From 25e1aa4d733caafcb1979064c40ff6033d9010b6 Mon Sep 17 00:00:00 2001
From: marius
Date: Mon, 24 Apr 2023 17:07:07 +0200
Subject: [PATCH] adding osquery file set
---
 osquery/Readme.txt | 9 +++++
 osquery/configure_osquery.yaml | 62 ++++++++++++++++++++++++++++++++++
 osquery/install_osquery.yaml | 28 +++++++++++++++
 osquery/osquery.conf | 55 ++++++++++++++++++++++++++++++
 osquery/osquery.flags | 2 ++
 osquery/run.sh | 10 ++++++
 6 files changed, 166 insertions(+)
 create mode 100644 osquery/Readme.txt
 create mode 100644 osquery/configure_osquery.yaml
 create mode 100644 osquery/install_osquery.yaml
 create mode 100644 osquery/osquery.conf
 create mode 100644 osquery/osquery.flags
 create mode 100755 osquery/run.sh
diff --git a/osquery/Readme.txt b/osquery/Readme.txt
new file mode 100644
index 0000000..acdf4d0
--- /dev/null
+++ b/osquery/Readme.txt
@@ -0,0 +1,9 @@
+This is a lab file set to make osquery do the following
+
+
+* detect hidden files and processes
+* report new cron jobs
+* ... cover parts of ATT&CK matrix, that make sense for the lab
+ * detection engineering
+* log the results as JSON
+* Logrotate management
diff --git a/osquery/configure_osquery.yaml b/osquery/configure_osquery.yaml
new file mode 100644
index 0000000..2a569ec
--- /dev/null
+++ b/osquery/configure_osquery.yaml
@@ -0,0 +1,62 @@
+---
+- name: Configure osquery on the local system
+ hosts: localhost
+ connection: local
+ become: yes
+ tasks:
+ - name: Install osquery
+ apt:
+ name: osquery
+ state: present
+ update_cache: yes
+
+ - name: Create osquery user
+ user:
+ name: osquery
+ system: yes
+ create_home: no
+ state: present
+
+ - name: Copy osquery.flags file
+ copy:
+ src: osquery.flags
+ dest: /etc/osquery/osquery.flags
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: Copy osquery.conf file
+ copy:
+ src: osquery.conf
+ dest: /etc/osquery/osquery.conf
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: Create log directory
+ file:
+ path: /var/log/osquery
+ state: directory
+ owner: osquery
+ group: osquery
+ mode: 0750
+
+ - name: Set up logrotate
+ copy:
+ content: |
+ /var/log/osquery/osqueryd.{INFO,ERROR,WARNING}* /var/log/osquery/osqueryd.results.log {
+ daily
+ rotate 3
+ compress
+ missingok
+ notifempty
+ create 0640 osquery osquery
+ postrotate
+ systemctl restart osqueryd > /dev/null 2>&1 || true
+ endscript
+ }
+ dest: /etc/logrotate.d/osquery
+ owner: root
+ group: root
+ mode: 0644
+
diff --git a/osquery/install_osquery.yaml b/osquery/install_osquery.yaml
new file mode 100644
index 0000000..5072bf3
--- /dev/null
+++ b/osquery/install_osquery.yaml
@@ -0,0 +1,28 @@
+---
+- name: Install osquery on Ubuntu 20.04 LTS
+ hosts: localhost
+ become: yes
+ gather_facts: no
+ tasks:
+ - name: Ensure /etc/apt/keyrings directory exists
+ ansible.builtin.file:
+ path: /etc/apt/keyrings
+ state: directory
+
+ - name: Download osquery public key
+ ansible.builtin.get_url:
+ url: https://pkg.osquery.io/deb/pubkey.gpg
+ dest: /etc/apt/keyrings/osquery.asc
+ mode: '0644'
+
+ - name: Add osquery repository
+ ansible.builtin.apt_repository:
+ repo: 'deb [arch=amd64 signed-by=/etc/apt/keyrings/osquery.asc] https://pkg.osquery.io/deb deb main'
+ state: present
+
+ - name: Install osquery
+ ansible.builtin.apt:
+ name: osquery
+ state: present
+ update_cache: yes
+
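Review bot: The play copies osquery.flags and osquery.conf into /etc/osquery but never ensures the osqueryd service is enabled and running, and neither copy task notifies a handler, so a changed config is not picked up until something else restarts the daemon; add a `systemd` task for `osqueryd` (`enabled: yes`, `state: started`) and a `notify: Restart osqueryd` on both copy tasks (draft below). Secondary, the `mode: 0644` / `mode: 0750` values are bare YAML octals while install_osquery.yaml in the same commit quotes them (`mode: '0644'`); quoting everywhere avoids the YAML 1.1 octal ambiguity Ansible warns about. The `osquery` user created here is presumably meant to own the log directory, but nothing in this hunk makes the packaged osqueryd run as that account, so the 0750 directory and the logrotate `create 0640 osquery osquery` should be checked against the uid the service actually runs under.
```yaml
    - name: Copy osquery.conf file
      copy:
        src: osquery.conf
        dest: /etc/osquery/osquery.conf
        owner: root
        group: root
        mode: '0644'
      notify: Restart osqueryd

    # … unchanged: log directory and logrotate tasks …

    - name: Ensure osqueryd is enabled and running
      ansible.builtin.systemd:
        name: osqueryd
        enabled: yes
        state: started

  handlers:
    - name: Restart osqueryd
      ansible.builtin.systemd:
        name: osqueryd
        state: restarted
```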
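Review bot: The repository signing key is fetched by `get_url` with no `checksum`, yet that key is the trust anchor for the `signed-by` repository added in the next task and for every later `apt` install of osquery, so a substituted key at download time would be trusted silently. Pin it with `checksum: sha256:<EXPECTED-KEY-DIGEST>` (placeholder: take the digest from a key obtained out of band and record its provenance next to the task), which also turns a changed key into a failed play rather than a quietly re-trusted one. Less important, the `/etc/apt/keyrings` directory task sets no `mode`, so the resulting permissions depend on the controlling shell's umask; `mode: '0755'` makes them deterministic.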
diff --git a/osquery/osquery.conf b/osquery/osquery.conf
new file mode 100644
index 0000000..4ef99cf
--- /dev/null
+++ b/osquery/osquery.conf
@@ -0,0 +1,55 @@
+{
+ "options": {
+ "disable_events": "false",
+ "utc": "true",
+ "logger_mode": "0640",
+ "logger_format": "json"
+ },
+ "schedule": {
+ "scheduled_task_persistence": {
+ "query": "SELECT path, name, action, enabled, hidden FROM scheduled_tasks;",
+ "interval": 3600
+ },
+ "startup_items": {
+ "query": "SELECT name, path, status, source FROM startup_items;",
+ "interval": 3600
+ },
+ "services_persistence": {
+ "query": "SELECT name, display_name, path, start_type, status FROM services WHERE start_type IN ('AUTO_START', 'DEMAND_START');",
+ "interval": 3600
+ },
+ "system_cron_jobs": {
+ "query": "SELECT command, path, interval, time FROM crontab;",
+ "interval": 3600
+ },
+ "user_cron_jobs": {
+ "query": "SELECT username, command, path, interval, time FROM crontab WHERE username != 'root';",
+ "interval": 3600
+ },
+ "logon_scripts": {
+ "query": "SELECT script_path, username FROM logon_scripts;",
+ "interval": 3600
+ },
+ "setuid_files": {
+ "query": "SELECT path, uid, gid, mode, size, atime, mtime, ctime FROM file WHERE (mode & '04000') = '04000';",
+ "interval": 3600
+ },
+ "setgid_files": {
+ "query": "SELECT path, uid, gid, mode, size, atime, mtime, ctime FROM file WHERE (mode & '02000') = '02000';",
+ "interval": 3600
+ },
+ "privilege_escalation_processes": {
+ "query": "SELECT pid, name, path, cmdline, uid, gid, euid, egid, suid, sgid, cwd, start_time FROM processes WHERE (uid != euid OR gid != egid);",
+ "interval": 300
+ }
+ },
+ "decorators": {
+ "load": [
+ "SELECT uuid AS host_uuid FROM system_info;",
+ "SELECT hostname FROM system_info;",
+ "SELECT user AS username FROM logged_in_users WHERE user NOT IN ('_mbsetupuser', 'root') ORDER BY time DESC LIMIT 1;"
+ ]
+ },
+ "packs": {}
+}
+
diff --git a/osquery/osquery.flags b/osquery/osquery.flags
new file mode 100644
index 0000000..45b1258
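Review bot: The `setuid_files` and `setgid_files` queries will not report anything useful: osquery's `file` table needs a `path` or `directory` constraint in the WHERE clause and returns no rows without one, and `mode` is an octal text column, so `(mode & '04000')` masks a decimal reinterpretation of the string. On Linux and macOS the `suid_bin` table already enumerates setuid/setgid binaries, so `"query": "SELECT path, username, groupname, permissions FROM suid_bin;"` does the intended job; it walks the filesystem, so keep the interval at an hour or longer. Separately, `scheduled_tasks`, `services` and `logon_scripts` are Windows tables and `startup_items` is, as far as I know, macOS/Windows only, so on the Ubuntu hosts the playbooks target those four schedule entries will fail every hour and fill the error log with noise; drop them or replace them with Linux equivalents such as `systemd_units`. The `NOT IN ('_mbsetupuser', 'root')` filter in the decorator likewise looks carried over from a macOS example.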
--- /dev/null
+++ b/osquery/osquery.flags
@@ -0,0 +1,2 @@
+--config_path=/etc/osquery/osquery.conf
+--logger_path=/var/log/osquery
diff --git a/osquery/run.sh b/osquery/run.sh
new file mode 100755
index 0000000..e3e95f2
--- /dev/null
+++ b/osquery/run.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+if [ $# -ne 1 ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
+playbook_file=$1
+
+ansible-playbook $playbook_file --ask-become-pass
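Review bot: `ansible-playbook $playbook_file --ask-become-pass` expands the argument unquoted, so a path containing whitespace or glob characters is split or expanded before the playbook is resolved; quote it, `ansible-playbook "$playbook_file" --ask-become-pass`. The usage line reads `echo "Usage: $0 "` with nothing after `$0`, which looks like the argument placeholder was lost (possibly when the page was rendered); `echo "Usage: $0 <playbook.yaml>"` restores it. A `[ -f "$playbook_file" ]` check before invoking ansible-playbook would also give a clearer error than the Ansible failure for a missing file.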