Cleanup the osquery role

This change removes things we don't need and simplifies the task
execution.

Change-Id: I5be516311eaadd634990a4b9006d1ceec4de5847
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
Kevin Carter 2018-10-18 09:52:40 -05:00
parent 569c7557b6
commit c901b0b706
No known key found for this signature in database
GPG Key ID: 9443251A787B9FB3
94 changed files with 163 additions and 2432 deletions


@ -1,70 +0,0 @@
---
driver:
name: docker
## https://github.com/test-kitchen/kitchen-docker/issues/54
use_sudo: false
transport:
name: sftp
provisioner:
name: ansible_playbook
roles_path: ../
hosts: test-kitchen
# ansible_verbose: true
ansible_verbose: false
ansible_verbosity: 3
ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %>
# require_chef_omnibus: false
require_ansible_omnibus: true
# require_chef_for_busser: false
enable_yum_epel: true
ansible_connection: ssh
platforms:
- name: ubuntu-18.04
driver_config:
# https://github.com/test-kitchen/kitchen-docker/issues/285
provision_command: mkdir -p /run/sshd
- name: ubuntu-16.04
## systemd?
driver:
config:
security.privileged: true
- name: ubuntu-14.04
- name: ubuntu-12.04
- name: centos-7
## systemd
driver:
config:
security.privileged: true
### epel mirror issue. see readme
# - name: centos-6
### Ansible 2.2+/cryptography: https://github.com/ansible/ansible/issues/276
# provisioner:
# ansible_version: 2.1.2.0
## tool chain kitchen and image need customization... nok currently
# - name: alpine-3.4
# - name: debian-8
- name: debian-9
suites:
- name: default
run_list:
attributes:
- name: default-osquery-syslog
run_list:
attributes:
- name: default-osquery-syslog-fs
run_list:
attributes:
- name: default-profiling
run_list:
attributes:
includes:
- ubuntu-16.04
- name: default-fleetmanager
run_list:
attributes:
includes:
- ubuntu-16.04


@ -1,57 +0,0 @@
---
# $ KITCHEN_YAML=".kitchen.vagrant.yml" kitchen verify
driver:
name: vagrant
provider: <%= ENV['KITCHEN_PROVIDER'] || 'virtualbox' %>
## make file transfer faster. need https://github.com/coderanger/kitchen-sync
transport:
name: sftp
provisioner:
name: ansible_playbook
roles_path: ../
hosts: test-kitchen
# ansible_verbose: true
ansible_verbose: false
ansible_verbosity: 3
ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %>
platforms:
- name: ubuntu-18.04
- name: ubuntu-16.04
- name: ubuntu-14.04
- name: centos-7.1
## ansible < 2.x
# - name: debian-8
# driver_config:
# box: debian-8
# box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box
- name: debian-9
driver:
box: remram/debian-9-amd64
suites:
- name: default
run_list:
attributes:
- name: default-osquery-syslog
run_list:
attributes:
- name: default-osquery-syslog-fs
run_list:
attributes:
- name: default-profiling
run_list:
attributes:
includes:
- ubuntu-18.04
- name: default-fleetmanager
run_list:
attributes:
includes:
- ubuntu-18.04
driver_config:
network:
- ["forwarded_port", {guest: 8080, host: 9080}]


@ -1,56 +0,0 @@
---
driver:
name: lxd_cli
transport:
name: sftp
provisioner:
name: ansible_playbook
roles_path: ../
hosts: test-kitchen
ansible_verbose: true
# ansible_verbose: false
ansible_verbosity: 2
ansible_extra_flags: <%= ENV['ANSIBLE_EXTRA_FLAGS'] %>
require_ansible_omnibus: true
require_chef_omnibus: false
# require_chef_for_busser: false
enable_yum_epel: true
ansible_connection: ssh
platforms:
- name: ubuntu-18.04
- name: ubuntu-16.04
# - name: ubuntu-14.04
# - name: ubuntu-12.04
- name: centos-7
# - name: centos-6
# - name: alpine-3.7
suites:
- name: default
run_list:
attributes:
- name: default-osquery-syslog
run_list:
attributes:
includes:
- ubuntu-18.04
- centos-7
- name: default-osquery-syslog-fs
run_list:
attributes:
includes:
- ubuntu-18.04
- centos-7
- name: default-profiling
run_list:
attributes:
includes:
- ubuntu-18.04
- name: default-fleetmanager
run_list:
attributes:
includes:
- ubuntu-18.04


@ -1,97 +0,0 @@
---
dist: trusty
sudo: required
rvm:
- 2.4
env:
## those images need pre-configuration before being usable (openssh...)
# - distribution: centos
# version: 6
- distribution: centos
version: 7
suite: default
- distribution: ubuntu
version: 18.04
suite: default
- distribution: ubuntu
version: 16.04
suite: default
# - distribution: ubuntu
# version: 14.04
# - distribution: ubuntu
# version: 12.04
# - distribution: alpine
# version: 3.4
- distribution: centos
version: 7
suite: default-osquery-syslog
- distribution: ubuntu
version: 18.04
suite: default-osquery-syslog
- distribution: centos
version: 7
suite: default-osquery-syslog-fs
- distribution: ubuntu
version: 18.04
suite: default-osquery-syslog-fs
- distribution: ubuntu
version: 18.04
suite: default-profiling
- distribution: ubuntu
version: 18.04
suite: default-fleetmanager
before_install:
- env
- pwd
- find -ls
## use appropriate role path and not github name
- "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh"
## No Xenial, https://github.com/travis-ci/travis-ci/issues/5821
# - sudo apt install lxd
- echo "deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse" | sudo tee /etc/apt/sources.list.d/trusty-backports.list
- sudo apt-get update -qq
- sudo apt -t trusty-backports -y install lxd acl -q
## change of group implies logout+login to apply... can't do with travis = run as root (sic)
## https://github.com/travis-ci/travis-ci/issues/1839 or chain: sudo -E su $USER -c "..."
- sudo usermod -G lxd travis
# Pull container
# - lxc remote add images images.linuxcontainers.org
- sudo -E su $USER -c "lxc remote list"
- sudo -E su $USER -c "lxc image list"
## pre-download base images
- 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] || lxc image copy images:${distribution}/${version}/amd64 local: --alias=${distribution}-${version}-nossh"'
- 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] && lxc image copy ubuntu:${version} local: --alias=${distribution}-${version}" || true'
## configure lxd-bridge
- sudo perl -pi -e 's@^LXD_IPV4_ADDR=""@LXD_IPV4_ADDR="10.252.116.1"@;s@^LXD_IPV4_NETMASK=""@LXD_IPV4_NETMASK="255.255.255.0"@;s@^LXD_IPV4_NETWORK=""@LXD_IPV4_NETWORK="10.252.116.1/24"@;s@^LXD_IPV4_DHCP_RANGE=""@LXD_IPV4_DHCP_RANGE="10.252.116.2,10.252.116.254"@;s@^LXD_IPV4_DHCP_MAX=""@LXD_IPV4_DHCP_MAX="252"@;s@LXD_IPV6_PROXY="true"@LXD_IPV6_PROXY="false"@' /etc/default/lxd-bridge
# - cat /etc/default/lxd-bridge
# - service --status-all
- sudo service lxd restart
- sudo pip install ansible
- gem install kitchen
- gem install kitchen-ansible
- gem install kitchen-sync
- gem install kitchen-lxd_cli
- gem list
- which kitchen
## ssh key for lxd_cli ?
- ls ~/.ssh
- ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -P ""
## sudo/su get us a non-usual PATH ...
- '[ "X${distribution}" == "Xcentos" ] && sudo -E su $USER -c "sh -x ./test/lxd/centos-ssh-image.sh" || true'
- sudo -E su $USER -c "env"
## The command "sudo -E su $USER -c "which kitchen"" failed and exited with 1 during .
# - sudo -E su $USER -c "which kitchen"
- sudo -E su $USER -c "env PATH=$PATH kitchen diagnose --all"
# - sudo -E su $USER -c "kitchen diagnose --all"
# - sudo -E -u $USER kitchen diagnose --all
script:
# - KITCHEN_LOCAL_YAML=.kitchen.local.yml bundle exec kitchen verify ${INSTANCE}
- sudo -E su $USER -c "env PATH=$PATH kitchen verify ${suite}-${distribution}-${version//./} -l debug || (cat $HOME/.kitchen/logs/${suite}-${distribution}-${version//./}.log; find /tmp/kitchen)"
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/


@ -1,160 +0,0 @@
---
## from https://github.com/geerlingguy/ansible-role-apache/blob/master/.travis.yml
sudo: required
env:
# - distribution: centos
# version: 6
# init: /sbin/init
# run_opts: ""
# suite: default
- distribution: centos
version: 7
init: /usr/lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default
ansible_version: 2.5.5
ansible_extra_vars: ""
# - distribution: ubuntu
# version: 18.04
# init: /lib/systemd/systemd
# run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
# suite: default
# ansible_version: 2.5.5
# ansible_extra_vars: ""
- distribution: ubuntu
version: 16.04
init: /lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default
ansible_version: 2.5.5
ansible_extra_vars: ""
# - distribution: ubuntu
# version: 14.04
# init: /sbin/init
# run_opts: ""
# suite: default
# - distribution: ubuntu
# version: 12.04
# init: /sbin/init
# run_opts: ""
# suite: default
# - distribution: alpine
# version: 3.4
# init: /sbin/init
# run_opts: ""
# suite: default
## https://travis-ci.org/juju4/ansible-osquery/jobs/246615342, https://github.com/facebook/osquery/issues/2321
- distribution: debian
version: 9
init: /lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default
ansible_version: 2.5.5
ansible_extra_vars: ""
- distribution: centos
version: 7
init: /usr/lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default-osquery-syslog
ansible_version: 2.5.5
ansible_extra_vars: ""
- distribution: ubuntu
version: 16.04
init: /lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default-osquery-syslog
ansible_version: 2.5.5
ansible_extra_vars: ""
- distribution: centos
version: 7
init: /usr/lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default-osquery-syslog-fs
ansible_version: 2.5.5
ansible_extra_vars: ""
- distribution: ubuntu
version: 16.04
init: /lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default-osquery-syslog-fs
ansible_version: 2.5.5
ansible_extra_vars: ""
- distribution: ubuntu
version: 16.04
init: /lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default-profiling
ansible_version: 2.5.5
ansible_extra_vars: ""
# past ansible version
- distribution: ubuntu
version: 16.04
init: /lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default
ansible_version: 2.4.5
ansible_extra_vars: ""
# upcoming ansible version
- distribution: ubuntu
version: 16.04
init: /lib/systemd/systemd
run_opts: "'--privileged --volume=/sys/fs/cgroup:/sys/fs/cgroup:ro'"
suite: default
ansible_version: 2.6.0rc3
ansible_extra_vars: ""
services:
- docker
before_install:
# - sudo apt-get update
# Pull container
- 'sudo docker pull ${distribution}:${version}'
- env
- pwd
- find -ls
- "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh"
- cp test/travis/initctl_faker test/
# Customize container
- 'sudo docker build --rm=true --file=test/travis/Dockerfile.${distribution}-${version} --tag=${distribution}-${version}:ansible test'
before_script:
- container_id=$(mktemp)
# Run container in detached state
- 'sudo docker run --detach --volume="${PWD%/*}":/etc/ansible/roles:ro ${run_opts} ${distribution}-${version}:ansible "${init}" > "${container_id}"'
- 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm pip install --upgrade pip'
- 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm pip install ansible==${ansible_version}'
- 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible --version'
script:
# Ansible syntax check.
- 'sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/default.yml --syntax-check'
# Test role.
- 'travis_wait 30 sudo docker exec --tty "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/default.yml -vv ${ansible_extra_vars}'
# Test role idempotence.
- >
travis_wait 30 sudo docker exec "$(cat ${container_id})" env TERM=xterm ansible-playbook /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/default.yml ${ansible_extra_vars}
| tee /tmp/idempotency.log
| grep -q 'changed=0.*failed=0'
&& (echo 'Idempotence test: pass' && exit 0)
|| (echo 'Idempotence test: fail' && cat /tmp/idempotency.log && exit 0)
# serverspec tests
## travis/docker: Errno::EROFS: Read-only file system @ dir_s_mkdir - /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/serverspec/.bundle
# - 'sudo docker exec --tty "$(cat ${container_id})" /etc/ansible/roles/kbrebanov.osquery/test/integration/${suite}/serverspec/run-local-tests.sh'
after_failure:
# Check what happened on systemd systems.
- 'docker exec --tty "$(cat ${container_id})" env TERM=xterm systemctl -l --no-pager status osqueryd.service'
- 'docker exec --tty "$(cat ${container_id})" env TERM=xterm journalctl -xe --no-pager'
after_script:
# Clean up
- 'sudo docker stop "$(cat ${container_id})"'
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/


@ -1,71 +0,0 @@
---
## note: can't fully test osquery inside docker as will not be able have kernel /dev/osquery
dist: trusty
sudo: required
rvm:
- 2.4
env:
# - distribution: centos
# version: 6
- distribution: centos
version: 7
suite: default
- distribution: ubuntu
version: 16.04
suite: default
- distribution: ubuntu
version: 14.04
suite: default
# - distribution: ubuntu
# version: 12.04
# - distribution: alpine
# version: 3.4
- distribution: debian
version: 8
suite: default
- distribution: centos
version: 7
suite: default-osquery-syslog
- distribution: ubuntu
version: 16.04
suite: default-osquery-syslog
- distribution: ubuntu
version: 14.04
suite: default-osquery-syslog
- distribution: centos
version: 7
suite: default-osquery-syslog-fs
- distribution: ubuntu
version: 16.04
suite: default-osquery-syslog-fs
- distribution: ubuntu
version: 14.04
suite: default-osquery-syslog-fs
before_install:
- env
- pwd
- find -ls
## use appropriate role path and not github name
- "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh"
- sudo pip install ansible
## need to use chef gem for some reason? BAD PATH https://github.com/chef/chef-dk/issues/15
# - chef gem install kitchen
- gem install kitchen
- gem install kitchen-ansible
- gem install kitchen-sync
- gem install kitchen-docker
- gem list
- which kitchen
- KITCHEN_YAML=.kitchen.docker.yml kitchen diagnose --all
script:
## avoid locale issue under xenial docker, https://github.com/pypa/pip/issues/3575
- export LC_ALL=C.UTF-8
- export LANG=C.UTF-8
- KITCHEN_YAML=.kitchen.docker.yml kitchen verify ${suite}-${distribution}-${version//./}
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/


@ -1,76 +0,0 @@
---
dist: trusty
sudo: required
rvm:
- 2.4
env:
## those images need pre-configuration before being usable (openssh...)
# - distribution: centos
# version: 6
- distribution: centos
version: 7
- distribution: ubuntu
version: 18.04
- distribution: ubuntu
version: 16.04
# - distribution: ubuntu
# version: 14.04
# - distribution: ubuntu
# version: 12.04
# - distribution: alpine
# version: 3.4
before_install:
- env
- pwd
- find -ls
## use appropriate role path and not github name
- "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh"
## No Xenial, https://github.com/travis-ci/travis-ci/issues/5821
# - sudo apt install lxd
- echo "deb http://archive.ubuntu.com/ubuntu trusty-backports main restricted universe multiverse" | sudo tee /etc/apt/sources.list.d/trusty-backports.list
- sudo apt-get update -qq
- sudo apt -t trusty-backports -y install lxd acl -q
## change of group implies logout+login to apply... can't do with travis = run as root (sic)
## https://github.com/travis-ci/travis-ci/issues/1839 or chain: sudo -E su $USER -c "..."
- sudo usermod -G lxd travis
# Pull container
# - lxc remote add images images.linuxcontainers.org
- sudo -E su $USER -c "lxc remote list"
- sudo -E su $USER -c "lxc image list"
## pre-download base images
- 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] || lxc image copy images:${distribution}/${version}/amd64 local: --alias=${distribution}-${version}-nossh"'
- 'sudo -E su $USER -c "[ ${distribution} == ubuntu ] && lxc image copy ubuntu:${version} local: --alias=${distribution}-${version}" || true'
## configure lxd-bridge
- sudo perl -pi -e 's@^LXD_IPV4_ADDR=""@LXD_IPV4_ADDR="10.252.116.1"@;s@^LXD_IPV4_NETMASK=""@LXD_IPV4_NETMASK="255.255.255.0"@;s@^LXD_IPV4_NETWORK=""@LXD_IPV4_NETWORK="10.252.116.1/24"@;s@^LXD_IPV4_DHCP_RANGE=""@LXD_IPV4_DHCP_RANGE="10.252.116.2,10.252.116.254"@;s@^LXD_IPV4_DHCP_MAX=""@LXD_IPV4_DHCP_MAX="252"@;s@LXD_IPV6_PROXY="true"@LXD_IPV6_PROXY="false"@' /etc/default/lxd-bridge
# - cat /etc/default/lxd-bridge
# - service --status-all
- sudo service lxd restart
- sudo pip install ansible
- gem install kitchen
- gem install kitchen-ansible
- gem install kitchen-sync
- gem install kitchen-lxd_cli
- gem list
- which kitchen
## ssh key for lxd_cli ?
- ls ~/.ssh
- ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -P ""
## sudo/su get us a non-usual PATH ...
- '[ "X${distribution}" == "Xcentos" ] && sudo -E su $USER -c "sh -x ./test/lxd/centos-ssh-image.sh" || true'
- sudo -E su $USER -c "env"
## The command "sudo -E su $USER -c "which kitchen"" failed and exited with 1 during .
# - sudo -E su $USER -c "which kitchen"
- sudo -E su $USER -c "env PATH=$PATH kitchen diagnose --all"
# - sudo -E su $USER -c "kitchen diagnose --all"
# - sudo -E -u $USER kitchen diagnose --all
script:
# - KITCHEN_LOCAL_YAML=.kitchen.local.yml bundle exec kitchen verify ${INSTANCE}
- sudo -E su $USER -c "env PATH=$PATH kitchen verify default-${distribution}-${version//./} -l debug || (cat $HOME/.kitchen/logs/default-${distribution}-${version//./}.log; find /tmp/kitchen)"
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/


@ -1,42 +0,0 @@
---
sudo: required
dist: trusty
language: generic
before_install:
- sudo apt-get -qq update
- sudo apt-get install -y python python-pip
install:
# Install ansible
- sudo pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
# Install role dependencies
# ...
script:
# Basic role syntax check
- ansible-playbook tests/test.yml -i tests/inventory --syntax-check
# Run the role/playbook with ansible-playbook
- ansible-playbook tests/test.yml -i tests/inventory --connection=local --become
# Run the role/playbook again, checking to make sure it's idempotent
- >
ansible-playbook tests/test.yml -i tests/inventory --connection=local --become
| grep -q 'changed=0.*failed=0'
&& (echo 'Idempotence test: pass' && exit 0)
|| (echo 'Idempotence test: fail' && exit 1)
# Playbook specific tests
# ...
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/


@ -1,61 +0,0 @@
---
sudo: required
dist: trusty
language: generic
env:
- suite: default
- suite: default-osquery-syslog
- suite: default-osquery-syslog-fs
before_install:
- sudo apt-get -qq update
- sudo apt-get install -y python python-pip
- "[ -f get-dependencies.sh ] && sh -x get-dependencies.sh"
## serverspec test
- sudo apt-get install -qq ruby2.0 rake
- sudo gem2.0 install serverspec
install:
# Install ansible
- sudo pip install ansible
# Check ansible version
- ansible --version
# Create ansible.cfg with correct roles_path
- printf '[defaults]\nroles_path=../' >ansible.cfg
- "echo \"[test-kitchen]\nlocalhost\" > inventory"
- gem2.0 --version
# Install role dependencies
# ...
script:
# Basic role syntax check
- "ansible-playbook -i inventory --syntax-check test/integration/${suite}/default.yml"
# Run the role/playbook with ansible-playbook
- "ansible-playbook -i inventory --connection=local --sudo -vvvv test/integration/${suite}/default.yml"
# Run the role/playbook again, checking to make sure it's idempotent
- >
ansible-playbook -i inventory test/integration/${suite}/default.yml --connection=local --become
| grep -q 'changed=0.*failed=0'
&& (echo 'Idempotence test: pass' && exit 0)
|| (echo 'Idempotence test: fail' && exit 1)
# Playbook specific tests
# - "cd test/integration/${suite}/serverspec/ && bundle exec rake spec"
after_failure:
- "ls -l /var/log/ /var/log/osquery/"
- "sudo cat /var/log/osquery*.log /var/log/osquery/*.log"
- "sudo cat /etc/rsyslog.d/30-osquery-target.conf"
- "sudo systemctl -l status"
- "sudo journalctl -xe --no-pager"
notifications:
webhooks: https://galaxy.ansible.com/api/v1/notifications/


@ -1,59 +0,0 @@
// Work in progress
node {
try{
currentBuild.result = "SUCCESS"
def workspace = pwd()
def directory = "kbrebanov.osquery"
stage 'Clean Workspace'
deleteDir()
stage("Download source and capture commit ID") {
sh "mkdir $directory"
dir("$directory") {
checkout scm
// Get the commit ID
sh 'git rev-parse --verify HEAD > GIT_COMMIT'
git_commit = readFile('GIT_COMMIT').take(7)
echo "Current commit ID: ${git_commit}"
}
}
dir("$directory") {
stage("Get dependencies"){
sh "sh -x get-dependencies.sh"
}
stage("Build and verify 1"){
defaultplatform = sh (
script: '''#!/bin/bash
kitchen list | awk "!/Instance/ {print \\$1; exit}"
''',
returnStdout: true
).trim()
echo "default platform: ${defaultplatform}"
sh "kitchen test ${defaultplatform}"
// must keep instance for security testing after
//sh "kitchen verify ${defaultplatform}"
}
stage("Build and verify all platforms"){
sh "kitchen test"
}
stage("Cleanup if no errors"){
sh "kitchen destroy"
}
}
}
catch(err) {
currentBuild.result = "FAILURE"
throw err
}
}


@ -1,43 +0,0 @@
[![Build Status - Master](https://travis-ci.org/juju4/ansible-osquery.svg?branch=master)](https://travis-ci.org/juju4/ansible-osquery)
[![Build Status - Devel](https://travis-ci.org/juju4/ansible-osquery.svg?branch=devel)](https://travis-ci.org/juju4/ansible-osquery/branches)
osquery
=======
[![Build Status](https://travis-ci.org/kbrebanov/ansible-osquery.svg?branch=master)](https://travis-ci.org/kbrebanov/ansible-osquery)
Installs osquery
Requirements
------------
This role requires Ansible 2.0 or higher.
Role Variables
--------------
None
Dependencies
------------
None
Example Playbook
----------------
Install osquery
```yaml
- hosts: all
roles:
- kbrebanov.osquery
```
License
-------
BSD
Author Information
------------------
Kevin Brebanov


@ -1,14 +1,9 @@
--- ---
# defaults file for osquery # Enable or disable the installation of the osquery debug packages.
osquery_debug_packages_install: false
osquery_service_enable: true
osquery_debug_packages_install: true
## define this if don't want to use upstream ones
#osquery_repository: ''
#osquery_repositorykey: ''
osquery_template: 'osquery.conf.j2' osquery_template: 'osquery.conf.j2'
#osquery_upload_packs: []
osquery_upload_packs: osquery_upload_packs:
- osquery-snapshots-pack - osquery-snapshots-pack
- osquery-monitoring2-pack - osquery-monitoring2-pack
@ -25,9 +20,6 @@ osquery_packs:
osquery_config_plugin: 'filesystem' osquery_config_plugin: 'filesystem'
osquery_logger_plugin: 'filesystem' osquery_logger_plugin: 'filesystem'
#osquery_logger_plugin: 'syslog'
#osquery_logger_plugin: 'filesystem,syslog'
#osquery_logger_plugin: 'tls'
osquery_flags: [] osquery_flags: []
## if using zentral, kolide or else ## if using zentral, kolide or else
## https://github.com/zentralopensource/zentral/blob/f460b10a95d4ea1e515aea3363f55733465d1d9c/zentral/contrib/osquery/deb_script/template.sh ## https://github.com/zentralopensource/zentral/blob/f460b10a95d4ea1e515aea3363f55733465d1d9c/zentral/contrib/osquery/deb_script/template.sh
@ -64,6 +56,7 @@ osquery_fim_filepaths:
- name: etc - name: etc
list: list:
- "/etc/%%" - "/etc/%%"
## Take care if using a lot /tmp. can trigger ## Take care if using a lot /tmp. can trigger
## 'Expiring events for subscriber: file_events (overflowed limit 1000)' ## 'Expiring events for subscriber: file_events (overflowed limit 1000)'
## => losing many queries results (fim or not) ## => losing many queries results (fim or not)
@ -83,16 +76,11 @@ osquery_fim_filepaths:
- name: webroot - name: webroot
list: list:
- "/var/www/%%" - "/var/www/%%"
osquery_fim_excludepaths: osquery_fim_excludepaths:
- name: tmp - name: tmp
list: list:
- /tmp/too_many_events/ - /tmp/too_many_events/
osquery_rsyslog: true
## conflict with auditd. choose one.
## https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
osquery_process_auditing: false
osquery_process_interval: 900
osquery_socket_interval: 900
## queries snapshots: 1/week (or 1/month? nok) ## queries snapshots: 1/week (or 1/month? nok)
## Max interval 1/w: https://github.com/theopolis/osquery/commit/b76dee8a1fddccb500bc4a058daa1b39083b9dbb ## Max interval 1/w: https://github.com/theopolis/osquery/commit/b76dee8a1fddccb500bc4a058daa1b39083b9dbb
@ -100,24 +88,6 @@ osquery_snapshot_interval: 604800
osquery_snapshot_interval2: 604800 osquery_snapshot_interval2: 604800
#osquery_snapshot_interval2: 2592000 #osquery_snapshot_interval2: 2592000
osquery_logrotate: true
osquery_logrotate_days: 90
## https://osquery.readthedocs.io/en/stable/installation/cli-flags/#loggingresults-flags
## per facility
## osquery wants a facility code, while keyword for rsyslog...
osquery_syslog_target_facility_osqueryconf: 19
osquery_syslog_target_facility_syslogconf: local3
osquery_syslog_target: ''
#osquery_syslog_target: '@@10.1.1.100'
## mostly for testing purpose
#osquery_syslog_target: '/var/log/osquery/osquery_syslog.log'
## per programname: mostly query execution log and daemon state. avoid mixing with default syslog messages
#osquery_syslog_target2: ''
osquery_syslog_target2: '/var/log/osquery/osqueryd.log'
osquery_syslog_dirs:
- /var/log/osquery
## making schedule query faster to have logs faster... ## making schedule query faster to have logs faster...
osquery_testing: false osquery_testing: false
osquery_testing_pause: false osquery_testing_pause: false
@ -129,4 +99,3 @@ osquery_profiling: false
## full config might be too long for travis (max 50min) ## full config might be too long for travis (max 50min)
#osquery_profiling_conf: /etc/osquery/osquery.conf #osquery_profiling_conf: /etc/osquery/osquery.conf
osquery_profiling_conf: /usr/share/osquery/packs/incident-response.conf osquery_profiling_conf: /usr/share/osquery/packs/incident-response.conf
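Review bot: Several defaults removed in this section (`osquery_rsyslog`, `osquery_process_auditing`, `osquery_logrotate`, `osquery_syslog_target`, `osquery_syslog_target2`, `osquery_syslog_dirs`) were read by the deleted configure.yml, but the role's templates (`osquery.conf.j2`, `osquery.flags.j2`, `osquery-rsyslog.conf.j2`) are not part of this page, and any remaining `{{ ... }}` reference to one of them now fails at render time with an undefined-variable error rather than degrading quietly. Worth a grep of the templates before merge. The new header comment documents only `osquery_debug_packages_install`; since the file is now the role's public interface, a one-line comment on the other retained knobs would help, e.g. above the `osquery_fim_excludepaths:` block `# Paths excluded from file-integrity monitoring; keep short to avoid event overflow`.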


@ -0,0 +1,12 @@
/var/log/osquery/*.log.log
{
copytruncate
daily
rotate 2
delaycompress
compress
dateext
notifempty
missingok
maxage 5
}
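Review bot: The glob `/var/log/osquery/*.log.log` on the first line looks like an unintended doubled suffix; unless the logger plugin is configured to write files with exactly that name, this stanza matches nothing and the result and snapshot logs under /var/log/osquery grow without bound, which is the failure the `maxage 5` / `rotate 2` settings are meant to prevent. Confirm against the filenames actually produced by the deployed `osquery_logger_plugin`, and if they end in a single `.log` change the pattern to `/var/log/osquery/*.log`. A short header comment would also help a future reader, e.g. `# Rotate osquery result/snapshot logs in place (copytruncate keeps the daemon's open handle valid)`.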


@ -1,22 +0,0 @@
#!/bin/sh
## one script to be used by travis, jenkins, packer...
umask 022
if [ $# != 0 ]; then
rolesdir=$1
else
rolesdir=$(dirname $0)/..
fi
[ ! -d $rolesdir/juju4.redhat-epel ] && git clone https://github.com/juju4/ansible-redhat-epel $rolesdir/juju4.redhat-epel
[ ! -d $rolesdir/geerlingguy.redis ] && git clone https://github.com/juju4/ansible-role-redis.git $rolesdir/geerlingguy.redis
[ ! -d $rolesdir/geerlingguy.mysql ] && git clone https://github.com/geerlingguy/ansible-role-mysql.git $rolesdir/geerlingguy.mysql
[ ! -d $rolesdir/juju4.kolide ] && git clone https://github.com/juju4/ansible-kolide $rolesdir/juju4.kolide
## galaxy naming: kitchen fails to transfer symlink folder
#[ ! -e $rolesdir/kbrebanov.osquery ] && ln -s ansible-osquery $rolesdir/kbrebanov.osquery
[ ! -e $rolesdir/kbrebanov.osquery ] && cp -R $rolesdir/ansible-osquery $rolesdir/kbrebanov.osquery
## don't stop build on this script return code
true


@ -1,10 +1,14 @@
--- ---
# handlers file for osquery - name: Enable and start the service
systemd:
name: osqueryd
enabled: true
state: restarted
listen: restart osquery
- name: restart osquery - name: Enable and start the service
# service: name=osqueryd state=restarted systemd:
## for rocksdb backend name: rsyslog
shell: "systemctl stop osqueryd; sleep 5; systemctl start osqueryd" enabled: true
state: restarted
- name: restart rsyslog listen: restart rsyslog
service: name=rsyslog state=restarted
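Review bot: Both handlers on the new side carry the same `name: Enable and start the service` (the `osqueryd` one and the `rsyslog` one); Ansible keys handlers by name, so ansible-lint flags the duplicate and a `notify` by that name would reach only one of them, even though the `listen:` topics `restart osquery` and `restart rsyslog` still route the existing notifications correctly. Rename them to `- name: Enable and restart osqueryd` and `- name: Enable and restart rsyslog`, which also matches what `state: restarted` does. Note that `enabled: true` inside a handler only takes effect when something notifies it, so on a host where no task reports a change the services are never enabled unless a regular task elsewhere does so (tasks/main.yml is only partly visible here). The replaced shell handler carried the comment `## for rocksdb backend` with a five-second pause between stop and start; `state: restarted` drops that pause, which is presumably fine but worth confirming since the original author considered it necessary.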


@ -1,120 +0,0 @@
---
- name: check if osquery is present
stat: path=/etc/osquery
register: hasOsquery
- block:
- name: ensure directories exist
file:
dest: "{{ item.d }}"
state: directory
mode: "{{ item.m }}"
with_items:
- { d: '/var/log/osquery', m: '0755' }
- name: push extra osquery packs file
template:
src: "{{ item }}.conf.j2"
dest: "/usr/share/osquery/packs/{{ item | basename }}.conf"
backup: yes
with_items: "{{ osquery_upload_packs }}"
notify:
- restart osquery
- debug: var=osquery_packs
- name: configure osquery
template:
src: "{{ osquery_template }}"
dest: /etc/osquery/osquery.conf
mode: '0644'
backup: yes
validate: 'osqueryi --config_path %s --config_check --verbose'
# validate: 'egrep -v '^\s*//' %s | tee /tmp/a | python -mjson.tool'
notify:
- restart osquery
- name: "ensure osquery var dir exists"
file:
state: "directory"
path: "/var/osquery"
- name: "express the osquery secret to disk"
lineinfile:
path: "/etc/osquery/osquery_enroll_secret"
line: "{{ osquery_enroll_secret }}"
state: present
owner: "root"
group: "root"
mode: "0600"
create: true
when:
- osquery_enroll_secret is defined
- name: configure osquery flags
template:
src: "osquery.flags.j2"
dest: /etc/osquery/osquery.flags
mode: '0644'
backup: yes
notify:
- restart osquery
- name: re-validate whole osquery config
command: 'osqueryi --config_path /etc/osquery/osquery.conf --config_check --verbose'
changed_when: false
register: confcheck
failed_when: "'error' in confcheck.stdout or 'fail' in confcheck.stdout"
- block:
- name: ensure logrotate package is present
package:
name: logrotate
state: present
- name: add logrotate configuration for osquery log
template:
src: logrotate-osquery.j2
dest: /etc/logrotate.d/osquery
mode: '0644'
backup: yes
validate: 'logrotate -dv %s'
when: osquery_logrotate
- name: ensure service is enabled and started
service: name=osqueryd state=started enabled=yes
- set_fact:
monit_osqueryd: true
when: hasOsquery.stat.exists
## FIXME! warnings like (from packs/incident-response.conf)
#virtual_table.cpp:484] The shell_history table returns data based on the current user by default, consider JOINing against the users table
# but still apply with
# SELECT s.uid,s.time,s.command,s.history_file FROM shell_history s JOIN users USING (uid) limit 10;
- block:
- name: review inotify sysctl settings for osquery
sysctl: name="{{ item.n }}" value="{{ item.v }}" sysctl_set=yes state=present reload=yes
with_items:
- { n: 'fs.inotify.max_user_watches', v: '524288' }
- { n: 'fs.inotify.max_user_instances', v: '256' }
- { n: 'fs.inotify.max_queued_events', v: '32768' }
when: osquery_fim and not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker"))
## ensure no auditd at the same time
## https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
- block:
- name: ensure auditd is not present
package: name="{{ _osquery_auditd_pkg }}" state=absent
when: osquery_process_auditing
- name: get rsyslog version
command: "rsyslogd -v | awk -F'[ ,]' '/rsyslogd/ { print $2 }'"
environment:
PATH: '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
changed_when: false
register: rsyslog_v
- block:
- name: setup rsyslog pipe for osquery communication
template:
src: osquery-rsyslog.conf.j2
dest: /etc/rsyslog.d/90-osquery.conf
mode: '0644'
backup: yes
notify:
- restart rsyslog
when: osquery_rsyslog
- include: syslog-target.yml
when: osquery_syslog_target != ''


@ -1,69 +1,32 @@
--- ---
# tasks file for osquery - name: Gather variables for each operating system
include_vars: "{{ item }}"
with_first_found:
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_version | lower }}.yml"
- "{{ ansible_distribution | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_major_version | lower }}.yml"
- "{{ ansible_distribution | lower }}.yml"
- "{{ ansible_os_family | lower }}-{{ ansible_distribution_version.split('.')[0] }}.yml"
- "{{ ansible_os_family | lower }}.yml"
tags:
- always
- name: Include distribution specific variables - include_tasks: "osquery_{{ ansible_pkg_mgr }}.yml"
include_vars: "{{ ansible_distribution }}.yml"
- name: Install osquery
package:
name: "{{ osquery_packages }}"
state: present
- name: Install osquery debug packages
package:
name: "{{ item }}"
state: present
with_items: "{{ osquery_debug_packages }}"
when:
- osquery_debug_packages_install | bool
- include: osquery_configure.yml
tags: tags:
- osquery - osquery
- name: Include version-specific variables for RedHat - config
include_vars: "CentOS-{{ ansible_distribution_version.split('.')[0] }}.yml"
when: ansible_os_family == "RedHat"
- include: CentOS.yml
when: ansible_os_family == "RedHat"
tags:
- osquery
- include: Debian.yml
when: ansible_os_family == "Debian"
tags:
- osquery
- block:
- name: Install osquery
package:
name: "{{ item }}"
state: present
with_items: "{{ osquery_packages }}"
tags:
- osquery
- name: Install osquery debug packages
package:
name: "{{ item }}"
state: present
with_items: "{{ osquery_debug_packages }}"
when: osquery_debug_packages_install
tags:
- osquery
- include: configure.yml
tags:
- osquery
- config
- name: Enable service
service: name=osqueryd enabled={{ osquery_service_enable }}
tags:
- osquery
- service
- name: Start service
service: name=osqueryd state=started
when: osquery_service_enable
tags:
- osquery
- service
- meta: flush_handlers
- name: pause a bit to have few queries results
command: sleep 5
changed_when: false
when: osquery_testing_pause or osquery_testing
- include: testing.yml
when: osquery_testing
- include: profiling.yml
when: osquery_profiling
when: ansible_os_family == "RedHat" or ansible_distribution == "Ubuntu" or ansible_distribution == "Debian"
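Review bot: The new task list no longer enables or starts osqueryd: the `Enable service` / `Start service` tasks are removed in this hunk and the `ensure service is enabled and started` task of the old configure file is deleted as well, while the new osquery_configure.yml only notifies a `restart osquery` handler. Unless that handler (not visible here) also sets `enabled: yes`, a fresh install leaves the unit disabled at boot, and a run in which no configuration changed never starts the daemon at all. Consider restoring an explicit task after the include, `- name: Ensure osqueryd is enabled and started` / `service: name=osqueryd state=started enabled=yes`, guarded by `osquery_service_enable` if that variable is kept in defaults.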


@ -1,10 +1,7 @@
--- ---
# tasks file for osquery (Debian, Ubuntu specific)
- name: Ensure dirmngr is present for apt-key - name: Ensure dirmngr is present for apt-key
package: package:
name: dirmngr name: "{{ osquery_required_packages }}"
state: present state: present
- name: Download osquery APT key - name: Download osquery APT key
@ -16,14 +13,6 @@
tags: tags:
- osquery - osquery
- name: Ensure apt-transport-https is installed
become: yes
apt:
name: apt-transport-https
state: present
tags:
- osquery
- name: Configure osquery APT repository - name: Configure osquery APT repository
become: yes become: yes
apt_repository: apt_repository:
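Review bot: The first task of this section now installs `{{ osquery_required_packages }}` but keeps the name `Ensure dirmngr is present for apt-key`, which no longer describes what it does; rename it to `Ensure required packages for the osquery APT repository are present`. The second hunk drops the explicit `apt-transport-https` install, so if the repository URL is https (it is outside this view) that package has to be part of `osquery_required_packages` on releases whose apt has no built-in https support, otherwise the `Configure osquery APT repository` task fails on first run. The removed task also ran with `become: yes` while the surviving package task shows no `become`, so confirm the play itself escalates privileges.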


@ -0,0 +1,88 @@
---
- name: Ensure directories exist
file:
dest: "/var/osquery"
state: directory
mode: "0755"
- name: Ensure target syslog dir exists
file:
dest: "/var/log/osquery"
state: directory
mode: "{{ varlog_mode }}"
group: "{{ varlog_group }}"
- name: Push extra osquery packs file
template:
src: "{{ item }}.conf.j2"
dest: "/usr/share/osquery/packs/{{ item | basename }}.conf"
backup: yes
with_items: "{{ osquery_upload_packs }}"
notify:
- restart osquery
- name: Print osquery packs
debug: var=osquery_packs
- name: Configure osquery
template:
src: "{{ osquery_template }}"
dest: /etc/osquery/osquery.conf
mode: '0644'
backup: yes
validate: 'osqueryi --config_path %s --config_check --verbose'
notify:
- restart osquery
- name: Express the osquery secret to disk
lineinfile:
path: "/etc/osquery/osquery_enroll_secret"
line: "{{ osquery_enroll_secret }}"
state: present
owner: "root"
group: "root"
mode: "0600"
create: true
notify:
- restart osquery
when:
- osquery_enroll_secret is defined
- name: Configure osquery flags
template:
src: "osquery.flags.j2"
dest: /etc/osquery/osquery.flags
mode: '0644'
backup: yes
notify:
- restart osquery
- name: Re-validate whole osquery config
command: 'osqueryi --config_path /etc/osquery/osquery.conf --config_check --verbose'
changed_when: false
register: confcheck
failed_when: "'error' in confcheck.stdout or 'fail' in confcheck.stdout"
- name: Add logrotate configuration for osquery log
copy:
src: logrotate-osquery
dest: /etc/logrotate.d/osquery
mode: '0644'
backup: yes
- name: Review inotify sysctl settings for osquery
sysctl:
name: "{{ item.n }}"
value: "{{ item.v }}"
sysctl_set: yes
state: present
reload: yes
sysctl_file: /etc/sysctl.d/99-osquery.conf
failed_when: false
with_items:
- n: 'fs.inotify.max_user_watches'
v: 524288
- n: 'fs.inotify.max_user_instances'
v: 256
- n: 'fs.inotify.max_queued_events'
v: 32768
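Review bot: `Express the osquery secret to disk` writes the enrollment secret with `lineinfile` and no `regexp`, so when `osquery_enroll_secret` is rotated the previous value stays in `/etc/osquery/osquery_enroll_secret` next to the new one, which likely breaks enrollment (the daemon reads the file as a single value) and keeps a retired secret on disk; the task also lacks `no_log: true`, so the secret is echoed in task output whenever the line changes. Writing the file whole with `copy` and `content:` makes the file hold exactly the current secret and stays idempotent. Separately, `Re-validate whole osquery config` sets `failed_when` to a stdout substring match, which replaces the default non-zero-rc check, so an `osqueryi` run that exits non-zero with its diagnostics on stderr is reported as success; use `failed_when: confcheck.rc != 0 or 'error' in confcheck.stdout or 'fail' in confcheck.stdout`.
```yaml
# … unchanged: directory, packs and osquery.conf tasks …
- name: Express the osquery secret to disk
  copy:
    content: "{{ osquery_enroll_secret }}"
    dest: /etc/osquery/osquery_enroll_secret
    owner: root
    group: root
    mode: "0600"
  no_log: true
  notify:
    - restart osquery
  when:
    - osquery_enroll_secret is defined
# … unchanged: flags, re-validate, logrotate and sysctl tasks …
```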


@ -0,0 +1 @@
osquery_yum.yml


@ -1,14 +1,12 @@
--- ---
# tasks file for osquery (CentOS specific)
- name: Install osquery repository key
rpm_key:
state: present
key: "{{ _osquery_repositorykey }}"
- name: Install osquery repository - name: Install osquery repository
get_url: get_url:
url: "{{ _osquery_repository }}" url: "{{ _osquery_repository }}"
dest: "/etc/yum.repos.d/{{ _osquery_repository | basename }}" dest: "/etc/yum.repos.d/{{ _osquery_repository | basename }}"
mode: '0644' mode: '0644'
backup: yes backup: yes
- name: Install osquery repository key
rpm_key:
state: present
key: "{{ _osquery_repositorykey }}"


@ -1,27 +0,0 @@
---
- name: get source repository for profiling tools
git:
repo: https://github.com/facebook/osquery.git
dest: /root/osquery
- name: ensure profiling dependencies are present - pkg
package:
name: "{{ item }}"
state: present
with_items:
- python-pip
- name: ensure profiling dependencies are present - pip
pip:
name: "{{ item }}"
state: present
with_items:
- psutil
- name: profiling
command: "./tools/analysis/profile.py --config {{ osquery_profiling_conf }} --shell /usr/bin/osqueryi --count 1 --rounds 4"
args:
chdir: /root/osquery
changed_when: false
register: perf
- debug: var=perf.stdout_lines


@ -1,19 +0,0 @@
---
- name: Ensure target syslog dir exists
file:
dest: "{{ item }}"
state: directory
mode: "{{ varlog_mode }}"
group: "{{ varlog_group }}"
with_items: "{{ osquery_syslog_dirs }}"
- name: setup rsyslog to send osquery logs to a specific target
template:
src: rsyslog-osquery-target.conf.j2
dest: /etc/rsyslog.d/30-osquery-target.conf
mode: '0644'
backup: yes
validate: 'rsyslogd -d -N 1 -f %s'
notify:
- restart rsyslog


@ -1,40 +0,0 @@
---
- block:
- name: systemd | check service status
command: "systemctl status osqueryd -l"
changed_when: false
register: systemctl
- debug: var=systemctl.stdout_lines
when: ansible_service_mgr == "systemd"
- block:
- name: service | check service status
command: "service osqueryd status"
changed_when: false
register: service
- debug: var=service.stdout_lines
when: ansible_service_mgr != "systemd"
- block:
- name: fallocate big file
command: "fallocate -l {{ osquery_testing_fim_load_bigger }} /etc/testing-big-file"
args:
creates: /etc/testing-big-file
- name: creation of many small files
command: "split -b {{ osquery_testing_fim_load_smaller }} /etc/testing-big-file testing-"
args:
chdir: /etc
creates: /etc/testing-big-aa
- name: clean up
shell: find /etc/ -name 'testing-*' -exec rm {} \;
ignore_errors: true
# more diverse load? openssl speed, stress...
- name: retrieve log results
command: "{{ item }}"
with_items:
- head -20 /var/log/osquery/osqueryd.results.log
- tail -20 /var/log/osquery/osqueryd.results.log
ignore_errors: true
changed_when: false
register: log
when: osquery_testing_fim_load


@ -1,34 +0,0 @@
#include <tunables/global>
/usr/bin/osqueryd {
#include <abstractions/base>
#include <abstractions/lxc/container-base>
#include <abstractions/lxc/start-container>
/etc/host.conf r,
/etc/hosts r,
/etc/nsswitch.conf r,
/etc/osquery/osquery.conf r,
/etc/osquery/osquery.flags r,
/proc/** rw,
/proc/cpuinfo r,
/root/osqueryd.*.root.log.ERROR.* w,
/root/osqueryd.*.root.log.INFO.* w,
/root/osqueryd.*.root.log.WARNING.* w,
/run/osqueryd.pidfile w,
/run/resolvconf/resolv.conf r,
/run/utmp r,
/sys/devices/** r,
/sys/firmware/dmi/tables/DMI r,
/tmp/* w,
/tmp/user/0/osqueryd.*.root.log.ERROR.* w,
/tmp/user/0/osqueryd.*.root.log.INFO.* w,
/tmp/user/0/osqueryd.*.root.log.WARNING.* w,
/usr/bin/osqueryd Px,
/usr/share/osquery/packs/* r,
/var/log/osquery/* w,
/var/osquery/osquery.db/ rw,
/var/osquery/osquery.db/* rw,
/var/tmp/* rw,
}


@ -1,39 +0,0 @@
{{ ansible_managed | comment('plain', decoration='## ') }}
## /etc/logrotate.d/osquery
/var/log/osquery/osqueryd.results.log {
rotate {{ osquery_logrotate_days|int }}
daily
missingok
notifempty
delaycompress
compress
create 640 root adm
sharedscripts
}
{% if osquery_syslog_target is defined and osquery_syslog_target != '' and '/var/log/' in osquery_syslog_target %}
{{ osquery_syslog_target }} {
rotate {{ osquery_logrotate_days|int }}
daily
missingok
notifempty
delaycompress
compress
create 640 root adm
sharedscripts
# Ubuntu: parent directory has insecure permissions (It's world writable or writable by group which is not "root")
su root {{ osquery_syslog_dir_group | default(varlog_group) }}
}
{% endif %}
{% if osquery_syslog_target2 is defined and osquery_syslog_target2 != '' and '/var/log/' in osquery_syslog_target2 %}
{{ osquery_syslog_target2 }} {
rotate {{ osquery_logrotate_days|int }}
daily
missingok
notifempty
delaycompress
compress
create 640 root adm
sharedscripts
su root {{ osquery_syslog_dir_group2 | default(varlog_group) }}
}
{% endif %}


@ -1,6 +0,0 @@
template(
name="OsqueryCsvFormat"
type="string"
string="%timestamp:::date-rfc3339,csv%,%hostname:::csv%,%syslogseverity:::csv%,%syslogfacility-text:::csv%,%syslogtag:::csv%,%msg:::csv%\n"
)
*.* action(type="ompipe" Pipe="/var/osquery/syslog_pipe" template="OsqueryCsvFormat")


@ -67,7 +67,7 @@
{% else %} {% else %}
"interval": 3600 "interval": 3600
{% endif %} {% endif %}
}{% if osquery_fim or osquery_process_auditing %},{% endif %} }{% if osquery_fim %},{% endif %}
{% if osquery_fim %} {% if osquery_fim %}
"fim" : { "fim" : {
@ -75,19 +75,8 @@
"query": "select * from file_events;", "query": "select * from file_events;",
"removed": false, "removed": false,
"interval": {% if osquery_testing_fim_load %}30{% else %}{{ osquery_fim_interval }}{% endif %} "interval": {% if osquery_testing_fim_load %}30{% else %}{{ osquery_fim_interval }}{% endif %}
}{% if osquery_process_auditing %},{% endif %}
{% endif %}
{% if osquery_process_auditing %}
"process_events":{
"query": "SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, uid FROM process_events WHERE path NOT IN ('/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline NOT LIKE '%secret%';",
"interval": {{ osquery_process_interval }}
},
"socket_events":{
"query": "SELECT action, auid, family, local_address, local_port, path, pid, remote_address, remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000');",
"interval": {{ osquery_socket_interval }}
} }
{% endif %} {% endif %}
}, },


@ -1,6 +0,0 @@
/usr/bin/osqueryd -- gen_context(system_u:object_r:osquery_exec_t,s0)
/etc/osquery(/.*)? -- gen_context(system_u:object_r:osquery_conf_t,s0)
/usr/share/osquery/packs(/.*)? -- gen_context(system_u:object_r:osquery_conf_t,s0)
/var/log/osquery(/.*)? -- gen_context(system_u:object_r:osquery_log_t,s0)
/var/osquery/osquery.em -- gen_context(system_u:object_r:osquery_sock_t,s0)
/usr/lib/systemd/system/osqueryd.service -- gen_context(system_u:object_r:osquery_unit_file_t,s0)


@ -2,15 +2,5 @@
{% for flag in osquery_flags %} {% for flag in osquery_flags %}
{{ flag }} {{ flag }}
{% endfor %} {% endfor %}
{% if osquery_process_auditing %} --logger_path=/var/log/osquery
--disable_audit=false --logger_plugin=filesystem
--audit_allow_config=true
--audit_persist=true
--audit_allow_sockets
{% endif %}
{% if osquery_rsyslog %}
--enable_syslog
{% endif %}
{% if osquery_syslog_target != '' and osquery_syslog_target_facility_osqueryconf != '' %}
--logger_syslog_facility={{ osquery_syslog_target_facility_osqueryconf }}
{% endif %}
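Review bot: The fixed flags `--logger_path=/var/log/osquery` and `--logger_plugin=filesystem` are now emitted after the `osquery_flags` loop, so a caller who puts `--logger_plugin=tls` or a different `--logger_path` into `osquery_flags` is silently overridden if osqueryd honours the last occurrence of a flag in the flagfile, which is the usual gflags behaviour. Emit the role defaults first and let user-supplied flags follow: move the two lines above `{% for flag in osquery_flags %}`. Better still, expose them as variables (the deleted test playbooks in this commit already used an `osquery_logger_plugin` variable) so the logger can be changed without a duplicated flag.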


@ -1,27 +0,0 @@
{{ ansible_managed | comment('plain', decoration='## ') }}
check process osqueryd
with pidfile "/var/run/osqueryd.pid"
group system
group osqueryd
{% if ansible_service_mgr == 'systemd' %}
start program = "/bin/systemctl start ssh" with timeout 60 seconds
stop program = "/bin/systemctl stop ssh"
{% else %}
start program = "/etc/init.d/ssh start" with timeout 60 seconds
stop program = "/etc/init.d/ssh stop"
{% endif %}
if cpu > 90% for 15 cycles then alert
if totalmem > 90% for 15 cycles then alert
if loadavg(15min) greater than 10 for 50 cycles then alert
if 5 restarts with 5 cycles then alert
depends on osqueryd_binary
depends on osqueryd_conf
check file osqueryd_binary
with path /usr/bin/osqueryd
group osqueryd
if failed checksum then alert
check file osqueryd_conf with path /etc/osquery/osquery.conf
include /etc/monit/templates/rootrc
group osqueryd


@ -1,16 +0,0 @@
{% if osquery_syslog_target is defined and osquery_syslog_target != '' %}
{{ osquery_syslog_target_facility_syslogconf }}.* {{ osquery_syslog_target }}
{% if rsyslog_v.stdout is defined and rsyslog_v.stdout is version_compare('8.0', '<') %}
& ~
{% else %}
& stop
{% endif %}
{% endif %}
{% if osquery_syslog_target2 is defined and osquery_syslog_target2 != '' %}
if $programname == 'osqueryd' then {{ osquery_syslog_target2 }}
{% if rsyslog_v.stdout is defined and rsyslog_v.stdout is version_compare('8.0', '<') %}
& ~
{% else %}
& stop
{% endif %}
{% endif %}


@ -1,14 +0,0 @@
#!/usr/bin/env bats
#
#
# Idempotence test
# from https://github.com/neillturner/kitchen-ansible/issues/92
#
@test "Second run should change nothing" {
skip "service module issue"
run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
[ "$status" -eq 0 ]
}


@ -1,43 +0,0 @@
---
- hosts: all
#- hosts: test-kitchen
vars:
- mysql_root_password: 'Toor=2017.'
- kolide_mysql_root_pass: "{{ mysql_root_password }}"
- mysql_databases:
- name: "{{ kolide_mysql_db }}"
- mysql_users:
- name: "{{ kolide_mysql_user }}"
host: "localhost"
#host: "%"
password: "{{ kolide_mysql_pass }}"
priv: "{{ kolide_mysql_db }}.*:ALL"
- mysql_enablerepo: epel
- osquery_flags:
- '--enroll_secret_path=/etc/osquery/osquery_enroll_secret'
- "--tls_server_certs={{ ssl_dir }}/{{ ansible_fqdn }}.crt"
- '--tls_hostname=acme.kolide.co:8080'
- '--host_identifier=hostname'
- '--enroll_tls_endpoint=/api/v1/osquery/enroll'
- '--config_plugin=tls'
- '--config_tls_endpoint=/api/v1/osquery/config'
- '--config_tls_refresh=10'
- '--disable_distributed=false'
- '--distributed_plugin=tls'
- '--distributed_interval=10'
- '--distributed_tls_max_attempts=3'
- '--distributed_tls_read_endpoint=/api/v1/osquery/distributed/read'
- '--distributed_tls_write_endpoint=/api/v1/osquery/distributed/write'
- '--logger_plugin=tls'
pre_tasks:
- name: map acme.kolide.co to localhost
lineinfile:
dest: /etc/hosts
line: 127.0.0.1 acme.kolide.co
ignore_errors: true
roles:
- { role: geerlingguy.mysql, when: ansible_os_family == 'Debian' }
- juju4.kolide
- kbrebanov.osquery


@ -1,8 +0,0 @@
source 'https://rubygems.org'
gem 'serverspec'
gem 'rake'
## for junit output and jenkins support
## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
#gem 'yarjuf'


@ -1,9 +0,0 @@
require 'rake'
require 'rspec/core/rake_task'
RSpec::Core::RakeTask.new(:spec) do |t|
t.pattern = '*_spec.rb'
end
task :default => :spec


@ -1,59 +0,0 @@
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do
## mostly exclude for docker/systemd distributions
it { should be_enabled }
end
describe service('osqueryd') do
it { should be_running }
end
describe file('/usr/bin/osqueryd') do
it { should be_executable }
end
describe file('/usr/bin/osqueryi') do
it { should be_executable }
end
describe file('/etc/osquery/osquery.conf') do
it { should contain '"config_plugin":' }
it { should contain '"packs": {' }
it { should contain '"filesystem"' }
end
describe process("osqueryd") do
its(:user) { should eq "root" }
its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ }
its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ }
end
#describe file('/var/log/osquery/osqueryd.INFO') do
# it { should be_symlink }
# its(:content) { should match /Log line format:/ }
#end
#describe file('/var/log/osquery/osqueryd.WARNING') do
# it { should be_symlink }
# its(:content) { should match /Log line format:/ }
# its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
#end
#describe file('/var/log/osquery/osqueryd.results.log') do
# it { should be_file }
## its(:content) { should match /hostIdentifier/ }
# let(:sudo_options) { '-u root -H' }
#end
describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do
its(:stdout) { should match /osqueryd is already running/ }
its(:exit_status) { should eq 0 }
end
describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do
its(:stdout) { should match /active \(running\)/ }
its(:exit_status) { should eq 0 }
end
describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do
its(:stdout) { should match /active \(running\)/ }
its(:exit_status) { should eq 0 }
end


@ -1,32 +0,0 @@
#!/bin/sh -x
## get consistent ruby2+bundler env on each distribution
location=`dirname "$0"`
cd $location
v=2.3
## docker environment in travis missing few utils
[ -f /etc/debian_version ] && apt-get install -y curl
[ -f /etc/redhat-release ] && yum -y install which
curl -sSL https://get.rvm.io | bash
#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
## troubleshoot
type rvm | head -1
env
#export PATH=/usr/local/rvm/bin:$PATH
bash -l -c "rvm install $v"
bash -l -c "rvm use $v"
bash -l -c "rvm use $v --default"
bash -l -c "gem install bundler"
bash -l -c "bundle install --path ./gems"
if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
else
bash -l -c "bundle exec rake spec"
fi


@ -1,14 +0,0 @@
#!/usr/bin/env bats
#
#
# Idempotence test
# from https://github.com/neillturner/kitchen-ansible/issues/92
#
@test "Second run should change nothing" {
skip "service module issue"
run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
[ "$status" -eq 0 ]
}


@ -1,17 +0,0 @@
---
- hosts: all
#- hosts: test-kitchen
vars:
- osquery_flags:
- '--logger_plugin=filesystem,syslog'
- osquery_logger_plugin: 'filesystem,syslog'
- osquery_syslog_target: '/var/log/osquery_syslog-results.log'
- osquery_syslog_target2: '/var/log/osquery_syslog-prog.log'
- osquery_testing: true
- osquery_syslog_dirs:
- /var/log
- osquery_testing_pause: true
roles:
- kbrebanov.osquery


@ -1,8 +0,0 @@
source 'https://rubygems.org'
gem 'serverspec'
gem 'rake'
## for junit output and jenkins support
## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
#gem 'yarjuf'


@ -1,9 +0,0 @@
require 'rake'
require 'rspec/core/rake_task'
RSpec::Core::RakeTask.new(:spec) do |t|
t.pattern = '*_spec.rb'
end
task :default => :spec


@ -1,59 +0,0 @@
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do
## mostly exclude for docker/systemd distributions
it { should be_enabled }
end
describe service('osqueryd') do
it { should be_running }
end
describe file('/usr/bin/osqueryd') do
it { should be_executable }
end
describe file('/usr/bin/osqueryi') do
it { should be_executable }
end
describe file('/etc/osquery/osquery.conf') do
it { should contain '"config_plugin":' }
it { should contain '"packs": {' }
it { should contain '"filesystem,syslog"' }
end
describe process("osqueryd") do
its(:user) { should eq "root" }
its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ }
its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ }
end
describe file('/var/log/osquery/osqueryd.INFO') do
it { should be_symlink }
its(:content) { should match /Log line format:/ }
end
describe file('/var/log/osquery/osqueryd.WARNING') do
it { should be_symlink }
its(:content) { should match /Log line format:/ }
its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
end
describe file('/var/log/osquery/osqueryd.results.log') do
it { should be_file }
# its(:content) { should match /hostIdentifier/ }
let(:sudo_options) { '-u root -H' }
end
describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do
its(:stdout) { should match /osqueryd is already running/ }
its(:exit_status) { should eq 0 }
end
describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do
its(:stdout) { should match /active \(running\)/ }
its(:exit_status) { should eq 0 }
end
describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do
its(:stdout) { should match /active \(running\)/ }
its(:exit_status) { should eq 0 }
end


@ -1,18 +0,0 @@
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe file('/var/log/osquery_syslog-prog.log') do
it { should be_file }
# its(:content) { should match /osqueryd: osqueryd started \[version=/ }
its(:content) { should_not match /Rocksdb open failed \(5:0\) IO error:/ }
end
describe file('/var/log/osquery_syslog-results.log') do
it { should be_file }
its(:content) { should match /hostIdentifier/ }
# its(:content) { should match /pack/ }
# its(:content) { should match /message=Executing scheduled query system_info:/ }
its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
let(:sudo_options) { '-u root -H' }
end


@ -1,47 +0,0 @@
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe service('rsyslog'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') || (os[:family] == 'redhat' && os[:release] != '7') do
it { should be_enabled }
end
describe service('rsyslog') do
it { should be_running }
end
describe file('/usr/sbin/rsyslogd') do
it { should be_executable }
end
describe process("rsyslogd"), :if => os[:family] == 'ubuntu' do
its(:user) { should eq "syslog" }
end
describe process("rsyslogd"), :if => os[:family] == 'redhat' do
its(:user) { should eq "root" }
end
describe file('/var/log'), :if => os[:family] == 'ubuntu' do
it { should be_directory }
it { should be_mode 775 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'syslog' }
# it { should be_writable.by('group') }
it { should be_writable.by_user('syslog') }
end
describe file('/var/log'), :if => os[:family] == 'redhat' do
it { should be_directory }
it { should be_mode 755 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'root' }
# it { should be_writable.by('group') }
end
describe file('/var/log/syslog'), :if => os[:family] == 'ubuntu' do
it { should be_file }
end
describe file('/var/log/messages'), :if => os[:family] == 'redhat' do
it { should be_file }
end


@ -1,32 +0,0 @@
#!/bin/sh -x
## get consistent ruby2+bundler env on each distribution
location=`dirname "$0"`
cd $location
v=2.3
## docker environment in travis missing few utils
[ -f /etc/debian_version ] && apt-get install -y curl
[ -f /etc/redhat-release ] && yum -y install which
curl -sSL https://get.rvm.io | bash
#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
## troubleshoot
type rvm | head -1
env
#export PATH=/usr/local/rvm/bin:$PATH
bash -l -c "rvm install $v"
bash -l -c "rvm use $v"
bash -l -c "rvm use $v --default"
bash -l -c "gem install bundler"
bash -l -c "bundle install --path ./gems"
if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
else
bash -l -c "bundle exec rake spec"
fi


@ -1,14 +0,0 @@
#!/usr/bin/env bats
#
#
# Idempotence test
# from https://github.com/neillturner/kitchen-ansible/issues/92
#
@test "Second run should change nothing" {
skip "service module issue"
run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
[ "$status" -eq 0 ]
}


@ -1,17 +0,0 @@
---
- hosts: all
#- hosts: test-kitchen
vars:
# - osquery_flags:
# - '--logger_plugin=syslog'
- osquery_logger_plugin: 'syslog'
- osquery_syslog_target: '/var/log/osquery_syslog-results.log'
- osquery_syslog_target2: '/var/log/osquery_syslog-prog.log'
- osquery_testing: true
- osquery_syslog_dirs:
- /var/log
- osquery_testing_pause: true
roles:
- kbrebanov.osquery


@ -1,8 +0,0 @@
source 'https://rubygems.org'
gem 'serverspec'
gem 'rake'
## for junit output and jenkins support
## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
#gem 'yarjuf'


@ -1,9 +0,0 @@
require 'rake'
require 'rspec/core/rake_task'
RSpec::Core::RakeTask.new(:spec) do |t|
t.pattern = '*_spec.rb'
end
task :default => :spec


@ -1,44 +0,0 @@
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do
## mostly exclude for docker/systemd distributions
it { should be_enabled }
end
describe service('osqueryd') do
it { should be_running }
end
describe file('/usr/bin/osqueryd') do
it { should be_executable }
end
describe file('/usr/bin/osqueryi') do
it { should be_executable }
end
describe file('/etc/osquery/osquery.conf') do
it { should contain '"config_plugin":' }
it { should contain '"packs": {' }
it { should contain '"syslog"' }
end
describe process("osqueryd") do
its(:user) { should eq "root" }
its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ }
its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ }
end
describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do
its(:stdout) { should match /osqueryd is already running/ }
its(:exit_status) { should eq 0 }
end
describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do
its(:stdout) { should match /active \(running\)/ }
its(:exit_status) { should eq 0 }
end
describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do
its(:stdout) { should match /active \(running\)/ }
its(:exit_status) { should eq 0 }
end


@ -1,27 +0,0 @@
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe file('/var/log/osquery_syslog-prog.log') do
it { should be_file }
# its(:content) { should match /osqueryd: osqueryd started \[version=/ }
its(:content) { should match /Executing scheduled query system_info:/ }
its(:content) { should_not match /Rocksdb open failed \(5:0\) IO error:/ }
its(:content) { should_not match /osqueryd initialize failed: Could not initialize database/ }
end
describe file('/var/log/osquery_syslog-results.log') do
it { should be_file }
its(:content) { should match /hostIdentifier/ }
# its(:content) { should match /pack/ }
its(:content) { should match /message=Executing scheduled query system_info:/ }
its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
let(:sudo_options) { '-u root -H' }
end
describe command('journalctl -l') do
its(:stdout) { should match /osqueryd/ }
its(:stdout) { should match /Executing scheduled query system_info:/ }
its(:stdout) { should match /hostIdentifier/ }
its(:exit_status) { should eq 0 }
end


@ -1,47 +0,0 @@
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe service('rsyslog'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') || (os[:family] == 'redhat' && os[:release] != '7') do
it { should be_enabled }
end
describe service('rsyslog') do
it { should be_running }
end
describe file('/usr/sbin/rsyslogd') do
it { should be_executable }
end
describe process("rsyslogd"), :if => os[:family] == 'ubuntu' do
its(:user) { should eq "syslog" }
end
describe process("rsyslogd"), :if => os[:family] == 'redhat' do
its(:user) { should eq "root" }
end
describe file('/var/log'), :if => os[:family] == 'ubuntu' do
it { should be_directory }
it { should be_mode 775 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'syslog' }
# it { should be_writable.by('group') }
it { should be_writable.by_user('syslog') }
end
describe file('/var/log'), :if => os[:family] == 'redhat' do
it { should be_directory }
it { should be_mode 755 }
it { should be_owned_by 'root' }
it { should be_grouped_into 'root' }
# it { should be_writable.by('group') }
end
describe file('/var/log/syslog'), :if => os[:family] == 'ubuntu' do
it { should be_file }
end
describe file('/var/log/messages'), :if => os[:family] == 'redhat' do
it { should be_file }
end


@ -1,32 +0,0 @@
#!/bin/sh -x
## get consistent ruby2+bundler env on each distribution
location=`dirname "$0"`
cd $location
v=2.3
## docker environment in travis missing few utils
[ -f /etc/debian_version ] && apt-get install -y curl
[ -f /etc/redhat-release ] && yum -y install which
curl -sSL https://get.rvm.io | bash
#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
## troubleshoot
type rvm | head -1
env
#export PATH=/usr/local/rvm/bin:$PATH
bash -l -c "rvm install $v"
bash -l -c "rvm use $v"
bash -l -c "rvm use $v --default"
bash -l -c "gem install bundler"
bash -l -c "bundle install --path ./gems"
if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
else
bash -l -c "bundle exec rake spec"
fi


@ -1,14 +0,0 @@
#!/usr/bin/env bats
#
#
# Idempotence test
# from https://github.com/neillturner/kitchen-ansible/issues/92
#
@test "Second run should change nothing" {
skip "service module issue"
run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
[ "$status" -eq 0 ]
}


@ -1,11 +0,0 @@
---
- hosts: all
#- hosts: test-kitchen
vars:
- osquery_testing: true
- osquery_profiling: true
- osquery_testing_fim_load: true
roles:
- kbrebanov.osquery


@ -1,8 +0,0 @@
source 'https://rubygems.org'
gem 'serverspec'
gem 'rake'
## for junit output and jenkins support
## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
#gem 'yarjuf'


@ -1,9 +0,0 @@
require 'rake'
require 'rspec/core/rake_task'
RSpec::Core::RakeTask.new(:spec) do |t|
t.pattern = '*_spec.rb'
end
task :default => :spec


@ -1,17 +0,0 @@
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe file('/var/log/osquery/osqueryd.results.log') do
it { should contain '"system_info",' }
it { should contain '"physical_memory":' }
it { should contain '"target_path":"\/etc\/testing-big-file"' }
it { should contain '"target_path":"\/etc\/testing-aa"' }
it { should contain '"target_path":"\/etc\/testing-zz' }
it { should contain '"action":"CREATED"' }
it { should contain '"action":"UPDATED"' }
it { should contain '"action":"DELETED"' }
it { should_not contain '"target_path":"\/tmp\/' }
it { should_not contain '"target_path":"\/var\/' }
end


@ -1,59 +0,0 @@
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do
## mostly exclude for docker/systemd distributions
it { should be_enabled }
end
describe service('osqueryd') do
it { should be_running }
end
describe file('/usr/bin/osqueryd') do
it { should be_executable }
end
describe file('/usr/bin/osqueryi') do
it { should be_executable }
end
describe file('/etc/osquery/osquery.conf') do
it { should contain '"config_plugin":' }
it { should contain '"packs": {' }
it { should contain '"filesystem"' }
end
describe process("osqueryd") do
its(:user) { should eq "root" }
its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ }
its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ }
end
describe file('/var/log/osquery/osqueryd.INFO') do
it { should be_symlink }
its(:content) { should match /Log line format:/ }
end
describe file('/var/log/osquery/osqueryd.WARNING') do
it { should be_symlink }
its(:content) { should match /Log line format:/ }
its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
end
describe file('/var/log/osquery/osqueryd.results.log') do
it { should be_file }
# its(:content) { should match /hostIdentifier/ }
let(:sudo_options) { '-u root -H' }
end
describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do
its(:stdout) { should match /osqueryd is already running/ }
its(:exit_status) { should eq 0 }
end
describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do
its(:stdout) { should match /active \(running\)/ }
its(:exit_status) { should eq 0 }
end
describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do
its(:stdout) { should match /active \(running\)/ }
its(:exit_status) { should eq 0 }
end


@ -1,32 +0,0 @@
#!/bin/sh -x
## get consistent ruby2+bundler env on each distribution
location=`dirname "$0"`
cd $location
v=2.3
## docker environment in travis missing few utils
[ -f /etc/debian_version ] && apt-get install -y curl
[ -f /etc/redhat-release ] && yum -y install which
curl -sSL https://get.rvm.io | bash
#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
## troubleshoot
type rvm | head -1
env
#export PATH=/usr/local/rvm/bin:$PATH
bash -l -c "rvm install $v"
bash -l -c "rvm use $v"
bash -l -c "rvm use $v --default"
bash -l -c "gem install bundler"
bash -l -c "bundle install --path ./gems"
if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
else
bash -l -c "bundle exec rake spec"
fi


@ -1,14 +0,0 @@
#!/usr/bin/env bats
#
#
# Idempotence test
# from https://github.com/neillturner/kitchen-ansible/issues/92
#
@test "Second run should change nothing" {
skip "service module issue"
run bash -c "ansible-playbook -i /tmp/kitchen/hosts /tmp/kitchen/default.yml -c local 2>&1 | tee /tmp/idempotency.test | grep -q 'changed=0.*failed=0' && exit 0 || exit 1"
[ "$status" -eq 0 ]
}


@ -1,7 +0,0 @@
---
- hosts: all
#- hosts: test-kitchen
roles:
- kbrebanov.osquery


@ -1,8 +0,0 @@
source 'https://rubygems.org'
gem 'serverspec'
gem 'rake'
## for junit output and jenkins support
## FIXME! travis: 'Could not find gem 'yarjuf' in any of the gem sources listed in your Gemfile or available on this machine.'
#gem 'yarjuf'


@ -1,9 +0,0 @@
require 'rake'
require 'rspec/core/rake_task'
RSpec::Core::RakeTask.new(:spec) do |t|
t.pattern = '*_spec.rb'
end
task :default => :spec


@ -1,59 +0,0 @@
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe service('osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] != '16.04') && (os[:family] != 'redhat') do
## mostly exclude for docker/systemd distributions
it { should be_enabled }
end
describe service('osqueryd') do
it { should be_running }
end
describe file('/usr/bin/osqueryd') do
it { should be_executable }
end
describe file('/usr/bin/osqueryi') do
it { should be_executable }
end
describe file('/etc/osquery/osquery.conf') do
it { should contain '"config_plugin":' }
it { should contain '"packs": {' }
it { should contain '"filesystem"' }
end
describe process("osqueryd") do
its(:user) { should eq "root" }
its(:args) { should match /--config_path[= ]\/etc\/osquery\/osquery.conf/ }
its(:args) { should match /--flagfile[= ]\/etc\/osquery\/osquery.flags/ }
end
describe file('/var/log/osquery/osqueryd.INFO') do
it { should be_symlink }
its(:content) { should match /Log line format:/ }
end
describe file('/var/log/osquery/osqueryd.WARNING') do
it { should be_symlink }
its(:content) { should match /Log line format:/ }
its(:content) { should_not match /kernel: Cannot access \/dev\/osquery/ }
end
describe file('/var/log/osquery/osqueryd.results.log') do
it { should be_file }
# its(:content) { should match /hostIdentifier/ }
let(:sudo_options) { '-u root -H' }
end
describe command('systemctl status osqueryd'), :if => (os[:family] == 'ubuntu' && os[:release] == '14.04') do
its(:stdout) { should match /osqueryd is already running/ }
its(:exit_status) { should eq 0 }
end
describe command('systemctl status osqueryd'), :if => os[:family] == 'ubuntu' && (os[:release] == '16.04' || os[:release] == '18.04') do
its(:stdout) { should match /active \(running\)/ }
its(:exit_status) { should eq 0 }
end
describe command('systemctl status osqueryd'), :if => os[:family] == 'redhat' do
its(:stdout) { should match /active \(running\)/ }
its(:exit_status) { should eq 0 }
end


@ -1,32 +0,0 @@
#!/bin/sh -x
## get consistent ruby2+bundler env on each distribution
location=`dirname "$0"`
cd $location
v=2.3
## docker environment in travis missing few utils
[ -f /etc/debian_version ] && apt-get install -y curl
[ -f /etc/redhat-release ] && yum -y install which
curl -sSL https://get.rvm.io | bash
#[ -f $HOME/.rvm/scripts/rvm ] && . $HOME/.rvm/scripts/rvm
#[ -d /usr/local/rvm ] && . /etc/profile.d/rvm.sh
## troubleshoot
type rvm | head -1
env
#export PATH=/usr/local/rvm/bin:$PATH
bash -l -c "rvm install $v"
bash -l -c "rvm use $v"
bash -l -c "rvm use $v --default"
bash -l -c "gem install bundler"
bash -l -c "bundle install --path ./gems"
if [ "X$USER" != "Xroot" -a "X$USER" != "X" ]; then
bash -l -c "env rvmsudo_secure_path=1 rvmsudo bundle exec rake spec"
else
bash -l -c "bundle exec rake spec"
fi


@ -1,25 +0,0 @@
#!/bin/sh
# add ssh to default lxd image
image=centos-7
guest=default-$image
template="$image"-nossh
publishalias="$image"
lxc init $template $guest
lxc start $guest
openssl rand -base64 48 | perl -ne 'print "$_" x2' | lxc exec $guest -- passwd root
lxc exec $guest -- dhclient eth0
lxc exec $guest -- ping -c 1 8.8.8.8
lxc exec $guest -- yum update
lxc exec $guest -- yum -y upgrade
lxc exec $guest -- yum install -y openssh-server sudo ruby yum-utils
lxc exec $guest -- systemctl enable sshd
lxc exec $guest -- systemctl start sshd
lxc exec $guest -- mkdir /root/.ssh || true
lxc exec $guest -- gem install busser
lxc stop $guest --force
lxc publish $guest --alias $publishalias
lxc delete $guest


@ -1,9 +0,0 @@
FROM alpine:3.4
RUN apk update
# Install Ansible
RUN apk add git ansible python python-dev py-pip
RUN mkdir /etc/ansible
# Install Ansible inventory file
RUN (echo "[local]"; echo "localhost ansible_connection=local") > /etc/ansible/hosts


@ -1,15 +0,0 @@
FROM centos:6
# Install Ansible
RUN yum -y update; yum clean all;
RUN yum -y install epel-release
RUN yum -y install git ansible sudo python-pip
RUN yum clean all
# Disable requiretty
RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers
# Install Ansible inventory file
RUN echo -e '[local]\nlocalhost ansible_connection=local' > /etc/ansible/hosts
CMD ["/usr/sbin/init"]


@ -1,29 +0,0 @@
FROM centos:7
# Install systemd -- See https://hub.docker.com/_/centos/
RUN yum -y swap -- remove fakesystemd -- install systemd systemd-libs
RUN yum -y update; yum clean all; \
(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
rm -f /lib/systemd/system/multi-user.target.wants/*; \
rm -f /etc/systemd/system/*.wants/*; \
rm -f /lib/systemd/system/local-fs.target.wants/*; \
rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
rm -f /lib/systemd/system/basic.target.wants/*; \
rm -f /lib/systemd/system/anaconda.target.wants/*;
# Install Ansible
RUN yum -y install epel-release
RUN yum -y install git sudo python-pip python-devel libffi-devel
RUN yum -y groupinstall 'Development Tools'
RUN yum clean all
# Disable requiretty
RUN sed -i -e 's/^\(Defaults\s*requiretty\)/#--- \1/' /etc/sudoers
# Install Ansible inventory file
RUN mkdir /etc/ansible
RUN echo -e '[local]\nlocalhost ansible_connection=local' > /etc/ansible/hosts
VOLUME ["/sys/fs/cgroup"]
CMD ["/usr/sbin/init"]


@ -1,11 +0,0 @@
FROM debian:8
RUN apt-get update
# Install Ansible
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git python sudo python-pip python-dev libffi-dev libssl-dev
RUN pip install --upgrade cffi
RUN pip install ansible
RUN install -d -m 0755 /etc/ansible
# Install Ansible inventory file
RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts


@ -1,12 +0,0 @@
FROM debian:9
RUN apt-get update
# Install Ansible
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git
RUN apt-get update
RUN apt-get install -y python sudo python-pip python-dev libffi-dev
RUN pip install --upgrade setuptools
RUN mkdir -p /etc/ansible
# Install Ansible inventory file
RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts


@ -1,11 +0,0 @@
FROM ubuntu:12.04
RUN apt-get update
# Install Ansible
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common python-software-properties git
RUN apt-add-repository -y ppa:ansible/ansible
RUN apt-get update
RUN apt-get install -y ansible python-pip
# Install Ansible inventory file
RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts


@ -1,15 +0,0 @@
FROM ubuntu:14.04
RUN apt-get update
# Install Ansible
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git
#RUN apt-add-repository -y ppa:ansible/ansible
RUN apt-get update
RUN apt-get install -y python-pip python-dev libffi-dev
COPY initctl_faker .
RUN chmod +x initctl_faker && rm -fr /sbin/initctl && ln -s /initctl_faker /sbin/initctl
# Install Ansible inventory file
RUN mkdir /etc/ansible
RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts


@ -1,12 +0,0 @@
FROM ubuntu:16.04
RUN apt-get update
# Install Ansible
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git
#RUN apt-add-repository -y ppa:ansible/ansible
RUN apt-get update
RUN apt-get install -y python sudo python-pip python-dev libffi-dev
# Install Ansible inventory file
RUN mkdir /etc/ansible
RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts


@ -1,11 +0,0 @@
FROM ubuntu:18.04
RUN apt-get update
# Install Ansible
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y software-properties-common git systemd
RUN apt-get update
RUN apt-get install -y python sudo python-pip python-dev libffi-dev
# Install Ansible inventory file
RUN mkdir /etc/ansible
RUN echo "[local]\nlocalhost ansible_connection=local" > /etc/ansible/hosts


@ -1,25 +0,0 @@
#!/bin/sh
## from https://github.com/oxyc/drupal-vm/blob/84b3ad6cf65fb87ac60777c5aca55bb82a45b4aa/tests/initctl_faker
ALIAS_CMD="$(echo ""$0"" | sed -e 's?/sbin/??')"
case "$ALIAS_CMD" in
start|stop|restart|reload|status)
exec service $1 $ALIAS_CMD
;;
esac
case "$1" in
list )
exec service --status-all
;;
reload-configuration )
exec service $2 restart
;;
start|stop|restart|reload|status)
exec service $2 $1
;;
\?)
exit 0
;;
esac


@ -1,36 +0,0 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
VAGRANTFILE_API_VERSION = "2"
ENV['VAGRANT_DEFAULT_PROVIDER'] = 'virtualbox'
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
config.vm.box = "ubuntu/bionic64"
#config.vm.box = "ubuntu/xenial64"
#config.vm.box = "boxcutter/ubuntu1604"
#config.vm.box = "ubuntu/trusty64"
#config.vm.box = "centos/7"
#config.vm.box = "generic/alpine36"
config.vm.provision :ansible do |ansible|
ansible.playbook = "site.yml"
#ansible.verbose = "vvvv"
#ansible.host_key_checking = false
#ansible.limit = 'all'
ansible.become = true
ansible.extra_vars = { ansible_user: 'vagrant', ansible_python_interpreter: '/usr/bin/python3' }
ansible.groups = {
"myrole" => ["osquery" ],
}
end
config.vm.define "vosquery" do |cfg|
cfg.vm.hostname = "vosquery"
cfg.vm.provider "virtualbox" do |v|
v.memory = 512
end
end
end


@ -1,3 +0,0 @@
[defaults]
callback_whitelist = profile_tasks, timer
roles_path = ../../../


@ -1,6 +0,0 @@
---
- hosts: all
roles:
- kbrebanov.osquery


@ -1 +0,0 @@
localhost


@ -1,5 +0,0 @@
---
- hosts: localhost
remote_user: root
roles:
- ansible-osquery


@ -1,2 +0,0 @@
---
_osquery_auditd_pkg: "audit"


@ -1,2 +0,0 @@
---
_osquery_auditd_pkg: "audit"


@ -1,19 +0,0 @@
---
# vars file for osquery (Debian specific)
# https://github.com/facebook/osquery/issues/320
# https://github.com/facebook/osquery/issues/2321
osquery_packages:
- osquery
- rsyslog
osquery_debug_packages:
- osquery-dbg
_osquery_repository: "{{ osquery_repository | default('deb [arch=amd64] https://pkg.osquery.io/deb deb main') }}"
_osquery_repositorykey: "{{ osquery_repositorykey | default('1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B') }}"
_osquery_auditd_pkg: "auditd"
varlog_group: syslog
varlog_mode: '0775'


@ -1,2 +0,0 @@
---
_osquery_auditd_pkg: "audit"


@ -1,2 +0,0 @@
---
_osquery_auditd_pkg: "audit"


@ -1,17 +0,0 @@
---
# vars file for osquery (CentOS specific)
osquery_packages:
- osquery
- rsyslog
osquery_debug_packages:
- osquery-debuginfo
_osquery_repository: "{{ osquery_repository | default('https://pkg.osquery.io/rpm/osquery-s3-rpm.repo') }}"
_osquery_repositorykey: "{{ osquery_repositorykey | default('https://pkg.osquery.io/rpm/GPG') }}"
_osquery_auditd_pkg: "audit"
varlog_group: root
varlog_mode: '0755'


@ -1,5 +1,8 @@
--- ---
# vars file for osquery (Ubuntu specific) osquery_required_packages:
- apt-transport-https
- dirmngr
- logrotate
osquery_packages: osquery_packages:
- osquery - osquery
@ -11,7 +14,5 @@ osquery_debug_packages:
_osquery_repository: "{{ osquery_repository | default('deb [arch=amd64] https://pkg.osquery.io/deb deb main') }}" _osquery_repository: "{{ osquery_repository | default('deb [arch=amd64] https://pkg.osquery.io/deb deb main') }}"
_osquery_repositorykey: "{{ osquery_repositorykey | default('1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B') }}" _osquery_repositorykey: "{{ osquery_repositorykey | default('1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B') }}"
_osquery_auditd_pkg: "auditd"
varlog_group: syslog varlog_group: syslog
varlog_mode: '0775' varlog_mode: '0775'
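Review bot: The new side drops the file's header comment (`# vars file for osquery (Ubuntu specific)`) and replaces it with the `osquery_required_packages` list, which carries no explanation of why `apt-transport-https`, `dirmngr` and `logrotate` are required; the same header loss happens in the CentOS vars section a few sections below (`osquery_required_packages` with only `logrotate`). Please restore the header comment above `osquery_required_packages:` and add a one-line reason per entry, e.g. `# apt-transport-https: the https apt source in _osquery_repository; dirmngr: presumably key retrieval for _osquery_repositorykey — confirm; logrotate: rotation of the osquery logs`. `_osquery_auditd_pkg` is also removed here; if any task outside this diff still references it, that task would now fail on an undefined variable, so it is worth a grep before merging.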


@ -1,6 +0,0 @@
---
# vars file for osquery
osquery_packages:
- osquery
- rsyslog


@ -1,5 +1,6 @@
--- ---
# vars file for osquery (CentOS specific) osquery_required_packages:
- logrotate
osquery_packages: osquery_packages:
- osquery - osquery
@ -11,7 +12,5 @@ osquery_debug_packages:
_osquery_repository: "{{ osquery_repository | default('https://pkg.osquery.io/rpm/osquery-s3-rpm.repo') }}" _osquery_repository: "{{ osquery_repository | default('https://pkg.osquery.io/rpm/osquery-s3-rpm.repo') }}"
_osquery_repositorykey: "{{ osquery_repositorykey | default('https://pkg.osquery.io/rpm/GPG') }}" _osquery_repositorykey: "{{ osquery_repositorykey | default('https://pkg.osquery.io/rpm/GPG') }}"
_osquery_auditd_pkg: "audit"
varlog_group: root varlog_group: root
varlog_mode: '0755' varlog_mode: '0755'


@ -58,7 +58,7 @@
value: 10 value: 10
state: present state: present
reload: "yes" reload: "yes"
sysctl_file: /etc/sysctl.d/99-elasticsearch.conf sysctl_file: /etc/sysctl.d/99-osquery.conf
- name: Create tmp osquery dir - name: Create tmp osquery dir
file: file:
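Review bot: The sysctl drop-in is renamed from `/etc/sysctl.d/99-elasticsearch.conf` to `/etc/sysctl.d/99-osquery.conf`, but nothing removes the old path, so hosts provisioned by an earlier version of the role keep both drop-ins and the stale one continues to be loaded on every `reload`. Add a `file: state: absent` task for the old path ahead of this sysctl task so the rename converges on existing hosts. The enclosing sysctl task starts before the hunk, so its `name`/key lines are not visible here. As a minor style point, `reload: "yes"` is a quoted truthy string where the canonical boolean `reload: true` reads more clearly.
```yaml
- name: Remove stale sysctl drop-in left by earlier role versions
  file:
    path: /etc/sysctl.d/99-elasticsearch.conf
    state: absent

# … unchanged: sysctl task (name/key lines start before the hunk) …
    sysctl_file: /etc/sysctl.d/99-osquery.conf
```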


@ -14,8 +14,6 @@ osquery_debug_packages_install: false
osquery_config_plugin: 'filesystem' osquery_config_plugin: 'filesystem'
osquery_logger_plugin: 'filesystem' osquery_logger_plugin: 'filesystem'
osquery_rsyslog: false
osquery_flags: osquery_flags:
- "--tls_server_certs={{ kolide_fleet_ssl_cert }}" - "--tls_server_certs={{ kolide_fleet_ssl_cert }}"
- "--tls_hostname={{ hostvars[groups['kolide-fleet_all'][0]]['ansible_host'] }}:443" - "--tls_hostname={{ hostvars[groups['kolide-fleet_all'][0]]['ansible_host'] }}:443"