Fixes to enroll nodes, freebsd and lots of docker nodes

Author: javuto

cmd/tls/scripts/quick-add.ps1

@@ -17,8 +17,10 @@ $projectName = "{{ .Project }}"
 $projectSecret = "{{ .Environment.Secret }}"
 $progFiles = [System.Environment]::GetEnvironmentVariable('ProgramFiles')
 $osqueryPath = (Join-Path $progFiles "osquery")
-$osqueryDaemonPath = (Join-Path $osqueryPath "osqueryd")
-$osqueryDaemon = (Join-Path $osqueryDaemonPath "osqueryd.exe")
+$daemonFolder = (Join-Path $osqueryPath "osqueryd")
+$extensionsFolder = (Join-Path $osqueryPath "extensions")
+$logFolder = (Join-Path $osqueryPath "log")
+$osqueryDaemon = (Join-Path $daemonFolder "osqueryd.exe")
 $secretFile = (Join-Path $osqueryPath "osquery.secret")
 $flagsFile = (Join-Path $osqueryPath "osquery.flags")
 $certFile = (Join-Path $osqueryPath "{{ .Project }}.crt")
@@ -66,8 +68,43 @@ function Test-IsAdmin {
   )
 }
 
-# A helper function to set "safe" permissions for osquery binaries
 # From https://github.com/facebook/osquery/blob/master/tools/provision/chocolatey/osquery_utils.ps1
+# Helper function to add an explicit Deny-Write ACE for the Everyone group
+function Set-DenyWriteAcl {
+  [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = "Medium")]
+  [OutputType('System.Boolean')]
+  param(
+    [string] $targetDir = '',
+    [string] $action = ''
+  )
+  if (($action -ine 'Add') -and ($action -ine 'Remove')) {
+    Write-Debug '[-] Invalid action in Set-DenyWriteAcl.'
+    return $false
+  }
+  if ($PSCmdlet.ShouldProcess($targetDir)) {
+    $acl = Get-Acl $targetDir
+    $inheritanceFlag = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
+    $propagationFlag = [System.Security.AccessControl.PropagationFlags]::None
+    $permType = [System.Security.AccessControl.AccessControlType]::Deny
+
+    $worldSIDObj = New-Object System.Security.Principal.SecurityIdentifier ('S-1-1-0')
+    $worldUser = $worldSIDObj.Translate([System.Security.Principal.NTAccount])
+    $permission = $worldUser.Value, "write", $inheritanceFlag, $propagationFlag, $permType
+    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission
+    # We only support adding or removing the ACL
+    if ($action -ieq 'add') {
+      $acl.SetAccessRule($accessRule)
+    } else {
+      $acl.RemoveAccessRule($accessRule)
+    }
+    Set-Acl $targetDir $acl
+    return $true
+  }
+  return $false
+}
+
+# From https://github.com/facebook/osquery/blob/master/tools/provision/chocolatey/osquery_utils.ps1
+# A helper function to set "safe" permissions for osquery binaries
 function Set-SafePermissions {
   [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = "Medium")]
   [OutputType('System.Boolean')]
@@ -80,7 +117,13 @@ function Set-SafePermissions {
     # First, to ensure success, we remove the entirety of the ACL
     $acl.SetAccessRuleProtection($true, $false)
     foreach ($access in $acl.Access) {
-      $acl.RemoveAccessRule($access)
+      Try {
+        $acl.RemoveAccessRule($access)
+      } Catch [System.Management.Automation.MethodInvocationException] {
+        if ($_.FullyQualifiedErrorId -ne 'IdentityNotMappedException') {
+          Throw "Error trying to remove access ($access)"
+        }
+      }
     }
     Set-Acl $target $acl
 
@@ -169,9 +212,19 @@ function QuickAdd-Node {
     Write-Host "[+] osquery is installed"
   }
 
+  # Lastly, ensure that the Deny Write ACLs have been removed before modifying
+  Write-Host "[+] Setting Deny Write ACLs"
+  if (Test-Path $daemonFolder) {
+    Set-DenyWriteAcl $daemonFolder 'Remove'
+  }
+  if (Test-Path $extensionsFolder) {
+    Set-DenyWriteAcl $extensionsFolder 'Remove'
+  }
+  Set-DenyWriteAcl $osqueryDaemon 'Remove'
+
   # Making sure non-privileged write access is not allowed
-  Write-Host "[+] Setting osquery safe permissions"
-  Set-SafePermissions $osqueryDaemonPath
+  Write-Host "[+] Setting $daemonFolder safe permissions"
+  Set-SafePermissions $daemonFolder
 
   # Stop osquery service
   $osquerydService = Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'"
@@ -204,13 +257,29 @@ function QuickAdd-Node {
   }
   $osqueryCertificate | Out-File -FilePath $certFile -Encoding ASCII
 
