2016-09-26 18:48:55 +00:00
|
|
|
package service
|
2016-09-04 05:13:42 +00:00
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/json"
|
2016-10-05 00:17:55 +00:00
|
|
|
"fmt"
|
2016-09-06 21:28:07 +00:00
|
|
|
"net/http"
|
2016-10-05 00:17:55 +00:00
|
|
|
"strconv"
|
|
|
|
"strings"
|
|
|
|
"time"
|
2016-09-04 05:13:42 +00:00
|
|
|
|
2016-09-29 04:21:39 +00:00
|
|
|
hostctx "github.com/kolide/kolide-ose/server/contexts/host"
|
2016-09-26 18:48:55 +00:00
|
|
|
"github.com/kolide/kolide-ose/server/errors"
|
|
|
|
"github.com/kolide/kolide-ose/server/kolide"
|
2016-09-04 05:13:42 +00:00
|
|
|
"golang.org/x/net/context"
|
|
|
|
)
|
|
|
|
|
2016-09-21 03:08:11 +00:00
|
|
|
type osqueryError struct {
|
2016-09-29 04:21:39 +00:00
|
|
|
message string
|
|
|
|
nodeInvalid bool
|
2016-09-21 03:08:11 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (e osqueryError) Error() string {
|
|
|
|
return e.message
|
|
|
|
}
|
|
|
|
|
2016-09-29 04:21:39 +00:00
|
|
|
func (e osqueryError) NodeInvalid() bool {
|
|
|
|
return e.nodeInvalid
|
|
|
|
}
|
|
|
|
|
|
|
|
func (svc service) AuthenticateHost(ctx context.Context, nodeKey string) (*kolide.Host, error) {
|
|
|
|
if nodeKey == "" {
|
|
|
|
return nil, osqueryError{
|
|
|
|
message: "authentication error: missing node key",
|
|
|
|
nodeInvalid: true,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
host, err := svc.ds.AuthenticateHost(nodeKey)
|
|
|
|
if err != nil {
|
|
|
|
return nil, osqueryError{
|
|
|
|
message: "authentication error: " + err.Error(),
|
|
|
|
nodeInvalid: true,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return host, nil
|
|
|
|
}
|
|
|
|
|
2016-09-04 05:13:42 +00:00
|
|
|
func (svc service) EnrollAgent(ctx context.Context, enrollSecret, hostIdentifier string) (string, error) {
|
2016-09-14 16:11:06 +00:00
|
|
|
if enrollSecret != svc.config.Osquery.EnrollSecret {
|
2016-09-29 04:21:39 +00:00
|
|
|
return "", osqueryError{message: "invalid enroll secret", nodeInvalid: true}
|
2016-09-04 05:13:42 +00:00
|
|
|
}
|
|
|
|
|
2016-09-14 16:11:06 +00:00
|
|
|
host, err := svc.ds.EnrollHost(hostIdentifier, "", "", "", svc.config.Osquery.NodeKeySize)
|
2016-09-04 05:13:42 +00:00
|
|
|
if err != nil {
|
2016-09-29 04:21:39 +00:00
|
|
|
return "", osqueryError{message: "enrollment failed: " + err.Error(), nodeInvalid: true}
|
2016-09-04 05:13:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return host.NodeKey, nil
|
|
|
|
}
|
|
|
|
|
2016-09-29 04:21:39 +00:00
|
|
|
func (svc service) GetClientConfig(ctx context.Context) (*kolide.OsqueryConfig, error) {
|
2016-10-03 03:14:35 +00:00
|
|
|
host, ok := hostctx.FromContext(ctx)
|
|
|
|
if !ok {
|
|
|
|
return nil, osqueryError{message: "internal error: missing host from request context"}
|
|
|
|
}
|
|
|
|
|
|
|
|
config := &kolide.OsqueryConfig{
|
|
|
|
Options: kolide.OsqueryOptions{
|
|
|
|
PackDelimiter: "/",
|
|
|
|
DisableDistributed: false,
|
|
|
|
},
|
|
|
|
Packs: kolide.Packs{},
|
|
|
|
}
|
|
|
|
|
2016-10-17 19:30:47 +00:00
|
|
|
packs, err := svc.ListPacksForHost(ctx, host.ID)
|
2016-10-03 03:14:35 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, osqueryError{message: "database error: " + err.Error()}
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, pack := range packs {
|
|
|
|
// first, we must figure out what queries are in this pack
|
2016-10-14 15:59:27 +00:00
|
|
|
queries, err := svc.ds.ListQueriesInPack(pack)
|
2016-10-03 03:14:35 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, osqueryError{message: "database error: " + err.Error()}
