Add osquery testing

Change-Id: Ia8249da40bf5eb0e09b5d7811eb126b60dc5dc73
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

bootstrap-embedded-ansible/bootstrap-embedded-ansible.sh

@@ -42,6 +42,7 @@ if [[ ! -e "${ANSIBLE_EMBED_HOME}/bin/ansible" ]]; then
   eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade ansible==2.5.5.0 --isolated"
   eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade jmespath --isolated"
   eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade hvac --isolated"
+  eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade netaddr --isolated"
   echo "Ansible can be found here: ${ANSIBLE_EMBED_HOME}/bin"
 fi
 

elk_metrics_6x/README.rst

@@ -595,7 +595,7 @@ deployed to the environment as if this was a production installation.
 
 .. code-block:: bash
 
-    tests/run-tests.sh
+    CLUSTERED=yes tests/run-tests.sh
 
 
 After the test build is completed the cluster will test it's layout and ensure

elk_metrics_6x/tests/_container-setup.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: Setup host for nspawn
-  hosts: physical_hosts
+  hosts: localhost
   connection: local
   become: true
   vars:

elk_metrics_6x/tests/functional.yml

@@ -60,6 +60,11 @@
         reload: "yes"
         sysctl_file: /etc/sysctl.d/99-elasticsearch.conf
 
+    - name: Create tmp osquery dir
+      file:
+        path: "/tmp/elk-metrics-6x-logs"
+        state: directory
+
     - name: Flush iptables rules
       command: "{{ item }}"
       args:
@@ -90,17 +95,19 @@
       args:
         chdir: "src/{{ current_test_repo }}/elk_metrics_6x"
 
-    - name: Run ansible-galaxy
+    - name: Run ansible-galaxy (tests)
       become: yes
       become_user: root
-      command: "/root/ansible25/bin/ansible-galaxy install --force -r ansible-role-requirements.yml"
+      command: "/root/ansible25/bin/ansible-galaxy install --force --ignore-errors --roles-path=/root/ansible25/repositories/roles -r ansible-role-requirements.yml"
       args:
-        chdir: "src/{{ current_test_repo }}/elk_metrics_6x/tests"
+        chdir: "src/{{ current_test_repo }}/osquery/tests"
 
-    - name: Install netaddr
+    - name: Run ansible-galaxy (elk_metrics_6x)
-      pip:
+      become: yes
-        name: netaddr
+      become_user: root
-        virtualenv: "/root/ansible25"
+      command: "/root/ansible25/bin/ansible-galaxy install --force --ignore-errors --roles-path=/root/ansible25/repositories/roles -r ansible-role-requirements.yml"
+      args:
+        chdir: "src/{{ current_test_repo }}/osquery"
 
     - name: Run environment setup
       become: yes
@@ -110,6 +117,7 @@
         ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
         ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
         ANSIBLE_LOG_PATH: "/tmp/elk-metrics-6x-logs/ansible-elk-test-container-setup.log"
+        ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
       args:
         chdir: "src/{{ current_test_repo }}/elk_metrics_6x/tests"
       when:
@@ -124,6 +132,7 @@
         ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
         ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
         ANSIBLE_LOG_PATH: "/tmp/elk-metrics-6x-logs/ansible-elk-test-container-setup.log"
+        ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
       args:
         chdir: "src/{{ current_test_repo }}/elk_metrics_6x/tests"
       when:
@@ -144,6 +153,7 @@
         ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
         ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
         ANSIBLE_LOG_PATH: "/tmp/elk-metrics-6x-logs/ansible-elk-test-deployment.log"
+        ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
       args:
         chdir: "src/{{ current_test_repo }}/elk_metrics_6x"
 
@@ -155,5 +165,6 @@
         ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
         ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
         ANSIBLE_LOG_PATH: "/tmp/elk-metrics-6x-logs/ansible-elk-test-show-cluster.log"
+        ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
       args:
         chdir: "src/{{ current_test_repo }}/elk_metrics_6x"

elk_metrics_6x/tests/run-tests.sh

@@ -34,6 +34,12 @@ ${HOME}/ansible25/bin/ansible-galaxy install --force \
                                              --roles-path="${HOME}/ansible25/repositories/roles" \
                                              --role-file="${TEST_DIR}/elk_metrics_6x/tests/ansible-role-requirements.yml"
 
+if [[ ! -e "${TEST_DIR}/osquery/tests/src" ]]; then
+  ln -s ${TEST_DIR}/../ ${TEST_DIR}/osquery/tests/src
+fi
+
 ${HOME}/ansible25/bin/ansible-playbook -i 'localhost,' \
                                        -vv \
+                                       -e ansible_connection=local \
+                                       -e test_clustered_elk=${CLUSTERED:-no} \
                                        ${TEST_DIR}/elk_metrics_6x/tests/test.yml

osquery/README.rst

@@ -208,10 +208,42 @@ The individual playbooks found within this repository can be independently run
 at anytime.
 
 
+Local testing
+-------------
+
+To test these playbooks within a local environment you will need a single server
+with at leasts 8GiB of RAM and 40GiB of storage on root. Running an `m1.medium`
+(openstack) flavor size is generally enough to get an environment online.
+
+To run the local functional tests execute the `run-tests.sh` script out of the
+tests directory. This will create a 1 node kolide-fleet cluster and install
+osquery on the local host.
+
+.. code-block:: bash
+
+    CLUSTERED=yes tests/run-tests.sh
+
+
+After the test build is completed the cluster will test it's layout and ensure
+processes are functioning normally. Logs for the cluster can be found at
+`/tmp/osquery-logs`.
+
+To rerun the playbooks after a test build, source the `tests/manual-test.rc`
+file and follow the onscreen instructions.
+
+To clean-up a test environment and start from a bare server slate the
+`run-cleanup.sh` script can be used. This script is disruptive and will purge
+all `osquery` related services within the local test environment.
+
+.. code-block:: bash
+
+   tests/run-cleanup.sh
+
+
 Architecture | Data flow
 ^^^^^^^^^^^^^^^^^^^^^^^^
 
-This diagram outlines the data flow from within an Elastic-Stack deployment.
+This diagram outlines the data flow from within an osquery deployment.
 
 .. image:: assets/architecture-osquery.png
     :scale: 50 %
@@ -224,7 +256,7 @@ TODO
 The following is a list of open items.
  - [x] Test Redhat familly Operating Systems
  - [x] missing mariadb cluster (should all work needs additional vars)
- - [ ] use haproxy instead of the kolide fleet server ip
+ - [x] use haproxy instead of the kolide fleet server ip
  - [ ] add/update tags
- - [ ] convert to roles
+ - [x] convert to roles
- - [ ] add testing
+ - [x] add testing

osquery/installOSquery.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: Get osquery facts
-  hosts: "{{ kolide_fleet_host | default(groups['kolide-fleet_all'][0]) }}"
+  hosts: kolide-fleet_all[0]
   become: true
   vars_files:
     - vars/variables.yml
@@ -37,6 +37,21 @@
         - src: "{{ kolide_fleet_ssl_key }}"
           dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
 
+    - name: Retrieve Enrollment Token
+      command: /usr/local/bin/fleetctl get enroll-secret
+      changed_when: false
+      register: _enrollment_token
+
+    - name: Set kolide fleet enrollment token fact
+      set_fact:
+        kolide_fleet_enroll_secret: "{{ _enrollment_token.stdout }}"
+
+    - name: Write enroll secret
+      copy:
+        dest: "/tmp/{{ osquery_enroll_secret_file | basename }}"
+        content: "{{ kolide_fleet_enroll_secret }}"
+        mode: "0640"
+
 
