diff --git a/osquery/readme.rst b/osquery/README.rst similarity index 92% rename from osquery/readme.rst rename to osquery/README.rst index a7b17137..20c12ad4 100644 --- a/osquery/readme.rst +++ b/osquery/README.rst @@ -81,7 +81,6 @@ Update the `/etc/hosts` file *(optional)* openstack-ansible openstack-hosts-setup.yml - Create an haproxy entry for kolide-fleet service 8443 .. code-block:: bash @@ -117,14 +116,14 @@ the `bootstrap-ansible.sh` script these dependencies can be resolved with the .. code-block:: bash - ansible-galaxy install -r ansible-role-requirements.yml + ansible-galaxy install -r ansible-role-requirements.yml --roles-path=~/ansible25/repositories/roles In the even that some of the modules are alread installed execute the following .. code-block:: bash - ansible-galaxy install -r ansible-role-requirements.yml --ignore-errors + ansible-galaxy install -r ansible-role-requirements.yml --ignore-errors --roles-path=~/ansible25/repositories/roles Once the dependencies are set make sure to set the action plugin path to the @@ -139,7 +138,9 @@ Deploying | The environment Create some basic passwords keys that are needed by fleet .. code-block:: bashG - echo "kolide_fleet_jwt_key: $(openssl rand -base64 32)" > /etc/openstack_deploy/fleet_user_vars.yml + echo "kolide_fleet_db_password: $(openssl rand -base64 16)" > /etc/openstack_deploy/fleet_user_vars.yml + echo "kolide_fleet_jwt_key: $(openssl rand -base64 32)" >> /etc/openstack_deploy/fleet_user_vars.yml + echo "kolide_fleet_admin_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/fleet_user_vars.yml echo "mariadb_root_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/fleet_user_vars.yml @@ -184,6 +185,7 @@ This diagram outlines the data flow from within an Elastic-Stack deployment. :alt: Kolide & Osquery Data Flow Diagram :align: center + TODO ---- The following is a list of open items. 
diff --git a/osquery/ansible-role-requirements.yml b/osquery/ansible-role-requirements.yml index 41168eda..13bafc41 100644 --- a/osquery/ansible-role-requirements.yml +++ b/osquery/ansible-role-requirements.yml @@ -1,24 +1,16 @@ --- -#- name: systemd_service -# scm: git -# src: https://git.openstack.org/openstack/ansible-role-systemd_service -# version: master +- name: systemd_service + scm: git + src: https://git.openstack.org/openstack/ansible-role-systemd_service + version: master - name: config_template scm: git src: https://git.openstack.org/openstack/ansible-config_template version: master -- name: osquery - scm: git - src: https://github.com/kloud-pro/ansible-osquery - version: master - name: redis scm: git src: https://github.com/geerlingguy/ansible-role-redis version: master -- name: mariadb - scm: git - src: https://github.com/lechuckroh/ansible-role-mariadb - version: master - name: galera_client scm: git src: https://git.openstack.org/openstack/openstack-ansible-galera_client diff --git a/osquery/bootstrap-embedded-ansible.sh b/osquery/bootstrap-embedded-ansible.sh deleted file mode 100755 index a119de4c..00000000 --- a/osquery/bootstrap-embedded-ansible.sh +++ /dev/null 
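Review bot: The re-enabled systemd_service entry (and every other role in this file) is fetched at `version: master`, while the bootstrap-embedded-ansible.sh script this same commit deletes checked the role out at a fixed commit (`02f5ff1c0e073af53bed2141a045e608162970ea`, annotated there as HEAD of master from 20-06-18) and did the same for config_template (`a5c9d97e18683f0fdf9769d94ba174c72e2d093c`). Replacing the pinned checkouts with a moving branch makes the deployment non-reproducible and pulls in whatever is pushed upstream, unreviewed, at install time. Pin each entry to a tag or commit, e.g. `version: 02f5ff1c0e073af53bed2141a045e608162970ea` for systemd_service and `version: a5c9d97e18683f0fdf9769d94ba174c72e2d093c` for config_template; the redis and galera_client entries need an equivalent pin chosen from their upstreams. The osquery and mariadb entries are dropped here, but nothing in the hunk says where the `osquery` role the playbooks still reference now comes from.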
@@ -1,129 +0,0 @@ -#!/usr/bin/env bash -# Copyright 2018, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -export OPTS=() -export ANSIBLE_EMBED_HOME="${HOME}/ansible25" -OPTS+=('ANSIBLE_EMBED_HOME') - -source /etc/os-release -if [[ ! -e "${ANSIBLE_EMBED_HOME}/bin/ansible" ]]; then - if [ ${VERSION_ID} = "14.04" ]; then - apt-get update - apt-get -y install python-virtualenv - echo "done installing python-virtualenv" - else - apt-get update - apt-get -y install python3-virtualenv python-virtualenv - echo "done installing python-virtualenv python3-virtualenv" - fi - - if [[ -e "${HOME}/.pip" ]]; then - echo "..................moving .pip out of place to boostrap" - mv ${HOME}/.pip ${HOME}/.off-pip - fi - - if [[ -f "/usr/bin/python2" ]]; then - virtualenv --python="/usr/bin/python2" "${ANSIBLE_EMBED_HOME}" - elif [[ -f "/usr/bin/python3" ]]; then - virtualenv --python="/usr/bin/python3" "${ANSIBLE_EMBED_HOME}" - else - virtualenv "${ANSIBLE_EMBED_HOME}" - fi - - eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade --force pip" - eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade ansible==2.5.5.0 --isolated" - eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade jmespath --isolated" - echo "Ansible can be found here: ${ANSIBLE_EMBED_HOME}/bin" - - if [[ -e "${HOME}/.off-pip" ]]; then - mv ${HOME}/off-pip ${HOME}/.pip - echo "..................moving .pip back in to place" - fi -fi - -if [[ ! 
-d "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template" ]]; then - mkdir -p "${ANSIBLE_EMBED_HOME}/repositories" - git clone https://git.openstack.org/openstack/ansible-config_template "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template" - pushd "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template" - git checkout a5c9d97e18683f0fdf9769d94ba174c72e2d093c # HEAD of master from 20-06-18 - popd -fi - -if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/openstack_ansible_plugins" ]]; then - mkdir -p "${ANSIBLE_EMBED_HOME}/repositories" - git clone https://git.openstack.org/openstack/openstack-ansible-plugins "${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins" - pushd "${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins" - git checkout cef7946b3b3b3e4d02406c228741985a94b72cff # HEAD of master from 20-06-18 - popd -fi - -if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service" ]]; then - mkdir -p "${ANSIBLE_EMBED_HOME}/repositories" - git clone https://git.openstack.org/openstack/ansible-role-systemd_service "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service" - pushd "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service" - git checkout 02f5ff1c0e073af53bed2141a045e608162970ea # HEAD of master from 20-06-18 - popd -fi - -if [[ -f "/etc/openstack_deploy/openstack_inventory.json" ]]; then - if [[ ! -f "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh" ]]; then - mkdir -p "${ANSIBLE_EMBED_HOME}/inventory" - cat > "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh" <- + The root password for the galera cluster is not defined. To proceed with this + installation define the variable `mariadb_root_password` in line or within a + variable file. 
+ when: + - mariadb_root_password is undefined + roles: - role: galera_server galera_root_user: "{{ mariadb_root_user }}" galera_root_password: "{{ mariadb_root_password }}" - galera_cluster_members: "{{ groups['mariadb'] }}" + galera_cluster_members: "{{ groups['mariadb_all'] }}" galera_wsrep_node_name: "{{ inventory_hostname }}" galera_cluster_name: telemetry_galera_cluster + galera_monitoring_allowed_source: "0.0.0.0/0" environment: "{{ deployment_environment_variables | default({}) }}" diff --git a/osquery/installKolideFleet.yml b/osquery/installKolideFleet.yml index 317abe29..c8d19198 100644 --- a/osquery/installKolideFleet.yml +++ b/osquery/installKolideFleet.yml @@ -1,6 +1,6 @@ --- - name: Install Kolide Fleet - hosts: "fleet" + hosts: "fleet_all" become: true vars_files: @@ -10,5 +10,33 @@ gather_facts: "{{ osa_gather_facts | default(True) }}" + pre_tasks: + - name: Test for kolide db password + fail: + msg: >- + The DB password for the Kolide / Fleet cluster is not defined. To proceed with this + installation define the variable `kolide_fleet_db_password` in line or within a + variable file. + when: + - kolide_fleet_db_password is undefined + + - name: Test for kolide shared key + fail: + msg: >- + The shared token for the Kolide / Fleet cluster is not defined. To proceed with this + installation define the variable `kolide_fleet_jwt_key` in line or within a + variable file. + when: + - kolide_fleet_jwt_key is undefined + + - name: Test for kolide admin password + fail: + msg: >- + The admin password for the Kolide / Fleet cluster is not defined. To proceed with this + installation define the variable `kolide_fleet_admin_password` in line or within a + variable file. + when: + - kolide_fleet_admin_password is undefined + roles: - role: fleet diff --git a/osquery/installOSquery.yml b/osquery/installOSquery.yml index 6960477c..b8ec3547 100644 --- a/osquery/installOSquery.yml +++ b/osquery/installOSquery.yml 
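Review bot: The three new guards in installKolideFleet.yml only test `is undefined`, so an empty value — which the README's `echo "kolide_fleet_db_password: $(openssl rand -base64 16)"` lines produce silently if `openssl` fails — passes the check and reaches the role as an empty DB password, JWT key or admin password. Tighten each condition to also reject empty strings, e.g. `- kolide_fleet_db_password is undefined or (kolide_fleet_db_password | length) == 0`, and likewise for `kolide_fleet_jwt_key` and `kolide_fleet_admin_password`. The three tasks are otherwise identical; a single `assert` with a three-entry `that:` list and one `msg` would express the same in a third of the lines.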
@@ -14,7 +14,7 @@ # limitations under the License. - name: Install osquery - hosts: "osquery" + hosts: "fleet_all:osquery:hosts" become: true vars_files: - vars/variables.yml 
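Review bot: The new host pattern `fleet_all:osquery:hosts` targets a group named `osquery`, but the example inventory in this same commit renames that group to `osquery_all` (inventory.example.yml hunk @@ -21,15 +21,19), so with the shipped inventory the dedicated agent host `logging02` is never in the play and only the fleet and physical hosts get osquery installed. Change it to `hosts: "fleet_all:osquery_all:hosts"`, or drop `hosts` from the pattern if installing the agent on every physical host is not intended; which of the two was meant is not stated in the commit.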
@@ -26,40 +26,63 @@ pre_tasks: - name: create osquery dir file: - path: /etc/osquery/ssl + path: "{{ item }}" state: directory + with_items: + - /etc/osquery + - /etc/osquery/ssl - - name: Debug fleet_config - debug: - var: hostvars[groups['fleet'][0]]['ansible_host'] - verbosity: 2 + - name: Synchronize certifactes back + synchronize: + mode: pull + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - src: "{{ kolide_fleet_ssl_cert }}" + dest: "/tmp/{{ kolide_fleet_ssl_cert | basename }}" + - src: "{{ kolide_fleet_ssl_key }}" + dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}" + when: + - inventory_hostname == groups['fleet_all'][0] - - name: Store ssl cert - slurp: - src: "{{ kolide_fleet_ssl_cert }}" - register: _kolide_fleet_ssl_cert - - - name: Store ssl key - slurp: - src: "{{ kolide_fleet_ssl_key }}" - register: _kolide_fleet_ssl_key - - - name: Register a fact for the cert and key - set_fact: - kolide_fleet_ssl_cert_fact: "{{ _kolide_fleet_ssl_cert.content }}" - kolide_fleet_ssl_key_fact: "{{ _kolide_fleet_ssl_key.content }}" - - - name: Distribute self signed ssl cert + - name: Copy certifactes over copy: - dest: "{{ kolide_fleet_ssl_cert }}" - content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_cert_fact'] | b64decode }}" - mode: "0640" + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - dest: "{{ kolide_fleet_ssl_cert }}" + src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}" + - dest: "{{ kolide_fleet_ssl_key }}" + src: "/tmp/{{ kolide_fleet_ssl_key | basename }}" + when: + - inventory_hostname != groups['fleet_all'][0] + + - name: retrieve Enrollment Token + command: /usr/local/bin/fleetctl get enroll-secret + changed_when: false + register: _enrollment_token + delegate_to: "{{ groups['fleet_all'][0] }}" + run_once: true + + - name: Set kolide fleet enrollment token fact + set_fact: + kolide_fleet_enroll_secret: "{{ _enrollment_token.stdout }}" - name: write enroll secret copy: - dest: "{{ osquery_enroll_secret_dir 
}}" - content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_enroll_secret'] }}" + dest: "{{ osquery_enroll_secret_file }}" + content: "{{ kolide_fleet_enroll_secret }}" mode: "0640" + post_tasks: + - name: Cleanup certifactes + file: + dest: "{{ item }}" + state: "absent" + delegate_to: localhost + with_items: + - "/tmp/{{ kolide_fleet_ssl_cert | basename }}" + - "/tmp/{{ kolide_fleet_ssl_key | basename }}" + roles: - role: "osquery" diff --git a/osquery/inventory.example.yml b/osquery/inventory.example.yml index 814a17cd..c99b8415 100644 --- a/osquery/inventory.example.yml +++ b/osquery/inventory.example.yml @@ -21,15 +21,19 @@ all: # host machines here. hosts: hosts: - logging01: + logging01: {} # This is the location where fleet(s) will live -mariadb: +fleet_all: hosts: - logging01: -fleet: + logging01: {} + +mariadb_all: + children: + fleet_all: {} + +osquery_all: hosts: - logging01: -osquery: - hosts: - logging01: + logging02: + ansible_host: 172.16.27.101 + ansible_user: root diff --git a/osquery/inventory.yaml b/osquery/inventory.yaml deleted file mode 100644 index 9d1c17f4..00000000 --- a/osquery/inventory.yaml +++ /dev/null @@ -1,35 +0,0 @@ ---- - -################################## ALL HOSTS ################################## -all: - hosts: - # Local host - localhost: - ansible_connection: local - -################################## REQUIRED ################################### - logging01: - ansible_host: 104.130.207.70 - ansible_user: root - - vars: {} - - -################################### GROUPS #################################### - -# The hosts group is used to target physical host machines. Enter all physical -# host machines here. -hosts: - hosts: - logging01: - -# This is the location where fleet(s) will live -mariadb: - hosts: - logging01: -fleet: - hosts: - logging01: -osquery: - hosts: - logging01: diff --git a/osquery/registerSSLcerts.yml b/osquery/registerSSLcerts.yml deleted file mode 100644 index 61f0c409..00000000 
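Review bot: The synchronize/copy pair in installOSquery.yml stages the Fleet server's TLS private key (`kolide_fleet_ssl_key`) into `/tmp/` on the controller and then copies it onto every other host in the play, including every osquery agent host, with no explicit `mode:`, so a server private key ends up on machines that only need the certificate to verify the server (unless the osquery role consumes the key, which is not visible here) with whatever permissions synchronize and the remote umask happen to produce. Drop the key entries from both `with_items` lists and give the certificate copy `mode: "0644"`; if the key really is needed on agents, stage it with `mode: "0600"` instead. The `retrieve Enrollment Token` task registers the enroll secret without `no_log: true`, so the secret is echoed with the task result under `-v`; the identical task in fleetGetEnrollmentToken.yml (hunk @@ -15,6 +15,7) has the same gap. The post_tasks cleanup is delegated to localhost but runs once per host in the play; `run_once: true` makes it a single removal.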
--- a/osquery/registerSSLcerts.yml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -# Copyright 2018, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Install Kolide Fleet - hosts: "fleet" - become: true - - vars_files: - - vars/variables.yml - - environment: "{{ deployment_environment_variables | default({}) }}" - - gather_facts: "{{ osa_gather_facts | default(True) }}" - - pre_tasks: - - name: Store ssl cert - slurp: - src: "{{ kolide_fleet_ssl_cert }}" - register: _kolide_fleet_ssl_cert - - - name: Store ssl ca cert - slurp: - src: "{{ kolide_fleet_ssl_ca_cert }}" - register: _kolide_fleet_ssl_ca_cert - when: kolide_fleet_user_ssl_ca_cert is defined - - - name: Register a fact for the cert and key - set_fact: - kolide_fleet_ssl_cert_fact: "{{ _kolide_fleet_ssl_cert.content }}" - - - name: Register a fact for the cert and key - set_fact: - kolide_fleet_ssl_ca_cert_fact: "{{ _kolide_fleet_ssl_ca_cert.content }}" - when: kolide_fleet_user_ssl_ca_cert is defined - - - name: Distribute self signed ssl cert - copy: - dest: "{{ kolide_fleet_ssl_cert }}" - content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_cert_fact'] | b64decode }}" - mode: "0640" - - - name: Distribute self signed CA ssl cert - copy: - dest: "{{ kolide_fleet_ca_ssl_cert }}" - content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_ca_cert_fact'] | b64decode }}" - mode: "0640" - when: kolide_fleet_user_ssl_ca_cert is defined - - - name: retrieve Enrollment Token - command: /usr/local/bin/fleetctl get enroll-secret - 
register: _enrollment_token - - - name: Set kolide fleet enrollment token fact - set_fact: - kolide_fleet_enroll_secret: "{{ _enrollment_token.stdout }}" - - - name: write enroll secret - copy: - dest: "{{ osquery_enroll_secret_dir }}" - content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_enroll_secret'] }}" - mode: "0640" diff --git a/osquery/roles/fleet/defaults/main.yml b/osquery/roles/fleet/defaults/main.yml index 258562bf..53b323b0 100644 --- a/osquery/roles/fleet/defaults/main.yml +++ b/osquery/roles/fleet/defaults/main.yml @@ -1,10 +1,25 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + # Kolide Fleet vars kolide_fleet_db_name: fleet kolide_fleet_db_user: fleet #kolide_fleet_db_password: fleetSecrete -kolide_fleet_port: "443" +kolide_fleet_port: "8443" kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}" kolide_fleet_version: "2.0.0-rc5" kolide_fleet_url: "https://github.com/kolide/fleet/releases/download" 
@@ -14,13 +29,13 @@ kolide_fleet_admin_email: admin@openstack.org kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert kolide_fleet_ssl_key: /etc/ssl/private/fleet.key -kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem -kolide_fleet_ssl_ca_cert: /etc/ssl/certs/fleet-ca.pem -kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost" +kolide_fleet_ssl_csr: /etc/ssl/private/fleet.csr kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}" kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}" +kolide_fleet_ssl_key_purge: false + #kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}" diff --git a/osquery/roles/fleet/handlers/main.yml b/osquery/roles/fleet/handlers/main.yml new file mode 100644 index 00000000..4619591f --- /dev/null +++ b/osquery/roles/fleet/handlers/main.yml 
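Review bot: `kolide_fleet_ssl_pem` and `kolide_fleet_ssl_ca_cert` are removed from the role defaults here, but fleetSSLkeyCreate.yml (hunk @@ -17,21 +17,71) still lists both in the purge task's `with_items`, and loop items are templated before the task's `when:` is evaluated, so the play now fails on an undefined variable whenever that file is included, not only when `kolide_fleet_ssl_key_purge` is true. Either keep the two defaults (they are paths, so `kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem` and `kolide_fleet_ssl_ca_cert: /etc/ssl/certs/fleet-ca.pem` as before) or drop those two items from the purge list. Removing `kolide_fleet_ssl_self_signed_subject` is consistent with the move to `openssl_csr`, and the `kolide_fleet_ssl_key_purge: false` default is the safe one.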
@@ -0,0 +1,47 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: Enable and restart kolide socket (systemd) + systemd: + name: "kolide-fleet-proxy.socket" + enabled: true + state: started + listen: Restart kolide (systemd) + +- name: Enable and restart kolide (systemd) + systemd: + name: "kolide-fleet.service" + enabled: true + state: restarted + notify: + - Enable and restart kolide proxy (systemd) + listen: Restart kolide (systemd) + +- name: Enable and restart kolide proxy (systemd) + systemd: + name: "kolide-fleet-proxy.service" + enabled: true + state: restarted + listen: Restart kolide (systemd) + +- name: Cleanup certifactes + file: + dest: "{{ item }}" + state: "absent" + delegate_to: localhost + with_items: + - "/tmp/{{ kolide_fleet_ssl_cert | basename }}" + - "/tmp/{{ kolide_fleet_ssl_key | basename }}" + - "/tmp/{{ kolide_fleet_ssl_csr | basename }}" diff --git a/osquery/roles/fleet/tasks/createFleetDB.yml b/osquery/roles/fleet/tasks/createFleetDB.yml index fcb7d94e..a53531e1 100644 --- a/osquery/roles/fleet/tasks/createFleetDB.yml +++ b/osquery/roles/fleet/tasks/createFleetDB.yml @@ -20,7 +20,7 @@ login_host: "{{ mariadb_login_host | default('localhost') }}" name: "{{ kolide_fleet_db_name }}" state: "present" - delegate_to: "{{ groups['mariadb'][0] }}" + delegate_to: "{{ groups['mariadb_all'][0] }}" no_log: False tags: - fleet_db_install 
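Review bot: None of the three systemd handlers in the new handlers/main.yml sets `daemon_reload: true`, yet they are what fleetService.yml (hunk @@ -27,5 +27,21) notifies after writing new unit files to /etc/systemd/system, so a changed `kolide-fleet-proxy.socket` or `.service` is started or restarted against the unit definition systemd already has loaded. Add `daemon_reload: true` to the first handler on the listen chain (`Enable and restart kolide socket (systemd)`), which runs before the other two. That handler also uses `state: started`, so an edited socket unit is never actually re-read; `state: restarted` matches the other two handlers. The `notify:` inside `Enable and restart kolide (systemd)` is redundant, because the proxy handler already listens on the same `Restart kolide (systemd)` topic and handlers run at most once per play regardless.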
@@ -36,7 +36,7 @@ state: "present" priv: "{{ kolide_fleet_db_name }}.*:ALL" append_privs: "{{ kolide_fleet_db_append_privs | default(omit) }}" - delegate_to: "{{ groups['mariadb'][0] }}" + delegate_to: "{{ groups['mariadb_all'][0] }}" with_items: "{{ grant_list | default(['localhost', '%']) }}" no_log: False tags: diff --git a/osquery/roles/fleet/tasks/fleetConfig.yml b/osquery/roles/fleet/tasks/fleetConfig.yml index 76b71191..e3704a3a 100644 --- a/osquery/roles/fleet/tasks/fleetConfig.yml +++ b/osquery/roles/fleet/tasks/fleetConfig.yml @@ -22,5 +22,7 @@ template: src: templates/fleet_config.yml.j2 dest: /etc/fleet/fleet_config.yml + notify: + - Restart kolide (systemd) tags: - fleet_config diff --git a/osquery/roles/fleet/tasks/fleetGetEnrollmentToken.yml b/osquery/roles/fleet/tasks/fleetGetEnrollmentToken.yml index 03efb6c8..89f9dabd 100644 --- a/osquery/roles/fleet/tasks/fleetGetEnrollmentToken.yml +++ b/osquery/roles/fleet/tasks/fleetGetEnrollmentToken.yml @@ -15,6 +15,7 @@ - name: retrieve Enrollment Token command: /usr/local/bin/fleetctl get enroll-secret + changed_when: false register: _enrollment_token - name: Set kolide fleet enrollment token fact diff --git a/osquery/roles/fleet/tasks/fleetMigrateDB.yml b/osquery/roles/fleet/tasks/fleetMigrateDB.yml index b669a15f..447d32c3 100644 --- a/osquery/roles/fleet/tasks/fleetMigrateDB.yml +++ b/osquery/roles/fleet/tasks/fleetMigrateDB.yml @@ -16,3 +16,5 @@ - name: Migrate the fleet database command: /usr/local/bin/fleet prepare db --config=/etc/fleet/fleet_config.yml --no-prompt + changed_when: false + run_once: true diff --git a/osquery/roles/fleet/tasks/fleetRegisterAdmin.yml b/osquery/roles/fleet/tasks/fleetRegisterAdmin.yml index b8a22181..3d72d219 100644 --- a/osquery/roles/fleet/tasks/fleetRegisterAdmin.yml +++ b/osquery/roles/fleet/tasks/fleetRegisterAdmin.yml 
@@ -19,14 +19,19 @@ register: fleet_config_set - name: set fleetctl default context - command: fleetctl config set --address https://localhost:{{ kolide_fleet_port }} --tls-skip-verify - when: fleet_config_set.stat.exists == false + command: /usr/local/bin/fleetctl config set --address https://localhost:{{ kolide_fleet_port }} --tls-skip-verify + changed_when: false + when: + - fleet_config_set.stat.exists == false - name: register admin account command: /usr/local/bin/fleetctl setup --email {{ kolide_fleet_admin_email }} --password {{ kolide_fleet_admin_password }} + changed_when: false register: fleet_register_admin ignore_errors: true # ignore errors as we might have already set this it will be caought later - name: login admin account command: /usr/local/bin/fleetctl login --email {{ kolide_fleet_admin_email }} --password {{ kolide_fleet_admin_password }} - when: fleet_register_admin['stderr'] == "Kolide Fleet has already been setup" + changed_when: false + when: + - fleet_register_admin['stderr'] == "Kolide Fleet has already been setup" diff --git a/osquery/roles/fleet/tasks/fleetRequirements.yml b/osquery/roles/fleet/tasks/fleetRequirements.yml index dcce00cc..4e7a3ae8 100644 --- a/osquery/roles/fleet/tasks/fleetRequirements.yml +++ b/osquery/roles/fleet/tasks/fleetRequirements.yml @@ -17,16 +17,12 @@ include_role: name: redis private: true + - name: create fleet dir file: path: /etc/fleet/ssl state: directory -- name: Debug fleet_config - debug: - var: hostvars[groups['mariadb'][0]]['ansible_host'] - verbosity: 2 - - name: Drop fleet conf file template: src: templates/fleet_config.yml.j2 diff --git a/osquery/roles/fleet/tasks/fleetSSL.yml b/osquery/roles/fleet/tasks/fleetSSL.yml index 42a1c43e..dfd0ee73 100644 --- a/osquery/roles/fleet/tasks/fleetSSL.yml +++ b/osquery/roles/fleet/tasks/fleetSSL.yml 
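Review bot: `fleetctl setup` and `fleetctl login` receive `kolide_fleet_admin_password` on the command line and neither task has `no_log: true`, so the password is visible in the process list while the command runs and is recorded in the task result (the registered `fleet_register_admin` carries the full `cmd`) and in any callback or log output. Add `no_log: true` to both tasks; the `stderr` comparison in the following `when:` still works, since `no_log` only suppresses display. The new `when: - fleet_register_admin['stderr'] == "Kolide Fleet has already been setup"` is an exact match on an upstream message, so any change of wording or punctuation silently skips the login; `'already been setup' in fleet_register_admin.stderr` is more tolerant.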
@@ -20,7 +20,7 @@ tags: - fleet-ssl -- include_tasks: fleetSSLselfSigned.yml +- include_tasks: fleetSSLkeyCreate.yml when: - kolide_fleet_user_ssl_cert is not defined or kolide_fleet_user_ssl_key is not defined diff --git a/osquery/roles/fleet/tasks/fleetSSLdistribute.yml b/osquery/roles/fleet/tasks/fleetSSLdistribute.yml deleted file mode 100644 index ce5ae8bc..00000000 --- a/osquery/roles/fleet/tasks/fleetSSLdistribute.yml +++ /dev/null @@ -1,30 +0,0 @@ ---- -# Copyright 2014, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Distribute self signed ssl key - copy: - dest: "{{ kolide_fleet_ssl_key }}" - content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_key_fact'] | b64decode }}" - mode: "0640" - tags: - - fleet-ssl - -- name: Distribute self signed ssl cert - copy: - dest: "{{ kolide_fleet_ssl_cert }}" - content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_cert_fact'] | b64decode }}" - mode: "0640" - tags: - - fleet-ssl diff --git a/osquery/roles/fleet/tasks/fleetSSLkeyCreate.yml b/osquery/roles/fleet/tasks/fleetSSLkeyCreate.yml index 302e37b6..37de30fa 100644 --- a/osquery/roles/fleet/tasks/fleetSSLkeyCreate.yml +++ b/osquery/roles/fleet/tasks/fleetSSLkeyCreate.yml 
@@ -17,21 +17,71 @@ file: dest: "{{ item }}" state: "absent" + when: + - kolide_fleet_ssl_key_purge | bool with_items: - - "{{ kolide_fleet_ssl_pem }}" - - "{{ kolide_fleet_ssl_key }}" - "{{ kolide_fleet_ssl_cert }}" - tags: - - fleet-ssl + - "{{ kolide_fleet_ssl_key }}" + - "{{ kolide_fleet_ssl_pem }}" + - "{{ kolide_fleet_ssl_ca_cert }}" -- name: Create self-signed ssl cert - command: > - openssl req -new -nodes -sha256 -x509 -subj - "{{ kolide_fleet_ssl_self_signed_subject }}" - -days 3650 - -keyout {{ kolide_fleet_ssl_key }} - -out {{ kolide_fleet_ssl_cert }} - -extensions v3_ca - creates={{ kolide_fleet_ssl_cert }} - tags: - - kolide_fleet-ssl +- name: SSL Block + block: + - name: Generate service private key + openssl_privatekey: + path: "{{ kolide_fleet_ssl_key }}" + size: 4096 + + - name: Generate self signed CSR + openssl_csr: + path: "{{ kolide_fleet_ssl_csr }}" + privatekey_path: "{{ kolide_fleet_ssl_key }}" + common_name: "{{ ansible_domain }}" + country_name: XX + locality_name: Kolide-Server + organization_name: OpenStack + organizational_unit_name: OpenStack-Ansible-OPS + + - name: Generate a Self Signed OpenSSL certificate + openssl_certificate: + path: "{{ kolide_fleet_ssl_cert }}" + privatekey_path: "{{ kolide_fleet_ssl_key }}" + csr_path: "{{ kolide_fleet_ssl_csr }}" + provider: selfsigned + force: "{{ kolide_fleet_ssl_key_purge | bool }}" + issuer: + O: OpenStack-Ansible-OPS + + - name: Synchronize certifactes back + synchronize: + mode: pull + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - src: "{{ kolide_fleet_ssl_csr }}" + dest: "/tmp/{{ kolide_fleet_ssl_csr | basename }}" + - src: "{{ kolide_fleet_ssl_cert }}" + dest: "/tmp/{{ kolide_fleet_ssl_cert | basename }}" + - src: "{{ kolide_fleet_ssl_key }}" + dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}" + when: + - (groups['fleet_all'] | length) > 1 + notify: + - Cleanup certifactes + when: + - inventory_hostname == groups['fleet_all'][0] + +- name: Copy certifactes over + 
copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - dest: "{{ kolide_fleet_ssl_csr }}" + src: "/tmp/{{ kolide_fleet_ssl_csr | basename }}" + - dest: "{{ kolide_fleet_ssl_cert }}" + src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}" + - dest: "{{ kolide_fleet_ssl_key }}" + src: "/tmp/{{ kolide_fleet_ssl_key | basename }}" + when: + - inventory_hostname != groups['fleet_all'][0] + - (groups['fleet_all'] | length) > 1 diff --git a/osquery/roles/fleet/tasks/fleetSSLstore.yml b/osquery/roles/fleet/tasks/fleetSSLstore.yml deleted file mode 100644 index 0dde5771..00000000 --- a/osquery/roles/fleet/tasks/fleetSSLstore.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- -# Copyright 2018, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Store ssl cert - slurp: - src: "{{ kolide_fleet_ssl_cert }}" - register: _kolide_fleet_ssl_cert - -- name: Store ssl key - slurp: - src: "{{ kolide_fleet_ssl_key }}" - register: _kolide_fleet_ssl_key - -- name: Register a fact for the cert and key - set_fact: - kolide_fleet_ssl_cert_fact: "{{ _kolide_fleet_ssl_cert.content }}" - kolide_fleet_ssl_key_fact: "{{ _kolide_fleet_ssl_key.content }}" diff --git a/osquery/roles/fleet/tasks/fleetServerInstall.yml b/osquery/roles/fleet/tasks/fleetServerInstall.yml index c61cedc2..7ec25d4c 100644 --- a/osquery/roles/fleet/tasks/fleetServerInstall.yml +++ b/osquery/roles/fleet/tasks/fleetServerInstall.yml 
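Review bot: The `Copy certifactes over` task writes the private key onto the secondary fleet hosts with no `mode:` or `owner:`, so the key's permissions there depend on what `synchronize` preserved from the first host and on the remote umask rather than being set explicitly, and the CSR and certificate in the same loop share that default. Put a per-item mode in the loop, e.g. `mode: "{{ item.mode }}"` on the task with `mode: "0600"` on the key entry and `mode: "0644"` on the cert and CSR entries. The staged copies land in `/tmp/` on the controller under bare basenames, so two deployments run from the same controller overwrite each other's key material; a run-specific directory (a `tempfile` result, for example) avoids that. The CSR sets only `common_name: "{{ ansible_domain }}"` with no `subject_alt_name`, which is enough for the `--tls-skip-verify` use in fleetRegisterAdmin.yml but not for any client that validates the server name — confirm whether agents are expected to verify.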
@@ -13,29 +13,41 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Install prerequisites - apt: name={{ item }} update_cache=yes - with_items: - - unzip - - ca-certificates - - apt-transport-https - - software-properties-common - - curl -- name: Run the systemd service role - include_role: - name: redis - private: true +- name: Ensure required disto packages are installed + package: + name: "{{ kolide_fleet_distro_packages }}" + state: "present" + update_cache: "{{ (ansible_pkg_mgr == 'apt') | ternary('yes', omit) }}" + register: _package_task + until: _package_task is success + retries: 3 + delay: 2 + tags: + - package_install -- name: create fleet dir +- name: Create fleet dir file: path: '/tmp/fleet_{{ kolide_fleet_version }}' state: directory +- name: GET fleet + get_url: + url: "{{ kolide_fleet_url }}/{{ kolide_fleet_version }}/fleet_{{ kolide_fleet_version }}.zip" + dest: "/var/cache/fleet_{{ kolide_fleet_version }}.zip" + register: _get_task + until: _get_task is success + retries: 3 + delay: 2 + tags: + - package_install + - name: Unarchive Fleet binaries unarchive: - src: '{{ kolide_fleet_url }}/{{ kolide_fleet_version }}/fleet_{{ kolide_fleet_version }}.zip' - dest: '/tmp/fleet_{{ kolide_fleet_version}}/' + src: '/var/cache/fleet_{{ kolide_fleet_version }}.zip' + dest: '/tmp/fleet_{{ kolide_fleet_version }}/' remote_src: yes + notify: + - Restart kolide (systemd) - name: Copy unarchived binaries copy: diff --git a/osquery/roles/fleet/tasks/fleetService.yml b/osquery/roles/fleet/tasks/fleetService.yml index ea143369..2eba403c 100644 --- a/osquery/roles/fleet/tasks/fleetService.yml +++ b/osquery/roles/fleet/tasks/fleetService.yml 
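Review bot: The new `GET fleet` task downloads the release zip from GitHub with no `checksum:`, and the binaries are then unpacked and installed as a root-run service, so nothing verifies the integrity of the artifact before it is executed. Pin the expected digest, e.g. `checksum: "sha256:{{ kolide_fleet_zip_sha256 }}"` with a new `kolide_fleet_zip_sha256` default placed next to `kolide_fleet_version` (the value for 2.0.0-rc5 is not on this page and must be taken from the upstream release). `kolide_fleet_distro_packages` is referenced here but is not defined in the defaults hunk of this commit; it may live in vars/, which is not shown, so confirm it exists on every supported distro. The `update_cache` ternary and the `until/retries` pattern are consistent with the rest of the repository's package tasks.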
@@ -27,5 +27,21 @@ Unit: Wants: network-online.target Requires: redis-server.service + Service: + Slice: kolide-fleet.slice tags: - server-install + +- name: Place the kolide-fleet socket + template: + src: 'kolide-fleet-proxy.socket.j2' + dest: '/etc/systemd/system/kolide-fleet-proxy.socket' + notify: + - Restart kolide (systemd) + +- name: Place the kolide-fleet proxy + template: + src: 'kolide-fleet-proxy.service.j2' + dest: '/etc/systemd/system/kolide-fleet-proxy.service' + notify: + - Restart kolide (systemd) diff --git a/osquery/roles/fleet/tasks/fleetStartService.yml b/osquery/roles/fleet/tasks/fleetStartService.yml deleted file mode 100644 index 133f1fb3..00000000 --- a/osquery/roles/fleet/tasks/fleetStartService.yml +++ /dev/null @@ -1,45 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - - -- name: Start redis fleet kolide service - initd - service: - name: redis - enabled: yes - state: restarted - when: - - ansible_service_mgr == "init" - tags: - - config -- name: Start fleet kolide service - initd - service: - name: redis - enabled: yes - state: restarted - when: - - ansible_service_mgr == "init" - tags: - - config - -- name: Enable and restart kolide - systemd - systemd: - name: "kolide-fleet" - enabled: true - state: restarted - when: - - ansible_service_mgr == "systemd" - tags: - - config diff --git a/osquery/roles/fleet/tasks/main.yml b/osquery/roles/fleet/tasks/main.yml index 3407f628..bc0cdeeb 100644 
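Review bot: Nothing in the hunk enables or starts the new `kolide-fleet-proxy.socket` unit or triggers a daemon-reload after the two template tasks write it and its service; both only notify `Restart kolide (systemd)`, whose handler is outside this hunk. If that handler restarts only `kolide-fleet`, the socket file is placed but never listening. A follow-up `systemd:` task with `name: kolide-fleet-proxy.socket`, `enabled: true`, `state: started`, `daemon_reload: true` (or an equivalent handler) closes that gap. The two `template:` tasks also set no `owner`/`group`/`mode`; unit files under `/etc/systemd/system` are conventionally written with `mode: "0644"` so the result does not depend on the controller's umask.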
--- a/osquery/roles/fleet/tasks/main.yml +++ b/osquery/roles/fleet/tasks/main.yml 
@@ -1,30 +1,53 @@ --- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: Gather variables for each operating system + include_vars: "{{ item }}" + with_first_found: + - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml" + - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml" + - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml" + - "{{ ansible_distribution | lower }}.yml" + - "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml" + - "{{ ansible_os_family | lower }}.yml" + tags: + - always + +# install kolide fleet server +- include_tasks: fleetServerInstall.yml + +# install software requirements +- include_tasks: fleetRequirements.yml + # install SSL certs - include_tasks: createFleetDB.yml # install SSL certs - include_tasks: fleetSSL.yml -# install software requirements -- include_tasks: fleetRequirements.yml - -# install kolide fleet server -- include_tasks: fleetServerInstall.yml - # drop the configuration - include_tasks: fleetConfig.yml # add files for systemd - include_tasks: fleetService.yml - when: - - ansible_service_mgr == "systemd" # migrate the database - include_tasks: fleetMigrateDB.yml - run_once: true -# start fleet via systemd -- include_tasks: fleetStartService.yml +- name: Force kolide handlers + meta: flush_handlers # configure kolide fleet & set admin account - 
include_tasks: fleetRegisterAdmin.yml diff --git a/osquery/roles/fleet/templates/fleet_config.yml.j2 b/osquery/roles/fleet/templates/fleet_config.yml.j2 index d39100dc..5ca2b27f 100644 --- a/osquery/roles/fleet/templates/fleet_config.yml.j2 +++ b/osquery/roles/fleet/templates/fleet_config.yml.j2 @@ -1,10 +1,12 @@ +--- + mysql: - address: {{ hostvars[groups['mariadb'][0]]['ansible_host'] }}:3306 + address: 127.0.0.1:3306 database: {{ kolide_fleet_db_name }} username: {{ kolide_fleet_db_user }} password: {{ kolide_fleet_db_password }} redis: - address: localhost:6379 + address: 127.0.0.1:6379 auth: jwt_key: {{ kolide_fleet_jwt_key }} server: diff --git a/osquery/roles/fleet/templates/fleet_initd.yml.j2 b/osquery/roles/fleet/templates/fleet_initd.yml.j2 deleted file mode 100644 index 562824f2..00000000 --- a/osquery/roles/fleet/templates/fleet_initd.yml.j2 +++ /dev/null 
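Review bot: The comment above `- include_tasks: createFleetDB.yml` reads `# install SSL certs`, a duplicate of the comment on the following include; it should read `# create the fleet database`. Separately, `run_once: true` was dropped from the `fleetMigrateDB.yml` include; the copy task earlier in this diff is conditioned on `(groups['fleet_all'] | length) > 1`, so the role evidently expects multi-host groups, and the migration now runs on every host at once, which is only safe if the migration task itself serialises — worth confirming. The `when: ansible_service_mgr == "systemd"` guard on `fleetService.yml` is also gone, so the include now runs unconditionally on non-systemd hosts.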
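Review bot: `password: {{ kolide_fleet_db_password }}` and `jwt_key: {{ kolide_fleet_jwt_key }}` are rendered as plain YAML scalars, so a generated secret that happens to be all digits, or that begins with a YAML indicator, is re-typed or breaks the parse when fleet loads this file; render them quoted, `password: "{{ kolide_fleet_db_password }}"` and `jwt_key: "{{ kolide_fleet_jwt_key }}"`. The README in this diff generates both values with `openssl rand -base64`, which can produce such strings. Since both secrets land in the rendered config, the `fleetConfig.yml` task that writes it (not in this diff) should set a restrictive `mode`, e.g. `"0600"`, and an owner matching the service user.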
@@ -1,70 +0,0 @@ -#!/usr/bin/env bash - -############### -# SysV Init Information -# description: docker daemon. -### BEGIN INIT INFO -# Provides: me -# Required-Start: -# Required-Stop: -# Default-Start: 2 3 5 -# Default-Stop: 0 1 6 -# Short-Description: manage docker daemon -# Description: docker daemon -### END INIT INFO - - -HOME=path/to/code -EXEC=docker -NAME="fleet_service" - -LABEL={{ kolide_fleet_version }} -PORT=8412 - -case "$1" in - start) - RUNNING=`docker inspect -f '{{.State.Running}}' ${NAME}` - - if [[ ${RUNNING} == "true" ]]; then - # - # No need to start it - # - echo "Process is running" - exit 1; - if - echo "Starting container: '$NAME'..." - docker run --restart=always -v /etc/fleet:/etc/fleet --name=fleet_service kolide/fleet:{{ kolide_fleet_version }} -p 8412:8412 --config=/etc/fleet/fleet_config.yml - ;; - stop) - echo "Stopping $NAME..." - - docker stop -t 2 ${NAME} &> /dev/null - - if [[ 0 != $? ]]; then - echo "Could not stop container" - exit 4; - fi - ;; - status) - RUNNING=`docker inspect -f '{{.State.Running}}' ${NAME}` - - if [[ "true" == ${RUNNING} ]]; then - echo "$NAME is running" - else - echo "$NAME is not running" - fi - ;; - inspect) - docker inspect ${NAME} - ;; - logs) - docker logs ${NAME} - ;; - restart) - $0 stop - $0 start - ;; - *) - echo "Please use start, stop, restart, inspect or status as first argument" - ;; -esac diff --git a/osquery/roles/fleet/templates/fleet_service.yml.j2 b/osquery/roles/fleet/templates/fleet_service.yml.j2 deleted file mode 100644 index 1c94f6c9..00000000 --- a/osquery/roles/fleet/templates/fleet_service.yml.j2 +++ /dev/null 
@@ -1,17 +0,0 @@ -[Unit] -Requires=redis.service -After=redis.service - -[Service] -TimeoutStartSec=0 -ExecStartPre=-/usr/bin/docker pull kolide/fleet:{{ kolide_fleet_version }} -ExecStartPre=-/usr/bin/docker kill fleet_service -ExecStartPre=-/usr/bin/docker rm fleet_service -ExecStart=/usr/bin/docker run -v /etc/fleet:/etc/fleet --name fleet_service kolide/fleet:{{ kolide_fleet_version }} --config=/etc/fleet/fleet_config.yml - -ExecStop=-/usr/bin/docker stop fleet_fleet - -ExecReload=/usr/bin/docker restart fleet_service - -[Install] -WantedBy=multi-user.target diff --git a/osquery/roles/fleet/templates/kolide-fleet-proxy.service.j2 b/osquery/roles/fleet/templates/kolide-fleet-proxy.service.j2 new file mode 100644 index 00000000..7c5eab05 --- /dev/null +++ b/osquery/roles/fleet/templates/kolide-fleet-proxy.service.j2 @@ -0,0 +1,8 @@ +[Unit] +Description=Remote Switch redirect + +[Service] +After = kolide-fleet-proxy.socket +Requires = kolide-fleet-proxy.socket +partof = kolide-fleet.service +ExecStart=/lib/systemd/systemd-socket-proxyd 127.0.0.1:{{ kolide_fleet_port }} diff --git a/osquery/roles/fleet/templates/kolide-fleet-proxy.socket.j2 b/osquery/roles/fleet/templates/kolide-fleet-proxy.socket.j2 new file mode 100644 index 00000000..16163937 --- /dev/null +++ b/osquery/roles/fleet/templates/kolide-fleet-proxy.socket.j2 @@ -0,0 +1,6 @@ +[Socket] +ListenStream=0.0.0.0:443 +Transparent=yes + +[Install] +WantedBy=sockets.target diff --git a/osquery/roles/fleet/templates/redis_initd.yml.j2 b/osquery/roles/fleet/templates/redis_initd.yml.j2 deleted file mode 100644 index 47279c75..00000000 --- a/osquery/roles/fleet/templates/redis_initd.yml.j2 +++ /dev/null 
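Review bot: In `kolide-fleet-proxy.service.j2`, `After =`, `Requires =` and `partof =` sit under `[Service]`, but these are `[Unit]`-section directives and systemd key names are case-sensitive, so systemd logs them as unknown keys and ignores them; the ordering on the socket and the `PartOf=` binding to `kolide-fleet.service` are silently lost. Move them into `[Unit]` as `After=kolide-fleet-proxy.socket`, `Requires=kolide-fleet-proxy.socket` and `PartOf=kolide-fleet.service`. `Description=Remote Switch redirect` does not describe this unit and looks copied from elsewhere. The `ExecStart` forwards to `127.0.0.1:{{ kolide_fleet_port }}` while this same commit removes `kolide_fleet_port` from `vars/main.yml`, so it must now be defined elsewhere (the role's defaults are not in the diff) or the template fails to render.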
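Review bot: `Transparent=yes` in `kolide-fleet-proxy.socket.j2` enables IP_TRANSPARENT on the listener, which only matters when binding a non-local address for transparent proxying; for a plain `ListenStream=0.0.0.0:443` in front of `systemd-socket-proxyd` it adds nothing and is clearer dropped. `0.0.0.0:443` also binds IPv4 only; if fleet should be reachable over IPv6 too, `ListenStream=443` typically binds both families. The socket has no `[Unit]` section with a `Description=`, which makes `systemctl list-sockets` output harder to read.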
@@ -1,69 +0,0 @@ -#!/usr/bin/env bash - -############### -# SysV Init Information -# description: docker daemon. -### BEGIN INIT INFO -# Provides: me -# Required-Start: -# Required-Stop: -# Default-Start: 2 3 5 -# Default-Stop: 0 1 6 -# Short-Description: manage docker daemon -# Description: docker daemon -### END INIT INFO - - -HOME=path/to/code -EXEC=docker -NAME="redis_service" - -LABEL={{ kolide_fleet_version }} - -case "$1" in - start) - RUNNING=`docker inspect -f '{{.State.Running}}' ${NAME}` - - if [[ ${RUNNING} == "true" ]]; then - # - # No need to start it - # - echo "Process is running" - exit 1; - if - echo "Starting container: '$NAME'..." - docker run -d --restart=always --name=redis_service redis:4-alpine - ;; - stop) - echo "Stopping $NAME..." - - docker stop -t 2 ${NAME} &> /dev/null - - if [[ 0 != $? ]]; then - echo "Could not stop container" - exit 4; - fi - ;; - status) - RUNNING=`docker inspect -f '{{.State.Running}}' ${NAME}` - - if [[ "true" == ${RUNNING} ]]; then - echo "$NAME is running" - else - echo "$NAME is not running" - fi - ;; - inspect) - docker inspect ${NAME} - ;; - logs) - docker logs ${NAME} - ;; - restart) - $0 stop - $0 start - ;; - *) - echo "Please use start, stop, restart, inspect or status as first argument" - ;; -esac diff --git a/osquery/roles/fleet/templates/redis_service.yml.j2 b/osquery/roles/fleet/templates/redis_service.yml.j2 deleted file mode 100644 index 154de212..00000000 --- a/osquery/roles/fleet/templates/redis_service.yml.j2 +++ /dev/null @@ -1,18 +0,0 @@ -[Unit] -Description=Redis Container -After=docker.service -Requires=docker.service - -[Service] -Type=simple -restart=always -TimeoutStartSec=120 -ExecStartPre=-/usr/bin/docker pull redis:4-alpine -ExecStartPre=-/usr/bin/docker kill redis_service -ExecStartPre=-/usr/bin/docker rm redis_service -ExecStart=/usr/bin/docker run --name redis_service redis:alpine - -ExecStop=/usr/bin/docker stop redis_service - -[Install] -WantedBy=multi-user.target 
diff --git a/osquery/roles/fleet/tasks/fleetSSLselfSigned.yml b/osquery/roles/fleet/vars/debian.yml similarity index 73% rename from osquery/roles/fleet/tasks/fleetSSLselfSigned.yml rename to osquery/roles/fleet/vars/debian.yml index 21a68439..19311ece 100644 --- a/osquery/roles/fleet/tasks/fleetSSLselfSigned.yml +++ b/osquery/roles/fleet/vars/debian.yml @@ -1,5 +1,5 @@ --- -# Copyright 2018, Rackspace US, Inc. +# Copyright 2016, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,6 +13,11 @@ # See the License for the specific language governing permissions and # limitations under the License. -- include_tasks: fleetSSLkeyCreate.yml -- include_tasks: fleetSSLstore.yml -- include_tasks: fleetSSLdistribute.yml +kolide_fleet_distro_packages: + - apt-transport-https + - ca-certificates + - curl + - python3-openssl + - python-openssl + - software-properties-common + - unzip \ No newline at end of file diff --git a/osquery/roles/fleet/vars/main.yml b/osquery/roles/fleet/vars/main.yml index af066239..1f933e79 100644 --- a/osquery/roles/fleet/vars/main.yml +++ b/osquery/roles/fleet/vars/main.yml @@ -1,10 +1,10 @@ +--- # Kolide Fleet vars kolide_fleet_db_name: fleet kolide_fleet_db_user: fleet #kolide_fleet_db_password: fleetSecrete -kolide_fleet_port: "443" -kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}" +kolide_fleet_address: "127.0.0.1:{{ kolide_fleet_port }}" kolide_fleet_version: "2.0.0-rc5" kolide_fleet_url: "https://github.com/kolide/fleet/releases/download" 
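Review bot: `vars/debian.yml` ends without a trailing newline (`\ No newline at end of file` after `- unzip`); add one so later appends and diffs stay clean. The copyright header in the same file moves from 2018 back to 2016, which looks like a header copied from another file rather than an intended change — worth confirming. The git rename from `fleetSSLselfSigned.yml` is only a similarity artefact, but it means the `fleetSSLkeyCreate.yml`/`fleetSSLstore.yml`/`fleetSSLdistribute.yml` includes disappear with it; if `fleetSSL.yml` (unchanged in this diff) still includes `fleetSSLselfSigned.yml`, the play fails on a missing file.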
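Review bot: `kolide_fleet_port: "443"` is removed from `vars/main.yml` while `kolide_fleet_address: "127.0.0.1:{{ kolide_fleet_port }}"` on the next line still references it, as does the new `kolide-fleet-proxy.service.j2`; unless the role's `defaults/main.yml` (not in this diff) defines it, the variable is undefined at first use and the play fails. The commented-out `#kolide_fleet_db_password: fleetSecrete` reads like a default credential; since the README now generates this value with `openssl rand`, drop the line rather than leave a placeholder secret in vars.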
@@ -13,9 +13,6 @@ kolide_fleet_admin_email: admin@openstack.org kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert kolide_fleet_ssl_key: /etc/ssl/private/fleet.key -kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem -kolide_fleet_ssl_ca_cert: /etc/ssl/certs/fleet-ca.pem -kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost" kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}" kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}" diff --git a/osquery/roles/osquery/.kitchen.docker.yml b/osquery/roles/osquery/.kitchen.docker.yml new file mode 100644 index 00000000..4eeefa1a --- /dev/null +++ b/osquery/roles/osquery/.kitchen.docker.yml 
@@ -0,0 +1,70 @@ +--- +driver: + name: docker +## https://github.com/test-kitchen/kitchen-docker/issues/54 + use_sudo: false + +transport: + name: sftp + +provisioner: + name: ansible_playbook + roles_path: ../ + hosts: test-kitchen +# ansible_verbose: true + ansible_verbose: false + ansible_verbosity: 3 + ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %> +# require_chef_omnibus: false + require_ansible_omnibus: true +# require_chef_for_busser: false + enable_yum_epel: true + ansible_connection: ssh + +platforms: + - name: ubuntu-18.04 + driver_config: +# https://github.com/test-kitchen/kitchen-docker/issues/285 + provision_command: mkdir -p /run/sshd + - name: ubuntu-16.04 +## systemd? + driver: + config: + security.privileged: true + - name: ubuntu-14.04 + - name: ubuntu-12.04 + - name: centos-7 +## systemd + driver: + config: + security.privileged: true +### epel mirror issue. see readme +# - name: centos-6 +### Ansible 2.2+/cryptography: https://github.com/ansible/ansible/issues/276 +# provisioner: +# ansible_version: 2.1.2.0 +## tool chain kitchen and image need customization... nok currently +# - name: alpine-3.4 +# - name: debian-8 + - name: debian-9 + +suites: + - name: default + run_list: + attributes: + - name: default-osquery-syslog + run_list: + attributes: + - name: default-osquery-syslog-fs + run_list: + attributes: + - name: default-profiling + run_list: + attributes: + includes: + - ubuntu-16.04 + - name: default-fleetmanager + run_list: + attributes: + includes: + - ubuntu-16.04 diff --git a/osquery/roles/osquery/.kitchen.vagrant.yml b/osquery/roles/osquery/.kitchen.vagrant.yml new file mode 100644 index 00000000..c6445110 --- /dev/null +++ b/osquery/roles/osquery/.kitchen.vagrant.yml 
@@ -0,0 +1,57 @@ +--- +# $ KITCHEN_YAML=".kitchen.vagrant.yml" kitchen verify + +driver: + name: vagrant + provider: <%= ENV['KITCHEN_PROVIDER'] || 'virtualbox' %> + +## make file transfer faster. need https://github.com/coderanger/kitchen-sync +transport: + name: sftp + +provisioner: + name: ansible_playbook + roles_path: ../ + hosts: test-kitchen +# ansible_verbose: true + ansible_verbose: false + ansible_verbosity: 3 + ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %> + +platforms: + - name: ubuntu-18.04 + - name: ubuntu-16.04 + - name: ubuntu-14.04 + - name: centos-7.1 +## ansible < 2.x +# - name: debian-8 +# driver_config: +# box: debian-8 +# box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box + - name: debian-9 + driver: + box: remram/debian-9-amd64 + +suites: + - name: default + run_list: + attributes: + - name: default-osquery-syslog + run_list: + attributes: + - name: default-osquery-syslog-fs + run_list: + attributes: + - name: default-profiling + run_list: + attributes: + includes: + - ubuntu-18.04 + - name: default-fleetmanager + run_list: + attributes: + includes: + - ubuntu-18.04 + driver_config: + network: + - ["forwarded_port", {guest: 8080, host: 9080}] diff --git a/osquery/roles/osquery/.kitchen.yml b/osquery/roles/osquery/.kitchen.yml new file mode 100644 index 00000000..024e48d9 --- /dev/null +++ b/osquery/roles/osquery/.kitchen.yml 
@@ -0,0 +1,56 @@ +--- +driver: + name: lxd_cli + +transport: + name: sftp + +provisioner: + name: ansible_playbook + roles_path: ../ + hosts: test-kitchen + ansible_verbose: true +# ansible_verbose: false + ansible_verbosity: 2 + ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %> + require_ansible_omnibus: true + require_chef_omnibus: false +# require_chef_for_busser: false + enable_yum_epel: true + ansible_connection: ssh + +platforms: + - name: ubuntu-18.04 + - name: ubuntu-16.04 +# - name: ubuntu-14.04 +# - name: ubuntu-12.04 + - name: centos-7 +# - name: centos-6 +# - name: alpine-3.7 + +suites: + - name: default + run_list: + attributes: + - name: default-osquery-syslog + run_list: + attributes: + includes: + - ubuntu-18.04 + - centos-7 + - name: default-osquery-syslog-fs + run_list: + attributes: + includes: + - ubuntu-18.04 + - centos-7 + - name: default-profiling + run_list: + attributes: + includes: + - ubuntu-18.04 + - name: default-fleetmanager + run_list: + attributes: + includes: + - ubuntu-18.04 diff --git a/osquery/roles/osquery/.travis.yml b/osquery/roles/osquery/.travis.yml new file mode 100644 index 00000000..dcf97ce8 --- /dev/null +++ b/osquery/roles/osquery/.travis.yml 
@@ -0,0 +1,97 @@ +--- +dist: trusty +sudo: required +rvm: + - 2.4 + +env: +## those images need pre-configuration before being usable (openssh...) +# - distribution: centos +# version: 6 + - distribution: centos + version: 7 + suite: default + - distribution: ubuntu + version: 18.04 + suite: default + - distribution: ubuntu + version: 16.04 + suite: default +# - distribution: ubuntu +# version: 14.04 +# - distribution: ubuntu +# version: 12.04 +# - distribution: alpine +# version: 3.4 + - distribution: centos + version: 7 + suite: default-osquery-syslog + - distribution: ubuntu + version: 18.04 + suite: default-osquery-syslog + - distribution: centos + version: 7 + suite: default-osquery-syslog-fs + - distribution: ubuntu + version: 18.04 + suite: default-osquery-syslog-fs + - distribution: ubuntu + version: 18.04 + suite: default-profiling + - distribution: ubuntu + version: 18.04 + suite: default-fleetmanager + +before_install: + - env + - pwd + - find -ls +## use appropriate role path and not github name + - "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh" +## No Xenial, https://github.com/travis-ci/travis-ci/issues/5821 +# - sudo apt install lxd + - echo "deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse" | sudo tee /etc/apt/sources.list.d/trusty-backports.list + - sudo apt-get update -qq + - sudo apt -t trusty-backports -y install lxd acl -q +## change of group implies logout+login to apply... can't do with travis = run as root (sic) +## https://github.com/travis-ci/travis-ci/issues/1839 or chain: sudo -E su $USER -c "..." 
+ - sudo usermod -G lxd travis + # Pull container +# - lxc remote add images images.linuxcontainers.org + - sudo -E su $USER -c "lxc remote list" + - sudo -E su $USER -c "lxc image list" +## pre-download base images + - 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] || lxc image copy images:${distribution}/${version}/amd64 local: --alias=${distribution}-${version}-nossh"' + - 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] && lxc image copy ubuntu:${version} local: --alias=${distribution}-${version}" || true' +## configure lxd-bridge + - sudo perl -pi -e 's@^LXD_IPV4_ADDR=""@LXD_IPV4_ADDR="10.252.116.1"@;s@^LXD_IPV4_NETMASK=""@LXD_IPV4_NETMASK="255.255.255.0"@;s@^LXD_IPV4_NETWORK=""@LXD_IPV4_NETWORK="10.252.116.1/24"@;s@^LXD_IPV4_DHCP_RANGE=""@LXD_IPV4_DHCP_RANGE="10.252.116.2,10.252.116.254"@;s@^LXD_IPV4_DHCP_MAX=""@LXD_IPV4_DHCP_MAX="252"@;s@LXD_IPV6_PROXY="true"@LXD_IPV6_PROXY="false"@' /etc/default/lxd-bridge +# - cat /etc/default/lxd-bridge +# - service --status-all + - sudo service lxd restart + + - sudo pip install ansible + - gem install kitchen + - gem install kitchen-ansible + - gem install kitchen-sync + - gem install kitchen-lxd_cli + - gem list + - which kitchen +## ssh key for lxd_cli ? + - ls ~/.ssh + - ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -P "" +## sudo/su get us a non-usual PATH ... + - '[ "X${distribution}" == "Xcentos" ] && sudo -E su $USER -c "sh -x ./test/lxd/centos-ssh-image.sh" || true' + - sudo -E su $USER -c "env" +## The command "sudo -E su $USER -c "which kitchen"" failed and exited with 1 during . 
+# - sudo -E su $USER -c "which kitchen" + - sudo -E su $USER -c "env PATH=$PATH kitchen diagnose --all" +# - sudo -E su $USER -c "kitchen diagnose --all" +# - sudo -E -u $USER kitchen diagnose --all + +script: +# - KITCHEN_LOCAL_YAML=.kitchen.local.yml bundle exec kitchen verify ${INSTANCE} + - sudo -E su $USER -c "env PATH=$PATH kitchen verify ${suite}-${distribution}-${version//./} -l debug || (cat $HOME/.kitchen/logs/${suite}-${distribution}-${version//./}.log; find /tmp/kitchen)" + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ + diff --git a/osquery/roles/osquery/.travis.yml.docker b/osquery/roles/osquery/.travis.yml.docker new file mode 100644 index 00000000..0d25fce1 --- /dev/null +++ b/osquery/roles/osquery/.travis.yml.docker 
@@ -0,0 +1,160 @@ +--- +## from https://github.com/geerlingguy/ansible-role-apache/blob/master/.travis.yml +sudo: required + +env: +# - distribution: centos +# version: 6 +# init: /sbin/init +# run_opts: "" +# suite: default + - distribution: centos + version: 7 + init: /usr/lib/systemd/systemd + run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default + ansible_version: 2.5.5 + ansible_extra_vars: "" +# - distribution: ubuntu +# version: 18.04 +# init: /lib/systemd/systemd +# run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" +# suite: default +# ansible_version: 2.5.5 +# ansible_extra_vars: "" + - distribution: ubuntu + version: 16.04 + init: /lib/systemd/systemd + run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default + ansible_version: 2.5.5 + ansible_extra_vars: "" +# - distribution: ubuntu +# version: 14.04 +# init: /sbin/init +# run_opts: "" +# suite: default +# - distribution: ubuntu +# version: 12.04 +# init: /sbin/init +# run_opts: "" +# suite: default +# - distribution: alpine +# version: 3.4 +# init: /sbin/init +# run_opts: "" +# suite: default +## https://travis-ci.org/juju4/ansible-osquery/jobs/246615342, https://github.com/facebook/osquery/issues/2321 + - distribution: debian + version: 9 + init: /lib/systemd/systemd + run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default + ansible_version: 2.5.5 + ansible_extra_vars: "" + - distribution: centos + version: 7 + init: /usr/lib/systemd/systemd + run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default-osquery-syslog + ansible_version: 2.5.5 + ansible_extra_vars: "" + - distribution: ubuntu + version: 16.04 + init: /lib/systemd/systemd + run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default-osquery-syslog + ansible_version: 2.5.5 + ansible_extra_vars: "" + - distribution: centos + version: 7 + init: /usr/lib/systemd/systemd + run_opts: 
"'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default-osquery-syslog-fs + ansible_version: 2.5.5 + ansible_extra_vars: "" + - distribution: ubuntu + version: 16.04 + init: /lib/systemd/systemd + run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default-osquery-syslog-fs + ansible_version: 2.5.5 + ansible_extra_vars: "" + - distribution: ubuntu + version: 16.04 + init: /lib/systemd/systemd + run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default-profiling + ansible_version: 2.5.5 + ansible_extra_vars: "" +# past ansible version + - distribution: ubuntu + version: 16.04 + init: /lib/systemd/systemd + run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default + ansible_version: 2.4.5 + ansible_extra_vars: "" +# upcoming ansible version + - distribution: ubuntu + version: 16.04 + init: /lib/systemd/systemd + run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default + ansible_version: 2.6.0rc3 + ansible_extra_vars: "" + +services: + - docker + +before_install: + # - sudo apt-get update + # Pull container + - 'sudo docker pull ${distribution}:${version}' + - env + - pwd + - find -ls + - "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh" + - cp test/travis/initctl_faker test/ + # Customize container + - 'sudo docker build --rm=true --file=test/travis/Dockerfile.${distribution}-${version} --tag=${distribution}-${version}:ansible test' + +before_script: + - container_id=$(mktemp) + # Run container in detached state + - 'sudo docker run --detach --volume="${PWD%/*}":/etc/ansible/roles:ro ${run_opts} ${distribution}-${version}:ansible "${init}" > "${container_id}"' + + - 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm pip install --upgrade pip' + - 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm pip install ansible==${ansible_version}' + - 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm 
ansible --version' + +script: + # Ansible syntax check. + - 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/default.yml --syntax-check' + + # Test role. + - 'travis_wait 30 sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/default.yml -vv ${ansible_extra_vars}' + + # Test role idempotence. + - > + travis_wait 30 sudo docker exec "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/default.yml ${ansible_extra_vars} + | tee /tmp/idempotency.log + | grep -q 'changed=0.*failed=0' + && (echo 'Idempotence test: pass' && exit 0) + || (echo 'Idempotence test: fail' && cat /tmp/idempotency.log && exit 0) + + # serverspec tests +## travis/docker: Errno::EROFS: Read-only file system @ dir_s_mkdir - /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/serverspec/.bundle +# - 'sudo docker exec --tty "$(cat ${container_id})" /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/serverspec/run-local-tests.sh' + +after_failure: + # Check what happened on systemd systems. + - 'docker exec --tty "$(cat ${container_id})" env TERM=xterm systemctl -l --no-pager status osqueryd.service' + - 'docker exec --tty "$(cat ${container_id})" env TERM=xterm journalctl -xe --no-pager' + +after_script: + # Clean up + - 'sudo docker stop "$(cat ${container_id})"' + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/osquery/roles/osquery/.travis.yml.kitchen-docker b/osquery/roles/osquery/.travis.yml.kitchen-docker new file mode 100644 index 00000000..20a0db28 --- /dev/null +++ b/osquery/roles/osquery/.travis.yml.kitchen-docker 
@@ -0,0 +1,71 @@ +--- +## note: can't fully test osquery inside docker as will not be able have kernel /dev/osquery +dist: trusty +sudo: required +rvm: + - 2.4 + +env: +# - distribution: centos +# version: 6 + - distribution: centos + version: 7 + suite: default + - distribution: ubuntu + version: 16.04 + suite: default + - distribution: ubuntu + version: 14.04 + suite: default +# - distribution: ubuntu +# version: 12.04 +# - distribution: alpine +# version: 3.4 + - distribution: debian + version: 8 + suite: default + - distribution: centos + version: 7 + suite: default-osquery-syslog + - distribution: ubuntu + version: 16.04 + suite: default-osquery-syslog + - distribution: ubuntu + version: 14.04 + suite: default-osquery-syslog + - distribution: centos + version: 7 + suite: default-osquery-syslog-fs + - distribution: ubuntu + version: 16.04 + suite: default-osquery-syslog-fs + - distribution: ubuntu + version: 14.04 + suite: default-osquery-syslog-fs + +before_install: + - env + - pwd + - find -ls +## use appropriate role path and not github name + - "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh" + - sudo pip install ansible +## need to use chef gem for some reason? BAD PATH https://github.com/chef/chef-dk/issues/15 +# - chef gem install kitchen + - gem install kitchen + - gem install kitchen-ansible + - gem install kitchen-sync + - gem install kitchen-docker + - gem list + - which kitchen + - KITCHEN_YAML=.kitchen.docker.yml kitchen diagnose --all + +script: +## avoid locale issue under xenial docker, https://github.com/pypa/pip/issues/3575 + - export LC_ALL=C.UTF-8 + - export LANG=C.UTF-8 + - KITCHEN_YAML=.kitchen.docker.yml kitchen verify ${suite}-${distribution}-${version//./} + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ + diff --git a/osquery/roles/osquery/.travis.yml.lxd-kitchen b/osquery/roles/osquery/.travis.yml.lxd-kitchen new file mode 100644 index 00000000..e471bca6 --- /dev/null 
+++ b/osquery/roles/osquery/.travis.yml.lxd-kitchen 
@@ -0,0 +1,76 @@ +--- +dist: trusty +sudo: required +rvm: + - 2.4 + +env: +## those images need pre-configuration before being usable (openssh...) +# - distribution: centos +# version: 6 + - distribution: centos + version: 7 + - distribution: ubuntu + version: 18.04 + - distribution: ubuntu + version: 16.04 +# - distribution: ubuntu +# version: 14.04 +# - distribution: ubuntu +# version: 12.04 +# - distribution: alpine +# version: 3.4 + +before_install: + - env + - pwd + - find -ls +## use appropriate role path and not github name + - "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh" +## No Xenial, https://github.com/travis-ci/travis-ci/issues/5821 +# - sudo apt install lxd + - echo "deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse" | sudo tee /etc/apt/sources.list.d/trusty-backports.list + - sudo apt-get update -qq + - sudo apt -t trusty-backports -y install lxd acl -q +## change of group implies logout+login to apply... can't do with travis = run as root (sic) +## https://github.com/travis-ci/travis-ci/issues/1839 or chain: sudo -E su $USER -c "..." 
+ - sudo usermod -G lxd travis + # Pull container +# - lxc remote add images images.linuxcontainers.org + - sudo -E su $USER -c "lxc remote list" + - sudo -E su $USER -c "lxc image list" +## pre-download base images + - 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] || lxc image copy images:${distribution}/${version}/amd64 local: --alias=${distribution}-${version}-nossh"' + - 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] && lxc image copy ubuntu:${version} local: --alias=${distribution}-${version}" || true' +## configure lxd-bridge + - sudo perl -pi -e 's@^LXD_IPV4_ADDR=""@LXD_IPV4_ADDR="10.252.116.1"@;s@^LXD_IPV4_NETMASK=""@LXD_IPV4_NETMASK="255.255.255.0"@;s@^LXD_IPV4_NETWORK=""@LXD_IPV4_NETWORK="10.252.116.1/24"@;s@^LXD_IPV4_DHCP_RANGE=""@LXD_IPV4_DHCP_RANGE="10.252.116.2,10.252.116.254"@;s@^LXD_IPV4_DHCP_MAX=""@LXD_IPV4_DHCP_MAX="252"@;s@LXD_IPV6_PROXY="true"@LXD_IPV6_PROXY="false"@' /etc/default/lxd-bridge +# - cat /etc/default/lxd-bridge +# - service --status-all + - sudo service lxd restart + + - sudo pip install ansible + - gem install kitchen + - gem install kitchen-ansible + - gem install kitchen-sync + - gem install kitchen-lxd_cli + - gem list + - which kitchen +## ssh key for lxd_cli ? + - ls ~/.ssh + - ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -P "" +## sudo/su get us a non-usual PATH ... + - '[ "X${distribution}" == "Xcentos" ] && sudo -E su $USER -c "sh -x ./test/lxd/centos-ssh-image.sh" || true' + - sudo -E su $USER -c "env" +## The command "sudo -E su $USER -c "which kitchen"" failed and exited with 1 during . 
+# - sudo -E su $USER -c "which kitchen" + - sudo -E su $USER -c "env PATH=$PATH kitchen diagnose --all" +# - sudo -E su $USER -c "kitchen diagnose --all" +# - sudo -E -u $USER kitchen diagnose --all + +script: +# - KITCHEN_LOCAL_YAML=.kitchen.local.yml bundle exec kitchen verify ${INSTANCE} + - sudo -E su $USER -c "env PATH=$PATH kitchen verify default-${distribution}-${version//./} -l debug || (cat $HOME/.kitchen/logs/default-${distribution}-${version//./}.log; find /tmp/kitchen)" + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ + diff --git a/osquery/roles/osquery/.travis.yml.orig b/osquery/roles/osquery/.travis.yml.orig new file mode 100644 index 00000000..e72b9ba6 --- /dev/null +++ b/osquery/roles/osquery/.travis.yml.orig @@ -0,0 +1,42 @@ +--- +sudo: required +dist: trusty + +language: generic + +before_install: + - sudo apt-get -qq update + - sudo apt-get install -y python python-pip + +install: + # Install ansible + - sudo pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + + # Install role dependencies + # ... + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + + # Run the role/playbook with ansible-playbook + - ansible-playbook tests/test.yml -i tests/inventory --connection=local --become + + # Run the role/playbook again, checking to make sure it's idempotent + - > + ansible-playbook tests/test.yml -i tests/inventory --connection=local --become + | grep -q 'changed=0.*failed=0' + && (echo 'Idempotence test: pass' && exit 0) + || (echo 'Idempotence test: fail' && exit 1) + + # Playbook specific tests + # ... + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/osquery/roles/osquery/.travis.yml.simple b/osquery/roles/osquery/.travis.yml.simple new file mode 100644 index 00000000..d765d799 --- /dev/null 
+++ b/osquery/roles/osquery/.travis.yml.simple @@ -0,0 +1,61 @@ +--- +sudo: required +dist: trusty + +language: generic + +env: + - suite: default + - suite: default-osquery-syslog + - suite: default-osquery-syslog-fs + +before_install: + - sudo apt-get -qq update + - sudo apt-get install -y python python-pip + - "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh" +## serverspec test + - sudo apt-get install -qq ruby2.0 rake + - sudo gem2.0 install serverspec + +install: + # Install ansible + - sudo pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + - "echo \"[test-kitchen]\nlocalhost\" > inventory" + + - gem2.0 --version + + # Install role dependencies + # ... + +script: + # Basic role syntax check + - "ansible-playbook -i inventory --syntax-check test/integration/${suite}/default.yml" + + # Run the role/playbook with ansible-playbook + - "ansible-playbook -i inventory --connection=local --sudo -vvvv test/integration/${suite}/default.yml" + + # Run the role/playbook again, checking to make sure it's idempotent + - > + ansible-playbook -i inventory test/integration/${suite}/default.yml --connection=local --become + | grep -q 'changed=0.*failed=0' + && (echo 'Idempotence test: pass' && exit 0) + || (echo 'Idempotence test: fail' && exit 1) + + # Playbook specific tests +# - "cd test/integration/${suite}/serverspec/ && bundle exec rake spec" + +after_failure: + - "ls -l /var/log/ /var/log/osquery/" + - "sudo cat /var/log/osquery*.log /var/log/osquery/*.log" + - "sudo cat /etc/rsyslog.d/30-osquery-target.conf" + - "sudo systemctl -l status" + - "sudo journalctl -xe --no-pager" + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/osquery/roles/osquery/Jenkinsfile b/osquery/roles/osquery/Jenkinsfile new file mode 100644 index 00000000..7b3d7581 --- /dev/null +++ b/osquery/roles/osquery/Jenkinsfile 
@@ -0,0 +1,59 @@ +// Work in progress + +node { + + try{ + currentBuild.result = "SUCCESS" + def workspace = pwd() + def directory = "kbrebanov.osquery" + + stage 'Clean Workspace' + deleteDir() + + stage("Download source and capture commit ID") { + sh "mkdir $directory" + dir("$directory") { + checkout scm + // Get the commit ID + sh 'git rev-parse --verify HEAD > GIT_COMMIT' + git_commit = readFile('GIT_COMMIT').take(7) + echo "Current commit ID: ${git_commit}" + } + } + + dir("$directory") { + + stage("Get dependencies"){ + sh "sh -x get-dependencies.sh" + } + stage("Build and verify 1"){ + defaultplatform = sh ( + script: '''#!/bin/bash +kitchen list | awk "!/Instance/ {print \\$1; exit}" + ''', + returnStdout: true + ).trim() + echo "default platform: ${defaultplatform}" + + sh "kitchen test ${defaultplatform}" + // must keep instance for security testing after + //sh "kitchen verify ${defaultplatform}" + } + + stage("Build and verify all platforms"){ + sh "kitchen test" + } + + stage("Cleanup if no errors"){ + sh "kitchen destroy" + } + + } + + } + + catch(err) { + currentBuild.result = "FAILURE" + throw err + } +} diff --git a/osquery/roles/osquery/LICENSE b/osquery/roles/osquery/LICENSE new file mode 100644 index 00000000..0ad45320 --- /dev/null +++ b/osquery/roles/osquery/LICENSE 
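Review bot: `git_commit` and `defaultplatform` are assigned without `def`, so they land in the script binding instead of the local scope; declare them locally, `def git_commit = readFile('GIT_COMMIT').take(7)` and `def defaultplatform = sh(...)`. The `kitchen destroy` stage only runs on the success path, as its name says, so a failed `kitchen test` leaves instances running; moving the destroy into a `finally` after the `catch` would reclaim them on both paths. `stage 'Clean Workspace'` mixes the legacy stage syntax with the block form used everywhere else in the file.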
@@ -0,0 +1,24 @@ +Copyright (c) 2015, Kevin Brebanov +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + diff --git a/osquery/roles/osquery/README.md b/osquery/roles/osquery/README.md new file mode 100644 index 00000000..96f6448a --- /dev/null +++ b/osquery/roles/osquery/README.md 
@@ -0,0 +1,43 @@ +[![Build Status - Master](https://travis-ci.org/juju4/ansible-osquery.svg?branch=master)](https://travis-ci.org/juju4/ansible-osquery) +[![Build Status - Devel](https://travis-ci.org/juju4/ansible-osquery.svg?branch=devel)](https://travis-ci.org/juju4/ansible-osquery/branches) +osquery +======= + +[![Build Status](https://travis-ci.org/kbrebanov/ansible-osquery.svg?branch=master)](https://travis-ci.org/kbrebanov/ansible-osquery) + +Installs osquery + +Requirements +------------ + +This role requires Ansible 2.0 or higher. + +Role Variables +-------------- + +None + +Dependencies +------------ + +None + +Example Playbook +---------------- + +Install osquery +```yaml +- hosts: all + roles: + - kbrebanov.osquery +``` + +License +------- + +BSD + +Author Information +------------------ + +Kevin Brebanov diff --git a/osquery/roles/osquery/defaults/main.yml b/osquery/roles/osquery/defaults/main.yml new file mode 100644 index 00000000..13e8722e --- /dev/null +++ b/osquery/roles/osquery/defaults/main.yml 
@@ -0,0 +1,131 @@ +--- +# defaults file for osquery + +osquery_service_enable: true +osquery_debug_packages_install: true +## define this if don't want to use upstream ones +#osquery_repository: '' +#osquery_repositorykey: '' + +osquery_template: 'osquery.conf.j2' +#osquery_upload_packs: [] +osquery_upload_packs: + - osquery-snapshots-pack + - osquery-monitoring2-pack +osquery_packs: + - "osquery-monitoring" + - "incident-response" + - "it-compliance" +# - "osx-attacks" + - "ossec-rootkit" + - "vuln-management" + - "hardware-monitoring" + - "osquery-snapshots-pack" + - osquery-monitoring2-pack +osquery_config_plugin: 'filesystem' +osquery_logger_plugin: 'filesystem' +#osquery_logger_plugin: 'syslog' +#osquery_logger_plugin: 'filesystem,syslog' +#osquery_logger_plugin: 'tls' +osquery_flags: [] +## if using zentral, kolide or else +## https://github.com/zentralopensource/zentral/blob/f460b10a95d4ea1e515aea3363f55733465d1d9c/zentral/contrib/osquery/deb_script/template.sh +## https://docs.kolide.co/kolide/current/infrastructure/adding-hosts-to-kolide.html + +#osquery_enroll_secret: "" + +#osquery_flags: +# - '--enroll_secret_path=/etc/osquery/osquery_enroll_secret' +# - '--tls_server_certs=/etc/osquery/kolide.crt' +# - '--tls_hostname=acme.kolide.co' +# - '--host_identifier=hostname' +# - '--enroll_tls_endpoint=/api/v1/osquery/enroll' +# - '--config_plugin=tls' +# - '--config_tls_endpoint=/api/v1/osquery/config' +# - '--config_tls_refresh=10' +# - '--disable_distributed=false' +# - '--distributed_plugin=tls' +# - '--distributed_interval=10' +# - '--distributed_tls_max_attempts=3' +# - '--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read' +# - '--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write' +# - '--logger_plugin=tls' +# - '--logger_tls_endpoint=/api/v1/osquery/log' +# - '--logger_tls_period=10' + +osquery_fim: true +osquery_fim_interval: 900 +osquery_fim_filepaths: + - name: homes_sshdir + list: + - "/root/.ssh/%%" + - "/home/%/.ssh/%%" 
+ - name: etc + list: + - "/etc/%%" +## Take care if using a lot /tmp. can trigger +## 'Expiring events for subscriber: file_events (overflowed limit 1000)' +## => losing many queries results (fim or not) +# - name: tmp +# list: +# - "/tmp/%%" + - name: bin + list: + - "/bin/%%" + - "/sbin/%%" + - "/usr/bin/%%" + - "/usr/sbin/%%" + - "/usr/local/bin/%%" + - "/usr/local/sbin/%%" + - "/opt/bin/%%" + - "/opt/sbin/%%" + - name: webroot + list: + - "/var/www/%%" +osquery_fim_excludepaths: + - name: tmp + list: + - /tmp/too_many_events/ +osquery_rsyslog: true +## conflict with auditd. choose one. +## https://osquery.readthedocs.io/en/stable/deployment/process-auditing/ +osquery_process_auditing: false +osquery_process_interval: 900 +osquery_socket_interval: 900 + +## queries snapshots: 1/week (or 1/month? nok) +## Max interval 1/w: https://github.com/theopolis/osquery/commit/b76dee8a1fddccb500bc4a058daa1b39083b9dbb +osquery_snapshot_interval: 604800 +osquery_snapshot_interval2: 604800 +#osquery_snapshot_interval2: 2592000 + +osquery_logrotate: true +osquery_logrotate_days: 90 + +## https://osquery.readthedocs.io/en/stable/installation/cli-flags/#loggingresults-flags +## per facility +## osquery wants a facility code, while keyword for rsyslog... +osquery_syslog_target_facility_osqueryconf: 19 +osquery_syslog_target_facility_syslogconf: local3 +osquery_syslog_target: '' +#osquery_syslog_target: '@@10.1.1.100' +## mostly for testing purpose +#osquery_syslog_target: '/var/log/osquery/osquery_syslog.log' +## per programname: mostly query execution log and daemon state. avoid mixing with default syslog messages +#osquery_syslog_target2: '' +osquery_syslog_target2: '/var/log/osquery/osqueryd.log' +osquery_syslog_dirs: + - /var/log/osquery + +## making schedule query faster to have logs faster... +osquery_testing: false +osquery_testing_pause: false +osquery_testing_fim_load: false +osquery_testing_fim_load_bigger: 100M +osquery_testing_fim_load_smaller: 1000 +## profiling? 
+osquery_profiling: false +## full config might be too long for travis (max 50min) +#osquery_profiling_conf: /etc/osquery/osquery.conf +osquery_profiling_conf: /usr/share/osquery/packs/incident-response.conf + diff --git a/osquery/roles/osquery/get-dependencies.sh b/osquery/roles/osquery/get-dependencies.sh new file mode 100755 index 00000000..f1ae96f3 --- /dev/null +++ b/osquery/roles/osquery/get-dependencies.sh @@ -0,0 +1,22 @@ +#!/bin/sh +## one script to be used by travis, jenkins, packer... + +umask 022 + +if [ $# != 0 ]; then +rolesdir=$1 +else +rolesdir=$(dirname $0)/.. +fi + +[ ! -d $rolesdir/juju4.redhat-epel ] && git clone https://github.com/juju4/ansible-redhat-epel $rolesdir/juju4.redhat-epel +[ ! -d $rolesdir/geerlingguy.redis ] && git clone https://github.com/juju4/ansible-role-redis.git $rolesdir/geerlingguy.redis +[ ! -d $rolesdir/geerlingguy.mysql ] && git clone https://github.com/geerlingguy/ansible-role-mysql.git $rolesdir/geerlingguy.mysql +[ ! -d $rolesdir/juju4.kolide ] && git clone https://github.com/juju4/ansible-kolide $rolesdir/juju4.kolide +## galaxy naming: kitchen fails to transfer symlink folder +#[ ! -e $rolesdir/kbrebanov.osquery ] && ln -s ansible-osquery $rolesdir/kbrebanov.osquery +[ ! -e $rolesdir/kbrebanov.osquery ] && cp -R $rolesdir/ansible-osquery $rolesdir/kbrebanov.osquery + +## don't stop build on this script return code +true + diff --git a/osquery/roles/osquery/handlers/main.yml b/osquery/roles/osquery/handlers/main.yml new file mode 100644 index 00000000..2bb19ede --- /dev/null +++ b/osquery/roles/osquery/handlers/main.yml @@ -0,0 +1,13 @@ +--- +# handlers file for osquery + +- name: restart osquery +# service: name=osqueryd state=restarted +## for rocksdb backend + shell: "systemctl stop osqueryd; sleep 5; systemctl start osqueryd" + +- name: restart rsyslog + service: name=rsyslog state=restarted + +- name: reload osqueryd apparmor profile + shell: cat /etc/apparmor.d/usr.bin.osqueryd | sudo apparmor_parser -r 
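Review bot: `osquery_debug_packages_install: true` installs the osquery debug packages on every managed host by default, which enlarges the footprint of a production endpoint agent for no operational gain; defaulting it to `false` and enabling it where `osquery_testing` is set would be the safer default. In `osquery_packs` every entry is double-quoted except `osquery-monitoring2-pack`, and `osquery_upload_packs` repeats two of them unquoted; quote consistently. The commented-out kolide/TLS flag list under `osquery_flags: []` is the only place the enrollment flags are described, so a one-line comment noting that `osquery_enroll_secret` is written to `/etc/osquery/osquery_enroll_secret` by `configure.yml` would tie the two together for operators.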
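Review bot: Every dependency is cloned from its default branch with no tag or commit pinned, so a build pulls whatever `juju4/ansible-kolide`, `geerlingguy/ansible-role-mysql` and the others have on HEAD at that moment; pinning with `git clone --branch <tag> ...` or a `git -C "$rolesdir/<role>" checkout <commit>` after the clone makes the test environment reproducible and limits exposure to an upstream compromise. `geerlingguy.redis` is populated from `juju4/ansible-role-redis`, a fork, while the directory name suggests the upstream role; a comment explaining why would prevent a future "fix". `$rolesdir` and `$1` are unquoted throughout, so a path containing spaces breaks the `[ ! -d ... ]` tests, and the trailing `true` hides any clone failure from CI.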
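Review bot: The `reload osqueryd apparmor profile` handler embeds `sudo` in the shell command, which bypasses Ansible's `become` handling and fails on hosts where the connecting user has no sudo rights; `apparmor_parser` also accepts the profile path directly, so the handler can be `command: apparmor_parser -r /etc/apparmor.d/usr.bin.osqueryd` with `become: yes`. `restart osquery` uses `shell` with a fixed `sleep 5` rather than the service module; the comment attributes this to the rocksdb backend, so a note on why a plain `state=restarted` is insufficient would stop the next reader from replacing it.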
diff --git a/osquery/roles/osquery/meta/.galaxy_install_info b/osquery/roles/osquery/meta/.galaxy_install_info new file mode 100644 index 00000000..350f94e9 --- /dev/null +++ b/osquery/roles/osquery/meta/.galaxy_install_info @@ -0,0 +1 @@ +{install_date: 'Mon Oct 15 18:43:31 2018', version: master} diff --git a/osquery/roles/osquery/meta/main.yml b/osquery/roles/osquery/meta/main.yml new file mode 100644 index 00000000..003228ed --- /dev/null +++ b/osquery/roles/osquery/meta/main.yml 
@@ -0,0 +1,158 @@ +--- +galaxy_info: + author: Kevin Brebanov + description: Installs osquery + company: + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: BSD + + min_ansible_version: 1.9 + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If travis integration is cofigured, only notification for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + github_branch: master + + # + # Below are all platforms currently available. Just uncomment + # the ones that apply to your role. If you don't see your + # platform on this list, let us know and we'll get it added! 
+ # + platforms: + - name: EL + versions: + # - all + # - 5 + - 6 + - 7 + #- name: GenericUNIX + # versions: + # - all + # - any + #- name: Solaris + # versions: + # - all + # - 10 + # - 11.0 + # - 11.1 + # - 11.2 + # - 11.3 + #- name: Fedora + # versions: + # - all + # - 16 + # - 17 + # - 18 + # - 19 + # - 20 + # - 21 + # - 22 + # - 23 + #- name: Windows + # versions: + # - all + # - 2012R2 + #- name: SmartOS + # versions: + # - all + # - any + #- name: opensuse + # versions: + # - all + # - 12.1 + # - 12.2 + # - 12.3 + # - 13.1 + # - 13.2 + #- name: Amazon + # versions: + # - all + # - 2013.03 + # - 2013.09 + #- name: GenericBSD + # versions: + # - all + # - any + #- name: FreeBSD + # versions: + # - all + # - 8.0 + # - 8.1 + # - 8.2 + # - 8.3 + # - 8.4 + # - 9.0 + # - 9.1 + # - 9.1 + # - 9.2 + # - 9.3 + # - 10.0 + # - 10.1 + # - 10.2 + - name: Ubuntu + versions: + # - all + # - lucid + # - maverick + # - natty + # - oneiric + # - precise + # - quantal + # - raring + # - saucy + - trusty + # - utopic + # - vivid + # - wily + - xenial + #- name: SLES + # versions: + # - all + # - 10SP3 + # - 10SP4 + # - 11 + # - 11SP1 + # - 11SP2 + # - 11SP3 + #- name: GenericLinux + # versions: + # - all + # - any + #- name: Debian + # versions: + # - all + # - etch + # - jessie + # - lenny + # - squeeze + # - wheezy + + galaxy_tags: + - monitoring + - system + # List tags for your role here, one per line. A tag is + # a keyword that describes and categorizes the role. + # Users find roles by searching for tags. Be sure to + # remove the '[]' above if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of + # alphanumeric characters. Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. + # Be sure to remove the '[]' above if you add dependencies + # to this list. diff --git a/osquery/roles/osquery/tasks/CentOS.yml b/osquery/roles/osquery/tasks/CentOS.yml new file mode 100644 index 00000000..1803d235 
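Review bot: `min_ansible_version: 1.9` disagrees with the README in this commit, which requires Ansible 2.0 or higher, and the tasks use `block:`, which itself needs 2.0; set `min_ansible_version: "2.0"` (quoted so version-like values stay strings). `company:` is a bare empty value that parses as null; write `company: ''` or drop the key.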
--- /dev/null +++ b/osquery/roles/osquery/tasks/CentOS.yml @@ -0,0 +1,17 @@ +--- +# tasks file for osquery (CentOS specific) + +- name: Install osquery repository key + rpm_key: + state: present + key: "{{ _osquery_repositorykey }}" + +- name: Install osquery repository + get_url: + url: "{{ _osquery_repository }}" + dest: "/etc/yum.repos.d/{{ _osquery_repository | basename }}" + mode: '0644' + backup: yes + +- include: selinux.yml + when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker")) diff --git a/osquery/roles/osquery/tasks/Debian.yml b/osquery/roles/osquery/tasks/Debian.yml new file mode 100644 index 00000000..706d5272 --- /dev/null +++ b/osquery/roles/osquery/tasks/Debian.yml @@ -0,0 +1,36 @@ +--- + +# tasks file for osquery (Debian, Ubuntu specific) + +- name: Ensure dirmngr is present for apt-key + package: + name: dirmngr + state: present + +- name: Download osquery APT key + become: yes + apt_key: + keyserver: keyserver.ubuntu.com + id: "{{ _osquery_repositorykey }}" + state: present + tags: + - osquery + +- name: Ensure apt-transport-https is installed + become: yes + apt: + name: apt-transport-https + state: present + tags: + - osquery + +- name: Configure osquery APT repository + become: yes + apt_repository: + repo: "{{ _osquery_repository }}" + state: present + tags: + - osquery + +- include: apparmor.yml + when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker")) diff --git a/osquery/roles/osquery/tasks/apparmor.yml b/osquery/roles/osquery/tasks/apparmor.yml new file mode 100644 index 00000000..1ba2f8c2 --- /dev/null +++ b/osquery/roles/osquery/tasks/apparmor.yml 
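Review bot: The container guard `not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker"))` on the `selinux.yml` include is repeated verbatim in `Debian.yml` and twice in `configure.yml`; computing it once early in `main.yml`, e.g. `set_fact: osquery_in_container: "{{ ansible_virtualization_type | default('') in ['lxc', 'docker'] }}"`, keeps the four copies from drifting. `include:` is the deprecated form; `include_tasks:` is the current one for these conditional includes. The repository file is fetched with `get_url` and trusted as-is, and `_osquery_repository` is not visible here; confirm it is an https URL so certificate validation applies.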
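Review bot: `apt_key` fetches the key from `keyserver.ubuntu.com` by `id`, and an HKP lookup is only as strong as the identifier: if `_osquery_repositorykey` is a short or long key id rather than the full 40-hex fingerprint, a colliding key could be served; confirm the variable holds the full fingerprint, or use `url:` pointing at an https-hosted key file instead. `become: yes` is set on three tasks but not on `Ensure dirmngr is present for apt-key`, which will fail for an unprivileged connecting user; apply it uniformly or at play level.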
@@ -0,0 +1,27 @@ +--- +# https://help.ubuntu.com/lts/serverguide/apparmor.html.en + +- name: Ensure apparmor packages are present + package: + name: "{{ item }}" + state: present + with_items: + - apparmor + - apparmor-utils + - apparmor-profiles + +- name: Ensure apparmor profile is set + template: + src: apparmor-usr.bin.osqueryd.j2 + dest: /etc/apparmor.d/usr.bin.osqueryd + mode: '0600' + owner: root + backup: yes + notify: + - reload osqueryd apparmor profile + +- name: Apply apparmor profile for osquery + command: aa-complain /usr/bin/osqueryd + failed_when: false + +# Refine policy with `aa-logprof -f /var/log/syslog` diff --git a/osquery/roles/osquery/tasks/configure.yml b/osquery/roles/osquery/tasks/configure.yml new file mode 100644 index 00000000..9bfa0f69 --- /dev/null +++ b/osquery/roles/osquery/tasks/configure.yml 
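Review bot: `aa-complain /usr/bin/osqueryd` leaves the profile in complain mode, so the rules in `usr.bin.osqueryd` only log and never deny; that is reasonable while the policy is being refined (the trailing `aa-logprof` comment suggests so), but the task name `Apply apparmor profile for osquery` reads as if it enforces. A comment such as `# complain mode only: the profile logs but does not block until switched to aa-enforce` would make the posture explicit. The `command` also has no `changed_when`, so every run reports a change and the `changed=0` idempotence check in the Travis configs cannot pass; add `changed_when: false`.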
@@ -0,0 +1,123 @@ +--- + +- name: check if osquery is present + stat: path=/etc/osquery + register: hasOsquery +- block: + - name: ensure directories exist + file: + dest: "{{ item.d }}" + state: directory + mode: "{{ item.m }}" + with_items: + - { d: '/var/log/osquery', m: '0755' } + - name: push extra osquery packs file + template: + src: "{{ item }}.conf.j2" + dest: "/usr/share/osquery/packs/{{ item | basename }}.conf" + backup: yes + with_items: "{{ osquery_upload_packs }}" + notify: + - restart osquery + - debug: var=osquery_packs + - name: configure osquery + template: + src: "{{ osquery_template }}" + dest: /etc/osquery/osquery.conf + mode: '0644' + backup: yes + validate: 'osqueryi --config_path %s --config_check --verbose' +# validate: 'egrep -v '^\s*//' %s | tee /tmp/a | python -mjson.tool' + notify: + - restart osquery + - name: "ensure osquery var dir exists" + file: + state: "directory" + path: "/var/osquery" + - name: "express the osquery secret to disk" + lineinfile: + path: "/etc/osquery/osquery_enroll_secret" + line: "{{ osquery_enroll_secret }}" + state: present + owner: "root" + group: "root" + mode: "0600" + create: true + when: + - osquery_enroll_secret is defined + - name: configure osquery flags + template: + src: "osquery.flags.j2" + dest: /etc/osquery/osquery.flags + mode: '0644' + backup: yes + notify: + - restart osquery + - name: re-validate whole osquery config + command: 'osqueryi --config_path /etc/osquery/osquery.conf --config_check --verbose' + changed_when: false + register: confcheck + failed_when: "'error' in confcheck.stdout or 'fail' in confcheck.stdout" + - block: + - name: ensure logrotate package is present + package: + name: logrotate + state: present + - name: add logrotate configuration for osquery log + template: + src: logrotate-osquery.j2 + dest: /etc/logrotate.d/osquery + mode: '0644' + backup: yes + validate: 'logrotate -dv %s' + when: osquery_logrotate + - name: ensure service is enabled and started + service: 
name=osqueryd state=started enabled=yes + - set_fact: + monit_osqueryd: true + when: hasOsquery.stat.exists + +## FIXME! warnings like (from packs/incident-response.conf) +#virtual_table.cpp:484] The shell_history table returns data based on the current user by default, consider JOINing against the users table +# but still apply with +# SELECT s.uid,s.time,s.command,s.history_file FROM shell_history s JOIN users USING (uid) limit 10; + +- block: + - name: review inotify sysctl settings for osquery + sysctl: name="{{ item.n }}" value="{{ item.v }}" sysctl_set=yes state=present reload=yes + with_items: + - { n: 'fs.inotify.max_user_watches', v: '524288' } + - { n: 'fs.inotify.max_user_instances', v: '256' } + - { n: 'fs.inotify.max_queued_events', v: '32768' } + when: osquery_fim and not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker")) + +## ensure no auditd at the same time +## https://osquery.readthedocs.io/en/stable/deployment/process-auditing/ +- block: + - name: ensure auditd is not present + package: name="{{ _osquery_auditd_pkg }}" state=absent + when: osquery_process_auditing + +- name: get rsyslog version + command: "rsyslogd -v | awk -F'[ ,]' '/rsyslogd/ { print $2 }'" + environment: + PATH: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' + changed_when: false + register: rsyslog_v + +- block: + - name: setup rsyslog pipe for osquery communication + template: + src: osquery-rsyslog.conf.j2 + dest: /etc/rsyslog.d/90-osquery.conf + mode: '0644' + backup: yes + notify: + - restart rsyslog + when: osquery_rsyslog + +- include: syslog-target.yml + when: osquery_syslog_target != '' + +- include: selinux-end.yml + when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker")) and ansible_os_family == "RedHat" 
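Review bot: The `express the osquery secret to disk` task writes `osquery_enroll_secret` with `lineinfile` but has no `no_log: true`, so the enrollment secret is echoed in task output, `--diff` output and any Ansible log; add `no_log: true` next to `create: true`. `get rsyslog version` uses the `command` module with a pipe into `awk`, which `command` does not interpret (no shell), so rsyslogd receives `|` and the awk program as arguments; this needs `shell:`. When `osquery_process_auditing` is set, the block removes the `auditd` package outright, a host-wide change that also ends any existing audit logging; that side effect deserves a comment in `defaults/main.yml`, and stopping/disabling the service may be preferable to uninstalling it.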
diff --git a/osquery/roles/osquery/tasks/main.yml b/osquery/roles/osquery/tasks/main.yml new file mode 100644 index 00000000..a68320fa --- /dev/null +++ b/osquery/roles/osquery/tasks/main.yml @@ -0,0 +1,69 @@ +--- +# tasks file for osquery + +- name: Include distribution specific variables + include_vars: "{{ ansible_distribution }}.yml" + tags: + - osquery +- name: Include version-specific variables for RedHat + include_vars: "CentOS-{{ ansible_distribution_version.split('.')[0] }}.yml" + when: ansible_os_family == "RedHat" + +- include: CentOS.yml + when: ansible_os_family == "RedHat" + tags: + - osquery + +- include: Debian.yml + when: ansible_os_family == "Debian" + tags: + - osquery + +- block: + - name: Install osquery + package: + name: "{{ item }}" + state: present + with_items: "{{ osquery_packages }}" + tags: + - osquery + + - name: Install osquery debug packages + package: + name: "{{ item }}" + state: present + with_items: "{{ osquery_debug_packages }}" + when: osquery_debug_packages_install + tags: + - osquery + + - include: configure.yml + tags: + - osquery + - config + + - name: Enable service + service: name=osqueryd enabled={{ osquery_service_enable }} + tags: + - osquery + - service + - name: Start service + service: name=osqueryd state=started + when: osquery_service_enable + tags: + - osquery + - service + + - meta: flush_handlers + + - name: pause a bit to have few queries results + command: sleep 5 + changed_when: false + when: osquery_testing_pause or osquery_testing + + - include: testing.yml + when: osquery_testing + + - include: profiling.yml + when: osquery_profiling + when: ansible_os_family == "RedHat" or ansible_distribution == "Ubuntu" or ansible_distribution == "Debian" diff --git a/osquery/roles/osquery/tasks/profiling.yml b/osquery/roles/osquery/tasks/profiling.yml new file mode 100644 index 00000000..a0711f5d --- /dev/null +++ b/osquery/roles/osquery/tasks/profiling.yml 
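Review bot: `include_vars: "{{ ansible_distribution }}.yml"` runs unconditionally at the top, while the install block is guarded at the bottom by `when: ansible_os_family == "RedHat" or ansible_distribution == "Ubuntu" or ansible_distribution == "Debian"`; on any other distribution the play fails on the missing vars file before the guard is reached, so the guard never takes effect in practice. Either move the `when` onto the `include_vars` tasks or state in a comment that only those three are supported. `Enable service` and `Start service` duplicate the `ensure service is enabled and started` task in `configure.yml`, which this block includes just before them; one of the two can go.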
@@ -0,0 +1,27 @@ +--- + +- name: get source repository for profiling tools + git: + repo: https://github.com/facebook/osquery.git + dest: /root/osquery + +- name: ensure profiling dependencies are present - pkg + package: + name: "{{ item }}" + state: present + with_items: + - python-pip +- name: ensure profiling dependencies are present - pip + pip: + name: "{{ item }}" + state: present + with_items: + - psutil +- name: profiling + command: "./tools/analysis/profile.py --config {{ osquery_profiling_conf }} --shell /usr/bin/osqueryi --count 1 --rounds 4" + args: + chdir: /root/osquery + changed_when: false + register: perf +- debug: var=perf.stdout_lines + diff --git a/osquery/roles/osquery/tasks/selinux-end.yml b/osquery/roles/osquery/tasks/selinux-end.yml new file mode 100644 index 00000000..fd52e8ea --- /dev/null +++ b/osquery/roles/osquery/tasks/selinux-end.yml @@ -0,0 +1,10 @@ +--- + +- name: RedHat | Ensure selinux context is correctly set + command: "/sbin/restorecon -F -R -v {{ item }}" + with_items: + - /usr/bin/osqueryd + - /usr/lib/systemd/system/osqueryd.service + - /var/log/osquery + - /etc/osquery + - /usr/share/osquery/packs diff --git a/osquery/roles/osquery/tasks/selinux.yml b/osquery/roles/osquery/tasks/selinux.yml new file mode 100644 index 00000000..25a7d3f7 --- /dev/null +++ b/osquery/roles/osquery/tasks/selinux.yml 
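Review bot: The profiling run clones `facebook/osquery` at its default branch into `/root/osquery` and executes `./tools/analysis/profile.py` from it as root, so whatever is on upstream HEAD at run time runs with full privileges; pin it with `version: <tag-or-commit>` on the `git` task and pin `psutil` similarly (`name: "psutil==<version>"`). The `package` and `pip` tasks use `with_items` for a single entry each; passing the name directly is simpler.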
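Review bot: `restorecon -F -R -v` over five paths runs on every play through `command` with no `changed_when`, so the task always reports changed and breaks the idempotence run; either add `changed_when: false` or `register: restorecon` with `changed_when: restorecon.stdout != ''`, since `-v` prints a line only for files it actually relabels.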
@@ -0,0 +1,44 @@ +--- + +- name: Ensure selinux package are present + package: + name: "{{ item }}" + state: present + with_items: + - selinux-policy + - selinux-policy-devel + - setools-console + - libselinux-python + - policycoreutils-python + +- name: Ensure osquery directory exists + file: + dest: /etc/osquery + state: directory + mode: '0755' + +- name: Ensure osquery selinux policy is set + template: + src: "{{ item }}.j2" + dest: "/etc/osquery/{{ item }}" + mode: '0600' + owner: root + with_items: + - osquery.fc + - osquery.sh + - osquery.te + register: te + +# FIXME! +- name: Generate osquery policy file + command: sh -x ./osquery.sh + args: + chdir: /etc/osquery + when: te is changed + ignore_errors: true + +# `sepolicy generate -n osquery --init /usr/bin/osqueryd` = OK/base +# Refine policy with `audit2allow -i /var/log/audit/audit.log -M osquery` +# `semodule -i osquery.pp` +# FIXME! 'Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/osquery/cil:2' +# `/usr/libexec/selinux/hll/pp osquery.pp` diff --git a/osquery/roles/osquery/tasks/syslog-target.yml b/osquery/roles/osquery/tasks/syslog-target.yml new file mode 100644 index 00000000..6e15d6af --- /dev/null +++ b/osquery/roles/osquery/tasks/syslog-target.yml @@ -0,0 +1,19 @@ +--- + +- name: Ensure target syslog dir exists + file: + dest: "{{ item }}" + state: directory + mode: "{{ varlog_mode }}" + group: "{{ varlog_group }}" + with_items: "{{ osquery_syslog_dirs }}" + +- name: setup rsyslog to send osquery logs to a specific target + template: + src: rsyslog-osquery-target.conf.j2 + dest: /etc/rsyslog.d/30-osquery-target.conf + mode: '0644' + backup: yes + validate: 'rsyslogd -d -N 1 -f %s' + notify: + - restart rsyslog diff --git a/osquery/roles/osquery/tasks/testing.yml b/osquery/roles/osquery/tasks/testing.yml new file mode 100644 index 00000000..727f28a1 --- /dev/null +++ b/osquery/roles/osquery/tasks/testing.yml 
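Review bot: `Generate osquery policy file` carries `ignore_errors: true` under a `# FIXME!`, so when `osquery.sh` fails the host ends up without the osquery SELinux module and the play shows only an ignored error; at minimum `register` the result and `debug` its `stderr` so the gap is visible to whoever runs the role. The trailing comments describe `semodule -i osquery.pp` as a manual step; a comment stating whether `osquery.sh` performs it would help, since nothing else in the visible tasks loads the module.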
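Review bot: `varlog_mode` and `varlog_group` are used for the target log directory but are not defined in `defaults/main.yml` in this commit; if they come from `vars/<Distribution>.yml` (not visible here) a comment saying so would help, otherwise the task fails on an undefined variable. `validate: 'rsyslogd -d -N 1 -f %s'` turns on debug output on every run; `-N 1 -f %s` alone performs the config check.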
@@ -0,0 +1,40 @@ +--- + +- block: + - name: systemd | check service status + command: "systemctl status osqueryd -l" + changed_when: false + register: systemctl + - debug: var=systemctl.stdout_lines + when: ansible_service_mgr == "systemd" +- block: + - name: service | check service status + command: "service osqueryd status" + changed_when: false + register: service + - debug: var=service.stdout_lines + when: ansible_service_mgr != "systemd" + +- block: + - name: fallocate big file + command: "fallocate -l {{ osquery_testing_fim_load_bigger }} /etc/testing-big-file" + args: + creates: /etc/testing-big-file + - name: creation of many small files + command: "split -b {{ osquery_testing_fim_load_smaller }} /etc/testing-big-file testing-" + args: + chdir: /etc + creates: /etc/testing-big-aa + - name: clean up + shell: find /etc/ -name 'testing-*' -exec rm {} \; + ignore_errors: true +# more diverse load? openssl speed, stress... + - name: retrieve log results + command: "{{ item }}" + with_items: + - head -20 /var/log/osquery/osqueryd.results.log + - tail -20 /var/log/osquery/osqueryd.results.log + ignore_errors: true + changed_when: false + register: log + when: osquery_testing_fim_load diff --git a/osquery/roles/osquery/templates/apparmor-usr.bin.osqueryd.j2 b/osquery/roles/osquery/templates/apparmor-usr.bin.osqueryd.j2 new file mode 100644 index 00000000..6b3e193a --- /dev/null +++ b/osquery/roles/osquery/templates/apparmor-usr.bin.osqueryd.j2 
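Review bot: The FIM load test creates `/etc/testing-big-file` and `split`s it into many `testing-*` files directly in `/etc`, then removes them with `find /etc/ -name 'testing-*' -exec rm {} \;`; generating the load under a dedicated directory such as `/etc/osquery-fim-test/` (added to `osquery_fim_filepaths` for the test) keeps the test from creating or deleting unrelated files in `/etc` whose names happen to match. The `clean up` task has `ignore_errors: true` and no `changed_when`, so it reports changed on every run.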
@@ -0,0 +1,34 @@ +#include + +/usr/bin/osqueryd { + #include + #include + #include + + /etc/host.conf r, + /etc/hosts r, + /etc/nsswitch.conf r, + /etc/osquery/osquery.conf r, + /etc/osquery/osquery.flags r, + /proc/** rw, + /proc/cpuinfo r, + /root/osqueryd.*.root.log.ERROR.* w, + /root/osqueryd.*.root.log.INFO.* w, + /root/osqueryd.*.root.log.WARNING.* w, + /run/osqueryd.pidfile w, + /run/resolvconf/resolv.conf r, + /run/utmp r, + /sys/devices/** r, + /sys/firmware/dmi/tables/DMI r, + /tmp/* w, + /tmp/user/0/osqueryd.*.root.log.ERROR.* w, + /tmp/user/0/osqueryd.*.root.log.INFO.* w, + /tmp/user/0/osqueryd.*.root.log.WARNING.* w, + /usr/bin/osqueryd Px, + /usr/share/osquery/packs/* r, + /var/log/osquery/* w, + /var/osquery/osquery.db/ rw, + /var/osquery/osquery.db/* rw, + /var/tmp/* rw, + +} diff --git a/osquery/roles/osquery/templates/logrotate-osquery.j2 b/osquery/roles/osquery/templates/logrotate-osquery.j2 new file mode 100644 index 00000000..50de37bd --- /dev/null +++ b/osquery/roles/osquery/templates/logrotate-osquery.j2 
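Review bot: `/proc/** rw` grants the daemon write access to the whole of procfs, including `/proc/sys/**`, which is far wider than an inventory agent needs; `/proc/** r,` plus explicit entries for whatever it must write keeps the profile meaningful once it moves from complain to enforce. `/tmp/* w` and `/var/tmp/* rw` similarly let the daemon write anywhere in the shared temp directories. The `#include` directives at the top and inside the profile show no argument in this view; if the `<tunables/global>` / `<abstractions/...>` targets were lost in rendering this is fine, otherwise the profile will not parse.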
@@ -0,0 +1,39 @@ +{{ ansible_managed | comment('plain', decoration='## ') }} +## /etc/logrotate.d/osquery +/var/log/osquery/osqueryd.results.log { + rotate {{ osquery_logrotate_days|int }} + daily + missingok + notifempty + delaycompress + compress + create 640 root adm + sharedscripts +} +{% if osquery_syslog_target is defined and osquery_syslog_target != '' and '/var/log/' in osquery_syslog_target %} +{{ osquery_syslog_target }} { + rotate {{ osquery_logrotate_days|int }} + daily + missingok + notifempty + delaycompress + compress + create 640 root adm + sharedscripts + # Ubuntu: parent directory has insecure permissions (It's world writable or writable by group which is not "root") + su root {{ osquery_syslog_dir_group | default(varlog_group) }} +} +{% endif %} +{% if osquery_syslog_target2 is defined and osquery_syslog_target2 != '' and '/var/log/' in osquery_syslog_target2 %} +{{ osquery_syslog_target2 }} { + rotate {{ osquery_logrotate_days|int }} + daily + missingok + notifempty + delaycompress + compress + create 640 root adm + sharedscripts + su root {{ osquery_syslog_dir_group2 | default(varlog_group) }} +} +{% endif %} diff --git a/osquery/roles/osquery/templates/osquery-monitoring2-pack.conf.j2 b/osquery/roles/osquery/templates/osquery-monitoring2-pack.conf.j2 new file mode 100644 index 00000000..64e3c92d --- /dev/null +++ b/osquery/roles/osquery/templates/osquery-monitoring2-pack.conf.j2 
@@ -0,0 +1,24 @@ +{ + "queries": { + "osquery_extensions": { + "query": "select * from osquery_extensions;", + "interval": 900, + "description": "List of active osquery extensions." + }, + "osquery_flags": { + "query": "select * from osquery_flags;", + "interval": 900, + "description": "Configurable flags that modify osquery's behavior." + }, + "osquery_packs": { + "query": "select * from osquery_packs;", + "interval": 900, + "description": "Information about the current query packs that are loaded in osquery." + }, + "osquery_registry": { + "query": "select * from osquery_registry;", + "interval": 900, + "description": "List the osquery registry plugins." + } + } +} diff --git a/osquery/roles/osquery/templates/osquery-rsyslog.conf.j2 b/osquery/roles/osquery/templates/osquery-rsyslog.conf.j2 new file mode 100644 index 00000000..9c20aa1d --- /dev/null +++ b/osquery/roles/osquery/templates/osquery-rsyslog.conf.j2 @@ -0,0 +1,6 @@ +template( + name="OsqueryCsvFormat" + type="string" + string="%timestamp:::date-rfc3339,csv%,%hostname:::csv%,%syslogseverity:::csv%,%syslogfacility-text:::csv%,%syslogtag:::csv%,%msg:::csv%\n" +) +*.* action(type="ompipe" Pipe="/var/osquery/syslog_pipe" template="OsqueryCsvFormat") diff --git a/osquery/roles/osquery/templates/osquery-snapshots-pack.conf.j2 b/osquery/roles/osquery/templates/osquery-snapshots-pack.conf.j2 new file mode 100755 index 00000000..6b2fdf09 --- /dev/null +++ b/osquery/roles/osquery/templates/osquery-snapshots-pack.conf.j2 
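Review bot: `*.* action(type="ompipe" Pipe="/var/osquery/syslog_pipe" ...)` forwards every syslog message, `auth`/`authpriv` included, into the pipe; the visible defaults leave `osquery_logger_plugin` at `filesystem` and set no syslog-ingest flag, so if osqueryd is not reading the pipe (it needs `--enable_syslog`) rsyslog can stall on a full pipe or drop output. Confirm the flag is set in `osquery.flags.j2` when `osquery_rsyslog` is true, or narrow the selector to the facilities osquery should see. Since authentication logs flow through it, the pipe should also be created with restrictive permissions.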
@@ -0,0 +1,183 @@ +{ + "queries": { + "authorized_keys": { + "query" : "select authorized_keys.* from users join authorized_keys using (uid);", + "description" : "Info on authorized keys", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "user_ssh_keys": { + "query" : "select user_ssh_keys.* from users join user_ssh_keys using (uid);", + "description" : "info on user ssh keys", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "cpuid": { + "query" : "select * from cpuid;", + "description" : "Useful CPU features from the cpuid ASM call.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "dns_resolvers": { + "query" : "select * from dns_resolvers;", + "description" : "check DNS resolvers", + "interval" : "{{ osquery_snapshot_interval2 }}", + "snapshot": true + }, + "known_hosts": { + "query" : "select known_hosts.* from users join known_hosts using (uid);", + "description" : "line-delimited known_hosts table", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "sudoers": { + "query" : "select * from sudoers;", + "description" : "Retrieves all the information for sudoers.", + "interval" : "{{ osquery_snapshot_interval2 }}", + "snapshot": true + }, + "groups": { + "query" : "select * from groups;", + "description" : "Retrieves groups info.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "interface_addresses": { + "query" : "select * from interface_addresses;", + "description" : "Retrieves interface addresses.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "interface_details": { + "query" : "select * from interface_details;", + "description" : "Retrieves interface details.", + "interval" : "{{ osquery_snapshot_interval2 }}", + "snapshot": true + }, + "iptables": { + "query" : "select * from iptables;", + "description" : "Linux IP packet filtering and NAT tool.", + "interval" : "{{ osquery_snapshot_interval 
}}", + "snapshot": true + }, + "fileless_process": { + "query" : "SELECT name, path, pid FROM processes WHERE on_disk = 0;", + "description" : "Retrieves interface details.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "processes": { + "query": "SELECT pid, name, path, cmdline from processes;", + "description": "Retrieve list of processes", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "process_binding_to_ports": { + "query" : "select DISTINCT process.name, listening.port, process.pid FROM processes as process JOIN listening_ports AS listening ON process.pid=listening.pid;", + "description" : "Retrieves the list of processes bound to listening ports.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "python_packages": { + "query" : "select * FROM python_packages;", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true, + "description" : "Python packages installed in a system" + }, + "arp_anomalies": { + "query" : "SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac HAVING count(mac) > 1;", + "description" : "Retrieves interface details.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "crontab": { + "query" : "select * from crontab;", + "version" : "1.4.5", + "description" : "Retrieves all the jobs scheduled in crontab in the target system.", + "value" : "Identify malware that uses this persistence mechanism to launch at a given interval", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "kernel_info": { + "query" : "select * from kernel_info;", + "platform" : "linux", + "description" : "Basic active kernel information.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "kernel_integrity": { + "query" : "select * from kernel_integrity;", + "platform" : "linux", + "description" : "Various Linux kernel integrity checked attributes.", + "interval" : "{{ 
osquery_snapshot_interval }}", + "snapshot": true + }, + "kernel_modules": { + "query" : "select * from kernel_modules;", + "platform" : "linux", + "version" : "1.4.5", + "description" : "Retrieves all the information for the current kernel modules in the target Linux system.", + "value" : "Identify malware that has a kernel module component.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "kernel_panics": { + "query" : "select * from kernel_panics;", + "platform" : "linux", + "description" : "System kernel panic logs.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "etc_hosts": { + "query" : "select * from etc_hosts;", + "version" : "1.4.5", + "description" : "Retrieves all the entries in the target system /etc/hosts file.", + "value" : "Identify network communications that are being redirected. Example: identify if security logging has been disabled", + "interval" : "{{ osquery_snapshot_interval2 }}", + "snapshot": true + }, + "os_version": { + "query" : "select os_version.* from users join os_version using (uid);", + "description" : "A single row containing the operating system name and version.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "platform_info": { + "query" : "select * from platform_info;", + "description" : "Information about EFI/UEFI/ROM and platform/boot.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "suid_bin": { + "query" : "select * from suid_bin;", + "version" : "1.4.5", + "description" : "Retrieves all the files in the target system that are setuid enabled.", + "value" : "Detect backdoor binaries (attacker may drop a copy of /bin/sh). 
Find potential elevation points / vulnerabilities in the standard build.", + "interval" : "{{ osquery_snapshot_interval2 }}", + "snapshot": true + }, + "system_controls": { + "query": "select * from system_controls;", + "interval" : "{{ osquery_snapshot_interval2 }}", + "snapshot": true, + "platform": "all", + "description": "sysctl names, values, and settings information" + }, + "system_info": { + "query" : "select * from system_info;", + "description" : "System information for identification.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "rpm_packages": { + "query" : "select * from rpm_packages;", + "platform" : "redhat,centos", + "version" : "1.4.5", + "description" : "Retrieves all the installed RPM packages in the target Linux system.", + "value" : "General security posture.", + "interval" : "{{ osquery_snapshot_interval2 }}", + "snapshot": true + } + } +} + diff --git a/osquery/roles/osquery/templates/osquery.conf.j2 b/osquery/roles/osquery/templates/osquery.conf.j2 new file mode 100644 index 00000000..2db9130c --- /dev/null +++ b/osquery/roles/osquery/templates/osquery.conf.j2 
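Review bot: The `os_version` entry joins `users` and `os_version` `using (uid)`, but `os_version` has no `uid` column, so the statement fails to prepare and that snapshot is never collected; it looks copy-pasted from the `authorized_keys`/`known_hosts` entries, where the per-user join is correct. Change it to `"query" : "select * from os_version;"`. The descriptions of `fileless_process` and `arp_anomalies` are also copy-pasted ("Retrieves interface details.") and should say what the query detects, e.g. `"description" : "Processes whose executable is no longer present on disk."` and `"description" : "MAC addresses answering for more than one IP in the ARP cache (possible spoofing)."`.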
@@ -0,0 +1,143 @@
+{{ ansible_managed | comment('c')}}
+{
+ // Configure the daemon below:
+ "options": {
+ // Select the osquery config plugin.
+ "config_plugin": "{{ osquery_config_plugin }}",
+
+ // Select the osquery logging plugin.
+ "logger_plugin": "{{ osquery_logger_plugin }}",
+
+ // The log directory stores info, warning, and errors.
+ // If the daemon uses the 'filesystem' logging retriever then the log_dir
+ // will also contain the query results.
+ //"logger_path": "/var/log/osquery",
+
+ // Set 'disable_logging' to true to prevent writing any info, warning, error
+ // logs. If a logging plugin is selected it will still write query results.
+ //"disable_logging": "false",
+
+ // Query differential results are logged as change-events to assist log
+ // aggregation operations like searching and transactons.
+ // Set 'log_results_events' to log differentials as transactions.
+ //"log_result_events": "true",
+
+ // Splay the scheduled interval for queries.
+ // This is very helpful to prevent system performance impact when scheduling
+ // large numbers of queries that run a smaller or similar intervals.
+ "schedule_splay_percent": "10",
+
+ // Write the pid of the osqueryd process to a pidfile/mutex.
+ //"pidfile": "/var/osquery/osquery.pidfile",
+
+ // Clear events from the osquery backing store after a number of seconds.
+ "events_expiry": "3600",
+
+ // A filesystem path for disk-based backing storage used for events and
+ // query results differentials. See also 'use_in_memory_database'.
+ //"database_path": "/var/osquery/osquery.db",
+
+ // Comma-delimited list of table names to be disabled.
+ // This allows osquery to be launched without certain tables.
+ //"disable_tables": "foo_bar,time",
+
+ // Enable debug or verbose debug output when logging.
+ "verbose": "false",
+
+ // The number of threads for concurrent query schedule execution.
+ "worker_threads": "2", + + // Enable schedule profiling, this will fill in averages and totals for + // system/user CPU time and memory for every query in the schedule. + // Add a query: "select * from osquery_schedule" to record the performances. + "enable_monitor": "true", + + "logger_snapshot_event_type": "true" + }, + + // Define a schedule of queries: + "schedule": { + // This is a simple example query that outputs basic system information. + "system_info": { + // The exact query to run. + "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;", + // The interval in seconds to run this query, not an exact interval. +{% if osquery_testing or osquery_testing_pause %} + "interval": 10 +{% else %} + "interval": 3600 +{% endif %} + }{% if osquery_fim or osquery_process_auditing %},{% endif %} + +{% if osquery_fim %} + "fim" : { +// "query": "select target_path, category, time, action from file_events;", + "query": "select * from file_events;", + "removed": false, + "interval": {% if osquery_testing_fim_load %}30{% else %}{{ osquery_fim_interval }}{% endif %} + }{% if osquery_process_auditing %},{% endif %} + +{% endif %} + +{% if osquery_process_auditing %} + "process_events":{ + "query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';", + "interval": {{ osquery_process_interval }} + }, + "socket_events":{ + "query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');", + 
"interval": {{ osquery_socket_interval }} + } +{% endif %} + }, + +{% if osquery_fim %} + "file_paths": { +{% for item in osquery_fim_filepaths %} + "{{ item.name }}": [ +{% for entry in item.list %} + "{{ entry }}"{% if not loop.last %},{% endif %} + +{% endfor %} + ]{% if not loop.last %},{% endif %} + +{% endfor %} + }, + "exclude_paths": { +{% for item in osquery_fim_excludepaths %} + "{{ item.name }}": [ +{% for entry in item.list %} + "{{ entry }}"{% if not loop.last %},{% endif %} + +{% endfor %} + ]{% if not loop.last %},{% endif %} + +{% endfor %} + }, + +{% endif %} + // Decorators are normal queries that append data to every query. + "decorators": { + "load": [ + "SELECT uuid AS host_uuid FROM system_info;", + "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;" + ] + }, + + // Add default osquery packs or install your own. + // + // There are several 'default' packs installed with 'make install' or via + // packages and/or Homebrew. + // + // Linux: /usr/share/osquery/packs + // OS X: /var/osquery/packs + // Homebrew: /usr/local/share/osquery/packs + // make install: {PREFIX}/share/osquery/packs + // + "packs": { +{% for item in osquery_packs %} + "{{ item }}": "/usr/share/osquery/packs/{{ item }}.conf"{% if not loop.last %},{% endif %} + +{% endfor %} + } +} diff --git a/osquery/roles/osquery/templates/osquery.fc.j2 b/osquery/roles/osquery/templates/osquery.fc.j2 new file mode 100644 index 00000000..27729fe6 --- /dev/null +++ b/osquery/roles/osquery/templates/osquery.fc.j2 
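Review bot: The `process_events` query drops the whole row when `cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%'` fails, so anyone who puts `secret` — or, since `_` is a single-character LIKE wildcard, nearly any string containing `key` — in their command line is excluded from process auditing entirely, an attacker-controllable blind spot in the one table meant to catch them. If the goal is to keep credentials out of the log, redact the field instead of suppressing the event: `SELECT auid, CASE WHEN cmdline LIKE '%_key%' OR cmdline LIKE '%secret%' THEN '<redacted>' ELSE cmdline END AS cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN (...)`, keeping the existing path exclusions. The `socket_events` filter likewise silences `169.254.169.254`; on a cloud host that is the metadata/credential endpoint, so those connections are worth keeping visible rather than treating them as noise.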
@@ -0,0 +1,6 @@
+/usr/bin/osqueryd -- gen_context(system_u:object_r:osquery_exec_t,s0)
+/etc/osquery(/.*)? -- gen_context(system_u:object_r:osquery_conf_t,s0)
+/usr/share/osquery/packs(/.*)? -- gen_context(system_u:object_r:osquery_conf_t,s0)
+/var/log/osquery(/.*)? -- gen_context(system_u:object_r:osquery_log_t,s0)
+/var/osquery/osquery.em -- gen_context(system_u:object_r:osquery_sock_t,s0)
+/usr/lib/systemd/system/osqueryd.service -- gen_context(system_u:object_r:osquery_unit_file_t,s0)
diff --git a/osquery/roles/osquery/templates/osquery.flags.j2 b/osquery/roles/osquery/templates/osquery.flags.j2
new file mode 100644
index 00000000..d3fb2ce0
--- /dev/null
+++ b/osquery/roles/osquery/templates/osquery.flags.j2
@@ -0,0 +1,16 @@
+--pidfile=/var/run/osqueryd.pid
+{% for flag in osquery_flags %}
+{{ flag }}
+{% endfor %}
+{% if osquery_process_auditing %}
+--disable_audit=false
+--audit_allow_config=true
+--audit_persist=true
+--audit_allow_sockets
+{% endif %}
+{% if osquery_rsyslog %}
+--enable_syslog
+{% endif %}
+{% if osquery_syslog_target != '' and osquery_syslog_target_facility_osqueryconf != '' %}
+--logger_syslog_facility={{ osquery_syslog_target_facility_osqueryconf }}
+{% endif %}
diff --git a/osquery/roles/osquery/templates/osquery.sh.j2 b/osquery/roles/osquery/templates/osquery.sh.j2
new file mode 100644
index 00000000..dd756f45
--- /dev/null
+++ b/osquery/roles/osquery/templates/osquery.sh.j2
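Review bot: Every spec in osquery.fc.j2 uses the `--` regular-file specifier, so `/etc/osquery(/.*)?`, `/usr/share/osquery/packs(/.*)?` and `/var/log/osquery(/.*)?` label only regular files and leave the directories themselves (and any symlinks under them) at their default types, while `/var/osquery/osquery.em` is a socket that `--` can never match — which is consistent with the "osquery.em is mislabeled" note audit2allow left in the generated osquery.te.j2 further down. Drop the `--` on the three directory patterns so every object class under them gets the type, and give the extension socket the socket specifier: `/var/osquery/osquery.em -s gen_context(system_u:object_r:osquery_sock_t,s0)`. Without the directory labels, osqueryd running as osquery_t will need extra rules against var_log_t/etc_t to create its files, which is presumably where some of the generated allow rules came from.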
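Review bot: The last conditional in osquery.flags.j2 compares `osquery_syslog_target` and `osquery_syslog_target_facility_osqueryconf` to `''` without an `is defined` guard, unlike the logrotate template in the same change, so rendering fails with an undefined-variable error on hosts that never set a syslog target unless the role defaults both (not visible here). Use the same guard: `{% if osquery_syslog_target is defined and osquery_syslog_target != '' and osquery_syslog_target_facility_osqueryconf is defined and osquery_syslog_target_facility_osqueryconf != '' %}`. Because `osquery_flags` is emitted verbatim before the audit flags, a user-supplied `--disable_audit=true` in that list is presumably overridden by the later `--disable_audit=false`; a comment above the loop stating that the audit and syslog flags below take precedence would save someone a confusing debugging session.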
@@ -0,0 +1,61 @@
+#!/bin/sh -e
+
+DIRNAME=`dirname $0`
+cd $DIRNAME
+USAGE="$0 [ --update ]"
+if [ `id -u` != 0 ]; then
+echo 'You must be root to run this script'
+exit 1
+fi
+
+if [ $# -eq 1 ]; then
+ if [ "$1" = "--update" ] ; then
+ time=`ls -l --time-style="+%x %X" osquery.te | awk '{ printf "%s %s", $6, $7 }'`
+ rules=`ausearch --start $time -m avc --raw -se osquery`
+ if [ x"$rules" != "x" ] ; then
+ echo "Found avc's to update policy with"
+ echo -e "$rules" | audit2allow -R
+ echo "Do you want these changes added to policy [y/n]?"
+ read ANS
+ if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
+ echo "Updating policy"
+ echo -e "$rules" | audit2allow -R >> osquery.te
+ # Fall though and rebuild policy
+ else
+ exit 0
+ fi
+ else
+ echo "No new avcs found"
+ exit 0
+ fi
+ else
+ echo -e $USAGE
+ exit 1
+ fi
+elif [ $# -ge 2 ] ; then
+ echo -e $USAGE
+ exit 1
+fi
+
+echo "Building and Loading Policy"
+set -x
+make -f /usr/share/selinux/devel/Makefile osquery.pp || exit
+/usr/sbin/semodule -i osquery.pp
+
+# Generate a man page off the installed module
+sepolicy manpage -p . -d osquery_t
+# Fixing the file context on /usr/bin/osqueryd
+/sbin/restorecon -F -R -v /usr/bin/osqueryd
+# Fixing the file context on /usr/lib/systemd/system/osqueryd.service
+/sbin/restorecon -F -R -v /usr/lib/systemd/system/osqueryd.service
+# Fixing the file context on /var/log/osquery
+/sbin/restorecon -F -R -v /var/log/osquery
+/sbin/restorecon -F -R -v /etc/osquery
+/sbin/restorecon -F -R -v /usr/share/osquery/packs
+
+
+# Generate a rpm package for the newly generated policy
+
+pwd=$(pwd)
+#rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba osquery_selinux.spec
+
diff --git a/osquery/roles/osquery/templates/osquery.te.j2 b/osquery/roles/osquery/templates/osquery.te.j2
new file mode 100644
index 00000000..1027034d
--- /dev/null
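Review bot: The `restorecon` list at the end of osquery.sh.j2 covers the binary, the unit file, `/var/log/osquery`, `/etc/osquery` and the packs directory but not `/var/osquery`, where osquery.fc.j2 places the `osquery_sock_t` extension socket, so that label is never applied after the module loads; add `/sbin/restorecon -F -R -v /var/osquery` alongside the others. The `--update` path feeds every AVC since the policy's mtime through `audit2allow -R` and appends the output to osquery.te after a single yes/no prompt with no way to drop individual rules — this is how a domain ends up with grants like `self:capability { dac_override sys_rawio }` and lvm metadata writes, as seen in the generated policy below — so a comment above that block warning that each appended rule must be reviewed (and that `audit2allow -w` shows when a boolean would do instead) belongs there. Note also that under `#!/bin/sh` the `echo -e` calls are not portable (dash prints a literal `-e`); `printf '%s\n' "$rules"` is the safe form.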
+++ b/osquery/roles/osquery/templates/osquery.te.j2 
@@ -0,0 +1,674 @@ +module osquery 1.0; + +require { + type osquery_t; + type osquery_conf_t; + type osquery_unit_file_t; + + type insmod_exec_t; + type home_root_t; + type gssd_exec_t; + type udev_exec_t; + type sound_device_t; + type setsebool_exec_t; + type proc_t; + type unconfined_service_t; + type netutils_exec_t; + type load_policy_exec_t; + type memory_device_t; + type tmp_t; + type gpg_exec_t; + type autofs_device_t; + type systemd_hwdb_exec_t; + type tcpd_exec_t; + type gssproxy_exec_t; + type showmount_exec_t; + type rsync_exec_t; + type crond_unit_file_t; + type udev_rules_t; + type systemd_logind_t; + type setfiles_exec_t; + type sshd_keygen_exec_t; + type chronyd_exec_t; + type xserver_etc_t; + type crond_t; + type tun_tap_device_t; + type default_context_t; + type anacron_exec_t; + type virt_qemu_ga_exec_t; + type auditd_t; + type syslogd_t; + type NetworkManager_t; + type sysctl_t; + type pppd_etc_t; + type consolehelper_exec_t; + type userhelper_conf_t; + type systemd_systemctl_exec_t; + type postfix_pickup_exec_t; + type syslog_conf_t; + type systemd_unit_file_t; + type tuned_exec_t; + type plymouthd_exec_t; + type vlock_exec_t; + type systemd_passwd_agent_exec_t; + type pinentry_exec_t; + type passwd_exec_t; + type dmidecode_exec_t; + type systemd_notify_exec_t; + type hwclock_exec_t; + type firewalld_etc_rw_t; + type crack_exec_t; + type postfix_qmgr_t; + type sulogin_exec_t; + type netcontrol_device_t; + type rpcd_unit_file_t; + type auditd_exec_t; + type crontab_exec_t; + type crash_device_t; + type exports_t; + type event_device_t; + type cgroup_t; + type loadkeys_exec_t; + type postfix_qmgr_exec_t; + type pam_timestamp_exec_t; + type random_device_t; + type initrc_exec_t; + type hugetlbfs_t; + type lvm_unit_file_t; + type dmesg_exec_t; + type proc_mdstat_t; + type mouse_device_t; + type nfsd_exec_t; + type slapd_cert_t; + type login_exec_t; + type usbmon_device_t; + type ldconfig_exec_t; + type initctl_t; + type debuginfo_exec_t; + type 
postfix_pickup_t; + type updpwd_exec_t; + type oddjob_mkhomedir_exec_t; + type irqbalance_exec_t; + type proc_kmsg_t; + type gssproxy_t; + type postfix_etc_t; + type init_exec_t; + type postfix_spool_t; + type var_run_t; + type mtrr_device_t; + type hypervvssd_exec_t; + type hostname_exec_t; + type system_cron_spool_t; + type sshd_key_t; + type proc_kcore_t; + type dbusd_exec_t; + type plymouth_exec_t; + type tuned_rw_etc_t; + type pppd_exec_t; + type pam_console_exec_t; + type adjtime_t; + type chronyc_exec_t; + type auditd_unit_file_t; + type fuse_device_t; + type userhelper_exec_t; + type tuned_etc_t; + type systemd_logind_exec_t; + type var_log_t; + type init_t; + type pppd_initrc_exec_t; + type fs_t; + type systemd_tmpfiles_exec_t; + type user_home_dir_t; + type lvm_etc_t; + type chronyd_t; + type dbusd_etc_t; + type etc_aliases_t; + type auditctl_exec_t; + type usernetctl_exec_t; + type clock_device_t; + type traceroute_exec_t; + type sshd_t; + type mdadm_exec_t; + type initrc_var_run_t; + type mount_exec_t; + type scsi_generic_device_t; + type vhost_device_t; + type uhid_device_t; + type ifconfig_exec_t; + type device_t; + type namespace_init_exec_t; + type lvm_exec_t; + type checkpolicy_exec_t; + type rpm_script_tmp_t; + type user_tmp_t; + type unlabeled_t; + type sshd_unit_file_t; + type policykit_exec_t; + type modules_conf_t; + type chfn_exec_t; + type dhcp_etc_t; + type logrotate_exec_t; + type getty_unit_file_t; + type selinux_config_t; + type ppp_device_t; + type ssh_keygen_exec_t; + type cupsd_rw_etc_t; + type authconfig_exec_t; + type ssh_exec_t; + type rpcbind_t; + type audisp_exec_t; + type chronyd_keys_t; + type dri_device_t; + type rpm_exec_t; + type getty_t; + type virt_qemu_ga_unconfined_exec_t; + type NetworkManager_exec_t; + type user_fonts_t; + type rpc_pipefs_t; + type ping_exec_t; + type gpg_agent_exec_t; + type su_exec_t; + type firewalld_exec_t; + type getty_exec_t; + type quota_exec_t; + type devpts_t; + type nvram_device_t; + type 
cpu_device_t; + type rpcbind_exec_t; + type NetworkManager_etc_rw_t; + type unconfined_t; + type NetworkManager_initrc_exec_t; + type sshd_exec_t; + type udev_t; + type rpcd_exec_t; + type fixed_disk_device_t; + type selinux_login_config_t; + type sysctl_irq_t; + type ptmx_t; + type ssh_agent_exec_t; + type NetworkManager_unit_file_t; + type binfmt_misc_fs_t; + type semanage_store_t; + type framebuf_device_t; + type udev_var_run_t; + type rdisc_exec_t; + type NetworkManager_etc_t; + type rsync_etc_t; + type postfix_postdrop_exec_t; + type tuned_t; + type wtmp_t; + type dhcpc_exec_t; + type useradd_exec_t; + type dhcpc_t; + type sudo_exec_t; + type vfio_device_t; + type thumb_exec_t; + type crond_exec_t; + type bootloader_etc_t; + type sysfs_t; + type postfix_postqueue_exec_t; + type postfix_map_exec_t; + type admin_passwd_exec_t; + type apm_bios_t; + type policykit_t; + type iptables_exec_t; + type semanage_exec_t; + type journalctl_exec_t; + type lvm_control_t; + type lvm_t; + type screen_exec_t; + type auditd_etc_t; + type xserver_misc_device_t; + type fsadm_exec_t; + type bootloader_exec_t; + type system_cronjob_t; + type syslogd_exec_t; + type system_dbusd_t; + type lvm_lock_t; + type user_cron_spool_t; + type kmsg_device_t; + type mysqld_etc_t; + type pppd_etc_rw_t; + type configfs_t; + type proc_net_t; + type postfix_master_exec_t; + type shadow_t; + type sendmail_exec_t; + type loop_control_device_t; + type kernel_t; + type var_t; + type pstore_t; + type chkpwd_exec_t; + type groupadd_exec_t; + type debugfs_t; + type hypervkvp_exec_t; + type postfix_master_t; + type sysctl_fs_t; + type blkmapd_exec_t; + type nfsd_unit_file_t; + type ssh_home_t; + type systemd_hwdb_etc_t; + type mandb_exec_t; + type tmpfs_t; + type lvm_metadata_t; + type policykit_auth_exec_t; + type chronyd_unit_file_t; + type print_spool_t; + type rpcbind_var_lib_t; + class fifo_file getattr; + class process setsched; + class unix_stream_socket connectto; + class 
netlink_kobject_uevent_socket { bind create getattr setopt }; + class chr_file { getattr ioctl open read write }; + class capability { dac_override sys_rawio sys_ptrace }; + class file { append create getattr lock open read relabelto rename setattr unlink write }; + class filesystem getattr; + class sock_file { create getattr unlink write }; + class lnk_file { create getattr read unlink }; + class blk_file { getattr ioctl open read }; + class dir { add_name getattr open read remove_name search setattr write }; +} + +#============= osquery_t ============== +allow osquery_t NetworkManager_etc_rw_t:dir { getattr open read }; +allow osquery_t NetworkManager_etc_rw_t:file getattr; +allow osquery_t NetworkManager_etc_t:dir { getattr open read }; +allow osquery_t NetworkManager_exec_t:file getattr; +allow osquery_t NetworkManager_initrc_exec_t:dir { getattr open read }; +allow osquery_t NetworkManager_initrc_exec_t:file getattr; +allow osquery_t NetworkManager_t:dir { getattr open read search }; +allow osquery_t NetworkManager_t:file { getattr open read }; + +allow osquery_t NetworkManager_t:lnk_file { getattr read }; +allow osquery_t NetworkManager_unit_file_t:file getattr; +allow osquery_t adjtime_t:file getattr; +allow osquery_t admin_passwd_exec_t:file getattr; +allow osquery_t anacron_exec_t:file getattr; +allow osquery_t apm_bios_t:chr_file getattr; +allow osquery_t audisp_exec_t:file getattr; +allow osquery_t auditctl_exec_t:file getattr; +allow osquery_t auditd_etc_t:dir { getattr open read }; +allow osquery_t auditd_etc_t:file getattr; +allow osquery_t auditd_exec_t:file getattr; +allow osquery_t auditd_t:dir { getattr open read search }; +allow osquery_t auditd_t:file { getattr open read }; + +allow osquery_t auditd_t:lnk_file { getattr read }; +allow osquery_t auditd_unit_file_t:file getattr; +allow osquery_t authconfig_exec_t:file getattr; +allow osquery_t autofs_device_t:chr_file getattr; +allow osquery_t binfmt_misc_fs_t:filesystem getattr; +allow osquery_t 
blkmapd_exec_t:file getattr; +allow osquery_t bootloader_etc_t:file getattr; +allow osquery_t bootloader_exec_t:file getattr; +allow osquery_t cgroup_t:filesystem getattr; +allow osquery_t checkpolicy_exec_t:file getattr; +allow osquery_t chfn_exec_t:file getattr; +allow osquery_t chkpwd_exec_t:file getattr; +allow osquery_t chronyc_exec_t:file getattr; +allow osquery_t chronyd_exec_t:file getattr; +allow osquery_t chronyd_keys_t:file getattr; +allow osquery_t chronyd_t:dir { getattr open read search }; +allow osquery_t chronyd_t:file { getattr open read }; + +allow osquery_t chronyd_t:lnk_file { getattr read }; +allow osquery_t chronyd_unit_file_t:file getattr; +allow osquery_t clock_device_t:chr_file getattr; +allow osquery_t configfs_t:filesystem getattr; +allow osquery_t consolehelper_exec_t:file getattr; +allow osquery_t cpu_device_t:chr_file getattr; +allow osquery_t crack_exec_t:file getattr; +allow osquery_t crash_device_t:chr_file getattr; +allow osquery_t crond_exec_t:file getattr; +allow osquery_t crond_t:dir { getattr open read search }; +allow osquery_t crond_t:file { getattr open read }; + +allow osquery_t crond_t:lnk_file { getattr read }; +allow osquery_t crond_unit_file_t:file getattr; +allow osquery_t crontab_exec_t:file getattr; +allow osquery_t cupsd_rw_etc_t:file getattr; +allow osquery_t dbusd_etc_t:dir { getattr open read }; +allow osquery_t dbusd_etc_t:file getattr; +allow osquery_t dbusd_exec_t:file getattr; +allow osquery_t debugfs_t:filesystem getattr; +allow osquery_t debuginfo_exec_t:file getattr; +allow osquery_t default_context_t:dir read; +allow osquery_t default_context_t:file getattr; + +#!!!! WARNING: 'device_t' is a base type. 
+allow osquery_t device_t:filesystem getattr; +allow osquery_t devpts_t:filesystem getattr; +allow osquery_t dhcp_etc_t:dir { getattr open read }; +allow osquery_t dhcp_etc_t:file getattr; +allow osquery_t dhcpc_exec_t:file getattr; +allow osquery_t dhcpc_t:dir { getattr open read search }; +allow osquery_t dhcpc_t:file { getattr open read }; + +allow osquery_t dhcpc_t:lnk_file { getattr read }; +allow osquery_t dmesg_exec_t:file getattr; +allow osquery_t dmidecode_exec_t:file getattr; +allow osquery_t dri_device_t:chr_file getattr; +allow osquery_t etc_aliases_t:file getattr; +allow osquery_t event_device_t:chr_file getattr; +allow osquery_t exports_t:file getattr; +allow osquery_t firewalld_etc_rw_t:dir { getattr open read }; +allow osquery_t firewalld_etc_rw_t:file getattr; +allow osquery_t firewalld_exec_t:file getattr; +allow osquery_t fixed_disk_device_t:blk_file { getattr ioctl open read }; +allow osquery_t fixed_disk_device_t:chr_file getattr; +allow osquery_t framebuf_device_t:chr_file getattr; +allow osquery_t fs_t:filesystem getattr; +allow osquery_t fsadm_exec_t:file getattr; +allow osquery_t fuse_device_t:chr_file getattr; +allow osquery_t getty_exec_t:file getattr; +allow osquery_t getty_t:dir { getattr open read search }; +allow osquery_t getty_t:file { getattr open read }; + +allow osquery_t getty_t:lnk_file { getattr read }; +allow osquery_t getty_unit_file_t:file getattr; +allow osquery_t gpg_agent_exec_t:file getattr; +allow osquery_t gpg_exec_t:file getattr; +allow osquery_t groupadd_exec_t:file getattr; +allow osquery_t gssd_exec_t:file getattr; +allow osquery_t gssproxy_exec_t:file getattr; +allow osquery_t gssproxy_t:dir { getattr open read search }; +allow osquery_t gssproxy_t:file { getattr open read }; + +allow osquery_t gssproxy_t:lnk_file { getattr read }; + +#!!!! WARNING: 'home_root_t' is a base type. 
+allow osquery_t home_root_t:dir read; +allow osquery_t hostname_exec_t:file getattr; +allow osquery_t hugetlbfs_t:dir { getattr open read }; +allow osquery_t hugetlbfs_t:filesystem getattr; +allow osquery_t hwclock_exec_t:file getattr; +allow osquery_t hypervkvp_exec_t:file getattr; +allow osquery_t hypervvssd_exec_t:file getattr; +allow osquery_t ifconfig_exec_t:file getattr; +allow osquery_t init_exec_t:file getattr; +allow osquery_t init_t:dir read; +allow osquery_t init_t:file { getattr open read }; + +allow osquery_t init_t:lnk_file { getattr read }; +allow osquery_t initctl_t:fifo_file getattr; +allow osquery_t initrc_exec_t:file getattr; +allow osquery_t initrc_var_run_t:file { lock open read }; +allow osquery_t insmod_exec_t:file getattr; +allow osquery_t iptables_exec_t:file getattr; +allow osquery_t irqbalance_exec_t:file getattr; +allow osquery_t journalctl_exec_t:file getattr; +allow osquery_t kernel_t:dir { getattr open read search }; +allow osquery_t kernel_t:file { getattr open read }; +allow osquery_t kernel_t:lnk_file { getattr read }; + +#!!!! 
This avc can be allowed using the boolean 'domain_can_write_kmsg' +allow osquery_t kmsg_device_t:chr_file getattr; +allow osquery_t ldconfig_exec_t:file getattr; +allow osquery_t load_policy_exec_t:file getattr; +allow osquery_t loadkeys_exec_t:file getattr; +allow osquery_t login_exec_t:file getattr; +allow osquery_t logrotate_exec_t:file getattr; +allow osquery_t loop_control_device_t:chr_file getattr; +allow osquery_t lvm_control_t:chr_file { getattr ioctl open read write }; +allow osquery_t lvm_etc_t:dir { getattr open read }; +allow osquery_t lvm_etc_t:file { getattr open read }; +allow osquery_t lvm_exec_t:file getattr; +allow osquery_t lvm_lock_t:dir { add_name getattr read remove_name search write }; +allow osquery_t lvm_lock_t:file { append create getattr lock open read unlink }; +allow osquery_t lvm_metadata_t:dir { add_name getattr open read remove_name write }; +allow osquery_t lvm_metadata_t:file { create getattr lock open read rename unlink write }; +allow osquery_t lvm_t:dir { getattr open read search }; +allow osquery_t lvm_t:file { getattr open read }; + +allow osquery_t lvm_t:lnk_file { getattr read }; +allow osquery_t lvm_unit_file_t:file getattr; +allow osquery_t mandb_exec_t:file getattr; +allow osquery_t mdadm_exec_t:file getattr; +allow osquery_t memory_device_t:chr_file getattr; +allow osquery_t modules_conf_t:dir { getattr open read }; +allow osquery_t modules_conf_t:file getattr; +allow osquery_t mount_exec_t:file getattr; +allow osquery_t mouse_device_t:chr_file getattr; +allow osquery_t mtrr_device_t:file getattr; +allow osquery_t mysqld_etc_t:dir { getattr open read }; +allow osquery_t mysqld_etc_t:file getattr; +allow osquery_t namespace_init_exec_t:file getattr; +allow osquery_t netcontrol_device_t:chr_file getattr; +allow osquery_t netutils_exec_t:file getattr; +allow osquery_t nfsd_exec_t:file getattr; +allow osquery_t nfsd_unit_file_t:file getattr; +allow osquery_t nvram_device_t:chr_file getattr; +allow osquery_t 
oddjob_mkhomedir_exec_t:file getattr; +allow osquery_t osquery_conf_t:file getattr; +allow osquery_t osquery_unit_file_t:file getattr; +allow osquery_t pam_console_exec_t:file getattr; +allow osquery_t pam_timestamp_exec_t:file getattr; +allow osquery_t passwd_exec_t:file getattr; +allow osquery_t pinentry_exec_t:file getattr; +allow osquery_t ping_exec_t:file getattr; +allow osquery_t plymouth_exec_t:file getattr; +allow osquery_t plymouthd_exec_t:file getattr; +allow osquery_t policykit_auth_exec_t:file getattr; +allow osquery_t policykit_exec_t:file getattr; +allow osquery_t policykit_t:dir { getattr open read search }; +allow osquery_t policykit_t:file { getattr open read }; + +allow osquery_t policykit_t:lnk_file { getattr read }; +allow osquery_t postfix_etc_t:dir { getattr open read }; +allow osquery_t postfix_etc_t:file getattr; +allow osquery_t postfix_map_exec_t:file getattr; +allow osquery_t postfix_master_exec_t:file getattr; +allow osquery_t postfix_master_t:dir { getattr open read search }; +allow osquery_t postfix_master_t:file { getattr open read }; + +allow osquery_t postfix_master_t:lnk_file { getattr read }; +allow osquery_t postfix_pickup_exec_t:file getattr; +allow osquery_t postfix_pickup_t:dir { getattr open read search }; +allow osquery_t postfix_pickup_t:file { getattr open read }; + +allow osquery_t postfix_pickup_t:lnk_file { getattr read }; +allow osquery_t postfix_postdrop_exec_t:file getattr; +allow osquery_t postfix_postqueue_exec_t:file getattr; +allow osquery_t postfix_qmgr_exec_t:file getattr; +allow osquery_t postfix_qmgr_t:dir { getattr open read search }; +allow osquery_t postfix_qmgr_t:file { getattr open read }; + +allow osquery_t postfix_qmgr_t:lnk_file { getattr read }; +allow osquery_t postfix_spool_t:dir getattr; +allow osquery_t ppp_device_t:chr_file getattr; +allow osquery_t pppd_etc_rw_t:dir { getattr open read }; +allow osquery_t pppd_etc_t:dir { getattr open read }; +allow osquery_t pppd_exec_t:file getattr; +allow 
osquery_t pppd_initrc_exec_t:file getattr; +allow osquery_t proc_kcore_t:file getattr; +allow osquery_t proc_kmsg_t:file getattr; +allow osquery_t proc_mdstat_t:file getattr; +allow osquery_t proc_net_t:file { getattr open read }; +allow osquery_t proc_t:dir read; +allow osquery_t proc_t:file { getattr open read }; +allow osquery_t proc_t:filesystem getattr; +allow osquery_t pstore_t:filesystem getattr; +allow osquery_t ptmx_t:chr_file getattr; +allow osquery_t quota_exec_t:file getattr; + +#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap' +allow osquery_t random_device_t:chr_file getattr; +allow osquery_t rdisc_exec_t:file getattr; +allow osquery_t rpc_pipefs_t:filesystem getattr; +allow osquery_t rpcbind_exec_t:file getattr; +allow osquery_t rpcbind_t:dir { getattr open read search }; +allow osquery_t rpcbind_t:file { getattr open read }; + +allow osquery_t rpcbind_t:lnk_file { getattr read }; +allow osquery_t rpcd_exec_t:file getattr; +allow osquery_t rpcd_unit_file_t:file getattr; +allow osquery_t rpm_exec_t:file getattr; +allow osquery_t rpm_script_tmp_t:dir read; +allow osquery_t rsync_etc_t:file getattr; +allow osquery_t rsync_exec_t:file getattr; +allow osquery_t screen_exec_t:file getattr; +allow osquery_t scsi_generic_device_t:chr_file getattr; +allow osquery_t self:capability { dac_override sys_rawio }; +allow osquery_t self:netlink_kobject_uevent_socket { bind create getattr setopt }; +allow osquery_t self:process setsched; + +#!!!! The file '/var/osquery/osquery.em' is mislabeled on your system. +#!!!! Fix with $ restorecon -R -v /var/osquery/osquery.em +#!!!! 
This avc can be allowed using the boolean 'daemons_enable_cluster_mode' +allow osquery_t self:unix_stream_socket connectto; +allow osquery_t selinux_config_t:dir read; +allow osquery_t selinux_login_config_t:dir { getattr open read }; +allow osquery_t semanage_exec_t:file getattr; +allow osquery_t semanage_store_t:dir { getattr open read }; +allow osquery_t semanage_store_t:file { getattr open read }; +allow osquery_t sendmail_exec_t:file getattr; +allow osquery_t setfiles_exec_t:file getattr; +allow osquery_t setsebool_exec_t:file getattr; +allow osquery_t shadow_t:file getattr; +allow osquery_t showmount_exec_t:file getattr; + +#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap' +allow osquery_t slapd_cert_t:dir { getattr open read }; + +#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap' +allow osquery_t slapd_cert_t:file getattr; +allow osquery_t sound_device_t:chr_file getattr; +allow osquery_t ssh_agent_exec_t:file getattr; +allow osquery_t ssh_exec_t:file getattr; +allow osquery_t ssh_home_t:dir { getattr open read }; +allow osquery_t ssh_home_t:file getattr; +allow osquery_t ssh_keygen_exec_t:file getattr; +allow osquery_t sshd_exec_t:file getattr; +allow osquery_t sshd_key_t:file getattr; +allow osquery_t sshd_keygen_exec_t:file getattr; +allow osquery_t sshd_t:dir { getattr open read search }; +allow osquery_t sshd_t:file { getattr open read }; + +allow osquery_t sshd_t:lnk_file { getattr read }; +allow osquery_t sshd_unit_file_t:file getattr; +allow osquery_t su_exec_t:file getattr; +allow osquery_t sudo_exec_t:file getattr; +allow osquery_t sulogin_exec_t:file getattr; +allow osquery_t sysctl_fs_t:dir search; +allow osquery_t sysctl_irq_t:dir getattr; +allow osquery_t sysctl_t:file getattr; +allow osquery_t sysfs_t:dir read; +allow osquery_t sysfs_t:file { getattr open read }; +allow osquery_t sysfs_t:filesystem getattr; +allow osquery_t sysfs_t:lnk_file { getattr read }; +allow osquery_t 
syslog_conf_t:dir { getattr open read }; +allow osquery_t syslog_conf_t:file getattr; +allow osquery_t syslogd_exec_t:file getattr; +allow osquery_t syslogd_t:dir { getattr open read search }; +allow osquery_t syslogd_t:file { getattr open read }; + +allow osquery_t syslogd_t:lnk_file { getattr read }; +allow osquery_t system_cron_spool_t:dir { getattr open read }; +allow osquery_t system_cron_spool_t:file { getattr open read }; +allow osquery_t system_cronjob_t:dir { getattr open read search }; +allow osquery_t system_cronjob_t:file { getattr open read }; + +allow osquery_t system_cronjob_t:lnk_file { getattr read }; +allow osquery_t system_dbusd_t:dir { getattr open read search }; +allow osquery_t system_dbusd_t:file { getattr open read }; + +allow osquery_t system_dbusd_t:lnk_file { getattr read }; +allow osquery_t systemd_hwdb_etc_t:file getattr; +allow osquery_t systemd_hwdb_exec_t:file getattr; +allow osquery_t systemd_logind_exec_t:file getattr; +allow osquery_t systemd_logind_t:dir { getattr open read search }; +allow osquery_t systemd_logind_t:file { getattr open read }; + +allow osquery_t systemd_logind_t:lnk_file { getattr read }; +allow osquery_t systemd_notify_exec_t:file getattr; +allow osquery_t systemd_passwd_agent_exec_t:file getattr; +allow osquery_t systemd_systemctl_exec_t:file getattr; +allow osquery_t systemd_tmpfiles_exec_t:file getattr; +allow osquery_t systemd_unit_file_t:dir { open read }; +allow osquery_t systemd_unit_file_t:file getattr; +allow osquery_t systemd_unit_file_t:lnk_file read; +allow osquery_t tcpd_exec_t:file getattr; +allow osquery_t thumb_exec_t:file getattr; + +#!!!! WARNING: 'tmp_t' is a base type. +allow osquery_t tmp_t:dir { add_name read remove_name write }; +allow osquery_t tmp_t:file { create unlink write }; + +#!!!! WARNING: 'tmp_t' is a base type. 
+allow osquery_t tmp_t:lnk_file { create unlink }; +allow osquery_t tmpfs_t:dir read; +allow osquery_t tmpfs_t:filesystem getattr; +allow osquery_t traceroute_exec_t:file getattr; +allow osquery_t tun_tap_device_t:chr_file getattr; +allow osquery_t tuned_etc_t:dir { getattr open read }; +allow osquery_t tuned_etc_t:file getattr; +allow osquery_t tuned_exec_t:file getattr; +allow osquery_t tuned_rw_etc_t:file getattr; +allow osquery_t tuned_t:dir { getattr open read search }; +allow osquery_t tuned_t:file { getattr open read }; + +allow osquery_t tuned_t:lnk_file { getattr read }; +allow osquery_t udev_exec_t:file getattr; +allow osquery_t udev_rules_t:dir { getattr open read }; +allow osquery_t udev_rules_t:file getattr; +allow osquery_t udev_t:dir { getattr open read search }; +allow osquery_t udev_t:file { getattr open read }; +allow osquery_t udev_t:lnk_file { getattr read }; +allow osquery_t udev_var_run_t:file { getattr open read }; +allow osquery_t uhid_device_t:chr_file getattr; +allow osquery_t unconfined_service_t:dir { getattr open read search }; +allow osquery_t unconfined_service_t:file { getattr open read }; +allow osquery_t unconfined_service_t:lnk_file { getattr read }; +allow osquery_t unconfined_t:dir { getattr open read search }; +allow osquery_t unconfined_t:file { getattr open read }; +allow osquery_t unconfined_t:lnk_file { getattr read }; + +#!!!! WARNING: 'unlabeled_t' is a base type. +#!!!! The file '/etc/sysconfig/cloud-info' is mislabeled on your system. +#!!!! 
Fix with $ restorecon -R -v /etc/sysconfig/cloud-info +allow osquery_t unlabeled_t:file getattr; +allow osquery_t updpwd_exec_t:file getattr; +allow osquery_t usbmon_device_t:chr_file getattr; +allow osquery_t user_cron_spool_t:dir { getattr open read }; +allow osquery_t user_fonts_t:dir { getattr open read search }; +allow osquery_t user_home_dir_t:dir getattr; +allow osquery_t user_tmp_t:dir read; +allow osquery_t useradd_exec_t:file getattr; +allow osquery_t userhelper_conf_t:dir { getattr open read }; +allow osquery_t userhelper_conf_t:file getattr; +allow osquery_t userhelper_exec_t:file getattr; +allow osquery_t usernetctl_exec_t:file getattr; +allow osquery_t var_log_t:lnk_file unlink; + +#!!!! WARNING 'osquery_t' is not allowed to write or create to var_run_t. Change the label to osquery_var_run_t. +allow osquery_t var_run_t:dir { add_name remove_name write }; + +#!!!! WARNING 'osquery_t' is not allowed to write or create to var_run_t. Change the label to osquery_var_run_t. +#!!!! $ semanage fcontext -a -t osquery_var_run_t /run/osqueryd.pid +#!!!! $ restorecon -R -v /run/osqueryd.pid +#!!!! The file '/run/osqueryd.pid' is mislabeled on your system. +#!!!! Fix with $ restorecon -R -v /run/osqueryd.pid +allow osquery_t var_run_t:file { append create getattr open read setattr unlink }; + +#!!!! WARNING: 'var_t' is a base type. 
+allow osquery_t var_t:dir { add_name read remove_name setattr write }; +allow osquery_t var_t:file { create getattr lock open read rename unlink write }; +allow osquery_t var_t:sock_file { create getattr unlink write }; +allow osquery_t vfio_device_t:chr_file getattr; +allow osquery_t vhost_device_t:chr_file getattr; +allow osquery_t virt_qemu_ga_exec_t:file getattr; +allow osquery_t virt_qemu_ga_unconfined_exec_t:dir { getattr open read }; +allow osquery_t vlock_exec_t:file getattr; +allow osquery_t wtmp_t:file { open read }; +allow osquery_t xserver_etc_t:dir { getattr open read }; +allow osquery_t xserver_misc_device_t:chr_file getattr; + +allow osquery_t print_spool_t:dir search; +allow osquery_t rpcbind_var_lib_t:dir search; +allow osquery_t self:capability sys_ptrace; + +#============= unconfined_t ============== + +#!!!! This avc is allowed in the current policy +allow unconfined_t osquery_conf_t:file relabelto; + diff --git a/osquery/roles/osquery/templates/osqueryd-monit.j2 b/osquery/roles/osquery/templates/osqueryd-monit.j2 new file mode 100644 index 00000000..458b802a --- /dev/null +++ b/osquery/roles/osquery/templates/osqueryd-monit.j2 
@@ -0,0 +1,27 @@
+{{ ansible_managed | comment('plain', decoration='## ') }}
+check process osqueryd
+ with pidfile "/var/run/osqueryd.pid"
+ group system
+ group osqueryd
+{% if ansible_service_mgr == 'systemd' %}
+ start program = "/bin/systemctl start ssh" with timeout 60 seconds
+ stop program = "/bin/systemctl stop ssh"
+{% else %}
+ start program = "/etc/init.d/ssh start" with timeout 60 seconds
+ stop program = "/etc/init.d/ssh stop"
+{% endif %}
+ if cpu > 90% for 15 cycles then alert
+ if totalmem > 90% for 15 cycles then alert
+ if loadavg(15min) greater than 10 for 50 cycles then alert
+ if 5 restarts with 5 cycles then alert
+ depends on osqueryd_binary
+ depends on osqueryd_conf
+
+check file osqueryd_binary
+ with path /usr/bin/osqueryd
+ group osqueryd
+ if failed checksum then alert
+
+check file osqueryd_conf with path /etc/osquery/osquery.conf
+ include /etc/monit/templates/rootrc
+ group osqueryd
diff --git a/osquery/roles/osquery/templates/rsyslog-osquery-target.conf.j2 b/osquery/roles/osquery/templates/rsyslog-osquery-target.conf.j2
new file mode 100644
index 00000000..c8dbcd72
--- /dev/null
+++ b/osquery/roles/osquery/templates/rsyslog-osquery-target.conf.j2
@@ -0,0 +1,16 @@
+{% if osquery_syslog_target is defined and osquery_syslog_target != '' %}
+{{ osquery_syslog_target_facility_syslogconf }}.* {{ osquery_syslog_target }}
+{% if rsyslog_v.stdout is defined and rsyslog_v.stdout is version_compare('8.0', '<') %}
+& ~
+{% else %}
+& stop
+{% endif %}
+{% endif %}
+{% if osquery_syslog_target2 is defined and osquery_syslog_target2 != '' %}
+if $programname == 'osqueryd' then {{ osquery_syslog_target2 }}
+{% if rsyslog_v.stdout is defined and rsyslog_v.stdout is version_compare('8.0', '<') %}
+& ~
+{% else %}
+& stop
+{% endif %}
+{% endif %}
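Review bot: The `start program` and `stop program` lines in both the systemd and the init.d branch act on `ssh`, not on `osqueryd`, so when this check's pid-file test fails monit would restart the SSH daemon while osqueryd stays down; each of the four lines should name osqueryd. The `with pidfile "/var/run/osqueryd.pid"` path is the same file the SELinux policy hunk above reports as mislabeled (`/run/osqueryd.pid`), so the two changes are worth keeping in step. The rewritten branch is below; everything else in the check is unchanged.
```jinja
check process osqueryd
  with pidfile "/var/run/osqueryd.pid"
  {# … unchanged: group lines … #}
{% if ansible_service_mgr == 'systemd' %}
  start program = "/bin/systemctl start osqueryd" with timeout 60 seconds
  stop program = "/bin/systemctl stop osqueryd"
{% else %}
  start program = "/etc/init.d/osqueryd start" with timeout 60 seconds
  stop program = "/etc/init.d/osqueryd stop"
{% endif %}
{# … unchanged: alert thresholds and depends lines … #}
```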
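Review bot: The facility rule `{{ osquery_syslog_target_facility_syslogconf }}.* {{ osquery_syslog_target }}` followed by `& stop` (or `& ~`) discards every message on that facility, not only osqueryd's, so any other program that logs to the same facility silently disappears from the default log files; a program-name guard in the style of the second rule, e.g. `if $syslogfacility-text == '<FACILITY>' and $programname == 'osqueryd' then {{ osquery_syslog_target }}`, keeps the drop scoped to osquery. `osquery_syslog_target_facility_syslogconf` is rendered unguarded while both target variables are tested with `is defined`; if it can be unset on some hosts the template render fails rather than emitting nothing. A one-line comment above the first rule stating that the facility must be reserved for osqueryd would make the trade-off explicit.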
diff --git a/osquery/roles/osquery/test/integration/default-fleetmanager/bats/idempotency.bats b/osquery/roles/osquery/test/integration/default-fleetmanager/bats/idempotency.bats
new file mode 100644
index 00000000..0ce1c670
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-fleetmanager/bats/idempotency.bats
@@ -0,0 +1,14 @@
+#!/usr/bin/env bats
+#
+
+#
+# Idempotence test
+# from https://github.com/neillturner/kitchen-ansible/issues/92
+#
+
+@test "Second run should change nothing" {
+ skip "service module issue"
+ run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
+ [ "$status" -eq 0 ]
+}
+
diff --git a/osquery/roles/osquery/test/integration/default-fleetmanager/default.yml b/osquery/roles/osquery/test/integration/default-fleetmanager/default.yml
new file mode 100644
index 00000000..91096c93
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-fleetmanager/default.yml
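Review bot: `skip "service module issue"` turns the only idempotency check into a permanent no-op with no reference to what is broken, so a second converge that changes or fails something is never caught; the skip reason should point at the tracking item, e.g. `skip "service module issue, see <ISSUE-REF>"`, and the skip removed once it is resolved. The pass condition `grep -q 'changed=0.*failed=0'` is satisfied by any single recap line, so on an inventory with more than one host an unchanged host masks changes on another; asserting that no recap line matches `changed=[1-9]` or `failed=[1-9]` is the tighter check. The same file is added unchanged at L95 and L100.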
@@ -0,0 +1,43 @@
+---
+
+- hosts: all
+#- hosts: test-kitchen
+ vars:
+ - mysql_root_password: 'Toor=2017.'
+ - kolide_mysql_root_pass: "{{ mysql_root_password }}"
+ - mysql_databases:
+ - name: "{{ kolide_mysql_db }}"
+ - mysql_users:
+ - name: "{{ kolide_mysql_user }}"
+ host: "localhost"
+ #host: "%"
+ password: "{{ kolide_mysql_pass }}"
+ priv: "{{ kolide_mysql_db }}.*:ALL"
+ - mysql_enablerepo: epel
+ - osquery_flags:
+ - '--enroll_secret_path=/etc/osquery/osquery_enroll_secret'
+ - "--tls_server_certs={{ ssl_dir }}/{{ ansible_fqdn }}.crt"
+ - '--tls_hostname=acme.kolide.co:8080'
+ - '--host_identifier=hostname'
+ - '--enroll_tls_endpoint=/api/v1/osquery/enroll'
+ - '--config_plugin=tls'
+ - '--config_tls_endpoint=/api/v1/osquery/config'
+ - '--config_tls_refresh=10'
+ - '--disable_distributed=false'
+ - '--distributed_plugin=tls'
+ - '--distributed_interval=10'
+ - '--distributed_tls_max_attempts=3'
+ - '--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read'
+ - '--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write'
+ - '--logger_plugin=tls'
+ pre_tasks:
+ - name: map acme.kolide.co to localhost
+ lineinfile:
+ dest: /etc/hosts
+ line: 127.0.0.1 acme.kolide.co
+ ignore_errors: true
+ roles:
+ - { role: geerlingguy.mysql, when: ansible_os_family == 'Debian' }
+ - juju4.kolide
+ - kbrebanov.osquery
+
diff --git a/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Gemfile b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Gemfile
new file mode 100644
index 00000000..938ed3ed
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Gemfile
@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+gem 'serverspec'
+gem 'rake'
+## for junit output and jenkins support
+## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
+#gem 'yarjuf'
+
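Review bot: `mysql_root_password: 'Toor=2017.'` commits a fixed database root credential to the repository and propagates it through `kolide_mysql_root_pass`; even for a kitchen fixture it is better generated at converge time, e.g. `mysql_root_password: "{{ lookup('password', '/tmp/kitchen/mysql_root length=24') }}"`, or read from the environment, so the value never lands in VCS. `ignore_errors: true` on the `/etc/hosts` lineinfile hides the one failure that leaves `acme.kolide.co` unresolvable, after which every `--tls_hostname=acme.kolide.co:8080` enrollment attempt fails with a much less direct error; let the task fail. `--tls_server_certs` points at `{{ ssl_dir }}/{{ ansible_fqdn }}.crt` while the hostname osquery will verify is `acme.kolide.co`, so this only works if that certificate carries `acme.kolide.co` as a SAN; a comment stating that requirement would save the next reader a debugging round. The roles list names `geerlingguy.mysql`, `juju4.kolide` and `kbrebanov.osquery` although this role lives at `roles/osquery`, so the fixture looks inherited from upstream and will not converge here unless those roles are installed separately.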
diff --git a/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Rakefile b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Rakefile
new file mode 100644
index 00000000..3699568c
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Rakefile
@@ -0,0 +1,9 @@
+require 'rake'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec) do |t|
+ t.pattern = '*_spec.rb'
+end
+
+task :default => :spec
+
diff --git a/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/osquery_spec.rb b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/osquery_spec.rb
new file mode 100644
index 00000000..f05921d7
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/osquery_spec.rb
@@ -0,0 +1,59 @@ +require 'serverspec' + +# Required by serverspec +set :backend, :exec + +describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do +## mostly exclude for docker/systemd distributions + it { should be_enabled } +end +describe service('osqueryd') do + it { should be_running } +end + +describe file('/usr/bin/osqueryd') do + it { should be_executable } +end +describe file('/usr/bin/osqueryi') do + it { should be_executable } +end + +describe file('/etc/osquery/osquery.conf') do + it { should contain '"config_plugin":' } + it { should contain '"packs": {' } + it { should contain '"filesystem"' } +end + +describe process("osqueryd") do + its(:user) { should eq "root" } + its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ } + its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ } +end + +#describe file('/var/log/osquery/osqueryd.INFO') do +# it { should be_symlink } +# its(:content) { should match /Log line format:/ } +#end +#describe file('/var/log/osquery/osqueryd.WARNING') do +# it { should be_symlink } +# its(:content) { should match /Log line format:/ } +# its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ } +#end +#describe file('/var/log/osquery/osqueryd.results.log') do +# it { should be_file } +## its(:content) { should match /hostIdentifier/ } +# let(:sudo_options) { '-u root -H' } +#end + +describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do + its(:stdout) { should match /osqueryd is already running/ } + its(:exit_status) { should eq 0 } +end +describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do + its(:stdout) { should match /active \(running\)/ } + its(:exit_status) { should eq 0 } +end +describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do + 
 its(:stdout) { should match /active \(running\)/ }
+ its(:exit_status) { should eq 0 }
+end
diff --git a/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/run-local-tests.sh b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/run-local-tests.sh
new file mode 100755
index 00000000..39050487
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/run-local-tests.sh
@@ -0,0 +1,32 @@
+#!/bin/sh -x
+## get consistent ruby2+bundler env on each distribution
+
+location=`dirname "$0"`
+cd $location
+v=2.3
+
+## docker environment in travis missing few utils
+[ -f /etc/debian_version ] && apt-get install -y curl
+[ -f /etc/redhat-release ] && yum -y install which
+
+curl -sSL https://get.rvm.io | bash
+#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
+#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
+
+## troubleshoot
+type rvm | head -1
+env
+
+#export PATH=/usr/local/rvm/bin:$PATH
+
+bash -l -c "rvm install $v"
+bash -l -c "rvm use $v"
+bash -l -c "rvm use $v --default"
+bash -l -c "gem install bundler"
+bash -l -c "bundle install --path ./gems"
+if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
+ bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
+else
+ bash -l -c "bundle exec rake spec"
+fi
+
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/bats/idempotency.bats b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/bats/idempotency.bats
new file mode 100644
index 00000000..0ce1c670
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/bats/idempotency.bats
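Review bot: The `describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04')` block expects `osqueryd is already running`, which is init-script wording, yet Ubuntu 14.04 has no `systemctl`, so on that release the command itself is missing and the block can never pass; use `service osqueryd status` there or drop the 14.04 branch if it is not a target. In the first `describe service`, the `&& (os[:family] != 'redhat')` clause is redundant once `os[:family] == 'ubuntu'` holds, and the 16.04/18.04 and redhat `systemctl status` blocks assert the same two things and could be a single block with a combined `:if`. The commented-out log-file checks carry no note on why they are disabled; a one-line `# disabled: <reason>` above them would keep that from being rediscovered. The same spec is added with small variations at L97–L98 and L102 and the same points apply there.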
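Review bot: `curl -sSL https://get.rvm.io | bash` runs an unpinned remote installer, as root in the CI containers the comments describe, with no checksum or signature check, so the test toolchain is only as trustworthy as the network at run time; download the installer to a file, verify it against RVM's published signature, and execute that file, or at least pin a release. `cd $location` is unquoted and unchecked, so a path with spaces or a missing directory leaves the script running from the wrong directory; `cd "$location" || exit 1` covers both. The shebang is `#!/bin/sh -x` but every rvm step is wrapped in `bash -l -c`, so bash is effectively required and could be the interpreter outright. The same script is added again at L100 (and a third copy begins at the end of L104).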
@@ -0,0 +1,14 @@ +#!/usr/bin/env bats +# + +# +# Idempotence test +# from https://github.com/neillturner/kitchen-ansible/issues/92 +# + +@test "Second run should change nothing" { + skip "service module issue" + run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1" + [ "$status" -eq 0 ] +} + diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/default.yml b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/default.yml new file mode 100644 index 00000000..b60930e6 --- /dev/null +++ b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/default.yml @@ -0,0 +1,17 @@ +--- + +- hosts: all +#- hosts: test-kitchen + vars: + - osquery_flags: + - '--logger_plugin=filesystem,syslog' + - osquery_logger_plugin: 'filesystem,syslog' + - osquery_syslog_target: '/var/log/osquery_syslog-results.log' + - osquery_syslog_target2: '/var/log/osquery_syslog-prog.log' + - osquery_testing: true + - osquery_syslog_dirs: + - /var/log + - osquery_testing_pause: true + roles: + - kbrebanov.osquery + diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Gemfile b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Gemfile new file mode 100644 index 00000000..938ed3ed --- /dev/null +++ b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Gemfile @@ -0,0 +1,8 @@ +source 'https://rubygems.org' + +gem 'serverspec' +gem 'rake' +## for junit output and jenkins support +## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.' +#gem 'yarjuf' + diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Rakefile b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Rakefile new file mode 100644 index 00000000..3699568c --- /dev/null 
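Review bot: `osquery_flags` with `'--logger_plugin=filesystem,syslog'` and `osquery_logger_plugin: 'filesystem,syslog'` set the same option through two different variables; the sibling fixture at L101 sets only `osquery_logger_plugin` and comments the flag out, so presumably the role derives the flag from the variable and the explicit flag here can drift from it without anyone noticing. Keep one of the two, the variable if the role templates the flag from it. `osquery_testing_pause: true` gives no hint of what the pause waits for; a short comment such as `# wait for the first scheduled query so the log assertions have data` (if that is its purpose) would help.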
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Rakefile @@ -0,0 +1,9 @@ +require 'rake' +require 'rspec/core/rake_task' + +RSpec::Core::RakeTask.new(:spec) do |t| + t.pattern = '*_spec.rb' +end + +task :default => :spec + diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_spec.rb b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_spec.rb new file mode 100644 index 00000000..7b4fa769 --- /dev/null +++ b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_spec.rb 
@@ -0,0 +1,59 @@ +require 'serverspec' + +# Required by serverspec +set :backend, :exec + +describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do +## mostly exclude for docker/systemd distributions + it { should be_enabled } +end +describe service('osqueryd') do + it { should be_running } +end + +describe file('/usr/bin/osqueryd') do + it { should be_executable } +end +describe file('/usr/bin/osqueryi') do + it { should be_executable } +end + +describe file('/etc/osquery/osquery.conf') do + it { should contain '"config_plugin":' } + it { should contain '"packs": {' } + it { should contain '"filesystem,syslog"' } +end + +describe process("osqueryd") do + its(:user) { should eq "root" } + its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ } + its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ } +end + +describe file('/var/log/osquery/osqueryd.INFO') do + it { should be_symlink } + its(:content) { should match /Log line format:/ } +end +describe file('/var/log/osquery/osqueryd.WARNING') do + it { should be_symlink } + its(:content) { should match /Log line format:/ } + its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ } +end +describe file('/var/log/osquery/osqueryd.results.log') do + it { should be_file } +# its(:content) { should match /hostIdentifier/ } + let(:sudo_options) { '-u root -H' } +end + +describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do + its(:stdout) { should match /osqueryd is already running/ } + its(:exit_status) { should eq 0 } +end +describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do + its(:stdout) { should match /active \(running\)/ } + its(:exit_status) { should eq 0 } +end +describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do + its(:stdout) { 
should match /active \(running\)/ } + its(:exit_status) { should eq 0 } +end diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_syslog_spec.rb b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_syslog_spec.rb new file mode 100644 index 00000000..0752faeb --- /dev/null +++ b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_syslog_spec.rb @@ -0,0 +1,18 @@ +require 'serverspec' + +# Required by serverspec +set :backend, :exec + +describe file('/var/log/osquery_syslog-prog.log') do + it { should be_file } +# its(:content) { should match /osqueryd: osqueryd started \[version=/ } + its(:content) { should_not match /Rocksdb open failed \(5:0\) IO error:/ } +end +describe file('/var/log/osquery_syslog-results.log') do + it { should be_file } + its(:content) { should match /hostIdentifier/ } +# its(:content) { should match /pack/ } +# its(:content) { should match /message=Executing scheduled query system_info:/ } + its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ } + let(:sudo_options) { '-u root -H' } +end diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/rsyslog_spec.rb b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/rsyslog_spec.rb new file mode 100644 index 00000000..c6069a7e --- /dev/null +++ b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/rsyslog_spec.rb 
@@ -0,0 +1,47 @@ +require 'serverspec' + +# Required by serverspec +set :backend, :exec + +describe service('rsyslog'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') || (os[:family] == 'redhat' && os[:release] != '7') do + it { should be_enabled } +end +describe service('rsyslog') do + it { should be_running } +end + +describe file('/usr/sbin/rsyslogd') do + it { should be_executable } +end + +describe process("rsyslogd"), :if => os[:family] == 'ubuntu' do + its(:user) { should eq "syslog" } +end +describe process("rsyslogd"), :if => os[:family] == 'redhat' do + its(:user) { should eq "root" } +end + +describe file('/var/log'), :if => os[:family] == 'ubuntu' do + it { should be_directory } + it { should be_mode 775 } + it { should be_owned_by 'root' } + it { should be_grouped_into 'syslog' } +# it { should be_writable.by('group') } + it { should be_writable.by_user('syslog') } +end +describe file('/var/log'), :if => os[:family] == 'redhat' do + it { should be_directory } + it { should be_mode 755 } + it { should be_owned_by 'root' } + it { should be_grouped_into 'root' } +# it { should be_writable.by('group') } +end + +describe file('/var/log/syslog'), :if => os[:family] == 'ubuntu' do + it { should be_file } +end + +describe file('/var/log/messages'), :if => os[:family] == 'redhat' do + it { should be_file } +end + diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/run-local-tests.sh b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/run-local-tests.sh new file mode 100755 index 00000000..39050487 --- /dev/null +++ b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/run-local-tests.sh 
@@ -0,0 +1,32 @@ +#!/bin/sh -x +## get consistent ruby2+bundler env on each distribution + +location=`dirname "$0"` +cd $location +v=2.3 + +## docker environment in travis missing few utils +[ -f /etc/debian_version ] && apt-get install -y curl +[ -f /etc/redhat-release ] && yum -y install which + +curl -sSL https://get.rvm.io | bash +#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm +#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh + +## troubleshoot +type rvm | head -1 +env + +#export PATH=/usr/local/rvm/bin:$PATH + +bash -l -c "rvm install $v" +bash -l -c "rvm use $v" +bash -l -c "rvm use $v --default" +bash -l -c "gem install bundler" +bash -l -c "bundle install --path ./gems" +if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then + bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec" +else + bash -l -c "bundle exec rake spec" +fi + diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/bats/idempotency.bats b/osquery/roles/osquery/test/integration/default-osquery-syslog/bats/idempotency.bats new file mode 100644 index 00000000..0ce1c670 --- /dev/null +++ b/osquery/roles/osquery/test/integration/default-osquery-syslog/bats/idempotency.bats @@ -0,0 +1,14 @@ +#!/usr/bin/env bats +# + +# +# Idempotence test +# from https://github.com/neillturner/kitchen-ansible/issues/92 +# + +@test "Second run should change nothing" { + skip "service module issue" + run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1" + [ "$status" -eq 0 ] +} + diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/default.yml b/osquery/roles/osquery/test/integration/default-osquery-syslog/default.yml new file mode 100644 index 00000000..f14acd08 --- /dev/null +++ b/osquery/roles/osquery/test/integration/default-osquery-syslog/default.yml 
@@ -0,0 +1,17 @@ +--- + +- hosts: all +#- hosts: test-kitchen + vars: +# - osquery_flags: +# - '--logger_plugin=syslog' + - osquery_logger_plugin: 'syslog' + - osquery_syslog_target: '/var/log/osquery_syslog-results.log' + - osquery_syslog_target2: '/var/log/osquery_syslog-prog.log' + - osquery_testing: true + - osquery_syslog_dirs: + - /var/log + - osquery_testing_pause: true + roles: + - kbrebanov.osquery + diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Gemfile b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Gemfile new file mode 100644 index 00000000..938ed3ed --- /dev/null +++ b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Gemfile @@ -0,0 +1,8 @@ +source 'https://rubygems.org' + +gem 'serverspec' +gem 'rake' +## for junit output and jenkins support +## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.' +#gem 'yarjuf' + diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Rakefile b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Rakefile new file mode 100644 index 00000000..3699568c --- /dev/null +++ b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Rakefile @@ -0,0 +1,9 @@ +require 'rake' +require 'rspec/core/rake_task' + +RSpec::Core::RakeTask.new(:spec) do |t| + t.pattern = '*_spec.rb' +end + +task :default => :spec + diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_spec.rb b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_spec.rb new file mode 100644 index 00000000..6c1e3b7f --- /dev/null +++ b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_spec.rb 
@@ -0,0 +1,44 @@ +require 'serverspec' + +# Required by serverspec +set :backend, :exec + +describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do +## mostly exclude for docker/systemd distributions + it { should be_enabled } +end +describe service('osqueryd') do + it { should be_running } +end + +describe file('/usr/bin/osqueryd') do + it { should be_executable } +end +describe file('/usr/bin/osqueryi') do + it { should be_executable } +end + +describe file('/etc/osquery/osquery.conf') do + it { should contain '"config_plugin":' } + it { should contain '"packs": {' } + it { should contain '"syslog"' } +end + +describe process("osqueryd") do + its(:user) { should eq "root" } + its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ } + its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ } +end + +describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do + its(:stdout) { should match /osqueryd is already running/ } + its(:exit_status) { should eq 0 } +end +describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do + its(:stdout) { should match /active \(running\)/ } + its(:exit_status) { should eq 0 } +end +describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do + its(:stdout) { should match /active \(running\)/ } + its(:exit_status) { should eq 0 } +end diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_syslog_spec.rb b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_syslog_spec.rb new file mode 100644 index 00000000..4cc4d257 --- /dev/null +++ b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_syslog_spec.rb 
@@ -0,0 +1,27 @@
+require 'serverspec'
+
+# Required by serverspec
+set :backend, :exec
+
+describe file('/var/log/osquery_syslog-prog.log') do
+ it { should be_file }
+# its(:content) { should match /osqueryd: osqueryd started \[version=/ }
+ its(:content) { should match /Executing scheduled query system_info:/ }
+ its(:content) { should_not match /Rocksdb open failed \(5:0\) IO error:/ }
+ its(:content) { should_not match /osqueryd initialize failed: Could not initialize database/ }
+end
+describe file('/var/log/osquery_syslog-results.log') do
+ it { should be_file }
+ its(:content) { should match /hostIdentifier/ }
+# its(:content) { should match /pack/ }
+ its(:content) { should match /message=Executing scheduled query system_info:/ }
+ its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
+ let(:sudo_options) { '-u root -H' }
+end
+
+describe command('journalctl -l') do
+ its(:stdout) { should match /osqueryd/ }
+ its(:stdout) { should match /Executing scheduled query system_info:/ }
+ its(:stdout) { should match /hostIdentifier/ }
+ its(:exit_status) { should eq 0 }
+end
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/rsyslog_spec.rb b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/rsyslog_spec.rb
new file mode 100644
index 00000000..c6069a7e
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/rsyslog_spec.rb
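Review bot: Both `describe file(...)` blocks check that the syslog result logs exist and what they contain, but not who may read them, and the content assertions themselves (`hostIdentifier`, scheduled-query results) show these files hold host inventory. Adding `it { should_not be_readable.by('others') }` to each block, and to the `osqueryd.results.log` checks in the default-profiling and default osquery_spec.rb files later in this diff, would make the suite fail if the role or rsyslog creates them world-readable; whether the role sets a restrictive mode is not visible here, so treat the assertion as a probe rather than a formality. `let(:sudo_options) { '-u root -H' }` appears only in the second block; if it is needed to read root-owned logs it belongs in both.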
@@ -0,0 +1,47 @@ +require 'serverspec' + +# Required by serverspec +set :backend, :exec + +describe service('rsyslog'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') || (os[:family] == 'redhat' && os[:release] != '7') do + it { should be_enabled } +end +describe service('rsyslog') do + it { should be_running } +end + +describe file('/usr/sbin/rsyslogd') do + it { should be_executable } +end + +describe process("rsyslogd"), :if => os[:family] == 'ubuntu' do + its(:user) { should eq "syslog" } +end +describe process("rsyslogd"), :if => os[:family] == 'redhat' do + its(:user) { should eq "root" } +end + +describe file('/var/log'), :if => os[:family] == 'ubuntu' do + it { should be_directory } + it { should be_mode 775 } + it { should be_owned_by 'root' } + it { should be_grouped_into 'syslog' } +# it { should be_writable.by('group') } + it { should be_writable.by_user('syslog') } +end +describe file('/var/log'), :if => os[:family] == 'redhat' do + it { should be_directory } + it { should be_mode 755 } + it { should be_owned_by 'root' } + it { should be_grouped_into 'root' } +# it { should be_writable.by('group') } +end + +describe file('/var/log/syslog'), :if => os[:family] == 'ubuntu' do + it { should be_file } +end + +describe file('/var/log/messages'), :if => os[:family] == 'redhat' do + it { should be_file } +end + diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/run-local-tests.sh b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/run-local-tests.sh new file mode 100755 index 00000000..39050487 --- /dev/null +++ b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/run-local-tests.sh 
@@ -0,0 +1,32 @@ +#!/bin/sh -x +## get consistent ruby2+bundler env on each distribution + +location=`dirname "$0"` +cd $location +v=2.3 + +## docker environment in travis missing few utils +[ -f /etc/debian_version ] && apt-get install -y curl +[ -f /etc/redhat-release ] && yum -y install which + +curl -sSL https://get.rvm.io | bash +#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm +#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh + +## troubleshoot +type rvm | head -1 +env + +#export PATH=/usr/local/rvm/bin:$PATH + +bash -l -c "rvm install $v" +bash -l -c "rvm use $v" +bash -l -c "rvm use $v --default" +bash -l -c "gem install bundler" +bash -l -c "bundle install --path ./gems" +if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then + bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec" +else + bash -l -c "bundle exec rake spec" +fi + diff --git a/osquery/roles/osquery/test/integration/default-profiling/bats/idempotency.bats b/osquery/roles/osquery/test/integration/default-profiling/bats/idempotency.bats new file mode 100644 index 00000000..0ce1c670 --- /dev/null +++ b/osquery/roles/osquery/test/integration/default-profiling/bats/idempotency.bats @@ -0,0 +1,14 @@ +#!/usr/bin/env bats +# + +# +# Idempotence test +# from https://github.com/neillturner/kitchen-ansible/issues/92 +# + +@test "Second run should change nothing" { + skip "service module issue" + run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1" + [ "$status" -eq 0 ] +} + diff --git a/osquery/roles/osquery/test/integration/default-profiling/default.yml b/osquery/roles/osquery/test/integration/default-profiling/default.yml new file mode 100644 index 00000000..6d930f0f --- /dev/null +++ b/osquery/roles/osquery/test/integration/default-profiling/default.yml 
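Review bot: `curl -sSL https://get.rvm.io | bash` executes whatever the remote returns with no integrity check, and the script runs with root rights on the test hosts (the `apt-get install -y curl` / `yum -y install which` lines above it only succeed as root). The rvm installer verifies its own signature only if the project's signing keys were imported beforehand, so import them as the rvm documentation describes first, or download the installer to a file, check it against a known digest and then run it; the same script is added verbatim twice more (default-profiling and default suites). Two smaller points: `cd $location` is unquoted, and with `#!/bin/sh -x` but no `set -e` a failed `rvm install $v` still runs the remaining `bash -l -c` lines, so a Ruby install failure surfaces later as an unrelated bundler error; `set -e` after the shebang (or `#!/bin/sh -ex`) fixes that.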
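Review bot: `skip "service module issue"` unconditionally disables the only idempotency check, so the `run bash -c "ansible-playbook …"` line below it never executes; the same file is added again for the default suite later in this diff. Without a tracking reference the skip tends to outlive the problem it works around: name it, e.g. `skip "service module issue, see <TRACKING-ISSUE-PLACEHOLDER>"`, or make the skip conditional on an environment variable so the check can be re-enabled without editing the file.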
@@ -0,0 +1,11 @@
+---
+
+- hosts: all
+#- hosts: test-kitchen
+ vars:
+ - osquery_testing: true
+ - osquery_profiling: true
+ - osquery_testing_fim_load: true
+ roles:
+ - kbrebanov.osquery
+
diff --git a/osquery/roles/osquery/test/integration/default-profiling/serverspec/Gemfile b/osquery/roles/osquery/test/integration/default-profiling/serverspec/Gemfile
new file mode 100644
index 00000000..938ed3ed
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-profiling/serverspec/Gemfile
@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+gem 'serverspec'
+gem 'rake'
+## for junit output and jenkins support
+## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
+#gem 'yarjuf'
+
diff --git a/osquery/roles/osquery/test/integration/default-profiling/serverspec/Rakefile b/osquery/roles/osquery/test/integration/default-profiling/serverspec/Rakefile
new file mode 100644
index 00000000..3699568c
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-profiling/serverspec/Rakefile
@@ -0,0 +1,9 @@
+require 'rake'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec) do |t|
+ t.pattern = '*_spec.rb'
+end
+
+task :default => :spec
+
diff --git a/osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_load_spec.rb b/osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_load_spec.rb
new file mode 100644
index 00000000..0a1a0c5d
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_load_spec.rb
@@ -0,0 +1,17 @@
+require 'serverspec'
+
+# Required by serverspec
+set :backend, :exec
+
+describe file('/var/log/osquery/osqueryd.results.log') do
+ it { should contain '"system_info",' }
+ it { should contain '"physical_memory":' }
+ it { should contain '"target_path":"\/etc\/testing-big-file"' }
+ it { should contain '"target_path":"\/etc\/testing-aa"' }
+ it { should contain '"target_path":"\/etc\/testing-zz' }
+ it { should contain '"action":"CREATED"' }
+ it { should contain '"action":"UPDATED"' }
+ it { should contain '"action":"DELETED"' }
+ it { should_not contain '"target_path":"\/tmp\/' }
+ it { should_not contain '"target_path":"\/var\/' }
+end
diff --git a/osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_spec.rb b/osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_spec.rb
new file mode 100644
index 00000000..7ba33616
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_spec.rb
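Review bot: `it { should contain '"target_path":"\/etc\/testing-zz' }` is the only expectation in the block without the closing `"` its siblings have; if that is a deliberate prefix match over several `testing-zz*` paths a short comment should say so, otherwise it should read `it { should contain '"target_path":"\/etc\/testing-zz"' }`. Note also that serverspec's `contain` hands the string to grep as a pattern, so the `\/` sequences are regex escapes that presumably match the escaped slashes osquery writes into its JSON results; a one-line comment on the block (`## patterns match osquery's JSON, where / is written as \/`) would stop a future cleanup from "fixing" them into plain slashes.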
@@ -0,0 +1,59 @@ +require 'serverspec' + +# Required by serverspec +set :backend, :exec + +describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do +## mostly exclude for docker/systemd distributions + it { should be_enabled } +end +describe service('osqueryd') do + it { should be_running } +end + +describe file('/usr/bin/osqueryd') do + it { should be_executable } +end +describe file('/usr/bin/osqueryi') do + it { should be_executable } +end + +describe file('/etc/osquery/osquery.conf') do + it { should contain '"config_plugin":' } + it { should contain '"packs": {' } + it { should contain '"filesystem"' } +end + +describe process("osqueryd") do + its(:user) { should eq "root" } + its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ } + its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ } +end + +describe file('/var/log/osquery/osqueryd.INFO') do + it { should be_symlink } + its(:content) { should match /Log line format:/ } +end +describe file('/var/log/osquery/osqueryd.WARNING') do + it { should be_symlink } + its(:content) { should match /Log line format:/ } + its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ } +end +describe file('/var/log/osquery/osqueryd.results.log') do + it { should be_file } +# its(:content) { should match /hostIdentifier/ } + let(:sudo_options) { '-u root -H' } +end + +describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do + its(:stdout) { should match /osqueryd is already running/ } + its(:exit_status) { should eq 0 } +end +describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do + its(:stdout) { should match /active \(running\)/ } + its(:exit_status) { should eq 0 } +end +describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do + its(:stdout) { should 
match /active \(running\)/ } + its(:exit_status) { should eq 0 } +end diff --git a/osquery/roles/osquery/test/integration/default-profiling/serverspec/run-local-tests.sh b/osquery/roles/osquery/test/integration/default-profiling/serverspec/run-local-tests.sh new file mode 100755 index 00000000..39050487 --- /dev/null +++ b/osquery/roles/osquery/test/integration/default-profiling/serverspec/run-local-tests.sh @@ -0,0 +1,32 @@ +#!/bin/sh -x +## get consistent ruby2+bundler env on each distribution + +location=`dirname "$0"` +cd $location +v=2.3 + +## docker environment in travis missing few utils +[ -f /etc/debian_version ] && apt-get install -y curl +[ -f /etc/redhat-release ] && yum -y install which + +curl -sSL https://get.rvm.io | bash +#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm +#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh + +## troubleshoot +type rvm | head -1 +env + +#export PATH=/usr/local/rvm/bin:$PATH + +bash -l -c "rvm install $v" +bash -l -c "rvm use $v" +bash -l -c "rvm use $v --default" +bash -l -c "gem install bundler" +bash -l -c "bundle install --path ./gems" +if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then + bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec" +else + bash -l -c "bundle exec rake spec" +fi + diff --git a/osquery/roles/osquery/test/integration/default/bats/idempotency.bats b/osquery/roles/osquery/test/integration/default/bats/idempotency.bats new file mode 100644 index 00000000..0ce1c670 --- /dev/null +++ b/osquery/roles/osquery/test/integration/default/bats/idempotency.bats @@ -0,0 +1,14 @@ +#!/usr/bin/env bats +# + +# +# Idempotence test +# from https://github.com/neillturner/kitchen-ansible/issues/92 +# + +@test "Second run should change nothing" { + skip "service module issue" + run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1" + [ "$status" -eq 0 ] +} + 
diff --git a/osquery/roles/osquery/test/integration/default/default.yml b/osquery/roles/osquery/test/integration/default/default.yml
new file mode 100644
index 00000000..a7adba95
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default/default.yml
@@ -0,0 +1,7 @@
+---
+
+- hosts: all
+#- hosts: test-kitchen
+ roles:
+ - kbrebanov.osquery
+
diff --git a/osquery/roles/osquery/test/integration/default/serverspec/Gemfile b/osquery/roles/osquery/test/integration/default/serverspec/Gemfile
new file mode 100644
index 00000000..938ed3ed
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default/serverspec/Gemfile
@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+gem 'serverspec'
+gem 'rake'
+## for junit output and jenkins support
+## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
+#gem 'yarjuf'
+
diff --git a/osquery/roles/osquery/test/integration/default/serverspec/Rakefile b/osquery/roles/osquery/test/integration/default/serverspec/Rakefile
new file mode 100644
index 00000000..3699568c
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default/serverspec/Rakefile
@@ -0,0 +1,9 @@
+require 'rake'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec) do |t|
+ t.pattern = '*_spec.rb'
+end
+
+task :default => :spec
+
diff --git a/osquery/roles/osquery/test/integration/default/serverspec/osquery_spec.rb b/osquery/roles/osquery/test/integration/default/serverspec/osquery_spec.rb
new file mode 100644
index 00000000..7ba33616
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default/serverspec/osquery_spec.rb
@@ -0,0 +1,59 @@ +require 'serverspec' + +# Required by serverspec +set :backend, :exec + +describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do +## mostly exclude for docker/systemd distributions + it { should be_enabled } +end +describe service('osqueryd') do + it { should be_running } +end + +describe file('/usr/bin/osqueryd') do + it { should be_executable } +end +describe file('/usr/bin/osqueryi') do + it { should be_executable } +end + +describe file('/etc/osquery/osquery.conf') do + it { should contain '"config_plugin":' } + it { should contain '"packs": {' } + it { should contain '"filesystem"' } +end + +describe process("osqueryd") do + its(:user) { should eq "root" } + its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ } + its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ } +end + +describe file('/var/log/osquery/osqueryd.INFO') do + it { should be_symlink } + its(:content) { should match /Log line format:/ } +end +describe file('/var/log/osquery/osqueryd.WARNING') do + it { should be_symlink } + its(:content) { should match /Log line format:/ } + its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ } +end +describe file('/var/log/osquery/osqueryd.results.log') do + it { should be_file } +# its(:content) { should match /hostIdentifier/ } + let(:sudo_options) { '-u root -H' } +end + +describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do + its(:stdout) { should match /osqueryd is already running/ } + its(:exit_status) { should eq 0 } +end +describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do + its(:stdout) { should match /active \(running\)/ } + its(:exit_status) { should eq 0 } +end +describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do + its(:stdout) { should 
match /active \(running\)/ } + its(:exit_status) { should eq 0 } +end diff --git a/osquery/roles/osquery/test/integration/default/serverspec/run-local-tests.sh b/osquery/roles/osquery/test/integration/default/serverspec/run-local-tests.sh new file mode 100755 index 00000000..39050487 --- /dev/null +++ b/osquery/roles/osquery/test/integration/default/serverspec/run-local-tests.sh @@ -0,0 +1,32 @@ +#!/bin/sh -x +## get consistent ruby2+bundler env on each distribution + +location=`dirname "$0"` +cd $location +v=2.3 + +## docker environment in travis missing few utils +[ -f /etc/debian_version ] && apt-get install -y curl +[ -f /etc/redhat-release ] && yum -y install which + +curl -sSL https://get.rvm.io | bash +#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm +#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh + +## troubleshoot +type rvm | head -1 +env + +#export PATH=/usr/local/rvm/bin:$PATH + +bash -l -c "rvm install $v" +bash -l -c "rvm use $v" +bash -l -c "rvm use $v --default" +bash -l -c "gem install bundler" +bash -l -c "bundle install --path ./gems" +if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then + bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec" +else + bash -l -c "bundle exec rake spec" +fi + diff --git a/osquery/roles/osquery/test/lxd/centos-ssh-image.sh b/osquery/roles/osquery/test/lxd/centos-ssh-image.sh new file mode 100644 index 00000000..001073ff --- /dev/null +++ b/osquery/roles/osquery/test/lxd/centos-ssh-image.sh 
@@ -0,0 +1,25 @@
+#!/bin/sh
+# add ssh to default lxd image
+
+image=centos-7
+guest=default-$image
+template="$image"-nossh
+publishalias="$image"
+
+lxc init $template $guest
+lxc start $guest
+openssl rand -base64 48 | perl -ne 'print "$_" x2' | lxc exec $guest -- passwd root
+
+lxc exec $guest -- dhclient eth0
+lxc exec $guest -- ping -c 1 8.8.8.8
+lxc exec $guest -- yum update
+lxc exec $guest -- yum -y upgrade
+lxc exec $guest -- yum install -y openssh-server sudo ruby yum-utils
+lxc exec $guest -- systemctl enable sshd
+lxc exec $guest -- systemctl start sshd
+lxc exec $guest -- mkdir /root/.ssh || true
+lxc exec $guest -- gem install busser
+
+lxc stop $guest --force
+lxc publish $guest --alias $publishalias
+lxc delete $guest
diff --git a/osquery/roles/osquery/test/travis/Dockerfile.alpine-3.4 b/osquery/roles/osquery/test/travis/Dockerfile.alpine-3.4
new file mode 100644
index 00000000..861b7cda
--- /dev/null
+++ b/osquery/roles/osquery/test/travis/Dockerfile.alpine-3.4
@@ -0,0 +1,9 @@
+FROM alpine:3.4
+RUN apk update
+
+# Install Ansible
+RUN apk add git ansible python python-dev py-pip
+RUN mkdir /etc/ansible
+
+# Install Ansible inventory file
+RUN (echo "[local]"; echo "localhost ansible_connection=local") > /etc/ansible/hosts
diff --git a/osquery/roles/osquery/test/travis/Dockerfile.centos-6 b/osquery/roles/osquery/test/travis/Dockerfile.centos-6
new file mode 100644
index 00000000..3d5f0c86
--- /dev/null
+++ b/osquery/roles/osquery/test/travis/Dockerfile.centos-6
@@ -0,0 +1,15 @@
+FROM centos:6
+
+# Install Ansible
+RUN yum -y update; yum clean all;
+RUN yum -y install epel-release
+RUN yum -y install git ansible sudo python-pip
+RUN yum clean all
+
+# Disable requiretty
+RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers
+
+# Install Ansible inventory file
+RUN echo -e '[local]\nlocalhost ansible_connection=local' > /etc/ansible/hosts
+
+CMD ["/usr/sbin/init"]
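Review bot: The script has no `set -e`, so a failed step such as `yum install -y openssh-server sudo ruby yum-utils` or `systemctl enable sshd` still reaches `lxc publish $guest --alias $publishalias`, producing an image under the expected alias that lacks what the header comment promises. `set -eu` after the shebang fixes that; `lxc exec $guest -- yum update` without `-y` then has to go, because non-interactively it answers no and does nothing (the `yum -y upgrade` after it does the work). `lxc exec $guest -- mkdir /root/.ssh || true` creates the directory with the guest's default umask; `lxc exec $guest -- install -d -m 0700 /root/.ssh` gives it the mode sshd expects. The root password generated by `openssl rand -base64 48` is never recorded, which effectively disables password login on the published image; a comment saying that is intended would stop someone from "fixing" it.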
diff --git a/osquery/roles/osquery/test/travis/Dockerfile.centos-7 b/osquery/roles/osquery/test/travis/Dockerfile.centos-7 new file mode 100644 index 00000000..5763ece8 --- /dev/null +++ b/osquery/roles/osquery/test/travis/Dockerfile.centos-7 @@ -0,0 +1,29 @@ +FROM centos:7 + +# Install systemd -- See https://hub.docker.com/_/centos/ +RUN yum -y swap -- remove fakesystemd -- install systemd systemd-libs +RUN yum -y update; yum clean all; \ +(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \ +rm -f /lib/systemd/system/multi-user.target.wants/*; \ +rm -f /etc/systemd/system/*.wants/*; \ +rm -f /lib/systemd/system/local-fs.target.wants/*; \ +rm -f /lib/systemd/system/sockets.target.wants/*udev*; \ +rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \ +rm -f /lib/systemd/system/basic.target.wants/*; \ +rm -f /lib/systemd/system/anaconda.target.wants/*; + +# Install Ansible +RUN yum -y install epel-release +RUN yum -y install git sudo python-pip python-devel libffi-devel +RUN yum -y groupinstall 'Development Tools' +RUN yum clean all + +# Disable requiretty +RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers + +# Install Ansible inventory file +RUN mkdir /etc/ansible +RUN echo -e '[local]\nlocalhost ansible_connection=local' > /etc/ansible/hosts + +VOLUME ["/sys/fs/cgroup"] +CMD ["/usr/sbin/init"] diff --git a/osquery/roles/osquery/test/travis/Dockerfile.debian-8 b/osquery/roles/osquery/test/travis/Dockerfile.debian-8 new file mode 100644 index 00000000..bc6a52fb --- /dev/null +++ b/osquery/roles/osquery/test/travis/Dockerfile.debian-8 
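Review bot: Under `# Install Ansible` nothing installs Ansible — the layer adds only `git sudo python-pip python-devel libffi-devel` and `'Development Tools'` — whereas the centos-6 Dockerfile in this diff does `yum -y install git ansible sudo python-pip`; presumably pip supplies it later in the CI job, but the comment should describe what the layer really does, e.g. `# Build prerequisites for installing Ansible via pip (done by the CI job)`. A line above `VOLUME ["/sys/fs/cgroup"]` would also help: together with `CMD ["/usr/sbin/init"]` this image only works when the runner mounts the host cgroup tree and grants the container the privileges systemd needs, which is not obvious from the file.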
@@ -0,0 +1,11 @@ +FROM debian:8 +RUN apt-get update + +# Install Ansible +RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git python sudo python-pip python-dev libffi-dev libssl-dev +RUN pip install --upgrade cffi +RUN pip install ansible +RUN install -d -m 0755 /etc/ansible + +# Install Ansible inventory file +RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts diff --git a/osquery/roles/osquery/test/travis/Dockerfile.debian-9 b/osquery/roles/osquery/test/travis/Dockerfile.debian-9 new file mode 100644 index 00000000..8cb908b2 --- /dev/null +++ b/osquery/roles/osquery/test/travis/Dockerfile.debian-9 @@ -0,0 +1,12 @@ +FROM debian:9 +RUN apt-get update + +# Install Ansible +RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git +RUN apt-get update +RUN apt-get install -y python sudo python-pip python-dev libffi-dev +RUN pip install --upgrade setuptools + +RUN mkdir -p /etc/ansible +# Install Ansible inventory file +RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts diff --git a/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-12.04 b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-12.04 new file mode 100644 index 00000000..e0471c17 --- /dev/null +++ b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-12.04 @@ -0,0 +1,11 @@ +FROM ubuntu:12.04 +RUN apt-get update + +# Install Ansible +RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common python-software-properties git +RUN apt-add-repository -y ppa:ansible/ansible +RUN apt-get update +RUN apt-get install -y ansible python-pip + +# Install Ansible inventory file +RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts diff --git a/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-14.04 b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-14.04 new file mode 100644 index 00000000..9466b900 --- /dev/null 
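Review bot: `RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts` depends on the image's `/bin/sh` echo expanding `\n` (dash on Debian/Ubuntu does, bash does not), so the inventory is either two lines or one line holding a literal `\n`; the same line appears in the debian-9, ubuntu-12.04, ubuntu-14.04, ubuntu-16.04 and ubuntu-18.04 Dockerfiles that follow. `RUN printf '[local]\nlocalhost ansible_connection=local\n' > /etc/ansible/hosts` behaves the same under any shell (the centos files already sidestep the issue with `echo -e`). `RUN pip install ansible` is unpinned, so every rebuild picks up whatever is current on the index; `pip install 'ansible==<VERSION-PLACEHOLDER>'` keeps the CI image reproducible.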
+++ b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-14.04 @@ -0,0 +1,15 @@ +FROM ubuntu:14.04 +RUN apt-get update + +# Install Ansible +RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git +#RUN apt-add-repository -y ppa:ansible/ansible +RUN apt-get update +RUN apt-get install -y python-pip python-dev libffi-dev + +COPY initctl_faker . +RUN chmod +x initctl_faker && rm -fr /sbin/initctl && ln -s /initctl_faker /sbin/initctl + +# Install Ansible inventory file +RUN mkdir /etc/ansible +RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts diff --git a/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-16.04 b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-16.04 new file mode 100644 index 00000000..987793fb --- /dev/null +++ b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-16.04 @@ -0,0 +1,12 @@ +FROM ubuntu:16.04 +RUN apt-get update + +# Install Ansible +RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git +#RUN apt-add-repository -y ppa:ansible/ansible +RUN apt-get update +RUN apt-get install -y python sudo python-pip python-dev libffi-dev + +# Install Ansible inventory file +RUN mkdir /etc/ansible +RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts diff --git a/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-18.04 b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-18.04 new file mode 100644 index 00000000..785803d0 --- /dev/null +++ b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-18.04 @@ -0,0 +1,11 @@ +FROM ubuntu:18.04 +RUN apt-get update + +# Install Ansible +RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git systemd +RUN apt-get update +RUN apt-get install -y python sudo python-pip python-dev libffi-dev + +# Install Ansible inventory file +RUN mkdir /etc/ansible +RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts 
diff --git a/osquery/roles/osquery/test/travis/initctl_faker b/osquery/roles/osquery/test/travis/initctl_faker
new file mode 100644
index 00000000..8a05ae86
--- /dev/null
+++ b/osquery/roles/osquery/test/travis/initctl_faker
@@ -0,0 +1,25 @@
+#!/bin/sh
+## from https://github.com/oxyc/drupal-vm/blob/84b3ad6cf65fb87ac60777c5aca55bb82a45b4aa/tests/initctl_faker
+ALIAS_CMD="$(echo ""$0"" | sed -e 's?/sbin/??')"
+
+case "$ALIAS_CMD" in
+ start|stop|restart|reload|status)
+ exec service $1 $ALIAS_CMD
+ ;;
+esac
+
+case "$1" in
+ list )
+ exec service --status-all
+ ;;
+ reload-configuration )
+ exec service $2 restart
+ ;;
+ start|stop|restart|reload|status)
+ exec service $2 $1
+ ;;
+ \?)
+ exit 0
+ ;;
+esac
+
diff --git a/osquery/roles/osquery/test/vagrant/Vagrantfile b/osquery/roles/osquery/test/vagrant/Vagrantfile
new file mode 100644
index 00000000..393896a0
--- /dev/null
+++ b/osquery/roles/osquery/test/vagrant/Vagrantfile
@@ -0,0 +1,36 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+VAGRANTFILE_API_VERSION = "2"
+ENV['VAGRANT_DEFAULT_PROVIDER'] = 'virtualbox'
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+ config.vm.box = "ubuntu/bionic64"
+ #config.vm.box = "ubuntu/xenial64"
+ #config.vm.box = "boxcutter/ubuntu1604"
+ #config.vm.box = "ubuntu/trusty64"
+ #config.vm.box = "centos/7"
+ #config.vm.box = "generic/alpine36"
+
+ config.vm.provision :ansible do |ansible|
+ ansible.playbook = "site.yml"
+ #ansible.verbose = "vvvv"
+ #ansible.host_key_checking = false
+ #ansible.limit = 'all'
+ ansible.become = true
+ ansible.extra_vars = { ansible_user: 'vagrant', ansible_python_interpreter: '/usr/bin/python3' }
+ ansible.groups = {
+ "myrole" => ["osquery" ],
+ }
+ end
+
+ config.vm.define "vosquery" do |cfg|
+ cfg.vm.hostname = "vosquery"
+ cfg.vm.provider "virtualbox" do |v|
+ v.memory = 512
+ end
+
+ end
+
+end
+
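Review bot: `ansible.groups = { "myrole" => ["osquery" ] }` lists a machine named `osquery`, but the only machine defined is `config.vm.define "vosquery"`, so the group is empty; the play still runs because `site.yml` targets `hosts: all`. Either change the member to `"vosquery"` or drop `ansible.groups` entirely. `ansible_python_interpreter: '/usr/bin/python3'` in `ansible.extra_vars` suits `ubuntu/bionic64` but probably not the commented-out `trusty64` or `centos/7` boxes, so a comment next to it would save whoever switches boxes a failed provision.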
diff --git a/osquery/roles/osquery/test/vagrant/ansible.cfg b/osquery/roles/osquery/test/vagrant/ansible.cfg
new file mode 100644
index 00000000..4dacf8db
--- /dev/null
+++ b/osquery/roles/osquery/test/vagrant/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+callback_whitelist = profile_tasks, timer
+roles_path = ../../../
diff --git a/osquery/roles/osquery/test/vagrant/site.yml b/osquery/roles/osquery/test/vagrant/site.yml
new file mode 100644
index 00000000..27abbe1d
--- /dev/null
+++ b/osquery/roles/osquery/test/vagrant/site.yml
@@ -0,0 +1,6 @@
+---
+
+- hosts: all
+ roles:
+ - kbrebanov.osquery
+
diff --git a/osquery/roles/osquery/tests/inventory b/osquery/roles/osquery/tests/inventory
new file mode 100644
index 00000000..2fbb50c4
--- /dev/null
+++ b/osquery/roles/osquery/tests/inventory
@@ -0,0 +1 @@
+localhost
diff --git a/osquery/roles/osquery/tests/test.yml b/osquery/roles/osquery/tests/test.yml
new file mode 100644
index 00000000..dddb318b
--- /dev/null
+++ b/osquery/roles/osquery/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - ansible-osquery
diff --git a/osquery/roles/osquery/vars/CentOS-6.yml b/osquery/roles/osquery/vars/CentOS-6.yml
new file mode 100644
index 00000000..0c747005
--- /dev/null
+++ b/osquery/roles/osquery/vars/CentOS-6.yml
@@ -0,0 +1,2 @@
+---
+_osquery_auditd_pkg: "audit"
diff --git a/osquery/roles/osquery/vars/CentOS-7.yml b/osquery/roles/osquery/vars/CentOS-7.yml
new file mode 100644
index 00000000..0c747005
--- /dev/null
+++ b/osquery/roles/osquery/vars/CentOS-7.yml
@@ -0,0 +1,2 @@
+---
+_osquery_auditd_pkg: "audit"
diff --git a/osquery/roles/osquery/vars/CentOS.yml b/osquery/roles/osquery/vars/CentOS.yml
new file mode 100644
index 00000000..739cf1be
--- /dev/null
+++ b/osquery/roles/osquery/vars/CentOS.yml
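Review bot: `- ansible-osquery` under `roles:` in tests/test.yml is the only playbook in this diff that does not name the role `kbrebanov.osquery`, and the role directory itself is `osquery/roles/osquery`, so which of the three names resolves depends entirely on a roles_path or symlink that is not part of this change (vagrant/ansible.cfg sets `roles_path = ../../../`, which from that directory appears to point at `osquery/roles/`, where the role would be found as `osquery`). Picking one name for every test playbook, or adding a comment stating which symlink or roles_path is assumed, would make the tests runnable from a fresh checkout. `remote_user: root` on `hosts: localhost` is most likely redundant with the implicit local connection and reads as if SSH as root were required.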
@@ -0,0 +1,18 @@
+---
+# vars file for osquery (CentOS specific)
+
+osquery_packages:
+ - osquery
+ - rsyslog
+ - libselinux-python
+
+osquery_debug_packages:
+ - osquery-debuginfo
+
+_osquery_repository: "{{ osquery_repository | default('https://pkg.osquery.io/rpm/osquery-s3-rpm.repo') }}"
+_osquery_repositorykey: "{{ osquery_repositorykey | default('https://pkg.osquery.io/rpm/GPG') }}"
+
+_osquery_auditd_pkg: "audit"
+
+varlog_group: root
+varlog_mode: '0755'
diff --git a/osquery/roles/osquery/vars/Debian.yml b/osquery/roles/osquery/vars/Debian.yml
new file mode 100644
index 00000000..9b5cce8d
--- /dev/null
+++ b/osquery/roles/osquery/vars/Debian.yml
@@ -0,0 +1,19 @@
+---
+# vars file for osquery (Debian specific)
+# https://github.com/facebook/osquery/issues/320
+# https://github.com/facebook/osquery/issues/2321
+
+osquery_packages:
+ - osquery
+ - rsyslog
+
+osquery_debug_packages:
+ - osquery-dbg
+
+_osquery_repository: "{{ osquery_repository | default('deb [arch=amd64] https://pkg.osquery.io/deb deb main') }}"
+_osquery_repositorykey: "{{ osquery_repositorykey | default('1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B') }}"
+
+_osquery_auditd_pkg: "auditd"
+
+varlog_group: syslog
+varlog_mode: '0775'
diff --git a/osquery/roles/osquery/vars/RedHat-6.yml b/osquery/roles/osquery/vars/RedHat-6.yml
new file mode 100644
index 00000000..0c747005
--- /dev/null
+++ b/osquery/roles/osquery/vars/RedHat-6.yml
@@ -0,0 +1,2 @@
+---
+_osquery_auditd_pkg: "audit"
diff --git a/osquery/roles/osquery/vars/RedHat-7.yml b/osquery/roles/osquery/vars/RedHat-7.yml
new file mode 100644
index 00000000..0c747005
--- /dev/null
+++ b/osquery/roles/osquery/vars/RedHat-7.yml
@@ -0,0 +1,2 @@
+---
+_osquery_auditd_pkg: "audit"
diff --git a/osquery/roles/osquery/vars/RedHat.yml b/osquery/roles/osquery/vars/RedHat.yml
new file mode 100644
index 00000000..739cf1be
--- /dev/null
+++ b/osquery/roles/osquery/vars/RedHat.yml
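Review bot: `_osquery_repository: "{{ osquery_repository | default(...) }}"` and `_osquery_repositorykey` rely on a non-obvious convention — vars/ files outrank role defaults, so the user-facing `osquery_repository` value is folded in through `default()` — and nothing in the file says so; a comment above them, `# vars/ outranks defaults/, so a user-set osquery_repository* is honoured via default()`, would stop a maintainer from "simplifying" the indirection away. CentOS.yml and RedHat.yml later in this diff are byte-identical (same blob id), and `_osquery_auditd_pkg: "audit"` is repeated in CentOS-6.yml, CentOS-7.yml, RedHat-6.yml and RedHat-7.yml; if the role loads both the family file and the family-version file, as the filenames suggest, the per-version files add nothing and can go. On the Debian side the key is given as a full fingerprint and the repository is fetched over HTTPS, which is the right shape; a note that the fingerprint must be kept in step with osquery's published signing key would help whoever does the next upgrade.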
@@ -0,0 +1,18 @@
+---
+# vars file for osquery (CentOS specific)
+
+osquery_packages:
+ - osquery
+ - rsyslog
+ - libselinux-python
+
+osquery_debug_packages:
+ - osquery-debuginfo
+
+_osquery_repository: "{{ osquery_repository | default('https://pkg.osquery.io/rpm/osquery-s3-rpm.repo') }}"
+_osquery_repositorykey: "{{ osquery_repositorykey | default('https://pkg.osquery.io/rpm/GPG') }}"
+
+_osquery_auditd_pkg: "audit"
+
+varlog_group: root
+varlog_mode: '0755'
diff --git a/osquery/roles/osquery/vars/Ubuntu.yml b/osquery/roles/osquery/vars/Ubuntu.yml
new file mode 100644
index 00000000..0d5204aa
--- /dev/null
+++ b/osquery/roles/osquery/vars/Ubuntu.yml
@@ -0,0 +1,17 @@
+---
+# vars file for osquery (Ubuntu specific)
+
+osquery_packages:
+ - osquery
+ - rsyslog
+
+osquery_debug_packages:
+ - osquery-dbg
+
+_osquery_repository: "{{ osquery_repository | default('deb [arch=amd64] https://pkg.osquery.io/deb deb main') }}"
+_osquery_repositorykey: "{{ osquery_repositorykey | default('1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B') }}"
+
+_osquery_auditd_pkg: "auditd"
+
+varlog_group: syslog
+varlog_mode: '0775'
diff --git a/osquery/roles/osquery/vars/main.yml b/osquery/roles/osquery/vars/main.yml
new file mode 100644
index 00000000..444e1029
--- /dev/null
+++ b/osquery/roles/osquery/vars/main.yml
@@ -0,0 +1,6 @@
+---
+# vars file for osquery
+
+osquery_packages:
+ - osquery
+ - rsyslog
diff --git a/osquery/site-osquery.yml b/osquery/site-osquery.yml
index da0743c0..686affbd 100644
--- a/osquery/site-osquery.yml
+++ b/osquery/site-osquery.yml
@@ -11,5 +11,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-- import_playbook: registerSSLcerts.yml
 - import_playbook: installOSquery.yml
diff --git a/osquery/vars/variables.yml b/osquery/vars/variables.yml
index 00976ebd..57381b5b 100644
--- a/osquery/vars/variables.yml
+++ b/osquery/vars/variables.yml
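Review bot: The header comment in RedHat.yml, `# vars file for osquery (CentOS specific)`, is carried over from CentOS.yml and mislabels the file; `# vars file for osquery (RedHat family specific)` matches the filename. Ubuntu.yml likewise duplicates Debian.yml apart from the header and the two upstream issue links, so whoever rotates the apt key fingerprint has to remember two files; a note in each that it must stay in step with the other (or folding both into Debian.yml, since Ubuntu reports the Debian family) would prevent drift.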
@@ -1,40 +1,38 @@ +--- + mariadb_root_user: root -# kolide_fleet_enable: true kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert kolide_fleet_ssl_key: /etc/ssl/private/fleet.key -kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem kolide_fleet_ssl_ca_cert: /etc/ssl/certs/fleet-ca.pem -kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost" +kolide_fleet_ssl_ca_key: /etc/ssl/private/fleet-ca.key +kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem # Osquery vars -osquery_enroll_secret_dir: /etc/osquery/osquery_enroll_secret +osquery_enroll_secret_file: /etc/osquery/osquery_enroll_secret osquery_debug_packages_install: false - -osquery_debug_packages_install: false - osquery_config_plugin: 'filesystem' osquery_logger_plugin: 'filesystem' osquery_rsyslog: false osquery_flags: - - "--tls_server_certs={{ kolide_fleet_ssl_cert }}" - - "--tls_hostname={{ hostvars[groups['fleet'][0]]['ansible_host'] }}:{{ kolide_fleet_port }}" - - "--host_identifier=hostname" - - "--enroll_tls_endpoint=/api/v1/osquery/enroll" - - "--config_plugin=tls" - - "--config_tls_endpoint=/api/v1/osquery/config" - - "--config_tls_refresh=10" - - "--disable_distributed=false" - - "--distributed_plugin=tls" - - "--distributed_interval=10" - - "--distributed_tls_max_attempts=3" - - "--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read" - - "--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write" - - "--logger_plugin=tls" - - "--logger_tls_endpoint=/api/v1/osquery/log" - - "--logger_tls_period=10" - - "--enroll_secret_path={{ osquery_enroll_secret_dir }}" + - "--tls_server_certs={{ kolide_fleet_ssl_cert }}" + - "--tls_hostname={{ hostvars[groups['fleet_all'][0]]['ansible_host'] }}:443" + - "--host_identifier=hostname" + - "--enroll_tls_endpoint=/api/v1/osquery/enroll" + - "--config_plugin=tls" + - "--config_tls_endpoint=/api/v1/osquery/config" + - "--config_tls_refresh=10" + - 
"--disable_distributed=false" + - "--distributed_plugin=tls" + - "--distributed_interval=10" + - "--distributed_tls_max_attempts=3" + - "--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read" + - "--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write" + - "--logger_plugin=tls" + - "--logger_tls_endpoint=/api/v1/osquery/log" + - "--logger_tls_period=10" + - "--enroll_secret_path={{ osquery_enroll_secret_file }}"
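Review bot: `--tls_hostname` now hard-codes `:443`, whereas the removed line derived the port from `{{ kolide_fleet_port }}`; if fleet is exposed on any other port, or the port variable is still defined elsewhere, agents enrol against the wrong endpoint, so keep it templated: `- "--tls_hostname={{ hostvars[groups['fleet_all'][0]]['ansible_host'] }}:{{ kolide_fleet_port | default(443) }}"`. Separately, `--tls_server_certs` is given the leaf certificate `kolide_fleet_ssl_cert` while this hunk introduces a CA pair (`kolide_fleet_ssl_ca_cert` / `kolide_fleet_ssl_ca_key`); osquery treats that flag as the trust bundle used to verify the fleet server, so once the server certificate is issued by that CA the agents should be pointed at `kolide_fleet_ssl_ca_cert`, otherwise verification fails against a non-CA leaf. If it only works today because the server certificate is self-signed, the new CA variables are dead configuration and that should be stated in a comment above the flags list.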