|
|
|
|
}
|
|
|
|
|
|
|
|
// the serializable osquery config struct expects content in a
|
|
|
|
// particular format, so we do the conversion here
|
|
|
|
configQueries := kolide.Queries{}
|
|
|
|
for _, query := range queries {
|
|
|
|
configQueries[query.Name] = kolide.QueryContent{
|
|
|
|
Query: query.Query,
|
|
|
|
Interval: query.Interval,
|
|
|
|
Platform: query.Platform,
|
|
|
|
Version: query.Version,
|
|
|
|
Snapshot: query.Snapshot,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// finally, we add the pack to the client config struct with all of
|
|
|
|
// the packs queries
|
|
|
|
config.Packs[pack.Name] = kolide.PackContent{
|
|
|
|
Platform: pack.Platform,
|
|
|
|
Queries: configQueries,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return config, nil
|
2016-09-04 05:13:42 +00:00
|
|
|
}
|
|
|
|
|
2016-09-29 04:21:39 +00:00
|
|
|
func (svc service) SubmitStatusLogs(ctx context.Context, logs []kolide.OsqueryStatusLog) error {
|
2016-10-01 02:18:27 +00:00
|
|
|
host, ok := hostctx.FromContext(ctx)
|
|
|
|
if !ok {
|
|
|
|
return osqueryError{message: "internal error: missing host from request context"}
|
|
|
|
}
|
|
|
|
|
2016-09-06 21:28:07 +00:00
|
|
|
for _, log := range logs {
|
|
|
|
err := json.NewEncoder(svc.osqueryStatusLogWriter).Encode(log)
|
|
|
|
if err != nil {
|
|
|
|
return errors.NewFromError(err, http.StatusInternalServerError, "error writing status log")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-10-01 02:18:27 +00:00
|
|
|
err := svc.ds.MarkHostSeen(&host, svc.clock.Now())
|
|
|
|
if err != nil {
|
|
|
|
return osqueryError{message: "failed to update host seen: " + err.Error()}
|
2016-09-06 21:28:07 +00:00
|
|
|
}
|
2016-10-01 02:18:27 +00:00
|
|
|
|
2016-09-04 05:13:42 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2016-10-01 02:18:27 +00:00
|
|
|
func (svc service) SubmitResultLogs(ctx context.Context, logs []kolide.OsqueryResultLog) error {
|
2016-09-29 04:21:39 +00:00
|
|
|
host, ok := hostctx.FromContext(ctx)
|
|
|
|
if !ok {
|
|
|
|
return osqueryError{message: "internal error: missing host from request context"}
|
|
|
|
}
|
|
|
|
|
2016-10-01 02:18:27 +00:00
|
|
|
for _, log := range logs {
|
|
|
|
err := json.NewEncoder(svc.osqueryResultLogWriter).Encode(log)
|
|
|
|
if err != nil {
|
|
|
|
return errors.NewFromError(err, http.StatusInternalServerError, "error writing result log")
|
|
|
|
}
|
2016-09-29 04:21:39 +00:00
|
|
|
}
|
|
|
|
|
2016-10-01 02:18:27 +00:00
|
|
|
err := svc.ds.MarkHostSeen(&host, svc.clock.Now())
|
2016-09-29 04:21:39 +00:00
|
|
|
if err != nil {
|
2016-10-01 02:18:27 +00:00
|
|
|
return osqueryError{message: "failed to update host seen: " + err.Error()}
|
2016-09-29 04:21:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2016-09-21 03:08:11 +00:00
|
|
|
// hostLabelQueryPrefix is appended before the query name when a query is
|
|
|
|
// provided as a label query. This allows the results to be retrieved when
|
|
|
|
// osqueryd writes the distributed query results.
|
|
|
|
const hostLabelQueryPrefix = "kolide_label_query_"
|
|
|
|
|
|
|
|
// hostDetailQueryPrefix is appended before the query name when a query is
|
|
|
|
// provided as a detail query.
|
|
|
|
const hostDetailQueryPrefix = "kolide_detail_query_"
|
|
|
|
|
2016-10-05 00:17:55 +00:00
|
|
|
// detailQueries defines the detail queries that should be run on the host, as
|
|
|
|
// well as how the results of those queries should be ingested into the
|
|
|
|
// kolide.Host data model. This map should not be modified at runtime.