 - name: Install osquery
   hosts: "hosts:all_containers"
@@ -66,23 +81,8 @@
           src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
         - dest: "{{ kolide_fleet_ssl_key }}"
           src: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
-
+        - dest: "{{ osquery_enroll_secret_file }}"
-    - name: retrieve Enrollment Token
+          src: "/tmp/{{ osquery_enroll_secret_file | basename }}"
-      command: /usr/local/bin/fleetctl get enroll-secret
-      changed_when: false
-      register: _enrollment_token
-      delegate_to: "{{ groups['kolide-fleet_all'][0] }}"
-      run_once: true
-
-    - name: Set kolide fleet enrollment token fact
-      set_fact:
-        kolide_fleet_enroll_secret: "{{ _enrollment_token.stdout }}"
-
-    - name: write enroll secret
-      copy:
-        dest: "{{ osquery_enroll_secret_file }}"
-        content: "{{ kolide_fleet_enroll_secret }}"
-        mode: "0640"
 
   post_tasks:
     - name: Cleanup certifactes
@@ -93,6 +93,7 @@
       with_items:
         - "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
         - "/tmp/{{ kolide_fleet_ssl_key | basename }}"
+        - "/tmp/{{ osquery_enroll_secret_file | basename }}"
 
   roles:
     - role: "osquery"

osquery/inventory.example.yml

@@ -1,35 +0,0 @@
----
-
-################################## ALL HOSTS ##################################
-all:
-  hosts:
-    # Local host
-    localhost:
-      ansible_connection: local
-
-################################## REQUIRED ###################################
-    logging01:
-      ansible_host: 172.16.27.100
-      ansible_user: root
-
-  vars: {}
-
-
-################################### GROUPS ####################################
-
-# The hosts group is used to target physical host machines. Enter all physical
-# host machines here.
-hosts:
-  hosts:
-    logging01: {}
-
-# This is the location where fleet(s) will live
-kolide-fleet_all:
-  children:
-    kolide_hosts:
-      hosts:
-        logging01: {}
-
-mariadb_all:
-  children:
-    kolide-fleet_all: {}

osquery/inventory.example.yml

@@ -0,0 +1 @@
+tests/inventory/test-metal-inventory.yml

osquery/roles/fleet/tasks/fleetRegisterAdmin.yml

@@ -13,22 +13,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: check to see if we have alredy registered fleetctl admin
-  stat:
-    path: ~/.fleet/config
-  register: fleet_config_set
-
 - name: set fleetctl default context
   command: /usr/local/bin/fleetctl config set --address https://localhost:{{ kolide_fleet_port }} --tls-skip-verify
   changed_when: false
-  when:
-    - fleet_config_set.stat.exists == false
 
 - name: register admin account
   command: /usr/local/bin/fleetctl setup --email {{ kolide_fleet_admin_email }} --password {{ kolide_fleet_admin_password }}
   changed_when: false
+  failed_when: false
   register: fleet_register_admin
-  ignore_errors: true # ignore errors as we might have already set this it will be caought later
 
 - name: login admin account
   command: /usr/local/bin/fleetctl login --email {{ kolide_fleet_admin_email }} --password {{ kolide_fleet_admin_password }}

osquery/roles/osquery/defaults/main.yml

@@ -12,16 +12,17 @@ osquery_template: 'osquery.conf.j2'
 osquery_upload_packs:
   - osquery-snapshots-pack
   - osquery-monitoring2-pack
+
 osquery_packs:
   - "osquery-monitoring"
   - "incident-response"
   - "it-compliance"
-#  - "osx-attacks"
   - "ossec-rootkit"
   - "vuln-management"
   - "hardware-monitoring"
   - "osquery-snapshots-pack"
-  - osquery-monitoring2-pack
+  - "osquery-monitoring2-pack"
+
 osquery_config_plugin: 'filesystem'
 osquery_logger_plugin: 'filesystem'
 #osquery_logger_plugin: 'syslog'

osquery/roles/osquery/handlers/main.yml

@@ -8,6 +8,3 @@
 
 - name: restart rsyslog
   service: name=rsyslog state=restarted
-
-- name: reload osqueryd apparmor profile
-  shell: cat /etc/apparmor.d/usr.bin.osqueryd | sudo apparmor_parser -r

osquery/roles/osquery/tasks/CentOS.yml

@@ -12,6 +12,3 @@
     dest: "/etc/yum.repos.d/{{ _osquery_repository | basename }}"
     mode: '0644'
     backup: yes
-
-- include: selinux.yml
-  when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker"))

osquery/roles/osquery/tasks/Debian.yml

@@ -31,6 +31,3 @@
     state: present
   tags:
     - osquery
-
-- include: apparmor.yml
-  when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker"))

osquery/roles/osquery/tasks/apparmor.yml

@@ -1,27 +0,0 @@
----
-# https://help.ubuntu.com/lts/serverguide/apparmor.html.en
-
-- name: Ensure apparmor packages are present
-  package:
-    name: "{{ item }}"
-    state: present
-  with_items:
-    - apparmor
-    - apparmor-utils
-    - apparmor-profiles
-
-- name: Ensure apparmor profile is set
-  template:
-    src: apparmor-usr.bin.osqueryd.j2
-    dest: /etc/apparmor.d/usr.bin.osqueryd
-    mode: '0600'
-    owner: root
-    backup: yes
-  notify:
-    - reload osqueryd apparmor profile
-
-- name: Apply apparmor profile for osquery
-  command: aa-complain /usr/bin/osqueryd
-  failed_when: false
-
-# Refine policy with `aa-logprof -f /var/log/syslog`

osquery/roles/osquery/tasks/configure.yml

@@ -118,6 +118,3 @@
 
 - include: syslog-target.yml
   when: osquery_syslog_target != ''
-
-- include: selinux-end.yml
-  when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker")) and ansible_os_family == "RedHat"

osquery/roles/osquery/tasks/selinux-end.yml

@@ -1,10 +0,0 @@
----
-
-- name: RedHat | Ensure selinux context is correctly set
-  command: "/sbin/restorecon -F -R -v {{ item }}"
-  with_items:
-    - /usr/bin/osqueryd
-    - /usr/lib/systemd/system/osqueryd.service
-    - /var/log/osquery
-    - /etc/osquery
-    - /usr/share/osquery/packs

osquery/roles/osquery/tasks/selinux.yml

@@ -1,44 +0,0 @@
----
-
-- name: Ensure selinux package are present
-  package:
-    name: "{{ item }}"
-    state: present
-  with_items:
-    - selinux-policy
-    - selinux-policy-devel
-    - setools-console
-    - libselinux-python
-    - policycoreutils-python
-
-- name: Ensure osquery directory exists
-  file:
-    dest: /etc/osquery
-    state: directory
-    mode: '0755'
-
-- name: Ensure osquery selinux policy is set
-  template:
-    src: "{{ item }}.j2"
-    dest: "/etc/osquery/{{ item }}"
-    mode: '0600'
-    owner: root
-  with_items:
-    - osquery.fc
-    - osquery.sh
-    - osquery.te
-  register: te
-
-# FIXME!
-- name: Generate osquery policy file
-  command: sh -x ./osquery.sh
-  args:
-    chdir: /etc/osquery
-  when: te is changed
-  ignore_errors: true
-
-# `sepolicy generate -n osquery --init /usr/bin/osqueryd`     = OK/base
-# Refine policy with `audit2allow -i /var/log/audit/audit.log -M osquery`
-# `semodule -i osquery.pp`
-# FIXME! 'Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/osquery/cil:2'
-# `/usr/libexec/selinux/hll/pp osquery.pp`

osquery/roles/osquery/templates/osquery.sh.j2

@@ -1,61 +0,0 @@
-#!/bin/sh -e
-
-DIRNAME=`dirname $0`
-cd $DIRNAME
-USAGE="$0 [ --update ]"
-if [ `id -u` != 0 ]; then
-echo 'You must be root to run this script'
-exit 1
-fi
-
-if [ $# -eq 1 ]; then
-        if [ "$1" = "--update" ] ; then
-                time=`ls -l --time-style="+%x %X" osquery.te | awk '{ printf "%s %s", $6, $7 }'`
-                rules=`ausearch --start $time -m avc --raw -se osquery`
-                if [ x"$rules" != "x" ] ; then
-                        echo "Found avc's to update policy with"
-                        echo -e "$rules" | audit2allow -R
-                        echo "Do you want these changes added to policy [y/n]?"
-                        read ANS
-                        if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
-                                echo "Updating policy"
-                                echo -e "$rules" | audit2allow -R >> osquery.te
-                                # Fall though and rebuild policy
-                        else
-                                exit 0
-                        fi
-                else
-                        echo "No new avcs found"
-                        exit 0
-                fi
-        else
-                echo -e $USAGE
-                exit 1
-        fi
-elif [ $# -ge 2 ] ; then
-        echo -e $USAGE
-        exit 1
-fi
-
-echo "Building and Loading Policy"
-set -x
-make -f /usr/share/selinux/devel/Makefile osquery.pp || exit
-/usr/sbin/semodule -i osquery.pp
-
-# Generate a man page off the installed module
-sepolicy manpage -p . -d osquery_t
-# Fixing the file context on /usr/bin/osqueryd
-/sbin/restorecon -F -R -v /usr/bin/osqueryd
-# Fixing the file context on /usr/lib/systemd/system/osqueryd.service
-/sbin/restorecon -F -R -v /usr/lib/systemd/system/osqueryd.service
-# Fixing the file context on /var/log/osquery
-/sbin/restorecon -F -R -v /var/log/osquery
-/sbin/restorecon -F -R -v /etc/osquery
-/sbin/restorecon -F -R -v /usr/share/osquery/packs
-
-
-# Generate a rpm package for the newly generated policy
-
-pwd=$(pwd)
-#rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build"  -ba osquery_selinux.spec
-

