openstack-ansible-ops/osquery/roles/osquery/tasks/osquery_configure.yml


---
- name: Ensure directories exist
  # Runtime/state directory for osquery. Only the mode is pinned here; owner
  # and group are left to whatever creates it (root under a normal play run).
  file:
    path: /var/osquery
    state: directory
    mode: "0755"
- name: Ensure target syslog dir exists
  # Log directory for osquery. Mode and group come from role variables
  # (varlog_mode / varlog_group) that are defined outside this task file.
  file:
    path: /var/log/osquery
    state: directory
    group: "{{ varlog_group }}"
    mode: "{{ varlog_mode }}"
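- name: Push extra osquery packs file
  # Render each extra query pack from "<item>.conf.j2" into the packs
  # directory. The mode is pinned explicitly so the result does not depend on
  # the controller's umask and matches the 0644 used for osquery.conf below.
  template:
    src: "{{ item }}.conf.j2"
    dest: "/usr/share/osquery/packs/{{ item | basename }}.conf"
    mode: "0644"
    backup: true
  loop: "{{ osquery_upload_packs }}"
  notify:
    - restart osquery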
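- name: Print osquery packs
  # Diagnostic only: echo the resolved pack list. Written as block YAML rather
  # than the "key=value" shorthand, per Ansible style.
  debug:
    var: osquery_packs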
- name: Configure osquery
  # Render the main osquery configuration. `validate` runs osqueryi's config
  # check against the temporary file (%s) before it is moved into place, so a
  # broken template never replaces a working /etc/osquery/osquery.conf.
  template:
    src: "{{ osquery_template }}"
    dest: /etc/osquery/osquery.conf
    mode: "0644"
    backup: true
    validate: 'osqueryi --config_path %s --config_check --verbose'
  notify:
    - restart osquery
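- name: Express the osquery secret to disk
  # Write the enrollment secret as the whole file content. The previous
  # lineinfile form (line present, no regexp) appended a rotated secret under
  # the old one, leaving the stale secret on disk and handing osquery a
  # two-line file. The trailing newline matches what lineinfile wrote.
  copy:
    content: "{{ osquery_enroll_secret }}\n"
    dest: /etc/osquery/osquery_enroll_secret
    owner: root
    group: root
    mode: "0600"
  # Keep the secret out of task output, diffs and any log aggregation.
  no_log: true
  notify:
    - restart osquery
  when:
    - osquery_enroll_secret is defined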
- name: Configure osquery flags
  # Render the daemon flag file. NOTE(review): unlike the osquery.conf task,
  # there is no `validate` step here, so a bad flag only surfaces when the
  # restart handler runs.
  template:
    src: osquery.flags.j2
    dest: /etc/osquery/osquery.flags
    mode: "0644"
    backup: true
  notify:
    - restart osquery
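- name: Re-validate whole osquery config
  # Read-only check of the installed configuration (packs included).
  command: 'osqueryi --config_path /etc/osquery/osquery.conf --config_check --verbose'
  changed_when: false
  register: confcheck
  # A custom failed_when replaces Ansible's default exit-status check, so the
  # exit code has to be tested explicitly. The original looked only at stdout,
  # so a non-zero exit whose message went to stderr passed silently.
  failed_when: >-
    confcheck.rc != 0
    or 'error' in (confcheck.stdout ~ confcheck.stderr)
    or 'fail' in (confcheck.stdout ~ confcheck.stderr)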
- name: Add logrotate configuration for osquery log
  # Static logrotate drop-in shipped with the role (files/logrotate-osquery).
  copy:
    src: logrotate-osquery
    dest: /etc/logrotate.d/osquery
    mode: "0644"
    backup: true
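- name: Review inotify sysctl settings for osquery
  # Raise the inotify limits (presumably for osquery's file-event monitoring)
  # and persist them in a dedicated sysctl.d drop-in.
  sysctl:
    name: "{{ item.n }}"
    value: "{{ item.v }}"
    sysctl_set: true
    state: present
    reload: true
    sysctl_file: /etc/sysctl.d/99-osquery.conf
  # Best-effort: sysctl may be read-only (containers, hardened hosts). Report
  # the failure and carry on instead of hiding it — `failed_when: false`
  # marked such hosts "ok", so an unchanged limit was never visible.
  ignore_errors: true
  loop:
    - n: fs.inotify.max_user_watches
      v: 524288
    - n: fs.inotify.max_user_instances
      v: 256
    - n: fs.inotify.max_queued_events
      v: 32768
  loop_control:
    label: "{{ item.n }}"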