--- - name: Ensure directories exist file: dest: "/var/osquery" state: directory mode: "0755" - name: Ensure target syslog dir exists file: dest: "/var/log/osquery" state: directory mode: "{{ varlog_mode }}" group: "{{ varlog_group }}" - name: Push extra osquery packs file template: src: "{{ item }}.conf.j2" dest: "/usr/share/osquery/packs/{{ item | basename }}.conf" backup: yes with_items: "{{ osquery_upload_packs }}" notify: - restart osquery - name: Print osquery packs debug: var=osquery_packs - name: Configure osquery template: src: "{{ osquery_template }}" dest: /etc/osquery/osquery.conf mode: '0644' backup: yes validate: 'osqueryi --config_path %s --config_check --verbose' notify: - restart osquery - name: Express the osquery secret to disk lineinfile: path: "/etc/osquery/osquery_enroll_secret" line: "{{ osquery_enroll_secret }}" state: present owner: "root" group: "root" mode: "0600" create: true notify: - restart osquery when: - osquery_enroll_secret is defined - name: Configure osquery flags template: src: "osquery.flags.j2" dest: /etc/osquery/osquery.flags mode: '0644' backup: yes notify: - restart osquery - name: Re-validate whole osquery config command: 'osqueryi --config_path /etc/osquery/osquery.conf --config_check --verbose' changed_when: false register: confcheck failed_when: "'error' in confcheck.stdout or 'fail' in confcheck.stdout" - name: Add logrotate configuration for osquery log copy: src: logrotate-osquery dest: /etc/logrotate.d/osquery mode: '0644' backup: yes - name: Review inotify sysctl settings for osquery sysctl: name: "{{ item.n }}" value: "{{ item.v }}" sysctl_set: yes state: present reload: yes sysctl_file: /etc/sysctl.d/99-osquery.conf failed_when: false with_items: - n: 'fs.inotify.max_user_watches' v: 524288 - n: 'fs.inotify.max_user_instances' v: 256 - n: 'fs.inotify.max_queued_events' v: 32768