osquery/roles/osquery/templates/osquery.te.j2

@@ -1,674 +0,0 @@
-module osquery 1.0;
-
-require {
-        type osquery_t;
-        type osquery_conf_t;
-        type osquery_unit_file_t;
-
-        type insmod_exec_t;
-        type home_root_t;
-        type gssd_exec_t;
-        type udev_exec_t;
-        type sound_device_t;
-        type setsebool_exec_t;
-        type proc_t;
-        type unconfined_service_t;
-        type netutils_exec_t;
-        type load_policy_exec_t;
-        type memory_device_t;
-        type tmp_t;
-        type gpg_exec_t;
-        type autofs_device_t;
-        type systemd_hwdb_exec_t;
-        type tcpd_exec_t;
-        type gssproxy_exec_t;
-        type showmount_exec_t;
-        type rsync_exec_t;
-        type crond_unit_file_t;
-        type udev_rules_t;
-        type systemd_logind_t;
-        type setfiles_exec_t;
-        type sshd_keygen_exec_t;
-        type chronyd_exec_t;
-        type xserver_etc_t;
-        type crond_t;
-        type tun_tap_device_t;
-        type default_context_t;
-        type anacron_exec_t;
-        type virt_qemu_ga_exec_t;
-        type auditd_t;
-        type syslogd_t;
-        type NetworkManager_t;
-        type sysctl_t;
-        type pppd_etc_t;
-        type consolehelper_exec_t;
-        type userhelper_conf_t;
-        type systemd_systemctl_exec_t;
-        type postfix_pickup_exec_t;
-        type syslog_conf_t;
-        type systemd_unit_file_t;
-        type tuned_exec_t;
-        type plymouthd_exec_t;
-        type vlock_exec_t;
-        type systemd_passwd_agent_exec_t;
-        type pinentry_exec_t;
-        type passwd_exec_t;
-        type dmidecode_exec_t;
-        type systemd_notify_exec_t;
-        type hwclock_exec_t;
-        type firewalld_etc_rw_t;
-        type crack_exec_t;
-        type postfix_qmgr_t;
-        type sulogin_exec_t;
-        type netcontrol_device_t;
-        type rpcd_unit_file_t;
-        type auditd_exec_t;
-        type crontab_exec_t;
-        type crash_device_t;
-        type exports_t;
-        type event_device_t;
-        type cgroup_t;
-        type loadkeys_exec_t;
-        type postfix_qmgr_exec_t;
-        type pam_timestamp_exec_t;
-        type random_device_t;
-        type initrc_exec_t;
-        type hugetlbfs_t;
-        type lvm_unit_file_t;
-        type dmesg_exec_t;
-        type proc_mdstat_t;
-        type mouse_device_t;
-        type nfsd_exec_t;
-        type slapd_cert_t;
-        type login_exec_t;
-        type usbmon_device_t;
-        type ldconfig_exec_t;
-        type initctl_t;
-        type debuginfo_exec_t;
-        type postfix_pickup_t;
-        type updpwd_exec_t;
-        type oddjob_mkhomedir_exec_t;
-        type irqbalance_exec_t;
-        type proc_kmsg_t;
-        type gssproxy_t;
-        type postfix_etc_t;
-        type init_exec_t;
-        type postfix_spool_t;
-        type var_run_t;
-        type mtrr_device_t;
-        type hypervvssd_exec_t;
-        type hostname_exec_t;
-        type system_cron_spool_t;
-        type sshd_key_t;
-        type proc_kcore_t;
-        type dbusd_exec_t;
-        type plymouth_exec_t;
-        type tuned_rw_etc_t;
-        type pppd_exec_t;
-        type pam_console_exec_t;
-        type adjtime_t;
-        type chronyc_exec_t;
-        type auditd_unit_file_t;
-        type fuse_device_t;
-        type userhelper_exec_t;
-        type tuned_etc_t;
-        type systemd_logind_exec_t;
-        type var_log_t;
-        type init_t;
-        type pppd_initrc_exec_t;
-        type fs_t;
-        type systemd_tmpfiles_exec_t;
-        type user_home_dir_t;
-        type lvm_etc_t;
-        type chronyd_t;
-        type dbusd_etc_t;
-        type etc_aliases_t;
-        type auditctl_exec_t;
-        type usernetctl_exec_t;
-        type clock_device_t;
-        type traceroute_exec_t;
-        type sshd_t;
-        type mdadm_exec_t;
-        type initrc_var_run_t;
-        type mount_exec_t;
-        type scsi_generic_device_t;
-        type vhost_device_t;
-        type uhid_device_t;
-        type ifconfig_exec_t;
-        type device_t;
-        type namespace_init_exec_t;
-        type lvm_exec_t;
-        type checkpolicy_exec_t;
-        type rpm_script_tmp_t;
-        type user_tmp_t;
-        type unlabeled_t;
-        type sshd_unit_file_t;
-        type policykit_exec_t;
-        type modules_conf_t;
-        type chfn_exec_t;
-        type dhcp_etc_t;
-        type logrotate_exec_t;
-        type getty_unit_file_t;
-        type selinux_config_t;
-        type ppp_device_t;
-        type ssh_keygen_exec_t;
-        type cupsd_rw_etc_t;
-        type authconfig_exec_t;
-        type ssh_exec_t;
-        type rpcbind_t;
-        type audisp_exec_t;
-        type chronyd_keys_t;
-        type dri_device_t;
-        type rpm_exec_t;
-        type getty_t;
-        type virt_qemu_ga_unconfined_exec_t;
-        type NetworkManager_exec_t;
-        type user_fonts_t;
-        type rpc_pipefs_t;
-        type ping_exec_t;
-        type gpg_agent_exec_t;
-        type su_exec_t;
-        type firewalld_exec_t;
-        type getty_exec_t;
-        type quota_exec_t;
-        type devpts_t;
-        type nvram_device_t;
-        type cpu_device_t;
-        type rpcbind_exec_t;
-        type NetworkManager_etc_rw_t;
-        type unconfined_t;
-        type NetworkManager_initrc_exec_t;
-        type sshd_exec_t;
-        type udev_t;
-        type rpcd_exec_t;
-        type fixed_disk_device_t;
-        type selinux_login_config_t;
-        type sysctl_irq_t;
-        type ptmx_t;
-        type ssh_agent_exec_t;
-        type NetworkManager_unit_file_t;
-        type binfmt_misc_fs_t;
-        type semanage_store_t;
-        type framebuf_device_t;
-        type udev_var_run_t;
-        type rdisc_exec_t;
-        type NetworkManager_etc_t;
-        type rsync_etc_t;
-        type postfix_postdrop_exec_t;
-        type tuned_t;
-        type wtmp_t;
-        type dhcpc_exec_t;
-        type useradd_exec_t;
-        type dhcpc_t;
-        type sudo_exec_t;
-        type vfio_device_t;
-        type thumb_exec_t;
-        type crond_exec_t;
-        type bootloader_etc_t;
-        type sysfs_t;
-        type postfix_postqueue_exec_t;
-        type postfix_map_exec_t;
-        type admin_passwd_exec_t;
-        type apm_bios_t;
-        type policykit_t;
-        type iptables_exec_t;
-        type semanage_exec_t;
-        type journalctl_exec_t;
-        type lvm_control_t;
-        type lvm_t;
-        type screen_exec_t;
-        type auditd_etc_t;
-        type xserver_misc_device_t;
-        type fsadm_exec_t;
-        type bootloader_exec_t;
-        type system_cronjob_t;
-        type syslogd_exec_t;
-        type system_dbusd_t;
-        type lvm_lock_t;
-        type user_cron_spool_t;
-        type kmsg_device_t;
-        type mysqld_etc_t;
-        type pppd_etc_rw_t;
