Add osquery testing
Change-Id: Ia8249da40bf5eb0e09b5d7811eb126b60dc5dc73 Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This commit is contained in:
parent
33d22c552e
commit
88bf46c65c
@ -42,6 +42,7 @@ if [[ ! -e "${ANSIBLE_EMBED_HOME}/bin/ansible" ]]; then
|
||||
eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade ansible==2.5.5.0 --isolated"
|
||||
eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade jmespath --isolated"
|
||||
eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade hvac --isolated"
|
||||
eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade netaddr --isolated"
|
||||
echo "Ansible can be found here: ${ANSIBLE_EMBED_HOME}/bin"
|
||||
fi
|
||||
|
||||
|
@ -595,7 +595,7 @@ deployed to the environment as if this was a production installation.
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
tests/run-tests.sh
|
||||
CLUSTERED=yes tests/run-tests.sh
|
||||
|
||||
|
||||
After the test build is completed the cluster will test it's layout and ensure
|
||||
|
@ -14,7 +14,7 @@
|
||||
# limitations under the License.
|
||||
|
||||
- name: Setup host for nspawn
|
||||
hosts: physical_hosts
|
||||
hosts: localhost
|
||||
connection: local
|
||||
become: true
|
||||
vars:
|
||||
|
@ -60,6 +60,11 @@
|
||||
reload: "yes"
|
||||
sysctl_file: /etc/sysctl.d/99-elasticsearch.conf
|
||||
|
||||
- name: Create tmp osquery dir
|
||||
file:
|
||||
path: "/tmp/elk-metrics-6x-logs"
|
||||
state: directory
|
||||
|
||||
- name: Flush iptables rules
|
||||
command: "{{ item }}"
|
||||
args:
|
||||
@ -90,17 +95,19 @@
|
||||
args:
|
||||
chdir: "src/{{ current_test_repo }}/elk_metrics_6x"
|
||||
|
||||
- name: Run ansible-galaxy
|
||||
- name: Run ansible-galaxy (tests)
|
||||
become: yes
|
||||
become_user: root
|
||||
command: "/root/ansible25/bin/ansible-galaxy install --force -r ansible-role-requirements.yml"
|
||||
command: "/root/ansible25/bin/ansible-galaxy install --force --ignore-errors --roles-path=/root/ansible25/repositories/roles -r ansible-role-requirements.yml"
|
||||
args:
|
||||
chdir: "src/{{ current_test_repo }}/elk_metrics_6x/tests"
|
||||
chdir: "src/{{ current_test_repo }}/osquery/tests"
|
||||
|
||||
- name: Install netaddr
|
||||
pip:
|
||||
name: netaddr
|
||||
virtualenv: "/root/ansible25"
|
||||
- name: Run ansible-galaxy (elk_metrics_6x)
|
||||
become: yes
|
||||
become_user: root
|
||||
command: "/root/ansible25/bin/ansible-galaxy install --force --ignore-errors --roles-path=/root/ansible25/repositories/roles -r ansible-role-requirements.yml"
|
||||
args:
|
||||
chdir: "src/{{ current_test_repo }}/osquery"
|
||||
|
||||
- name: Run environment setup
|
||||
become: yes
|
||||
@ -110,6 +117,7 @@
|
||||
ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
|
||||
ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
|
||||
ANSIBLE_LOG_PATH: "/tmp/elk-metrics-6x-logs/ansible-elk-test-container-setup.log"
|
||||
ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
|
||||
args:
|
||||
chdir: "src/{{ current_test_repo }}/elk_metrics_6x/tests"
|
||||
when:
|
||||
@ -124,6 +132,7 @@
|
||||
ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
|
||||
ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
|
||||
ANSIBLE_LOG_PATH: "/tmp/elk-metrics-6x-logs/ansible-elk-test-container-setup.log"
|
||||
ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
|
||||
args:
|
||||
chdir: "src/{{ current_test_repo }}/elk_metrics_6x/tests"
|
||||
when:
|
||||
@ -144,6 +153,7 @@
|
||||
ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
|
||||
ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
|
||||
ANSIBLE_LOG_PATH: "/tmp/elk-metrics-6x-logs/ansible-elk-test-deployment.log"
|
||||
ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
|
||||
args:
|
||||
chdir: "src/{{ current_test_repo }}/elk_metrics_6x"
|
||||
|
||||
@ -155,5 +165,6 @@
|
||||
ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
|
||||
ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
|
||||
ANSIBLE_LOG_PATH: "/tmp/elk-metrics-6x-logs/ansible-elk-test-show-cluster.log"
|
||||
ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
|
||||
args:
|
||||
chdir: "src/{{ current_test_repo }}/elk_metrics_6x"
|
||||
|
@ -34,6 +34,12 @@ ${HOME}/ansible25/bin/ansible-galaxy install --force \
|
||||
--roles-path="${HOME}/ansible25/repositories/roles" \
|
||||
--role-file="${TEST_DIR}/elk_metrics_6x/tests/ansible-role-requirements.yml"
|
||||
|
||||
if [[ ! -e "${TEST_DIR}/osquery/tests/src" ]]; then
|
||||
ln -s ${TEST_DIR}/../ ${TEST_DIR}/osquery/tests/src
|
||||
fi
|
||||
|
||||
${HOME}/ansible25/bin/ansible-playbook -i 'localhost,' \
|
||||
-vv \
|
||||
-e ansible_connection=local \
|
||||
-e test_clustered_elk=${CLUSTERED:-no} \
|
||||
${TEST_DIR}/elk_metrics_6x/tests/test.yml
|
||||
|
@ -208,10 +208,42 @@ The individual playbooks found within this repository can be independently run
|
||||
at anytime.
|
||||
|
||||
|
||||
Local testing
|
||||
-------------
|
||||
|
||||
To test these playbooks within a local environment you will need a single server
|
||||
with at leasts 8GiB of RAM and 40GiB of storage on root. Running an `m1.medium`
|
||||
(openstack) flavor size is generally enough to get an environment online.
|
||||
|
||||
To run the local functional tests execute the `run-tests.sh` script out of the
|
||||
tests directory. This will create a 1 node kolide-fleet cluster and install
|
||||
osquery on the local host.
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
CLUSTERED=yes tests/run-tests.sh
|
||||
|
||||
|
||||
After the test build is completed the cluster will test it's layout and ensure
|
||||
processes are functioning normally. Logs for the cluster can be found at
|
||||
`/tmp/osquery-logs`.
|
||||
|
||||
To rerun the playbooks after a test build, source the `tests/manual-test.rc`
|
||||
file and follow the onscreen instructions.
|
||||
|
||||
To clean-up a test environment and start from a bare server slate the
|
||||
`run-cleanup.sh` script can be used. This script is disruptive and will purge
|
||||
all `osquery` related services within the local test environment.
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
tests/run-cleanup.sh
|
||||
|
||||
|
||||
Architecture | Data flow
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
This diagram outlines the data flow from within an Elastic-Stack deployment.
|
||||
This diagram outlines the data flow from within an osquery deployment.
|
||||
|
||||
.. image:: assets/architecture-osquery.png
|
||||
:scale: 50 %
|
||||
@ -224,7 +256,7 @@ TODO
|
||||
The following is a list of open items.
|
||||
- [x] Test Redhat familly Operating Systems
|
||||
- [x] missing mariadb cluster (should all work needs additional vars)
|
||||
- [ ] use haproxy instead of the kolide fleet server ip
|
||||
- [x] use haproxy instead of the kolide fleet server ip
|
||||
- [ ] add/update tags
|
||||
- [ ] convert to roles
|
||||
- [ ] add testing
|
||||
- [x] convert to roles
|
||||
- [x] add testing
|
||||
|
@ -14,7 +14,7 @@
|
||||
# limitations under the License.
|
||||
|
||||
- name: Get osquery facts
|
||||
hosts: "{{ kolide_fleet_host | default(groups['kolide-fleet_all'][0]) }}"
|
||||
hosts: kolide-fleet_all[0]
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/variables.yml
|
||||
@ -37,6 +37,21 @@
|
||||
- src: "{{ kolide_fleet_ssl_key }}"
|
||||
dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
|
||||
|
||||
- name: Retrieve Enrollment Token
|
||||
command: /usr/local/bin/fleetctl get enroll-secret
|
||||
changed_when: false
|
||||
register: _enrollment_token
|
||||
|
||||
- name: Set kolide fleet enrollment token fact
|
||||
set_fact:
|
||||
kolide_fleet_enroll_secret: "{{ _enrollment_token.stdout }}"
|
||||
|
||||
- name: Write enroll secret
|
||||
copy:
|
||||
dest: "/tmp/{{ osquery_enroll_secret_file | basename }}"
|
||||
content: "{{ kolide_fleet_enroll_secret }}"
|
||||
mode: "0640"
|
||||
|
||||
|
||||
- name: Install osquery
|
||||
hosts: "hosts:all_containers"
|
||||
@ -66,23 +81,8 @@
|
||||
src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
|
||||
- dest: "{{ kolide_fleet_ssl_key }}"
|
||||
src: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
|
||||
|
||||
- name: retrieve Enrollment Token
|
||||
command: /usr/local/bin/fleetctl get enroll-secret
|
||||
changed_when: false
|
||||
register: _enrollment_token
|
||||
delegate_to: "{{ groups['kolide-fleet_all'][0] }}"
|
||||
run_once: true
|
||||
|
||||
- name: Set kolide fleet enrollment token fact
|
||||
set_fact:
|
||||
kolide_fleet_enroll_secret: "{{ _enrollment_token.stdout }}"
|
||||
|
||||
- name: write enroll secret
|
||||
copy:
|
||||
dest: "{{ osquery_enroll_secret_file }}"
|
||||
content: "{{ kolide_fleet_enroll_secret }}"
|
||||
mode: "0640"
|
||||
- dest: "{{ osquery_enroll_secret_file }}"
|
||||
src: "/tmp/{{ osquery_enroll_secret_file | basename }}"
|
||||
|
||||
post_tasks:
|
||||
- name: Cleanup certifactes
|
||||
@ -93,6 +93,7 @@
|
||||
with_items:
|
||||
- "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
|
||||
- "/tmp/{{ kolide_fleet_ssl_key | basename }}"
|
||||
- "/tmp/{{ osquery_enroll_secret_file | basename }}"
|
||||
|
||||
roles:
|
||||
- role: "osquery"
|
||||
|
@ -1,35 +0,0 @@
|
||||
---
|
||||
|
||||
################################## ALL HOSTS ##################################
|
||||
all:
|
||||
hosts:
|
||||
# Local host
|
||||
localhost:
|
||||
ansible_connection: local
|
||||
|
||||
################################## REQUIRED ###################################
|
||||
logging01:
