adding osquery file set

2023-04-24 17:07:07 +02:00 · 2023-04-24 17:07:07 +02:00 · 25e1aa4d73
commit 25e1aa4d73
parent f8ba3d56e5
6 changed files with 166 additions and 0 deletions
--- a/osquery/Readme.txt
+++ b/osquery/Readme.txt
@ -0,0 +1,9 @@
+This is a lab file set to make osquery do the following
+
+
+* detect hidden files and processes
+* report new cron jobs
+* ... cover parts of ATT&CK matrix, that make sense for the lab
+  * detection engineering
+* log the results as JSON
+* Logrotate management
--- a/osquery/configure_osquery.yaml
+++ b/osquery/configure_osquery.yaml
@ -0,0 +1,62 @@
+---
+- name: Configure osquery on the local system
+  hosts: localhost
+  connection: local
+  become: yes
+  tasks:
+    - name: Install osquery
+      apt:
+        name: osquery
+        state: present
+        update_cache: yes
+
+    - name: Create osquery user
+      user:
+        name: osquery
+        system: yes
+        create_home: no
+        state: present
+
+    - name: Copy osquery.flags file
+      copy:
+        src: osquery.flags
+        dest: /etc/osquery/osquery.flags
+        owner: root
+        group: root
+        mode: 0644
+
+    - name: Copy osquery.conf file
+      copy:
+        src: osquery.conf
+        dest: /etc/osquery/osquery.conf
+        owner: root
+        group: root
+        mode: 0644
+
+    - name: Create log directory
+      file:
+        path: /var/log/osquery
+        state: directory
+        owner: osquery
+        group: osquery
+        mode: 0750
+
+    - name: Set up logrotate
+      copy:
+        content: |
+          /var/log/osquery/osqueryd.{INFO,ERROR,WARNING}* /var/log/osquery/osqueryd.results.log {
+            daily
+            rotate 3
+            compress
+            missingok
+            notifempty
+            create 0640 osquery osquery
+            postrotate
+                systemctl restart osqueryd > /dev/null 2>&1 || true
+            endscript
+          }
+        dest: /etc/logrotate.d/osquery
+        owner: root
+        group: root
+        mode: 0644
+
--- a/osquery/install_osquery.yaml
+++ b/osquery/install_osquery.yaml
@ -0,0 +1,28 @@
+---
+- name: Install osquery on Ubuntu 20.04 LTS
+  hosts: localhost
+  become: yes
+  gather_facts: no
+  tasks:
+    - name: Ensure /etc/apt/keyrings directory exists
+      ansible.builtin.file:
+        path: /etc/apt/keyrings
+        state: directory
+
+    - name: Download osquery public key
+      ansible.builtin.get_url:
+        url: https://pkg.osquery.io/deb/pubkey.gpg
+        dest: /etc/apt/keyrings/osquery.asc
+        mode: '0644'
+
+    - name: Add osquery repository
+      ansible.builtin.apt_repository:
+        repo: 'deb [arch=amd64 signed-by=/etc/apt/keyrings/osquery.asc] https://pkg.osquery.io/deb deb main'
+        state: present
+
+    - name: Install osquery
+      ansible.builtin.apt:
+        name: osquery
+        state: present
+        update_cache: yes
+
--- a/osquery/osquery.conf
+++ b/osquery/osquery.conf
@ -0,0 +1,55 @@
+{
+  "options": {
+    "disable_events": "false",
+    "utc": "true",
+    "logger_mode": "0640",
+    "logger_format": "json"
+  },
+  "schedule": {
+    "scheduled_task_persistence": {
+      "query": "SELECT path, name, action, enabled, hidden FROM scheduled_tasks;",
+      "interval": 3600
+    },
+    "startup_items": {
+      "query": "SELECT name, path, status, source FROM startup_items;",
+      "interval": 3600
+    },
+    "services_persistence": {
+      "query": "SELECT name, display_name, path, start_type, status FROM services WHERE start_type IN ('AUTO_START', 'DEMAND_START');",
+      "interval": 3600
+    },
+    "system_cron_jobs": {
+      "query": "SELECT command, path, interval, time FROM crontab;",
+      "interval": 3600
+    },
+    "user_cron_jobs": {
+      "query": "SELECT username, command, path, interval, time FROM crontab WHERE username != 'root';",
+      "interval": 3600
+    },
+    "logon_scripts": {
+      "query": "SELECT script_path, username FROM logon_scripts;",
+      "interval": 3600
+    },
+    "setuid_files": {
+      "query": "SELECT path, uid, gid, mode, size, atime, mtime, ctime FROM file WHERE (mode & '04000') = '04000';",
+      "interval": 3600
+    },
+    "setgid_files": {
+      "query": "SELECT path, uid, gid, mode, size, atime, mtime, ctime FROM file WHERE (mode & '02000') = '02000';",
+      "interval": 3600
+    },
+    "privilege_escalation_processes": {
+      "query": "SELECT pid, name, path, cmdline, uid, gid, euid, egid, suid, sgid, cwd, start_time FROM processes WHERE (uid != euid OR gid != egid);",
+      "interval": 300
+    }
+  },
+  "decorators": {
+    "load": [
+      "SELECT uuid AS host_uuid FROM system_info;",
+      "SELECT hostname FROM system_info;",
+      "SELECT user AS username FROM logged_in_users WHERE user NOT IN ('_mbsetupuser', 'root') ORDER BY time DESC LIMIT 1;"
+    ]
+  },
+  "packs": {}
+}
+
--- a/osquery/osquery.flags
+++ b/osquery/osquery.flags
@ -0,0 +1,2 @@
+--config_path=/etc/osquery/osquery.conf
+--logger_path=/var/log/osquery
--- a/osquery/run.sh
+++ b/osquery/run.sh
@ -0,0 +1,10 @@
+#!/bin/bash
+
+if [ $# -ne 1 ]; then
+  echo "Usage: $0 <playbook_file>"
+  exit 1
+fi
+
+playbook_file=$1
+
+ansible-playbook $playbook_file --ask-become-pass