|
|
|
|
var detailQueries = map[string]struct {
|
|
|
|
Query string
|
|
|
|
IngestFunc func(host *kolide.Host, rows []map[string]string) error
|
|
|
|
}{
|
|
|
|
"osquery_info": {
|
|
|
|
Query: "select * from osquery_info limit 1",
|
|
|
|
IngestFunc: func(host *kolide.Host, rows []map[string]string) error {
|
|
|
|
if len(rows) != 1 {
|
|
|
|
return osqueryError{
|
|
|
|
message: fmt.Sprintf("expected 1 row but got %d", len(rows)),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
host.Platform = rows[0]["build_platform"]
|
|
|
|
host.OsqueryVersion = rows[0]["version"]
|
|
|
|
|
|
|
|
return nil
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"system_info": {
|
|
|
|
Query: "select * from system_info limit 1",
|
|
|
|
IngestFunc: func(host *kolide.Host, rows []map[string]string) error {
|
|
|
|
if len(rows) != 1 {
|
|
|
|
return osqueryError{
|
|
|
|
message: fmt.Sprintf("expected 1 row but got %d", len(rows)),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
var err error
|
|
|
|
host.PhysicalMemory, err = strconv.Atoi(rows[0]["physical_memory"])
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
host.HostName = rows[0]["hostname"]
|
|
|
|
host.UUID = rows[0]["uuid"]
|
|
|
|
|
|
|
|
return nil
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"os_version": {
|
|
|
|
Query: "select * from os_version limit 1",
|
|
|
|
IngestFunc: func(host *kolide.Host, rows []map[string]string) error {
|
|
|
|
if len(rows) != 1 {
|
|
|
|
return osqueryError{
|
|
|
|
message: fmt.Sprintf("expected 1 row but got %d", len(rows)),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
host.OSVersion = fmt.Sprintf(
|
|
|
|
"%s %s.%s.%s",
|
|
|
|
rows[0]["name"],
|
|
|
|
rows[0]["major"],
|
|
|
|
rows[0]["minor"],
|
|
|
|
rows[0]["patch"],
|
|
|
|
)
|
|
|
|
|
|
|
|
return nil
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"uptime": {
|
|
|
|
Query: "select * from uptime limit 1",
|
|
|
|
IngestFunc: func(host *kolide.Host, rows []map[string]string) error {
|
|
|
|
if len(rows) != 1 {
|
|
|
|
return osqueryError{
|
|
|
|
message: fmt.Sprintf("expected 1 row but got %d", len(rows)),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
uptimeSeconds, err := strconv.Atoi(rows[0]["total_seconds"])
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
host.Uptime = time.Duration(uptimeSeconds) * time.Second
|
|
|
|
|
|
|
|
return nil
|
|
|
|
},
|
|
|
|
},
|
|
|
|
"network_interface": {
|
|
|
|
Query: `select * from interface_details id join interface_addresses ia
|
|
|
|
on ia.interface = id.interface where broadcast != ""
|
|
|
|
order by (ibytes + obytes) desc limit 1`,
|
|
|
|
IngestFunc: func(host *kolide.Host, rows []map[string]string) error {
|
|
|
|
if len(rows) != 1 {
|
|
|
|
return osqueryError{
|
|
|
|
message: fmt.Sprintf("expected 1 row but got %d", len(rows)),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
host.PrimaryMAC = rows[0]["mac"]
|
|
|
|
host.PrimaryIP = rows[0]["address"]
|
|
|
|
|
|
|
|
return nil
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
// detailUpdateInterval determines how often the detail queries should be
|
|
|
|
// updated
|
|
|
|
const detailUpdateInterval = 1 * time.Hour
|
|
|
|
|
2016-09-21 03:08:11 +00:00
|
|
|
// hostDetailQueries returns the map of queries that should be executed by
|
|
|
|
// osqueryd to fill in the host details
|
2016-10-05 00:17:55 +00:00
|
|
|
func (svc service) hostDetailQueries(host kolide.Host) map[string]string {
|
2016-09-21 03:08:11 +00:00
|
|
|
queries := make(map[string]string)
|
2016-10-05 00:17:55 +00:00
|
|
|
if host.DetailUpdateTime.After(svc.clock.Now().Add(-detailUpdateInterval)) {
|
|
|
|
// No need to update already fresh details
|
|
|
|
return queries
|
|
|
|
}
|
|
|
|
|
|
|
|
for name, query := range detailQueries {
|
|
|
|
queries[hostDetailQueryPrefix+name] = query.Query
|
2016-09-21 03:08:11 +00:00
|
|
|
}
|
|
|
|
return queries
|
|
|
|
}
|
|
|
|
|
2016-09-04 05:13:42 +00:00
|
|
|
func (svc service) GetDistributedQueries(ctx context.Context) (map[string]string, error) {
|
2016-09-29 04:21:39 +00:00
|
|
|
host, ok := hostctx.FromContext(ctx)
|
2016-09-26 17:14:39 +00:00
|
|
|
if !ok {
|
2016-09-29 04:21:39 +00:00
|
|
|
return nil, osqueryError{message: "internal error: missing host from request context"}
|
2016-09-21 03:08:11 +00:00
|
|
|
}
|
|
|
|
|
2016-10-05 00:17:55 +00:00
|
|
|
queries := svc.hostDetailQueries(host)
|
2016-09-21 03:08:11 +00:00
|
|
|
|
|
|
|
// Retrieve the label queries that should be updated
|
|
|
|
cutoff := svc.clock.Now().Add(-svc.config.Osquery.LabelUpdateInterval)
|
2016-09-26 17:14:39 +00:00
|
|
|
labelQueries, err := svc.ds.LabelQueriesForHost(&host, cutoff)
|
2016-09-21 03:08:11 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
for name, query := range labelQueries {
|
|
|
|
queries[hostLabelQueryPrefix+name] = query
|
|
|
|
}
|
2016-09-04 05:13:42 +00:00
|
|
|
|
2016-09-21 03:08:11 +00:00
|
|
|
// TODO: retrieve the active distributed queries for this host
|
2016-09-04 05:13:42 +00:00
|
|
|
|
|
|
|
return queries, nil
|
|
|
|
}
|
|
|
|
|
2016-10-05 00:17:55 +00:00
|
|
|
// ingestDetailQuery takes the results of a detail query and modifies the
|
|
|
|
// provided kolide.Host appropriately.
