2023-02-24 02:29:28 +00:00
|
|
|
ARCH ?= $(shell uname -m)
|
|
|
|
|
COLLECT_DIR ?= "./out/$(shell hostname -s)-$(shell date +%Y-%m-%-d-%H-%M-%S)"
|
2023-02-24 02:45:34 +00:00
|
|
|
SUDO ?= "sudo"
|
2023-02-24 02:29:28 +00:00
|
|
|
|
|
|
|
|
out/osqtool-$(ARCH):
|
2022-10-13 13:11:17 +00:00
|
|
|
mkdir -p out
|
2022-10-13 14:04:18 +00:00
|
|
|
GOBIN=$(CURDIR)/out go install github.com/chainguard-dev/osqtool/cmd/osqtool@latest
|
2023-02-24 02:29:28 +00:00
|
|
|
mv out/osqtool out/osqtool-$(ARCH)
|
2022-10-13 13:11:17 +00:00
|
|
|
|
2023-02-24 02:29:28 +00:00
|
|
|
out/odk-detection.conf: out/osqtool-$(ARCH) $(wildcard detection/*.sql)
|
2023-03-04 18:03:30 +00:00
|
|
|
./out/osqtool-$(ARCH) --max-query-duration=8s --verify pack detection/ > out/.odk-detection.conf
|
2023-02-24 02:29:28 +00:00
|
|
|
mv out/.odk-detection.conf out/odk-detection.conf
|
2022-10-13 13:11:17 +00:00
|
|
|
|
2023-02-24 02:29:28 +00:00
|
|
|
out/odk-policy.conf: out/osqtool-$(ARCH) $(wildcard policy/*.sql)
|
2023-02-24 17:15:56 +00:00
|
|
|
./out/osqtool-$(ARCH) --verify pack policy/ > out/.odk-policy.conf
|
2023-02-24 02:29:28 +00:00
|
|
|
mv out/.odk-policy.conf out/odk-policy.conf
|
2022-10-13 14:04:18 +00:00
|
|
|
|
2023-02-24 02:29:28 +00:00
|
|
|
out/odk-incident-response.conf: out/osqtool-$(ARCH) $(wildcard incident_response/*.sql)
|
2023-03-04 18:03:30 +00:00
|
|
|
./out/osqtool-$(ARCH) --max-query-duration=12s --verify pack incident_response/ > out/.odk-incident-response.conf
|
2023-02-24 23:19:22 +00:00
|
|
|
mv out/.odk-incident-response.conf out/odk-incident-response.conf
|
2022-10-13 13:11:17 +00:00
|
|
|
|
2023-02-24 22:47:07 +00:00
|
|
|
# A privacy-aware variation of IR rules
|
|
|
|
|
out/odk-incident-response-privacy.conf: out/osqtool-$(ARCH) $(wildcard incident_response/*.sql)
|
|
|
|
|
./out/osqtool-$(ARCH) --exclude-tags=disabled,disabled-privacy pack incident_response/ > out/.odk-incident-response-privacy.conf
|
|
|
|
|
mv out/.odk-incident-response-privacy.conf out/odk-incident-response-privacy.conf
|
|
|
|
|
|
2023-03-04 18:03:30 +00:00
|
|
|
out/osquery.conf:
|
|
|
|
|
cat osquery.conf | sed s/"out\/"/""/g > out/osquery.conf
|
|
|
|
|
|
2023-02-24 22:47:07 +00:00
|
|
|
packs: out/odk-detection.conf out/odk-policy.conf out/odk-incident-response.conf out/odk-incident-response-privacy.conf
|
2022-10-13 13:11:17 +00:00
|
|
|
|
2023-03-04 18:03:30 +00:00
|
|
|
out/odk-packs.zip: packs out/osquery.conf
|
2023-02-24 22:47:07 +00:00
|
|
|
cd out && rm -f .*.conf && zip odk-packs.zip *.conf
|
2022-10-13 13:11:17 +00:00
|
|
|
|
2022-10-20 13:10:45 +00:00
|
|
|
.PHONY: reformat
|
|
|
|
|
reformat:
|
|
|
|
|
