diff --git a/bootstrap-embedded-ansible/bootstrap-embedded-ansible.sh b/bootstrap-embedded-ansible/bootstrap-embedded-ansible.sh
index dd123cf5..50c30988 100755
--- a/bootstrap-embedded-ansible/bootstrap-embedded-ansible.sh
+++ b/bootstrap-embedded-ansible/bootstrap-embedded-ansible.sh
@@ -42,6 +42,7 @@ if [[ ! -e "${ANSIBLE_EMBED_HOME}/bin/ansible" ]]; then
 eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade ansible==2.5.5.0 --isolated"
 eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade jmespath --isolated"
 eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade hvac --isolated"
+ eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade netaddr --isolated"
 echo "Ansible can be found here: ${ANSIBLE_EMBED_HOME}/bin"
 fi
diff --git a/elk_metrics_6x/README.rst b/elk_metrics_6x/README.rst
index d02c3e2e..ecba8352 100644
--- a/elk_metrics_6x/README.rst
+++ b/elk_metrics_6x/README.rst
@@ -595,7 +595,7 @@ deployed to the environment as if this was a production installation.
 .. code-block:: bash
- tests/run-tests.sh
+ CLUSTERED=yes tests/run-tests.sh
 After the test build is completed the cluster will test it's layout and ensure
diff --git a/elk_metrics_6x/tests/_container-setup.yml b/elk_metrics_6x/tests/_container-setup.yml
index 4a7df76c..a1b724c7 100644
--- a/elk_metrics_6x/tests/_container-setup.yml
+++ b/elk_metrics_6x/tests/_container-setup.yml
@@ -14,7 +14,7 @@
 # limitations under the License.
 - name: Setup host for nspawn
- hosts: physical_hosts
+ hosts: localhost
 connection: local
 become: true
 vars:
diff --git a/elk_metrics_6x/tests/functional.yml b/elk_metrics_6x/tests/functional.yml
index c992e1b2..e37bc9e1 100644
--- a/elk_metrics_6x/tests/functional.yml
+++ b/elk_metrics_6x/tests/functional.yml
@@ -60,6 +60,11 @@
 reload: "yes"
 sysctl_file: /etc/sysctl.d/99-elasticsearch.conf
+ - name: Create tmp osquery dir
+ file:
+ path: "/tmp/elk-metrics-6x-logs"
+ state: directory
+
 - name: Flush iptables rules
 command: "{{ item }}"
 args:
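Review bot: The new pip line installs `netaddr` unpinned and with `--upgrade`, so every bootstrap pulls whatever release is newest at that moment, while the `ansible==2.5.5.0` line three rows above is pinned; the embedded environment is therefore not reproducible and a freshly published release lands without review. Pin it to match the ansible line, e.g. `eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade netaddr==<pinned-version> --isolated"` (placeholder version to be filled in); the unpinned `jmespath` and `hvac` context lines have the same property if they are revisited. The enclosing `if` block starts outside the hunk.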
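Review bot: The new `file` task creates `/tmp/elk-metrics-6x-logs` with the module's default permissions, yet it is the directory the later plays point `ANSIBLE_LOG_PATH` at, and `run-tests.sh` starts those plays with `-vv`, so command lines and registered output end up readable by every local user under a predictable path in `/tmp`. Add `mode: "0750"` to the task; if a pre-existing directory owned by another user is a concern on shared hosts, create it under a per-run `tempfile` path instead. The task name says `osquery dir` while the path is the elk-metrics log directory, which is worth aligning.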
@@ -90,17 +95,19 @@
 args:
 chdir: "src/{{ current_test_repo }}/elk_metrics_6x"
- - name: Run ansible-galaxy
+ - name: Run ansible-galaxy (tests)
 become: yes
 become_user: root
- command: "/root/ansible25/bin/ansible-galaxy install --force -r ansible-role-requirements.yml"
+ command: "/root/ansible25/bin/ansible-galaxy install --force --ignore-errors --roles-path=/root/ansible25/repositories/roles -r ansible-role-requirements.yml"
 args:
- chdir: "src/{{ current_test_repo }}/elk_metrics_6x/tests"
+ chdir: "src/{{ current_test_repo }}/osquery/tests"
- - name: Install netaddr
- pip:
- name: netaddr
- virtualenv: "/root/ansible25"
+ - name: Run ansible-galaxy (elk_metrics_6x)
+ become: yes
+ become_user: root
+ command: "/root/ansible25/bin/ansible-galaxy install --force --ignore-errors --roles-path=/root/ansible25/repositories/roles -r ansible-role-requirements.yml"
+ args:
+ chdir: "src/{{ current_test_repo }}/osquery"
 - name: Run environment setup
 become: yes
@@ -110,6 +117,7 @@
 ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
 ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
 ANSIBLE_LOG_PATH: "/tmp/elk-metrics-6x-logs/ansible-elk-test-container-setup.log"
+ ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
 args:
 chdir: "src/{{ current_test_repo }}/elk_metrics_6x/tests"
 when:
@@ -124,6 +132,7 @@
 ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
 ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
 ANSIBLE_LOG_PATH: "/tmp/elk-metrics-6x-logs/ansible-elk-test-container-setup.log"
+ ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
 args:
 chdir: "src/{{ current_test_repo }}/elk_metrics_6x/tests"
 when:
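Review bot: The second ansible-galaxy task is named `(elk_metrics_6x)` but its `chdir` is `src/{{ current_test_repo }}/osquery`, and the first task, named `(tests)`, moved from `elk_metrics_6x/tests` to `osquery/tests`; read together, the elk_metrics_6x requirement files appear to no longer be installed by this play at all, presumably a copy-and-paste slip. If the intent is one galaxy run per requirement file, the second task's directory should read `chdir: "src/{{ current_test_repo }}/elk_metrics_6x"`. The added `--ignore-errors` flag also means a role that fails to download no longer fails the play, so a missing role only surfaces as a confusing failure in the later environment-setup plays; consider dropping it, or registering the result and checking its `rc`.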
@@ -144,6 +153,7 @@
 ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
 ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
 ANSIBLE_LOG_PATH: "/tmp/elk-metrics-6x-logs/ansible-elk-test-deployment.log"
+ ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
 args:
 chdir: "src/{{ current_test_repo }}/elk_metrics_6x"
@@ -155,5 +165,6 @@
 ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action"
 ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection"
 ANSIBLE_LOG_PATH: "/tmp/elk-metrics-6x-logs/ansible-elk-test-show-cluster.log"
+ ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles
 args:
 chdir: "src/{{ current_test_repo }}/elk_metrics_6x"
diff --git a/elk_metrics_6x/tests/run-tests.sh b/elk_metrics_6x/tests/run-tests.sh
index 6bf0b4fd..ef9bff94 100755
--- a/elk_metrics_6x/tests/run-tests.sh
+++ b/elk_metrics_6x/tests/run-tests.sh
@@ -34,6 +34,12 @@ ${HOME}/ansible25/bin/ansible-galaxy install --force \
 --roles-path="${HOME}/ansible25/repositories/roles" \
 --role-file="${TEST_DIR}/elk_metrics_6x/tests/ansible-role-requirements.yml"
+if [[ ! -e "${TEST_DIR}/osquery/tests/src" ]]; then
+ ln -s ${TEST_DIR}/../ ${TEST_DIR}/osquery/tests/src
+fi
+
 ${HOME}/ansible25/bin/ansible-playbook -i 'localhost,' \
 -vv \
+ -e ansible_connection=local \
+ -e test_clustered_elk=${CLUSTERED:-no} \
 ${TEST_DIR}/elk_metrics_6x/tests/test.yml
diff --git a/osquery/README.rst b/osquery/README.rst
index 274e11ac..a697362a 100644
--- a/osquery/README.rst
+++ b/osquery/README.rst
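Review bot: The new symlink guard tests `-e`, which follows the link, so a dangling `${TEST_DIR}/osquery/tests/src` left by a moved checkout makes the test false and the following `ln -s` fails with an existing-file error; `TEST_DIR` is also unquoted on that line while it is quoted everywhere else in the hunk. Use `if [[ ! -L "${TEST_DIR}/osquery/tests/src" && ! -e "${TEST_DIR}/osquery/tests/src" ]]; then` and `ln -s "${TEST_DIR}/.." "${TEST_DIR}/osquery/tests/src"`, or replace the guard with `ln -sfn`. The added `-e test_clustered_elk=${CLUSTERED:-no}` should likewise be quoted so an environment value containing whitespace cannot split into extra playbook arguments.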
@@ -208,10 +208,42 @@ The individual playbooks found within this repository can be independently run
 at anytime.
+Local testing
+-------------
+
+To test these playbooks within a local environment you will need a single server
+with at leasts 8GiB of RAM and 40GiB of storage on root. Running an `m1.medium`
+(openstack) flavor size is generally enough to get an environment online.
+
+To run the local functional tests execute the `run-tests.sh` script out of the
+tests directory. This will create a 1 node kolide-fleet cluster and install
+osquery on the local host.
+
+.. code-block:: bash
+
+ CLUSTERED=yes tests/run-tests.sh
+
+
+After the test build is completed the cluster will test it's layout and ensure
+processes are functioning normally. Logs for the cluster can be found at
+`/tmp/osquery-logs`.
+
+To rerun the playbooks after a test build, source the `tests/manual-test.rc`
+file and follow the onscreen instructions.
+
+To clean-up a test environment and start from a bare server slate the
+`run-cleanup.sh` script can be used. This script is disruptive and will purge
+all `osquery` related services within the local test environment.
+
+.. code-block:: bash
+
+ tests/run-cleanup.sh
+
+
 Architecture | Data flow
 ^^^^^^^^^^^^^^^^^^^^^^^^
-This diagram outlines the data flow from within an Elastic-Stack deployment.
+This diagram outlines the data flow from within an osquery deployment.
 .. image:: assets/architecture-osquery.png
 :scale: 50 %
@@ -224,7 +256,7 @@ TODO
 The following is a list of open items.
 - [x] Test Redhat familly Operating Systems
 - [x] missing mariadb cluster (should all work needs additional vars)
- - [ ] use haproxy instead of the kolide fleet server ip
+ - [x] use haproxy instead of the kolide fleet server ip
 - [ ] add/update tags
- - [ ] convert to roles
- - [ ] add testing
+ - [x] convert to roles
+ - [x] add testing
diff --git a/osquery/installOSquery.yml b/osquery/installOSquery.yml
index 38e92364..1d13ae29 100644
--- a/osquery/installOSquery.yml
+++ b/osquery/installOSquery.yml
@@ -14,7 +14,7 @@
 # limitations under the License.
 - name: Get osquery facts
- hosts: "{{ kolide_fleet_host | default(groups['kolide-fleet_all'][0]) }}"
+ hosts: kolide-fleet_all[0]
 become: true
 vars_files:
 - vars/variables.yml
@@ -37,6 +37,21 @@
 - src: "{{ kolide_fleet_ssl_key }}"
 dest: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
+ - name: Retrieve Enrollment Token
+ command: /usr/local/bin/fleetctl get enroll-secret
+ changed_when: false
+ register: _enrollment_token
+
+ - name: Set kolide fleet enrollment token fact
+ set_fact:
+ kolide_fleet_enroll_secret: "{{ _enrollment_token.stdout }}"
+
+ - name: Write enroll secret
+ copy:
+ dest: "/tmp/{{ osquery_enroll_secret_file | basename }}"
+ content: "{{ kolide_fleet_enroll_secret }}"
+ mode: "0640"
+
 - name: Install osquery
 hosts: "hosts:all_containers"
@@ -66,23 +81,8 @@
 src: "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
 - dest: "{{ kolide_fleet_ssl_key }}"
 src: "/tmp/{{ kolide_fleet_ssl_key | basename }}"
-
- - name: retrieve Enrollment Token
- command: /usr/local/bin/fleetctl get enroll-secret
- changed_when: false
- register: _enrollment_token
- delegate_to: "{{ groups['kolide-fleet_all'][0] }}"
- run_once: true
-
- - name: Set kolide fleet enrollment token fact
- set_fact:
- kolide_fleet_enroll_secret: "{{ _enrollment_token.stdout }}"
-
- - name: write enroll secret
- copy:
- dest: "{{ osquery_enroll_secret_file }}"
- content: "{{ kolide_fleet_enroll_secret }}"
- mode: "0640"
+ - dest: "{{ osquery_enroll_secret_file }}"
+ src: "/tmp/{{ osquery_enroll_secret_file | basename }}"
 post_tasks:
 - name: Cleanup certifactes
@@ -93,6 +93,7 @@
 with_items:
 - "/tmp/{{ kolide_fleet_ssl_cert | basename }}"
 - "/tmp/{{ kolide_fleet_ssl_key | basename }}"
+ - "/tmp/{{ osquery_enroll_secret_file | basename }}"
 roles:
 - role: "osquery"
diff --git a/osquery/inventory.example.yml b/osquery/inventory.example.yml
deleted file mode 100644
index 3a94a8f5..00000000
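Review bot: `Retrieve Enrollment Token` and `Set kolide fleet enrollment token fact` expose the enroll secret in task output: the registered `stdout` and the `set_fact` value are printed at `-vv`, which is how `run-tests.sh` invokes the playbooks with `ANSIBLE_LOG_PATH` set, so the fleet enrollment credential ends up in the log file. Add `no_log: true` to both tasks, and to `Write enroll secret`, whose `content` is the same value. The secret is also written to a fixed, predictable `/tmp/<basename>` path and only removed in the next play's `post_tasks`, so any failure in between leaves it on disk; a `tempfile`-module path, or the cleanup moved into a `block`/`always`, would bound that exposure.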
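Review bot: The enroll secret is now delivered through the same `copy` item list as the TLS key (`dest: "{{ osquery_enroll_secret_file }}"`), whereas the removed task wrote it with an explicit `mode: "0640"`; the loop's `copy` parameters start above the hunk, so confirm that task sets an equally restrictive `mode` and `owner`, otherwise the secret lands with the module's default permissions on every osquery host. If the loop does not set a mode, carry one per item, e.g. `mode: "{{ item.mode | default(omit) }}"` on the copy task with `mode: "0640"` added to this item.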
--- a/osquery/inventory.example.yml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-
-################################## ALL HOSTS ##################################
-all:
- hosts:
- # Local host
- localhost:
- ansible_connection: local
-
-################################## REQUIRED ###################################
- logging01:
- ansible_host: 172.16.27.100
- ansible_user: root
-
- vars: {}
-
-
-################################### GROUPS ####################################
-
-# The hosts group is used to target physical host machines. Enter all physical
-# host machines here.
-hosts:
- hosts:
- logging01: {}
-
-# This is the location where fleet(s) will live
-kolide-fleet_all:
- children:
- kolide_hosts:
- hosts:
- logging01: {}
-
-mariadb_all:
- children:
- kolide-fleet_all: {}
diff --git a/osquery/inventory.example.yml b/osquery/inventory.example.yml
new file mode 120000
index 00000000..a25a3621
--- /dev/null
+++ b/osquery/inventory.example.yml
@@ -0,0 +1 @@
+tests/inventory/test-metal-inventory.yml
\ No newline at end of file
diff --git a/osquery/roles/fleet/tasks/fleetRegisterAdmin.yml b/osquery/roles/fleet/tasks/fleetRegisterAdmin.yml
index 3d72d219..492595c9 100644
--- a/osquery/roles/fleet/tasks/fleetRegisterAdmin.yml
+++ b/osquery/roles/fleet/tasks/fleetRegisterAdmin.yml
@@ -13,22 +13,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-- name: check to see if we have alredy registered fleetctl admin
- stat:
- path: ~/.fleet/config
- register: fleet_config_set
-
 - name: set fleetctl default context
 command: /usr/local/bin/fleetctl config set --address https://localhost:{{ kolide_fleet_port }} --tls-skip-verify
 changed_when: false
- when:
- - fleet_config_set.stat.exists == false
 - name: register admin account
 command: /usr/local/bin/fleetctl setup --email {{ kolide_fleet_admin_email }} --password {{ kolide_fleet_admin_password }}
 changed_when: false
+ failed_when: false
 register: fleet_register_admin
- ignore_errors: true # ignore errors as we might have already set this it will be caought later
 - name: login admin account
 command: /usr/local/bin/fleetctl login --email {{ kolide_fleet_admin_email }} --password {{ kolide_fleet_admin_password }}
diff --git a/osquery/roles/osquery/defaults/main.yml b/osquery/roles/osquery/defaults/main.yml
index 13e8722e..9fff5d29 100644
--- a/osquery/roles/osquery/defaults/main.yml
+++ b/osquery/roles/osquery/defaults/main.yml
@@ -12,16 +12,17 @@ osquery_template: 'osquery.conf.j2'
 osquery_upload_packs:
 - osquery-snapshots-pack
 - osquery-monitoring2-pack
+
 osquery_packs:
 - "osquery-monitoring"
 - "incident-response"
 - "it-compliance"
-# - "osx-attacks"
 - "ossec-rootkit"
 - "vuln-management"
 - "hardware-monitoring"
 - "osquery-snapshots-pack"
- - osquery-monitoring2-pack
+ - "osquery-monitoring2-pack"
+
 osquery_config_plugin: 'filesystem'
 osquery_logger_plugin: 'filesystem'
 #osquery_logger_plugin: 'syslog'
diff --git a/osquery/roles/osquery/handlers/main.yml b/osquery/roles/osquery/handlers/main.yml
index 2bb19ede..c09bfea4 100644
--- a/osquery/roles/osquery/handlers/main.yml
+++ b/osquery/roles/osquery/handlers/main.yml
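Review bot: `failed_when: false` on `register admin account` masks every failure of `fleetctl setup`, and with the `stat` guard removed the command now runs on each play; `fleet_register_admin` is still registered but nothing in this hunk inspects it, so a wrong password or an unreachable server only surfaces at the `login admin account` task. Consider a follow-up task that checks `fleet_register_admin.rc` together with its `stderr` for the already-configured case instead of discarding the result. Both `setup` and `login` also pass `{{ kolide_fleet_admin_password }}` on the command line, which `-vv` prints and `ANSIBLE_LOG_PATH` persists; add `no_log: true` to these two tasks.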
@@ -8,6 +8,3 @@
 - name: restart rsyslog
 service: name=rsyslog state=restarted
-
-- name: reload osqueryd apparmor profile
- shell: cat /etc/apparmor.d/usr.bin.osqueryd | sudo apparmor_parser -r
diff --git a/osquery/roles/osquery/tasks/CentOS.yml b/osquery/roles/osquery/tasks/CentOS.yml
index 1803d235..2d4cf4a2 100644
--- a/osquery/roles/osquery/tasks/CentOS.yml
+++ b/osquery/roles/osquery/tasks/CentOS.yml
@@ -12,6 +12,3 @@
 dest: "/etc/yum.repos.d/{{ _osquery_repository | basename }}"
 mode: '0644'
 backup: yes
-
-- include: selinux.yml
- when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker"))
diff --git a/osquery/roles/osquery/tasks/Debian.yml b/osquery/roles/osquery/tasks/Debian.yml
index 706d5272..3d6eff42 100644
--- a/osquery/roles/osquery/tasks/Debian.yml
+++ b/osquery/roles/osquery/tasks/Debian.yml
@@ -31,6 +31,3 @@
 state: present
 tags:
 - osquery
-
-- include: apparmor.yml
- when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker"))
diff --git a/osquery/roles/osquery/tasks/apparmor.yml b/osquery/roles/osquery/tasks/apparmor.yml
deleted file mode 100644
index 1ba2f8c2..00000000
--- a/osquery/roles/osquery/tasks/apparmor.yml
+++ /dev/null
@@ -1,27 +0,0 @@
----
-# https://help.ubuntu.com/lts/serverguide/apparmor.html.en
-
-- name: Ensure apparmor packages are present
- package:
- name: "{{ item }}"
- state: present
- with_items:
- - apparmor
- - apparmor-utils
- - apparmor-profiles
-
-- name: Ensure apparmor profile is set
- template:
- src: apparmor-usr.bin.osqueryd.j2
- dest: /etc/apparmor.d/usr.bin.osqueryd
- mode: '0600'
- owner: root
- backup: yes
- notify:
- - reload osqueryd apparmor profile
-
-- name: Apply apparmor profile for osquery
- command: aa-complain /usr/bin/osqueryd
- failed_when: false
-
-# Refine policy with `aa-logprof -f /var/log/syslog`
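Review bot: The Debian task list now ends at the package install with no AppArmor profile applied to osqueryd, a daemon the deleted SELinux policy had to grant `dac_override` and `sys_rawio` capabilities; the CentOS.yml hunk (`selinux.yml`), the configure.yml hunk (`selinux-end.yml`) and the handlers hunk remove the SELinux side in the same way, and neither the README hunk nor the role defaults record that mandatory-access-control confinement is gone. The removed `when:` already skipped lxc and docker, so that case alone does not explain the deletion. If the profiles were dropped because they were unreliable, consider keeping the includes behind a default-off role variable (a constructed example: `osquery_mac_profile_enabled: false` in `defaults/main.yml`) so deployers can opt back in, and leave a comment where the include used to be, such as `# AppArmor/SELinux confinement is no longer applied by this role; see README`.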
diff --git a/osquery/roles/osquery/tasks/configure.yml b/osquery/roles/osquery/tasks/configure.yml
index 9bfa0f69..853fc09a 100644
--- a/osquery/roles/osquery/tasks/configure.yml
+++ b/osquery/roles/osquery/tasks/configure.yml
@@ -118,6 +118,3 @@
 - include: syslog-target.yml
 when: osquery_syslog_target != ''
-
-- include: selinux-end.yml
- when: not (ansible_virtualization_type is defined and (ansible_virtualization_type == "lxc" or ansible_virtualization_type == "docker")) and ansible_os_family == "RedHat"
diff --git a/osquery/roles/osquery/tasks/selinux-end.yml b/osquery/roles/osquery/tasks/selinux-end.yml
deleted file mode 100644
index fd52e8ea..00000000
--- a/osquery/roles/osquery/tasks/selinux-end.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-
-- name: RedHat | Ensure selinux context is correctly set
- command: "/sbin/restorecon -F -R -v {{ item }}"
- with_items:
- - /usr/bin/osqueryd
- - /usr/lib/systemd/system/osqueryd.service
- - /var/log/osquery
- - /etc/osquery
- - /usr/share/osquery/packs
diff --git a/osquery/roles/osquery/tasks/selinux.yml b/osquery/roles/osquery/tasks/selinux.yml
deleted file mode 100644
index 25a7d3f7..00000000
--- a/osquery/roles/osquery/tasks/selinux.yml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-
-- name: Ensure selinux package are present
- package:
- name: "{{ item }}"
- state: present
- with_items:
- - selinux-policy
- - selinux-policy-devel
- - setools-console
- - libselinux-python
- - policycoreutils-python
-
-- name: Ensure osquery directory exists
- file:
- dest: /etc/osquery
- state: directory
- mode: '0755'
-
-- name: Ensure osquery selinux policy is set
- template:
- src: "{{ item }}.j2"
- dest: "/etc/osquery/{{ item }}"
- mode: '0600'
- owner: root
- with_items:
- - osquery.fc
- - osquery.sh
- - osquery.te
- register: te
-
-# FIXME!
-- name: Generate osquery policy file
- command: sh -x ./osquery.sh
- args:
- chdir: /etc/osquery
- when: te is changed
- ignore_errors: true
-
-# `sepolicy generate -n osquery --init /usr/bin/osqueryd` = OK/base
-# Refine policy with `audit2allow -i /var/log/audit/audit.log -M osquery`
-# `semodule -i osquery.pp`
-# FIXME! 'Failed to resolve typeattributeset statement at /etc/selinux/targeted/tmp/modules/400/osquery/cil:2'
-# `/usr/libexec/selinux/hll/pp osquery.pp`
diff --git a/osquery/roles/osquery/templates/osquery.sh.j2 b/osquery/roles/osquery/templates/osquery.sh.j2
deleted file mode 100644
index dd756f45..00000000
--- a/osquery/roles/osquery/templates/osquery.sh.j2
+++ /dev/null
@@ -1,61 +0,0 @@ -#!/bin/sh -e - -DIRNAME=`dirname $0` -cd $DIRNAME -USAGE="$0 [ --update ]" -if [ `id -u` != 0 ]; then -echo 'You must be root to run this script' -exit 1 -fi - -if [ $# -eq 1 ]; then - if [ "$1" = "--update" ] ; then - time=`ls -l --time-style="+%x %X" osquery.te | awk '{ printf "%s %s", $6, $7 }'` - rules=`ausearch --start $time -m avc --raw -se osquery` - if [ x"$rules" != "x" ] ; then - echo "Found avc's to update policy with" - echo -e "$rules" | audit2allow -R - echo "Do you want these changes added to policy [y/n]?" - read ANS - if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then - echo "Updating policy" - echo -e "$rules" | audit2allow -R >> osquery.te - # Fall though and rebuild policy - else - exit 0 - fi - else - echo "No new avcs found" - exit 0 - fi - else - echo -e $USAGE - exit 1 - fi -elif [ $# -ge 2 ] ; then - echo -e $USAGE - exit 1 -fi - -echo "Building and Loading Policy" -set -x -make -f /usr/share/selinux/devel/Makefile osquery.pp || exit -/usr/sbin/semodule -i osquery.pp - -# Generate a man page off the installed module -sepolicy manpage -p . -d osquery_t -# Fixing the file context on /usr/bin/osqueryd -/sbin/restorecon -F -R -v /usr/bin/osqueryd -# Fixing the file context on /usr/lib/systemd/system/osqueryd.service -/sbin/restorecon -F -R -v /usr/lib/systemd/system/osqueryd.service -# Fixing the file context on /var/log/osquery -/sbin/restorecon -F -R -v /var/log/osquery -/sbin/restorecon -F -R -v /etc/osquery -/sbin/restorecon -F -R -v /usr/share/osquery/packs - - -# Generate a rpm package for the newly generated policy - -pwd=$(pwd) -#rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba osquery_selinux.spec - diff --git a/osquery/roles/osquery/templates/osquery.te.j2 b/osquery/roles/osquery/templates/osquery.te.j2 deleted file mode 100644 index 1027034d..00000000 
--- a/osquery/roles/osquery/templates/osquery.te.j2
+++ /dev/null
@@ -1,674 +0,0 @@ -module osquery 1.0; - -require { - type osquery_t; - type osquery_conf_t; - type osquery_unit_file_t; - - type insmod_exec_t; - type home_root_t; - type gssd_exec_t; - type udev_exec_t; - type sound_device_t; - type setsebool_exec_t; - type proc_t; - type unconfined_service_t; - type netutils_exec_t; - type load_policy_exec_t; - type memory_device_t; - type tmp_t; - type gpg_exec_t; - type autofs_device_t; - type systemd_hwdb_exec_t; - type tcpd_exec_t; - type gssproxy_exec_t; - type showmount_exec_t; - type rsync_exec_t; - type crond_unit_file_t; - type udev_rules_t; - type systemd_logind_t; - type setfiles_exec_t; - type sshd_keygen_exec_t; - type chronyd_exec_t; - type xserver_etc_t; - type crond_t; - type tun_tap_device_t; - type default_context_t; - type anacron_exec_t; - type virt_qemu_ga_exec_t; - type auditd_t; - type syslogd_t; - type NetworkManager_t; - type sysctl_t; - type pppd_etc_t; - type consolehelper_exec_t; - type userhelper_conf_t; - type systemd_systemctl_exec_t; - type postfix_pickup_exec_t; - type syslog_conf_t; - type systemd_unit_file_t; - type tuned_exec_t; - type plymouthd_exec_t; - type vlock_exec_t; - type systemd_passwd_agent_exec_t; - type pinentry_exec_t; - type passwd_exec_t; - type dmidecode_exec_t; - type systemd_notify_exec_t; - type hwclock_exec_t; - type firewalld_etc_rw_t; - type crack_exec_t; - type postfix_qmgr_t; - type sulogin_exec_t; - type netcontrol_device_t; - type rpcd_unit_file_t; - type auditd_exec_t; - type crontab_exec_t; - type crash_device_t; - type exports_t; - type event_device_t; - type cgroup_t; - type loadkeys_exec_t; - type postfix_qmgr_exec_t; - type pam_timestamp_exec_t; - type random_device_t; - type initrc_exec_t; - type hugetlbfs_t; - type lvm_unit_file_t; - type dmesg_exec_t; - type proc_mdstat_t; - type mouse_device_t; - type nfsd_exec_t; - type slapd_cert_t; - type login_exec_t; - type usbmon_device_t; - type ldconfig_exec_t; - type initctl_t; - type debuginfo_exec_t; - type 
postfix_pickup_t; - type updpwd_exec_t; - type oddjob_mkhomedir_exec_t; - type irqbalance_exec_t; - type proc_kmsg_t; - type gssproxy_t; - type postfix_etc_t; - type init_exec_t; - type postfix_spool_t; - type var_run_t; - type mtrr_device_t; - type hypervvssd_exec_t; - type hostname_exec_t; - type system_cron_spool_t; - type sshd_key_t; - type proc_kcore_t; - type dbusd_exec_t; - type plymouth_exec_t; - type tuned_rw_etc_t; - type pppd_exec_t; - type pam_console_exec_t; - type adjtime_t; - type chronyc_exec_t; - type auditd_unit_file_t; - type fuse_device_t; - type userhelper_exec_t; - type tuned_etc_t; - type systemd_logind_exec_t; - type var_log_t; - type init_t; - type pppd_initrc_exec_t; - type fs_t; - type systemd_tmpfiles_exec_t; - type user_home_dir_t; - type lvm_etc_t; - type chronyd_t; - type dbusd_etc_t; - type etc_aliases_t; - type auditctl_exec_t; - type usernetctl_exec_t; - type clock_device_t; - type traceroute_exec_t; - type sshd_t; - type mdadm_exec_t; - type initrc_var_run_t; - type mount_exec_t; - type scsi_generic_device_t; - type vhost_device_t; - type uhid_device_t; - type ifconfig_exec_t; - type device_t; - type namespace_init_exec_t; - type lvm_exec_t; - type checkpolicy_exec_t; - type rpm_script_tmp_t; - type user_tmp_t; - type unlabeled_t; - type sshd_unit_file_t; - type policykit_exec_t; - type modules_conf_t; - type chfn_exec_t; - type dhcp_etc_t; - type logrotate_exec_t; - type getty_unit_file_t; - type selinux_config_t; - type ppp_device_t; - type ssh_keygen_exec_t; - type cupsd_rw_etc_t; - type authconfig_exec_t; - type ssh_exec_t; - type rpcbind_t; - type audisp_exec_t; - type chronyd_keys_t; - type dri_device_t; - type rpm_exec_t; - type getty_t; - type virt_qemu_ga_unconfined_exec_t; - type NetworkManager_exec_t; - type user_fonts_t; - type rpc_pipefs_t; - type ping_exec_t; - type gpg_agent_exec_t; - type su_exec_t; - type firewalld_exec_t; - type getty_exec_t; - type quota_exec_t; - type devpts_t; - type nvram_device_t; - type 
cpu_device_t; - type rpcbind_exec_t; - type NetworkManager_etc_rw_t; - type unconfined_t; - type NetworkManager_initrc_exec_t; - type sshd_exec_t; - type udev_t; - type rpcd_exec_t; - type fixed_disk_device_t; - type selinux_login_config_t; - type sysctl_irq_t; - type ptmx_t; - type ssh_agent_exec_t; - type NetworkManager_unit_file_t; - type binfmt_misc_fs_t; - type semanage_store_t; - type framebuf_device_t; - type udev_var_run_t; - type rdisc_exec_t; - type NetworkManager_etc_t; - type rsync_etc_t; - type postfix_postdrop_exec_t; - type tuned_t; - type wtmp_t; - type dhcpc_exec_t; - type useradd_exec_t; - type dhcpc_t; - type sudo_exec_t; - type vfio_device_t; - type thumb_exec_t; - type crond_exec_t; - type bootloader_etc_t; - type sysfs_t; - type postfix_postqueue_exec_t; - type postfix_map_exec_t; - type admin_passwd_exec_t; - type apm_bios_t; - type policykit_t; - type iptables_exec_t; - type semanage_exec_t; - type journalctl_exec_t; - type lvm_control_t; - type lvm_t; - type screen_exec_t; - type auditd_etc_t; - type xserver_misc_device_t; - type fsadm_exec_t; - type bootloader_exec_t; - type system_cronjob_t; - type syslogd_exec_t; - type system_dbusd_t; - type lvm_lock_t; - type user_cron_spool_t; - type kmsg_device_t; - type mysqld_etc_t; - type pppd_etc_rw_t; - type configfs_t; - type proc_net_t; - type postfix_master_exec_t; - type shadow_t; - type sendmail_exec_t; - type loop_control_device_t; - type kernel_t; - type var_t; - type pstore_t; - type chkpwd_exec_t; - type groupadd_exec_t; - type debugfs_t; - type hypervkvp_exec_t; - type postfix_master_t; - type sysctl_fs_t; - type blkmapd_exec_t; - type nfsd_unit_file_t; - type ssh_home_t; - type systemd_hwdb_etc_t; - type mandb_exec_t; - type tmpfs_t; - type lvm_metadata_t; - type policykit_auth_exec_t; - type chronyd_unit_file_t; - type print_spool_t; - type rpcbind_var_lib_t; - class fifo_file getattr; - class process setsched; - class unix_stream_socket connectto; - class 
netlink_kobject_uevent_socket { bind create getattr setopt }; - class chr_file { getattr ioctl open read write }; - class capability { dac_override sys_rawio sys_ptrace }; - class file { append create getattr lock open read relabelto rename setattr unlink write }; - class filesystem getattr; - class sock_file { create getattr unlink write }; - class lnk_file { create getattr read unlink }; - class blk_file { getattr ioctl open read }; - class dir { add_name getattr open read remove_name search setattr write }; -} - -#============= osquery_t ============== -allow osquery_t NetworkManager_etc_rw_t:dir { getattr open read }; -allow osquery_t NetworkManager_etc_rw_t:file getattr; -allow osquery_t NetworkManager_etc_t:dir { getattr open read }; -allow osquery_t NetworkManager_exec_t:file getattr; -allow osquery_t NetworkManager_initrc_exec_t:dir { getattr open read }; -allow osquery_t NetworkManager_initrc_exec_t:file getattr; -allow osquery_t NetworkManager_t:dir { getattr open read search }; -allow osquery_t NetworkManager_t:file { getattr open read }; - -allow osquery_t NetworkManager_t:lnk_file { getattr read }; -allow osquery_t NetworkManager_unit_file_t:file getattr; -allow osquery_t adjtime_t:file getattr; -allow osquery_t admin_passwd_exec_t:file getattr; -allow osquery_t anacron_exec_t:file getattr; -allow osquery_t apm_bios_t:chr_file getattr; -allow osquery_t audisp_exec_t:file getattr; -allow osquery_t auditctl_exec_t:file getattr; -allow osquery_t auditd_etc_t:dir { getattr open read }; -allow osquery_t auditd_etc_t:file getattr; -allow osquery_t auditd_exec_t:file getattr; -allow osquery_t auditd_t:dir { getattr open read search }; -allow osquery_t auditd_t:file { getattr open read }; - -allow osquery_t auditd_t:lnk_file { getattr read }; -allow osquery_t auditd_unit_file_t:file getattr; -allow osquery_t authconfig_exec_t:file getattr; -allow osquery_t autofs_device_t:chr_file getattr; -allow osquery_t binfmt_misc_fs_t:filesystem getattr; -allow osquery_t 
blkmapd_exec_t:file getattr; -allow osquery_t bootloader_etc_t:file getattr; -allow osquery_t bootloader_exec_t:file getattr; -allow osquery_t cgroup_t:filesystem getattr; -allow osquery_t checkpolicy_exec_t:file getattr; -allow osquery_t chfn_exec_t:file getattr; -allow osquery_t chkpwd_exec_t:file getattr; -allow osquery_t chronyc_exec_t:file getattr; -allow osquery_t chronyd_exec_t:file getattr; -allow osquery_t chronyd_keys_t:file getattr; -allow osquery_t chronyd_t:dir { getattr open read search }; -allow osquery_t chronyd_t:file { getattr open read }; - -allow osquery_t chronyd_t:lnk_file { getattr read }; -allow osquery_t chronyd_unit_file_t:file getattr; -allow osquery_t clock_device_t:chr_file getattr; -allow osquery_t configfs_t:filesystem getattr; -allow osquery_t consolehelper_exec_t:file getattr; -allow osquery_t cpu_device_t:chr_file getattr; -allow osquery_t crack_exec_t:file getattr; -allow osquery_t crash_device_t:chr_file getattr; -allow osquery_t crond_exec_t:file getattr; -allow osquery_t crond_t:dir { getattr open read search }; -allow osquery_t crond_t:file { getattr open read }; - -allow osquery_t crond_t:lnk_file { getattr read }; -allow osquery_t crond_unit_file_t:file getattr; -allow osquery_t crontab_exec_t:file getattr; -allow osquery_t cupsd_rw_etc_t:file getattr; -allow osquery_t dbusd_etc_t:dir { getattr open read }; -allow osquery_t dbusd_etc_t:file getattr; -allow osquery_t dbusd_exec_t:file getattr; -allow osquery_t debugfs_t:filesystem getattr; -allow osquery_t debuginfo_exec_t:file getattr; -allow osquery_t default_context_t:dir read; -allow osquery_t default_context_t:file getattr; - -#!!!! WARNING: 'device_t' is a base type. 
-allow osquery_t device_t:filesystem getattr; -allow osquery_t devpts_t:filesystem getattr; -allow osquery_t dhcp_etc_t:dir { getattr open read }; -allow osquery_t dhcp_etc_t:file getattr; -allow osquery_t dhcpc_exec_t:file getattr; -allow osquery_t dhcpc_t:dir { getattr open read search }; -allow osquery_t dhcpc_t:file { getattr open read }; - -allow osquery_t dhcpc_t:lnk_file { getattr read }; -allow osquery_t dmesg_exec_t:file getattr; -allow osquery_t dmidecode_exec_t:file getattr; -allow osquery_t dri_device_t:chr_file getattr; -allow osquery_t etc_aliases_t:file getattr; -allow osquery_t event_device_t:chr_file getattr; -allow osquery_t exports_t:file getattr; -allow osquery_t firewalld_etc_rw_t:dir { getattr open read }; -allow osquery_t firewalld_etc_rw_t:file getattr; -allow osquery_t firewalld_exec_t:file getattr; -allow osquery_t fixed_disk_device_t:blk_file { getattr ioctl open read }; -allow osquery_t fixed_disk_device_t:chr_file getattr; -allow osquery_t framebuf_device_t:chr_file getattr; -allow osquery_t fs_t:filesystem getattr; -allow osquery_t fsadm_exec_t:file getattr; -allow osquery_t fuse_device_t:chr_file getattr; -allow osquery_t getty_exec_t:file getattr; -allow osquery_t getty_t:dir { getattr open read search }; -allow osquery_t getty_t:file { getattr open read }; - -allow osquery_t getty_t:lnk_file { getattr read }; -allow osquery_t getty_unit_file_t:file getattr; -allow osquery_t gpg_agent_exec_t:file getattr; -allow osquery_t gpg_exec_t:file getattr; -allow osquery_t groupadd_exec_t:file getattr; -allow osquery_t gssd_exec_t:file getattr; -allow osquery_t gssproxy_exec_t:file getattr; -allow osquery_t gssproxy_t:dir { getattr open read search }; -allow osquery_t gssproxy_t:file { getattr open read }; - -allow osquery_t gssproxy_t:lnk_file { getattr read }; - -#!!!! WARNING: 'home_root_t' is a base type. 
-allow osquery_t home_root_t:dir read; -allow osquery_t hostname_exec_t:file getattr; -allow osquery_t hugetlbfs_t:dir { getattr open read }; -allow osquery_t hugetlbfs_t:filesystem getattr; -allow osquery_t hwclock_exec_t:file getattr; -allow osquery_t hypervkvp_exec_t:file getattr; -allow osquery_t hypervvssd_exec_t:file getattr; -allow osquery_t ifconfig_exec_t:file getattr; -allow osquery_t init_exec_t:file getattr; -allow osquery_t init_t:dir read; -allow osquery_t init_t:file { getattr open read }; - -allow osquery_t init_t:lnk_file { getattr read }; -allow osquery_t initctl_t:fifo_file getattr; -allow osquery_t initrc_exec_t:file getattr; -allow osquery_t initrc_var_run_t:file { lock open read }; -allow osquery_t insmod_exec_t:file getattr; -allow osquery_t iptables_exec_t:file getattr; -allow osquery_t irqbalance_exec_t:file getattr; -allow osquery_t journalctl_exec_t:file getattr; -allow osquery_t kernel_t:dir { getattr open read search }; -allow osquery_t kernel_t:file { getattr open read }; -allow osquery_t kernel_t:lnk_file { getattr read }; - -#!!!! 
This avc can be allowed using the boolean 'domain_can_write_kmsg' -allow osquery_t kmsg_device_t:chr_file getattr; -allow osquery_t ldconfig_exec_t:file getattr; -allow osquery_t load_policy_exec_t:file getattr; -allow osquery_t loadkeys_exec_t:file getattr; -allow osquery_t login_exec_t:file getattr; -allow osquery_t logrotate_exec_t:file getattr; -allow osquery_t loop_control_device_t:chr_file getattr; -allow osquery_t lvm_control_t:chr_file { getattr ioctl open read write }; -allow osquery_t lvm_etc_t:dir { getattr open read }; -allow osquery_t lvm_etc_t:file { getattr open read }; -allow osquery_t lvm_exec_t:file getattr; -allow osquery_t lvm_lock_t:dir { add_name getattr read remove_name search write }; -allow osquery_t lvm_lock_t:file { append create getattr lock open read unlink }; -allow osquery_t lvm_metadata_t:dir { add_name getattr open read remove_name write }; -allow osquery_t lvm_metadata_t:file { create getattr lock open read rename unlink write }; -allow osquery_t lvm_t:dir { getattr open read search }; -allow osquery_t lvm_t:file { getattr open read }; - -allow osquery_t lvm_t:lnk_file { getattr read }; -allow osquery_t lvm_unit_file_t:file getattr; -allow osquery_t mandb_exec_t:file getattr; -allow osquery_t mdadm_exec_t:file getattr; -allow osquery_t memory_device_t:chr_file getattr; -allow osquery_t modules_conf_t:dir { getattr open read }; -allow osquery_t modules_conf_t:file getattr; -allow osquery_t mount_exec_t:file getattr; -allow osquery_t mouse_device_t:chr_file getattr; -allow osquery_t mtrr_device_t:file getattr; -allow osquery_t mysqld_etc_t:dir { getattr open read }; -allow osquery_t mysqld_etc_t:file getattr; -allow osquery_t namespace_init_exec_t:file getattr; -allow osquery_t netcontrol_device_t:chr_file getattr; -allow osquery_t netutils_exec_t:file getattr; -allow osquery_t nfsd_exec_t:file getattr; -allow osquery_t nfsd_unit_file_t:file getattr; -allow osquery_t nvram_device_t:chr_file getattr; -allow osquery_t 
oddjob_mkhomedir_exec_t:file getattr; -allow osquery_t osquery_conf_t:file getattr; -allow osquery_t osquery_unit_file_t:file getattr; -allow osquery_t pam_console_exec_t:file getattr; -allow osquery_t pam_timestamp_exec_t:file getattr; -allow osquery_t passwd_exec_t:file getattr; -allow osquery_t pinentry_exec_t:file getattr; -allow osquery_t ping_exec_t:file getattr; -allow osquery_t plymouth_exec_t:file getattr; -allow osquery_t plymouthd_exec_t:file getattr; -allow osquery_t policykit_auth_exec_t:file getattr; -allow osquery_t policykit_exec_t:file getattr; -allow osquery_t policykit_t:dir { getattr open read search }; -allow osquery_t policykit_t:file { getattr open read }; - -allow osquery_t policykit_t:lnk_file { getattr read }; -allow osquery_t postfix_etc_t:dir { getattr open read }; -allow osquery_t postfix_etc_t:file getattr; -allow osquery_t postfix_map_exec_t:file getattr; -allow osquery_t postfix_master_exec_t:file getattr; -allow osquery_t postfix_master_t:dir { getattr open read search }; -allow osquery_t postfix_master_t:file { getattr open read }; - -allow osquery_t postfix_master_t:lnk_file { getattr read }; -allow osquery_t postfix_pickup_exec_t:file getattr; -allow osquery_t postfix_pickup_t:dir { getattr open read search }; -allow osquery_t postfix_pickup_t:file { getattr open read }; - -allow osquery_t postfix_pickup_t:lnk_file { getattr read }; -allow osquery_t postfix_postdrop_exec_t:file getattr; -allow osquery_t postfix_postqueue_exec_t:file getattr; -allow osquery_t postfix_qmgr_exec_t:file getattr; -allow osquery_t postfix_qmgr_t:dir { getattr open read search }; -allow osquery_t postfix_qmgr_t:file { getattr open read }; - -allow osquery_t postfix_qmgr_t:lnk_file { getattr read }; -allow osquery_t postfix_spool_t:dir getattr; -allow osquery_t ppp_device_t:chr_file getattr; -allow osquery_t pppd_etc_rw_t:dir { getattr open read }; -allow osquery_t pppd_etc_t:dir { getattr open read }; -allow osquery_t pppd_exec_t:file getattr; -allow 
osquery_t pppd_initrc_exec_t:file getattr; -allow osquery_t proc_kcore_t:file getattr; -allow osquery_t proc_kmsg_t:file getattr; -allow osquery_t proc_mdstat_t:file getattr; -allow osquery_t proc_net_t:file { getattr open read }; -allow osquery_t proc_t:dir read; -allow osquery_t proc_t:file { getattr open read }; -allow osquery_t proc_t:filesystem getattr; -allow osquery_t pstore_t:filesystem getattr; -allow osquery_t ptmx_t:chr_file getattr; -allow osquery_t quota_exec_t:file getattr; - -#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap' -allow osquery_t random_device_t:chr_file getattr; -allow osquery_t rdisc_exec_t:file getattr; -allow osquery_t rpc_pipefs_t:filesystem getattr; -allow osquery_t rpcbind_exec_t:file getattr; -allow osquery_t rpcbind_t:dir { getattr open read search }; -allow osquery_t rpcbind_t:file { getattr open read }; - -allow osquery_t rpcbind_t:lnk_file { getattr read }; -allow osquery_t rpcd_exec_t:file getattr; -allow osquery_t rpcd_unit_file_t:file getattr; -allow osquery_t rpm_exec_t:file getattr; -allow osquery_t rpm_script_tmp_t:dir read; -allow osquery_t rsync_etc_t:file getattr; -allow osquery_t rsync_exec_t:file getattr; -allow osquery_t screen_exec_t:file getattr; -allow osquery_t scsi_generic_device_t:chr_file getattr; -allow osquery_t self:capability { dac_override sys_rawio }; -allow osquery_t self:netlink_kobject_uevent_socket { bind create getattr setopt }; -allow osquery_t self:process setsched; - -#!!!! The file '/var/osquery/osquery.em' is mislabeled on your system. -#!!!! Fix with $ restorecon -R -v /var/osquery/osquery.em -#!!!! 
This avc can be allowed using the boolean 'daemons_enable_cluster_mode' -allow osquery_t self:unix_stream_socket connectto; -allow osquery_t selinux_config_t:dir read; -allow osquery_t selinux_login_config_t:dir { getattr open read }; -allow osquery_t semanage_exec_t:file getattr; -allow osquery_t semanage_store_t:dir { getattr open read }; -allow osquery_t semanage_store_t:file { getattr open read }; -allow osquery_t sendmail_exec_t:file getattr; -allow osquery_t setfiles_exec_t:file getattr; -allow osquery_t setsebool_exec_t:file getattr; -allow osquery_t shadow_t:file getattr; -allow osquery_t showmount_exec_t:file getattr; - -#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap' -allow osquery_t slapd_cert_t:dir { getattr open read }; - -#!!!! This avc can be allowed using the boolean 'authlogin_nsswitch_use_ldap' -allow osquery_t slapd_cert_t:file getattr; -allow osquery_t sound_device_t:chr_file getattr; -allow osquery_t ssh_agent_exec_t:file getattr; -allow osquery_t ssh_exec_t:file getattr; -allow osquery_t ssh_home_t:dir { getattr open read }; -allow osquery_t ssh_home_t:file getattr; -allow osquery_t ssh_keygen_exec_t:file getattr; -allow osquery_t sshd_exec_t:file getattr; -allow osquery_t sshd_key_t:file getattr; -allow osquery_t sshd_keygen_exec_t:file getattr; -allow osquery_t sshd_t:dir { getattr open read search }; -allow osquery_t sshd_t:file { getattr open read }; - -allow osquery_t sshd_t:lnk_file { getattr read }; -allow osquery_t sshd_unit_file_t:file getattr; -allow osquery_t su_exec_t:file getattr; -allow osquery_t sudo_exec_t:file getattr; -allow osquery_t sulogin_exec_t:file getattr; -allow osquery_t sysctl_fs_t:dir search; -allow osquery_t sysctl_irq_t:dir getattr; -allow osquery_t sysctl_t:file getattr; -allow osquery_t sysfs_t:dir read; -allow osquery_t sysfs_t:file { getattr open read }; -allow osquery_t sysfs_t:filesystem getattr; -allow osquery_t sysfs_t:lnk_file { getattr read }; -allow osquery_t 
syslog_conf_t:dir { getattr open read }; -allow osquery_t syslog_conf_t:file getattr; -allow osquery_t syslogd_exec_t:file getattr; -allow osquery_t syslogd_t:dir { getattr open read search }; -allow osquery_t syslogd_t:file { getattr open read }; - -allow osquery_t syslogd_t:lnk_file { getattr read }; -allow osquery_t system_cron_spool_t:dir { getattr open read }; -allow osquery_t system_cron_spool_t:file { getattr open read }; -allow osquery_t system_cronjob_t:dir { getattr open read search }; -allow osquery_t system_cronjob_t:file { getattr open read }; - -allow osquery_t system_cronjob_t:lnk_file { getattr read }; -allow osquery_t system_dbusd_t:dir { getattr open read search }; -allow osquery_t system_dbusd_t:file { getattr open read }; - -allow osquery_t system_dbusd_t:lnk_file { getattr read }; -allow osquery_t systemd_hwdb_etc_t:file getattr; -allow osquery_t systemd_hwdb_exec_t:file getattr; -allow osquery_t systemd_logind_exec_t:file getattr; -allow osquery_t systemd_logind_t:dir { getattr open read search }; -allow osquery_t systemd_logind_t:file { getattr open read }; - -allow osquery_t systemd_logind_t:lnk_file { getattr read }; -allow osquery_t systemd_notify_exec_t:file getattr; -allow osquery_t systemd_passwd_agent_exec_t:file getattr; -allow osquery_t systemd_systemctl_exec_t:file getattr; -allow osquery_t systemd_tmpfiles_exec_t:file getattr; -allow osquery_t systemd_unit_file_t:dir { open read }; -allow osquery_t systemd_unit_file_t:file getattr; -allow osquery_t systemd_unit_file_t:lnk_file read; -allow osquery_t tcpd_exec_t:file getattr; -allow osquery_t thumb_exec_t:file getattr; - -#!!!! WARNING: 'tmp_t' is a base type. -allow osquery_t tmp_t:dir { add_name read remove_name write }; -allow osquery_t tmp_t:file { create unlink write }; - -#!!!! WARNING: 'tmp_t' is a base type. 
-allow osquery_t tmp_t:lnk_file { create unlink }; -allow osquery_t tmpfs_t:dir read; -allow osquery_t tmpfs_t:filesystem getattr; -allow osquery_t traceroute_exec_t:file getattr; -allow osquery_t tun_tap_device_t:chr_file getattr; -allow osquery_t tuned_etc_t:dir { getattr open read }; -allow osquery_t tuned_etc_t:file getattr; -allow osquery_t tuned_exec_t:file getattr; -allow osquery_t tuned_rw_etc_t:file getattr; -allow osquery_t tuned_t:dir { getattr open read search }; -allow osquery_t tuned_t:file { getattr open read }; - -allow osquery_t tuned_t:lnk_file { getattr read }; -allow osquery_t udev_exec_t:file getattr; -allow osquery_t udev_rules_t:dir { getattr open read }; -allow osquery_t udev_rules_t:file getattr; -allow osquery_t udev_t:dir { getattr open read search }; -allow osquery_t udev_t:file { getattr open read }; -allow osquery_t udev_t:lnk_file { getattr read }; -allow osquery_t udev_var_run_t:file { getattr open read }; -allow osquery_t uhid_device_t:chr_file getattr; -allow osquery_t unconfined_service_t:dir { getattr open read search }; -allow osquery_t unconfined_service_t:file { getattr open read }; -allow osquery_t unconfined_service_t:lnk_file { getattr read }; -allow osquery_t unconfined_t:dir { getattr open read search }; -allow osquery_t unconfined_t:file { getattr open read }; -allow osquery_t unconfined_t:lnk_file { getattr read }; - -#!!!! WARNING: 'unlabeled_t' is a base type. -#!!!! The file '/etc/sysconfig/cloud-info' is mislabeled on your system. -#!!!! 
Fix with $ restorecon -R -v /etc/sysconfig/cloud-info -allow osquery_t unlabeled_t:file getattr; -allow osquery_t updpwd_exec_t:file getattr; -allow osquery_t usbmon_device_t:chr_file getattr; -allow osquery_t user_cron_spool_t:dir { getattr open read }; -allow osquery_t user_fonts_t:dir { getattr open read search }; -allow osquery_t user_home_dir_t:dir getattr; -allow osquery_t user_tmp_t:dir read; -allow osquery_t useradd_exec_t:file getattr; -allow osquery_t userhelper_conf_t:dir { getattr open read }; -allow osquery_t userhelper_conf_t:file getattr; -allow osquery_t userhelper_exec_t:file getattr; -allow osquery_t usernetctl_exec_t:file getattr; -allow osquery_t var_log_t:lnk_file unlink; - -#!!!! WARNING 'osquery_t' is not allowed to write or create to var_run_t. Change the label to osquery_var_run_t. -allow osquery_t var_run_t:dir { add_name remove_name write }; - -#!!!! WARNING 'osquery_t' is not allowed to write or create to var_run_t. Change the label to osquery_var_run_t. -#!!!! $ semanage fcontext -a -t osquery_var_run_t /run/osqueryd.pid -#!!!! $ restorecon -R -v /run/osqueryd.pid -#!!!! The file '/run/osqueryd.pid' is mislabeled on your system. -#!!!! Fix with $ restorecon -R -v /run/osqueryd.pid -allow osquery_t var_run_t:file { append create getattr open read setattr unlink }; - -#!!!! WARNING: 'var_t' is a base type. 
-allow osquery_t var_t:dir { add_name read remove_name setattr write }; -allow osquery_t var_t:file { create getattr lock open read rename unlink write }; -allow osquery_t var_t:sock_file { create getattr unlink write }; -allow osquery_t vfio_device_t:chr_file getattr; -allow osquery_t vhost_device_t:chr_file getattr; -allow osquery_t virt_qemu_ga_exec_t:file getattr; -allow osquery_t virt_qemu_ga_unconfined_exec_t:dir { getattr open read }; -allow osquery_t vlock_exec_t:file getattr; -allow osquery_t wtmp_t:file { open read }; -allow osquery_t xserver_etc_t:dir { getattr open read }; -allow osquery_t xserver_misc_device_t:chr_file getattr; - -allow osquery_t print_spool_t:dir search; -allow osquery_t rpcbind_var_lib_t:dir search; -allow osquery_t self:capability sys_ptrace; - -#============= unconfined_t ============== - -#!!!! This avc is allowed in the current policy -allow unconfined_t osquery_conf_t:file relabelto; - diff --git a/osquery/roles/osquery/vars/CentOS.yml b/osquery/roles/osquery/vars/CentOS.yml index 739cf1be..28dafbd2 100644 --- a/osquery/roles/osquery/vars/CentOS.yml +++ b/osquery/roles/osquery/vars/CentOS.yml @@ -4,7 +4,6 @@ osquery_packages: - osquery - rsyslog - - libselinux-python osquery_debug_packages: - osquery-debuginfo diff --git a/osquery/roles/osquery/vars/RedHat.yml b/osquery/roles/osquery/vars/RedHat.yml index 739cf1be..28dafbd2 100644 --- a/osquery/roles/osquery/vars/RedHat.yml +++ b/osquery/roles/osquery/vars/RedHat.yml @@ -4,7 +4,6 @@ osquery_packages: - osquery - rsyslog - - libselinux-python osquery_debug_packages: - osquery-debuginfo diff --git a/osquery/setupOSqueryPacks.yml b/osquery/setupOSqueryPacks.yml index 58d2a927..1dfb4591 100644 --- a/osquery/setupOSqueryPacks.yml +++ b/osquery/setupOSqueryPacks.yml 
@@ -14,7 +14,7 @@
# limitations under the License.
- name: Setup osquery packs
- hosts: "{{ kolide_fleet_host | default(groups['kolide-fleet_all'][0]) }}"
+ hosts: kolide-fleet_all[0]
become: false
vars_files:
- vars/variables.yml
diff --git a/osquery/tests/_container-setup.yml b/osquery/tests/_container-setup.yml
new file mode 100644
index 00000000..a1b724c7
--- /dev/null
+++ b/osquery/tests/_container-setup.yml
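Review bot: The new `hosts: kolide-fleet_all[0]` silently drops the `kolide_fleet_host` override that the removed line honoured, so a deployer who still sets that variable to aim the pack setup at a particular Fleet node now gets the first inventory member instead, with no warning. If the override is meant to stay supported, `hosts: "{{ kolide_fleet_host | default('kolide-fleet_all[0]') }}"` keeps both behaviours; if it is being retired, say so wherever the variable is documented. The rest of the play lies outside this hunk.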
@@ -0,0 +1,73 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Setup host for nspawn
+ hosts: localhost
+ connection: local
+ become: true
+ vars:
+ nspawn_networks:
+ nspawn_address:
+ bridge: "nspawn0"
+ private_device: true
+ enable_dhcp: true
+ dhcp_range: 10.100.101.2,10.100.101.129
+ address: 10.100.101.1
+ netmask: 255.255.255.0
+ macvlan_mode: bridge
+
+ pre_tasks:
+ - name: Ensure root ssh key
+ user:
+ name: "{{ ansible_env.USER | default('root') }}"
+ generate_ssh_key: "yes"
+ ssh_key_bits: 2048
+ ssh_key_file: ".ssh/id_rsa"
+
+ - name: Get root ssh key
+ slurp:
+ src: '~/.ssh/id_rsa.pub'
+ register: _root_ssh_key
+
+ - name: Prepare container ssh key fact
+ set_fact:
+ nspawn_container_ssh_key: "{{ _root_ssh_key['content'] | b64decode }}"
+
+ - name: Ensure public ssh key is in authorized_keys
+ authorized_key:
+ user: "{{ ansible_env.USER | default('root') }}"
+ key: "{{ nspawn_container_ssh_key }}"
+ manage_dir: no
+
+ roles:
+ - role: "nspawn_hosts"
+
+
+- name: Create container(s)
+ hosts: all_containers
+ gather_facts: false
+ become: true
+ pre_tasks:
+ - name: Show container facts
+ debug:
+ var: hostvars
+
+ roles:
+ - role: "nspawn_container_create"
+
+ post_tasks:
+ - name: Rescan quotas
+ command: "btrfs quota rescan -w /var/lib/machines"
+ delegate_to: "{{ physical_host }}"
diff --git a/osquery/tests/_key-setup.yml b/osquery/tests/_key-setup.yml
new file mode 100644
index 00000000..8376ed35
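Review bot: The `Show container facts` task dumps the whole `hostvars` structure, which carries every extra var passed to the play, so the `galera_root_password`, `kolide_fleet_db_password`, `kolide_fleet_admin_password` and `kolide_fleet_jwt_key` values loaded from `test-vars.yml` end up on stdout and, because functional.yml runs this playbook with `ANSIBLE_LOG_PATH` pointed into `/tmp/osquery-logs`, in a log that `post-run.yml` then copies to the executor's published logs. The values in this diff are dummies, but the pattern leaks real secrets the moment someone reuses the playbook with a real vars file. Narrow it to what is actually being debugged, e.g. `var: hostvars[inventory_hostname]['container_networks']`, or drop the task. The `pre_tasks` block also adds root's freshly generated key to root's own `authorized_keys`, which is fine for a throw-away CI node but should not be run against a shared host.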
--- /dev/null
+++ b/osquery/tests/_key-setup.yml
@@ -0,0 +1,41 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Setup host keys
+ hosts: physical_hosts
+ connection: local
+ become: true
+ tasks:
+ - name: Ensure root ssh key
+ user:
+ name: "{{ ansible_env.USER | default('root') }}"
+ generate_ssh_key: "yes"
+ ssh_key_bits: 2048
+ ssh_key_file: ".ssh/id_rsa"
+
+ - name: Get root ssh key
+ slurp:
+ src: '~/.ssh/id_rsa.pub'
+ register: _root_ssh_key
+
+ - name: Prepare container ssh key fact
+ set_fact:
+ nspawn_container_ssh_key: "{{ _root_ssh_key['content'] | b64decode }}"
+
+ - name: Ensure public ssh key is in authorized_keys
+ authorized_key:
+ user: "{{ ansible_env.USER | default('root') }}"
+ key: "{{ nspawn_container_ssh_key }}"
+ manage_dir: no
diff --git a/osquery/tests/ansible-role-requirements.yml b/osquery/tests/ansible-role-requirements.yml
new file mode 100644
index 00000000..85ba806d
--- /dev/null
+++ b/osquery/tests/ansible-role-requirements.yml
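Review bot: `hosts: physical_hosts` matches no group in either new test inventory (`test-metal-inventory.yml` defines only `all`, `hosts`, `mariadb_all`, `mariadb`, `fleet_all`, `kolide-fleet_all` and `kolide-fleet`), so when functional.yml runs this playbook for the metal case Ansible will just warn that the pattern matched nothing and the key setup never happens. The sibling `_container-setup.yml` in this diff targets `hosts: localhost`, and the ELK copy of this play appears to have been switched from `physical_hosts` to `localhost` for the same reason, so `hosts: localhost` is the consistent fix. Separately, the four tasks here are a verbatim copy of that play's `pre_tasks`; an `import_tasks` of one shared task file would keep the two from drifting.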
@@ -0,0 +1,33 @@
+---
+- name: apt_package_pinning
+ scm: git
+ src: https://git.openstack.org/openstack/openstack-ansible-apt_package_pinning
+ version: master
+- name: config_template
+ scm: git
+ src: https://git.openstack.org/openstack/ansible-config_template
+ version: master
+- name: nspawn_container_create
+ scm: git
+ src: https://git.openstack.org/openstack/openstack-ansible-nspawn_container_create
+ version: master
+- name: nspawn_hosts
+ scm: git
+ src: https://git.openstack.org/openstack/openstack-ansible-nspawn_hosts
+ version: master
+- name: plugins
+ scm: git
+ src: https://git.openstack.org/openstack/openstack-ansible-plugins
+ version: master
+- name: systemd_mount
+ scm: git
+ src: https://git.openstack.org/openstack/ansible-role-systemd_mount
+ version: master
+- name: systemd_networkd
+ scm: git
+ src: https://git.openstack.org/openstack/ansible-role-systemd_networkd
+ version: master
+- name: systemd_service
+ scm: git
+ src: https://git.openstack.org/openstack/ansible-role-systemd_service
+ version: master
diff --git a/osquery/tests/functional.yml b/osquery/tests/functional.yml
new file mode 100644
index 00000000..1eed027c
--- /dev/null
+++ b/osquery/tests/functional.yml
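Review bot: All eight roles are pulled at `version: master`, so every gate run fetches whatever is on the upstream branch at that moment: the job is not reproducible, and an upstream regression or a compromised role repository lands in CI without any change to this tree. functional.yml also installs this file with `--ignore-errors`, so a failed clone of one of them is swallowed rather than failing the job. Pin each `version:` to a specific commit SHA or release tag and bump them deliberately, and drop `--ignore-errors` from the install so a missing role fails fast.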
@@ -0,0 +1,158 @@ +--- +# Copyright 2018, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- import_playbook: run-setup.yml + +- name: Basic setup + hosts: "all" + become: true + + environment: + # ZUUL_PROJECT is used by tests/get-ansible-role-requirements to + # determine when CI provided repos should be used. + ZUUL_PROJECT: "{{ zuul.project.short_name }}" + ANSIBLE_PACKAGE: "{{ ansible_package | default('') }}" + ANSIBLE_HOST_KEY_CHECKING: "False" + ANSIBLE_LOG_PATH: "/tmp/osquery-logs/ansible-osquery-test.log" + + vars: + inventory_file: "inventory/test-{{ (contianer_inventory | bool) | ternary('container', 'metal') }}-inventory.yml" + + pre_tasks: + - name: Create swap file + command: "dd if=/dev/zero of=/swap.img bs=1M count=4096" + args: + creates: /swap.img + register: swap_create + + - name: Format the swap file + command: mkswap /swap.img + when: + - swap_create is changed + tags: + - swap-format + - skip_ansible_lint + + - name: Enable swap file + command: swapon /swap.img + failed_when: false + tags: + - swap-format + - skip_ansible_lint + + - name: Set system swappiness + sysctl: + name: vm.swappiness + value: 10 + state: present + reload: "yes" + sysctl_file: /etc/sysctl.d/99-elasticsearch.conf + + - name: Create tmp osquery dir + file: + path: "/tmp/osquery-logs" + state: directory + + - name: Flush iptables rules + command: "{{ item }}" + args: + creates: "/tmp/osquery-logs/iptables.flushed" + with_items: + - "iptables -F" + - 
"iptables -X" + - "iptables -t nat -F" + - "iptables -t nat -X" + - "iptables -t mangle -F" + - "iptables -t mangle -X" + - "iptables -P INPUT ACCEPT" + - "iptables -P FORWARD ACCEPT" + - "iptables -P OUTPUT ACCEPT" + - "touch /tmp/osquery-logs/iptables.flushed" + + - name: First ensure apt cache is always refreshed + apt: + update_cache: yes + when: + - ansible_pkg_mgr == 'apt' + + tasks: + - name: Run embedded ansible installation + become: yes + become_user: root + command: "./bootstrap-embedded-ansible.sh" + args: + chdir: "src/{{ current_test_repo }}/osquery" + + - name: Run ansible-galaxy (tests) + become: yes + become_user: root + command: "/root/ansible25/bin/ansible-galaxy install --force --ignore-errors --roles-path=/root/ansible25/repositories/roles -r ansible-role-requirements.yml" + args: + chdir: "src/{{ current_test_repo }}/osquery/tests" + + - name: Run ansible-galaxy (osquery) + become: yes + become_user: root + command: "/root/ansible25/bin/ansible-galaxy install --force --ignore-errors --roles-path=/root/ansible25/repositories/roles -r ansible-role-requirements.yml" + args: + chdir: "src/{{ current_test_repo }}/osquery" + + - name: Run environment setup + become: yes + become_user: root + command: "/root/ansible25/bin/ansible-playbook -i {{ inventory_file }} -e @test-vars.yml _key-setup.yml" + environment: + ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action" + ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection" + ANSIBLE_LOG_PATH: "/tmp/osquery-logs/ansible-osquery-test-container-setup.log" + ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles + args: + chdir: "src/{{ current_test_repo }}/osquery/tests" + when: + - ansible_service_mgr != 'systemd' or + not (contianer_inventory | bool) + + - name: Run environment setup + become: yes + become_user: root + command: "/root/ansible25/bin/ansible-playbook -i {{ inventory_file }} -e @test-vars.yml _container-setup.yml" + 
environment: + ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action" + ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection" + ANSIBLE_LOG_PATH: "/tmp/osquery-logs/ansible-osquery-test-container-setup.log" + ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles + args: + chdir: "src/{{ current_test_repo }}/osquery/tests" + when: + - ansible_service_mgr == 'systemd' + - contianer_inventory | bool + + - name: Wait 15 seconds + command: "sleep 15" + changed_when: false + when: + - ansible_service_mgr == 'systemd' + + - name: Run functional test + become: yes + become_user: root + command: "/root/ansible25/bin/ansible-playbook -i tests/{{ inventory_file }} -e @tests/test-vars.yml site.yml" + environment: + ANSIBLE_ACTION_PLUGINS: "/root/ansible25/repositories/ansible-config_template/action" + ANSIBLE_CONNECTION_PLUGINS: "/root/ansible25/repositories/openstack-ansible-plugins/connection" + ANSIBLE_LOG_PATH: "/tmp/osquery-logs/ansible-osquery-test-deployment.log" + ANSIBLE_ROLES_PATH: /root/ansible25/repositories/roles + args: + chdir: "src/{{ current_test_repo }}/osquery" diff --git a/osquery/tests/inventory/test-container-inventory.yml b/osquery/tests/inventory/test-container-inventory.yml new file mode 100644 index 00000000..4007b6db --- /dev/null +++ b/osquery/tests/inventory/test-container-inventory.yml 
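Review bot: The `Create swap file` task writes `/swap.img` with `dd` under the default umask and nothing ever tightens its mode, so the file that will hold paged-out process memory (including whatever the Fleet and MariaDB processes have in RAM) is created readable by every local user; `swapon` prints an "insecure permissions" warning for exactly this case. Add a `file` task setting `mode: "0600"` between the `dd` and `mkswap` steps, as below. Two smaller things in the same hunk: both `ansible-galaxy install` tasks pass `--ignore-errors`, which hides a failed role fetch (run-tests.sh installs the same file without it and fails hard), and `sysctl_file: /etc/sysctl.d/99-elasticsearch.conf` is carried over from the ELK tests and would be clearer as `99-osquery.conf`.
```yaml
      register: swap_create

    - name: Restrict swap file permissions
      file:
        path: /swap.img
        mode: "0600"

    # … unchanged: Format the swap file, Enable swap file, sysctl, log dir, iptables …
```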
@@ -0,0 +1,52 @@ +--- +all: + hosts: + # Local host + localhost: + ansible_connection: local + ansible_host: 127.0.0.1 + ansible_user: root + + kolide-fleet1: + ansible_host: 172.29.236.100 + ansible_user: root + + +hosts: + vars: + physical_host: localhost + management_cidr: "172.29.236.0/24" + container_networks: + management_address: + address: "172.29.236.1" + netmask: "255.255.255.0" + bridge: "{{ hostvars[physical_host]['ansible_default_ipv4']['alias'] }}" + + hosts: + localhost: {} + + +all_containers: + vars: + physical_host: localhost + container_tech: nspawn + container_networks: + management_address: + address: "{{ ansible_host }}" + netmask: "255.255.255.0" + bridge: "{{ hostvars[physical_host]['ansible_default_ipv4']['alias'] }}" + + children: + mariadb_all: + children: + mariadb: + hosts: + kolide-fleet1: {} + + fleet_all: + children: + kolide-fleet_all: + children: + kolide-fleet: + hosts: + kolide-fleet1: {} diff --git a/osquery/tests/inventory/test-metal-inventory.yml b/osquery/tests/inventory/test-metal-inventory.yml new file mode 100644 index 00000000..99055900 --- /dev/null +++ b/osquery/tests/inventory/test-metal-inventory.yml @@ -0,0 +1,28 @@ +--- +all: + hosts: + # Local host + localhost: + ansible_connection: local + ansible_host: 127.0.0.1 + ansible_user: root + +hosts: + hosts: + localhost: {} + + +mariadb_all: + children: + mariadb: + hosts: + localhost: {} + + +fleet_all: + children: + kolide-fleet_all: + children: + kolide-fleet: + hosts: + localhost: {} diff --git a/osquery/tests/manual-test.rc b/osquery/tests/manual-test.rc new file mode 100644 index 00000000..59460552 --- /dev/null +++ b/osquery/tests/manual-test.rc 
@@ -0,0 +1,16 @@
+export ANSIBLE_HOST_KEY_CHECKING="False"
+export ANSIBLE_ROLES_PATH="${HOME}/ansible25/repositories/roles"
+export ANSIBLE_ACTION_PLUGINS="${HOME}/ansible25/repositories/roles/config_template/action"
+export ANSIBLE_CONNECTION_PLUGINS="${HOME}/ansible25/repositories/roles/plugins/connection"
+export ANSIBLE_LOG_PATH="/tmp/osquery-logs/ansible-elk-test.log"
+
+if [[ ! -d "/tmp/osquery-logs" ]]; then
+ mkdir -pv "/tmp/osquery-logs"
+ chmod 0777 "/tmp/osquery-logs"
+fi
+
+echo "To build a test environment run the following:"
+echo -e "# /root/ansible25/bin/ansible-playbook -i tests/inventory/test-container-inventory.yml tests/test.yml --limit localhost\n"
+
+echo "Run manual functional tests by executing the following:"
+echo -e "# /root/ansible25/bin/ansible-playbook -i tests/inventory/test-container-inventory.yml site.yml\n"
diff --git a/osquery/tests/post-run.yml b/osquery/tests/post-run.yml
new file mode 100644
index 00000000..995a7c0b
--- /dev/null
+++ b/osquery/tests/post-run.yml
@@ -0,0 +1,27 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- import_playbook: run-setup.yml
+
+- name: Run post tasks
+ hosts: "all"
+ tasks:
+ - name: Copy logs back to the executor
+ synchronize:
+ src: "/tmp/osquery-logs"
+ dest: "{{ zuul.executor.log_root }}/"
+ mode: pull
+ rsync_opts:
+ - "--quiet"
diff --git a/osquery/tests/run-cleanup.sh b/osquery/tests/run-cleanup.sh
new file mode 100755
index 00000000..d61f4a38
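Review bot: `chmod 0777 "/tmp/osquery-logs"` makes the log directory world-writable, so any local user can replace or symlink `ansible-elk-test.log` (and the other logs written there) before root writes them, and `post-run.yml` then ships whatever ended up there to the executor. Everything that writes into this directory runs as root out of `/root/ansible25`, so the default mode from `mkdir -pv` is sufficient; drop the `chmod` line, or use `chmod 0750` if a group needs read access. The log name `ansible-elk-test.log` also looks carried over from the ELK tests; `ansible-osquery-test.log` would match what functional.yml uses.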
--- /dev/null
+++ b/osquery/tests/run-cleanup.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+export TEST_DIR="$(readlink -f $(dirname ${0})/../../)"
+
+# Stop beat processes
+(systemctl stop osqueryd.service || true) &
+
+# Stop and remove containers
+for i in {1..3}; do
+ if machinectl list-images | grep -v ubuntu | awk '/sub/ {print $1}' | xargs -n 1 machinectl kill; then
+ sleep 1
+ fi
+done
+
+for i in {1..3}; do
+ if machinectl list-images | grep -v ubuntu | awk '/sub/ {print $1}' | xargs -n 1 machinectl remove; then
+ sleep 1
+ fi
+done
diff --git a/osquery/tests/run-setup.yml b/osquery/tests/run-setup.yml
new file mode 100644
index 00000000..f625c012
--- /dev/null
+++ b/osquery/tests/run-setup.yml
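Review bot: When `machinectl list-images` yields no matching image, GNU `xargs -n 1` still invokes `machinectl kill` (and later `machinectl remove`) once with no arguments; the resulting error is hidden by the `if`, so the loops simply spin three times without sleeping and nothing signals whether cleanup did anything. `xargs -r -n 1 machinectl kill` (and the same for `remove`) skips the invocation on empty input. The comment `# Stop beat processes` is copied from the ELK cleanup script and should read `# Stop the osquery daemon` for the line below it, and `TEST_DIR` is exported but never used in this file.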
@@ -0,0 +1,53 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Zuul facts
+ hosts: "all"
+ tasks:
+ - name: Set zuul fact
+ set_fact:
+ zuul:
+ project:
+ canonical_name: "openstack-ansible-ops"
+ short_name: "ops"
+ executor:
+ log_root: "{{ ansible_env.HOME }}/elk-test-logs"
+ when:
+ - zuul is not defined
+
+ - name: Print zuul fact
+ debug: var=zuul
+
+ - name: Set current test repo (cross-repo)
+ set_fact:
+ current_test_repo: "git.openstack.org/{{ osa_test_repo }}"
+ when:
+ - osa_test_repo is defined
+
+ - name: Set current test repo (non-cross-repo)
+ set_fact:
+ current_test_repo: "{{ zuul.project.canonical_name }}"
+ when:
+ - osa_test_repo is not defined
+
+ - name: Set inventory for test
+ set_fact:
+ contianer_inventory: "{{ test_clustered_kolide | default(false) | bool }}"
+
+ post_tasks:
+ - name: Ensure the log directory exists
+ file:
+ path: "/tmp/osquery-logs"
+ state: directory
diff --git a/osquery/tests/run-tests.sh b/osquery/tests/run-tests.sh
new file mode 100755
index 00000000..4252e832
--- /dev/null
+++ b/osquery/tests/run-tests.sh
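Review bot: The fallback `log_root: "{{ ansible_env.HOME }}/elk-test-logs"` is carried over from the ELK test setup, so local runs of this osquery job drop their logs into an `elk-test-logs` directory; `{{ ansible_env.HOME }}/osquery-test-logs` would be less confusing. The fact name `contianer_inventory` is a typo that functional.yml then repeats three times; if it is renamed to `container_inventory` here, those references must change in the same commit. `debug: var=zuul` also prints the whole fact on every run, which is fine for CI but worth a `verbosity: 1` so it only appears with `-v`.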
@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -ve
+
+export TEST_DIR="$(readlink -f $(dirname ${0})/../../)"
+
+pushd "${HOME}"
+ if [[ ! -d "src" ]]; then
+ mkdir src
+ fi
+ pushd src
+ ln -sf "${TEST_DIR}"
+ popd
+popd
+
+source ${TEST_DIR}/osquery/tests/manual-test.rc
+
+bash -v "${TEST_DIR}/osquery/bootstrap-embedded-ansible.sh"
+
+${HOME}/ansible25/bin/ansible-galaxy install --force \
+ --roles-path="${HOME}/ansible25/repositories/roles" \
+ --role-file="${TEST_DIR}/osquery/tests/ansible-role-requirements.yml"
+
+if [[ ! -e "${TEST_DIR}/osquery/tests/src" ]]; then
+ ln -s ${TEST_DIR}/../ ${TEST_DIR}/osquery/tests/src
+fi
+
+${HOME}/ansible25/bin/ansible-playbook -i 'localhost,' \
+ -vv \
+ -e ansible_connection=local \
+ -e test_clustered_kolide=${CLUSTERED:-no} \
+ ${TEST_DIR}/osquery/tests/test.yml
diff --git a/osquery/tests/test-vars.yml b/osquery/tests/test-vars.yml
new file mode 100644
index 00000000..c6c1b4e9
--- /dev/null
+++ b/osquery/tests/test-vars.yml
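Review bot: Several expansions are unquoted — `readlink -f $(dirname ${0})/../../`, `source ${TEST_DIR}/osquery/tests/manual-test.rc`, `ln -s ${TEST_DIR}/../ ${TEST_DIR}/osquery/tests/src`, and the final `-e test_clustered_kolide=${CLUSTERED:-no}` and `${TEST_DIR}/osquery/tests/test.yml` arguments — so the script breaks on a checkout path containing whitespace; quote them the way the `--roles-path`/`--role-file` lines already do. `ln -sf "${TEST_DIR}"` with no link name also relies on the basename of the checkout being the repository name the tests expect under `src/`; if that is deliberate, a one-line comment saying so would help the next reader. `set -ve` additionally echoes every script line on top of the `-vv` playbook output, which is a lot of noise for the gate log.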
@@ -0,0 +1,23 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+physical_host: localhost
+
+galera_root_password: secrete
+kolide_fleet_db_password: secrete
+kolide_fleet_admin_password: secrete
+kolide_fleet_jwt_key: secrete
+
+osa_test_repo: "openstack/openstack-ansible-ops"
diff --git a/osquery/tests/test.yml b/osquery/tests/test.yml
new file mode 100644
index 00000000..10c20f91
--- /dev/null
+++ b/osquery/tests/test.yml
@@ -0,0 +1,16 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- import_playbook: functional.yml
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 8c4a99af..19b5828b 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
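Review bot: The four credentials here — the Galera root password, the Fleet database and admin passwords, and `kolide_fleet_jwt_key` — are all the literal `secrete` with no comment, and functional.yml passes this file straight into `site.yml`, so the resulting Fleet instance has a publicly known admin password and a known JWT signing key. That is acceptable for a throw-away CI node, but the file should say so, because a JWT key that is public lets anyone mint valid Fleet sessions wherever it is reused. Add `# Test-only credentials: these values are public and must never be reused for a reachable deployment.` above the four lines.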
@@ -83,3 +83,27 @@
vars:
osa_test_repo: "openstack/openstack-ansible-ops"
test_clustered_elk: true
+
+- job:
+ name: "openstack-ansible-ops:osquery-ubuntu-xenial"
+ parent: base
+ description: "Runs a gate test on the osquery project."
+ run: "osquery/tests/test.yml"
+ post-run: "osquery/tests/post-run.yml"
+ voting: true
+ files:
+ - ^osquery/.*
+
+- job:
+ name: "openstack-ansible-ops:osquery-ubuntu-bionic"
+ parent: "openstack-ansible-ops:osquery-ubuntu-xenial"
+ nodeset: ubuntu-bionic
+
+- job:
+ name: "openstack-ansible-ops:osquery-ubuntu-bionic-clustered"
+ parent: "openstack-ansible-ops:osquery-ubuntu-xenial"
+ nodeset: ubuntu-bionic
+ voting: true
+ vars:
+ osa_test_repo: "openstack/openstack-ansible-ops"
+ test_clustered_kolide: true
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index cc36a658..41d5e342 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -29,6 +29,9 @@
- openstack-ansible-ops:elk_metrics_6x-ubuntu-bionic
- openstack-ansible-ops:elk_metrics_6x-ubuntu-xenial-clustered
- openstack-ansible-ops:elk_metrics_6x-ubuntu-bionic-clustered
+ - openstack-ansible-ops:osquery-ubuntu-xenial
+ - openstack-ansible-ops:osquery-ubuntu-bionic
gate:
jobs:
- - openstack-ansible-ops:elk_metrics_6x-ubuntu-xenial
+ - openstack-ansible-ops:elk_metrics_6x-ubuntu-bionic
+ - openstack-ansible-ops:osquery-ubuntu-bionic
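Review bot: `openstack-ansible-ops:osquery-ubuntu-bionic-clustered` is declared `voting: true`, but the `project.yaml` hunk in this same diff adds only the xenial and bionic jobs to `check`, so as far as this change shows the clustered variant — the only one that sets `test_clustered_kolide: true` and therefore exercises the container inventory and `_container-setup.yml` — is never scheduled. Either list it under `check` with the other two or drop the definition until it is wired up. The `files: ^osquery/.*` filter is also worth a second look: if `osquery/bootstrap-embedded-ansible.sh`, which run-tests.sh executes, is a link to a script outside `osquery/`, edits to that script will not trigger these jobs, and `files` should include its directory too.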