multiple updates to osquery
* move playbooks to roles * update documentation * update haproxy - set 6443 as default port for kolide fleet * add galera support Change-Id: I2fdefcb6bec98486c16b54cf33e2b7940b88d50b
41 changed files with 503 additions and 96 deletions
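--- a/osquery/.gitignore
+++ b/osquery/.gitignore
@@ -0,0 +1,3 @@
+inventory.dev.yml
+*.retry
+telemetry.yaml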
@@ -9,7 +9,7 @@
version:master
- name:osquery
scm:git
src:https://github.com/juju4/ansible-osquery
src:https://github.com/kloud-pro/ansible-osquery
version:master
- name:redis
scm:git
@@ -27,3 +27,11 @@
scm:git
src:https://git.openstack.org/openstack/openstack-ansible-galera_server
version:master
- name:apt_package_pinning
scm:git
src:https://git.openstack.org/openstack/openstack-ansible-apt_package_pinning
version:master
- name:plugins
scm:git
src:https://git.openstack.org/openstack/openstack-ansible-plugins
version:master
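Review bot: Every git-sourced role in this hunk, and the osquery role in the hunk above whose src moves from the juju4 repository to the kloud-pro fork, is pinned to `version: master`, so a run on a later date pulls whatever those branches contain at that moment and an upstream change lands silently. The bootstrap script added in the same commit pins its clones to explicit commit hashes with a dated comment; the same treatment here, `version: <commit-sha>` with a `# HEAD of master from <date>` note, would make deployments reproducible and make a role update a reviewable diff. The file header for this section is not shown on the page.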
BIN
osquery/assets/architecture-osquery.png
Normal file
BIN
osquery/assets/architecture-osquery.png
Normal file
Binary file not shown.
After
Width: | Height: | Size: 166 KiB
BIN
osquery/assets/overview-osquery.png
Normal file
BIN
osquery/assets/overview-osquery.png
Normal file
Binary file not shown.
After
Width: | Height: | Size: 121 KiB
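--- a/osquery/bootstrap-embedded-ansible.sh
+++ b/osquery/bootstrap-embedded-ansible.sh
@@ -0,0 +1,129 @@
+#!/usr/bin/env bash
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+export OPTS=()
+export ANSIBLE_EMBED_HOME="${HOME}/ansible25"
+OPTS+=('ANSIBLE_EMBED_HOME')
+source /etc/os-release
+if [[ ! -e "${ANSIBLE_EMBED_HOME}/bin/ansible" ]]; then
+if [ ${VERSION_ID} = "14.04" ]; then
+apt-get update
+apt-get -y install python-virtualenv
+echo "done installing python-virtualenv"
+else
+apt-get update
+apt-get -y install python3-virtualenv python-virtualenv
+echo "done installing python-virtualenv python3-virtualenv"
+fi
+if [[ -e "${HOME}/.pip" ]]; then
+echo "..................moving .pip out of place to boostrap"
+mv ${HOME}/.pip ${HOME}/.off-pip
+fi
+if [[ -f "/usr/bin/python2" ]]; then
+virtualenv --python="/usr/bin/python2" "${ANSIBLE_EMBED_HOME}"
+elif [[ -f "/usr/bin/python3" ]]; then
+virtualenv --python="/usr/bin/python3" "${ANSIBLE_EMBED_HOME}"
+else
+virtualenv "${ANSIBLE_EMBED_HOME}"
+fi
+eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade --force pip"
+eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade ansible==2.5.5.0 --isolated"
+eval "${ANSIBLE_EMBED_HOME}/bin/pip install --upgrade jmespath --isolated"
+echo "Ansible can be found here: ${ANSIBLE_EMBED_HOME}/bin"
+if [[ -e "${HOME}/.off-pip" ]]; then
+mv ${HOME}/off-pip ${HOME}/.pip
+echo "..................moving .pip back in to place"
+fi
+fi
+if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template" ]]; then
+mkdir -p "${ANSIBLE_EMBED_HOME}/repositories"
+git clone https://git.openstack.org/openstack/ansible-config_template "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template"
+pushd "${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template"
+git checkout a5c9d97e18683f0fdf9769d94ba174c72e2d093c # HEAD of master from 20-06-18
+popd
+fi
+if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/openstack_ansible_plugins" ]]; then
+mkdir -p "${ANSIBLE_EMBED_HOME}/repositories"
+git clone https://git.openstack.org/openstack/openstack-ansible-plugins "${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins"
+pushd "${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins"
+git checkout cef7946b3b3b3e4d02406c228741985a94b72cff # HEAD of master from 20-06-18
+popd
+fi
+if [[ ! -d "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service" ]]; then
+mkdir -p "${ANSIBLE_EMBED_HOME}/repositories"
+git clone https://git.openstack.org/openstack/ansible-role-systemd_service "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service"
+pushd "${ANSIBLE_EMBED_HOME}/repositories/roles/systemd_service"
+git checkout 02f5ff1c0e073af53bed2141a045e608162970ea # HEAD of master from 20-06-18
+popd
+fi
+if [[ -f "/etc/openstack_deploy/openstack_inventory.json" ]]; then
+if [[ ! -f "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh" ]]; then
+mkdir -p "${ANSIBLE_EMBED_HOME}/inventory"
+cat > "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh" <<EOF
+#!/usr/bin/env bash
+cat /etc/openstack_deploy/openstack_inventory.json
+EOF
+chmod +x "${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh"
+fi
+export USER_VARS="$(for i in $(ls -1 /etc/openstack_deploy/user_*secret*.yml); do echo -n "-e@$i"; done)"
+OPTS+=('USER_VARS')
+echo "env USER_VARS set"
+echo "Extra users variables can be expanded by including the option \$USER_VARS on a playbook run."
+export ANSIBLE_INVENTORY="${ANSIBLE_EMBED_HOME}/inventory/openstack_inventory.sh"
+OPTS+=('ANSIBLE_INVENTORY')
+echo "env ANSIBLE_INVENTORY set"
+fi
+export ANSIBLE_HOST_KEY_CHECKING="False"
+OPTS+=('ANSIBLE_HOST_KEY_CHECKING')
+echo "env ANSIBLE_HOST_KEY_CHECKING set"
+export ANSIBLE_ROLES_PATH="${ANSIBLE_EMBED_HOME}/repositories/roles"
+OPTS+=('ANSIBLE_ROLES_PATH')
+echo "env ANSIBLE_ROLES_PATH set"
+export ANSIBLE_ACTION_PLUGINS="${ANSIBLE_EMBED_HOME}/repositories/ansible-config_template/action"
+OPTS+=('ANSIBLE_ACTION_PLUGINS')
+echo "env ANSIBLE_ACTION_PLUGINS set"
+export ANSIBLE_CONNECTION_PLUGINS="${ANSIBLE_EMBED_HOME}/repositories/openstack-ansible-plugins/connection/"
+OPTS+=('ANSIBLE_CONNECTION_PLUGINS')
+echo "env ANSIBLE_CONNECTION_PLUGINS set"
+source ${ANSIBLE_EMBED_HOME}/bin/activate
+echo "Embedded Ansible has been activated. Run 'deactivate' to leave the embedded environment".
+function deactivate_embedded_venv {
+deactivate
+for i in ${OPTS[@]}; do
+unset ${i}
+done
+unset deactivate_embedded_venv
+unalias deactivate
+}
+alias deactivate=deactivate_embedded_venv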
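Review bot: The restore branch never puts the pip config back: the guard tests `${HOME}/.off-pip`, but the mv on the next line references `${HOME}/off-pip` without the dot, so it fails and the user's `.pip` stays parked after the first bootstrap; it should read `mv "${HOME}/.off-pip" "${HOME}/.pip"`. USER_VARS is assembled with `echo -n "-e@$i"` inside a loop over `ls` output, so with two or more user_*secret*.yml files the options are glued into one word; a glob with a trailing separator, `export USER_VARS="$(for i in /etc/openstack_deploy/user_*secret*.yml; do printf -- '-e@%s ' "$i"; done)"`, keeps them distinct and drops the ls parsing. `ANSIBLE_HOST_KEY_CHECKING="False"` is exported unconditionally, which turns off SSH host-key verification for every playbook run from this shell, not just the OSA inventory case; a comment stating why that is acceptable here, or making it opt-in, would help the next reader. The script also runs without `set -e`, so a failed `apt-get` or `pip install` falls through to the `source .../activate` line and reports success.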
@@ -1,6 +1,14 @@
fleet_hosts:
logging1:
ip:172.22.8.27
ip:10.0.236.110
logging2:
ip:10.0.236.111
logging3:
ip:10.0.236.112
mariadb_hosts:
logging1:
ip:172.22.8.27
ip:10.0.236.110
logging2:
ip:10.0.236.111
logging3:
ip:10.0.236.112
@@ -3,7 +3,7 @@ haproxy_extra_services:
haproxy_service_name: kolide-fleet
haproxy_ssl: False
haproxy_backend_nodes: "{{ groups['fleet'] | default([]) }}" # Fleet nodes
haproxy_port: 8443 # This is set using the "kolide_fleet_port" variable
haproxy_port: 6443 # This is set using the "kolide_fleet_port" variable
haproxy_check_port: 443 # This is set using the "kolide_fleet_port" variable
haproxy_backend_port: 443 # This is set using the "kolide_fleet_port" variable
haproxy_balance_type: tcp
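Review bot: The trailing comment on the changed line, `# This is set using the "kolide_fleet_port" variable`, no longer describes the value: 6443 is a literal frontend port, while the role's `kolide_fleet_port` (443 in the new defaults) is what the check and backend ports beneath it are meant to follow. Replacing it with `# haproxy frontend port; backend/check ports track kolide_fleet_port` on that line would stop a reader from assuming the variable controls the listener. The enclosing `haproxy_extra_services` entry starts outside the hunk.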
@@ -13,17 +13,21 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- name:Install MariaDB server
hosts:mariadb
- name:Install MariaDB Galera Cluster
hosts:"mariadb"
become:true
user:root
gather_facts:"{{ osa_gather_facts | default(True) }}"
vars_files:
- vars/variables.yml
environment:"{{ deployment_environment_variables | default({}) }}"
gather_facts:"{{ osa_gather_facts | default(True) }}"
serial:1
user:root
roles:
- role:"mariadb"
- role:galera_server
galera_root_user:"{{ mariadb_root_user }}"
galera_root_password:"{{ mariadb_root_password }}"
galera_cluster_members:"{{ groups['mariadb'] }}"
galera_wsrep_node_name:"{{ inventory_hostname }}"
galera_cluster_name:telemetry_galera_cluster
environment:"{{ deployment_environment_variables | default({}) }}"
@@ -10,33 +10,5 @@
gather_facts:"{{ osa_gather_facts | default(True) }}"
tasks:
# install SSL certs
- include_tasks:fleetSSL.yml
# install software requirements
- include_tasks:fleetRequirements.yml
# install kolide fleet server
- include_tasks:fleetServerInstall.yml
# drop the configuration
- include_tasks:fleetConfig.yml
# add files for systemd
- include_tasks:fleetService.yml
when:
- ansible_service_mgr == "systemd"
# migrate the database
- include_tasks:fleetMigrateDB.yml
run_once:true
# start fleet via systemd
- include_tasks:fleetStartService.yml
# configure kolide fleet & set admin account
- include_tasks:fleetRegisterAdmin.yml
# retrieve and set enrollment token
- include_tasks:fleetGetEnrollmentToken.yml
roles:
- role:fleet
@@ -14,7 +14,7 @@
# limitations under the License.
- name:Install osquery
hosts:hosts
hosts:"osquery"
become:true
vars_files:
- vars/variables.yml
@@ -34,6 +34,21 @@
var:hostvars[groups['fleet'][0]]['ansible_host']
verbosity:2
- name:Store ssl cert
slurp:
src:"{{ kolide_fleet_ssl_cert }}"
register:_kolide_fleet_ssl_cert
- name:Store ssl key
slurp:
src:"{{ kolide_fleet_ssl_key }}"
register:_kolide_fleet_ssl_key
- name:Register a fact for the cert and key
set_fact:
kolide_fleet_ssl_cert_fact:"{{ _kolide_fleet_ssl_cert.content }}"
kolide_fleet_ssl_key_fact:"{{ _kolide_fleet_ssl_key.content }}"
- name:Distribute self signed ssl cert
copy:
dest:"{{ kolide_fleet_ssl_cert }}"
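Review bot: The new `Store ssl key` task slurps the fleet TLS private key (`kolide_fleet_ssl_key`) and the following `set_fact` copies its contents into `kolide_fleet_ssl_key_fact`, with no `no_log` on either task, so the key material is written to verbose output, callback plugins and any fact cache for every host in the play. Endpoints that only verify the server need the certificate and CA, not the key; the new registerSSLcerts.yml in this commit slurps just the cert and CA, which is the safer pattern to follow here. If the key really has to travel this way, add `no_log: true` to both tasks; otherwise drop the key slurp and the `kolide_fleet_ssl_key_fact` entry. The play containing these tasks starts outside the hunk, so which hosts execute the slurp cannot be confirmed from this page.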
@@ -24,9 +24,12 @@ hosts:
logging01:
# This is the location where fleet(s) will live
mariadb:
hosts:
logging01:
fleet:
hosts:
logging01:
osquery:
hosts:
all:
logging01:
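--- a/osquery/inventory.yaml
+++ b/osquery/inventory.yaml
@@ -0,0 +1,35 @@
+---
+################################## ALL HOSTS ##################################
+all:
+hosts:
+# Local host
+localhost:
+ansible_connection:local
+################################## REQUIRED ###################################
+logging01:
+ansible_host:104.130.207.70
+ansible_user:root
+vars:{}
+################################### GROUPS ####################################
+# The hosts group is used to target physical host machines. Enter all physical
+# host machines here.
+hosts:
+hosts:
+logging01:
+# This is the location where fleet(s) will live
+mariadb:
+hosts:
+logging01:
+fleet:
+hosts:
+logging01:
+osquery:
+hosts:
+logging01: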
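Review bot: The committed inventory.yaml carries a concrete public address, `ansible_host:104.130.207.70`, together with `ansible_user:root`, while the .gitignore added in this same commit excludes inventory.dev.yml, which suggests environment-specific inventories were meant to stay out of the tree. Replacing the address with an obvious placeholder such as `ansible_host: <logging01-ip>` and a comment pointing at inventory.dev.yml keeps a real endpoint out of version control and avoids an accidental run against someone else's host. The same logging01 entry is repeated in the hunk above this file, which looks like the pre-existing inventory being updated in parallel.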
@@ -22,7 +22,7 @@ an OpenStack all of the inventory needs will be provided for.
Highlevel overview of Osquery & Kolide Fleet infrastructure these playbooks will
build and operate against.
.. image:: assets/place-holder.svg
.. image:: assets/overview-osquery.png
:scale: 50 %
:alt: Osquery & Kolide Fleet Architecture Diagram
:align: center
@@ -70,15 +70,15 @@ Create the containers
.. code-block:: bash
cd /opt/openstack-ansible/playbooks
openstack-ansible lxc-containers-create.yml -e 'container_group=fleet'
openstack-ansible lxc-containers-create.yml --limit fleet_all
Update the `/etc/hosts` file
Update the `/etc/hosts` file *(optional)*
.. code-block:: bash
cd /opt/openstack-ansible/playbooks
openstack-ansible openstack-hosts-setup.yml -e 'container_group=fleet'
openstack-ansible openstack-hosts-setup.yml
@@ -136,13 +136,20 @@ environment variable `ANSIBLE_ACTION_PLUGINS` or through the use of an
Deploying | The environment
^^^^^^^^^^^^^^^^^^^^^^^^^^^
Create some basic passwords keys that are needed by fleet
.. code-block:: bashG
echo "kolide_fleet_jwt_key: $(openssl rand -base64 32)" > /etc/openstack_deploy/fleet_user_vars.yml
echo "mariadb_root_password: $(openssl rand -base64 16)" >> /etc/openstack_deploy/fleet_user_vars.yml
Install master/data Fleet nodes on the elastic-logstash containers,
deploy logstash, deploy Kibana, and then deploy all of the service beats.
.. code-block:: bashG
cd /opt/openstack-ansible-ops/osquery
ansible-playbook site.yml $USER_VARS
ansible-playbook site.yml -e@/etc/openstack_deploy/fleet_user_vars.yml
* The `openstack-ansible` command can be used if the version of ansible on the
@@ -172,7 +179,7 @@ Architecture | Data flow
This diagram outlines the data flow from within an Elastic-Stack deployment.
.. image:: assets/place-holder.svg
.. image:: assets/architecture-osquery.png
:scale: 50 %
:alt: Kolide & Osquery Data Flow Diagram
:align: center
@@ -180,8 +187,9 @@ This diagram outlines the data flow from within an Elastic-Stack deployment.
TODO
----
The following is a list of open items.
- [] Test Redhat familly Operating Systems
- [] missing mariadb cluster (should all work needs additional vars)
- [x] Test Redhat familly Operating Systems
- [x] missing mariadb cluster (should all work needs additional vars)
- [ ] use haproxy instead of the kolide fleet server ip
- [ ] add/update tags
- [ ] convert to roles
- [ ] add testing
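--- a/osquery/registerSSLcerts.yml
+++ b/osquery/registerSSLcerts.yml
@@ -0,0 +1,73 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+- name:Install Kolide Fleet
+hosts:"fleet"
+become:true
+vars_files:
+- vars/variables.yml
+environment:"{{ deployment_environment_variables | default({}) }}"
+gather_facts:"{{ osa_gather_facts | default(True) }}"
+pre_tasks:
+- name:Store ssl cert
+slurp:
+src:"{{ kolide_fleet_ssl_cert }}"
+register:_kolide_fleet_ssl_cert
+- name:Store ssl ca cert
+slurp:
+src:"{{ kolide_fleet_ssl_ca_cert }}"
+register:_kolide_fleet_ssl_ca_cert
+when:kolide_fleet_user_ssl_ca_cert is defined
+- name:Register a fact for the cert and key
+set_fact:
+kolide_fleet_ssl_cert_fact:"{{ _kolide_fleet_ssl_cert.content }}"
+- name:Register a fact for the cert and key
+set_fact:
+kolide_fleet_ssl_ca_cert_fact:"{{ _kolide_fleet_ssl_ca_cert.content }}"
+when:kolide_fleet_user_ssl_ca_cert is defined
+- name:Distribute self signed ssl cert
+copy:
+dest:"{{ kolide_fleet_ssl_cert }}"
+content:"{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_cert_fact'] | b64decode }}"
+mode:"0640"
+- name:Distribute self signed CA ssl cert
+copy:
+dest:"{{ kolide_fleet_ca_ssl_cert }}"
+content:"{{ hostvars[groups['fleet'][0]]['kolide_fleet_ssl_ca_cert_fact'] | b64decode }}"
+mode:"0640"
+when:kolide_fleet_user_ssl_ca_cert is defined
+- name:retrieve Enrollment Token
+command:/usr/local/bin/fleetctl get enroll-secret
+register:_enrollment_token
+- name:Set kolide fleet enrollment token fact
+set_fact:
+kolide_fleet_enroll_secret:"{{ _enrollment_token.stdout }}"
+- name:write enroll secret
+copy:
+dest:"{{ osquery_enroll_secret_dir }}"
+content:"{{ hostvars[groups['fleet'][0]]['kolide_fleet_enroll_secret'] }}"
+mode:"0640"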
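Review bot: The CA copy task writes to `{{ kolide_fleet_ca_ssl_cert }}`, but the variable defined in the new role defaults and read by the slurp a few lines above is `kolide_fleet_ssl_ca_cert`, so whenever `kolide_fleet_user_ssl_ca_cert` is defined the task fails on an undefined variable; the line should be `dest: "{{ kolide_fleet_ssl_ca_cert }}"`. The `retrieve Enrollment Token` command registers the enroll secret and the next `set_fact` stores it, neither with `no_log: true`, so the value that lets any host enrol with Fleet is printed on verbose runs and lands in any fact cache; both tasks should carry `no_log: true`, and the command `changed_when: false` since it only reads. The two `set_fact` tasks also share the name `Register a fact for the cert and key` although neither touches a key, which makes the play output hard to follow.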
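--- a/osquery/roles/fleet/defaults/main.yml
+++ b/osquery/roles/fleet/defaults/main.yml
@@ -0,0 +1,41 @@
+# Kolide Fleet vars
+kolide_fleet_db_name:fleet
+kolide_fleet_db_user:fleet
+#kolide_fleet_db_password: fleetSecrete
+kolide_fleet_port:"443"
+kolide_fleet_address:"0.0.0.0:{{ kolide_fleet_port }}"
+kolide_fleet_version:"2.0.0-rc5"
+kolide_fleet_url:"https://github.com/kolide/fleet/releases/download"
+kolide_fleet_admin_email:admin@openstack.org
+#kolide_fleet_admin_password: AdminSecrete
+kolide_fleet_ssl_cert:/etc/ssl/certs/fleet.cert
+kolide_fleet_ssl_key:/etc/ssl/private/fleet.key
+kolide_fleet_ssl_pem:/etc/ssl/private/fleet.pem
+kolide_fleet_ssl_ca_cert:/etc/ssl/certs/fleet-ca.pem
+kolide_fleet_ssl_self_signed_subject:"/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost"
+kolide_fleet_ssl_protocol:"{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
+kolide_fleet_ssl_cipher_suite:"{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
+#kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}"
+# MariaDB/Gallera Variables
+mariadb_bind_address:"0.0.0.0"
+mariadb_root_remote:1
+mariadb_root_user:root
+#mariadb_root_password: fleetSecrete
+mariadb_databases:
+- name:"{{ kolide_fleet_db_name }}"
+mariadb_users:
+- name:"{{ kolide_fleet_db_user }}"
+password:"{{ kolide_fleet_db_password }}"
+priv:" {{ kolide_fleet_db_name }}.*:ALL"
+host:"%"
+galera_root_password:"{{ mariadb_root_password }}"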
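Review bot: Everything in this defaults file is repeated verbatim in roles/fleet/vars/main.yml further down the page, and role `vars/` take precedence over inventory, group_vars and the play's `vars_files`, so the copy in vars/main.yml makes these defaults unreachable and values such as `kolide_fleet_port` or `mariadb_bind_address` can only be changed with `-e`; keeping a single copy under defaults is the usual layout. `mariadb_root_remote:1` next to `mariadb_bind_address:"0.0.0.0"` and a fleet user granted from host `%` exposes the database, apparently including remote root login, on every interface; if the Galera play needs that for cluster traffic, a comment saying so, and a narrower bind address where possible, belongs beside those lines. The `priv:" {{ kolide_fleet_db_name }}.*:ALL"` value starts with a space, carried over from the old variables.yml, and is worth trimming while the block is being moved.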
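--- a/osquery/roles/fleet/tasks/createFleetDB.yml
+++ b/osquery/roles/fleet/tasks/createFleetDB.yml
@@ -0,0 +1,43 @@
+---
+# Copyright 2018, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+- name:Create DB for service
+mysql_db:
+login_user:"{{ mariadb_root_user }}"
+login_password:"{{ mariadb_root_password }}"
+login_host:"{{ mariadb_login_host | default('localhost') }}"
+name:"{{ kolide_fleet_db_name }}"
+state:"present"
+delegate_to:"{{ groups['mariadb'][0] }}"
+no_log:False
+tags:
+- fleet_db_install
+- name:Grant access to the DB for the service
+mysql_user:
+login_user:"{{ mariadb_root_user }}"
+login_password:"{{ mariadb_root_password }}"
+login_host:"{{ mariadb_login_host | default('localhost') }}"
+name:"{{ kolide_fleet_db_user }}"
+password:"{{ kolide_fleet_db_password }}"
+host:"{{ item }}"
+state:"present"
+priv:"{{ kolide_fleet_db_name }}.*:ALL"
+append_privs:"{{ kolide_fleet_db_append_privs | default(omit) }}"
+delegate_to:"{{ groups['mariadb'][0] }}"
+with_items:"{{ grant_list | default(['localhost', '%']) }}"
+no_log:False
+tags:
+- fleet_db_install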
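Review bot: Both tasks set `no_log: False` explicitly on module calls that carry `login_password` and the fleet user's `password`; the module argument specs normally mask those two fields on their own, but an explicit False is what a reader takes as intent and it also disables masking for anything added later, so `no_log: true` is the safer setting for these two tasks unless there is a debugging reason worth a comment. The grant loop still uses `with_items:`; `loop:` is the current form for the pinned Ansible 2.5 and keeps the `grant_list` default readable. A one-line comment on the `delegate_to` saying that all writes go to the first Galera member would make the choice explicit.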
@@ -13,13 +13,6 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#- name: Install prerequisites
# apt: name= {{item}} update_cache=yes
# with_items:
# - apt-transport-https
# - ca-certificates
# - curl
# - software-properties-common
- name:Run the systemd service role
include_role:
name:redis
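--- a/osquery/roles/fleet/tasks/main.yml
+++ b/osquery/roles/fleet/tasks/main.yml
@@ -0,0 +1,33 @@
+---
+# install SSL certs
+- include_tasks:createFleetDB.yml
+# install SSL certs
+- include_tasks:fleetSSL.yml
+# install software requirements
+- include_tasks:fleetRequirements.yml
+# install kolide fleet server
+- include_tasks:fleetServerInstall.yml
+# drop the configuration
+- include_tasks:fleetConfig.yml
+# add files for systemd
+- include_tasks:fleetService.yml
+when:
+- ansible_service_mgr == "systemd"
+# migrate the database
+- include_tasks:fleetMigrateDB.yml
+run_once:true
+# start fleet via systemd
+- include_tasks:fleetStartService.yml
+# configure kolide fleet & set admin account
+- include_tasks:fleetRegisterAdmin.yml
+# retrieve and set enrollment token
+- include_tasks:fleetGetEnrollmentToken.yml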
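Review bot: The comment above the first include, `# install SSL certs`, is a copy of the one on the next include and does not describe createFleetDB.yml; `# create the fleet database and grant the service user` is what that file does. Now that the sequence lives inside a role, a short header comment naming the ordering constraints (database before the migrate step, service started before the admin is registered) would make the include list self-explaining for the next person who reorders it.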
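--- a/osquery/roles/fleet/vars/main.yml
+++ b/osquery/roles/fleet/vars/main.yml
@@ -0,0 +1,38 @@
+# Kolide Fleet vars
+kolide_fleet_db_name:fleet
+kolide_fleet_db_user:fleet
+#kolide_fleet_db_password: fleetSecrete
+kolide_fleet_port:"443"
+kolide_fleet_address:"0.0.0.0:{{ kolide_fleet_port }}"
+kolide_fleet_version:"2.0.0-rc5"
+kolide_fleet_url:"https://github.com/kolide/fleet/releases/download"
+kolide_fleet_admin_email:admin@openstack.org
+#kolide_fleet_admin_password: AdminSecrete
+kolide_fleet_ssl_cert:/etc/ssl/certs/fleet.cert
+kolide_fleet_ssl_key:/etc/ssl/private/fleet.key
+kolide_fleet_ssl_pem:/etc/ssl/private/fleet.pem
+kolide_fleet_ssl_ca_cert:/etc/ssl/certs/fleet-ca.pem
+kolide_fleet_ssl_self_signed_subject:"/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost"
+kolide_fleet_ssl_protocol:"{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
+kolide_fleet_ssl_cipher_suite:"{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
+#kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}"
+# MariaDB/Gallera Variables
+#mariadb_root_password: fleetSecrete
+mariadb_bind_address:"0.0.0.0"
+mariadb_root_remote:1
+mariadb_root_user:root
+mariadb_databases:
+- name:"{{ kolide_fleet_db_name }}"
+mariadb_users:
+- name:"{{ kolide_fleet_db_user }}"
+password:"{{ kolide_fleet_db_password }}"
+priv:" {{ kolide_fleet_db_name }}.*:ALL"
+host:"%"
+galera_root_password:"{{ mariadb_root_password }}"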
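--- a/osquery/site-fleet.yml
+++ b/osquery/site-fleet.yml
@@ -0,0 +1,15 @@
+---
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+- import_playbook:installDB.yml
+- import_playbook:installKolideFleet.yml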
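--- a/osquery/site-osquery.yml
+++ b/osquery/site-osquery.yml
@@ -0,0 +1,15 @@
+---
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+- import_playbook:registerSSLcerts.yml
+- import_playbook:installOSquery.yml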
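Review bot: site-osquery.yml imports `installOSquery.yml`, while the playbook that site.yml drops in the hunk below is `installOsquery.yml` and no rename of that file is visible on this page; on a case-sensitive filesystem `ansible-playbook site.yml` fails at this import unless the file was renamed elsewhere in the commit, so the spelling should match the file on disk, i.e. `- import_playbook: installOsquery.yml`. site-fleet.yml likewise imports `installDB.yml` where the old site.yml imported `installMariaDB.yml`; that is presumably the renamed Galera play, but it is also not visible here and is worth confirming.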
@@ -13,6 +13,5 @@
# See the License for the specific language governing permissions and
# limitations under the License.
- import_playbook:installMariaDB.yml
- import_playbook:installKolideFleet.yml
- import_playbook:installOsquery.yml
- import_playbook:site-fleet.yml
- import_playbook:site-osquery.yml
@@ -1,32 +1,17 @@
mariadb_root_user:root
#
kolide_fleet_enable:true
kolide_fleet_cluster:false
# Kolide Fleet vars
kolide_fleet_db_name:fleet
kolide_fleet_db_user:fleet
kolide_fleet_db_password:fleetSecrete
kolide_fleet_port:"443"
kolide_fleet_address:"0.0.0.0:{{ kolide_fleet_port }}"
kolide_fleet_version:"2.0.0-rc3"
kolide_fleet_url:"https://github.com/kolide/fleet/releases/download"
kolide_fleet_admin_email:admin@openstack.org
#kolide_fleet_admin_password: AdminSecrete
kolide_fleet_ssl_cert:/etc/ssl/certs/fleet.cert
kolide_fleet_ssl_key:/etc/ssl/private/fleet.key
kolide_fleet_ssl_pem:/etc/ssl/private/fleet.pem
kolide_fleet_ssl_ca_cert:/etc/ssl/certs/fleet-ca.pem
kolide_fleet_ssl_self_signed_subject:"/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}/subjectAltName=IP.2={{ ansible_host }}}/subjectAltName=IP.3=localhost"
kolide_fleet_ssl_protocol:"{{ ssl_protocol | default('ALL -SSLv2 -SSLv3') }}"
kolide_fleet_ssl_cipher_suite:"{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
#kolide_fleet_osquery_enroll_secret: "{{ kolide_fleet_enroll_secret }}"
kolide_fleet_ssl_self_signed_subject:"/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ ansible_host }}/subjectAltName=IP.1={{ ansible_host }}/subjectAltName=IP.2=localhost"
# Osquery vars
osquery_enroll_secret_dir:/etc/osquery/osquery_enroll_secret
osquery_debug_packages_install:false
osquery_debug_packages_install:false
@@ -53,16 +38,3 @@ osquery_flags:
- "--logger_tls_endpoint=/api/v1/osquery/log"
- "--logger_tls_period=10"
- "--enroll_secret_path={{ osquery_enroll_secret_dir }}"
# MariaDB/Gallera Variables
#mariadb_root_password: fleetSecrete
mariadb_bind_address:"0.0.0.0"
mariadb_root_remote:1
mariadb_databases:
- name:"{{ kolide_fleet_db_name }}"
mariadb_users:
- name:"{{ kolide_fleet_db_user }}"
password:"{{ kolide_fleet_db_password }}"
priv:" {{ kolide_fleet_db_name }}.*:ALL"
host:"%"
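Review bot: The rewritten `kolide_fleet_ssl_self_signed_subject` drops `external_lb_vip_address` from the CN and SAN list and keeps only `ansible_host`, so the certificate the fleet node serves will not cover the haproxy frontend this commit moves to port 6443 (haproxy is configured as TCP passthrough, so clients see this certificate); that is consistent with the README TODO about still pointing osquery at the fleet server IP, but a comment on this line such as `# VIP intentionally excluded until clients move behind haproxy` would save the next person from rediscovering it at cutover. The old value also carried a stray brace in `{{ ansible_host }}}`, which the rewrite removes.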