adding osquery file set

2023-04-24 17:07:07 +02:00 · 2023-04-24 17:07:07 +02:00 · 25e1aa4d73
commit 25e1aa4d73
parent f8ba3d56e5
6 changed files with 166 additions and 0 deletions
--- a/osquery/Readme.txt
+++ b/osquery/Readme.txt
@ -0,0 +1,9 @@
 This is a lab file set to make osquery do the following
 * detect hidden files and processes
 * report new cron jobs
 * ... cover parts of ATT&CK matrix, that make sense for the lab
  * detection engineering
 * log the results as JSON
 * Logrotate management
--- a/osquery/configure_osquery.yaml
+++ b/osquery/configure_osquery.yaml
@ -0,0 +1,62 @@
 ---
 - name: Configure osquery on the local system
  hosts: localhost
  connection: local
  become: yes
  tasks:
    - name: Install osquery
      apt:
        name: osquery
        state: present
        update_cache: yes
    - name: Create osquery user
      user:
        name: osquery
        system: yes
        create_home: no
        state: present
    - name: Copy osquery.flags file
      copy:
        src: osquery.flags
        dest: /etc/osquery/osquery.flags
        owner: root
        group: root
        mode: 0644
    - name: Copy osquery.conf file
      copy:
        src: osquery.conf
        dest: /etc/osquery/osquery.conf
        owner: root
        group: root
        mode: 0644
    - name: Create log directory
      file:
        path: /var/log/osquery
        state: directory
        owner: osquery
        group: osquery
        mode: 0750
    - name: Set up logrotate
      copy:
        content: |
          /var/log/osquery/osqueryd.{INFO,ERROR,WARNING}* /var/log/osquery/osqueryd.results.log {
            daily
            rotate 3
            compress
            missingok
            notifempty
            create 0640 osquery osquery
            postrotate
                systemctl restart osqueryd > /dev/null 2>&1 || true
            endscript
          }
        dest: /etc/logrotate.d/osquery
        owner: root
        group: root
        mode: 0644
--- a/osquery/install_osquery.yaml
+++ b/osquery/install_osquery.yaml
@ -0,0 +1,28 @@
 ---
 - name: Install osquery on Ubuntu 20.04 LTS
  hosts: localhost
  become: yes
  gather_facts: no
  tasks:
    - name: Ensure /etc/apt/keyrings directory exists
      ansible.builtin.file:
        path: /etc/apt/keyrings
        state: directory
    - name: Download osquery public key
      ansible.builtin.get_url:
        url: https://pkg.osquery.io/deb/pubkey.gpg
        dest: /etc/apt/keyrings/osquery.asc
        mode: '0644'
    - name: Add osquery repository
      ansible.builtin.apt_repository:
        repo: 'deb [arch=amd64 signed-by=/etc/apt/keyrings/osquery.asc] https://pkg.osquery.io/deb deb main'
        state: present
    - name: Install osquery
      ansible.builtin.apt:
        name: osquery
        state: present
        update_cache: yes
--- a/osquery/osquery.conf
+++ b/osquery/osquery.conf
@ -0,0 +1,55 @@
 {
  "options": {
    "disable_events": "false",
    "utc": "true",
    "logger_mode": "0640",
    "logger_format": "json"
  },
  "schedule": {
    "scheduled_task_persistence": {
      "query": "SELECT path, name, action, enabled, hidden FROM scheduled_tasks;",
      "interval": 3600
    },
    "startup_items": {
      "query": "SELECT name, path, status, source FROM startup_items;",
      "interval": 3600
    },
    "services_persistence": {
      "query": "SELECT name, display_name, path, start_type, status FROM services WHERE start_type IN ('AUTO_START', 'DEMAND_START');",
      "interval": 3600
    },
    "system_cron_jobs": {
      "query": "SELECT command, path, interval, time FROM crontab;",
      "interval": 3600
    },
    "user_cron_jobs": {
      "query": "SELECT username, command, path, interval, time FROM crontab WHERE username != 'root';",
      "interval": 3600
    },
    "logon_scripts": {
      "query": "SELECT script_path, username FROM logon_scripts;",
      "interval": 3600
    },
    "setuid_files": {
      "query": "SELECT path, uid, gid, mode, size, atime, mtime, ctime FROM file WHERE (mode & '04000') = '04000';",
      "interval": 3600
    },
    "setgid_files": {
      "query": "SELECT path, uid, gid, mode, size, atime, mtime, ctime FROM file WHERE (mode & '02000') = '02000';",
      "interval": 3600
    },
    "privilege_escalation_processes": {
      "query": "SELECT pid, name, path, cmdline, uid, gid, euid, egid, suid, sgid, cwd, start_time FROM processes WHERE (uid != euid OR gid != egid);",
      "interval": 300
    }
  },
  "decorators": {
    "load": [
      "SELECT uuid AS host_uuid FROM system_info;",
      "SELECT hostname FROM system_info;",
      "SELECT user AS username FROM logged_in_users WHERE user NOT IN ('_mbsetupuser', 'root') ORDER BY time DESC LIMIT 1;"
    ]
  },
  "packs": {}
 }
--- a/osquery/osquery.flags
+++ b/osquery/osquery.flags
@ -0,0 +1,2 @@
 --config_path=/etc/osquery/osquery.conf
 --logger_path=/var/log/osquery
--- a/osquery/run.sh
+++ b/osquery/run.sh
@ -0,0 +1,10 @@
 #!/bin/bash
 if [ $# -ne 1 ]; then
  echo "Usage: $0 <playbook_file>"
  exit 1
 fi
 playbook_file=$1
 ansible-playbook $playbook_file --ask-become-pass
		`@ -0,0 +1,2 @@`
							`--config_path=/etc/osquery/osquery.conf`
							`--logger_path=/var/log/osquery`