diff --git a/osquery/README.rst b/osquery/README.rst index 20c12ad4..274e11ac 100644 --- a/osquery/README.rst +++ b/osquery/README.rst @@ -83,13 +83,29 @@ Update the `/etc/hosts` file *(optional)* Create an haproxy entry for kolide-fleet service 8443 +Add the following configuration item to the `haproxy_extra_services` variable +within a **user** defined variable file. + +.. code-block:: yaml + + haproxy_extra_services: + - service: + haproxy_service_name: kolide-fleet + haproxy_ssl: False + haproxy_backend_nodes: "{{ groups['kolide-fleet_all'] | default([]) }}" + haproxy_port: 6443 # This is set using the "kolide_fleet_port" variable + haproxy_check_port: 443 # This is set using the "kolide_fleet_port" variable + haproxy_backend_port: 443 # This is set using the "kolide_fleet_port" variable + haproxy_balance_type: tcp + + +With the appropriate haproxy configuration in place, setup haproxy to begin +load balancing the traffic. + .. code-block:: bash - cd /opt/openstack-ansible-ops/osquery - cat haproxy.example >> /etc/openstack_deploy/user_variables.yml - cd /opt/openstack-ansible/playbooks/ - openstack-ansible haproxy-install.yml --tags=haproxy-service-config + openstack-ansible haproxy-install.yml Deploying | Installing with embedded Ansible @@ -136,21 +152,36 @@ Deploying | The environment ^^^^^^^^^^^^^^^^^^^^^^^^^^^ Create some basic passwords keys that are needed by fleet -.. code-block:: bashG - echo "kolide_fleet_db_password: $(openssl rand -base64 16)" > /etc/openstack_deploy/fleet_user_vars.yml - echo "kolide_fleet_jwt_key: $(openssl rand -base64 32)" >> /etc/openstack_deploy/fleet_user_vars.yml - echo "kolide_fleet_admin_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/fleet_user_vars.yml - echo "mariadb_root_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/fleet_user_vars.yml +.. code-block:: bash + + echo "kolide_fleet_db_password: $(openssl rand -base64 16)" > /etc/openstack_deploy/user_secrets.yml + echo "kolide_fleet_jwt_key: $(openssl rand -base64 32)" >> /etc/openstack_deploy/user_secrets.yml + echo "kolide_fleet_admin_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/user_secrets.yml + # NOTICE: This may already be defined + echo "galera_root_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/user_secrets.yml Install master/data Fleet nodes on the elastic-logstash containers, deploy logstash, deploy Kibana, and then deploy all of the service beats. -.. code-block:: bashG + +.. code-block:: bash cd /opt/openstack-ansible-ops/osquery - ansible-playbook site.yml -e@/etc/openstack_deploy/fleet_user_vars.yml + ansible-playbook site.yml -e@/etc/openstack_deploy/user_secrets.yml + + +If the `installOSquery.yml` playbook is executed with a limit, a single +kolide-fleet host must be part of the limit. This requirement exists because +the nodes running osquery require certificates to authenticate to the +kolide-fleet cluster. Should a node within the kolide-fleet cluster not be +part of the limit the playbooks will not be able to fetch the required +certificates. + +.. code-block:: bash + + ansible-playbook installOSquery.yml $USER_VARS --limit 'host1,host2,kolide-fleet_all[0]' * The `openstack-ansible` command can be used if the version of ansible on the @@ -167,6 +198,7 @@ deploy logstash, deploy Kibana, and then deploy all of the service beats. of the OSA group_vars. These are not available by default with the embedded ansible and can be symlinked into the ops repo. + .. code-block:: bash ln -s /opt/openstack-ansible/inventory/group_vars /opt/openstack-ansible-ops/osquery/group_vars @@ -175,6 +207,7 @@ deploy logstash, deploy Kibana, and then deploy all of the service beats. The individual playbooks found within this repository can be independently run at anytime. + Architecture | Data flow ^^^^^^^^^^^^^^^^^^^^^^^^ diff --git a/osquery/conf.d/fleet.yml b/osquery/conf.d/fleet.yml index 397e19cf..ae341d46 100644 --- a/osquery/conf.d/fleet.yml +++ b/osquery/conf.d/fleet.yml @@ -1,4 +1,4 @@ -fleet_hosts: +kolide_hosts: logging1: ip: 10.0.236.110 logging2: diff --git a/osquery/env.d/fleet.yml b/osquery/env.d/fleet.yml index 171e074d..d8cf81d0 100644 --- a/osquery/env.d/fleet.yml +++ b/osquery/env.d/fleet.yml @@ -1,32 +1,28 @@ --- component_skel: - fleet: + kolide-fleet: belongs_to: - fleet_all + - kolide-fleet_all mariadb: belongs_to: - fleet_all - mariadb_all - osquery: - belongs_to: - - fleet_all - container_skel: - fleet_container: + kolide-fleet_container: belongs_to: - - fleet_containers + - kolide_containers contains: - - fleet + - kolide-fleet - mariadb - - osquery physical_skel: - fleet_containers: + kolide_containers: belongs_to: - all_containers - fleet_hosts: + kolide_hosts: belongs_to: - hosts diff --git a/osquery/haproxy.example b/osquery/haproxy.example deleted file mode 100644 index 28bdca80..00000000 --- a/osquery/haproxy.example +++ /dev/null @@ -1,9 +0,0 @@ -haproxy_extra_services: - - service: - haproxy_service_name: kolide-fleet - haproxy_ssl: False - haproxy_backend_nodes: "{{ groups['fleet_all'] | default([]) }}" # Fleet nodes - haproxy_port: 6443 # This is set using the "kolide_fleet_port" variable - haproxy_check_port: 443 # This is set using the "kolide_fleet_port" variable - haproxy_backend_port: 443 # This is set using the "kolide_fleet_port" variable - haproxy_balance_type: tcp diff --git a/osquery/installDB.yml b/osquery/installDB.yml index 940a7919..0759dfb0 100644 --- a/osquery/installDB.yml +++ b/osquery/installDB.yml @@ -27,15 +27,13 @@ fail: msg: >- The root password for the galera cluster is not defined. To proceed with this - installation define the variable `mariadb_root_password` in line or within a + installation define the variable `galera_root_password` in line or within a variable file. when: - - mariadb_root_password is undefined + - galera_root_password is undefined roles: - role: galera_server - galera_root_user: "{{ mariadb_root_user }}" - galera_root_password: "{{ mariadb_root_password }}" galera_cluster_members: "{{ groups['mariadb_all'] }}" galera_wsrep_node_name: "{{ inventory_hostname }}" galera_cluster_name: telemetry_galera_cluster diff --git a/osquery/installKolideFleet.yml b/osquery/installKolideFleet.yml index c8d19198..34b69f91 100644 --- a/osquery/installKolideFleet.yml +++ b/osquery/installKolideFleet.yml @@ -1,6 +1,6 @@ --- - name: Install Kolide Fleet - hosts: "fleet_all" + hosts: "kolide-fleet_all" become: true vars_files: diff --git a/osquery/installOSquery.yml b/osquery/installOSquery.yml index b8ec3547..38e92364 100644 --- a/osquery/installOSquery.yml +++ b/osquery/installOSquery.yml @@ -13,8 +13,33 @@ # See the License for the specific language governing permissions and # limitations under the License. +- name: Get osquery facts + hosts: "{{ kolide_fleet_host | default(groups['kolide-fleet_all'][0]) }}" + become: true + vars_files: + - vars/variables.yml + tags: + - always + + environment: "{{ deployment_environment_variables | default({}) }}" + + gather_facts: "{{ osa_gather_facts | default(True) }}" + + tasks: + - name: Fetch Certificates + fetch: + flat: yes + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - src: "{{ kolide_fleet_ssl_cert }}" + dest: "/tmp/{{ kolide_fleet_ssl_cert | basename }}" + - src: "{{ kolide_fleet_ssl_key }}" + dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}" + + - name: Install osquery - hosts: "fleet_all:osquery:hosts" + hosts: "hosts:all_containers" become: true vars_files: - vars/variables.yml @@ -32,19 +57,6 @@ - /etc/osquery - /etc/osquery/ssl - - name: Synchronize certifactes back - synchronize: - mode: pull - src: "{{ item.src }}" - dest: "{{ item.dest }}" - with_items: - - src: "{{ kolide_fleet_ssl_cert }}" - dest: "/tmp/{{ kolide_fleet_ssl_cert | basename }}" - - src: "{{ kolide_fleet_ssl_key }}" - dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}" - when: - - inventory_hostname == groups['fleet_all'][0] - - name: Copy certifactes over copy: src: "{{ item.src }}" @@ -54,14 +66,12 @@ src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}" - dest: "{{ kolide_fleet_ssl_key }}" src: "/tmp/{{ kolide_fleet_ssl_key | basename }}" - when: - - inventory_hostname != groups['fleet_all'][0] - name: retrieve Enrollment Token command: /usr/local/bin/fleetctl get enroll-secret changed_when: false register: _enrollment_token - delegate_to: "{{ groups['fleet_all'][0] }}" + delegate_to: "{{ groups['kolide-fleet_all'][0] }}" run_once: true - name: Set kolide fleet enrollment token fact diff --git a/osquery/inventory.example.yml b/osquery/inventory.example.yml index c99b8415..3a94a8f5 100644 --- a/osquery/inventory.example.yml +++ b/osquery/inventory.example.yml @@ -24,16 +24,12 @@ hosts: logging01: {} # This is the location where fleet(s) will live -fleet_all: - hosts: - logging01: {} +kolide-fleet_all: + children: + kolide_hosts: + hosts: + logging01: {} mariadb_all: children: - fleet_all: {} - -osquery_all: - hosts: - logging02: - ansible_host: 172.16.27.101 - ansible_user: root + kolide-fleet_all: {} diff --git a/osquery/roles/fleet/defaults/main.yml b/osquery/roles/fleet/defaults/main.yml index 53b323b0..76e49980 100644 --- a/osquery/roles/fleet/defaults/main.yml +++ b/osquery/roles/fleet/defaults/main.yml @@ -20,7 +20,7 @@ kolide_fleet_db_user: fleet #kolide_fleet_db_password: fleetSecrete kolide_fleet_port: "8443" -kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}" +kolide_fleet_address: "127.0.0.1:{{ kolide_fleet_port }}" kolide_fleet_version: "2.0.0-rc5" kolide_fleet_url: "https://github.com/kolide/fleet/releases/download" @@ -43,7 +43,6 @@ kolide_fleet_ssl_key_purge: false mariadb_bind_address: "0.0.0.0" mariadb_root_remote: 1 mariadb_root_user: root -#mariadb_root_password: fleetSecrete mariadb_databases: - name: "{{ kolide_fleet_db_name }}" @@ -52,5 +51,3 @@ mariadb_users: password: "{{ kolide_fleet_db_password }}" priv: " {{ kolide_fleet_db_name }}.*:ALL" host: "%" - -galera_root_password: "{{ mariadb_root_password }}" diff --git a/osquery/roles/fleet/tasks/createFleetDB.yml b/osquery/roles/fleet/tasks/createFleetDB.yml index a53531e1..54c5b359 100644 --- a/osquery/roles/fleet/tasks/createFleetDB.yml +++ b/osquery/roles/fleet/tasks/createFleetDB.yml @@ -16,7 +16,7 @@ - name: Create DB for service mysql_db: login_user: "{{ mariadb_root_user }}" - login_password: "{{ mariadb_root_password }}" + login_password: "{{ galera_root_password }}" login_host: "{{ mariadb_login_host | default('localhost') }}" name: "{{ kolide_fleet_db_name }}" state: "present" @@ -28,7 +28,7 @@ - name: Grant access to the DB for the service mysql_user: login_user: "{{ mariadb_root_user }}" - login_password: "{{ mariadb_root_password }}" + login_password: "{{ galera_root_password }}" login_host: "{{ mariadb_login_host | default('localhost') }}" name: "{{ kolide_fleet_db_user }}" password: "{{ kolide_fleet_db_password }}" diff --git a/osquery/roles/fleet/tasks/fleetSSLkeyCreate.yml b/osquery/roles/fleet/tasks/fleetSSLkeyCreate.yml index 37de30fa..2d5cd043 100644 --- a/osquery/roles/fleet/tasks/fleetSSLkeyCreate.yml +++ b/osquery/roles/fleet/tasks/fleetSSLkeyCreate.yml @@ -65,23 +65,23 @@ - src: "{{ kolide_fleet_ssl_key }}" dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}" when: - - (groups['fleet_all'] | length) > 1 + - (groups['kolide-fleet_all'] | length) > 1 notify: - Cleanup certifactes when: - - inventory_hostname == groups['fleet_all'][0] + - inventory_hostname == groups['kolide-fleet_all'][0] - name: Copy certifactes over copy: src: "{{ item.src }}" dest: "{{ item.dest }}" - with_items: - - dest: "{{ kolide_fleet_ssl_csr }}" - src: "/tmp/{{ kolide_fleet_ssl_csr | basename }}" - - dest: "{{ kolide_fleet_ssl_cert }}" - src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}" - - dest: "{{ kolide_fleet_ssl_key }}" - src: "/tmp/{{ kolide_fleet_ssl_key | basename }}" + with_items: + - dest: "{{ kolide_fleet_ssl_csr }}" + src: "/tmp/{{ kolide_fleet_ssl_csr | basename }}" + - dest: "{{ kolide_fleet_ssl_cert }}" + src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}" + - dest: "{{ kolide_fleet_ssl_key }}" + src: "/tmp/{{ kolide_fleet_ssl_key | basename }}" when: - - inventory_hostname != groups['fleet_all'][0] - - (groups['fleet_all'] | length) > 1 + - inventory_hostname != groups['kolide-fleet_all'][0] + - (groups['kolide-fleet_all'] | length) > 1 diff --git a/osquery/roles/fleet/vars/main.yml b/osquery/roles/fleet/vars/main.yml deleted file mode 100644 index 1f933e79..00000000 --- a/osquery/roles/fleet/vars/main.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -# Kolide Fleet vars -kolide_fleet_db_name: fleet -kolide_fleet_db_user: fleet -#kolide_fleet_db_password: fleetSecrete - -kolide_fleet_address: "127.0.0.1:{{ kolide_fleet_port }}" -kolide_fleet_version: "2.0.0-rc5" -kolide_fleet_url: "https://github.com/kolide/fleet/releases/download" - -kolide_fleet_admin_email: admin@openstack.org -#kolide_fleet_admin_password: AdminSecrete - -kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert -kolide_fleet_ssl_key: /etc/ssl/private/fleet.key - -kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}" -kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}" - -#kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}" -# MariaDB/Gallera Variables -#mariadb_root_password: fleetSecrete -mariadb_bind_address: "0.0.0.0" -mariadb_root_remote: 1 -mariadb_root_user: root -mariadb_databases: - - name: "{{ kolide_fleet_db_name }}" - -mariadb_users: - - name: "{{ kolide_fleet_db_user }}" - password: "{{ kolide_fleet_db_password }}" - priv: " {{ kolide_fleet_db_name }}.*:ALL" - host: "%" - -galera_root_password: "{{ mariadb_root_password }}" diff --git a/osquery/vars/variables.yml b/osquery/vars/variables.yml index 57381b5b..d07d9ae4 100644 --- a/osquery/vars/variables.yml +++ b/osquery/vars/variables.yml @@ -1,7 +1,5 @@ --- -mariadb_root_user: root - kolide_fleet_enable: true kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert @@ -20,7 +18,7 @@ osquery_rsyslog: false osquery_flags: - "--tls_server_certs={{ kolide_fleet_ssl_cert }}" - - "--tls_hostname={{ hostvars[groups['fleet_all'][0]]['ansible_host'] }}:443" + - "--tls_hostname={{ hostvars[groups['kolide-fleet_all'][0]]['ansible_host'] }}:443" - "--host_identifier=hostname" - "--enroll_tls_endpoint=/api/v1/osquery/enroll" - "--config_plugin=tls"