|
||||
ansible_host: 172.16.27.100
|
||||
ansible_user: root
|
||||
|
||||
vars: {}
|
||||
|
||||
|
||||
################################### GROUPS ####################################
|
||||
|
||||
# The hosts group is used to target physical host machines. Enter all physical
|
||||
# host machines here.
|
||||
hosts:
|
||||
hosts:
|
||||
logging01: {}
|
||||
|
||||
# This is the location where fleet(s) will live
|
||||
kolide-fleet_all:
|
||||
children:
|
||||
kolide_hosts:
|
||||
hosts:
|
||||
logging01: {}
|
||||
|
||||
mariadb_all:
|
||||
children:
|
||||
kolide-fleet_all: {}
|
1
osquery/inventory.example.yml
Symbolic link
1
osquery/inventory.example.yml
Symbolic link
@ -0,0 +1 @@
|
||||
tests/inventory/test-metal-inventory.yml
|
@ -13,22 +13,15 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: check to see if we have alredy registered fleetctl admin
|
||||
stat:
|
||||
path: ~/.fleet/config
|
||||
register: fleet_config_set
|
||||
|
||||
- name: set fleetctl default context
|
||||
command: /usr/local/bin/fleetctl config set --address https://localhost:{{ kolide_fleet_port }} --tls-skip-verify
|
||||
changed_when: false
|
||||
when:
|
||||
- fleet_config_set.stat.exists == false
|
||||
|
||||
- name: register admin account
|
||||
command: /usr/local/bin/fleetctl setup --email {{ kolide_fleet_admin_email }} --password {{ kolide_fleet_admin_password }}
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
register: fleet_register_admin
|
||||
ignore_errors: true # ignore errors as we might have already set this it will be caought later
|
||||
|
||||
- name: login admin account
|
||||
command: /usr/local/bin/fleetctl login --email {{ kolide_fleet_admin_email }} --password {{ kolide_fleet_admin_password }}
|
||||
|
@ -12,16 +12,17 @@ osquery_template: 'osquery.conf.j2'
|
||||
osquery_upload_packs:
|
||||
- osquery-snapshots-pack
|
||||
- osquery-monitoring2-pack
|
||||
|
||||
osquery_packs:
|
||||
- "osquery-monitoring"
|
||||
- "incident-response"
|
||||
- "it-compliance"
|
||||
# - "osx-attacks"
|
||||
- "ossec-rootkit"
|
||||
- "vuln-management"
|
||||
- "hardware-monitoring"
|
||||
- "osquery-snapshots-pack"
|
||||
- osquery-monitoring2-pack
|
||||
- "osquery-monitoring2-pack"
|
||||
|
||||
osquery_config_plugin: 'filesystem'
|
||||
osquery_logger_plugin: 'filesystem'
|
||||
#osquery_logger_plugin: 'syslog'
|
||||
|
@ -8,6 +8,3 @@
|
||||
|
||||
- name: restart rsyslog
|
||||
service: name=rsyslog state=restarted
|
||||
|
||||
- name: reload osqueryd apparmor profile
|
||||
shell: cat /etc/apparmor.d/usr.bin.osqueryd | sudo apparmor_parser -r
|
||||
|
@ -12,6 +12,3 @@
|
||||
dest: "/etc/yum.repos.d/{{ _osquery_repository | basename }}"
|
||||
mode: '0644'
|
||||
backup: yes
|
||||
|
||||
- include: selinux.yml
|
||||
when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker"))
|
||||
|
@ -31,6 +31,3 @@
|
||||
state: present
|
||||
tags:
|
||||
- osquery
|
||||
|
||||
- include: apparmor.yml
|
||||
when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker"))
|
||||
|
@ -1,27 +0,0 @@
|
||||
---
|
||||
# https://help.ubuntu.com/lts/serverguide/apparmor.html.en
|
||||
|
||||
- name: Ensure apparmor packages are present
|
||||
package:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- apparmor
|
||||
- apparmor-utils
|
||||
- apparmor-profiles
|
||||
|
||||
- name: Ensure apparmor profile is set
|
||||
template:
|
||||
src: apparmor-usr.bin.osqueryd.j2
|
||||
dest: /etc/apparmor.d/usr.bin.osqueryd
|
||||
mode: '0600'
|
||||
owner: root
|
||||
backup: yes
|
||||
notify:
|
||||
- reload osqueryd apparmor profile
|
||||
|
||||
- name: Apply apparmor profile for osquery
|
||||
command: aa-complain /usr/bin/osqueryd
|
||||
failed_when: false
|
||||
|
||||
# Refine policy with `aa-logprof -f /var/log/syslog`
|
@ -118,6 +118,3 @@
|
||||
|
||||
- include: syslog-target.yml
|
||||
when: osquery_syslog_target != ''
|
||||
|
||||
- include: selinux-end.yml
|
||||
when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker")) and ansible_os_family == "RedHat"
|
||||
|
@ -1,10 +0,0 @@
|
||||
---
|
||||
|
||||
- name: RedHat | Ensure selinux context is correctly set
|
||||
command: "/sbin/restorecon -F -R -v {{ item }}"
|
||||
with_items:
|
||||
- /usr/bin/osqueryd
|
||||
- /usr/lib/systemd/system/osqueryd.service
|
||||
- /var/log/osquery
|
||||
- /etc/osquery
|
||||
- /usr/share/osquery/packs
|
@ -1,44 +0,0 @@
|
||||
---
|
||||
|
||||
- name: Ensure selinux package are present
|
||||
package:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- selinux-policy
|
||||
- selinux-policy-devel
|
||||
- setools-console
|
||||
- libselinux-python
|
||||
- policycoreutils-python
|
||||
|
||||
- name: Ensure osquery directory exists
|
||||
file:
|
||||
dest: /etc/osquery
|
||||
state: directory
|
||||
mode: '0755'
|
||||
|
||||
- name: Ensure osquery selinux policy is set
|
||||
template:
|
||||
src: "{{ item }}.j2"
|
||||
dest: "/etc/osquery/{{ item }}"
|
||||
mode: '0600'
|
||||
owner: root
|
||||
with_items:
|
||||
- osquery.fc
|
||||
- osquery.sh
|
||||
- osquery.te
|
||||
register: te
|
||||
|
||||
# FIXME!
|
||||
- name: Generate osquery policy file
|
||||
command: sh -x ./osquery.sh
|
||||
args:
|
||||
chdir: /etc/osquery
|
||||
when: te is changed
|
||||
ignore_errors: true
|
||||
|
||||
# `sepolicy generate -n osquery --init /usr/bin/osqueryd` = OK/base
|
||||
# Refine policy with `audit2allow -i /var/log/audit/audit.log -M osquery`
|
||||
# `semodule -i osquery.pp`
|
||||
# FIXME! 'Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/osquery/cil:2'
|
||||
# `/usr/libexec/selinux/hll/pp osquery.pp`
|
@ -1,61 +0,0 @@
|
||||
#!/bin/sh -e
|
||||
|
||||
DIRNAME=`dirname $0`
|
||||
cd $DIRNAME
|
||||
USAGE="$0 [ --update ]"
|
||||
if [ `id -u` != 0 ]; then
|
||||
echo 'You must be root to run this script'
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ $# -eq 1 ]; then
|
||||
if [ "$1" = "--update" ] ; then
|
||||
time=`ls -l --time-style="+%x %X" osquery.te | awk '{ printf "%s %s", $6, $7 }'`
|
||||
rules=`ausearch --start $time -m avc --raw -se osquery`
|
||||
if [ x"$rules" != "x" ] ; then
|
||||
echo "Found avc's to update policy with"
|
||||
echo -e "$rules" | audit2allow -R
|
||||
echo "Do you want these changes added to policy [y/n]?"
