multiple updates to osquery
* move playbooks to roles * update documentation * update haproxy - set 6443 as default port for kolide fleet * add galera support Change-Id: I2fdefcb6bec98486c16b54cf33e2b7940b88d50b
This commit is contained in:
parent
b5e99adc01
commit
3aa5fcd8fc
3
osquery/.gitignore
vendored
Normal file
3
osquery/.gitignore
vendored
Normal file
@ -0,0 +1,3 @@
|
||||
inventory.dev.yml
|
||||
*.retry
|
||||
telemetry.yaml
|
@ -9,7 +9,7 @@
|
||||
version: master
|
||||
- name: osquery
|
||||
scm: git
|
||||
src: https://github.com/juju4/ansible-osquery
|
||||
src: https://github.com/kloud-pro/ansible-osquery
|
||||
version: master
|
||||
- name: redis
|
||||
scm: git
|
||||
@ -27,3 +27,11 @@
|
||||
scm: git
|
||||
src: https://git.openstack.org/openstack/openstack-ansible-galera_server
|
||||
version: master
|
||||
- name: apt_package_pinning
|
||||
scm: git
|
||||
src: https://git.openstack.org/openstack/openstack-ansible-apt_package_pinning
|
||||
version: master
|
||||
- name: plugins
|
||||
scm: git
|
||||
src: https://git.openstack.org/openstack/openstack-ansible-plugins
|
||||
version: master
|
||||
|
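Review bot: `- name: osquery` now pulls `https://github.com/kloud-pro/ansible-osquery` at `version: master`, and the newly added `apt_package_pinning` and `plugins` entries are likewise on `master`; an unpinned branch on a fork means every run fetches whatever that account has pushed since, with no way to audit or reproduce what was deployed on the monitored hosts. Pin each entry to a tag or a commit, e.g. `version: <commit sha>`, the way `bootstrap-embedded-ansible.sh` in this commit already pins its repository checkouts. A one-line comment saying why the `kloud-pro` fork is used instead of the upstream `juju4` role would help the next person deciding whether to move back. The file header for this section is not shown in the rendered page.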
BIN
osquery/assets/architecture-osquery.png
Normal file
BIN
osquery/assets/architecture-osquery.png
Normal file
Binary file not shown.
BIN
osquery/assets/overview-osquery.png
Normal file
BIN
osquery/assets/overview-osquery.png
Normal file
Binary file not shown.
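--- a/osquery/bootstrap-embedded-ansible.sh
+++ b/osquery/bootstrap-embedded-ansible.sh
@@ -0,0 +1,129 @@
+#!/usr/bin/env bash
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+export OPTS=()
+export ANSIBLE_EMBED_HOME="${HOME}/ansible25"
+OPTS+=('ANSIBLE_EMBED_HOME')
+
+source /etc/os-release
+if [[ ! -e "${ANSIBLE_EMBED_HOME}/bin/ansible" ]]; then
+  if [ ${VERSION_ID} = "14.04" ]; then
+    apt-get update
+    apt-get -y install python-virtualenv
+    echo "done installing python-virtualenv"
+  else
+    apt-get update
+    apt-get -y install python3-virtualenv python-virtualenv
+    echo "done installing python-virtualenv python3-virtualenv"
+  fi
+
+  if [[ -e "${HOME}/.pip" ]]; then
+    echo "..................moving .pip out of place to boostrap"
+    mv ${HOME}/.pip ${HOME}/.off-pip
+  fi
+
+  if [[ -f "/usr/bin/python2" ]]; then
+    virtualenv --python="/usr/bin/python2" "${ANSIBLE_EMBED_HOME}"
+  elif [[ -f "/usr/bin/python3" ]]; then
+    virtualenv --python="/usr/bin/python3" "${ANSIBLE_EMBED_HOME}"
+  else
+    virtualenv "${ANSIBLE_EMBED_HOME}"
+  fi
+
+  eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade --force pip"
+  eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade ansible==2.5.5.0 --isolated"
+  eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade jmespath --isolated"
+  echo "Ansible can be found here: ${ANSIBLE_EMBED_HOME}/bin"
+
+  if [[ -e "${HOME}/.off-pip" ]]; then
+    mv ${HOME}/off-pip ${HOME}/.pip
+    echo "..................moving .pip back in to place"
+  fi
+fi
+
+if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template" ]]; then
+  mkdir -p "${ANSIBLE_EMBED_HOME}/repositories"
+  git clone https://git.openstack.org/openstack/ansible-config_template "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template"
+  pushd "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template"
+  git checkout a5c9d97e18683f0fdf9769d94ba174c72e2d093c # HEAD of master from 20-06-18
+  popd
+fi
+
+if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/openstack_ansible_plugins" ]]; then
+  mkdir -p "${ANSIBLE_EMBED_HOME}/repositories"
+  git clone https://git.openstack.org/openstack/openstack-ansible-plugins "${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins"
+  pushd "${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins"
+  git checkout cef7946b3b3b3e4d02406c228741985a94b72cff # HEAD of master from 20-06-18
+  popd
+fi
+
+if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service" ]]; then
+  mkdir -p "${ANSIBLE_EMBED_HOME}/repositories"
+  git clone https://git.openstack.org/openstack/ansible-role-systemd_service "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service"
+  pushd "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service"
+  git checkout 02f5ff1c0e073af53bed2141a045e608162970ea # HEAD of master from 20-06-18
+  popd
+fi
+
+if [[ -f "/etc/openstack_deploy/openstack_inventory.json" ]]; then
+  if [[ ! -f "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh" ]]; then
+    mkdir -p "${ANSIBLE_EMBED_HOME}/inventory"
+    cat > "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh" <<EOF
+#!/usr/bin/env bash
+cat /etc/openstack_deploy/openstack_inventory.json
+EOF
+    chmod +x "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh"
+  fi
+
+  export USER_VARS="$(for i in $(ls -1 /etc/openstack_deploy/user_*secret*.yml); do echo -n "-e@$i "; done)"
+  OPTS+=('USER_VARS')
+  echo "env USER_VARS set"
+  echo "Extra users variables can be expanded by including the option \$USER_VARS on a playbook run."
+
+  export ANSIBLE_INVENTORY="${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh"
+  OPTS+=('ANSIBLE_INVENTORY')
+  echo "env ANSIBLE_INVENTORY set"
+fi
+
+export ANSIBLE_HOST_KEY_CHECKING="False"
+OPTS+=('ANSIBLE_HOST_KEY_CHECKING')
+echo "env ANSIBLE_HOST_KEY_CHECKING set"
+
+export ANSIBLE_ROLES_PATH="${ANSIBLE_EMBED_HOME}/repositories/roles"
+OPTS+=('ANSIBLE_ROLES_PATH')
+echo "env ANSIBLE_ROLES_PATH set"
+
+export ANSIBLE_ACTION_PLUGINS="${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template/action"
+OPTS+=('ANSIBLE_ACTION_PLUGINS')
+echo "env ANSIBLE_ACTION_PLUGINS set"
+
+export ANSIBLE_CONNECTION_PLUGINS="${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins/connection/"
+OPTS+=('ANSIBLE_CONNECTION_PLUGINS')
+echo "env ANSIBLE_CONNECTION_PLUGINS set"
+
+source ${ANSIBLE_EMBED_HOME}/bin/activate
+echo "Embedded Ansible has been activated. Run 'deactivate' to leave the embedded environment".
+
+function deactivate_embedded_venv {
+  deactivate
+  for i in ${OPTS[@]}; do
+    unset ${i}
+  done
+  unset deactivate_embedded_venv
+  unalias deactivate
+}
+
+
+alias deactivate=deactivate_embedded_venv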
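Review bot: `export ANSIBLE_HOST_KEY_CHECKING="False"` near the end of the script disables SSH host-key verification for every playbook run from this environment, unconditionally, which leaves the deploy host open to a man-in-the-middle on first contact with any target; make it opt-in, e.g. `export ANSIBLE_HOST_KEY_CHECKING="${ANSIBLE_HOST_KEY_CHECKING:-True}"`, and say in a comment why a deployer would turn it off. The `.pip` restore block is also broken: the directory is moved to `${HOME}/.off-pip` but moved back from `${HOME}/off-pip` (no dot), so the user's pip configuration is never restored; it should read `mv "${HOME}/.off-pip" "${HOME}/.pip"`. Quoting `${HOME}` in both `mv` calls and replacing the `ls`-driven `USER_VARS` loop with a glob (`for i in /etc/openstack_deploy/user_*secret*.yml`) would also let the script survive paths with spaces.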
@ -1,6 +1,14 @@
|
||||
fleet_hosts:
|
||||
logging1:
|
||||
ip: 172.22.8.27
|
||||
ip: 10.0.236.110
|
||||
logging2:
|
||||
ip: 10.0.236.111
|
||||
logging3:
|
||||
ip: 10.0.236.112
|
||||
mariadb_hosts:
|
||||
logging1:
|
||||
ip: 172.22.8.27
|
||||
ip: 10.0.236.110
|
||||
logging2:
|
||||
ip: 10.0.236.111
|
||||
logging3:
|
||||
ip: 10.0.236.112
|
||||
|
@ -3,7 +3,7 @@ haproxy_extra_services:
|
||||
haproxy_service_name: kolide-fleet
|
||||
haproxy_ssl: False
|
||||
haproxy_backend_nodes: "{{ groups['fleet'] | default([]) }}" # Fleet nodes
|
||||
haproxy_port: 8443 # This is set using the "kolide_fleet_port" variable
|
||||
haproxy_port: 6443 # This is set using the "kolide_fleet_port" variable
|
||||
haproxy_check_port: 443 # This is set using the "kolide_fleet_port" variable
|
||||
haproxy_backend_port: 443 # This is set using the "kolide_fleet_port" variable
|
||||
haproxy_balance_type: tcp
|
||||
|
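Review bot: The comment on `haproxy_port: 6443` says the value is set using `kolide_fleet_port`, but all three port values are literals and `kolide_fleet_port` defaults to `"443"` in this commit's role defaults, so only the backend and check ports still agree with it. Either template the frontend port from a variable or replace the misleading comment, e.g. `haproxy_port: 6443 # public port of the kolide-fleet frontend; backend/check ports follow kolide_fleet_port (443)`. Because `haproxy_ssl: False` with `haproxy_balance_type: tcp` passes TLS straight through to Fleet, agents that connect to the load-balancer address on 6443 presumably validate the Fleet certificate against that address, so it needs to be covered by the certificate's SAN. The `haproxy_extra_services` list starts before this hunk.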
@ -13,17 +13,21 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- name: Install MariaDB server
|
||||
hosts: mariadb
|
||||
- name: Install MariaDB Galera Cluster
|
||||
hosts: "mariadb"
|
||||
become: true
|
||||
user: root
|
||||
gather_facts: "{{ osa_gather_facts | default(True) }}"
|
||||
|
||||
vars_files:
|
||||
- vars/variables.yml
|
||||
|
||||
environment: "{{ deployment_environment_variables | default({}) }}"
|
||||
|
||||
gather_facts: "{{ osa_gather_facts | default(True) }}"
|
||||
serial: 1
|
||||
user: root
|
||||
|
||||
roles:
|
||||
- role: "mariadb"
|
||||
- role: galera_server
|
||||
galera_root_user: "{{ mariadb_root_user }}"
|
||||
galera_root_password: "{{ mariadb_root_password }}"
|
||||
galera_cluster_members: "{{ groups['mariadb'] }}"
|
||||
galera_wsrep_node_name: "{{ inventory_hostname }}"
|
||||
galera_cluster_name: telemetry_galera_cluster
|
||||
|
||||
environment: "{{ deployment_environment_variables | default({}) }}"
|
@ -10,33 +10,5 @@
|
||||
|
||||
gather_facts: "{{ osa_gather_facts | default(True) }}"
|
||||
|
||||
tasks:
|
||||
# install SSL certs
|
||||
- include_tasks: fleetSSL.yml
|
||||
|
||||
# install software requirements
|
||||
- include_tasks: fleetRequirements.yml
|
||||
|
||||
# install kolide fleet server
|
||||
- include_tasks: fleetServerInstall.yml
|
||||
|
||||
# drop the configuration
|
||||
- include_tasks: fleetConfig.yml
|
||||
|
||||
# add files for systemd
|
||||
- include_tasks: fleetService.yml
|
||||
when:
|
||||
- ansible_service_mgr == "systemd"
|
||||
|
||||
# migrate the database
|
||||
- include_tasks: fleetMigrateDB.yml
|
||||
run_once: true
|
||||
|
||||
# start fleet via systemd
|
||||
- include_tasks: fleetStartService.yml
|
||||
|
||||
# configure kolide fleet & set admin account
|
||||
- include_tasks: fleetRegisterAdmin.yml
|
||||
|
||||
# retrieve and set enrollment token
|
||||
- include_tasks: fleetGetEnrollmentToken.yml
|
||||
roles:
|
||||
- role: fleet
|
||||
|
@ -14,7 +14,7 @@
|
||||
# limitations under the License.
|
||||
|
||||
- name: Install osquery
|
||||
hosts: hosts
|
||||
hosts: "osquery"
|
||||
become: true
|
||||
vars_files:
|
||||
- vars/variables.yml
|
||||
@ -34,6 +34,21 @@
|
||||
var: hostvars[groups['fleet'][0]]['ansible_host']
|
||||
verbosity: 2
|
||||
|
||||
- name: Store ssl cert
|
||||
slurp:
|
||||
src: "{{ kolide_fleet_ssl_cert }}"
|
||||
register: _kolide_fleet_ssl_cert
|
||||
|
||||
- name: Store ssl key
|
||||
slurp:
|
||||
src: "{{ kolide_fleet_ssl_key }}"
|
||||
register: _kolide_fleet_ssl_key
|
||||
|
||||
- name: Register a fact for the cert and key
|
||||
set_fact:
|
||||
kolide_fleet_ssl_cert_fact: "{{ _kolide_fleet_ssl_cert.content }}"
|
||||
kolide_fleet_ssl_key_fact: "{{ _kolide_fleet_ssl_key.content }}"
|
||||
|
||||
- name: Distribute self signed ssl cert
|
||||
copy:
|
||||
dest: "{{ kolide_fleet_ssl_cert }}"
|
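Review bot: The new `Store ssl key` task slurps the Fleet TLS private key (`kolide_fleet_ssl_key`) and `Register a fact for the cert and key` copies it into `kolide_fleet_ssl_key_fact`, in a play that now targets the `osquery` group; osquery agents only need the server certificate (or CA) to verify the Fleet endpoint, so the private key has no reason to leave the fleet host, and as a plain fact it is exposed in task output, fact caches and to any host that later reads `hostvars`. Drop the key slurp and the `kolide_fleet_ssl_key_fact` line and keep only the certificate fact; `registerSSLcerts.yml`, added in this commit, already gathers the certificate and CA on the fleet hosts. As written the slurp will presumably also fail on any osquery host that is not itself a fleet host, since the key file only exists where Fleet was installed. The `Distribute self signed ssl cert` task continues past the end of the hunk.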
@ -24,9 +24,12 @@ hosts:
|
||||
logging01:
|
||||
|
||||
# This is the location where fleet(s) will live
|
||||
mariadb:
|
||||
hosts:
|
||||
logging01:
|
||||
fleet:
|
||||
hosts:
|
||||
logging01:
|
||||
osquery:
|
||||
hosts:
|
||||
all:
|
||||
logging01:
|
||||
|
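--- a/osquery/inventory.yaml
+++ b/osquery/inventory.yaml
@@ -0,0 +1,35 @@
+---
+
+################################## ALL HOSTS ##################################
+all:
+  hosts:
+    # Local host
+    localhost:
+      ansible_connection: local
+
+    ################################## REQUIRED ###################################
+    logging01:
+      ansible_host: 104.130.207.70
+      ansible_user: root
+
+  vars: {}
+
+
+################################### GROUPS ####################################
+
+# The hosts group is used to target physical host machines. Enter all physical
+# host machines here.
+hosts:
+  hosts:
+    logging01:
+
+# This is the location where fleet(s) will live
+mariadb:
+  hosts:
+    logging01:
+fleet:
+  hosts:
+    logging01:
+osquery:
+  hosts:
+    logging01: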
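Review bot: `inventory.yaml` is committed with a concrete public address (`ansible_host: 104.130.207.70`) and `ansible_user: root`, while `inventory.dev.yml` is added to `.gitignore` in the same commit; a real inventory in the repository leaks environment details and, if an `ansible.cfg` here points at it, is what anyone running the playbooks from this directory will connect to. Either keep the placeholder form used by `inventory.yaml.example` (e.g. `ansible_host: <logging01 address>`) or add `inventory.yaml` to `.gitignore` next to `inventory.dev.yml`. A comment explaining why automation logs in as `root` rather than a dedicated deploy user with `become` would also help.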
@ -22,7 +22,7 @@ an OpenStack all of the inventory needs will be provided for.
|
||||
Highlevel overview of Osquery & Kolide Fleet infrastructure these playbooks will
|
||||
build and operate against.
|
||||
|
||||
.. image:: assets/place-holder.svg
|
||||
.. image:: assets/overview-osquery.png
|
||||
:scale: 50 %
|
||||
:alt: Osquery & Kolide Fleet Architecture Diagram
|
||||
:align: center
|
||||
@ -70,15 +70,15 @@ Create the containers
|
||||
.. code-block:: bash
|
||||
|
||||
cd /opt/openstack-ansible/playbooks
|
||||
openstack-ansible lxc-containers-create.yml -e 'container_group=fleet'
|
||||
openstack-ansible lxc-containers-create.yml --limit fleet_all
|
||||
|
||||
|
||||
Update the `/etc/hosts` file
|
||||
Update the `/etc/hosts` file *(optional)*
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
cd /opt/openstack-ansible/playbooks
|
||||
openstack-ansible openstack-hosts-setup.yml -e 'container_group=fleet'
|
||||
openstack-ansible openstack-hosts-setup.yml
|
||||
|
||||
|
||||
|
||||
@ -136,13 +136,20 @@ environment variable `ANSIBLE_ACTION_PLUGINS` or through the use of an
|
||||
Deploying | The environment
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Create some basic passwords keys that are needed by fleet
|
||||
.. code-block:: bashG
|
||||
|
||||
echo "kolide_fleet_jwt_key: $(openssl rand -base64 32)" > /etc/openstack_deploy/fleet_user_vars.yml
|
||||
echo "mariadb_root_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/fleet_user_vars.yml
|
||||
|
||||
|
||||
Install master/data Fleet nodes on the elastic-logstash containers,
|
||||
deploy logstash, deploy Kibana, and then deploy all of the service beats.
|
||||
|
||||
.. code-block:: bashG
|
||||
|
||||
cd /opt/openstack-ansible-ops/osquery
|
||||
ansible-playbook site.yml $USER_VARS
|
||||
ansible-playbook site.yml -e@/etc/openstack_deploy/fleet_user_vars.yml
|
||||
|
||||
|
||||
* The `openstack-ansible` command can be used if the version of ansible on the
|
||||
@ -172,7 +179,7 @@ Architecture | Data flow
|
||||
|
||||
This diagram outlines the data flow from within an Elastic-Stack deployment.
|
||||
|
||||
.. image:: assets/place-holder.svg
|
||||
.. image:: assets/architecture-osquery.png
|
||||
:scale: 50 %
|
||||
:alt: Kolide & Osquery Data Flow Diagram
|
||||
:align: center
|
||||
@ -180,8 +187,9 @@ This diagram outlines the data flow from within an Elastic-Stack deployment.
|
||||
TODO
|
||||
----
|
||||
The following is a list of open items.
|
||||
- [ ] Test Redhat familly Operating Systems
|
||||
- [ ] missing mariadb cluster (should all work needs additional vars)
|
||||
- [x] Test Redhat familly Operating Systems
|
||||
- [x] missing mariadb cluster (should all work needs additional vars)
|
||||
- [ ] use haproxy instead of the kolide fleet server ip
|
||||
- [ ] add/update tags
|
||||
- [ ] convert to roles
|
||||
- [ ] add testing
|
||||
|
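--- a/osquery/registerSSLcerts.yml
+++ b/osquery/registerSSLcerts.yml
@@ -0,0 +1,73 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Install Kolide Fleet
+  hosts: "fleet"
+  become: true
+
+  vars_files:
+    - vars/variables.yml
+
+  environment: "{{ deployment_environment_variables | default({}) }}"
+
+  gather_facts: "{{ osa_gather_facts | default(True) }}"
+
+  pre_tasks:
+    - name: Store ssl cert
+      slurp:
+        src: "{{ kolide_fleet_ssl_cert }}"
+      register: _kolide_fleet_ssl_cert
+
+    - name: Store ssl ca cert
+      slurp:
+        src: "{{ kolide_fleet_ssl_ca_cert }}"
+      register: _kolide_fleet_ssl_ca_cert
+      when: kolide_fleet_user_ssl_ca_cert is defined
+
+    - name: Register a fact for the cert and key
+      set_fact:
+        kolide_fleet_ssl_cert_fact: "{{ _kolide_fleet_ssl_cert.content }}"
+
+    - name: Register a fact for the cert and key
+      set_fact:
+        kolide_fleet_ssl_ca_cert_fact: "{{ _kolide_fleet_ssl_ca_cert.content }}"
+      when: kolide_fleet_user_ssl_ca_cert is defined
+
+    - name: Distribute self signed ssl cert
+      copy:
+        dest: "{{ kolide_fleet_ssl_cert }}"
+        content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_cert_fact'] | b64decode }}"
+        mode: "0640"
+
+    - name: Distribute self signed CA ssl cert
+      copy:
+        dest: "{{ kolide_fleet_ca_ssl_cert }}"
+        content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_ca_cert_fact'] | b64decode }}"
+        mode: "0640"
+      when: kolide_fleet_user_ssl_ca_cert is defined
+
+    - name: retrieve Enrollment Token
+      command: /usr/local/bin/fleetctl get enroll-secret
+      register: _enrollment_token
+
+    - name: Set kolide fleet enrollment token fact
+      set_fact:
+        kolide_fleet_enroll_secret: "{{ _enrollment_token.stdout }}"
+
+    - name: write enroll secret
+      copy:
+        dest: "{{ osquery_enroll_secret_dir }}"
+        content: "{{ hostvars[groups['fleet'][0]]['kolide_fleet_enroll_secret'] }}"
+        mode: "0640"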
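Review bot: `Distribute self signed CA ssl cert` writes to `{{ kolide_fleet_ca_ssl_cert }}`, but the variable defined in the role defaults and read by the `Store ssl ca cert` slurp above is `kolide_fleet_ssl_ca_cert`; whenever `kolide_fleet_user_ssl_ca_cert` is set this task will fail on an undefined variable, so it should be `dest: "{{ kolide_fleet_ssl_ca_cert }}"`. The play is named `Install Kolide Fleet` although it only registers certificate facts and writes the enrol secret, and `write enroll secret` stores the output of `fleetctl get enroll-secret` (the shared secret any host can use to enrol) with `mode: "0640"` but no explicit `owner`/`group`, so who can read it depends on the remote user; pin it with `owner: root` and `group: root`. A one-line comment after the play name stating that the facts gathered here are consumed by the osquery play would make the file's purpose clear.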
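--- a/osquery/roles/fleet/defaults/main.yml
+++ b/osquery/roles/fleet/defaults/main.yml
@@ -0,0 +1,41 @@
+# Kolide Fleet vars
+kolide_fleet_db_name: fleet
+kolide_fleet_db_user: fleet
+
+#kolide_fleet_db_password: fleetSecrete
+
+kolide_fleet_port: "443"
+kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}"
+kolide_fleet_version: "2.0.0-rc5"
+kolide_fleet_url: "https://github.com/kolide/fleet/releases/download"
+
+kolide_fleet_admin_email: admin@openstack.org
+#kolide_fleet_admin_password: AdminSecrete
+
+kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert
+kolide_fleet_ssl_key: /etc/ssl/private/fleet.key
+kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem
+kolide_fleet_ssl_ca_cert: /etc/ssl/certs/fleet-ca.pem
+kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost"
+
+kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
+kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
+
+#kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}"
+
+
+# MariaDB/Gallera Variables
+mariadb_bind_address: "0.0.0.0"
+mariadb_root_remote: 1
+mariadb_root_user: root
+#mariadb_root_password: fleetSecrete
+mariadb_databases:
+  - name: "{{ kolide_fleet_db_name }}"
+
+mariadb_users:
+  - name: "{{ kolide_fleet_db_user }}"
+    password: "{{ kolide_fleet_db_password }}"
+    priv: " {{ kolide_fleet_db_name }}.*:ALL"
+    host: "%"
+
+galera_root_password: "{{ mariadb_root_password }}"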
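Review bot: The MariaDB defaults open the database wider than Fleet needs: `mariadb_bind_address: "0.0.0.0"` listens on every interface, `mariadb_root_remote: 1` lets the root account log in remotely, and the `mariadb_users` entry grants the `fleet` user from `host: "%"`; the Fleet server is the only client, so the grant host should be the fleet hosts' addresses and remote root should stay off (`mariadb_root_remote: 0`) unless the galera role genuinely needs it, which would deserve a comment. The `priv` value `" {{ kolide_fleet_db_name }}.*:ALL"` also has a leading space inside the quotes, which presumably ends up in the privilege string handed to whatever role consumes `mariadb_users`. A comment noting that `kolide_fleet_db_password`, `kolide_fleet_admin_password` and `mariadb_root_password` are intentionally unset and must be supplied from user variables would explain the commented-out lines.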
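--- a/osquery/roles/fleet/tasks/createFleetDB.yml
+++ b/osquery/roles/fleet/tasks/createFleetDB.yml
@@ -0,0 +1,43 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Create DB for service
+  mysql_db:
+    login_user: "{{ mariadb_root_user }}"
+    login_password: "{{ mariadb_root_password }}"
+    login_host: "{{ mariadb_login_host | default('localhost') }}"
+    name: "{{ kolide_fleet_db_name }}"
+    state: "present"
+  delegate_to: "{{ groups['mariadb'][0] }}"
+  no_log: False
+  tags:
+    - fleet_db_install
+
+- name: Grant access to the DB for the service
+  mysql_user:
+    login_user: "{{ mariadb_root_user }}"
+    login_password: "{{ mariadb_root_password }}"
+    login_host: "{{ mariadb_login_host | default('localhost') }}"
+    name: "{{ kolide_fleet_db_user }}"
+    password: "{{ kolide_fleet_db_password }}"
+    host: "{{ item }}"
+    state: "present"
+    priv: "{{ kolide_fleet_db_name }}.*:ALL"
+    append_privs: "{{ kolide_fleet_db_append_privs | default(omit) }}"
+  delegate_to: "{{ groups['mariadb'][0] }}"
+  with_items: "{{ grant_list | default(['localhost', '%']) }}"
+  no_log: False
+  tags:
+    - fleet_db_install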
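Review bot: Both tasks set `no_log: False` while carrying `login_password: "{{ mariadb_root_password }}"` and, in `Grant access to the DB for the service`, `password: "{{ kolide_fleet_db_password }}"`; that explicitly switches off the masking Ansible would otherwise apply, so the root and service passwords appear in `-v` output and in any callback or log aggregator. Change both to `no_log: True` (or drop the key so the modules' own masking applies). The default `grant_list` of `['localhost', '%']` also grants the fleet user from any host, whereas only the fleet hosts need access; a header comment saying these tasks are delegated to `groups['mariadb'][0]` and expect the root password from user variables would complete the file.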
@ -13,13 +13,6 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
#- name: Install prerequisites
|
||||
# apt: name= {{item}} update_cache=yes
|
||||
# with_items:
|
||||
# - apt-transport-https
|
||||
# - ca-certificates
|
||||
# - curl
|
||||
# - software-properties-common
|
||||
- name: Run the systemd service role
|
||||
include_role:
|
||||
name: redis
|
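--- a/osquery/roles/fleet/tasks/main.yml
+++ b/osquery/roles/fleet/tasks/main.yml
@@ -0,0 +1,33 @@
+---
+# install SSL certs
+- include_tasks: createFleetDB.yml
+
+# install SSL certs
+- include_tasks: fleetSSL.yml
+
+# install software requirements
+- include_tasks: fleetRequirements.yml
+
+# install kolide fleet server
+- include_tasks: fleetServerInstall.yml
+
+# drop the configuration
+- include_tasks: fleetConfig.yml
+
+# add files for systemd
+- include_tasks: fleetService.yml
+  when:
+    - ansible_service_mgr == "systemd"
+
+# migrate the database
+- include_tasks: fleetMigrateDB.yml
+  run_once: true
+
+# start fleet via systemd
+- include_tasks: fleetStartService.yml
+
+# configure kolide fleet & set admin account
+- include_tasks: fleetRegisterAdmin.yml
+
+# retrieve and set enrollment token
+- include_tasks: fleetGetEnrollmentToken.yml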
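Review bot: The comment above `- include_tasks: createFleetDB.yml` is a copy of the one below it (`# install SSL certs`), so the first step of the role is mislabelled; it should read `# create the fleet database and grant the service user (delegated to the first mariadb host)`. A one-line header after `---` stating the ordering dependency — the database and grant must exist before `fleetMigrateDB.yml` runs with `run_once: true` — would also help anyone reordering these includes.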
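--- a/osquery/roles/fleet/vars/main.yml
+++ b/osquery/roles/fleet/vars/main.yml
@@ -0,0 +1,38 @@
+# Kolide Fleet vars
+kolide_fleet_db_name: fleet
+kolide_fleet_db_user: fleet
+#kolide_fleet_db_password: fleetSecrete
+
+kolide_fleet_port: "443"
+kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}"
+kolide_fleet_version: "2.0.0-rc5"
+kolide_fleet_url: "https://github.com/kolide/fleet/releases/download"
+
+kolide_fleet_admin_email: admin@openstack.org
+#kolide_fleet_admin_password: AdminSecrete
+
+kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert
+kolide_fleet_ssl_key: /etc/ssl/private/fleet.key
+kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem
+kolide_fleet_ssl_ca_cert: /etc/ssl/certs/fleet-ca.pem
+kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost"
+
+kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
+kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
+
+#kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}"
+# MariaDB/Gallera Variables
+#mariadb_root_password: fleetSecrete
+mariadb_bind_address: "0.0.0.0"
+mariadb_root_remote: 1
+mariadb_root_user: root
+mariadb_databases:
+  - name: "{{ kolide_fleet_db_name }}"
+
+mariadb_users:
+  - name: "{{ kolide_fleet_db_user }}"
+    password: "{{ kolide_fleet_db_password }}"
+    priv: " {{ kolide_fleet_db_name }}.*:ALL"
+    host: "%"
+
+galera_root_password: "{{ mariadb_root_password }}"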
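Review bot: This file duplicates `defaults/main.yml` almost line for line, but role `vars/` has higher precedence than inventory, `group_vars` and the play's `vars_files`, so `kolide_fleet_port`, `kolide_fleet_ssl_protocol`, `kolide_fleet_ssl_cipher_suite`, `mariadb_bind_address`, `mariadb_root_remote` and the rest can no longer be overridden by a deployer except with `-e` on the command line. Keep these settings in `defaults/main.yml` only and reduce this file to values that must not be overridden, or delete it. The TLS policy strings in particular are exactly what an operator will want to tighten per site, and the `ssl_protocol`/`ssl_cipher_suite` fallbacks they reference suggest that was the intent.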
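--- a/osquery/site-fleet.yml
+++ b/osquery/site-fleet.yml
@@ -0,0 +1,15 @@
+---
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- import_playbook: installDB.yml
+- import_playbook: installKolideFleet.yml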
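--- a/osquery/site-osquery.yml
+++ b/osquery/site-osquery.yml
@@ -0,0 +1,15 @@
+---
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- import_playbook: registerSSLcerts.yml
+- import_playbook: installOSquery.yml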
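Review bot: `- import_playbook: installOSquery.yml` spells the file with a capital `OS`, while the `site.yml` hunk in this same commit removes an import of `installOsquery.yml`; unless the playbook was renamed in this commit, the import fails with a file-not-found error on a case-sensitive filesystem. Use the existing spelling, `- import_playbook: installOsquery.yml`. The header block also lacks the `# Copyright 2018, Rackspace US, Inc.` line that the sibling files carry.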
@ -13,6 +13,5 @@
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
- import_playbook: installMariaDB.yml
|
||||
- import_playbook: installKolideFleet.yml
|
||||
- import_playbook: installOsquery.yml
|
||||
- import_playbook: site-fleet.yml
|
||||
- import_playbook: site-osquery.yml
|
||||
|
@ -1,32 +1,17 @@
|
||||
mariadb_root_user: root
|
||||
|
||||
#
|
||||
kolide_fleet_enable: true
|
||||
kolide_fleet_cluster: false
|
||||
|
||||
# Kolide Fleet vars
|
||||
kolide_fleet_db_name: fleet
|
||||
kolide_fleet_db_user: fleet
|
||||
kolide_fleet_db_password: fleetSecrete
|
||||
|
||||
kolide_fleet_port: "443"
|
||||
kolide_fleet_address: "0.0.0.0:{{ kolide_fleet_port }}"
|
||||
kolide_fleet_version: "2.0.0-rc3"
|
||||
kolide_fleet_url: "https://github.com/kolide/fleet/releases/download"
|
||||
|
||||
kolide_fleet_admin_email: admin@openstack.org
|
||||
#kolide_fleet_admin_password: AdminSecrete
|
||||
|
||||
kolide_fleet_ssl_cert: /etc/ssl/certs/fleet.cert
|
||||
kolide_fleet_ssl_key: /etc/ssl/private/fleet.key
|
||||
kolide_fleet_ssl_pem: /etc/ssl/private/fleet.pem
|
||||
kolide_fleet_ssl_ca_cert: /etc/ssl/certs/fleet-ca.pem
|
||||
kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}/subjectAltName=IP.2={{ ansible_host }}}/subjectAltName=IP.3=localhost"
|
||||
|
||||
kolide_fleet_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
|
||||
kolide_fleet_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
|
||||
|
||||
#kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}"
|
||||
kolide_fleet_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost"
|
||||
|
||||
# Osquery vars
|
||||
osquery_enroll_secret_dir: /etc/osquery/osquery_enroll_secret
|
||||
osquery_debug_packages_install: false
|
||||
|
||||
osquery_debug_packages_install: false
|
||||
|
||||
@ -53,16 +38,3 @@ osquery_flags:
|
||||
- "--logger_tls_endpoint=/api/v1/osquery/log"
|
||||
- "--logger_tls_period=10"
|
||||
- "--enroll_secret_path={{ osquery_enroll_secret_dir }}"
|
||||
|
||||
# MariaDB/Gallera Variables
|
||||
#mariadb_root_password: fleetSecrete
|
||||
mariadb_bind_address: "0.0.0.0"
|
||||
mariadb_root_remote: 1
|
||||
mariadb_databases:
|
||||
- name: "{{ kolide_fleet_db_name }}"
|
||||
|
||||
mariadb_users:
|
||||
- name: "{{ kolide_fleet_db_user }}"
|
||||
password: "{{ kolide_fleet_db_password }}"
|
||||
priv: " {{ kolide_fleet_db_name }}.*:ALL"
|
||||
host: "%"
|
||||
|
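Review bot: The new `kolide_fleet_ssl_self_signed_subject` names only `{{ ansible_host }}` (CN and IP.1) plus localhost, dropping the `external_lb_vip_address` entries of the line it replaces, yet this same commit fronts Fleet with haproxy on 6443 in TCP passthrough mode; agents pointed at the load-balancer address will presumably fail certificate verification because the VIP is no longer in the certificate. Keep the VIP when it is known, e.g. `CN={{ external_lb_vip_address | default(ansible_host) }}/subjectAltName=IP.1={{ external_lb_vip_address | default(ansible_host) }}/subjectAltName=IP.2={{ ansible_host }}/subjectAltName=IP.3=localhost`. Note also that `subjectAltName=` inside an `openssl -subj` string is a DN component rather than a SAN extension, so whether these entries reach the certificate depends on how the role's `fleetSSL.yml` generates it — worth a comment on the variable. The same variable is redefined in the role's `vars/main.yml`, which takes precedence over this file.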