argument"
;;
esac

View File

@ -1,18 +0,0 @@
[Unit]
Description=Redis Container
After=docker.service
Requires=docker.service
[Service]
Type=simple
restart=always
TimeoutStartSec=120
ExecStartPre=-/usr/bin/docker pull redis:4-alpine
ExecStartPre=-/usr/bin/docker kill redis_service
ExecStartPre=-/usr/bin/docker rm redis_service
ExecStart=/usr/bin/docker run --name redis_service redis:alpine
ExecStop=/usr/bin/docker stop redis_service
[Install]
WantedBy=multi-user.target

View File

@ -1,5 +1,5 @@
---
# Copyright 2018, Rackspace US, Inc.
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
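Review bot: this hunk changes the copyright line from 2018 back to 2016, which looks like a header copied from an older file rather than an intended change for a file written in 2018; keep `Copyright 2018`.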
@ -13,6 +13,11 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- include_tasks: fleetSSLkeyCreate.yml
- include_tasks: fleetSSLstore.yml
- include_tasks: fleetSSLdistribute.yml
kolide_fleet_distro_packages:
- apt-transport-https
- ca-certificates
- curl
- python3-openssl
- python-openssl
- software-properties-common
- unzip

View File

@ -1,10 +1,10 @@
---
# Kolide Fleet vars
kolide_fleet_db_name: fleet
kolide_fleet_db_user: fleet
#kolide_fleet_db_password: fleetSecrete
kolide_fleet_port: "443"
kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}"
kolide_fleet_address: "127.0.0.1:{{ kolide_fleet_port }}"
kolide_fleet_version: "2.0.0-rc5"
kolide_fleet_url: "https://github.com/kolide/fleet/releases/download"
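Review bot: switching `kolide_fleet_address` from `0.0.0.0` to `127.0.0.1` is the right direction now that fleet sits behind the socket proxy, but note that `kolide_fleet_port: "443"` is then shared between fleet on loopback and the proxy socket on `0.0.0.0:443` (see the socket unit in this change); verify that combination binds cleanly. `kolide_fleet_db_password` stays commented out so the secret must come from user vars, which is good; delete the commented `fleetSecrete` example entirely rather than leaving a sample password in defaults. `kolide_fleet_version: "2.0.0-rc5"` pins a release candidate; fine for now, but add a comment so it is revisited once a GA release is used.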
@ -13,9 +13,6 @@ kolide_fleet_admin_email: admin@openstack.org
kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert
kolide_fleet_ssl_key: /etc/ssl/private/fleet.key
kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem
kolide_fleet_ssl_ca_cert: /etc/ssl/certs/fleet-ca.pem
kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost"
kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
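Review bot: dropping `kolide_fleet_ssl_ca_cert` removes the one default path that osquery agents could be pointed at for `--tls_server_certs`; if the ssl modules now generate the certificate, make sure the certificate that agents must trust is still distributed and its path is exposed as a variable. The removed `kolide_fleet_ssl_self_signed_subject` was wrong anyway (a SAN cannot be expressed as `/subjectAltName=` inside the subject string), so confirm the new ssl-module based CSR sets `subject_alt_name` for the host address, otherwise agents that validate the server name will fail the TLS handshake. If `kolide_fleet_ssl_protocol` and `kolide_fleet_ssl_cipher_suite` are no longer consumed anywhere, removing them is fine; if they still appear in a template, this hunk breaks it.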

View File

@ -0,0 +1,70 @@
---
driver:
name: docker
## https://github.com/test-kitchen/kitchen-docker/issues/54
use_sudo: false
transport:
name: sftp
provisioner:
name: ansible_playbook
roles_path: ../
hosts: test-kitchen
# ansible_verbose: true
ansible_verbose: false
ansible_verbosity: 3
ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %>
# require_chef_omnibus: false
require_ansible_omnibus: true
# require_chef_for_busser: false
enable_yum_epel: true
ansible_connection: ssh
platforms:
- name: ubuntu-18.04
driver_config:
# https://github.com/test-kitchen/kitchen-docker/issues/285
provision_command: mkdir -p /run/sshd
- name: ubuntu-16.04
## systemd?
driver:
config:
security.privileged: true
- name: ubuntu-14.04
- name: ubuntu-12.04
- name: centos-7
## systemd
driver:
config:
security.privileged: true
### epel mirror issue. see readme
# - name: centos-6
### Ansible 2.2+/cryptography: https://github.com/ansible/ansible/issues/276
# provisioner:
# ansible_version: 2.1.2.0
## tool chain kitchen and image need customization... nok currently
# - name: alpine-3.4
# - name: debian-8
- name: debian-9
suites:
- name: default
run_list:
attributes:
- name: default-osquery-syslog
run_list:
attributes:
- name: default-osquery-syslog-fs
run_list:
attributes:
- name: default-profiling
run_list:
attributes:
includes:
- ubuntu-16.04
- name: default-fleetmanager
run_list:
attributes:
includes:
- ubuntu-16.04
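Review bot: this file and the vendored CI files that follow (`.kitchen*.yml`, `.travis*.yml`, the Jenkinsfile) are the upstream role's test harness; they rely on `roles_path: ../`, the Galaxy directory name `kbrebanov.osquery`, Travis-hosted LXD/docker setups and EOL platforms (ubuntu-12.04/14.04) that cannot run inside this repository. Suggest dropping them from the vendored copy, or at minimum recording in the role's README which upstream commit was vendored and why (the apparmor profile issue from the commit message), so the divergence from upstream stays trackable.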

View File

@ -0,0 +1,57 @@
---
# $ KITCHEN_YAML=".kitchen.vagrant.yml" kitchen verify
driver:
name: vagrant
provider: <%= ENV['KITCHEN_PROVIDER'] || 'virtualbox' %>
## make file transfer faster. need https://github.com/coderanger/kitchen-sync
transport:
name: sftp
provisioner:
name: ansible_playbook
roles_path: ../
hosts: test-kitchen
# ansible_verbose: true
ansible_verbose: false
ansible_verbosity: 3
ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %>
platforms:
- name: ubuntu-18.04
- name: ubuntu-16.04
- name: ubuntu-14.04
- name: centos-7.1
## ansible < 2.x
# - name: debian-8
# driver_config:
# box: debian-8
# box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box
- name: debian-9
driver:
box: remram/debian-9-amd64
suites:
- name: default
run_list:
attributes:
- name: default-osquery-syslog
run_list:
attributes:
- name: default-osquery-syslog-fs
run_list:
attributes:
- name: default-profiling
run_list:
attributes:
includes:
- ubuntu-18.04
- name: default-fleetmanager
run_list:
attributes:
includes:
- ubuntu-18.04
driver_config:
network:
- ["forwarded_port", {guest: 8080, host: 9080}]

View File

@ -0,0 +1,56 @@
---
driver:
name: lxd_cli
transport:
name: sftp
provisioner:
name: ansible_playbook
roles_path: ../
hosts: test-kitchen
ansible_verbose: true
# ansible_verbose: false
ansible_verbosity: 2
ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %>
require_ansible_omnibus: true
require_chef_omnibus: false
# require_chef_for_busser: false
enable_yum_epel: true
ansible_connection: ssh
platforms:
- name: ubuntu-18.04
- name: ubuntu-16.04
# - name: ubuntu-14.04
# - name: ubuntu-12.04
- name: centos-7
# - name: centos-6
# - name: alpine-3.7
suites:
- name: default
run_list:
attributes:
- name: default-osquery-syslog
run_list:
attributes:
includes:
- ubuntu-18.04
- centos-7
- name: default-osquery-syslog-fs
run_list:
attributes:
includes:
- ubuntu-18.04
- centos-7
- name: default-profiling
run_list:
attributes:
includes:
- ubuntu-18.04
- name: default-fleetmanager
run_list:
attributes:
includes:
- ubuntu-18.04

View File

@ -0,0 +1,97 @@
---
dist: trusty
sudo: required
rvm:
- 2.4
env:
## those images need pre-configuration before being usable (openssh...)
# - distribution: centos
# version: 6
- distribution: centos
version: 7
suite: default
- distribution: ubuntu
version: 18.04
suite: default
- distribution: ubuntu
version: 16.04
suite: default
# - distribution: ubuntu
# version: 14.04
# - distribution: ubuntu
# version: 12.04
# - distribution: alpine
# version: 3.4
- distribution: centos
version: 7
suite: default-osquery-syslog
- distribution: ubuntu
version: 18.04
suite: default-osquery-syslog
- distribution: centos
version: 7
suite: default-osquery-syslog-fs
- distribution: ubuntu
version: 18.04
suite: default-osquery-syslog-fs
- distribution: ubuntu
version: 18.04
suite: default-profiling
- distribution: ubuntu
version: 18.04
suite: default-fleetmanager
before_install:
- env
- pwd
- find -ls
## use appropriate role path and not github name
- "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh"
## No Xenial, https://github.com/travis-ci/travis-ci/issues/5821
# - sudo apt install lxd
- echo "deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse" | sudo tee /etc/apt/sources.list.d/trusty-backports.list
- sudo apt-get update -qq
- sudo apt -t trusty-backports -y install lxd acl -q
## change of group implies logout+login to apply... can't do with travis = run as root (sic)
## https://github.com/travis-ci/travis-ci/issues/1839 or chain: sudo -E su $USER -c "..."
- sudo usermod -G lxd travis
# Pull container
# - lxc remote add images images.linuxcontainers.org
- sudo -E su $USER -c "lxc remote list"
- sudo -E su $USER -c "lxc image list"
## pre-download base images
- 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] || lxc image copy images:${distribution}/${version}/amd64 local: --alias=${distribution}-${version}-nossh"'
- 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] && lxc image copy ubuntu:${version} local: --alias=${distribution}-${version}" || true'
## configure lxd-bridge
- sudo perl -pi -e 's@^LXD_IPV4_ADDR=""@LXD_IPV4_ADDR="10.252.116.1"@;s@^LXD_IPV4_NETMASK=""@LXD_IPV4_NETMASK="255.255.255.0"@;s@^LXD_IPV4_NETWORK=""@LXD_IPV4_NETWORK="10.252.116.1/24"@;s@^LXD_IPV4_DHCP_RANGE=""@LXD_IPV4_DHCP_RANGE="10.252.116.2,10.252.116.254"@;s@^LXD_IPV4_DHCP_MAX=""@LXD_IPV4_DHCP_MAX="252"@;s@LXD_IPV6_PROXY="true"@LXD_IPV6_PROXY="false"@' /etc/default/lxd-bridge
# - cat /etc/default/lxd-bridge
# - service --status-all
- sudo service lxd restart
- sudo pip install ansible
- gem install kitchen
- gem install kitchen-ansible
- gem install kitchen-sync
- gem install kitchen-lxd_cli
- gem list
- which kitchen
## ssh key for lxd_cli ?
- ls ~/.ssh
- ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -P ""
## sudo/su get us a non-usual PATH ...
- '[ "X${distribution}" == "Xcentos" ] && sudo -E su $USER -c "sh -x ./test/lxd/centos-ssh-image.sh" || true'
- sudo -E su $USER -c "env"
## The command "sudo -E su $USER -c "which kitchen"" failed and exited with 1 during .
# - sudo -E su $USER -c "which kitchen"
- sudo -E su $USER -c "env PATH=$PATH kitchen diagnose --all"
# - sudo -E su $USER -c "kitchen diagnose --all"
# - sudo -E -u $USER kitchen diagnose --all
script:
# - KITCHEN_LOCAL_YAML=.kitchen.local.yml bundle exec kitchen verify ${INSTANCE}
- sudo -E su $USER -c "env PATH=$PATH kitchen verify ${suite}-${distribution}-${version//./} -l debug || (cat $HOME/.kitchen/logs/${suite}-${distribution}-${version//./}.log; find /tmp/kitchen)"
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

View File

@ -0,0 +1,160 @@
---
## from https://github.com/geerlingguy/ansible-role-apache/blob/master/.travis.yml
sudo: required
env:
# - distribution: centos
# version: 6
# init: /sbin/init
# run_opts: ""
# suite: default
- distribution: centos
version: 7
init: /usr/lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default
ansible_version: 2.5.5
ansible_extra_vars: ""
# - distribution: ubuntu
# version: 18.04
# init: /lib/systemd/systemd
# run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
# suite: default
# ansible_version: 2.5.5
# ansible_extra_vars: ""
- distribution: ubuntu
version: 16.04
init: /lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default
ansible_version: 2.5.5
ansible_extra_vars: ""
# - distribution: ubuntu
# version: 14.04
# init: /sbin/init
# run_opts: ""
# suite: default
# - distribution: ubuntu
# version: 12.04
# init: /sbin/init
# run_opts: ""
# suite: default
# - distribution: alpine
# version: 3.4
# init: /sbin/init
# run_opts: ""
# suite: default
## https://travis-ci.org/juju4/ansible-osquery/jobs/246615342, https://github.com/facebook/osquery/issues/2321
- distribution: debian
version: 9
init: /lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default
ansible_version: 2.5.5
ansible_extra_vars: ""
- distribution: centos
version: 7
init: /usr/lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default-osquery-syslog
ansible_version: 2.5.5
ansible_extra_vars: ""
- distribution: ubuntu
version: 16.04
init: /lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default-osquery-syslog
ansible_version: 2.5.5
ansible_extra_vars: ""
- distribution: centos
version: 7
init: /usr/lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default-osquery-syslog-fs
ansible_version: 2.5.5
ansible_extra_vars: ""
- distribution: ubuntu
version: 16.04
init: /lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default-osquery-syslog-fs
ansible_version: 2.5.5
ansible_extra_vars: ""
- distribution: ubuntu
version: 16.04
init: /lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default-profiling
ansible_version: 2.5.5
ansible_extra_vars: ""
# past ansible version
- distribution: ubuntu
version: 16.04
init: /lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default
ansible_version: 2.4.5
ansible_extra_vars: ""
# upcoming ansible version
- distribution: ubuntu
version: 16.04
init: /lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default
ansible_version: 2.6.0rc3
ansible_extra_vars: ""
services:
- docker
before_install:
# - sudo apt-get update
# Pull container
- 'sudo docker pull ${distribution}:${version}'
- env
- pwd
- find -ls
- "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh"
- cp test/travis/initctl_faker test/
# Customize container
- 'sudo docker build --rm=true --file=test/travis/Dockerfile.${distribution}-${version} --tag=${distribution}-${version}:ansible test'
before_script:
- container_id=$(mktemp)
# Run container in detached state
- 'sudo docker run --detach --volume="${PWD%/*}":/etc/ansible/roles:ro ${run_opts} ${distribution}-${version}:ansible "${init}" > "${container_id}"'
- 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm pip install --upgrade pip'
- 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm pip install ansible==${ansible_version}'
- 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible --version'
script:
# Ansible syntax check.
- 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/default.yml --syntax-check'
# Test role.
- 'travis_wait 30 sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/default.yml -vv ${ansible_extra_vars}'
# Test role idempotence.
- >
travis_wait 30 sudo docker exec "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/default.yml ${ansible_extra_vars}
| tee /tmp/idempotency.log
| grep -q 'changed=0.*failed=0'
&& (echo 'Idempotence test: pass' && exit 0)
|| (echo 'Idempotence test: fail' && cat /tmp/idempotency.log && exit 0)
# serverspec tests
## travis/docker: Errno::EROFS: Read-only file system @ dir_s_mkdir - /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/serverspec/.bundle
# - 'sudo docker exec --tty "$(cat ${container_id})" /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/serverspec/run-local-tests.sh'
after_failure:
# Check what happened on systemd systems.
- 'docker exec --tty "$(cat ${container_id})" env TERM=xterm systemctl -l --no-pager status osqueryd.service'
- 'docker exec --tty "$(cat ${container_id})" env TERM=xterm journalctl -xe --no-pager'
after_script:
# Clean up
- 'sudo docker stop "$(cat ${container_id})"'
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

View File

@ -0,0 +1,71 @@
---
## note: can't fully test osquery inside docker as will not be able have kernel /dev/osquery
dist: trusty
sudo: required
rvm:
- 2.4
env:
# - distribution: centos
# version: 6
- distribution: centos
version: 7
suite: default
- distribution: ubuntu
version: 16.04
suite: default
- distribution: ubuntu
version: 14.04
suite: default
# - distribution: ubuntu
# version: 12.04
# - distribution: alpine
# version: 3.4
- distribution: debian
version: 8
suite: default
- distribution: centos
version: 7
suite: default-osquery-syslog
- distribution: ubuntu
version: 16.04
suite: default-osquery-syslog
- distribution: ubuntu
version: 14.04
suite: default-osquery-syslog
- distribution: centos
version: 7
suite: default-osquery-syslog-fs
- distribution: ubuntu
version: 16.04
suite: default-osquery-syslog-fs
- distribution: ubuntu
version: 14.04
suite: default-osquery-syslog-fs
before_install:
- env
- pwd
- find -ls
## use appropriate role path and not github name
- "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh"
- sudo pip install ansible
## need to use chef gem for some reason? BAD PATH https://github.com/chef/chef-dk/issues/15
# - chef gem install kitchen
- gem install kitchen
- gem install kitchen-ansible
- gem install kitchen-sync
- gem install kitchen-docker
- gem list
- which kitchen
- KITCHEN_YAML=.kitchen.docker.yml kitchen diagnose --all
script:
## avoid locale issue under xenial docker, https://github.com/pypa/pip/issues/3575
- export LC_ALL=C.UTF-8
- export LANG=C.UTF-8
- KITCHEN_YAML=.kitchen.docker.yml kitchen verify ${suite}-${distribution}-${version//./}
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

View File

@ -0,0 +1,76 @@
---
dist: trusty
sudo: required
rvm:
- 2.4
env:
## those images need pre-configuration before being usable (openssh...)
# - distribution: centos
# version: 6
- distribution: centos
version: 7
- distribution: ubuntu
version: 18.04
- distribution: ubuntu
version: 16.04
# - distribution: ubuntu
# version: 14.04
# - distribution: ubuntu
# version: 12.04
# - distribution: alpine
# version: 3.4
before_install:
- env
- pwd
- find -ls
## use appropriate role path and not github name
- "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh"
## No Xenial, https://github.com/travis-ci/travis-ci/issues/5821
# - sudo apt install lxd
- echo "deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse" | sudo tee /etc/apt/sources.list.d/trusty-backports.list
- sudo apt-get update -qq
- sudo apt -t trusty-backports -y install lxd acl -q
## change of group implies logout+login to apply... can't do with travis = run as root (sic)
## https://github.com/travis-ci/travis-ci/issues/1839 or chain: sudo -E su $USER -c "..."
- sudo usermod -G lxd travis
# Pull container
# - lxc remote add images images.linuxcontainers.org
- sudo -E su $USER -c "lxc remote list"
- sudo -E su $USER -c "lxc image list"
## pre-download base images
- 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] || lxc image copy images:${distribution}/${version}/amd64 local: --alias=${distribution}-${version}-nossh"'
- 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] && lxc image copy ubuntu:${version} local: --alias=${distribution}-${version}" || true'
## configure lxd-bridge
- sudo perl -pi -e 's@^LXD_IPV4_ADDR=""@LXD_IPV4_ADDR="10.252.116.1"@;s@^LXD_IPV4_NETMASK=""@LXD_IPV4_NETMASK="255.255.255.0"@;s@^LXD_IPV4_NETWORK=""@LXD_IPV4_NETWORK="10.252.116.1/24"@;s@^LXD_IPV4_DHCP_RANGE=""@LXD_IPV4_DHCP_RANGE="10.252.116.2,10.252.116.254"@;s@^LXD_IPV4_DHCP_MAX=""@LXD_IPV4_DHCP_MAX="252"@;s@LXD_IPV6_PROXY="true"@LXD_IPV6_PROXY="false"@' /etc/default/lxd-bridge
# - cat /etc/default/lxd-bridge
# - service --status-all
- sudo service lxd restart
- sudo pip install ansible
- gem install kitchen
- gem install kitchen-ansible
- gem install kitchen-sync
- gem install kitchen-lxd_cli
- gem list
- which kitchen
## ssh key for lxd_cli ?
- ls ~/.ssh
- ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -P ""
## sudo/su get us a non-usual PATH ...
- '[ "X${distribution}" == "Xcentos" ] && sudo -E su $USER -c "sh -x ./test/lxd/centos-ssh-image.sh" || true'
- sudo -E su $USER -c "env"
## The command "sudo -E su $USER -c "which kitchen"" failed and exited with 1 during .
# - sudo -E su $USER -c "which kitchen"
- sudo -E su $USER -c "env PATH=$PATH kitchen diagnose --all"
# - sudo -E su $USER -c "kitchen diagnose --all"
# - sudo -E -u $USER kitchen diagnose --all
script:
# - KITCHEN_LOCAL_YAML=.kitchen.local.yml bundle exec kitchen verify ${INSTANCE}
- sudo -E su $USER -c "env PATH=$PATH kitchen verify default-${distribution}-${version//./} -l debug || (cat $HOME/.kitchen/logs/default-${distribution}-${version//./}.log; find /tmp/kitchen)"
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

View File

@ -0,0 +1,42 @@
---
sudo: required
dist: trusty
language: generic
before_install:
- sudo apt-get -qq update
- sudo apt-get install -y python python-pip
install:
# Install ansible
- sudo pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
# Install role dependencies
# ...
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
# Run the role/playbook with ansible-playbook
- ansible-playbook tests/test.yml -i tests/inventory --connection=local --become
# Run the role/playbook again, checking to make sure it's idempotent
- >
ansible-playbook tests/test.yml -i tests/inventory --connection=local --become
| grep -q 'changed=0.*failed=0'
&& (echo 'Idempotence test: pass' && exit 0)
|| (echo 'Idempotence test: fail' && exit 1)
# Playbook specific tests
# ...
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

View File

@ -0,0 +1,61 @@
---
sudo: required
dist: trusty
language: generic
env:
- suite: default
- suite: default-osquery-syslog
- suite: default-osquery-syslog-fs
before_install:
- sudo apt-get -qq update
- sudo apt-get install -y python python-pip
- "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh"
## serverspec test
- sudo apt-get install -qq ruby2.0 rake
- sudo gem2.0 install serverspec
install:
# Install ansible
- sudo pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
- "echo \"[test-kitchen]\nlocalhost\" > inventory"
- gem2.0 --version
# Install role dependencies
# ...
script:
# Basic role syntax check
- "ansible-playbook -i inventory --syntax-check test/integration/${suite}/default.yml"
# Run the role/playbook with ansible-playbook
- "ansible-playbook -i inventory --connection=local --sudo -vvvv test/integration/${suite}/default.yml"
# Run the role/playbook again, checking to make sure it's idempotent
- >
ansible-playbook -i inventory test/integration/${suite}/default.yml --connection=local --become
| grep -q 'changed=0.*failed=0'
&& (echo 'Idempotence test: pass' && exit 0)
|| (echo 'Idempotence test: fail' && exit 1)
# Playbook specific tests
# - "cd test/integration/${suite}/serverspec/ && bundle exec rake spec"
after_failure:
- "ls -l /var/log/ /var/log/osquery/"
- "sudo cat /var/log/osquery*.log /var/log/osquery/*.log"
- "sudo cat /etc/rsyslog.d/30-osquery-target.conf"
- "sudo systemctl -l status"
- "sudo journalctl -xe --no-pager"
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/

osquery/roles/osquery/Jenkinsfile vendored Normal file
View File

@ -0,0 +1,59 @@
// Work in progress
node {
try{
currentBuild.result = "SUCCESS"
def workspace = pwd()
def directory = "kbrebanov.osquery"
stage 'Clean Workspace'
deleteDir()
stage("Download source and capture commit ID") {
sh "mkdir $directory"
dir("$directory") {
checkout scm
// Get the commit ID
sh 'git rev-parse --verify HEAD > GIT_COMMIT'
git_commit = readFile('GIT_COMMIT').take(7)
echo "Current commit ID: ${git_commit}"
}
}
dir("$directory") {
stage("Get dependencies"){
sh "sh -x get-dependencies.sh"
}
stage("Build and verify 1"){
defaultplatform = sh (
script: '''#!/bin/bash
kitchen list | awk "!/Instance/ {print \\$1; exit}"
''',
returnStdout: true
).trim()
echo "default platform: ${defaultplatform}"
sh "kitchen test ${defaultplatform}"
// must keep instance for security testing after
//sh "kitchen verify ${defaultplatform}"
}
stage("Build and verify all platforms"){
sh "kitchen test"
}
stage("Cleanup if no errors"){
sh "kitchen destroy"
}
}
}
catch(err) {
currentBuild.result = "FAILURE"
throw err
}
}

View File

@ -0,0 +1,24 @@
Copyright (c) 2015, Kevin Brebanov
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

View File

@ -0,0 +1,43 @@
[![Build Status - Master](https://travis-ci.org/juju4/ansible-osquery.svg?branch=master)](https://travis-ci.org/juju4/ansible-osquery)
[![Build Status - Devel](https://travis-ci.org/juju4/ansible-osquery.svg?branch=devel)](https://travis-ci.org/juju4/ansible-osquery/branches)
osquery
=======
[![Build Status](https://travis-ci.org/kbrebanov/ansible-osquery.svg?branch=master)](https://travis-ci.org/kbrebanov/ansible-osquery)
Installs osquery
Requirements
------------
This role requires Ansible 2.0 or higher.
Role Variables
--------------
None
Dependencies
------------
None
Example Playbook
----------------
Install osquery
```yaml
- hosts: all
roles:
- kbrebanov.osquery
```
License
-------
BSD
Author Information
------------------
Kevin Brebanov
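Review bot: the README still carries the upstream build badges (juju4 and kbrebanov) and states `Role Variables: None`, which is incorrect for a role whose defaults file (next hunk) defines dozens of variables; since this is a vendored copy, replace the badges with a short note on the upstream source and the reason for vendoring, and point readers to `defaults/main.yml` for the variables, in particular the fleet enrollment flags.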

View File

@ -0,0 +1,131 @@
---
# defaults file for osquery
osquery_service_enable: true
osquery_debug_packages_install: true
## define this if don't want to use upstream ones
#osquery_repository: ''
#osquery_repositorykey: ''
osquery_template: 'osquery.conf.j2'
#osquery_upload_packs: []
osquery_upload_packs:
- osquery-snapshots-pack
- osquery-monitoring2-pack
osquery_packs:
- "osquery-monitoring"
- "incident-response"
- "it-compliance"
# - "osx-attacks"
- "ossec-rootkit"
- "vuln-management"
- "hardware-monitoring"
- "osquery-snapshots-pack"
- osquery-monitoring2-pack
osquery_config_plugin: 'filesystem'
osquery_logger_plugin: 'filesystem'
#osquery_logger_plugin: 'syslog'
#osquery_logger_plugin: 'filesystem,syslog'
#osquery_logger_plugin: 'tls'
osquery_flags: []
## if using zentral, kolide or else
## https://github.com/zentralopensource/zentral/blob/f460b10a95d4ea1e515aea3363f55733465d1d9c/zentral/contrib/osquery/deb_script/template.sh
## https://docs.kolide.co/kolide/current/infrastructure/adding-hosts-to-kolide.html
#osquery_enroll_secret: ""
#osquery_flags:
# - '--enroll_secret_path=/etc/osquery/osquery_enroll_secret'
# - '--tls_server_certs=/etc/osquery/kolide.crt'
# - '--tls_hostname=acme.kolide.co'
# - '--host_identifier=hostname'
# - '--enroll_tls_endpoint=/api/v1/osquery/enroll'
# - '--config_plugin=tls'
# - '--config_tls_endpoint=/api/v1/osquery/config'
# - '--config_tls_refresh=10'
# - '--disable_distributed=false'
# - '--distributed_plugin=tls'
# - '--distributed_interval=10'
# - '--distributed_tls_max_attempts=3'
# - '--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read'
# - '--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write'
# - '--logger_plugin=tls'
# - '--logger_tls_endpoint=/api/v1/osquery/log'
# - '--logger_tls_period=10'
osquery_fim: true
osquery_fim_interval: 900
osquery_fim_filepaths:
- name: homes_sshdir
list:
- "/root/.ssh/%%"
- "/home/%/.ssh/%%"
- name: etc
list:
- "/etc/%%"
## Take care if using a lot /tmp. can trigger
## 'Expiring events for subscriber: file_events (overflowed limit 1000)'
## => losing many queries results (fim or not)
# - name: tmp
# list:
# - "/tmp/%%"
- name: bin
list:
- "/bin/%%"
- "/sbin/%%"
- "/usr/bin/%%"
- "/usr/sbin/%%"
- "/usr/local/bin/%%"
- "/usr/local/sbin/%%"
- "/opt/bin/%%"
- "/opt/sbin/%%"
- name: webroot
list:
- "/var/www/%%"
osquery_fim_excludepaths:
- name: tmp
list:
- /tmp/too_many_events/
osquery_rsyslog: true
## conflict with auditd. choose one.
## https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
osquery_process_auditing: false
osquery_process_interval: 900
osquery_socket_interval: 900
## queries snapshots: 1/week (or 1/month? nok)
## Max interval 1/w: https://github.com/theopolis/osquery/commit/b76dee8a1fddccb500bc4a058daa1b39083b9dbb
osquery_snapshot_interval: 604800
osquery_snapshot_interval2: 604800
#osquery_snapshot_interval2: 2592000
osquery_logrotate: true
osquery_logrotate_days: 90
## https://osquery.readthedocs.io/en/stable/installation/cli-flags/#loggingresults-flags
## per facility
## osquery wants a facility code, while keyword for rsyslog...
osquery_syslog_target_facility_osqueryconf: 19
osquery_syslog_target_facility_syslogconf: local3
osquery_syslog_target: ''
#osquery_syslog_target: '@@10.1.1.100'
## mostly for testing purpose
#osquery_syslog_target: '/var/log/osquery/osquery_syslog.log'
## per programname: mostly query execution log and daemon state. avoid mixing with default syslog messages
#osquery_syslog_target2: ''
osquery_syslog_target2: '/var/log/osquery/osqueryd.log'
osquery_syslog_dirs:
- /var/log/osquery
## making schedule query faster to have logs faster...
osquery_testing: false
osquery_testing_pause: false
osquery_testing_fim_load: false
osquery_testing_fim_load_bigger: 100M
osquery_testing_fim_load_smaller: 1000
## profiling?
osquery_profiling: false
## full config might be too long for travis (max 50min)
#osquery_profiling_conf: /etc/osquery/osquery.conf
osquery_profiling_conf: /usr/share/osquery/packs/incident-response.conf
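Review bot: with these defaults the `osquery_fim_excludepaths` entry `/tmp/too_many_events/` excludes a path that is never watched, because the `tmp` entry of `osquery_fim_filepaths` is commented out, so it is a no-op; either label it as an example in the comment or drop it. The commented example `osquery_syslog_target: '@@10.1.1.100'` is plain TCP forwarding of the osquery syslog facility in the clear, so the comment should say that a TLS-capable rsyslog target is expected outside a lab.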

View File

@ -0,0 +1,22 @@
#!/bin/sh
## one script to be used by travis, jenkins, packer...
umask 022
if [ $# != 0 ]; then
rolesdir=$1
else
rolesdir=$(dirname $0)/..
fi
[ ! -d $rolesdir/juju4.redhat-epel ] && git clone https://github.com/juju4/ansible-redhat-epel $rolesdir/juju4.redhat-epel
[ ! -d $rolesdir/geerlingguy.redis ] && git clone https://github.com/juju4/ansible-role-redis.git $rolesdir/geerlingguy.redis
[ ! -d $rolesdir/geerlingguy.mysql ] && git clone https://github.com/geerlingguy/ansible-role-mysql.git $rolesdir/geerlingguy.mysql
[ ! -d $rolesdir/juju4.kolide ] && git clone https://github.com/juju4/ansible-kolide $rolesdir/juju4.kolide
## galaxy naming: kitchen fails to transfer symlink folder
#[ ! -e $rolesdir/kbrebanov.osquery ] && ln -s ansible-osquery $rolesdir/kbrebanov.osquery
[ ! -e $rolesdir/kbrebanov.osquery ] && cp -R $rolesdir/ansible-osquery $rolesdir/kbrebanov.osquery
## don't stop build on this script return code
true
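Review bot: every `git clone` here tracks the remote's default branch with no tag or commit pinned, so two runs of this script can vendor different code, which works against the "repeatable" goal stated in the commit message; pass `--branch <tag>` or check out a recorded commit after cloning. Two smaller points: `geerlingguy.redis` is cloned from `juju4/ansible-role-redis.git`, a fork, into a directory carrying the upstream name, which deserves a comment, and `$rolesdir` is unquoted throughout, so a path containing spaces breaks every test.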

View File

@ -0,0 +1,13 @@
---
# handlers file for osquery
- name: restart osquery
# service: name=osqueryd state=restarted
## for rocksdb backend
shell: "systemctl stop osqueryd; sleep 5; systemctl start osqueryd"
- name: restart rsyslog
service: name=rsyslog state=restarted
- name: reload osqueryd apparmor profile
shell: cat /etc/apparmor.d/usr.bin.osqueryd | sudo apparmor_parser -r
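Review bot: the `reload osqueryd apparmor profile` handler pipes the profile through `sudo apparmor_parser -r`; the role already runs with `become`, and `apparmor_parser -r` takes the file as an argument, so `command: apparmor_parser -r /etc/apparmor.d/usr.bin.osqueryd` removes both the `sudo` dependency and the shell. The `restart osquery` handler hard-codes `systemctl`, which will not work on the `trusty` platform listed in meta/main.yml; the commented `service: name=osqueryd state=restarted` is portable, and if the 5 second gap is required by the RocksDB backend the comment should say why.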

View File

@ -0,0 +1 @@
{install_date: 'Mon Oct 15 18:43:31 2018', version: master}
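Review bot: this `.galaxy_install_info` records `version: master` and no upstream commit, so the vendored copy cannot be diffed against the `kbrebanov.osquery` revision it came from; record the upstream commit id (not present in this change) here or in a README next to the role, since the commit message says the reason for vendoring is to carry a local apparmor fix on top of it.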

View File

@ -0,0 +1,158 @@
---
galaxy_info:
author: Kevin Brebanov
description: Installs osquery
company:
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: BSD
min_ansible_version: 1.9
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If travis integration is cofigured, only notification for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
github_branch: master
#
# Below are all platforms currently available. Just uncomment
# the ones that apply to your role. If you don't see your
# platform on this list, let us know and we'll get it added!
#
platforms:
- name: EL
versions:
# - all
# - 5
- 6
- 7
#- name: GenericUNIX
# versions:
# - all
# - any
#- name: Solaris
# versions:
# - all
# - 10
# - 11.0
# - 11.1
# - 11.2
# - 11.3
#- name: Fedora
# versions:
# - all
# - 16
# - 17
# - 18
# - 19
# - 20
# - 21
# - 22
# - 23
#- name: Windows
# versions:
# - all
# - 2012R2
#- name: SmartOS
# versions:
# - all
# - any
#- name: opensuse
# versions:
# - all
# - 12.1
# - 12.2
# - 12.3
# - 13.1
# - 13.2
#- name: Amazon
# versions:
# - all
# - 2013.03
# - 2013.09
#- name: GenericBSD
# versions:
# - all
# - any
#- name: FreeBSD
# versions:
# - all
# - 8.0
# - 8.1
# - 8.2
# - 8.3
# - 8.4
# - 9.0
# - 9.1
# - 9.1
# - 9.2
# - 9.3
# - 10.0
# - 10.1
# - 10.2
- name: Ubuntu
versions:
# - all
# - lucid
# - maverick
# - natty
# - oneiric
# - precise
# - quantal
# - raring
# - saucy
- trusty
# - utopic
# - vivid
# - wily
- xenial
#- name: SLES
# versions:
# - all
# - 10SP3
# - 10SP4
# - 11
# - 11SP1
# - 11SP2
# - 11SP3
#- name: GenericLinux
# versions:
# - all
# - any
#- name: Debian
# versions:
# - all
# - etch
# - jessie
# - lenny
# - squeeze
# - wheezy
galaxy_tags:
- monitoring
- system
# List tags for your role here, one per line. A tag is
# a keyword that describes and categorizes the role.
# Users find roles by searching for tags. Be sure to
# remove the '[]' above if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of
# alphanumeric characters. Maximum 20 tags per role.
dependencies: []
# List your role dependencies here, one per line.
# Be sure to remove the '[]' above if you add dependencies
# to this list.
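Review bot: `min_ansible_version: 1.9` does not match what the vendored tasks use: `when: te is changed` in selinux.yml and `ansible_service_mgr` in testing.yml are Ansible 2.x constructs, and the deployment docs in this change install roles into an `ansible25` path; bump this to the version actually tested. The large commented platform list is `ansible-galaxy init` boilerplate and can be trimmed to the EL and Ubuntu entries that are enabled.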

View File

@ -0,0 +1,17 @@
---
# tasks file for osquery (CentOS specific)
- name: Install osquery repository key
rpm_key:
state: present
key: "{{ _osquery_repositorykey }}"
- name: Install osquery repository
get_url:
url: "{{ _osquery_repository }}"
dest: "/etc/yum.repos.d/{{ _osquery_repository | basename }}"
mode: '0644'
backup: yes
- include: selinux.yml
when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker"))
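Review bot: `get_url` fetches the `.repo` file with no `checksum`, so whatever the URL returns (including its `gpgcheck` and `gpgkey` lines) lands in `/etc/yum.repos.d` as is, and the `rpm_key` import above it only matters if that file keeps `gpgcheck=1`; add `checksum:` for the known file or template the repo definition from variables so the gpgcheck setting is under the role's control. `include:` is deprecated since 2.4; `import_tasks` with the same `when` would be the current form.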

View File

@ -0,0 +1,36 @@
---
# tasks file for osquery (Debian, Ubuntu specific)
- name: Ensure dirmngr is present for apt-key
package:
name: dirmngr
state: present
- name: Download osquery APT key
become: yes
apt_key:
keyserver: keyserver.ubuntu.com
id: "{{ _osquery_repositorykey }}"
state: present
tags:
- osquery
- name: Ensure apt-transport-https is installed
become: yes
apt:
name: apt-transport-https
state: present
tags:
- osquery
- name: Configure osquery APT repository
become: yes
apt_repository:
repo: "{{ _osquery_repository }}"
state: present
tags:
- osquery
- include: apparmor.yml
when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker"))
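Review bot: `apt_key` with `keyserver: keyserver.ubuntu.com` and `id: "{{ _osquery_repositorykey }}"` is only safe if that variable is a full 40-character fingerprint; with a short key id the keyserver lookup can return a colliding key, so assert the length in the role's vars or note the requirement next to the variable. `become: yes` is set on three of the four tasks but not on the `dirmngr` package task, which also needs root; drop the per-task `become` and rely on the play, or set it on all four.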

View File

@ -0,0 +1,27 @@
---
# https://help.ubuntu.com/lts/serverguide/apparmor.html.en
- name: Ensure apparmor packages are present
package:
name: "{{ item }}"
state: present
with_items:
- apparmor
- apparmor-utils
- apparmor-profiles
- name: Ensure apparmor profile is set
template:
src: apparmor-usr.bin.osqueryd.j2
dest: /etc/apparmor.d/usr.bin.osqueryd
mode: '0600'
owner: root
backup: yes
notify:
- reload osqueryd apparmor profile
- name: Apply apparmor profile for osquery
command: aa-complain /usr/bin/osqueryd
failed_when: false
# Refine policy with `aa-logprof -f /var/log/syslog`
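Review bot: `aa-complain /usr/bin/osqueryd` leaves the profile in complain mode, so the rules in `usr.bin.osqueryd` only produce audit log lines and never confine the daemon; if that is the intended state while the policy is refined with `aa-logprof`, say so in the task name and expose a variable to switch to `aa-enforce` once it settles. `failed_when: false` also hides a missing `aa-complain` (`apparmor-utils` absent) or a parse error in the template, which is exactly the apparmor profile bug the commit message mentions; `changed_when: false` is enough to keep the task idempotent while letting real failures surface. There is also still no variable to skip this include, which the commit message gives as the reason for vendoring.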

View File

@ -0,0 +1,123 @@
---
- name: check if osquery is present
stat: path=/etc/osquery
register: hasOsquery
- block:
- name: ensure directories exist
file:
dest: "{{ item.d }}"
state: directory
mode: "{{ item.m }}"
with_items:
- { d: '/var/log/osquery', m: '0755' }
- name: push extra osquery packs file
template:
src: "{{ item }}.conf.j2"
dest: "/usr/share/osquery/packs/{{ item | basename }}.conf"
backup: yes
with_items: "{{ osquery_upload_packs }}"
notify:
- restart osquery
- debug: var=osquery_packs
- name: configure osquery
template:
src: "{{ osquery_template }}"
dest: /etc/osquery/osquery.conf
mode: '0644'
backup: yes
validate: 'osqueryi --config_path %s --config_check --verbose'
# validate: 'egrep -v '^\s*//' %s | tee /tmp/a | python -mjson.tool'
notify:
- restart osquery
- name: "ensure osquery var dir exists"
file:
state: "directory"
path: "/var/osquery"
- name: "express the osquery secret to disk"
lineinfile:
path: "/etc/osquery/osquery_enroll_secret"
line: "{{ osquery_enroll_secret }}"
state: present
owner: "root"
group: "root"
mode: "0600"
create: true
when:
- osquery_enroll_secret is defined
- name: configure osquery flags
template:
src: "osquery.flags.j2"
dest: /etc/osquery/osquery.flags
mode: '0644'
backup: yes
notify:
- restart osquery
- name: re-validate whole osquery config
command: 'osqueryi --config_path /etc/osquery/osquery.conf --config_check --verbose'
changed_when: false
register: confcheck
failed_when: "'error' in confcheck.stdout or 'fail' in confcheck.stdout"
- block:
- name: ensure logrotate package is present
package:
name: logrotate
state: present
- name: add logrotate configuration for osquery log
template:
src: logrotate-osquery.j2
dest: /etc/logrotate.d/osquery
mode: '0644'
backup: yes
validate: 'logrotate -dv %s'
when: osquery_logrotate
- name: ensure service is enabled and started
service: name=osqueryd state=started enabled=yes
- set_fact:
monit_osqueryd: true
when: hasOsquery.stat.exists
## FIXME! warnings like (from packs/incident-response.conf)
#virtual_table.cpp:484] The shell_history table returns data based on the current user by default, consider JOINing against the users table
# but still apply with
# SELECT s.uid,s.time,s.command,s.history_file FROM shell_history s JOIN users USING (uid) limit 10;
- block:
- name: review inotify sysctl settings for osquery
sysctl: name="{{ item.n }}" value="{{ item.v }}" sysctl_set=yes state=present reload=yes
with_items:
- { n: 'fs.inotify.max_user_watches', v: '524288' }
- { n: 'fs.inotify.max_user_instances', v: '256' }
- { n: 'fs.inotify.max_queued_events', v: '32768' }
when: osquery_fim and not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker"))
## ensure no auditd at the same time
## https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
- block:
- name: ensure auditd is not present
package: name="{{ _osquery_auditd_pkg }}" state=absent
when: osquery_process_auditing
- name: get rsyslog version
command: "rsyslogd -v | awk -F'[ ,]' '/rsyslogd/ { print $2 }'"
environment:
PATH: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
changed_when: false
register: rsyslog_v
- block:
- name: setup rsyslog pipe for osquery communication
template:
src: osquery-rsyslog.conf.j2
dest: /etc/rsyslog.d/90-osquery.conf
mode: '0644'
backup: yes
notify:
- restart rsyslog
when: osquery_rsyslog
- include: syslog-target.yml
when: osquery_syslog_target != ''
- include: selinux-end.yml
when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker")) and ansible_os_family == "RedHat"
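Review bot: `get rsyslog version` uses the `command` module with a shell pipe (`rsyslogd -v | awk ...`); `command` does not invoke a shell, so `|` and the awk program are passed to `rsyslogd` as arguments and nothing useful is captured; use `shell:` or drop the task, since `rsyslog_v` is not used in this file. Two security points: `express the osquery secret to disk` should carry `no_log: true`, otherwise the enroll secret appears in verbose output and callback logs, and `re-validate whole osquery config` inspects only `confcheck.stdout` while `osqueryi --config_check` may report problems on stderr, so check `confcheck.rc` and `confcheck.stderr` as well (the `validate:` on the template task already runs the same check, so this task may be redundant).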

View File

@ -0,0 +1,69 @@
---
# tasks file for osquery
- name: Include distribution specific variables
include_vars: "{{ ansible_distribution }}.yml"
tags:
- osquery
- name: Include version-specific variables for RedHat
include_vars: "CentOS-{{ ansible_distribution_version.split('.')[0] }}.yml"
when: ansible_os_family == "RedHat"
- include: CentOS.yml
when: ansible_os_family == "RedHat"
tags:
- osquery
- include: Debian.yml
when: ansible_os_family == "Debian"
tags:
- osquery
- block:
- name: Install osquery
package:
name: "{{ item }}"
state: present
with_items: "{{ osquery_packages }}"
tags:
- osquery
- name: Install osquery debug packages
package:
name: "{{ item }}"
state: present
with_items: "{{ osquery_debug_packages }}"
when: osquery_debug_packages_install
tags:
- osquery
- include: configure.yml
tags:
- osquery
- config
- name: Enable service
service: name=osqueryd enabled={{ osquery_service_enable }}
tags:
- osquery
- service
- name: Start service
service: name=osqueryd state=started
when: osquery_service_enable
tags:
- osquery
- service
- meta: flush_handlers
- name: pause a bit to have few queries results
command: sleep 5
changed_when: false
when: osquery_testing_pause or osquery_testing
- include: testing.yml
when: osquery_testing
- include: profiling.yml
when: osquery_profiling
when: ansible_os_family == "RedHat" or ansible_distribution == "Ubuntu" or ansible_distribution == "Debian"
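Review bot: the two `include_vars` tasks disagree on how RedHat-family hosts are keyed: the first loads `{{ ansible_distribution }}.yml` (`RedHat.yml` on RHEL, `CentOS.yml` on CentOS) while the second always loads `CentOS-<major>.yml` when `ansible_os_family == "RedHat"`, so a RHEL host needs both file names present; key both on `ansible_os_family` or both on `ansible_distribution`. Minor: `package` with `with_items` installs one package per transaction; passing `osquery_packages` as a list to `name:` is faster and yields a single change event.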

View File

@ -0,0 +1,27 @@
---
- name: get source repository for profiling tools
git:
repo: https://github.com/facebook/osquery.git
dest: /root/osquery
- name: ensure profiling dependencies are present - pkg
package:
name: "{{ item }}"
state: present
with_items:
- python-pip
- name: ensure profiling dependencies are present - pip
pip:
name: "{{ item }}"
state: present
with_items:
- psutil
- name: profiling
command: "./tools/analysis/profile.py --config {{ osquery_profiling_conf }} --shell /usr/bin/osqueryi --count 1 --rounds 4"
args:
chdir: /root/osquery
changed_when: false
register: perf
- debug: var=perf.stdout_lines
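Review bot: `git: repo: https://github.com/facebook/osquery.git` clones the default branch with no `version:` and then runs `tools/analysis/profile.py` from it as root, so a profiling run executes whatever sits at the tip of upstream at that moment; pin `version:` to a release tag. `osquery_profiling` defaults to false, so this is a lab path, but it should not be the one place in the role that pulls and runs unpinned code.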

View File

@ -0,0 +1,10 @@
---
- name: RedHat | Ensure selinux context is correctly set
command: "/sbin/restorecon -F -R -v {{ item }}"
with_items:
- /usr/bin/osqueryd
- /usr/lib/systemd/system/osqueryd.service
- /var/log/osquery
- /etc/osquery
- /usr/share/osquery/packs
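Review bot: `restorecon -F -R -v` reports `changed` on every run because `command` has no idempotency hint; register the result and set `changed_when` on its stdout (`-v` prints a line per relabelled file), or use `changed_when: false`. The list also omits `/var/osquery`, which `osquery.fc` in this change labels (`osquery.em` as `osquery_sock_t`), so that directory is never relabelled by this task.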

View File

@ -0,0 +1,44 @@
---
- name: Ensure selinux package are present
package:
name: "{{ item }}"
state: present
with_items:
- selinux-policy
- selinux-policy-devel
- setools-console
- libselinux-python
- policycoreutils-python
- name: Ensure osquery directory exists
file:
dest: /etc/osquery
state: directory
mode: '0755'
- name: Ensure osquery selinux policy is set
template:
src: "{{ item }}.j2"
dest: "/etc/osquery/{{ item }}"
mode: '0600'
owner: root
with_items:
- osquery.fc
- osquery.sh
- osquery.te
register: te
# FIXME!
- name: Generate osquery policy file
command: sh -x ./osquery.sh
args:
chdir: /etc/osquery
when: te is changed
ignore_errors: true
# `sepolicy generate -n osquery --init /usr/bin/osqueryd` = OK/base
# Refine policy with `audit2allow -i /var/log/audit/audit.log -M osquery`
# `semodule -i osquery.pp`
# FIXME! 'Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/osquery/cil:2'
# `/usr/libexec/selinux/hll/pp osquery.pp`

View File

@ -0,0 +1,19 @@
---
- name: Ensure target syslog dir exists
file:
dest: "{{ item }}"
state: directory
mode: "{{ varlog_mode }}"
group: "{{ varlog_group }}"
with_items: "{{ osquery_syslog_dirs }}"
- name: setup rsyslog to send osquery logs to a specific target
template:
src: rsyslog-osquery-target.conf.j2
dest: /etc/rsyslog.d/30-osquery-target.conf
mode: '0644'
backup: yes
validate: 'rsyslogd -d -N 1 -f %s'
notify:
- restart rsyslog
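Review bot: `varlog_mode` and `varlog_group` have no defaults in the part of `defaults/main.yml` visible in this change (the logrotate template uses `varlog_group` too), so confirm they are defined elsewhere in the role or the play, otherwise `Ensure target syslog dir exists` fails on an undefined variable. In `validate: 'rsyslogd -d -N 1 -f %s'` the `-d` debug flag is unnecessary alongside `-N 1` and only adds noise to the validation output.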

View File

@ -0,0 +1,40 @@
---
- block:
- name: systemd | check service status
command: "systemctl status osqueryd -l"
changed_when: false
register: systemctl
- debug: var=systemctl.stdout_lines
when: ansible_service_mgr == "systemd"
- block:
- name: service | check service status
command: "service osqueryd status"
changed_when: false
register: service
- debug: var=service.stdout_lines
when: ansible_service_mgr != "systemd"
- block:
- name: fallocate big file
command: "fallocate -l {{ osquery_testing_fim_load_bigger }} /etc/testing-big-file"
args:
creates: /etc/testing-big-file
- name: creation of many small files
command: "split -b {{ osquery_testing_fim_load_smaller }} /etc/testing-big-file testing-"
args:
chdir: /etc
creates: /etc/testing-big-aa
- name: clean up
shell: find /etc/ -name 'testing-*' -exec rm {} \;
ignore_errors: true
# more diverse load? openssl speed, stress...
- name: retrieve log results
command: "{{ item }}"
with_items:
- head -20 /var/log/osquery/osqueryd.results.log
- tail -20 /var/log/osquery/osqueryd.results.log
ignore_errors: true
changed_when: false
register: log
when: osquery_testing_fim_load
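Review bot: the `creates: /etc/testing-big-aa` guard on `creation of many small files` never matches: `split -b ... /etc/testing-big-file testing-` names its output `testing-aa`, `testing-ab`, and so on, so the task re-runs on every play. More importantly, `find /etc/ -name 'testing-*' -exec rm {} \;` removes any file under `/etc` matching that glob, not only the ones this play created, and `fallocate` writes a 100M file directly into `/etc`; use a dedicated subdirectory (still under a watched path, so the FIM load test remains meaningful) and clean only that directory.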

View File

@ -0,0 +1,34 @@
#include <tunables/global>
/usr/bin/osqueryd {
#include <abstractions/base>
#include <abstractions/lxc/container-base>
#include <abstractions/lxc/start-container>
/etc/host.conf r,
/etc/hosts r,
/etc/nsswitch.conf r,
/etc/osquery/osquery.conf r,
/etc/osquery/osquery.flags r,
/proc/** rw,
/proc/cpuinfo r,
/root/osqueryd.*.root.log.ERROR.* w,
/root/osqueryd.*.root.log.INFO.* w,
/root/osqueryd.*.root.log.WARNING.* w,
/run/osqueryd.pidfile w,
/run/resolvconf/resolv.conf r,
/run/utmp r,
/sys/devices/** r,
/sys/firmware/dmi/tables/DMI r,
/tmp/* w,
/tmp/user/0/osqueryd.*.root.log.ERROR.* w,
/tmp/user/0/osqueryd.*.root.log.INFO.* w,
/tmp/user/0/osqueryd.*.root.log.WARNING.* w,
/usr/bin/osqueryd Px,
/usr/share/osquery/packs/* r,
/var/log/osquery/* w,
/var/osquery/osquery.db/ rw,
/var/osquery/osquery.db/* rw,
/var/tmp/* rw,
}
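Review bot: `/proc/** rw,` grants write access to all of procfs, including `/proc/sys/*`, which is far beyond what a read-only telemetry agent needs and would let a compromised osqueryd change kernel parameters under a profile that is supposed to limit it; `/proc/** r,` plus explicit `w` entries for anything osqueryd actually writes (the `aa-logprof` pass mentioned in apparmor.yml will show them) is the safer shape. `#include <abstractions/lxc/container-base>` and `<abstractions/lxc/start-container>` are written for launching containers and are much broader than an agent profile needs. The pidfile rule `/run/osqueryd.pidfile w` also does not match `--pidfile=/var/run/osqueryd.pid` from `osquery.flags.j2` in this change, which will show up as a denial once the profile is enforced.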

View File

@ -0,0 +1,39 @@
{{ ansible_managed | comment('plain', decoration='## ') }}
## /etc/logrotate.d/osquery
/var/log/osquery/osqueryd.results.log {
rotate {{ osquery_logrotate_days|int }}
daily
missingok
notifempty
delaycompress
compress
create 640 root adm
sharedscripts
}
{% if osquery_syslog_target is defined and osquery_syslog_target != '' and '/var/log/' in osquery_syslog_target %}
{{ osquery_syslog_target }} {
rotate {{ osquery_logrotate_days|int }}
daily
missingok
notifempty
delaycompress
compress
create 640 root adm
sharedscripts
# Ubuntu: parent directory has insecure permissions (It's world writable or writable by group which is not "root")
su root {{ osquery_syslog_dir_group | default(varlog_group) }}
}
{% endif %}
{% if osquery_syslog_target2 is defined and osquery_syslog_target2 != '' and '/var/log/' in osquery_syslog_target2 %}
{{ osquery_syslog_target2 }} {
rotate {{ osquery_logrotate_days|int }}
daily
missingok
notifempty
delaycompress
compress
create 640 root adm
sharedscripts
su root {{ osquery_syslog_dir_group2 | default(varlog_group) }}
}
{% endif %}
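Review bot: `sharedscripts` has no effect in any of the three stanzas because none of them has a `postrotate` block; drop it, or add a `postrotate` that tells the writer to reopen its file if rotation turns out to need one. `create 640 root adm` makes the rotated results readable by group `adm`, which matches the `/var/log` convention, but `osqueryd.results.log` carries the FIM and, when enabled, process and socket event data, so confirm that audience is intended and document it in the template comment.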

View File

@ -0,0 +1,24 @@
{
"queries": {
"osquery_extensions": {
"query": "select * from osquery_extensions;",
"interval": 900,
"description": "List of active osquery extensions."
},
"osquery_flags": {
"query": "select * from osquery_flags;",
"interval": 900,
"description": "Configurable flags that modify osquery's behavior."
},
"osquery_packs": {
"query": "select * from osquery_packs;",
"interval": 900,
"description": "Information about the current query packs that are loaded in osquery."
},
"osquery_registry": {
"query": "select * from osquery_registry;",
"interval": 900,
"description": "List the osquery registry plugins."
}
}
}
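Review bot: the `osquery_flags` query logs the value of every flag whenever it changes, so any secret passed as a flag value rather than via a file path (the defaults in this change use `--enroll_secret_path=`) would be copied into the results log; a `WHERE name NOT LIKE '%secret%'` filter on that query keeps the pack safe against that misconfiguration. These four queries are differential while the other pack in this change marks everything `"snapshot": true`; a line in `description` on why would help.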

View File

@ -0,0 +1,6 @@
template(
name="OsqueryCsvFormat"
type="string"
string="%timestamp:::date-rfc3339,csv%,%hostname:::csv%,%syslogseverity:::csv%,%syslogfacility-text:::csv%,%syslogtag:::csv%,%msg:::csv%\n"
)
*.* action(type="ompipe" Pipe="/var/osquery/syslog_pipe" template="OsqueryCsvFormat")
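Review bot: this fragment is the only template in the change without the `{{ ansible_managed }}` header that the logrotate and osquery.conf templates start with; add it so the file is recognisably role-managed. `*.*` sends every syslog message, authentication and mail lines included, into the osquery pipe, which is the documented osquery setup, but the pipe at `/var/osquery/syslog_pipe` only has a reader while osqueryd runs with `--enable_syslog`; both are gated on `osquery_rsyslog` (`osquery.flags.j2` in this change), and a comment saying so would help anyone toggling one file without the other.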

View File

@ -0,0 +1,183 @@
{
"queries": {
"authorized_keys": {
"query" : "select authorized_keys.* from users join authorized_keys using (uid);",
"description" : "Info on authorized keys",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"user_ssh_keys": {
"query" : "select user_ssh_keys.* from users join user_ssh_keys using (uid);",
"description" : "info on user ssh keys",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"cpuid": {
"query" : "select * from cpuid;",
"description" : "Useful CPU features from the cpuid ASM call.",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"dns_resolvers": {
"query" : "select * from dns_resolvers;",
"description" : "check DNS resolvers",
"interval" : "{{ osquery_snapshot_interval2 }}",
"snapshot": true
},
"known_hosts": {
"query" : "select known_hosts.* from users join known_hosts using (uid);",
"description" : "line-delimited known_hosts table",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"sudoers": {
"query" : "select * from sudoers;",
"description" : "Retrieves all the information for sudoers.",
"interval" : "{{ osquery_snapshot_interval2 }}",
"snapshot": true
},
"groups": {
"query" : "select * from groups;",
"description" : "Retrieves groups info.",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"interface_addresses": {
"query" : "select * from interface_addresses;",
"description" : "Retrieves interface addresses.",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"interface_details": {
"query" : "select * from interface_details;",
"description" : "Retrieves interface details.",
"interval" : "{{ osquery_snapshot_interval2 }}",
"snapshot": true
},
"iptables": {
"query" : "select * from iptables;",
"description" : "Linux IP packet filtering and NAT tool.",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"fileless_process": {
"query" : "SELECT name, path, pid FROM processes WHERE on_disk = 0;",
"description" : "Retrieves interface details.",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"processes": {
"query": "SELECT pid, name, path, cmdline from processes;",
"description": "Retrieve list of processes",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"process_binding_to_ports": {
"query" : "select DISTINCT process.name, listening.port, process.pid FROM processes as process JOIN listening_ports AS listening ON process.pid=listening.pid;",
"description" : "Retrieves the list of processes bound to listening ports.",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"python_packages": {
"query" : "select * FROM python_packages;",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true,
"description" : "Python packages installed in a system"
},
"arp_anomalies": {
"query" : "SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac HAVING count(mac) > 1;",
"description" : "Retrieves interface details.",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"crontab": {
"query" : "select * from crontab;",
"version" : "1.4.5",
"description" : "Retrieves all the jobs scheduled in crontab in the target system.",
"value" : "Identify malware that uses this persistence mechanism to launch at a given interval",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"kernel_info": {
"query" : "select * from kernel_info;",
"platform" : "linux",
"description" : "Basic active kernel information.",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"kernel_integrity": {
"query" : "select * from kernel_integrity;",
"platform" : "linux",
"description" : "Various Linux kernel integrity checked attributes.",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"kernel_modules": {
"query" : "select * from kernel_modules;",
"platform" : "linux",
"version" : "1.4.5",
"description" : "Retrieves all the information for the current kernel modules in the target Linux system.",
"value" : "Identify malware that has a kernel module component.",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"kernel_panics": {
"query" : "select * from kernel_panics;",
"platform" : "linux",
"description" : "System kernel panic logs.",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"etc_hosts": {
"query" : "select * from etc_hosts;",
"version" : "1.4.5",
"description" : "Retrieves all the entries in the target system /etc/hosts file.",
"value" : "Identify network communications that are being redirected. Example: identify if security logging has been disabled",
"interval" : "{{ osquery_snapshot_interval2 }}",
"snapshot": true
},
"os_version": {
"query" : "select os_version.* from users join os_version using (uid);",
"description" : "A single row containing the operating system name and version.",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"platform_info": {
"query" : "select * from platform_info;",
"description" : "Information about EFI/UEFI/ROM and platform/boot.",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"suid_bin": {
"query" : "select * from suid_bin;",
"version" : "1.4.5",
"description" : "Retrieves all the files in the target system that are setuid enabled.",
"value" : "Detect backdoor binaries (attacker may drop a copy of /bin/sh). Find potential elevation points / vulnerabilities in the standard build.",
"interval" : "{{ osquery_snapshot_interval2 }}",
"snapshot": true
},
"system_controls": {
"query": "select * from system_controls;",
"interval" : "{{ osquery_snapshot_interval2 }}",
"snapshot": true,
"platform": "all",
"description": "sysctl names, values, and settings information"
},
"system_info": {
"query" : "select * from system_info;",
"description" : "System information for identification.",
"interval" : "{{ osquery_snapshot_interval }}",
"snapshot": true
},
"rpm_packages": {
"query" : "select * from rpm_packages;",
"platform" : "redhat,centos",
"version" : "1.4.5",
"description" : "Retrieves all the installed RPM packages in the target Linux system.",
"value" : "General security posture.",
"interval" : "{{ osquery_snapshot_interval2 }}",
"snapshot": true
}
}
}
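Review bot: `os_version` joins `users` and `os_version` `using (uid)`, but `os_version` has no `uid` column, so the query errors at schedule time (a copy of the `authorized_keys` pattern); `select * from os_version;` is the intended query. `fileless_process` and `arp_anomalies` both carry the description `Retrieves interface details.`, copied from `interface_details`: the former lists processes whose executable is no longer on disk (`on_disk = 0`), the latter lists MAC addresses that answer for more than one IP in the ARP cache, and the descriptions should say so since they end up in the results log.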

View File

@ -0,0 +1,143 @@
{{ ansible_managed | comment('c')}}
{
// Configure the daemon below:
"options": {
// Select the osquery config plugin.
"config_plugin": "{{ osquery_config_plugin }}",
// Select the osquery logging plugin.
"logger_plugin": "{{ osquery_logger_plugin }}",
// The log directory stores info, warning, and errors.
// If the daemon uses the 'filesystem' logging retriever then the log_dir
// will also contain the query results.
//"logger_path": "/var/log/osquery",
// Set 'disable_logging' to true to prevent writing any info, warning, error
// logs. If a logging plugin is selected it will still write query results.
//"disable_logging": "false",
// Query differential results are logged as change-events to assist log
// aggregation operations like searching and transactons.
// Set 'log_results_events' to log differentials as transactions.
//"log_result_events": "true",
// Splay the scheduled interval for queries.
// This is very helpful to prevent system performance impact when scheduling
// large numbers of queries that run a smaller or similar intervals.
"schedule_splay_percent": "10",
// Write the pid of the osqueryd process to a pidfile/mutex.
//"pidfile": "/var/osquery/osquery.pidfile",
// Clear events from the osquery backing store after a number of seconds.
"events_expiry": "3600",
// A filesystem path for disk-based backing storage used for events and
// query results differentials. See also 'use_in_memory_database'.
//"database_path": "/var/osquery/osquery.db",
// Comma-delimited list of table names to be disabled.
// This allows osquery to be launched without certain tables.
//"disable_tables": "foo_bar,time",
// Enable debug or verbose debug output when logging.
"verbose": "false",
// The number of threads for concurrent query schedule execution.
"worker_threads": "2",
// Enable schedule profiling, this will fill in averages and totals for
// system/user CPU time and memory for every query in the schedule.
// Add a query: "select * from osquery_schedule" to record the performances.
"enable_monitor": "true",
"logger_snapshot_event_type": "true"
},
// Define a schedule of queries:
"schedule": {
// This is a simple example query that outputs basic system information.
"system_info": {
// The exact query to run.
"query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;",
// The interval in seconds to run this query, not an exact interval.
{% if osquery_testing or osquery_testing_pause %}
"interval": 10
{% else %}
"interval": 3600
{% endif %}
}{% if osquery_fim or osquery_process_auditing %},{% endif %}
{% if osquery_fim %}
"fim" : {
// "query": "select target_path, category, time, action from file_events;",
"query": "select * from file_events;",
"removed": false,
"interval": {% if osquery_testing_fim_load %}30{% else %}{{ osquery_fim_interval }}{% endif %}
}{% if osquery_process_auditing %},{% endif %}
{% endif %}
{% if osquery_process_auditing %}
"process_events":{
"query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';",
"interval": {{ osquery_process_interval }}
},
"socket_events":{
"query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');",
"interval": {{ osquery_socket_interval }}
}
{% endif %}
},
{% if osquery_fim %}
"file_paths": {
{% for item in osquery_fim_filepaths %}
"{{ item.name }}": [
{% for entry in item.list %}
"{{ entry }}"{% if not loop.last %},{% endif %}
{% endfor %}
]{% if not loop.last %},{% endif %}
{% endfor %}
},
"exclude_paths": {
{% for item in osquery_fim_excludepaths %}
"{{ item.name }}": [
{% for entry in item.list %}
"{{ entry }}"{% if not loop.last %},{% endif %}
{% endfor %}
]{% if not loop.last %},{% endif %}
{% endfor %}
},
{% endif %}
// Decorators are normal queries that append data to every query.
"decorators": {
"load": [
"SELECT uuid AS host_uuid FROM system_info;",
"SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;"
]
},
// Add default osquery packs or install your own.
//
// There are several 'default' packs installed with 'make install' or via
// packages and/or Homebrew.
//
// Linux: /usr/share/osquery/packs
// OS X: /var/osquery/packs
// Homebrew: /usr/local/share/osquery/packs
// make install: {PREFIX}/share/osquery/packs
//
"packs": {
{% for item in osquery_packs %}
"{{ item }}": "/usr/share/osquery/packs/{{ item }}.conf"{% if not loop.last %},{% endif %}
{% endfor %}
}
}
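Review bot: in `process_events` the filter `cmdline NOT LIKE '%_key%'` uses `_`, which is a single-character wildcard in SQL `LIKE`, so it drops any command line containing any character followed by `key` (`monkey`, `ssh-keygen`, ...), not only those containing a literal `_key`; if the underscore is meant literally, escape it (`NOT LIKE '%\\_key%' ESCAPE '\\'` once JSON-escaped), and if the broad match is deliberate, say so in a comment, since this filter is the only thing keeping secrets out of the process log. The same comment should note that the filter is best effort and that `socket_events` has no equivalent.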

View File

@ -0,0 +1,6 @@
/usr/bin/osqueryd -- gen_context(system_u:object_r:osquery_exec_t,s0)
/etc/osquery(/.*)? -- gen_context(system_u:object_r:osquery_conf_t,s0)
/usr/share/osquery/packs(/.*)? -- gen_context(system_u:object_r:osquery_conf_t,s0)
/var/log/osquery(/.*)? -- gen_context(system_u:object_r:osquery_log_t,s0)
/var/osquery/osquery.em -- gen_context(system_u:object_r:osquery_sock_t,s0)
/usr/lib/systemd/system/osqueryd.service -- gen_context(system_u:object_r:osquery_unit_file_t,s0)
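Review bot: the `--` file-type field in these entries restricts each context to regular files, so the directories `/etc/osquery`, `/usr/share/osquery/packs` and `/var/log/osquery` themselves (and any subdirectories) keep their default labels and only the files inside are relabelled; for `path(/.*)?` patterns leave the type field out so directories match too. `/var/osquery/osquery.em` is a socket (`osquery_sock_t`) and should use `-s` rather than `--`.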

View File

@ -0,0 +1,16 @@
--pidfile=/var/run/osqueryd.pid
{% for flag in osquery_flags %}
{{ flag }}
{% endfor %}
{% if osquery_process_auditing %}
--disable_audit=false
--audit_allow_config=true
--audit_persist=true
--audit_allow_sockets
{% endif %}
{% if osquery_rsyslog %}
--enable_syslog
{% endif %}
{% if osquery_syslog_target != '' and osquery_syslog_target_facility_osqueryconf != '' %}
--logger_syslog_facility={{ osquery_syslog_target_facility_osqueryconf }}
{% endif %}
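Review bot: `--pidfile=/var/run/osqueryd.pid` does not agree with the AppArmor profile in this change, which allows `/run/osqueryd.pidfile w`; with `/var/run` a symlink to `/run`, the kernel sees `/run/osqueryd.pid`, which the profile does not permit, so this becomes the first denial when the profile moves from complain to enforce. Pick one name and use it in both files. `--audit_allow_sockets` is the only boolean flag written without `=true`; gflags accepts both forms, but consistency makes the file easier to grep.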

View File

@ -0,0 +1,61 @@
#!/bin/sh -e
DIRNAME=`dirname $0`
cd $DIRNAME
USAGE="$0 [ --update ]"
if [ `id -u` != 0 ]; then
echo 'You must be root to run this script'
exit 1
fi
if [ $# -eq 1 ]; then
if [ "$1" = "--update" ] ; then
time=`ls -l --time-style="+%x %X" osquery.te | awk '{ printf "%s %s", $6, $7 }'`
rules=`ausearch --start $time -m avc --raw -se osquery`
if [ x"$rules" != "x" ] ; then
echo "Found avc's to update policy with"
echo -e "$rules" | audit2allow -R
echo "Do you want these changes added to policy [y/n]?"
read ANS
if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
echo "Updating policy"
echo -e "$rules" | audit2allow -R >> osquery.te
# Fall though and rebuild policy
else
exit 0
fi
else
echo "No new avcs found"
exit 0
fi
else
echo -e $USAGE
exit 1
fi
elif [ $# -ge 2 ] ; then
echo -e $USAGE
exit 1
fi
echo "Building and Loading Policy"
set -x
make -f /usr/share/selinux/devel/Makefile osquery.pp || exit
/usr/sbin/semodule -i osquery.pp
# Generate a man page off the installed module
sepolicy manpage -p . -d osquery_t
# Fixing the file context on /usr/bin/osqueryd
/sbin/restorecon -F -R -v /usr/bin/osqueryd
# Fixing the file context on /usr/lib/systemd/system/osqueryd.service
/sbin/restorecon -F -R -v /usr/lib/systemd/system/osqueryd.service
# Fixing the file context on /var/log/osquery
/sbin/restorecon -F -R -v /var/log/osquery
/sbin/restorecon -F -R -v /etc/osquery
/sbin/restorecon -F -R -v /usr/share/osquery/packs
# Generate a rpm package for the newly generated policy
pwd=$(pwd)
#rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba osquery_selinux.spec
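Review bot: `echo -e` under `#!/bin/sh -e` is not portable; on Debian/Ubuntu, where `/bin/sh` is dash, the four `echo -e` calls print a literal `-e` and the usage message is garbled (`printf '%s\n' "$USAGE"` is the portable form). The `--update` path also relies on GNU `ls --time-style`, so either document the script as RHEL/CentOS only or guard it. The closing comment "Generate a rpm package for the newly generated policy" describes a `rpmbuild` command that is commented out; restore the step or drop the comment. Finally, the `restorecon` calls cover `/etc/osquery`, `/var/log/osquery` and the packs directory but skip `/var/osquery` and `/run/osqueryd.pid`, the two paths the generated `.te` flags as mislabeled.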

View File

@ -0,0 +1,674 @@
module osquery 1.0;
require {
type osquery_t;
type osquery_conf_t;
type osquery_unit_file_t;
type insmod_exec_t;
type home_root_t;
type gssd_exec_t;
type udev_exec_t;
type sound_device_t;
type setsebool_exec_t;
type proc_t;
type unconfined_service_t;
type netutils_exec_t;
type load_policy_exec_t;
type memory_device_t;
type tmp_t;
type gpg_exec_t;
type autofs_device_t;
type systemd_hwdb_exec_t;
type tcpd_exec_t;
type gssproxy_exec_t;
type showmount_exec_t;
type rsync_exec_t;
type crond_unit_file_t;
type udev_rules_t;
type systemd_logind_t;
type setfiles_exec_t;
type sshd_keygen_exec_t;
type chronyd_exec_t;
type xserver_etc_t;
type crond_t;
type tun_tap_device_t;
type default_context_t;
type anacron_exec_t;
type virt_qemu_ga_exec_t;
type auditd_t;
type syslogd_t;
type NetworkManager_t;
type sysctl_t;
type pppd_etc_t;
type consolehelper_exec_t;
type userhelper_conf_t;
type systemd_systemctl_exec_t;
type postfix_pickup_exec_t;
type syslog_conf_t;
type systemd_unit_file_t;
type tuned_exec_t;
type plymouthd_exec_t;
type vlock_exec_t;
type systemd_passwd_agent_exec_t;
type pinentry_exec_t;
type passwd_exec_t;
type dmidecode_exec_t;
type systemd_notify_exec_t;
type hwclock_exec_t;
type firewalld_etc_rw_t;
type crack_exec_t;
type postfix_qmgr_t;
type sulogin_exec_t;
type netcontrol_device_t;
type rpcd_unit_file_t;
type auditd_exec_t;
type crontab_exec_t;
type crash_device_t;
type exports_t;
type event_device_t;
type cgroup_t;
type loadkeys_exec_t;
type postfix_qmgr_exec_t;
type pam_timestamp_exec_t;
type random_device_t;
type initrc_exec_t;
type hugetlbfs_t;
type lvm_unit_file_t;
type dmesg_exec_t;
type proc_mdstat_t;
type mouse_device_t;
type nfsd_exec_t;
type slapd_cert_t;
type login_exec_t;
type usbmon_device_t;
type ldconfig_exec_t;
type initctl_t;
type debuginfo_exec_t;
type postfix_pickup_t;
type updpwd_exec_t;
type oddjob_mkhomedir_exec_t;
type irqbalance_exec_t;
type proc_kmsg_t;
type gssproxy_t;
type postfix_etc_t;
type init_exec_t;
type postfix_spool_t;
type var_run_t;
type mtrr_device_t;
type hypervvssd_exec_t;
type hostname_exec_t;
type system_cron_spool_t;
type sshd_key_t;
type proc_kcore_t;
type dbusd_exec_t;
type plymouth_exec_t;
type tuned_rw_etc_t;
type pppd_exec_t;
type pam_console_exec_t;
type adjtime_t;
type chronyc_exec_t;
type auditd_unit_file_t;
type fuse_device_t;
type userhelper_exec_t;
type tuned_etc_t;
type systemd_logind_exec_t;
type var_log_t;
type init_t;
type pppd_initrc_exec_t;
type fs_t;
type systemd_tmpfiles_exec_t;
type user_home_dir_t;
type lvm_etc_t;
type chronyd_t;
type dbusd_etc_t;
type etc_aliases_t;
type auditctl_exec_t;
type usernetctl_exec_t;
type clock_device_t;
type traceroute_exec_t;
type sshd_t;
type mdadm_exec_t;
type initrc_var_run_t;
type mount_exec_t;
type scsi_generic_device_t;
type vhost_device_t;
type uhid_device_t;
type ifconfig_exec_t;
type device_t;
type namespace_init_exec_t;
type lvm_exec_t;
type checkpolicy_exec_t;
type rpm_script_tmp_t;
type user_tmp_t;
type unlabeled_t;
type sshd_unit_file_t;
type policykit_exec_t;
type modules_conf_t;
type chfn_exec_t;
type dhcp_etc_t;
type logrotate_exec_t;
type getty_unit_file_t;
type selinux_config_t;
type ppp_device_t;
type ssh_keygen_exec_t;
type cupsd_rw_etc_t;
type authconfig_exec_t;
type ssh_exec_t;
type rpcbind_t;
type audisp_exec_t;
type chronyd_keys_t;
type dri_device_t;
type rpm_exec_t;
type getty_t;
type virt_qemu_ga_unconfined_exec_t;
type NetworkManager_exec_t;
type user_fonts_t;
type rpc_pipefs_t;
type ping_exec_t;
type gpg_agent_exec_t;
type su_exec_t;
type firewalld_exec_t;
type getty_exec_t;
type quota_exec_t;
type devpts_t;
type nvram_device_t;
type cpu_device_t;
type rpcbind_exec_t;
type NetworkManager_etc_rw_t;
type unconfined_t;
type NetworkManager_initrc_exec_t;
type sshd_exec_t;
type udev_t;
type rpcd_exec_t;
type fixed_disk_device_t;
type selinux_login_config_t;
type sysctl_irq_t;
type ptmx_t;
type ssh_agent_exec_t;
type NetworkManager_unit_file_t;
type binfmt_misc_fs_t;
type semanage_store_t;
type framebuf_device_t;
type udev_var_run_t;
type rdisc_exec_t;
type NetworkManager_etc_t;
type rsync_etc_t;
type postfix_postdrop_exec_t;
type tuned_t;
type wtmp_t;
type dhcpc_exec_t;
type useradd_exec_t;
type dhcpc_t;
type sudo_exec_t;
type vfio_device_t;
type thumb_exec_t;
type crond_exec_t;
type bootloader_etc_t;
type sysfs_t;
type postfix_postqueue_exec_t;
type postfix_map_exec_t;
type admin_passwd_exec_t;
type apm_bios_t;
type policykit_t;
type iptables_exec_t;
type semanage_exec_t;
type journalctl_exec_t;
type lvm_control_t;
type lvm_t;
type screen_exec_t;
type auditd_etc_t;
type xserver_misc_device_t;
type fsadm_exec_t;
type bootloader_exec_t;
type system_cronjob_t;
type syslogd_exec_t;
type system_dbusd_t;
type lvm_lock_t;
type user_cron_spool_t;
type kmsg_device_t;
type mysqld_etc_t;
type pppd_etc_rw_t;
type configfs_t;
type proc_net_t;
type postfix_master_exec_t;
type shadow_t;
type sendmail_exec_t;
type loop_control_device_t;
type kernel_t;
type var_t;
type pstore_t;
type chkpwd_exec_t;
type groupadd_exec_t;
type debugfs_t;
type hypervkvp_exec_t;
type postfix_master_t;
type sysctl_fs_t;
type blkmapd_exec_t;
type nfsd_unit_file_t;
type ssh_home_t;
type systemd_hwdb_etc_t;
type mandb_exec_t;
type tmpfs_t;
type lvm_metadata_t;
type policykit_auth_exec_t;
type chronyd_unit_file_t;
type print_spool_t;
type rpcbind_var_lib_t;
class fifo_file getattr;
class process setsched;
class unix_stream_socket connectto;
class netlink_kobject_uevent_socket { bind create getattr setopt };
class chr_file { getattr ioctl open read write };
class capability { dac_override sys_rawio sys_ptrace };
class file { append create getattr lock open read relabelto rename setattr unlink write };
class filesystem getattr;
class sock_file { create getattr unlink write };
class lnk_file { create getattr read unlink };
class blk_file { getattr ioctl open read };
class dir { add_name getattr open read remove_name search setattr write };
}
#============= osquery_t ==============
allow osquery_t NetworkManager_etc_rw_t:dir { getattr open read };
allow osquery_t NetworkManager_etc_rw_t:file getattr;
allow osquery_t NetworkManager_etc_t:dir { getattr open read };
allow osquery_t NetworkManager_exec_t:file getattr;
allow osquery_t NetworkManager_initrc_exec_t:dir { getattr open read };
allow osquery_t NetworkManager_initrc_exec_t:file getattr;
allow osquery_t NetworkManager_t:dir { getattr open read search };
allow osquery_t NetworkManager_t:file { getattr open read };
allow osquery_t NetworkManager_t:lnk_file { getattr read };
allow osquery_t NetworkManager_unit_file_t:file getattr;
allow osquery_t adjtime_t:file getattr;
allow osquery_t admin_passwd_exec_t:file getattr;
allow osquery_t anacron_exec_t:file getattr;
allow osquery_t apm_bios_t:chr_file getattr;
allow osquery_t audisp_exec_t:file getattr;
allow osquery_t auditctl_exec_t:file getattr;
allow osquery_t auditd_etc_t:dir { getattr open read };
allow osquery_t auditd_etc_t:file getattr;
allow osquery_t auditd_exec_t:file getattr;
allow osquery_t auditd_t:dir { getattr open read search };
allow osquery_t auditd_t:file { getattr open read };
allow osquery_t auditd_t:lnk_file { getattr read };
allow osquery_t auditd_unit_file_t:file getattr;
allow osquery_t authconfig_exec_t:file getattr;
allow osquery_t autofs_device_t:chr_file getattr;
allow osquery_t binfmt_misc_fs_t:filesystem getattr;
allow osquery_t blkmapd_exec_t:file getattr;
allow osquery_t bootloader_etc_t:file getattr;
allow osquery_t bootloader_exec_t:file getattr;
allow osquery_t cgroup_t:filesystem getattr;
allow osquery_t checkpolicy_exec_t:file getattr;
allow osquery_t chfn_exec_t:file getattr;
allow osquery_t chkpwd_exec_t:file getattr;
allow osquery_t chronyc_exec_t:file getattr;
allow osquery_t chronyd_exec_t:file getattr;
allow osquery_t chronyd_keys_t:file getattr;
allow osquery_t chronyd_t:dir { getattr open read search };
allow osquery_t chronyd_t:file { getattr open read };
allow osquery_t chronyd_t:lnk_file { getattr read };
allow osquery_t chronyd_unit_file_t:file getattr;
allow osquery_t clock_device_t:chr_file getattr;
allow osquery_t configfs_t:filesystem getattr;
allow osquery_t consolehelper_exec_t:file getattr;
allow osquery_t cpu_device_t:chr_file getattr;
allow osquery_t crack_exec_t:file getattr;
allow osquery_t crash_device_t:chr_file getattr;
allow osquery_t crond_exec_t:file getattr;
allow osquery_t crond_t:dir { getattr open read search };
allow osquery_t crond_t:file { getattr open read };
allow osquery_t crond_t:lnk_file { getattr read };
allow osquery_t crond_unit_file_t:file getattr;
allow osquery_t crontab_exec_t:file getattr;
allow osquery_t cupsd_rw_etc_t:file getattr;
allow osquery_t dbusd_etc_t:dir { getattr open read };
allow osquery_t dbusd_etc_t:file getattr;
allow osquery_t dbusd_exec_t:file getattr;
allow osquery_t debugfs_t:filesystem getattr;
allow osquery_t debuginfo_exec_t:file getattr;
allow osquery_t default_context_t:dir read;
allow osquery_t default_context_t:file getattr;
#!!!! WARNING: 'device_t' is a base type.
allow osquery_t device_t:filesystem getattr;
allow osquery_t devpts_t:filesystem getattr;
allow osquery_t dhcp_etc_t:dir { getattr open read };
allow osquery_t dhcp_etc_t:file getattr;
allow osquery_t dhcpc_exec_t:file getattr;
allow osquery_t dhcpc_t:dir { getattr open read search };
allow osquery_t dhcpc_t:file { getattr open read };
allow osquery_t dhcpc_t:lnk_file { getattr read };
allow osquery_t dmesg_exec_t:file getattr;
allow osquery_t dmidecode_exec_t:file getattr;
allow osquery_t dri_device_t:chr_file getattr;
allow osquery_t etc_aliases_t:file getattr;
allow osquery_t event_device_t:chr_file getattr;
allow osquery_t exports_t:file getattr;
allow osquery_t firewalld_etc_rw_t:dir { getattr open read };
allow osquery_t firewalld_etc_rw_t:file getattr;
allow osquery_t firewalld_exec_t:file getattr;
allow osquery_t fixed_disk_device_t:blk_file { getattr ioctl open read };
allow osquery_t fixed_disk_device_t:chr_file getattr;
allow osquery_t framebuf_device_t:chr_file getattr;
allow osquery_t fs_t:filesystem getattr;
allow osquery_t fsadm_exec_t:file getattr;
allow osquery_t fuse_device_t:chr_file getattr;
allow osquery_t getty_exec_t:file getattr;
allow osquery_t getty_t:dir { getattr open read search };
allow osquery_t getty_t:file { getattr open read };
allow osquery_t getty_t:lnk_file { getattr read };
allow osquery_t getty_unit_file_t:file getattr;
allow osquery_t gpg_agent_exec_t:file getattr;
allow osquery_t gpg_exec_t:file getattr;
allow osquery_t groupadd_exec_t:file getattr;
allow osquery_t gssd_exec_t:file getattr;
allow osquery_t gssproxy_exec_t:file getattr;
allow osquery_t gssproxy_t:dir { getattr open read search };
allow osquery_t gssproxy_t:file { getattr open read };
allow osquery_t gssproxy_t:lnk_file { getattr read };
#!!!! WARNING: 'home_root_t' is a base type.
allow osquery_t home_root_t:dir read;
allow osquery_t hostname_exec_t:file getattr;
allow osquery_t hugetlbfs_t:dir { getattr open read };
allow osquery_t hugetlbfs_t:filesystem getattr;
allow osquery_t hwclock_exec_t:file getattr;
allow osquery_t hypervkvp_exec_t:file getattr;
allow osquery_t hypervvssd_exec_t:file getattr;
allow osquery_t ifconfig_exec_t:file getattr;
allow osquery_t init_exec_t:file getattr;
allow osquery_t init_t:dir read;
allow osquery_t init_t:file { getattr open read };
allow osquery_t init_t:lnk_file { getattr read };
allow osquery_t initctl_t:fifo_file getattr;
allow osquery_t initrc_exec_t:file getattr;
allow osquery_t initrc_var_run_t:file { lock open read };
allow osquery_t insmod_exec_t:file getattr;
allow osquery_t iptables_exec_t:file getattr;
allow osquery_t irqbalance_exec_t:file getattr;
allow osquery_t journalctl_exec_t:file getattr;
allow osquery_t kernel_t:dir { getattr open read search };
allow osquery_t kernel_t:file { getattr open read };
allow osquery_t kernel_t:lnk_file { getattr read };
#!!!! This avc can be allowed using the boolean 'domain_can_write_kmsg'
allow osquery_t kmsg_device_t:chr_file getattr;
allow osquery_t ldconfig_exec_t:file getattr;
allow osquery_t load_policy_exec_t:file getattr;
allow osquery_t loadkeys_exec_t:file getattr;
allow osquery_t login_exec_t:file getattr;
allow osquery_t logrotate_exec_t:file getattr;
allow osquery_t loop_control_device_t:chr_file getattr;
allow osquery_t lvm_control_t:chr_file { getattr ioctl open read write };
allow osquery_t lvm_etc_t:dir { getattr open read };
allow osquery_t lvm_etc_t:file { getattr open read };
allow osquery_t lvm_exec_t:file getattr;
allow osquery_t lvm_lock_t:dir { add_name getattr read remove_name search write };
allow osquery_t lvm_lock_t:file { append create getattr lock open read unlink };
allow osquery_t lvm_metadata_t:dir { add_name getattr open read remove_name write };
allow osquery_t lvm_metadata_t:file { create getattr lock open read rename unlink write };
allow osquery_t lvm_t:dir { getattr open read search };
allow osquery_t lvm_t:file { getattr open read };
allow osquery_t lvm_t:lnk_file { getattr read };
allow osquery_t lvm_unit_file_t:file getattr;
allow osquery_t mandb_exec_t:file getattr;
allow osquery_t mdadm_exec_t:file getattr;
allow osquery_t memory_device_t:chr_file getattr;
allow osquery_t modules_conf_t:dir { getattr open read };
allow osquery_t modules_conf_t:file getattr;
allow osquery_t mount_exec_t:file getattr;
allow osquery_t mouse_device_t:chr_file getattr;
allow osquery_t mtrr_device_t:file getattr;
allow osquery_t mysqld_etc_t:dir { getattr open read };
allow osquery_t mysqld_etc_t:file getattr;
allow osquery_t namespace_init_exec_t:file getattr;
allow osquery_t netcontrol_device_t:chr_file getattr;
allow osquery_t netutils_exec_t:file getattr;
allow osquery_t nfsd_exec_t:file getattr;
allow osquery_t nfsd_unit_file_t:file getattr;
allow osquery_t nvram_device_t:chr_file getattr;
allow osquery_t oddjob_mkhomedir_exec_t:file getattr;
allow osquery_t osquery_conf_t:file getattr;
allow osquery_t osquery_unit_file_t:file getattr;
allow osquery_t pam_console_exec_t:file getattr;
allow osquery_t pam_timestamp_exec_t:file getattr;
allow osquery_t passwd_exec_t:file getattr;
allow osquery_t pinentry_exec_t:file getattr;
allow osquery_t ping_exec_t:file getattr;
allow osquery_t plymouth_exec_t:file getattr;
allow osquery_t plymouthd_exec_t:file getattr;
allow osquery_t policykit_auth_exec_t:file getattr;
allow osquery_t policykit_exec_t:file getattr;
allow osquery_t policykit_t:dir { getattr open read search };
allow osquery_t policykit_t:file { getattr open read };
allow osquery_t policykit_t:lnk_file { getattr read };
allow osquery_t postfix_etc_t:dir { getattr open read };
allow osquery_t postfix_etc_t:file getattr;
allow osquery_t postfix_map_exec_t:file getattr;
allow osquery_t postfix_master_exec_t:file getattr;
allow osquery_t postfix_master_t:dir { getattr open read search };
allow osquery_t postfix_master_t:file { getattr open read };
allow osquery_t postfix_master_t:lnk_file { getattr read };
allow osquery_t postfix_pickup_exec_t:file getattr;
allow osquery_t postfix_pickup_t:dir { getattr open read search };
allow osquery_t postfix_pickup_t:file { getattr open read };
allow osquery_t postfix_pickup_t:lnk_file { getattr read };
allow osquery_t postfix_postdrop_exec_t:file getattr;
allow osquery_t postfix_postqueue_exec_t:file getattr;
allow osquery_t postfix_qmgr_exec_t:file getattr;
allow osquery_t postfix_qmgr_t:dir { getattr open read search };
allow osquery_t postfix_qmgr_t:file { getattr open read };
allow osquery_t postfix_qmgr_t:lnk_file { getattr read };
allow osquery_t postfix_spool_t:dir getattr;
allow osquery_t ppp_device_t:chr_file getattr;
allow osquery_t pppd_etc_rw_t:dir { getattr open read };
allow osquery_t pppd_etc_t:dir { getattr open read };
allow osquery_t pppd_exec_t:file getattr;
allow osquery_t pppd_initrc_exec_t:file getattr;
allow osquery_t proc_kcore_t:file getattr;
allow osquery_t proc_kmsg_t:file getattr;
allow osquery_t proc_mdstat_t:file getattr;
allow osquery_t proc_net_t:file { getattr open read };
allow osquery_t proc_t:dir read;
allow osquery_t proc_t:file { getattr open read };
allow osquery_t proc_t:filesystem getattr;
allow osquery_t pstore_t:filesystem getattr;
allow osquery_t ptmx_t:chr_file getattr;
allow osquery_t quota_exec_t:file getattr;
#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
allow osquery_t random_device_t:chr_file getattr;
allow osquery_t rdisc_exec_t:file getattr;
allow osquery_t rpc_pipefs_t:filesystem getattr;
allow osquery_t rpcbind_exec_t:file getattr;
allow osquery_t rpcbind_t:dir { getattr open read search };
allow osquery_t rpcbind_t:file { getattr open read };
allow osquery_t rpcbind_t:lnk_file { getattr read };
allow osquery_t rpcd_exec_t:file getattr;
allow osquery_t rpcd_unit_file_t:file getattr;
allow osquery_t rpm_exec_t:file getattr;
allow osquery_t rpm_script_tmp_t:dir read;
allow osquery_t rsync_etc_t:file getattr;
allow osquery_t rsync_exec_t:file getattr;
allow osquery_t screen_exec_t:file getattr;
allow osquery_t scsi_generic_device_t:chr_file getattr;
allow osquery_t self:capability { dac_override sys_rawio };
allow osquery_t self:netlink_kobject_uevent_socket { bind create getattr setopt };
allow osquery_t self:process setsched;
#!!!! The file '/var/osquery/osquery.em' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/osquery/osquery.em
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow osquery_t self:unix_stream_socket connectto;
allow osquery_t selinux_config_t:dir read;
allow osquery_t selinux_login_config_t:dir { getattr open read };
allow osquery_t semanage_exec_t:file getattr;
allow osquery_t semanage_store_t:dir { getattr open read };
allow osquery_t semanage_store_t:file { getattr open read };
allow osquery_t sendmail_exec_t:file getattr;
allow osquery_t setfiles_exec_t:file getattr;
allow osquery_t setsebool_exec_t:file getattr;
allow osquery_t shadow_t:file getattr;
allow osquery_t showmount_exec_t:file getattr;
#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
allow osquery_t slapd_cert_t:dir { getattr open read };
#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
allow osquery_t slapd_cert_t:file getattr;
allow osquery_t sound_device_t:chr_file getattr;
allow osquery_t ssh_agent_exec_t:file getattr;
allow osquery_t ssh_exec_t:file getattr;
allow osquery_t ssh_home_t:dir { getattr open read };
allow osquery_t ssh_home_t:file getattr;
allow osquery_t ssh_keygen_exec_t:file getattr;
allow osquery_t sshd_exec_t:file getattr;
allow osquery_t sshd_key_t:file getattr;
allow osquery_t sshd_keygen_exec_t:file getattr;
allow osquery_t sshd_t:dir { getattr open read search };
allow osquery_t sshd_t:file { getattr open read };
allow osquery_t sshd_t:lnk_file { getattr read };
allow osquery_t sshd_unit_file_t:file getattr;
allow osquery_t su_exec_t:file getattr;
allow osquery_t sudo_exec_t:file getattr;
allow osquery_t sulogin_exec_t:file getattr;
allow osquery_t sysctl_fs_t:dir search;
allow osquery_t sysctl_irq_t:dir getattr;
allow osquery_t sysctl_t:file getattr;
allow osquery_t sysfs_t:dir read;
allow osquery_t sysfs_t:file { getattr open read };
allow osquery_t sysfs_t:filesystem getattr;
allow osquery_t sysfs_t:lnk_file { getattr read };
allow osquery_t syslog_conf_t:dir { getattr open read };
allow osquery_t syslog_conf_t:file getattr;
allow osquery_t syslogd_exec_t:file getattr;
allow osquery_t syslogd_t:dir { getattr open read search };
allow osquery_t syslogd_t:file { getattr open read };
allow osquery_t syslogd_t:lnk_file { getattr read };
allow osquery_t system_cron_spool_t:dir { getattr open read };
allow osquery_t system_cron_spool_t:file { getattr open read };
allow osquery_t system_cronjob_t:dir { getattr open read search };
allow osquery_t system_cronjob_t:file { getattr open read };
allow osquery_t system_cronjob_t:lnk_file { getattr read };
allow osquery_t system_dbusd_t:dir { getattr open read search };
allow osquery_t system_dbusd_t:file { getattr open read };
allow osquery_t system_dbusd_t:lnk_file { getattr read };
allow osquery_t systemd_hwdb_etc_t:file getattr;
allow osquery_t systemd_hwdb_exec_t:file getattr;
allow osquery_t systemd_logind_exec_t:file getattr;
allow osquery_t systemd_logind_t:dir { getattr open read search };
allow osquery_t systemd_logind_t:file { getattr open read };
allow osquery_t systemd_logind_t:lnk_file { getattr read };
allow osquery_t systemd_notify_exec_t:file getattr;
allow osquery_t systemd_passwd_agent_exec_t:file getattr;
allow osquery_t systemd_systemctl_exec_t:file getattr;
allow osquery_t systemd_tmpfiles_exec_t:file getattr;
allow osquery_t systemd_unit_file_t:dir { open read };
allow osquery_t systemd_unit_file_t:file getattr;
allow osquery_t systemd_unit_file_t:lnk_file read;
allow osquery_t tcpd_exec_t:file getattr;
allow osquery_t thumb_exec_t:file getattr;
#!!!! WARNING: 'tmp_t' is a base type.
allow osquery_t tmp_t:dir { add_name read remove_name write };
allow osquery_t tmp_t:file { create unlink write };
#!!!! WARNING: 'tmp_t' is a base type.
allow osquery_t tmp_t:lnk_file { create unlink };
allow osquery_t tmpfs_t:dir read;
allow osquery_t tmpfs_t:filesystem getattr;
allow osquery_t traceroute_exec_t:file getattr;
allow osquery_t tun_tap_device_t:chr_file getattr;
allow osquery_t tuned_etc_t:dir { getattr open read };
allow osquery_t tuned_etc_t:file getattr;
allow osquery_t tuned_exec_t:file getattr;
allow osquery_t tuned_rw_etc_t:file getattr;
allow osquery_t tuned_t:dir { getattr open read search };
allow osquery_t tuned_t:file { getattr open read };
allow osquery_t tuned_t:lnk_file { getattr read };
allow osquery_t udev_exec_t:file getattr;
allow osquery_t udev_rules_t:dir { getattr open read };
allow osquery_t udev_rules_t:file getattr;
allow osquery_t udev_t:dir { getattr open read search };
allow osquery_t udev_t:file { getattr open read };
allow osquery_t udev_t:lnk_file { getattr read };
allow osquery_t udev_var_run_t:file { getattr open read };
allow osquery_t uhid_device_t:chr_file getattr;
allow osquery_t unconfined_service_t:dir { getattr open read search };
allow osquery_t unconfined_service_t:file { getattr open read };
allow osquery_t unconfined_service_t:lnk_file { getattr read };
allow osquery_t unconfined_t:dir { getattr open read search };
allow osquery_t unconfined_t:file { getattr open read };
allow osquery_t unconfined_t:lnk_file { getattr read };
#!!!! WARNING: 'unlabeled_t' is a base type.
#!!!! The file '/etc/sysconfig/cloud-info' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /etc/sysconfig/cloud-info
allow osquery_t unlabeled_t:file getattr;
allow osquery_t updpwd_exec_t:file getattr;
allow osquery_t usbmon_device_t:chr_file getattr;
allow osquery_t user_cron_spool_t:dir { getattr open read };
allow osquery_t user_fonts_t:dir { getattr open read search };
allow osquery_t user_home_dir_t:dir getattr;
allow osquery_t user_tmp_t:dir read;
allow osquery_t useradd_exec_t:file getattr;
allow osquery_t userhelper_conf_t:dir { getattr open read };
allow osquery_t userhelper_conf_t:file getattr;
allow osquery_t userhelper_exec_t:file getattr;
allow osquery_t usernetctl_exec_t:file getattr;
allow osquery_t var_log_t:lnk_file unlink;
#!!!! WARNING 'osquery_t' is not allowed to write or create to var_run_t. Change the label to osquery_var_run_t.
allow osquery_t var_run_t:dir { add_name remove_name write };
#!!!! WARNING 'osquery_t' is not allowed to write or create to var_run_t. Change the label to osquery_var_run_t.
#!!!! $ semanage fcontext -a -t osquery_var_run_t /run/osqueryd.pid
#!!!! $ restorecon -R -v /run/osqueryd.pid
#!!!! The file '/run/osqueryd.pid' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/osqueryd.pid
allow osquery_t var_run_t:file { append create getattr open read setattr unlink };
#!!!! WARNING: 'var_t' is a base type.
allow osquery_t var_t:dir { add_name read remove_name setattr write };
allow osquery_t var_t:file { create getattr lock open read rename unlink write };
allow osquery_t var_t:sock_file { create getattr unlink write };
allow osquery_t vfio_device_t:chr_file getattr;
allow osquery_t vhost_device_t:chr_file getattr;
allow osquery_t virt_qemu_ga_exec_t:file getattr;
allow osquery_t virt_qemu_ga_unconfined_exec_t:dir { getattr open read };
allow osquery_t vlock_exec_t:file getattr;
allow osquery_t wtmp_t:file { open read };
allow osquery_t xserver_etc_t:dir { getattr open read };
allow osquery_t xserver_misc_device_t:chr_file getattr;
allow osquery_t print_spool_t:dir search;
allow osquery_t rpcbind_var_lib_t:dir search;
allow osquery_t self:capability sys_ptrace;
#============= unconfined_t ==============
#!!!! This avc is allowed in the current policy
allow unconfined_t osquery_conf_t:file relabelto;
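Review bot: this module is raw `audit2allow` output and grants `osquery_t` far more than a read-only inventory agent needs: `self:capability { dac_override sys_rawio sys_ptrace }`, `write` on `lvm_control_t:chr_file`, create/write/unlink on `lvm_metadata_t`, `lvm_lock_t`, `var_t`, `var_run_t` and `tmp_t` files, and `getattr` on `shadow_t`. The generated `#!!!!` comments already point at the fix for the base-type rules: label `/run/osqueryd.pid` as `osquery_var_run_t` and relabel `/var/osquery/osquery.em`, then drop the `var_run_t`, `var_t` and `tmp_t` allows; the `lvm_*` write rules need either a comment explaining which table requires them or removal. Two smaller points: the `require` block names types from optional modules (`mysqld_etc_t`, `slapd_cert_t`, the `NetworkManager_*`, `postfix_*` and `tuned_*` types), so the module will refuse to load on a host where any of those modules has been removed, and `allow unconfined_t osquery_conf_t:file relabelto;` is annotated as already allowed in the current policy and can be dropped.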

View File

@ -0,0 +1,27 @@
{{ ansible_managed | comment('plain', decoration='## ') }}
check process osqueryd
with pidfile "/var/run/osqueryd.pid"
group system
group osqueryd
{% if ansible_service_mgr == 'systemd' %}
start program = "/bin/systemctl start ssh" with timeout 60 seconds
stop program = "/bin/systemctl stop ssh"
{% else %}
start program = "/etc/init.d/ssh start" with timeout 60 seconds
stop program = "/etc/init.d/ssh stop"
{% endif %}
if cpu > 90% for 15 cycles then alert
if totalmem > 90% for 15 cycles then alert
if loadavg(15min) greater than 10 for 50 cycles then alert
if 5 restarts with 5 cycles then alert
depends on osqueryd_binary
depends on osqueryd_conf
check file osqueryd_binary
with path /usr/bin/osqueryd
group osqueryd
if failed checksum then alert
check file osqueryd_conf with path /etc/osquery/osquery.conf
include /etc/monit/templates/rootrc
group osqueryd
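Review bot: the start/stop programs in both `ansible_service_mgr` branches control `ssh`, not `osqueryd` (`/bin/systemctl start ssh`, `/etc/init.d/ssh start`), so monit would restart sshd whenever the osqueryd check fails and never recover osqueryd itself; change all four to `osqueryd`. Also `if 5 restarts with 5 cycles then alert` is not valid monit syntax; the keyword is `within` (`if 5 restarts within 5 cycles then alert`).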

View File

@ -0,0 +1,16 @@
{% if osquery_syslog_target is defined and osquery_syslog_target != '' %}
{{ osquery_syslog_target_facility_syslogconf }}.* {{ osquery_syslog_target }}
{% if rsyslog_v.stdout is defined and rsyslog_v.stdout is version_compare('8.0', '<') %}
& ~
{% else %}
& stop
{% endif %}
{% endif %}
{% if osquery_syslog_target2 is defined and osquery_syslog_target2 != '' %}
if $programname == 'osqueryd' then {{ osquery_syslog_target2 }}
{% if rsyslog_v.stdout is defined and rsyslog_v.stdout is version_compare('8.0', '<') %}
& ~
{% else %}
& stop
{% endif %}
{% endif %}
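Review bot: the first rule matches on facility alone (`{{ osquery_syslog_target_facility_syslogconf }}.* {{ osquery_syslog_target }}` followed by `& stop`), so every program logging to that facility, not only osqueryd, is written to the osquery results target and then discarded from the rest of the rsyslog pipeline; the second rule already shows the tighter form (`if $programname == 'osqueryd' then ...`), so add the same `$programname` condition to the first, or document that the facility must be reserved for osquery. Also, `rsyslog_v.stdout is version_compare('8.0', '<')` silently falls back to `& stop` when `rsyslog_v` is undefined, which older rsyslog releases do not accept; fail early when the version fact is missing, consistent with the new pre-task variable checks.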

View File

@ -0,0 +1,14 @@
#!/usr/bin/env bats
#
#
# Idempotence test
# from https://github.com/neillturner/kitchen-ansible/issues/92
#
@test "Second run should change nothing" {
skip "service module issue"
run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
[ "$status" -eq 0 ]
}
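Review bot: `skip "service module issue"` disables the only assertion in this file, so the idempotence check never runs and a second converge that reports `changed>0` still passes; either scope the skip to the affected distribution, or reference the tracking issue and make the `grep` tolerant of the one known-changing task so the rest of the play is still verified.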

View File

@ -0,0 +1,43 @@
---
- hosts: all
#- hosts: test-kitchen
vars:
- mysql_root_password: 'Toor=2017.'
- kolide_mysql_root_pass: "{{ mysql_root_password }}"
- mysql_databases:
- name: "{{ kolide_mysql_db }}"
- mysql_users:
- name: "{{ kolide_mysql_user }}"
host: "localhost"
#host: "%"
password: "{{ kolide_mysql_pass }}"
priv: "{{ kolide_mysql_db }}.*:ALL"
- mysql_enablerepo: epel
- osquery_flags:
- '--enroll_secret_path=/etc/osquery/osquery_enroll_secret'
- "--tls_server_certs={{ ssl_dir }}/{{ ansible_fqdn }}.crt"
- '--tls_hostname=acme.kolide.co:8080'
- '--host_identifier=hostname'
- '--enroll_tls_endpoint=/api/v1/osquery/enroll'
- '--config_plugin=tls'
- '--config_tls_endpoint=/api/v1/osquery/config'
- '--config_tls_refresh=10'
- '--disable_distributed=false'
- '--distributed_plugin=tls'
- '--distributed_interval=10'
- '--distributed_tls_max_attempts=3'
- '--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read'
- '--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write'
- '--logger_plugin=tls'
pre_tasks:
- name: map acme.kolide.co to localhost
lineinfile:
dest: /etc/hosts
line: 127.0.0.1 acme.kolide.co
ignore_errors: true
roles:
- { role: geerlingguy.mysql, when: ansible_os_family == 'Debian' }
- juju4.kolide
- kbrebanov.osquery
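Review bot: `mysql_root_password: 'Toor=2017.'` is a committed credential; even for a test-kitchen fixture it should be generated at converge time so the literal never lands in the repository or a test image. Two consistency points: `mysql_enablerepo: epel` only has meaning on RedHat-family hosts, but `geerlingguy.mysql` is applied only `when: ansible_os_family == 'Debian'`, and `--tls_server_certs={{ ssl_dir }}/{{ ansible_fqdn }}.crt` uses `ssl_dir`, which this play's `vars` never set, so the flag depends on a role default existing. `ignore_errors: true` on the `/etc/hosts` pre-task also hides the one failure that would explain a later enrolment error against `acme.kolide.co:8080`.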

View File

@ -0,0 +1,8 @@
source 'https://rubygems.org'
gem 'serverspec'
gem 'rake'
## for junit output and jenkins support
## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
#gem 'yarjuf'

View File

@ -0,0 +1,9 @@
require 'rake'
require 'rspec/core/rake_task'
RSpec::Core::RakeTask.new(:spec) do |t|
t.pattern = '*_spec.rb'
end
task :default => :spec

View File

@ -0,0 +1,59 @@
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do
## mostly exclude for docker/systemd distributions
it { should be_enabled }
end
describe service('osqueryd') do
it { should be_running }
end
describe file('/usr/bin/osqueryd') do
it { should be_executable }
end
describe file('/usr/bin/osqueryi') do
it { should be_executable }
end
describe file('/etc/osquery/osquery.conf') do
it { should contain '"config_plugin":' }
it { should contain '"packs": {' }
it { should contain '"filesystem"' }
end
describe process("osqueryd") do
its(:user) { should eq "root" }
its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ }
its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ }
end
#describe file('/var/log/osquery/osqueryd.INFO') do
# it { should be_symlink }
# its(:content) { should match /Log line format:/ }
#end
#describe file('/var/log/osquery/osqueryd.WARNING') do
# it { should be_symlink }
# its(:content) { should match /Log line format:/ }
# its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
#end
#describe file('/var/log/osquery/osqueryd.results.log') do
# it { should be_file }
## its(:content) { should match /hostIdentifier/ }
# let(:sudo_options) { '-u root -H' }
#end
describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do
its(:stdout) { should match /osqueryd is already running/ }
its(:exit_status) { should eq 0 }
end
describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do
its(:stdout) { should match /active \(running\)/ }
its(:exit_status) { should eq 0 }
end
describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do
its(:stdout) { should match /active \(running\)/ }
its(:exit_status) { should eq 0 }
end
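Review bot: the `:if => (os[:family] == 'ubuntu' && os[:release] == '14.04')` block runs `systemctl status osqueryd`, but Ubuntu 14.04 ships upstart rather than systemd, so the command is not found and `exit_status` can never be 0; use `service osqueryd status` there and check the expected pattern against that command's output. Minor: in the first `describe service` guard, `(os[:family] != 'redhat')` is redundant once `os[:family] == 'ubuntu'` is required.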

View File

@ -0,0 +1,32 @@
#!/bin/sh -x
## get consistent ruby2+bundler env on each distribution
location=`dirname "$0"`
cd $location
v=2.3
## docker environment in travis missing few utils
[ -f /etc/debian_version ] && apt-get install -y curl
[ -f /etc/redhat-release ] && yum -y install which
curl -sSL https://get.rvm.io | bash
#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
## troubleshoot
type rvm | head -1
env
#export PATH=/usr/local/rvm/bin:$PATH
bash -l -c "rvm install $v"
bash -l -c "rvm use $v"
bash -l -c "rvm use $v --default"
bash -l -c "gem install bundler"
bash -l -c "bundle install --path ./gems"
if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
else
bash -l -c "bundle exec rake spec"
fi
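Review bot: `curl -sSL https://get.rvm.io | bash` executes an unverified remote script as whichever user runs the tests, which is a supply-chain risk and also works against the repeatability this change aims for (the installed RVM changes whenever upstream does); download the installer to a file, verify it against the signature the RVM project publishes, and pin a specific RVM version before running it. Minor: `cd $location` should be `cd "$location" || exit 1` so a missing directory does not silently run the rest of the script from the wrong cwd, and `[ A -a B ]` is obsolescent in POSIX sh; write `[ "$USER" != "root" ] && [ -n "$USER" ]` instead.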

View File

@ -0,0 +1,14 @@
#!/usr/bin/env bats
#
#
# Idempotence test
# from https://github.com/neillturner/kitchen-ansible/issues/92
#
@test "Second run should change nothing" {
skip "service module issue"
run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
[ "$status" -eq 0 ]
}
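Review bot: `skip "service module issue"` disables the only assertion in this file, so the idempotence test never runs and a second `ansible-playbook` pass that still reports changes goes unnoticed; either drop the skip now that the role is vendored and can be fixed, or reference the blocking issue in the skip message so it is not forgotten. Also `grep -q ... && exit 0 || exit 1` is redundant, since `grep -q` already exits 0/1; `run bash -c "... | grep -q 'changed=0.*failed=0'"` is enough.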

View File

@ -0,0 +1,17 @@
---
- hosts: all
#- hosts: test-kitchen
vars:
- osquery_flags:
- '--logger_plugin=filesystem,syslog'
- osquery_logger_plugin: 'filesystem,syslog'
- osquery_syslog_target: '/var/log/osquery_syslog-results.log'
- osquery_syslog_target2: '/var/log/osquery_syslog-prog.log'
- osquery_testing: true
- osquery_syslog_dirs:
- /var/log
- osquery_testing_pause: true
roles:
- kbrebanov.osquery
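Review bot: the logger plugin is configured twice, once as `--logger_plugin=filesystem,syslog` under `osquery_flags` and again as `osquery_logger_plugin: 'filesystem,syslog'`; if the role renders both into the flag file the flag is duplicated, and if it renders only one the other is dead, so keep a single source of truth. The `vars:` block is written as a list of one-key mappings (`- osquery_flags:`), which Ansible accepts but a plain mapping is the conventional form; and the stale `#- hosts: test-kitchen` line should go.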

View File

@ -0,0 +1,8 @@
source 'https://rubygems.org'
gem 'serverspec'
gem 'rake'
## for junit output and jenkins support
## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
#gem 'yarjuf'
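Review bot: `gem 'serverspec'` and `gem 'rake'` carry no version constraints and the test script runs `bundle install` on every invocation, so results depend on whatever gem versions are newest at run time; pin versions or commit the `Gemfile.lock` so the test environment is reproducible. The `FIXME!` about `yarjuf` should either be resolved or point at a tracking issue rather than stay as a commented-out gem.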

View File

@ -0,0 +1,9 @@
require 'rake'
require 'rspec/core/rake_task'
RSpec::Core::RakeTask.new(:spec) do |t|
t.pattern = '*_spec.rb'
end
task :default => :spec

View File

@ -0,0 +1,59 @@
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do
## mostly exclude for docker/systemd distributions
it { should be_enabled }
end
describe service('osqueryd') do
it { should be_running }
end
describe file('/usr/bin/osqueryd') do
it { should be_executable }
end
describe file('/usr/bin/osqueryi') do
it { should be_executable }
end
describe file('/etc/osquery/osquery.conf') do
it { should contain '"config_plugin":' }
it { should contain '"packs": {' }
it { should contain '"filesystem,syslog"' }
end
describe process("osqueryd") do
its(:user) { should eq "root" }
its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ }
its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ }
end
describe file('/var/log/osquery/osqueryd.INFO') do
it { should be_symlink }
its(:content) { should match /Log line format:/ }
end
describe file('/var/log/osquery/osqueryd.WARNING') do
it { should be_symlink }
its(:content) { should match /Log line format:/ }
its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
end
describe file('/var/log/osquery/osqueryd.results.log') do
it { should be_file }
# its(:content) { should match /hostIdentifier/ }
let(:sudo_options) { '-u root -H' }
end
describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do
its(:stdout) { should match /osqueryd is already running/ }
its(:exit_status) { should eq 0 }
end
describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do
its(:stdout) { should match /active \(running\)/ }
its(:exit_status) { should eq 0 }
end
describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do
its(:stdout) { should match /active \(running\)/ }
its(:exit_status) { should eq 0 }
end
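Review bot: the `:if` guard on the `be_enabled` check, `(os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat')`, has a redundant second clause (the first already requires ubuntu) and, given the comment that it excludes docker/systemd distributions, should also exclude 18.04, which is systemd as well; listing the excluded releases explicitly would make the intent clear. The 14.04 branch then runs `systemctl status osqueryd`, which 14.04 (upstart) does not have, so that block can never pass; use `service osqueryd status` there. Finally `let(:sudo_options)` is set only for the results log; if the INFO/WARNING symlinks resolve to root-only files the two blocks above need it too.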

View File

@ -0,0 +1,18 @@
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe file('/var/log/osquery_syslog-prog.log') do
it { should be_file }
# its(:content) { should match /osqueryd: osqueryd started \[version=/ }
its(:content) { should_not match /Rocksdb open failed \(5:0\) IO error:/ }
end
describe file('/var/log/osquery_syslog-results.log') do
it { should be_file }
its(:content) { should match /hostIdentifier/ }
# its(:content) { should match /pack/ }
# its(:content) { should match /message=Executing scheduled query system_info:/ }
its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
let(:sudo_options) { '-u root -H' }
end
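Review bot: with the `osqueryd started` expectation commented out, the `/var/log/osquery_syslog-prog.log` block only asserts that the file exists and lacks a RocksDB error, so an empty or unrelated file passes; keep at least one positive match on an osqueryd log line so the test proves the syslog logger actually delivered output. `let(:sudo_options)` is set only in the results-log block; if the prog log has the same ownership the first block needs it as well.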

View File

@ -0,0 +1,47 @@
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe service('rsyslog'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') || (os[:family] == 'redhat' && os[:release] != '7') do
it { should be_enabled }
end
describe service('rsyslog') do
it { should be_running }
end
describe file('/usr/sbin/rsyslogd') do
it { should be_executable }
end
describe process("rsyslogd"), :if => os[:family] == 'ubuntu' do
its(:user) { should eq "syslog" }
end
describe process("rsyslogd"), :if => os[:family] == 'redhat' do
its(:user) { should eq "root" }
end
describe file('/var/log'), :if => os[:family] == 'ubuntu' do
it { should be_directory }
it { should be_mode 775 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'syslog' }
# it { should be_writable.by('group') }
it { should be_writable.by_user('syslog') }
end
describe file('/var/log'), :if => os[:family] == 'redhat' do
it { should be_directory }
it { should be_mode 755 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'root' }
# it { should be_writable.by('group') }
end
describe file('/var/log/syslog'), :if => os[:family] == 'ubuntu' do
it { should be_file }
end
describe file('/var/log/messages'), :if => os[:family] == 'redhat' do
it { should be_file }
end
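Review bot: the guard `(os[:family] == 'ubuntu' && os[:release] != '16.04') || (os[:family] == 'redhat' && os[:release] != '7')` excludes 16.04 and RHEL 7 from the `be_enabled` check but not Ubuntu 18.04, which is also systemd and is handled as systemd in the osquery spec of this same suite; make the two specs agree on which releases are skipped. The `be_mode 775` / `be_mode 755` and ownership checks on `/var/log` assert distro defaults that this role does not manage; that is fine as a precondition check, but a comment saying so would stop someone "fixing" the role when a base image differs.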

View File

@ -0,0 +1,32 @@
#!/bin/sh -x
## get consistent ruby2+bundler env on each distribution
location=`dirname "$0"`
cd $location
v=2.3
## docker environment in travis missing few utils
[ -f /etc/debian_version ] && apt-get install -y curl
[ -f /etc/redhat-release ] && yum -y install which
curl -sSL https://get.rvm.io | bash
#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
## troubleshoot
type rvm | head -1
env
#export PATH=/usr/local/rvm/bin:$PATH
bash -l -c "rvm install $v"
bash -l -c "rvm use $v"
bash -l -c "rvm use $v --default"
bash -l -c "gem install bundler"
bash -l -c "bundle install --path ./gems"
if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
else
bash -l -c "bundle exec rake spec"
fi
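Review bot: this script is byte-for-byte identical to the test script added earlier in this commit, including the unverified `curl -sSL https://get.rvm.io | bash` and the unquoted `cd $location`; keeping one shared copy (or a symlink) means those fixes are made once rather than in every test suite.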

View File

@ -0,0 +1,14 @@
#!/usr/bin/env bats
#
#
# Idempotence test
# from https://github.com/neillturner/kitchen-ansible/issues/92
#
@test "Second run should change nothing" {
skip "service module issue"
run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
[ "$status" -eq 0 ]
}
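Review bot: identical copy of the earlier idempotence test, with the same `skip "service module issue"` that prevents it from ever running; consolidate to one file and resolve or reference the skip reason there.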

View File

@ -0,0 +1,17 @@
---
- hosts: all
#- hosts: test-kitchen
vars:
# - osquery_flags:
# - '--logger_plugin=syslog'
- osquery_logger_plugin: 'syslog'
- osquery_syslog_target: '/var/log/osquery_syslog-results.log'
- osquery_syslog_target2: '/var/log/osquery_syslog-prog.log'
- osquery_testing: true
- osquery_syslog_dirs:
- /var/log
- osquery_testing_pause: true
roles:
- kbrebanov.osquery
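Review bot: the commented-out `osquery_flags` lines (`# - '--logger_plugin=syslog'`) are stale configuration and should be removed now that `osquery_logger_plugin: 'syslog'` carries the setting, otherwise the next reader has to work out which of the two the role honours. As in the sibling playbook, the `vars:` list-of-mappings form and the `#- hosts: test-kitchen` leftover are worth cleaning up.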

View File

@ -0,0 +1,8 @@
source 'https://rubygems.org'
gem 'serverspec'
gem 'rake'
## for junit output and jenkins support
## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
#gem 'yarjuf'
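Review bot: same unpinned `serverspec` and `rake` dependencies as the earlier Gemfile in this commit; pin versions or commit a lockfile, and share one Gemfile between the suites if they are meant to stay identical.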

View File

@ -0,0 +1,9 @@
require 'rake'
require 'rspec/core/rake_task'
RSpec::Core::RakeTask.new(:spec) do |t|
t.pattern = '*_spec.rb'
end
task :default => :spec

View File

@ -0,0 +1,44 @@
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do
## mostly exclude for docker/systemd distributions
it { should be_enabled }
end
describe service('osqueryd') do
it { should be_running }
end
describe file('/usr/bin/osqueryd') do
it { should be_executable }
end
describe file('/usr/bin/osqueryi') do
it { should be_executable }
end
describe file('/etc/osquery/osquery.conf') do
it { should contain '"config_plugin":' }
it { should contain '"packs": {' }
it { should contain '"syslog"' }
end
describe process("osqueryd") do
its(:user) { should eq "root" }
its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ }
its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ }
end
describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do
its(:stdout) { should match /osqueryd is already running/ }
its(:exit_status) { should eq 0 }
end
describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do
its(:stdout) { should match /active \(running\)/ }
its(:exit_status) { should eq 0 }
end
describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do
its(:stdout) { should match /active \(running\)/ }
its(:exit_status) { should eq 0 }
end
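Review bot: this spec differs from the earlier osquery spec only in the expected logger string (`'"syslog"'` versus `'"filesystem,syslog"'`) and the dropped filesystem-log blocks, so it inherits the same problems: the redundant `(os[:family] != 'redhat')` clause, 18.04 not being excluded with the other systemd releases, and `systemctl status osqueryd` under the 14.04 guard where `systemctl` does not exist. Parameterizing the expected plugin string (for example via an environment variable read at the top of one shared spec) would remove the duplication.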

View File

@ -0,0 +1,27 @@
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe file('/var/log/osquery_syslog-prog.log') do
it { should be_file }
# its(:content) { should match /osqueryd: osqueryd started \[version=/ }
its(:content) { should match /Executing scheduled query system_info:/ }
its(:content) { should_not match /Rocksdb open failed \(5:0\) IO error:/ }
its(:content) { should_not match /osqueryd initialize failed: Could not initialize database/ }
end
describe file('/var/log/osquery_syslog-results.log') do
it { should be_file }
its(:content) { should match /hostIdentifier/ }
# its(:content) { should match /pack/ }
its(:content) { should match /message=Executing scheduled query system_info:/ }
its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
let(:sudo_options) { '-u root -H' }
end
describe command('journalctl -l') do
its(:stdout) { should match /osqueryd/ }
its(:stdout) { should match /Executing scheduled query system_info:/ }
its(:stdout) { should match /hostIdentifier/ }
its(:exit_status) { should eq 0 }
end
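Review bot: the `journalctl -l` block is unconditional, but the osquery spec in this suite still carries a 14.04 branch and 14.04 has no journald, so on that platform the command fails and the three stdout matches can never succeed; guard it with the same systemd-release condition used elsewhere. With a unit filter (`journalctl -u osqueryd`) the output is also limited to the daemon's own messages, which makes `should match /osqueryd/` meaningful rather than trivially true on a host where anything else mentions osquery.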

View File

@ -0,0 +1,47 @@
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe service('rsyslog'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') || (os[:family] == 'redhat' && os[:release] != '7') do
it { should be_enabled }
end
describe service('rsyslog') do
it { should be_running }
end
describe file('/usr/sbin/rsyslogd') do
it { should be_executable }
end
describe process("rsyslogd"), :if => os[:family] == 'ubuntu' do
its(:user) { should eq "syslog" }
end
describe process("rsyslogd"), :if => os[:family] == 'redhat' do
its(:user) { should eq "root" }
end
describe file('/var/log'), :if => os[:family] == 'ubuntu' do
it { should be_directory }
it { should be_mode 775 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'syslog' }
# it { should be_writable.by('group') }
it { should be_writable.by_user('syslog') }
end
describe file('/var/log'), :if => os[:family] == 'redhat' do
it { should be_directory }
it { should be_mode 755 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'root' }
# it { should be_writable.by('group') }
end
describe file('/var/log/syslog'), :if => os[:family] == 'ubuntu' do
it { should be_file }
end
describe file('/var/log/messages'), :if => os[:family] == 'redhat' do
it { should be_file }
end
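Review bot: identical to the rsyslog spec added earlier in this commit, including the `be_enabled` guard that skips 16.04 and RHEL 7 but not 18.04; keep a single copy so the release list is maintained in one place.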

View File

@ -0,0 +1,32 @@
#!/bin/sh -x
## get consistent ruby2+bundler env on each distribution
location=`dirname "$0"`
cd $location
v=2.3
## docker environment in travis missing few utils
[ -f /etc/debian_version ] && apt-get install -y curl
[ -f /etc/redhat-release ] && yum -y install which
curl -sSL https://get.rvm.io | bash
#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
## troubleshoot
type rvm | head -1
env
#export PATH=/usr/local/rvm/bin:$PATH
bash -l -c "rvm install $v"
bash -l -c "rvm use $v"
bash -l -c "rvm use $v --default"
bash -l -c "gem install bundler"
bash -l -c "bundle install --path ./gems"
if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
else
bash -l -c "bundle exec rake spec"
fi
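Review bot: third identical copy of the RVM bootstrap script in this commit, again piping `https://get.rvm.io` straight into `bash` without verification; consolidate and verify the installer once.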

View File

@ -0,0 +1,14 @@
#!/usr/bin/env bats
#
#
# Idempotence test
# from https://github.com/neillturner/kitchen-ansible/issues/92
#
@test "Second run should change nothing" {
skip "service module issue"
run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
[ "$status" -eq 0 ]
}
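Review bot: third identical copy of the skipped idempotence test; with every copy carrying `skip "service module issue"`, none of the three suites checks that a second playbook run is clean, which is the property the commit message says this change delivers.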

Some files were not shown because too many files have changed in this diff.