From 1ca290c7660ac4168f75cb2f1395b3c1986d9c6e Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 2 Apr 2020 08:28:22 -0400 Subject: [PATCH] osquery updates and fixes --- .../Fleet/Endpoints/MacOS/osquery.yaml | 52 +++-- .../Fleet/Endpoints/Windows/osquery.yaml | 33 +++- .../palantir/Fleet/Endpoints/options.yaml | 13 +- .../Endpoints/packs/performance-metrics.yaml | 4 +- .../packs/security-tooling-checks.yaml | 4 +- .../packs/windows-application-security.yaml | 3 +- .../Endpoints/packs/windows-compliance.yaml | 3 +- .../packs/windows-registry-monitoring.yaml | 3 +- .../palantir/Fleet/Servers/Linux/osquery.yaml | 186 ++++++++---------- .../packs/palantir/Fleet/Servers/options.yaml | 1 + salt/fleet/files/packs/palantir/README.md | 38 ++-- salt/fleet/files/scripts/so-fleet-setup | 9 +- 12 files changed, 189 insertions(+), 160 deletions(-) diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml index f6e32d0d5..4f1aa0348 100644 --- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml +++ b/salt/fleet/files/packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml @@ -239,9 +239,10 @@ spec: query: chrome_extensions - description: Disk encryption status and information. interval: 3600 - name: disk_encryption + name: disk_encryption_snapshot platform: darwin - query: disk_encryption + query: disk_encryption_snapshot + snapshot: true - description: Local system users. interval: 28800 name: users_snapshot @@ -282,6 +283,12 @@ spec: name: sip_config platform: darwin query: sip_config + - description: Shows information about the wifi network that a host is currently connected to. + interval: 28800 + name: wifi_status_snapshot + platform: darwin + query: wifi_status_snapshot + snapshot: true - description: Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted. interval: 3600 
@@ -290,7 +297,8 @@ spec: query: user_ssh_keys removed: false targets: - labels: null + labels: + - macOS --- apiVersion: v1 kind: query @@ -365,13 +373,10 @@ spec: description: Returns information about installed event taps. Can be used to detect keyloggers name: event_taps - query: SELECT * FROM event_taps INNER JOIN processes ON event_taps.tapping_process - = processes.pid WHERE event_tapped NOT LIKE '%mouse%' AND processes.path NOT LIKE - '%.app%' AND processes.path!='/Library/Application Support/org.pqrs/Karabiner-Elements/bin/karabiner_grabber' - AND processes.path NOT LIKE '/Users/%/bin/kwm' AND processes.path!='/Library/Rapport/bin/rooksd' - AND processes.path!='/usr/sbin/universalaccessd' AND processes.path NOT LIKE '/usr/local/Cellar/%' - AND processes.path NOT LIKE '/System/Library/%' AND processes.path NOT LIKE '%/steamapps/%' - AND event_taps.enabled=1; + query: SELECT * FROM event_taps INNER JOIN processes ON event_taps.tapping_process = processes.pid + WHERE event_tapped NOT LIKE '%mouse%' AND processes.path NOT IN ('/usr/libexec/airportd', + '/usr/sbin/universalaccessd') AND processes.path NOT LIKE '/System/Library/%' AND processes.path + NOT LIKE '%/steamapps/%' AND processes.path NOT LIKE '%.app%' AND event_taps.enabled=1; --- apiVersion: v1 kind: query @@ -455,6 +460,13 @@ spec: --- apiVersion: v1 kind: query +spec: + description: Shows information about the wifi network that a host is currently connected to. + name: wifi_status_snapshot + query: SELECT * FROM wifi_status; +--- +apiVersion: v1 +kind: query spec: description: Snapshot query for macosx_kextstat name: macosx_kextstat_snapshot @@ -479,7 +491,7 @@ kind: query spec: description: Safari browser extension details for all users. name: safari_extensions - query: SELECT * FROM users JOIN safari_extensions USING (uid); + query: SELECT * FROM users CROSS JOIN safari_extensions USING (uid); --- apiVersion: v1 kind: query 
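Review bot: The rewritten event_taps filter still ends with `processes.path NOT LIKE '%.app%'`, which matches the substring `.app` anywhere in a path rather than an application bundle, so the exclusion is wider than the query description implies; anchoring it as `'%.app/%'` keeps the bundle exclusion while narrowing the blind spot. `SELECT *` over the event_taps/processes join also emits every column of both tables, so a column list would keep the logged shape stable across osquery upgrades. The description's `Can be used to detect keyloggers` sentence is a good place to state which of the remaining path exclusions are deliberate, since the old per-tool list has been collapsed into two entries.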
@@ -500,7 +512,7 @@ kind: query spec: description: List authorized_keys for each user on the system name: authorized_keys - query: SELECT * FROM users JOIN authorized_keys USING (uid); + query: SELECT * FROM users CROSS JOIN authorized_keys USING (uid); --- apiVersion: v1 kind: query @@ -508,7 +520,7 @@ spec: description: Application, System, and Mobile App crash logs. name: crashes query: SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path - FROM users JOIN crashes USING (uid); + FROM users CROSS JOIN crashes USING (uid); --- apiVersion: v1 kind: query @@ -516,7 +528,7 @@ spec: description: Displays the percentage of free space available on the primary disk partition name: disk_free_space_pct - query: SELECT (blocks_available * 100 / blocks) AS pct FROM mounts WHERE device='/dev/disk1'; + query: SELECT (blocks_available * 100 / blocks) AS pct FROM mounts WHERE device='/dev/disk1s1'; --- apiVersion: v1 kind: query @@ -553,7 +565,7 @@ kind: query spec: description: Snapshot query for Chrome extensions name: chrome_extensions_snapshot - query: SELECT * FROM users JOIN chrome_extensions USING (uid); + query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid); --- apiVersion: v1 kind: query @@ -589,14 +601,14 @@ kind: query spec: description: All C/NPAPI browser plugin details for all users. name: browser_plugins - query: SELECT * FROM users JOIN browser_plugins USING (uid); + query: SELECT * FROM users CROSS JOIN browser_plugins USING (uid); --- apiVersion: v1 kind: query spec: description: List installed Firefox addons for all users name: firefox_addons - query: SELECT * FROM users JOIN firefox_addons USING (uid); + query: SELECT * FROM users CROSS JOIN firefox_addons USING (uid); --- apiVersion: v1 kind: query 
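Review bot: `WHERE device='/dev/disk1s1'` in disk_free_space_pct pins the check to one device node, and the volume backing `/` is not the same node on every macOS host (APFS container layouts differ between OS releases and machines), in which case the query returns no row at all rather than a percentage. Filtering on the mount point, `WHERE path='/'`, selects the root volume regardless of device naming and avoids revisiting this literal on the next OS release. The integer expression `blocks_available * 100 / blocks` truncates, which is fine for a health metric but deserves a word in the description.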
@@ -625,13 +637,13 @@ kind: query spec: description: List installed Chrome Extensions for all users name: chrome_extensions - query: SELECT * FROM users JOIN chrome_extensions USING (uid); + query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid); --- apiVersion: v1 kind: query spec: description: Disk encryption status and information. - name: disk_encryption + name: disk_encryption_snapshot query: SELECT * FROM disk_encryption; --- apiVersion: v1 @@ -691,4 +703,4 @@ spec: description: Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted. name: user_ssh_keys - query: SELECT * FROM users JOIN user_ssh_keys USING (uid); + query: SELECT * FROM users CROSS JOIN user_ssh_keys USING (uid); diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/Windows/osquery.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/Windows/osquery.yaml index 5e6ea4168..3aa9da280 100644 --- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/Windows/osquery.yaml +++ b/salt/fleet/files/packs/palantir/Fleet/Endpoints/Windows/osquery.yaml 
@@ -227,8 +227,35 @@ spec: platform: windows query: scheduled_tasks_snapshot snapshot: true + - description: Appcompat shims (.sdb files) installed on Windows hosts. + interval: 3600 + name: appcompat_shims + platform: windows + query: appcompat_shims + - description: Disk encryption status and information snapshot query. + interval: 28800 + name: bitlocker_info_snapshot + platform: windows + query: bitlocker_info_snapshot + snapshot: true targets: - labels: null + labels: + - MS Windows +--- +apiVersion: v1 +kind: query +spec: + description: Appcompat shims (.sdb files) installed on Windows hosts. + name: appcompat_shims + query: SELECT * FROM appcompat_shims WHERE description!='EMET_Database' AND + executable NOT IN ('setuphost.exe','setupprep.exe','iisexpress.exe'); +--- +apiVersion: v1 +kind: query +spec: + description: Disk encryption status and information snapshot query. + name: bitlocker_info_snapshot + query: SELECT * FROM bitlocker_info; --- apiVersion: v1 kind: query @@ -302,7 +329,7 @@ kind: query spec: description: Snapshot query for Chrome extensions name: chrome_extensions_snapshot - query: SELECT * FROM users JOIN chrome_extensions USING (uid); + query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid); --- apiVersion: v1 kind: query @@ -466,7 +493,7 @@ kind: query spec: description: List installed Chrome Extensions for all users name: chrome_extensions - query: SELECT * FROM users JOIN chrome_extensions USING (uid); + query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid); --- apiVersion: v1 kind: query diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/options.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/options.yaml index dd53bae81..f2bb85d8c 100644 --- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/options.yaml +++ b/salt/fleet/files/packs/palantir/Fleet/Endpoints/options.yaml 
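Review bot: The new appcompat_shims query compares `executable NOT IN ('setuphost.exe','setupprep.exe','iisexpress.exe')` under SQLite's default case-sensitive collation, so an entry recorded as `SetupHost.exe` would not be excluded; `LOWER(executable) NOT IN (...)` makes the exclusion robust to whatever case the registry stores. `description!='EMET_Database'` also silently drops any row whose description is NULL, because the comparison is UNKNOWN; whether osquery returns NULL or an empty string there is not visible from the hunk, so `COALESCE(description,'')!='EMET_Database'` is the safer form. The schedule entry for appcompat_shims has no `snapshot` key and is therefore logged differentially, which is presumably the intent for a shim inventory, but a comment saying so would help the next reader.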
@@ -3,17 +3,9 @@ kind: options
 spec:
 config:
 decorators:
- always:
+ load:
+ - SELECT uuid AS host_uuid FROM system_info;
 - SELECT hostname AS hostname FROM system_info;
- - SELECT codename FROM os_version;
- - SELECT uuid AS LiveQuery FROM system_info;
- - SELECT address AS EndpointIP1 FROM interface_addresses where address not
- like '%:%' and address not like '127%' and address not like '169%' order by
- interface desc limit 1;
- - SELECT address AS EndpointIP2 FROM interface_addresses where address not
- like '%:%' and address not like '127%' and address not like '169%' order by
- interface asc limit 1;
- - SELECT hardware_serial FROM system_info;
 file_paths:
 binaries:
 - /usr/bin/%%
@@ -29,7 +21,6 @@ spec:
 efi:
 - /System/Library/CoreServices/boot.efi
 options:
- decorations_top_level: true
 disable_distributed: false
 disable_tables: windows_events
 distributed_interval: 10
diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/performance-metrics.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/performance-metrics.yaml
index 25c6a5fbd..e8116bbb1 100644
--- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/performance-metrics.yaml
+++ b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/performance-metrics.yaml
@@ -26,7 +26,9 @@ spec:
 query: backup_tool_perf
 snapshot: true
 targets:
- labels: null
+ labels:
+ - MS Windows
+ - macOS
 ---
 apiVersion: v1
 kind: query
diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/security-tooling-checks.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/security-tooling-checks.yaml
index a65f59dd4..79172d46a 100644
--- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/security-tooling-checks.yaml
+++ b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/security-tooling-checks.yaml
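Review bot: Dropping `decorations_top_level: true` changes the shape of every result log line — `host_uuid` and `hostname` are now nested under a `decorations` object instead of appearing as top-level keys — so any downstream consumer that keyed on the old top-level fields (the filebeat state this commit also enables, for instance) has to be updated in step, and nothing in the hunk shows that. Moving the decorators from `always` to `load` also means `hostname` is evaluated once per config load rather than per query, so a hostname change is not reflected until osquery reloads its configuration; that is presumably acceptable, but it should be recorded next to the block, e.g. `# load-time decorators: host_uuid/hostname are evaluated once per config load`. The removed EndpointIP decorators were also the only place the host's address was attached to results, so if an IP is still expected downstream it now has to come from the network_interfaces queries.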
@@ -26,7 +26,9 @@ spec:
 platform: windows
 query: endpoint_security_tool_backend_server_registry_misconfigured
 targets:
- labels: null
+ labels:
+ - MS Windows
+ - macOS
 ---
 apiVersion: v1
 kind: query
diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-application-security.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-application-security.yaml
index 43c034a52..d1008e3cd 100644
--- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-application-security.yaml
+++ b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-application-security.yaml
@@ -40,7 +40,8 @@ spec:
 platform: windows
 query: uac_settings_registry
 targets:
- labels: null
+ labels:
+ - MS Windows
 ---
 apiVersion: v1
 kind: query
diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-compliance.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-compliance.yaml
index eef5f3fcc..38ff4857e 100644
--- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-compliance.yaml
+++ b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-compliance.yaml
@@ -137,7 +137,8 @@ spec:
 platform: windows
 query: send_error_alert_registry
 targets:
- labels: null
+ labels:
+ - MS Windows
 ---
 apiVersion: v1
 kind: query
diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-registry-monitoring.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-registry-monitoring.yaml
index 123ec1a6e..89f01494b 100644
--- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-registry-monitoring.yaml
+++ b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-registry-monitoring.yaml
@@ -185,7 +185,8 @@ spec:
 platform: windows
 query: send_error_alert_registry_exists
 targets:
- labels: null
+ labels:
+ - MS Windows
 ---
 apiVersion: v1
 kind: query
diff --git a/salt/fleet/files/packs/palantir/Fleet/Servers/Linux/osquery.yaml b/salt/fleet/files/packs/palantir/Fleet/Servers/Linux/osquery.yaml
index 5f98fa75b..62ae6d458 100644
--- a/salt/fleet/files/packs/palantir/Fleet/Servers/Linux/osquery.yaml
+++ b/salt/fleet/files/packs/palantir/Fleet/Servers/Linux/osquery.yaml
@@ -5,254 +5,251 @@ spec: name: LinuxPack queries: - description: Retrieves all the jobs scheduled in crontab in the target system. - interval: 0 + interval: 86400 name: crontab_snapshot platform: linux query: crontab_snapshot snapshot: true - description: Various Linux kernel integrity checked attributes. - interval: 0 + interval: 86400 name: kernel_integrity platform: linux query: kernel_integrity - description: Linux kernel modules both loaded and within the load search path. - interval: 0 + interval: 3600 name: kernel_modules platform: linux query: kernel_modules - description: Retrieves the current list of mounted drives in the target system. - interval: 0 + interval: 86400 name: mounts platform: linux query: mounts - - description: The percentage of total CPU time (system+user) consumed by osqueryd - interval: 0 - name: osquery_cpu_pct - platform: linux - query: osquery_cpu_pct - snapshot: true - description: Socket events collected from the audit framework - interval: 0 + interval: 10 name: socket_events platform: linux query: socket_events - description: Record the network interfaces and their associated IP and MAC addresses - interval: 0 + interval: 600 name: network_interfaces_snapshot platform: linux query: network_interfaces_snapshot snapshot: true - version: 1.4.5 - description: Information about the running osquery configuration - interval: 0 + interval: 86400 name: osquery_info platform: linux query: osquery_info snapshot: true - description: Display all installed RPM packages - interval: 0 + interval: 86400 name: rpm_packages platform: centos query: rpm_packages snapshot: true - description: Record shell history for all users on system (instead of just root) - interval: 0 + interval: 3600 name: shell_history platform: linux query: shell_history - description: File events collected from file integrity monitoring - interval: 0 + interval: 10 name: file_events platform: linux query: file_events removed: false - description: Retrieve the EC2 metadata 
for this endpoint - interval: 0 + interval: 3600 name: ec2_instance_metadata platform: linux query: ec2_instance_metadata - description: Retrieve the EC2 tags for this endpoint - interval: 0 + interval: 3600 name: ec2_instance_tags platform: linux query: ec2_instance_tags - description: Snapshot query to retrieve the EC2 tags for this instance - interval: 0 + interval: 86400 name: ec2_instance_tags_snapshot platform: linux query: ec2_instance_tags_snapshot snapshot: true - description: Retrieves the current filters and chains per filter in the target system. - interval: 0 + interval: 86400 name: iptables platform: linux query: iptables - description: Display any SUID binaries that are owned by root - interval: 0 + interval: 86400 name: suid_bin platform: linux query: suid_bin - description: Display all installed DEB packages - interval: 0 + interval: 86400 name: deb_packages platform: ubuntu query: deb_packages snapshot: true - description: Find shell processes that have open sockets - interval: 0 + interval: 600 name: behavioral_reverse_shell platform: linux query: behavioral_reverse_shell - description: Retrieves all the jobs scheduled in crontab in the target system. - interval: 0 + interval: 3600 name: crontab platform: linux query: crontab - - description: Records the system resources used by each query - interval: 0 - name: per_query_perf - platform: linux - query: per_query_perf - - description: Records avg rate of socket events since daemon started - interval: 0 - name: socket_rates - platform: linux - query: socket_rates - snapshot: true - description: Local system users. - interval: 0 + interval: 86400 name: users platform: linux query: users - description: Process events collected from the audit framework - interval: 0 + interval: 10 name: process_events platform: linux query: process_events - description: Retrieves the list of the latest logins with PID, username and timestamp. 
- interval: 0 + interval: 3600 name: last platform: linux query: last - description: Any processes that run with an LD_PRELOAD environment variable - interval: 0 + interval: 60 name: ld_preload platform: linux query: ld_preload - - description: Records avg rate of process events since daemon started - interval: 0 - name: process_rates - platform: linux - query: process_rates snapshot: true - description: Information about the system hardware and name - interval: 0 + interval: 86400 name: system_info platform: linux query: system_info snapshot: true - description: Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted - interval: 0 + interval: 86400 name: user_ssh_keys platform: linux query: user_ssh_keys - description: Local system users. - interval: 0 + interval: 86400 name: users_snapshot platform: linux query: users_snapshot snapshot: true - description: DNS resolvers used by the host - interval: 0 + interval: 3600 name: dns_resolvers platform: linux query: dns_resolvers - description: Retrieves information from the current kernel in the target system. - interval: 0 + interval: 86400 name: kernel_info platform: linux query: kernel_info snapshot: true - description: Linux kernel modules both loaded and within the load search path. - interval: 0 + interval: 86400 name: kernel_modules_snapshot platform: linux query: kernel_modules_snapshot snapshot: true - description: Generates an event if ld.so.preload is present - used by rootkits such as Jynx - interval: 0 + interval: 3600 name: ld_so_preload_exists platform: linux query: ld_so_preload_exists snapshot: true - description: Records system/user time, db size, and many other system metrics - interval: 0 + interval: 1800 name: runtime_perf platform: linux query: runtime_perf - description: Retrieves all the entries in the target system /etc/hosts file. 
- interval: 0 + interval: 86400 name: etc_hosts_snapshot platform: linux query: etc_hosts_snapshot snapshot: true - description: Snapshot query to retrieve the EC2 metadata for this endpoint - interval: 0 + interval: 86400 name: ec2_instance_metadata_snapshot platform: linux query: ec2_instance_metadata_snapshot snapshot: true - description: "" - interval: 0 + interval: 10 name: hardware_events platform: linux query: hardware_events removed: false - description: Information about memory usage on the system - interval: 0 + interval: 3600 name: memory_info platform: linux query: memory_info - description: Displays information from /proc/stat file about the time the CPU cores spent in different parts of the system - interval: 0 + interval: 3600 name: cpu_time platform: linux query: cpu_time - description: Retrieves all the entries in the target system /etc/hosts file. - interval: 0 + interval: 3600 name: etc_hosts platform: linux query: etc_hosts - description: Retrieves information from the Operating System where osquery is currently running. - interval: 0 + interval: 86400 name: os_version platform: linux query: os_version snapshot: true - description: A snapshot of all processes running on the host. Useful for outlier analysis. - interval: 0 + interval: 86400 name: processes_snapshot platform: linux query: processes_snapshot snapshot: true - description: Retrieves the current list of USB devices in the target system. - interval: 0 + interval: 120 name: usb_devices platform: linux query: usb_devices - description: A line-delimited authorized_keys table. - interval: 0 + interval: 86400 name: authorized_keys platform: linux query: authorized_keys + - description: Display apt package manager sources. + interval: 86400 + name: apt_sources + platform: ubuntu + query: apt_sources + snapshot: true + - description: Gather information about processes that are listening on a socket. 
+ interval: 86400 + name: listening_ports + platform: linux + query: listening_ports + snapshot: true + - description: Display yum package manager sources. + interval: 86400 + name: yum_sources + platform: centos + query: yum_sources + snapshot: true targets: - labels: null + labels: + - Ubuntu Linux + - CentOS Linux --- apiVersion: v1 kind: query @@ -284,15 +281,6 @@ spec: --- apiVersion: v1 kind: query -spec: - description: The percentage of total CPU time (system+user) consumed by osqueryd - name: osquery_cpu_pct - query: SELECT ((osqueryd_time*100)/(SUM(system_time) + SUM(user_time))) AS pct FROM - processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time)) AS osqueryd_time - FROM processes WHERE name='osqueryd'); ---- -apiVersion: v1 -kind: query spec: description: Socket events collected from the audit framework name: socket_events @@ -329,7 +317,7 @@ kind: query spec: description: Record shell history for all users on system (instead of just root) name: shell_history - query: SELECT * FROM users JOIN shell_history USING (uid); + query: SELECT * FROM users CROSS JOIN shell_history USING (uid); --- apiVersion: v1 kind: query @@ -403,23 +391,6 @@ spec: --- apiVersion: v1 kind: query -spec: - description: Records the system resources used by each query - name: per_query_perf - query: SELECT name, interval, executions, output_size, wall_time, (user_time/executions) - AS avg_user_time, (system_time/executions) AS avg_system_time, average_memory - FROM osquery_schedule; ---- -apiVersion: v1 -kind: query -spec: - description: Records avg rate of socket events since daemon started - name: socket_rates - query: SELECT COUNT(1) AS num, count(1)/s AS rate FROM socket_events, (SELECT (julianday('now') - - 2440587.5)*86400.0 - start_time AS s FROM osquery_info LIMIT 1); ---- -apiVersion: v1 -kind: query spec: description: Local system users. name: users 
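Review bot: Removing the process_rates entry leaves its trailing `snapshot: true` as an unchanged context line, so that key now belongs to the preceding ld_preload entry, which had no `snapshot` key before; ld_preload silently changes from a differential query into a full snapshot every 60 seconds, altering both its log semantics and its volume. The socket_rates removal earlier in the same hunk correctly took its own `- snapshot: true` with it, so this looks unintentional — drop the line, or, if a periodic snapshot of LD_PRELOAD processes is really wanted, say so in that entry's description. The `hardware_events` entry keeps `description: ""` while every other entry is documented; a one-line description such as `Hardware attach/detach events collected from the audit framework` would be worth adding while the intervals are being revisited, hedged to whatever the underlying subscriber actually emits.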
@@ -454,14 +425,6 @@ spec: --- apiVersion: v1 kind: query -spec: - description: Records avg rate of process events since daemon started - name: process_rates - query: SELECT COUNT(1) AS num, count(1)/s AS rate FROM process_events, (SELECT (julianday('now') - - 2440587.5)*86400.0 - start_time AS s FROM osquery_info LIMIT 1); ---- -apiVersion: v1 -kind: query spec: description: Information about the system hardware and name name: system_info @@ -473,7 +436,7 @@ spec: description: Returns the private keys in the users ~/.ssh directory and whether or not they are encrypted name: user_ssh_keys - query: SELECT * FROM users JOIN user_ssh_keys USING (uid); + query: SELECT * FROM users CROSS JOIN user_ssh_keys USING (uid); --- apiVersion: v1 kind: query @@ -593,4 +556,25 @@ kind: query spec: description: A line-delimited authorized_keys table. name: authorized_keys - query: SELECT * FROM users JOIN authorized_keys USING (uid); + query: SELECT * FROM users CROSS JOIN authorized_keys USING (uid); +--- +apiVersion: v1 +kind: query +spec: + description: Display apt package manager sources. + name: apt_sources + query: SELECT * FROM apt_sources; +--- +apiVersion: v1 +kind: query +spec: + description: Gather information about processes that are listening on a socket. + name: listening_ports + query: SELECT pid, port, processes.path, cmdline, cwd FROM listening_ports JOIN processes USING (pid) WHERE port!=0; +--- +apiVersion: v1 +kind: query +spec: + description: Display yum package manager sources. + name: yum_sources + query: SELECT name, baseurl, enabled, gpgcheck FROM yum_sources; diff --git a/salt/fleet/files/packs/palantir/Fleet/Servers/options.yaml b/salt/fleet/files/packs/palantir/Fleet/Servers/options.yaml index d1733f5b6..2329f085f 100644 --- a/salt/fleet/files/packs/palantir/Fleet/Servers/options.yaml +++ b/salt/fleet/files/packs/palantir/Fleet/Servers/options.yaml 
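Review bot: The new listening_ports query selects `pid, port, processes.path, cmdline, cwd` but leaves out the socket's `protocol` and bound `address`, which are what distinguishes a service bound to localhost from one exposed on every interface; without them the daily snapshot cannot tell the two apart. osquery's listening_ports table exposes both, so `SELECT pid, port, protocol, address, processes.path, cmdline, cwd` is the minimal change. The join is also written `JOIN processes USING (pid)` while every other query touched by this commit moves to `CROSS JOIN`, so aligning it keeps the file consistent.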
@@ -17,6 +17,7 @@ spec:
 configuration:
 - /etc/passwd
 - /etc/shadow
+ - /etc/ld.so.preload
 - /etc/ld.so.conf
 - /etc/ld.so.conf.d/%%
 - /etc/pam.d/%%
diff --git a/salt/fleet/files/packs/palantir/README.md b/salt/fleet/files/packs/palantir/README.md
index cade6dde4..a7ea61a37 100755
--- a/salt/fleet/files/packs/palantir/README.md
+++ b/salt/fleet/files/packs/palantir/README.md
@@ -10,11 +10,11 @@ exactly what we have done with our [unwanted-chrome-extensions](https://github.c However, we have included additional query packs that are more tailored to our specific environment that may be useful to some or at least serve as a reference to other organizations. osquery operates best when operators have carefully considered the datasets to be collected and the potential use-cases for that data. -* [performance-metrics.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/performance-metrics.conf) -* [security-tooling-checks.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/security-tooling-checks.conf) -* [windows-application-security.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/windows-application-security.conf) -* [windows-compliance.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/windows-compliance.conf) -* [windows-registry-monitoring.conf](https://github.com/palantir/osquery-configuration/blob/master/Endpoints/packs/windows-registry-monitoring.conf) +* [performance-metrics.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/performance-metrics.conf) +* [security-tooling-checks.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/security-tooling-checks.conf) +* [windows-application-security.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/windows-application-security.conf) +* [windows-compliance.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/windows-compliance.conf) +* [windows-registry-monitoring.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/windows-registry-monitoring.conf) **Note**: We also utilize packs that are maintained in the official osquery project. 
In order to ensure you receive the most up to date version of the pack, please view them using the links below: 
@@ -41,15 +41,15 @@ environment. **Endpoints Configuration Overview** * The configurations in this folder are meant for MacOS and Windows and the interval timings assume that these hosts are only online for ~8 hours per day * The flags included in this configuration enable TLS client mode in osquery and assume it will be connected to a TLS server. We have also included non-TLS flagfiles for local testing. -* File integrity monitoring on MacOS is enabled for specific files and directories defined in [osquery.conf](./Endpoints/MacOS/osquery.conf) -* Events are disabled on Windows via the `--disable_events` flag in [osquery.flags](./Endpoints/Windows/osquery.flags). We use [Windows Event Forwarding](https://github.com/palantir/windows-event-forwarding) and don't have a need for osquery to process Windows event logs. -* These configuration files utilize packs within the [packs](./Endpoints/packs) folder and may generate errors if started without them +* File integrity monitoring on MacOS is enabled for specific files and directories defined in [osquery.conf](./Classic/Endpoints/MacOS/osquery.conf) +* Events are disabled on Windows via the `--disable_events` flag in [osquery.flags](./Classic/Endpoints/Windows/osquery.flags). We use [Windows Event Forwarding](https://github.com/palantir/windows-event-forwarding) and don't have a need for osquery to process Windows event logs. +* These configuration files utilize packs within the [packs](./Classic/Endpoints/packs) folder and may generate errors if started without them **Servers Configuration Overview** * This configuration assumes the destination operating system is Linux-based and that the hosts are online at all times * Auditing mode is enabled for processes and network events. Ensure auditd is disabled or removed from the system where this will be running as it may conflict with osqueryd. 
-* File integrity monitoring is enabled for specific files and directories defined in [osquery.conf](./Servers/Linux/osquery.conf) -* Requires the [ossec-rootkit.conf](./Servers/Linux/packs/ossec-rootkit.conf) pack found to be located at `/etc/osquery/packs/ossec-rootkit.conf` +* File integrity monitoring is enabled for specific files and directories defined in [osquery.conf](./Classic/Servers/Linux/osquery.conf) +* Requires the [ossec-rootkit.conf](./Classic/Servers/Linux/packs/ossec-rootkit.conf) pack found to be located at `/etc/osquery/packs/ossec-rootkit.conf` * The subscriber for `user_events` is disabled ## Quickstart - Classic @@ -59,10 +59,10 @@ environment. 4. Logs are located in `/var/log/osquery` (Linux/MacOS) and `c:\ProgramData\osquery\logs` (Windows) ## Quickstart - Fleet -1. Install Fleet version 2.0.0 or higher -2. [Enroll hosts to your Fleet server](https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md) by configuring the appropriate [flags](https://github.com/kolide/fleet/blob/master/tools/osquery/example_osquery.flags) -2. [Configure the fleetctl utility](https://github.com/kolide/fleet/blob/master/docs/cli/setup-guide.md#fleetctl-setup) to communicate with your Fleet server -3. Assuming you'd like to use the endpoint configs, you can use the commands below to apply them: +Install Fleet version 2.0.0 or higher +2. [Enroll hosts to your Fleet server](https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md) by configuring the appropriate [flags] +3. [Configure the fleetctl utility](https://github.com/kolide/fleet/blob/master/docs/cli/setup-guide.md#fleetctl-setup) to communicate with your Fleet server +4. Assuming you'd like to use the endpoint configs, you can use the commands below to apply them: ``` git clone https://github.com/palantir/osquery-configuration.git 
@@ -79,7 +79,7 @@ The desired osquery directory structure for Linux, MacOS, and Windows is outline **Linux** ``` $ git clone https://github.com/palantir/osquery-configuration.git -$ cp -R osquery-configuration/Servers/Linux/* /etc/osquery +$ cp -R osquery-configuration/Fleet/Servers/Linux/* /etc/osquery $ sudo osqueryctl start /etc/osquery @@ -93,8 +93,8 @@ $ sudo osqueryctl start **MacOS** ``` $ git clone https://github.com/palantir/osquery-configuration.git -$ cp osquery-configuration/Endpoints/MacOS/* /var/osquery -$ cp osquery-configuration/Endpoints/packs/* /var/osquery/packs +$ cp osquery-configuration/Fleet/Endpoints/MacOS/* /var/osquery +$ cp osquery-configuration/Fleet/Endpoints/packs/* /var/osquery/packs $ mv /var/osquery/osquery_no_tls.flags /var/osquery/osquery.flags ## Non-TLS server testing $ sudo osqueryctl start @@ -113,8 +113,8 @@ $ sudo osqueryctl start **Windows** ``` PS> git clone https://github.com/palantir/osquery-configuration.git -PS> copy-item osquery-configuration/Endpoints/Windows/* c:\ProgramData\osquery -PS> copy-item osquery-configuration/Endpoints/packs/* c:\ProgramData\osquery\packs +PS> copy-item osquery-configuration/Fleet/Endpoints/Windows/* c:\ProgramData\osquery +PS> copy-item osquery-configuration/Fleet/Endpoints/packs/* c:\ProgramData\osquery\packs PS> copy-item c:\ProgramData\osquery\osquery_no_tls.flags c:\ProgramData\osquery\osquery.flags -force ## Non-TLS server testing PS> start-service osqueryd diff --git a/salt/fleet/files/scripts/so-fleet-setup b/salt/fleet/files/scripts/so-fleet-setup index 5bab20922..5d7895f99 100644 --- a/salt/fleet/files/scripts/so-fleet-setup +++ b/salt/fleet/files/scripts/so-fleet-setup 
@@ -4,6 +4,12 @@ #so-fleet-setup.sh $FleetEmail +# Enable Fleet +echo "Starting Docker Containers..." +salt-call state.apply mysql queue=True >> /root/fleet-setup.log +salt-call state.apply fleet queue=True >> /root/fleet-setup.log +salt-call state.apply redis queue=True >> /root/fleet-setup.log + if [ ! "$(docker ps -q -f name=so-fleet)" ]; then echo "so-fleet container not running... Exiting..." exit 1 @@ -15,11 +21,11 @@ docker exec so-fleet /bin/ash -c "echo {{ MAIN_IP }} {{ MAIN_HOSTNAME }} >> /et docker exec so-fleet fleetctl config set --address https://{{ MAIN_HOSTNAME }}:443 --tls-skip-verify --url-prefix /fleet docker exec so-fleet fleetctl setup --email $1 --password $initpw -docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done' +docker exec so-fleet fleetctl apply -f /packs/hh/osquery.conf # Enable Fleet @@ -34,6 +40,7 @@ sleep 120 echo "Installing launcher via salt..." salt-call state.apply fleet.install_package queue=True >> /root/fleet-setup.log +salt-call state.apply filebeat queue=True >> /root/fleet-setup.log echo "Fleet Setup Complete - Login here: https://{{ MAIN_HOSTNAME }}" echo "Your username is $2 and your password is $initpw"
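Review bot: The line applying `/packs/palantir/Fleet/Endpoints/options.yaml` is removed, yet this same commit edits that file (load decorators, `decorations_top_level` dropped), so nothing visible here pushes the new options to Fleet; if another state now applies it, a comment naming it would help, otherwise the apply should stay. The new `salt-call state.apply` lines redirect their output to /root/fleet-setup.log but ignore the exit status, leaving the `docker ps` check that follows as the only signal that the fleet state failed; `|| { echo "salt state failed, see /root/fleet-setup.log"; exit 1; }` on each line fails fast with a pointer to the log. The added `fleetctl apply -f /packs/hh/osquery.conf` hands a `.conf` file to a command that elsewhere in this script only consumes YAML spec files, so it is worth confirming that file is in fleetctl's apiVersion/kind format rather than a raw osquery config. The second `# Enable Fleet` comment after the apply block is now a duplicate of the heading added at the top of the script.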