diff --git a/osquery/roles/osquery/.kitchen.docker.yml b/osquery/roles/osquery/.kitchen.docker.yml deleted file mode 100644 index 4eeefa1a..00000000 --- a/osquery/roles/osquery/.kitchen.docker.yml +++ /dev/null @@ -1,70 +0,0 @@ ---- -driver: - name: docker -## https://github.com/test-kitchen/kitchen-docker/issues/54 - use_sudo: false - -transport: - name: sftp - -provisioner: - name: ansible_playbook - roles_path: ../ - hosts: test-kitchen -# ansible_verbose: true - ansible_verbose: false - ansible_verbosity: 3 - ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %> -# require_chef_omnibus: false - require_ansible_omnibus: true -# require_chef_for_busser: false - enable_yum_epel: true - ansible_connection: ssh - -platforms: - - name: ubuntu-18.04 - driver_config: -# https://github.com/test-kitchen/kitchen-docker/issues/285 - provision_command: mkdir -p /run/sshd - - name: ubuntu-16.04 -## systemd? - driver: - config: - security.privileged: true - - name: ubuntu-14.04 - - name: ubuntu-12.04 - - name: centos-7 -## systemd - driver: - config: - security.privileged: true -### epel mirror issue. see readme -# - name: centos-6 -### Ansible 2.2+/cryptography: https://github.com/ansible/ansible/issues/276 -# provisioner: -# ansible_version: 2.1.2.0 -## tool chain kitchen and image need customization... nok currently -# - name: alpine-3.4 -# - name: debian-8 - - name: debian-9 - -suites: - - name: default - run_list: - attributes: - - name: default-osquery-syslog - run_list: - attributes: - - name: default-osquery-syslog-fs - run_list: - attributes: - - name: default-profiling - run_list: - attributes: - includes: - - ubuntu-16.04 - - name: default-fleetmanager - run_list: - attributes: - includes: - - ubuntu-16.04 diff --git a/osquery/roles/osquery/.kitchen.vagrant.yml b/osquery/roles/osquery/.kitchen.vagrant.yml deleted file mode 100644 index c6445110..00000000 --- a/osquery/roles/osquery/.kitchen.vagrant.yml +++ /dev/null 
@@ -1,57 +0,0 @@ ---- -# $ KITCHEN_YAML=".kitchen.vagrant.yml" kitchen verify - -driver: - name: vagrant - provider: <%= ENV['KITCHEN_PROVIDER'] || 'virtualbox' %> - -## make file transfer faster. need https://github.com/coderanger/kitchen-sync -transport: - name: sftp - -provisioner: - name: ansible_playbook - roles_path: ../ - hosts: test-kitchen -# ansible_verbose: true - ansible_verbose: false - ansible_verbosity: 3 - ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %> - -platforms: - - name: ubuntu-18.04 - - name: ubuntu-16.04 - - name: ubuntu-14.04 - - name: centos-7.1 -## ansible < 2.x -# - name: debian-8 -# driver_config: -# box: debian-8 -# box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box - - name: debian-9 - driver: - box: remram/debian-9-amd64 - -suites: - - name: default - run_list: - attributes: - - name: default-osquery-syslog - run_list: - attributes: - - name: default-osquery-syslog-fs - run_list: - attributes: - - name: default-profiling - run_list: - attributes: - includes: - - ubuntu-18.04 - - name: default-fleetmanager - run_list: - attributes: - includes: - - ubuntu-18.04 - driver_config: - network: - - ["forwarded_port", {guest: 8080, host: 9080}] diff --git a/osquery/roles/osquery/.kitchen.yml b/osquery/roles/osquery/.kitchen.yml deleted file mode 100644 index 024e48d9..00000000 --- a/osquery/roles/osquery/.kitchen.yml +++ /dev/null 
@@ -1,56 +0,0 @@ ---- -driver: - name: lxd_cli - -transport: - name: sftp - -provisioner: - name: ansible_playbook - roles_path: ../ - hosts: test-kitchen - ansible_verbose: true -# ansible_verbose: false - ansible_verbosity: 2 - ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %> - require_ansible_omnibus: true - require_chef_omnibus: false -# require_chef_for_busser: false - enable_yum_epel: true - ansible_connection: ssh - -platforms: - - name: ubuntu-18.04 - - name: ubuntu-16.04 -# - name: ubuntu-14.04 -# - name: ubuntu-12.04 - - name: centos-7 -# - name: centos-6 -# - name: alpine-3.7 - -suites: - - name: default - run_list: - attributes: - - name: default-osquery-syslog - run_list: - attributes: - includes: - - ubuntu-18.04 - - centos-7 - - name: default-osquery-syslog-fs - run_list: - attributes: - includes: - - ubuntu-18.04 - - centos-7 - - name: default-profiling - run_list: - attributes: - includes: - - ubuntu-18.04 - - name: default-fleetmanager - run_list: - attributes: - includes: - - ubuntu-18.04 diff --git a/osquery/roles/osquery/.travis.yml b/osquery/roles/osquery/.travis.yml deleted file mode 100644 index dcf97ce8..00000000 --- a/osquery/roles/osquery/.travis.yml +++ /dev/null 
@@ -1,97 +0,0 @@ ---- -dist: trusty -sudo: required -rvm: - - 2.4 - -env: -## those images need pre-configuration before being usable (openssh...) -# - distribution: centos -# version: 6 - - distribution: centos - version: 7 - suite: default - - distribution: ubuntu - version: 18.04 - suite: default - - distribution: ubuntu - version: 16.04 - suite: default -# - distribution: ubuntu -# version: 14.04 -# - distribution: ubuntu -# version: 12.04 -# - distribution: alpine -# version: 3.4 - - distribution: centos - version: 7 - suite: default-osquery-syslog - - distribution: ubuntu - version: 18.04 - suite: default-osquery-syslog - - distribution: centos - version: 7 - suite: default-osquery-syslog-fs - - distribution: ubuntu - version: 18.04 - suite: default-osquery-syslog-fs - - distribution: ubuntu - version: 18.04 - suite: default-profiling - - distribution: ubuntu - version: 18.04 - suite: default-fleetmanager - -before_install: - - env - - pwd - - find -ls -## use appropriate role path and not github name - - "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh" -## No Xenial, https://github.com/travis-ci/travis-ci/issues/5821 -# - sudo apt install lxd - - echo "deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse" | sudo tee /etc/apt/sources.list.d/trusty-backports.list - - sudo apt-get update -qq - - sudo apt -t trusty-backports -y install lxd acl -q -## change of group implies logout+login to apply... can't do with travis = run as root (sic) -## https://github.com/travis-ci/travis-ci/issues/1839 or chain: sudo -E su $USER -c "..." 
- - sudo usermod -G lxd travis - # Pull container -# - lxc remote add images images.linuxcontainers.org - - sudo -E su $USER -c "lxc remote list" - - sudo -E su $USER -c "lxc image list" -## pre-download base images - - 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] || lxc image copy images:${distribution}/${version}/amd64 local: --alias=${distribution}-${version}-nossh"' - - 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] && lxc image copy ubuntu:${version} local: --alias=${distribution}-${version}" || true' -## configure lxd-bridge - - sudo perl -pi -e 's@^LXD_IPV4_ADDR=""@LXD_IPV4_ADDR="10.252.116.1"@;s@^LXD_IPV4_NETMASK=""@LXD_IPV4_NETMASK="255.255.255.0"@;s@^LXD_IPV4_NETWORK=""@LXD_IPV4_NETWORK="10.252.116.1/24"@;s@^LXD_IPV4_DHCP_RANGE=""@LXD_IPV4_DHCP_RANGE="10.252.116.2,10.252.116.254"@;s@^LXD_IPV4_DHCP_MAX=""@LXD_IPV4_DHCP_MAX="252"@;s@LXD_IPV6_PROXY="true"@LXD_IPV6_PROXY="false"@' /etc/default/lxd-bridge -# - cat /etc/default/lxd-bridge -# - service --status-all - - sudo service lxd restart - - - sudo pip install ansible - - gem install kitchen - - gem install kitchen-ansible - - gem install kitchen-sync - - gem install kitchen-lxd_cli - - gem list - - which kitchen -## ssh key for lxd_cli ? - - ls ~/.ssh - - ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -P "" -## sudo/su get us a non-usual PATH ... - - '[ "X${distribution}" == "Xcentos" ] && sudo -E su $USER -c "sh -x ./test/lxd/centos-ssh-image.sh" || true' - - sudo -E su $USER -c "env" -## The command "sudo -E su $USER -c "which kitchen"" failed and exited with 1 during . 
-# - sudo -E su $USER -c "which kitchen" - - sudo -E su $USER -c "env PATH=$PATH kitchen diagnose --all" -# - sudo -E su $USER -c "kitchen diagnose --all" -# - sudo -E -u $USER kitchen diagnose --all - -script: -# - KITCHEN_LOCAL_YAML=.kitchen.local.yml bundle exec kitchen verify ${INSTANCE} - - sudo -E su $USER -c "env PATH=$PATH kitchen verify ${suite}-${distribution}-${version//./} -l debug || (cat $HOME/.kitchen/logs/${suite}-${distribution}-${version//./}.log; find /tmp/kitchen)" - -notifications: - webhooks: https://galaxy.ansible.com/api/v1/notifications/ - diff --git a/osquery/roles/osquery/.travis.yml.docker b/osquery/roles/osquery/.travis.yml.docker deleted file mode 100644 index 0d25fce1..00000000 --- a/osquery/roles/osquery/.travis.yml.docker +++ /dev/null 
@@ -1,160 +0,0 @@ ---- -## from https://github.com/geerlingguy/ansible-role-apache/blob/master/.travis.yml -sudo: required - -env: -# - distribution: centos -# version: 6 -# init: /sbin/init -# run_opts: "" -# suite: default - - distribution: centos - version: 7 - init: /usr/lib/systemd/systemd - run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" - suite: default - ansible_version: 2.5.5 - ansible_extra_vars: "" -# - distribution: ubuntu -# version: 18.04 -# init: /lib/systemd/systemd -# run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" -# suite: default -# ansible_version: 2.5.5 -# ansible_extra_vars: "" - - distribution: ubuntu - version: 16.04 - init: /lib/systemd/systemd - run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" - suite: default - ansible_version: 2.5.5 - ansible_extra_vars: "" -# - distribution: ubuntu -# version: 14.04 -# init: /sbin/init -# run_opts: "" -# suite: default -# - distribution: ubuntu -# version: 12.04 -# init: /sbin/init -# run_opts: "" -# suite: default -# - distribution: alpine -# version: 3.4 -# init: /sbin/init -# run_opts: "" -# suite: default -## https://travis-ci.org/juju4/ansible-osquery/jobs/246615342, https://github.com/facebook/osquery/issues/2321 - - distribution: debian - version: 9 - init: /lib/systemd/systemd - run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" - suite: default - ansible_version: 2.5.5 - ansible_extra_vars: "" - - distribution: centos - version: 7 - init: /usr/lib/systemd/systemd - run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" - suite: default-osquery-syslog - ansible_version: 2.5.5 - ansible_extra_vars: "" - - distribution: ubuntu - version: 16.04 - init: /lib/systemd/systemd - run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" - suite: default-osquery-syslog - ansible_version: 2.5.5 - ansible_extra_vars: "" - - distribution: centos - version: 7 - init: /usr/lib/systemd/systemd - run_opts: 
"'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" - suite: default-osquery-syslog-fs - ansible_version: 2.5.5 - ansible_extra_vars: "" - - distribution: ubuntu - version: 16.04 - init: /lib/systemd/systemd - run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" - suite: default-osquery-syslog-fs - ansible_version: 2.5.5 - ansible_extra_vars: "" - - distribution: ubuntu - version: 16.04 - init: /lib/systemd/systemd - run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" - suite: default-profiling - ansible_version: 2.5.5 - ansible_extra_vars: "" -# past ansible version - - distribution: ubuntu - version: 16.04 - init: /lib/systemd/systemd - run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" - suite: default - ansible_version: 2.4.5 - ansible_extra_vars: "" -# upcoming ansible version - - distribution: ubuntu - version: 16.04 - init: /lib/systemd/systemd - run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'" - suite: default - ansible_version: 2.6.0rc3 - ansible_extra_vars: "" - -services: - - docker - -before_install: - # - sudo apt-get update - # Pull container - - 'sudo docker pull ${distribution}:${version}' - - env - - pwd - - find -ls - - "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh" - - cp test/travis/initctl_faker test/ - # Customize container - - 'sudo docker build --rm=true --file=test/travis/Dockerfile.${distribution}-${version} --tag=${distribution}-${version}:ansible test' - -before_script: - - container_id=$(mktemp) - # Run container in detached state - - 'sudo docker run --detach --volume="${PWD%/*}":/etc/ansible/roles:ro ${run_opts} ${distribution}-${version}:ansible "${init}" > "${container_id}"' - - - 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm pip install --upgrade pip' - - 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm pip install ansible==${ansible_version}' - - 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm 
ansible --version' - -script: - # Ansible syntax check. - - 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/default.yml --syntax-check' - - # Test role. - - 'travis_wait 30 sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/default.yml -vv ${ansible_extra_vars}' - - # Test role idempotence. - - > - travis_wait 30 sudo docker exec "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/default.yml ${ansible_extra_vars} - | tee /tmp/idempotency.log - | grep -q 'changed=0.*failed=0' - && (echo 'Idempotence test: pass' && exit 0) - || (echo 'Idempotence test: fail' && cat /tmp/idempotency.log && exit 0) - - # serverspec tests -## travis/docker: Errno::EROFS: Read-only file system @ dir_s_mkdir - /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/serverspec/.bundle -# - 'sudo docker exec --tty "$(cat ${container_id})" /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/serverspec/run-local-tests.sh' - -after_failure: - # Check what happened on systemd systems. - - 'docker exec --tty "$(cat ${container_id})" env TERM=xterm systemctl -l --no-pager status osqueryd.service' - - 'docker exec --tty "$(cat ${container_id})" env TERM=xterm journalctl -xe --no-pager' - -after_script: - # Clean up - - 'sudo docker stop "$(cat ${container_id})"' - -notifications: - webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/osquery/roles/osquery/.travis.yml.kitchen-docker b/osquery/roles/osquery/.travis.yml.kitchen-docker deleted file mode 100644 index 20a0db28..00000000 --- a/osquery/roles/osquery/.travis.yml.kitchen-docker +++ /dev/null 
@@ -1,71 +0,0 @@ ---- -## note: can't fully test osquery inside docker as will not be able have kernel /dev/osquery -dist: trusty -sudo: required -rvm: - - 2.4 - -env: -# - distribution: centos -# version: 6 - - distribution: centos - version: 7 - suite: default - - distribution: ubuntu - version: 16.04 - suite: default - - distribution: ubuntu - version: 14.04 - suite: default -# - distribution: ubuntu -# version: 12.04 -# - distribution: alpine -# version: 3.4 - - distribution: debian - version: 8 - suite: default - - distribution: centos - version: 7 - suite: default-osquery-syslog - - distribution: ubuntu - version: 16.04 - suite: default-osquery-syslog - - distribution: ubuntu - version: 14.04 - suite: default-osquery-syslog - - distribution: centos - version: 7 - suite: default-osquery-syslog-fs - - distribution: ubuntu - version: 16.04 - suite: default-osquery-syslog-fs - - distribution: ubuntu - version: 14.04 - suite: default-osquery-syslog-fs - -before_install: - - env - - pwd - - find -ls -## use appropriate role path and not github name - - "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh" - - sudo pip install ansible -## need to use chef gem for some reason? BAD PATH https://github.com/chef/chef-dk/issues/15 -# - chef gem install kitchen - - gem install kitchen - - gem install kitchen-ansible - - gem install kitchen-sync - - gem install kitchen-docker - - gem list - - which kitchen - - KITCHEN_YAML=.kitchen.docker.yml kitchen diagnose --all - -script: -## avoid locale issue under xenial docker, https://github.com/pypa/pip/issues/3575 - - export LC_ALL=C.UTF-8 - - export LANG=C.UTF-8 - - KITCHEN_YAML=.kitchen.docker.yml kitchen verify ${suite}-${distribution}-${version//./} - -notifications: - webhooks: https://galaxy.ansible.com/api/v1/notifications/ - diff --git a/osquery/roles/osquery/.travis.yml.lxd-kitchen b/osquery/roles/osquery/.travis.yml.lxd-kitchen deleted file mode 100644 index e471bca6..00000000 
--- a/osquery/roles/osquery/.travis.yml.lxd-kitchen
+++ /dev/null
@@ -1,76 +0,0 @@ ---- -dist: trusty -sudo: required -rvm: - - 2.4 - -env: -## those images need pre-configuration before being usable (openssh...) -# - distribution: centos -# version: 6 - - distribution: centos - version: 7 - - distribution: ubuntu - version: 18.04 - - distribution: ubuntu - version: 16.04 -# - distribution: ubuntu -# version: 14.04 -# - distribution: ubuntu -# version: 12.04 -# - distribution: alpine -# version: 3.4 - -before_install: - - env - - pwd - - find -ls -## use appropriate role path and not github name - - "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh" -## No Xenial, https://github.com/travis-ci/travis-ci/issues/5821 -# - sudo apt install lxd - - echo "deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse" | sudo tee /etc/apt/sources.list.d/trusty-backports.list - - sudo apt-get update -qq - - sudo apt -t trusty-backports -y install lxd acl -q -## change of group implies logout+login to apply... can't do with travis = run as root (sic) -## https://github.com/travis-ci/travis-ci/issues/1839 or chain: sudo -E su $USER -c "..." 
- - sudo usermod -G lxd travis - # Pull container -# - lxc remote add images images.linuxcontainers.org - - sudo -E su $USER -c "lxc remote list" - - sudo -E su $USER -c "lxc image list" -## pre-download base images - - 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] || lxc image copy images:${distribution}/${version}/amd64 local: --alias=${distribution}-${version}-nossh"' - - 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] && lxc image copy ubuntu:${version} local: --alias=${distribution}-${version}" || true' -## configure lxd-bridge - - sudo perl -pi -e 's@^LXD_IPV4_ADDR=""@LXD_IPV4_ADDR="10.252.116.1"@;s@^LXD_IPV4_NETMASK=""@LXD_IPV4_NETMASK="255.255.255.0"@;s@^LXD_IPV4_NETWORK=""@LXD_IPV4_NETWORK="10.252.116.1/24"@;s@^LXD_IPV4_DHCP_RANGE=""@LXD_IPV4_DHCP_RANGE="10.252.116.2,10.252.116.254"@;s@^LXD_IPV4_DHCP_MAX=""@LXD_IPV4_DHCP_MAX="252"@;s@LXD_IPV6_PROXY="true"@LXD_IPV6_PROXY="false"@' /etc/default/lxd-bridge -# - cat /etc/default/lxd-bridge -# - service --status-all - - sudo service lxd restart - - - sudo pip install ansible - - gem install kitchen - - gem install kitchen-ansible - - gem install kitchen-sync - - gem install kitchen-lxd_cli - - gem list - - which kitchen -## ssh key for lxd_cli ? - - ls ~/.ssh - - ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -P "" -## sudo/su get us a non-usual PATH ... - - '[ "X${distribution}" == "Xcentos" ] && sudo -E su $USER -c "sh -x ./test/lxd/centos-ssh-image.sh" || true' - - sudo -E su $USER -c "env" -## The command "sudo -E su $USER -c "which kitchen"" failed and exited with 1 during . 
-# - sudo -E su $USER -c "which kitchen" - - sudo -E su $USER -c "env PATH=$PATH kitchen diagnose --all" -# - sudo -E su $USER -c "kitchen diagnose --all" -# - sudo -E -u $USER kitchen diagnose --all - -script: -# - KITCHEN_LOCAL_YAML=.kitchen.local.yml bundle exec kitchen verify ${INSTANCE} - - sudo -E su $USER -c "env PATH=$PATH kitchen verify default-${distribution}-${version//./} -l debug || (cat $HOME/.kitchen/logs/default-${distribution}-${version//./}.log; find /tmp/kitchen)" - -notifications: - webhooks: https://galaxy.ansible.com/api/v1/notifications/ - diff --git a/osquery/roles/osquery/.travis.yml.orig b/osquery/roles/osquery/.travis.yml.orig deleted file mode 100644 index e72b9ba6..00000000 --- a/osquery/roles/osquery/.travis.yml.orig +++ /dev/null @@ -1,42 +0,0 @@ ---- -sudo: required -dist: trusty - -language: generic - -before_install: - - sudo apt-get -qq update - - sudo apt-get install -y python python-pip - -install: - # Install ansible - - sudo pip install ansible - - # Check ansible version - - ansible --version - - # Create ansible.cfg with correct roles_path - - printf '[defaults]\nroles_path=../' >ansible.cfg - - # Install role dependencies - # ... - -script: - # Basic role syntax check - - ansible-playbook tests/test.yml -i tests/inventory --syntax-check - - # Run the role/playbook with ansible-playbook - - ansible-playbook tests/test.yml -i tests/inventory --connection=local --become - - # Run the role/playbook again, checking to make sure it's idempotent - - > - ansible-playbook tests/test.yml -i tests/inventory --connection=local --become - | grep -q 'changed=0.*failed=0' - && (echo 'Idempotence test: pass' && exit 0) - || (echo 'Idempotence test: fail' && exit 1) - - # Playbook specific tests - # ... - -notifications: - webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/osquery/roles/osquery/.travis.yml.simple b/osquery/roles/osquery/.travis.yml.simple deleted file mode 100644 index d765d799..00000000 
--- a/osquery/roles/osquery/.travis.yml.simple +++ /dev/null @@ -1,61 +0,0 @@ ---- -sudo: required -dist: trusty - -language: generic - -env: - - suite: default - - suite: default-osquery-syslog - - suite: default-osquery-syslog-fs - -before_install: - - sudo apt-get -qq update - - sudo apt-get install -y python python-pip - - "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh" -## serverspec test - - sudo apt-get install -qq ruby2.0 rake - - sudo gem2.0 install serverspec - -install: - # Install ansible - - sudo pip install ansible - - # Check ansible version - - ansible --version - - # Create ansible.cfg with correct roles_path - - printf '[defaults]\nroles_path=../' >ansible.cfg - - "echo \"[test-kitchen]\nlocalhost\" > inventory" - - - gem2.0 --version - - # Install role dependencies - # ... - -script: - # Basic role syntax check - - "ansible-playbook -i inventory --syntax-check test/integration/${suite}/default.yml" - - # Run the role/playbook with ansible-playbook - - "ansible-playbook -i inventory --connection=local --sudo -vvvv test/integration/${suite}/default.yml" - - # Run the role/playbook again, checking to make sure it's idempotent - - > - ansible-playbook -i inventory test/integration/${suite}/default.yml --connection=local --become - | grep -q 'changed=0.*failed=0' - && (echo 'Idempotence test: pass' && exit 0) - || (echo 'Idempotence test: fail' && exit 1) - - # Playbook specific tests -# - "cd test/integration/${suite}/serverspec/ && bundle exec rake spec" - -after_failure: - - "ls -l /var/log/ /var/log/osquery/" - - "sudo cat /var/log/osquery*.log /var/log/osquery/*.log" - - "sudo cat /etc/rsyslog.d/30-osquery-target.conf" - - "sudo systemctl -l status" - - "sudo journalctl -xe --no-pager" - -notifications: - webhooks: https://galaxy.ansible.com/api/v1/notifications/ diff --git a/osquery/roles/osquery/Jenkinsfile b/osquery/roles/osquery/Jenkinsfile deleted file mode 100644 index 7b3d7581..00000000 
--- a/osquery/roles/osquery/Jenkinsfile +++ /dev/null @@ -1,59 +0,0 @@ -// Work in progress - -node { - - try{ - currentBuild.result = "SUCCESS" - def workspace = pwd() - def directory = "kbrebanov.osquery" - - stage 'Clean Workspace' - deleteDir() - - stage("Download source and capture commit ID") { - sh "mkdir $directory" - dir("$directory") { - checkout scm - // Get the commit ID - sh 'git rev-parse --verify HEAD > GIT_COMMIT' - git_commit = readFile('GIT_COMMIT').take(7) - echo "Current commit ID: ${git_commit}" - } - } - - dir("$directory") { - - stage("Get dependencies"){ - sh "sh -x get-dependencies.sh" - } - stage("Build and verify 1"){ - defaultplatform = sh ( - script: '''#!/bin/bash -kitchen list | awk "!/Instance/ {print \\$1; exit}" - ''', - returnStdout: true - ).trim() - echo "default platform: ${defaultplatform}" - - sh "kitchen test ${defaultplatform}" - // must keep instance for security testing after - //sh "kitchen verify ${defaultplatform}" - } - - stage("Build and verify all platforms"){ - sh "kitchen test" - } - - stage("Cleanup if no errors"){ - sh "kitchen destroy" - } - - } - - } - - catch(err) { - currentBuild.result = "FAILURE" - throw err - } -} diff --git a/osquery/roles/osquery/README.md b/osquery/roles/osquery/README.md deleted file mode 100644 index 96f6448a..00000000 --- a/osquery/roles/osquery/README.md +++ /dev/null 
@@ -1,43 +0,0 @@ -[![Build Status - Master](https://travis-ci.org/juju4/ansible-osquery.svg?branch=master)](https://travis-ci.org/juju4/ansible-osquery) -[![Build Status - Devel](https://travis-ci.org/juju4/ansible-osquery.svg?branch=devel)](https://travis-ci.org/juju4/ansible-osquery/branches) -osquery -======= - -[![Build Status](https://travis-ci.org/kbrebanov/ansible-osquery.svg?branch=master)](https://travis-ci.org/kbrebanov/ansible-osquery) - -Installs osquery - -Requirements ------------- - -This role requires Ansible 2.0 or higher. - -Role Variables --------------- - -None - -Dependencies ------------- - -None - -Example Playbook ----------------- - -Install osquery -```yaml -- hosts: all - roles: - - kbrebanov.osquery -``` - -License -------- - -BSD - -Author Information ------------------- - -Kevin Brebanov diff --git a/osquery/roles/osquery/defaults/main.yml b/osquery/roles/osquery/defaults/main.yml index 9fff5d29..38edad0e 100644 --- a/osquery/roles/osquery/defaults/main.yml +++ b/osquery/roles/osquery/defaults/main.yml @@ -1,14 +1,9 @@ --- -# defaults file for osquery - -osquery_service_enable: true -osquery_debug_packages_install: true -## define this if don't want to use upstream ones -#osquery_repository: '' -#osquery_repositorykey: '' +# Enable or disable the installation of the osquery debug packages. +osquery_debug_packages_install: false osquery_template: 'osquery.conf.j2' -#osquery_upload_packs: [] + osquery_upload_packs: - osquery-snapshots-pack - osquery-monitoring2-pack @@ -25,9 +20,6 @@ osquery_packs: osquery_config_plugin: 'filesystem' osquery_logger_plugin: 'filesystem' -#osquery_logger_plugin: 'syslog' -#osquery_logger_plugin: 'filesystem,syslog' -#osquery_logger_plugin: 'tls' osquery_flags: [] ## if using zentral, kolide or else ## https://github.com/zentralopensource/zentral/blob/f460b10a95d4ea1e515aea3363f55733465d1d9c/zentral/contrib/osquery/deb_script/template.sh 
@@ -64,6 +56,7 @@ osquery_fim_filepaths: - name: etc list: - "/etc/%%" + ## Take care if using a lot /tmp. can trigger ## 'Expiring events for subscriber: file_events (overflowed limit 1000)' ## => losing many queries results (fim or not) @@ -83,16 +76,11 @@ osquery_fim_filepaths: - name: webroot list: - "/var/www/%%" + osquery_fim_excludepaths: - name: tmp list: - /tmp/too_many_events/ -osquery_rsyslog: true -## conflict with auditd. choose one. -## https://osquery.readthedocs.io/en/stable/deployment/process-auditing/ -osquery_process_auditing: false -osquery_process_interval: 900 -osquery_socket_interval: 900 ## queries snapshots: 1/week (or 1/month? nok) ## Max interval 1/w: https://github.com/theopolis/osquery/commit/b76dee8a1fddccb500bc4a058daa1b39083b9dbb @@ -100,24 +88,6 @@ osquery_snapshot_interval: 604800 osquery_snapshot_interval2: 604800 #osquery_snapshot_interval2: 2592000 -osquery_logrotate: true -osquery_logrotate_days: 90 - -## https://osquery.readthedocs.io/en/stable/installation/cli-flags/#loggingresults-flags -## per facility -## osquery wants a facility code, while keyword for rsyslog... -osquery_syslog_target_facility_osqueryconf: 19 -osquery_syslog_target_facility_syslogconf: local3 -osquery_syslog_target: '' -#osquery_syslog_target: '@@10.1.1.100' -## mostly for testing purpose -#osquery_syslog_target: '/var/log/osquery/osquery_syslog.log' -## per programname: mostly query execution log and daemon state. avoid mixing with default syslog messages -#osquery_syslog_target2: '' -osquery_syslog_target2: '/var/log/osquery/osqueryd.log' -osquery_syslog_dirs: - - /var/log/osquery - ## making schedule query faster to have logs faster... osquery_testing: false osquery_testing_pause: false @@ -129,4 +99,3 @@ osquery_profiling: false ## full config might be too long for travis (max 50min) #osquery_profiling_conf: /etc/osquery/osquery.conf osquery_profiling_conf: /usr/share/osquery/packs/incident-response.conf - 
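Review bot: The `@@ -83,16 +76,11` and `@@ -100,24 +88,6` hunks remove `osquery_process_auditing`, `osquery_rsyslog`, `osquery_logrotate` and the `osquery_syslog_target*` defaults without a visible replacement, while `handlers/main.yml` in this same commit still carries a `restart rsyslog` handler and a static `files/logrotate-osquery` is added; any template or task that still references one of these names (the templates are not in this diff, so this is an inference) will now abort the play with an undefined-variable error instead of falling back to the old default. If the syslog and process-auditing features are intentionally retired, say so at the top of the file, e.g. `# syslog/process-auditing/logrotate knobs removed: see files/logrotate-osquery and osquery.flags`; otherwise keep the removed keys with explicit `false` / `''` values so existing playbooks keep a stable interface. Flipping `osquery_debug_packages_install` to `false` in the first hunk is also a behaviour change for existing consumers and deserves a note, especially since README.md is deleted in this commit.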
diff --git a/osquery/roles/osquery/files/logrotate-osquery b/osquery/roles/osquery/files/logrotate-osquery new file mode 100644 index 00000000..a7e0cd07 --- /dev/null +++ b/osquery/roles/osquery/files/logrotate-osquery @@ -0,0 +1,12 @@ +/var/log/osquery/*.log.log +{ + copytruncate + daily + rotate 2 + delaycompress + compress + dateext + notifempty + missingok + maxage 5 +} diff --git a/osquery/roles/osquery/get-dependencies.sh b/osquery/roles/osquery/get-dependencies.sh deleted file mode 100755 index f1ae96f3..00000000 --- a/osquery/roles/osquery/get-dependencies.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/sh -## one script to be used by travis, jenkins, packer... - -umask 022 - -if [ $# != 0 ]; then -rolesdir=$1 -else -rolesdir=$(dirname $0)/.. -fi - -[ ! -d $rolesdir/juju4.redhat-epel ] && git clone https://github.com/juju4/ansible-redhat-epel $rolesdir/juju4.redhat-epel -[ ! -d $rolesdir/geerlingguy.redis ] && git clone https://github.com/juju4/ansible-role-redis.git $rolesdir/geerlingguy.redis -[ ! -d $rolesdir/geerlingguy.mysql ] && git clone https://github.com/geerlingguy/ansible-role-mysql.git $rolesdir/geerlingguy.mysql -[ ! -d $rolesdir/juju4.kolide ] && git clone https://github.com/juju4/ansible-kolide $rolesdir/juju4.kolide -## galaxy naming: kitchen fails to transfer symlink folder -#[ ! -e $rolesdir/kbrebanov.osquery ] && ln -s ansible-osquery $rolesdir/kbrebanov.osquery -[ ! -e $rolesdir/kbrebanov.osquery ] && cp -R $rolesdir/ansible-osquery $rolesdir/kbrebanov.osquery - -## don't stop build on this script return code -true - diff --git a/osquery/roles/osquery/handlers/main.yml b/osquery/roles/osquery/handlers/main.yml index c09bfea4..920a4118 100644 --- a/osquery/roles/osquery/handlers/main.yml +++ b/osquery/roles/osquery/handlers/main.yml 
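Review bot: The glob `/var/log/osquery/*.log.log` in the new logrotate file looks like a typo: osquery's filesystem logger writes `osqueryd.results.log` and `osqueryd.snapshots.log` into that directory, which `*.log.log` does not match, and with `missingok` set logrotate will silently rotate nothing, so the result logs grow unbounded. Unless some other writer produces `*.log.log` files (nothing in this diff does), the first line should read `/var/log/osquery/*.log`. Independently, `rotate 2` with `maxage 5` keeps at most a few days of query results on the host, replacing the previous template's 90-day `osquery_logrotate_days` default; for security telemetry that is only acceptable when results are shipped off-host, so either state that assumption in a leading comment (`# retention is deliberately short: results are forwarded by the tls/syslog logger`) or raise it to something like `rotate 90`. `copytruncate` can also drop lines written between the copy and the truncate; a one-line comment on why it is preferred over a `postrotate` signal to osqueryd would help the next maintainer.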
@@ -1,10 +1,14 @@ --- -# handlers file for osquery +- name: Enable and start the service + systemd: + name: osqueryd + enabled: true + state: restarted + listen: restart osquery -- name: restart osquery -# service: name=osqueryd state=restarted -## for rocksdb backend - shell: "systemctl stop osqueryd; sleep 5; systemctl start osqueryd" - -- name: restart rsyslog - service: name=rsyslog state=restarted +- name: Enable and start the service + systemd: + name: rsyslog + enabled: true + state: restarted + listen: restart rsyslog diff --git a/osquery/roles/osquery/tasks/configure.yml b/osquery/roles/osquery/tasks/configure.yml deleted file mode 100644 index 853fc09a..00000000 --- a/osquery/roles/osquery/tasks/configure.yml +++ /dev/null 
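Review bot: Both handlers in this hunk share the name `Enable and start the service`, so they are only distinguishable through their `listen` topics; a task that does `notify: Enable and start the service` by name reaches only one of them, and ansible-lint reports the duplicate name. Give each a distinct, descriptive name, e.g. `- name: Enable and restart osqueryd` and `- name: Enable and restart rsyslog`, keeping the `listen: restart osquery` / `listen: restart rsyslog` lines so existing notifications keep working. The removed handler deliberately did `systemctl stop osqueryd; sleep 5; systemctl start osqueryd` because of the RocksDB backend (per the deleted comment); `state: restarted` loses that pause, so either confirm the database lock is released quickly enough on current osquery builds or restore the comment and the delay. Note also that `enabled: true` on a restart handler changes boot-time enablement as a side effect of any config change, which is probably intended but worth a comment.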
@@ -1,120 +0,0 @@ ---- - -- name: check if osquery is present - stat: path=/etc/osquery - register: hasOsquery -- block: - - name: ensure directories exist - file: - dest: "{{ item.d }}" - state: directory - mode: "{{ item.m }}" - with_items: - - { d: '/var/log/osquery', m: '0755' } - - name: push extra osquery packs file - template: - src: "{{ item }}.conf.j2" - dest: "/usr/share/osquery/packs/{{ item | basename }}.conf" - backup: yes - with_items: "{{ osquery_upload_packs }}" - notify: - - restart osquery - - debug: var=osquery_packs - - name: configure osquery - template: - src: "{{ osquery_template }}" - dest: /etc/osquery/osquery.conf - mode: '0644' - backup: yes - validate: 'osqueryi --config_path %s --config_check --verbose' -# validate: 'egrep -v '^\s*//' %s | tee /tmp/a | python -mjson.tool' - notify: - - restart osquery - - name: "ensure osquery var dir exists" - file: - state: "directory" - path: "/var/osquery" - - name: "express the osquery secret to disk" - lineinfile: - path: "/etc/osquery/osquery_enroll_secret" - line: "{{ osquery_enroll_secret }}" - state: present - owner: "root" - group: "root" - mode: "0600" - create: true - when: - - osquery_enroll_secret is defined - - name: configure osquery flags - template: - src: "osquery.flags.j2" - dest: /etc/osquery/osquery.flags - mode: '0644' - backup: yes - notify: - - restart osquery - - name: re-validate whole osquery config - command: 'osqueryi --config_path /etc/osquery/osquery.conf --config_check --verbose' - changed_when: false - register: confcheck - failed_when: "'error' in confcheck.stdout or 'fail' in confcheck.stdout" - - block: - - name: ensure logrotate package is present - package: - name: logrotate - state: present - - name: add logrotate configuration for osquery log - template: - src: logrotate-osquery.j2 - dest: /etc/logrotate.d/osquery - mode: '0644' - backup: yes - validate: 'logrotate -dv %s' - when: osquery_logrotate - - name: ensure service is enabled and started - service: 
name=osqueryd state=started enabled=yes - - set_fact: - monit_osqueryd: true - when: hasOsquery.stat.exists - -## FIXME! warnings like (from packs/incident-response.conf) -#virtual_table.cpp:484] The shell_history table returns data based on the current user by default, consider JOINing against the users table -# but still apply with -# SELECT s.uid,s.time,s.command,s.history_file FROM shell_history s JOIN users USING (uid) limit 10; - -- block: - - name: review inotify sysctl settings for osquery - sysctl: name="{{ item.n }}" value="{{ item.v }}" sysctl_set=yes state=present reload=yes - with_items: - - { n: 'fs.inotify.max_user_watches', v: '524288' } - - { n: 'fs.inotify.max_user_instances', v: '256' } - - { n: 'fs.inotify.max_queued_events', v: '32768' } - when: osquery_fim and not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker")) - -## ensure no auditd at the same time -## https://osquery.readthedocs.io/en/stable/deployment/process-auditing/ -- block: - - name: ensure auditd is not present - package: name="{{ _osquery_auditd_pkg }}" state=absent - when: osquery_process_auditing - -- name: get rsyslog version - command: "rsyslogd -v | awk -F'[ ,]' '/rsyslogd/ { print $2 }'" - environment: - PATH: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' - changed_when: false - register: rsyslog_v - -- block: - - name: setup rsyslog pipe for osquery communication - template: - src: osquery-rsyslog.conf.j2 - dest: /etc/rsyslog.d/90-osquery.conf - mode: '0644' - backup: yes - notify: - - restart rsyslog - when: osquery_rsyslog - -- include: syslog-target.yml - when: osquery_syslog_target != '' diff --git a/osquery/roles/osquery/tasks/main.yml b/osquery/roles/osquery/tasks/main.yml index a68320fa..2745783c 100644 --- a/osquery/roles/osquery/tasks/main.yml +++ b/osquery/roles/osquery/tasks/main.yml 
@@ -1,69 +1,32 @@ --- -# tasks file for osquery +- name: Gather variables for each operating system + include_vars: "{{ item }}" + with_first_found: + - "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml" + - "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml" + - "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml" + - "{{ ansible_distribution | lower }}.yml" + - "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml" + - "{{ ansible_os_family | lower }}.yml" + tags: + - always -- name: Include distribution specific variables - include_vars: "{{ ansible_distribution }}.yml" +- include_tasks: "osquery_{{ ansible_pkg_mgr }}.yml" + +- name: Install osquery + package: + name: "{{ osquery_packages }}" + state: present + +- name: Install osquery debug packages + package: + name: "{{ item }}" + state: present + with_items: "{{ osquery_debug_packages }}" + when: + - osquery_debug_packages_install | bool + +- include: osquery_configure.yml tags: - osquery -- name: Include version-specific variables for RedHat - include_vars: "CentOS-{{ ansible_distribution_version.split('.')[0] }}.yml" - when: ansible_os_family == "RedHat" - -- include: CentOS.yml - when: ansible_os_family == "RedHat" - tags: - - osquery - -- include: Debian.yml - when: ansible_os_family == "Debian" - tags: - - osquery - -- block: - - name: Install osquery - package: - name: "{{ item }}" - state: present - with_items: "{{ osquery_packages }}" - tags: - - osquery - - - name: Install osquery debug packages - package: - name: "{{ item }}" - state: present - with_items: "{{ osquery_debug_packages }}" - when: osquery_debug_packages_install - tags: - - osquery - - - include: configure.yml - tags: - - osquery - - config - - - name: Enable service - service: name=osqueryd enabled={{ osquery_service_enable }} - tags: - - osquery - - service - - name: Start service - service: 
name=osqueryd state=started - when: osquery_service_enable - tags: - - osquery - - service - - - meta: flush_handlers - - - name: pause a bit to have few queries results - command: sleep 5 - changed_when: false - when: osquery_testing_pause or osquery_testing - - - include: testing.yml - when: osquery_testing - - - include: profiling.yml - when: osquery_profiling - when: ansible_os_family == "RedHat" or ansible_distribution == "Ubuntu" or ansible_distribution == "Debian" + - config diff --git a/osquery/roles/osquery/tasks/Debian.yml b/osquery/roles/osquery/tasks/osquery_apt.yml similarity index 65% rename from osquery/roles/osquery/tasks/Debian.yml rename to osquery/roles/osquery/tasks/osquery_apt.yml index 3d6eff42..dd08c2a3 100644 --- a/osquery/roles/osquery/tasks/Debian.yml +++ b/osquery/roles/osquery/tasks/osquery_apt.yml @@ -1,10 +1,7 @@ --- - -# tasks file for osquery (Debian, Ubuntu specific) - - name: Ensure dirmngr is present for apt-key package: - name: dirmngr + name: "{{ osquery_required_packages }}" state: present - name: Download osquery APT key @@ -16,14 +13,6 @@ tags: - osquery -- name: Ensure apt-transport-https is installed - become: yes - apt: - name: apt-transport-https - state: present - tags: - - osquery - - name: Configure osquery APT repository become: yes apt_repository: diff --git a/osquery/roles/osquery/tasks/osquery_configure.yml b/osquery/roles/osquery/tasks/osquery_configure.yml new file mode 100644 index 00000000..3a917e2b --- /dev/null +++ b/osquery/roles/osquery/tasks/osquery_configure.yml 
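Review bot: No task in the new tasks/main.yml ensures osqueryd is enabled and running on every run: the old `Enable service` and `Start service` tasks are removed and the service is now only touched by the `restart osquery` handler, which fires solely when a configuration task reports a change, so a host that is already configured but where osqueryd was stopped stays stopped. Add an explicit `service` task after the configure include with `name: osqueryd`, `enabled: true`, `state: started` (the `osquery_service_enable` variable the old tasks honoured is otherwise unused here). Secondary: the new `- include_tasks: "osquery_{{ ansible_pkg_mgr }}.yml"` carries no `tags:` while the old per-family includes and the configure include keep `osquery`, so a run limited with `--tags osquery` would most likely skip the repository setup and then fail at `Install osquery`; and the file now mixes `include_tasks` with the deprecated `include` on the following task — pick one form.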
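Review bot: In the first osquery_apt.yml hunk the task name `Ensure dirmngr is present for apt-key` no longer describes the task now that it installs `name: "{{ osquery_required_packages }}"`; rename it, e.g. `- name: Ensure packages required for the osquery apt repository are present`. The second hunk removes the dedicated `apt-transport-https` install; presumably that package moved into `osquery_required_packages` in a vars file outside this diff — worth confirming, since `Configure osquery APT repository` follows and an https source on older apt releases fails without it. The rest of osquery_apt.yml, including the repository task, lies outside these hunks.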
@@ -0,0 +1,88 @@ +--- +- name: Ensure directories exist + file: + dest: "/var/osquery" + state: directory + mode: "0755" + +- name: Ensure target syslog dir exists + file: + dest: "/var/log/osquery" + state: directory + mode: "{{ varlog_mode }}" + group: "{{ varlog_group }}" + +- name: Push extra osquery packs file + template: + src: "{{ item }}.conf.j2" + dest: "/usr/share/osquery/packs/{{ item | basename }}.conf" + backup: yes + with_items: "{{ osquery_upload_packs }}" + notify: + - restart osquery + +- name: Print osquery packs + debug: var=osquery_packs + +- name: Configure osquery + template: + src: "{{ osquery_template }}" + dest: /etc/osquery/osquery.conf + mode: '0644' + backup: yes + validate: 'osqueryi --config_path %s --config_check --verbose' + notify: + - restart osquery + +- name: Express the osquery secret to disk + lineinfile: + path: "/etc/osquery/osquery_enroll_secret" + line: "{{ osquery_enroll_secret }}" + state: present + owner: "root" + group: "root" + mode: "0600" + create: true + notify: + - restart osquery + when: + - osquery_enroll_secret is defined + +- name: Configure osquery flags + template: + src: "osquery.flags.j2" + dest: /etc/osquery/osquery.flags + mode: '0644' + backup: yes + notify: + - restart osquery + +- name: Re-validate whole osquery config + command: 'osqueryi --config_path /etc/osquery/osquery.conf --config_check --verbose' + changed_when: false + register: confcheck + failed_when: "'error' in confcheck.stdout or 'fail' in confcheck.stdout" + +- name: Add logrotate configuration for osquery log + copy: + src: logrotate-osquery + dest: /etc/logrotate.d/osquery + mode: '0644' + backup: yes + +- name: Review inotify sysctl settings for osquery + sysctl: + name: "{{ item.n }}" + value: "{{ item.v }}" + sysctl_set: yes + state: present + reload: yes + sysctl_file: /etc/sysctl.d/99-osquery.conf + failed_when: false + with_items: + - n: 'fs.inotify.max_user_watches' + v: 524288 + - n: 'fs.inotify.max_user_instances' + v: 256 + - 
n: 'fs.inotify.max_queued_events' + v: 32768 diff --git a/osquery/roles/osquery/tasks/osquery_dnf.yml b/osquery/roles/osquery/tasks/osquery_dnf.yml new file mode 120000 index 00000000..9cfc771c --- /dev/null +++ b/osquery/roles/osquery/tasks/osquery_dnf.yml @@ -0,0 +1 @@ +osquery_yum.yml \ No newline at end of file diff --git a/osquery/roles/osquery/tasks/CentOS.yml b/osquery/roles/osquery/tasks/osquery_yum.yml similarity index 87% rename from osquery/roles/osquery/tasks/CentOS.yml rename to osquery/roles/osquery/tasks/osquery_yum.yml index 2d4cf4a2..f6133308 100644 --- a/osquery/roles/osquery/tasks/CentOS.yml +++ b/osquery/roles/osquery/tasks/osquery_yum.yml @@ -1,14 +1,12 @@ --- -# tasks file for osquery (CentOS specific) - -- name: Install osquery repository key - rpm_key: - state: present - key: "{{ _osquery_repositorykey }}" - - name: Install osquery repository get_url: url: "{{ _osquery_repository }}" dest: "/etc/yum.repos.d/{{ _osquery_repository | basename }}" mode: '0644' backup: yes + +- name: Install osquery repository key + rpm_key: + state: present + key: "{{ _osquery_repositorykey }}" diff --git a/osquery/roles/osquery/tasks/profiling.yml b/osquery/roles/osquery/tasks/profiling.yml deleted file mode 100644 index a0711f5d..00000000 --- a/osquery/roles/osquery/tasks/profiling.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- - -- name: get source repository for profiling tools - git: - repo: https://github.com/facebook/osquery.git - dest: /root/osquery - -- name: ensure profiling dependencies are present - pkg - package: - name: "{{ item }}" - state: present - with_items: - - python-pip -- name: ensure profiling dependencies are present - pip - pip: - name: "{{ item }}" - state: present - with_items: - - psutil -- name: profiling - command: "./tools/analysis/profile.py --config {{ osquery_profiling_conf }} --shell /usr/bin/osqueryi --count 1 --rounds 4" - args: - chdir: /root/osquery - changed_when: false - register: perf -- debug: var=perf.stdout_lines - 
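Review bot: The `Express the osquery secret to disk` task writes `line: "{{ osquery_enroll_secret }}"` through `lineinfile` without `no_log: true`, so the enrollment secret is printed with `-v` or `--diff` and lands in any CI job log; add `no_log: true` beside `create: true`. The `Add logrotate configuration for osquery log` task dropped the `validate: 'logrotate -dv %s'` that the deleted configure.yml applied to the same destination — restoring it costs one line. The inotify sysctl task replaces the old lxc/docker `when:` guard with `failed_when: false`, which hides genuine sysctl failures on ordinary hosts as well; `when: ansible_virtualization_type is not defined or ansible_virtualization_type not in ['lxc', 'docker']` keeps the original intent without masking errors, and the `varlog_mode` / `varlog_group` variables used unconditionally by `Ensure target syslog dir exists` need a documented default now that the syslog-target include that previously supplied that context is gone.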
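Review bot: In the osquery_yum.yml hunk the moved `rpm_key` task still imports `key: "{{ _osquery_repositorykey }}"` with `state: present` only; when that value is a URL, adding `fingerprint:` pins which key the host will trust and turns a swapped key into a task failure instead of a silent trust change. The reorder — writing the `.repo` file before importing the key — is harmless because the `package` install happens later in tasks/main.yml, but a one-line comment on why the order was flipped would stop it reading as an arbitrary move. `get_url` for the repo file likewise carries no `checksum:`; that is defensible only if `_osquery_repository`, defined outside this diff, is an https URL.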
diff --git a/osquery/roles/osquery/tasks/syslog-target.yml b/osquery/roles/osquery/tasks/syslog-target.yml deleted file mode 100644 index 6e15d6af..00000000 --- a/osquery/roles/osquery/tasks/syslog-target.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- - -- name: Ensure target syslog dir exists - file: - dest: "{{ item }}" - state: directory - mode: "{{ varlog_mode }}" - group: "{{ varlog_group }}" - with_items: "{{ osquery_syslog_dirs }}" - -- name: setup rsyslog to send osquery logs to a specific target - template: - src: rsyslog-osquery-target.conf.j2 - dest: /etc/rsyslog.d/30-osquery-target.conf - mode: '0644' - backup: yes - validate: 'rsyslogd -d -N 1 -f %s' - notify: - - restart rsyslog diff --git a/osquery/roles/osquery/tasks/testing.yml b/osquery/roles/osquery/tasks/testing.yml deleted file mode 100644 index 727f28a1..00000000 --- a/osquery/roles/osquery/tasks/testing.yml +++ /dev/null 
@@ -1,40 +0,0 @@ ---- - -- block: - - name: systemd | check service status - command: "systemctl status osqueryd -l" - changed_when: false - register: systemctl - - debug: var=systemctl.stdout_lines - when: ansible_service_mgr == "systemd" -- block: - - name: service | check service status - command: "service osqueryd status" - changed_when: false - register: service - - debug: var=service.stdout_lines - when: ansible_service_mgr != "systemd" - -- block: - - name: fallocate big file - command: "fallocate -l {{ osquery_testing_fim_load_bigger }} /etc/testing-big-file" - args: - creates: /etc/testing-big-file - - name: creation of many small files - command: "split -b {{ osquery_testing_fim_load_smaller }} /etc/testing-big-file testing-" - args: - chdir: /etc - creates: /etc/testing-big-aa - - name: clean up - shell: find /etc/ -name 'testing-*' -exec rm {} \; - ignore_errors: true -# more diverse load? openssl speed, stress... - - name: retrieve log results - command: "{{ item }}" - with_items: - - head -20 /var/log/osquery/osqueryd.results.log - - tail -20 /var/log/osquery/osqueryd.results.log - ignore_errors: true - changed_when: false - register: log - when: osquery_testing_fim_load diff --git a/osquery/roles/osquery/templates/apparmor-usr.bin.osqueryd.j2 b/osquery/roles/osquery/templates/apparmor-usr.bin.osqueryd.j2 deleted file mode 100644 index 6b3e193a..00000000 --- a/osquery/roles/osquery/templates/apparmor-usr.bin.osqueryd.j2 +++ /dev/null 
@@ -1,34 +0,0 @@ -#include - -/usr/bin/osqueryd { - #include - #include - #include - - /etc/host.conf r, - /etc/hosts r, - /etc/nsswitch.conf r, - /etc/osquery/osquery.conf r, - /etc/osquery/osquery.flags r, - /proc/** rw, - /proc/cpuinfo r, - /root/osqueryd.*.root.log.ERROR.* w, - /root/osqueryd.*.root.log.INFO.* w, - /root/osqueryd.*.root.log.WARNING.* w, - /run/osqueryd.pidfile w, - /run/resolvconf/resolv.conf r, - /run/utmp r, - /sys/devices/** r, - /sys/firmware/dmi/tables/DMI r, - /tmp/* w, - /tmp/user/0/osqueryd.*.root.log.ERROR.* w, - /tmp/user/0/osqueryd.*.root.log.INFO.* w, - /tmp/user/0/osqueryd.*.root.log.WARNING.* w, - /usr/bin/osqueryd Px, - /usr/share/osquery/packs/* r, - /var/log/osquery/* w, - /var/osquery/osquery.db/ rw, - /var/osquery/osquery.db/* rw, - /var/tmp/* rw, - -} diff --git a/osquery/roles/osquery/templates/logrotate-osquery.j2 b/osquery/roles/osquery/templates/logrotate-osquery.j2 deleted file mode 100644 index 50de37bd..00000000 --- a/osquery/roles/osquery/templates/logrotate-osquery.j2 +++ /dev/null 
@@ -1,39 +0,0 @@ -{{ ansible_managed | comment('plain', decoration='## ') }} -## /etc/logrotate.d/osquery -/var/log/osquery/osqueryd.results.log { - rotate {{ osquery_logrotate_days|int }} - daily - missingok - notifempty - delaycompress - compress - create 640 root adm - sharedscripts -} -{% if osquery_syslog_target is defined and osquery_syslog_target != '' and '/var/log/' in osquery_syslog_target %} -{{ osquery_syslog_target }} { - rotate {{ osquery_logrotate_days|int }} - daily - missingok - notifempty - delaycompress - compress - create 640 root adm - sharedscripts - # Ubuntu: parent directory has insecure permissions (It's world writable or writable by group which is not "root") - su root {{ osquery_syslog_dir_group | default(varlog_group) }} -} -{% endif %} -{% if osquery_syslog_target2 is defined and osquery_syslog_target2 != '' and '/var/log/' in osquery_syslog_target2 %} -{{ osquery_syslog_target2 }} { - rotate {{ osquery_logrotate_days|int }} - daily - missingok - notifempty - delaycompress - compress - create 640 root adm - sharedscripts - su root {{ osquery_syslog_dir_group2 | default(varlog_group) }} -} -{% endif %} diff --git a/osquery/roles/osquery/templates/osquery-rsyslog.conf.j2 b/osquery/roles/osquery/templates/osquery-rsyslog.conf.j2 deleted file mode 100644 index 9c20aa1d..00000000 --- a/osquery/roles/osquery/templates/osquery-rsyslog.conf.j2 +++ /dev/null @@ -1,6 +0,0 @@ -template( - name="OsqueryCsvFormat" - type="string" - string="%timestamp:::date-rfc3339,csv%,%hostname:::csv%,%syslogseverity:::csv%,%syslogfacility-text:::csv%,%syslogtag:::csv%,%msg:::csv%\n" -) -*.* action(type="ompipe" Pipe="/var/osquery/syslog_pipe" template="OsqueryCsvFormat") diff --git a/osquery/roles/osquery/templates/osquery.conf.j2 b/osquery/roles/osquery/templates/osquery.conf.j2 index 2db9130c..84458524 100644 --- a/osquery/roles/osquery/templates/osquery.conf.j2 +++ b/osquery/roles/osquery/templates/osquery.conf.j2 
@@ -67,7 +67,7 @@ {% else %} "interval": 3600 {% endif %} - }{% if osquery_fim or osquery_process_auditing %},{% endif %} + }{% if osquery_fim %},{% endif %} {% if osquery_fim %} "fim" : { @@ -75,19 +75,8 @@ "query": "select * from file_events;", "removed": false, "interval": {% if osquery_testing_fim_load %}30{% else %}{{ osquery_fim_interval }}{% endif %} - }{% if osquery_process_auditing %},{% endif %} - -{% endif %} - -{% if osquery_process_auditing %} - "process_events":{ - "query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';", - "interval": {{ osquery_process_interval }} - }, - "socket_events":{ - "query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');", - "interval": {{ osquery_socket_interval }} } + {% endif %} }, diff --git a/osquery/roles/osquery/templates/osquery.fc.j2 b/osquery/roles/osquery/templates/osquery.fc.j2 deleted file mode 100644 index 27729fe6..00000000 --- a/osquery/roles/osquery/templates/osquery.fc.j2 +++ /dev/null 
@@ -1,6 +0,0 @@
-/usr/bin/osqueryd -- gen_context(system_u:object_r:osquery_exec_t,s0)
-/etc/osquery(/.*)? -- gen_context(system_u:object_r:osquery_conf_t,s0)
-/usr/share/osquery/packs(/.*)? -- gen_context(system_u:object_r:osquery_conf_t,s0)
-/var/log/osquery(/.*)? -- gen_context(system_u:object_r:osquery_log_t,s0)
-/var/osquery/osquery.em -- gen_context(system_u:object_r:osquery_sock_t,s0)
-/usr/lib/systemd/system/osqueryd.service -- gen_context(system_u:object_r:osquery_unit_file_t,s0)
diff --git a/osquery/roles/osquery/templates/osquery.flags.j2 b/osquery/roles/osquery/templates/osquery.flags.j2
index d3fb2ce0..079f872b 100644
--- a/osquery/roles/osquery/templates/osquery.flags.j2
+++ b/osquery/roles/osquery/templates/osquery.flags.j2
@@ -2,15 +2,5 @@
 {% for flag in osquery_flags %}
 {{ flag }}
 {% endfor %}
-{% if osquery_process_auditing %}
---disable_audit=false
---audit_allow_config=true
---audit_persist=true
---audit_allow_sockets
-{% endif %}
-{% if osquery_rsyslog %}
---enable_syslog
-{% endif %}
-{% if osquery_syslog_target != '' and osquery_syslog_target_facility_osqueryconf != '' %}
---logger_syslog_facility={{ osquery_syslog_target_facility_osqueryconf }}
-{% endif %}
+--logger_path=/var/log/osquery
+--logger_plugin=filesystem
\ No newline at end of file
diff --git a/osquery/roles/osquery/templates/osqueryd-monit.j2 b/osquery/roles/osquery/templates/osqueryd-monit.j2
deleted file mode 100644
index 458b802a..00000000
--- a/osquery/roles/osquery/templates/osqueryd-monit.j2
+++ /dev/null
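Review bot: The two added lines hard-code `--logger_path=/var/log/osquery` and `--logger_plugin=filesystem` after the `{% for flag in osquery_flags %}` loop, so a `--logger_plugin=tls` supplied through `osquery_flags` (as the fleetmanager test playbook deleted in this same commit did) appears twice in the flagfile, and unless osquery keeps the first occurrence the fixed filesystem value silently wins and TLS log shipping never happens. Moving these two defaults into the role's default `osquery_flags` list, or guarding them with `{% if '--logger_plugin' not in osquery_flags | join(' ') %}`, keeps them overridable from inventory. The file also now ends without a trailing newline (`\ No newline at end of file`); ending with a newline keeps the last flag from being glued to anything a later template or handler appends.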
@@ -1,27 +0,0 @@ -{{ ansible_managed | comment('plain', decoration='## ') }} -check process osqueryd - with pidfile "/var/run/osqueryd.pid" - group system - group osqueryd -{% if ansible_service_mgr == 'systemd' %} - start program = "/bin/systemctl start ssh" with timeout 60 seconds - stop program = "/bin/systemctl stop ssh" -{% else %} - start program = "/etc/init.d/ssh start" with timeout 60 seconds - stop program = "/etc/init.d/ssh stop" -{% endif %} - if cpu > 90% for 15 cycles then alert - if totalmem > 90% for 15 cycles then alert - if loadavg(15min) greater than 10 for 50 cycles then alert - if 5 restarts with 5 cycles then alert - depends on osqueryd_binary - depends on osqueryd_conf - -check file osqueryd_binary - with path /usr/bin/osqueryd - group osqueryd - if failed checksum then alert - -check file osqueryd_conf with path /etc/osquery/osquery.conf - include /etc/monit/templates/rootrc - group osqueryd diff --git a/osquery/roles/osquery/templates/rsyslog-osquery-target.conf.j2 b/osquery/roles/osquery/templates/rsyslog-osquery-target.conf.j2 deleted file mode 100644 index c8dbcd72..00000000 --- a/osquery/roles/osquery/templates/rsyslog-osquery-target.conf.j2 +++ /dev/null @@ -1,16 +0,0 @@ -{% if osquery_syslog_target is defined and osquery_syslog_target != '' %} -{{ osquery_syslog_target_facility_syslogconf }}.* {{ osquery_syslog_target }} -{% if rsyslog_v.stdout is defined and rsyslog_v.stdout is version_compare('8.0', '<') %} -& ~ -{% else %} -& stop -{% endif %} -{% endif %} -{% if osquery_syslog_target2 is defined and osquery_syslog_target2 != '' %} -if $programname == 'osqueryd' then {{ osquery_syslog_target2 }} -{% if rsyslog_v.stdout is defined and rsyslog_v.stdout is version_compare('8.0', '<') %} -& ~ -{% else %} -& stop -{% endif %} -{% endif %} 
diff --git a/osquery/roles/osquery/test/integration/default-fleetmanager/bats/idempotency.bats b/osquery/roles/osquery/test/integration/default-fleetmanager/bats/idempotency.bats deleted file mode 100644 index 0ce1c670..00000000 --- a/osquery/roles/osquery/test/integration/default-fleetmanager/bats/idempotency.bats +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/env bats -# - -# -# Idempotence test -# from https://github.com/neillturner/kitchen-ansible/issues/92 -# - -@test "Second run should change nothing" { - skip "service module issue" - run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1" - [ "$status" -eq 0 ] -} - diff --git a/osquery/roles/osquery/test/integration/default-fleetmanager/default.yml b/osquery/roles/osquery/test/integration/default-fleetmanager/default.yml deleted file mode 100644 index 91096c93..00000000 --- a/osquery/roles/osquery/test/integration/default-fleetmanager/default.yml +++ /dev/null 
@@ -1,43 +0,0 @@ ---- - -- hosts: all -#- hosts: test-kitchen - vars: - - mysql_root_password: 'Toor=2017.' - - kolide_mysql_root_pass: "{{ mysql_root_password }}" - - mysql_databases: - - name: "{{ kolide_mysql_db }}" - - mysql_users: - - name: "{{ kolide_mysql_user }}" - host: "localhost" - #host: "%" - password: "{{ kolide_mysql_pass }}" - priv: "{{ kolide_mysql_db }}.*:ALL" - - mysql_enablerepo: epel - - osquery_flags: - - '--enroll_secret_path=/etc/osquery/osquery_enroll_secret' - - "--tls_server_certs={{ ssl_dir }}/{{ ansible_fqdn }}.crt" - - '--tls_hostname=acme.kolide.co:8080' - - '--host_identifier=hostname' - - '--enroll_tls_endpoint=/api/v1/osquery/enroll' - - '--config_plugin=tls' - - '--config_tls_endpoint=/api/v1/osquery/config' - - '--config_tls_refresh=10' - - '--disable_distributed=false' - - '--distributed_plugin=tls' - - '--distributed_interval=10' - - '--distributed_tls_max_attempts=3' - - '--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read' - - '--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write' - - '--logger_plugin=tls' - pre_tasks: - - name: map acme.kolide.co to localhost - lineinfile: - dest: /etc/hosts - line: 127.0.0.1 acme.kolide.co - ignore_errors: true - roles: - - { role: geerlingguy.mysql, when: ansible_os_family == 'Debian' } - - juju4.kolide - - kbrebanov.osquery - diff --git a/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Gemfile b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Gemfile deleted file mode 100644 index 938ed3ed..00000000 --- a/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Gemfile +++ /dev/null @@ -1,8 +0,0 @@ -source 'https://rubygems.org' - -gem 'serverspec' -gem 'rake' -## for junit output and jenkins support -## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.' -#gem 'yarjuf' - 
diff --git a/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Rakefile b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Rakefile deleted file mode 100644 index 3699568c..00000000 --- a/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/Rakefile +++ /dev/null @@ -1,9 +0,0 @@ -require 'rake' -require 'rspec/core/rake_task' - -RSpec::Core::RakeTask.new(:spec) do |t| - t.pattern = '*_spec.rb' -end - -task :default => :spec - diff --git a/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/osquery_spec.rb b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/osquery_spec.rb deleted file mode 100644 index f05921d7..00000000 --- a/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/osquery_spec.rb +++ /dev/null 
@@ -1,59 +0,0 @@ -require 'serverspec' - -# Required by serverspec -set :backend, :exec - -describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do -## mostly exclude for docker/systemd distributions - it { should be_enabled } -end -describe service('osqueryd') do - it { should be_running } -end - -describe file('/usr/bin/osqueryd') do - it { should be_executable } -end -describe file('/usr/bin/osqueryi') do - it { should be_executable } -end - -describe file('/etc/osquery/osquery.conf') do - it { should contain '"config_plugin":' } - it { should contain '"packs": {' } - it { should contain '"filesystem"' } -end - -describe process("osqueryd") do - its(:user) { should eq "root" } - its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ } - its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ } -end - -#describe file('/var/log/osquery/osqueryd.INFO') do -# it { should be_symlink } -# its(:content) { should match /Log line format:/ } -#end -#describe file('/var/log/osquery/osqueryd.WARNING') do -# it { should be_symlink } -# its(:content) { should match /Log line format:/ } -# its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ } -#end -#describe file('/var/log/osquery/osqueryd.results.log') do -# it { should be_file } -## its(:content) { should match /hostIdentifier/ } -# let(:sudo_options) { '-u root -H' } -#end - -describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do - its(:stdout) { should match /osqueryd is already running/ } - its(:exit_status) { should eq 0 } -end -describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do - its(:stdout) { should match /active \(running\)/ } - its(:exit_status) { should eq 0 } -end -describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do - 
its(:stdout) { should match /active \(running\)/ } - its(:exit_status) { should eq 0 } -end diff --git a/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/run-local-tests.sh b/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/run-local-tests.sh deleted file mode 100755 index 39050487..00000000 --- a/osquery/roles/osquery/test/integration/default-fleetmanager/serverspec/run-local-tests.sh +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/sh -x -## get consistent ruby2+bundler env on each distribution - -location=`dirname "$0"` -cd $location -v=2.3 - -## docker environment in travis missing few utils -[ -f /etc/debian_version ] && apt-get install -y curl -[ -f /etc/redhat-release ] && yum -y install which - -curl -sSL https://get.rvm.io | bash -#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm -#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh - -## troubleshoot -type rvm | head -1 -env - -#export PATH=/usr/local/rvm/bin:$PATH - -bash -l -c "rvm install $v" -bash -l -c "rvm use $v" -bash -l -c "rvm use $v --default" -bash -l -c "gem install bundler" -bash -l -c "bundle install --path ./gems" -if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then - bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec" -else - bash -l -c "bundle exec rake spec" -fi - diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/bats/idempotency.bats b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/bats/idempotency.bats deleted file mode 100644 index 0ce1c670..00000000 --- a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/bats/idempotency.bats +++ /dev/null 
@@ -1,14 +0,0 @@ -#!/usr/bin/env bats -# - -# -# Idempotence test -# from https://github.com/neillturner/kitchen-ansible/issues/92 -# - -@test "Second run should change nothing" { - skip "service module issue" - run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1" - [ "$status" -eq 0 ] -} - diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/default.yml b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/default.yml deleted file mode 100644 index b60930e6..00000000 --- a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/default.yml +++ /dev/null @@ -1,17 +0,0 @@ ---- - -- hosts: all -#- hosts: test-kitchen - vars: - - osquery_flags: - - '--logger_plugin=filesystem,syslog' - - osquery_logger_plugin: 'filesystem,syslog' - - osquery_syslog_target: '/var/log/osquery_syslog-results.log' - - osquery_syslog_target2: '/var/log/osquery_syslog-prog.log' - - osquery_testing: true - - osquery_syslog_dirs: - - /var/log - - osquery_testing_pause: true - roles: - - kbrebanov.osquery - diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Gemfile b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Gemfile deleted file mode 100644 index 938ed3ed..00000000 --- a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Gemfile +++ /dev/null @@ -1,8 +0,0 @@ -source 'https://rubygems.org' - -gem 'serverspec' -gem 'rake' -## for junit output and jenkins support -## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.' -#gem 'yarjuf' - diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Rakefile b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Rakefile deleted file mode 100644 index 3699568c..00000000 
--- a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/Rakefile +++ /dev/null @@ -1,9 +0,0 @@ -require 'rake' -require 'rspec/core/rake_task' - -RSpec::Core::RakeTask.new(:spec) do |t| - t.pattern = '*_spec.rb' -end - -task :default => :spec - diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_spec.rb b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_spec.rb deleted file mode 100644 index 7b4fa769..00000000 --- a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_spec.rb +++ /dev/null 
@@ -1,59 +0,0 @@ -require 'serverspec' - -# Required by serverspec -set :backend, :exec - -describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do -## mostly exclude for docker/systemd distributions - it { should be_enabled } -end -describe service('osqueryd') do - it { should be_running } -end - -describe file('/usr/bin/osqueryd') do - it { should be_executable } -end -describe file('/usr/bin/osqueryi') do - it { should be_executable } -end - -describe file('/etc/osquery/osquery.conf') do - it { should contain '"config_plugin":' } - it { should contain '"packs": {' } - it { should contain '"filesystem,syslog"' } -end - -describe process("osqueryd") do - its(:user) { should eq "root" } - its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ } - its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ } -end - -describe file('/var/log/osquery/osqueryd.INFO') do - it { should be_symlink } - its(:content) { should match /Log line format:/ } -end -describe file('/var/log/osquery/osqueryd.WARNING') do - it { should be_symlink } - its(:content) { should match /Log line format:/ } - its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ } -end -describe file('/var/log/osquery/osqueryd.results.log') do - it { should be_file } -# its(:content) { should match /hostIdentifier/ } - let(:sudo_options) { '-u root -H' } -end - -describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do - its(:stdout) { should match /osqueryd is already running/ } - its(:exit_status) { should eq 0 } -end -describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do - its(:stdout) { should match /active \(running\)/ } - its(:exit_status) { should eq 0 } -end -describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do - its(:stdout) { 
should match /active \(running\)/ } - its(:exit_status) { should eq 0 } -end diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_syslog_spec.rb b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_syslog_spec.rb deleted file mode 100644 index 0752faeb..00000000 --- a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/osquery_syslog_spec.rb +++ /dev/null @@ -1,18 +0,0 @@ -require 'serverspec' - -# Required by serverspec -set :backend, :exec - -describe file('/var/log/osquery_syslog-prog.log') do - it { should be_file } -# its(:content) { should match /osqueryd: osqueryd started \[version=/ } - its(:content) { should_not match /Rocksdb open failed \(5:0\) IO error:/ } -end -describe file('/var/log/osquery_syslog-results.log') do - it { should be_file } - its(:content) { should match /hostIdentifier/ } -# its(:content) { should match /pack/ } -# its(:content) { should match /message=Executing scheduled query system_info:/ } - its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ } - let(:sudo_options) { '-u root -H' } -end diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/rsyslog_spec.rb b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/rsyslog_spec.rb deleted file mode 100644 index c6069a7e..00000000 --- a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/rsyslog_spec.rb +++ /dev/null 
@@ -1,47 +0,0 @@
-require 'serverspec'
-
-# Required by serverspec
-set :backend, :exec
-
-describe service('rsyslog'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') || (os[:family] == 'redhat' && os[:release] != '7') do
- it { should be_enabled }
-end
-describe service('rsyslog') do
- it { should be_running }
-end
-
-describe file('/usr/sbin/rsyslogd') do
- it { should be_executable }
-end
-
-describe process("rsyslogd"), :if => os[:family] == 'ubuntu' do
- its(:user) { should eq "syslog" }
-end
-describe process("rsyslogd"), :if => os[:family] == 'redhat' do
- its(:user) { should eq "root" }
-end
-
-describe file('/var/log'), :if => os[:family] == 'ubuntu' do
- it { should be_directory }
- it { should be_mode 775 }
- it { should be_owned_by 'root' }
- it { should be_grouped_into 'syslog' }
-# it { should be_writable.by('group') }
- it { should be_writable.by_user('syslog') }
-end
-describe file('/var/log'), :if => os[:family] == 'redhat' do
- it { should be_directory }
- it { should be_mode 755 }
- it { should be_owned_by 'root' }
- it { should be_grouped_into 'root' }
-# it { should be_writable.by('group') }
-end
-
-describe file('/var/log/syslog'), :if => os[:family] == 'ubuntu' do
- it { should be_file }
-end
-
-describe file('/var/log/messages'), :if => os[:family] == 'redhat' do
- it { should be_file }
-end
-
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/run-local-tests.sh b/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/run-local-tests.sh
deleted file mode 100755
index 39050487..00000000
--- a/osquery/roles/osquery/test/integration/default-osquery-syslog-fs/serverspec/run-local-tests.sh
+++ /dev/null
@@ -1,32 +0,0 @@ -#!/bin/sh -x -## get consistent ruby2+bundler env on each distribution - -location=`dirname "$0"` -cd $location -v=2.3 - -## docker environment in travis missing few utils -[ -f /etc/debian_version ] && apt-get install -y curl -[ -f /etc/redhat-release ] && yum -y install which - -curl -sSL https://get.rvm.io | bash -#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm -#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh - -## troubleshoot -type rvm | head -1 -env - -#export PATH=/usr/local/rvm/bin:$PATH - -bash -l -c "rvm install $v" -bash -l -c "rvm use $v" -bash -l -c "rvm use $v --default" -bash -l -c "gem install bundler" -bash -l -c "bundle install --path ./gems" -if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then - bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec" -else - bash -l -c "bundle exec rake spec" -fi - diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/bats/idempotency.bats b/osquery/roles/osquery/test/integration/default-osquery-syslog/bats/idempotency.bats deleted file mode 100644 index 0ce1c670..00000000 --- a/osquery/roles/osquery/test/integration/default-osquery-syslog/bats/idempotency.bats +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/env bats -# - -# -# Idempotence test -# from https://github.com/neillturner/kitchen-ansible/issues/92 -# - -@test "Second run should change nothing" { - skip "service module issue" - run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1" - [ "$status" -eq 0 ] -} - diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/default.yml b/osquery/roles/osquery/test/integration/default-osquery-syslog/default.yml deleted file mode 100644 index f14acd08..00000000 --- a/osquery/roles/osquery/test/integration/default-osquery-syslog/default.yml +++ /dev/null 
@@ -1,17 +0,0 @@
----
-
-- hosts: all
-#- hosts: test-kitchen
- vars:
-# - osquery_flags:
-# - '--logger_plugin=syslog'
- - osquery_logger_plugin: 'syslog'
- - osquery_syslog_target: '/var/log/osquery_syslog-results.log'
- - osquery_syslog_target2: '/var/log/osquery_syslog-prog.log'
- - osquery_testing: true
- - osquery_syslog_dirs:
- - /var/log
- - osquery_testing_pause: true
- roles:
- - kbrebanov.osquery
-
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Gemfile b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Gemfile
deleted file mode 100644
index 938ed3ed..00000000
--- a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Gemfile
+++ /dev/null
@@ -1,8 +0,0 @@
-source 'https://rubygems.org'
-
-gem 'serverspec'
-gem 'rake'
-## for junit output and jenkins support
-## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
-#gem 'yarjuf'
-
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Rakefile b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Rakefile
deleted file mode 100644
index 3699568c..00000000
--- a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/Rakefile
+++ /dev/null
@@ -1,9 +0,0 @@
-require 'rake'
-require 'rspec/core/rake_task'
-
-RSpec::Core::RakeTask.new(:spec) do |t|
- t.pattern = '*_spec.rb'
-end
-
-task :default => :spec
-
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_spec.rb b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_spec.rb
deleted file mode 100644
index 6c1e3b7f..00000000
--- a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_spec.rb
+++ /dev/null
@@ -1,44 +0,0 @@ -require 'serverspec' - -# Required by serverspec -set :backend, :exec - -describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do -## mostly exclude for docker/systemd distributions - it { should be_enabled } -end -describe service('osqueryd') do - it { should be_running } -end - -describe file('/usr/bin/osqueryd') do - it { should be_executable } -end -describe file('/usr/bin/osqueryi') do - it { should be_executable } -end - -describe file('/etc/osquery/osquery.conf') do - it { should contain '"config_plugin":' } - it { should contain '"packs": {' } - it { should contain '"syslog"' } -end - -describe process("osqueryd") do - its(:user) { should eq "root" } - its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ } - its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ } -end - -describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do - its(:stdout) { should match /osqueryd is already running/ } - its(:exit_status) { should eq 0 } -end -describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do - its(:stdout) { should match /active \(running\)/ } - its(:exit_status) { should eq 0 } -end -describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do - its(:stdout) { should match /active \(running\)/ } - its(:exit_status) { should eq 0 } -end diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_syslog_spec.rb b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_syslog_spec.rb deleted file mode 100644 index 4cc4d257..00000000 --- a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/osquery_syslog_spec.rb +++ /dev/null 
@@ -1,27 +0,0 @@ -require 'serverspec' - -# Required by serverspec -set :backend, :exec - -describe file('/var/log/osquery_syslog-prog.log') do - it { should be_file } -# its(:content) { should match /osqueryd: osqueryd started \[version=/ } - its(:content) { should match /Executing scheduled query system_info:/ } - its(:content) { should_not match /Rocksdb open failed \(5:0\) IO error:/ } - its(:content) { should_not match /osqueryd initialize failed: Could not initialize database/ } -end -describe file('/var/log/osquery_syslog-results.log') do - it { should be_file } - its(:content) { should match /hostIdentifier/ } -# its(:content) { should match /pack/ } - its(:content) { should match /message=Executing scheduled query system_info:/ } - its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ } - let(:sudo_options) { '-u root -H' } -end - -describe command('journalctl -l') do - its(:stdout) { should match /osqueryd/ } - its(:stdout) { should match /Executing scheduled query system_info:/ } - its(:stdout) { should match /hostIdentifier/ } - its(:exit_status) { should eq 0 } -end diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/rsyslog_spec.rb b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/rsyslog_spec.rb deleted file mode 100644 index c6069a7e..00000000 --- a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/rsyslog_spec.rb +++ /dev/null 
@@ -1,47 +0,0 @@
-require 'serverspec'
-
-# Required by serverspec
-set :backend, :exec
-
-describe service('rsyslog'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') || (os[:family] == 'redhat' && os[:release] != '7') do
- it { should be_enabled }
-end
-describe service('rsyslog') do
- it { should be_running }
-end
-
-describe file('/usr/sbin/rsyslogd') do
- it { should be_executable }
-end
-
-describe process("rsyslogd"), :if => os[:family] == 'ubuntu' do
- its(:user) { should eq "syslog" }
-end
-describe process("rsyslogd"), :if => os[:family] == 'redhat' do
- its(:user) { should eq "root" }
-end
-
-describe file('/var/log'), :if => os[:family] == 'ubuntu' do
- it { should be_directory }
- it { should be_mode 775 }
- it { should be_owned_by 'root' }
- it { should be_grouped_into 'syslog' }
-# it { should be_writable.by('group') }
- it { should be_writable.by_user('syslog') }
-end
-describe file('/var/log'), :if => os[:family] == 'redhat' do
- it { should be_directory }
- it { should be_mode 755 }
- it { should be_owned_by 'root' }
- it { should be_grouped_into 'root' }
-# it { should be_writable.by('group') }
-end
-
-describe file('/var/log/syslog'), :if => os[:family] == 'ubuntu' do
- it { should be_file }
-end
-
-describe file('/var/log/messages'), :if => os[:family] == 'redhat' do
- it { should be_file }
-end
-
diff --git a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/run-local-tests.sh b/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/run-local-tests.sh
deleted file mode 100755
index 39050487..00000000
--- a/osquery/roles/osquery/test/integration/default-osquery-syslog/serverspec/run-local-tests.sh
+++ /dev/null
@@ -1,32 +0,0 @@ -#!/bin/sh -x -## get consistent ruby2+bundler env on each distribution - -location=`dirname "$0"` -cd $location -v=2.3 - -## docker environment in travis missing few utils -[ -f /etc/debian_version ] && apt-get install -y curl -[ -f /etc/redhat-release ] && yum -y install which - -curl -sSL https://get.rvm.io | bash -#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm -#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh - -## troubleshoot -type rvm | head -1 -env - -#export PATH=/usr/local/rvm/bin:$PATH - -bash -l -c "rvm install $v" -bash -l -c "rvm use $v" -bash -l -c "rvm use $v --default" -bash -l -c "gem install bundler" -bash -l -c "bundle install --path ./gems" -if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then - bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec" -else - bash -l -c "bundle exec rake spec" -fi - diff --git a/osquery/roles/osquery/test/integration/default-profiling/bats/idempotency.bats b/osquery/roles/osquery/test/integration/default-profiling/bats/idempotency.bats deleted file mode 100644 index 0ce1c670..00000000 --- a/osquery/roles/osquery/test/integration/default-profiling/bats/idempotency.bats +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/env bats -# - -# -# Idempotence test -# from https://github.com/neillturner/kitchen-ansible/issues/92 -# - -@test "Second run should change nothing" { - skip "service module issue" - run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1" - [ "$status" -eq 0 ] -} - diff --git a/osquery/roles/osquery/test/integration/default-profiling/default.yml b/osquery/roles/osquery/test/integration/default-profiling/default.yml deleted file mode 100644 index 6d930f0f..00000000 --- a/osquery/roles/osquery/test/integration/default-profiling/default.yml +++ /dev/null 
@@ -1,11 +0,0 @@
----
-
-- hosts: all
-#- hosts: test-kitchen
- vars:
- - osquery_testing: true
- - osquery_profiling: true
- - osquery_testing_fim_load: true
- roles:
- - kbrebanov.osquery
-
diff --git a/osquery/roles/osquery/test/integration/default-profiling/serverspec/Gemfile b/osquery/roles/osquery/test/integration/default-profiling/serverspec/Gemfile
deleted file mode 100644
index 938ed3ed..00000000
--- a/osquery/roles/osquery/test/integration/default-profiling/serverspec/Gemfile
+++ /dev/null
@@ -1,8 +0,0 @@
-source 'https://rubygems.org'
-
-gem 'serverspec'
-gem 'rake'
-## for junit output and jenkins support
-## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
-#gem 'yarjuf'
-
diff --git a/osquery/roles/osquery/test/integration/default-profiling/serverspec/Rakefile b/osquery/roles/osquery/test/integration/default-profiling/serverspec/Rakefile
deleted file mode 100644
index 3699568c..00000000
--- a/osquery/roles/osquery/test/integration/default-profiling/serverspec/Rakefile
+++ /dev/null
@@ -1,9 +0,0 @@
-require 'rake'
-require 'rspec/core/rake_task'
-
-RSpec::Core::RakeTask.new(:spec) do |t|
- t.pattern = '*_spec.rb'
-end
-
-task :default => :spec
-
diff --git a/osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_load_spec.rb b/osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_load_spec.rb
deleted file mode 100644
index 0a1a0c5d..00000000
--- a/osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_load_spec.rb
+++ /dev/null
@@ -1,17 +0,0 @@
-require 'serverspec'
-
-# Required by serverspec
-set :backend, :exec
-
-describe file('/var/log/osquery/osqueryd.results.log') do
- it { should contain '"system_info",' }
- it { should contain '"physical_memory":' }
- it { should contain '"target_path":"\/etc\/testing-big-file"' }
- it { should contain '"target_path":"\/etc\/testing-aa"' }
- it { should contain '"target_path":"\/etc\/testing-zz' }
- it { should contain '"action":"CREATED"' }
- it { should contain '"action":"UPDATED"' }
- it { should contain '"action":"DELETED"' }
- it { should_not contain '"target_path":"\/tmp\/' }
- it { should_not contain '"target_path":"\/var\/' }
-end
diff --git a/osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_spec.rb b/osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_spec.rb
deleted file mode 100644
index 7ba33616..00000000
--- a/osquery/roles/osquery/test/integration/default-profiling/serverspec/osquery_spec.rb
+++ /dev/null
@@ -1,59 +0,0 @@ -require 'serverspec' - -# Required by serverspec -set :backend, :exec - -describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do -## mostly exclude for docker/systemd distributions - it { should be_enabled } -end -describe service('osqueryd') do - it { should be_running } -end - -describe file('/usr/bin/osqueryd') do - it { should be_executable } -end -describe file('/usr/bin/osqueryi') do - it { should be_executable } -end - -describe file('/etc/osquery/osquery.conf') do - it { should contain '"config_plugin":' } - it { should contain '"packs": {' } - it { should contain '"filesystem"' } -end - -describe process("osqueryd") do - its(:user) { should eq "root" } - its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ } - its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ } -end - -describe file('/var/log/osquery/osqueryd.INFO') do - it { should be_symlink } - its(:content) { should match /Log line format:/ } -end -describe file('/var/log/osquery/osqueryd.WARNING') do - it { should be_symlink } - its(:content) { should match /Log line format:/ } - its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ } -end -describe file('/var/log/osquery/osqueryd.results.log') do - it { should be_file } -# its(:content) { should match /hostIdentifier/ } - let(:sudo_options) { '-u root -H' } -end - -describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do - its(:stdout) { should match /osqueryd is already running/ } - its(:exit_status) { should eq 0 } -end -describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do - its(:stdout) { should match /active \(running\)/ } - its(:exit_status) { should eq 0 } -end -describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do - its(:stdout) { should 
match /active \(running\)/ } - its(:exit_status) { should eq 0 } -end diff --git a/osquery/roles/osquery/test/integration/default-profiling/serverspec/run-local-tests.sh b/osquery/roles/osquery/test/integration/default-profiling/serverspec/run-local-tests.sh deleted file mode 100755 index 39050487..00000000 --- a/osquery/roles/osquery/test/integration/default-profiling/serverspec/run-local-tests.sh +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/sh -x -## get consistent ruby2+bundler env on each distribution - -location=`dirname "$0"` -cd $location -v=2.3 - -## docker environment in travis missing few utils -[ -f /etc/debian_version ] && apt-get install -y curl -[ -f /etc/redhat-release ] && yum -y install which - -curl -sSL https://get.rvm.io | bash -#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm -#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh - -## troubleshoot -type rvm | head -1 -env - -#export PATH=/usr/local/rvm/bin:$PATH - -bash -l -c "rvm install $v" -bash -l -c "rvm use $v" -bash -l -c "rvm use $v --default" -bash -l -c "gem install bundler" -bash -l -c "bundle install --path ./gems" -if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then - bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec" -else - bash -l -c "bundle exec rake spec" -fi - diff --git a/osquery/roles/osquery/test/integration/default/bats/idempotency.bats b/osquery/roles/osquery/test/integration/default/bats/idempotency.bats deleted file mode 100644 index 0ce1c670..00000000 --- a/osquery/roles/osquery/test/integration/default/bats/idempotency.bats +++ /dev/null @@ -1,14 +0,0 @@ -#!/usr/bin/env bats -# - -# -# Idempotence test -# from https://github.com/neillturner/kitchen-ansible/issues/92 -# - -@test "Second run should change nothing" { - skip "service module issue" - run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1" - [ "$status" -eq 0 ] -} - 
diff --git a/osquery/roles/osquery/test/integration/default/default.yml b/osquery/roles/osquery/test/integration/default/default.yml
deleted file mode 100644
index a7adba95..00000000
--- a/osquery/roles/osquery/test/integration/default/default.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-
-- hosts: all
-#- hosts: test-kitchen
- roles:
- - kbrebanov.osquery
-
diff --git a/osquery/roles/osquery/test/integration/default/serverspec/Gemfile b/osquery/roles/osquery/test/integration/default/serverspec/Gemfile
deleted file mode 100644
index 938ed3ed..00000000
--- a/osquery/roles/osquery/test/integration/default/serverspec/Gemfile
+++ /dev/null
@@ -1,8 +0,0 @@
-source 'https://rubygems.org'
-
-gem 'serverspec'
-gem 'rake'
-## for junit output and jenkins support
-## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
-#gem 'yarjuf'
-
diff --git a/osquery/roles/osquery/test/integration/default/serverspec/Rakefile b/osquery/roles/osquery/test/integration/default/serverspec/Rakefile
deleted file mode 100644
index 3699568c..00000000
--- a/osquery/roles/osquery/test/integration/default/serverspec/Rakefile
+++ /dev/null
@@ -1,9 +0,0 @@
-require 'rake'
-require 'rspec/core/rake_task'
-
-RSpec::Core::RakeTask.new(:spec) do |t|
- t.pattern = '*_spec.rb'
-end
-
-task :default => :spec
-
diff --git a/osquery/roles/osquery/test/integration/default/serverspec/osquery_spec.rb b/osquery/roles/osquery/test/integration/default/serverspec/osquery_spec.rb
deleted file mode 100644
index 7ba33616..00000000
--- a/osquery/roles/osquery/test/integration/default/serverspec/osquery_spec.rb
+++ /dev/null
@@ -1,59 +0,0 @@ -require 'serverspec' - -# Required by serverspec -set :backend, :exec - -describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do -## mostly exclude for docker/systemd distributions - it { should be_enabled } -end -describe service('osqueryd') do - it { should be_running } -end - -describe file('/usr/bin/osqueryd') do - it { should be_executable } -end -describe file('/usr/bin/osqueryi') do - it { should be_executable } -end - -describe file('/etc/osquery/osquery.conf') do - it { should contain '"config_plugin":' } - it { should contain '"packs": {' } - it { should contain '"filesystem"' } -end - -describe process("osqueryd") do - its(:user) { should eq "root" } - its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ } - its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ } -end - -describe file('/var/log/osquery/osqueryd.INFO') do - it { should be_symlink } - its(:content) { should match /Log line format:/ } -end -describe file('/var/log/osquery/osqueryd.WARNING') do - it { should be_symlink } - its(:content) { should match /Log line format:/ } - its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ } -end -describe file('/var/log/osquery/osqueryd.results.log') do - it { should be_file } -# its(:content) { should match /hostIdentifier/ } - let(:sudo_options) { '-u root -H' } -end - -describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do - its(:stdout) { should match /osqueryd is already running/ } - its(:exit_status) { should eq 0 } -end -describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do - its(:stdout) { should match /active \(running\)/ } - its(:exit_status) { should eq 0 } -end -describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do - its(:stdout) { should 
match /active \(running\)/ } - its(:exit_status) { should eq 0 } -end diff --git a/osquery/roles/osquery/test/integration/default/serverspec/run-local-tests.sh b/osquery/roles/osquery/test/integration/default/serverspec/run-local-tests.sh deleted file mode 100755 index 39050487..00000000 --- a/osquery/roles/osquery/test/integration/default/serverspec/run-local-tests.sh +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/sh -x -## get consistent ruby2+bundler env on each distribution - -location=`dirname "$0"` -cd $location -v=2.3 - -## docker environment in travis missing few utils -[ -f /etc/debian_version ] && apt-get install -y curl -[ -f /etc/redhat-release ] && yum -y install which - -curl -sSL https://get.rvm.io | bash -#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm -#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh - -## troubleshoot -type rvm | head -1 -env - -#export PATH=/usr/local/rvm/bin:$PATH - -bash -l -c "rvm install $v" -bash -l -c "rvm use $v" -bash -l -c "rvm use $v --default" -bash -l -c "gem install bundler" -bash -l -c "bundle install --path ./gems" -if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then - bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec" -else - bash -l -c "bundle exec rake spec" -fi - diff --git a/osquery/roles/osquery/test/lxd/centos-ssh-image.sh b/osquery/roles/osquery/test/lxd/centos-ssh-image.sh deleted file mode 100644 index 001073ff..00000000 --- a/osquery/roles/osquery/test/lxd/centos-ssh-image.sh +++ /dev/null 
@@ -1,25 +0,0 @@ -#!/bin/sh -# add ssh to default lxd image - -image=centos-7 -guest=default-$image -template="$image"-nossh -publishalias="$image" - -lxc init $template $guest -lxc start $guest -openssl rand -base64 48 | perl -ne 'print "$_" x2' | lxc exec $guest -- passwd root - -lxc exec $guest -- dhclient eth0 -lxc exec $guest -- ping -c 1 8.8.8.8 -lxc exec $guest -- yum update -lxc exec $guest -- yum -y upgrade -lxc exec $guest -- yum install -y openssh-server sudo ruby yum-utils -lxc exec $guest -- systemctl enable sshd -lxc exec $guest -- systemctl start sshd -lxc exec $guest -- mkdir /root/.ssh || true -lxc exec $guest -- gem install busser - -lxc stop $guest --force -lxc publish $guest --alias $publishalias -lxc delete $guest diff --git a/osquery/roles/osquery/test/travis/Dockerfile.alpine-3.4 b/osquery/roles/osquery/test/travis/Dockerfile.alpine-3.4 deleted file mode 100644 index 861b7cda..00000000 --- a/osquery/roles/osquery/test/travis/Dockerfile.alpine-3.4 +++ /dev/null @@ -1,9 +0,0 @@ -FROM alpine:3.4 -RUN apk update - -# Install Ansible -RUN apk add git ansible python python-dev py-pip -RUN mkdir /etc/ansible - -# Install Ansible inventory file -RUN (echo "[local]"; echo "localhost ansible_connection=local") > /etc/ansible/hosts diff --git a/osquery/roles/osquery/test/travis/Dockerfile.centos-6 b/osquery/roles/osquery/test/travis/Dockerfile.centos-6 deleted file mode 100644 index 3d5f0c86..00000000 --- a/osquery/roles/osquery/test/travis/Dockerfile.centos-6 +++ /dev/null @@ -1,15 +0,0 @@ -FROM centos:6 - -# Install Ansible -RUN yum -y update; yum clean all; -RUN yum -y install epel-release -RUN yum -y install git ansible sudo python-pip -RUN yum clean all - -# Disable requiretty -RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers - -# Install Ansible inventory file -RUN echo -e '[local]\nlocalhost ansible_connection=local' > /etc/ansible/hosts - -CMD ["/usr/sbin/init"] 
diff --git a/osquery/roles/osquery/test/travis/Dockerfile.centos-7 b/osquery/roles/osquery/test/travis/Dockerfile.centos-7 deleted file mode 100644 index 5763ece8..00000000 --- a/osquery/roles/osquery/test/travis/Dockerfile.centos-7 +++ /dev/null @@ -1,29 +0,0 @@ -FROM centos:7 - -# Install systemd -- See https://hub.docker.com/_/centos/ -RUN yum -y swap -- remove fakesystemd -- install systemd systemd-libs -RUN yum -y update; yum clean all; \ -(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \ -rm -f /lib/systemd/system/multi-user.target.wants/*; \ -rm -f /etc/systemd/system/*.wants/*; \ -rm -f /lib/systemd/system/local-fs.target.wants/*; \ -rm -f /lib/systemd/system/sockets.target.wants/*udev*; \ -rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \ -rm -f /lib/systemd/system/basic.target.wants/*; \ -rm -f /lib/systemd/system/anaconda.target.wants/*; - -# Install Ansible -RUN yum -y install epel-release -RUN yum -y install git sudo python-pip python-devel libffi-devel -RUN yum -y groupinstall 'Development Tools' -RUN yum clean all - -# Disable requiretty -RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers - -# Install Ansible inventory file -RUN mkdir /etc/ansible -RUN echo -e '[local]\nlocalhost ansible_connection=local' > /etc/ansible/hosts - -VOLUME ["/sys/fs/cgroup"] -CMD ["/usr/sbin/init"] diff --git a/osquery/roles/osquery/test/travis/Dockerfile.debian-8 b/osquery/roles/osquery/test/travis/Dockerfile.debian-8 deleted file mode 100644 index bc6a52fb..00000000 --- a/osquery/roles/osquery/test/travis/Dockerfile.debian-8 +++ /dev/null 
@@ -1,11 +0,0 @@
-FROM debian:8
-RUN apt-get update
-
-# Install Ansible
-RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git python sudo python-pip python-dev libffi-dev libssl-dev
-RUN pip install --upgrade cffi
-RUN pip install ansible
-RUN install -d -m 0755 /etc/ansible
-
-# Install Ansible inventory file
-RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
diff --git a/osquery/roles/osquery/test/travis/Dockerfile.debian-9 b/osquery/roles/osquery/test/travis/Dockerfile.debian-9
deleted file mode 100644
index 8cb908b2..00000000
--- a/osquery/roles/osquery/test/travis/Dockerfile.debian-9
+++ /dev/null
@@ -1,12 +0,0 @@
-FROM debian:9
-RUN apt-get update
-
-# Install Ansible
-RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git
-RUN apt-get update
-RUN apt-get install -y python sudo python-pip python-dev libffi-dev
-RUN pip install --upgrade setuptools
-
-RUN mkdir -p /etc/ansible
-# Install Ansible inventory file
-RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
diff --git a/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-12.04 b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-12.04
deleted file mode 100644
index e0471c17..00000000
--- a/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-12.04
+++ /dev/null
@@ -1,11 +0,0 @@
-FROM ubuntu:12.04
-RUN apt-get update
-
-# Install Ansible
-RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common python-software-properties git
-RUN apt-add-repository -y ppa:ansible/ansible
-RUN apt-get update
-RUN apt-get install -y ansible python-pip
-
-# Install Ansible inventory file
-RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
diff --git a/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-14.04 b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-14.04
deleted file mode 100644
index 9466b900..00000000
--- a/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-14.04
+++ /dev/null
@@ -1,15 +0,0 @@
-FROM ubuntu:14.04
-RUN apt-get update
-
-# Install Ansible
-RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git
-#RUN apt-add-repository -y ppa:ansible/ansible
-RUN apt-get update
-RUN apt-get install -y python-pip python-dev libffi-dev
-
-COPY initctl_faker .
-RUN chmod +x initctl_faker && rm -fr /sbin/initctl && ln -s /initctl_faker /sbin/initctl
-
-# Install Ansible inventory file
-RUN mkdir /etc/ansible
-RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
diff --git a/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-16.04 b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-16.04
deleted file mode 100644
index 987793fb..00000000
--- a/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-16.04
+++ /dev/null
@@ -1,12 +0,0 @@
-FROM ubuntu:16.04
-RUN apt-get update
-
-# Install Ansible
-RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git
-#RUN apt-add-repository -y ppa:ansible/ansible
-RUN apt-get update
-RUN apt-get install -y python sudo python-pip python-dev libffi-dev
-
-# Install Ansible inventory file
-RUN mkdir /etc/ansible
-RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
diff --git a/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-18.04 b/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-18.04
deleted file mode 100644
index 785803d0..00000000
--- a/osquery/roles/osquery/test/travis/Dockerfile.ubuntu-18.04
+++ /dev/null
@@ -1,11 +0,0 @@
-FROM ubuntu:18.04
-RUN apt-get update
-
-# Install Ansible
-RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git systemd
-RUN apt-get update
-RUN apt-get install -y python sudo python-pip python-dev libffi-dev
-
-# Install Ansible inventory file
-RUN mkdir /etc/ansible
-RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
diff --git a/osquery/roles/osquery/test/travis/initctl_faker b/osquery/roles/osquery/test/travis/initctl_faker
deleted file mode 100644
index 8a05ae86..00000000
--- a/osquery/roles/osquery/test/travis/initctl_faker
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/sh
-## from https://github.com/oxyc/drupal-vm/blob/84b3ad6cf65fb87ac60777c5aca55bb82a45b4aa/tests/initctl_faker
-ALIAS_CMD="$(echo ""$0"" | sed -e 's?/sbin/??')"
-
-case "$ALIAS_CMD" in
- start|stop|restart|reload|status)
- exec service $1 $ALIAS_CMD
- ;;
-esac
-
-case "$1" in
- list )
- exec service --status-all
- ;;
- reload-configuration )
- exec service $2 restart
- ;;
- start|stop|restart|reload|status)
- exec service $2 $1
- ;;
- \?)
- exit 0
- ;;
-esac
-
diff --git a/osquery/roles/osquery/test/vagrant/Vagrantfile b/osquery/roles/osquery/test/vagrant/Vagrantfile
deleted file mode 100644
index 393896a0..00000000
--- a/osquery/roles/osquery/test/vagrant/Vagrantfile
+++ /dev/null
@@ -1,36 +0,0 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-VAGRANTFILE_API_VERSION = "2"
-ENV['VAGRANT_DEFAULT_PROVIDER'] = 'virtualbox'
-
-Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
- config.vm.box = "ubuntu/bionic64"
- #config.vm.box = "ubuntu/xenial64"
- #config.vm.box = "boxcutter/ubuntu1604"
- #config.vm.box = "ubuntu/trusty64"
- #config.vm.box = "centos/7"
- #config.vm.box = "generic/alpine36"
-
- config.vm.provision :ansible do |ansible|
- ansible.playbook = "site.yml"
- #ansible.verbose = "vvvv"
- #ansible.host_key_checking = false
- #ansible.limit = 'all'
- ansible.become = true
- ansible.extra_vars = { ansible_user: 'vagrant', ansible_python_interpreter: '/usr/bin/python3' }
- ansible.groups = {
- "myrole" => ["osquery" ],
- }
- end
-
- config.vm.define "vosquery" do |cfg|
- cfg.vm.hostname = "vosquery"
- cfg.vm.provider "virtualbox" do |v|
- v.memory = 512
- end
-
- end
-
-end
-
diff --git a/osquery/roles/osquery/test/vagrant/ansible.cfg b/osquery/roles/osquery/test/vagrant/ansible.cfg
deleted file mode 100644
index 4dacf8db..00000000
--- a/osquery/roles/osquery/test/vagrant/ansible.cfg
+++ /dev/null
@@ -1,3 +0,0 @@
-[defaults]
-callback_whitelist = profile_tasks, timer
-roles_path = ../../../
diff --git a/osquery/roles/osquery/test/vagrant/site.yml b/osquery/roles/osquery/test/vagrant/site.yml
deleted file mode 100644
index 27abbe1d..00000000
--- a/osquery/roles/osquery/test/vagrant/site.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-
-- hosts: all
- roles:
- - kbrebanov.osquery
-
diff --git a/osquery/roles/osquery/tests/inventory b/osquery/roles/osquery/tests/inventory
deleted file mode 100644
index 2fbb50c4..00000000
--- a/osquery/roles/osquery/tests/inventory
+++ /dev/null
@@ -1 +0,0 @@
-localhost
diff --git a/osquery/roles/osquery/tests/test.yml b/osquery/roles/osquery/tests/test.yml
deleted file mode 100644
index dddb318b..00000000
--- a/osquery/roles/osquery/tests/test.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- hosts: localhost
-remote_user: root
- roles:
- - ansible-osquery
diff --git a/osquery/roles/osquery/vars/CentOS-6.yml b/osquery/roles/osquery/vars/CentOS-6.yml
deleted file mode 100644
index 0c747005..00000000
--- a/osquery/roles/osquery/vars/CentOS-6.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-_osquery_auditd_pkg: "audit"
diff --git a/osquery/roles/osquery/vars/CentOS-7.yml b/osquery/roles/osquery/vars/CentOS-7.yml
deleted file mode 100644
index 0c747005..00000000
--- a/osquery/roles/osquery/vars/CentOS-7.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-_osquery_auditd_pkg: "audit"
diff --git a/osquery/roles/osquery/vars/Debian.yml b/osquery/roles/osquery/vars/Debian.yml
deleted file mode 100644
index 9b5cce8d..00000000
--- a/osquery/roles/osquery/vars/Debian.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-# vars file for osquery (Debian specific)
-# https://github.com/facebook/osquery/issues/320
-# https://github.com/facebook/osquery/issues/2321
-
-osquery_packages:
- - osquery
- - rsyslog
-
-osquery_debug_packages:
- - osquery-dbg
-
-_osquery_repository: "{{ osquery_repository | default('deb [arch=amd64] https://pkg.osquery.io/deb deb main') }}"
-_osquery_repositorykey: "{{ osquery_repositorykey | default('1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B') }}"
-
-_osquery_auditd_pkg: "auditd"
-
-varlog_group: syslog
-varlog_mode: '0775'
diff --git a/osquery/roles/osquery/vars/RedHat-6.yml b/osquery/roles/osquery/vars/RedHat-6.yml
deleted file mode 100644
index 0c747005..00000000
--- a/osquery/roles/osquery/vars/RedHat-6.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-_osquery_auditd_pkg: "audit"
diff --git a/osquery/roles/osquery/vars/RedHat-7.yml b/osquery/roles/osquery/vars/RedHat-7.yml
deleted file mode 100644
index 0c747005..00000000
--- a/osquery/roles/osquery/vars/RedHat-7.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-_osquery_auditd_pkg: "audit"
diff --git a/osquery/roles/osquery/vars/RedHat.yml b/osquery/roles/osquery/vars/RedHat.yml
deleted file mode 100644
index 28dafbd2..00000000
--- a/osquery/roles/osquery/vars/RedHat.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-# vars file for osquery (CentOS specific)
-
-osquery_packages:
- - osquery
- - rsyslog
-
-osquery_debug_packages:
- - osquery-debuginfo
-
-_osquery_repository: "{{ osquery_repository | default('https://pkg.osquery.io/rpm/osquery-s3-rpm.repo') }}"
-_osquery_repositorykey: "{{ osquery_repositorykey | default('https://pkg.osquery.io/rpm/GPG') }}"
-
-_osquery_auditd_pkg: "audit"
-
-varlog_group: root
-varlog_mode: '0755'
diff --git a/osquery/roles/osquery/vars/Ubuntu.yml b/osquery/roles/osquery/vars/debian.yml
similarity index 82%
rename from osquery/roles/osquery/vars/Ubuntu.yml
rename to osquery/roles/osquery/vars/debian.yml
index 0d5204aa..fa222c92 100644
--- a/osquery/roles/osquery/vars/Ubuntu.yml
+++ b/osquery/roles/osquery/vars/debian.yml @@ -1,5 +1,8 @@ --- -# vars file for osquery (Ubuntu specific) +osquery_required_packages: + - apt-transport-https + - dirmngr + - logrotate osquery_packages: - osquery @@ -11,7 +14,5 @@ osquery_debug_packages: _osquery_repository: "{{ osquery_repository | default('deb [arch=amd64] https://pkg.osquery.io/deb deb main') }}" _osquery_repositorykey: "{{ osquery_repositorykey | default('1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B') }}" -_osquery_auditd_pkg: "auditd" - varlog_group: syslog varlog_mode: '0775' diff --git a/osquery/roles/osquery/vars/main.yml b/osquery/roles/osquery/vars/main.yml deleted file mode 100644 index 444e1029..00000000 --- a/osquery/roles/osquery/vars/main.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# vars file for osquery - -osquery_packages: - - osquery - - rsyslog diff --git a/osquery/roles/osquery/vars/CentOS.yml b/osquery/roles/osquery/vars/redhat.yml similarity index 82% rename from osquery/roles/osquery/vars/CentOS.yml rename to osquery/roles/osquery/vars/redhat.yml index 28dafbd2..e5f0f864 100644 --- a/osquery/roles/osquery/vars/CentOS.yml +++ b/osquery/roles/osquery/vars/redhat.yml @@ -1,5 +1,6 @@ --- -# vars file for osquery (CentOS specific) +osquery_required_packages: + - logrotate osquery_packages: - osquery @@ -11,7 +12,5 @@ osquery_debug_packages: _osquery_repository: "{{ osquery_repository | default('https://pkg.osquery.io/rpm/osquery-s3-rpm.repo') }}" _osquery_repositorykey: "{{ osquery_repositorykey | default('https://pkg.osquery.io/rpm/GPG') }}" -_osquery_auditd_pkg: "audit" - varlog_group: root varlog_mode: '0755' diff --git a/osquery/tests/functional.yml b/osquery/tests/functional.yml index 1eed027c..b0d468be 100644 --- a/osquery/tests/functional.yml +++ b/osquery/tests/functional.yml @@ -58,7 +58,7 @@ value: 10 state: present reload: "yes" - sysctl_file: /etc/sysctl.d/99-elasticsearch.conf + sysctl_file: /etc/sysctl.d/99-osquery.conf - name: Create tmp osquery dir file: 
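Review bot: The new `dirmngr` entry in `osquery_required_packages` (first debian.yml hunk) implies the osquery signing key is fetched from a keyserver by ID at run time, which is the one step of repository setup that is neither pinned nor explained here — nothing in the hunk records which keyserver or transport the role relies on, and the task that consumes these variables is outside this diff. Suggest a comment above the list: `# apt-transport-https: repo URL is https; dirmngr: apt-key keyserver lookup of the osquery signing key — use an hkps:// keyserver or a key file shipped with the role, and match the full 40-hex fingerprint in _osquery_repositorykey, never a short key ID`. `apt-key` is deprecated on current Debian/Ubuntu, so if the tasks still use it, plan the move to a keyring under `/etc/apt/keyrings` referenced by `signed-by=` in the sources entry.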
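Review bot: Dropping `_osquery_auditd_pkg: "audit"` in the second redhat.yml hunk, together with the deleted RedHat-6/RedHat-7/CentOS-6/CentOS-7 vars files that carried the same value, leaves no visible definition of that variable in the role; if a task still installs the audit package through it (osquery's audit-based process and socket event tables need auditd on the host), the play now fails with an undefined variable on RedHat hosts. The tasks are not in this diff, so if the variable was retired on purpose this is fine; otherwise keep `_osquery_auditd_pkg: "audit"` here (and `"auditd"` in debian.yml) until the consumer is gone. Either way, a one-line note on the new list would record the decision, e.g. `# logrotate: presumably consumed by the role's osquery log-rotation config — confirm; auditd is no longer installed via _osquery_auditd_pkg`.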
diff --git a/osquery/vars/variables.yml b/osquery/vars/variables.yml index d07d9ae4..e190cf27 100644 --- a/osquery/vars/variables.yml +++ b/osquery/vars/variables.yml @@ -14,8 +14,6 @@ osquery_debug_packages_install: false osquery_config_plugin: 'filesystem' osquery_logger_plugin: 'filesystem' -osquery_rsyslog: false - osquery_flags: - "--tls_server_certs={{ kolide_fleet_ssl_cert }}" - "--tls_hostname={{ hostvars[groups['kolide-fleet_all'][0]]['ansible_host'] }}:443"
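Review bot: `--tls_hostname` on the surviving `osquery_flags` line is built from `hostvars[groups['kolide-fleet_all'][0]]['ansible_host']`, which raises an undefined-variable error at template time when the `kolide-fleet_all` group is missing or empty, and which only yields a working TLS pin if that `ansible_host` value is also a SAN of the certificate passed in `--tls_server_certs` — a bare IP there needs an IP SAN or osquery refuses the fleet connection. Removing `osquery_rsyslog: false` is safe only if no task or template still references `osquery_rsyslog`; those consumers are outside this diff. Suggest documenting the assumption above `osquery_flags`, `# tls_hostname must match a SAN in kolide_fleet_ssl_cert; assumes inventory group kolide-fleet_all has at least one host with ansible_host set`, and an `assert` task early in the play that checks `groups['kolide-fleet_all'] | default([]) | length > 0` so the failure is explicit rather than a templating error.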