-  # Start osquery
+  # Start osqueryd service
   if ($osquerydService) {
-    New-Service -BinaryPathName "$osqueryDaemon --flagfile=$flagsFile" `
-                -Name $serviceName `
-                -DisplayName $serviceName `
-                -Description $serviceDescription `
-                -StartupType Automatic
+    if (-not (Get-Service $serviceName -ErrorAction SilentlyContinue)) {
+      Write-Debug 'Installing osquery daemon service.'
+      # If the 'install' parameter is passed, we create a Windows service with
+      # the flag file in the default location in \Program Files\osquery\
+      # the flag file in the default location in Program Files
+      $cmd = '"{0}" --flagfile="C:\Program Files\osquery\osquery.flags"' -f $osqueryDaemon
+
+      $svcArgs = @{
+        Name = $serviceName
+        BinaryPathName = $cmd
+        DisplayName = $serviceName
+        Description = $serviceDescription
+        StartupType = "Automatic"
+      }
+      New-Service @svcArgs
+
+      # If the osquery.flags file doesn't exist, we create a blank one.
+      if (-not (Test-Path "$targetFolder\osquery.flags")) {
+        Add-Content "$targetFolder\osquery.flags" $null
+      }
+    }
     Start-Service $serviceName
     Write-Host "[+] '$serviceName' system service is started." -foregroundcolor Cyan
   } else {

cmd/tls/scripts/quick-add.sh

@@ -6,19 +6,28 @@
 
 _PROJECT="{{ .Project }}"
 _SECRET="{{ .Environment.Secret }}"
+
 _SECRET_LINUX=/etc/osquery/osquery.secret
 _FLAGS_LINUX=/etc/osquery/osquery.flags
 _CERT_LINUX=/etc/osquery/certs/${_PROJECT}.crt
+
 _SECRET_OSX=/private/var/osquery/osquery.secret
 _FLAGS_OSX=/private/var/osquery/osquery.flags
 _CERT_OSX=/private/var/osquery/certs/${_PROJECT}.crt
 _PLIST_OSX=/Library/LaunchDaemons/com.facebook.osqueryd.plist
 _OSQUERY_PLIST=/private/var/osquery/com.facebook.osqueryd.plist
+
+_SECRET_FREEBSD=/usr/local/etc/osquery.secret
+_FLAGS_FREEBSD=/usr/local/etc/osquery.flags
+_CERT_FREEBSD=/usr/local/etc/certs/${_PROJECT}.crt
+
 _OSQUERY_PKG="https://osquery-packages.s3.amazonaws.com/darwin/osquery-3.3.2.pkg"
 _OSQUERY_DEB="https://osquery-packages.s3.amazonaws.com/deb/osquery_3.3.2_1.linux.amd64.deb"
 _OSQUERY_RPM="https://osquery-packages.s3.amazonaws.com/rpm/osquery-3.3.2-1.linux.x86_64.rpm"
+
 _OSQUERY_SERVICE_LINUX="osqueryd"
 _OSQUERY_SERVICE_OSX="com.facebook.osqueryd"
+_OSQUERY_SERVICE_FREEBSD="osqueryd"
 
 _SECRET_FILE=""
 _FLAGS=""
@@ -37,6 +46,7 @@ log() {
 installOsquery() {
   log "Installing osquery for $OS"
   if [ "$OS" = "linux" ]; then
+    log "Installing osquery in Linux"
     distro=$(/usr/bin/rpm -q -f /usr/bin/rpm >/dev/null 2>&1)
     if [ "$?" = "0" ]; then
       log "RPM based system detected"
@@ -51,10 +61,15 @@ installOsquery() {
     fi
   fi
   if [ "$OS" = "darwin" ]; then
+    log "Installing osquery in OSX"
     _PKG="$(echo $_OSQUERY_PKG | cut -d"/" -f5)"
     sudo curl -# "$_OSQUERY_PKG" -o "/tmp/$_PKG"
     sudo installer -pkg "/tmp/$_PKG" -target /
   fi
+  if [ "$OS" = "freebsd" ]; then
+    log "Installing osquery in FreeBSD"
+    sudo ASSUME_ALWAYS_YES=YES pkg install osquery
+  fi
 }
 
 verifyOsquery() {
@@ -88,6 +103,12 @@ whatOS() {
     _CERT="$_CERT_OSX"
     _SERVICE="$_OSQUERY_SERVICE_OSX"
   fi
+  if [ "$OS" = "freebsd" ]; then
+    _SECRET_FILE="$_SECRET_FREEBSD"
+    _FLAGS="$_FLAGS_FREEBSD"
+    _CERT="$_CERT_FREEBSD"
+    _SERVICE="$_OSQUERY_SERVICE_FREEBSD"
+  fi
   log "_SECRET_FILE=$_SECRET_FILE"
   log "_FLAGS=$_FLAGS"
   log "_CERT=$_CERT"
@@ -109,6 +130,12 @@ stopOsquery() {
       sudo launchctl unload "$_PLIST_OSX"
     fi
   fi
+  if [ "$OS" = "freebsd" ]; then
+    log "Stopping $_OSQUERY_SERVICE_FREEBSD"
+    if [ "$(service osqueryd onestatus)" = "osqueryd is running." ]; then
+      sudo service "$_OSQUERY_SERVICE_FREEBSD" onestop
+    fi
+  fi
 }
 
