Cleanup the osquery role
This change removes things we don't need and simplifies the task execution. Change-Id: I5be516311eaadd634990a4b9006d1ceec4de5847 Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
parent
569c7557b6
commit
c901b0b706
@ -1,70 +0,0 @@
|
|||||||
---
|
|
||||||
driver:
|
|
||||||
name: docker
|
|
||||||
## https://github.com/test-kitchen/kitchen-docker/issues/54
|
|
||||||
use_sudo: false
|
|
||||||
|
|
||||||
transport:
|
|
||||||
name: sftp
|
|
||||||
|
|
||||||
provisioner:
|
|
||||||
name: ansible_playbook
|
|
||||||
roles_path: ../
|
|
||||||
hosts: test-kitchen
|
|
||||||
# ansible_verbose: true
|
|
||||||
ansible_verbose: false
|
|
||||||
ansible_verbosity: 3
|
|
||||||
ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %>
|
|
||||||
# require_chef_omnibus: false
|
|
||||||
require_ansible_omnibus: true
|
|
||||||
# require_chef_for_busser: false
|
|
||||||
enable_yum_epel: true
|
|
||||||
ansible_connection: ssh
|
|
||||||
|
|
||||||
platforms:
|
|
||||||
- name: ubuntu-18.04
|
|
||||||
driver_config:
|
|
||||||
# https://github.com/test-kitchen/kitchen-docker/issues/285
|
|
||||||
provision_command: mkdir -p /run/sshd
|
|
||||||
- name: ubuntu-16.04
|
|
||||||
## systemd?
|
|
||||||
driver:
|
|
||||||
config:
|
|
||||||
security.privileged: true
|
|
||||||
- name: ubuntu-14.04
|
|
||||||
- name: ubuntu-12.04
|
|
||||||
- name: centos-7
|
|
||||||
## systemd
|
|
||||||
driver:
|
|
||||||
config:
|
|
||||||
security.privileged: true
|
|
||||||
### epel mirror issue. see readme
|
|
||||||
# - name: centos-6
|
|
||||||
### Ansible 2.2+/cryptography: https://github.com/ansible/ansible/issues/276
|
|
||||||
# provisioner:
|
|
||||||
# ansible_version: 2.1.2.0
|
|
||||||
## tool chain kitchen and image need customization... nok currently
|
|
||||||
# - name: alpine-3.4
|
|
||||||
# - name: debian-8
|
|
||||||
- name: debian-9
|
|
||||||
|
|
||||||
suites:
|
|
||||||
- name: default
|
|
||||||
run_list:
|
|
||||||
attributes:
|
|
||||||
- name: default-osquery-syslog
|
|
||||||
run_list:
|
|
||||||
attributes:
|
|
||||||
- name: default-osquery-syslog-fs
|
|
||||||
run_list:
|
|
||||||
attributes:
|
|
||||||
- name: default-profiling
|
|
||||||
run_list:
|
|
||||||
attributes:
|
|
||||||
includes:
|
|
||||||
- ubuntu-16.04
|
|
||||||
- name: default-fleetmanager
|
|
||||||
run_list:
|
|
||||||
attributes:
|
|
||||||
includes:
|
|
||||||
- ubuntu-16.04
|
|
@ -1,57 +0,0 @@
|
|||||||
---
|
|
||||||
# $ KITCHEN_YAML=".kitchen.vagrant.yml" kitchen verify
|
|
||||||
|
|
||||||
driver:
|
|
||||||
name: vagrant
|
|
||||||
provider: <%= ENV['KITCHEN_PROVIDER'] || 'virtualbox' %>
|
|
||||||
|
|
||||||
## make file transfer faster. need https://github.com/coderanger/kitchen-sync
|
|
||||||
transport:
|
|
||||||
name: sftp
|
|
||||||
|
|
||||||
provisioner:
|
|
||||||
name: ansible_playbook
|
|
||||||
roles_path: ../
|
|
||||||
hosts: test-kitchen
|
|
||||||
# ansible_verbose: true
|
|
||||||
ansible_verbose: false
|
|
||||||
ansible_verbosity: 3
|
|
||||||
ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %>
|
|
||||||
|
|
||||||
platforms:
|
|
||||||
- name: ubuntu-18.04
|
|
||||||
- name: ubuntu-16.04
|
|
||||||
- name: ubuntu-14.04
|
|
||||||
- name: centos-7.1
|
|
||||||
## ansible < 2.x
|
|
||||||
# - name: debian-8
|
|
||||||
# driver_config:
|
|
||||||
# box: debian-8
|
|
||||||
# box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box
|
|
||||||
- name: debian-9
|
|
||||||
driver:
|
|
||||||
box: remram/debian-9-amd64
|
|
||||||
|
|
||||||
suites:
|
|
||||||
- name: default
|
|
||||||
run_list:
|
|
||||||
attributes:
|
|
||||||
- name: default-osquery-syslog
|
|
||||||
run_list:
|
|
||||||
attributes:
|
|
||||||
- name: default-osquery-syslog-fs
|
|
||||||
run_list:
|
|
||||||
attributes:
|
|
||||||
- name: default-profiling
|
|
||||||
run_list:
|
|
||||||
attributes:
|
|
||||||
includes:
|
|
||||||
- ubuntu-18.04
|
|
||||||
- name: default-fleetmanager
|
|
||||||
run_list:
|
|
||||||
attributes:
|
|
||||||
includes:
|
|
||||||
- ubuntu-18.04
|
|
||||||
driver_config:
|
|
||||||
network:
|
|
||||||
- ["forwarded_port", {guest: 8080, host: 9080}]
|
|
@ -1,56 +0,0 @@
|
|||||||
---
|
|
||||||
driver:
|
|
||||||
name: lxd_cli
|
|
||||||
|
|
||||||
transport:
|
|
||||||
name: sftp
|
|
||||||
|
|
||||||
provisioner:
|
|
||||||
name: ansible_playbook
|
|
||||||
roles_path: ../
|
|
||||||
hosts: test-kitchen
|
|
||||||
ansible_verbose: true
|
|
||||||
# ansible_verbose: false
|
|
||||||
ansible_verbosity: 2
|
|
||||||
ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %>
|
|
||||||
require_ansible_omnibus: true
|
|
||||||
require_chef_omnibus: false
|
|
||||||
# require_chef_for_busser: false
|
|
||||||
enable_yum_epel: true
|
|
||||||
ansible_connection: ssh
|
|
||||||
|
|
||||||
platforms:
|
|
||||||
- name: ubuntu-18.04
|
|
||||||
- name: ubuntu-16.04
|
|
||||||
# - name: ubuntu-14.04
|
|
||||||
# - name: ubuntu-12.04
|
|
||||||
- name: centos-7
|
|
||||||
# - name: centos-6
|
|
||||||
# - name: alpine-3.7
|
|
||||||
|
|
||||||
suites:
|
|
||||||
- name: default
|
|
||||||
run_list:
|
|
||||||
attributes:
|
|
||||||
- name: default-osquery-syslog
|
|
||||||
run_list:
|
|
||||||
attributes:
|
|
||||||
includes:
|
|
||||||
- ubuntu-18.04
|
|
||||||
- centos-7
|
|
||||||
- name: default-osquery-syslog-fs
|
|
||||||
run_list:
|
|
||||||
attributes:
|
|
||||||
includes:
|
|
||||||
- ubuntu-18.04
|
|
||||||
- centos-7
|
|
||||||
- name: default-profiling
|
|
||||||
run_list:
|
|
||||||
attributes:
|
|
||||||
includes:
|
|
||||||
- ubuntu-18.04
|
|
||||||
- name: default-fleetmanager
|
|
||||||
run_list:
|
|
||||||
attributes:
|
|
||||||
includes:
|
|
||||||
- ubuntu-18.04
|
|
@ -1,97 +0,0 @@
|
|||||||
---
|
|
||||||
dist: trusty
|
|
||||||
sudo: required
|
|
||||||
rvm:
|
|
||||||
- 2.4
|
|
||||||
|
|
||||||
env:
|
|
||||||
## those images need pre-configuration before being usable (openssh...)
|
|
||||||
# - distribution: centos
|
|
||||||
# version: 6
|
|
||||||
- distribution: centos
|
|
||||||
version: 7
|
|
||||||
suite: default
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 18.04
|
|
||||||
suite: default
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 16.04
|
|
||||||
suite: default
|
|
||||||
# - distribution: ubuntu
|
|
||||||
# version: 14.04
|
|
||||||
# - distribution: ubuntu
|
|
||||||
# version: 12.04
|
|
||||||
# - distribution: alpine
|
|
||||||
# version: 3.4
|
|
||||||
- distribution: centos
|
|
||||||
version: 7
|
|
||||||
suite: default-osquery-syslog
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 18.04
|
|
||||||
suite: default-osquery-syslog
|
|
||||||
- distribution: centos
|
|
||||||
version: 7
|
|
||||||
suite: default-osquery-syslog-fs
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 18.04
|
|
||||||
suite: default-osquery-syslog-fs
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 18.04
|
|
||||||
suite: default-profiling
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 18.04
|
|
||||||
suite: default-fleetmanager
|
|
||||||
|
|
||||||
before_install:
|
|
||||||
- env
|
|
||||||
- pwd
|
|
||||||
- find -ls
|
|
||||||
## use appropriate role path and not github name
|
|
||||||
- "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh"
|
|
||||||
## No Xenial, https://github.com/travis-ci/travis-ci/issues/5821
|
|
||||||
# - sudo apt install lxd
|
|
||||||
- echo "deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse" | sudo tee /etc/apt/sources.list.d/trusty-backports.list
|
|
||||||
- sudo apt-get update -qq
|
|
||||||
- sudo apt -t trusty-backports -y install lxd acl -q
|
|
||||||
## change of group implies logout+login to apply... can't do with travis = run as root (sic)
|
|
||||||
## https://github.com/travis-ci/travis-ci/issues/1839 or chain: sudo -E su $USER -c "..."
|
|
||||||
- sudo usermod -G lxd travis
|
|
||||||
# Pull container
|
|
||||||
# - lxc remote add images images.linuxcontainers.org
|
|
||||||
- sudo -E su $USER -c "lxc remote list"
|
|
||||||
- sudo -E su $USER -c "lxc image list"
|
|
||||||
## pre-download base images
|
|
||||||
- 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] || lxc image copy images:${distribution}/${version}/amd64 local: --alias=${distribution}-${version}-nossh"'
|
|
||||||
- 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] && lxc image copy ubuntu:${version} local: --alias=${distribution}-${version}" || true'
|
|
||||||
## configure lxd-bridge
|
|
||||||
- sudo perl -pi -e 's@^LXD_IPV4_ADDR=""@LXD_IPV4_ADDR="10.252.116.1"@;s@^LXD_IPV4_NETMASK=""@LXD_IPV4_NETMASK="255.255.255.0"@;s@^LXD_IPV4_NETWORK=""@LXD_IPV4_NETWORK="10.252.116.1/24"@;s@^LXD_IPV4_DHCP_RANGE=""@LXD_IPV4_DHCP_RANGE="10.252.116.2,10.252.116.254"@;s@^LXD_IPV4_DHCP_MAX=""@LXD_IPV4_DHCP_MAX="252"@;s@LXD_IPV6_PROXY="true"@LXD_IPV6_PROXY="false"@' /etc/default/lxd-bridge
|
|
||||||
# - cat /etc/default/lxd-bridge
|
|
||||||
# - service --status-all
|
|
||||||
- sudo service lxd restart
|
|
||||||
|
|
||||||
- sudo pip install ansible
|
|
||||||
- gem install kitchen
|
|
||||||
- gem install kitchen-ansible
|
|
||||||
- gem install kitchen-sync
|
|
||||||
- gem install kitchen-lxd_cli
|
|
||||||
- gem list
|
|
||||||
- which kitchen
|
|
||||||
## ssh key for lxd_cli ?
|
|
||||||
- ls ~/.ssh
|
|
||||||
- ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -P ""
|
|
||||||
## sudo/su get us a non-usual PATH ...
|
|
||||||
- '[ "X${distribution}" == "Xcentos" ] && sudo -E su $USER -c "sh -x ./test/lxd/centos-ssh-image.sh" || true'
|
|
||||||
- sudo -E su $USER -c "env"
|
|
||||||
## The command "sudo -E su $USER -c "which kitchen"" failed and exited with 1 during .
|
|
||||||
# - sudo -E su $USER -c "which kitchen"
|
|
||||||
- sudo -E su $USER -c "env PATH=$PATH kitchen diagnose --all"
|
|
||||||
# - sudo -E su $USER -c "kitchen diagnose --all"
|
|
||||||
# - sudo -E -u $USER kitchen diagnose --all
|
|
||||||
|
|
||||||
script:
|
|
||||||
# - KITCHEN_LOCAL_YAML=.kitchen.local.yml bundle exec kitchen verify ${INSTANCE}
|
|
||||||
- sudo -E su $USER -c "env PATH=$PATH kitchen verify ${suite}-${distribution}-${version//./} -l debug || (cat $HOME/.kitchen/logs/${suite}-${distribution}-${version//./}.log; find /tmp/kitchen)"
|
|
||||||
|
|
||||||
notifications:
|
|
||||||
webhooks: https://galaxy.ansible.com/api/v1/notifications/
|
|
||||||
|
|
@ -1,160 +0,0 @@
|
|||||||
---
|
|
||||||
## from https://github.com/geerlingguy/ansible-role-apache/blob/master/.travis.yml
|
|
||||||
sudo: required
|
|
||||||
|
|
||||||
env:
|
|
||||||
# - distribution: centos
|
|
||||||
# version: 6
|
|
||||||
# init: /sbin/init
|
|
||||||
# run_opts: ""
|
|
||||||
# suite: default
|
|
||||||
- distribution: centos
|
|
||||||
version: 7
|
|
||||||
init: /usr/lib/systemd/systemd
|
|
||||||
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
|
|
||||||
suite: default
|
|
||||||
ansible_version: 2.5.5
|
|
||||||
ansible_extra_vars: ""
|
|
||||||
# - distribution: ubuntu
|
|
||||||
# version: 18.04
|
|
||||||
# init: /lib/systemd/systemd
|
|
||||||
# run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
|
|
||||||
# suite: default
|
|
||||||
# ansible_version: 2.5.5
|
|
||||||
# ansible_extra_vars: ""
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 16.04
|
|
||||||
init: /lib/systemd/systemd
|
|
||||||
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
|
|
||||||
suite: default
|
|
||||||
ansible_version: 2.5.5
|
|
||||||
ansible_extra_vars: ""
|
|
||||||
# - distribution: ubuntu
|
|
||||||
# version: 14.04
|
|
||||||
# init: /sbin/init
|
|
||||||
# run_opts: ""
|
|
||||||
# suite: default
|
|
||||||
# - distribution: ubuntu
|
|
||||||
# version: 12.04
|
|
||||||
# init: /sbin/init
|
|
||||||
# run_opts: ""
|
|
||||||
# suite: default
|
|
||||||
# - distribution: alpine
|
|
||||||
# version: 3.4
|
|
||||||
# init: /sbin/init
|
|
||||||
# run_opts: ""
|
|
||||||
# suite: default
|
|
||||||
## https://travis-ci.org/juju4/ansible-osquery/jobs/246615342, https://github.com/facebook/osquery/issues/2321
|
|
||||||
- distribution: debian
|
|
||||||
version: 9
|
|
||||||
init: /lib/systemd/systemd
|
|
||||||
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
|
|
||||||
suite: default
|
|
||||||
ansible_version: 2.5.5
|
|
||||||
ansible_extra_vars: ""
|
|
||||||
- distribution: centos
|
|
||||||
version: 7
|
|
||||||
init: /usr/lib/systemd/systemd
|
|
||||||
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
|
|
||||||
suite: default-osquery-syslog
|
|
||||||
ansible_version: 2.5.5
|
|
||||||
ansible_extra_vars: ""
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 16.04
|
|
||||||
init: /lib/systemd/systemd
|
|
||||||
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
|
|
||||||
suite: default-osquery-syslog
|
|
||||||
ansible_version: 2.5.5
|
|
||||||
ansible_extra_vars: ""
|
|
||||||
- distribution: centos
|
|
||||||
version: 7
|
|
||||||
init: /usr/lib/systemd/systemd
|
|
||||||
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
|
|
||||||
suite: default-osquery-syslog-fs
|
|
||||||
ansible_version: 2.5.5
|
|
||||||
ansible_extra_vars: ""
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 16.04
|
|
||||||
init: /lib/systemd/systemd
|
|
||||||
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
|
|
||||||
suite: default-osquery-syslog-fs
|
|
||||||
ansible_version: 2.5.5
|
|
||||||
ansible_extra_vars: ""
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 16.04
|
|
||||||
init: /lib/systemd/systemd
|
|
||||||
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
|
|
||||||
suite: default-profiling
|
|
||||||
ansible_version: 2.5.5
|
|
||||||
ansible_extra_vars: ""
|
|
||||||
# past ansible version
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 16.04
|
|
||||||
init: /lib/systemd/systemd
|
|
||||||
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
|
|
||||||
suite: default
|
|
||||||
ansible_version: 2.4.5
|
|
||||||
ansible_extra_vars: ""
|
|
||||||
# upcoming ansible version
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 16.04
|
|
||||||
init: /lib/systemd/systemd
|
|
||||||
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
|
|
||||||
suite: default
|
|
||||||
ansible_version: 2.6.0rc3
|
|
||||||
ansible_extra_vars: ""
|
|
||||||
|
|
||||||
services:
|
|
||||||
- docker
|
|
||||||
|
|
||||||
before_install:
|
|
||||||
# - sudo apt-get update
|
|
||||||
# Pull container
|
|
||||||
- 'sudo docker pull ${distribution}:${version}'
|
|
||||||
- env
|
|
||||||
- pwd
|
|
||||||
- find -ls
|
|
||||||
- "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh"
|
|
||||||
- cp test/travis/initctl_faker test/
|
|
||||||
# Customize container
|
|
||||||
- 'sudo docker build --rm=true --file=test/travis/Dockerfile.${distribution}-${version} --tag=${distribution}-${version}:ansible test'
|
|
||||||
|
|
||||||
before_script:
|
|
||||||
- container_id=$(mktemp)
|
|
||||||
# Run container in detached state
|
|
||||||
- 'sudo docker run --detach --volume="${PWD%/*}":/etc/ansible/roles:ro ${run_opts} ${distribution}-${version}:ansible "${init}" > "${container_id}"'
|
|
||||||
|
|
||||||
- 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm pip install --upgrade pip'
|
|
||||||
- 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm pip install ansible==${ansible_version}'
|
|
||||||
- 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible --version'
|
|
||||||
|
|
||||||
script:
|
|
||||||
# Ansible syntax check.
|
|
||||||
- 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/default.yml --syntax-check'
|
|
||||||
|
|
||||||
# Test role.
|
|
||||||
- 'travis_wait 30 sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/default.yml -vv ${ansible_extra_vars}'
|
|
||||||
|
|
||||||
# Test role idempotence.
|
|
||||||
- >
|
|
||||||
travis_wait 30 sudo docker exec "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/default.yml ${ansible_extra_vars}
|
|
||||||
| tee /tmp/idempotency.log
|
|
||||||
| grep -q 'changed=0.*failed=0'
|
|
||||||
&& (echo 'Idempotence test: pass' && exit 0)
|
|
||||||
|| (echo 'Idempotence test: fail' && cat /tmp/idempotency.log && exit 0)
|
|
||||||
|
|
||||||
# serverspec tests
|
|
||||||
## travis/docker: Errno::EROFS: Read-only file system @ dir_s_mkdir - /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/serverspec/.bundle
|
|
||||||
# - 'sudo docker exec --tty "$(cat ${container_id})" /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/serverspec/run-local-tests.sh'
|
|
||||||
|
|
||||||
after_failure:
|
|
||||||
# Check what happened on systemd systems.
|
|
||||||
- 'docker exec --tty "$(cat ${container_id})" env TERM=xterm systemctl -l --no-pager status osqueryd.service'
|
|
||||||
- 'docker exec --tty "$(cat ${container_id})" env TERM=xterm journalctl -xe --no-pager'
|
|
||||||
|
|
||||||
after_script:
|
|
||||||
# Clean up
|
|
||||||
- 'sudo docker stop "$(cat ${container_id})"'
|
|
||||||
|
|
||||||
notifications:
|
|
||||||
webhooks: https://galaxy.ansible.com/api/v1/notifications/
|
|
@ -1,71 +0,0 @@
|
|||||||
---
|
|
||||||
## note: can't fully test osquery inside docker as will not be able have kernel /dev/osquery
|
|
||||||
dist: trusty
|
|
||||||
sudo: required
|
|
||||||
rvm:
|
|
||||||
- 2.4
|
|
||||||
|
|
||||||
env:
|
|
||||||
# - distribution: centos
|
|
||||||
# version: 6
|
|
||||||
- distribution: centos
|
|
||||||
version: 7
|
|
||||||
suite: default
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 16.04
|
|
||||||
suite: default
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 14.04
|
|
||||||
suite: default
|
|
||||||
# - distribution: ubuntu
|
|
||||||
# version: 12.04
|
|
||||||
# - distribution: alpine
|
|
||||||
# version: 3.4
|
|
||||||
- distribution: debian
|
|
||||||
version: 8
|
|
||||||
suite: default
|
|
||||||
- distribution: centos
|
|
||||||
version: 7
|
|
||||||
suite: default-osquery-syslog
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 16.04
|
|
||||||
suite: default-osquery-syslog
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 14.04
|
|
||||||
suite: default-osquery-syslog
|
|
||||||
- distribution: centos
|
|
||||||
version: 7
|
|
||||||
suite: default-osquery-syslog-fs
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 16.04
|
|
||||||
suite: default-osquery-syslog-fs
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 14.04
|
|
||||||
suite: default-osquery-syslog-fs
|
|
||||||
|
|
||||||
before_install:
|
|
||||||
- env
|
|
||||||
- pwd
|
|
||||||
- find -ls
|
|
||||||
## use appropriate role path and not github name
|
|
||||||
- "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh"
|
|
||||||
- sudo pip install ansible
|
|
||||||
## need to use chef gem for some reason? BAD PATH https://github.com/chef/chef-dk/issues/15
|
|
||||||
# - chef gem install kitchen
|
|
||||||
- gem install kitchen
|
|
||||||
- gem install kitchen-ansible
|
|
||||||
- gem install kitchen-sync
|
|
||||||
- gem install kitchen-docker
|
|
||||||
- gem list
|
|
||||||
- which kitchen
|
|
||||||
- KITCHEN_YAML=.kitchen.docker.yml kitchen diagnose --all
|
|
||||||
|
|
||||||
script:
|
|
||||||
## avoid locale issue under xenial docker, https://github.com/pypa/pip/issues/3575
|
|
||||||
- export LC_ALL=C.UTF-8
|
|
||||||
- export LANG=C.UTF-8
|
|
||||||
- KITCHEN_YAML=.kitchen.docker.yml kitchen verify ${suite}-${distribution}-${version//./}
|
|
||||||
|
|
||||||
notifications:
|
|
||||||
webhooks: https://galaxy.ansible.com/api/v1/notifications/
|
|
||||||
|
|
@ -1,76 +0,0 @@
|
|||||||
---
|
|
||||||
dist: trusty
|
|
||||||
sudo: required
|
|
||||||
rvm:
|
|
||||||
- 2.4
|
|
||||||
|
|
||||||
env:
|
|
||||||
## those images need pre-configuration before being usable (openssh...)
|
|
||||||
# - distribution: centos
|
|
||||||
# version: 6
|
|
||||||
- distribution: centos
|
|
||||||
version: 7
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 18.04
|
|
||||||
- distribution: ubuntu
|
|
||||||
version: 16.04
|
|
||||||
# - distribution: ubuntu
|
|
||||||
# version: 14.04
|
|
||||||
# - distribution: ubuntu
|
|
||||||
# version: 12.04
|
|
||||||
# - distribution: alpine
|
|
||||||
# version: 3.4
|
|
||||||
|
|
||||||
before_install:
|
|
||||||
- env
|
|
||||||
- pwd
|
|
||||||
- find -ls
|
|
||||||
## use appropriate role path and not github name
|
|
||||||
- "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh"
|
|
||||||
## No Xenial, https://github.com/travis-ci/travis-ci/issues/5821
|
|
||||||
# - sudo apt install lxd
|
|
||||||
- echo "deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse" | sudo tee /etc/apt/sources.list.d/trusty-backports.list
|
|
||||||
- sudo apt-get update -qq
|
|
||||||
- sudo apt -t trusty-backports -y install lxd acl -q
|
|
||||||
## change of group implies logout+login to apply... can't do with travis = run as root (sic)
|
|
||||||
## https://github.com/travis-ci/travis-ci/issues/1839 or chain: sudo -E su $USER -c "..."
|
|
||||||
- sudo usermod -G lxd travis
|
|
||||||
# Pull container
|
|
||||||
# - lxc remote add images images.linuxcontainers.org
|
|
||||||
- sudo -E su $USER -c "lxc remote list"
|
|
||||||
- sudo -E su $USER -c "lxc image list"
|
|
||||||
## pre-download base images
|
|
||||||
- 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] || lxc image copy images:${distribution}/${version}/amd64 local: --alias=${distribution}-${version}-nossh"'
|
|
||||||
- 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] && lxc image copy ubuntu:${version} local: --alias=${distribution}-${version}" || true'
|
|
||||||
## configure lxd-bridge
|
|
||||||
- sudo perl -pi -e 's@^LXD_IPV4_ADDR=""@LXD_IPV4_ADDR="10.252.116.1"@;s@^LXD_IPV4_NETMASK=""@LXD_IPV4_NETMASK="255.255.255.0"@;s@^LXD_IPV4_NETWORK=""@LXD_IPV4_NETWORK="10.252.116.1/24"@;s@^LXD_IPV4_DHCP_RANGE=""@LXD_IPV4_DHCP_RANGE="10.252.116.2,10.252.116.254"@;s@^LXD_IPV4_DHCP_MAX=""@LXD_IPV4_DHCP_MAX="252"@;s@LXD_IPV6_PROXY="true"@LXD_IPV6_PROXY="false"@' /etc/default/lxd-bridge
|
|
||||||
# - cat /etc/default/lxd-bridge
|
|
||||||
# - service --status-all
|
|
||||||
- sudo service lxd restart
|
|
||||||
|
|
||||||
- sudo pip install ansible
|
|
||||||
- gem install kitchen
|
|
||||||
- gem install kitchen-ansible
|
|
||||||
- gem install kitchen-sync
|
|
||||||
- gem install kitchen-lxd_cli
|
|
||||||
- gem list
|
|
||||||
- which kitchen
|
|
||||||
## ssh key for lxd_cli ?
|
|
||||||
- ls ~/.ssh
|
|
||||||
- ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -P ""
|
|
||||||
## sudo/su get us a non-usual PATH ...
|
|
||||||
- '[ "X${distribution}" == "Xcentos" ] && sudo -E su $USER -c "sh -x ./test/lxd/centos-ssh-image.sh" || true'
|
|
||||||
- sudo -E su $USER -c "env"
|
|
||||||
## The command "sudo -E su $USER -c "which kitchen"" failed and exited with 1 during .
|
|
||||||
# - sudo -E su $USER -c "which kitchen"
|
|
||||||
- sudo -E su $USER -c "env PATH=$PATH kitchen diagnose --all"
|
|
||||||
# - sudo -E su $USER -c "kitchen diagnose --all"
|
|
||||||
# - sudo -E -u $USER kitchen diagnose --all
|
|
||||||
|
|
||||||
script:
|
|
||||||
# - KITCHEN_LOCAL_YAML=.kitchen.local.yml bundle exec kitchen verify ${INSTANCE}
|
|
||||||
- sudo -E su $USER -c "env PATH=$PATH kitchen verify default-${distribution}-${version//./} -l debug || (cat $HOME/.kitchen/logs/default-${distribution}-${version//./}.log; find /tmp/kitchen)"
|
|
||||||
|
|
||||||
notifications:
|
|
||||||
webhooks: https://galaxy.ansible.com/api/v1/notifications/
|
|
||||||
|
|
@ -1,42 +0,0 @@
|
|||||||
---
|
|
||||||
sudo: required
|
|
||||||
dist: trusty
|
|
||||||
|
|
||||||
language: generic
|
|
||||||
|
|
||||||
before_install:
|
|
||||||
- sudo apt-get -qq update
|
|
||||||
- sudo apt-get install -y python python-pip
|
|
||||||
|
|
||||||
install:
|
|
||||||
# Install ansible
|
|
||||||
- sudo pip install ansible
|
|
||||||
|
|
||||||
# Check ansible version
|
|
||||||
- ansible --version
|
|
||||||
|
|
||||||
# Create ansible.cfg with correct roles_path
|
|
||||||
- printf '[defaults]\nroles_path=../' >ansible.cfg
|
|
||||||
|
|
||||||
# Install role dependencies
|
|
||||||
# ...
|
|
||||||
|
|
||||||
script:
|
|
||||||
# Basic role syntax check
|
|
||||||
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
|
|
||||||
|
|
||||||
# Run the role/playbook with ansible-playbook
|
|
||||||
- ansible-playbook tests/test.yml -i tests/inventory --connection=local --become
|
|
||||||
|
|
||||||
# Run the role/playbook again, checking to make sure it's idempotent
|
|
||||||
- >
|
|
||||||
ansible-playbook tests/test.yml -i tests/inventory --connection=local --become
|
|
||||||
| grep -q 'changed=0.*failed=0'
|
|
||||||
&& (echo 'Idempotence test: pass' && exit 0)
|
|
||||||
|| (echo 'Idempotence test: fail' && exit 1)
|
|
||||||
|
|
||||||
# Playbook specific tests
|
|
||||||
# ...
|
|
||||||
|
|
||||||
notifications:
|
|
||||||
webhooks: https://galaxy.ansible.com/api/v1/notifications/
|
|
@ -1,61 +0,0 @@
|
|||||||
---
|
|
||||||
sudo: required
|
|
||||||
dist: trusty
|
|
||||||
|
|
||||||
language: generic
|
|
||||||
|
|
||||||
env:
|
|
||||||
- suite: default
|
|
||||||
- suite: default-osquery-syslog
|
|
||||||
- suite: default-osquery-syslog-fs
|
|
||||||
|
|
||||||
before_install:
|
|
||||||
- sudo apt-get -qq update
|
|
||||||
- sudo apt-get install -y python python-pip
|
|
||||||
- "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh"
|
|
||||||
## serverspec test
|
|
||||||
- sudo apt-get install -qq ruby2.0 rake
|
|
||||||
- sudo gem2.0 install serverspec
|
|
||||||
|
|
||||||
install:
|
|
||||||
# Install ansible
|
|
||||||
- sudo pip install ansible
|
|
||||||
|
|
||||||
# Check ansible version
|
|
||||||
- ansible --version
|
|
||||||
|
|
||||||
# Create ansible.cfg with correct roles_path
|
|
||||||
- printf '[defaults]\nroles_path=../' >ansible.cfg
|
|
||||||
- "echo \"[test-kitchen]\nlocalhost\" > inventory"
|
|
||||||
|
|
||||||
- gem2.0 --version
|
|
||||||
|
|
||||||
# Install role dependencies
|
|
||||||
# ...
|
|
||||||
|
|
||||||
script:
|
|
||||||
# Basic role syntax check
|
|
||||||
- "ansible-playbook -i inventory --syntax-check test/integration/${suite}/default.yml"
|
|
||||||
|
|
||||||
# Run the role/playbook with ansible-playbook
|
|
||||||
- "ansible-playbook -i inventory --connection=local --sudo -vvvv test/integration/${suite}/default.yml"
|
|
||||||
|
|
||||||
# Run the role/playbook again, checking to make sure it's idempotent
|
|
||||||
- >
|
|
||||||
ansible-playbook -i inventory test/integration/${suite}/default.yml --connection=local --become
|
|
||||||
| grep -q 'changed=0.*failed=0'
|
|
||||||
&& (echo 'Idempotence test: pass' && exit 0)
|
|
||||||
|| (echo 'Idempotence test: fail' && exit 1)
|
|
||||||
|
|
||||||
# Playbook specific tests
|
|
||||||
# - "cd test/integration/${suite}/serverspec/ && bundle exec rake spec"
|
|
||||||
|
|
||||||
after_failure:
|
|
||||||
- "ls -l /var/log/ /var/log/osquery/"
|
|
||||||
- "sudo cat /var/log/osquery*.log /var/log/osquery/*.log"
|
|
||||||
- "sudo cat /etc/rsyslog.d/30-osquery-target.conf"
|
|
||||||
- "sudo systemctl -l status"
|
|
||||||
- "sudo journalctl -xe --no-pager"
|
|
||||||
|
|
||||||
notifications:
|
|
||||||
webhooks: https://galaxy.ansible.com/api/v1/notifications/
|
|
59
osquery/roles/osquery/Jenkinsfile
vendored
59
osquery/roles/osquery/Jenkinsfile
vendored
@ -1,59 +0,0 @@
|
|||||||
// Work in progress
|
|
||||||
|
|
||||||
node {
|
|
||||||
|
|
||||||
try{
|
|
||||||
currentBuild.result = "SUCCESS"
|
|
||||||
def workspace = pwd()
|
|
||||||
def directory = "kbrebanov.osquery"
|
|
||||||
|
|
||||||
stage 'Clean Workspace'
|
|
||||||
deleteDir()
|
|
||||||
|
|
||||||
stage("Download source and capture commit ID") {
|
|
||||||
sh "mkdir $directory"
|
|
||||||
dir("$directory") {
|
|
||||||
checkout scm
|
|
||||||
// Get the commit ID
|
|
||||||
sh 'git rev-parse --verify HEAD > GIT_COMMIT'
|
|
||||||
git_commit = readFile('GIT_COMMIT').take(7)
|
|
||||||
echo "Current commit ID: ${git_commit}"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
dir("$directory") {
|
|
||||||
|
|
||||||
stage("Get dependencies"){
|
|
||||||
sh "sh -x get-dependencies.sh"
|
|
||||||
}
|
|
||||||
stage("Build and verify 1"){
|
|
||||||
defaultplatform = sh (
|
|
||||||
script: '''#!/bin/bash
|
|
||||||
kitchen list | awk "!/Instance/ {print \\$1; exit}"
|
|
||||||
''',
|
|
||||||
returnStdout: true
|
|
||||||
).trim()
|
|
||||||
echo "default platform: ${defaultplatform}"
|
|
||||||
|
|
||||||
sh "kitchen test ${defaultplatform}"
|
|
||||||
// must keep instance for security testing after
|
|
||||||
//sh "kitchen verify ${defaultplatform}"
|
|
||||||
}
|
|
||||||
|
|
||||||
stage("Build and verify all platforms"){
|
|
||||||
sh "kitchen test"
|
|
||||||
}
|
|
||||||
|
|
||||||
stage("Cleanup if no errors"){
|
|
||||||
sh "kitchen destroy"
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
catch(err) {
|
|
||||||
currentBuild.result = "FAILURE"
|
|
||||||
throw err
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,43 +0,0 @@
|
|||||||
[![Build Status - Master](https://travis-ci.org/juju4/ansible-osquery.svg?branch=master)](https://travis-ci.org/juju4/ansible-osquery)
|
|
||||||
[![Build Status - Devel](https://travis-ci.org/juju4/ansible-osquery.svg?branch=devel)](https://travis-ci.org/juju4/ansible-osquery/branches)
|
|
||||||
osquery
|
|
||||||
=======
|
|
||||||
|
|
||||||
[![Build Status](https://travis-ci.org/kbrebanov/ansible-osquery.svg?branch=master)](https://travis-ci.org/kbrebanov/ansible-osquery)
|
|
||||||
|
|
||||||
Installs osquery
|
|
||||||
|
|
||||||
Requirements
|
|
||||||
------------
|
|
||||||
|
|
||||||
This role requires Ansible 2.0 or higher.
|
|
||||||
|
|
||||||
Role Variables
|
|
||||||
--------------
|
|
||||||
|
|
||||||
None
|
|
||||||
|
|
||||||
Dependencies
|
|
||||||
------------
|
|
||||||
|
|
||||||
None
|
|
||||||
|
|
||||||
Example Playbook
|
|
||||||
----------------
|
|
||||||
|
|
||||||
Install osquery
|
|
||||||
```yaml
|
|
||||||
- hosts: all
|
|
||||||
roles:
|
|
||||||
- kbrebanov.osquery
|
|
||||||
```
|
|
||||||
|
|
||||||
License
|
|
||||||
-------
|
|
||||||
|
|
||||||
BSD
|
|
||||||
|
|
||||||
Author Information
|
|
||||||
------------------
|
|
||||||
|
|
||||||
Kevin Brebanov
|
|
@ -1,14 +1,9 @@
|
|||||||
---
|
---
|
||||||
# defaults file for osquery
|
# Enable or disable the installation of the osquery debug packages.
|
||||||
|
osquery_debug_packages_install: false
|
||||||
osquery_service_enable: true
|
|
||||||
osquery_debug_packages_install: true
|
|
||||||
## define this if don't want to use upstream ones
|
|
||||||
#osquery_repository: ''
|
|
||||||
#osquery_repositorykey: ''
|
|
||||||
|
|
||||||
osquery_template: 'osquery.conf.j2'
|
osquery_template: 'osquery.conf.j2'
|
||||||
#osquery_upload_packs: []
|
|
||||||
osquery_upload_packs:
|
osquery_upload_packs:
|
||||||
- osquery-snapshots-pack
|
- osquery-snapshots-pack
|
||||||
- osquery-monitoring2-pack
|
- osquery-monitoring2-pack
|
||||||
@ -25,9 +20,6 @@ osquery_packs:
|
|||||||
|
|
||||||
osquery_config_plugin: 'filesystem'
|
osquery_config_plugin: 'filesystem'
|
||||||
osquery_logger_plugin: 'filesystem'
|
osquery_logger_plugin: 'filesystem'
|
||||||
#osquery_logger_plugin: 'syslog'
|
|
||||||
#osquery_logger_plugin: 'filesystem,syslog'
|
|
||||||
#osquery_logger_plugin: 'tls'
|
|
||||||
osquery_flags: []
|
osquery_flags: []
|
||||||
## if using zentral, kolide or else
|
## if using zentral, kolide or else
|
||||||
## https://github.com/zentralopensource/zentral/blob/f460b10a95d4ea1e515aea3363f55733465d1d9c/zentral/contrib/osquery/deb_script/template.sh
|
## https://github.com/zentralopensource/zentral/blob/f460b10a95d4ea1e515aea3363f55733465d1d9c/zentral/contrib/osquery/deb_script/template.sh
|
||||||
@ -64,6 +56,7 @@ osquery_fim_filepaths:
|
|||||||
- name: etc
|
- name: etc
|
||||||
list:
|
list:
|
||||||
- "/etc/%%"
|
- "/etc/%%"
|
||||||
|
|
||||||
## Take care if using a lot /tmp. can trigger
|
## Take care if using a lot /tmp. can trigger
|
||||||
## 'Expiring events for subscriber: file_events (overflowed limit 1000)'
|
## 'Expiring events for subscriber: file_events (overflowed limit 1000)'
|
||||||
## => losing many queries results (fim or not)
|
## => losing many queries results (fim or not)
|
||||||
@ -83,16 +76,11 @@ osquery_fim_filepaths:
|
|||||||
- name: webroot
|
- name: webroot
|
||||||
list:
|
list:
|
||||||
- "/var/www/%%"
|
- "/var/www/%%"
|
||||||
|
|
||||||
osquery_fim_excludepaths:
|
osquery_fim_excludepaths:
|
||||||
- name: tmp
|
- name: tmp
|
||||||
list:
|
list:
|
||||||
- /tmp/too_many_events/
|
- /tmp/too_many_events/
|
||||||
osquery_rsyslog: true
|
|
||||||
## conflict with auditd. choose one.
|
|
||||||
## https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
|
|
||||||
osquery_process_auditing: false
|
|
||||||
osquery_process_interval: 900
|
|
||||||
osquery_socket_interval: 900
|
|
||||||
|
|
||||||
## queries snapshots: 1/week (or 1/month? nok)
|
## queries snapshots: 1/week (or 1/month? nok)
|
||||||
## Max interval 1/w: https://github.com/theopolis/osquery/commit/b76dee8a1fddccb500bc4a058daa1b39083b9dbb
|
## Max interval 1/w: https://github.com/theopolis/osquery/commit/b76dee8a1fddccb500bc4a058daa1b39083b9dbb
|
||||||
@ -100,24 +88,6 @@ osquery_snapshot_interval: 604800
|
|||||||
osquery_snapshot_interval2: 604800
|
osquery_snapshot_interval2: 604800
|
||||||
#osquery_snapshot_interval2: 2592000
|
#osquery_snapshot_interval2: 2592000
|
||||||
|
|
||||||
osquery_logrotate: true
|
|
||||||
osquery_logrotate_days: 90
|
|
||||||
|
|
||||||
## https://osquery.readthedocs.io/en/stable/installation/cli-flags/#loggingresults-flags
|
|
||||||
## per facility
|
|
||||||
## osquery wants a facility code, while keyword for rsyslog...
|
|
||||||
osquery_syslog_target_facility_osqueryconf: 19
|
|
||||||
osquery_syslog_target_facility_syslogconf: local3
|
|
||||||
osquery_syslog_target: ''
|
|
||||||
#osquery_syslog_target: '@@10.1.1.100'
|
|
||||||
## mostly for testing purpose
|
|
||||||
#osquery_syslog_target: '/var/log/osquery/osquery_syslog.log'
|
|
||||||
## per programname: mostly query execution log and daemon state. avoid mixing with default syslog messages
|
|
||||||
#osquery_syslog_target2: ''
|
|
||||||
osquery_syslog_target2: '/var/log/osquery/osqueryd.log'
|
|
||||||
osquery_syslog_dirs:
|
|
||||||
- /var/log/osquery
|
|
||||||
|
|
||||||
## making schedule query faster to have logs faster...
|
## making schedule query faster to have logs faster...
|
||||||
osquery_testing: false
|
osquery_testing: false
|
||||||
osquery_testing_pause: false
|
osquery_testing_pause: false
|
||||||
@ -129,4 +99,3 @@ osquery_profiling: false
|
|||||||
## full config might be too long for travis (max 50min)
|
## full config might be too long for travis (max 50min)
|
||||||
#osquery_profiling_conf: /etc/osquery/osquery.conf
|
#osquery_profiling_conf: /etc/osquery/osquery.conf
|
||||||
osquery_profiling_conf: /usr/share/osquery/packs/incident-response.conf
|
osquery_profiling_conf: /usr/share/osquery/packs/incident-response.conf
|
||||||
|
|
||||||
|
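Review bot: `osquery_testing`, `osquery_testing_pause`, `osquery_profiling` and `osquery_profiling_conf` survive as context in the last two hunks, although the task files that consumed them appear to be deleted in this commit (the deleted file names are not shown on this page) and the new main.yml no longer includes testing or profiling, so they are now dead variables that still read as supported knobs. `osquery_logger_plugin: 'filesystem'` is likewise kept in hunk `@ -25,9 +20,6` while the flags template now hard-codes `--logger_plugin=filesystem`, so changing the variable will not take effect. Either drop them or mark them, e.g. `# osquery_testing / osquery_profiling: no longer consumed by any task in this role`. The defaults file continues beyond the hunks shown here.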
12
osquery/roles/osquery/files/logrotate-osquery
@ -0,0 +1,12 @@
|
|||||||
|
/var/log/osquery/*.log.log
|
||||||
|
{
|
||||||
|
copytruncate
|
||||||
|
daily
|
||||||
|
rotate 2
|
||||||
|
delaycompress
|
||||||
|
compress
|
||||||
|
dateext
|
||||||
|
notifempty
|
||||||
|
missingok
|
||||||
|
maxage 5
|
||||||
|
}
|
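Review bot: The glob `/var/log/osquery/*.log.log` on the first line looks wrong — the results log the previous template rotated was `/var/log/osquery/osqueryd.results.log`, which `*.log.log` does not match, so with `missingok` the rotation silently does nothing. Retention also drops from the previous `osquery_logrotate_days` default of 90 to `rotate 2` / `maxage 5`, a short window for what is effectively the host's query audit record and usually the first thing an investigation reads. Suggest `/var/log/osquery/*.log` (or naming `osqueryd.results.log` explicitly) and a retention closer to the old default, and note that the copy task in osquery_configure.yml no longer passes `validate: 'logrotate -dv %s'`, which would have caught a bad file before it reached /etc/logrotate.d.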
@ -1,22 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
## one script to be used by travis, jenkins, packer...
|
|
||||||
|
|
||||||
umask 022
|
|
||||||
|
|
||||||
if [ $# != 0 ]; then
|
|
||||||
rolesdir=$1
|
|
||||||
else
|
|
||||||
rolesdir=$(dirname $0)/..
|
|
||||||
fi
|
|
||||||
|
|
||||||
[ ! -d $rolesdir/juju4.redhat-epel ] && git clone https://github.com/juju4/ansible-redhat-epel $rolesdir/juju4.redhat-epel
|
|
||||||
[ ! -d $rolesdir/geerlingguy.redis ] && git clone https://github.com/juju4/ansible-role-redis.git $rolesdir/geerlingguy.redis
|
|
||||||
[ ! -d $rolesdir/geerlingguy.mysql ] && git clone https://github.com/geerlingguy/ansible-role-mysql.git $rolesdir/geerlingguy.mysql
|
|
||||||
[ ! -d $rolesdir/juju4.kolide ] && git clone https://github.com/juju4/ansible-kolide $rolesdir/juju4.kolide
|
|
||||||
## galaxy naming: kitchen fails to transfer symlink folder
|
|
||||||
#[ ! -e $rolesdir/kbrebanov.osquery ] && ln -s ansible-osquery $rolesdir/kbrebanov.osquery
|
|
||||||
[ ! -e $rolesdir/kbrebanov.osquery ] && cp -R $rolesdir/ansible-osquery $rolesdir/kbrebanov.osquery
|
|
||||||
|
|
||||||
## don't stop build on this script return code
|
|
||||||
true
|
|
||||||
|
|
@ -1,10 +1,14 @@
|
|||||||
---
|
---
|
||||||
# handlers file for osquery
|
- name: Enable and start the service
|
||||||
|
systemd:
|
||||||
|
name: osqueryd
|
||||||
|
enabled: true
|
||||||
|
state: restarted
|
||||||
|
listen: restart osquery
|
||||||
|
|
||||||
- name: restart osquery
|
- name: Enable and start the service
|
||||||
# service: name=osqueryd state=restarted
|
systemd:
|
||||||
## for rocksdb backend
|
name: rsyslog
|
||||||
shell: "systemctl stop osqueryd; sleep 5; systemctl start osqueryd"
|
enabled: true
|
||||||
|
state: restarted
|
||||||
- name: restart rsyslog
|
listen: restart rsyslog
|
||||||
service: name=rsyslog state=restarted
|
|
||||||
|
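Review bot: Both new handlers carry the same `name: Enable and start the service` (one for osqueryd, one for rsyslog); Ansible keys handlers by name, so a `notify: Enable and start the service` would reach only one of them, and the play output cannot tell the two restarts apart. Give them distinct names, e.g. `- name: Restart osqueryd` and `- name: Restart rsyslog`, keeping the `listen:` topics as they are. The removed osquery handler stopped the daemon with a pause `## for rocksdb backend`; if that pause was still needed, `state: restarted` drops it. The rsyslog handler no longer appears to have a notifier in the tasks shown on this page (the rsyslog pipe task was removed with the old configure file), so it may be dead code.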
@ -1,120 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
- name: check if osquery is present
|
|
||||||
stat: path=/etc/osquery
|
|
||||||
register: hasOsquery
|
|
||||||
- block:
|
|
||||||
- name: ensure directories exist
|
|
||||||
file:
|
|
||||||
dest: "{{ item.d }}"
|
|
||||||
state: directory
|
|
||||||
mode: "{{ item.m }}"
|
|
||||||
with_items:
|
|
||||||
- { d: '/var/log/osquery', m: '0755' }
|
|
||||||
- name: push extra osquery packs file
|
|
||||||
template:
|
|
||||||
src: "{{ item }}.conf.j2"
|
|
||||||
dest: "/usr/share/osquery/packs/{{ item | basename }}.conf"
|
|
||||||
backup: yes
|
|
||||||
with_items: "{{ osquery_upload_packs }}"
|
|
||||||
notify:
|
|
||||||
- restart osquery
|
|
||||||
- debug: var=osquery_packs
|
|
||||||
- name: configure osquery
|
|
||||||
template:
|
|
||||||
src: "{{ osquery_template }}"
|
|
||||||
dest: /etc/osquery/osquery.conf
|
|
||||||
mode: '0644'
|
|
||||||
backup: yes
|
|
||||||
validate: 'osqueryi --config_path %s --config_check --verbose'
|
|
||||||
# validate: 'egrep -v '^\s*//' %s | tee /tmp/a | python -mjson.tool'
|
|
||||||
notify:
|
|
||||||
- restart osquery
|
|
||||||
- name: "ensure osquery var dir exists"
|
|
||||||
file:
|
|
||||||
state: "directory"
|
|
||||||
path: "/var/osquery"
|
|
||||||
- name: "express the osquery secret to disk"
|
|
||||||
lineinfile:
|
|
||||||
path: "/etc/osquery/osquery_enroll_secret"
|
|
||||||
line: "{{ osquery_enroll_secret }}"
|
|
||||||
state: present
|
|
||||||
owner: "root"
|
|
||||||
group: "root"
|
|
||||||
mode: "0600"
|
|
||||||
create: true
|
|
||||||
when:
|
|
||||||
- osquery_enroll_secret is defined
|
|
||||||
- name: configure osquery flags
|
|
||||||
template:
|
|
||||||
src: "osquery.flags.j2"
|
|
||||||
dest: /etc/osquery/osquery.flags
|
|
||||||
mode: '0644'
|
|
||||||
backup: yes
|
|
||||||
notify:
|
|
||||||
- restart osquery
|
|
||||||
- name: re-validate whole osquery config
|
|
||||||
command: 'osqueryi --config_path /etc/osquery/osquery.conf --config_check --verbose'
|
|
||||||
changed_when: false
|
|
||||||
register: confcheck
|
|
||||||
failed_when: "'error' in confcheck.stdout or 'fail' in confcheck.stdout"
|
|
||||||
- block:
|
|
||||||
- name: ensure logrotate package is present
|
|
||||||
package:
|
|
||||||
name: logrotate
|
|
||||||
state: present
|
|
||||||
- name: add logrotate configuration for osquery log
|
|
||||||
template:
|
|
||||||
src: logrotate-osquery.j2
|
|
||||||
dest: /etc/logrotate.d/osquery
|
|
||||||
mode: '0644'
|
|
||||||
backup: yes
|
|
||||||
validate: 'logrotate -dv %s'
|
|
||||||
when: osquery_logrotate
|
|
||||||
- name: ensure service is enabled and started
|
|
||||||
service: name=osqueryd state=started enabled=yes
|
|
||||||
- set_fact:
|
|
||||||
monit_osqueryd: true
|
|
||||||
when: hasOsquery.stat.exists
|
|
||||||
|
|
||||||
## FIXME! warnings like (from packs/incident-response.conf)
|
|
||||||
#virtual_table.cpp:484] The shell_history table returns data based on the current user by default, consider JOINing against the users table
|
|
||||||
# but still apply with
|
|
||||||
# SELECT s.uid,s.time,s.command,s.history_file FROM shell_history s JOIN users USING (uid) limit 10;
|
|
||||||
|
|
||||||
- block:
|
|
||||||
- name: review inotify sysctl settings for osquery
|
|
||||||
sysctl: name="{{ item.n }}" value="{{ item.v }}" sysctl_set=yes state=present reload=yes
|
|
||||||
with_items:
|
|
||||||
- { n: 'fs.inotify.max_user_watches', v: '524288' }
|
|
||||||
- { n: 'fs.inotify.max_user_instances', v: '256' }
|
|
||||||
- { n: 'fs.inotify.max_queued_events', v: '32768' }
|
|
||||||
when: osquery_fim and not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker"))
|
|
||||||
|
|
||||||
## ensure no auditd at the same time
|
|
||||||
## https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
|
|
||||||
- block:
|
|
||||||
- name: ensure auditd is not present
|
|
||||||
package: name="{{ _osquery_auditd_pkg }}" state=absent
|
|
||||||
when: osquery_process_auditing
|
|
||||||
|
|
||||||
- name: get rsyslog version
|
|
||||||
command: "rsyslogd -v | awk -F'[ ,]' '/rsyslogd/ { print $2 }'"
|
|
||||||
environment:
|
|
||||||
PATH: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
|
|
||||||
changed_when: false
|
|
||||||
register: rsyslog_v
|
|
||||||
|
|
||||||
- block:
|
|
||||||
- name: setup rsyslog pipe for osquery communication
|
|
||||||
template:
|
|
||||||
src: osquery-rsyslog.conf.j2
|
|
||||||
dest: /etc/rsyslog.d/90-osquery.conf
|
|
||||||
mode: '0644'
|
|
||||||
backup: yes
|
|
||||||
notify:
|
|
||||||
- restart rsyslog
|
|
||||||
when: osquery_rsyslog
|
|
||||||
|
|
||||||
- include: syslog-target.yml
|
|
||||||
when: osquery_syslog_target != ''
|
|
@ -1,69 +1,32 @@
|
|||||||
---
|
---
|
||||||
# tasks file for osquery
|
- name: Gather variables for each operating system
|
||||||
|
include_vars: "{{ item }}"
|
||||||
- name: Include distribution specific variables
|
with_first_found:
|
||||||
include_vars: "{{ ansible_distribution }}.yml"
|
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
|
||||||
|
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
|
||||||
|
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
|
||||||
|
- "{{ ansible_distribution | lower }}.yml"
|
||||||
|
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
|
||||||
|
- "{{ ansible_os_family | lower }}.yml"
|
||||||
tags:
|
tags:
|
||||||
- osquery
|
- always
|
||||||
- name: Include version-specific variables for RedHat
|
|
||||||
include_vars: "CentOS-{{ ansible_distribution_version.split('.')[0] }}.yml"
|
|
||||||
when: ansible_os_family == "RedHat"
|
|
||||||
|
|
||||||
- include: CentOS.yml
|
- include_tasks: "osquery_{{ ansible_pkg_mgr }}.yml"
|
||||||
when: ansible_os_family == "RedHat"
|
|
||||||
tags:
|
|
||||||
- osquery
|
|
||||||
|
|
||||||
- include: Debian.yml
|
- name: Install osquery
|
||||||
when: ansible_os_family == "Debian"
|
|
||||||
tags:
|
|
||||||
- osquery
|
|
||||||
|
|
||||||
- block:
|
|
||||||
- name: Install osquery
|
|
||||||
package:
|
package:
|
||||||
name: "{{ item }}"
|
name: "{{ osquery_packages }}"
|
||||||
state: present
|
state: present
|
||||||
with_items: "{{ osquery_packages }}"
|
|
||||||
tags:
|
|
||||||
- osquery
|
|
||||||
|
|
||||||
- name: Install osquery debug packages
|
- name: Install osquery debug packages
|
||||||
package:
|
package:
|
||||||
name: "{{ item }}"
|
name: "{{ item }}"
|
||||||
state: present
|
state: present
|
||||||
with_items: "{{ osquery_debug_packages }}"
|
with_items: "{{ osquery_debug_packages }}"
|
||||||
when: osquery_debug_packages_install
|
when:
|
||||||
tags:
|
- osquery_debug_packages_install | bool
|
||||||
- osquery
|
|
||||||
|
|
||||||
- include: configure.yml
|
- include: osquery_configure.yml
|
||||||
tags:
|
tags:
|
||||||
- osquery
|
- osquery
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: Enable service
|
|
||||||
service: name=osqueryd enabled={{ osquery_service_enable }}
|
|
||||||
tags:
|
|
||||||
- osquery
|
|
||||||
- service
|
|
||||||
- name: Start service
|
|
||||||
service: name=osqueryd state=started
|
|
||||||
when: osquery_service_enable
|
|
||||||
tags:
|
|
||||||
- osquery
|
|
||||||
- service
|
|
||||||
|
|
||||||
- meta: flush_handlers
|
|
||||||
|
|
||||||
- name: pause a bit to have few queries results
|
|
||||||
command: sleep 5
|
|
||||||
changed_when: false
|
|
||||||
when: osquery_testing_pause or osquery_testing
|
|
||||||
|
|
||||||
- include: testing.yml
|
|
||||||
when: osquery_testing
|
|
||||||
|
|
||||||
- include: profiling.yml
|
|
||||||
when: osquery_profiling
|
|
||||||
when: ansible_os_family == "RedHat" or ansible_distribution == "Ubuntu" or ansible_distribution == "Debian"
|
|
||||||
|
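Review bot: Tagging is now inconsistent across the file: `include_tasks: "osquery_{{ ansible_pkg_mgr }}.yml"` and the two install tasks carry no tags, while `- include: osquery_configure.yml` keeps `osquery`/`config` and the variable task is `always`, so a run limited with `--tags osquery` skips repository setup and package installation and then tries to configure and validate with `osqueryi` on a host where it may not be installed. Either tag the install steps as well (`tags: [osquery]`) or drop the tags consistently; mixing the deprecated `include:` with `include_tasks:` in the same file is also worth settling one way. With the `Enable service`/`Start service` tasks and `meta: flush_handlers` removed, osqueryd is now started only through the `restart osquery` handler, i.e. when a configuration task reports a change, so a host where the service was stopped but the config is unchanged will not be brought back up by this role.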
@ -1,10 +1,7 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
# tasks file for osquery (Debian, Ubuntu specific)
|
|
||||||
|
|
||||||
- name: Ensure dirmngr is present for apt-key
|
- name: Ensure dirmngr is present for apt-key
|
||||||
package:
|
package:
|
||||||
name: dirmngr
|
name: "{{ osquery_required_packages }}"
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Download osquery APT key
|
- name: Download osquery APT key
|
||||||
@ -16,14 +13,6 @@
|
|||||||
tags:
|
tags:
|
||||||
- osquery
|
- osquery
|
||||||
|
|
||||||
- name: Ensure apt-transport-https is installed
|
|
||||||
become: yes
|
|
||||||
apt:
|
|
||||||
name: apt-transport-https
|
|
||||||
state: present
|
|
||||||
tags:
|
|
||||||
- osquery
|
|
||||||
|
|
||||||
- name: Configure osquery APT repository
|
- name: Configure osquery APT repository
|
||||||
become: yes
|
become: yes
|
||||||
apt_repository:
|
apt_repository:
|
88
osquery/roles/osquery/tasks/osquery_configure.yml
@ -0,0 +1,88 @@
|
|||||||
|
---
|
||||||
|
- name: Ensure directories exist
|
||||||
|
file:
|
||||||
|
dest: "/var/osquery"
|
||||||
|
state: directory
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
|
- name: Ensure target syslog dir exists
|
||||||
|
file:
|
||||||
|
dest: "/var/log/osquery"
|
||||||
|
state: directory
|
||||||
|
mode: "{{ varlog_mode }}"
|
||||||
|
group: "{{ varlog_group }}"
|
||||||
|
|
||||||
|
- name: Push extra osquery packs file
|
||||||
|
template:
|
||||||
|
src: "{{ item }}.conf.j2"
|
||||||
|
dest: "/usr/share/osquery/packs/{{ item | basename }}.conf"
|
||||||
|
backup: yes
|
||||||
|
with_items: "{{ osquery_upload_packs }}"
|
||||||
|
notify:
|
||||||
|
- restart osquery
|
||||||
|
|
||||||
|
- name: Print osquery packs
|
||||||
|
debug: var=osquery_packs
|
||||||
|
|
||||||
|
- name: Configure osquery
|
||||||
|
template:
|
||||||
|
src: "{{ osquery_template }}"
|
||||||
|
dest: /etc/osquery/osquery.conf
|
||||||
|
mode: '0644'
|
||||||
|
backup: yes
|
||||||
|
validate: 'osqueryi --config_path %s --config_check --verbose'
|
||||||
|
notify:
|
||||||
|
- restart osquery
|
||||||
|
|
||||||
|
- name: Express the osquery secret to disk
|
||||||
|
lineinfile:
|
||||||
|
path: "/etc/osquery/osquery_enroll_secret"
|
||||||
|
line: "{{ osquery_enroll_secret }}"
|
||||||
|
state: present
|
||||||
|
owner: "root"
|
||||||
|
group: "root"
|
||||||
|
mode: "0600"
|
||||||
|
create: true
|
||||||
|
notify:
|
||||||
|
- restart osquery
|
||||||
|
when:
|
||||||
|
- osquery_enroll_secret is defined
|
||||||
|
|
||||||
|
- name: Configure osquery flags
|
||||||
|
template:
|
||||||
|
src: "osquery.flags.j2"
|
||||||
|
dest: /etc/osquery/osquery.flags
|
||||||
|
mode: '0644'
|
||||||
|
backup: yes
|
||||||
|
notify:
|
||||||
|
- restart osquery
|
||||||
|
|
||||||
|
- name: Re-validate whole osquery config
|
||||||
|
command: 'osqueryi --config_path /etc/osquery/osquery.conf --config_check --verbose'
|
||||||
|
changed_when: false
|
||||||
|
register: confcheck
|
||||||
|
failed_when: "'error' in confcheck.stdout or 'fail' in confcheck.stdout"
|
||||||
|
|
||||||
|
- name: Add logrotate configuration for osquery log
|
||||||
|
copy:
|
||||||
|
src: logrotate-osquery
|
||||||
|
dest: /etc/logrotate.d/osquery
|
||||||
|
mode: '0644'
|
||||||
|
backup: yes
|
||||||
|
|
||||||
|
- name: Review inotify sysctl settings for osquery
|
||||||
|
sysctl:
|
||||||
|
name: "{{ item.n }}"
|
||||||
|
value: "{{ item.v }}"
|
||||||
|
sysctl_set: yes
|
||||||
|
state: present
|
||||||
|
reload: yes
|
||||||
|
sysctl_file: /etc/sysctl.d/99-osquery.conf
|
||||||
|
failed_when: false
|
||||||
|
with_items:
|
||||||
|
- n: 'fs.inotify.max_user_watches'
|
||||||
|
v: 524288
|
||||||
|
- n: 'fs.inotify.max_user_instances'
|
||||||
|
v: 256
|
||||||
|
- n: 'fs.inotify.max_queued_events'
|
||||||
|
v: 32768
|
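Review bot: `Express the osquery secret to disk` writes the enrollment secret with `lineinfile` and `state: present`, which appends rather than replaces: after the secret is rotated the file holds both the old and the new line, so the retired value stays on disk and the file content is no longer just the current secret. The task also has no `no_log: true`, so the secret shows up in `-v`/`--diff` output and in any callback log. A `copy` with `content:` makes the file exactly the current secret and is easier to audit. Further down, the `sysctl` task's `failed_when: false` silently masks a failed inotify change, which degrades FIM with no signal; consider narrowing it to the container case the old code tested for via `ansible_virtualization_type`, and `Add logrotate configuration for osquery log` dropped the `validate: 'logrotate -dv %s'` the template task had.
```yaml
- name: Express the osquery secret to disk
  copy:
    content: "{{ osquery_enroll_secret }}"
    dest: "/etc/osquery/osquery_enroll_secret"
    owner: "root"
    group: "root"
    mode: "0600"
  no_log: true
  notify:
    - restart osquery
  when:
    - osquery_enroll_secret is defined

# … unchanged: flags template, config re-validation, logrotate copy, sysctl tasks …
```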
1
osquery/roles/osquery/tasks/osquery_dnf.yml
@ -0,0 +1 @@
|
|||||||
|
osquery_yum.yml
|
@ -1,14 +1,12 @@
|
|||||||
---
|
---
|
||||||
# tasks file for osquery (CentOS specific)
|
|
||||||
|
|
||||||
- name: Install osquery repository key
|
|
||||||
rpm_key:
|
|
||||||
state: present
|
|
||||||
key: "{{ _osquery_repositorykey }}"
|
|
||||||
|
|
||||||
- name: Install osquery repository
|
- name: Install osquery repository
|
||||||
get_url:
|
get_url:
|
||||||
url: "{{ _osquery_repository }}"
|
url: "{{ _osquery_repository }}"
|
||||||
dest: "/etc/yum.repos.d/{{ _osquery_repository | basename }}"
|
dest: "/etc/yum.repos.d/{{ _osquery_repository | basename }}"
|
||||||
mode: '0644'
|
mode: '0644'
|
||||||
backup: yes
|
backup: yes
|
||||||
|
|
||||||
|
- name: Install osquery repository key
|
||||||
|
rpm_key:
|
||||||
|
state: present
|
||||||
|
key: "{{ _osquery_repositorykey }}"
|
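Review bot: `rpm_key` on the new side imports whatever `_osquery_repositorykey` resolves to without pinning its fingerprint, and `get_url` writes the repo file without a `checksum:`, so both are remote fetches trusted on content alone and the signing trust of every later package install hinges on that URL being served correctly. If the Ansible version in use supports it, `fingerprint:` on `rpm_key` pins the key (the value belongs in the vars file next to `_osquery_repositorykey`); otherwise at least record the expected fingerprint in a comment beside the variable so it can be checked. Reordering so that the repo file lands before the key is harmless since neither task installs a package.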
@ -1,27 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
- name: get source repository for profiling tools
|
|
||||||
git:
|
|
||||||
repo: https://github.com/facebook/osquery.git
|
|
||||||
dest: /root/osquery
|
|
||||||
|
|
||||||
- name: ensure profiling dependencies are present - pkg
|
|
||||||
package:
|
|
||||||
name: "{{ item }}"
|
|
||||||
state: present
|
|
||||||
with_items:
|
|
||||||
- python-pip
|
|
||||||
- name: ensure profiling dependencies are present - pip
|
|
||||||
pip:
|
|
||||||
name: "{{ item }}"
|
|
||||||
state: present
|
|
||||||
with_items:
|
|
||||||
- psutil
|
|
||||||
- name: profiling
|
|
||||||
command: "./tools/analysis/profile.py --config {{ osquery_profiling_conf }} --shell /usr/bin/osqueryi --count 1 --rounds 4"
|
|
||||||
args:
|
|
||||||
chdir: /root/osquery
|
|
||||||
changed_when: false
|
|
||||||
register: perf
|
|
||||||
- debug: var=perf.stdout_lines
|
|
||||||
|
|
@ -1,19 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
- name: Ensure target syslog dir exists
|
|
||||||
file:
|
|
||||||
dest: "{{ item }}"
|
|
||||||
state: directory
|
|
||||||
mode: "{{ varlog_mode }}"
|
|
||||||
group: "{{ varlog_group }}"
|
|
||||||
with_items: "{{ osquery_syslog_dirs }}"
|
|
||||||
|
|
||||||
- name: setup rsyslog to send osquery logs to a specific target
|
|
||||||
template:
|
|
||||||
src: rsyslog-osquery-target.conf.j2
|
|
||||||
dest: /etc/rsyslog.d/30-osquery-target.conf
|
|
||||||
mode: '0644'
|
|
||||||
backup: yes
|
|
||||||
validate: 'rsyslogd -d -N 1 -f %s'
|
|
||||||
notify:
|
|
||||||
- restart rsyslog
|
|
@ -1,40 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
- block:
|
|
||||||
- name: systemd | check service status
|
|
||||||
command: "systemctl status osqueryd -l"
|
|
||||||
changed_when: false
|
|
||||||
register: systemctl
|
|
||||||
- debug: var=systemctl.stdout_lines
|
|
||||||
when: ansible_service_mgr == "systemd"
|
|
||||||
- block:
|
|
||||||
- name: service | check service status
|
|
||||||
command: "service osqueryd status"
|
|
||||||
changed_when: false
|
|
||||||
register: service
|
|
||||||
- debug: var=service.stdout_lines
|
|
||||||
when: ansible_service_mgr != "systemd"
|
|
||||||
|
|
||||||
- block:
|
|
||||||
- name: fallocate big file
|
|
||||||
command: "fallocate -l {{ osquery_testing_fim_load_bigger }} /etc/testing-big-file"
|
|
||||||
args:
|
|
||||||
creates: /etc/testing-big-file
|
|
||||||
- name: creation of many small files
|
|
||||||
command: "split -b {{ osquery_testing_fim_load_smaller }} /etc/testing-big-file testing-"
|
|
||||||
args:
|
|
||||||
chdir: /etc
|
|
||||||
creates: /etc/testing-big-aa
|
|
||||||
- name: clean up
|
|
||||||
shell: find /etc/ -name 'testing-*' -exec rm {} \;
|
|
||||||
ignore_errors: true
|
|
||||||
# more diverse load? openssl speed, stress...
|
|
||||||
- name: retrieve log results
|
|
||||||
command: "{{ item }}"
|
|
||||||
with_items:
|
|
||||||
- head -20 /var/log/osquery/osqueryd.results.log
|
|
||||||
- tail -20 /var/log/osquery/osqueryd.results.log
|
|
||||||
ignore_errors: true
|
|
||||||
changed_when: false
|
|
||||||
register: log
|
|
||||||
when: osquery_testing_fim_load
|
|
@ -1,34 +0,0 @@
|
|||||||
#include <tunables/global>
|
|
||||||
|
|
||||||
/usr/bin/osqueryd {
|
|
||||||
#include <abstractions/base>
|
|
||||||
#include <abstractions/lxc/container-base>
|
|
||||||
#include <abstractions/lxc/start-container>
|
|
||||||
|
|
||||||
/etc/host.conf r,
|
|
||||||
/etc/hosts r,
|
|
||||||
/etc/nsswitch.conf r,
|
|
||||||
/etc/osquery/osquery.conf r,
|
|
||||||
/etc/osquery/osquery.flags r,
|
|
||||||
/proc/** rw,
|
|
||||||
/proc/cpuinfo r,
|
|
||||||
/root/osqueryd.*.root.log.ERROR.* w,
|
|
||||||
/root/osqueryd.*.root.log.INFO.* w,
|
|
||||||
/root/osqueryd.*.root.log.WARNING.* w,
|
|
||||||
/run/osqueryd.pidfile w,
|
|
||||||
/run/resolvconf/resolv.conf r,
|
|
||||||
/run/utmp r,
|
|
||||||
/sys/devices/** r,
|
|
||||||
/sys/firmware/dmi/tables/DMI r,
|
|
||||||
/tmp/* w,
|
|
||||||
/tmp/user/0/osqueryd.*.root.log.ERROR.* w,
|
|
||||||
/tmp/user/0/osqueryd.*.root.log.INFO.* w,
|
|
||||||
/tmp/user/0/osqueryd.*.root.log.WARNING.* w,
|
|
||||||
/usr/bin/osqueryd Px,
|
|
||||||
/usr/share/osquery/packs/* r,
|
|
||||||
/var/log/osquery/* w,
|
|
||||||
/var/osquery/osquery.db/ rw,
|
|
||||||
/var/osquery/osquery.db/* rw,
|
|
||||||
/var/tmp/* rw,
|
|
||||||
|
|
||||||
}
|
|
@ -1,39 +0,0 @@
|
|||||||
{{ ansible_managed | comment('plain', decoration='## ') }}
|
|
||||||
## /etc/logrotate.d/osquery
|
|
||||||
/var/log/osquery/osqueryd.results.log {
|
|
||||||
rotate {{ osquery_logrotate_days|int }}
|
|
||||||
daily
|
|
||||||
missingok
|
|
||||||
notifempty
|
|
||||||
delaycompress
|
|
||||||
compress
|
|
||||||
create 640 root adm
|
|
||||||
sharedscripts
|
|
||||||
}
|
|
||||||
{% if osquery_syslog_target is defined and osquery_syslog_target != '' and '/var/log/' in osquery_syslog_target %}
|
|
||||||
{{ osquery_syslog_target }} {
|
|
||||||
rotate {{ osquery_logrotate_days|int }}
|
|
||||||
daily
|
|
||||||
missingok
|
|
||||||
notifempty
|
|
||||||
delaycompress
|
|
||||||
compress
|
|
||||||
create 640 root adm
|
|
||||||
sharedscripts
|
|
||||||
# Ubuntu: parent directory has insecure permissions (It's world writable or writable by group which is not "root")
|
|
||||||
su root {{ osquery_syslog_dir_group | default(varlog_group) }}
|
|
||||||
}
|
|
||||||
{% endif %}
|
|
||||||
{% if osquery_syslog_target2 is defined and osquery_syslog_target2 != '' and '/var/log/' in osquery_syslog_target2 %}
|
|
||||||
{{ osquery_syslog_target2 }} {
|
|
||||||
rotate {{ osquery_logrotate_days|int }}
|
|
||||||
daily
|
|
||||||
missingok
|
|
||||||
notifempty
|
|
||||||
delaycompress
|
|
||||||
compress
|
|
||||||
create 640 root adm
|
|
||||||
sharedscripts
|
|
||||||
su root {{ osquery_syslog_dir_group2 | default(varlog_group) }}
|
|
||||||
}
|
|
||||||
{% endif %}
|
|
@ -1,6 +0,0 @@
|
|||||||
template(
|
|
||||||
name="OsqueryCsvFormat"
|
|
||||||
type="string"
|
|
||||||
string="%timestamp:::date-rfc3339,csv%,%hostname:::csv%,%syslogseverity:::csv%,%syslogfacility-text:::csv%,%syslogtag:::csv%,%msg:::csv%\n"
|
|
||||||
)
|
|
||||||
*.* action(type="ompipe" Pipe="/var/osquery/syslog_pipe" template="OsqueryCsvFormat")
|
|
@ -67,7 +67,7 @@
|
|||||||
{% else %}
|
{% else %}
|
||||||
"interval": 3600
|
"interval": 3600
|
||||||
{% endif %}
|
{% endif %}
|
||||||
}{% if osquery_fim or osquery_process_auditing %},{% endif %}
|
}{% if osquery_fim %},{% endif %}
|
||||||
|
|
||||||
{% if osquery_fim %}
|
{% if osquery_fim %}
|
||||||
"fim" : {
|
"fim" : {
|
||||||
@ -75,19 +75,8 @@
|
|||||||
"query": "select * from file_events;",
|
"query": "select * from file_events;",
|
||||||
"removed": false,
|
"removed": false,
|
||||||
"interval": {% if osquery_testing_fim_load %}30{% else %}{{ osquery_fim_interval }}{% endif %}
|
"interval": {% if osquery_testing_fim_load %}30{% else %}{{ osquery_fim_interval }}{% endif %}
|
||||||
}{% if osquery_process_auditing %},{% endif %}
|
|
||||||
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if osquery_process_auditing %}
|
|
||||||
"process_events":{
|
|
||||||
"query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';",
|
|
||||||
"interval": {{ osquery_process_interval }}
|
|
||||||
},
|
|
||||||
"socket_events":{
|
|
||||||
"query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');",
|
|
||||||
"interval": {{ osquery_socket_interval }}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
},
|
},
|
||||||
|
|
||||||
|
@ -1,6 +0,0 @@
|
|||||||
/usr/bin/osqueryd -- gen_context(system_u:object_r:osquery_exec_t,s0)
|
|
||||||
/etc/osquery(/.*)? -- gen_context(system_u:object_r:osquery_conf_t,s0)
|
|
||||||
/usr/share/osquery/packs(/.*)? -- gen_context(system_u:object_r:osquery_conf_t,s0)
|
|
||||||
/var/log/osquery(/.*)? -- gen_context(system_u:object_r:osquery_log_t,s0)
|
|
||||||
/var/osquery/osquery.em -- gen_context(system_u:object_r:osquery_sock_t,s0)
|
|
||||||
/usr/lib/systemd/system/osqueryd.service -- gen_context(system_u:object_r:osquery_unit_file_t,s0)
|
|
@ -2,15 +2,5 @@
|
|||||||
{% for flag in osquery_flags %}
|
{% for flag in osquery_flags %}
|
||||||
{{ flag }}
|
{{ flag }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% if osquery_process_auditing %}
|
--logger_path=/var/log/osquery
|
||||||
--disable_audit=false
|
--logger_plugin=filesystem
|
||||||
--audit_allow_config=true
|
|
||||||
--audit_persist=true
|
|
||||||
--audit_allow_sockets
|
|
||||||
{% endif %}
|
|
||||||
{% if osquery_rsyslog %}
|
|
||||||
--enable_syslog
|
|
||||||
{% endif %}
|
|
||||||
{% if osquery_syslog_target != '' and osquery_syslog_target_facility_osqueryconf != '' %}
|
|
||||||
--logger_syslog_facility={{ osquery_syslog_target_facility_osqueryconf }}
|
|
||||||
{% endif %}
|
|
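Review bot: The two new lines `--logger_path=/var/log/osquery` and `--logger_plugin=filesystem` are emitted after the `{% for flag in osquery_flags %}` loop, so a user-supplied `--logger_plugin=tls` in `osquery_flags` is followed by the hard-coded value, and `osquery_logger_plugin` in defaults no longer influences this file at all. Emit the fixed flags before the loop and derive the plugin from the variable, `--logger_plugin={{ osquery_logger_plugin }}`, or document that the logger flags are now fixed. Which value osquery keeps when a flag is repeated is not something this hunk shows, so the ordering assumption should be confirmed before relying on it.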
@ -1,27 +0,0 @@
|
|||||||
{{ ansible_managed | comment('plain', decoration='## ') }}
|
|
||||||
check process osqueryd
|
|
||||||
with pidfile "/var/run/osqueryd.pid"
|
|
||||||
group system
|
|
||||||
group osqueryd
|
|
||||||
{% if ansible_service_mgr == 'systemd' %}
|
|
||||||
start program = "/bin/systemctl start ssh" with timeout 60 seconds
|
|
||||||
stop program = "/bin/systemctl stop ssh"
|
|
||||||
{% else %}
|
|
||||||
start program = "/etc/init.d/ssh start" with timeout 60 seconds
|
|
||||||
stop program = "/etc/init.d/ssh stop"
|
|
||||||
{% endif %}
|
|
||||||
if cpu > 90% for 15 cycles then alert
|
|
||||||
if totalmem > 90% for 15 cycles then alert
|
|
||||||
if loadavg(15min) greater than 10 for 50 cycles then alert
|
|
||||||
if 5 restarts with 5 cycles then alert
|
|
||||||
depends on osqueryd_binary
|
|
||||||
depends on osqueryd_conf
|
|
||||||
|
|
||||||
check file osqueryd_binary
|
|
||||||
with path /usr/bin/osqueryd
|
|
||||||
group osqueryd
|
|
||||||
if failed checksum then alert
|
|
||||||
|
|
||||||
check file osqueryd_conf with path /etc/osquery/osquery.conf
|
|
||||||
include /etc/monit/templates/rootrc
|
|
||||||
group osqueryd
|
|
@ -1,16 +0,0 @@
|
|||||||
{% if osquery_syslog_target is defined and osquery_syslog_target != '' %}
|
|
||||||
{{ osquery_syslog_target_facility_syslogconf }}.* {{ osquery_syslog_target }}
|
|
||||||
{% if rsyslog_v.stdout is defined and rsyslog_v.stdout is version_compare('8.0', '<') %}
|
|
||||||
& ~
|
|
||||||
{% else %}
|
|
||||||
& stop
|
|
||||||
{% endif %}
|
|
||||||
{% endif %}
|
|
||||||
{% if osquery_syslog_target2 is defined and osquery_syslog_target2 != '' %}
|
|
||||||
if $programname == 'osqueryd' then {{ osquery_syslog_target2 }}
|
|
||||||
{% if rsyslog_v.stdout is defined and rsyslog_v.stdout is version_compare('8.0', '<') %}
|
|
||||||
& ~
|
|
||||||
{% else %}
|
|
||||||
& stop
|
|
||||||
{% endif %}
|
|
||||||
{% endif %}
|
|
@ -1,14 +0,0 @@
|
|||||||
#!/usr/bin/env bats
|
|
||||||
#
|
|
||||||
|
|
||||||
#
|
|
||||||
# Idempotence test
|
|
||||||
# from https://github.com/neillturner/kitchen-ansible/issues/92
|
|
||||||
#
|
|
||||||
|
|
||||||
@test "Second run should change nothing" {
|
|
||||||
skip "service module issue"
|
|
||||||
run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
|
|
||||||
[ "$status" -eq 0 ]
|
|
||||||
}
|
|
||||||
|
|
@ -1,43 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
- hosts: all
|
|
||||||
#- hosts: test-kitchen
|
|
||||||
vars:
|
|
||||||
- mysql_root_password: 'Toor=2017.'
|
|
||||||
- kolide_mysql_root_pass: "{{ mysql_root_password }}"
|
|
||||||
- mysql_databases:
|
|
||||||
- name: "{{ kolide_mysql_db }}"
|
|
||||||
- mysql_users:
|
|
||||||
- name: "{{ kolide_mysql_user }}"
|
|
||||||
host: "localhost"
|
|
||||||
#host: "%"
|
|
||||||
password: "{{ kolide_mysql_pass }}"
|
|
||||||
priv: "{{ kolide_mysql_db }}.*:ALL"
|
|
||||||
- mysql_enablerepo: epel
|
|
||||||
- osquery_flags:
|
|
||||||
- '--enroll_secret_path=/etc/osquery/osquery_enroll_secret'
|
|
||||||
- "--tls_server_certs={{ ssl_dir }}/{{ ansible_fqdn }}.crt"
|
|
||||||
- '--tls_hostname=acme.kolide.co:8080'
|
|
||||||
- '--host_identifier=hostname'
|
|
||||||
- '--enroll_tls_endpoint=/api/v1/osquery/enroll'
|
|
||||||
- '--config_plugin=tls'
|
|
||||||
- '--config_tls_endpoint=/api/v1/osquery/config'
|
|
||||||
- '--config_tls_refresh=10'
|
|
||||||
- '--disable_distributed=false'
|
|
||||||
- '--distributed_plugin=tls'
|
|
||||||
- '--distributed_interval=10'
|
|
||||||
- '--distributed_tls_max_attempts=3'
|
|
||||||
- '--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read'
|
|
||||||
- '--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write'
|
|
||||||
- '--logger_plugin=tls'
|
|
||||||
pre_tasks:
|
|
||||||
- name: map acme.kolide.co to localhost
|
|
||||||
lineinfile:
|
|
||||||
dest: /etc/hosts
|
|
||||||
line: 127.0.0.1 acme.kolide.co
|
|
||||||
ignore_errors: true
|
|
||||||
roles:
|
|
||||||
- { role: geerlingguy.mysql, when: ansible_os_family == 'Debian' }
|
|
||||||
- juju4.kolide
|
|
||||||
- kbrebanov.osquery
|
|
||||||
|
|
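--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ /dev/null
@@ -1,8 +0,0 @@
-source 'https://rubygems.org'
-
-gem 'serverspec'
-gem 'rake'
-## for junit output and jenkins support
-## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
-#gem 'yarjuf'
-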
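--- a/PATH_NOT_SHOWN_ON_PAGE_3
+++ /dev/null
@@ -1,9 +0,0 @@
-require 'rake'
-require 'rspec/core/rake_task'
-
-RSpec::Core::RakeTask.new(:spec) do |t|
-t.pattern = '*_spec.rb'
-end
-
-task :default => :spec
-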
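--- a/PATH_NOT_SHOWN_ON_PAGE_4
+++ /dev/null
@@ -1,59 +0,0 @@
-require 'serverspec'
-
-# Required by serverspec
-set :backend, :exec
-
-describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do
-## mostly exclude for docker/systemd distributions
-it { should be_enabled }
-end
-describe service('osqueryd') do
-it { should be_running }
-end
-
-describe file('/usr/bin/osqueryd') do
-it { should be_executable }
-end
-describe file('/usr/bin/osqueryi') do
-it { should be_executable }
-end
-
-describe file('/etc/osquery/osquery.conf') do
-it { should contain '"config_plugin":' }
-it { should contain '"packs": {' }
-it { should contain '"filesystem"' }
-end
-
-describe process("osqueryd") do
-its(:user) { should eq "root" }
-its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ }
-its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ }
-end
-
-#describe file('/var/log/osquery/osqueryd.INFO') do
-# it { should be_symlink }
-# its(:content) { should match /Log line format:/ }
-#end
-#describe file('/var/log/osquery/osqueryd.WARNING') do
-# it { should be_symlink }
-# its(:content) { should match /Log line format:/ }
-# its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
-#end
-#describe file('/var/log/osquery/osqueryd.results.log') do
-# it { should be_file }
-## its(:content) { should match /hostIdentifier/ }
-# let(:sudo_options) { '-u root -H' }
-#end
-
-describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do
-its(:stdout) { should match /osqueryd is already running/ }
-its(:exit_status) { should eq 0 }
-end
-describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do
-its(:stdout) { should match /active \(running\)/ }
-its(:exit_status) { should eq 0 }
-end
-describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do
-its(:stdout) { should match /active \(running\)/ }
-its(:exit_status) { should eq 0 }
-end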
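--- a/PATH_NOT_SHOWN_ON_PAGE_5
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh -x
-## get consistent ruby2+bundler env on each distribution
-
-location=`dirname "$0"`
-cd $location
-v=2.3
-
-## docker environment in travis missing few utils
-[ -f /etc/debian_version ] && apt-get install -y curl
-[ -f /etc/redhat-release ] && yum -y install which
-
-curl -sSL https://get.rvm.io | bash
-#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
-#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
-
-## troubleshoot
-type rvm | head -1
-env
-
-#export PATH=/usr/local/rvm/bin:$PATH
-
-bash -l -c "rvm install $v"
-bash -l -c "rvm use $v"
-bash -l -c "rvm use $v --default"
-bash -l -c "gem install bundler"
-bash -l -c "bundle install --path ./gems"
-if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
-bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
-else
-bash -l -c "bundle exec rake spec"
-fi
-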
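--- a/PATH_NOT_SHOWN_ON_PAGE_6
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/usr/bin/env bats
-#
-
-#
-# Idempotence test
-# from https://github.com/neillturner/kitchen-ansible/issues/92
-#
-
-@test "Second run should change nothing" {
-skip "service module issue"
-run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
-[ "$status" -eq 0 ]
-}
-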
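--- a/PATH_NOT_SHOWN_ON_PAGE_7
+++ /dev/null
@@ -1,17 +0,0 @@
----
-
-- hosts: all
-#- hosts: test-kitchen
-vars:
-- osquery_flags:
-- '--logger_plugin=filesystem,syslog'
-- osquery_logger_plugin: 'filesystem,syslog'
-- osquery_syslog_target: '/var/log/osquery_syslog-results.log'
-- osquery_syslog_target2: '/var/log/osquery_syslog-prog.log'
-- osquery_testing: true
-- osquery_syslog_dirs:
-- /var/log
-- osquery_testing_pause: true
-roles:
-- kbrebanov.osquery
-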
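--- a/PATH_NOT_SHOWN_ON_PAGE_8
+++ /dev/null
@@ -1,8 +0,0 @@
-source 'https://rubygems.org'
-
-gem 'serverspec'
-gem 'rake'
-## for junit output and jenkins support
-## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
-#gem 'yarjuf'
-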
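--- a/PATH_NOT_SHOWN_ON_PAGE_9
+++ /dev/null
@@ -1,9 +0,0 @@
-require 'rake'
-require 'rspec/core/rake_task'
-
-RSpec::Core::RakeTask.new(:spec) do |t|
-t.pattern = '*_spec.rb'
-end
-
-task :default => :spec
-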
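--- a/PATH_NOT_SHOWN_ON_PAGE_10
+++ /dev/null
@@ -1,59 +0,0 @@
-require 'serverspec'
-
-# Required by serverspec
-set :backend, :exec
-
-describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do
-## mostly exclude for docker/systemd distributions
-it { should be_enabled }
-end
-describe service('osqueryd') do
-it { should be_running }
-end
-
-describe file('/usr/bin/osqueryd') do
-it { should be_executable }
-end
-describe file('/usr/bin/osqueryi') do
-it { should be_executable }
-end
-
-describe file('/etc/osquery/osquery.conf') do
-it { should contain '"config_plugin":' }
-it { should contain '"packs": {' }
-it { should contain '"filesystem,syslog"' }
-end
-
-describe process("osqueryd") do
-its(:user) { should eq "root" }
-its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ }
-its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ }
-end
-
-describe file('/var/log/osquery/osqueryd.INFO') do
-it { should be_symlink }
-its(:content) { should match /Log line format:/ }
-end
-describe file('/var/log/osquery/osqueryd.WARNING') do
-it { should be_symlink }
-its(:content) { should match /Log line format:/ }
-its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
-end
-describe file('/var/log/osquery/osqueryd.results.log') do
-it { should be_file }
-# its(:content) { should match /hostIdentifier/ }
-let(:sudo_options) { '-u root -H' }
-end
-
-describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do
-its(:stdout) { should match /osqueryd is already running/ }
-its(:exit_status) { should eq 0 }
-end
-describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do
-its(:stdout) { should match /active \(running\)/ }
-its(:exit_status) { should eq 0 }
-end
-describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do
-its(:stdout) { should match /active \(running\)/ }
-its(:exit_status) { should eq 0 }
-end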
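--- a/PATH_NOT_SHOWN_ON_PAGE_11
+++ /dev/null
@@ -1,18 +0,0 @@
-require 'serverspec'
-
-# Required by serverspec
-set :backend, :exec
-
-describe file('/var/log/osquery_syslog-prog.log') do
-it { should be_file }
-# its(:content) { should match /osqueryd: osqueryd started \[version=/ }
-its(:content) { should_not match /Rocksdb open failed \(5:0\) IO error:/ }
-end
-describe file('/var/log/osquery_syslog-results.log') do
-it { should be_file }
-its(:content) { should match /hostIdentifier/ }
-# its(:content) { should match /pack/ }
-# its(:content) { should match /message=Executing scheduled query system_info:/ }
-its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
-let(:sudo_options) { '-u root -H' }
-end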
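--- a/PATH_NOT_SHOWN_ON_PAGE_12
+++ /dev/null
@@ -1,47 +0,0 @@
-require 'serverspec'
-
-# Required by serverspec
-set :backend, :exec
-
-describe service('rsyslog'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') || (os[:family] == 'redhat' && os[:release] != '7') do
-it { should be_enabled }
-end
-describe service('rsyslog') do
-it { should be_running }
-end
-
-describe file('/usr/sbin/rsyslogd') do
-it { should be_executable }
-end
-
-describe process("rsyslogd"), :if => os[:family] == 'ubuntu' do
-its(:user) { should eq "syslog" }
-end
-describe process("rsyslogd"), :if => os[:family] == 'redhat' do
-its(:user) { should eq "root" }
-end
-
-describe file('/var/log'), :if => os[:family] == 'ubuntu' do
-it { should be_directory }
-it { should be_mode 775 }
-it { should be_owned_by 'root' }
-it { should be_grouped_into 'syslog' }
-# it { should be_writable.by('group') }
-it { should be_writable.by_user('syslog') }
-end
-describe file('/var/log'), :if => os[:family] == 'redhat' do
-it { should be_directory }
-it { should be_mode 755 }
-it { should be_owned_by 'root' }
-it { should be_grouped_into 'root' }
-# it { should be_writable.by('group') }
-end
-
-describe file('/var/log/syslog'), :if => os[:family] == 'ubuntu' do
-it { should be_file }
-end
-
-describe file('/var/log/messages'), :if => os[:family] == 'redhat' do
-it { should be_file }
-end
-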
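--- a/PATH_NOT_SHOWN_ON_PAGE_13
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh -x
-## get consistent ruby2+bundler env on each distribution
-
-location=`dirname "$0"`
-cd $location
-v=2.3
-
-## docker environment in travis missing few utils
-[ -f /etc/debian_version ] && apt-get install -y curl
-[ -f /etc/redhat-release ] && yum -y install which
-
-curl -sSL https://get.rvm.io | bash
-#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
-#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
-
-## troubleshoot
-type rvm | head -1
-env
-
-#export PATH=/usr/local/rvm/bin:$PATH
-
-bash -l -c "rvm install $v"
-bash -l -c "rvm use $v"
-bash -l -c "rvm use $v --default"
-bash -l -c "gem install bundler"
-bash -l -c "bundle install --path ./gems"
-if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
-bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
-else
-bash -l -c "bundle exec rake spec"
-fi
-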
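--- a/PATH_NOT_SHOWN_ON_PAGE_14
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/usr/bin/env bats
-#
-
-#
-# Idempotence test
-# from https://github.com/neillturner/kitchen-ansible/issues/92
-#
-
-@test "Second run should change nothing" {
-skip "service module issue"
-run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
-[ "$status" -eq 0 ]
-}
-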
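--- a/PATH_NOT_SHOWN_ON_PAGE_15
+++ /dev/null
@@ -1,17 +0,0 @@
----
-
-- hosts: all
-#- hosts: test-kitchen
-vars:
-# - osquery_flags:
-# - '--logger_plugin=syslog'
-- osquery_logger_plugin: 'syslog'
-- osquery_syslog_target: '/var/log/osquery_syslog-results.log'
-- osquery_syslog_target2: '/var/log/osquery_syslog-prog.log'
-- osquery_testing: true
-- osquery_syslog_dirs:
-- /var/log
-- osquery_testing_pause: true
-roles:
-- kbrebanov.osquery
-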
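--- a/PATH_NOT_SHOWN_ON_PAGE_16
+++ /dev/null
@@ -1,8 +0,0 @@
-source 'https://rubygems.org'
-
-gem 'serverspec'
-gem 'rake'
-## for junit output and jenkins support
-## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
-#gem 'yarjuf'
-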
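--- a/PATH_NOT_SHOWN_ON_PAGE_17
+++ /dev/null
@@ -1,9 +0,0 @@
-require 'rake'
-require 'rspec/core/rake_task'
-
-RSpec::Core::RakeTask.new(:spec) do |t|
-t.pattern = '*_spec.rb'
-end
-
-task :default => :spec
-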
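--- a/PATH_NOT_SHOWN_ON_PAGE_18
+++ /dev/null
@@ -1,44 +0,0 @@
-require 'serverspec'
-
-# Required by serverspec
-set :backend, :exec
-
-describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do
-## mostly exclude for docker/systemd distributions
-it { should be_enabled }
-end
-describe service('osqueryd') do
-it { should be_running }
-end
-
-describe file('/usr/bin/osqueryd') do
-it { should be_executable }
-end
-describe file('/usr/bin/osqueryi') do
-it { should be_executable }
-end
-
-describe file('/etc/osquery/osquery.conf') do
-it { should contain '"config_plugin":' }
-it { should contain '"packs": {' }
-it { should contain '"syslog"' }
-end
-
-describe process("osqueryd") do
-its(:user) { should eq "root" }
-its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ }
-its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ }
-end
-
-describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do
-its(:stdout) { should match /osqueryd is already running/ }
-its(:exit_status) { should eq 0 }
-end
-describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do
-its(:stdout) { should match /active \(running\)/ }
-its(:exit_status) { should eq 0 }
-end
-describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do
-its(:stdout) { should match /active \(running\)/ }
-its(:exit_status) { should eq 0 }
-end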
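--- a/PATH_NOT_SHOWN_ON_PAGE_19
+++ /dev/null
@@ -1,27 +0,0 @@
-require 'serverspec'
-
-# Required by serverspec
-set :backend, :exec
-
-describe file('/var/log/osquery_syslog-prog.log') do
-it { should be_file }
-# its(:content) { should match /osqueryd: osqueryd started \[version=/ }
-its(:content) { should match /Executing scheduled query system_info:/ }
-its(:content) { should_not match /Rocksdb open failed \(5:0\) IO error:/ }
-its(:content) { should_not match /osqueryd initialize failed: Could not initialize database/ }
-end
-describe file('/var/log/osquery_syslog-results.log') do
-it { should be_file }
-its(:content) { should match /hostIdentifier/ }
-# its(:content) { should match /pack/ }
-its(:content) { should match /message=Executing scheduled query system_info:/ }
-its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
-let(:sudo_options) { '-u root -H' }
-end
-
-describe command('journalctl -l') do
-its(:stdout) { should match /osqueryd/ }
-its(:stdout) { should match /Executing scheduled query system_info:/ }
-its(:stdout) { should match /hostIdentifier/ }
-its(:exit_status) { should eq 0 }
-end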
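--- a/PATH_NOT_SHOWN_ON_PAGE_20
+++ /dev/null
@@ -1,47 +0,0 @@
-require 'serverspec'
-
-# Required by serverspec
-set :backend, :exec
-
-describe service('rsyslog'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') || (os[:family] == 'redhat' && os[:release] != '7') do
-it { should be_enabled }
-end
-describe service('rsyslog') do
-it { should be_running }
-end
-
-describe file('/usr/sbin/rsyslogd') do
-it { should be_executable }
-end
-
-describe process("rsyslogd"), :if => os[:family] == 'ubuntu' do
-its(:user) { should eq "syslog" }
-end
-describe process("rsyslogd"), :if => os[:family] == 'redhat' do
-its(:user) { should eq "root" }
-end
-
-describe file('/var/log'), :if => os[:family] == 'ubuntu' do
-it { should be_directory }
-it { should be_mode 775 }
-it { should be_owned_by 'root' }
-it { should be_grouped_into 'syslog' }
-# it { should be_writable.by('group') }
-it { should be_writable.by_user('syslog') }
-end
-describe file('/var/log'), :if => os[:family] == 'redhat' do
-it { should be_directory }
-it { should be_mode 755 }
-it { should be_owned_by 'root' }
-it { should be_grouped_into 'root' }
-# it { should be_writable.by('group') }
-end
-
-describe file('/var/log/syslog'), :if => os[:family] == 'ubuntu' do
-it { should be_file }
-end
-
-describe file('/var/log/messages'), :if => os[:family] == 'redhat' do
-it { should be_file }
-end
-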
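--- a/PATH_NOT_SHOWN_ON_PAGE_21
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh -x
-## get consistent ruby2+bundler env on each distribution
-
-location=`dirname "$0"`
-cd $location
-v=2.3
-
-## docker environment in travis missing few utils
-[ -f /etc/debian_version ] && apt-get install -y curl
-[ -f /etc/redhat-release ] && yum -y install which
-
-curl -sSL https://get.rvm.io | bash
-#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
-#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
-
-## troubleshoot
-type rvm | head -1
-env
-
-#export PATH=/usr/local/rvm/bin:$PATH
-
-bash -l -c "rvm install $v"
-bash -l -c "rvm use $v"
-bash -l -c "rvm use $v --default"
-bash -l -c "gem install bundler"
-bash -l -c "bundle install --path ./gems"
-if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
-bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
-else
-bash -l -c "bundle exec rake spec"
-fi
-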
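--- a/PATH_NOT_SHOWN_ON_PAGE_22
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/usr/bin/env bats
-#
-
-#
-# Idempotence test
-# from https://github.com/neillturner/kitchen-ansible/issues/92
-#
-
-@test "Second run should change nothing" {
-skip "service module issue"
-run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
-[ "$status" -eq 0 ]
-}
-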
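--- a/PATH_NOT_SHOWN_ON_PAGE_23
+++ /dev/null
@@ -1,11 +0,0 @@
----
-
-- hosts: all
-#- hosts: test-kitchen
-vars:
-- osquery_testing: true
-- osquery_profiling: true
-- osquery_testing_fim_load: true
-roles:
-- kbrebanov.osquery
-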
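--- a/PATH_NOT_SHOWN_ON_PAGE_24
+++ /dev/null
@@ -1,8 +0,0 @@
-source 'https://rubygems.org'
-
-gem 'serverspec'
-gem 'rake'
-## for junit output and jenkins support
-## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
-#gem 'yarjuf'
-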
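--- a/PATH_NOT_SHOWN_ON_PAGE_25
+++ /dev/null
@@ -1,9 +0,0 @@
-require 'rake'
-require 'rspec/core/rake_task'
-
-RSpec::Core::RakeTask.new(:spec) do |t|
-t.pattern = '*_spec.rb'
-end
-
-task :default => :spec
-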
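--- a/PATH_NOT_SHOWN_ON_PAGE_26
+++ /dev/null
@@ -1,17 +0,0 @@
-require 'serverspec'
-
-# Required by serverspec
-set :backend, :exec
-
-describe file('/var/log/osquery/osqueryd.results.log') do
-it { should contain '"system_info",' }
-it { should contain '"physical_memory":' }
-it { should contain '"target_path":"\/etc\/testing-big-file"' }
-it { should contain '"target_path":"\/etc\/testing-aa"' }
-it { should contain '"target_path":"\/etc\/testing-zz' }
-it { should contain '"action":"CREATED"' }
-it { should contain '"action":"UPDATED"' }
-it { should contain '"action":"DELETED"' }
-it { should_not contain '"target_path":"\/tmp\/' }
-it { should_not contain '"target_path":"\/var\/' }
-end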
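--- a/PATH_NOT_SHOWN_ON_PAGE_27
+++ /dev/null
@@ -1,59 +0,0 @@
-require 'serverspec'
-
-# Required by serverspec
-set :backend, :exec
-
-describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do
-## mostly exclude for docker/systemd distributions
-it { should be_enabled }
-end
-describe service('osqueryd') do
-it { should be_running }
-end
-
-describe file('/usr/bin/osqueryd') do
-it { should be_executable }
-end
-describe file('/usr/bin/osqueryi') do
-it { should be_executable }
-end
-
-describe file('/etc/osquery/osquery.conf') do
-it { should contain '"config_plugin":' }
-it { should contain '"packs": {' }
-it { should contain '"filesystem"' }
-end
-
-describe process("osqueryd") do
-its(:user) { should eq "root" }
-its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ }
-its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ }
-end
-
-describe file('/var/log/osquery/osqueryd.INFO') do
-it { should be_symlink }
-its(:content) { should match /Log line format:/ }
-end
-describe file('/var/log/osquery/osqueryd.WARNING') do
-it { should be_symlink }
-its(:content) { should match /Log line format:/ }
-its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
-end
-describe file('/var/log/osquery/osqueryd.results.log') do
-it { should be_file }
-# its(:content) { should match /hostIdentifier/ }
-let(:sudo_options) { '-u root -H' }
-end
-
-describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do
-its(:stdout) { should match /osqueryd is already running/ }
-its(:exit_status) { should eq 0 }
-end
-describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do
-its(:stdout) { should match /active \(running\)/ }
-its(:exit_status) { should eq 0 }
-end
-describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do
-its(:stdout) { should match /active \(running\)/ }
-its(:exit_status) { should eq 0 }
-end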
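--- a/PATH_NOT_SHOWN_ON_PAGE_28
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh -x
-## get consistent ruby2+bundler env on each distribution
-
-location=`dirname "$0"`
-cd $location
-v=2.3
-
-## docker environment in travis missing few utils
-[ -f /etc/debian_version ] && apt-get install -y curl
-[ -f /etc/redhat-release ] && yum -y install which
-
-curl -sSL https://get.rvm.io | bash
-#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
-#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
-
-## troubleshoot
-type rvm | head -1
-env
-
-#export PATH=/usr/local/rvm/bin:$PATH
-
-bash -l -c "rvm install $v"
-bash -l -c "rvm use $v"
-bash -l -c "rvm use $v --default"
-bash -l -c "gem install bundler"
-bash -l -c "bundle install --path ./gems"
-if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
-bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
-else
-bash -l -c "bundle exec rake spec"
-fi
-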
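--- a/PATH_NOT_SHOWN_ON_PAGE_29
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/usr/bin/env bats
-#
-
-#
-# Idempotence test
-# from https://github.com/neillturner/kitchen-ansible/issues/92
-#
-
-@test "Second run should change nothing" {
-skip "service module issue"
-run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
-[ "$status" -eq 0 ]
-}
-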
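--- a/PATH_NOT_SHOWN_ON_PAGE_30
+++ /dev/null
@@ -1,7 +0,0 @@
----
-
-- hosts: all
-#- hosts: test-kitchen
-roles:
-- kbrebanov.osquery
-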
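--- a/PATH_NOT_SHOWN_ON_PAGE_31
+++ /dev/null
@@ -1,8 +0,0 @@
-source 'https://rubygems.org'
-
-gem 'serverspec'
-gem 'rake'
-## for junit output and jenkins support
-## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
-#gem 'yarjuf'
-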
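--- a/PATH_NOT_SHOWN_ON_PAGE_32
+++ /dev/null
@@ -1,9 +0,0 @@
-require 'rake'
-require 'rspec/core/rake_task'
-
-RSpec::Core::RakeTask.new(:spec) do |t|
-t.pattern = '*_spec.rb'
-end
-
-task :default => :spec
-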
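--- a/PATH_NOT_SHOWN_ON_PAGE_33
+++ /dev/null
@@ -1,59 +0,0 @@
-require 'serverspec'
-
-# Required by serverspec
-set :backend, :exec
-
-describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do
-## mostly exclude for docker/systemd distributions
-it { should be_enabled }
-end
-describe service('osqueryd') do
-it { should be_running }
-end
-
-describe file('/usr/bin/osqueryd') do
-it { should be_executable }
-end
-describe file('/usr/bin/osqueryi') do
-it { should be_executable }
-end
-
-describe file('/etc/osquery/osquery.conf') do
-it { should contain '"config_plugin":' }
-it { should contain '"packs": {' }
-it { should contain '"filesystem"' }
-end
-
-describe process("osqueryd") do
-its(:user) { should eq "root" }
-its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ }
-its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ }
-end
-
-describe file('/var/log/osquery/osqueryd.INFO') do
-it { should be_symlink }
-its(:content) { should match /Log line format:/ }
-end
-describe file('/var/log/osquery/osqueryd.WARNING') do
-it { should be_symlink }
-its(:content) { should match /Log line format:/ }
-its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
-end
-describe file('/var/log/osquery/osqueryd.results.log') do
-it { should be_file }
-# its(:content) { should match /hostIdentifier/ }
-let(:sudo_options) { '-u root -H' }
-end
-
-describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do
-its(:stdout) { should match /osqueryd is already running/ }
-its(:exit_status) { should eq 0 }
-end
-describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do
-its(:stdout) { should match /active \(running\)/ }
-its(:exit_status) { should eq 0 }
-end
-describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do
-its(:stdout) { should match /active \(running\)/ }
-its(:exit_status) { should eq 0 }
-end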
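--- a/PATH_NOT_SHOWN_ON_PAGE_34
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh -x
-## get consistent ruby2+bundler env on each distribution
-
-location=`dirname "$0"`
-cd $location
-v=2.3
-
-## docker environment in travis missing few utils
-[ -f /etc/debian_version ] && apt-get install -y curl
-[ -f /etc/redhat-release ] && yum -y install which
-
-curl -sSL https://get.rvm.io | bash
-#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
-#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
-
-## troubleshoot
-type rvm | head -1
-env
-
-#export PATH=/usr/local/rvm/bin:$PATH
-
-bash -l -c "rvm install $v"
-bash -l -c "rvm use $v"
-bash -l -c "rvm use $v --default"
-bash -l -c "gem install bundler"
-bash -l -c "bundle install --path ./gems"
-if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
-bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
-else
-bash -l -c "bundle exec rake spec"
-fi
-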
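--- a/PATH_NOT_SHOWN_ON_PAGE_35
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/sh
-# add ssh to default lxd image
-
-image=centos-7
-guest=default-$image
-template="$image"-nossh
-publishalias="$image"
-
-lxc init $template $guest
-lxc start $guest
-openssl rand -base64 48 | perl -ne 'print "$_" x2' | lxc exec $guest -- passwd root
-
-lxc exec $guest -- dhclient eth0
-lxc exec $guest -- ping -c 1 8.8.8.8
-lxc exec $guest -- yum update
-lxc exec $guest -- yum -y upgrade
-lxc exec $guest -- yum install -y openssh-server sudo ruby yum-utils
-lxc exec $guest -- systemctl enable sshd
-lxc exec $guest -- systemctl start sshd
-lxc exec $guest -- mkdir /root/.ssh || true
-lxc exec $guest -- gem install busser
-
-lxc stop $guest --force
-lxc publish $guest --alias $publishalias
-lxc delete $guest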
@ -1,9 +0,0 @@
|
|||||||
FROM alpine:3.4
|
|
||||||
RUN apk update
|
|
||||||
|
|
||||||
# Install Ansible
|
|
||||||
RUN apk add git ansible python python-dev py-pip
|
|
||||||
RUN mkdir /etc/ansible
|
|
||||||
|
|
||||||
# Install Ansible inventory file
|
|
||||||
RUN (echo "[local]"; echo "localhost ansible_connection=local") > /etc/ansible/hosts
|
|
@ -1,15 +0,0 @@
|
|||||||
FROM centos:6
|
|
||||||
|
|
||||||
# Install Ansible
|
|
||||||
RUN yum -y update; yum clean all;
|
|
||||||
RUN yum -y install epel-release
|
|
||||||
RUN yum -y install git ansible sudo python-pip
|
|
||||||
RUN yum clean all
|
|
||||||
|
|
||||||
# Disable requiretty
|
|
||||||
RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers
|
|
||||||
|
|
||||||
# Install Ansible inventory file
|
|
||||||
RUN echo -e '[local]\nlocalhost ansible_connection=local' > /etc/ansible/hosts
|
|
||||||
|
|
||||||
CMD ["/usr/sbin/init"]
|
|
@ -1,29 +0,0 @@
|
|||||||
FROM centos:7
|
|
||||||
|
|
||||||
# Install systemd -- See https://hub.docker.com/_/centos/
|
|
||||||
RUN yum -y swap -- remove fakesystemd -- install systemd systemd-libs
|
|
||||||
RUN yum -y update; yum clean all; \
|
|
||||||
(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
|
|
||||||
rm -f /lib/systemd/system/multi-user.target.wants/*; \
|
|
||||||
rm -f /etc/systemd/system/*.wants/*; \
|
|
||||||
rm -f /lib/systemd/system/local-fs.target.wants/*; \
|
|
||||||
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
|
|
||||||
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
|
|
||||||
rm -f /lib/systemd/system/basic.target.wants/*; \
|
|
||||||
rm -f /lib/systemd/system/anaconda.target.wants/*;
|
|
||||||
|
|
||||||
# Install Ansible
|
|
||||||
RUN yum -y install epel-release
|
|
||||||
RUN yum -y install git sudo python-pip python-devel libffi-devel
|
|
||||||
RUN yum -y groupinstall 'Development Tools'
|
|
||||||
RUN yum clean all
|
|
||||||
|
|
||||||
# Disable requiretty
|
|
||||||
RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers
|
|
||||||
|
|
||||||
# Install Ansible inventory file
|
|
||||||
RUN mkdir /etc/ansible
|
|
||||||
RUN echo -e '[local]\nlocalhost ansible_connection=local' > /etc/ansible/hosts
|
|
||||||
|
|
||||||
VOLUME ["/sys/fs/cgroup"]
|
|
||||||
CMD ["/usr/sbin/init"]
|
|
@ -1,11 +0,0 @@
|
|||||||
FROM debian:8
|
|
||||||
RUN apt-get update
|
|
||||||
|
|
||||||
# Install Ansible
|
|
||||||
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git python sudo python-pip python-dev libffi-dev libssl-dev
|
|
||||||
RUN pip install --upgrade cffi
|
|
||||||
RUN pip install ansible
|
|
||||||
RUN install -d -m 0755 /etc/ansible
|
|
||||||
|
|
||||||
# Install Ansible inventory file
|
|
||||||
RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
|
|
@ -1,12 +0,0 @@
|
|||||||
FROM debian:9
|
|
||||||
RUN apt-get update
|
|
||||||
|
|
||||||
# Install Ansible
|
|
||||||
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git
|
|
||||||
RUN apt-get update
|
|
||||||
RUN apt-get install -y python sudo python-pip python-dev libffi-dev
|
|
||||||
RUN pip install --upgrade setuptools
|
|
||||||
|
|
||||||
RUN mkdir -p /etc/ansible
|
|
||||||
# Install Ansible inventory file
|
|
||||||
RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
|
|
@ -1,11 +0,0 @@
|
|||||||
FROM ubuntu:12.04
|
|
||||||
RUN apt-get update
|
|
||||||
|
|
||||||
# Install Ansible
|
|
||||||
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common python-software-properties git
|
|
||||||
RUN apt-add-repository -y ppa:ansible/ansible
|
|
||||||
RUN apt-get update
|
|
||||||
RUN apt-get install -y ansible python-pip
|
|
||||||
|
|
||||||
# Install Ansible inventory file
|
|
||||||
RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
|
|
@ -1,15 +0,0 @@
|
|||||||
FROM ubuntu:14.04
|
|
||||||
RUN apt-get update
|
|
||||||
|
|
||||||
# Install Ansible
|
|
||||||
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git
|
|
||||||
#RUN apt-add-repository -y ppa:ansible/ansible
|
|
||||||
RUN apt-get update
|
|
||||||
RUN apt-get install -y python-pip python-dev libffi-dev
|
|
||||||
|
|
||||||
COPY initctl_faker .
|
|
||||||
RUN chmod +x initctl_faker && rm -fr /sbin/initctl && ln -s /initctl_faker /sbin/initctl
|
|
||||||
|
|
||||||
# Install Ansible inventory file
|
|
||||||
RUN mkdir /etc/ansible
|
|
||||||
RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
|
|
@ -1,12 +0,0 @@
|
|||||||
FROM ubuntu:16.04
|
|
||||||
RUN apt-get update
|
|
||||||
|
|
||||||
# Install Ansible
|
|
||||||
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git
|
|
||||||
#RUN apt-add-repository -y ppa:ansible/ansible
|
|
||||||
RUN apt-get update
|
|
||||||
RUN apt-get install -y python sudo python-pip python-dev libffi-dev
|
|
||||||
|
|
||||||
# Install Ansible inventory file
|
|
||||||
RUN mkdir /etc/ansible
|
|
||||||
RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
|
|
@ -1,11 +0,0 @@
|
|||||||
FROM ubuntu:18.04
|
|
||||||
RUN apt-get update
|
|
||||||
|
|
||||||
# Install Ansible
|
|
||||||
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git systemd
|
|
||||||
RUN apt-get update
|
|
||||||
RUN apt-get install -y python sudo python-pip python-dev libffi-dev
|
|
||||||
|
|
||||||
# Install Ansible inventory file
|
|
||||||
RUN mkdir /etc/ansible
|
|
||||||
RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts
|
|
@ -1,25 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
## from https://github.com/oxyc/drupal-vm/blob/84b3ad6cf65fb87ac60777c5aca55bb82a45b4aa/tests/initctl_faker
|
|
||||||
ALIAS_CMD="$(echo ""$0"" | sed -e 's?/sbin/??')"
|
|
||||||
|
|
||||||
case "$ALIAS_CMD" in
|
|
||||||
start|stop|restart|reload|status)
|
|
||||||
exec service $1 $ALIAS_CMD
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
case "$1" in
|
|
||||||
list )
|
|
||||||
exec service --status-all
|
|
||||||
;;
|
|
||||||
reload-configuration )
|
|
||||||
exec service $2 restart
|
|
||||||
;;
|
|
||||||
start|stop|restart|reload|status)
|
|
||||||
exec service $2 $1
|
|
||||||
;;
|
|
||||||
\?)
|
|
||||||
exit 0
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
36
osquery/roles/osquery/test/vagrant/Vagrantfile
vendored
36
osquery/roles/osquery/test/vagrant/Vagrantfile
vendored
@ -1,36 +0,0 @@
|
|||||||
# -*- mode: ruby -*-
|
|
||||||
# vi: set ft=ruby :
|
|
||||||
|
|
||||||
VAGRANTFILE_API_VERSION = "2"
|
|
||||||
ENV['VAGRANT_DEFAULT_PROVIDER'] = 'virtualbox'
|
|
||||||
|
|
||||||
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
|
|
||||||
config.vm.box = "ubuntu/bionic64"
|
|
||||||
#config.vm.box = "ubuntu/xenial64"
|
|
||||||
#config.vm.box = "boxcutter/ubuntu1604"
|
|
||||||
#config.vm.box = "ubuntu/trusty64"
|
|
||||||
#config.vm.box = "centos/7"
|
|
||||||
#config.vm.box = "generic/alpine36"
|
|
||||||
|
|
||||||
config.vm.provision :ansible do |ansible|
|
|
||||||
ansible.playbook = "site.yml"
|
|
||||||
#ansible.verbose = "vvvv"
|
|
||||||
#ansible.host_key_checking = false
|
|
||||||
#ansible.limit = 'all'
|
|
||||||
ansible.become = true
|
|
||||||
ansible.extra_vars = { ansible_user: 'vagrant', ansible_python_interpreter: '/usr/bin/python3' }
|
|
||||||
ansible.groups = {
|
|
||||||
"myrole" => ["osquery" ],
|
|
||||||
}
|
|
||||||
end
|
|
||||||
|
|
||||||
config.vm.define "vosquery" do |cfg|
|
|
||||||
cfg.vm.hostname = "vosquery"
|
|
||||||
cfg.vm.provider "virtualbox" do |v|
|
|
||||||
v.memory = 512
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
|
||||||
|
|
@ -1,3 +0,0 @@
|
|||||||
[defaults]
|
|
||||||
callback_whitelist = profile_tasks, timer
|
|
||||||
roles_path = ../../../
|
|
@ -1,6 +0,0 @@
|
|||||||
---
|
|
||||||
|
|
||||||
- hosts: all
|
|
||||||
roles:
|
|
||||||
- kbrebanov.osquery
|
|
||||||
|
|
@ -1 +0,0 @@
|
|||||||
localhost
|
|
@ -1,5 +0,0 @@
|
|||||||
---
|
|
||||||
- hosts: localhost
|
|
||||||
remote_user: root
|
|
||||||
roles:
|
|
||||||
- ansible-osquery
|
|
@ -1,2 +0,0 @@
|
|||||||
---
|
|
||||||
_osquery_auditd_pkg: "audit"
|
|
@ -1,2 +0,0 @@
|
|||||||
---
|
|
||||||
_osquery_auditd_pkg: "audit"
|
|
@ -1,19 +0,0 @@
|
|||||||
---
|
|
||||||
# vars file for osquery (Debian specific)
|
|
||||||
# https://github.com/facebook/osquery/issues/320
|
|
||||||
# https://github.com/facebook/osquery/issues/2321
|
|
||||||
|
|
||||||
osquery_packages:
|
|
||||||
- osquery
|
|
||||||
- rsyslog
|
|
||||||
|
|
||||||
osquery_debug_packages:
|
|
||||||
- osquery-dbg
|
|
||||||
|
|
||||||
_osquery_repository: "{{ osquery_repository | default('deb [arch=amd64] https://pkg.osquery.io/deb deb main') }}"
|
|
||||||
_osquery_repositorykey: "{{ osquery_repositorykey | default('1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B') }}"
|
|
||||||
|
|
||||||
_osquery_auditd_pkg: "auditd"
|
|
||||||
|
|
||||||
varlog_group: syslog
|
|
||||||
varlog_mode: '0775'
|
|
@ -1,2 +0,0 @@
|
|||||||
---
|
|
||||||
_osquery_auditd_pkg: "audit"
|
|
@ -1,2 +0,0 @@
|
|||||||
---
|
|
||||||
_osquery_auditd_pkg: "audit"
|
|
@ -1,17 +0,0 @@
|
|||||||
---
|
|
||||||
# vars file for osquery (CentOS specific)
|
|
||||||
|
|
||||||
osquery_packages:
|
|
||||||
- osquery
|
|
||||||
- rsyslog
|
|
||||||
|
|
||||||
osquery_debug_packages:
|
|
||||||
- osquery-debuginfo
|
|
||||||
|
|
||||||
_osquery_repository: "{{ osquery_repository | default('https://pkg.osquery.io/rpm/osquery-s3-rpm.repo') }}"
|
|
||||||
_osquery_repositorykey: "{{ osquery_repositorykey | default('https://pkg.osquery.io/rpm/GPG') }}"
|
|
||||||
|
|
||||||
_osquery_auditd_pkg: "audit"
|
|
||||||
|
|
||||||
varlog_group: root
|
|
||||||
varlog_mode: '0755'
|
|
@ -1,5 +1,8 @@
|
|||||||
---
|
---
|
||||||
# vars file for osquery (Ubuntu specific)
|
osquery_required_packages:
|
||||||
|
- apt-transport-https
|
||||||
|
- dirmngr
|
||||||
|
- logrotate
|
||||||
|
|
||||||
osquery_packages:
|
osquery_packages:
|
||||||
- osquery
|
- osquery
|
||||||
@ -11,7 +14,5 @@ osquery_debug_packages:
|
|||||||
_osquery_repository: "{{ osquery_repository | default('deb [arch=amd64] https://pkg.osquery.io/deb deb main') }}"
|
_osquery_repository: "{{ osquery_repository | default('deb [arch=amd64] https://pkg.osquery.io/deb deb main') }}"
|
||||||
_osquery_repositorykey: "{{ osquery_repositorykey | default('1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B') }}"
|
_osquery_repositorykey: "{{ osquery_repositorykey | default('1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B') }}"
|
||||||
|
|
||||||
_osquery_auditd_pkg: "auditd"
|
|
||||||
|
|
||||||
varlog_group: syslog
|
varlog_group: syslog
|
||||||
varlog_mode: '0775'
|
varlog_mode: '0775'
|
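Review bot: The new `osquery_required_packages` list gives no reason for any of its entries, and the same hunk drops the file's header comment `# vars file for osquery (Ubuntu specific)`. Because `_osquery_repository` below is an https source and `_osquery_repositorykey` is a bare key fingerprint, the first two entries look like prerequisites for adding the repository and fetching its signing key; I would keep the header and put `# apt-transport-https/dirmngr: needed to add the https repo and fetch its signing key; logrotate: rotates osquery logs` above the list, confirming the dirmngr reason against the task that imports the key. The second hunk of this file removes `_osquery_auditd_pkg`, which is only safe if no task or template still references it — not visible from here. The CentOS vars file below adds the same undocumented `osquery_required_packages` list and drops its header comment in the same way.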
@ -1,6 +0,0 @@
|
|||||||
---
|
|
||||||
# vars file for osquery
|
|
||||||
|
|
||||||
osquery_packages:
|
|
||||||
- osquery
|
|
||||||
- rsyslog
|
|
@ -1,5 +1,6 @@
|
|||||||
---
|
---
|
||||||
# vars file for osquery (CentOS specific)
|
osquery_required_packages:
|
||||||
|
- logrotate
|
||||||
|
|
||||||
osquery_packages:
|
osquery_packages:
|
||||||
- osquery
|
- osquery
|
||||||
@ -11,7 +12,5 @@ osquery_debug_packages:
|
|||||||
_osquery_repository: "{{ osquery_repository | default('https://pkg.osquery.io/rpm/osquery-s3-rpm.repo') }}"
|
_osquery_repository: "{{ osquery_repository | default('https://pkg.osquery.io/rpm/osquery-s3-rpm.repo') }}"
|
||||||
_osquery_repositorykey: "{{ osquery_repositorykey | default('https://pkg.osquery.io/rpm/GPG') }}"
|
_osquery_repositorykey: "{{ osquery_repositorykey | default('https://pkg.osquery.io/rpm/GPG') }}"
|
||||||
|
|
||||||
_osquery_auditd_pkg: "audit"
|
|
||||||
|
|
||||||
varlog_group: root
|
varlog_group: root
|
||||||
varlog_mode: '0755'
|
varlog_mode: '0755'
|
@ -58,7 +58,7 @@
|
|||||||
value: 10
|
value: 10
|
||||||
state: present
|
state: present
|
||||||
reload: "yes"
|
reload: "yes"
|
||||||
sysctl_file: /etc/sysctl.d/99-elasticsearch.conf
|
sysctl_file: /etc/sysctl.d/99-osquery.conf
|
||||||
|
|
||||||
- name: Create tmp osquery dir
|
- name: Create tmp osquery dir
|
||||||
file:
|
file:
|
||||||
|
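Review bot: Renaming the drop-in to `/etc/sysctl.d/99-osquery.conf` leaves the previously written `/etc/sysctl.d/99-elasticsearch.conf` in place on hosts provisioned by the earlier version of this role, so the setting would now come from two files and the stale one would keep applying even after the osquery file is removed. Add a follow-up task, `- name: Remove stale sysctl drop-in` with `file: path=/etc/sysctl.d/99-elasticsearch.conf state=absent`, and notify a sysctl reload if the role has such a handler. The task this hunk edits starts above the hunk, so the key being set is not visible here.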
@ -14,8 +14,6 @@ osquery_debug_packages_install: false
|
|||||||
osquery_config_plugin: 'filesystem'
|
osquery_config_plugin: 'filesystem'
|
||||||
osquery_logger_plugin: 'filesystem'
|
osquery_logger_plugin: 'filesystem'
|
||||||
|
|
||||||
osquery_rsyslog: false
|
|
||||||
|
|
||||||
osquery_flags:
|
osquery_flags:
|
||||||
- "--tls_server_certs={{ kolide_fleet_ssl_cert }}"
|
- "--tls_server_certs={{ kolide_fleet_ssl_cert }}"
|
||||||
- "--tls_hostname={{ hostvars[groups['kolide-fleet_all'][0]]['ansible_host'] }}:443"
|
- "--tls_hostname={{ hostvars[groups['kolide-fleet_all'][0]]['ansible_host'] }}:443"
|
||||||
|
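Review bot: Dropping `osquery_rsyslog: false` from the defaults means any remaining `when: osquery_rsyslog` or template branch would now fail on an undefined variable instead of quietly defaulting to off; this is safe only if the commit also removed every consumer, which this hunk does not show. If rsyslog handling is meant to stay opt-in, keep the default and document it, `osquery_rsyslog: false  # opt-in; see the rsyslog tasks`; if it is gone for good, a search for `osquery_rsyslog` across tasks and templates should come back empty before merging.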