osquery-defense-kit/Makefile

ARCH ?= $(shell uname -m)
COLLECT_DIR ?= "./out/$(shell hostname -s)-$(shell date +%Y-%m-%-d-%H-%M-%S)"
SUDO ?= "sudo"
OSQTOOL_VERSION=v1.4.2

out/osqtool-$(ARCH)-$(OSQTOOL_VERSION):
	mkdir -p out
	GOBIN=$(CURDIR)/out go install github.com/chainguard-dev/osqtool/cmd/osqtool@$(OSQTOOL_VERSION)
	mv out/osqtool out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)

out/detection.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard detection/*.sql)
	./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=16s --verify --exclude-tags=disabled,disabled-privacy,extra --output  out/detection.conf pack detection

out/policy.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)  $(wildcard policy/*.sql)
	./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --exclude-tags=disabled,disabled-privacy,extra --verify --output out/policy.conf pack policy/

out/vulnerabilities.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)  $(wildcard vulnerabilities/*.sql)
	./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --exclude-tags=disabled,disabled-privacy,extra --output out/vulnerabilities.conf pack vulnerabilities/

out/incident-response.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)  $(wildcard incident_response/*.sql)
	./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --exclude-tags=disabled,disabled-privacy,extra --output out/incident-response.conf pack incident_response/

out/osquery.conf:
	cat osquery.conf | sed s/"out\/"/""/g > out/osquery.conf

packs: out/detection.conf out/policy.conf out/incident-response.conf out/vulnerabilities.conf

out/packs.zip: packs out/osquery.conf
	cd out && rm -f .*.conf && zip odk-packs.zip *.conf

.PHONY: reformat
reformat:
	find . -type f -name "*.sql" | perl -ne 'chomp; system("cp $$_ /tmp/fix.sql && npx sql-formatter -l sqlite /tmp/fix.sql > $$_");'

.PHONY: reformat-updates
reformat-updates:
	git status -s | awk '{ print $$2 }' | grep ".sql" | perl -ne 'chomp; print("$$_\n"); system("cp $$_ /tmp/fix.sql && npx sql-formatter -l sqlite /tmp/fix.sql > $$_");'

.PHONY: detect
detect: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)
	$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) run detection

.PHONY: run-detect-pack
run-detect-pack: out/detection.conf
	$(SUDO) osqueryi --config_path osquery.conf --pack detection

.PHONY: run-policy-pack
run-policy-pack: out/policy.conf
	$(SUDO) osqueryi --config_path osquery.conf --pack policy

.PHONY: run-vuln-pack
run-vuln-pack: out/vulnerabilities.conf
	$(SUDO) osqueryi --config_path osquery.conf --pack vulnerabilities

.PHONY: run-ir-pack
run-ir-pack: out/incident-response.conf
	$(SUDO) osqueryi --config_path osquery.conf --pack incident-response

.PHONY: collect
collect: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)
	mkdir -p $(COLLECT_DIR)
	@echo "Saving output to: $(COLLECT_DIR)"
	$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) run incident_response | tee $(COLLECT_DIR)/incident_response.txt
	$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) run policy | tee $(COLLECT_DIR)/policy.txt
	$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) run detection | tee $(COLLECT_DIR)/detection.txt

# Looser values for CI use
.PHONY: verify-ci
verify-ci: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)
	$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=150000 --max-query-duration=30s --max-total-daily-duration=90m verify incident_response
	$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=50 --max-query-duration=30s verify policy
	$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=1000 --max-query-duration=30s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection

# Local verification
.PHONY: verify
verify: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)
	$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=150000 --max-query-duration=10s --max-total-daily-duration=15m verify incident_response
	$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=0 --max-query-duration=6s --max-total-daily-duration=10m verify policy
	$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=0 --max-query-duration=16s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection

all: out/packs.zip
Makefile: add "make collection" target, improve others 2023-02-24 02:29:28 +00:00			`ARCH ?= $(shell uname -m)`
			`COLLECT_DIR ?= "./out/$(shell hostname -s)-$(shell date +%Y-%m-%-d-%H-%M-%S)"`
Makefile: collect as root 2023-02-24 02:45:34 +00:00			`SUDO ?= "sudo"`
upgrade osqtool to v1.4.2 2024-10-16 14:24:16 +00:00			`OSQTOOL_VERSION=v1.4.2`
Makefile: add "make collection" target, improve others 2023-02-24 02:29:28 +00:00
makefile: Add osqtool versioning 2023-12-15 22:29:26 +00:00			`out/osqtool-$(ARCH)-$(OSQTOOL_VERSION):`
v0.0.1 2022-10-13 13:11:17 +00:00			`mkdir -p out`
makefile: Add osqtool versioning 2023-12-15 22:29:26 +00:00			`GOBIN=$(CURDIR)/out go install github.com/chainguard-dev/osqtool/cmd/osqtool@$(OSQTOOL_VERSION)`
			`mv out/osqtool out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)`
v0.0.1 2022-10-13 13:11:17 +00:00
Simplify makefile, reduce config targets to 4 2024-01-09 21:56:40 +00:00			`out/detection.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard detection/*.sql)`
extend timeout to 16s 2024-09-23 15:20:44 +00:00			`./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=16s --verify --exclude-tags=disabled,disabled-privacy,extra --output out/detection.conf pack detection`
split detection pack into subpacks 2023-09-20 21:43:39 +00:00
Simplify makefile, reduce config targets to 4 2024-01-09 21:56:40 +00:00			`out/policy.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard policy/*.sql)`
policy.conf: Fix makefile typo (extra o) 2024-09-24 19:57:29 +00:00			`./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --exclude-tags=disabled,disabled-privacy,extra --verify --output out/policy.conf pack policy/`
split detection pack into subpacks 2023-09-20 21:43:39 +00:00
Simplify makefile, reduce config targets to 4 2024-01-09 21:56:40 +00:00			`out/vulnerabilities.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard vulnerabilities/*.sql)`
Performance tuning, mark some Linux queries as 'extra' 2024-03-15 23:06:16 +00:00			`./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --exclude-tags=disabled,disabled-privacy,extra --output out/vulnerabilities.conf pack vulnerabilities/`
split detection pack into subpacks 2023-09-20 21:43:39 +00:00
Simplify makefile, reduce config targets to 4 2024-01-09 21:56:40 +00:00			`out/incident-response.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard incident_response/*.sql)`
Performance tuning, mark some Linux queries as 'extra' 2024-03-15 23:06:16 +00:00			`./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --exclude-tags=disabled,disabled-privacy,extra --output out/incident-response.conf pack incident_response/`
Add privacy-aware version of the IR rules 2023-02-24 22:47:07 +00:00
Add a runnable osquery.conf example 2023-03-04 18:03:30 +00:00			`out/osquery.conf:`
			`cat osquery.conf \| sed s/"out\/"/""/g > out/osquery.conf`

Simplify makefile, reduce config targets to 4 2024-01-09 21:56:40 +00:00			`packs: out/detection.conf out/policy.conf out/incident-response.conf out/vulnerabilities.conf`
v0.0.1 2022-10-13 13:11:17 +00:00
Simplify makefile, reduce config targets to 4 2024-01-09 21:56:40 +00:00			`out/packs.zip: packs out/osquery.conf`
Add privacy-aware version of the IR rules 2023-02-24 22:47:07 +00:00			`cd out && rm -f ..conf && zip odk-packs.zip .conf`
v0.0.1 2022-10-13 13:11:17 +00:00
Add 'reformat' rule 2022-10-20 13:10:45 +00:00			`.PHONY: reformat`
			`reformat:`
			`find . -type f -name "*.sql" \| perl -ne 'chomp; system("cp $$_ /tmp/fix.sql && npx sql-formatter -l sqlite /tmp/fix.sql > $$_");'`