-        type configfs_t;
-        type proc_net_t;
-        type postfix_master_exec_t;
-        type shadow_t;
-        type sendmail_exec_t;
-        type loop_control_device_t;
-        type kernel_t;
-        type var_t;
-        type pstore_t;
-        type chkpwd_exec_t;
-        type groupadd_exec_t;
-        type debugfs_t;
-        type hypervkvp_exec_t;
-        type postfix_master_t;
-        type sysctl_fs_t;
-        type blkmapd_exec_t;
-        type nfsd_unit_file_t;
-        type ssh_home_t;
-        type systemd_hwdb_etc_t;
-        type mandb_exec_t;
-        type tmpfs_t;
-        type lvm_metadata_t;
-        type policykit_auth_exec_t;
-        type chronyd_unit_file_t;
-        type print_spool_t;
-        type rpcbind_var_lib_t;
-        class fifo_file getattr;
-        class process setsched;
-        class unix_stream_socket connectto;
-        class netlink_kobject_uevent_socket { bind create getattr setopt };
-        class chr_file { getattr ioctl open read write };
-        class capability { dac_override sys_rawio sys_ptrace };
-        class file { append create getattr lock open read relabelto rename setattr unlink write };
-        class filesystem getattr;
-        class sock_file { create getattr unlink write };
-        class lnk_file { create getattr read unlink };
-        class blk_file { getattr ioctl open read };
-        class dir { add_name getattr open read remove_name search setattr write };
-}
-
-#============= osquery_t ==============
-allow osquery_t NetworkManager_etc_rw_t:dir { getattr open read };
-allow osquery_t NetworkManager_etc_rw_t:file getattr;
-allow osquery_t NetworkManager_etc_t:dir { getattr open read };
-allow osquery_t NetworkManager_exec_t:file getattr;
-allow osquery_t NetworkManager_initrc_exec_t:dir { getattr open read };
-allow osquery_t NetworkManager_initrc_exec_t:file getattr;
-allow osquery_t NetworkManager_t:dir { getattr open read search };
-allow osquery_t NetworkManager_t:file { getattr open read };
-
-allow osquery_t NetworkManager_t:lnk_file { getattr read };
-allow osquery_t NetworkManager_unit_file_t:file getattr;
-allow osquery_t adjtime_t:file getattr;
-allow osquery_t admin_passwd_exec_t:file getattr;
-allow osquery_t anacron_exec_t:file getattr;
-allow osquery_t apm_bios_t:chr_file getattr;
-allow osquery_t audisp_exec_t:file getattr;
-allow osquery_t auditctl_exec_t:file getattr;
-allow osquery_t auditd_etc_t:dir { getattr open read };
-allow osquery_t auditd_etc_t:file getattr;
-allow osquery_t auditd_exec_t:file getattr;
-allow osquery_t auditd_t:dir { getattr open read search };
-allow osquery_t auditd_t:file { getattr open read };
-
-allow osquery_t auditd_t:lnk_file { getattr read };
-allow osquery_t auditd_unit_file_t:file getattr;
-allow osquery_t authconfig_exec_t:file getattr;
-allow osquery_t autofs_device_t:chr_file getattr;
-allow osquery_t binfmt_misc_fs_t:filesystem getattr;
-allow osquery_t blkmapd_exec_t:file getattr;
-allow osquery_t bootloader_etc_t:file getattr;
-allow osquery_t bootloader_exec_t:file getattr;
-allow osquery_t cgroup_t:filesystem getattr;
-allow osquery_t checkpolicy_exec_t:file getattr;
-allow osquery_t chfn_exec_t:file getattr;
-allow osquery_t chkpwd_exec_t:file getattr;
-allow osquery_t chronyc_exec_t:file getattr;
-allow osquery_t chronyd_exec_t:file getattr;
-allow osquery_t chronyd_keys_t:file getattr;
-allow osquery_t chronyd_t:dir { getattr open read search };
-allow osquery_t chronyd_t:file { getattr open read };
-
-allow osquery_t chronyd_t:lnk_file { getattr read };
-allow osquery_t chronyd_unit_file_t:file getattr;
-allow osquery_t clock_device_t:chr_file getattr;
-allow osquery_t configfs_t:filesystem getattr;
-allow osquery_t consolehelper_exec_t:file getattr;
-allow osquery_t cpu_device_t:chr_file getattr;
-allow osquery_t crack_exec_t:file getattr;
-allow osquery_t crash_device_t:chr_file getattr;
-allow osquery_t crond_exec_t:file getattr;
-allow osquery_t crond_t:dir { getattr open read search };
-allow osquery_t crond_t:file { getattr open read };
-
-allow osquery_t crond_t:lnk_file { getattr read };
-allow osquery_t crond_unit_file_t:file getattr;
-allow osquery_t crontab_exec_t:file getattr;
-allow osquery_t cupsd_rw_etc_t:file getattr;
-allow osquery_t dbusd_etc_t:dir { getattr open read };
-allow osquery_t dbusd_etc_t:file getattr;
-allow osquery_t dbusd_exec_t:file getattr;
-allow osquery_t debugfs_t:filesystem getattr;
-allow osquery_t debuginfo_exec_t:file getattr;
-allow osquery_t default_context_t:dir read;
-allow osquery_t default_context_t:file getattr;
-
-#!!!! WARNING: 'device_t' is a base type.
-allow osquery_t device_t:filesystem getattr;
-allow osquery_t devpts_t:filesystem getattr;
-allow osquery_t dhcp_etc_t:dir { getattr open read };
-allow osquery_t dhcp_etc_t:file getattr;
-allow osquery_t dhcpc_exec_t:file getattr;
-allow osquery_t dhcpc_t:dir { getattr open read search };
-allow osquery_t dhcpc_t:file { getattr open read };
-
-allow osquery_t dhcpc_t:lnk_file { getattr read };
-allow osquery_t dmesg_exec_t:file getattr;
-allow osquery_t dmidecode_exec_t:file getattr;
-allow osquery_t dri_device_t:chr_file getattr;
-allow osquery_t etc_aliases_t:file getattr;
-allow osquery_t event_device_t:chr_file getattr;
-allow osquery_t exports_t:file getattr;
-allow osquery_t firewalld_etc_rw_t:dir { getattr open read };
-allow osquery_t firewalld_etc_rw_t:file getattr;
-allow osquery_t firewalld_exec_t:file getattr;
-allow osquery_t fixed_disk_device_t:blk_file { getattr ioctl open read };
-allow osquery_t fixed_disk_device_t:chr_file getattr;
-allow osquery_t framebuf_device_t:chr_file getattr;
-allow osquery_t fs_t:filesystem getattr;
-allow osquery_t fsadm_exec_t:file getattr;
-allow osquery_t fuse_device_t:chr_file getattr;
-allow osquery_t getty_exec_t:file getattr;
-allow osquery_t getty_t:dir { getattr open read search };
-allow osquery_t getty_t:file { getattr open read };
-
-allow osquery_t getty_t:lnk_file { getattr read };
-allow osquery_t getty_unit_file_t:file getattr;
-allow osquery_t gpg_agent_exec_t:file getattr;
-allow osquery_t gpg_exec_t:file getattr;
-allow osquery_t groupadd_exec_t:file getattr;
-allow osquery_t gssd_exec_t:file getattr;
-allow osquery_t gssproxy_exec_t:file getattr;
-allow osquery_t gssproxy_t:dir { getattr open read search };
-allow osquery_t gssproxy_t:file { getattr open read };
-
-allow osquery_t gssproxy_t:lnk_file { getattr read };
-
-#!!!! WARNING: 'home_root_t' is a base type.
-allow osquery_t home_root_t:dir read;
-allow osquery_t hostname_exec_t:file getattr;
-allow osquery_t hugetlbfs_t:dir { getattr open read };
-allow osquery_t hugetlbfs_t:filesystem getattr;
-allow osquery_t hwclock_exec_t:file getattr;
-allow osquery_t hypervkvp_exec_t:file getattr;
-allow osquery_t hypervvssd_exec_t:file getattr;
-allow osquery_t ifconfig_exec_t:file getattr;