|
||||
read ANS
|
||||
if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
|
||||
echo "Updating policy"
|
||||
echo -e "$rules" | audit2allow -R >> osquery.te
|
||||
# Fall though and rebuild policy
|
||||
else
|
||||
exit 0
|
||||
fi
|
||||
else
|
||||
echo "No new avcs found"
|
||||
exit 0
|
||||
fi
|
||||
else
|
||||
echo -e $USAGE
|
||||
exit 1
|
||||
fi
|
||||
elif [ $# -ge 2 ] ; then
|
||||
echo -e $USAGE
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Building and Loading Policy"
|
||||
set -x
|
||||
make -f /usr/share/selinux/devel/Makefile osquery.pp || exit
|
||||
/usr/sbin/semodule -i osquery.pp
|
||||
|
||||
# Generate a man page off the installed module
|
||||
sepolicy manpage -p . -d osquery_t
|
||||
# Fixing the file context on /usr/bin/osqueryd
|
||||
/sbin/restorecon -F -R -v /usr/bin/osqueryd
|
||||
# Fixing the file context on /usr/lib/systemd/system/osqueryd.service
|
||||
/sbin/restorecon -F -R -v /usr/lib/systemd/system/osqueryd.service
|
||||
# Fixing the file context on /var/log/osquery
|
||||
/sbin/restorecon -F -R -v /var/log/osquery
|
||||
/sbin/restorecon -F -R -v /etc/osquery
|
||||
/sbin/restorecon -F -R -v /usr/share/osquery/packs
|
||||
|
||||
|
||||
# Generate a rpm package for the newly generated policy
|
||||
|
||||
pwd=$(pwd)
|
||||
#rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba osquery_selinux.spec
|
||||
|
@ -1,674 +0,0 @@
|
||||
module osquery 1.0;
|
||||
|
||||
require {
|
||||
type osquery_t;
|
||||
type osquery_conf_t;
|
||||
type osquery_unit_file_t;
|
||||
|
||||
type insmod_exec_t;
|
||||
type home_root_t;
|
||||
type gssd_exec_t;
|
||||
type udev_exec_t;
|
||||
type sound_device_t;
|
||||
type setsebool_exec_t;
|
||||
type proc_t;
|
||||
type unconfined_service_t;
|
||||
type netutils_exec_t;
|
||||
type load_policy_exec_t;
|
||||
type memory_device_t;
|
||||
type tmp_t;
|
||||
type gpg_exec_t;
|
||||
type autofs_device_t;
|
||||
type systemd_hwdb_exec_t;
|
||||
type tcpd_exec_t;
|
||||
type gssproxy_exec_t;
|
||||
type showmount_exec_t;
|
||||
type rsync_exec_t;
|
||||
type crond_unit_file_t;
|
||||
type udev_rules_t;
|
||||
type systemd_logind_t;
|
||||
type setfiles_exec_t;
|
||||
type sshd_keygen_exec_t;
|
||||
type chronyd_exec_t;
|
||||
type xserver_etc_t;
|
||||
type crond_t;
|
||||
type tun_tap_device_t;
|
||||
type default_context_t;
|
||||
type anacron_exec_t;
|
||||
type virt_qemu_ga_exec_t;
|
||||
type auditd_t;
|
||||
type syslogd_t;
|
||||
type NetworkManager_t;
|
||||
type sysctl_t;
|
||||
type pppd_etc_t;
|
||||
type consolehelper_exec_t;
|
||||
type userhelper_conf_t;
|
||||
type systemd_systemctl_exec_t;
|
||||
type postfix_pickup_exec_t;
|
||||
type syslog_conf_t;
|
||||
type systemd_unit_file_t;
|
||||
type tuned_exec_t;
|
||||
type plymouthd_exec_t;
|
||||
type vlock_exec_t;
|
||||
type systemd_passwd_agent_exec_t;
|
||||
type pinentry_exec_t;
|
||||
type passwd_exec_t;
|
||||
type dmidecode_exec_t;
|
||||
type systemd_notify_exec_t;
|
||||
type hwclock_exec_t;
|
||||
type firewalld_etc_rw_t;
|
||||
type crack_exec_t;
|
||||
type postfix_qmgr_t;
|
||||
type sulogin_exec_t;
|
||||
type netcontrol_device_t;
|
||||
type rpcd_unit_file_t;
|
||||
type auditd_exec_t;
|
||||
type crontab_exec_t;
|
||||
type crash_device_t;
|
||||
type exports_t;
|
||||
type event_device_t;
|
||||
type cgroup_t;
|
||||
type loadkeys_exec_t;
|
||||
type postfix_qmgr_exec_t;
|
||||
type pam_timestamp_exec_t;
|
||||
type random_device_t;
|
||||
type initrc_exec_t;
|
||||
type hugetlbfs_t;
|
||||
type lvm_unit_file_t;
|
||||
type dmesg_exec_t;
|
||||
type proc_mdstat_t;
|
||||
type mouse_device_t;
|
||||
type nfsd_exec_t;
|
||||
type slapd_cert_t;
|
||||
type login_exec_t;
|
||||
type usbmon_device_t;
|
||||
type ldconfig_exec_t;
|
||||
type initctl_t;
|
||||
type debuginfo_exec_t;
|
||||
type postfix_pickup_t;
|
||||
type updpwd_exec_t;
|
||||
type oddjob_mkhomedir_exec_t;
|
||||
type irqbalance_exec_t;
|
||||
type proc_kmsg_t;
|
||||
type gssproxy_t;
|
||||
type postfix_etc_t;
|
||||
type init_exec_t;
|
||||
type postfix_spool_t;
|
||||
type var_run_t;
|
||||
type mtrr_device_t;
|
||||
type hypervvssd_exec_t;
|
||||
type hostname_exec_t;
|
||||
type system_cron_spool_t;
|
||||
type sshd_key_t;
|
||||
type proc_kcore_t;
|
||||
type dbusd_exec_t;
|
||||
type plymouth_exec_t;
|
||||
type tuned_rw_etc_t;
|
||||
type pppd_exec_t;
|
||||
type pam_console_exec_t;
|
||||
type adjtime_t;
|
||||
type chronyc_exec_t;
|
||||
type auditd_unit_file_t;
|
||||
type fuse_device_t;
|
||||
type userhelper_exec_t;
|
||||
type tuned_etc_t;
|
||||
type systemd_logind_exec_t;
|
||||
type var_log_t;
|
||||
type init_t;
|
||||
type pppd_initrc_exec_t;
|
||||
type fs_t;
|
||||
type systemd_tmpfiles_exec_t;
|
||||
type user_home_dir_t;
|
||||
type lvm_etc_t;
|
||||
type chronyd_t;
|
||||
type dbusd_etc_t;
|
||||
type etc_aliases_t;
|
||||
type auditctl_exec_t;
|
||||
type usernetctl_exec_t;
|
||||
type clock_device_t;
|
||||
type traceroute_exec_t;
|
||||
type sshd_t;
|
||||
type mdadm_exec_t;
|
||||
type initrc_var_run_t;
|
||||
type mount_exec_t;
|
||||
type scsi_generic_device_t;
|
||||
type vhost_device_t;
|
||||
type uhid_device_t;
|
||||
type ifconfig_exec_t;
|
||||
type device_t;
|
||||
type namespace_init_exec_t;
|
||||
type lvm_exec_t;
|
||||
type checkpolicy_exec_t;
|
||||
type rpm_script_tmp_t;
|
||||
type user_tmp_t;
|
||||
type unlabeled_t;
|
||||
type sshd_unit_file_t;
|
||||
type policykit_exec_t;
|
||||
type modules_conf_t;
|
||||
type chfn_exec_t;
|
||||
type dhcp_etc_t;
|
||||
type logrotate_exec_t;
|
||||
type getty_unit_file_t;
|
||||
type selinux_config_t;
|
||||
type ppp_device_t;
|
||||
type ssh_keygen_exec_t;
|
||||
type cupsd_rw_etc_t;
|
||||
type authconfig_exec_t;
|
||||
type ssh_exec_t;
|
||||
type rpcbind_t;
|
||||
type audisp_exec_t;
|
||||
type chronyd_keys_t;
|
||||
type dri_device_t;
|
||||
type rpm_exec_t;
|
||||
type getty_t;
|
||||
type virt_qemu_ga_unconfined_exec_t;
|
||||
type NetworkManager_exec_t;
|
||||
type user_fonts_t;
|
||||
type rpc_pipefs_t;
|
||||
type ping_exec_t;
|
||||
type gpg_agent_exec_t;
|
||||
type su_exec_t;
|
||||
type firewalld_exec_t;
|
||||
type getty_exec_t;
|
||||
type quota_exec_t;
|
||||
type devpts_t;
|
||||
type nvram_device_t;
|
||||
type cpu_device_t;
|
||||
type rpcbind_exec_t;
|
||||
type NetworkManager_etc_rw_t;
|
||||
type unconfined_t;
|
||||
type NetworkManager_initrc_exec_t;
|
||||
type sshd_exec_t;
|
||||
type udev_t;
|
||||
type rpcd_exec_t;
|
||||
type fixed_disk_device_t;
|
||||
type selinux_login_config_t;
|
||||
type sysctl_irq_t;
|
||||
type ptmx_t;
|
||||
type ssh_agent_exec_t;
|
||||
type NetworkManager_unit_file_t;
|
||||
type binfmt_misc_fs_t;
|
||||
type semanage_store_t;
|
||||
type framebuf_device_t;
|
||||
type udev_var_run_t;
|
||||
type rdisc_exec_t;
|
||||
type NetworkManager_etc_t;
|
||||
type rsync_etc_t;
|
||||
type postfix_postdrop_exec_t;
|
||||
type tuned_t;
|
||||
type wtmp_t;
|
||||
type dhcpc_exec_t;
|
||||
type useradd_exec_t;
|
||||
type dhcpc_t;
|
||||
type sudo_exec_t;
|
||||
type vfio_device_t;
|
||||
type thumb_exec_t;
|
||||
type crond_exec_t;
|
||||
type bootloader_etc_t;
|
||||
type sysfs_t;
|
||||
type postfix_postqueue_exec_t;
|
||||
type postfix_map_exec_t;
|
||||
type admin_passwd_exec_t;
|
||||
type apm_bios_t;
|
||||
type policykit_t;
|
||||
type iptables_exec_t;
|
||||
type semanage_exec_t;
|
||||
type journalctl_exec_t;
|
||||
type lvm_control_t;
|
||||
