multiple updates to osquery

* move playbooks to roles
   * update documentation
   * update haproxy
     - set 6443 as default port for kolide fleet
   * add galera support

Change-Id: I2fdefcb6bec98486c16b54cf33e2b7940b88d50b
This commit is contained in:
Victor Palma 2018-08-21 10:40:39 -05:00
parent b5e99adc01
commit 3aa5fcd8fc
41 changed files with 503 additions and 96 deletions

3
osquery/.gitignore vendored Normal file

@ -0,0 +1,3 @@
inventory.dev.yml
*.retry
telemetry.yaml


@ -9,7 +9,7 @@
version: master
- name: osquery
scm: git
src: https://github.com/juju4/ansible-osquery
src: https://github.com/kloud-pro/ansible-osquery
version: master
- name: redis
scm: git
@ -27,3 +27,11 @@
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-galera_server
version: master
- name: apt_package_pinning
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-apt_package_pinning
version: master
- name: plugins
scm: git
src: https://git.openstack.org/openstack/openstack-ansible-plugins
version: master
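Review bot: Every role entry here, including the osquery role whose `src:` now points at the kloud-pro fork, is fetched with `version: master`, so the code that ends up on the hosts is whatever the fork's default branch holds at run time and a deployment cannot be reproduced or audited later. The bootstrap script added in this same commit already pins its `git clone`s to commit hashes with a dated comment; the same discipline belongs here, e.g. `version: <tag-or-commit-sha>` on each role. The enclosing requirements list extends beyond both hunks.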



@ -0,0 +1,129 @@
#!/usr/bin/env bash
# Copyright 2018, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
export OPTS=()
export ANSIBLE_EMBED_HOME="${HOME}/ansible25"
OPTS+=('ANSIBLE_EMBED_HOME')
source /etc/os-release
if [[ ! -e "${ANSIBLE_EMBED_HOME}/bin/ansible" ]]; then
if [ ${VERSION_ID} = "14.04" ]; then
apt-get update
apt-get -y install python-virtualenv
echo "done installing python-virtualenv"
else
apt-get update
apt-get -y install python3-virtualenv python-virtualenv
echo "done installing python-virtualenv python3-virtualenv"
fi
if [[ -e "${HOME}/.pip" ]]; then
echo "..................moving .pip out of place to boostrap"
mv ${HOME}/.pip ${HOME}/.off-pip
fi
if [[ -f "/usr/bin/python2" ]]; then
virtualenv --python="/usr/bin/python2" "${ANSIBLE_EMBED_HOME}"
elif [[ -f "/usr/bin/python3" ]]; then
virtualenv --python="/usr/bin/python3" "${ANSIBLE_EMBED_HOME}"
else
virtualenv "${ANSIBLE_EMBED_HOME}"
fi
eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade --force pip"
eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade ansible==2.5.5.0 --isolated"
eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade jmespath --isolated"
echo "Ansible can be found here: ${ANSIBLE_EMBED_HOME}/bin"
if [[ -e "${HOME}/.off-pip" ]]; then
mv ${HOME}/off-pip ${HOME}/.pip
echo "..................moving .pip back in to place"
fi
fi
if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template" ]]; then
mkdir -p "${ANSIBLE_EMBED_HOME}/repositories"
git clone https://git.openstack.org/openstack/ansible-config_template "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template"
pushd "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template"
git checkout a5c9d97e18683f0fdf9769d94ba174c72e2d093c # HEAD of master from 20-06-18
popd
fi
if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/openstack_ansible_plugins" ]]; then
mkdir -p "${ANSIBLE_EMBED_HOME}/repositories"
git clone https://git.openstack.org/openstack/openstack-ansible-plugins "${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins"
pushd "${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins"
git checkout cef7946b3b3b3e4d02406c228741985a94b72cff # HEAD of master from 20-06-18
popd
fi
if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service" ]]; then
mkdir -p "${ANSIBLE_EMBED_HOME}/repositories"
git clone https://git.openstack.org/openstack/ansible-role-systemd_service "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service"
pushd "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service"
git checkout 02f5ff1c0e073af53bed2141a045e608162970ea # HEAD of master from 20-06-18
popd
fi
if [[ -f "/etc/openstack_deploy/openstack_inventory.json" ]]; then
if [[ ! -f "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh" ]]; then
mkdir -p "${ANSIBLE_EMBED_HOME}/inventory"
cat > "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh" <<EOF
#!/usr/bin/env bash
cat /etc/openstack_deploy/openstack_inventory.json
EOF
chmod +x "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh"
fi
export USER_VARS="$(for i in $(ls -1 /etc/openstack_deploy/user_*secret*.yml); do echo -n "-e@$i "; done)"
OPTS+=('USER_VARS')
echo "env USER_VARS set"
echo "Extra users variables can be expanded by including the option \$USER_VARS on a playbook run."
export ANSIBLE_INVENTORY="${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh"
OPTS+=('ANSIBLE_INVENTORY')
echo "env ANSIBLE_INVENTORY set"
fi
export ANSIBLE_HOST_KEY_CHECKING="False"
OPTS+=('ANSIBLE_HOST_KEY_CHECKING')
echo "env ANSIBLE_HOST_KEY_CHECKING set"
export ANSIBLE_ROLES_PATH="${ANSIBLE_EMBED_HOME}/repositories/roles"
OPTS+=('ANSIBLE_ROLES_PATH')
echo "env ANSIBLE_ROLES_PATH set"
export ANSIBLE_ACTION_PLUGINS="${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template/action"
OPTS+=('ANSIBLE_ACTION_PLUGINS')
echo "env ANSIBLE_ACTION_PLUGINS set"
export ANSIBLE_CONNECTION_PLUGINS="${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins/connection/"
OPTS+=('ANSIBLE_CONNECTION_PLUGINS')
echo "env ANSIBLE_CONNECTION_PLUGINS set"
source ${ANSIBLE_EMBED_HOME}/bin/activate
echo "Embedded Ansible has been activated. Run 'deactivate' to leave the embedded environment".
function deactivate_embedded_venv {
deactivate
for i in ${OPTS[@]}; do
unset ${i}
done
unset deactivate_embedded_venv
unalias deactivate
}
alias deactivate=deactivate_embedded_venv
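Review bot: The restore step never puts the pip configuration back: the guard tests `"${HOME}/.off-pip"` but the move reads `${HOME}/off-pip` (no leading dot), so the `mv` fails and `~/.pip` stays parked as `~/.off-pip`; the line should be `mv -- "${HOME}/.off-pip" "${HOME}/.pip"`. The guard for the plugins clone tests `repositories/openstack_ansible_plugins` while the clone target and the `pushd` use `repositories/openstack-ansible-plugins`, so every re-run of the script attempts the clone again into an existing directory. `export ANSIBLE_HOST_KEY_CHECKING="False"` is applied unconditionally to every session that sources this file, which removes the only check against a substituted host on first connection; it deserves a comment saying why it is acceptable in this environment, or should be opt-in. Several expansions are unquoted (`[ ${VERSION_ID} = "14.04" ]`, `mv ${HOME}/.pip`, `source ${ANSIBLE_EMBED_HOME}/bin/activate`, `for i in ${OPTS[@]}`) and `$(ls -1 /etc/openstack_deploy/user_*secret*.yml)` should be a plain glob loop.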


@ -1,6 +1,14 @@
fleet_hosts:
logging1:
ip: 172.22.8.27
ip: 10.0.236.110
logging2:
ip: 10.0.236.111
logging3:
ip: 10.0.236.112
mariadb_hosts:
logging1:
ip: 172.22.8.27
ip: 10.0.236.110
logging2:
ip: 10.0.236.111
logging3:
ip: 10.0.236.112


@ -3,7 +3,7 @@ haproxy_extra_services:
haproxy_service_name: kolide-fleet
haproxy_ssl: False
haproxy_backend_nodes: "{{ groups['fleet'] | default([]) }}" # Fleet nodes
haproxy_port: 8443 # This is set using the "kolide_fleet_port" variable
haproxy_port: 6443 # This is set using the "kolide_fleet_port" variable
haproxy_check_port: 443 # This is set using the "kolide_fleet_port" variable
haproxy_backend_port: 443 # This is set using the "kolide_fleet_port" variable
haproxy_balance_type: tcp
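Review bot: The comment on the `haproxy_port: 6443` line says the value is set using `kolide_fleet_port`, but the value is a literal and `kolide_fleet_port` is `"443"` in the defaults added elsewhere in this commit, so the comment contradicts the code; the same wording sits on the `haproxy_check_port` and `haproxy_backend_port` lines. Either reference the variable on the backend-side lines, `haproxy_backend_port: "{{ kolide_fleet_port }}"` and `haproxy_check_port: "{{ kolide_fleet_port }}"`, or replace the frontend comment with `# Front-end port exposed on the load balancer; the backend listens on kolide_fleet_port`. The enclosing `haproxy_extra_services` list starts before the hunk.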


@ -13,17 +13,21 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Install MariaDB server
hosts: mariadb
- name: Install MariaDB Galera Cluster
hosts: "mariadb"
become: true
user: root
gather_facts: "{{ osa_gather_facts | default(True) }}"
vars_files:
- vars/variables.yml
environment: "{{ deployment_environment_variables | default({}) }}"
gather_facts: "{{ osa_gather_facts | default(True) }}"
serial: 1
user: root
roles:
- role: "mariadb"
- role: galera_server
galera_root_user: "{{ mariadb_root_user }}"
galera_root_password: "{{ mariadb_root_password }}"
galera_cluster_members: "{{ groups['mariadb'] }}"
galera_wsrep_node_name: "{{ inventory_hostname }}"
galera_cluster_name: telemetry_galera_cluster
environment: "{{ deployment_environment_variables | default({}) }}"


@ -10,33 +10,5 @@
gather_facts: "{{ osa_gather_facts | default(True) }}"
tasks:
# install SSL certs
- include_tasks: fleetSSL.yml
# install software requirements
- include_tasks: fleetRequirements.yml
# install kolide fleet server
- include_tasks: fleetServerInstall.yml
# drop the configuration
- include_tasks: fleetConfig.yml
# add files for systemd
- include_tasks: fleetService.yml
when:
- ansible_service_mgr == "systemd"
# migrate the database
- include_tasks: fleetMigrateDB.yml
run_once: true
# start fleet via systemd
- include_tasks: fleetStartService.yml
# configure kolide fleet & set admin account
- include_tasks: fleetRegisterAdmin.yml
# retrieve and set enrollment token
- include_tasks: fleetGetEnrollmentToken.yml
roles:
- role: fleet


@ -14,7 +14,7 @@
# limitations under the License.
- name: Install osquery
hosts: hosts
hosts: "osquery"
become: true
vars_files:
- vars/variables.yml
@ -34,6 +34,21 @@
var: hostvars[groups['fleet'][0]]['ansible_host']
verbosity: 2
- name: Store ssl cert
slurp:
src: "{{ kolide_fleet_ssl_cert }}"
register: _kolide_fleet_ssl_cert
- name: Store ssl key
slurp:
src: "{{ kolide_fleet_ssl_key }}"
register: _kolide_fleet_ssl_key
- name: Register a fact for the cert and key
set_fact:
kolide_fleet_ssl_cert_fact: "{{ _kolide_fleet_ssl_cert.content }}"
kolide_fleet_ssl_key_fact: "{{ _kolide_fleet_ssl_key.content }}"
- name: Distribute self signed ssl cert
copy:
dest: "{{ kolide_fleet_ssl_cert }}"


@ -24,9 +24,12 @@ hosts:
logging01:
# This is the location where fleet(s) will live
mariadb:
hosts:
logging01:
fleet:
hosts:
logging01:
osquery:
hosts:
all:
logging01:

35
osquery/inventory.yaml Normal file

@ -0,0 +1,35 @@
---
################################## ALL HOSTS ##################################
all:
hosts:
# Local host
localhost:
ansible_connection: local
################################## REQUIRED ###################################
logging01:
ansible_host: 104.130.207.70
ansible_user: root
vars: {}
################################### GROUPS ####################################
# The hosts group is used to target physical host machines. Enter all physical
# host machines here.
hosts:
hosts:
logging01:
# This is the location where fleet(s) will live
mariadb:
hosts:
logging01:
fleet:
hosts:
logging01:
osquery:
hosts:
logging01:
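Review bot: `osquery/inventory.yaml` is committed with a concrete public address (`ansible_host: 104.130.207.70`) and `ansible_user: root`, while the `.gitignore` added in this commit only excludes `inventory.dev.yml`; environment-specific inventory stays in history long after the host is gone and documents the management path to a real machine. The content looks like a copy of the example inventory changed earlier in this diff, so keeping only the example in the repository and adding `inventory.yaml` to `.gitignore` next to `inventory.dev.yml` would be the safer layout.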


@ -22,7 +22,7 @@ an OpenStack all of the inventory needs will be provided for.
Highlevel overview of Osquery & Kolide Fleet infrastructure these playbooks will
build and operate against.
.. image:: assets/place-holder.svg
.. image:: assets/overview-osquery.png
:scale: 50 %
:alt: Osquery & Kolide Fleet Architecture Diagram
:align: center
@ -70,15 +70,15 @@ Create the containers
.. code-block:: bash
cd /opt/openstack-ansible/playbooks
openstack-ansible lxc-containers-create.yml -e 'container_group=fleet'
openstack-ansible lxc-containers-create.yml --limit fleet_all
Update the `/etc/hosts` file
Update the `/etc/hosts` file *(optional)*
.. code-block:: bash
cd /opt/openstack-ansible/playbooks
openstack-ansible openstack-hosts-setup.yml -e 'container_group=fleet'
openstack-ansible openstack-hosts-setup.yml
@ -136,13 +136,20 @@ environment variable `ANSIBLE_ACTION_PLUGINS` or through the use of an
Deploying | The environment
^^^^^^^^^^^^^^^^^^^^^^^^^^^
Create some basic passwords keys that are needed by fleet
.. code-block:: bashG
echo "kolide_fleet_jwt_key: $(openssl rand -base64 32)" > /etc/openstack_deploy/fleet_user_vars.yml
echo "mariadb_root_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/fleet_user_vars.yml
Install master/data Fleet nodes on the elastic-logstash containers,
deploy logstash, deploy Kibana, and then deploy all of the service beats.
.. code-block:: bashG
cd /opt/openstack-ansible-ops/osquery
ansible-playbook site.yml $USER_VARS
ansible-playbook site.yml -e@/etc/openstack_deploy/fleet_user_vars.yml
* The `openstack-ansible` command can be used if the version of ansible on the
@ -172,7 +179,7 @@ Architecture | Data flow
This diagram outlines the data flow from within an Elastic-Stack deployment.
.. image:: assets/place-holder.svg
.. image:: assets/architecture-osquery.png
:scale: 50 %
:alt: Kolide & Osquery Data Flow Diagram
:align: center
@ -180,8 +187,9 @@ This diagram outlines the data flow from within an Elastic-Stack deployment.
TODO
----
The following is a list of open items.
- [ ] Test Redhat familly Operating Systems
- [ ] missing mariadb cluster (should all work needs additional vars)
- [x] Test Redhat familly Operating Systems
- [x] missing mariadb cluster (should all work needs additional vars)
- [ ] use haproxy instead of the kolide fleet server ip
- [ ] add/update tags
- [ ] convert to roles
- [ ] add testing


@ -0,0 +1,73 @@
---
# Copyright 2018, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Install Kolide Fleet
hosts: "fleet"
become: true
vars_files:
- vars/variables.yml
environment: "{{ deployment_environment_variables | default({}) }}"
gather_facts: "{{ osa_gather_facts | default(True) }}"
pre_tasks:
- name: Store ssl cert
slurp:
src: "{{ kolide_fleet_ssl_cert }}"
register: _kolide_fleet_ssl_cert
- name: Store ssl ca cert
slurp:
src: "{{ kolide_fleet_ssl_ca_cert }}"
register: _kolide_fleet_ssl_ca_cert
when: kolide_fleet_user_ssl_ca_cert is defined
- name: Register a fact for the cert and key
set_fact:
kolide_fleet_ssl_cert_fact: "{{ _kolide_fleet_ssl_cert.content }}"
- name: Register a fact for the cert and key
set_fact:
kolide_fleet_ssl_ca_cert_fact: "{{ _kolide_fleet_ssl_ca_cert.content }}"
when: kolide_fleet_user_ssl_ca_cert is defined
- name: Distribute self signed ssl cert
copy:
dest: "{{ kolide_fleet_ssl_cert }}"
content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_cert_fact'] | b64decode }}"
mode: "0640"
- name: Distribute self signed CA ssl cert
copy:
dest: "{{ kolide_fleet_ca_ssl_cert }}"
content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_ca_cert_fact'] | b64decode }}"
mode: "0640"
when: kolide_fleet_user_ssl_ca_cert is defined
- name: retrieve Enrollment Token
command: /usr/local/bin/fleetctl get enroll-secret
register: _enrollment_token
- name: Set kolide fleet enrollment token fact
set_fact:
kolide_fleet_enroll_secret: "{{ _enrollment_token.stdout }}"
- name: write enroll secret
copy:
dest: "{{ osquery_enroll_secret_dir }}"
content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_enroll_secret'] }}"
mode: "0640"
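Review bot: The CA distribution task writes to `dest: "{{ kolide_fleet_ca_ssl_cert }}"`, but the variable defined in the role defaults added in this commit is `kolide_fleet_ssl_ca_cert`, so the task fails on an undefined variable whenever `kolide_fleet_user_ssl_ca_cert` is defined; it should read `dest: "{{ kolide_fleet_ssl_ca_cert }}"`. The `fleetctl get enroll-secret` command, the `set_fact` that captures its stdout and the `copy` that writes it carry no `no_log`, so the enrollment secret is printed in verbose playbook output and lands in any log collector; add `no_log: true` to those three tasks. The two `set_fact` tasks share the name `Register a fact for the cert and key` although neither handles a key; the second should be named for the CA cert.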


@ -0,0 +1,41 @@
# Kolide Fleet vars
kolide_fleet_db_name: fleet
kolide_fleet_db_user: fleet
#kolide_fleet_db_password: fleetSecrete
kolide_fleet_port: "443"
kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}"
kolide_fleet_version: "2.0.0-rc5"
kolide_fleet_url: "https://github.com/kolide/fleet/releases/download"
kolide_fleet_admin_email: admin@openstack.org
#kolide_fleet_admin_password: AdminSecrete
kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert
kolide_fleet_ssl_key: /etc/ssl/private/fleet.key
kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem
kolide_fleet_ssl_ca_cert: /etc/ssl/certs/fleet-ca.pem
kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost"
kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
#kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}"
# MariaDB/Gallera Variables
mariadb_bind_address: "0.0.0.0"
mariadb_root_remote: 1
mariadb_root_user: root
#mariadb_root_password: fleetSecrete
mariadb_databases:
- name: "{{ kolide_fleet_db_name }}"
mariadb_users:
- name: "{{ kolide_fleet_db_user }}"
password: "{{ kolide_fleet_db_password }}"
priv: " {{ kolide_fleet_db_name }}.*:ALL"
host: "%"
galera_root_password: "{{ mariadb_root_password }}"
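Review bot: The `priv` entry under `mariadb_users` is `" {{ kolide_fleet_db_name }}.*:ALL"` with a leading space, so if any role still consumes `mariadb_users` the grant is requested for a database named with that leading space rather than `fleet`; the `createFleetDB.yml` task added in this commit uses the unspaced form, `priv: "{{ kolide_fleet_db_name }}.*:ALL"`, and this line should match it. The same defaults block, including that line, appears verbatim in the second new defaults file further down this commit, and two copies of the same variables will drift; one copy, or a shared vars file, is enough. `mariadb_bind_address: "0.0.0.0"` together with `mariadb_root_remote: 1` and `host: "%"` makes both the root and the fleet DB accounts reachable on every interface from any source address; restricting `host` to the fleet and mariadb addresses keeps the exposure to the hosts that need it.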


@ -0,0 +1,43 @@
---
# Copyright 2018, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- name: Create DB for service
mysql_db:
login_user: "{{ mariadb_root_user }}"
login_password: "{{ mariadb_root_password }}"
login_host: "{{ mariadb_login_host | default('localhost') }}"
name: "{{ kolide_fleet_db_name }}"
state: "present"
delegate_to: "{{ groups['mariadb'][0] }}"
no_log: False
tags:
- fleet_db_install
- name: Grant access to the DB for the service
mysql_user:
login_user: "{{ mariadb_root_user }}"
login_password: "{{ mariadb_root_password }}"
login_host: "{{ mariadb_login_host | default('localhost') }}"
name: "{{ kolide_fleet_db_user }}"
password: "{{ kolide_fleet_db_password }}"
host: "{{ item }}"
state: "present"
priv: "{{ kolide_fleet_db_name }}.*:ALL"
append_privs: "{{ kolide_fleet_db_append_privs | default(omit) }}"
delegate_to: "{{ groups['mariadb'][0] }}"
with_items: "{{ grant_list | default(['localhost', '%']) }}"
no_log: False
tags:
- fleet_db_install
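Review bot: Both tasks set `no_log: False` explicitly even though they pass `login_password` and, in the second, the fleet DB `password`, so the root and service passwords are printed on any verbose run; `no_log: true` is the right setting here and the explicit `False` looks like a debugging leftover. The default `grant_list` of `['localhost', '%']` grants the service user access from any host; with `mariadb_bind_address` set to `0.0.0.0` in the defaults of this commit, a narrower default listing the fleet hosts would be reasonable.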


@ -13,13 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#- name: Install prerequisites
# apt: name= {{item}} update_cache=yes
# with_items:
# - apt-transport-https
# - ca-certificates
# - curl
# - software-properties-common
- name: Run the systemd service role
include_role:
name: redis


@ -0,0 +1,33 @@
---
# install SSL certs
- include_tasks: createFleetDB.yml
# install SSL certs
- include_tasks: fleetSSL.yml
# install software requirements
- include_tasks: fleetRequirements.yml
# install kolide fleet server
- include_tasks: fleetServerInstall.yml
# drop the configuration
- include_tasks: fleetConfig.yml
# add files for systemd
- include_tasks: fleetService.yml
when:
- ansible_service_mgr == "systemd"
# migrate the database
- include_tasks: fleetMigrateDB.yml
run_once: true
# start fleet via systemd
- include_tasks: fleetStartService.yml
# configure kolide fleet & set admin account
- include_tasks: fleetRegisterAdmin.yml
# retrieve and set enrollment token
- include_tasks: fleetGetEnrollmentToken.yml
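Review bot: The comment above `- include_tasks: createFleetDB.yml` reads `# install SSL certs`, duplicated from the line below it, and mislabels the step; it should be `# create the fleet database and grant the service user access`. The remaining comments match their includes.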


@ -0,0 +1,38 @@
# Kolide Fleet vars
kolide_fleet_db_name: fleet
kolide_fleet_db_user: fleet
#kolide_fleet_db_password: fleetSecrete
kolide_fleet_port: "443"
kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}"
kolide_fleet_version: "2.0.0-rc5"
kolide_fleet_url: "https://github.com/kolide/fleet/releases/download"
kolide_fleet_admin_email: admin@openstack.org
#kolide_fleet_admin_password: AdminSecrete
kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert
kolide_fleet_ssl_key: /etc/ssl/private/fleet.key
kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem
kolide_fleet_ssl_ca_cert: /etc/ssl/certs/fleet-ca.pem
kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost"
kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
#kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}"
# MariaDB/Gallera Variables
#mariadb_root_password: fleetSecrete
mariadb_bind_address: "0.0.0.0"
mariadb_root_remote: 1
mariadb_root_user: root
mariadb_databases:
- name: "{{ kolide_fleet_db_name }}"
mariadb_users:
- name: "{{ kolide_fleet_db_user }}"
password: "{{ kolide_fleet_db_password }}"
priv: " {{ kolide_fleet_db_name }}.*:ALL"
host: "%"
galera_root_password: "{{ mariadb_root_password }}"

15
osquery/site-fleet.yml Normal file

@ -0,0 +1,15 @@
---
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- import_playbook: installDB.yml
- import_playbook: installKolideFleet.yml
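Review bot: `site-fleet.yml` imports `installDB.yml`, but the only database playbook visible in this commit is the one `site.yml` previously imported as `installMariaDB.yml`, whose hunk renames the play to `Install MariaDB Galera Cluster` without a visible file rename; confirm that `installDB.yml` exists, otherwise the import fails at parse time. The header also drops the `# Copyright 2018, Rackspace US, Inc.` line that every other new file in the commit carries, as does `site-osquery.yml`.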

15
osquery/site-osquery.yml Normal file

@ -0,0 +1,15 @@
---
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
- import_playbook: registerSSLcerts.yml
- import_playbook: installOSquery.yml
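Review bot: `site-osquery.yml` imports `installOSquery.yml`, while the import removed from `site.yml` in this commit was `installOsquery.yml` (lower-case s); on a case-sensitive filesystem the new name only resolves if the playbook was renamed, which the diff does not show. If the file is unchanged, the line should be `- import_playbook: installOsquery.yml`.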


@ -13,6 +13,5 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- import_playbook: installMariaDB.yml
- import_playbook: installKolideFleet.yml
- import_playbook: installOsquery.yml
- import_playbook: site-fleet.yml
- import_playbook: site-osquery.yml


@ -1,32 +1,17 @@
mariadb_root_user: root
#
kolide_fleet_enable: true
kolide_fleet_cluster: false
# Kolide Fleet vars
kolide_fleet_db_name: fleet
kolide_fleet_db_user: fleet
kolide_fleet_db_password: fleetSecrete
kolide_fleet_port: "443"
kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}"
kolide_fleet_version: "2.0.0-rc3"
kolide_fleet_url: "https://github.com/kolide/fleet/releases/download"
kolide_fleet_admin_email: admin@openstack.org
#kolide_fleet_admin_password: AdminSecrete
kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert
kolide_fleet_ssl_key: /etc/ssl/private/fleet.key
kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem
kolide_fleet_ssl_ca_cert: /etc/ssl/certs/fleet-ca.pem
kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}/subjectAltName=IP.2={{ ansible_host }}}/subjectAltName=IP.3=localhost"
kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
#kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}"
kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost"
# Osquery vars
osquery_enroll_secret_dir: /etc/osquery/osquery_enroll_secret
osquery_debug_packages_install: false
osquery_debug_packages_install: false
@ -53,16 +38,3 @@ osquery_flags:
- "--logger_tls_endpoint=/api/v1/osquery/log"
- "--logger_tls_period=10"
- "--enroll_secret_path={{ osquery_enroll_secret_dir }}"
# MariaDB/Gallera Variables
#mariadb_root_password: fleetSecrete
mariadb_bind_address: "0.0.0.0"
mariadb_root_remote: 1
mariadb_databases:
- name: "{{ kolide_fleet_db_name }}"
mariadb_users:
- name: "{{ kolide_fleet_db_user }}"
password: "{{ kolide_fleet_db_password }}"
priv: " {{ kolide_fleet_db_name }}.*:ALL"
host: "%"