|
|
|
|
func (svc service) ingestDetailQuery(host *kolide.Host, name string, rows []map[string]string) error {
|
|
|
|
trimmedQuery := strings.TrimPrefix(name, hostDetailQueryPrefix)
|
|
|
|
query, ok := detailQueries[trimmedQuery]
|
|
|
|
if !ok {
|
|
|
|
return osqueryError{message: "unknown detail query " + trimmedQuery}
|
|
|
|
}
|
|
|
|
|
|
|
|
err := query.IngestFunc(host, rows)
|
|
|
|
if err != nil {
|
|
|
|
return osqueryError{
|
|
|
|
message: fmt.Sprintf("ingesting query %s: %s", name, err.Error()),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2016-10-05 15:56:29 +00:00
|
|
|
// ingestLabelQuery records the results of label queries run by a host
|
|
|
|
func (svc service) ingestLabelQuery(host kolide.Host, query string, rows []map[string]string, results map[string]bool) error {
|
2016-10-05 00:17:55 +00:00
|
|
|
trimmedQuery := strings.TrimPrefix(query, hostLabelQueryPrefix)
|
2016-10-05 15:56:29 +00:00
|
|
|
// A label query matches if there is at least one result for that
|
|
|
|
// query. We must also store negative results.
|
|
|
|
results[trimmedQuery] = len(rows) > 0
|
2016-10-05 00:17:55 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2016-09-06 21:28:07 +00:00
|
|
|
func (svc service) SubmitDistributedQueryResults(ctx context.Context, results kolide.OsqueryDistributedQueryResults) error {
|
2016-10-05 00:17:55 +00:00
|
|
|
host, ok := hostctx.FromContext(ctx)
|
|
|
|
if !ok {
|
|
|
|
return osqueryError{message: "internal error: missing host from request context"}
|
|
|
|
}
|
|
|
|
|
|
|
|
err := svc.ds.MarkHostSeen(&host, svc.clock.Now())
|
|
|
|
if err != nil {
|
|
|
|
return osqueryError{message: "failed to update host seen: " + err.Error()}
|
|
|
|
}
|
|
|
|
|
2016-10-05 15:56:29 +00:00
|
|
|
labelResults := map[string]bool{}
|
2016-10-05 00:17:55 +00:00
|
|
|
for query, rows := range results {
|
|
|
|
switch {
|
|
|
|
case strings.HasPrefix(query, hostDetailQueryPrefix):
|
|
|
|
err = svc.ingestDetailQuery(&host, query, rows)
|
|
|
|
|
|
|
|
case strings.HasPrefix(query, hostLabelQueryPrefix):
|
2016-10-05 15:56:29 +00:00
|
|
|
err = svc.ingestLabelQuery(host, query, rows, labelResults)
|
2016-10-05 00:17:55 +00:00
|
|
|
|
|
|
|
default:
|
|
|
|
// TODO ingest regular distributed query results
|
|
|
|
}
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return osqueryError{message: "failed to ingest result: " + err.Error()}
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2016-10-05 15:56:29 +00:00
|
|
|
if len(labelResults) > 0 {
|
|
|
|
err = svc.ds.RecordLabelQueryExecutions(&host, labelResults, svc.clock.Now())
|
|
|
|
if err != nil {
|
|
|
|
return osqueryError{message: "failed to save labels: " + err.Error()}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-10-05 00:17:55 +00:00
|
|
|
host.DetailUpdateTime = svc.clock.Now()
|
|
|
|
err = svc.ds.SaveHost(&host)
|
|
|
|
if err != nil {
|
|
|
|
return osqueryError{message: "failed to update host details: " + err.Error()}
|
|
|
|
}
|
|
|
|
|
2016-09-04 05:13:42 +00:00
|
|
|
return nil
|
|
|
|
}
|