-allow osquery_t init_exec_t:file getattr;
-allow osquery_t init_t:dir read;
-allow osquery_t init_t:file { getattr open read };
-
-allow osquery_t init_t:lnk_file { getattr read };
-allow osquery_t initctl_t:fifo_file getattr;
-allow osquery_t initrc_exec_t:file getattr;
-allow osquery_t initrc_var_run_t:file { lock open read };
-allow osquery_t insmod_exec_t:file getattr;
-allow osquery_t iptables_exec_t:file getattr;
-allow osquery_t irqbalance_exec_t:file getattr;
-allow osquery_t journalctl_exec_t:file getattr;
-allow osquery_t kernel_t:dir { getattr open read search };
-allow osquery_t kernel_t:file { getattr open read };
-allow osquery_t kernel_t:lnk_file { getattr read };
-
-#!!!! This avc can be allowed using the boolean 'domain_can_write_kmsg'
-allow osquery_t kmsg_device_t:chr_file getattr;
-allow osquery_t ldconfig_exec_t:file getattr;
-allow osquery_t load_policy_exec_t:file getattr;
-allow osquery_t loadkeys_exec_t:file getattr;
-allow osquery_t login_exec_t:file getattr;
-allow osquery_t logrotate_exec_t:file getattr;
-allow osquery_t loop_control_device_t:chr_file getattr;
-allow osquery_t lvm_control_t:chr_file { getattr ioctl open read write };
-allow osquery_t lvm_etc_t:dir { getattr open read };
-allow osquery_t lvm_etc_t:file { getattr open read };
-allow osquery_t lvm_exec_t:file getattr;
-allow osquery_t lvm_lock_t:dir { add_name getattr read remove_name search write };
-allow osquery_t lvm_lock_t:file { append create getattr lock open read unlink };
-allow osquery_t lvm_metadata_t:dir { add_name getattr open read remove_name write };
-allow osquery_t lvm_metadata_t:file { create getattr lock open read rename unlink write };
-allow osquery_t lvm_t:dir { getattr open read search };
-allow osquery_t lvm_t:file { getattr open read };
-
-allow osquery_t lvm_t:lnk_file { getattr read };
-allow osquery_t lvm_unit_file_t:file getattr;
-allow osquery_t mandb_exec_t:file getattr;
-allow osquery_t mdadm_exec_t:file getattr;
-allow osquery_t memory_device_t:chr_file getattr;
-allow osquery_t modules_conf_t:dir { getattr open read };
-allow osquery_t modules_conf_t:file getattr;
-allow osquery_t mount_exec_t:file getattr;
-allow osquery_t mouse_device_t:chr_file getattr;
-allow osquery_t mtrr_device_t:file getattr;
-allow osquery_t mysqld_etc_t:dir { getattr open read };
-allow osquery_t mysqld_etc_t:file getattr;
-allow osquery_t namespace_init_exec_t:file getattr;
-allow osquery_t netcontrol_device_t:chr_file getattr;
-allow osquery_t netutils_exec_t:file getattr;
-allow osquery_t nfsd_exec_t:file getattr;
-allow osquery_t nfsd_unit_file_t:file getattr;
-allow osquery_t nvram_device_t:chr_file getattr;
-allow osquery_t oddjob_mkhomedir_exec_t:file getattr;
-allow osquery_t osquery_conf_t:file getattr;
-allow osquery_t osquery_unit_file_t:file getattr;
-allow osquery_t pam_console_exec_t:file getattr;
-allow osquery_t pam_timestamp_exec_t:file getattr;
-allow osquery_t passwd_exec_t:file getattr;
-allow osquery_t pinentry_exec_t:file getattr;
-allow osquery_t ping_exec_t:file getattr;
-allow osquery_t plymouth_exec_t:file getattr;
-allow osquery_t plymouthd_exec_t:file getattr;
-allow osquery_t policykit_auth_exec_t:file getattr;
-allow osquery_t policykit_exec_t:file getattr;
-allow osquery_t policykit_t:dir { getattr open read search };
-allow osquery_t policykit_t:file { getattr open read };
-
-allow osquery_t policykit_t:lnk_file { getattr read };
-allow osquery_t postfix_etc_t:dir { getattr open read };
-allow osquery_t postfix_etc_t:file getattr;
-allow osquery_t postfix_map_exec_t:file getattr;
-allow osquery_t postfix_master_exec_t:file getattr;
-allow osquery_t postfix_master_t:dir { getattr open read search };
-allow osquery_t postfix_master_t:file { getattr open read };
-
-allow osquery_t postfix_master_t:lnk_file { getattr read };
-allow osquery_t postfix_pickup_exec_t:file getattr;
-allow osquery_t postfix_pickup_t:dir { getattr open read search };
-allow osquery_t postfix_pickup_t:file { getattr open read };
-
-allow osquery_t postfix_pickup_t:lnk_file { getattr read };
-allow osquery_t postfix_postdrop_exec_t:file getattr;
-allow osquery_t postfix_postqueue_exec_t:file getattr;
-allow osquery_t postfix_qmgr_exec_t:file getattr;
-allow osquery_t postfix_qmgr_t:dir { getattr open read search };
-allow osquery_t postfix_qmgr_t:file { getattr open read };
-
-allow osquery_t postfix_qmgr_t:lnk_file { getattr read };
-allow osquery_t postfix_spool_t:dir getattr;
-allow osquery_t ppp_device_t:chr_file getattr;
-allow osquery_t pppd_etc_rw_t:dir { getattr open read };
-allow osquery_t pppd_etc_t:dir { getattr open read };
-allow osquery_t pppd_exec_t:file getattr;
-allow osquery_t pppd_initrc_exec_t:file getattr;
-allow osquery_t proc_kcore_t:file getattr;
-allow osquery_t proc_kmsg_t:file getattr;
-allow osquery_t proc_mdstat_t:file getattr;
-allow osquery_t proc_net_t:file { getattr open read };
-allow osquery_t proc_t:dir read;
-allow osquery_t proc_t:file { getattr open read };
-allow osquery_t proc_t:filesystem getattr;
-allow osquery_t pstore_t:filesystem getattr;
-allow osquery_t ptmx_t:chr_file getattr;
-allow osquery_t quota_exec_t:file getattr;
-
-#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
-allow osquery_t random_device_t:chr_file getattr;
-allow osquery_t rdisc_exec_t:file getattr;
-allow osquery_t rpc_pipefs_t:filesystem getattr;
-allow osquery_t rpcbind_exec_t:file getattr;
-allow osquery_t rpcbind_t:dir { getattr open read search };
-allow osquery_t rpcbind_t:file { getattr open read };
-
-allow osquery_t rpcbind_t:lnk_file { getattr read };
-allow osquery_t rpcd_exec_t:file getattr;
-allow osquery_t rpcd_unit_file_t:file getattr;
-allow osquery_t rpm_exec_t:file getattr;
-allow osquery_t rpm_script_tmp_t:dir read;
-allow osquery_t rsync_etc_t:file getattr;
-allow osquery_t rsync_exec_t:file getattr;
-allow osquery_t screen_exec_t:file getattr;
-allow osquery_t scsi_generic_device_t:chr_file getattr;
-allow osquery_t self:capability { dac_override sys_rawio };
-allow osquery_t self:netlink_kobject_uevent_socket { bind create getattr setopt };
-allow osquery_t self:process setsched;
-
-#!!!! The file '/var/osquery/osquery.em' is mislabeled on your system.  
-#!!!! Fix with $ restorecon -R -v /var/osquery/osquery.em
-#!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
-allow osquery_t self:unix_stream_socket connectto;
-allow osquery_t selinux_config_t:dir read;
-allow osquery_t selinux_login_config_t:dir { getattr open read };
-allow osquery_t semanage_exec_t:file getattr;
-allow osquery_t semanage_store_t:dir { getattr open read };
-allow osquery_t semanage_store_t:file { getattr open read };
-allow osquery_t sendmail_exec_t:file getattr;
-allow osquery_t setfiles_exec_t:file getattr;
-allow osquery_t setsebool_exec_t:file getattr;
-allow osquery_t shadow_t:file getattr;
-allow osquery_t showmount_exec_t:file getattr;
-
-#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