type lvm_t;
|
||||
type screen_exec_t;
|
||||
type auditd_etc_t;
|
||||
type xserver_misc_device_t;
|
||||
type fsadm_exec_t;
|
||||
type bootloader_exec_t;
|
||||
type system_cronjob_t;
|
||||
type syslogd_exec_t;
|
||||
type system_dbusd_t;
|
||||
type lvm_lock_t;
|
||||
type user_cron_spool_t;
|
||||
type kmsg_device_t;
|
||||
type mysqld_etc_t;
|
||||
type pppd_etc_rw_t;
|
||||
type configfs_t;
|
||||
type proc_net_t;
|
||||
type postfix_master_exec_t;
|
||||
type shadow_t;
|
||||
type sendmail_exec_t;
|
||||
type loop_control_device_t;
|
||||
type kernel_t;
|
||||
type var_t;
|
||||
type pstore_t;
|
||||
type chkpwd_exec_t;
|
||||
type groupadd_exec_t;
|
||||
type debugfs_t;
|
||||
type hypervkvp_exec_t;
|
||||
type postfix_master_t;
|
||||
type sysctl_fs_t;
|
||||
type blkmapd_exec_t;
|
||||
type nfsd_unit_file_t;
|
||||
type ssh_home_t;
|
||||
type systemd_hwdb_etc_t;
|
||||
type mandb_exec_t;
|
||||
type tmpfs_t;
|
||||
type lvm_metadata_t;
|
||||
type policykit_auth_exec_t;
|
||||
type chronyd_unit_file_t;
|
||||
type print_spool_t;
|
||||
type rpcbind_var_lib_t;
|
||||
class fifo_file getattr;
|
||||
class process setsched;
|
||||
class unix_stream_socket connectto;
|
||||
class netlink_kobject_uevent_socket { bind create getattr setopt };
|
||||
class chr_file { getattr ioctl open read write };
|
||||
class capability { dac_override sys_rawio sys_ptrace };
|
||||
class file { append create getattr lock open read relabelto rename setattr unlink write };
|
||||
class filesystem getattr;
|
||||
class sock_file { create getattr unlink write };
|
||||
class lnk_file { create getattr read unlink };
|
||||
class blk_file { getattr ioctl open read };
|
||||
class dir { add_name getattr open read remove_name search setattr write };
|
||||
}
|
||||
|
||||
#============= osquery_t ==============
|
||||
allow osquery_t NetworkManager_etc_rw_t:dir { getattr open read };
|
||||
allow osquery_t NetworkManager_etc_rw_t:file getattr;
|
||||
allow osquery_t NetworkManager_etc_t:dir { getattr open read };
|
||||
allow osquery_t NetworkManager_exec_t:file getattr;
|
||||
allow osquery_t NetworkManager_initrc_exec_t:dir { getattr open read };
|
||||
allow osquery_t NetworkManager_initrc_exec_t:file getattr;
|
||||
allow osquery_t NetworkManager_t:dir { getattr open read search };
|
||||
allow osquery_t NetworkManager_t:file { getattr open read };
|
||||
|
||||
allow osquery_t NetworkManager_t:lnk_file { getattr read };
|
||||
allow osquery_t NetworkManager_unit_file_t:file getattr;
|
||||
allow osquery_t adjtime_t:file getattr;
|
||||
allow osquery_t admin_passwd_exec_t:file getattr;
|
||||
allow osquery_t anacron_exec_t:file getattr;
|
||||
allow osquery_t apm_bios_t:chr_file getattr;
|
||||
allow osquery_t audisp_exec_t:file getattr;
|
||||
allow osquery_t auditctl_exec_t:file getattr;
|
||||
allow osquery_t auditd_etc_t:dir { getattr open read };
|
||||
allow osquery_t auditd_etc_t:file getattr;
|
||||
allow osquery_t auditd_exec_t:file getattr;
|
||||
allow osquery_t auditd_t:dir { getattr open read search };
|
||||
allow osquery_t auditd_t:file { getattr open read };
|
||||
|
||||
allow osquery_t auditd_t:lnk_file { getattr read };
|
||||
allow osquery_t auditd_unit_file_t:file getattr;
|
||||
allow osquery_t authconfig_exec_t:file getattr;
|
||||
allow osquery_t autofs_device_t:chr_file getattr;
|
||||
allow osquery_t binfmt_misc_fs_t:filesystem getattr;
|
||||
allow osquery_t blkmapd_exec_t:file getattr;
|
||||
allow osquery_t bootloader_etc_t:file getattr;
|
||||
allow osquery_t bootloader_exec_t:file getattr;
|
||||
allow osquery_t cgroup_t:filesystem getattr;
|
||||
allow osquery_t checkpolicy_exec_t:file getattr;
|
||||
allow osquery_t chfn_exec_t:file getattr;
|
||||
allow osquery_t chkpwd_exec_t:file getattr;
|
||||
allow osquery_t chronyc_exec_t:file getattr;
|
||||
allow osquery_t chronyd_exec_t:file getattr;
|
||||
allow osquery_t chronyd_keys_t:file getattr;
|
||||
allow osquery_t chronyd_t:dir { getattr open read search };
|
||||
allow osquery_t chronyd_t:file { getattr open read };
|
||||
|
||||
allow osquery_t chronyd_t:lnk_file { getattr read };
|
||||
allow osquery_t chronyd_unit_file_t:file getattr;
|
||||
allow osquery_t clock_device_t:chr_file getattr;
|
||||
allow osquery_t configfs_t:filesystem getattr;
|
||||
allow osquery_t consolehelper_exec_t:file getattr;
|
||||
allow osquery_t cpu_device_t:chr_file getattr;
|
||||
allow osquery_t crack_exec_t:file getattr;
|
||||
allow osquery_t crash_device_t:chr_file getattr;
|
||||
allow osquery_t crond_exec_t:file getattr;
|
||||
allow osquery_t crond_t:dir { getattr open read search };
|
||||
allow osquery_t crond_t:file { getattr open read };
|
||||
|
||||
allow osquery_t crond_t:lnk_file { getattr read };
|
||||
allow osquery_t crond_unit_file_t:file getattr;
|
||||
allow osquery_t crontab_exec_t:file getattr;
|
||||
allow osquery_t cupsd_rw_etc_t:file getattr;
|
||||
allow osquery_t dbusd_etc_t:dir { getattr open read };
|
||||
allow osquery_t dbusd_etc_t:file getattr;
|
||||
allow osquery_t dbusd_exec_t:file getattr;
|
||||
allow osquery_t debugfs_t:filesystem getattr;
|
||||
allow osquery_t debuginfo_exec_t:file getattr;
|
||||
allow osquery_t default_context_t:dir read;
|
||||
allow osquery_t default_context_t:file getattr;
|
||||
|
||||
#!!!! WARNING: 'device_t' is a base type.
|
||||
allow osquery_t device_t:filesystem getattr;
|
||||
allow osquery_t devpts_t:filesystem getattr;
|
||||
allow osquery_t dhcp_etc_t:dir { getattr open read };
|
||||
allow osquery_t dhcp_etc_t:file getattr;
|
||||
allow osquery_t dhcpc_exec_t:file getattr;
|
||||
allow osquery_t dhcpc_t:dir { getattr open read search };
|
||||
allow osquery_t dhcpc_t:file { getattr open read };
|
||||
|
||||
allow osquery_t dhcpc_t:lnk_file { getattr read };
|
||||
allow osquery_t dmesg_exec_t:file getattr;
|
||||
allow osquery_t dmidecode_exec_t:file getattr;
|
||||
allow osquery_t dri_device_t:chr_file getattr;
|
||||
allow osquery_t etc_aliases_t:file getattr;
|
||||
allow osquery_t event_device_t:chr_file getattr;
|
||||
allow osquery_t exports_t:file getattr;
|
||||
allow osquery_t firewalld_etc_rw_t:dir { getattr open read };
|
||||
allow osquery_t firewalld_etc_rw_t:file getattr;
|
||||
allow osquery_t firewalld_exec_t:file getattr;
|
||||
allow osquery_t fixed_disk_device_t:blk_file { getattr ioctl open read };
|
||||
allow osquery_t fixed_disk_device_t:chr_file getattr;
|
||||
allow osquery_t framebuf_device_t:chr_file getattr;
|
||||
allow osquery_t fs_t:filesystem getattr;
|
||||
allow osquery_t fsadm_exec_t:file getattr;
|
||||
allow osquery_t fuse_device_t:chr_file getattr;
|
||||
allow osquery_t getty_exec_t:file getattr;
|
||||
allow osquery_t getty_t:dir { getattr open read search };
|
||||
allow osquery_t getty_t:file { getattr open read };
|
||||
|
||||
allow osquery_t getty_t:lnk_file { getattr read };
|
||||
allow osquery_t getty_unit_file_t:file getattr;
|
||||
allow osquery_t gpg_agent_exec_t:file getattr;
|
||||
allow osquery_t gpg_exec_t:file getattr;
|
||||
allow osquery_t groupadd_exec_t:file getattr;
|
||||
allow osquery_t gssd_exec_t:file getattr;
|
||||
allow osquery_t gssproxy_exec_t:file getattr;
|
||||
allow osquery_t gssproxy_t:dir { getattr open read search };
|
||||
allow osquery_t gssproxy_t:file { getattr open read };
|
||||
|
||||
allow osquery_t gssproxy_t:lnk_file { getattr read };
|
||||
|
||||
#!!!! WARNING: 'home_root_t' is a base type.