 prepareSecret() {
@@ -173,6 +200,11 @@ startOsquery() {
     sudo cp "$_OSQUERY_PLIST" "$_PLIST_OSX"
     sudo launchctl load "$_PLIST_OSX"
   fi
+  if [ "$OS" = "freebsd" ]; then
+    log "Starting $_OSQUERY_SERVICE_FREEBSD"
+    echo 'osqueryd_enable="YES"' | sudo tee -a /etc/rc.conf
+    sudo service "$_OSQUERY_SERVICE_FREEBSD" start
+  fi
 }
 
 bye() {

cmd/tls/scripts/quick-remove.sh

@@ -6,14 +6,21 @@
 
 _PROJECT="{{ .Project }}"
 _SECRET_LINUX=/etc/osquery/osquery.secret
-_SECRET_OSX=/private/var/osquery/osquery.secret
 _FLAGS_LINUX=/etc/osquery/osquery.flags
 _CERT_LINUX=/etc/osquery/certs/${_PROJECT}.crt
+
+_SECRET_OSX=/private/var/osquery/osquery.secret
 _FLAGS_OSX=/private/var/osquery/osquery.flags
 _CERT_OSX=/private/var/osquery/certs/${_PROJECT}.crt
 _PLIST_OSX=/Library/LaunchDaemons/com.facebook.osqueryd.plist
+
+_SECRET_FREEBSD=
+_FLAGS_FREEBSD=
+_CERT_FREEBSD=
+
 _OSQUERY_SERVICE_LINUX="osqueryd"
 _OSQUERY_SERVICE_OSX="com.facebook.osqueryd"
+_OSQUERY_SERVICE_FREEBSD="osqueryd"
 
 _SECRET_FILE=""
 _FLAGS=""
@@ -69,6 +76,13 @@ stopOsquery() {
       sudo rm -f "$_PLIST_OSX"
     fi
   fi
+  if [ "$OS" = "freebsd" ]; then
+    log "Stopping $_OSQUERY_SERVICE_FREEBSD"
+    if [ "$(service osqueryd onestatus)" = "osqueryd is running." ]; then
+      sudo service "$_OSQUERY_SERVICE_FREEBSD" onestop
+    fi
+    cat /etc/rc.conf | grep "osqueryd_enable" | sed 's/YES/NO/g' | sudo tee /etc/rc.conf
+  fi
 }
 
 removeSecret() {

deploy/osquery/osquery-dev.json

@@ -1,11 +1,11 @@
 {
   "options": {
-    "schedule_splay_percent" : 0
+    "schedule_splay_percent": 0
   },
   "schedule": {
-    "osquery_info" : {
-      "query" : "SELECT * FROM uptime;",
-      "interval" : 30
+    "osquery_info": {
+      "query": "SELECT * FROM uptime;",
+      "interval": 60
     }
   },
   "decorators": {
@@ -16,4 +16,4 @@
       "SELECT version AS osquery_version, config_hash FROM osquery_info WHERE config_valid = 1;"
     ]
   }
-}
+}

deploy/provision.sh

@@ -543,7 +543,7 @@ DEST="$DEST_PATH" make install_cli
 if [[ "$MODE" == "dev" ]]; then
   log "Creating environment for dev"
   __db_conf="$DEST_PATH/config/$DB_CONF"
-  __osquery_dev="$SOURCE_PATH/deploy/osquery/osquery-dev.conf"
+  __osquery_dev="$SOURCE_PATH/deploy/osquery/osquery-dev.json"
   __osctrl_crt="/etc/nginx/certs/osctrl.crt"
   "$DEST_PATH"/osctrl-cli -D "$__db_conf" environment add -n "dev" -host "$_T_HOST" -conf "$__osquery_dev" -crt "$__osctrl_crt"
 

docker/admin/wait.sh

@@ -10,7 +10,7 @@ CONFIG="config"
 CERTS="certs"
 DB_JSON="$CONFIG/db.json"
 CRT_FILE="$CERTS/osctrl.crt"
-OSQUERY_JSON="$CONFIG/osquery-dev.json"
+OSQUERY_JSON="$CONFIG/osquery/osquery-dev.json"
 
 # Check if database is ready, otherwise commands will fail
 until $(./bin/osctrl-cli -D "$DB_JSON" check); do
@@ -31,7 +31,9 @@ fi
 # Generate flag and secret file for enrolling nodes
 FLAGS_FILE="$CONFIG/docker.flags"
 SECRET_FILE="$CONFIG/docker.secret"
-./bin/osctrl-cli -D "$DB_JSON" environment flags -n dev -crt "$CRT_FILE" -secret "$SECRET_FILE" > "$FLAGS_FILE"
+# Generating flags and rewriting UUID as identifier for ephemeral, otherwise all the containers
+# will have the same UUID and it will mess things up
+./bin/osctrl-cli -D "$DB_JSON" environment flags -n dev -crt "$CRT_FILE" -secret "$SECRET_FILE" | sed 's/=uuid/=ephemeral/g' > "$FLAGS_FILE"
 ./bin/osctrl-cli -D "$DB_JSON" environment secret -n dev > "$SECRET_FILE"
 
 # Create admin user