-allow osquery_t slapd_cert_t:dir { getattr open read };
-
-#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap'
-allow osquery_t slapd_cert_t:file getattr;
-allow osquery_t sound_device_t:chr_file getattr;
-allow osquery_t ssh_agent_exec_t:file getattr;
-allow osquery_t ssh_exec_t:file getattr;
-allow osquery_t ssh_home_t:dir { getattr open read };
-allow osquery_t ssh_home_t:file getattr;
-allow osquery_t ssh_keygen_exec_t:file getattr;
-allow osquery_t sshd_exec_t:file getattr;
-allow osquery_t sshd_key_t:file getattr;
-allow osquery_t sshd_keygen_exec_t:file getattr;
-allow osquery_t sshd_t:dir { getattr open read search };
-allow osquery_t sshd_t:file { getattr open read };
-
-allow osquery_t sshd_t:lnk_file { getattr read };
-allow osquery_t sshd_unit_file_t:file getattr;
-allow osquery_t su_exec_t:file getattr;
-allow osquery_t sudo_exec_t:file getattr;
-allow osquery_t sulogin_exec_t:file getattr;
-allow osquery_t sysctl_fs_t:dir search;
-allow osquery_t sysctl_irq_t:dir getattr;
-allow osquery_t sysctl_t:file getattr;
-allow osquery_t sysfs_t:dir read;
-allow osquery_t sysfs_t:file { getattr open read };
-allow osquery_t sysfs_t:filesystem getattr;
-allow osquery_t sysfs_t:lnk_file { getattr read };
-allow osquery_t syslog_conf_t:dir { getattr open read };
-allow osquery_t syslog_conf_t:file getattr;
-allow osquery_t syslogd_exec_t:file getattr;
-allow osquery_t syslogd_t:dir { getattr open read search };
-allow osquery_t syslogd_t:file { getattr open read };
-
-allow osquery_t syslogd_t:lnk_file { getattr read };
-allow osquery_t system_cron_spool_t:dir { getattr open read };
-allow osquery_t system_cron_spool_t:file { getattr open read };
-allow osquery_t system_cronjob_t:dir { getattr open read search };
-allow osquery_t system_cronjob_t:file { getattr open read };
-
-allow osquery_t system_cronjob_t:lnk_file { getattr read };
-allow osquery_t system_dbusd_t:dir { getattr open read search };
-allow osquery_t system_dbusd_t:file { getattr open read };
-
-allow osquery_t system_dbusd_t:lnk_file { getattr read };
-allow osquery_t systemd_hwdb_etc_t:file getattr;
-allow osquery_t systemd_hwdb_exec_t:file getattr;
-allow osquery_t systemd_logind_exec_t:file getattr;
-allow osquery_t systemd_logind_t:dir { getattr open read search };
-allow osquery_t systemd_logind_t:file { getattr open read };
-
-allow osquery_t systemd_logind_t:lnk_file { getattr read };
-allow osquery_t systemd_notify_exec_t:file getattr;
-allow osquery_t systemd_passwd_agent_exec_t:file getattr;
-allow osquery_t systemd_systemctl_exec_t:file getattr;
-allow osquery_t systemd_tmpfiles_exec_t:file getattr;
-allow osquery_t systemd_unit_file_t:dir { open read };
-allow osquery_t systemd_unit_file_t:file getattr;
-allow osquery_t systemd_unit_file_t:lnk_file read;
-allow osquery_t tcpd_exec_t:file getattr;
-allow osquery_t thumb_exec_t:file getattr;
-
-#!!!! WARNING: 'tmp_t' is a base type.
-allow osquery_t tmp_t:dir { add_name read remove_name write };
-allow osquery_t tmp_t:file { create unlink write };
-
-#!!!! WARNING: 'tmp_t' is a base type.
-allow osquery_t tmp_t:lnk_file { create unlink };
-allow osquery_t tmpfs_t:dir read;
-allow osquery_t tmpfs_t:filesystem getattr;
-allow osquery_t traceroute_exec_t:file getattr;
-allow osquery_t tun_tap_device_t:chr_file getattr;
-allow osquery_t tuned_etc_t:dir { getattr open read };
-allow osquery_t tuned_etc_t:file getattr;
-allow osquery_t tuned_exec_t:file getattr;
-allow osquery_t tuned_rw_etc_t:file getattr;
-allow osquery_t tuned_t:dir { getattr open read search };
-allow osquery_t tuned_t:file { getattr open read };
-
-allow osquery_t tuned_t:lnk_file { getattr read };
-allow osquery_t udev_exec_t:file getattr;
-allow osquery_t udev_rules_t:dir { getattr open read };
-allow osquery_t udev_rules_t:file getattr;
-allow osquery_t udev_t:dir { getattr open read search };
-allow osquery_t udev_t:file { getattr open read };
-allow osquery_t udev_t:lnk_file { getattr read };
-allow osquery_t udev_var_run_t:file { getattr open read };
-allow osquery_t uhid_device_t:chr_file getattr;
-allow osquery_t unconfined_service_t:dir { getattr open read search };
-allow osquery_t unconfined_service_t:file { getattr open read };
-allow osquery_t unconfined_service_t:lnk_file { getattr read };
-allow osquery_t unconfined_t:dir { getattr open read search };
-allow osquery_t unconfined_t:file { getattr open read };
-allow osquery_t unconfined_t:lnk_file { getattr read };
-
-#!!!! WARNING: 'unlabeled_t' is a base type.
-#!!!! The file '/etc/sysconfig/cloud-info' is mislabeled on your system.
-#!!!! Fix with $ restorecon -R -v /etc/sysconfig/cloud-info
-allow osquery_t unlabeled_t:file getattr;
-allow osquery_t updpwd_exec_t:file getattr;
-allow osquery_t usbmon_device_t:chr_file getattr;
-allow osquery_t user_cron_spool_t:dir { getattr open read };
-allow osquery_t user_fonts_t:dir { getattr open read search };
-allow osquery_t user_home_dir_t:dir getattr;
-allow osquery_t user_tmp_t:dir read;
-allow osquery_t useradd_exec_t:file getattr;
-allow osquery_t userhelper_conf_t:dir { getattr open read };
-allow osquery_t userhelper_conf_t:file getattr;
-allow osquery_t userhelper_exec_t:file getattr;
-allow osquery_t usernetctl_exec_t:file getattr;
-allow osquery_t var_log_t:lnk_file unlink;
-
-#!!!! WARNING 'osquery_t' is not allowed to write or create to var_run_t.  Change the label to osquery_var_run_t.
-allow osquery_t var_run_t:dir { add_name remove_name write };
-
-#!!!! WARNING 'osquery_t' is not allowed to write or create to var_run_t.  Change the label to osquery_var_run_t.
-#!!!! $ semanage fcontext -a -t osquery_var_run_t /run/osqueryd.pid
-#!!!! $ restorecon -R -v /run/osqueryd.pid
-#!!!! The file '/run/osqueryd.pid' is mislabeled on your system.
-#!!!! Fix with $ restorecon -R -v /run/osqueryd.pid
-allow osquery_t var_run_t:file { append create getattr open read setattr unlink };
-
-#!!!! WARNING: 'var_t' is a base type.
-allow osquery_t var_t:dir { add_name read remove_name setattr write };
-allow osquery_t var_t:file { create getattr lock open read rename unlink write };
-allow osquery_t var_t:sock_file { create getattr unlink write };
-allow osquery_t vfio_device_t:chr_file getattr;
-allow osquery_t vhost_device_t:chr_file getattr;
-allow osquery_t virt_qemu_ga_exec_t:file getattr;
-allow osquery_t virt_qemu_ga_unconfined_exec_t:dir { getattr open read };
-allow osquery_t vlock_exec_t:file getattr;
-allow osquery_t wtmp_t:file { open read };
-allow osquery_t xserver_etc_t:dir { getattr open read };
-allow osquery_t xserver_misc_device_t:chr_file getattr;
-
-allow osquery_t print_spool_t:dir search;
-allow osquery_t rpcbind_var_lib_t:dir search;
-allow osquery_t self:capability sys_ptrace;
-
-#============= unconfined_t ==============
-
-#!!!! This avc is allowed in the current policy
-allow unconfined_t osquery_conf_t:file relabelto;
-