|
||||
allow osquery_t home_root_t:dir read;
|
||||
allow osquery_t hostname_exec_t:file getattr;
|
||||
allow osquery_t hugetlbfs_t:dir { getattr open read };
|
||||
allow osquery_t hugetlbfs_t:filesystem getattr;
|
||||
allow osquery_t hwclock_exec_t:file getattr;
|
||||
allow osquery_t hypervkvp_exec_t:file getattr;
|
||||
allow osquery_t hypervvssd_exec_t:file getattr;
|
||||
allow osquery_t ifconfig_exec_t:file getattr;
|
||||
allow osquery_t init_exec_t:file getattr;
|
||||
allow osquery_t init_t:dir read;
|
||||
allow osquery_t init_t:file { getattr open read };
|
||||
|
||||
allow osquery_t init_t:lnk_file { getattr read };
|
||||
allow osquery_t initctl_t:fifo_file getattr;
|
||||
allow osquery_t initrc_exec_t:file getattr;
|
||||
allow osquery_t initrc_var_run_t:file { lock open read };
|
||||
allow osquery_t insmod_exec_t:file getattr;
|
||||
allow osquery_t iptables_exec_t:file getattr;
|
||||
allow osquery_t irqbalance_exec_t:file getattr;
|
||||
allow osquery_t journalctl_exec_t:file getattr;
|
||||
allow osquery_t kernel_t:dir { getattr open read search };
|
||||
allow osquery_t kernel_t:file { getattr open read };
|
||||
allow osquery_t kernel_t:lnk_file { getattr read };
|
||||
|
||||
#!!!! This avc can be allowed using the boolean 'domain_can_write_kmsg'
|
||||
allow osquery_t kmsg_device_t:chr_file getattr;
|
||||
allow osquery_t ldconfig_exec_t:file getattr;
|
||||
allow osquery_t load_policy_exec_t:file getattr;
|
||||
allow osquery_t loadkeys_exec_t:file getattr;
|
||||
allow osquery_t login_exec_t:file getattr;
|
||||
allow osquery_t logrotate_exec_t:file getattr;
|
||||
allow osquery_t loop_control_device_t:chr_file getattr;
|
||||
allow osquery_t lvm_control_t:chr_file { getattr ioctl open read write };
|
||||
allow osquery_t lvm_etc_t:dir { getattr open read };
|
||||
allow osquery_t lvm_etc_t:file { getattr open read };
|
||||
allow osquery_t lvm_exec_t:file getattr;
|
||||
allow osquery_t lvm_lock_t:dir { add_name getattr read remove_name search write };
|
||||
allow osquery_t lvm_lock_t:file { append create getattr lock open read unlink };
|
||||
allow osquery_t lvm_metadata_t:dir { add_name getattr open read remove_name write };
|
||||
allow osquery_t lvm_metadata_t:file { create getattr lock open read rename unlink write };
|
||||
allow osquery_t lvm_t:dir { getattr open read search };
|
||||
allow osquery_t lvm_t:file { getattr open read };
|
||||
|
||||
allow osquery_t lvm_t:lnk_file { getattr read };
|
||||
allow osquery_t lvm_unit_file_t:file getattr;
|
||||
allow osquery_t mandb_exec_t:file getattr;
|
||||
allow osquery_t mdadm_exec_t:file getattr;
|
||||
allow osquery_t memory_device_t:chr_file getattr;
|
||||
allow osquery_t modules_conf_t:dir { getattr open read };
|
||||
allow osquery_t modules_conf_t:file getattr;
|
||||
allow osquery_t mount_exec_t:file getattr;
|
||||
allow osquery_t mouse_device_t:chr_file getattr;
|
||||
allow osquery_t mtrr_device_t:file getattr;
|
||||
allow osquery_t mysqld_etc_t:dir { getattr open read };
|
||||
allow osquery_t mysqld_etc_t:file getattr;
|
||||
allow osquery_t namespace_init_exec_t:file getattr;
|
||||
allow osquery_t netcontrol_device_t:chr_file getattr;
|
||||
allow osquery_t netutils_exec_t:file getattr;
|
||||
allow osquery_t nfsd_exec_t:file getattr;
|
||||
allow osquery_t nfsd_unit_file_t:file getattr;
|
||||
allow osquery_t nvram_device_t:chr_file getattr;
|
||||
allow osquery_t oddjob_mkhomedir_exec_t:file getattr;
|
||||
allow osquery_t osquery_conf_t:file getattr;
|
||||
allow osquery_t osquery_unit_file_t:file getattr;
|
||||
allow osquery_t pam_console_exec_t:file getattr;
|
||||
allow osquery_t pam_timestamp_exec_t:file getattr;
|
||||
allow osquery_t passwd_exec_t:file getattr;
|
||||
allow osquery_t pinentry_exec_t:file getattr;
|
||||
allow osquery_t ping_exec_t:file getattr;
|
||||
allow osquery_t plymouth_exec_t:file getattr;
|
||||
allow osquery_t plymouthd_exec_t:file getattr;
|
||||
allow osquery_t policykit_auth_exec_t:file getattr;
|
||||
allow osquery_t policykit_exec_t:file getattr;
|
||||
allow osquery_t policykit_t:dir { getattr open read search };
|
||||
allow osquery_t policykit_t:file { getattr open read };
|
||||
|
||||
allow osquery_t policykit_t:lnk_file { getattr read };
|
||||
allow osquery_t postfix_etc_t:dir { getattr open read };
|
||||
allow osquery_t postfix_etc_t:file getattr;
|
||||
allow osquery_t postfix_map_exec_t:file getattr;
|
||||
allow osquery_t postfix_master_exec_t:file getattr;
|
||||
allow osquery_t postfix_master_t:dir { getattr open read search };
|
||||
allow osquery_t postfix_master_t:file { getattr open read };
|
||||
|
||||
allow osquery_t postfix_master_t:lnk_file { getattr read };
|
||||
allow osquery_t postfix_pickup_exec_t:file getattr;
|
||||
allow osquery_t postfix_pickup_t:dir { getattr open read search };
|
||||
allow osquery_t postfix_pickup_t:file { getattr open read };
|
||||
|
||||
allow osquery_t postfix_pickup_t:lnk_file { getattr read };
|
||||
allow osquery_t postfix_postdrop_exec_t:file getattr;
|
||||
allow osquery_t postfix_postqueue_exec_t:file getattr;
|
||||
allow osquery_t postfix_qmgr_exec_t:file getattr;
|
||||
allow osquery_t postfix_qmgr_t:dir { getattr open read search };
|
||||
allow osquery_t postfix_qmgr_t:file { getattr open read };
|
||||
|
||||
allow osquery_t postfix_qmgr_t:lnk_file { getattr read };
|
||||
allow osquery_t postfix_spool_t:dir getattr;
|
||||
allow osquery_t ppp_device_t:chr_file getattr;
|
||||
allow osquery_t pppd_etc_rw_t:dir { getattr open read };
|
||||
allow osquery_t pppd_etc_t:dir { getattr open read };
|
||||
allow osquery_t pppd_exec_t:file getattr;
|
||||
allow osquery_t pppd_initrc_exec_t:file getattr;
|
||||
allow osquery_t proc_kcore_t:file getattr;
|
||||
allow osquery_t proc_kmsg_t:file getattr;
|
||||
allow osquery_t proc_mdstat_t:file getattr;
|
||||
allow osquery_t proc_net_t:file { getattr open read };
|
||||
allow osquery_t proc_t:dir read;
|
||||
allow osquery_t proc_t:file { getattr open read };
|
||||
allow osquery_t proc_t:filesystem getattr;
|
||||
allow osquery_t pstore_t:filesystem getattr;
|
||||
allow osquery_t ptmx_t:chr_file getattr;
|
||||
allow osquery_t quota_exec_t:file getattr;
|
||||
|
||||
#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
|
||||
allow osquery_t random_device_t:chr_file getattr;
|
||||
allow osquery_t rdisc_exec_t:file getattr;
|
||||
allow osquery_t rpc_pipefs_t:filesystem getattr;
|
||||
allow osquery_t rpcbind_exec_t:file getattr;
|
||||
allow osquery_t rpcbind_t:dir { getattr open read search };
|
||||
allow osquery_t rpcbind_t:file { getattr open read };
|
||||
|
||||
allow osquery_t rpcbind_t:lnk_file { getattr read };
|
||||
allow osquery_t rpcd_exec_t:file getattr;
|
||||
allow osquery_t rpcd_unit_file_t:file getattr;
|
||||
allow osquery_t rpm_exec_t:file getattr;
|
||||
allow osquery_t rpm_script_tmp_t:dir read;
|
||||
allow osquery_t rsync_etc_t:file getattr;
|
||||
allow osquery_t rsync_exec_t:file getattr;
|
||||
allow osquery_t screen_exec_t:file getattr;
|
||||
allow osquery_t scsi_generic_device_t:chr_file getattr;
|
||||
allow osquery_t self:capability { dac_override sys_rawio };
|
||||
allow osquery_t self:netlink_kobject_uevent_socket { bind create getattr setopt };
|
||||
allow osquery_t self:process setsched;
|
||||
|
||||
#!!!! The file '/var/osquery/osquery.em' is mislabeled on your system.
|
||||
#!!!! Fix with $ restorecon -R -v /var/osquery/osquery.em
|
||||
#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
|
||||
allow osquery_t self:unix_stream_socket connectto;
|
||||
allow osquery_t selinux_config_t:dir read;
|
||||
allow osquery_t selinux_login_config_t:dir { getattr open read };
|
||||
allow osquery_t semanage_exec_t:file getattr;
|
||||
allow osquery_t semanage_store_t:dir { getattr open read };
|
||||
allow osquery_t semanage_store_t:file { getattr open read };
|
||||
allow osquery_t sendmail_exec_t:file getattr;
|
||||
allow osquery_t setfiles_exec_t:file getattr;
|
||||
allow osquery_t setsebool_exec_t:file getattr;
|
||||
allow osquery_t shadow_t:file getattr;
|
||||
allow osquery_t showmount_exec_t:file getattr;
|
||||
|
||||
#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
|
||||
allow osquery_t slapd_cert_t:dir { getattr open read };
|
||||
|
||||
#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
|
||||
allow osquery_t slapd_cert_t:file getattr;
|
||||
allow osquery_t sound_device_t:chr_file getattr;
|
||||
allow osquery_t ssh_agent_exec_t:file getattr;
|
||||
allow osquery_t ssh_exec_t:file getattr;
|
||||
allow osquery_t ssh_home_t:dir { getattr open read };
|
||||
allow osquery_t ssh_home_t:file getattr;
|
||||
allow osquery_t ssh_keygen_exec_t:file getattr;
|
||||
allow osquery_t sshd_exec_t:file getattr;
|
||||
allow osquery_t sshd_key_t:file getattr;
|
||||
allow osquery_t sshd_keygen_exec_t:file getattr;
|
||||
allow osquery_t sshd_t:dir { getattr open read search };
|
||||
allow osquery_t sshd_t:file { getattr open read };
|
||||
|
||||
allow osquery_t sshd_t:lnk_file { getattr read };
|
||||
allow osquery_t sshd_unit_file_t:file getattr;
|
||||
allow osquery_t su_exec_t:file getattr;
|
||||
allow osquery_t sudo_exec_t:file getattr;
|
||||
allow osquery_t sulogin_exec_t:file getattr;
|
||||
allow osquery_t sysctl_fs_t:dir search;
|
||||
allow osquery_t sysctl_irq_t:dir getattr;
|
||||
allow osquery_t sysctl_t:file getattr;
|
||||
allow osquery_t sysfs_t:dir read;
|
||||
allow osquery_t sysfs_t:file { getattr open read };
|
||||
allow osquery_t sysfs_t:filesystem getattr;
|
||||
allow osquery_t sysfs_t:lnk_file { getattr read };
|
||||
allow osquery_t syslog_conf_t:dir { getattr open read };
|
||||
allow osquery_t syslog_conf_t:file getattr;
|
||||
allow osquery_t syslogd_exec_t:file getattr;
|
||||
allow osquery_t syslogd_t:dir { getattr open read search };
|
||||
allow osquery_t syslogd_t:file { getattr open read };
|
||||
|
||||
allow osquery_t syslogd_t:lnk_file { getattr read };
|
||||
allow osquery_t system_cron_spool_t:dir { getattr open read };
|
||||
allow osquery_t system_cron_spool_t:file { getattr open read };
|
||||
allow osquery_t system_cronjob_t:dir { getattr open read search };
|
||||
allow osquery_t system_cronjob_t:file { getattr open read };
|
||||
|
||||
allow osquery_t system_cronjob_t:lnk_file { getattr read };
|
||||
allow osquery_t system_dbusd_t:dir { getattr open read search };
|
||||
allow osquery_t system_dbusd_t:file { getattr open read };
|
||||
|
||||
allow osquery_t system_dbusd_t:lnk_file { getattr read };
|
||||
allow osquery_t systemd_hwdb_etc_t:file getattr;
|
||||
allow osquery_t systemd_hwdb_exec_t:file getattr;
|
||||
allow osquery_t systemd_logind_exec_t:file getattr;
|
||||
allow osquery_t systemd_logind_t:dir { getattr open read search };
|
||||
allow osquery_t systemd_logind_t:file { getattr open read };
|
||||
|
||||
allow osquery_t systemd_logind_t:lnk_file { getattr read };
|
||||
allow osquery_t systemd_notify_exec_t:file getattr;
|
||||
allow osquery_t systemd_passwd_agent_exec_t:file getattr;
|
||||
allow osquery_t systemd_systemctl_exec_t:file getattr;
|
||||
allow osquery_t systemd_tmpfiles_exec_t:file getattr;
|
||||
allow osquery_t systemd_unit_file_t:dir { open read };
|
||||
allow osquery_t systemd_unit_file_t:file getattr;
|
||||
allow osquery_t systemd_unit_file_t:lnk_file read;
|
||||
allow osquery_t tcpd_exec_t:file getattr;
|
||||
allow osquery_t thumb_exec_t:file getattr;
|
||||
|
||||
#!!!! WARNING: 'tmp_t' is a base type.
