feat: tmp install osquery, check all permissions, remove script and osquery

samrose · samrose · commit 9bd0f534d759 · 2024-05-21T10:30:45.000-04:00
diff --git a/ansible-nix/files/permission_check.py b/ansible-nix/files/permission_check.py
@@ -0,0 +1,183 @@
+import subprocess
+import json
+import sys
+
+# Expected groups for each user
+expected_results = {
+    "postgres": [
+        {"groupname": "postgres", "username": "postgres"},
+        {"groupname": "ssl-cert", "username": "postgres"}
+    ],
+    "ubuntu": [
+        {"groupname":"ubuntu","username":"ubuntu"},
+        {"groupname":"adm","username":"ubuntu"},
+        {"groupname":"dialout","username":"ubuntu"},
+        {"groupname":"cdrom","username":"ubuntu"},
+        {"groupname":"floppy","username":"ubuntu"},
+        {"groupname":"sudo","username":"ubuntu"},
+        {"groupname":"audio","username":"ubuntu"},
+        {"groupname":"dip","username":"ubuntu"},
+        {"groupname":"video","username":"ubuntu"},
+        {"groupname":"plugdev","username":"ubuntu"},
+        {"groupname":"lxd","username":"ubuntu"},
+        {"groupname":"netdev","username":"ubuntu"}
+    ],
+    "root": [
+        {"groupname":"root","username":"root"}
+    ],
+    "daemon": [
+        {"groupname":"daemon","username":"daemon"}
+    ],
+    "bin": [
+        {"groupname":"bin","username":"bin"}
+    ],
+    "sys": [
+        {"groupname":"sys","username":"sys"}
+    ],
+    "sync": [
+        {"groupname":"nogroup","username":"sync"}
+    ],
+    "games": [
+        {"groupname":"games","username":"games"}
+    ],
+    "man": [
+        {"groupname":"man","username":"man"}
+    ],
+    "lp": [
+        {"groupname":"lp","username":"lp"}
+    ],
+    "mail": [
+        {"groupname":"mail","username":"mail"}
+    ],
+    "news": [
+        {"groupname":"news","username":"news"}
+    ],
+    "uucp": [
+        {"groupname":"uucp","username":"uucp"}
+    ],
+    "proxy": [
+        {"groupname":"proxy","username":"proxy"}
+    ],
+    "www-data": [
+        {"groupname":"www-data","username":"www-data"}
+    ],
+    "backup": [
+        {"groupname":"backup","username":"backup"}
+    ],
+    "list": [
+        {"groupname":"list","username":"list"}
+    ],
+    "irc": [
+        {"groupname":"irc","username":"irc"}
+    ],
+    "gnats": [
+        {"groupname":"gnats","username":"gnats"}
+    ],
+    "nobody": [
+        {"groupname":"nogroup","username":"nobody"}
+    ],
+    "systemd-network": [
+        {"groupname":"systemd-network","username":"systemd-network"}
+    ],
+    "systemd-resolve": [
+        {"groupname":"systemd-resolve","username":"systemd-resolve"}
+    ],
+    "systemd-timesync": [
+        {"groupname":"systemd-timesync","username":"systemd-timesync"}
+    ],
+    "messagebus": [
+        {"groupname":"messagebus","username":"messagebus"}
+    ],
+    "ec2-instance-connect": [
+        {"groupname":"nogroup","username":"ec2-instance-connect"}
+    ],
+    "sshd": [
+        {"groupname":"nogroup","username":"sshd"}
+    ],
+    "wal-g": [
+        {"groupname":"wal-g","username":"wal-g"},
+        {"groupname":"postgres","username":"wal-g"}
+    ],
+    "pgbouncer": [
+        {"groupname":"pgbouncer","username":"pgbouncer"},
+        {"groupname":"ssl-cert","username":"pgbouncer"},
+        {"groupname":"postgres","username":"pgbouncer"}
+    ],
+    "gotrue": [
+        {"groupname":"gotrue","username":"gotrue"}
+    ],
+    "envoy": [
+        {"groupname":"envoy","username":"envoy"}
+    ],
+    "kong": [
+        {"groupname":"kong","username":"kong"}
+    ],
+    "nginx": [
+        {"groupname":"nginx","username":"nginx"}
+    ],
+    "vector": [
+        {"groupname":"vector","username":"vector"},
+        {"groupname":"adm","username":"vector"},
+        {"groupname":"systemd-journal","username":"vector"},
+        {"groupname":"postgres","username":"vector"}
+    ],
+    "adminapi": [
+        {"groupname":"adminapi","username":"adminapi"},
+        {"groupname":"root","username":"adminapi"},
+        {"groupname":"systemd-journal","username":"adminapi"},
+        {"groupname":"admin","username":"adminapi"},
+        {"groupname":"postgres","username":"adminapi"},
+        {"groupname":"pgbouncer","username":"adminapi"},
+        {"groupname":"wal-g","username":"adminapi"},
+        {"groupname":"postgrest","username":"adminapi"},