osquery/roles/osquery/vars/CentOS.yml

@@ -4,7 +4,6 @@
 osquery_packages:
   - osquery
   - rsyslog
-  - libselinux-python
 
 osquery_debug_packages:
   - osquery-debuginfo

osquery/roles/osquery/vars/RedHat.yml

@@ -4,7 +4,6 @@
 osquery_packages:
   - osquery
   - rsyslog
-  - libselinux-python
 
 osquery_debug_packages:
   - osquery-debuginfo

osquery/setupOSqueryPacks.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: Setup osquery packs
-  hosts: "{{ kolide_fleet_host | default(groups['kolide-fleet_all'][0]) }}"
+  hosts: kolide-fleet_all[0]
   become: false
   vars_files:
     - vars/variables.yml

osquery/tests/_container-setup.yml

@@ -0,0 +1,73 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Setup host for nspawn
+  hosts: localhost
+  connection: local
+  become: true
+  vars:
+    nspawn_networks:
+      nspawn_address:
+        bridge: "nspawn0"
+        private_device: true
+        enable_dhcp: true
+        dhcp_range: 10.100.101.2,10.100.101.129
+        address: 10.100.101.1
+        netmask: 255.255.255.0
+        macvlan_mode: bridge
+
+  pre_tasks:
+    - name: Ensure root ssh key
+      user:
+        name: "{{ ansible_env.USER | default('root') }}"
+        generate_ssh_key: "yes"
+        ssh_key_bits: 2048
+        ssh_key_file: ".ssh/id_rsa"
+
+    - name: Get root ssh key
+      slurp:
+        src: '~/.ssh/id_rsa.pub'
+      register: _root_ssh_key
+
+    - name: Prepare container ssh key fact
+      set_fact:
+        nspawn_container_ssh_key: "{{ _root_ssh_key['content'] | b64decode }}"
+
+    - name: Ensure public ssh key is in authorized_keys
+      authorized_key:
+        user: "{{ ansible_env.USER | default('root') }}"
+        key: "{{ nspawn_container_ssh_key }}"
+        manage_dir: no
+
+  roles:
+    - role: "nspawn_hosts"
+
+
+- name: Create container(s)
+  hosts: all_containers
+  gather_facts: false
+  become: true
+  pre_tasks:
+    - name: Show container facts
+      debug:
+        var: hostvars
+
+  roles:
+    - role: "nspawn_container_create"
+
+  post_tasks:
+    - name: Rescan quotas
+      command: "btrfs quota rescan -w /var/lib/machines"
+      delegate_to: "{{ physical_host }}"

osquery/tests/_key-setup.yml

@@ -0,0 +1,41 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Setup host keys
+  hosts: physical_hosts
+  connection: local
+  become: true
+  tasks:
+    - name: Ensure root ssh key
+      user:
+        name: "{{ ansible_env.USER | default('root') }}"
+        generate_ssh_key: "yes"
+        ssh_key_bits: 2048
+        ssh_key_file: ".ssh/id_rsa"
+
+    - name: Get root ssh key
+      slurp:
+        src: '~/.ssh/id_rsa.pub'
+      register: _root_ssh_key
+
+    - name: Prepare container ssh key fact
+      set_fact:
+        nspawn_container_ssh_key: "{{ _root_ssh_key['content'] | b64decode }}"
+
+    - name: Ensure public ssh key is in authorized_keys
+      authorized_key:
+        user: "{{ ansible_env.USER | default('root') }}"
+        key: "{{ nspawn_container_ssh_key }}"
+        manage_dir: no

osquery/tests/ansible-role-requirements.yml

@@ -0,0 +1,33 @@
+---
+- name: apt_package_pinning
+  scm: git
+  src: https://git.openstack.org/openstack/openstack-ansible-apt_package_pinning
+  version: master
+- name: config_template
+  scm: git
+  src: https://git.openstack.org/openstack/ansible-config_template
+  version: master
+- name: nspawn_container_create
+  scm: git
+  src: https://git.openstack.org/openstack/openstack-ansible-nspawn_container_create
+  version: master
+- name: nspawn_hosts
+  scm: git
+  src: https://git.openstack.org/openstack/openstack-ansible-nspawn_hosts
+  version: master
+- name: plugins
+  scm: git
+  src: https://git.openstack.org/openstack/openstack-ansible-plugins
+  version: master
+- name: systemd_mount
+  scm: git
+  src: https://git.openstack.org/openstack/ansible-role-systemd_mount
+  version: master
+- name: systemd_networkd
+  scm: git
+  src: https://git.openstack.org/openstack/ansible-role-systemd_networkd
+  version: master
+- name: systemd_service
+  scm: git
+  src: https://git.openstack.org/openstack/ansible-role-systemd_service
+  version: master

osquery/tests/functional.yml

@@ -0,0 +1,158 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- import_playbook: run-setup.yml
+
+- name: Basic setup
+  hosts: "all"
+  become: true
+
+  environment:
+    # ZUUL_PROJECT is used by tests/get-ansible-role-requirements to
+    # determine when CI provided repos should be used.
+    ZUUL_PROJECT: "{{ zuul.project.short_name }}"
+    ANSIBLE_PACKAGE: "{{ ansible_package | default('') }}"
+    ANSIBLE_HOST_KEY_CHECKING: "False"
+    ANSIBLE_LOG_PATH: "/tmp/osquery-logs/ansible-osquery-test.log"
+
+  vars:
+    inventory_file: "inventory/test-{{ (contianer_inventory | bool) | ternary('container', 'metal') }}-inventory.yml"
+
+  pre_tasks:
+    - name: Create swap file
+      command: "dd if=/dev/zero of=/swap.img bs=1M count=4096"
+      args:
+        creates: /swap.img
+      register: swap_create
+
+    - name: Format the swap file
+      command: mkswap /swap.img
+      when:
+        - swap_create is changed
+      tags:
+        - swap-format
+        - skip_ansible_lint
+
+    - name: Enable swap file
+      command: swapon /swap.img
+      failed_when: false
+      tags:
+        - swap-format
+        - skip_ansible_lint
+
+    - name: Set system swappiness
+      sysctl:
+        name: vm.swappiness
+        value: 10
+        state: present
+        reload: "yes"
+        sysctl_file: /etc/sysctl.d/99-elasticsearch.conf
+
+    - name: Create tmp osquery dir
+      file:
+        path: "/tmp/osquery-logs"
+        state: directory
+
+    - name: Flush iptables rules
+      command: "{{ item }}"
+      args:
+        creates: "/tmp/osquery-logs/iptables.flushed"
+      with_items:
+        - "iptables -F"
+        - "iptables -X"
+        - "iptables -t nat -F"
+        - "iptables -t nat -X"
+        - "iptables -t mangle -F"
+        - "iptables -t mangle -X"
+        - "iptables -P INPUT ACCEPT"
+        - "iptables -P FORWARD ACCEPT"
+        - "iptables -P OUTPUT ACCEPT"
+        - "touch /tmp/osquery-logs/iptables.flushed"
+
+    - name: First ensure apt cache is always refreshed
+      apt:
+        update_cache: yes
+      when:
+        - ansible_pkg_mgr == 'apt'
+
+  tasks:
+    - name: Run embedded ansible installation
+      become: yes
+      become_user: root
+      command: "./bootstrap-embedded-ansible.sh"
+      args:
+        chdir: "src/{{ current_test_repo }}/osquery"
+
+    - name: Run ansible-galaxy (tests)
+      become: yes
+      become_user: root
+      command: "/root/ansible25/bin/ansible-galaxy install --force --ignore-errors --roles-path=/root/ansible25/repositories/roles -r ansible-role-requirements.yml"
+      args:
+        chdir: "src/{{ current_test_repo }}/osquery/tests"
+
+    - name: Run ansible-galaxy (osquery)
+      become: yes
+      become_user: root
+      command: "/root/ansible25/bin/ansible-galaxy install --force --ignore-errors --roles-path=/root/ansible25/repositories/roles -r ansible-role-requirements.yml"
+      args:
+        chdir: "src/{{ current_test_repo }}/osquery"
+
+    - name: Run environment setup
+      become: yes
+      become_user: root
+      command: "/root/ansible25/bin/ansible-playbook -i {{ inventory_file }} -e @test-vars.yml _key-setup.yml"
+      environment:
+        ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
+        ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
+        ANSIBLE_LOG_PATH: "/tmp/osquery-logs/ansible-osquery-test-container-setup.log"
+        ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
+      args:
+        chdir: "src/{{ current_test_repo }}/osquery/tests"
+      when:
+        - ansible_service_mgr != 'systemd' or
+          not (contianer_inventory | bool)
+
+    - name: Run environment setup
+      become: yes
+      become_user: root
+      command: "/root/ansible25/bin/ansible-playbook -i {{ inventory_file }} -e @test-vars.yml _container-setup.yml"
+      environment:
+        ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
+        ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
+        ANSIBLE_LOG_PATH: "/tmp/osquery-logs/ansible-osquery-test-container-setup.log"
+        ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
+      args:
+        chdir: "src/{{ current_test_repo }}/osquery/tests"
+      when:
+        - ansible_service_mgr == 'systemd'
+        - contianer_inventory | bool
+
+    - name: Wait 15 seconds
+      command: "sleep 15"
+      changed_when: false
+      when:
+        - ansible_service_mgr == 'systemd'
+
+    - name: Run functional test
+      become: yes
+      become_user: root
+      command: "/root/ansible25/bin/ansible-playbook -i tests/{{ inventory_file }} -e @tests/test-vars.yml site.yml"
+      environment:
+        ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
+        ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
+        ANSIBLE_LOG_PATH: "/tmp/osquery-logs/ansible-osquery-test-deployment.log"
+        ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
+      args:
+        chdir: "src/{{ current_test_repo }}/osquery"