|
||||
allow osquery_t tmp_t:dir { add_name read remove_name write };
|
||||
allow osquery_t tmp_t:file { create unlink write };
|
||||
|
||||
#!!!! WARNING: 'tmp_t' is a base type.
|
||||
allow osquery_t tmp_t:lnk_file { create unlink };
|
||||
allow osquery_t tmpfs_t:dir read;
|
||||
allow osquery_t tmpfs_t:filesystem getattr;
|
||||
allow osquery_t traceroute_exec_t:file getattr;
|
||||
allow osquery_t tun_tap_device_t:chr_file getattr;
|
||||
allow osquery_t tuned_etc_t:dir { getattr open read };
|
||||
allow osquery_t tuned_etc_t:file getattr;
|
||||
allow osquery_t tuned_exec_t:file getattr;
|
||||
allow osquery_t tuned_rw_etc_t:file getattr;
|
||||
allow osquery_t tuned_t:dir { getattr open read search };
|
||||
allow osquery_t tuned_t:file { getattr open read };
|
||||
|
||||
allow osquery_t tuned_t:lnk_file { getattr read };
|
||||
allow osquery_t udev_exec_t:file getattr;
|
||||
allow osquery_t udev_rules_t:dir { getattr open read };
|
||||
allow osquery_t udev_rules_t:file getattr;
|
||||
allow osquery_t udev_t:dir { getattr open read search };
|
||||
allow osquery_t udev_t:file { getattr open read };
|
||||
allow osquery_t udev_t:lnk_file { getattr read };
|
||||
allow osquery_t udev_var_run_t:file { getattr open read };
|
||||
allow osquery_t uhid_device_t:chr_file getattr;
|
||||
allow osquery_t unconfined_service_t:dir { getattr open read search };
|
||||
allow osquery_t unconfined_service_t:file { getattr open read };
|
||||
allow osquery_t unconfined_service_t:lnk_file { getattr read };
|
||||
allow osquery_t unconfined_t:dir { getattr open read search };
|
||||
allow osquery_t unconfined_t:file { getattr open read };
|
||||
allow osquery_t unconfined_t:lnk_file { getattr read };
|
||||
|
||||
#!!!! WARNING: 'unlabeled_t' is a base type.
|
||||
#!!!! The file '/etc/sysconfig/cloud-info' is mislabeled on your system.
|
||||
#!!!! Fix with $ restorecon -R -v /etc/sysconfig/cloud-info
|
||||
allow osquery_t unlabeled_t:file getattr;
|
||||
allow osquery_t updpwd_exec_t:file getattr;
|
||||
allow osquery_t usbmon_device_t:chr_file getattr;
|
||||
allow osquery_t user_cron_spool_t:dir { getattr open read };
|
||||
allow osquery_t user_fonts_t:dir { getattr open read search };
|
||||
allow osquery_t user_home_dir_t:dir getattr;
|
||||
allow osquery_t user_tmp_t:dir read;
|
||||
allow osquery_t useradd_exec_t:file getattr;
|
||||
allow osquery_t userhelper_conf_t:dir { getattr open read };
|
||||
allow osquery_t userhelper_conf_t:file getattr;
|
||||
allow osquery_t userhelper_exec_t:file getattr;
|
||||
allow osquery_t usernetctl_exec_t:file getattr;
|
||||
allow osquery_t var_log_t:lnk_file unlink;
|
||||
|
||||
#!!!! WARNING 'osquery_t' is not allowed to write or create to var_run_t. Change the label to osquery_var_run_t.
|
||||
allow osquery_t var_run_t:dir { add_name remove_name write };
|
||||
|
||||
#!!!! WARNING 'osquery_t' is not allowed to write or create to var_run_t. Change the label to osquery_var_run_t.
|
||||
#!!!! $ semanage fcontext -a -t osquery_var_run_t /run/osqueryd.pid
|
||||
#!!!! $ restorecon -R -v /run/osqueryd.pid
|
||||
#!!!! The file '/run/osqueryd.pid' is mislabeled on your system.
|
||||
#!!!! Fix with $ restorecon -R -v /run/osqueryd.pid
|
||||
allow osquery_t var_run_t:file { append create getattr open read setattr unlink };
|
||||
|
||||
#!!!! WARNING: 'var_t' is a base type.
|
||||
allow osquery_t var_t:dir { add_name read remove_name setattr write };
|
||||
allow osquery_t var_t:file { create getattr lock open read rename unlink write };
|
||||
allow osquery_t var_t:sock_file { create getattr unlink write };
|
||||
allow osquery_t vfio_device_t:chr_file getattr;
|
||||
allow osquery_t vhost_device_t:chr_file getattr;
|
||||
allow osquery_t virt_qemu_ga_exec_t:file getattr;
|
||||
allow osquery_t virt_qemu_ga_unconfined_exec_t:dir { getattr open read };
|
||||
allow osquery_t vlock_exec_t:file getattr;
|
||||
allow osquery_t wtmp_t:file { open read };
|
||||
allow osquery_t xserver_etc_t:dir { getattr open read };
|
||||
allow osquery_t xserver_misc_device_t:chr_file getattr;
|
||||
|
||||
allow osquery_t print_spool_t:dir search;
|
||||
allow osquery_t rpcbind_var_lib_t:dir search;
|
||||
allow osquery_t self:capability sys_ptrace;
|
||||
|
||||
#============= unconfined_t ==============
|
||||
|
||||
#!!!! This avc is allowed in the current policy
|
||||
allow unconfined_t osquery_conf_t:file relabelto;
|
||||
|
@ -4,7 +4,6 @@
|
||||
osquery_packages:
|
||||
- osquery
|
||||
- rsyslog
|
||||
- libselinux-python
|
||||
|
||||
osquery_debug_packages:
|
||||
- osquery-debuginfo
|
||||
|
@ -4,7 +4,6 @@
|
||||
osquery_packages:
|
||||
- osquery
|
||||
- rsyslog
|
||||
- libselinux-python
|
||||
|
||||
osquery_debug_packages:
