Add osquery testing

Change-Id: Ia8249da40bf5eb0e09b5d7811eb126b60dc5dc73
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Kevin Carter 2018-10-16 22:40:36 -05:00
parent 33d22c552e
commit 88bf46c65c
GPG Key ID: 9443251A787B9FB3
37 changed files with 715 additions and 908 deletions


@ -42,6 +42,7 @@ if [[ ! -e "${ANSIBLE_EMBED_HOME}/bin/ansible" ]]; then
eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade ansible==2.5.5.0 --isolated"
eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade jmespath --isolated"
eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade hvac --isolated"
eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade netaddr --isolated"
echo "Ansible can be found here: ${ANSIBLE_EMBED_HOME}/bin"
fi
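Review bot: The new netaddr install on the line after hvac is unpinned (`--upgrade netaddr`), so every test bootstrap pulls whatever PyPI serves that day, while ansible two lines above is pinned to 2.5.5.0; jmespath and hvac have the same gap. Pin it the same way, `eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade netaddr==<tested version> --isolated"`, and consider moving all four into one requirements file installed with `--require-hashes` so the embedded Ansible environment is reproducible. The enclosing `if` block opens before the hunk.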


@ -595,7 +595,7 @@ deployed to the environment as if this was a production installation.
.. code-block:: bash
tests/run-tests.sh
CLUSTERED=yes tests/run-tests.sh
After the test build is completed the cluster will test it's layout and ensure


@ -14,7 +14,7 @@
# limitations under the License.
- name: Setup host for nspawn
hosts: physical_hosts
hosts: localhost
connection: local
become: true
vars:


@ -60,6 +60,11 @@
reload: "yes"
sysctl_file: /etc/sysctl.d/99-elasticsearch.conf
- name: Create tmp osquery dir
file:
path: "/tmp/elk-metrics-6x-logs"
state: directory
- name: Flush iptables rules
command: "{{ item }}"
args:
@ -90,17 +95,19 @@
args:
chdir: "src/{{ current_test_repo }}/elk_metrics_6x"
- name: Run ansible-galaxy
- name: Run ansible-galaxy (tests)
become: yes
become_user: root
command: "/root/ansible25/bin/ansible-galaxy install --force -r ansible-role-requirements.yml"
command: "/root/ansible25/bin/ansible-galaxy install --force --ignore-errors --roles-path=/root/ansible25/repositories/roles -r ansible-role-requirements.yml"
args:
chdir: "src/{{ current_test_repo }}/elk_metrics_6x/tests"
chdir: "src/{{ current_test_repo }}/osquery/tests"
- name: Install netaddr
pip:
name: netaddr
virtualenv: "/root/ansible25"
- name: Run ansible-galaxy (elk_metrics_6x)
become: yes
become_user: root
command: "/root/ansible25/bin/ansible-galaxy install --force --ignore-errors --roles-path=/root/ansible25/repositories/roles -r ansible-role-requirements.yml"
args:
chdir: "src/{{ current_test_repo }}/osquery"
- name: Run environment setup
become: yes
@ -110,6 +117,7 @@
ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
ANSIBLE_LOG_PATH: "/tmp/elk-metrics-6x-logs/ansible-elk-test-container-setup.log"
ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
args:
chdir: "src/{{ current_test_repo }}/elk_metrics_6x/tests"
when:
@ -124,6 +132,7 @@
ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
ANSIBLE_LOG_PATH: "/tmp/elk-metrics-6x-logs/ansible-elk-test-container-setup.log"
ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
args:
chdir: "src/{{ current_test_repo }}/elk_metrics_6x/tests"
when:
@ -144,6 +153,7 @@
ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
ANSIBLE_LOG_PATH: "/tmp/elk-metrics-6x-logs/ansible-elk-test-deployment.log"
ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
args:
chdir: "src/{{ current_test_repo }}/elk_metrics_6x"
@ -155,5 +165,6 @@
ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
ANSIBLE_LOG_PATH: "/tmp/elk-metrics-6x-logs/ansible-elk-test-show-cluster.log"
ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
args:
chdir: "src/{{ current_test_repo }}/elk_metrics_6x"
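Review bot: Both new `ansible-galaxy install` commands add `--ignore-errors`, which turns a failed role download into a silent success; the run then continues with whatever happens to be in `/root/ansible25/repositories/roles` and fails later with an unrelated "role not found" error, or tests a stale copy of the role. Drop the flag so a missing dependency fails at install time. Separately, the new "Create tmp osquery dir" task creates `/tmp/elk-metrics-6x-logs` while the README added in this commit tells users to look in `/tmp/osquery-logs`, and the task named `Run ansible-galaxy (elk_metrics_6x)` actually runs in the osquery directory; the names and paths look carried over from the elk test playbook and should be aligned.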


@ -34,6 +34,12 @@ ${HOME}/ansible25/bin/ansible-galaxy install --force \
--roles-path="${HOME}/ansible25/repositories/roles" \
--role-file="${TEST_DIR}/elk_metrics_6x/tests/ansible-role-requirements.yml"
if [[ ! -e "${TEST_DIR}/osquery/tests/src" ]]; then
ln -s ${TEST_DIR}/../ ${TEST_DIR}/osquery/tests/src
fi
${HOME}/ansible25/bin/ansible-playbook -i 'localhost,' \
-vv \
-e ansible_connection=local \
-e test_clustered_elk=${CLUSTERED:-no} \
${TEST_DIR}/elk_metrics_6x/tests/test.yml
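Review bot: The new `ln -s ${TEST_DIR}/../ ${TEST_DIR}/osquery/tests/src` leaves both paths unquoted, and the `-e` guard evaluates false for a dangling `src` symlink, in which case `ln -s` then fails with "File exists". Quote the paths and test for the link itself: `if [[ ! -e "${TEST_DIR}/osquery/tests/src" && ! -L "${TEST_DIR}/osquery/tests/src" ]]; then` followed by `ln -s "${TEST_DIR}/../" "${TEST_DIR}/osquery/tests/src"`. Note that the playbook invoked on the last line is still `elk_metrics_6x/tests/test.yml` and the role file above is the elk one, so it is not clear from this hunk what consumes the new osquery symlink.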


@ -208,10 +208,42 @@ The individual playbooks found within this repository can be independently run
at anytime.
Local testing
-------------
To test these playbooks within a local environment you will need a single server
with at leasts 8GiB of RAM and 40GiB of storage on root. Running an `m1.medium`
(openstack) flavor size is generally enough to get an environment online.
To run the local functional tests execute the `run-tests.sh` script out of the
tests directory. This will create a 1 node kolide-fleet cluster and install
osquery on the local host.
.. code-block:: bash
CLUSTERED=yes tests/run-tests.sh
After the test build is completed the cluster will test it's layout and ensure
processes are functioning normally. Logs for the cluster can be found at
`/tmp/osquery-logs`.
To rerun the playbooks after a test build, source the `tests/manual-test.rc`
file and follow the onscreen instructions.
To clean-up a test environment and start from a bare server slate the
`run-cleanup.sh` script can be used. This script is disruptive and will purge
all `osquery` related services within the local test environment.
.. code-block:: bash
tests/run-cleanup.sh
Architecture | Data flow
^^^^^^^^^^^^^^^^^^^^^^^^
This diagram outlines the data flow from within an Elastic-Stack deployment.
This diagram outlines the data flow from within an osquery deployment.
.. image:: assets/architecture-osquery.png
:scale: 50 %
@ -224,7 +256,7 @@ TODO
The following is a list of open items.
- [x] Test Redhat familly Operating Systems
- [x] missing mariadb cluster (should all work needs additional vars)
- [ ] use haproxy instead of the kolide fleet server ip
- [x] use haproxy instead of the kolide fleet server ip
- [ ] add/update tags
- [ ] convert to roles
- [ ] add testing
- [x] convert to roles
- [x] add testing


@ -14,7 +14,7 @@
# limitations under the License.
- name: Get osquery facts
hosts: "{{ kolide_fleet_host | default(groups['kolide-fleet_all'][0]) }}"
hosts: kolide-fleet_all[0]
become: true
vars_files:
- vars/variables.yml
@ -37,6 +37,21 @@
- src: "{{ kolide_fleet_ssl_key }}"
dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
- name: Retrieve Enrollment Token
command: /usr/local/bin/fleetctl get enroll-secret
changed_when: false
register: _enrollment_token
- name: Set kolide fleet enrollment token fact
set_fact:
kolide_fleet_enroll_secret: "{{ _enrollment_token.stdout }}"
- name: Write enroll secret
copy:
dest: "/tmp/{{ osquery_enroll_secret_file | basename }}"
content: "{{ kolide_fleet_enroll_secret }}"
mode: "0640"
- name: Install osquery
hosts: "hosts:all_containers"
@ -66,23 +81,8 @@
src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
- dest: "{{ kolide_fleet_ssl_key }}"
src: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
- name: retrieve Enrollment Token
command: /usr/local/bin/fleetctl get enroll-secret
changed_when: false
register: _enrollment_token
delegate_to: "{{ groups['kolide-fleet_all'][0] }}"
run_once: true
- name: Set kolide fleet enrollment token fact
set_fact:
kolide_fleet_enroll_secret: "{{ _enrollment_token.stdout }}"
- name: write enroll secret
copy:
dest: "{{ osquery_enroll_secret_file }}"
content: "{{ kolide_fleet_enroll_secret }}"
mode: "0640"
- dest: "{{ osquery_enroll_secret_file }}"
src: "/tmp/{{ osquery_enroll_secret_file | basename }}"
post_tasks:
- name: Cleanup certifactes
@ -93,6 +93,7 @@
with_items:
- "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
- "/tmp/{{ kolide_fleet_ssl_key | basename }}"
- "/tmp/{{ osquery_enroll_secret_file | basename }}"
roles:
- role: "osquery"
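Review bot: The new "Retrieve Enrollment Token", "Set kolide fleet enrollment token fact" and "Write enroll secret" tasks handle the fleet enroll secret without `no_log: true`, so the registered stdout, the fact and the `content:` of the copy are all printed in verbose output and written to `ANSIBLE_LOG_PATH`; the test playbook in this commit runs with `-vv` and a log path set, so the secret will be in the test logs. Add `no_log: true` to each of those three tasks. The secret is also staged at a predictable path under `/tmp` with mode 0640 and only removed in `post_tasks`, which do not run when a task in the play fails, so a failed run leaves it behind; a `block`/`always` around the cleanup, or carrying the value as a fact rather than a file, avoids that. The copy loop in the "Install osquery" play that the new `osquery_enroll_secret_file` entry joins starts before the hunk, so the mode applied to that file on the targets is not visible here.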


@ -1,35 +0,0 @@
---
################################## ALL HOSTS ##################################
all:
hosts:
# Local host
localhost:
ansible_connection: local
################################## REQUIRED ###################################
logging01:
ansible_host: 172.16.27.100
ansible_user: root
vars: {}
################################### GROUPS ####################################
# The hosts group is used to target physical host machines. Enter all physical
# host machines here.
hosts:
hosts:
logging01: {}
# This is the location where fleet(s) will live
kolide-fleet_all:
children:
kolide_hosts:
hosts:
logging01: {}
mariadb_all:
children:
kolide-fleet_all: {}


@ -0,0 +1 @@
tests/inventory/test-metal-inventory.yml


@ -13,22 +13,15 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: check to see if we have alredy registered fleetctl admin
stat:
path: ~/.fleet/config
register: fleet_config_set
- name: set fleetctl default context
command: /usr/local/bin/fleetctl config set --address https://localhost:{{ kolide_fleet_port }} --tls-skip-verify
changed_when: false
when:
- fleet_config_set.stat.exists == false
- name: register admin account
command: /usr/local/bin/fleetctl setup --email {{ kolide_fleet_admin_email }} --password {{ kolide_fleet_admin_password }}
changed_when: false
failed_when: false
register: fleet_register_admin
ignore_errors: true # ignore errors as we might have already set this it will be caought later
- name: login admin account
command: /usr/local/bin/fleetctl login --email {{ kolide_fleet_admin_email }} --password {{ kolide_fleet_admin_password }}
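Review bot: `fleetctl setup` and `fleetctl login` pass `{{ kolide_fleet_admin_password }}` as a command-line argument, and neither task has `no_log: true`, so the admin password is written to Ansible's task output and log file and is visible to any local user via `ps` while fleetctl runs. Add `no_log: true` to both tasks, and if fleetctl can take the password from the environment or stdin, prefer that over an argument. If, as the hunk's line counts suggest, the `stat` guard and `fleetctl config set` tasks shown here are the removed side, `fleetctl setup` now runs unconditionally and relies on `failed_when: false` to paper over the already-initialised case, which also hides a genuine setup failure; checking its output for the "already set up" condition would be safer. The login task continues past the end of the hunk.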


@ -12,16 +12,17 @@ osquery_template: 'osquery.conf.j2'
osquery_upload_packs:
- osquery-snapshots-pack
- osquery-monitoring2-pack
osquery_packs:
- "osquery-monitoring"
- "incident-response"
- "it-compliance"
# - "osx-attacks"
- "ossec-rootkit"
- "vuln-management"
- "hardware-monitoring"
- "osquery-snapshots-pack"
- osquery-monitoring2-pack
- "osquery-monitoring2-pack"
osquery_config_plugin: 'filesystem'
osquery_logger_plugin: 'filesystem'
#osquery_logger_plugin: 'syslog'


@ -8,6 +8,3 @@
- name: restart rsyslog
service: name=rsyslog state=restarted
- name: reload osqueryd apparmor profile
shell: cat /etc/apparmor.d/usr.bin.osqueryd | sudo apparmor_parser -r


@ -12,6 +12,3 @@
dest: "/etc/yum.repos.d/{{ _osquery_repository | basename }}"
mode: '0644'
backup: yes
- include: selinux.yml
when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker"))


@ -31,6 +31,3 @@
state: present
tags:
- osquery
- include: apparmor.yml
when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker"))
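Review bot: Dropping `- include: apparmor.yml` here (and `- include: selinux.yml` in the RedHat task file in the same commit) removes the only mandatory-access-control confinement this role applied to osqueryd, which runs as root, and neither the commit message nor the README TODO list records that osqueryd now runs unconfined. If the profiles were removed because they misbehave under the new nspawn-based test path, the removed `ansible_virtualization_type` guard already skips them for lxc and docker and could be extended to cover that case instead of deleting the profiles outright. Otherwise a one-line note in the README's TODO list, such as `- [ ] restore AppArmor/SELinux confinement for osqueryd`, would at least make the regression visible. The enclosing task list starts before the hunk.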


@ -1,27 +0,0 @@
---
# https://help.ubuntu.com/lts/serverguide/apparmor.html.en
- name: Ensure apparmor packages are present
package:
name: "{{ item }}"
state: present
with_items:
- apparmor
- apparmor-utils
- apparmor-profiles
- name: Ensure apparmor profile is set
template:
src: apparmor-usr.bin.osqueryd.j2
dest: /etc/apparmor.d/usr.bin.osqueryd
mode: '0600'
owner: root
backup: yes
notify:
- reload osqueryd apparmor profile
- name: Apply apparmor profile for osquery
command: aa-complain /usr/bin/osqueryd
failed_when: false
# Refine policy with `aa-logprof -f /var/log/syslog`


@ -118,6 +118,3 @@
- include: syslog-target.yml
when: osquery_syslog_target != ''
- include: selinux-end.yml
when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker")) and ansible_os_family == "RedHat"


@ -1,10 +0,0 @@
---
- name: RedHat | Ensure selinux context is correctly set
command: "/sbin/restorecon -F -R -v {{ item }}"
with_items:
- /usr/bin/osqueryd
- /usr/lib/systemd/system/osqueryd.service
- /var/log/osquery
- /etc/osquery
- /usr/share/osquery/packs


@ -1,44 +0,0 @@
---
- name: Ensure selinux package are present
package:
name: "{{ item }}"
state: present
with_items:
- selinux-policy
- selinux-policy-devel
- setools-console
- libselinux-python
- policycoreutils-python
- name: Ensure osquery directory exists
file:
dest: /etc/osquery
state: directory
mode: '0755'
- name: Ensure osquery selinux policy is set
template:
src: "{{ item }}.j2"
dest: "/etc/osquery/{{ item }}"
mode: '0600'
owner: root
with_items:
- osquery.fc
- osquery.sh
- osquery.te
register: te
# FIXME!
- name: Generate osquery policy file
command: sh -x ./osquery.sh
args:
chdir: /etc/osquery
when: te is changed
ignore_errors: true
# `sepolicy generate -n osquery --init /usr/bin/osqueryd` = OK/base
# Refine policy with `audit2allow -i /var/log/audit/audit.log -M osquery`
# `semodule -i osquery.pp`
# FIXME! 'Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/osquery/cil:2'
# `/usr/libexec/selinux/hll/pp osquery.pp`


@ -1,61 +0,0 @@
#!/bin/sh -e
DIRNAME=`dirname $0`
cd $DIRNAME
USAGE="$0 [ --update ]"
if [ `id -u` != 0 ]; then
echo 'You must be root to run this script'
exit 1
fi
if [ $# -eq 1 ]; then
if [ "$1" = "--update" ] ; then
time=`ls -l --time-style="+%x %X" osquery.te | awk '{ printf "%s %s", $6, $7 }'`
rules=`ausearch --start $time -m avc --raw -se osquery`
if [ x"$rules" != "x" ] ; then
echo "Found avc's to update policy with"
echo -e "$rules" | audit2allow -R
echo "Do you want these changes added to policy [y/n]?"
read ANS
if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
echo "Updating policy"
echo -e "$rules" | audit2allow -R >> osquery.te
# Fall though and rebuild policy
else
exit 0
fi
else
echo "No new avcs found"
exit 0
fi
else
echo -e $USAGE
exit 1
fi
elif [ $# -ge 2 ] ; then
echo -e $USAGE
exit 1
fi
echo "Building and Loading Policy"
set -x
make -f /usr/share/selinux/devel/Makefile osquery.pp || exit
/usr/sbin/semodule -i osquery.pp
# Generate a man page off the installed module
sepolicy manpage -p . -d osquery_t
# Fixing the file context on /usr/bin/osqueryd
/sbin/restorecon -F -R -v /usr/bin/osqueryd
# Fixing the file context on /usr/lib/systemd/system/osqueryd.service
/sbin/restorecon -F -R -v /usr/lib/systemd/system/osqueryd.service
# Fixing the file context on /var/log/osquery
/sbin/restorecon -F -R -v /var/log/osquery
/sbin/restorecon -F -R -v /etc/osquery
/sbin/restorecon -F -R -v /usr/share/osquery/packs
# Generate a rpm package for the newly generated policy
pwd=$(pwd)
#rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba osquery_selinux.spec


@ -1,674 +0,0 @@
module osquery 1.0;
require {
type osquery_t;
type osquery_conf_t;
type osquery_unit_file_t;
type insmod_exec_t;
type home_root_t;
type gssd_exec_t;
type udev_exec_t;
type sound_device_t;
type setsebool_exec_t;
type proc_t;
type unconfined_service_t;
type netutils_exec_t;
type load_policy_exec_t;
type memory_device_t;
type tmp_t;
type gpg_exec_t;
type autofs_device_t;
type systemd_hwdb_exec_t;
type tcpd_exec_t;
type gssproxy_exec_t;
type showmount_exec_t;
type rsync_exec_t;
type crond_unit_file_t;
type udev_rules_t;
type systemd_logind_t;
type setfiles_exec_t;
type sshd_keygen_exec_t;
type chronyd_exec_t;
type xserver_etc_t;
type crond_t;
type tun_tap_device_t;
type default_context_t;
type anacron_exec_t;
type virt_qemu_ga_exec_t;
type auditd_t;
type syslogd_t;
type NetworkManager_t;
type sysctl_t;
type pppd_etc_t;
type consolehelper_exec_t;
type userhelper_conf_t;
type systemd_systemctl_exec_t;
type postfix_pickup_exec_t;
type syslog_conf_t;
type systemd_unit_file_t;
type tuned_exec_t;
type plymouthd_exec_t;
type vlock_exec_t;
type systemd_passwd_agent_exec_t;
type pinentry_exec_t;
type passwd_exec_t;
type dmidecode_exec_t;
type systemd_notify_exec_t;
type hwclock_exec_t;
type firewalld_etc_rw_t;
type crack_exec_t;
type postfix_qmgr_t;
type sulogin_exec_t;
type netcontrol_device_t;
type rpcd_unit_file_t;
type auditd_exec_t;
type crontab_exec_t;
type crash_device_t;
type exports_t;
type event_device_t;
type cgroup_t;
type loadkeys_exec_t;
type postfix_qmgr_exec_t;
type pam_timestamp_exec_t;
type random_device_t;
type initrc_exec_t;
type hugetlbfs_t;
type lvm_unit_file_t;
type dmesg_exec_t;
type proc_mdstat_t;
type mouse_device_t;
type nfsd_exec_t;
type slapd_cert_t;
type login_exec_t;
type usbmon_device_t;
type ldconfig_exec_t;
type initctl_t;
type debuginfo_exec_t;
type postfix_pickup_t;
type updpwd_exec_t;
type oddjob_mkhomedir_exec_t;
type irqbalance_exec_t;
type proc_kmsg_t;
type gssproxy_t;
type postfix_etc_t;
type init_exec_t;
type postfix_spool_t;
type var_run_t;
type mtrr_device_t;
type hypervvssd_exec_t;
type hostname_exec_t;
type system_cron_spool_t;
type sshd_key_t;
type proc_kcore_t;
type dbusd_exec_t;
type plymouth_exec_t;
type tuned_rw_etc_t;
type pppd_exec_t;
type pam_console_exec_t;
type adjtime_t;
type chronyc_exec_t;
type auditd_unit_file_t;
type fuse_device_t;
type userhelper_exec_t;
type tuned_etc_t;
type systemd_logind_exec_t;
type var_log_t;
type init_t;
type pppd_initrc_exec_t;
type fs_t;
type systemd_tmpfiles_exec_t;
type user_home_dir_t;
type lvm_etc_t;
type chronyd_t;
type dbusd_etc_t;
type etc_aliases_t;
type auditctl_exec_t;
type usernetctl_exec_t;
type clock_device_t;
type traceroute_exec_t;
type sshd_t;
type mdadm_exec_t;
type initrc_var_run_t;
type mount_exec_t;
type scsi_generic_device_t;
type vhost_device_t;
type uhid_device_t;
type ifconfig_exec_t;
type device_t;
type namespace_init_exec_t;
type lvm_exec_t;
type checkpolicy_exec_t;
type rpm_script_tmp_t;
type user_tmp_t;
type unlabeled_t;
type sshd_unit_file_t;
type policykit_exec_t;
type modules_conf_t;
type chfn_exec_t;
type dhcp_etc_t;
type logrotate_exec_t;
type getty_unit_file_t;
type selinux_config_t;
type ppp_device_t;
type ssh_keygen_exec_t;
type cupsd_rw_etc_t;
type authconfig_exec_t;
type ssh_exec_t;
type rpcbind_t;
type audisp_exec_t;
type chronyd_keys_t;
type dri_device_t;
type rpm_exec_t;
type getty_t;
type virt_qemu_ga_unconfined_exec_t;
type NetworkManager_exec_t;
type user_fonts_t;
type rpc_pipefs_t;
type ping_exec_t;
type gpg_agent_exec_t;
type su_exec_t;
type firewalld_exec_t;
type getty_exec_t;
type quota_exec_t;
type devpts_t;
type nvram_device_t;
type cpu_device_t;
type rpcbind_exec_t;
type NetworkManager_etc_rw_t;
type unconfined_t;
type NetworkManager_initrc_exec_t;
type sshd_exec_t;
type udev_t;
type rpcd_exec_t;
type fixed_disk_device_t;
type selinux_login_config_t;
type sysctl_irq_t;
type ptmx_t;
type ssh_agent_exec_t;
type NetworkManager_unit_file_t;
type binfmt_misc_fs_t;
type semanage_store_t;
type framebuf_device_t;
type udev_var_run_t;
type rdisc_exec_t;
type NetworkManager_etc_t;
type rsync_etc_t;
type postfix_postdrop_exec_t;
type tuned_t;
type wtmp_t;
type dhcpc_exec_t;
type useradd_exec_t;
type dhcpc_t;
type sudo_exec_t;
type vfio_device_t;
type thumb_exec_t;
type crond_exec_t;
type bootloader_etc_t;
type sysfs_t;
type postfix_postqueue_exec_t;
type postfix_map_exec_t;
type admin_passwd_exec_t;
type apm_bios_t;
type policykit_t;
type iptables_exec_t;
type semanage_exec_t;
type journalctl_exec_t;
type lvm_control_t;
type lvm_t;
type screen_exec_t;
type auditd_etc_t;
type xserver_misc_device_t;
type fsadm_exec_t;
type bootloader_exec_t;
type system_cronjob_t;
type syslogd_exec_t;
type system_dbusd_t;
type lvm_lock_t;
type user_cron_spool_t;
type kmsg_device_t;
type mysqld_etc_t;
type pppd_etc_rw_t;
type configfs_t;
type proc_net_t;
type postfix_master_exec_t;
type shadow_t;
type sendmail_exec_t;
type loop_control_device_t;
type kernel_t;
type var_t;
type pstore_t;
type chkpwd_exec_t;
type groupadd_exec_t;
type debugfs_t;
type hypervkvp_exec_t;
type postfix_master_t;
type sysctl_fs_t;
type blkmapd_exec_t;
type nfsd_unit_file_t;
type ssh_home_t;
type systemd_hwdb_etc_t;
type mandb_exec_t;
type tmpfs_t;
type lvm_metadata_t;
type policykit_auth_exec_t;
type chronyd_unit_file_t;
type print_spool_t;
type rpcbind_var_lib_t;
class fifo_file getattr;
class process setsched;
class unix_stream_socket connectto;
class netlink_kobject_uevent_socket { bind create getattr setopt };
class chr_file { getattr ioctl open read write };
class capability { dac_override sys_rawio sys_ptrace };
class file { append create getattr lock open read relabelto rename setattr unlink write };
class filesystem getattr;
class sock_file { create getattr unlink write };
class lnk_file { create getattr read unlink };
class blk_file { getattr ioctl open read };
class dir { add_name getattr open read remove_name search setattr write };
}
#============= osquery_t ==============
allow osquery_t NetworkManager_etc_rw_t:dir { getattr open read };
allow osquery_t NetworkManager_etc_rw_t:file getattr;
allow osquery_t NetworkManager_etc_t:dir { getattr open read };
allow osquery_t NetworkManager_exec_t:file getattr;
allow osquery_t NetworkManager_initrc_exec_t:dir { getattr open read };
allow osquery_t NetworkManager_initrc_exec_t:file getattr;
allow osquery_t NetworkManager_t:dir { getattr open read search };
allow osquery_t NetworkManager_t:file { getattr open read };
allow osquery_t NetworkManager_t:lnk_file { getattr read };
allow osquery_t NetworkManager_unit_file_t:file getattr;
allow osquery_t adjtime_t:file getattr;
allow osquery_t admin_passwd_exec_t:file getattr;
allow osquery_t anacron_exec_t:file getattr;
allow osquery_t apm_bios_t:chr_file getattr;
allow osquery_t audisp_exec_t:file getattr;
allow osquery_t auditctl_exec_t:file getattr;
allow osquery_t auditd_etc_t:dir { getattr open read };
allow osquery_t auditd_etc_t:file getattr;
allow osquery_t auditd_exec_t:file getattr;
allow osquery_t auditd_t:dir { getattr open read search };
allow osquery_t auditd_t:file { getattr open read };
allow osquery_t auditd_t:lnk_file { getattr read };
allow osquery_t auditd_unit_file_t:file getattr;
allow osquery_t authconfig_exec_t:file getattr;
allow osquery_t autofs_device_t:chr_file getattr;
allow osquery_t binfmt_misc_fs_t:filesystem getattr;
allow osquery_t blkmapd_exec_t:file getattr;
allow osquery_t bootloader_etc_t:file getattr;
allow osquery_t bootloader_exec_t:file getattr;
allow osquery_t cgroup_t:filesystem getattr;
allow osquery_t checkpolicy_exec_t:file getattr;
allow osquery_t chfn_exec_t:file getattr;
allow osquery_t chkpwd_exec_t:file getattr;
allow osquery_t chronyc_exec_t:file getattr;
allow osquery_t chronyd_exec_t:file getattr;
allow osquery_t chronyd_keys_t:file getattr;
allow osquery_t chronyd_t:dir { getattr open read search };
allow osquery_t chronyd_t:file { getattr open read };
allow osquery_t chronyd_t:lnk_file { getattr read };
allow osquery_t chronyd_unit_file_t:file getattr;
allow osquery_t clock_device_t:chr_file getattr;
allow osquery_t configfs_t:filesystem getattr;
allow osquery_t consolehelper_exec_t:file getattr;
allow osquery_t cpu_device_t:chr_file getattr;
allow osquery_t crack_exec_t:file getattr;
allow osquery_t crash_device_t:chr_file getattr;
allow osquery_t crond_exec_t:file getattr;
allow osquery_t crond_t:dir { getattr open read search };
allow osquery_t crond_t:file { getattr open read };
allow osquery_t crond_t:lnk_file { getattr read };
allow osquery_t crond_unit_file_t:file getattr;
allow osquery_t crontab_exec_t:file getattr;
allow osquery_t cupsd_rw_etc_t:file getattr;
allow osquery_t dbusd_etc_t:dir { getattr open read };
allow osquery_t dbusd_etc_t:file getattr;
allow osquery_t dbusd_exec_t:file getattr;
allow osquery_t debugfs_t:filesystem getattr;
allow osquery_t debuginfo_exec_t:file getattr;
allow osquery_t default_context_t:dir read;
allow osquery_t default_context_t:file getattr;
#!!!! WARNING: 'device_t' is a base type.
allow osquery_t device_t:filesystem getattr;
allow osquery_t devpts_t:filesystem getattr;
allow osquery_t dhcp_etc_t:dir { getattr open read };
allow osquery_t dhcp_etc_t:file getattr;
allow osquery_t dhcpc_exec_t:file getattr;
allow osquery_t dhcpc_t:dir { getattr open read search };
allow osquery_t dhcpc_t:file { getattr open read };
allow osquery_t dhcpc_t:lnk_file { getattr read };
allow osquery_t dmesg_exec_t:file getattr;
allow osquery_t dmidecode_exec_t:file getattr;
allow osquery_t dri_device_t:chr_file getattr;
allow osquery_t etc_aliases_t:file getattr;
allow osquery_t event_device_t:chr_file getattr;
allow osquery_t exports_t:file getattr;
allow osquery_t firewalld_etc_rw_t:dir { getattr open read };
allow osquery_t firewalld_etc_rw_t:file getattr;
allow osquery_t firewalld_exec_t:file getattr;
allow osquery_t fixed_disk_device_t:blk_file { getattr ioctl open read };
allow osquery_t fixed_disk_device_t:chr_file getattr;
allow osquery_t framebuf_device_t:chr_file getattr;
allow osquery_t fs_t:filesystem getattr;
allow osquery_t fsadm_exec_t:file getattr;
allow osquery_t fuse_device_t:chr_file getattr;
allow osquery_t getty_exec_t:file getattr;
allow osquery_t getty_t:dir { getattr open read search };
allow osquery_t getty_t:file { getattr open read };
allow osquery_t getty_t:lnk_file { getattr read };
allow osquery_t getty_unit_file_t:file getattr;
allow osquery_t gpg_agent_exec_t:file getattr;
allow osquery_t gpg_exec_t:file getattr;
allow osquery_t groupadd_exec_t:file getattr;
allow osquery_t gssd_exec_t:file getattr;
allow osquery_t gssproxy_exec_t:file getattr;
allow osquery_t gssproxy_t:dir { getattr open read search };
allow osquery_t gssproxy_t:file { getattr open read };
allow osquery_t gssproxy_t:lnk_file { getattr read };
#!!!! WARNING: 'home_root_t' is a base type.
allow osquery_t home_root_t:dir read;
allow osquery_t hostname_exec_t:file getattr;
allow osquery_t hugetlbfs_t:dir { getattr open read };
allow osquery_t hugetlbfs_t:filesystem getattr;
allow osquery_t hwclock_exec_t:file getattr;
allow osquery_t hypervkvp_exec_t:file getattr;
allow osquery_t hypervvssd_exec_t:file getattr;
allow osquery_t ifconfig_exec_t:file getattr;
allow osquery_t init_exec_t:file getattr;
allow osquery_t init_t:dir read;
allow osquery_t init_t:file { getattr open read };
allow osquery_t init_t:lnk_file { getattr read };
allow osquery_t initctl_t:fifo_file getattr;
allow osquery_t initrc_exec_t:file getattr;
allow osquery_t initrc_var_run_t:file { lock open read };
allow osquery_t insmod_exec_t:file getattr;
allow osquery_t iptables_exec_t:file getattr;
allow osquery_t irqbalance_exec_t:file getattr;
allow osquery_t journalctl_exec_t:file getattr;
allow osquery_t kernel_t:dir { getattr open read search };
allow osquery_t kernel_t:file { getattr open read };
allow osquery_t kernel_t:lnk_file { getattr read };
#!!!! This avc can be allowed using the boolean 'domain_can_write_kmsg'
allow osquery_t kmsg_device_t:chr_file getattr;
allow osquery_t ldconfig_exec_t:file getattr;
allow osquery_t load_policy_exec_t:file getattr;
allow osquery_t loadkeys_exec_t:file getattr;
allow osquery_t login_exec_t:file getattr;
allow osquery_t logrotate_exec_t:file getattr;
allow osquery_t loop_control_device_t:chr_file getattr;
allow osquery_t lvm_control_t:chr_file { getattr ioctl open read write };
allow osquery_t lvm_etc_t:dir { getattr open read };
allow osquery_t lvm_etc_t:file { getattr open read };
allow osquery_t lvm_exec_t:file getattr;
allow osquery_t lvm_lock_t:dir { add_name getattr read remove_name search write };
allow osquery_t lvm_lock_t:file { append create getattr lock open read unlink };
allow osquery_t lvm_metadata_t:dir { add_name getattr open read remove_name write };
allow osquery_t lvm_metadata_t:file { create getattr lock open read rename unlink write };
allow osquery_t lvm_t:dir { getattr open read search };
allow osquery_t lvm_t:file { getattr open read };
allow osquery_t lvm_t:lnk_file { getattr read };
allow osquery_t lvm_unit_file_t:file getattr;
allow osquery_t mandb_exec_t:file getattr;
allow osquery_t mdadm_exec_t:file getattr;
allow osquery_t memory_device_t:chr_file getattr;
allow osquery_t modules_conf_t:dir { getattr open read };
allow osquery_t modules_conf_t:file getattr;
allow osquery_t mount_exec_t:file getattr;
allow osquery_t mouse_device_t:chr_file getattr;
allow osquery_t mtrr_device_t:file getattr;
allow osquery_t mysqld_etc_t:dir { getattr open read };
allow osquery_t mysqld_etc_t:file getattr;
allow osquery_t namespace_init_exec_t:file getattr;
allow osquery_t netcontrol_device_t:chr_file getattr;
allow osquery_t netutils_exec_t:file getattr;
allow osquery_t nfsd_exec_t:file getattr;
allow osquery_t nfsd_unit_file_t:file getattr;
allow osquery_t nvram_device_t:chr_file getattr;
allow osquery_t oddjob_mkhomedir_exec_t:file getattr;
allow osquery_t osquery_conf_t:file getattr;
allow osquery_t osquery_unit_file_t:file getattr;
allow osquery_t pam_console_exec_t:file getattr;
allow osquery_t pam_timestamp_exec_t:file getattr;
allow osquery_t passwd_exec_t:file getattr;
allow osquery_t pinentry_exec_t:file getattr;
allow osquery_t ping_exec_t:file getattr;
allow osquery_t plymouth_exec_t:file getattr;
allow osquery_t plymouthd_exec_t:file getattr;
allow osquery_t policykit_auth_exec_t:file getattr;
allow osquery_t policykit_exec_t:file getattr;
allow osquery_t policykit_t:dir { getattr open read search };
allow osquery_t policykit_t:file { getattr open read };
allow osquery_t policykit_t:lnk_file { getattr read };
allow osquery_t postfix_etc_t:dir { getattr open read };
allow osquery_t postfix_etc_t:file getattr;
allow osquery_t postfix_map_exec_t:file getattr;
allow osquery_t postfix_master_exec_t:file getattr;
allow osquery_t postfix_master_t:dir { getattr open read search };
allow osquery_t postfix_master_t:file { getattr open read };
allow osquery_t postfix_master_t:lnk_file { getattr read };
allow osquery_t postfix_pickup_exec_t:file getattr;
allow osquery_t postfix_pickup_t:dir { getattr open read search };
allow osquery_t postfix_pickup_t:file { getattr open read };
allow osquery_t postfix_pickup_t:lnk_file { getattr read };
allow osquery_t postfix_postdrop_exec_t:file getattr;
allow osquery_t postfix_postqueue_exec_t:file getattr;
allow osquery_t postfix_qmgr_exec_t:file getattr;
allow osquery_t postfix_qmgr_t:dir { getattr open read search };
allow osquery_t postfix_qmgr_t:file { getattr open read };
allow osquery_t postfix_qmgr_t:lnk_file { getattr read };
allow osquery_t postfix_spool_t:dir getattr;
allow osquery_t ppp_device_t:chr_file getattr;
allow osquery_t pppd_etc_rw_t:dir { getattr open read };
allow osquery_t pppd_etc_t:dir { getattr open read };
allow osquery_t pppd_exec_t:file getattr;
allow osquery_t pppd_initrc_exec_t:file getattr;
allow osquery_t proc_kcore_t:file getattr;
allow osquery_t proc_kmsg_t:file getattr;
allow osquery_t proc_mdstat_t:file getattr;
allow osquery_t proc_net_t:file { getattr open read };
allow osquery_t proc_t:dir read;
allow osquery_t proc_t:file { getattr open read };
allow osquery_t proc_t:filesystem getattr;
allow osquery_t pstore_t:filesystem getattr;
allow osquery_t ptmx_t:chr_file getattr;
allow osquery_t quota_exec_t:file getattr;
#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
allow osquery_t random_device_t:chr_file getattr;
allow osquery_t rdisc_exec_t:file getattr;
allow osquery_t rpc_pipefs_t:filesystem getattr;
allow osquery_t rpcbind_exec_t:file getattr;
allow osquery_t rpcbind_t:dir { getattr open read search };
allow osquery_t rpcbind_t:file { getattr open read };
allow osquery_t rpcbind_t:lnk_file { getattr read };
allow osquery_t rpcd_exec_t:file getattr;
allow osquery_t rpcd_unit_file_t:file getattr;
allow osquery_t rpm_exec_t:file getattr;
allow osquery_t rpm_script_tmp_t:dir read;
allow osquery_t rsync_etc_t:file getattr;
allow osquery_t rsync_exec_t:file getattr;
allow osquery_t screen_exec_t:file getattr;
allow osquery_t scsi_generic_device_t:chr_file getattr;
allow osquery_t self:capability { dac_override sys_rawio };
allow osquery_t self:netlink_kobject_uevent_socket { bind create getattr setopt };
allow osquery_t self:process setsched;
#!!!! The file '/var/osquery/osquery.em' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /var/osquery/osquery.em
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
allow osquery_t self:unix_stream_socket connectto;
allow osquery_t selinux_config_t:dir read;
allow osquery_t selinux_login_config_t:dir { getattr open read };
allow osquery_t semanage_exec_t:file getattr;
allow osquery_t semanage_store_t:dir { getattr open read };
allow osquery_t semanage_store_t:file { getattr open read };
allow osquery_t sendmail_exec_t:file getattr;
allow osquery_t setfiles_exec_t:file getattr;
allow osquery_t setsebool_exec_t:file getattr;
allow osquery_t shadow_t:file getattr;
allow osquery_t showmount_exec_t:file getattr;
#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
allow osquery_t slapd_cert_t:dir { getattr open read };
#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
allow osquery_t slapd_cert_t:file getattr;
allow osquery_t sound_device_t:chr_file getattr;
allow osquery_t ssh_agent_exec_t:file getattr;
allow osquery_t ssh_exec_t:file getattr;
allow osquery_t ssh_home_t:dir { getattr open read };
allow osquery_t ssh_home_t:file getattr;
allow osquery_t ssh_keygen_exec_t:file getattr;
allow osquery_t sshd_exec_t:file getattr;
allow osquery_t sshd_key_t:file getattr;
allow osquery_t sshd_keygen_exec_t:file getattr;
allow osquery_t sshd_t:dir { getattr open read search };
allow osquery_t sshd_t:file { getattr open read };
allow osquery_t sshd_t:lnk_file { getattr read };
allow osquery_t sshd_unit_file_t:file getattr;
allow osquery_t su_exec_t:file getattr;
allow osquery_t sudo_exec_t:file getattr;
allow osquery_t sulogin_exec_t:file getattr;
allow osquery_t sysctl_fs_t:dir search;
allow osquery_t sysctl_irq_t:dir getattr;
allow osquery_t sysctl_t:file getattr;
allow osquery_t sysfs_t:dir read;
allow osquery_t sysfs_t:file { getattr open read };
allow osquery_t sysfs_t:filesystem getattr;
allow osquery_t sysfs_t:lnk_file { getattr read };
allow osquery_t syslog_conf_t:dir { getattr open read };
allow osquery_t syslog_conf_t:file getattr;
allow osquery_t syslogd_exec_t:file getattr;
allow osquery_t syslogd_t:dir { getattr open read search };
allow osquery_t syslogd_t:file { getattr open read };
allow osquery_t syslogd_t:lnk_file { getattr read };
allow osquery_t system_cron_spool_t:dir { getattr open read };
allow osquery_t system_cron_spool_t:file { getattr open read };
allow osquery_t system_cronjob_t:dir { getattr open read search };
allow osquery_t system_cronjob_t:file { getattr open read };
allow osquery_t system_cronjob_t:lnk_file { getattr read };
allow osquery_t system_dbusd_t:dir { getattr open read search };
allow osquery_t system_dbusd_t:file { getattr open read };
allow osquery_t system_dbusd_t:lnk_file { getattr read };
allow osquery_t systemd_hwdb_etc_t:file getattr;
allow osquery_t systemd_hwdb_exec_t:file getattr;
allow osquery_t systemd_logind_exec_t:file getattr;
allow osquery_t systemd_logind_t:dir { getattr open read search };
allow osquery_t systemd_logind_t:file { getattr open read };
allow osquery_t systemd_logind_t:lnk_file { getattr read };
allow osquery_t systemd_notify_exec_t:file getattr;
allow osquery_t systemd_passwd_agent_exec_t:file getattr;
allow osquery_t systemd_systemctl_exec_t:file getattr;
allow osquery_t systemd_tmpfiles_exec_t:file getattr;
allow osquery_t systemd_unit_file_t:dir { open read };
allow osquery_t systemd_unit_file_t:file getattr;
allow osquery_t systemd_unit_file_t:lnk_file read;
allow osquery_t tcpd_exec_t:file getattr;
allow osquery_t thumb_exec_t:file getattr;
#!!!! WARNING: 'tmp_t' is a base type.
allow osquery_t tmp_t:dir { add_name read remove_name write };
allow osquery_t tmp_t:file { create unlink write };
#!!!! WARNING: 'tmp_t' is a base type.
allow osquery_t tmp_t:lnk_file { create unlink };
allow osquery_t tmpfs_t:dir read;
allow osquery_t tmpfs_t:filesystem getattr;
allow osquery_t traceroute_exec_t:file getattr;
allow osquery_t tun_tap_device_t:chr_file getattr;
allow osquery_t tuned_etc_t:dir { getattr open read };
allow osquery_t tuned_etc_t:file getattr;
allow osquery_t tuned_exec_t:file getattr;
allow osquery_t tuned_rw_etc_t:file getattr;
allow osquery_t tuned_t:dir { getattr open read search };
allow osquery_t tuned_t:file { getattr open read };
allow osquery_t tuned_t:lnk_file { getattr read };
allow osquery_t udev_exec_t:file getattr;
allow osquery_t udev_rules_t:dir { getattr open read };
allow osquery_t udev_rules_t:file getattr;
allow osquery_t udev_t:dir { getattr open read search };
allow osquery_t udev_t:file { getattr open read };
allow osquery_t udev_t:lnk_file { getattr read };
allow osquery_t udev_var_run_t:file { getattr open read };
allow osquery_t uhid_device_t:chr_file getattr;
allow osquery_t unconfined_service_t:dir { getattr open read search };
allow osquery_t unconfined_service_t:file { getattr open read };
allow osquery_t unconfined_service_t:lnk_file { getattr read };
allow osquery_t unconfined_t:dir { getattr open read search };
allow osquery_t unconfined_t:file { getattr open read };
allow osquery_t unconfined_t:lnk_file { getattr read };
#!!!! WARNING: 'unlabeled_t' is a base type.
#!!!! The file '/etc/sysconfig/cloud-info' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /etc/sysconfig/cloud-info
allow osquery_t unlabeled_t:file getattr;
allow osquery_t updpwd_exec_t:file getattr;
allow osquery_t usbmon_device_t:chr_file getattr;
allow osquery_t user_cron_spool_t:dir { getattr open read };
allow osquery_t user_fonts_t:dir { getattr open read search };
allow osquery_t user_home_dir_t:dir getattr;
allow osquery_t user_tmp_t:dir read;
allow osquery_t useradd_exec_t:file getattr;
allow osquery_t userhelper_conf_t:dir { getattr open read };
allow osquery_t userhelper_conf_t:file getattr;
allow osquery_t userhelper_exec_t:file getattr;
allow osquery_t usernetctl_exec_t:file getattr;
allow osquery_t var_log_t:lnk_file unlink;
#!!!! WARNING 'osquery_t' is not allowed to write or create to var_run_t. Change the label to osquery_var_run_t.
allow osquery_t var_run_t:dir { add_name remove_name write };
#!!!! WARNING 'osquery_t' is not allowed to write or create to var_run_t. Change the label to osquery_var_run_t.
#!!!! $ semanage fcontext -a -t osquery_var_run_t /run/osqueryd.pid
#!!!! $ restorecon -R -v /run/osqueryd.pid
#!!!! The file '/run/osqueryd.pid' is mislabeled on your system.
#!!!! Fix with $ restorecon -R -v /run/osqueryd.pid
allow osquery_t var_run_t:file { append create getattr open read setattr unlink };
#!!!! WARNING: 'var_t' is a base type.
allow osquery_t var_t:dir { add_name read remove_name setattr write };
allow osquery_t var_t:file { create getattr lock open read rename unlink write };
allow osquery_t var_t:sock_file { create getattr unlink write };
allow osquery_t vfio_device_t:chr_file getattr;
allow osquery_t vhost_device_t:chr_file getattr;
allow osquery_t virt_qemu_ga_exec_t:file getattr;
allow osquery_t virt_qemu_ga_unconfined_exec_t:dir { getattr open read };
allow osquery_t vlock_exec_t:file getattr;
allow osquery_t wtmp_t:file { open read };
allow osquery_t xserver_etc_t:dir { getattr open read };
allow osquery_t xserver_misc_device_t:chr_file getattr;
allow osquery_t print_spool_t:dir search;
allow osquery_t rpcbind_var_lib_t:dir search;
allow osquery_t self:capability sys_ptrace;
#============= unconfined_t ==============
#!!!! This avc is allowed in the current policy
allow unconfined_t osquery_conf_t:file relabelto;


@ -4,7 +4,6 @@
osquery_packages:
- osquery
- rsyslog
- libselinux-python
osquery_debug_packages:
- osquery-debuginfo


@ -4,7 +4,6 @@
osquery_packages:
- osquery
- rsyslog
- libselinux-python
osquery_debug_packages:
- osquery-debuginfo


@ -14,7 +14,7 @@
# limitations under the License.
- name: Setup osquery packs
hosts: "{{ kolide_fleet_host | default(groups['kolide-fleet_all'][0]) }}"
hosts: kolide-fleet_all[0]
become: false
vars_files:
- vars/variables.yml

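--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,73 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+- name: Setup host for nspawn
+hosts: localhost
+connection: local
+become: true
+vars:
+nspawn_networks:
+nspawn_address:
+bridge: "nspawn0"
+private_device: true
+enable_dhcp: true
+dhcp_range: 10.100.101.2,10.100.101.129
+address: 10.100.101.1
+netmask: 255.255.255.0
+macvlan_mode: bridge
+pre_tasks:
+- name: Ensure root ssh key
+user:
+name: "{{ ansible_env.USER | default('root') }}"
+generate_ssh_key: "yes"
+ssh_key_bits: 2048
+ssh_key_file: ".ssh/id_rsa"
+- name: Get root ssh key
+slurp:
+src: '~/.ssh/id_rsa.pub'
+register: _root_ssh_key
+- name: Prepare container ssh key fact
+set_fact:
+nspawn_container_ssh_key: "{{ _root_ssh_key['content'] | b64decode }}"
+- name: Ensure public ssh key is in authorized_keys
+authorized_key:
+user: "{{ ansible_env.USER | default('root') }}"
+key: "{{ nspawn_container_ssh_key }}"
+manage_dir: no
+roles:
+- role: "nspawn_hosts"
+- name: Create container(s)
+hosts: all_containers
+gather_facts: false
+become: true
+pre_tasks:
+- name: Show container facts
+debug:
+var: hostvars
+roles:
+- role: "nspawn_container_create"
+post_tasks:
+- name: Rescan quotas
+command: "btrfs quota rescan -w /var/lib/machines"
+delegate_to: "{{ physical_host }}"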
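Review bot: The `Show container facts` task prints the whole of `hostvars` for every host into the play output, and because `ANSIBLE_LOG_PATH` points into `/tmp/osquery-logs` (which post-run.yml ships to the executor log root) that dump includes the extra-vars loaded from test-vars.yml, i.e. `galera_root_password`, `kolide_fleet_db_password` and `kolide_fleet_jwt_key`. They are throwaway values in this suite, but the task should be dropped or narrowed, e.g. `var: hostvars[inventory_hostname]['container_networks']`, with `no_log: true` if a full dump is really wanted. The `pre_tasks` of `Setup host for nspawn` are a verbatim copy of the `Setup host keys` playbook added in this commit; importing that playbook instead avoids maintaining two copies. `generate_ssh_key: "yes"` is a string and `manage_dir: no` a YAML 1.1 boolean; write both as plain `true`/`false`.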

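--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,41 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+- name: Setup host keys
+hosts: physical_hosts
+connection: local
+become: true
+tasks:
+- name: Ensure root ssh key
+user:
+name: "{{ ansible_env.USER | default('root') }}"
+generate_ssh_key: "yes"
+ssh_key_bits: 2048
+ssh_key_file: ".ssh/id_rsa"
+- name: Get root ssh key
+slurp:
+src: '~/.ssh/id_rsa.pub'
+register: _root_ssh_key
+- name: Prepare container ssh key fact
+set_fact:
+nspawn_container_ssh_key: "{{ _root_ssh_key['content'] | b64decode }}"
+- name: Ensure public ssh key is in authorized_keys
+authorized_key:
+user: "{{ ansible_env.USER | default('root') }}"
+key: "{{ nspawn_container_ssh_key }}"
+manage_dir: no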
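Review bot: `hosts: physical_hosts` matches no group in either test inventory added by this commit (they define `hosts`, `all_containers`, `mariadb_all`, `fleet_all` and their children), so when functional.yml runs this playbook on the metal path Ansible reports that the host pattern matched nothing and none of the key tasks execute. The sibling nspawn setup play in this commit already uses `hosts: localhost` with `connection: local`; the same pair works here. `generate_ssh_key: "yes"` and `manage_dir: no` should be plain `true`/`false`.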

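--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,33 @@
+---
+- name: apt_package_pinning
+scm: git
+src: https://git.openstack.org/openstack/openstack-ansible-apt_package_pinning
+version: master
+- name: config_template
+scm: git
+src: https://git.openstack.org/openstack/ansible-config_template
+version: master
+- name: nspawn_container_create
+scm: git
+src: https://git.openstack.org/openstack/openstack-ansible-nspawn_container_create
+version: master
+- name: nspawn_hosts
+scm: git
+src: https://git.openstack.org/openstack/openstack-ansible-nspawn_hosts
+version: master
+- name: plugins
+scm: git
+src: https://git.openstack.org/openstack/openstack-ansible-plugins
+version: master
+- name: systemd_mount
+scm: git
+src: https://git.openstack.org/openstack/ansible-role-systemd_mount
+version: master
+- name: systemd_networkd
+scm: git
+src: https://git.openstack.org/openstack/ansible-role-systemd_networkd
+version: master
+- name: systemd_service
+scm: git
+src: https://git.openstack.org/openstack/ansible-role-systemd_service
+version: master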
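Review bot: Every role is pinned to `version: master`, so the test environment pulls whatever the eight upstream repositories contain at run time; a change (or a compromise) in any of them alters the outcome of this job without any change to this repository, and a green run cannot be reproduced later. Pin each entry to a tag or commit SHA, e.g. `version: "<tag-or-sha>"`, and bump them deliberately. `config_template` and `plugins` deserve it most, since functional.yml loads their action and connection plugins directly through `ANSIBLE_ACTION_PLUGINS`/`ANSIBLE_CONNECTION_PLUGINS`.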

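--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,158 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+- import_playbook: run-setup.yml
+- name: Basic setup
+hosts: "all"
+become: true
+environment:
+# ZUUL_PROJECT is used by tests/get-ansible-role-requirements to
+# determine when CI provided repos should be used.
+ZUUL_PROJECT: "{{ zuul.project.short_name }}"
+ANSIBLE_PACKAGE: "{{ ansible_package | default('') }}"
+ANSIBLE_HOST_KEY_CHECKING: "False"
+ANSIBLE_LOG_PATH: "/tmp/osquery-logs/ansible-osquery-test.log"
+vars:
+inventory_file: "inventory/test-{{ (contianer_inventory | bool) | ternary('container', 'metal') }}-inventory.yml"
+pre_tasks:
+- name: Create swap file
+command: "dd if=/dev/zero of=/swap.img bs=1M count=4096"
+args:
+creates: /swap.img
+register: swap_create
+- name: Format the swap file
+command: mkswap /swap.img
+when:
+- swap_create is changed
+tags:
+- swap-format
+- skip_ansible_lint
+- name: Enable swap file
+command: swapon /swap.img
+failed_when: false
+tags:
+- swap-format
+- skip_ansible_lint
+- name: Set system swappiness
+sysctl:
+name: vm.swappiness
+value: 10
+state: present
+reload: "yes"
+sysctl_file: /etc/sysctl.d/99-elasticsearch.conf
+- name: Create tmp osquery dir
+file:
+path: "/tmp/osquery-logs"
+state: directory
+- name: Flush iptables rules
+command: "{{ item }}"
+args:
+creates: "/tmp/osquery-logs/iptables.flushed"
+with_items:
+- "iptables -F"
+- "iptables -X"
+- "iptables -t nat -F"
+- "iptables -t nat -X"
+- "iptables -t mangle -F"
+- "iptables -t mangle -X"
+- "iptables -P INPUT ACCEPT"
+- "iptables -P FORWARD ACCEPT"
+- "iptables -P OUTPUT ACCEPT"
+- "touch /tmp/osquery-logs/iptables.flushed"
+- name: First ensure apt cache is always refreshed
+apt:
+update_cache: yes
+when:
+- ansible_pkg_mgr == 'apt'
+tasks:
+- name: Run embedded ansible installation
+become: yes
+become_user: root
+command: "./bootstrap-embedded-ansible.sh"
+args:
+chdir: "src/{{ current_test_repo }}/osquery"
+- name: Run ansible-galaxy (tests)
+become: yes
+become_user: root
+command: "/root/ansible25/bin/ansible-galaxy install --force --ignore-errors --roles-path=/root/ansible25/repositories/roles -r ansible-role-requirements.yml"
+args:
+chdir: "src/{{ current_test_repo }}/osquery/tests"
+- name: Run ansible-galaxy (osquery)
+become: yes
+become_user: root
+command: "/root/ansible25/bin/ansible-galaxy install --force --ignore-errors --roles-path=/root/ansible25/repositories/roles -r ansible-role-requirements.yml"
+args:
+chdir: "src/{{ current_test_repo }}/osquery"
+- name: Run environment setup
+become: yes
+become_user: root
+command: "/root/ansible25/bin/ansible-playbook -i {{ inventory_file }} -e @test-vars.yml _key-setup.yml"
+environment:
+ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
+ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
+ANSIBLE_LOG_PATH: "/tmp/osquery-logs/ansible-osquery-test-container-setup.log"
+ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
+args:
+chdir: "src/{{ current_test_repo }}/osquery/tests"
+when:
+- ansible_service_mgr != 'systemd' or
+not (contianer_inventory | bool)
+- name: Run environment setup
+become: yes
+become_user: root
+command: "/root/ansible25/bin/ansible-playbook -i {{ inventory_file }} -e @test-vars.yml _container-setup.yml"
+environment:
+ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
+ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
+ANSIBLE_LOG_PATH: "/tmp/osquery-logs/ansible-osquery-test-container-setup.log"
+ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
+args:
+chdir: "src/{{ current_test_repo }}/osquery/tests"
+when:
+- ansible_service_mgr == 'systemd'
+- contianer_inventory | bool
+- name: Wait 15 seconds
+command: "sleep 15"
+changed_when: false
+when:
+- ansible_service_mgr == 'systemd'
+- name: Run functional test
+become: yes
+become_user: root
+command: "/root/ansible25/bin/ansible-playbook -i tests/{{ inventory_file }} -e @tests/test-vars.yml site.yml"
+environment:
+ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
+ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
+ANSIBLE_LOG_PATH: "/tmp/osquery-logs/ansible-osquery-test-deployment.log"
+ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
+args:
+chdir: "src/{{ current_test_repo }}/osquery"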
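Review bot: `ANSIBLE_ACTION_PLUGINS` and `ANSIBLE_CONNECTION_PLUGINS` in the three `Run …` tasks point at `/root/ansible25/repositories/ansible-config_template/action` and `/root/ansible25/repositories/openstack-ansible-plugins/connection`, whereas manual-test.rc in the same commit uses `${HOME}/ansible25/repositories/roles/config_template/action` and `roles/plugins/connection`, which is where the `--roles-path=/root/ansible25/repositories/roles` galaxy installs above actually place those roles; unless bootstrap-embedded-ansible.sh also clones the repositories under the first layout, one of the two is wrong and the plugins will not load. The swappiness task writes to `sysctl_file: /etc/sysctl.d/99-elasticsearch.conf`, a leftover from the elk_metrics_6x tests; name it for this project, e.g. `sysctl_file: /etc/sysctl.d/99-osquery.conf`. The two `Run environment setup` tasks carry the same name, so the log cannot show which branch ran; `Run environment setup (metal)` and `Run environment setup (container)` would. `contianer_inventory` is misspelled but used under that spelling here and in run-setup.yml, so any rename must cover both files.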

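--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,52 @@
+---
+all:
+hosts:
+# Local host
+localhost:
+ansible_connection: local
+ansible_host: 127.0.0.1
+ansible_user: root
+kolide-fleet1:
+ansible_host: 172.29.236.100
+ansible_user: root
+hosts:
+vars:
+physical_host: localhost
+management_cidr: "172.29.236.0/24"
+container_networks:
+management_address:
+address: "172.29.236.1"
+netmask: "255.255.255.0"
+bridge: "{{ hostvars[physical_host]['ansible_default_ipv4']['alias'] }}"
+hosts:
+localhost: {}
+all_containers:
+vars:
+physical_host: localhost
+container_tech: nspawn
+container_networks:
+management_address:
+address: "{{ ansible_host }}"
+netmask: "255.255.255.0"
+bridge: "{{ hostvars[physical_host]['ansible_default_ipv4']['alias'] }}"
+children:
+mariadb_all:
+children:
+mariadb:
+hosts:
+kolide-fleet1: {}
+fleet_all:
+children:
+kolide-fleet_all:
+children:
+kolide-fleet:
+hosts:
+kolide-fleet1: {}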

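--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,28 @@
+---
+all:
+hosts:
+# Local host
+localhost:
+ansible_connection: local
+ansible_host: 127.0.0.1
+ansible_user: root
+hosts:
+hosts:
+localhost: {}
+mariadb_all:
+children:
+mariadb:
+hosts:
+localhost: {}
+fleet_all:
+children:
+kolide-fleet_all:
+children:
+kolide-fleet:
+hosts:
+localhost: {}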

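--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,16 @@
+export ANSIBLE_HOST_KEY_CHECKING="False"
+export ANSIBLE_ROLES_PATH="${HOME}/ansible25/repositories/roles"
+export ANSIBLE_ACTION_PLUGINS="${HOME}/ansible25/repositories/roles/config_template/action"
+export ANSIBLE_CONNECTION_PLUGINS="${HOME}/ansible25/repositories/roles/plugins/connection"
+export ANSIBLE_LOG_PATH="/tmp/osquery-logs/ansible-elk-test.log"
+if [[ ! -d "/tmp/osquery-logs" ]]; then
+mkdir -pv "/tmp/osquery-logs"
+chmod 0777 "/tmp/osquery-logs"
+fi
+echo "To build a test environment run the following:"
+echo -e "# /root/ansible25/bin/ansible-playbook -i tests/inventory/test-container-inventory.yml tests/test.yml --limit localhost\n"
+echo "Run manual functional tests by executing the following:"
+echo -e "# /root/ansible25/bin/ansible-playbook -i tests/inventory/test-container-inventory.yml site.yml\n"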
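Review bot: `chmod 0777 "/tmp/osquery-logs"` makes the directory that receives the Ansible log (and that post-run.yml later ships to the executor log root) writable by every local account, so any process on the test node can truncate or rewrite the test evidence; `mkdir -pv` also succeeds silently on a pre-existing directory of any ownership. Nothing here needs world write, so `chmod 0755 "/tmp/osquery-logs"` (or `install -d -m 0755 "/tmp/osquery-logs"` in place of the mkdir/chmod pair) is enough. `ANSIBLE_LOG_PATH` still names the file `ansible-elk-test.log`, a leftover from the elk_metrics_6x copy; `ansible-osquery-test.log` matches the log names functional.yml uses.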

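--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,27 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+- import_playbook: run-setup.yml
+- name: Run post tasks
+hosts: "all"
+tasks:
+- name: Copy logs back to the executor
+synchronize:
+src: "/tmp/osquery-logs"
+dest: "{{ zuul.executor.log_root }}/"
+mode: pull
+rsync_opts:
+- "--quiet"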

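--- /dev/null
+++ b/osquery/tests/run-cleanup.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+set -e
+export TEST_DIR="$(readlink -f $(dirname ${0})/../../)"
+# Stop beat processes
+(systemctl stop osqueryd.service || true) &
+# Stop and remove containers
+for i in {1..3}; do
+if machinectl list-images | grep -v ubuntu | awk '/sub/ {print $1}' | xargs -n 1 machinectl kill; then
+sleep 1
+fi
+done
+for i in {1..3}; do
+if machinectl list-images | grep -v ubuntu | awk '/sub/ {print $1}' | xargs -n 1 machinectl remove; then
+sleep 1
+fi
+done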
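Review bot: `(systemctl stop osqueryd.service || true) &` is backgrounded and the script never calls `wait`, so it can return (and a following run can start) before the service is actually down; drop the `&`, or add `wait` as the last line of the script. The comment above it, `# Stop beat processes`, is carried over from the elk_metrics_6x cleanup script and should read `# Stop the osqueryd service`. `TEST_DIR` is exported but not used anywhere in this script.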

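--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,53 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+- name: Zuul facts
+hosts: "all"
+tasks:
+- name: Set zuul fact
+set_fact:
+zuul:
+project:
+canonical_name: "openstack-ansible-ops"
+short_name: "ops"
+executor:
+log_root: "{{ ansible_env.HOME }}/elk-test-logs"
+when:
+- zuul is not defined
+- name: Print zuul fact
+debug: var=zuul
+- name: Set current test repo (cross-repo)
+set_fact:
+current_test_repo: "git.openstack.org/{{ osa_test_repo }}"
+when:
+- osa_test_repo is defined
+- name: Set current test repo (non-cross-repo)
+set_fact:
+current_test_repo: "{{ zuul.project.canonical_name }}"
+when:
+- osa_test_repo is not defined
+- name: Set inventory for test
+set_fact:
+contianer_inventory: "{{ test_clustered_kolide | default(false) | bool }}"
+post_tasks:
+- name: Ensure the log directory exists
+file:
+path: "/tmp/osquery-logs"
+state: directory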
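Review bot: The fallback zuul fact sets `log_root` to `{{ ansible_env.HOME }}/elk-test-logs`, so a local (non-Zuul) run of this suite drops the osquery logs into a directory named for the elk tests; `log_root: "{{ ansible_env.HOME }}/osquery-test-logs"` fits this project. `contianer_inventory` in `Set inventory for test` is misspelled, but functional.yml reads it under the same spelling, so correct both files together or neither. `debug: var=zuul` uses the key=value form while the rest of the file uses block-style arguments; `debug:` with `var: zuul` beneath keeps the file consistent.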

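--- /dev/null
+++ b/osquery/tests/run-tests.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+set -ve
+export TEST_DIR="$(readlink -f $(dirname ${0})/../../)"
+pushd "${HOME}"
+if [[ ! -d "src" ]]; then
+mkdir src
+fi
+pushd src
+ln -sf "${TEST_DIR}"
+popd
+popd
+source ${TEST_DIR}/osquery/tests/manual-test.rc
+bash -v "${TEST_DIR}/osquery/bootstrap-embedded-ansible.sh"
+${HOME}/ansible25/bin/ansible-galaxy install --force \
+--roles-path="${HOME}/ansible25/repositories/roles" \
+--role-file="${TEST_DIR}/osquery/tests/ansible-role-requirements.yml"
+if [[ ! -e "${TEST_DIR}/osquery/tests/src" ]]; then
+ln -s ${TEST_DIR}/../ ${TEST_DIR}/osquery/tests/src
+fi
+${HOME}/ansible25/bin/ansible-playbook -i 'localhost,' \
+-vv \
+-e ansible_connection=local \
+-e test_clustered_kolide=${CLUSTERED:-no} \
+${TEST_DIR}/osquery/tests/test.yml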
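Review bot: `source ${TEST_DIR}/osquery/tests/manual-test.rc`, `ln -s ${TEST_DIR}/../ ${TEST_DIR}/osquery/tests/src` and the final `${TEST_DIR}/osquery/tests/test.yml` argument expand `TEST_DIR` unquoted, and `$(dirname ${0})` inside the `TEST_DIR` assignment is unquoted as well, so a checkout path containing whitespace splits into several words and the script aborts under `set -e`; quote them the way the `bash -v "${TEST_DIR}/osquery/bootstrap-embedded-ansible.sh"` line already does. `set -ve` also echoes every line of the sourced manual-test.rc into the job log; `set -e` with `-x` on the few commands worth tracing is quieter.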

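--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,23 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+physical_host: localhost
+galera_root_password: secrete
+kolide_fleet_db_password: secrete
+kolide_fleet_admin_password: secrete
+kolide_fleet_jwt_key: secrete
+osa_test_repo: "openstack/openstack-ansible-ops"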
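Review bot: The four credentials (`galera_root_password`, `kolide_fleet_db_password`, `kolide_fleet_admin_password`, `kolide_fleet_jwt_key`) are committed in plaintext with one shared value, which is acceptable for a CI fixture but will trip secret scanners and invites copy-paste into a real deployment; a header comment such as `# Throwaway credentials for the CI test environment only; supply real, distinct values for any other use.` makes the intent explicit. `physical_host: localhost` repeats the group var set in the container inventory but is the only place it is defined for the metal inventory; a one-line comment saying so would save the next reader from removing it.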

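--- /dev/null
+++ b/osquery/tests/test.yml
@@ -0,0 +1,16 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+- import_playbook: functional.yml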


@ -83,3 +83,27 @@
vars:
osa_test_repo: "openstack/openstack-ansible-ops"
test_clustered_elk: true
- job:
name: "openstack-ansible-ops:osquery-ubuntu-xenial"
parent: base
description: "Runs a gate test on the osquery project."
run: "osquery/tests/test.yml"
post-run: "osquery/tests/post-run.yml"
voting: true
files:
- ^osquery/.*
- job:
name: "openstack-ansible-ops:osquery-ubuntu-bionic"
parent: "openstack-ansible-ops:osquery-ubuntu-xenial"
nodeset: ubuntu-bionic
- job:
name: "openstack-ansible-ops:osquery-ubuntu-bionic-clustered"
parent: "openstack-ansible-ops:osquery-ubuntu-xenial"
nodeset: ubuntu-bionic
voting: true
vars:
osa_test_repo: "openstack/openstack-ansible-ops"
test_clustered_kolide: true
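Review bot: `openstack-ansible-ops:osquery-ubuntu-bionic-clustered` is declared `voting: true` but is not listed in the `check` or `gate` pipelines in the project section of this commit (only the xenial and bionic jobs are added to check, and only bionic to gate), so the `test_clustered_kolide: true` path is never exercised. Add it next to the bionic job in both pipelines. `osquery-ubuntu-xenial` also runs in check but not in gate, unlike the elk_metrics_6x jobs which gate both nodesets; if xenial is a supported target it should gate as well.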


@ -29,6 +29,9 @@
- openstack-ansible-ops:elk_metrics_6x-ubuntu-bionic
- openstack-ansible-ops:elk_metrics_6x-ubuntu-xenial-clustered
- openstack-ansible-ops:elk_metrics_6x-ubuntu-bionic-clustered
- openstack-ansible-ops:osquery-ubuntu-xenial
- openstack-ansible-ops:osquery-ubuntu-bionic
gate:
jobs:
- openstack-ansible-ops:elk_metrics_6x-ubuntu-xenial
- openstack-ansible-ops:elk_metrics_6x-ubuntu-bionic
- openstack-ansible-ops:osquery-ubuntu-bionic