+        {"groupname":"envoy","username":"adminapi"},
+        {"groupname":"kong","username":"adminapi"},
+        {"groupname":"vector","username":"adminapi"}
+    ],
+    "postgrest": [
+        {"groupname":"postgrest","username":"postgrest"}
+    ],
+    "tcpdump": [
+        {"groupname":"tcpdump","username":"tcpdump"}
+    ],
+    "systemd-coredump": [
+        {"groupname":"systemd-coredump","username":"systemd-coredump"}
+    ]
+}
+# This program depends on osquery being installed on the system
+# Function to run osquery
+def run_osquery(query):
+    process = subprocess.Popen(['osqueryi', '--json', query], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    output, error = process.communicate()
+    return output.decode('utf-8')
+
+def parse_json(json_str):
+    try:
+        return json.loads(json_str)
+    except json.JSONDecodeError as e:
+        print("Error decoding JSON:", e)
+        sys.exit(1)
+
+def compare_results(username, query_result):
+    expected_result = expected_results.get(username)
+    if expected_result is None:
+        print(f"No expected result defined for user '{username}'")
+        sys.exit(1)
+
+    if query_result == expected_result:
+        print(f"The query result for user '{username}' matches the expected result.")
+    else:
+        print(f"The query result for user '{username}' does not match the expected result.")
+        print("Expected:", expected_result)
+        print("Got:", query_result)
+        sys.exit(1)
+
+# Define usernames for which you want to compare results
+usernames = ["postgres", "ubuntu", "root", "daemon", "bin", "sys", "sync", "games","man","lp","mail","news","uucp","proxy","www-data","backup","list","irc","gnats","nobody","systemd-network","systemd-resolve","systemd-timesync","messagebus","ec2-instance-connect","sshd","wal-g","pgbouncer","gotrue","envoy","kong","nginx","vector","adminapi","postgrest","tcpdump","systemd-coredump"]
+
+# Iterate over usernames, run the query, and compare results
+for username in usernames:
+    query = f"SELECT u.username, g.groupname FROM users u JOIN user_groups ug ON u.uid = ug.uid JOIN groups g ON ug.gid = g.gid WHERE u.username = '{username}';"
+    query_result = run_osquery(query)
+    parsed_result = parse_json(query_result)
+    compare_results(username, parsed_result)
diff --git a/ansible-nix/playbook.yml b/ansible-nix/playbook.yml
@@ -117,3 +117,31 @@
     - name: Print result to Ansible log output
       debug:
         msg: "The postgres user is {{ 'not ' if check_user_group.rc != 0 else '' }}part of the users group"
+    
+    - name: Install osquery from nixpkgs binary cache
+      become: yes
+      shell: |
+        sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install nixpkgs#osquery"
+
+    - name: Install osquery permission check script
+      become: yes
+      copy:
+        src: files/permission_check.py
+        dest: /home/ubuntu/permission_check.py
+        mode: "0755"
+
+    - name: Run osquery permission checks
+      become: yes
+      shell: |
+        sudo -u ubuntu bash -c "python3 /home/ubuntu/permission_check.py"
+
+    - name: Remove osquery permission check script
+      become: yes
+      file:
+        path: /home/ubuntu/permission_check.py
+        state: absent
+
+    - name: Remove osquery    
+      become: yes
+      shell: |
+        sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile osquery"
diff --git a/ansible-nix/tasks/stage2/stage2-setup-postgres.yml b/ansible-nix/tasks/stage2/stage2-setup-postgres.yml
@@ -8,11 +8,6 @@
   shell: |
     sudo -u postgres bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install github:supabase/postgres/sam/2-stage-ami-nix#pg_prove"
 
-- name: Install pg_prove from nix binary cache
-  become: yes
-  shell: |
-    sudo -u ubuntu bash -c ". /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh && nix profile install nixpkgs#osquery"
-
 #TODO switch pg_prove sourcing to develop branch once PR is merged
 
 # - name: Generate en_US.UTF-8 locale
diff --git a/common-nix.vars.pkr.hcl b/common-nix.vars.pkr.hcl
@@ -1 +1 @@
-postgres-version = "15.6.1.45-nix-staged"
+postgres-version = "15.6.1.46-nix-staged"

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-postgres-version = "15.6.1.45-nix-staged"`
	`1`	`+postgres-version = "15.6.1.46-nix-staged"`