|
||||
- osquery-debuginfo
|
||||
|
@ -14,7 +14,7 @@
|
||||
# limitations under the License.
|
||||
|
||||
- name: Setup osquery packs
|
||||
hosts: "{{ kolide_fleet_host | default(groups['kolide-fleet_all'][0]) }}"
|
||||
hosts: kolide-fleet_all[0]
|
||||
become: false
|
||||
vars_files:
|
||||
- vars/variables.yml
|
||||
|
73
osquery/tests/_container-setup.yml
Normal file
73
osquery/tests/_container-setup.yml
Normal file
@ -0,0 +1,73 @@
|
||||
---
|
||||
# Copyright 2018, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Setup host for nspawn
|
||||
hosts: localhost
|
||||
connection: local
|
||||
become: true
|
||||
vars:
|
||||
nspawn_networks:
|
||||
nspawn_address:
|
||||
bridge: "nspawn0"
|
||||
private_device: true
|
||||
enable_dhcp: true
|
||||
dhcp_range: 10.100.101.2,10.100.101.129
|
||||
address: 10.100.101.1
|
||||
netmask: 255.255.255.0
|
||||
macvlan_mode: bridge
|
||||
|
||||
pre_tasks:
|
||||
- name: Ensure root ssh key
|
||||
user:
|
||||
name: "{{ ansible_env.USER | default('root') }}"
|
||||
generate_ssh_key: "yes"
|
||||
ssh_key_bits: 2048
|
||||
ssh_key_file: ".ssh/id_rsa"
|
||||
|
||||
- name: Get root ssh key
|
||||
slurp:
|
||||
src: '~/.ssh/id_rsa.pub'
|
||||
register: _root_ssh_key
|
||||
|
||||
- name: Prepare container ssh key fact
|
||||
set_fact:
|
||||
nspawn_container_ssh_key: "{{ _root_ssh_key['content'] | b64decode }}"
|
||||
|
||||
- name: Ensure public ssh key is in authorized_keys
|
||||
authorized_key:
|
||||
user: "{{ ansible_env.USER | default('root') }}"
|
||||
key: "{{ nspawn_container_ssh_key }}"
|
||||
manage_dir: no
|
||||
|
||||
roles:
|
||||
- role: "nspawn_hosts"
|
||||
|
||||
|
||||
- name: Create container(s)
|
||||
hosts: all_containers
|
||||
gather_facts: false
|
||||
become: true
|
||||
pre_tasks:
|
||||
- name: Show container facts
|
||||
debug:
|
||||
var: hostvars
|
||||
|
||||
roles:
|
||||
- role: "nspawn_container_create"
|
||||
|
||||
post_tasks:
|
||||
- name: Rescan quotas
|
||||
command: "btrfs quota rescan -w /var/lib/machines"
|
||||
delegate_to: "{{ physical_host }}"
|
41
osquery/tests/_key-setup.yml
Normal file
41
osquery/tests/_key-setup.yml
Normal file
@ -0,0 +1,41 @@
|
||||
---
|
||||
# Copyright 2018, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Setup host keys
|
||||
hosts: physical_hosts
|
||||
connection: local
|
||||
become: true
|
||||
tasks:
|
||||
- name: Ensure root ssh key
|
||||
user:
|
||||
name: "{{ ansible_env.USER | default('root') }}"
|
||||
generate_ssh_key: "yes"
|
||||
ssh_key_bits: 2048
|
||||
ssh_key_file: ".ssh/id_rsa"
|
||||
|
||||
- name: Get root ssh key
|
||||
slurp:
|
||||
src: '~/.ssh/id_rsa.pub'
|
||||
register: _root_ssh_key
|
||||
|
||||
- name: Prepare container ssh key fact
|
||||
set_fact:
|
||||
nspawn_container_ssh_key: "{{ _root_ssh_key['content'] | b64decode }}"
|
||||
|
||||
- name: Ensure public ssh key is in authorized_keys
|
||||
authorized_key:
|
||||
user: "{{ ansible_env.USER | default('root') }}"
|
||||
key: "{{ nspawn_container_ssh_key }}"
|
||||
manage_dir: no
|
33
osquery/tests/ansible-role-requirements.yml
Normal file
33
osquery/tests/ansible-role-requirements.yml
Normal file
@ -0,0 +1,33 @@
|
||||
---
|
||||
- name: apt_package_pinning
|
||||
scm: git
|
||||
src: https://git.openstack.org/openstack/openstack-ansible-apt_package_pinning
|
||||
version: master
|
||||
- name: config_template
|
||||
scm: git
|
||||
src: https://git.openstack.org/openstack/ansible-config_template
|
||||
version: master
|
||||
- name: nspawn_container_create
|
||||
scm: git
|
||||
src: https://git.openstack.org/openstack/openstack-ansible-nspawn_container_create
|
||||
version: master
|
||||
- name: nspawn_hosts
|
||||
scm: git
|
||||
src: https://git.openstack.org/openstack/openstack-ansible-nspawn_hosts
|
||||
version: master
|
||||
- name: plugins
|
||||
scm: git
|
||||
src: https://git.openstack.org/openstack/openstack-ansible-plugins
|
||||
version: master
|
||||
- name: systemd_mount
|
||||
scm: git
|
||||
src: https://git.openstack.org/openstack/ansible-role-systemd_mount
|
||||
version: master
|
||||
- name: systemd_networkd
|
||||
scm: git
|
||||
src: https://git.openstack.org/openstack/ansible-role-systemd_networkd
|
||||
version: master
|
||||
- name: systemd_service
|
||||
scm: git
|
||||
src: https://git.openstack.org/openstack/ansible-role-systemd_service
|
||||
version: master
|
158
osquery/tests/functional.yml
Normal file
158
osquery/tests/functional.yml
Normal file
@ -0,0 +1,158 @@
|
||||
---
|
||||
# Copyright 2018, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- import_playbook: run-setup.yml
|
||||
|
||||
- name: Basic setup
|
||||
hosts: "all"
|
||||
become: true
|
||||
|
||||
environment:
|
||||
# ZUUL_PROJECT is used by tests/get-ansible-role-requirements to
|
||||
# determine when CI provided repos should be used.
|
||||
ZUUL_PROJECT: "{{ zuul.project.short_name }}"
|
||||
ANSIBLE_PACKAGE: "{{ ansible_package | default('') }}"
|
||||
ANSIBLE_HOST_KEY_CHECKING: "False"
|
||||
ANSIBLE_LOG_PATH: "/tmp/osquery-logs/ansible-osquery-test.log"
|
||||
|
||||
vars:
|
||||
inventory_file: "inventory/test-{{ (contianer_inventory | bool) | ternary('container', 'metal') }}-inventory.yml"
|
||||
|
||||
pre_tasks:
|
||||
- name: Create swap file
|
||||
command: "dd if=/dev/zero of=/swap.img bs=1M count=4096"
|
||||
args:
|
||||
creates: /swap.img
|
||||
register: swap_create
|
||||
|
||||
- name: Format the swap file
|
||||
command: mkswap /swap.img
|
||||
when:
|
||||
- swap_create is changed
|
||||
tags:
|
||||
- swap-format
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Enable swap file
|
||||
command: swapon /swap.img
|
||||
failed_when: false
|
||||
tags:
|
||||
- swap-format
|
||||
- skip_ansible_lint
|
||||
|
||||
- name: Set system swappiness
|
||||
sysctl:
|
||||
name: vm.swappiness
|
||||
value: 10
|
||||
state: present
|
||||
reload: "yes"
|
||||
sysctl_file: /etc/sysctl.d/99-elasticsearch.conf
|
||||
|
||||
- name: Create tmp osquery dir
|
||||
file:
|
||||
path: "/tmp/osquery-logs"
|
||||
state: directory
|
||||
|
||||
- name: Flush iptables rules
|
||||
command: "{{ item }}"
|
||||
args:
|
||||
creates: "/tmp/osquery-logs/iptables.flushed"
|
||||
with_items:
|
||||
- "iptables -F"
|
||||
- "iptables -X"
|
||||
- "iptables -t nat -F"
|
||||
- "iptables -t nat -X"
|
||||
- "iptables -t mangle -F"
|
||||
- "iptables -t mangle -X"
|
||||
- "iptables -P INPUT ACCEPT"
|
||||
- "iptables -P FORWARD ACCEPT"
|
||||
- "iptables -P OUTPUT ACCEPT"
|
||||
- "touch /tmp/osquery-logs/iptables.flushed"
|
||||
|
||||
- name: First ensure apt cache is always refreshed
|
||||
apt:
|
||||
update_cache: yes
|
||||
when:
|
||||
- ansible_pkg_mgr == 'apt'
|
||||
|
||||
tasks:
|
||||
- name: Run embedded ansible installation
|
||||
become: yes
|
||||
become_user: root
|
||||
command: "./bootstrap-embedded-ansible.sh"
|
||||
args:
|
||||
chdir: "src/{{ current_test_repo }}/osquery"
|
||||
|
||||
- name: Run ansible-galaxy (tests)
|
||||
become: yes
|
||||
become_user: root
|
||||
command: "/root/ansible25/bin/ansible-galaxy install --force --ignore-errors --roles-path=/root/ansible25/repositories/roles -r ansible-role-requirements.yml"
|
||||
args:
|
||||
chdir: "src/{{ current_test_repo }}/osquery/tests"
|
||||
|
||||
- name: Run ansible-galaxy (osquery)
|
||||
become: yes
|
||||
become_user: root
|
||||
command: "/root/ansible25/bin/ansible-galaxy install --force --ignore-errors --roles-path=/root/ansible25/repositories/roles -r ansible-role-requirements.yml"
|
||||
args:
|
||||
chdir: "src/{{ current_test_repo }}/osquery"
|
||||
|
||||
- name: Run environment setup
|
||||
become: yes
|
||||
become_user: root
|
||||
command: "/root/ansible25/bin/ansible-playbook -i {{ inventory_file }} -e @test-vars.yml _key-setup.yml"
|
||||
environment:
|
||||
ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
|
||||
ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
|
||||
ANSIBLE_LOG_PATH: "/tmp/osquery-logs/ansible-osquery-test-container-setup.log"
|
||||
ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
|
||||
args:
|
||||
chdir: "src/{{ current_test_repo }}/osquery/tests"
|
||||
when:
|
||||
- ansible_service_mgr != 'systemd' or
|
||||
not (contianer_inventory | bool)
|
||||
|
||||
- name: Run environment setup
|
||||
become: yes
|
||||
become_user: root
|
||||
command: "/root/ansible25/bin/ansible-playbook -i {{ inventory_file }} -e @test-vars.yml _container-setup.yml"
|
||||
environment:
|
||||
ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
|
||||
ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
|
||||
ANSIBLE_LOG_PATH: "/tmp/osquery-logs/ansible-osquery-test-container-setup.log"
|
||||
ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
|
||||
args:
|
||||
chdir: "src/{{ current_test_repo }}/osquery/tests"
|
||||
when:
|
||||
- ansible_service_mgr == 'systemd'
|
||||
- contianer_inventory | bool
|
||||
|
||||
- name: Wait 15 seconds
|
||||
command: "sleep 15"
|
||||
changed_when: false
|
||||
when:
|
||||
- ansible_service_mgr == 'systemd'
|
||||
|
||||
- name: Run functional test
|
||||
become: yes
|
||||
become_user: root
|
||||
command: "/root/ansible25/bin/ansible-playbook -i tests/{{ inventory_file }} -e @tests/test-vars.yml site.yml"