find . -type f -name "*.sql" | perl -ne 'chomp; system("cp $$_ /tmp/fix.sql && npx sql-formatter -l sqlite /tmp/fix.sql > $$_");'
|
|
|
|
|
|
2023-02-10 15:33:04 +00:00
|
|
|
.PHONY: reformat-updates
|
|
|
|
|
reformat-updates:
|
|
|
|
|
git status -s | awk '{ print $$2 }' | grep ".sql" | perl -ne 'chomp; system("cp $$_ /tmp/fix.sql && npx sql-formatter -l sqlite /tmp/fix.sql > $$_");'
|
|
|
|
|
|
2023-02-24 23:19:22 +00:00
|
|
|
.PHONY: detect
|
|
|
|
|
detect: ./out/osqtool-$(ARCH)
|
|
|
|
|
$(SUDO) ./out/osqtool-$(ARCH) run detection
|
|
|
|
|
|
2023-03-04 18:03:30 +00:00
|
|
|
.PHONY: run-detect-pack
|
|
|
|
|
run-detect-pack: out/odk-detection.conf
|
|
|
|
|
$(SUDO) osqueryi --config_path osquery.conf --pack detection
|
|
|
|
|
|
|
|
|
|
.PHONY: run-ir-pack
|
|
|
|
|
run-ir-pack: out/odk-incident-response.conf
|
|
|
|
|
$(SUDO) osqueryi --config_path osquery.conf --pack incident-response
|
|
|
|
|
|
2023-02-24 22:30:43 +00:00
|
|
|
.PHONY: collect
|
2023-02-24 23:19:22 +00:00
|
|
|
collect: ./out/osqtool-$(ARCH)
|
2023-02-24 02:29:28 +00:00
|
|
|
mkdir -p $(COLLECT_DIR)
|
|
|
|
|
@echo "Saving output to: $(COLLECT_DIR)"
|
2023-02-24 02:45:34 +00:00
|
|
|
$(SUDO) ./out/osqtool-$(ARCH) run incident_response | tee $(COLLECT_DIR)/incident_response.txt
|
|
|
|
|
$(SUDO) ./out/osqtool-$(ARCH) run policy | tee $(COLLECT_DIR)/policy.txt
|
|
|
|
|
$(SUDO) ./out/osqtool-$(ARCH) run detection | tee $(COLLECT_DIR)/detection.txt
|
2023-02-24 02:29:28 +00:00
|
|
|
|
2023-02-24 21:44:00 +00:00
|
|
|
# Looser values for CI use
|
|
|
|
|
.PHONY: verify-ci
|
|
|
|
|
verify-ci: ./out/osqtool-$(ARCH)
|
|
|
|
|
$(SUDO) ./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=30s --max-total-daily-duration=90m verify incident_response
|
|
|
|
|
$(SUDO) ./out/osqtool-$(ARCH) --max-results=2 --max-query-duration=12s verify policy
|
|
|
|
|
$(SUDO) ./out/osqtool-$(ARCH) --max-results=15 --max-query-duration=12s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection
|
|
|
|
|
|
|
|
|
|
# Local verification
|
2023-02-24 17:15:56 +00:00
|
|
|
.PHONY: verify
|
|
|
|
|
verify: ./out/osqtool-$(ARCH)
|
2023-02-24 21:49:53 +00:00
|
|
|
$(SUDO) ./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=10s --max-total-daily-duration=90m verify incident_response
|
2023-02-24 17:15:56 +00:00
|
|
|
$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s verify policy
|
2023-05-16 21:18:39 +00:00
|
|
|
$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=8s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection
|
2023-02-24 17:15:56 +00:00
|
|
|
|
2022-10-14 14:25:08 +00:00
|
|
|
all: out/odk-packs.zip
|
2023-02-24 02:29:28 +00:00
|
|
|
|
