From 5aff0b59f4dccc48678feb16dde7c620c159f747 Mon Sep 17 00:00:00 2001 From: Kevin Carter Date: Mon, 15 Oct 2018 22:42:04 -0500 Subject: [PATCH] Cleanup the osquery tooling and vendor roles The osquery tooling needed a little work to be fully automated and repeatable. This change tunes up the tools and makes the entire deployment process multi-node capable and repeatable. The osquery role was vendored because of bugs in its use of AppArmor profiles, and there was no way to disable them. The fleet use of commands for ssl creation has been removed. The ssl modules are now being used to generate all of the certificates. New pre-tasks have been added to check for required variables. If the required variables are not set the playbooks will fail early and notify the user of the issue. Change-Id: I88c2b40ed9d9a88a39bdf07b0dce2900fda50151 
Signed-off-by: Kevin Carter --- osquery/{readme.rst => README.rst} | 10 +- osquery/ansible-role-requirements.yml | 16 +- osquery/bootstrap-embedded-ansible.sh | 130 +--- osquery/conf.d/fleet.yml | 7 - osquery/env.d/fleet.yml | 17 +- osquery/haproxy.example | 2 +- osquery/installDB.yml | 15 +- osquery/installKolideFleet.yml | 30 +- osquery/installOSquery.yml | 77 +- osquery/inventory.example.yml | 20 +- osquery/inventory.yaml | 35 - osquery/registerSSLcerts.yml | 73 -- osquery/roles/fleet/defaults/main.yml | 23 +- osquery/roles/fleet/handlers/main.yml | 47 ++ osquery/roles/fleet/tasks/createFleetDB.yml | 4 +- osquery/roles/fleet/tasks/fleetConfig.yml | 2 + .../fleet/tasks/fleetGetEnrollmentToken.yml | 1 + osquery/roles/fleet/tasks/fleetMigrateDB.yml | 2 + .../roles/fleet/tasks/fleetRegisterAdmin.yml | 11 +- .../roles/fleet/tasks/fleetRequirements.yml | 6 +- osquery/roles/fleet/tasks/fleetSSL.yml | 2 +- .../roles/fleet/tasks/fleetSSLdistribute.yml | 30 - .../roles/fleet/tasks/fleetSSLkeyCreate.yml | 80 ++- osquery/roles/fleet/tasks/fleetSSLstore.yml | 29 - .../roles/fleet/tasks/fleetServerInstall.yml | 42 +- osquery/roles/fleet/tasks/fleetService.yml | 16 + .../roles/fleet/tasks/fleetStartService.yml | 45 -- osquery/roles/fleet/tasks/main.yml | 45 +- .../roles/fleet/templates/fleet_config.yml.j2 | 6 +- .../roles/fleet/templates/fleet_initd.yml.j2 | 70 -- .../fleet/templates/fleet_service.yml.j2 | 17 - .../templates/kolide-fleet-proxy.service.j2 | 8 + .../templates/kolide-fleet-proxy.socket.j2 | 6 + .../roles/fleet/templates/redis_initd.yml.j2 | 69 -- .../fleet/templates/redis_service.yml.j2 | 18 - .../debian.yml} | 13 +- osquery/roles/fleet/vars/main.yml | 7 +- osquery/roles/osquery/.kitchen.docker.yml | 70 ++ osquery/roles/osquery/.kitchen.vagrant.yml | 57 ++ osquery/roles/osquery/.kitchen.yml | 56 ++ osquery/roles/osquery/.travis.yml | 97 +++ osquery/roles/osquery/.travis.yml.docker | 160 +++++ .../roles/osquery/.travis.yml.kitchen-docker | 71 ++ 
osquery/roles/osquery/.travis.yml.lxd-kitchen | 76 ++ osquery/roles/osquery/.travis.yml.orig | 42 ++ osquery/roles/osquery/.travis.yml.simple | 61 ++ osquery/roles/osquery/Jenkinsfile | 59 ++ osquery/roles/osquery/LICENSE | 24 + osquery/roles/osquery/README.md | 43 ++ osquery/roles/osquery/defaults/main.yml | 131 ++++ osquery/roles/osquery/get-dependencies.sh | 22 + osquery/roles/osquery/handlers/main.yml | 13 + .../roles/osquery/meta/.galaxy_install_info | 1 + osquery/roles/osquery/meta/main.yml | 158 ++++ osquery/roles/osquery/tasks/CentOS.yml | 17 + osquery/roles/osquery/tasks/Debian.yml | 36 + osquery/roles/osquery/tasks/apparmor.yml | 27 + osquery/roles/osquery/tasks/configure.yml | 123 ++++ osquery/roles/osquery/tasks/main.yml | 69 ++ osquery/roles/osquery/tasks/profiling.yml | 27 + osquery/roles/osquery/tasks/selinux-end.yml | 10 + osquery/roles/osquery/tasks/selinux.yml | 44 ++ osquery/roles/osquery/tasks/syslog-target.yml | 19 + osquery/roles/osquery/tasks/testing.yml | 40 ++ .../templates/apparmor-usr.bin.osqueryd.j2 | 34 + .../osquery/templates/logrotate-osquery.j2 | 39 + .../osquery-monitoring2-pack.conf.j2 | 24 + .../osquery/templates/osquery-rsyslog.conf.j2 | 6 + .../templates/osquery-snapshots-pack.conf.j2 | 183 +++++ .../roles/osquery/templates/osquery.conf.j2 | 143 ++++ osquery/roles/osquery/templates/osquery.fc.j2 | 6 + .../roles/osquery/templates/osquery.flags.j2 | 16 + osquery/roles/osquery/templates/osquery.sh.j2 | 61 ++ osquery/roles/osquery/templates/osquery.te.j2 | 674 ++++++++++++++++++ .../roles/osquery/templates/osqueryd-monit.j2 | 27 + .../templates/rsyslog-osquery-target.conf.j2 | 16 + .../bats/idempotency.bats | 14 + .../default-fleetmanager/default.yml | 43 ++ .../default-fleetmanager/serverspec/Gemfile | 8 + .../default-fleetmanager/serverspec/Rakefile | 9 + .../serverspec/osquery_spec.rb | 59 ++ .../serverspec/run-local-tests.sh | 32 + .../bats/idempotency.bats | 14 + .../default-osquery-syslog-fs/default.yml | 17 + 
.../serverspec/Gemfile | 8 + .../serverspec/Rakefile | 9 + .../serverspec/osquery_spec.rb | 59 ++ .../serverspec/osquery_syslog_spec.rb | 18 + .../serverspec/rsyslog_spec.rb | 47 ++ .../serverspec/run-local-tests.sh | 32 + .../bats/idempotency.bats | 14 + .../default-osquery-syslog/default.yml | 17 + .../default-osquery-syslog/serverspec/Gemfile | 8 + .../serverspec/Rakefile | 9 + .../serverspec/osquery_spec.rb | 44 ++ .../serverspec/osquery_syslog_spec.rb | 27 + .../serverspec/rsyslog_spec.rb | 47 ++ .../serverspec/run-local-tests.sh | 32 + .../default-profiling/bats/idempotency.bats | 14 + .../integration/default-profiling/default.yml | 11 + .../default-profiling/serverspec/Gemfile | 8 + .../default-profiling/serverspec/Rakefile | 9 + .../serverspec/osquery_load_spec.rb | 17 + .../serverspec/osquery_spec.rb | 59 ++ .../serverspec/run-local-tests.sh | 32 + .../integration/default/bats/idempotency.bats | 14 + .../test/integration/default/default.yml | 7 + .../integration/default/serverspec/Gemfile | 8 + .../integration/default/serverspec/Rakefile | 9 + .../default/serverspec/osquery_spec.rb | 59 ++ .../default/serverspec/run-local-tests.sh | 32 + .../osquery/test/lxd/centos-ssh-image.sh | 25 + .../osquery/test/travis/Dockerfile.alpine-3.4 | 9 + .../osquery/test/travis/Dockerfile.centos-6 | 15 + .../osquery/test/travis/Dockerfile.centos-7 | 29 + .../osquery/test/travis/Dockerfile.debian-8 | 11 + .../osquery/test/travis/Dockerfile.debian-9 | 12 + .../test/travis/Dockerfile.ubuntu-12.04 | 11 + .../test/travis/Dockerfile.ubuntu-14.04 | 15 + .../test/travis/Dockerfile.ubuntu-16.04 | 12 + .../test/travis/Dockerfile.ubuntu-18.04 | 11 + .../roles/osquery/test/travis/initctl_faker | 25 + .../roles/osquery/test/vagrant/Vagrantfile | 36 + .../roles/osquery/test/vagrant/ansible.cfg | 3 + osquery/roles/osquery/test/vagrant/site.yml | 6 + osquery/roles/osquery/tests/inventory | 1 + osquery/roles/osquery/tests/test.yml | 5 + osquery/roles/osquery/vars/CentOS-6.yml | 2 + 
osquery/roles/osquery/vars/CentOS-7.yml | 2 + osquery/roles/osquery/vars/CentOS.yml | 18 + osquery/roles/osquery/vars/Debian.yml | 19 + osquery/roles/osquery/vars/RedHat-6.yml | 2 + osquery/roles/osquery/vars/RedHat-7.yml | 2 + osquery/roles/osquery/vars/RedHat.yml | 18 + osquery/roles/osquery/vars/Ubuntu.yml | 17 + osquery/roles/osquery/vars/main.yml | 6 + osquery/site-osquery.yml | 1 - osquery/vars/variables.yml | 46 +- 138 files changed, 4338 insertions(+), 680 deletions(-) rename osquery/{readme.rst => README.rst} (92%) mode change 100755 => 120000 osquery/bootstrap-embedded-ansible.sh delete mode 100644 osquery/inventory.yaml delete mode 100644 osquery/registerSSLcerts.yml create mode 100644 osquery/roles/fleet/handlers/main.yml delete mode 100644 osquery/roles/fleet/tasks/fleetSSLdistribute.yml delete mode 100644 osquery/roles/fleet/tasks/fleetSSLstore.yml delete mode 100644 osquery/roles/fleet/tasks/fleetStartService.yml delete mode 100644 osquery/roles/fleet/templates/fleet_initd.yml.j2 delete mode 100644 osquery/roles/fleet/templates/fleet_service.yml.j2 create mode 100644 osquery/roles/fleet/templates/kolide-fleet-proxy.service.j2 create mode 100644 osquery/roles/fleet/templates/kolide-fleet-proxy.socket.j2 delete mode 100644 osquery/roles/fleet/templates/redis_initd.yml.j2 delete mode 100644 osquery/roles/fleet/templates/redis_service.yml.j2 rename osquery/roles/fleet/{tasks/fleetSSLselfSigned.yml => vars/debian.yml} (73%) create mode 100644 osquery/roles/osquery/.kitchen.docker.yml create mode 100644 osquery/roles/osquery/.kitchen.vagrant.yml create mode 100644 osquery/roles/osquery/.kitchen.yml create mode 100644 osquery/roles/osquery/.travis.yml create mode 100644 osquery/roles/osquery/.travis.yml.docker create mode 100644 osquery/roles/osquery/.travis.yml.kitchen-docker create mode 100644 osquery/roles/osquery/.travis.yml.lxd-kitchen create mode 100644 osquery/roles/osquery/.travis.yml.orig create mode 100644 osquery/roles/osquery/.travis.yml.simple 
create mode 100644 osquery/roles/osquery/Jenkinsfile create mode 100644 osquery/roles/osquery/LICENSE create mode 100644 osquery/roles/osquery/README.md create mode 100644 osquery/roles/osquery/defaults/main.yml create mode 100755 osquery/roles/osquery/get-dependencies.sh create mode 100644 osquery/roles/osquery/handlers/main.yml create mode 100644 osquery/roles/osquery/meta/.galaxy_install_info create mode 100644 osquery/roles/osquery/meta/main.yml create mode 100644 osquery/roles/osquery/tasks/CentOS.yml create mode 100644 osquery/roles/osquery/tasks/Debian.yml create mode 100644 osquery/roles/osquery/tasks/apparmor.yml create mode 100644 osquery/roles/osquery/tasks/configure.yml create mode 100644 osquery/roles/osquery/tasks/main.yml create mode 100644 osquery/roles/osquery/tasks/profiling.yml create mode 100644 osquery/roles/osquery/tasks/selinux-end.yml create mode 100644 osquery/roles/osquery/tasks/selinux.yml create mode 100644 osquery/roles/osquery/tasks/syslog-target.yml create mode 100644 osquery/roles/osquery/tasks/testing.yml create mode 100644 osquery/roles/osquery/templates/apparmor-usr.bin.osqueryd.j2 create mode 100644 osquery/roles/osquery/templates/logrotate-osquery.j2 create mode 100644 osquery/roles/osquery/templates/osquery-monitoring2-pack.conf.j2 create mode 100644 osquery/roles/osquery/templates/osquery-rsyslog.conf.j2 create mode 100755 osquery/roles/osquery/templates/osquery-snapshots-pack.conf.j2 create mode 100644 osquery/roles/osquery/templates/osquery.conf.j2 create mode 100644 osquery/roles/osquery/templates/osquery.fc.j2 create mode 100644 osquery/roles/osquery/templates/osquery.flags.j2 create mode 100644 osquery/roles/osquery/templates/osquery.sh.j2 create mode 100644 osquery/roles/osquery/templates/osquery.te.j2 create mode 100644 osquery/roles/osquery/templates/osqueryd-monit.j2 create mode 100644 osquery/roles/osquery/templates/rsyslog-osquery-target.conf.j2 create mode 100644 
osquery/roles/osquery/test/integration/default-fleetmanager/bats/idempotency.bats create mode 100644 osquery/roles/osquery/test/integration/default-fleetmanager/default.yml create mode 100644 osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Gemfile create mode 100644 osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Rakefile create mode 100644 osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/osquery_spec.rb create mode 100755 osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/run-local-tests.sh create mode 100644 osquery/roles/osquery/test/integration/default-osquery-syslog-fs/bats/idempotency.bats create mode 100644 osquery/roles/osquery/test/integration/default-osquery-syslog-fs/default.yml create mode 100644 osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Gemfile create mode 100644 osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Rakefile create mode 100644 osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_spec.rb create mode 100644 osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_syslog_spec.rb create mode 100644 osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/rsyslog_spec.rb create mode 100755 osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/run-local-tests.sh create mode 100644 osquery/roles/osquery/test/integration/default-osquery-syslog/bats/idempotency.bats create mode 100644 osquery/roles/osquery/test/integration/default-osquery-syslog/default.yml create mode 100644 osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Gemfile create mode 100644 osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Rakefile create mode 100644 osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_spec.rb create mode 100644 
osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_syslog_spec.rb create mode 100644 osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/rsyslog_spec.rb create mode 100755 osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/run-local-tests.sh create mode 100644 osquery/roles/osquery/test/integration/default-profiling/bats/idempotency.bats create mode 100644 osquery/roles/osquery/test/integration/default-profiling/default.yml create mode 100644 osquery/roles/osquery/test/integration/default-profiling/serverspec/Gemfile create mode 100644 osquery/roles/osquery/test/integration/default-profiling/serverspec/Rakefile create mode 100644 osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_load_spec.rb create mode 100644 osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_spec.rb create mode 100755 osquery/roles/osquery/test/integration/default-profiling/serverspec/run-local-tests.sh create mode 100644 osquery/roles/osquery/test/integration/default/bats/idempotency.bats create mode 100644 osquery/roles/osquery/test/integration/default/default.yml create mode 100644 osquery/roles/osquery/test/integration/default/serverspec/Gemfile create mode 100644 osquery/roles/osquery/test/integration/default/serverspec/Rakefile create mode 100644 osquery/roles/osquery/test/integration/default/serverspec/osquery_spec.rb create mode 100755 osquery/roles/osquery/test/integration/default/serverspec/run-local-tests.sh create mode 100644 osquery/roles/osquery/test/lxd/centos-ssh-image.sh create mode 100644 osquery/roles/osquery/test/travis/Dockerfile.alpine-3.4 create mode 100644 osquery/roles/osquery/test/travis/Dockerfile.centos-6 create mode 100644 osquery/roles/osquery/test/travis/Dockerfile.centos-7 create mode 100644 osquery/roles/osquery/test/travis/Dockerfile.debian-8 create mode 100644 osquery/roles/osquery/test/travis/Dockerfile.debian-9 create mode 100644 
osquery/roles/osquery/test/travis/Dockerfile.ubuntu-12.04 create mode 100644 osquery/roles/osquery/test/travis/Dockerfile.ubuntu-14.04 create mode 100644 osquery/roles/osquery/test/travis/Dockerfile.ubuntu-16.04 create mode 100644 osquery/roles/osquery/test/travis/Dockerfile.ubuntu-18.04 create mode 100644 osquery/roles/osquery/test/travis/initctl_faker create mode 100644 osquery/roles/osquery/test/vagrant/Vagrantfile create mode 100644 osquery/roles/osquery/test/vagrant/ansible.cfg create mode 100644 osquery/roles/osquery/test/vagrant/site.yml create mode 100644 osquery/roles/osquery/tests/inventory create mode 100644 osquery/roles/osquery/tests/test.yml create mode 100644 osquery/roles/osquery/vars/CentOS-6.yml create mode 100644 osquery/roles/osquery/vars/CentOS-7.yml create mode 100644 osquery/roles/osquery/vars/CentOS.yml create mode 100644 osquery/roles/osquery/vars/Debian.yml create mode 100644 osquery/roles/osquery/vars/RedHat-6.yml create mode 100644 osquery/roles/osquery/vars/RedHat-7.yml create mode 100644 osquery/roles/osquery/vars/RedHat.yml create mode 100644 osquery/roles/osquery/vars/Ubuntu.yml create mode 100644 osquery/roles/osquery/vars/main.yml diff --git a/osquery/readme.rst b/osquery/README.rst similarity index 92% rename from osquery/readme.rst rename to osquery/README.rst index a7b17137..20c12ad4 100644 --- a/osquery/readme.rst +++ b/osquery/README.rst @@ -81,7 +81,6 @@ Update the `/etc/hosts` file *(optional)* openstack-ansible openstack-hosts-setup.yml - Create an haproxy entry for kolide-fleet service 8443 .. code-block:: bash 
@@ -117,14 +116,14 @@ the `bootstrap-ansible.sh` script these dependencies can be resolved with the .. code-block:: bash - ansible-galaxy install -r ansible-role-requirements.yml + ansible-galaxy install -r ansible-role-requirements.yml --roles-path=~/ansible25/repositories/roles In the even that some of the modules are alread installed execute the following .. code-block:: bash - ansible-galaxy install -r ansible-role-requirements.yml --ignore-errors + ansible-galaxy install -r ansible-role-requirements.yml --ignore-errors --roles-path=~/ansible25/repositories/roles Once the dependencies are set make sure to set the action plugin path to the @@ -139,7 +138,9 @@ Deploying | The environment Create some basic passwords keys that are needed by fleet .. code-block:: bashG - echo "kolide_fleet_jwt_key: $(openssl rand -base64 32)" > /etc/openstack_deploy/fleet_user_vars.yml + echo "kolide_fleet_db_password: $(openssl rand -base64 16)" > /etc/openstack_deploy/fleet_user_vars.yml + echo "kolide_fleet_jwt_key: $(openssl rand -base64 32)" >> /etc/openstack_deploy/fleet_user_vars.yml + echo "kolide_fleet_admin_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/fleet_user_vars.yml echo "mariadb_root_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/fleet_user_vars.yml @@ -184,6 +185,7 @@ This diagram outlines the data flow from within an Elastic-Stack deployment. :alt: Kolide & Osquery Data Flow Diagram :align: center + TODO ---- The following is a list of open items. diff --git a/osquery/ansible-role-requirements.yml b/osquery/ansible-role-requirements.yml index 41168eda..13bafc41 100644 --- a/osquery/ansible-role-requirements.yml +++ b/osquery/ansible-role-requirements.yml 
@@ -1,24 +1,16 @@ --- -#- name: systemd_service -# scm: git -# src: https://git.openstack.org/openstack/ansible-role-systemd_service -# version: master +- name: systemd_service + scm: git + src: https://git.openstack.org/openstack/ansible-role-systemd_service + version: master - name: config_template scm: git src: https://git.openstack.org/openstack/ansible-config_template version: master -- name: osquery - scm: git - src: https://github.com/kloud-pro/ansible-osquery - version: master - name: redis scm: git src: https://github.com/geerlingguy/ansible-role-redis version: master -- name: mariadb - scm: git - src: https://github.com/lechuckroh/ansible-role-mariadb - version: master - name: galera_client scm: git src: https://git.openstack.org/openstack/openstack-ansible-galera_client diff --git a/osquery/bootstrap-embedded-ansible.sh b/osquery/bootstrap-embedded-ansible.sh deleted file mode 100755 index a119de4c..00000000 --- a/osquery/bootstrap-embedded-ansible.sh +++ /dev/null 
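Review bot: The newly enabled `systemd_service` entry pins `version: master`, as do the retained `config_template` and `redis` entries, so `ansible-galaxy install` fetches whatever those upstream branches hold at run time and a deployment cannot be reproduced or audited against a known role revision. The bootstrap script deleted in this same commit checked out fixed SHAs for `config_template` and `systemd_service`, so the net effect is trading a pinned set of roles for a floating one. Pin each role to a tag or commit, e.g. `version: <known-good tag or SHA>`, and bump it deliberately in review; the commented-out and removed entries are history and not in question.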
@@ -1,129 +0,0 @@ -#!/usr/bin/env bash -# Copyright 2018, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -export OPTS=() -export ANSIBLE_EMBED_HOME="${HOME}/ansible25" -OPTS+=('ANSIBLE_EMBED_HOME') - -source /etc/os-release -if [[ ! -e "${ANSIBLE_EMBED_HOME}/bin/ansible" ]]; then - if [ ${VERSION_ID} = "14.04" ]; then - apt-get update - apt-get -y install python-virtualenv - echo "done installing python-virtualenv" - else - apt-get update - apt-get -y install python3-virtualenv python-virtualenv - echo "done installing python-virtualenv python3-virtualenv" - fi - - if [[ -e "${HOME}/.pip" ]]; then - echo "..................moving .pip out of place to boostrap" - mv ${HOME}/.pip ${HOME}/.off-pip - fi - - if [[ -f "/usr/bin/python2" ]]; then - virtualenv --python="/usr/bin/python2" "${ANSIBLE_EMBED_HOME}" - elif [[ -f "/usr/bin/python3" ]]; then - virtualenv --python="/usr/bin/python3" "${ANSIBLE_EMBED_HOME}" - else - virtualenv "${ANSIBLE_EMBED_HOME}" - fi - - eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade --force pip" - eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade ansible==2.5.5.0 --isolated" - eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade jmespath --isolated" - echo "Ansible can be found here: ${ANSIBLE_EMBED_HOME}/bin" - - if [[ -e "${HOME}/.off-pip" ]]; then - mv ${HOME}/off-pip ${HOME}/.pip - echo "..................moving .pip back in to place" - fi -fi - -if [[ ! 
-d "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template" ]]; then - mkdir -p "${ANSIBLE_EMBED_HOME}/repositories" - git clone https://git.openstack.org/openstack/ansible-config_template "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template" - pushd "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template" - git checkout a5c9d97e18683f0fdf9769d94ba174c72e2d093c # HEAD of master from 20-06-18 - popd -fi - -if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/openstack_ansible_plugins" ]]; then - mkdir -p "${ANSIBLE_EMBED_HOME}/repositories" - git clone https://git.openstack.org/openstack/openstack-ansible-plugins "${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins" - pushd "${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins" - git checkout cef7946b3b3b3e4d02406c228741985a94b72cff # HEAD of master from 20-06-18 - popd -fi - -if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service" ]]; then - mkdir -p "${ANSIBLE_EMBED_HOME}/repositories" - git clone https://git.openstack.org/openstack/ansible-role-systemd_service "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service" - pushd "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service" - git checkout 02f5ff1c0e073af53bed2141a045e608162970ea # HEAD of master from 20-06-18 - popd -fi - -if [[ -f "/etc/openstack_deploy/openstack_inventory.json" ]]; then - if [[ ! -f "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh" ]]; then - mkdir -p "${ANSIBLE_EMBED_HOME}/inventory" - cat > "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh" <- + The root password for the galera cluster is not defined. To proceed with this + installation define the variable `mariadb_root_password` in line or within a + variable file. 
+ when: + - mariadb_root_password is undefined + roles: - role: galera_server galera_root_user: "{{ mariadb_root_user }}" galera_root_password: "{{ mariadb_root_password }}" - galera_cluster_members: "{{ groups['mariadb'] }}" + galera_cluster_members: "{{ groups['mariadb_all'] }}" galera_wsrep_node_name: "{{ inventory_hostname }}" galera_cluster_name: telemetry_galera_cluster + galera_monitoring_allowed_source: "0.0.0.0/0" environment: "{{ deployment_environment_variables | default({}) }}" diff --git a/osquery/installKolideFleet.yml b/osquery/installKolideFleet.yml index 317abe29..c8d19198 100644 --- a/osquery/installKolideFleet.yml +++ b/osquery/installKolideFleet.yml @@ -1,6 +1,6 @@ --- - name: Install Kolide Fleet - hosts: "fleet" + hosts: "fleet_all" become: true vars_files: @@ -10,5 +10,33 @@ gather_facts: "{{ osa_gather_facts | default(True) }}" + pre_tasks: + - name: Test for kolide db password + fail: + msg: >- + The DB password for the Kolide / Fleet cluster is not defined. To proceed with this + installation define the variable `kolide_fleet_db_password` in line or within a + variable file. + when: + - kolide_fleet_db_password is undefined + + - name: Test for kolide shared key + fail: + msg: >- + The shared token for the Kolide / Fleet cluster is not defined. To proceed with this + installation define the variable `kolide_fleet_jwt_key` in line or within a + variable file. + when: + - kolide_fleet_jwt_key is undefined + + - name: Test for kolide admin password + fail: + msg: >- + The admin password for the Kolide / Fleet cluster is not defined. To proceed with this + installation define the variable `kolide_fleet_admin_password` in line or within a + variable file. + when: + - kolide_fleet_admin_password is undefined + roles: - role: fleet diff --git a/osquery/installOSquery.yml b/osquery/installOSquery.yml index 6960477c..b8ec3547 100644 --- a/osquery/installOSquery.yml +++ b/osquery/installOSquery.yml 
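Review bot: The three new `fail` pre-tasks test only `is undefined`, so a variable that is defined but empty — `kolide_fleet_db_password: ""`, or an unset shell variable rendered into the vars file by the README's `openssl rand` recipe — passes the guard and the play continues with an empty DB password, JWT key or admin password. Tighten each `when` to cover the empty case, e.g. `- (kolide_fleet_db_password | default('')) | length == 0`, and likewise for `kolide_fleet_jwt_key` and `kolide_fleet_admin_password`. The `msg` text of each task reads well as written.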
@@ -14,7 +14,7 @@ # limitations under the License. - name: Install osquery - hosts: "osquery" + hosts: "fleet_all:osquery:hosts" become: true vars_files: - vars/variables.yml 
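Review bot: The new pattern `hosts: "fleet_all:osquery:hosts"` still targets a group named `osquery`, while the `inventory.example.yml` hunk in this same commit renames that group to `osquery_all`; with the example inventory, Ansible would warn that the `osquery` pattern matches nothing and the host listed only under `osquery_all` (`logging02`) would never get osquery installed. Either change the pattern to `hosts: "fleet_all:osquery_all:hosts"` or keep the old group name in `inventory.example.yml`, so the playbook and the shipped example agree. The same mismatch applies to the `inventory.example.yml` hunk further down.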
@@ -26,40 +26,63 @@ pre_tasks: - name: create osquery dir file: - path: /etc/osquery/ssl + path: "{{ item }}" state: directory + with_items: + - /etc/osquery + - /etc/osquery/ssl - - name: Debug fleet_config - debug: - var: hostvars[groups['fleet'][0]]['ansible_host'] - verbosity: 2 + - name: Synchronize certifactes back + synchronize: + mode: pull + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - src: "{{ kolide_fleet_ssl_cert }}" + dest: "/tmp/{{ kolide_fleet_ssl_cert | basename }}" + - src: "{{ kolide_fleet_ssl_key }}" + dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}" + when: + - inventory_hostname == groups['fleet_all'][0] - - name: Store ssl cert - slurp: - src: "{{ kolide_fleet_ssl_cert }}" - register: _kolide_fleet_ssl_cert - - - name: Store ssl key - slurp: - src: "{{ kolide_fleet_ssl_key }}" - register: _kolide_fleet_ssl_key - - - name: Register a fact for the cert and key - set_fact: - kolide_fleet_ssl_cert_fact: "{{ _kolide_fleet_ssl_cert.content }}" - kolide_fleet_ssl_key_fact: "{{ _kolide_fleet_ssl_key.content }}" - - - name: Distribute self signed ssl cert + - name: Copy certifactes over copy: - dest: "{{ kolide_fleet_ssl_cert }}" - content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_cert_fact'] | b64decode }}" - mode: "0640" + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - dest: "{{ kolide_fleet_ssl_cert }}" + src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}" + - dest: "{{ kolide_fleet_ssl_key }}" + src: "/tmp/{{ kolide_fleet_ssl_key | basename }}" + when: + - inventory_hostname != groups['fleet_all'][0] + + - name: retrieve Enrollment Token + command: /usr/local/bin/fleetctl get enroll-secret + changed_when: false + register: _enrollment_token + delegate_to: "{{ groups['fleet_all'][0] }}" + run_once: true + + - name: Set kolide fleet enrollment token fact + set_fact: + kolide_fleet_enroll_secret: "{{ _enrollment_token.stdout }}" - name: write enroll secret copy: - dest: "{{ osquery_enroll_secret_dir 
}}" - content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_enroll_secret'] }}" + dest: "{{ osquery_enroll_secret_file }}" + content: "{{ kolide_fleet_enroll_secret }}" mode: "0640" + post_tasks: + - name: Cleanup certifactes + file: + dest: "{{ item }}" + state: "absent" + delegate_to: localhost + with_items: + - "/tmp/{{ kolide_fleet_ssl_cert | basename }}" + - "/tmp/{{ kolide_fleet_ssl_key | basename }}" + roles: - role: "osquery" diff --git a/osquery/inventory.example.yml b/osquery/inventory.example.yml index 814a17cd..c99b8415 100644 --- a/osquery/inventory.example.yml +++ b/osquery/inventory.example.yml @@ -21,15 +21,19 @@ all: # host machines here. hosts: hosts: - logging01: + logging01: {} # This is the location where fleet(s) will live -mariadb: +fleet_all: hosts: - logging01: -fleet: + logging01: {} + +mariadb_all: + children: + fleet_all: {} + +osquery_all: hosts: - logging01: -osquery: - hosts: - logging01: + logging02: + ansible_host: 172.16.27.101 + ansible_user: root diff --git a/osquery/inventory.yaml b/osquery/inventory.yaml deleted file mode 100644 index 9d1c17f4..00000000 --- a/osquery/inventory.yaml +++ /dev/null @@ -1,35 +0,0 @@ ---- - -################################## ALL HOSTS ################################## -all: - hosts: - # Local host - localhost: - ansible_connection: local - -################################## REQUIRED ################################### - logging01: - ansible_host: 104.130.207.70 - ansible_user: root - - vars: {} - - -################################### GROUPS #################################### - -# The hosts group is used to target physical host machines. Enter all physical -# host machines here. -hosts: - hosts: - logging01: - -# This is the location where fleet(s) will live -mariadb: - hosts: - logging01: -fleet: - hosts: - logging01: -osquery: - hosts: - logging01: diff --git a/osquery/registerSSLcerts.yml b/osquery/registerSSLcerts.yml deleted file mode 100644 index 61f0c409..00000000 
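Review bot: The `Copy certifactes over` task distributes the fleet server's TLS private key (`kolide_fleet_ssl_key`) to every osquery host, staged through the controller's `/tmp`, and the `copy` task sets no `mode`, so on each endpoint the key is written with default permissions rather than the `0640` this same hunk uses for the enroll secret. An osqueryd agent verifies the fleet server with a certificate bundle (`tls_server_certs`), not the server's key, so unless the vendored osquery role reads the key (not visible here) drop the key entry from both `with_items` lists and from the `post_tasks` cleanup, and give the cert copy an explicit `mode: "0644"`. The `retrieve Enrollment Token` and `write enroll secret` tasks also handle a secret without `no_log: true`, so the enroll secret shows up in verbose play output. The `/tmp` cleanup in `post_tasks` only runs when the play reaches it, so a failure partway leaves the staged files on the controller; a `block`/`always` around the pre-tasks, or a handler with `force_handlers`, would close that gap.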
--- a/osquery/registerSSLcerts.yml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -# Copyright 2018, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Install Kolide Fleet - hosts: "fleet" - become: true - - vars_files: - - vars/variables.yml - - environment: "{{ deployment_environment_variables | default({}) }}" - - gather_facts: "{{ osa_gather_facts | default(True) }}" - - pre_tasks: - - name: Store ssl cert - slurp: - src: "{{ kolide_fleet_ssl_cert }}" - register: _kolide_fleet_ssl_cert - - - name: Store ssl ca cert - slurp: - src: "{{ kolide_fleet_ssl_ca_cert }}" - register: _kolide_fleet_ssl_ca_cert - when: kolide_fleet_user_ssl_ca_cert is defined - - - name: Register a fact for the cert and key - set_fact: - kolide_fleet_ssl_cert_fact: "{{ _kolide_fleet_ssl_cert.content }}" - - - name: Register a fact for the cert and key - set_fact: - kolide_fleet_ssl_ca_cert_fact: "{{ _kolide_fleet_ssl_ca_cert.content }}" - when: kolide_fleet_user_ssl_ca_cert is defined - - - name: Distribute self signed ssl cert - copy: - dest: "{{ kolide_fleet_ssl_cert }}" - content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_cert_fact'] | b64decode }}" - mode: "0640" - - - name: Distribute self signed CA ssl cert - copy: - dest: "{{ kolide_fleet_ca_ssl_cert }}" - content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_ca_cert_fact'] | b64decode }}" - mode: "0640" - when: kolide_fleet_user_ssl_ca_cert is defined - - - name: retrieve Enrollment Token - command: /usr/local/bin/fleetctl get enroll-secret - 
register: _enrollment_token - - - name: Set kolide fleet enrollment token fact - set_fact: - kolide_fleet_enroll_secret: "{{ _enrollment_token.stdout }}" - - - name: write enroll secret - copy: - dest: "{{ osquery_enroll_secret_dir }}" - content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_enroll_secret'] }}" - mode: "0640" diff --git a/osquery/roles/fleet/defaults/main.yml b/osquery/roles/fleet/defaults/main.yml index 258562bf..53b323b0 100644 --- a/osquery/roles/fleet/defaults/main.yml +++ b/osquery/roles/fleet/defaults/main.yml @@ -1,10 +1,25 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + # Kolide Fleet vars kolide_fleet_db_name: fleet kolide_fleet_db_user: fleet #kolide_fleet_db_password: fleetSecrete -kolide_fleet_port: "443" +kolide_fleet_port: "8443" kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}" kolide_fleet_version: "2.0.0-rc5" kolide_fleet_url: "https://github.com/kolide/fleet/releases/download" 
@@ -14,13 +29,13 @@ kolide_fleet_admin_email: admin@openstack.org kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert kolide_fleet_ssl_key: /etc/ssl/private/fleet.key -kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem -kolide_fleet_ssl_ca_cert: /etc/ssl/certs/fleet-ca.pem -kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost" +kolide_fleet_ssl_csr: /etc/ssl/private/fleet.csr kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}" kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}" +kolide_fleet_ssl_key_purge: false + #kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}" diff --git a/osquery/roles/fleet/handlers/main.yml b/osquery/roles/fleet/handlers/main.yml new file mode 100644 index 00000000..4619591f --- /dev/null +++ b/osquery/roles/fleet/handlers/main.yml 
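Review bot: `kolide_fleet_ssl_pem` and `kolide_fleet_ssl_ca_cert` are removed from the defaults here, but the purge list in fleetSSLkeyCreate.yml still iterates over `"{{ kolide_fleet_ssl_pem }}"` and `"{{ kolide_fleet_ssl_ca_cert }}"`, so a run with `kolide_fleet_ssl_key_purge: true` fails on an undefined variable before any key is regenerated. Either keep the two definitions in defaults or drop those two entries from the purge list. The new flag also wipes the key and certificate on the first fleet host and then re-distributes a fresh pair to every node, which deserves a comment next to it, e.g. `# true regenerates the key/cert on the first fleet host and pushes the new pair to all fleet nodes`.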
@@ -0,0 +1,47 @@ +--- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: Enable and restart kolide socket (systemd) + systemd: + name: "kolide-fleet-proxy.socket" + enabled: true + state: started + listen: Restart kolide (systemd) + +- name: Enable and restart kolide (systemd) + systemd: + name: "kolide-fleet.service" + enabled: true + state: restarted + notify: + - Enable and restart kolide proxy (systemd) + listen: Restart kolide (systemd) + +- name: Enable and restart kolide proxy (systemd) + systemd: + name: "kolide-fleet-proxy.service" + enabled: true + state: restarted + listen: Restart kolide (systemd) + +- name: Cleanup certifactes + file: + dest: "{{ item }}" + state: "absent" + delegate_to: localhost + with_items: + - "/tmp/{{ kolide_fleet_ssl_cert | basename }}" + - "/tmp/{{ kolide_fleet_ssl_key | basename }}" + - "/tmp/{{ kolide_fleet_ssl_csr | basename }}" diff --git a/osquery/roles/fleet/tasks/createFleetDB.yml b/osquery/roles/fleet/tasks/createFleetDB.yml index fcb7d94e..a53531e1 100644 --- a/osquery/roles/fleet/tasks/createFleetDB.yml +++ b/osquery/roles/fleet/tasks/createFleetDB.yml @@ -20,7 +20,7 @@ login_host: "{{ mariadb_login_host | default('localhost') }}" name: "{{ kolide_fleet_db_name }}" state: "present" - delegate_to: "{{ groups['mariadb'][0] }}" + delegate_to: "{{ groups['mariadb_all'][0] }}" no_log: False tags: - fleet_db_install 
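Review bot: The `Cleanup certifactes` handler is the only thing that removes the pulled private key from `/tmp` on the controller, and handlers are skipped when the play fails between the `synchronize` pull and the end of the play (unless `--force-handlers` or `force_handlers: true` is set), so a failed run leaves `/tmp/fleet.key` sitting on the controller at a predictable path. Do the removal in an `always:` section of the block that performs the pull, or at least set `force_handlers: true` in the playbook that calls this role. The misspelling `certifactes` is repeated in the `notify:` of fleetSSLkeyCreate.yml, so both sides must change together if it is fixed. The socket handler uses `state: started` while the two service handlers use `restarted`; if that is deliberate (the socket rarely changes) a one-line comment would stop the next reader from "fixing" it.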
@@ -36,7 +36,7 @@ state: "present" priv: "{{ kolide_fleet_db_name }}.*:ALL" append_privs: "{{ kolide_fleet_db_append_privs | default(omit) }}" - delegate_to: "{{ groups['mariadb'][0] }}" + delegate_to: "{{ groups['mariadb_all'][0] }}" with_items: "{{ grant_list | default(['localhost', '%']) }}" no_log: False tags: diff --git a/osquery/roles/fleet/tasks/fleetConfig.yml b/osquery/roles/fleet/tasks/fleetConfig.yml index 76b71191..e3704a3a 100644 --- a/osquery/roles/fleet/tasks/fleetConfig.yml +++ b/osquery/roles/fleet/tasks/fleetConfig.yml @@ -22,5 +22,7 @@ template: src: templates/fleet_config.yml.j2 dest: /etc/fleet/fleet_config.yml + notify: + - Restart kolide (systemd) tags: - fleet_config diff --git a/osquery/roles/fleet/tasks/fleetGetEnrollmentToken.yml b/osquery/roles/fleet/tasks/fleetGetEnrollmentToken.yml index 03efb6c8..89f9dabd 100644 --- a/osquery/roles/fleet/tasks/fleetGetEnrollmentToken.yml +++ b/osquery/roles/fleet/tasks/fleetGetEnrollmentToken.yml @@ -15,6 +15,7 @@ - name: retrieve Enrollment Token command: /usr/local/bin/fleetctl get enroll-secret + changed_when: false register: _enrollment_token - name: Set kolide fleet enrollment token fact diff --git a/osquery/roles/fleet/tasks/fleetMigrateDB.yml b/osquery/roles/fleet/tasks/fleetMigrateDB.yml index b669a15f..447d32c3 100644 --- a/osquery/roles/fleet/tasks/fleetMigrateDB.yml +++ b/osquery/roles/fleet/tasks/fleetMigrateDB.yml @@ -16,3 +16,5 @@ - name: Migrate the fleet database command: /usr/local/bin/fleet prepare db --config=/etc/fleet/fleet_config.yml --no-prompt + changed_when: false + run_once: true diff --git a/osquery/roles/fleet/tasks/fleetRegisterAdmin.yml b/osquery/roles/fleet/tasks/fleetRegisterAdmin.yml index b8a22181..3d72d219 100644 --- a/osquery/roles/fleet/tasks/fleetRegisterAdmin.yml +++ b/osquery/roles/fleet/tasks/fleetRegisterAdmin.yml 
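Review bot: The grant task re-targeted here (it sets `priv: "{{ kolide_fleet_db_name }}.*:ALL"` for the fleet user, so it presumably also carries that user's password) keeps an explicit `no_log: False`, which prints every argument, including the password, in verbose output and in any controller log shipping. Change it to `no_log: true` on this task and on the database-creation task above it, which has the same explicit `no_log: False`. The default `grant_list` of `['localhost', '%']` lets the fleet user connect from any host; now that the DB lives on `mariadb_all[0]` rather than a co-located instance, restricting the grant to the fleet hosts' addresses would be the safer default.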
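Review bot: `/etc/fleet/fleet_config.yml` is written by this `template` task without `mode`, `owner` or `group`, and the rendered file carries the MariaDB password and the JWT signing key, so it is created with the remote umask (normally world-readable). Add `mode: "0640"` plus `owner`/`group` matching the account `kolide-fleet.service` runs as, and `no_log: true` keeps the rendered secrets out of `--diff` output. The restart notify is correct; it is only flushed at the `meta: flush_handlers` in main.yml, so the DB migration runs before the service restarts.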
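Review bot: `fleetctl get enroll-secret` registers the enrollment secret in `_enrollment_token` and the task has no `no_log: true`, so the secret that every osquery node uses to enrol is echoed in verbose output and kept in the registered result for all hosts. Add `no_log: true` to this task and to the `set_fact` that follows it. `changed_when: false` is the right choice for a read-only query.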
@@ -19,14 +19,19 @@ register: fleet_config_set - name: set fleetctl default context - command: fleetctl config set --address https://localhost:{{ kolide_fleet_port }} --tls-skip-verify - when: fleet_config_set.stat.exists == false + command: /usr/local/bin/fleetctl config set --address https://localhost:{{ kolide_fleet_port }} --tls-skip-verify + changed_when: false + when: + - fleet_config_set.stat.exists == false - name: register admin account command: /usr/local/bin/fleetctl setup --email {{ kolide_fleet_admin_email }} --password {{ kolide_fleet_admin_password }} + changed_when: false register: fleet_register_admin ignore_errors: true # ignore errors as we might have already set this it will be caought later - name: login admin account command: /usr/local/bin/fleetctl login --email {{ kolide_fleet_admin_email }} --password {{ kolide_fleet_admin_password }} - when: fleet_register_admin['stderr'] == "Kolide Fleet has already been setup" + changed_when: false + when: + - fleet_register_admin['stderr'] == "Kolide Fleet has already been setup" diff --git a/osquery/roles/fleet/tasks/fleetRequirements.yml b/osquery/roles/fleet/tasks/fleetRequirements.yml index dcce00cc..4e7a3ae8 100644 --- a/osquery/roles/fleet/tasks/fleetRequirements.yml +++ b/osquery/roles/fleet/tasks/fleetRequirements.yml @@ -17,16 +17,12 @@ include_role: name: redis private: true + - name: create fleet dir file: path: /etc/fleet/ssl state: directory -- name: Debug fleet_config - debug: - var: hostvars[groups['mariadb'][0]]['ansible_host'] - verbosity: 2 - - name: Drop fleet conf file template: src: templates/fleet_config.yml.j2 diff --git a/osquery/roles/fleet/tasks/fleetSSL.yml b/osquery/roles/fleet/tasks/fleetSSL.yml index 42a1c43e..dfd0ee73 100644 --- a/osquery/roles/fleet/tasks/fleetSSL.yml +++ b/osquery/roles/fleet/tasks/fleetSSL.yml 
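Review bot: `fleetctl setup --password {{ kolide_fleet_admin_password }}` and `fleetctl login --password ...` pass the admin password on the command line, where it is visible in `ps`, in Ansible's task output and in the registered `fleet_register_admin` result, and neither task sets `no_log: true`. Add `no_log: true` to both tasks, and prefer stdin or an environment variable if the fleetctl version in use supports one. `ignore_errors: true` on setup swallows every failure, not only the already-configured case; a `failed_when: fleet_register_admin.rc != 0 and 'already been setup' not in fleet_register_admin.stderr` keeps the error for anything else. The `--tls-skip-verify` in `fleetctl config set` is reasonable for a self-signed certificate on localhost but should say so in a comment.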
@@ -20,7 +20,7 @@ tags: - fleet-ssl -- include_tasks: fleetSSLselfSigned.yml +- include_tasks: fleetSSLkeyCreate.yml when: - kolide_fleet_user_ssl_cert is not defined or kolide_fleet_user_ssl_key is not defined diff --git a/osquery/roles/fleet/tasks/fleetSSLdistribute.yml b/osquery/roles/fleet/tasks/fleetSSLdistribute.yml deleted file mode 100644 index ce5ae8bc..00000000 --- a/osquery/roles/fleet/tasks/fleetSSLdistribute.yml +++ /dev/null @@ -1,30 +0,0 @@ ---- -# Copyright 2014, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Distribute self signed ssl key - copy: - dest: "{{ kolide_fleet_ssl_key }}" - content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_key_fact'] | b64decode }}" - mode: "0640" - tags: - - fleet-ssl - -- name: Distribute self signed ssl cert - copy: - dest: "{{ kolide_fleet_ssl_cert }}" - content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_cert_fact'] | b64decode }}" - mode: "0640" - tags: - - fleet-ssl diff --git a/osquery/roles/fleet/tasks/fleetSSLkeyCreate.yml b/osquery/roles/fleet/tasks/fleetSSLkeyCreate.yml index 302e37b6..37de30fa 100644 --- a/osquery/roles/fleet/tasks/fleetSSLkeyCreate.yml +++ b/osquery/roles/fleet/tasks/fleetSSLkeyCreate.yml 
@@ -17,21 +17,71 @@ file: dest: "{{ item }}" state: "absent" + when: + - kolide_fleet_ssl_key_purge | bool with_items: - - "{{ kolide_fleet_ssl_pem }}" - - "{{ kolide_fleet_ssl_key }}" - "{{ kolide_fleet_ssl_cert }}" - tags: - - fleet-ssl + - "{{ kolide_fleet_ssl_key }}" + - "{{ kolide_fleet_ssl_pem }}" + - "{{ kolide_fleet_ssl_ca_cert }}" -- name: Create self-signed ssl cert - command: > - openssl req -new -nodes -sha256 -x509 -subj - "{{ kolide_fleet_ssl_self_signed_subject }}" - -days 3650 - -keyout {{ kolide_fleet_ssl_key }} - -out {{ kolide_fleet_ssl_cert }} - -extensions v3_ca - creates={{ kolide_fleet_ssl_cert }} - tags: - - kolide_fleet-ssl +- name: SSL Block + block: + - name: Generate service private key + openssl_privatekey: + path: "{{ kolide_fleet_ssl_key }}" + size: 4096 + + - name: Generate self signed CSR + openssl_csr: + path: "{{ kolide_fleet_ssl_csr }}" + privatekey_path: "{{ kolide_fleet_ssl_key }}" + common_name: "{{ ansible_domain }}" + country_name: XX + locality_name: Kolide-Server + organization_name: OpenStack + organizational_unit_name: OpenStack-Ansible-OPS + + - name: Generate a Self Signed OpenSSL certificate + openssl_certificate: + path: "{{ kolide_fleet_ssl_cert }}" + privatekey_path: "{{ kolide_fleet_ssl_key }}" + csr_path: "{{ kolide_fleet_ssl_csr }}" + provider: selfsigned + force: "{{ kolide_fleet_ssl_key_purge | bool }}" + issuer: + O: OpenStack-Ansible-OPS + + - name: Synchronize certifactes back + synchronize: + mode: pull + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - src: "{{ kolide_fleet_ssl_csr }}" + dest: "/tmp/{{ kolide_fleet_ssl_csr | basename }}" + - src: "{{ kolide_fleet_ssl_cert }}" + dest: "/tmp/{{ kolide_fleet_ssl_cert | basename }}" + - src: "{{ kolide_fleet_ssl_key }}" + dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}" + when: + - (groups['fleet_all'] | length) > 1 + notify: + - Cleanup certifactes + when: + - inventory_hostname == groups['fleet_all'][0] + +- name: Copy certifactes over + 
copy: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + with_items: + - dest: "{{ kolide_fleet_ssl_csr }}" + src: "/tmp/{{ kolide_fleet_ssl_csr | basename }}" + - dest: "{{ kolide_fleet_ssl_cert }}" + src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}" + - dest: "{{ kolide_fleet_ssl_key }}" + src: "/tmp/{{ kolide_fleet_ssl_key | basename }}" + when: + - inventory_hostname != groups['fleet_all'][0] + - (groups['fleet_all'] | length) > 1 diff --git a/osquery/roles/fleet/tasks/fleetSSLstore.yml b/osquery/roles/fleet/tasks/fleetSSLstore.yml deleted file mode 100644 index 0dde5771..00000000 --- a/osquery/roles/fleet/tasks/fleetSSLstore.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- -# Copyright 2018, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -- name: Store ssl cert - slurp: - src: "{{ kolide_fleet_ssl_cert }}" - register: _kolide_fleet_ssl_cert - -- name: Store ssl key - slurp: - src: "{{ kolide_fleet_ssl_key }}" - register: _kolide_fleet_ssl_key - -- name: Register a fact for the cert and key - set_fact: - kolide_fleet_ssl_cert_fact: "{{ _kolide_fleet_ssl_cert.content }}" - kolide_fleet_ssl_key_fact: "{{ _kolide_fleet_ssl_key.content }}" diff --git a/osquery/roles/fleet/tasks/fleetServerInstall.yml b/osquery/roles/fleet/tasks/fleetServerInstall.yml index c61cedc2..7ec25d4c 100644 --- a/osquery/roles/fleet/tasks/fleetServerInstall.yml +++ b/osquery/roles/fleet/tasks/fleetServerInstall.yml 
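Review bot: The multi-node path pulls the service private key to the controller (`synchronize: mode: pull` into a fixed `/tmp/fleet.key`) and pushes it to the other fleet hosts with `copy:` and no `mode`, so on every secondary node the key is created with the remote umask (normally 0644) under `/etc/ssl/private`, and no task in this file sets `no_log`. Give the key item its own restrictive mode, mark the copy task `no_log: true`, and use a controller-side `tempfile` directory (0700) instead of a predictable `/tmp/<basename>` that any local user can pre-create or read. The purge list still references `kolide_fleet_ssl_pem` and `kolide_fleet_ssl_ca_cert`, which this commit removes from defaults and vars, so `kolide_fleet_ssl_key_purge: true` fails on an undefined variable. The CSR has no `subject_alt_name` and `common_name: "{{ ansible_domain }}"` is empty on hosts without a DNS domain, whereas the replaced subject carried `IP.1={{ ansible_host }}`; clients that verify the fleet certificate by IP or name will not match, so consider `subject_alt_name: "IP:{{ ansible_host }},DNS:{{ ansible_fqdn }}"`. Rewritten copy task:

```yaml
- name: Copy certifactes over
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
  no_log: true
  with_items:
    - dest: "{{ kolide_fleet_ssl_csr }}"
      src: "/tmp/{{ kolide_fleet_ssl_csr | basename }}"
      mode: "0644"
    - dest: "{{ kolide_fleet_ssl_cert }}"
      src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
      mode: "0644"
    - dest: "{{ kolide_fleet_ssl_key }}"
      src: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
      mode: "0600"
  # … unchanged: when conditions …
```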
@@ -13,29 +13,41 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Install prerequisites - apt: name={{ item }} update_cache=yes - with_items: - - unzip - - ca-certificates - - apt-transport-https - - software-properties-common - - curl -- name: Run the systemd service role - include_role: - name: redis - private: true +- name: Ensure required disto packages are installed + package: + name: "{{ kolide_fleet_distro_packages }}" + state: "present" + update_cache: "{{ (ansible_pkg_mgr == 'apt') | ternary('yes', omit) }}" + register: _package_task + until: _package_task is success + retries: 3 + delay: 2 + tags: + - package_install -- name: create fleet dir +- name: Create fleet dir file: path: '/tmp/fleet_{{ kolide_fleet_version }}' state: directory +- name: GET fleet + get_url: + url: "{{ kolide_fleet_url }}/{{ kolide_fleet_version }}/fleet_{{ kolide_fleet_version }}.zip" + dest: "/var/cache/fleet_{{ kolide_fleet_version }}.zip" + register: _get_task + until: _get_task is success + retries: 3 + delay: 2 + tags: + - package_install + - name: Unarchive Fleet binaries unarchive: - src: '{{ kolide_fleet_url }}/{{ kolide_fleet_version }}/fleet_{{ kolide_fleet_version }}.zip' - dest: '/tmp/fleet_{{ kolide_fleet_version}}/' + src: '/var/cache/fleet_{{ kolide_fleet_version }}.zip' + dest: '/tmp/fleet_{{ kolide_fleet_version }}/' remote_src: yes + notify: + - Restart kolide (systemd) - name: Copy unarchived binaries copy: diff --git a/osquery/roles/fleet/tasks/fleetService.yml b/osquery/roles/fleet/tasks/fleetService.yml index ea143369..2eba403c 100644 --- a/osquery/roles/fleet/tasks/fleetService.yml +++ b/osquery/roles/fleet/tasks/fleetService.yml 
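Review bot: The new `get_url` task downloads `fleet_{{ kolide_fleet_version }}.zip` from GitHub releases with no `checksum:`, so the binary that becomes `/usr/local/bin/fleet` and the `fleetctl` used to mint enroll secrets are installed with no integrity check beyond TLS, and the pinned version is a release candidate (`2.0.0-rc5`). Add a `kolide_fleet_checksum` variable and pass `checksum: "{{ kolide_fleet_checksum }}"` (in `sha256:<hex>` form) so a changed or tampered artifact fails the task instead of being unpacked and promoted. Unpacking into `/tmp/fleet_<version>/` uses a world-writable location; `/var/cache`, which already holds the zip, or a `tempfile`-created directory avoids another local user pre-creating that path. The retry loops on `package` and `get_url` are a good addition.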
@@ -27,5 +27,21 @@ Unit: Wants: network-online.target Requires: redis-server.service + Service: + Slice: kolide-fleet.slice tags: - server-install + +- name: Place the kolide-fleet socket + template: + src: 'kolide-fleet-proxy.socket.j2' + dest: '/etc/systemd/system/kolide-fleet-proxy.socket' + notify: + - Restart kolide (systemd) + +- name: Place the kolide-fleet proxy + template: + src: 'kolide-fleet-proxy.service.j2' + dest: '/etc/systemd/system/kolide-fleet-proxy.service' + notify: + - Restart kolide (systemd) diff --git a/osquery/roles/fleet/tasks/fleetStartService.yml b/osquery/roles/fleet/tasks/fleetStartService.yml deleted file mode 100644 index 133f1fb3..00000000 --- a/osquery/roles/fleet/tasks/fleetStartService.yml +++ /dev/null @@ -1,45 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - - -- name: Start redis fleet kolide service - initd - service: - name: redis - enabled: yes - state: restarted - when: - - ansible_service_mgr == "init" - tags: - - config -- name: Start fleet kolide service - initd - service: - name: redis - enabled: yes - state: restarted - when: - - ansible_service_mgr == "init" - tags: - - config - -- name: Enable and restart kolide - systemd - systemd: - name: "kolide-fleet" - enabled: true - state: restarted - when: - - ansible_service_mgr == "systemd" - tags: - - config diff --git a/osquery/roles/fleet/tasks/main.yml b/osquery/roles/fleet/tasks/main.yml index 3407f628..bc0cdeeb 100644 
--- a/osquery/roles/fleet/tasks/main.yml +++ b/osquery/roles/fleet/tasks/main.yml 
@@ -1,30 +1,53 @@ --- +# Copyright 2016, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: Gather variables for each operating system + include_vars: "{{ item }}" + with_first_found: + - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml" + - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml" + - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml" + - "{{ ansible_distribution | lower }}.yml" + - "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml" + - "{{ ansible_os_family | lower }}.yml" + tags: + - always + +# install kolide fleet server +- include_tasks: fleetServerInstall.yml + +# install software requirements +- include_tasks: fleetRequirements.yml + # install SSL certs - include_tasks: createFleetDB.yml # install SSL certs - include_tasks: fleetSSL.yml -# install software requirements -- include_tasks: fleetRequirements.yml - -# install kolide fleet server -- include_tasks: fleetServerInstall.yml - # drop the configuration - include_tasks: fleetConfig.yml # add files for systemd - include_tasks: fleetService.yml - when: - - ansible_service_mgr == "systemd" # migrate the database - include_tasks: fleetMigrateDB.yml - run_once: true -# start fleet via systemd -- include_tasks: fleetStartService.yml +- name: Force kolide handlers + meta: flush_handlers # configure kolide fleet & set admin account - 
include_tasks: fleetRegisterAdmin.yml diff --git a/osquery/roles/fleet/templates/fleet_config.yml.j2 b/osquery/roles/fleet/templates/fleet_config.yml.j2 index d39100dc..5ca2b27f 100644 --- a/osquery/roles/fleet/templates/fleet_config.yml.j2 +++ b/osquery/roles/fleet/templates/fleet_config.yml.j2 @@ -1,10 +1,12 @@ +--- + mysql: - address: {{ hostvars[groups['mariadb'][0]]['ansible_host'] }}:3306 + address: 127.0.0.1:3306 database: {{ kolide_fleet_db_name }} username: {{ kolide_fleet_db_user }} password: {{ kolide_fleet_db_password }} redis: - address: localhost:6379 + address: 127.0.0.1:6379 auth: jwt_key: {{ kolide_fleet_jwt_key }} server: diff --git a/osquery/roles/fleet/templates/fleet_initd.yml.j2 b/osquery/roles/fleet/templates/fleet_initd.yml.j2 deleted file mode 100644 index 562824f2..00000000 --- a/osquery/roles/fleet/templates/fleet_initd.yml.j2 +++ /dev/null 
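Review bot: The rendered config is YAML but `password: {{ kolide_fleet_db_password }}` and `jwt_key: {{ kolide_fleet_jwt_key }}` are unquoted, so a secret that is all digits, looks like a float, or is a YAML boolean word may be retyped by the parser and break authentication; write `password: "{{ kolide_fleet_db_password }}"` and `jwt_key: "{{ kolide_fleet_jwt_key }}"`. The MySQL address is now hard-wired to `127.0.0.1:3306` while the database is created via `delegate_to: groups['mariadb_all'][0]` in createFleetDB.yml, which only works when every fleet host has a local MariaDB or a local proxy listener; that assumption belongs in a comment such as `# assumes a MariaDB (or HAProxy) listener on loopback of every fleet host`. Because the file holds two secrets, the task that renders it should also set a restrictive `mode`.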
@@ -1,70 +0,0 @@ -#!/usr/bin/env bash - -############### -# SysV Init Information -# description: docker daemon. -### BEGIN INIT INFO -# Provides: me -# Required-Start: -# Required-Stop: -# Default-Start: 2 3 5 -# Default-Stop: 0 1 6 -# Short-Description: manage docker daemon -# Description: docker daemon -### END INIT INFO - - -HOME=path/to/code -EXEC=docker -NAME="fleet_service" - -LABEL={{ kolide_fleet_version }} -PORT=8412 - -case "$1" in - start) - RUNNING=`docker inspect -f '{{.State.Running}}' ${NAME}` - - if [[ ${RUNNING} == "true" ]]; then - # - # No need to start it - # - echo "Process is running" - exit 1; - if - echo "Starting container: '$NAME'..." - docker run --restart=always -v /etc/fleet:/etc/fleet --name=fleet_service kolide/fleet:{{ kolide_fleet_version }} -p 8412:8412 --config=/etc/fleet/fleet_config.yml - ;; - stop) - echo "Stopping $NAME..." - - docker stop -t 2 ${NAME} &> /dev/null - - if [[ 0 != $? ]]; then - echo "Could not stop container" - exit 4; - fi - ;; - status) - RUNNING=`docker inspect -f '{{.State.Running}}' ${NAME}` - - if [[ "true" == ${RUNNING} ]]; then - echo "$NAME is running" - else - echo "$NAME is not running" - fi - ;; - inspect) - docker inspect ${NAME} - ;; - logs) - docker logs ${NAME} - ;; - restart) - $0 stop - $0 start - ;; - *) - echo "Please use start, stop, restart, inspect or status as first argument" - ;; -esac diff --git a/osquery/roles/fleet/templates/fleet_service.yml.j2 b/osquery/roles/fleet/templates/fleet_service.yml.j2 deleted file mode 100644 index 1c94f6c9..00000000 --- a/osquery/roles/fleet/templates/fleet_service.yml.j2 +++ /dev/null 
@@ -1,17 +0,0 @@ -[Unit] -Requires=redis.service -After=redis.service - -[Service] -TimeoutStartSec=0 -ExecStartPre=-/usr/bin/docker pull kolide/fleet:{{ kolide_fleet_version }} -ExecStartPre=-/usr/bin/docker kill fleet_service -ExecStartPre=-/usr/bin/docker rm fleet_service -ExecStart=/usr/bin/docker run -v /etc/fleet:/etc/fleet --name fleet_service kolide/fleet:{{ kolide_fleet_version }} --config=/etc/fleet/fleet_config.yml - -ExecStop=-/usr/bin/docker stop fleet_fleet - -ExecReload=/usr/bin/docker restart fleet_service - -[Install] -WantedBy=multi-user.target diff --git a/osquery/roles/fleet/templates/kolide-fleet-proxy.service.j2 b/osquery/roles/fleet/templates/kolide-fleet-proxy.service.j2 new file mode 100644 index 00000000..7c5eab05 --- /dev/null +++ b/osquery/roles/fleet/templates/kolide-fleet-proxy.service.j2 @@ -0,0 +1,8 @@ +[Unit] +Description=Remote Switch redirect + +[Service] +After = kolide-fleet-proxy.socket +Requires = kolide-fleet-proxy.socket +partof = kolide-fleet.service +ExecStart=/lib/systemd/systemd-socket-proxyd 127.0.0.1:{{ kolide_fleet_port }} diff --git a/osquery/roles/fleet/templates/kolide-fleet-proxy.socket.j2 b/osquery/roles/fleet/templates/kolide-fleet-proxy.socket.j2 new file mode 100644 index 00000000..16163937 --- /dev/null +++ b/osquery/roles/fleet/templates/kolide-fleet-proxy.socket.j2 @@ -0,0 +1,6 @@ +[Socket] +ListenStream=0.0.0.0:443 +Transparent=yes + +[Install] +WantedBy=sockets.target diff --git a/osquery/roles/fleet/templates/redis_initd.yml.j2 b/osquery/roles/fleet/templates/redis_initd.yml.j2 deleted file mode 100644 index 47279c75..00000000 --- a/osquery/roles/fleet/templates/redis_initd.yml.j2 +++ /dev/null 
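Review bot: In kolide-fleet-proxy.service.j2 the `After=`, `Requires=` and `partof=` lines sit under `[Service]`, but they are `[Unit]` directives and the key is spelled `PartOf` (systemd keys are case-sensitive), so systemd will log "Unknown key name" and ignore all three; the proxy then declares no dependency on its socket or on kolide-fleet.service, and stopping kolide-fleet leaves the proxy running. Move them into `[Unit]` and fix the spelling. As a hardening point, `systemd-socket-proxyd` runs as root by default here; since it only connects to loopback, `DynamicUser=yes` plus `PrivateTmp=yes` should work and is worth trying.

```ini
[Unit]
Description=Socket proxy for kolide-fleet (0.0.0.0:443 -> 127.0.0.1:{{ kolide_fleet_port }})
After=kolide-fleet-proxy.socket kolide-fleet.service
Requires=kolide-fleet-proxy.socket
PartOf=kolide-fleet.service

[Service]
DynamicUser=yes
PrivateTmp=yes
ExecStart=/lib/systemd/systemd-socket-proxyd 127.0.0.1:{{ kolide_fleet_port }}
```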
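Review bot: `Transparent=yes` in kolide-fleet-proxy.socket.j2 sets IP_TRANSPARENT on the listener, which is only needed to accept traffic addressed to non-local IPs and is not required by a plain `0.0.0.0:443` listener; drop it to avoid an unneeded privileged socket option. The listen address also hard-codes 443 while the rest of the role is driven by `kolide_fleet_port`, so the externally exposed port can no longer be changed through variables; a `kolide_fleet_proxy_port` (or similar) would keep the two in step, and `ListenStream=443` would additionally cover IPv6 if dual-stack exposure is wanted. Note the socket handler only uses `state: started`, so a changed listen address takes effect only after a manual restart of the socket unit.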
@@ -1,69 +0,0 @@ -#!/usr/bin/env bash - -############### -# SysV Init Information -# description: docker daemon. -### BEGIN INIT INFO -# Provides: me -# Required-Start: -# Required-Stop: -# Default-Start: 2 3 5 -# Default-Stop: 0 1 6 -# Short-Description: manage docker daemon -# Description: docker daemon -### END INIT INFO - - -HOME=path/to/code -EXEC=docker -NAME="redis_service" - -LABEL={{ kolide_fleet_version }} - -case "$1" in - start) - RUNNING=`docker inspect -f '{{.State.Running}}' ${NAME}` - - if [[ ${RUNNING} == "true" ]]; then - # - # No need to start it - # - echo "Process is running" - exit 1; - if - echo "Starting container: '$NAME'..." - docker run -d --restart=always --name=redis_service redis:4-alpine - ;; - stop) - echo "Stopping $NAME..." - - docker stop -t 2 ${NAME} &> /dev/null - - if [[ 0 != $? ]]; then - echo "Could not stop container" - exit 4; - fi - ;; - status) - RUNNING=`docker inspect -f '{{.State.Running}}' ${NAME}` - - if [[ "true" == ${RUNNING} ]]; then - echo "$NAME is running" - else - echo "$NAME is not running" - fi - ;; - inspect) - docker inspect ${NAME} - ;; - logs) - docker logs ${NAME} - ;; - restart) - $0 stop - $0 start - ;; - *) - echo "Please use start, stop, restart, inspect or status as first argument" - ;; -esac diff --git a/osquery/roles/fleet/templates/redis_service.yml.j2 b/osquery/roles/fleet/templates/redis_service.yml.j2 deleted file mode 100644 index 154de212..00000000 --- a/osquery/roles/fleet/templates/redis_service.yml.j2 +++ /dev/null @@ -1,18 +0,0 @@ -[Unit] -Description=Redis Container -After=docker.service -Requires=docker.service - -[Service] -Type=simple -restart=always -TimeoutStartSec=120 -ExecStartPre=-/usr/bin/docker pull redis:4-alpine -ExecStartPre=-/usr/bin/docker kill redis_service -ExecStartPre=-/usr/bin/docker rm redis_service -ExecStart=/usr/bin/docker run --name redis_service redis:alpine - -ExecStop=/usr/bin/docker stop redis_service - -[Install] -WantedBy=multi-user.target 
diff --git a/osquery/roles/fleet/tasks/fleetSSLselfSigned.yml b/osquery/roles/fleet/vars/debian.yml similarity index 73% rename from osquery/roles/fleet/tasks/fleetSSLselfSigned.yml rename to osquery/roles/fleet/vars/debian.yml index 21a68439..19311ece 100644 --- a/osquery/roles/fleet/tasks/fleetSSLselfSigned.yml +++ b/osquery/roles/fleet/vars/debian.yml @@ -1,5 +1,5 @@ --- -# Copyright 2018, Rackspace US, Inc. +# Copyright 2016, Rackspace US, Inc. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -13,6 +13,11 @@ # See the License for the specific language governing permissions and # limitations under the License. -- include_tasks: fleetSSLkeyCreate.yml -- include_tasks: fleetSSLstore.yml -- include_tasks: fleetSSLdistribute.yml +kolide_fleet_distro_packages: + - apt-transport-https + - ca-certificates + - curl + - python3-openssl + - python-openssl + - software-properties-common + - unzip \ No newline at end of file diff --git a/osquery/roles/fleet/vars/main.yml b/osquery/roles/fleet/vars/main.yml index af066239..1f933e79 100644 --- a/osquery/roles/fleet/vars/main.yml +++ b/osquery/roles/fleet/vars/main.yml @@ -1,10 +1,10 @@ +--- # Kolide Fleet vars kolide_fleet_db_name: fleet kolide_fleet_db_user: fleet #kolide_fleet_db_password: fleetSecrete -kolide_fleet_port: "443" -kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}" +kolide_fleet_address: "127.0.0.1:{{ kolide_fleet_port }}" kolide_fleet_version: "2.0.0-rc5" kolide_fleet_url: "https://github.com/kolide/fleet/releases/download" 
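Review bot: vars/main.yml now sets `kolide_fleet_address: "127.0.0.1:{{ kolide_fleet_port }}"` while defaults/main.yml in this same commit sets it to `0.0.0.0:...`; role `vars/` outrank `defaults/`, inventory and group_vars, so the default is dead and, more importantly, every key duplicated in vars/main.yml (`kolide_fleet_db_name`, `kolide_fleet_db_user`, `kolide_fleet_version`, the SSL paths) cannot be overridden by an operator except with `-e`. Keep in vars/main.yml only the values that must not be overridden and move the rest to defaults, or delete the duplicates. Binding fleet to loopback and exposing it solely through the socket proxy is a good change, but the reason belongs next to the value: `# fleet listens on loopback only; kolide-fleet-proxy.socket exposes it on 0.0.0.0:443`.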
@@ -13,9 +13,6 @@ kolide_fleet_admin_email: admin@openstack.org kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert kolide_fleet_ssl_key: /etc/ssl/private/fleet.key -kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem -kolide_fleet_ssl_ca_cert: /etc/ssl/certs/fleet-ca.pem -kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost" kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}" kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}" diff --git a/osquery/roles/osquery/.kitchen.docker.yml b/osquery/roles/osquery/.kitchen.docker.yml new file mode 100644 index 00000000..4eeefa1a --- /dev/null +++ b/osquery/roles/osquery/.kitchen.docker.yml 
@@ -0,0 +1,70 @@ +--- +driver: + name: docker +## https://github.com/test-kitchen/kitchen-docker/issues/54 + use_sudo: false + +transport: + name: sftp + +provisioner: + name: ansible_playbook + roles_path: ../ + hosts: test-kitchen +# ansible_verbose: true + ansible_verbose: false + ansible_verbosity: 3 + ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %> +# require_chef_omnibus: false + require_ansible_omnibus: true +# require_chef_for_busser: false + enable_yum_epel: true + ansible_connection: ssh + +platforms: + - name: ubuntu-18.04 + driver_config: +# https://github.com/test-kitchen/kitchen-docker/issues/285 + provision_command: mkdir -p /run/sshd + - name: ubuntu-16.04 +## systemd? + driver: + config: + security.privileged: true + - name: ubuntu-14.04 + - name: ubuntu-12.04 + - name: centos-7 +## systemd + driver: + config: + security.privileged: true +### epel mirror issue. see readme +# - name: centos-6 +### Ansible 2.2+/cryptography: https://github.com/ansible/ansible/issues/276 +# provisioner: +# ansible_version: 2.1.2.0 +## tool chain kitchen and image need customization... nok currently +# - name: alpine-3.4 +# - name: debian-8 + - name: debian-9 + +suites: + - name: default + run_list: + attributes: + - name: default-osquery-syslog + run_list: + attributes: + - name: default-osquery-syslog-fs + run_list: + attributes: + - name: default-profiling + run_list: + attributes: + includes: + - ubuntu-16.04 + - name: default-fleetmanager + run_list: + attributes: + includes: + - ubuntu-16.04 diff --git a/osquery/roles/osquery/.kitchen.vagrant.yml b/osquery/roles/osquery/.kitchen.vagrant.yml new file mode 100644 index 00000000..c6445110 --- /dev/null +++ b/osquery/roles/osquery/.kitchen.vagrant.yml 
@@ -0,0 +1,57 @@ +--- +# $ KITCHEN_YAML=".kitchen.vagrant.yml" kitchen verify + +driver: + name: vagrant + provider: <%= ENV['KITCHEN_PROVIDER'] || 'virtualbox' %> + +## make file transfer faster. need https://github.com/coderanger/kitchen-sync +transport: + name: sftp + +provisioner: + name: ansible_playbook + roles_path: ../ + hosts: test-kitchen +# ansible_verbose: true + ansible_verbose: false + ansible_verbosity: 3 + ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %> + +platforms: + - name: ubuntu-18.04 + - name: ubuntu-16.04 + - name: ubuntu-14.04 + - name: centos-7.1 +## ansible < 2.x +# - name: debian-8 +# driver_config: +# box: debian-8 +# box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box + - name: debian-9 + driver: + box: remram/debian-9-amd64 + +suites: + - name: default + run_list: + attributes: + - name: default-osquery-syslog + run_list: + attributes: + - name: default-osquery-syslog-fs + run_list: + attributes: + - name: default-profiling + run_list: + attributes: + includes: + - ubuntu-18.04 + - name: default-fleetmanager + run_list: + attributes: + includes: + - ubuntu-18.04 + driver_config: + network: + - ["forwarded_port", {guest: 8080, host: 9080}] diff --git a/osquery/roles/osquery/.kitchen.yml b/osquery/roles/osquery/.kitchen.yml new file mode 100644 index 00000000..024e48d9 --- /dev/null +++ b/osquery/roles/osquery/.kitchen.yml 
@@ -0,0 +1,56 @@ +--- +driver: + name: lxd_cli + +transport: + name: sftp + +provisioner: + name: ansible_playbook + roles_path: ../ + hosts: test-kitchen + ansible_verbose: true +# ansible_verbose: false + ansible_verbosity: 2 + ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %> + require_ansible_omnibus: true + require_chef_omnibus: false +# require_chef_for_busser: false + enable_yum_epel: true + ansible_connection: ssh + +platforms: + - name: ubuntu-18.04 + - name: ubuntu-16.04 +# - name: ubuntu-14.04 +# - name: ubuntu-12.04 + - name: centos-7 +# - name: centos-6 +# - name: alpine-3.7 + +suites: + - name: default + run_list: + attributes: + - name: default-osquery-syslog + run_list: + attributes: + includes: + - ubuntu-18.04 + - centos-7 + - name: default-osquery-syslog-fs + run_list: + attributes: + includes: + - ubuntu-18.04 + - centos-7 + - name: default-profiling + run_list: + attributes: + includes: + - ubuntu-18.04 + - name: default-fleetmanager + run_list: + attributes: + includes: + - ubuntu-18.04 diff --git a/osquery/roles/osquery/.travis.yml b/osquery/roles/osquery/.travis.yml new file mode 100644 index 00000000..dcf97ce8 --- /dev/null +++ b/osquery/roles/osquery/.travis.yml 
@@ -0,0 +1,97 @@ +--- +dist: trusty +sudo: required +rvm: + - 2.4 + +env: +## those images need pre-configuration before being usable (openssh...) +# - distribution: centos +# version: 6 + - distribution: centos + version: 7 + suite: default + - distribution: ubuntu + version: 18.04 + suite: default + - distribution: ubuntu + version: 16.04 + suite: default +# - distribution: ubuntu +# version: 14.04 +# - distribution: ubuntu +# version: 12.04 +# - distribution: alpine +# version: 3.4 + - distribution: centos + version: 7 + suite: default-osquery-syslog + - distribution: ubuntu + version: 18.04 + suite: default-osquery-syslog + - distribution: centos + version: 7 + suite: default-osquery-syslog-fs + - distribution: ubuntu + version: 18.04 + suite: default-osquery-syslog-fs + - distribution: ubuntu + version: 18.04 + suite: default-profiling + - distribution: ubuntu + version: 18.04 + suite: default-fleetmanager + +before_install: + - env + - pwd + - find -ls +## use appropriate role path and not github name + - "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh" +## No Xenial, https://github.com/travis-ci/travis-ci/issues/5821 +# - sudo apt install lxd + - echo "deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse" | sudo tee /etc/apt/sources.list.d/trusty-backports.list + - sudo apt-get update -qq + - sudo apt -t trusty-backports -y install lxd acl -q +## change of group implies logout+login to apply... can't do with travis = run as root (sic) +## https://github.com/travis-ci/travis-ci/issues/1839 or chain: sudo -E su $USER -c "..." 
+ - sudo usermod -G lxd travis + # Pull container +# - lxc remote add images images.linuxcontainers.org + - sudo -E su $USER -c "lxc remote list" + - sudo -E su $USER -c "lxc image list" +## pre-download base images + - 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] || lxc image copy images:${distribution}/${version}/amd64 local: --alias=${distribution}-${version}-nossh"' + - 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] && lxc image copy ubuntu:${version} local: --alias=${distribution}-${version}" || true' +## configure lxd-bridge + - sudo perl -pi -e 's@^LXD_IPV4_ADDR=""@LXD_IPV4_ADDR="10.252.116.1"@;s@^LXD_IPV4_NETMASK=""@LXD_IPV4_NETMASK="255.255.255.0"@;s@^LXD_IPV4_NETWORK=""@LXD_IPV4_NETWORK="10.252.116.1/24"@;s@^LXD_IPV4_DHCP_RANGE=""@LXD_IPV4_DHCP_RANGE="10.252.116.2,10.252.116.254"@;s@^LXD_IPV4_DHCP_MAX=""@LXD_IPV4_DHCP_MAX="252"@;s@LXD_IPV6_PROXY="true"@LXD_IPV6_PROXY="false"@' /etc/default/lxd-bridge +# - cat /etc/default/lxd-bridge +# - service --status-all + - sudo service lxd restart + + - sudo pip install ansible + - gem install kitchen + - gem install kitchen-ansible + - gem install kitchen-sync + - gem install kitchen-lxd_cli + - gem list + - which kitchen +## ssh key for lxd_cli ? + - ls ~/.ssh + - ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -P "" +## sudo/su get us a non-usual PATH ... + - '[ "X${distribution}" == "Xcentos" ] && sudo -E su $USER -c "sh -x ./test/lxd/centos-ssh-image.sh" || true' + - sudo -E su $USER -c "env" +## The command "sudo -E su $USER -c "which kitchen"" failed and exited with 1 during . 
+# - sudo -E su $USER -c "which kitchen" + - sudo -E su $USER -c "env PATH=$PATH kitchen diagnose --all" +# - sudo -E su $USER -c "kitchen diagnose --all" +# - sudo -E -u $USER kitchen diagnose --all + +script: +# - KITCHEN_LOCAL_YAML=.kitchen.local.yml bundle exec kitchen verify ${INSTANCE} + - sudo -E su $USER -c "env PATH=$PATH kitchen verify ${suite}-${distribution}-${version//./} -l debug || (cat $HOME/.kitchen/logs/${suite}-${distribution}-${version//./}.log; find /tmp/kitchen)" + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ + diff --git a/osquery/roles/osquery/.travis.yml.docker b/osquery/roles/osquery/.travis.yml.docker new file mode 100644 index 00000000..0d25fce1 --- /dev/null +++ b/osquery/roles/osquery/.travis.yml.docker 
@@ -0,0 +1,160 @@ +--- +## from https://github.com/geerlingguy/ansible-role-apache/blob/master/.travis.yml +sudo: required + +env: +# - distribution: centos +# version: 6 +# init: /sbin/init +# run_opts: "" +# suite: default + - distribution: centos + version: 7 + init: /usr/lib/systemd/systemd + run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default + ansible_version: 2.5.5 + ansible_extra_vars: "" +# - distribution: ubuntu +# version: 18.04 +# init: /lib/systemd/systemd +# run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" +# suite: default +# ansible_version: 2.5.5 +# ansible_extra_vars: "" + - distribution: ubuntu + version: 16.04 + init: /lib/systemd/systemd + run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default + ansible_version: 2.5.5 + ansible_extra_vars: "" +# - distribution: ubuntu +# version: 14.04 +# init: /sbin/init +# run_opts: "" +# suite: default +# - distribution: ubuntu +# version: 12.04 +# init: /sbin/init +# run_opts: "" +# suite: default +# - distribution: alpine +# version: 3.4 +# init: /sbin/init +# run_opts: "" +# suite: default +## https://travis-ci.org/juju4/ansible-osquery/jobs/246615342, https://github.com/facebook/osquery/issues/2321 + - distribution: debian + version: 9 + init: /lib/systemd/systemd + run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default + ansible_version: 2.5.5 + ansible_extra_vars: "" + - distribution: centos + version: 7 + init: /usr/lib/systemd/systemd + run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default-osquery-syslog + ansible_version: 2.5.5 + ansible_extra_vars: "" + - distribution: ubuntu + version: 16.04 + init: /lib/systemd/systemd + run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default-osquery-syslog + ansible_version: 2.5.5 + ansible_extra_vars: "" + - distribution: centos + version: 7 + init: /usr/lib/systemd/systemd + run_opts: 
"'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default-osquery-syslog-fs + ansible_version: 2.5.5 + ansible_extra_vars: "" + - distribution: ubuntu + version: 16.04 + init: /lib/systemd/systemd + run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default-osquery-syslog-fs + ansible_version: 2.5.5 + ansible_extra_vars: "" + - distribution: ubuntu + version: 16.04 + init: /lib/systemd/systemd + run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default-profiling + ansible_version: 2.5.5 + ansible_extra_vars: "" +# past ansible version + - distribution: ubuntu + version: 16.04 + init: /lib/systemd/systemd + run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default + ansible_version: 2.4.5 + ansible_extra_vars: "" +# upcoming ansible version + - distribution: ubuntu + version: 16.04 + init: /lib/systemd/systemd + run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" + suite: default + ansible_version: 2.6.0rc3 + ansible_extra_vars: "" + +services: + - docker + +before_install: + # - sudo apt-get update + # Pull container + - 'sudo docker pull ${distribution}:${version}' + - env + - pwd + - find -ls + - "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh" + - cp test/travis/initctl_faker test/ + # Customize container + - 'sudo docker build --rm=true --file=test/travis/Dockerfile.${distribution}-${version} --tag=${distribution}-${version}:ansible test' + +before_script: + - container_id=$(mktemp) + # Run container in detached state + - 'sudo docker run --detach --volume="${PWD%/*}":/etc/ansible/roles:ro ${run_opts} ${distribution}-${version}:ansible "${init}" > "${container_id}"' + + - 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm pip install --upgrade pip' + - 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm pip install ansible==${ansible_version}' + - 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm 
ansible --version' + +script: + # Ansible syntax check. + - 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/default.yml --syntax-check' + + # Test role. + - 'travis_wait 30 sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/default.yml -vv ${ansible_extra_vars}' + + # Test role idempotence. + - > + travis_wait 30 sudo docker exec "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/default.yml ${ansible_extra_vars} + | tee /tmp/idempotency.log + | grep -q 'changed=0.*failed=0' + && (echo 'Idempotence test: pass' && exit 0) + || (echo 'Idempotence test: fail' && cat /tmp/idempotency.log && exit 0) + + # serverspec tests +## travis/docker: Errno::EROFS: Read-only file system @ dir_s_mkdir - /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/serverspec/.bundle +# - 'sudo docker exec --tty "$(cat ${container_id})" /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/serverspec/run-local-tests.sh' + +after_failure: + # Check what happened on systemd systems. + - 'docker exec --tty "$(cat ${container_id})" env TERM=xterm systemctl -l --no-pager status osqueryd.service' + - 'docker exec --tty "$(cat ${container_id})" env TERM=xterm journalctl -xe --no-pager' + +after_script: + # Clean up + - 'sudo docker stop "$(cat ${container_id})"' + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/osquery/roles/osquery/.travis.yml.kitchen-docker b/osquery/roles/osquery/.travis.yml.kitchen-docker new file mode 100644 index 00000000..20a0db28 --- /dev/null +++ b/osquery/roles/osquery/.travis.yml.kitchen-docker 
@@ -0,0 +1,71 @@ +--- +## note: can't fully test osquery inside docker as will not be able have kernel /dev/osquery +dist: trusty +sudo: required +rvm: + - 2.4 + +env: +# - distribution: centos +# version: 6 + - distribution: centos + version: 7 + suite: default + - distribution: ubuntu + version: 16.04 + suite: default + - distribution: ubuntu + version: 14.04 + suite: default +# - distribution: ubuntu +# version: 12.04 +# - distribution: alpine +# version: 3.4 + - distribution: debian + version: 8 + suite: default + - distribution: centos + version: 7 + suite: default-osquery-syslog + - distribution: ubuntu + version: 16.04 + suite: default-osquery-syslog + - distribution: ubuntu + version: 14.04 + suite: default-osquery-syslog + - distribution: centos + version: 7 + suite: default-osquery-syslog-fs + - distribution: ubuntu + version: 16.04 + suite: default-osquery-syslog-fs + - distribution: ubuntu + version: 14.04 + suite: default-osquery-syslog-fs + +before_install: + - env + - pwd + - find -ls +## use appropriate role path and not github name + - "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh" + - sudo pip install ansible +## need to use chef gem for some reason? BAD PATH https://github.com/chef/chef-dk/issues/15 +# - chef gem install kitchen + - gem install kitchen + - gem install kitchen-ansible + - gem install kitchen-sync + - gem install kitchen-docker + - gem list + - which kitchen + - KITCHEN_YAML=.kitchen.docker.yml kitchen diagnose --all + +script: +## avoid locale issue under xenial docker, https://github.com/pypa/pip/issues/3575 + - export LC_ALL=C.UTF-8 + - export LANG=C.UTF-8 + - KITCHEN_YAML=.kitchen.docker.yml kitchen verify ${suite}-${distribution}-${version//./} + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ + diff --git a/osquery/roles/osquery/.travis.yml.lxd-kitchen b/osquery/roles/osquery/.travis.yml.lxd-kitchen new file mode 100644 index 00000000..e471bca6 --- /dev/null 
+++ b/osquery/roles/osquery/.travis.yml.lxd-kitchen 
@@ -0,0 +1,76 @@ +--- +dist: trusty +sudo: required +rvm: + - 2.4 + +env: +## those images need pre-configuration before being usable (openssh...) +# - distribution: centos +# version: 6 + - distribution: centos + version: 7 + - distribution: ubuntu + version: 18.04 + - distribution: ubuntu + version: 16.04 +# - distribution: ubuntu +# version: 14.04 +# - distribution: ubuntu +# version: 12.04 +# - distribution: alpine +# version: 3.4 + +before_install: + - env + - pwd + - find -ls +## use appropriate role path and not github name + - "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh" +## No Xenial, https://github.com/travis-ci/travis-ci/issues/5821 +# - sudo apt install lxd + - echo "deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse" | sudo tee /etc/apt/sources.list.d/trusty-backports.list + - sudo apt-get update -qq + - sudo apt -t trusty-backports -y install lxd acl -q +## change of group implies logout+login to apply... can't do with travis = run as root (sic) +## https://github.com/travis-ci/travis-ci/issues/1839 or chain: sudo -E su $USER -c "..." 
+ - sudo usermod -G lxd travis + # Pull container +# - lxc remote add images images.linuxcontainers.org + - sudo -E su $USER -c "lxc remote list" + - sudo -E su $USER -c "lxc image list" +## pre-download base images + - 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] || lxc image copy images:${distribution}/${version}/amd64 local: --alias=${distribution}-${version}-nossh"' + - 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] && lxc image copy ubuntu:${version} local: --alias=${distribution}-${version}" || true' +## configure lxd-bridge + - sudo perl -pi -e 's@^LXD_IPV4_ADDR=""@LXD_IPV4_ADDR="10.252.116.1"@;s@^LXD_IPV4_NETMASK=""@LXD_IPV4_NETMASK="255.255.255.0"@;s@^LXD_IPV4_NETWORK=""@LXD_IPV4_NETWORK="10.252.116.1/24"@;s@^LXD_IPV4_DHCP_RANGE=""@LXD_IPV4_DHCP_RANGE="10.252.116.2,10.252.116.254"@;s@^LXD_IPV4_DHCP_MAX=""@LXD_IPV4_DHCP_MAX="252"@;s@LXD_IPV6_PROXY="true"@LXD_IPV6_PROXY="false"@' /etc/default/lxd-bridge +# - cat /etc/default/lxd-bridge +# - service --status-all + - sudo service lxd restart + + - sudo pip install ansible + - gem install kitchen + - gem install kitchen-ansible + - gem install kitchen-sync + - gem install kitchen-lxd_cli + - gem list + - which kitchen +## ssh key for lxd_cli ? + - ls ~/.ssh + - ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -P "" +## sudo/su get us a non-usual PATH ... + - '[ "X${distribution}" == "Xcentos" ] && sudo -E su $USER -c "sh -x ./test/lxd/centos-ssh-image.sh" || true' + - sudo -E su $USER -c "env" +## The command "sudo -E su $USER -c "which kitchen"" failed and exited with 1 during . 
+# - sudo -E su $USER -c "which kitchen" + - sudo -E su $USER -c "env PATH=$PATH kitchen diagnose --all" +# - sudo -E su $USER -c "kitchen diagnose --all" +# - sudo -E -u $USER kitchen diagnose --all + +script: +# - KITCHEN_LOCAL_YAML=.kitchen.local.yml bundle exec kitchen verify ${INSTANCE} + - sudo -E su $USER -c "env PATH=$PATH kitchen verify default-${distribution}-${version//./} -l debug || (cat $HOME/.kitchen/logs/default-${distribution}-${version//./}.log; find /tmp/kitchen)" + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ + diff --git a/osquery/roles/osquery/.travis.yml.orig b/osquery/roles/osquery/.travis.yml.orig new file mode 100644 index 00000000..e72b9ba6 --- /dev/null +++ b/osquery/roles/osquery/.travis.yml.orig @@ -0,0 +1,42 @@ +--- +sudo: required +dist: trusty + +language: generic + +before_install: + - sudo apt-get -qq update + - sudo apt-get install -y python python-pip + +install: + # Install ansible + - sudo pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + + # Install role dependencies + # ... + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + + # Run the role/playbook with ansible-playbook + - ansible-playbook tests/test.yml -i tests/inventory --connection=local --become + + # Run the role/playbook again, checking to make sure it's idempotent + - > + ansible-playbook tests/test.yml -i tests/inventory --connection=local --become + | grep -q 'changed=0.*failed=0' + && (echo 'Idempotence test: pass' && exit 0) + || (echo 'Idempotence test: fail' && exit 1) + + # Playbook specific tests + # ... + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/osquery/roles/osquery/.travis.yml.simple b/osquery/roles/osquery/.travis.yml.simple new file mode 100644 index 00000000..d765d799 --- /dev/null 
+++ b/osquery/roles/osquery/.travis.yml.simple @@ -0,0 +1,61 @@ +--- +sudo: required +dist: trusty + +language: generic + +env: + - suite: default + - suite: default-osquery-syslog + - suite: default-osquery-syslog-fs + +before_install: + - sudo apt-get -qq update + - sudo apt-get install -y python python-pip + - "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh" +## serverspec test + - sudo apt-get install -qq ruby2.0 rake + - sudo gem2.0 install serverspec + +install: + # Install ansible + - sudo pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + - "echo \"[test-kitchen]\nlocalhost\" > inventory" + + - gem2.0 --version + + # Install role dependencies + # ... + +script: + # Basic role syntax check + - "ansible-playbook -i inventory --syntax-check test/integration/${suite}/default.yml" + + # Run the role/playbook with ansible-playbook + - "ansible-playbook -i inventory --connection=local --sudo -vvvv test/integration/${suite}/default.yml" + + # Run the role/playbook again, checking to make sure it's idempotent + - > + ansible-playbook -i inventory test/integration/${suite}/default.yml --connection=local --become + | grep -q 'changed=0.*failed=0' + && (echo 'Idempotence test: pass' && exit 0) + || (echo 'Idempotence test: fail' && exit 1) + + # Playbook specific tests +# - "cd test/integration/${suite}/serverspec/ && bundle exec rake spec" + +after_failure: + - "ls -l /var/log/ /var/log/osquery/" + - "sudo cat /var/log/osquery*.log /var/log/osquery/*.log" + - "sudo cat /etc/rsyslog.d/30-osquery-target.conf" + - "sudo systemctl -l status" + - "sudo journalctl -xe --no-pager" + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/osquery/roles/osquery/Jenkinsfile b/osquery/roles/osquery/Jenkinsfile new file mode 100644 index 00000000..7b3d7581 --- /dev/null +++ b/osquery/roles/osquery/Jenkinsfile 
@@ -0,0 +1,59 @@ +// Work in progress + +node { + + try{ + currentBuild.result = "SUCCESS" + def workspace = pwd() + def directory = "kbrebanov.osquery" + + stage 'Clean Workspace' + deleteDir() + + stage("Download source and capture commit ID") { + sh "mkdir $directory" + dir("$directory") { + checkout scm + // Get the commit ID + sh 'git rev-parse --verify HEAD > GIT_COMMIT' + git_commit = readFile('GIT_COMMIT').take(7) + echo "Current commit ID: ${git_commit}" + } + } + + dir("$directory") { + + stage("Get dependencies"){ + sh "sh -x get-dependencies.sh" + } + stage("Build and verify 1"){ + defaultplatform = sh ( + script: '''#!/bin/bash +kitchen list | awk "!/Instance/ {print \\$1; exit}" + ''', + returnStdout: true + ).trim() + echo "default platform: ${defaultplatform}" + + sh "kitchen test ${defaultplatform}" + // must keep instance for security testing after + //sh "kitchen verify ${defaultplatform}" + } + + stage("Build and verify all platforms"){ + sh "kitchen test" + } + + stage("Cleanup if no errors"){ + sh "kitchen destroy" + } + + } + + } + + catch(err) { + currentBuild.result = "FAILURE" + throw err + } +} diff --git a/osquery/roles/osquery/LICENSE b/osquery/roles/osquery/LICENSE new file mode 100644 index 00000000..0ad45320 --- /dev/null +++ b/osquery/roles/osquery/LICENSE 
@@ -0,0 +1,24 @@ +Copyright (c) 2015, Kevin Brebanov +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +* Redistributions of source code must retain the above copyright notice, this + list of conditions and the following disclaimer. + +* Redistributions in binary form must reproduce the above copyright notice, + this list of conditions and the following disclaimer in the documentation + and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + diff --git a/osquery/roles/osquery/README.md b/osquery/roles/osquery/README.md new file mode 100644 index 00000000..96f6448a --- /dev/null +++ b/osquery/roles/osquery/README.md 
@@ -0,0 +1,43 @@ +[![Build Status - Master](https://travis-ci.org/juju4/ansible-osquery.svg?branch=master)](https://travis-ci.org/juju4/ansible-osquery) +[![Build Status - Devel](https://travis-ci.org/juju4/ansible-osquery.svg?branch=devel)](https://travis-ci.org/juju4/ansible-osquery/branches) +osquery +======= + +[![Build Status](https://travis-ci.org/kbrebanov/ansible-osquery.svg?branch=master)](https://travis-ci.org/kbrebanov/ansible-osquery) + +Installs osquery + +Requirements +------------ + +This role requires Ansible 2.0 or higher. + +Role Variables +-------------- + +None + +Dependencies +------------ + +None + +Example Playbook +---------------- + +Install osquery +```yaml +- hosts: all + roles: + - kbrebanov.osquery +``` + +License +------- + +BSD + +Author Information +------------------ + +Kevin Brebanov diff --git a/osquery/roles/osquery/defaults/main.yml b/osquery/roles/osquery/defaults/main.yml new file mode 100644 index 00000000..13e8722e --- /dev/null +++ b/osquery/roles/osquery/defaults/main.yml 
@@ -0,0 +1,131 @@ +--- +# defaults file for osquery + +osquery_service_enable: true +osquery_debug_packages_install: true +## define this if don't want to use upstream ones +#osquery_repository: '' +#osquery_repositorykey: '' + +osquery_template: 'osquery.conf.j2' +#osquery_upload_packs: [] +osquery_upload_packs: + - osquery-snapshots-pack + - osquery-monitoring2-pack +osquery_packs: + - "osquery-monitoring" + - "incident-response" + - "it-compliance" +# - "osx-attacks" + - "ossec-rootkit" + - "vuln-management" + - "hardware-monitoring" + - "osquery-snapshots-pack" + - osquery-monitoring2-pack +osquery_config_plugin: 'filesystem' +osquery_logger_plugin: 'filesystem' +#osquery_logger_plugin: 'syslog' +#osquery_logger_plugin: 'filesystem,syslog' +#osquery_logger_plugin: 'tls' +osquery_flags: [] +## if using zentral, kolide or else +## https://github.com/zentralopensource/zentral/blob/f460b10a95d4ea1e515aea3363f55733465d1d9c/zentral/contrib/osquery/deb_script/template.sh +## https://docs.kolide.co/kolide/current/infrastructure/adding-hosts-to-kolide.html + +#osquery_enroll_secret: "" + +#osquery_flags: +# - '--enroll_secret_path=/etc/osquery/osquery_enroll_secret' +# - '--tls_server_certs=/etc/osquery/kolide.crt' +# - '--tls_hostname=acme.kolide.co' +# - '--host_identifier=hostname' +# - '--enroll_tls_endpoint=/api/v1/osquery/enroll' +# - '--config_plugin=tls' +# - '--config_tls_endpoint=/api/v1/osquery/config' +# - '--config_tls_refresh=10' +# - '--disable_distributed=false' +# - '--distributed_plugin=tls' +# - '--distributed_interval=10' +# - '--distributed_tls_max_attempts=3' +# - '--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read' +# - '--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write' +# - '--logger_plugin=tls' +# - '--logger_tls_endpoint=/api/v1/osquery/log' +# - '--logger_tls_period=10' + +osquery_fim: true +osquery_fim_interval: 900 +osquery_fim_filepaths: + - name: homes_sshdir + list: + - "/root/.ssh/%%" + - "/home/%/.ssh/%%" 
+ - name: etc + list: + - "/etc/%%" +## Take care if using a lot /tmp. can trigger +## 'Expiring events for subscriber: file_events (overflowed limit 1000)' +## => losing many queries results (fim or not) +# - name: tmp +# list: +# - "/tmp/%%" + - name: bin + list: + - "/bin/%%" + - "/sbin/%%" + - "/usr/bin/%%" + - "/usr/sbin/%%" + - "/usr/local/bin/%%" + - "/usr/local/sbin/%%" + - "/opt/bin/%%" + - "/opt/sbin/%%" + - name: webroot + list: + - "/var/www/%%" +osquery_fim_excludepaths: + - name: tmp + list: + - /tmp/too_many_events/ +osquery_rsyslog: true +## conflict with auditd. choose one. +## https://osquery.readthedocs.io/en/stable/deployment/process-auditing/ +osquery_process_auditing: false +osquery_process_interval: 900 +osquery_socket_interval: 900 + +## queries snapshots: 1/week (or 1/month? nok) +## Max interval 1/w: https://github.com/theopolis/osquery/commit/b76dee8a1fddccb500bc4a058daa1b39083b9dbb +osquery_snapshot_interval: 604800 +osquery_snapshot_interval2: 604800 +#osquery_snapshot_interval2: 2592000 + +osquery_logrotate: true +osquery_logrotate_days: 90 + +## https://osquery.readthedocs.io/en/stable/installation/cli-flags/#loggingresults-flags +## per facility +## osquery wants a facility code, while keyword for rsyslog... +osquery_syslog_target_facility_osqueryconf: 19 +osquery_syslog_target_facility_syslogconf: local3 +osquery_syslog_target: '' +#osquery_syslog_target: '@@10.1.1.100' +## mostly for testing purpose +#osquery_syslog_target: '/var/log/osquery/osquery_syslog.log' +## per programname: mostly query execution log and daemon state. avoid mixing with default syslog messages +#osquery_syslog_target2: '' +osquery_syslog_target2: '/var/log/osquery/osqueryd.log' +osquery_syslog_dirs: + - /var/log/osquery + +## making schedule query faster to have logs faster... +osquery_testing: false +osquery_testing_pause: false +osquery_testing_fim_load: false +osquery_testing_fim_load_bigger: 100M +osquery_testing_fim_load_smaller: 1000 +## profiling? 
+osquery_profiling: false +## full config might be too long for travis (max 50min) +#osquery_profiling_conf: /etc/osquery/osquery.conf +osquery_profiling_conf: /usr/share/osquery/packs/incident-response.conf + diff --git a/osquery/roles/osquery/get-dependencies.sh b/osquery/roles/osquery/get-dependencies.sh new file mode 100755 index 00000000..f1ae96f3 --- /dev/null +++ b/osquery/roles/osquery/get-dependencies.sh @@ -0,0 +1,22 @@ +#!/bin/sh +## one script to be used by travis, jenkins, packer... + +umask 022 + +if [ $# != 0 ]; then +rolesdir=$1 +else +rolesdir=$(dirname $0)/.. +fi + +[ ! -d $rolesdir/juju4.redhat-epel ] && git clone https://github.com/juju4/ansible-redhat-epel $rolesdir/juju4.redhat-epel +[ ! -d $rolesdir/geerlingguy.redis ] && git clone https://github.com/juju4/ansible-role-redis.git $rolesdir/geerlingguy.redis +[ ! -d $rolesdir/geerlingguy.mysql ] && git clone https://github.com/geerlingguy/ansible-role-mysql.git $rolesdir/geerlingguy.mysql +[ ! -d $rolesdir/juju4.kolide ] && git clone https://github.com/juju4/ansible-kolide $rolesdir/juju4.kolide +## galaxy naming: kitchen fails to transfer symlink folder +#[ ! -e $rolesdir/kbrebanov.osquery ] && ln -s ansible-osquery $rolesdir/kbrebanov.osquery +[ ! -e $rolesdir/kbrebanov.osquery ] && cp -R $rolesdir/ansible-osquery $rolesdir/kbrebanov.osquery + +## don't stop build on this script return code +true + diff --git a/osquery/roles/osquery/handlers/main.yml b/osquery/roles/osquery/handlers/main.yml new file mode 100644 index 00000000..2bb19ede --- /dev/null +++ b/osquery/roles/osquery/handlers/main.yml @@ -0,0 +1,13 @@ +--- +# handlers file for osquery + +- name: restart osquery +# service: name=osqueryd state=restarted +## for rocksdb backend + shell: "systemctl stop osqueryd; sleep 5; systemctl start osqueryd" + +- name: restart rsyslog + service: name=rsyslog state=restarted + +- name: reload osqueryd apparmor profile + shell: cat /etc/apparmor.d/usr.bin.osqueryd | sudo apparmor_parser -r 
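Review bot: `osquery_packs` mixes double-quoted and bare list items (`- "osquery-monitoring"` next to `- osquery-monitoring2-pack`) while `osquery_upload_packs` directly above is all bare; none of these values needs quoting, so use one form for both lists. The same inconsistency shows in `osquery_template: 'osquery.conf.j2'` being single-quoted while the `osquery_syslog_target2` path further down is bare. Picking one scalar style makes the file lint cleanly and makes future additions unambiguous.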
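Review bot: Every `git clone` in this script tracks the default branch of its GitHub repository with no tag or commit pinned, so each CI or Jenkins run builds against whatever those four upstreams contain at that moment, and any change there reaches the build unreviewed. Pin each dependency, for example `git clone --branch <PINNED_TAG> --depth 1 https://github.com/juju4/ansible-kolide "$rolesdir/juju4.kolide"` (placeholder tag) or a `git checkout <PINNED_SHA>` after the clone, and keep the pinned refs with the role. `$rolesdir` and `$(dirname $0)` are unquoted throughout; quote them so a roles path containing a space does not split. The closing `true` silently discards a failed clone; a comment such as `## intentionally never fails the build; missing roles surface when kitchen runs` would make that trade-off explicit.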
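Review bot: The `reload osqueryd apparmor profile` handler calls `sudo` inside its shell pipeline, which relies on passwordless sudo for the connecting user instead of Ansible's privilege escalation and ignores whatever `become` the play sets. `apparmor_parser` reads the profile path directly, so the `cat` pipe is unnecessary: use `become: true` with `command: apparmor_parser -r /etc/apparmor.d/usr.bin.osqueryd`. The `restart osquery` handler keeps a commented-out `service:` line above a stop/sleep/start shell sequence; expanding `## for rocksdb backend` into a sentence explaining why the pause is required would stop the next maintainer from reverting it to the `service` module.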
diff --git a/osquery/roles/osquery/meta/.galaxy_install_info b/osquery/roles/osquery/meta/.galaxy_install_info
new file mode 100644
index 00000000..350f94e9
--- /dev/null
+++ b/osquery/roles/osquery/meta/.galaxy_install_info
@@ -0,0 +1 @@
+{install_date: 'Mon Oct 15 18:43:31 2018', version: master}
diff --git a/osquery/roles/osquery/meta/main.yml b/osquery/roles/osquery/meta/main.yml
new file mode 100644
index 00000000..003228ed
--- /dev/null
+++ b/osquery/roles/osquery/meta/main.yml
@@ -0,0 +1,158 @@ +--- +galaxy_info: + author: Kevin Brebanov + description: Installs osquery + company: + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: BSD + + min_ansible_version: 1.9 + + # Optionally specify the branch Galaxy will use when accessing the GitHub + # repo for this role. During role install, if no tags are available, + # Galaxy will use this branch. During import Galaxy will access files on + # this branch. If travis integration is cofigured, only notification for this + # branch will be accepted. Otherwise, in all cases, the repo's default branch + # (usually master) will be used. + github_branch: master + + # + # Below are all platforms currently available. Just uncomment + # the ones that apply to your role. If you don't see your + # platform on this list, let us know and we'll get it added! 
+ # + platforms: + - name: EL + versions: + # - all + # - 5 + - 6 + - 7 + #- name: GenericUNIX + # versions: + # - all + # - any + #- name: Solaris + # versions: + # - all + # - 10 + # - 11.0 + # - 11.1 + # - 11.2 + # - 11.3 + #- name: Fedora + # versions: + # - all + # - 16 + # - 17 + # - 18 + # - 19 + # - 20 + # - 21 + # - 22 + # - 23 + #- name: Windows + # versions: + # - all + # - 2012R2 + #- name: SmartOS + # versions: + # - all + # - any + #- name: opensuse + # versions: + # - all + # - 12.1 + # - 12.2 + # - 12.3 + # - 13.1 + # - 13.2 + #- name: Amazon + # versions: + # - all + # - 2013.03 + # - 2013.09 + #- name: GenericBSD + # versions: + # - all + # - any + #- name: FreeBSD + # versions: + # - all + # - 8.0 + # - 8.1 + # - 8.2 + # - 8.3 + # - 8.4 + # - 9.0 + # - 9.1 + # - 9.1 + # - 9.2 + # - 9.3 + # - 10.0 + # - 10.1 + # - 10.2 + - name: Ubuntu + versions: + # - all + # - lucid + # - maverick + # - natty + # - oneiric + # - precise + # - quantal + # - raring + # - saucy + - trusty + # - utopic + # - vivid + # - wily + - xenial + #- name: SLES + # versions: + # - all + # - 10SP3 + # - 10SP4 + # - 11 + # - 11SP1 + # - 11SP2 + # - 11SP3 + #- name: GenericLinux + # versions: + # - all + # - any + #- name: Debian + # versions: + # - all + # - etch + # - jessie + # - lenny + # - squeeze + # - wheezy + + galaxy_tags: + - monitoring + - system + # List tags for your role here, one per line. A tag is + # a keyword that describes and categorizes the role. + # Users find roles by searching for tags. Be sure to + # remove the '[]' above if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of + # alphanumeric characters. Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. + # Be sure to remove the '[]' above if you add dependencies + # to this list. diff --git a/osquery/roles/osquery/tasks/CentOS.yml b/osquery/roles/osquery/tasks/CentOS.yml new file mode 100644 index 00000000..1803d235 
--- /dev/null
+++ b/osquery/roles/osquery/tasks/CentOS.yml
@@ -0,0 +1,17 @@
+---
+# tasks file for osquery (CentOS specific)
+
+- name: Install osquery repository key
+ rpm_key:
+ state: present
+ key: "{{ _osquery_repositorykey }}"
+
+- name: Install osquery repository
+ get_url:
+ url: "{{ _osquery_repository }}"
+ dest: "/etc/yum.repos.d/{{ _osquery_repository | basename }}"
+ mode: '0644'
+ backup: yes
+
+- include: selinux.yml
+ when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker"))
diff --git a/osquery/roles/osquery/tasks/Debian.yml b/osquery/roles/osquery/tasks/Debian.yml
new file mode 100644
index 00000000..706d5272
--- /dev/null
+++ b/osquery/roles/osquery/tasks/Debian.yml
@@ -0,0 +1,36 @@
+---
+
+# tasks file for osquery (Debian, Ubuntu specific)
+
+- name: Ensure dirmngr is present for apt-key
+ package:
+ name: dirmngr
+ state: present
+
+- name: Download osquery APT key
+ become: yes
+ apt_key:
+ keyserver: keyserver.ubuntu.com
+ id: "{{ _osquery_repositorykey }}"
+ state: present
+ tags:
+ - osquery
+
+- name: Ensure apt-transport-https is installed
+ become: yes
+ apt:
+ name: apt-transport-https
+ state: present
+ tags:
+ - osquery
+
+- name: Configure osquery APT repository
+ become: yes
+ apt_repository:
+ repo: "{{ _osquery_repository }}"
+ state: present
+ tags:
+ - osquery
+
+- include: apparmor.yml
+ when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker"))
diff --git a/osquery/roles/osquery/tasks/apparmor.yml b/osquery/roles/osquery/tasks/apparmor.yml
new file mode 100644
index 00000000..1ba2f8c2
--- /dev/null
+++ b/osquery/roles/osquery/tasks/apparmor.yml
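Review bot: `- include: selinux.yml` uses the `include` form that Ansible deprecated in 2.4 (the CI configs in this commit pin 2.5.5, where it still runs with a warning), and the Debian.yml hunk on this same line ends with the identical `- include: apparmor.yml`. Replace both with `- import_tasks: selinux.yml` and `- import_tasks: apparmor.yml`; the file names are static, so the `when:` guard keeps its meaning. `backup: yes` on the repository file should be `backup: true` — `yes` is a YAML 1.1 boolean that yamllint's truthy rule flags, and Debian.yml and apparmor.yml carry the same spelling. The `when:` expression can also read `when: ansible_virtualization_type | default('') not in ['lxc', 'docker']`, which says the same thing in one clause.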
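Review bot: `apt_key` fetches the repository key from `keyserver.ubuntu.com` by `id: "{{ _osquery_repositorykey }}"`; that variable is defined outside this hunk, and if it is anything shorter than the full 40-hex fingerprint, a key ID does not uniquely identify a key on a public keyserver. Set `id:` to the full fingerprint (or fetch the key by `url:` and compare its fingerprint) so an unexpected key is rejected instead of being trusted for every future osquery package install. Separately, the first task (`Ensure dirmngr is present for apt-key`) lacks the `become: yes` the other three tasks carry; either all four need it or none do, depending on how the role is invoked, and the mix reads like an oversight.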
@@ -0,0 +1,27 @@
+---
+# https://help.ubuntu.com/lts/serverguide/apparmor.html.en
+
+- name: Ensure apparmor packages are present
+ package:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - apparmor
+ - apparmor-utils
+ - apparmor-profiles
+
+- name: Ensure apparmor profile is set
+ template:
+ src: apparmor-usr.bin.osqueryd.j2
+ dest: /etc/apparmor.d/usr.bin.osqueryd
+ mode: '0600'
+ owner: root
+ backup: yes
+ notify:
+ - reload osqueryd apparmor profile
+
+- name: Apply apparmor profile for osquery
+ command: aa-complain /usr/bin/osqueryd
+ failed_when: false
+
+# Refine policy with `aa-logprof -f /var/log/syslog`
diff --git a/osquery/roles/osquery/tasks/configure.yml b/osquery/roles/osquery/tasks/configure.yml
new file mode 100644
index 00000000..9bfa0f69
--- /dev/null
+++ b/osquery/roles/osquery/tasks/configure.yml
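Review bot: `Apply apparmor profile for osquery` loads the profile with `aa-complain`, so the rules in `usr.bin.osqueryd` are only logged and never enforced, and `failed_when: false` also hides the case where the profile failed to load at all. If complain mode is the intended first step, say so on the task (`# complain mode only: tune with aa-logprof, then move to aa-enforce`) and register the result so a load failure is visible (`register: aa_result` / `failed_when: aa_result.rc != 0`), rather than swallowing every outcome. Otherwise gate the mode on a role variable and run `aa-enforce /usr/bin/osqueryd` once the profile has been refined; as committed, nothing in the role ever switches it to enforce.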
@@ -0,0 +1,123 @@ +--- + +- name: check if osquery is present + stat: path=/etc/osquery + register: hasOsquery +- block: + - name: ensure directories exist + file: + dest: "{{ item.d }}" + state: directory + mode: "{{ item.m }}" + with_items: + - { d: '/var/log/osquery', m: '0755' } + - name: push extra osquery packs file + template: + src: "{{ item }}.conf.j2" + dest: "/usr/share/osquery/packs/{{ item | basename }}.conf" + backup: yes + with_items: "{{ osquery_upload_packs }}" + notify: + - restart osquery + - debug: var=osquery_packs + - name: configure osquery + template: + src: "{{ osquery_template }}" + dest: /etc/osquery/osquery.conf + mode: '0644' + backup: yes + validate: 'osqueryi --config_path %s --config_check --verbose' +# validate: 'egrep -v '^\s*//' %s | tee /tmp/a | python -mjson.tool' + notify: + - restart osquery + - name: "ensure osquery var dir exists" + file: + state: "directory" + path: "/var/osquery" + - name: "express the osquery secret to disk" + lineinfile: + path: "/etc/osquery/osquery_enroll_secret" + line: "{{ osquery_enroll_secret }}" + state: present + owner: "root" + group: "root" + mode: "0600" + create: true + when: + - osquery_enroll_secret is defined + - name: configure osquery flags + template: + src: "osquery.flags.j2" + dest: /etc/osquery/osquery.flags + mode: '0644' + backup: yes + notify: + - restart osquery + - name: re-validate whole osquery config + command: 'osqueryi --config_path /etc/osquery/osquery.conf --config_check --verbose' + changed_when: false + register: confcheck + failed_when: "'error' in confcheck.stdout or 'fail' in confcheck.stdout" + - block: + - name: ensure logrotate package is present + package: + name: logrotate + state: present + - name: add logrotate configuration for osquery log + template: + src: logrotate-osquery.j2 + dest: /etc/logrotate.d/osquery + mode: '0644' + backup: yes + validate: 'logrotate -dv %s' + when: osquery_logrotate + - name: ensure service is enabled and started + service: 
name=osqueryd state=started enabled=yes + - set_fact: + monit_osqueryd: true + when: hasOsquery.stat.exists + +## FIXME! warnings like (from packs/incident-response.conf) +#virtual_table.cpp:484] The shell_history table returns data based on the current user by default, consider JOINing against the users table +# but still apply with +# SELECT s.uid,s.time,s.command,s.history_file FROM shell_history s JOIN users USING (uid) limit 10; + +- block: + - name: review inotify sysctl settings for osquery + sysctl: name="{{ item.n }}" value="{{ item.v }}" sysctl_set=yes state=present reload=yes + with_items: + - { n: 'fs.inotify.max_user_watches', v: '524288' } + - { n: 'fs.inotify.max_user_instances', v: '256' } + - { n: 'fs.inotify.max_queued_events', v: '32768' } + when: osquery_fim and not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker")) + +## ensure no auditd at the same time +## https://osquery.readthedocs.io/en/stable/deployment/process-auditing/ +- block: + - name: ensure auditd is not present + package: name="{{ _osquery_auditd_pkg }}" state=absent + when: osquery_process_auditing + +- name: get rsyslog version + command: "rsyslogd -v | awk -F'[ ,]' '/rsyslogd/ { print $2 }'" + environment: + PATH: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' + changed_when: false + register: rsyslog_v + +- block: + - name: setup rsyslog pipe for osquery communication + template: + src: osquery-rsyslog.conf.j2 + dest: /etc/rsyslog.d/90-osquery.conf + mode: '0644' + backup: yes + notify: + - restart rsyslog + when: osquery_rsyslog + +- include: syslog-target.yml + when: osquery_syslog_target != '' + +- include: selinux-end.yml + when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker")) and ansible_os_family == "RedHat" 
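Review bot: `express the osquery secret to disk` writes `osquery_enroll_secret` with `lineinfile` and no `no_log: true`, so the enrollment secret is echoed in verbose and diff output and by any logging callback; and because there is no `regexp`, a rotated secret is appended as a second line instead of replacing the first, leaving old and new values in `/etc/osquery/osquery_enroll_secret`. Replace it with `copy:` / `content: "{{ osquery_enroll_secret }}"` (keeping `owner`, `group` and `mode: "0600"`) and add `no_log: true`. Separately, `re-validate whole osquery config` sets `failed_when` on stdout substrings only, which replaces the default non-zero-rc check, so a config check that fails on stderr with no matching text passes; write it as `failed_when: confcheck.rc != 0 or 'error' in confcheck.stdout or 'fail' in confcheck.stdout`.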
diff --git a/osquery/roles/osquery/tasks/main.yml b/osquery/roles/osquery/tasks/main.yml
new file mode 100644
index 00000000..a68320fa
--- /dev/null
+++ b/osquery/roles/osquery/tasks/main.yml
@@ -0,0 +1,69 @@
+---
+# tasks file for osquery
+
+- name: Include distribution specific variables
+ include_vars: "{{ ansible_distribution }}.yml"
+ tags:
+ - osquery
+- name: Include version-specific variables for RedHat
+ include_vars: "CentOS-{{ ansible_distribution_version.split('.')[0] }}.yml"
+ when: ansible_os_family == "RedHat"
+
+- include: CentOS.yml
+ when: ansible_os_family == "RedHat"
+ tags:
+ - osquery
+
+- include: Debian.yml
+ when: ansible_os_family == "Debian"
+ tags:
+ - osquery
+
+- block:
+ - name: Install osquery
+ package:
+ name: "{{ item }}"
+ state: present
+ with_items: "{{ osquery_packages }}"
+ tags:
+ - osquery
+
+ - name: Install osquery debug packages
+ package:
+ name: "{{ item }}"
+ state: present
+ with_items: "{{ osquery_debug_packages }}"
+ when: osquery_debug_packages_install
+ tags:
+ - osquery
+
+ - include: configure.yml
+ tags:
+ - osquery
+ - config
+
+ - name: Enable service
+ service: name=osqueryd enabled={{ osquery_service_enable }}
+ tags:
+ - osquery
+ - service
+ - name: Start service
+ service: name=osqueryd state=started
+ when: osquery_service_enable
+ tags:
+ - osquery
+ - service
+
+ - meta: flush_handlers
+
+ - name: pause a bit to have few queries results
+ command: sleep 5
+ changed_when: false
+ when: osquery_testing_pause or osquery_testing
+
+ - include: testing.yml
+ when: osquery_testing
+
+ - include: profiling.yml
+ when: osquery_profiling
+ when: ansible_os_family == "RedHat" or ansible_distribution == "Ubuntu" or ansible_distribution == "Debian"
diff --git a/osquery/roles/osquery/tasks/profiling.yml b/osquery/roles/osquery/tasks/profiling.yml
new file mode 100644
index 00000000..a0711f5d
--- /dev/null
+++ b/osquery/roles/osquery/tasks/profiling.yml
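Review bot: `Enable service` and `Start service` use the `key=value` shorthand (`service: name=osqueryd enabled={{ osquery_service_enable }}`) while every other task in this file is block YAML; write them as `service:` / `name: osqueryd` / `enabled: "{{ osquery_service_enable }}"` so the Jinja value is quoted and the style is uniform. The five `include:` statements are the pre-2.4 form; `import_tasks` (static) or `include_tasks` (dynamic, if the `when` should be evaluated per host) is the current spelling. `Include distribution specific variables` loads `{{ ansible_distribution }}.yml` unconditionally, yet the block guard admits the whole RedHat family plus Ubuntu and Debian; the vars directory is not visible here, so confirm a vars file exists for every distribution the role may see (for example RHEL proper reports `RedHat`, not `CentOS`) or apply the same guard to the include.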
@@ -0,0 +1,27 @@
+---
+
+- name: get source repository for profiling tools
+ git:
+ repo: https://github.com/facebook/osquery.git
+ dest: /root/osquery
+
+- name: ensure profiling dependencies are present - pkg
+ package:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - python-pip
+- name: ensure profiling dependencies are present - pip
+ pip:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - psutil
+- name: profiling
+ command: "./tools/analysis/profile.py --config {{ osquery_profiling_conf }} --shell /usr/bin/osqueryi --count 1 --rounds 4"
+ args:
+ chdir: /root/osquery
+ changed_when: false
+ register: perf
+- debug: var=perf.stdout_lines
+
diff --git a/osquery/roles/osquery/tasks/selinux-end.yml b/osquery/roles/osquery/tasks/selinux-end.yml
new file mode 100644
index 00000000..fd52e8ea
--- /dev/null
+++ b/osquery/roles/osquery/tasks/selinux-end.yml
@@ -0,0 +1,10 @@
+---
+
+- name: RedHat | Ensure selinux context is correctly set
+ command: "/sbin/restorecon -F -R -v {{ item }}"
+ with_items:
+ - /usr/bin/osqueryd
+ - /usr/lib/systemd/system/osqueryd.service
+ - /var/log/osquery
+ - /etc/osquery
+ - /usr/share/osquery/packs
diff --git a/osquery/roles/osquery/tasks/selinux.yml b/osquery/roles/osquery/tasks/selinux.yml
new file mode 100644
index 00000000..25a7d3f7
--- /dev/null
+++ b/osquery/roles/osquery/tasks/selinux.yml
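Review bot: `get source repository for profiling tools` clones `https://github.com/facebook/osquery.git` into `/root/osquery` with no `version`, and `profiling` then executes `./tools/analysis/profile.py` from that checkout as root, so whatever the default branch holds at run time runs with full privileges and the run is not repeatable. Pin the checkout, `version: "<pinned tag or commit>"`, and pin the `pip` install the same way (`name: "psutil==<pinned version>"`), since `psutil` is likewise fetched unpinned from PyPI at run time. In the selinux-end.yml hunk that follows, `restorecon` runs through `command` with no `changed_when`, so the task reports changed on every run; register the result and set `changed_when` on whether `-v` printed any `Relabeled` lines.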
@@ -0,0 +1,44 @@ +--- + +- name: Ensure selinux package are present + package: + name: "{{ item }}" + state: present + with_items: + - selinux-policy + - selinux-policy-devel + - setools-console + - libselinux-python + - policycoreutils-python + +- name: Ensure osquery directory exists + file: + dest: /etc/osquery + state: directory + mode: '0755' + +- name: Ensure osquery selinux policy is set + template: + src: "{{ item }}.j2" + dest: "/etc/osquery/{{ item }}" + mode: '0600' + owner: root + with_items: + - osquery.fc + - osquery.sh + - osquery.te + register: te + +# FIXME! +- name: Generate osquery policy file + command: sh -x ./osquery.sh + args: + chdir: /etc/osquery + when: te is changed + ignore_errors: true + +# `sepolicy generate -n osquery --init /usr/bin/osqueryd` = OK/base +# Refine policy with `audit2allow -i /var/log/audit/audit.log -M osquery` +# `semodule -i osquery.pp` +# FIXME! 'Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/osquery/cil:2' +# `/usr/libexec/selinux/hll/pp osquery.pp` diff --git a/osquery/roles/osquery/tasks/syslog-target.yml b/osquery/roles/osquery/tasks/syslog-target.yml new file mode 100644 index 00000000..6e15d6af --- /dev/null +++ b/osquery/roles/osquery/tasks/syslog-target.yml @@ -0,0 +1,19 @@ +--- + +- name: Ensure target syslog dir exists + file: + dest: "{{ item }}" + state: directory + mode: "{{ varlog_mode }}" + group: "{{ varlog_group }}" + with_items: "{{ osquery_syslog_dirs }}" + +- name: setup rsyslog to send osquery logs to a specific target + template: + src: rsyslog-osquery-target.conf.j2 + dest: /etc/rsyslog.d/30-osquery-target.conf + mode: '0644' + backup: yes + validate: 'rsyslogd -d -N 1 -f %s' + notify: + - restart rsyslog diff --git a/osquery/roles/osquery/tasks/testing.yml b/osquery/roles/osquery/tasks/testing.yml new file mode 100644 index 00000000..727f28a1 --- /dev/null +++ b/osquery/roles/osquery/tasks/testing.yml 
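Review bot: `Generate osquery policy file` runs `sh -x ./osquery.sh` with `ignore_errors: true`, so a failed `make` or `semodule -i` (the FIXME directly above documents a known failure) shows as a green task and the role carries on to `selinux-end.yml`, applying `osquery_*` contexts from a module that may never have loaded. Register the result instead — `register: osquery_policy` / `failed_when: false` — and follow with a `debug`/`assert` on `osquery_policy.rc` so the outcome is visible, dropping `ignore_errors` once the FIXME is resolved. The task also only fires `when: te is changed`, so a module removed out-of-band is never rebuilt; a `semodule -l` check would close that gap.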
@@ -0,0 +1,40 @@ +--- + +- block: + - name: systemd | check service status + command: "systemctl status osqueryd -l" + changed_when: false + register: systemctl + - debug: var=systemctl.stdout_lines + when: ansible_service_mgr == "systemd" +- block: + - name: service | check service status + command: "service osqueryd status" + changed_when: false + register: service + - debug: var=service.stdout_lines + when: ansible_service_mgr != "systemd" + +- block: + - name: fallocate big file + command: "fallocate -l {{ osquery_testing_fim_load_bigger }} /etc/testing-big-file" + args: + creates: /etc/testing-big-file + - name: creation of many small files + command: "split -b {{ osquery_testing_fim_load_smaller }} /etc/testing-big-file testing-" + args: + chdir: /etc + creates: /etc/testing-big-aa + - name: clean up + shell: find /etc/ -name 'testing-*' -exec rm {} \; + ignore_errors: true +# more diverse load? openssl speed, stress... + - name: retrieve log results + command: "{{ item }}" + with_items: + - head -20 /var/log/osquery/osqueryd.results.log + - tail -20 /var/log/osquery/osqueryd.results.log + ignore_errors: true + changed_when: false + register: log + when: osquery_testing_fim_load diff --git a/osquery/roles/osquery/templates/apparmor-usr.bin.osqueryd.j2 b/osquery/roles/osquery/templates/apparmor-usr.bin.osqueryd.j2 new file mode 100644 index 00000000..6b3e193a --- /dev/null +++ b/osquery/roles/osquery/templates/apparmor-usr.bin.osqueryd.j2 
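Review bot: `clean up` runs `find /etc/ -name 'testing-*' -exec rm {} \;`, which recurses the whole of /etc and deletes any file named `testing-*` anywhere under it, not just the `split` output the previous task wrote to /etc itself, and `ignore_errors: true` hides any failure. Bound it to what was created — `find /etc -maxdepth 1 -type f -name 'testing-*' -delete` — or, better, write the fixture under a dedicated scratch directory instead of /etc. `retrieve log results` registers `log` but nothing reads it; a `debug: var=log.results`, as the two service-status blocks above do, would make the test output visible.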
@@ -0,0 +1,34 @@ +#include + +/usr/bin/osqueryd { + #include + #include + #include + + /etc/host.conf r, + /etc/hosts r, + /etc/nsswitch.conf r, + /etc/osquery/osquery.conf r, + /etc/osquery/osquery.flags r, + /proc/** rw, + /proc/cpuinfo r, + /root/osqueryd.*.root.log.ERROR.* w, + /root/osqueryd.*.root.log.INFO.* w, + /root/osqueryd.*.root.log.WARNING.* w, + /run/osqueryd.pidfile w, + /run/resolvconf/resolv.conf r, + /run/utmp r, + /sys/devices/** r, + /sys/firmware/dmi/tables/DMI r, + /tmp/* w, + /tmp/user/0/osqueryd.*.root.log.ERROR.* w, + /tmp/user/0/osqueryd.*.root.log.INFO.* w, + /tmp/user/0/osqueryd.*.root.log.WARNING.* w, + /usr/bin/osqueryd Px, + /usr/share/osquery/packs/* r, + /var/log/osquery/* w, + /var/osquery/osquery.db/ rw, + /var/osquery/osquery.db/* rw, + /var/tmp/* rw, + +} diff --git a/osquery/roles/osquery/templates/logrotate-osquery.j2 b/osquery/roles/osquery/templates/logrotate-osquery.j2 new file mode 100644 index 00000000..50de37bd --- /dev/null +++ b/osquery/roles/osquery/templates/logrotate-osquery.j2 
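Review bot: `/proc/** rw,` grants read and write to everything under /proc, including `/proc/sys/*` and other processes' entries, which is far wider than the read-only system tables osqueryd needs and undoes most of the confinement the rest of the profile builds. Start from `/proc/** r,` and add explicit `w` rules only for the paths `aa-logprof` reports (the apparmor.yml hunk already points at that workflow). `/tmp/* w`, `/var/tmp/* rw` and the `/root/osqueryd.*` glog rules are similarly broad; if those log files are only written when osqueryd runs interactively, narrow or drop them. The `#include` lines at the top and inside the brace show no abstraction name in this rendering — confirm the committed file has `#include <tunables/global>` and the `abstractions/*` targets, since a bare `#include` is a parse error.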
@@ -0,0 +1,39 @@ +{{ ansible_managed | comment('plain', decoration='## ') }} +## /etc/logrotate.d/osquery +/var/log/osquery/osqueryd.results.log { + rotate {{ osquery_logrotate_days|int }} + daily + missingok + notifempty + delaycompress + compress + create 640 root adm + sharedscripts +} +{% if osquery_syslog_target is defined and osquery_syslog_target != '' and '/var/log/' in osquery_syslog_target %} +{{ osquery_syslog_target }} { + rotate {{ osquery_logrotate_days|int }} + daily + missingok + notifempty + delaycompress + compress + create 640 root adm + sharedscripts + # Ubuntu: parent directory has insecure permissions (It's world writable or writable by group which is not "root") + su root {{ osquery_syslog_dir_group | default(varlog_group) }} +} +{% endif %} +{% if osquery_syslog_target2 is defined and osquery_syslog_target2 != '' and '/var/log/' in osquery_syslog_target2 %} +{{ osquery_syslog_target2 }} { + rotate {{ osquery_logrotate_days|int }} + daily + missingok + notifempty + delaycompress + compress + create 640 root adm + sharedscripts + su root {{ osquery_syslog_dir_group2 | default(varlog_group) }} +} +{% endif %} diff --git a/osquery/roles/osquery/templates/osquery-monitoring2-pack.conf.j2 b/osquery/roles/osquery/templates/osquery-monitoring2-pack.conf.j2 new file mode 100644 index 00000000..64e3c92d --- /dev/null +++ b/osquery/roles/osquery/templates/osquery-monitoring2-pack.conf.j2 
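Review bot: `sharedscripts` appears in all three stanzas but none has a `postrotate` block, so it is a no-op; either drop it or add the `postrotate` that tells the writer to reopen its file. For `/var/log/osquery/osqueryd.results.log`, confirm whether osqueryd reopens the results log on each write; if it keeps the descriptor open, rotating without `copytruncate` or a reopen signal means it keeps writing into the rotated `.1` file. The `'/var/log/' in osquery_syslog_target` test is a substring match, so a target such as `/data/var/log/x` would also get a stanza; `osquery_syslog_target.startswith('/var/log/')` states the intent exactly.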
@@ -0,0 +1,24 @@ +{ + "queries": { + "osquery_extensions": { + "query": "select * from osquery_extensions;", + "interval": 900, + "description": "List of active osquery extensions." + }, + "osquery_flags": { + "query": "select * from osquery_flags;", + "interval": 900, + "description": "Configurable flags that modify osquery's behavior." + }, + "osquery_packs": { + "query": "select * from osquery_packs;", + "interval": 900, + "description": "Information about the current query packs that are loaded in osquery." + }, + "osquery_registry": { + "query": "select * from osquery_registry;", + "interval": 900, + "description": "List the osquery registry plugins." + } + } +} diff --git a/osquery/roles/osquery/templates/osquery-rsyslog.conf.j2 b/osquery/roles/osquery/templates/osquery-rsyslog.conf.j2 new file mode 100644 index 00000000..9c20aa1d --- /dev/null +++ b/osquery/roles/osquery/templates/osquery-rsyslog.conf.j2 @@ -0,0 +1,6 @@ +template( + name="OsqueryCsvFormat" + type="string" + string="%timestamp:::date-rfc3339,csv%,%hostname:::csv%,%syslogseverity:::csv%,%syslogfacility-text:::csv%,%syslogtag:::csv%,%msg:::csv%\n" +) +*.* action(type="ompipe" Pipe="/var/osquery/syslog_pipe" template="OsqueryCsvFormat") diff --git a/osquery/roles/osquery/templates/osquery-snapshots-pack.conf.j2 b/osquery/roles/osquery/templates/osquery-snapshots-pack.conf.j2 new file mode 100755 index 00000000..6b2fdf09 --- /dev/null +++ b/osquery/roles/osquery/templates/osquery-snapshots-pack.conf.j2 
@@ -0,0 +1,183 @@ +{ + "queries": { + "authorized_keys": { + "query" : "select authorized_keys.* from users join authorized_keys using (uid);", + "description" : "Info on authorized keys", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "user_ssh_keys": { + "query" : "select user_ssh_keys.* from users join user_ssh_keys using (uid);", + "description" : "info on user ssh keys", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "cpuid": { + "query" : "select * from cpuid;", + "description" : "Useful CPU features from the cpuid ASM call.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "dns_resolvers": { + "query" : "select * from dns_resolvers;", + "description" : "check DNS resolvers", + "interval" : "{{ osquery_snapshot_interval2 }}", + "snapshot": true + }, + "known_hosts": { + "query" : "select known_hosts.* from users join known_hosts using (uid);", + "description" : "line-delimited known_hosts table", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "sudoers": { + "query" : "select * from sudoers;", + "description" : "Retrieves all the information for sudoers.", + "interval" : "{{ osquery_snapshot_interval2 }}", + "snapshot": true + }, + "groups": { + "query" : "select * from groups;", + "description" : "Retrieves groups info.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "interface_addresses": { + "query" : "select * from interface_addresses;", + "description" : "Retrieves interface addresses.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "interface_details": { + "query" : "select * from interface_details;", + "description" : "Retrieves interface details.", + "interval" : "{{ osquery_snapshot_interval2 }}", + "snapshot": true + }, + "iptables": { + "query" : "select * from iptables;", + "description" : "Linux IP packet filtering and NAT tool.", + "interval" : "{{ osquery_snapshot_interval 
}}", + "snapshot": true + }, + "fileless_process": { + "query" : "SELECT name, path, pid FROM processes WHERE on_disk = 0;", + "description" : "Retrieves interface details.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "processes": { + "query": "SELECT pid, name, path, cmdline from processes;", + "description": "Retrieve list of processes", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "process_binding_to_ports": { + "query" : "select DISTINCT process.name, listening.port, process.pid FROM processes as process JOIN listening_ports AS listening ON process.pid=listening.pid;", + "description" : "Retrieves the list of processes bound to listening ports.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "python_packages": { + "query" : "select * FROM python_packages;", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true, + "description" : "Python packages installed in a system" + }, + "arp_anomalies": { + "query" : "SELECT address, mac, COUNT(mac) AS mac_count FROM arp_cache GROUP BY mac HAVING count(mac) > 1;", + "description" : "Retrieves interface details.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "crontab": { + "query" : "select * from crontab;", + "version" : "1.4.5", + "description" : "Retrieves all the jobs scheduled in crontab in the target system.", + "value" : "Identify malware that uses this persistence mechanism to launch at a given interval", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "kernel_info": { + "query" : "select * from kernel_info;", + "platform" : "linux", + "description" : "Basic active kernel information.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "kernel_integrity": { + "query" : "select * from kernel_integrity;", + "platform" : "linux", + "description" : "Various Linux kernel integrity checked attributes.", + "interval" : "{{ 
osquery_snapshot_interval }}", + "snapshot": true + }, + "kernel_modules": { + "query" : "select * from kernel_modules;", + "platform" : "linux", + "version" : "1.4.5", + "description" : "Retrieves all the information for the current kernel modules in the target Linux system.", + "value" : "Identify malware that has a kernel module component.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "kernel_panics": { + "query" : "select * from kernel_panics;", + "platform" : "linux", + "description" : "System kernel panic logs.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "etc_hosts": { + "query" : "select * from etc_hosts;", + "version" : "1.4.5", + "description" : "Retrieves all the entries in the target system /etc/hosts file.", + "value" : "Identify network communications that are being redirected. Example: identify if security logging has been disabled", + "interval" : "{{ osquery_snapshot_interval2 }}", + "snapshot": true + }, + "os_version": { + "query" : "select os_version.* from users join os_version using (uid);", + "description" : "A single row containing the operating system name and version.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "platform_info": { + "query" : "select * from platform_info;", + "description" : "Information about EFI/UEFI/ROM and platform/boot.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "suid_bin": { + "query" : "select * from suid_bin;", + "version" : "1.4.5", + "description" : "Retrieves all the files in the target system that are setuid enabled.", + "value" : "Detect backdoor binaries (attacker may drop a copy of /bin/sh). 
Find potential elevation points / vulnerabilities in the standard build.", + "interval" : "{{ osquery_snapshot_interval2 }}", + "snapshot": true + }, + "system_controls": { + "query": "select * from system_controls;", + "interval" : "{{ osquery_snapshot_interval2 }}", + "snapshot": true, + "platform": "all", + "description": "sysctl names, values, and settings information" + }, + "system_info": { + "query" : "select * from system_info;", + "description" : "System information for identification.", + "interval" : "{{ osquery_snapshot_interval }}", + "snapshot": true + }, + "rpm_packages": { + "query" : "select * from rpm_packages;", + "platform" : "redhat,centos", + "version" : "1.4.5", + "description" : "Retrieves all the installed RPM packages in the target Linux system.", + "value" : "General security posture.", + "interval" : "{{ osquery_snapshot_interval2 }}", + "snapshot": true + } + } +} + diff --git a/osquery/roles/osquery/templates/osquery.conf.j2 b/osquery/roles/osquery/templates/osquery.conf.j2 new file mode 100644 index 00000000..2db9130c --- /dev/null +++ b/osquery/roles/osquery/templates/osquery.conf.j2 
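Review bot: The `os_version` query `select os_version.* from users join os_version using (uid);` cannot run: the `os_version` table has no `uid` column, so the `USING (uid)` join is rejected and the query fails on every interval; it should be `select * from os_version;`. Two descriptions are copy-pasted — `fileless_process` and `arp_anomalies` both read `Retrieves interface details.` — which matters because the description is emitted in the snapshot log consumed downstream. `interval` is written as a quoted string (`"{{ osquery_snapshot_interval }}"`) here but as a bare number in `osquery.conf.j2`; if osquery accepts both (confirm with `--config_check`), pick one form for consistency.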
@@ -0,0 +1,143 @@ +{{ ansible_managed | comment('c')}} +{ + // Configure the daemon below: + "options": { + // Select the osquery config plugin. + "config_plugin": "{{ osquery_config_plugin }}", + + // Select the osquery logging plugin. + "logger_plugin": "{{ osquery_logger_plugin }}", + + // The log directory stores info, warning, and errors. + // If the daemon uses the 'filesystem' logging retriever then the log_dir + // will also contain the query results. + //"logger_path": "/var/log/osquery", + + // Set 'disable_logging' to true to prevent writing any info, warning, error + // logs. If a logging plugin is selected it will still write query results. + //"disable_logging": "false", + + // Query differential results are logged as change-events to assist log + // aggregation operations like searching and transactons. + // Set 'log_results_events' to log differentials as transactions. + //"log_result_events": "true", + + // Splay the scheduled interval for queries. + // This is very helpful to prevent system performance impact when scheduling + // large numbers of queries that run a smaller or similar intervals. + "schedule_splay_percent": "10", + + // Write the pid of the osqueryd process to a pidfile/mutex. + //"pidfile": "/var/osquery/osquery.pidfile", + + // Clear events from the osquery backing store after a number of seconds. + "events_expiry": "3600", + + // A filesystem path for disk-based backing storage used for events and + // query results differentials. See also 'use_in_memory_database'. + //"database_path": "/var/osquery/osquery.db", + + // Comma-delimited list of table names to be disabled. + // This allows osquery to be launched without certain tables. + //"disable_tables": "foo_bar,time", + + // Enable debug or verbose debug output when logging. + "verbose": "false", + + // The number of threads for concurrent query schedule execution. 
+ "worker_threads": "2", + + // Enable schedule profiling, this will fill in averages and totals for + // system/user CPU time and memory for every query in the schedule. + // Add a query: "select * from osquery_schedule" to record the performances. + "enable_monitor": "true", + + "logger_snapshot_event_type": "true" + }, + + // Define a schedule of queries: + "schedule": { + // This is a simple example query that outputs basic system information. + "system_info": { + // The exact query to run. + "query": "SELECT hostname, cpu_brand, physical_memory FROM system_info;", + // The interval in seconds to run this query, not an exact interval. +{% if osquery_testing or osquery_testing_pause %} + "interval": 10 +{% else %} + "interval": 3600 +{% endif %} + }{% if osquery_fim or osquery_process_auditing %},{% endif %} + +{% if osquery_fim %} + "fim" : { +// "query": "select target_path, category, time, action from file_events;", + "query": "select * from file_events;", + "removed": false, + "interval": {% if osquery_testing_fim_load %}30{% else %}{{ osquery_fim_interval }}{% endif %} + }{% if osquery_process_auditing %},{% endif %} + +{% endif %} + +{% if osquery_process_auditing %} + "process_events":{ + "query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';", + "interval": {{ osquery_process_interval }} + }, + "socket_events":{ + "query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');", + 
"interval": {{ osquery_socket_interval }} + } +{% endif %} + }, + +{% if osquery_fim %} + "file_paths": { +{% for item in osquery_fim_filepaths %} + "{{ item.name }}": [ +{% for entry in item.list %} + "{{ entry }}"{% if not loop.last %},{% endif %} + +{% endfor %} + ]{% if not loop.last %},{% endif %} + +{% endfor %} + }, + "exclude_paths": { +{% for item in osquery_fim_excludepaths %} + "{{ item.name }}": [ +{% for entry in item.list %} + "{{ entry }}"{% if not loop.last %},{% endif %} + +{% endfor %} + ]{% if not loop.last %},{% endif %} + +{% endfor %} + }, + +{% endif %} + // Decorators are normal queries that append data to every query. + "decorators": { + "load": [ + "SELECT uuid AS host_uuid FROM system_info;", + "SELECT user AS username FROM logged_in_users ORDER BY time DESC LIMIT 1;" + ] + }, + + // Add default osquery packs or install your own. + // + // There are several 'default' packs installed with 'make install' or via + // packages and/or Homebrew. + // + // Linux: /usr/share/osquery/packs + // OS X: /var/osquery/packs + // Homebrew: /usr/local/share/osquery/packs + // make install: {PREFIX}/share/osquery/packs + // + "packs": { +{% for item in osquery_packs %} + "{{ item }}": "/usr/share/osquery/packs/{{ item }}.conf"{% if not loop.last %},{% endif %} + +{% endfor %} + } +} diff --git a/osquery/roles/osquery/templates/osquery.fc.j2 b/osquery/roles/osquery/templates/osquery.fc.j2 new file mode 100644 index 00000000..27729fe6 --- /dev/null +++ b/osquery/roles/osquery/templates/osquery.fc.j2 
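Review bot: In the `process_events` query, `cmdline NOT LIKE '%_key%'` is meant to drop command lines containing a literal `_key` (as in `ssh_key`, `api_key`), but in SQLite `_` is a single-character wildcard, so the pattern drops any command line where `key` is preceded by any character at all — `/usr/bin/monkey` is filtered out of the audit stream. Write it with an escape: `cmdline NOT LIKE '%\_key%' ESCAPE '\'`. This filter and the `%secret%` one are the only things keeping secrets out of the `process_events` log, so document that on the line above (`// drop obvious secret-bearing command lines before they reach the logger`) and consider a `%passw%` pattern as well, since `password=` on a command line is caught by neither.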
@@ -0,0 +1,6 @@
+/usr/bin/osqueryd -- gen_context(system_u:object_r:osquery_exec_t,s0)
+/etc/osquery(/.*)? -- gen_context(system_u:object_r:osquery_conf_t,s0)
+/usr/share/osquery/packs(/.*)? -- gen_context(system_u:object_r:osquery_conf_t,s0)
+/var/log/osquery(/.*)? -- gen_context(system_u:object_r:osquery_log_t,s0)
+/var/osquery/osquery.em -- gen_context(system_u:object_r:osquery_sock_t,s0)
+/usr/lib/systemd/system/osqueryd.service -- gen_context(system_u:object_r:osquery_unit_file_t,s0)
diff --git a/osquery/roles/osquery/templates/osquery.flags.j2 b/osquery/roles/osquery/templates/osquery.flags.j2
new file mode 100644
index 00000000..d3fb2ce0
--- /dev/null
+++ b/osquery/roles/osquery/templates/osquery.flags.j2
@@ -0,0 +1,16 @@
+--pidfile=/var/run/osqueryd.pid
+{% for flag in osquery_flags %}
+{{ flag }}
+{% endfor %}
+{% if osquery_process_auditing %}
+--disable_audit=false
+--audit_allow_config=true
+--audit_persist=true
+--audit_allow_sockets
+{% endif %}
+{% if osquery_rsyslog %}
+--enable_syslog
+{% endif %}
+{% if osquery_syslog_target != '' and osquery_syslog_target_facility_osqueryconf != '' %}
+--logger_syslog_facility={{ osquery_syslog_target_facility_osqueryconf }}
+{% endif %}
diff --git a/osquery/roles/osquery/templates/osquery.sh.j2 b/osquery/roles/osquery/templates/osquery.sh.j2
new file mode 100644
index 00000000..dd756f45
--- /dev/null
+++ b/osquery/roles/osquery/templates/osquery.sh.j2
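Review bot: Every entry in this file_contexts template carries the `--` type qualifier, which restricts the match to regular files; for `/etc/osquery(/.*)?`, `/usr/share/osquery/packs(/.*)?` and `/var/log/osquery(/.*)?` that leaves the directories themselves and any subdirectories outside the module, so the `restorecon` in selinux-end.yml will not move them to `osquery_conf_t`/`osquery_log_t`. Drop the `--` on those three directory patterns, and since `/var/osquery/osquery.em` is a socket it needs `-s` rather than `--`; keep `--` only on the executable and unit-file lines. In the flags template below, `--pidfile=/var/run/osqueryd.pid` does not match the `/run/osqueryd.pidfile w,` rule in the AppArmor profile, so on Debian/Ubuntu the daemon may be denied its pidfile once that profile is enforced — align the two paths.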
@@ -0,0 +1,61 @@ +#!/bin/sh -e + +DIRNAME=`dirname $0` +cd $DIRNAME +USAGE="$0 [ --update ]" +if [ `id -u` != 0 ]; then +echo 'You must be root to run this script' +exit 1 +fi + +if [ $# -eq 1 ]; then + if [ "$1" = "--update" ] ; then + time=`ls -l --time-style="+%x %X" osquery.te | awk '{ printf "%s %s", $6, $7 }'` + rules=`ausearch --start $time -m avc --raw -se osquery` + if [ x"$rules" != "x" ] ; then + echo "Found avc's to update policy with" + echo -e "$rules" | audit2allow -R + echo "Do you want these changes added to policy [y/n]?" + read ANS + if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then + echo "Updating policy" + echo -e "$rules" | audit2allow -R >> osquery.te + # Fall though and rebuild policy + else + exit 0 + fi + else + echo "No new avcs found" + exit 0 + fi + else + echo -e $USAGE + exit 1 + fi +elif [ $# -ge 2 ] ; then + echo -e $USAGE + exit 1 +fi + +echo "Building and Loading Policy" +set -x +make -f /usr/share/selinux/devel/Makefile osquery.pp || exit +/usr/sbin/semodule -i osquery.pp + +# Generate a man page off the installed module +sepolicy manpage -p . -d osquery_t +# Fixing the file context on /usr/bin/osqueryd +/sbin/restorecon -F -R -v /usr/bin/osqueryd +# Fixing the file context on /usr/lib/systemd/system/osqueryd.service +/sbin/restorecon -F -R -v /usr/lib/systemd/system/osqueryd.service +# Fixing the file context on /var/log/osquery +/sbin/restorecon -F -R -v /var/log/osquery +/sbin/restorecon -F -R -v /etc/osquery +/sbin/restorecon -F -R -v /usr/share/osquery/packs + + +# Generate a rpm package for the newly generated policy + +pwd=$(pwd) +#rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba osquery_selinux.spec + diff --git a/osquery/roles/osquery/templates/osquery.te.j2 b/osquery/roles/osquery/templates/osquery.te.j2 new file mode 100644 index 00000000..1027034d --- /dev/null 
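Review bot: The script runs under `#!/bin/sh -e` but uses `echo -e` in four places; `echo -e` is not POSIX and on a dash `/bin/sh` prints the literal `-e`, so the usage text and the AVC records piped into `audit2allow -R` would be corrupted there — `printf '%s\n' "$rules"` and `printf '%s\n' "$USAGE"` are portable. `cd $DIRNAME` and `ausearch --start $time` are unquoted; the `ausearch` case relies on word splitting to pass date and time as two arguments, which is non-obvious enough to deserve a comment (`# $time intentionally unquoted: date and time are separate arguments`), while `$DIRNAME` should simply be quoted. Deriving the policy timestamp by parsing `ls -l --time-style` output is fragile; `stat -c %y osquery.te` yields the same value without column counting.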
+++ b/osquery/roles/osquery/templates/osquery.te.j2 
@@ -0,0 +1,674 @@ +module osquery 1.0; + +require { + type osquery_t; + type osquery_conf_t; + type osquery_unit_file_t; + + type insmod_exec_t; + type home_root_t; + type gssd_exec_t; + type udev_exec_t; + type sound_device_t; + type setsebool_exec_t; + type proc_t; + type unconfined_service_t; + type netutils_exec_t; + type load_policy_exec_t; + type memory_device_t; + type tmp_t; + type gpg_exec_t; + type autofs_device_t; + type systemd_hwdb_exec_t; + type tcpd_exec_t; + type gssproxy_exec_t; + type showmount_exec_t; + type rsync_exec_t; + type crond_unit_file_t; + type udev_rules_t; + type systemd_logind_t; + type setfiles_exec_t; + type sshd_keygen_exec_t; + type chronyd_exec_t; + type xserver_etc_t; + type crond_t; + type tun_tap_device_t; + type default_context_t; + type anacron_exec_t; + type virt_qemu_ga_exec_t; + type auditd_t; + type syslogd_t; + type NetworkManager_t; + type sysctl_t; + type pppd_etc_t; + type consolehelper_exec_t; + type userhelper_conf_t; + type systemd_systemctl_exec_t; + type postfix_pickup_exec_t; + type syslog_conf_t; + type systemd_unit_file_t; + type tuned_exec_t; + type plymouthd_exec_t; + type vlock_exec_t; + type systemd_passwd_agent_exec_t; + type pinentry_exec_t; + type passwd_exec_t; + type dmidecode_exec_t; + type systemd_notify_exec_t; + type hwclock_exec_t; + type firewalld_etc_rw_t; + type crack_exec_t; + type postfix_qmgr_t; + type sulogin_exec_t; + type netcontrol_device_t; + type rpcd_unit_file_t; + type auditd_exec_t; + type crontab_exec_t; + type crash_device_t; + type exports_t; + type event_device_t; + type cgroup_t; + type loadkeys_exec_t; + type postfix_qmgr_exec_t; + type pam_timestamp_exec_t; + type random_device_t; + type initrc_exec_t; + type hugetlbfs_t; + type lvm_unit_file_t; + type dmesg_exec_t; + type proc_mdstat_t; + type mouse_device_t; + type nfsd_exec_t; + type slapd_cert_t; + type login_exec_t; + type usbmon_device_t; + type ldconfig_exec_t; + type initctl_t; + type debuginfo_exec_t; + type 
postfix_pickup_t; + type updpwd_exec_t; + type oddjob_mkhomedir_exec_t; + type irqbalance_exec_t; + type proc_kmsg_t; + type gssproxy_t; + type postfix_etc_t; + type init_exec_t; + type postfix_spool_t; + type var_run_t; + type mtrr_device_t; + type hypervvssd_exec_t; + type hostname_exec_t; + type system_cron_spool_t; + type sshd_key_t; + type proc_kcore_t; + type dbusd_exec_t; + type plymouth_exec_t; + type tuned_rw_etc_t; + type pppd_exec_t; + type pam_console_exec_t; + type adjtime_t; + type chronyc_exec_t; + type auditd_unit_file_t; + type fuse_device_t; + type userhelper_exec_t; + type tuned_etc_t; + type systemd_logind_exec_t; + type var_log_t; + type init_t; + type pppd_initrc_exec_t; + type fs_t; + type systemd_tmpfiles_exec_t; + type user_home_dir_t; + type lvm_etc_t; + type chronyd_t; + type dbusd_etc_t; + type etc_aliases_t; + type auditctl_exec_t; + type usernetctl_exec_t; + type clock_device_t; + type traceroute_exec_t; + type sshd_t; + type mdadm_exec_t; + type initrc_var_run_t; + type mount_exec_t; + type scsi_generic_device_t; + type vhost_device_t; + type uhid_device_t; + type ifconfig_exec_t; + type device_t; + type namespace_init_exec_t; + type lvm_exec_t; + type checkpolicy_exec_t; + type rpm_script_tmp_t; + type user_tmp_t; + type unlabeled_t; + type sshd_unit_file_t; + type policykit_exec_t; + type modules_conf_t; + type chfn_exec_t; + type dhcp_etc_t; + type logrotate_exec_t; + type getty_unit_file_t; + type selinux_config_t; + type ppp_device_t; + type ssh_keygen_exec_t; + type cupsd_rw_etc_t; + type authconfig_exec_t; + type ssh_exec_t; + type rpcbind_t; + type audisp_exec_t; + type chronyd_keys_t; + type dri_device_t; + type rpm_exec_t; + type getty_t; + type virt_qemu_ga_unconfined_exec_t; + type NetworkManager_exec_t; + type user_fonts_t; + type rpc_pipefs_t; + type ping_exec_t; + type gpg_agent_exec_t; + type su_exec_t; + type firewalld_exec_t; + type getty_exec_t; + type quota_exec_t; + type devpts_t; + type nvram_device_t; + type 
cpu_device_t; + type rpcbind_exec_t; + type NetworkManager_etc_rw_t; + type unconfined_t; + type NetworkManager_initrc_exec_t; + type sshd_exec_t; + type udev_t; + type rpcd_exec_t; + type fixed_disk_device_t; + type selinux_login_config_t; + type sysctl_irq_t; + type ptmx_t; + type ssh_agent_exec_t; + type NetworkManager_unit_file_t; + type binfmt_misc_fs_t; + type semanage_store_t; + type framebuf_device_t; + type udev_var_run_t; + type rdisc_exec_t; + type NetworkManager_etc_t; + type rsync_etc_t; + type postfix_postdrop_exec_t; + type tuned_t; + type wtmp_t; + type dhcpc_exec_t; + type useradd_exec_t; + type dhcpc_t; + type sudo_exec_t; + type vfio_device_t; + type thumb_exec_t; + type crond_exec_t; + type bootloader_etc_t; + type sysfs_t; + type postfix_postqueue_exec_t; + type postfix_map_exec_t; + type admin_passwd_exec_t; + type apm_bios_t; + type policykit_t; + type iptables_exec_t; + type semanage_exec_t; + type journalctl_exec_t; + type lvm_control_t; + type lvm_t; + type screen_exec_t; + type auditd_etc_t; + type xserver_misc_device_t; + type fsadm_exec_t; + type bootloader_exec_t; + type system_cronjob_t; + type syslogd_exec_t; + type system_dbusd_t; + type lvm_lock_t; + type user_cron_spool_t; + type kmsg_device_t; + type mysqld_etc_t; + type pppd_etc_rw_t; + type configfs_t; + type proc_net_t; + type postfix_master_exec_t; + type shadow_t; + type sendmail_exec_t; + type loop_control_device_t; + type kernel_t; + type var_t; + type pstore_t; + type chkpwd_exec_t; + type groupadd_exec_t; + type debugfs_t; + type hypervkvp_exec_t; + type postfix_master_t; + type sysctl_fs_t; + type blkmapd_exec_t; + type nfsd_unit_file_t; + type ssh_home_t; + type systemd_hwdb_etc_t; + type mandb_exec_t; + type tmpfs_t; + type lvm_metadata_t; + type policykit_auth_exec_t; + type chronyd_unit_file_t; + type print_spool_t; + type rpcbind_var_lib_t; + class fifo_file getattr; + class process setsched; + class unix_stream_socket connectto; + class 
netlink_kobject_uevent_socket { bind create getattr setopt }; + class chr_file { getattr ioctl open read write }; + class capability { dac_override sys_rawio sys_ptrace }; + class file { append create getattr lock open read relabelto rename setattr unlink write }; + class filesystem getattr; + class sock_file { create getattr unlink write }; + class lnk_file { create getattr read unlink }; + class blk_file { getattr ioctl open read }; + class dir { add_name getattr open read remove_name search setattr write }; +} + +#============= osquery_t ============== +allow osquery_t NetworkManager_etc_rw_t:dir { getattr open read }; +allow osquery_t NetworkManager_etc_rw_t:file getattr; +allow osquery_t NetworkManager_etc_t:dir { getattr open read }; +allow osquery_t NetworkManager_exec_t:file getattr; +allow osquery_t NetworkManager_initrc_exec_t:dir { getattr open read }; +allow osquery_t NetworkManager_initrc_exec_t:file getattr; +allow osquery_t NetworkManager_t:dir { getattr open read search }; +allow osquery_t NetworkManager_t:file { getattr open read }; + +allow osquery_t NetworkManager_t:lnk_file { getattr read }; +allow osquery_t NetworkManager_unit_file_t:file getattr; +allow osquery_t adjtime_t:file getattr; +allow osquery_t admin_passwd_exec_t:file getattr; +allow osquery_t anacron_exec_t:file getattr; +allow osquery_t apm_bios_t:chr_file getattr; +allow osquery_t audisp_exec_t:file getattr; +allow osquery_t auditctl_exec_t:file getattr; +allow osquery_t auditd_etc_t:dir { getattr open read }; +allow osquery_t auditd_etc_t:file getattr; +allow osquery_t auditd_exec_t:file getattr; +allow osquery_t auditd_t:dir { getattr open read search }; +allow osquery_t auditd_t:file { getattr open read }; + +allow osquery_t auditd_t:lnk_file { getattr read }; +allow osquery_t auditd_unit_file_t:file getattr; +allow osquery_t authconfig_exec_t:file getattr; +allow osquery_t autofs_device_t:chr_file getattr; +allow osquery_t binfmt_misc_fs_t:filesystem getattr; +allow osquery_t 
blkmapd_exec_t:file getattr; +allow osquery_t bootloader_etc_t:file getattr; +allow osquery_t bootloader_exec_t:file getattr; +allow osquery_t cgroup_t:filesystem getattr; +allow osquery_t checkpolicy_exec_t:file getattr; +allow osquery_t chfn_exec_t:file getattr; +allow osquery_t chkpwd_exec_t:file getattr; +allow osquery_t chronyc_exec_t:file getattr; +allow osquery_t chronyd_exec_t:file getattr; +allow osquery_t chronyd_keys_t:file getattr; +allow osquery_t chronyd_t:dir { getattr open read search }; +allow osquery_t chronyd_t:file { getattr open read }; + +allow osquery_t chronyd_t:lnk_file { getattr read }; +allow osquery_t chronyd_unit_file_t:file getattr; +allow osquery_t clock_device_t:chr_file getattr; +allow osquery_t configfs_t:filesystem getattr; +allow osquery_t consolehelper_exec_t:file getattr; +allow osquery_t cpu_device_t:chr_file getattr; +allow osquery_t crack_exec_t:file getattr; +allow osquery_t crash_device_t:chr_file getattr; +allow osquery_t crond_exec_t:file getattr; +allow osquery_t crond_t:dir { getattr open read search }; +allow osquery_t crond_t:file { getattr open read }; + +allow osquery_t crond_t:lnk_file { getattr read }; +allow osquery_t crond_unit_file_t:file getattr; +allow osquery_t crontab_exec_t:file getattr; +allow osquery_t cupsd_rw_etc_t:file getattr; +allow osquery_t dbusd_etc_t:dir { getattr open read }; +allow osquery_t dbusd_etc_t:file getattr; +allow osquery_t dbusd_exec_t:file getattr; +allow osquery_t debugfs_t:filesystem getattr; +allow osquery_t debuginfo_exec_t:file getattr; +allow osquery_t default_context_t:dir read; +allow osquery_t default_context_t:file getattr; + +#!!!! WARNING: 'device_t' is a base type. 
+allow osquery_t device_t:filesystem getattr; +allow osquery_t devpts_t:filesystem getattr; +allow osquery_t dhcp_etc_t:dir { getattr open read }; +allow osquery_t dhcp_etc_t:file getattr; +allow osquery_t dhcpc_exec_t:file getattr; +allow osquery_t dhcpc_t:dir { getattr open read search }; +allow osquery_t dhcpc_t:file { getattr open read }; + +allow osquery_t dhcpc_t:lnk_file { getattr read }; +allow osquery_t dmesg_exec_t:file getattr; +allow osquery_t dmidecode_exec_t:file getattr; +allow osquery_t dri_device_t:chr_file getattr; +allow osquery_t etc_aliases_t:file getattr; +allow osquery_t event_device_t:chr_file getattr; +allow osquery_t exports_t:file getattr; +allow osquery_t firewalld_etc_rw_t:dir { getattr open read }; +allow osquery_t firewalld_etc_rw_t:file getattr; +allow osquery_t firewalld_exec_t:file getattr; +allow osquery_t fixed_disk_device_t:blk_file { getattr ioctl open read }; +allow osquery_t fixed_disk_device_t:chr_file getattr; +allow osquery_t framebuf_device_t:chr_file getattr; +allow osquery_t fs_t:filesystem getattr; +allow osquery_t fsadm_exec_t:file getattr; +allow osquery_t fuse_device_t:chr_file getattr; +allow osquery_t getty_exec_t:file getattr; +allow osquery_t getty_t:dir { getattr open read search }; +allow osquery_t getty_t:file { getattr open read }; + +allow osquery_t getty_t:lnk_file { getattr read }; +allow osquery_t getty_unit_file_t:file getattr; +allow osquery_t gpg_agent_exec_t:file getattr; +allow osquery_t gpg_exec_t:file getattr; +allow osquery_t groupadd_exec_t:file getattr; +allow osquery_t gssd_exec_t:file getattr; +allow osquery_t gssproxy_exec_t:file getattr; +allow osquery_t gssproxy_t:dir { getattr open read search }; +allow osquery_t gssproxy_t:file { getattr open read }; + +allow osquery_t gssproxy_t:lnk_file { getattr read }; + +#!!!! WARNING: 'home_root_t' is a base type. 
+allow osquery_t home_root_t:dir read; +allow osquery_t hostname_exec_t:file getattr; +allow osquery_t hugetlbfs_t:dir { getattr open read }; +allow osquery_t hugetlbfs_t:filesystem getattr; +allow osquery_t hwclock_exec_t:file getattr; +allow osquery_t hypervkvp_exec_t:file getattr; +allow osquery_t hypervvssd_exec_t:file getattr; +allow osquery_t ifconfig_exec_t:file getattr; +allow osquery_t init_exec_t:file getattr; +allow osquery_t init_t:dir read; +allow osquery_t init_t:file { getattr open read }; + +allow osquery_t init_t:lnk_file { getattr read }; +allow osquery_t initctl_t:fifo_file getattr; +allow osquery_t initrc_exec_t:file getattr; +allow osquery_t initrc_var_run_t:file { lock open read }; +allow osquery_t insmod_exec_t:file getattr; +allow osquery_t iptables_exec_t:file getattr; +allow osquery_t irqbalance_exec_t:file getattr; +allow osquery_t journalctl_exec_t:file getattr; +allow osquery_t kernel_t:dir { getattr open read search }; +allow osquery_t kernel_t:file { getattr open read }; +allow osquery_t kernel_t:lnk_file { getattr read }; + +#!!!! 
This avc can be allowed using the boolean 'domain_can_write_kmsg' +allow osquery_t kmsg_device_t:chr_file getattr; +allow osquery_t ldconfig_exec_t:file getattr; +allow osquery_t load_policy_exec_t:file getattr; +allow osquery_t loadkeys_exec_t:file getattr; +allow osquery_t login_exec_t:file getattr; +allow osquery_t logrotate_exec_t:file getattr; +allow osquery_t loop_control_device_t:chr_file getattr; +allow osquery_t lvm_control_t:chr_file { getattr ioctl open read write }; +allow osquery_t lvm_etc_t:dir { getattr open read }; +allow osquery_t lvm_etc_t:file { getattr open read }; +allow osquery_t lvm_exec_t:file getattr; +allow osquery_t lvm_lock_t:dir { add_name getattr read remove_name search write }; +allow osquery_t lvm_lock_t:file { append create getattr lock open read unlink }; +allow osquery_t lvm_metadata_t:dir { add_name getattr open read remove_name write }; +allow osquery_t lvm_metadata_t:file { create getattr lock open read rename unlink write }; +allow osquery_t lvm_t:dir { getattr open read search }; +allow osquery_t lvm_t:file { getattr open read }; + +allow osquery_t lvm_t:lnk_file { getattr read }; +allow osquery_t lvm_unit_file_t:file getattr; +allow osquery_t mandb_exec_t:file getattr; +allow osquery_t mdadm_exec_t:file getattr; +allow osquery_t memory_device_t:chr_file getattr; +allow osquery_t modules_conf_t:dir { getattr open read }; +allow osquery_t modules_conf_t:file getattr; +allow osquery_t mount_exec_t:file getattr; +allow osquery_t mouse_device_t:chr_file getattr; +allow osquery_t mtrr_device_t:file getattr; +allow osquery_t mysqld_etc_t:dir { getattr open read }; +allow osquery_t mysqld_etc_t:file getattr; +allow osquery_t namespace_init_exec_t:file getattr; +allow osquery_t netcontrol_device_t:chr_file getattr; +allow osquery_t netutils_exec_t:file getattr; +allow osquery_t nfsd_exec_t:file getattr; +allow osquery_t nfsd_unit_file_t:file getattr; +allow osquery_t nvram_device_t:chr_file getattr; +allow osquery_t 
oddjob_mkhomedir_exec_t:file getattr; +allow osquery_t osquery_conf_t:file getattr; +allow osquery_t osquery_unit_file_t:file getattr; +allow osquery_t pam_console_exec_t:file getattr; +allow osquery_t pam_timestamp_exec_t:file getattr; +allow osquery_t passwd_exec_t:file getattr; +allow osquery_t pinentry_exec_t:file getattr; +allow osquery_t ping_exec_t:file getattr; +allow osquery_t plymouth_exec_t:file getattr; +allow osquery_t plymouthd_exec_t:file getattr; +allow osquery_t policykit_auth_exec_t:file getattr; +allow osquery_t policykit_exec_t:file getattr; +allow osquery_t policykit_t:dir { getattr open read search }; +allow osquery_t policykit_t:file { getattr open read }; + +allow osquery_t policykit_t:lnk_file { getattr read }; +allow osquery_t postfix_etc_t:dir { getattr open read }; +allow osquery_t postfix_etc_t:file getattr; +allow osquery_t postfix_map_exec_t:file getattr; +allow osquery_t postfix_master_exec_t:file getattr; +allow osquery_t postfix_master_t:dir { getattr open read search }; +allow osquery_t postfix_master_t:file { getattr open read }; + +allow osquery_t postfix_master_t:lnk_file { getattr read }; +allow osquery_t postfix_pickup_exec_t:file getattr; +allow osquery_t postfix_pickup_t:dir { getattr open read search }; +allow osquery_t postfix_pickup_t:file { getattr open read }; + +allow osquery_t postfix_pickup_t:lnk_file { getattr read }; +allow osquery_t postfix_postdrop_exec_t:file getattr; +allow osquery_t postfix_postqueue_exec_t:file getattr; +allow osquery_t postfix_qmgr_exec_t:file getattr; +allow osquery_t postfix_qmgr_t:dir { getattr open read search }; +allow osquery_t postfix_qmgr_t:file { getattr open read }; + +allow osquery_t postfix_qmgr_t:lnk_file { getattr read }; +allow osquery_t postfix_spool_t:dir getattr; +allow osquery_t ppp_device_t:chr_file getattr; +allow osquery_t pppd_etc_rw_t:dir { getattr open read }; +allow osquery_t pppd_etc_t:dir { getattr open read }; +allow osquery_t pppd_exec_t:file getattr; +allow 
osquery_t pppd_initrc_exec_t:file getattr; +allow osquery_t proc_kcore_t:file getattr; +allow osquery_t proc_kmsg_t:file getattr; +allow osquery_t proc_mdstat_t:file getattr; +allow osquery_t proc_net_t:file { getattr open read }; +allow osquery_t proc_t:dir read; +allow osquery_t proc_t:file { getattr open read }; +allow osquery_t proc_t:filesystem getattr; +allow osquery_t pstore_t:filesystem getattr; +allow osquery_t ptmx_t:chr_file getattr; +allow osquery_t quota_exec_t:file getattr; + +#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap' +allow osquery_t random_device_t:chr_file getattr; +allow osquery_t rdisc_exec_t:file getattr; +allow osquery_t rpc_pipefs_t:filesystem getattr; +allow osquery_t rpcbind_exec_t:file getattr; +allow osquery_t rpcbind_t:dir { getattr open read search }; +allow osquery_t rpcbind_t:file { getattr open read }; + +allow osquery_t rpcbind_t:lnk_file { getattr read }; +allow osquery_t rpcd_exec_t:file getattr; +allow osquery_t rpcd_unit_file_t:file getattr; +allow osquery_t rpm_exec_t:file getattr; +allow osquery_t rpm_script_tmp_t:dir read; +allow osquery_t rsync_etc_t:file getattr; +allow osquery_t rsync_exec_t:file getattr; +allow osquery_t screen_exec_t:file getattr; +allow osquery_t scsi_generic_device_t:chr_file getattr; +allow osquery_t self:capability { dac_override sys_rawio }; +allow osquery_t self:netlink_kobject_uevent_socket { bind create getattr setopt }; +allow osquery_t self:process setsched; + +#!!!! The file '/var/osquery/osquery.em' is mislabeled on your system. +#!!!! Fix with $ restorecon -R -v /var/osquery/osquery.em +#!!!! 
This avc can be allowed using the boolean 'daemons_enable_cluster_mode' +allow osquery_t self:unix_stream_socket connectto; +allow osquery_t selinux_config_t:dir read; +allow osquery_t selinux_login_config_t:dir { getattr open read }; +allow osquery_t semanage_exec_t:file getattr; +allow osquery_t semanage_store_t:dir { getattr open read }; +allow osquery_t semanage_store_t:file { getattr open read }; +allow osquery_t sendmail_exec_t:file getattr; +allow osquery_t setfiles_exec_t:file getattr; +allow osquery_t setsebool_exec_t:file getattr; +allow osquery_t shadow_t:file getattr; +allow osquery_t showmount_exec_t:file getattr; + +#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap' +allow osquery_t slapd_cert_t:dir { getattr open read }; + +#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap' +allow osquery_t slapd_cert_t:file getattr; +allow osquery_t sound_device_t:chr_file getattr; +allow osquery_t ssh_agent_exec_t:file getattr; +allow osquery_t ssh_exec_t:file getattr; +allow osquery_t ssh_home_t:dir { getattr open read }; +allow osquery_t ssh_home_t:file getattr; +allow osquery_t ssh_keygen_exec_t:file getattr; +allow osquery_t sshd_exec_t:file getattr; +allow osquery_t sshd_key_t:file getattr; +allow osquery_t sshd_keygen_exec_t:file getattr; +allow osquery_t sshd_t:dir { getattr open read search }; +allow osquery_t sshd_t:file { getattr open read }; + +allow osquery_t sshd_t:lnk_file { getattr read }; +allow osquery_t sshd_unit_file_t:file getattr; +allow osquery_t su_exec_t:file getattr; +allow osquery_t sudo_exec_t:file getattr; +allow osquery_t sulogin_exec_t:file getattr; +allow osquery_t sysctl_fs_t:dir search; +allow osquery_t sysctl_irq_t:dir getattr; +allow osquery_t sysctl_t:file getattr; +allow osquery_t sysfs_t:dir read; +allow osquery_t sysfs_t:file { getattr open read }; +allow osquery_t sysfs_t:filesystem getattr; +allow osquery_t sysfs_t:lnk_file { getattr read }; +allow osquery_t 
syslog_conf_t:dir { getattr open read }; +allow osquery_t syslog_conf_t:file getattr; +allow osquery_t syslogd_exec_t:file getattr; +allow osquery_t syslogd_t:dir { getattr open read search }; +allow osquery_t syslogd_t:file { getattr open read }; + +allow osquery_t syslogd_t:lnk_file { getattr read }; +allow osquery_t system_cron_spool_t:dir { getattr open read }; +allow osquery_t system_cron_spool_t:file { getattr open read }; +allow osquery_t system_cronjob_t:dir { getattr open read search }; +allow osquery_t system_cronjob_t:file { getattr open read }; + +allow osquery_t system_cronjob_t:lnk_file { getattr read }; +allow osquery_t system_dbusd_t:dir { getattr open read search }; +allow osquery_t system_dbusd_t:file { getattr open read }; + +allow osquery_t system_dbusd_t:lnk_file { getattr read }; +allow osquery_t systemd_hwdb_etc_t:file getattr; +allow osquery_t systemd_hwdb_exec_t:file getattr; +allow osquery_t systemd_logind_exec_t:file getattr; +allow osquery_t systemd_logind_t:dir { getattr open read search }; +allow osquery_t systemd_logind_t:file { getattr open read }; + +allow osquery_t systemd_logind_t:lnk_file { getattr read }; +allow osquery_t systemd_notify_exec_t:file getattr; +allow osquery_t systemd_passwd_agent_exec_t:file getattr; +allow osquery_t systemd_systemctl_exec_t:file getattr; +allow osquery_t systemd_tmpfiles_exec_t:file getattr; +allow osquery_t systemd_unit_file_t:dir { open read }; +allow osquery_t systemd_unit_file_t:file getattr; +allow osquery_t systemd_unit_file_t:lnk_file read; +allow osquery_t tcpd_exec_t:file getattr; +allow osquery_t thumb_exec_t:file getattr; + +#!!!! WARNING: 'tmp_t' is a base type. +allow osquery_t tmp_t:dir { add_name read remove_name write }; +allow osquery_t tmp_t:file { create unlink write }; + +#!!!! WARNING: 'tmp_t' is a base type. 
+allow osquery_t tmp_t:lnk_file { create unlink }; +allow osquery_t tmpfs_t:dir read; +allow osquery_t tmpfs_t:filesystem getattr; +allow osquery_t traceroute_exec_t:file getattr; +allow osquery_t tun_tap_device_t:chr_file getattr; +allow osquery_t tuned_etc_t:dir { getattr open read }; +allow osquery_t tuned_etc_t:file getattr; +allow osquery_t tuned_exec_t:file getattr; +allow osquery_t tuned_rw_etc_t:file getattr; +allow osquery_t tuned_t:dir { getattr open read search }; +allow osquery_t tuned_t:file { getattr open read }; + +allow osquery_t tuned_t:lnk_file { getattr read }; +allow osquery_t udev_exec_t:file getattr; +allow osquery_t udev_rules_t:dir { getattr open read }; +allow osquery_t udev_rules_t:file getattr; +allow osquery_t udev_t:dir { getattr open read search }; +allow osquery_t udev_t:file { getattr open read }; +allow osquery_t udev_t:lnk_file { getattr read }; +allow osquery_t udev_var_run_t:file { getattr open read }; +allow osquery_t uhid_device_t:chr_file getattr; +allow osquery_t unconfined_service_t:dir { getattr open read search }; +allow osquery_t unconfined_service_t:file { getattr open read }; +allow osquery_t unconfined_service_t:lnk_file { getattr read }; +allow osquery_t unconfined_t:dir { getattr open read search }; +allow osquery_t unconfined_t:file { getattr open read }; +allow osquery_t unconfined_t:lnk_file { getattr read }; + +#!!!! WARNING: 'unlabeled_t' is a base type. +#!!!! The file '/etc/sysconfig/cloud-info' is mislabeled on your system. +#!!!! 
Fix with $ restorecon -R -v /etc/sysconfig/cloud-info +allow osquery_t unlabeled_t:file getattr; +allow osquery_t updpwd_exec_t:file getattr; +allow osquery_t usbmon_device_t:chr_file getattr; +allow osquery_t user_cron_spool_t:dir { getattr open read }; +allow osquery_t user_fonts_t:dir { getattr open read search }; +allow osquery_t user_home_dir_t:dir getattr; +allow osquery_t user_tmp_t:dir read; +allow osquery_t useradd_exec_t:file getattr; +allow osquery_t userhelper_conf_t:dir { getattr open read }; +allow osquery_t userhelper_conf_t:file getattr; +allow osquery_t userhelper_exec_t:file getattr; +allow osquery_t usernetctl_exec_t:file getattr; +allow osquery_t var_log_t:lnk_file unlink; + +#!!!! WARNING 'osquery_t' is not allowed to write or create to var_run_t. Change the label to osquery_var_run_t. +allow osquery_t var_run_t:dir { add_name remove_name write }; + +#!!!! WARNING 'osquery_t' is not allowed to write or create to var_run_t. Change the label to osquery_var_run_t. +#!!!! $ semanage fcontext -a -t osquery_var_run_t /run/osqueryd.pid +#!!!! $ restorecon -R -v /run/osqueryd.pid +#!!!! The file '/run/osqueryd.pid' is mislabeled on your system. +#!!!! Fix with $ restorecon -R -v /run/osqueryd.pid +allow osquery_t var_run_t:file { append create getattr open read setattr unlink }; + +#!!!! WARNING: 'var_t' is a base type. 
+allow osquery_t var_t:dir { add_name read remove_name setattr write }; +allow osquery_t var_t:file { create getattr lock open read rename unlink write }; +allow osquery_t var_t:sock_file { create getattr unlink write }; +allow osquery_t vfio_device_t:chr_file getattr; +allow osquery_t vhost_device_t:chr_file getattr; +allow osquery_t virt_qemu_ga_exec_t:file getattr; +allow osquery_t virt_qemu_ga_unconfined_exec_t:dir { getattr open read }; +allow osquery_t vlock_exec_t:file getattr; +allow osquery_t wtmp_t:file { open read }; +allow osquery_t xserver_etc_t:dir { getattr open read }; +allow osquery_t xserver_misc_device_t:chr_file getattr; + +allow osquery_t print_spool_t:dir search; +allow osquery_t rpcbind_var_lib_t:dir search; +allow osquery_t self:capability sys_ptrace; + +#============= unconfined_t ============== + +#!!!! This avc is allowed in the current policy +allow unconfined_t osquery_conf_t:file relabelto; + diff --git a/osquery/roles/osquery/templates/osqueryd-monit.j2 b/osquery/roles/osquery/templates/osqueryd-monit.j2 new file mode 100644 index 00000000..458b802a --- /dev/null +++ b/osquery/roles/osquery/templates/osqueryd-monit.j2 
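Review bot: Several rules grant `osquery_t` far more than the getattr/read access that makes up the rest of the policy, and the audit2allow `#!!!!` annotations that point this out were left in the file rather than acted on: writes to the base types `var_t`, `tmp_t` and `var_run_t` (`allow osquery_t var_run_t:file { append create getattr open read setattr unlink };`), where the annotation itself recommends an fcontext entry so `/run/osqueryd.pid` is labelled `osquery_var_run_t`, plus `self:capability { dac_override sys_rawio sys_ptrace }`, `fixed_disk_device_t:blk_file { getattr ioctl open read }` and create/rename/unlink on `lvm_metadata_t` and `lvm_lock_t`. Each of these widens what a compromised osqueryd process could reach, so each should carry a line such as `# required by osquery table <TABLE - placeholder, confirm>; drop if that table is disabled`, and the base-type writes should be replaced by the fcontext/relabel steps the embedded warnings describe. The host-specific leftovers (`/var/osquery/osquery.em` and `/etc/sysconfig/cloud-info` "mislabeled" notes) and the trailing `allow unconfined_t osquery_conf_t:file relabelto;`, annotated as already allowed, are noise from the generating machine and can be dropped. Since the file is generated output, a header recording which osquery version and distribution the denials were collected on would help whoever regenerates it.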
@@ -0,0 +1,27 @@
+{{ ansible_managed | comment('plain', decoration='## ') }}
+check process osqueryd
+ with pidfile "/var/run/osqueryd.pid"
+ group system
+ group osqueryd
+{% if ansible_service_mgr == 'systemd' %}
+ start program = "/bin/systemctl start ssh" with timeout 60 seconds
+ stop program = "/bin/systemctl stop ssh"
+{% else %}
+ start program = "/etc/init.d/ssh start" with timeout 60 seconds
+ stop program = "/etc/init.d/ssh stop"
+{% endif %}
+ if cpu > 90% for 15 cycles then alert
+ if totalmem > 90% for 15 cycles then alert
+ if loadavg(15min) greater than 10 for 50 cycles then alert
+ if 5 restarts with 5 cycles then alert
+ depends on osqueryd_binary
+ depends on osqueryd_conf
+
+check file osqueryd_binary
+ with path /usr/bin/osqueryd
+ group osqueryd
+ if failed checksum then alert
+
+check file osqueryd_conf with path /etc/osquery/osquery.conf
+ include /etc/monit/templates/rootrc
+ group osqueryd
diff --git a/osquery/roles/osquery/templates/rsyslog-osquery-target.conf.j2 b/osquery/roles/osquery/templates/rsyslog-osquery-target.conf.j2
new file mode 100644
index 00000000..c8dbcd72
--- /dev/null
+++ b/osquery/roles/osquery/templates/rsyslog-osquery-target.conf.j2
@@ -0,0 +1,16 @@
+{% if osquery_syslog_target is defined and osquery_syslog_target != '' %}
+{{ osquery_syslog_target_facility_syslogconf }}.* {{ osquery_syslog_target }}
+{% if rsyslog_v.stdout is defined and rsyslog_v.stdout is version_compare('8.0', '<') %}
+& ~
+{% else %}
+& stop
+{% endif %}
+{% endif %}
+{% if osquery_syslog_target2 is defined and osquery_syslog_target2 != '' %}
+if $programname == 'osqueryd' then {{ osquery_syslog_target2 }}
+{% if rsyslog_v.stdout is defined and rsyslog_v.stdout is version_compare('8.0', '<') %}
+& ~
+{% else %}
+& stop
+{% endif %}
+{% endif %}
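Review bot: The `check process osqueryd` stanza restarts the wrong service: both branches drive `ssh` (`start program = "/bin/systemctl start ssh"`, `stop program = "/bin/systemctl stop ssh"` and the `/etc/init.d/ssh` pair), so a failed osqueryd check would bounce sshd and leave osqueryd down. They should be `start program = "/bin/systemctl start osqueryd" with timeout 60 seconds` and `stop program = "/bin/systemctl stop osqueryd"`, with the init.d branch pointing at `/etc/init.d/osqueryd`. The `with pidfile "/var/run/osqueryd.pid"` path should also be checked against what the packaged unit actually writes; the SELinux template in this commit refers to `/run/osqueryd.pid`, which is equivalent only where `/var/run` is a symlink to `/run`.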
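Review bot: `rsyslog_v.stdout is defined` is evaluated even when `rsyslog_v` itself was never registered (for instance when the version-probe task is skipped), and whether Ansible's undefined object tolerates that attribute access depends on the Ansible version; `rsyslog_v is defined and rsyslog_v.stdout is defined and rsyslog_v.stdout is version_compare('8.0', '<')` is unambiguous. `osquery_syslog_target_facility_syslogconf` is interpolated without the `is defined` guard the two target variables get, so an unset value renders an empty selector that rsyslog will reject. A one-line header comment stating the expected shape of `osquery_syslog_target` and `osquery_syslog_target2` (a complete rsyslog action, written verbatim into the config) would make the template self-describing.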
diff --git a/osquery/roles/osquery/test/integration/default-fleetmanager/bats/idempotency.bats b/osquery/roles/osquery/test/integration/default-fleetmanager/bats/idempotency.bats
new file mode 100644
index 00000000..0ce1c670
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-fleetmanager/bats/idempotency.bats
@@ -0,0 +1,14 @@
+#!/usr/bin/env bats
+#
+
+#
+# Idempotence test
+# from https://github.com/neillturner/kitchen-ansible/issues/92
+#
+
+@test "Second run should change nothing" {
+ skip "service module issue"
+ run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
+ [ "$status" -eq 0 ]
+}
+
diff --git a/osquery/roles/osquery/test/integration/default-fleetmanager/default.yml b/osquery/roles/osquery/test/integration/default-fleetmanager/default.yml
new file mode 100644
index 00000000..91096c93
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-fleetmanager/default.yml
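Review bot: The only test in this file is skipped unconditionally (`skip "service module issue"`), so the repeatability this commit describes is not exercised by the kitchen suite at all. The skip reason should point at the tracking issue, `skip "service module issue, see <ISSUE-URL placeholder>"`, and ideally be conditioned on the affected platform so the idempotency check still runs everywhere else. A short comment above the `run` line naming which service-module behaviour causes the spurious `changed` would let the next person decide when the skip can be removed.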
@@ -0,0 +1,43 @@
+---
+
+- hosts: all
+#- hosts: test-kitchen
+ vars:
+ - mysql_root_password: 'Toor=2017.'
+ - kolide_mysql_root_pass: "{{ mysql_root_password }}"
+ - mysql_databases:
+ - name: "{{ kolide_mysql_db }}"
+ - mysql_users:
+ - name: "{{ kolide_mysql_user }}"
+ host: "localhost"
+ #host: "%"
+ password: "{{ kolide_mysql_pass }}"
+ priv: "{{ kolide_mysql_db }}.*:ALL"
+ - mysql_enablerepo: epel
+ - osquery_flags:
+ - '--enroll_secret_path=/etc/osquery/osquery_enroll_secret'
+ - "--tls_server_certs={{ ssl_dir }}/{{ ansible_fqdn }}.crt"
+ - '--tls_hostname=acme.kolide.co:8080'
+ - '--host_identifier=hostname'
+ - '--enroll_tls_endpoint=/api/v1/osquery/enroll'
+ - '--config_plugin=tls'
+ - '--config_tls_endpoint=/api/v1/osquery/config'
+ - '--config_tls_refresh=10'
+ - '--disable_distributed=false'
+ - '--distributed_plugin=tls'
+ - '--distributed_interval=10'
+ - '--distributed_tls_max_attempts=3'
+ - '--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read'
+ - '--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write'
+ - '--logger_plugin=tls'
+ pre_tasks:
+ - name: map acme.kolide.co to localhost
+ lineinfile:
+ dest: /etc/hosts
+ line: 127.0.0.1 acme.kolide.co
+ ignore_errors: true
+ roles:
+ - { role: geerlingguy.mysql, when: ansible_os_family == 'Debian' }
+ - juju4.kolide
+ - kbrebanov.osquery
+
diff --git a/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Gemfile b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Gemfile
new file mode 100644
index 00000000..938ed3ed
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Gemfile
@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+gem 'serverspec'
+gem 'rake'
+## for junit output and jenkins support
+## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
+#gem 'yarjuf'
+
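Review bot: The `pre_tasks` entry that maps `acme.kolide.co` to `127.0.0.1` runs with `ignore_errors: true`, so a failed `/etc/hosts` edit is hidden and the later enrollment against `--tls_hostname=acme.kolide.co:8080` fails with a much less obvious connection error; drop `ignore_errors: true` there. `vars:` is written as a list of one-key mappings; a plain mapping (`vars:` followed by `mysql_root_password: ...`) is the documented form and, as far as I recall, later Ansible releases warn about the list form. The hard-coded `mysql_root_password: 'Toor=2017.'` is acceptable for a throw-away kitchen VM but deserves a `# test-only credential for the kitchen VM, never reuse` comment so it is not copied into a real inventory. Note also that the fixture runs `geerlingguy.mysql`, `juju4.kolide` and `kbrebanov.osquery`, presumably the upstream Galaxy roles rather than the vendored ones this commit introduces, so it may not be testing this tree's role at all.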
diff --git a/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Rakefile b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Rakefile
new file mode 100644
index 00000000..3699568c
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Rakefile
@@ -0,0 +1,9 @@
+require 'rake'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec) do |t|
+ t.pattern = '*_spec.rb'
+end
+
+task :default => :spec
+
diff --git a/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/osquery_spec.rb b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/osquery_spec.rb
new file mode 100644
index 00000000..f05921d7
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/osquery_spec.rb
@@ -0,0 +1,59 @@
+require 'serverspec'
+
+# Required by serverspec
+set :backend, :exec
+
+describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do
+## mostly exclude for docker/systemd distributions
+ it { should be_enabled }
+end
+describe service('osqueryd') do
+ it { should be_running }
+end
+
+describe file('/usr/bin/osqueryd') do
+ it { should be_executable }
+end
+describe file('/usr/bin/osqueryi') do
+ it { should be_executable }
+end
+
+describe file('/etc/osquery/osquery.conf') do
+ it { should contain '"config_plugin":' }
+ it { should contain '"packs": {' }
+ it { should contain '"filesystem"' }
+end
+
+describe process("osqueryd") do
+ its(:user) { should eq "root" }
+ its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ }
+ its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ }
+end
+
+#describe file('/var/log/osquery/osqueryd.INFO') do
+# it { should be_symlink }
+# its(:content) { should match /Log line format:/ }
+#end
+#describe file('/var/log/osquery/osqueryd.WARNING') do
+# it { should be_symlink }
+# its(:content) { should match /Log line format:/ }
+# its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
+#end
+#describe file('/var/log/osquery/osqueryd.results.log') do
+# it { should be_file }
+## its(:content) { should match /hostIdentifier/ }
+# let(:sudo_options) { '-u root -H' }
+#end
+
+describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do
+ its(:stdout) { should match /osqueryd is already running/ }
+ its(:exit_status) { should eq 0 }
+end
+describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do
+ its(:stdout) { should match /active \(running\)/ }
+ its(:exit_status) { should eq 0 }
+end
+describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do
+ its(:stdout) { should match /active \(running\)/ }
+ its(:exit_status) { should eq 0 }
+end
diff --git a/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/run-local-tests.sh b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/run-local-tests.sh
new file mode 100755
index 00000000..39050487
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/run-local-tests.sh
@@ -0,0 +1,32 @@
+#!/bin/sh -x
+## get consistent ruby2+bundler env on each distribution
+
+location=`dirname "$0"`
+cd $location
+v=2.3
+
+## docker environment in travis missing few utils
+[ -f /etc/debian_version ] && apt-get install -y curl
+[ -f /etc/redhat-release ] && yum -y install which
+
+curl -sSL https://get.rvm.io | bash
+#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
+#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
+
+## troubleshoot
+type rvm | head -1
+env
+
+#export PATH=/usr/local/rvm/bin:$PATH
+
+bash -l -c "rvm install $v"
+bash -l -c "rvm use $v"
+bash -l -c "rvm use $v --default"
+bash -l -c "gem install bundler"
+bash -l -c "bundle install --path ./gems"
+if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
+ bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
+else
+ bash -l -c "bundle exec rake spec"
+fi
+
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/bats/idempotency.bats b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/bats/idempotency.bats
new file mode 100644
index 00000000..0ce1c670
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/bats/idempotency.bats
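Review bot: `curl -sSL https://get.rvm.io | bash` executes an unpinned, unverified remote script — as root in the Travis/docker path, judging by the `apt-get`/`yum` calls just above it — so the integrity of the test toolchain depends on that endpoint at every run; pinning an RVM release and checking its published signature, or vendoring the installer, is the usual mitigation. The script also runs with `-x` only, so a failed `rvm install` or `bundle install` does not stop it and `rake spec` still runs against a half-built environment; `#!/bin/sh -ex` (or `set -e` after the shebang) makes the failure visible. `cd $location` is unquoted and unchecked; `cd "$location" || exit 1` prevents a path with spaces or a missing directory from leaving the rest of the script running in the caller's directory. The same file is added byte-for-byte under default-osquery-syslog-fs, default-osquery-syslog, default-profiling and default, so the fix applies to all five copies.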
@@ -0,0 +1,14 @@
+#!/usr/bin/env bats
+#
+
+#
+# Idempotence test
+# from https://github.com/neillturner/kitchen-ansible/issues/92
+#
+
+@test "Second run should change nothing" {
+ skip "service module issue"
+ run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
+ [ "$status" -eq 0 ]
+}
+
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/default.yml b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/default.yml
new file mode 100644
index 00000000..b60930e6
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/default.yml
@@ -0,0 +1,17 @@
+---
+
+- hosts: all
+#- hosts: test-kitchen
+ vars:
+ - osquery_flags:
+ - '--logger_plugin=filesystem,syslog'
+ - osquery_logger_plugin: 'filesystem,syslog'
+ - osquery_syslog_target: '/var/log/osquery_syslog-results.log'
+ - osquery_syslog_target2: '/var/log/osquery_syslog-prog.log'
+ - osquery_testing: true
+ - osquery_syslog_dirs:
+ - /var/log
+ - osquery_testing_pause: true
+ roles:
+ - kbrebanov.osquery
+
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Gemfile b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Gemfile
new file mode 100644
index 00000000..938ed3ed
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Gemfile
@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+gem 'serverspec'
+gem 'rake'
+## for junit output and jenkins support
+## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
+#gem 'yarjuf'
+
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Rakefile b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Rakefile
new file mode 100644
index 00000000..3699568c
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Rakefile
@@ -0,0 +1,9 @@
+require 'rake'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec) do |t|
+ t.pattern = '*_spec.rb'
+end
+
+task :default => :spec
+
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_spec.rb b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_spec.rb
new file mode 100644
index 00000000..7b4fa769
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_spec.rb
@@ -0,0 +1,59 @@
+require 'serverspec'
+
+# Required by serverspec
+set :backend, :exec
+
+describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do
+## mostly exclude for docker/systemd distributions
+ it { should be_enabled }
+end
+describe service('osqueryd') do
+ it { should be_running }
+end
+
+describe file('/usr/bin/osqueryd') do
+ it { should be_executable }
+end
+describe file('/usr/bin/osqueryi') do
+ it { should be_executable }
+end
+
+describe file('/etc/osquery/osquery.conf') do
+ it { should contain '"config_plugin":' }
+ it { should contain '"packs": {' }
+ it { should contain '"filesystem,syslog"' }
+end
+
+describe process("osqueryd") do
+ its(:user) { should eq "root" }
+ its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ }
+ its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ }
+end
+
+describe file('/var/log/osquery/osqueryd.INFO') do
+ it { should be_symlink }
+ its(:content) { should match /Log line format:/ }
+end
+describe file('/var/log/osquery/osqueryd.WARNING') do
+ it { should be_symlink }
+ its(:content) { should match /Log line format:/ }
+ its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
+end
+describe file('/var/log/osquery/osqueryd.results.log') do
+ it { should be_file }
+# its(:content) { should match /hostIdentifier/ }
+ let(:sudo_options) { '-u root -H' }
+end
+
+describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do
+ its(:stdout) { should match /osqueryd is already running/ }
+ its(:exit_status) { should eq 0 }
+end
+describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do
+ its(:stdout) { should match /active \(running\)/ }
+ its(:exit_status) { should eq 0 }
+end
+describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do
+ its(:stdout) { should match /active \(running\)/ }
+ its(:exit_status) { should eq 0 }
+end
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_syslog_spec.rb b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_syslog_spec.rb
new file mode 100644
index 00000000..0752faeb
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_syslog_spec.rb
@@ -0,0 +1,18 @@
+require 'serverspec'
+
+# Required by serverspec
+set :backend, :exec
+
+describe file('/var/log/osquery_syslog-prog.log') do
+ it { should be_file }
+# its(:content) { should match /osqueryd: osqueryd started \[version=/ }
+ its(:content) { should_not match /Rocksdb open failed \(5:0\) IO error:/ }
+end
+describe file('/var/log/osquery_syslog-results.log') do
+ it { should be_file }
+ its(:content) { should match /hostIdentifier/ }
+# its(:content) { should match /pack/ }
+# its(:content) { should match /message=Executing scheduled query system_info:/ }
+ its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
+ let(:sudo_options) { '-u root -H' }
+end
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/rsyslog_spec.rb b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/rsyslog_spec.rb
new file mode 100644
index 00000000..c6069a7e
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/rsyslog_spec.rb
@@ -0,0 +1,47 @@
+require 'serverspec'
+
+# Required by serverspec
+set :backend, :exec
+
+describe service('rsyslog'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') || (os[:family] == 'redhat' && os[:release] != '7') do
+ it { should be_enabled }
+end
+describe service('rsyslog') do
+ it { should be_running }
+end
+
+describe file('/usr/sbin/rsyslogd') do
+ it { should be_executable }
+end
+
+describe process("rsyslogd"), :if => os[:family] == 'ubuntu' do
+ its(:user) { should eq "syslog" }
+end
+describe process("rsyslogd"), :if => os[:family] == 'redhat' do
+ its(:user) { should eq "root" }
+end
+
+describe file('/var/log'), :if => os[:family] == 'ubuntu' do
+ it { should be_directory }
+ it { should be_mode 775 }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'syslog' }
+# it { should be_writable.by('group') }
+ it { should be_writable.by_user('syslog') }
+end
+describe file('/var/log'), :if => os[:family] == 'redhat' do
+ it { should be_directory }
+ it { should be_mode 755 }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+# it { should be_writable.by('group') }
+end
+
+describe file('/var/log/syslog'), :if => os[:family] == 'ubuntu' do
+ it { should be_file }
+end
+
+describe file('/var/log/messages'), :if => os[:family] == 'redhat' do
+ it { should be_file }
+end
+
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/run-local-tests.sh b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/run-local-tests.sh
new file mode 100755
index 00000000..39050487
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/run-local-tests.sh
@@ -0,0 +1,32 @@
+#!/bin/sh -x
+## get consistent ruby2+bundler env on each distribution
+
+location=`dirname "$0"`
+cd $location
+v=2.3
+
+## docker environment in travis missing few utils
+[ -f /etc/debian_version ] && apt-get install -y curl
+[ -f /etc/redhat-release ] && yum -y install which
+
+curl -sSL https://get.rvm.io | bash
+#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
+#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
+
+## troubleshoot
+type rvm | head -1
+env
+
+#export PATH=/usr/local/rvm/bin:$PATH
+
+bash -l -c "rvm install $v"
+bash -l -c "rvm use $v"
+bash -l -c "rvm use $v --default"
+bash -l -c "gem install bundler"
+bash -l -c "bundle install --path ./gems"
+if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
+ bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
+else
+ bash -l -c "bundle exec rake spec"
+fi
+
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/bats/idempotency.bats b/osquery/roles/osquery/test/integration/default-osquery-syslog/bats/idempotency.bats
new file mode 100644
index 00000000..0ce1c670
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog/bats/idempotency.bats
@@ -0,0 +1,14 @@
+#!/usr/bin/env bats
+#
+
+#
+# Idempotence test
+# from https://github.com/neillturner/kitchen-ansible/issues/92
+#
+
+@test "Second run should change nothing" {
+ skip "service module issue"
+ run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
+ [ "$status" -eq 0 ]
+}
+
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/default.yml b/osquery/roles/osquery/test/integration/default-osquery-syslog/default.yml
new file mode 100644
index 00000000..f14acd08
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog/default.yml
@@ -0,0 +1,17 @@
+---
+
+- hosts: all
+#- hosts: test-kitchen
+ vars:
+# - osquery_flags:
+# - '--logger_plugin=syslog'
+ - osquery_logger_plugin: 'syslog'
+ - osquery_syslog_target: '/var/log/osquery_syslog-results.log'
+ - osquery_syslog_target2: '/var/log/osquery_syslog-prog.log'
+ - osquery_testing: true
+ - osquery_syslog_dirs:
+ - /var/log
+ - osquery_testing_pause: true
+ roles:
+ - kbrebanov.osquery
+
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Gemfile b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Gemfile
new file mode 100644
index 00000000..938ed3ed
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Gemfile
@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+gem 'serverspec'
+gem 'rake'
+## for junit output and jenkins support
+## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
+#gem 'yarjuf'
+
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Rakefile b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Rakefile
new file mode 100644
index 00000000..3699568c
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Rakefile
@@ -0,0 +1,9 @@
+require 'rake'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec) do |t|
+ t.pattern = '*_spec.rb'
+end
+
+task :default => :spec
+
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_spec.rb b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_spec.rb
new file mode 100644
index 00000000..6c1e3b7f
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_spec.rb
@@ -0,0 +1,44 @@
+require 'serverspec'
+
+# Required by serverspec
+set :backend, :exec
+
+describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do
+## mostly exclude for docker/systemd distributions
+ it { should be_enabled }
+end
+describe service('osqueryd') do
+ it { should be_running }
+end
+
+describe file('/usr/bin/osqueryd') do
+ it { should be_executable }
+end
+describe file('/usr/bin/osqueryi') do
+ it { should be_executable }
+end
+
+describe file('/etc/osquery/osquery.conf') do
+ it { should contain '"config_plugin":' }
+ it { should contain '"packs": {' }
+ it { should contain '"syslog"' }
+end
+
+describe process("osqueryd") do
+ its(:user) { should eq "root" }
+ its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ }
+ its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ }
+end
+
+describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do
+ its(:stdout) { should match /osqueryd is already running/ }
+ its(:exit_status) { should eq 0 }
+end
+describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do
+ its(:stdout) { should match /active \(running\)/ }
+ its(:exit_status) { should eq 0 }
+end
+describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do
+ its(:stdout) { should match /active \(running\)/ }
+ its(:exit_status) { should eq 0 }
+end
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_syslog_spec.rb b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_syslog_spec.rb
new file mode 100644
index 00000000..4cc4d257
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_syslog_spec.rb
@@ -0,0 +1,27 @@
+require 'serverspec'
+
+# Required by serverspec
+set :backend, :exec
+
+describe file('/var/log/osquery_syslog-prog.log') do
+ it { should be_file }
+# its(:content) { should match /osqueryd: osqueryd started \[version=/ }
+ its(:content) { should match /Executing scheduled query system_info:/ }
+ its(:content) { should_not match /Rocksdb open failed \(5:0\) IO error:/ }
+ its(:content) { should_not match /osqueryd initialize failed: Could not initialize database/ }
+end
+describe file('/var/log/osquery_syslog-results.log') do
+ it { should be_file }
+ its(:content) { should match /hostIdentifier/ }
+# its(:content) { should match /pack/ }
+ its(:content) { should match /message=Executing scheduled query system_info:/ }
+ its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
+ let(:sudo_options) { '-u root -H' }
+end
+
+describe command('journalctl -l') do
+ its(:stdout) { should match /osqueryd/ }
+ its(:stdout) { should match /Executing scheduled query system_info:/ }
+ its(:stdout) { should match /hostIdentifier/ }
+ its(:exit_status) { should eq 0 }
+end
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/rsyslog_spec.rb b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/rsyslog_spec.rb
new file mode 100644
index 00000000..c6069a7e
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/rsyslog_spec.rb
@@ -0,0 +1,47 @@
+require 'serverspec'
+
+# Required by serverspec
+set :backend, :exec
+
+describe service('rsyslog'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') || (os[:family] == 'redhat' && os[:release] != '7') do
+ it { should be_enabled }
+end
+describe service('rsyslog') do
+ it { should be_running }
+end
+
+describe file('/usr/sbin/rsyslogd') do
+ it { should be_executable }
+end
+
+describe process("rsyslogd"), :if => os[:family] == 'ubuntu' do
+ its(:user) { should eq "syslog" }
+end
+describe process("rsyslogd"), :if => os[:family] == 'redhat' do
+ its(:user) { should eq "root" }
+end
+
+describe file('/var/log'), :if => os[:family] == 'ubuntu' do
+ it { should be_directory }
+ it { should be_mode 775 }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'syslog' }
+# it { should be_writable.by('group') }
+ it { should be_writable.by_user('syslog') }
+end
+describe file('/var/log'), :if => os[:family] == 'redhat' do
+ it { should be_directory }
+ it { should be_mode 755 }
+ it { should be_owned_by 'root' }
+ it { should be_grouped_into 'root' }
+# it { should be_writable.by('group') }
+end
+
+describe file('/var/log/syslog'), :if => os[:family] == 'ubuntu' do
+ it { should be_file }
+end
+
+describe file('/var/log/messages'), :if => os[:family] == 'redhat' do
+ it { should be_file }
+end
+
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/run-local-tests.sh b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/run-local-tests.sh
new file mode 100755
index 00000000..39050487
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/run-local-tests.sh
@@ -0,0 +1,32 @@
+#!/bin/sh -x
+## get consistent ruby2+bundler env on each distribution
+
+location=`dirname "$0"`
+cd $location
+v=2.3
+
+## docker environment in travis missing few utils
+[ -f /etc/debian_version ] && apt-get install -y curl
+[ -f /etc/redhat-release ] && yum -y install which
+
+curl -sSL https://get.rvm.io | bash
+#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
+#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
+
+## troubleshoot
+type rvm | head -1
+env
+
+#export PATH=/usr/local/rvm/bin:$PATH
+
+bash -l -c "rvm install $v"
+bash -l -c "rvm use $v"
+bash -l -c "rvm use $v --default"
+bash -l -c "gem install bundler"
+bash -l -c "bundle install --path ./gems"
+if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
+ bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
+else
+ bash -l -c "bundle exec rake spec"
+fi
+
diff --git a/osquery/roles/osquery/test/integration/default-profiling/bats/idempotency.bats b/osquery/roles/osquery/test/integration/default-profiling/bats/idempotency.bats
new file mode 100644
index 00000000..0ce1c670
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-profiling/bats/idempotency.bats
@@ -0,0 +1,14 @@
+#!/usr/bin/env bats
+#
+
+#
+# Idempotence test
+# from https://github.com/neillturner/kitchen-ansible/issues/92
+#
+
+@test "Second run should change nothing" {
+ skip "service module issue"
+ run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
+ [ "$status" -eq 0 ]
+}
+
diff --git a/osquery/roles/osquery/test/integration/default-profiling/default.yml b/osquery/roles/osquery/test/integration/default-profiling/default.yml
new file mode 100644
index 00000000..6d930f0f
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-profiling/default.yml
@@ -0,0 +1,11 @@
+---
+
+- hosts: all
+#- hosts: test-kitchen
+ vars:
+ - osquery_testing: true
+ - osquery_profiling: true
+ - osquery_testing_fim_load: true
+ roles:
+ - kbrebanov.osquery
+
diff --git a/osquery/roles/osquery/test/integration/default-profiling/serverspec/Gemfile b/osquery/roles/osquery/test/integration/default-profiling/serverspec/Gemfile
new file mode 100644
index 00000000..938ed3ed
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-profiling/serverspec/Gemfile
@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+gem 'serverspec'
+gem 'rake'
+## for junit output and jenkins support
+## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
+#gem 'yarjuf'
+
diff --git a/osquery/roles/osquery/test/integration/default-profiling/serverspec/Rakefile b/osquery/roles/osquery/test/integration/default-profiling/serverspec/Rakefile
new file mode 100644
index 00000000..3699568c
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-profiling/serverspec/Rakefile
@@ -0,0 +1,9 @@
+require 'rake'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec) do |t|
+ t.pattern = '*_spec.rb'
+end
+
+task :default => :spec
+
diff --git a/osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_load_spec.rb b/osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_load_spec.rb
new file mode 100644
index 00000000..0a1a0c5d
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_load_spec.rb
@@ -0,0 +1,17 @@
+require 'serverspec'
+
+# Required by serverspec
+set :backend, :exec
+
+describe file('/var/log/osquery/osqueryd.results.log') do
+ it { should contain '"system_info",' }
+ it { should contain '"physical_memory":' }
+ it { should contain '"target_path":"\/etc\/testing-big-file"' }
+ it { should contain '"target_path":"\/etc\/testing-aa"' }
+ it { should contain '"target_path":"\/etc\/testing-zz' }
+ it { should contain '"action":"CREATED"' }
+ it { should contain '"action":"UPDATED"' }
+ it { should contain '"action":"DELETED"' }
+ it { should_not contain '"target_path":"\/tmp\/' }
+ it { should_not contain '"target_path":"\/var\/' }
+end
diff --git a/osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_spec.rb b/osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_spec.rb
new file mode 100644
index 00000000..7ba33616
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_spec.rb
@@ -0,0 +1,59 @@
+require 'serverspec'
+
+# Required by serverspec
+set :backend, :exec
+
+describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do
+## mostly exclude for docker/systemd distributions
+ it { should be_enabled }
+end
+describe service('osqueryd') do
+ it { should be_running }
+end
+
+describe file('/usr/bin/osqueryd') do
+ it { should be_executable }
+end
+describe file('/usr/bin/osqueryi') do
+ it { should be_executable }
+end
+
+describe file('/etc/osquery/osquery.conf') do
+ it { should contain '"config_plugin":' }
+ it { should contain '"packs": {' }
+ it { should contain '"filesystem"' }
+end
+
+describe process("osqueryd") do
+ its(:user) { should eq "root" }
+ its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ }
+ its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ }
+end
+
+describe file('/var/log/osquery/osqueryd.INFO') do
+ it { should be_symlink }
+ its(:content) { should match /Log line format:/ }
+end
+describe file('/var/log/osquery/osqueryd.WARNING') do
+ it { should be_symlink }
+ its(:content) { should match /Log line format:/ }
+ its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
+end
+describe file('/var/log/osquery/osqueryd.results.log') do
+ it { should be_file }
+# its(:content) { should match /hostIdentifier/ }
+ let(:sudo_options) { '-u root -H' }
+end
+
+describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do
+ its(:stdout) { should match /osqueryd is already running/ }
+ its(:exit_status) { should eq 0 }
+end
+describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do
+ its(:stdout) { should match /active \(running\)/ }
+ its(:exit_status) { should eq 0 }
+end
+describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do
+ its(:stdout) { should match /active \(running\)/ }
+ its(:exit_status) { should eq 0 }
+end
diff --git a/osquery/roles/osquery/test/integration/default-profiling/serverspec/run-local-tests.sh b/osquery/roles/osquery/test/integration/default-profiling/serverspec/run-local-tests.sh
new file mode 100755
index 00000000..39050487
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default-profiling/serverspec/run-local-tests.sh
@@ -0,0 +1,32 @@
+#!/bin/sh -x
+## get consistent ruby2+bundler env on each distribution
+
+location=`dirname "$0"`
+cd $location
+v=2.3
+
+## docker environment in travis missing few utils
+[ -f /etc/debian_version ] && apt-get install -y curl
+[ -f /etc/redhat-release ] && yum -y install which
+
+curl -sSL https://get.rvm.io | bash
+#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
+#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
+
+## troubleshoot
+type rvm | head -1
+env
+
+#export PATH=/usr/local/rvm/bin:$PATH
+
+bash -l -c "rvm install $v"
+bash -l -c "rvm use $v"
+bash -l -c "rvm use $v --default"
+bash -l -c "gem install bundler"
+bash -l -c "bundle install --path ./gems"
+if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
+ bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
+else
+ bash -l -c "bundle exec rake spec"
+fi
+
diff --git a/osquery/roles/osquery/test/integration/default/bats/idempotency.bats b/osquery/roles/osquery/test/integration/default/bats/idempotency.bats
new file mode 100644
index 00000000..0ce1c670
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default/bats/idempotency.bats
@@ -0,0 +1,14 @@
+#!/usr/bin/env bats
+#
+
+#
+# Idempotence test
+# from https://github.com/neillturner/kitchen-ansible/issues/92
+#
+
+@test "Second run should change nothing" {
+ skip "service module issue"
+ run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
+ [ "$status" -eq 0 ]
+}
+
diff --git a/osquery/roles/osquery/test/integration/default/default.yml b/osquery/roles/osquery/test/integration/default/default.yml
new file mode 100644
index 00000000..a7adba95
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default/default.yml
@@ -0,0 +1,7 @@
+---
+
+- hosts: all
+#- hosts: test-kitchen
+ roles:
+ - kbrebanov.osquery
+
diff --git a/osquery/roles/osquery/test/integration/default/serverspec/Gemfile b/osquery/roles/osquery/test/integration/default/serverspec/Gemfile
new file mode 100644
index 00000000..938ed3ed
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default/serverspec/Gemfile
@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+gem 'serverspec'
+gem 'rake'
+## for junit output and jenkins support
+## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
+#gem 'yarjuf'
+
diff --git a/osquery/roles/osquery/test/integration/default/serverspec/Rakefile b/osquery/roles/osquery/test/integration/default/serverspec/Rakefile
new file mode 100644
index 00000000..3699568c
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default/serverspec/Rakefile
@@ -0,0 +1,9 @@
+require 'rake'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec) do |t|
+ t.pattern = '*_spec.rb'
+end
+
+task :default => :spec
+
diff --git a/osquery/roles/osquery/test/integration/default/serverspec/osquery_spec.rb b/osquery/roles/osquery/test/integration/default/serverspec/osquery_spec.rb
new file mode 100644
index 00000000..7ba33616
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default/serverspec/osquery_spec.rb
@@ -0,0 +1,59 @@
+require 'serverspec'
+
+# Required by serverspec
+set :backend, :exec
+
+describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do
+## mostly exclude for docker/systemd distributions
+ it { should be_enabled }
+end
+describe service('osqueryd') do
+ it { should be_running }
+end
+
+describe file('/usr/bin/osqueryd') do
+ it { should be_executable }
+end
+describe file('/usr/bin/osqueryi') do
+ it { should be_executable }
+end
+
+describe file('/etc/osquery/osquery.conf') do
+ it { should contain '"config_plugin":' }
+ it { should contain '"packs": {' }
+ it { should contain '"filesystem"' }
+end
+
+describe process("osqueryd") do
+ its(:user) { should eq "root" }
+ its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ }
+ its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ }
+end
+
+describe file('/var/log/osquery/osqueryd.INFO') do
+ it { should be_symlink }
+ its(:content) { should match /Log line format:/ }
+end
+describe file('/var/log/osquery/osqueryd.WARNING') do
+ it { should be_symlink }
+ its(:content) { should match /Log line format:/ }
+ its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
+end
+describe file('/var/log/osquery/osqueryd.results.log') do
+ it { should be_file }
+# its(:content) { should match /hostIdentifier/ }
+ let(:sudo_options) { '-u root -H' }
+end
+
+describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do
+ its(:stdout) { should match /osqueryd is already running/ }
+ its(:exit_status) { should eq 0 }
+end
+describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do
+ its(:stdout) { should match /active \(running\)/ }
+ its(:exit_status) { should eq 0 }
+end
+describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do
+ its(:stdout) { should
match /active \(running\)/ }
+ its(:exit_status) { should eq 0 }
+end
diff --git a/osquery/roles/osquery/test/integration/default/serverspec/run-local-tests.sh b/osquery/roles/osquery/test/integration/default/serverspec/run-local-tests.sh
new file mode 100755
index 00000000..39050487
--- /dev/null
+++ b/osquery/roles/osquery/test/integration/default/serverspec/run-local-tests.sh
@@ -0,0 +1,32 @@
+#!/bin/sh -x
+## get consistent ruby2+bundler env on each distribution
+
+location=`dirname "$0"`
+cd $location
+v=2.3
+
+## docker environment in travis missing few utils
+[ -f /etc/debian_version ] && apt-get install -y curl
+[ -f /etc/redhat-release ] && yum -y install which
+
+curl -sSL https://get.rvm.io | bash
+#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
+#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
+
+## troubleshoot
+type rvm | head -1
+env
+
+#export PATH=/usr/local/rvm/bin:$PATH
+
+bash -l -c "rvm install $v"
+bash -l -c "rvm use $v"
+bash -l -c "rvm use $v --default"
+bash -l -c "gem install bundler"
+bash -l -c "bundle install --path ./gems"
+if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
+ bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
+else
+ bash -l -c "bundle exec rake spec"
+fi
+
diff --git a/osquery/roles/osquery/test/lxd/centos-ssh-image.sh b/osquery/roles/osquery/test/lxd/centos-ssh-image.sh
new file mode 100644
index 00000000..001073ff
--- /dev/null
+++ b/osquery/roles/osquery/test/lxd/centos-ssh-image.sh
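Review bot: The `:if` guard on the first `describe service('osqueryd')` block, `(os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat')`, carries a redundant second clause (the family is already required to be ubuntu), and the comment beneath it says it excludes docker/systemd distributions while the condition only skips 16.04, so 18.04 — which the later `systemctl status` block treats as a systemd release — still gets the `be_enabled` check. If the intent is "upstart hosts only", `:if => os[:family] == 'ubuntu' && os[:release] == '14.04'` says so directly; otherwise the comment should spell out the intended set. The `let(:sudo_options)` in the results.log block only matters for the commented-out content example, so it can go until that example is restored. The same spec is added verbatim under default-profiling/serverspec, whose hunk starts before this chunk.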
@@ -0,0 +1,25 @@
+#!/bin/sh
+# add ssh to default lxd image
+
+image=centos-7
+guest=default-$image
+template="$image"-nossh
+publishalias="$image"
+
+lxc init $template $guest
+lxc start $guest
+openssl rand -base64 48 | perl -ne 'print "$_" x2' | lxc exec $guest -- passwd root
+
+lxc exec $guest -- dhclient eth0
+lxc exec $guest -- ping -c 1 8.8.8.8
+lxc exec $guest -- yum update
+lxc exec $guest -- yum -y upgrade
+lxc exec $guest -- yum install -y openssh-server sudo ruby yum-utils
+lxc exec $guest -- systemctl enable sshd
+lxc exec $guest -- systemctl start sshd
+lxc exec $guest -- mkdir /root/.ssh || true
+lxc exec $guest -- gem install busser
+
+lxc stop $guest --force
+lxc publish $guest --alias $publishalias
+lxc delete $guest
diff --git a/osquery/roles/osquery/test/travis/Dockerfile.alpine-3.4 b/osquery/roles/osquery/test/travis/Dockerfile.alpine-3.4
new file mode 100644
index 00000000..861b7cda
--- /dev/null
+++ b/osquery/roles/osquery/test/travis/Dockerfile.alpine-3.4
@@ -0,0 +1,9 @@
+FROM alpine:3.4
+RUN apk update
+
+# Install Ansible
+RUN apk add git ansible python python-dev py-pip
+RUN mkdir /etc/ansible
+
+# Install Ansible inventory file
+RUN (echo "[local]"; echo "localhost ansible_connection=local") > /etc/ansible/hosts
diff --git a/osquery/roles/osquery/test/travis/Dockerfile.centos-6 b/osquery/roles/osquery/test/travis/Dockerfile.centos-6
new file mode 100644
index 00000000..3d5f0c86
--- /dev/null
+++ b/osquery/roles/osquery/test/travis/Dockerfile.centos-6
@@ -0,0 +1,15 @@
+FROM centos:6
+
+# Install Ansible
+RUN yum -y update; yum clean all;
+RUN yum -y install epel-release
+RUN yum -y install git ansible sudo python-pip
+RUN yum clean all
+
+# Disable requiretty
+RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers
+
+# Install Ansible inventory file
+RUN echo -e '[local]\nlocalhost ansible_connection=local' > /etc/ansible/hosts
+
+CMD ["/usr/sbin/init"]
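Review bot: The script has no `set -e`, so if `yum install -y openssh-server sudo ruby yum-utils` or `systemctl enable sshd` fails the guest is still published under `$publishalias` and every later test run starts from a broken base; add `set -eu` after the shebang so the publish step only runs after a clean build. `yum update` without `-y` cannot confirm its prompt inside a non-interactive `lxc exec`, and the `yum -y upgrade` on the next line does the same work, so the first call can be dropped. `mkdir /root/.ssh || true` relies on the guest's umask for the directory mode; `mkdir -m 0700 /root/.ssh` is the conventional mode for that directory and makes the intent explicit.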
diff --git a/osquery/roles/osquery/test/travis/Dockerfile.centos-7 b/osquery/roles/osquery/test/travis/Dockerfile.centos-7
new file mode 100644
index 00000000..5763ece8
--- /dev/null
+++ b/osquery/roles/osquery/test/travis/Dockerfile.centos-7
@@ -0,0 +1,29 @@
+FROM centos:7
+
+# Install systemd -- See https://hub.docker.com/_/centos/
+RUN yum -y swap -- remove fakesystemd -- install systemd systemd-libs
+RUN yum -y update; yum clean all; \
+(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
+rm -f /lib/systemd/system/multi-user.target.wants/*; \
+rm -f /etc/systemd/system/*.wants/*; \
+rm -f /lib/systemd/system/local-fs.target.wants/*; \
+rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
+rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
+rm -f /lib/systemd/system/basic.target.wants/*; \
+rm -f /lib/systemd/system/anaconda.target.wants/*;
+
+# Install Ansible
+RUN yum -y install epel-release
+RUN yum -y install git sudo python-pip python-devel libffi-devel
+RUN yum -y groupinstall 'Development Tools'
+RUN yum clean all
+
+# Disable requiretty
+RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers
+
+# Install Ansible inventory file
+RUN mkdir /etc/ansible
+RUN echo -e '[local]\nlocalhost ansible_connection=local' > /etc/ansible/hosts
+
+VOLUME ["/sys/fs/cgroup"]
+CMD ["/usr/sbin/init"]
diff --git a/osquery/roles/osquery/test/travis/Dockerfile.debian-8 b/osquery/roles/osquery/test/travis/Dockerfile.debian-8
new file mode 100644
index 00000000..bc6a52fb
--- /dev/null
+++ b/osquery/roles/osquery/test/travis/Dockerfile.debian-8
@@ -0,0 +1,11 @@
+FROM debian:8
+RUN apt-get update
+
+# Install Ansible
+RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git python sudo python-pip python-dev libffi-dev libssl-dev
+RUN pip install --upgrade cffi
+RUN pip install ansible
+RUN install -d -m 0755 /etc/ansible
+
+# Install Ansible inventory file
+RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
diff --git a/osquery/roles/osquery/test/travis/Dockerfile.debian-9 b/osquery/roles/osquery/test/travis/Dockerfile.debian-9
new file mode 100644
index 00000000..8cb908b2
--- /dev/null
+++ b/osquery/roles/osquery/test/travis/Dockerfile.debian-9
@@ -0,0 +1,12 @@
+FROM debian:9
+RUN apt-get update
+
+# Install Ansible
+RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git
+RUN apt-get update
+RUN apt-get install -y python sudo python-pip python-dev libffi-dev
+RUN pip install --upgrade setuptools
+
+RUN mkdir -p /etc/ansible
+# Install Ansible inventory file
+RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
diff --git a/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-12.04 b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-12.04
new file mode 100644
index 00000000..e0471c17
--- /dev/null
+++ b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-12.04
@@ -0,0 +1,11 @@
+FROM ubuntu:12.04
+RUN apt-get update
+
+# Install Ansible
+RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common python-software-properties git
+RUN apt-add-repository -y ppa:ansible/ansible
+RUN apt-get update
+RUN apt-get install -y ansible python-pip
+
+# Install Ansible inventory file
+RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
diff --git a/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-14.04 b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-14.04
new file mode 100644
index 00000000..9466b900
--- /dev/null
+++ b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-14.04
@@ -0,0 +1,15 @@
+FROM ubuntu:14.04
+RUN apt-get update
+
+# Install Ansible
+RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git
+#RUN apt-add-repository -y ppa:ansible/ansible
+RUN apt-get update
+RUN apt-get install -y python-pip python-dev libffi-dev
+
+COPY initctl_faker .
+RUN chmod +x initctl_faker && rm -fr /sbin/initctl && ln -s /initctl_faker /sbin/initctl
+
+# Install Ansible inventory file
+RUN mkdir /etc/ansible
+RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
diff --git a/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-16.04 b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-16.04
new file mode 100644
index 00000000..987793fb
--- /dev/null
+++ b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-16.04
@@ -0,0 +1,12 @@
+FROM ubuntu:16.04
+RUN apt-get update
+
+# Install Ansible
+RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git
+#RUN apt-add-repository -y ppa:ansible/ansible
+RUN apt-get update
+RUN apt-get install -y python sudo python-pip python-dev libffi-dev
+
+# Install Ansible inventory file
+RUN mkdir /etc/ansible
+RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
diff --git a/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-18.04 b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-18.04
new file mode 100644
index 00000000..785803d0
--- /dev/null
+++ b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-18.04
@@ -0,0 +1,11 @@
+FROM ubuntu:18.04
+RUN apt-get update
+
+# Install Ansible
+RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git systemd
+RUN apt-get update
+RUN apt-get install -y python sudo python-pip python-dev libffi-dev
+
+# Install Ansible inventory file
+RUN mkdir /etc/ansible
+RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
diff --git a/osquery/roles/osquery/test/travis/initctl_faker b/osquery/roles/osquery/test/travis/initctl_faker
new file mode 100644
index 00000000..8a05ae86
--- /dev/null
+++ b/osquery/roles/osquery/test/travis/initctl_faker
@@ -0,0 +1,25 @@
+#!/bin/sh
+## from https://github.com/oxyc/drupal-vm/blob/84b3ad6cf65fb87ac60777c5aca55bb82a45b4aa/tests/initctl_faker
+ALIAS_CMD="$(echo ""$0"" | sed -e 's?/sbin/??')"
+
+case "$ALIAS_CMD" in
+ start|stop|restart|reload|status)
+ exec service $1 $ALIAS_CMD
+ ;;
+esac
+
+case "$1" in
+ list )
+ exec service --status-all
+ ;;
+ reload-configuration )
+ exec service $2 restart
+ ;;
+ start|stop|restart|reload|status)
+ exec service $2 $1
+ ;;
+ \?)
+ exit 0
+ ;;
+esac
+
diff --git a/osquery/roles/osquery/test/vagrant/Vagrantfile b/osquery/roles/osquery/test/vagrant/Vagrantfile
new file mode 100644
index 00000000..393896a0
--- /dev/null
+++ b/osquery/roles/osquery/test/vagrant/Vagrantfile
@@ -0,0 +1,36 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+VAGRANTFILE_API_VERSION = "2"
+ENV['VAGRANT_DEFAULT_PROVIDER'] = 'virtualbox'
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+ config.vm.box = "ubuntu/bionic64"
+ #config.vm.box = "ubuntu/xenial64"
+ #config.vm.box = "boxcutter/ubuntu1604"
+ #config.vm.box = "ubuntu/trusty64"
+ #config.vm.box = "centos/7"
+ #config.vm.box = "generic/alpine36"
+
+ config.vm.provision :ansible do |ansible|
+ ansible.playbook = "site.yml"
+ #ansible.verbose = "vvvv"
+ #ansible.host_key_checking = false
+ #ansible.limit = 'all'
+ ansible.become = true
+ ansible.extra_vars = { ansible_user: 'vagrant', ansible_python_interpreter: '/usr/bin/python3' }
+ ansible.groups = {
+ "myrole" => ["osquery" ],
+ }
+ end
+
+ config.vm.define "vosquery" do |cfg|
+ cfg.vm.hostname = "vosquery"
+ cfg.vm.provider "virtualbox" do |v|
+ v.memory = 512
+ end
+
+ end
+
+end
+
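Review bot: `ansible.groups = { "myrole" => ["osquery" ] }` lists a machine named `osquery`, but the only machine this Vagrantfile defines is `vosquery`, so the `myrole` group is empty and any play targeting it would match no host; it should read `"myrole" => ["vosquery"]`. Since site.yml targets `hosts: all`, the group is also unused today — either drop it or give it the real machine name so it is ready when a play needs it. The commented-out `ansible.host_key_checking = false` is best left commented; disabling host-key verification should not become the default of a checked-in file.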
diff --git a/osquery/roles/osquery/test/vagrant/ansible.cfg b/osquery/roles/osquery/test/vagrant/ansible.cfg
new file mode 100644
index 00000000..4dacf8db
--- /dev/null
+++ b/osquery/roles/osquery/test/vagrant/ansible.cfg
@@ -0,0 +1,3 @@
+[defaults]
+callback_whitelist = profile_tasks, timer
+roles_path = ../../../
diff --git a/osquery/roles/osquery/test/vagrant/site.yml b/osquery/roles/osquery/test/vagrant/site.yml
new file mode 100644
index 00000000..27abbe1d
--- /dev/null
+++ b/osquery/roles/osquery/test/vagrant/site.yml
@@ -0,0 +1,6 @@
+---
+
+- hosts: all
+ roles:
+ - kbrebanov.osquery
+
diff --git a/osquery/roles/osquery/tests/inventory b/osquery/roles/osquery/tests/inventory
new file mode 100644
index 00000000..2fbb50c4
--- /dev/null
+++ b/osquery/roles/osquery/tests/inventory
@@ -0,0 +1 @@
+localhost
diff --git a/osquery/roles/osquery/tests/test.yml b/osquery/roles/osquery/tests/test.yml
new file mode 100644
index 00000000..dddb318b
--- /dev/null
+++ b/osquery/roles/osquery/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - ansible-osquery
diff --git a/osquery/roles/osquery/vars/CentOS-6.yml b/osquery/roles/osquery/vars/CentOS-6.yml
new file mode 100644
index 00000000..0c747005
--- /dev/null
+++ b/osquery/roles/osquery/vars/CentOS-6.yml
@@ -0,0 +1,2 @@
+---
+_osquery_auditd_pkg: "audit"
diff --git a/osquery/roles/osquery/vars/CentOS-7.yml b/osquery/roles/osquery/vars/CentOS-7.yml
new file mode 100644
index 00000000..0c747005
--- /dev/null
+++ b/osquery/roles/osquery/vars/CentOS-7.yml
@@ -0,0 +1,2 @@
+---
+_osquery_auditd_pkg: "audit"
diff --git a/osquery/roles/osquery/vars/CentOS.yml b/osquery/roles/osquery/vars/CentOS.yml
new file mode 100644
index 00000000..739cf1be
--- /dev/null
+++ b/osquery/roles/osquery/vars/CentOS.yml
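Review bot: The test playbooks refer to the vendored role by different names — `kbrebanov.osquery` in vagrant/site.yml and in integration/default/default.yml, `ansible-osquery` in tests/test.yml — while ansible.cfg sets `roles_path = ../../../`, which from the vagrant directory presumably resolves to `osquery/roles/`, where the role directory is named `osquery`. Unless a symlink or a galaxy install supplies those names, none of the three resolves against the vendored copy; using the directory name, `- osquery`, in all three playbooks, or adding a comment in ansible.cfg naming the symlink that is expected, would keep the vagrant and kitchen runs exercising the code this commit actually vendors.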
@@ -0,0 +1,18 @@
+---
+# vars file for osquery (CentOS specific)
+
+osquery_packages:
+ - osquery
+ - rsyslog
+ - libselinux-python
+
+osquery_debug_packages:
+ - osquery-debuginfo
+
+_osquery_repository: "{{ osquery_repository | default('https://pkg.osquery.io/rpm/osquery-s3-rpm.repo') }}"
+_osquery_repositorykey: "{{ osquery_repositorykey | default('https://pkg.osquery.io/rpm/GPG') }}"
+
+_osquery_auditd_pkg: "audit"
+
+varlog_group: root
+varlog_mode: '0755'
diff --git a/osquery/roles/osquery/vars/Debian.yml b/osquery/roles/osquery/vars/Debian.yml
new file mode 100644
index 00000000..9b5cce8d
--- /dev/null
+++ b/osquery/roles/osquery/vars/Debian.yml
@@ -0,0 +1,19 @@
+---
+# vars file for osquery (Debian specific)
+# https://github.com/facebook/osquery/issues/320
+# https://github.com/facebook/osquery/issues/2321
+
+osquery_packages:
+ - osquery
+ - rsyslog
+
+osquery_debug_packages:
+ - osquery-dbg
+
+_osquery_repository: "{{ osquery_repository | default('deb [arch=amd64] https://pkg.osquery.io/deb deb main') }}"
+_osquery_repositorykey: "{{ osquery_repositorykey | default('1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B') }}"
+
+_osquery_auditd_pkg: "auditd"
+
+varlog_group: syslog
+varlog_mode: '0775'
diff --git a/osquery/roles/osquery/vars/RedHat-6.yml b/osquery/roles/osquery/vars/RedHat-6.yml
new file mode 100644
index 00000000..0c747005
--- /dev/null
+++ b/osquery/roles/osquery/vars/RedHat-6.yml
@@ -0,0 +1,2 @@
+---
+_osquery_auditd_pkg: "audit"
diff --git a/osquery/roles/osquery/vars/RedHat-7.yml b/osquery/roles/osquery/vars/RedHat-7.yml
new file mode 100644
index 00000000..0c747005
--- /dev/null
+++ b/osquery/roles/osquery/vars/RedHat-7.yml
@@ -0,0 +1,2 @@
+---
+_osquery_auditd_pkg: "audit"
diff --git a/osquery/roles/osquery/vars/RedHat.yml b/osquery/roles/osquery/vars/RedHat.yml
new file mode 100644
index 00000000..739cf1be
--- /dev/null
+++ b/osquery/roles/osquery/vars/RedHat.yml
@@ -0,0 +1,18 @@
+---
+# vars file for osquery (CentOS specific)
+
+osquery_packages:
+ - osquery
+ - rsyslog
+ - libselinux-python
+
+osquery_debug_packages:
+ - osquery-debuginfo
+
+_osquery_repository: "{{ osquery_repository | default('https://pkg.osquery.io/rpm/osquery-s3-rpm.repo') }}"
+_osquery_repositorykey: "{{ osquery_repositorykey | default('https://pkg.osquery.io/rpm/GPG') }}"
+
+_osquery_auditd_pkg: "audit"
+
+varlog_group: root
+varlog_mode: '0755'
diff --git a/osquery/roles/osquery/vars/Ubuntu.yml b/osquery/roles/osquery/vars/Ubuntu.yml
new file mode 100644
index 00000000..0d5204aa
--- /dev/null
+++ b/osquery/roles/osquery/vars/Ubuntu.yml
@@ -0,0 +1,17 @@
+---
+# vars file for osquery (Ubuntu specific)
+
+osquery_packages:
+ - osquery
+ - rsyslog
+
+osquery_debug_packages:
+ - osquery-dbg
+
+_osquery_repository: "{{ osquery_repository | default('deb [arch=amd64] https://pkg.osquery.io/deb deb main') }}"
+_osquery_repositorykey: "{{ osquery_repositorykey | default('1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B') }}"
+
+_osquery_auditd_pkg: "auditd"
+
+varlog_group: syslog
+varlog_mode: '0775'
diff --git a/osquery/roles/osquery/vars/main.yml b/osquery/roles/osquery/vars/main.yml
new file mode 100644
index 00000000..444e1029
--- /dev/null
+++ b/osquery/roles/osquery/vars/main.yml
@@ -0,0 +1,6 @@
+---
+# vars file for osquery
+
+osquery_packages:
+ - osquery
+ - rsyslog
diff --git a/osquery/site-osquery.yml b/osquery/site-osquery.yml
index da0743c0..686affbd 100644
--- a/osquery/site-osquery.yml
+++ b/osquery/site-osquery.yml
@@ -11,5 +11,4 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- import_playbook: registerSSLcerts.yml
 - import_playbook: installOSquery.yml
diff --git a/osquery/vars/variables.yml b/osquery/vars/variables.yml
index 00976ebd..57381b5b 100644
--- a/osquery/vars/variables.yml
+++ b/osquery/vars/variables.yml
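Review bot: The header comment of vars/RedHat.yml, `# vars file for osquery (CentOS specific)`, was carried over from CentOS.yml and misdescribes the file; since it is presumably selected by OS family it should read `# vars file for osquery (RedHat family: RHEL and CentOS)`. It is also worth a one-line comment on `varlog_group: root` / `varlog_mode: '0755'` explaining why the Debian and Ubuntu files grant the `syslog` group write access (`'0775'`) while the RedHat family does not, so the next change to log-directory permissions does not flatten the two by accident.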
@@ -1,40 +1,38 @@ +--- + mariadb_root_user: root -# kolide_fleet_enable: true kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert kolide_fleet_ssl_key: /etc/ssl/private/fleet.key -kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem kolide_fleet_ssl_ca_cert: /etc/ssl/certs/fleet-ca.pem -kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost" +kolide_fleet_ssl_ca_key: /etc/ssl/private/fleet-ca.key +kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem # Osquery vars -osquery_enroll_secret_dir: /etc/osquery/osquery_enroll_secret +osquery_enroll_secret_file: /etc/osquery/osquery_enroll_secret osquery_debug_packages_install: false - -osquery_debug_packages_install: false - osquery_config_plugin: 'filesystem' osquery_logger_plugin: 'filesystem' osquery_rsyslog: false osquery_flags: - - "--tls_server_certs={{ kolide_fleet_ssl_cert }}" - - "--tls_hostname={{ hostvars[groups['fleet'][0]]['ansible_host'] }}:{{ kolide_fleet_port }}" - - "--host_identifier=hostname" - - "--enroll_tls_endpoint=/api/v1/osquery/enroll" - - "--config_plugin=tls" - - "--config_tls_endpoint=/api/v1/osquery/config" - - "--config_tls_refresh=10" - - "--disable_distributed=false" - - "--distributed_plugin=tls" - - "--distributed_interval=10" - - "--distributed_tls_max_attempts=3" - - "--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read" - - "--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write" - - "--logger_plugin=tls" - - "--logger_tls_endpoint=/api/v1/osquery/log" - - "--logger_tls_period=10" - - "--enroll_secret_path={{ osquery_enroll_secret_dir }}" + - "--tls_server_certs={{ kolide_fleet_ssl_cert }}" + - "--tls_hostname={{ hostvars[groups['fleet_all'][0]]['ansible_host'] }}:443" + - "--host_identifier=hostname" + - "--enroll_tls_endpoint=/api/v1/osquery/enroll" + - "--config_plugin=tls" + - "--config_tls_endpoint=/api/v1/osquery/config" + - "--config_tls_refresh=10" + - 
"--disable_distributed=false" + - "--distributed_plugin=tls" + - "--distributed_interval=10" + - "--distributed_tls_max_attempts=3" + - "--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read" + - "--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write" + - "--logger_plugin=tls" + - "--logger_tls_endpoint=/api/v1/osquery/log" + - "--logger_tls_period=10" + - "--enroll_secret_path={{ osquery_enroll_secret_file }}"