|
||||
environment:
|
||||
ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
|
||||
ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
|
||||
ANSIBLE_LOG_PATH: "/tmp/osquery-logs/ansible-osquery-test-deployment.log"
|
||||
ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
|
||||
args:
|
||||
chdir: "src/{{ current_test_repo }}/osquery"
|
52
osquery/tests/inventory/test-container-inventory.yml
Normal file
52
osquery/tests/inventory/test-container-inventory.yml
Normal file
@ -0,0 +1,52 @@
|
||||
---
|
||||
all:
|
||||
hosts:
|
||||
# Local host
|
||||
localhost:
|
||||
ansible_connection: local
|
||||
ansible_host: 127.0.0.1
|
||||
ansible_user: root
|
||||
|
||||
kolide-fleet1:
|
||||
ansible_host: 172.29.236.100
|
||||
ansible_user: root
|
||||
|
||||
|
||||
hosts:
|
||||
vars:
|
||||
physical_host: localhost
|
||||
management_cidr: "172.29.236.0/24"
|
||||
container_networks:
|
||||
management_address:
|
||||
address: "172.29.236.1"
|
||||
netmask: "255.255.255.0"
|
||||
bridge: "{{ hostvars[physical_host]['ansible_default_ipv4']['alias'] }}"
|
||||
|
||||
hosts:
|
||||
localhost: {}
|
||||
|
||||
|
||||
all_containers:
|
||||
vars:
|
||||
physical_host: localhost
|
||||
container_tech: nspawn
|
||||
container_networks:
|
||||
management_address:
|
||||
address: "{{ ansible_host }}"
|
||||
netmask: "255.255.255.0"
|
||||
bridge: "{{ hostvars[physical_host]['ansible_default_ipv4']['alias'] }}"
|
||||
|
||||
children:
|
||||
mariadb_all:
|
||||
children:
|
||||
mariadb:
|
||||
hosts:
|
||||
kolide-fleet1: {}
|
||||
|
||||
fleet_all:
|
||||
children:
|
||||
kolide-fleet_all:
|
||||
children:
|
||||
kolide-fleet:
|
||||
hosts:
|
||||
kolide-fleet1: {}
|
28
osquery/tests/inventory/test-metal-inventory.yml
Normal file
28
osquery/tests/inventory/test-metal-inventory.yml
Normal file
@ -0,0 +1,28 @@
|
||||
---
|
||||
all:
|
||||
hosts:
|
||||
# Local host
|
||||
localhost:
|
||||
ansible_connection: local
|
||||
ansible_host: 127.0.0.1
|
||||
ansible_user: root
|
||||
|
||||
hosts:
|
||||
hosts:
|
||||
localhost: {}
|
||||
|
||||
|
||||
mariadb_all:
|
||||
children:
|
||||
mariadb:
|
||||
hosts:
|
||||
localhost: {}
|
||||
|
||||
|
||||
fleet_all:
|
||||
children:
|
||||
kolide-fleet_all:
|
||||
children:
|
||||
kolide-fleet:
|
||||
hosts:
|
||||
localhost: {}
|
16
osquery/tests/manual-test.rc
Normal file
16
osquery/tests/manual-test.rc
Normal file
@ -0,0 +1,16 @@
|
||||
export ANSIBLE_HOST_KEY_CHECKING="False"
|
||||
export ANSIBLE_ROLES_PATH="${HOME}/ansible25/repositories/roles"
|
||||
export ANSIBLE_ACTION_PLUGINS="${HOME}/ansible25/repositories/roles/config_template/action"
|
||||
export ANSIBLE_CONNECTION_PLUGINS="${HOME}/ansible25/repositories/roles/plugins/connection"
|
||||
export ANSIBLE_LOG_PATH="/tmp/osquery-logs/ansible-elk-test.log"
|
||||
|
||||
if [[ ! -d "/tmp/osquery-logs" ]]; then
|
||||
mkdir -pv "/tmp/osquery-logs"
|
||||
chmod 0777 "/tmp/osquery-logs"
|
||||
fi
|
||||
|
||||
echo "To build a test environment run the following:"
|
||||
echo -e "# /root/ansible25/bin/ansible-playbook -i tests/inventory/test-container-inventory.yml tests/test.yml --limit localhost\n"
|
||||
|
||||
echo "Run manual functional tests by executing the following:"
|
||||
echo -e "# /root/ansible25/bin/ansible-playbook -i tests/inventory/test-container-inventory.yml site.yml\n"
|
27
osquery/tests/post-run.yml
Normal file
27
osquery/tests/post-run.yml
Normal file
@ -0,0 +1,27 @@
|
||||
---
|
||||
# Copyright 2018, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- import_playbook: run-setup.yml
|
||||
|
||||
- name: Run post tasks
|
||||
hosts: "all"
|
||||
tasks:
|
||||
- name: Copy logs back to the executor
|
||||
synchronize:
|
||||
src: "/tmp/osquery-logs"
|
||||
dest: "{{ zuul.executor.log_root }}/"
|
||||
mode: pull
|
||||
rsync_opts:
|
||||
- "--quiet"
|
34
osquery/tests/run-cleanup.sh
Executable file
34
osquery/tests/run-cleanup.sh
Executable file
@ -0,0 +1,34 @@
|
||||
#!/usr/bin/env bash
|
||||
# Copyright 2018, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
set -e
|
||||
|
||||
export TEST_DIR="$(readlink -f $(dirname ${0})/../../)"
|
||||
|
||||
# Stop beat processes
|
||||
(systemctl stop osqueryd.service || true) &
|
||||
|
||||
# Stop and remove containers
|
||||
for i in {1..3}; do
|
||||
if machinectl list-images | grep -v ubuntu | awk '/sub/ {print $1}' | xargs -n 1 machinectl kill; then
|
||||
sleep 1
|
||||
fi
|
||||
done
|
||||
|
||||
for i in {1..3}; do
|
||||
if machinectl list-images | grep -v ubuntu | awk '/sub/ {print $1}' | xargs -n 1 machinectl remove; then
|
||||
sleep 1
|
||||
fi
|
||||
done
|
53
osquery/tests/run-setup.yml
Normal file
53
osquery/tests/run-setup.yml
Normal file
@ -0,0 +1,53 @@
|
||||
---
|
||||
# Copyright 2018, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Zuul facts
|
||||
hosts: "all"
|
||||
tasks:
|
||||
- name: Set zuul fact
|
||||
set_fact:
|
||||
zuul:
|
||||
project:
|
||||
canonical_name: "openstack-ansible-ops"
|
||||
short_name: "ops"
|
||||
executor:
|
||||
log_root: "{{ ansible_env.HOME }}/elk-test-logs"
|
||||
when:
|
||||
- zuul is not defined
|
||||
|
||||
- name: Print zuul fact
|
||||
debug: var=zuul
|
||||
|
||||
- name: Set current test repo (cross-repo)
|
||||
set_fact:
|
||||
current_test_repo: "git.openstack.org/{{ osa_test_repo }}"
|
||||
when:
|
||||
- osa_test_repo is defined
|
||||
|
||||
- name: Set current test repo (non-cross-repo)
|
||||
set_fact:
|
||||
current_test_repo: "{{ zuul.project.canonical_name }}"
|
||||
when:
|
||||
- osa_test_repo is not defined
|
||||
|
||||
- name: Set inventory for test
|
||||
set_fact:
|
||||
contianer_inventory: "{{ test_clustered_kolide | default(false) | bool }}"
|
||||
|
||||
post_tasks:
|
||||
- name: Ensure the log directory exists
|
||||
file:
|
||||
path: "/tmp/osquery-logs"
|
||||
state: directory
|
45
osquery/tests/run-tests.sh
Executable file
45
osquery/tests/run-tests.sh
Executable file
@ -0,0 +1,45 @@
|
||||
#!/usr/bin/env bash
|
||||
# Copyright 2018, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
set -ve
|
||||
|
||||
export TEST_DIR="$(readlink -f $(dirname ${0})/../../)"
|
||||
|
||||
pushd "${HOME}"
|
||||
if [[ ! -d "src" ]]; then
|
||||
mkdir src
|
||||
fi
|
||||
pushd src
|
||||
ln -sf "${TEST_DIR}"
|
||||
popd
|
||||
popd
|
||||
|
||||
source ${TEST_DIR}/osquery/tests/manual-test.rc
|
||||
|
||||
bash -v "${TEST_DIR}/osquery/bootstrap-embedded-ansible.sh"
|
||||
|
||||
${HOME}/ansible25/bin/ansible-galaxy install --force \
|
||||
--roles-path="${HOME}/ansible25/repositories/roles" \
|
||||
--role-file="${TEST_DIR}/osquery/tests/ansible-role-requirements.yml"
|
||||
|
||||
if [[ ! -e "${TEST_DIR}/osquery/tests/src" ]]; then
|
||||
ln -s ${TEST_DIR}/../ ${TEST_DIR}/osquery/tests/src
|
||||
fi
|
||||
|
||||
${HOME}/ansible25/bin/ansible-playbook -i 'localhost,' \
|
||||
-vv \
|
||||
-e ansible_connection=local \
|
||||
-e test_clustered_kolide=${CLUSTERED:-no} \
|
||||
${TEST_DIR}/osquery/tests/test.yml
|
23
osquery/tests/test-vars.yml
Normal file
23
osquery/tests/test-vars.yml
Normal file
@ -0,0 +1,23 @@
|
||||
---
|
||||
# Copyright 2018, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
physical_host: localhost
|
||||
|
||||
galera_root_password: secrete
|
||||
kolide_fleet_db_password: secrete
|
||||
kolide_fleet_admin_password: secrete
|
||||
kolide_fleet_jwt_key: secrete
|
||||
|
||||
osa_test_repo: "openstack/openstack-ansible-ops"
|
16
osquery/tests/test.yml
Normal file
16
osquery/tests/test.yml
Normal file
@ -0,0 +1,16 @@
|
||||
---
|
||||
# Copyright 2018, Rackspace US, Inc.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- import_playbook: functional.yml
|
@ -83,3 +83,27 @@
|
||||
vars:
|
||||
osa_test_repo: "openstack/openstack-ansible-ops"
|
||||
test_clustered_elk: true
|
||||
|
||||
- job:
|
||||
name: "openstack-ansible-ops:osquery-ubuntu-xenial"
|
||||
parent: base
|
||||
description: "Runs a gate test on the osquery project."
|
||||
run: "osquery/tests/test.yml"
|
||||
post-run: "osquery/tests/post-run.yml"
|
||||
voting: true
|
||||
files:
|
||||
- ^osquery/.*
|
||||
|
||||
- job:
|
||||
name: "openstack-ansible-ops:osquery-ubuntu-bionic"
|
||||
parent: "openstack-ansible-ops:osquery-ubuntu-xenial"
|
||||
nodeset: ubuntu-bionic
|
||||
|
||||
- job:
|
||||
name: "openstack-ansible-ops:osquery-ubuntu-bionic-clustered"
|
||||
parent: "openstack-ansible-ops:osquery-ubuntu-xenial"
|
||||
nodeset: ubuntu-bionic
|
||||
voting: true
|
||||
vars:
|
||||
osa_test_repo: "openstack/openstack-ansible-ops"
|
||||
test_clustered_kolide: true
|
||||
|
@ -29,6 +29,9 @@
|
||||
- openstack-ansible-ops:elk_metrics_6x-ubuntu-bionic
|
||||
- openstack-ansible-ops:elk_metrics_6x-ubuntu-xenial-clustered
|
||||
- openstack-ansible-ops:elk_metrics_6x-ubuntu-bionic-clustered
|
||||
- openstack-ansible-ops:osquery-ubuntu-xenial
|
||||
- openstack-ansible-ops:osquery-ubuntu-bionic
|
||||
gate:
|
||||
jobs:
|
||||
- openstack-ansible-ops:elk_metrics_6x-ubuntu-xenial
|
||||
- openstack-ansible-ops:elk_metrics_6x-ubuntu-bionic
|
||||
- openstack-ansible-ops:osquery-ubuntu-bionic
|
||||
|
Loading…
x
Reference in New Issue
Block a user