osquery/tests/inventory/test-container-inventory.yml

@@ -0,0 +1,52 @@
+---
+all:
+  hosts:
+    # Local host
+    localhost:
+      ansible_connection: local
+      ansible_host: 127.0.0.1
+      ansible_user: root
+
+    kolide-fleet1:
+      ansible_host: 172.29.236.100
+      ansible_user: root
+
+
+hosts:
+  vars:
+    physical_host: localhost
+    management_cidr: "172.29.236.0/24"
+    container_networks:
+      management_address:
+        address: "172.29.236.1"
+        netmask: "255.255.255.0"
+        bridge: "{{ hostvars[physical_host]['ansible_default_ipv4']['alias'] }}"
+
+  hosts:
+    localhost: {}
+
+
+all_containers:
+  vars:
+    physical_host: localhost
+    container_tech: nspawn
+    container_networks:
+      management_address:
+        address: "{{ ansible_host }}"
+        netmask: "255.255.255.0"
+        bridge: "{{ hostvars[physical_host]['ansible_default_ipv4']['alias'] }}"
+
+  children:
+    mariadb_all:
+      children:
+        mariadb:
+          hosts:
+            kolide-fleet1: {}
+
+    fleet_all:
+      children:
+        kolide-fleet_all:
+          children:
+            kolide-fleet:
+              hosts:
+                kolide-fleet1: {}

osquery/tests/inventory/test-metal-inventory.yml

@@ -0,0 +1,28 @@
+---
+all:
+  hosts:
+    # Local host
+    localhost:
+      ansible_connection: local
+      ansible_host: 127.0.0.1
+      ansible_user: root
+
+hosts:
+  hosts:
+    localhost: {}
+
+
+mariadb_all:
+  children:
+    mariadb:
+      hosts:
+        localhost: {}
+
+
+fleet_all:
+  children:
+    kolide-fleet_all:
+      children:
+        kolide-fleet:
+          hosts:
+            localhost: {}

osquery/tests/manual-test.rc

@@ -0,0 +1,16 @@
+export ANSIBLE_HOST_KEY_CHECKING="False"
+export ANSIBLE_ROLES_PATH="${HOME}/ansible25/repositories/roles"
+export ANSIBLE_ACTION_PLUGINS="${HOME}/ansible25/repositories/roles/config_template/action"
+export ANSIBLE_CONNECTION_PLUGINS="${HOME}/ansible25/repositories/roles/plugins/connection"
+export ANSIBLE_LOG_PATH="/tmp/osquery-logs/ansible-elk-test.log"
+
+if [[ ! -d "/tmp/osquery-logs" ]]; then
+  mkdir -pv "/tmp/osquery-logs"
+  chmod 0777 "/tmp/osquery-logs"
+fi
+
+echo "To build a test environment run the following:"
+echo -e "# /root/ansible25/bin/ansible-playbook -i tests/inventory/test-container-inventory.yml tests/test.yml --limit localhost\n"
+
+echo "Run manual functional tests by executing the following:"
+echo -e "# /root/ansible25/bin/ansible-playbook -i tests/inventory/test-container-inventory.yml site.yml\n"

osquery/tests/post-run.yml

@@ -0,0 +1,27 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- import_playbook: run-setup.yml
+
+- name: Run post tasks
+  hosts: "all"
+  tasks:
+    - name: Copy logs back to the executor
+      synchronize:
+        src: "/tmp/osquery-logs"
+        dest: "{{ zuul.executor.log_root }}/"
+        mode: pull
+        rsync_opts:
+          - "--quiet"

osquery/tests/run-cleanup.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+export TEST_DIR="$(readlink -f $(dirname ${0})/../../)"
+
+# Stop beat processes
+(systemctl stop osqueryd.service || true) &
+
+# Stop and remove containers
+for i in {1..3}; do
+  if machinectl list-images | grep -v ubuntu | awk '/sub/ {print $1}' | xargs -n 1 machinectl kill; then
+    sleep 1
+  fi
+done
+
+for i in {1..3}; do
+  if machinectl list-images | grep -v ubuntu | awk '/sub/ {print $1}' | xargs -n 1 machinectl remove; then
+    sleep 1
+  fi
+done

osquery/tests/run-setup.yml

@@ -0,0 +1,53 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Zuul facts
+  hosts: "all"
+  tasks:
+    - name: Set zuul fact
+      set_fact:
+        zuul:
+          project:
+            canonical_name: "openstack-ansible-ops"
+            short_name: "ops"
+          executor:
+            log_root: "{{ ansible_env.HOME }}/elk-test-logs"
+      when:
+        - zuul is not defined
+
+    - name: Print zuul fact
+      debug: var=zuul
+
+    - name: Set current test repo (cross-repo)
+      set_fact:
+        current_test_repo: "git.openstack.org/{{ osa_test_repo }}"
+      when:
+        - osa_test_repo is defined
+
+    - name: Set current test repo (non-cross-repo)
+      set_fact:
+        current_test_repo: "{{ zuul.project.canonical_name }}"
+      when:
+        - osa_test_repo is not defined
+
+    - name: Set inventory for test
+      set_fact:
+        contianer_inventory: "{{ test_clustered_kolide | default(false) | bool }}"
+
+  post_tasks:
+    - name: Ensure the log directory exists
+      file:
+        path: "/tmp/osquery-logs"
+        state: directory

osquery/tests/run-tests.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ve
+
+export TEST_DIR="$(readlink -f $(dirname ${0})/../../)"
+
+pushd "${HOME}"
+  if [[ ! -d "src" ]]; then
+    mkdir src
+  fi
+  pushd src
+    ln -sf "${TEST_DIR}"
+  popd
+popd
+
+source ${TEST_DIR}/osquery/tests/manual-test.rc
+
+bash -v "${TEST_DIR}/osquery/bootstrap-embedded-ansible.sh"
+
+${HOME}/ansible25/bin/ansible-galaxy install --force \
+                                             --roles-path="${HOME}/ansible25/repositories/roles" \
+                                             --role-file="${TEST_DIR}/osquery/tests/ansible-role-requirements.yml"
+
+if [[ ! -e "${TEST_DIR}/osquery/tests/src" ]]; then
+  ln -s ${TEST_DIR}/../ ${TEST_DIR}/osquery/tests/src
+fi
+
+${HOME}/ansible25/bin/ansible-playbook -i 'localhost,' \
+                                       -vv \
+                                       -e ansible_connection=local \
+                                       -e test_clustered_kolide=${CLUSTERED:-no} \
+                                       ${TEST_DIR}/osquery/tests/test.yml

osquery/tests/test-vars.yml

@@ -0,0 +1,23 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+physical_host: localhost
+
+galera_root_password: secrete
+kolide_fleet_db_password: secrete
+kolide_fleet_admin_password: secrete
+kolide_fleet_jwt_key: secrete
+
+osa_test_repo: "openstack/openstack-ansible-ops"

osquery/tests/test.yml

@@ -0,0 +1,16 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- import_playbook: functional.yml

zuul.d/jobs.yaml

@@ -83,3 +83,27 @@
     vars:
       osa_test_repo: "openstack/openstack-ansible-ops"
       test_clustered_elk: true
+
+- job:
+    name: "openstack-ansible-ops:osquery-ubuntu-xenial"
+    parent: base
+    description: "Runs a gate test on the osquery project."
+    run: "osquery/tests/test.yml"
+    post-run: "osquery/tests/post-run.yml"
+    voting: true
+    files:
+      - ^osquery/.*
+
+- job:
+    name: "openstack-ansible-ops:osquery-ubuntu-bionic"
+    parent: "openstack-ansible-ops:osquery-ubuntu-xenial"
+    nodeset: ubuntu-bionic
+
+- job:
+    name: "openstack-ansible-ops:osquery-ubuntu-bionic-clustered"
+    parent: "openstack-ansible-ops:osquery-ubuntu-xenial"
+    nodeset: ubuntu-bionic
+    voting: true
+    vars:
+      osa_test_repo: "openstack/openstack-ansible-ops"
+      test_clustered_kolide: true

zuul.d/project.yaml

@@ -29,6 +29,9 @@
         - openstack-ansible-ops:elk_metrics_6x-ubuntu-bionic
         - openstack-ansible-ops:elk_metrics_6x-ubuntu-xenial-clustered
         - openstack-ansible-ops:elk_metrics_6x-ubuntu-bionic-clustered
+        - openstack-ansible-ops:osquery-ubuntu-xenial
+        - openstack-ansible-ops:osquery-ubuntu-bionic
     gate:
       jobs:
-        - openstack-ansible-ops:elk_metrics_6x-ubuntu-xenial
+        - openstack-ansible-ops:elk_metrics_6x-ubuntu-bionic
+        - openstack-ansible-ops:osquery-ubuntu-bionic