Makefile: Add reformat-updates target 2023-02-10 15:33:04 +00:00			`.PHONY: reformat-updates`
			`reformat-updates:`
fpr: sddm-helper, smartd, Xorg, elastic, WebEx, BambuStudio, keepass, etc 2024-07-26 17:26:37 +00:00			`git status -s \| awk '{ print $$2 }' \| grep ".sql" \| perl -ne 'chomp; print("$$_\n"); system("cp $$_ /tmp/fix.sql && npx sql-formatter -l sqlite /tmp/fix.sql > $$_");'`
Makefile: Add reformat-updates target 2023-02-10 15:33:04 +00:00
Makefile: Add 'detect' rule, fix collection/IR rules 2023-02-24 23:19:22 +00:00			`.PHONY: detect`
makefile: Add osqtool versioning 2023-12-15 22:29:26 +00:00			`detect: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)`
			`$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) run detection`
Makefile: Add 'detect' rule, fix collection/IR rules 2023-02-24 23:19:22 +00:00
Add a runnable osquery.conf example 2023-03-04 18:03:30 +00:00			`.PHONY: run-detect-pack`
Simplify makefile, reduce config targets to 4 2024-01-09 21:56:40 +00:00			`run-detect-pack: out/detection.conf`
Add a runnable osquery.conf example 2023-03-04 18:03:30 +00:00			`$(SUDO) osqueryi --config_path osquery.conf --pack detection`

Simplify makefile, reduce config targets to 4 2024-01-09 21:56:40 +00:00			`.PHONY: run-policy-pack`
			`run-policy-pack: out/policy.conf`
			`$(SUDO) osqueryi --config_path osquery.conf --pack policy`

			`.PHONY: run-vuln-pack`
			`run-vuln-pack: out/vulnerabilities.conf`
			`$(SUDO) osqueryi --config_path osquery.conf --pack vulnerabilities`

Add a runnable osquery.conf example 2023-03-04 18:03:30 +00:00			`.PHONY: run-ir-pack`
Simplify makefile, reduce config targets to 4 2024-01-09 21:56:40 +00:00			`run-ir-pack: out/incident-response.conf`
Add a runnable osquery.conf example 2023-03-04 18:03:30 +00:00			`$(SUDO) osqueryi --config_path osquery.conf --pack incident-response`

Remove wireless-networks rule, rename collection to collect 2023-02-24 22:30:43 +00:00			`.PHONY: collect`
makefile: Add osqtool versioning 2023-12-15 22:29:26 +00:00			`collect: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)`
Makefile: add "make collection" target, improve others 2023-02-24 02:29:28 +00:00			`mkdir -p $(COLLECT_DIR)`
			`@echo "Saving output to: $(COLLECT_DIR)"`
makefile: Add osqtool versioning 2023-12-15 22:29:26 +00:00			`$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) run incident_response \| tee $(COLLECT_DIR)/incident_response.txt`
			`$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) run policy \| tee $(COLLECT_DIR)/policy.txt`
			`$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) run detection \| tee $(COLLECT_DIR)/detection.txt`
Makefile: add "make collection" target, improve others 2023-02-24 02:29:28 +00:00
Add verify-ci Makefile rule 2023-02-24 21:44:00 +00:00			`# Looser values for CI use`
			`.PHONY: verify-ci`
makefile: Add osqtool versioning 2023-12-15 22:29:26 +00:00			`verify-ci: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)`
fpr: MHLink, k3d, BlueFin, query tuning 2024-04-26 20:14:02 +00:00			`$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=150000 --max-query-duration=30s --max-total-daily-duration=90m verify incident_response`
Even higher values Signed-off-by: egibs <20933572+egibs@users.noreply.github.com> 2024-07-12 18:30:48 +00:00			`$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=50 --max-query-duration=30s verify policy`
			`$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=1000 --max-query-duration=30s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection`
Add verify-ci Makefile rule 2023-02-24 21:44:00 +00:00
			`# Local verification`
Fixes so that ODK can run under CI 2023-02-24 17:15:56 +00:00			`.PHONY: verify`
makefile: Add osqtool versioning 2023-12-15 22:29:26 +00:00			`verify: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)`
fpr: MHLink, k3d, BlueFin, query tuning 2024-04-26 20:14:02 +00:00			`$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=150000 --max-query-duration=10s --max-total-daily-duration=15m verify incident_response`
			`$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=0 --max-query-duration=6s --max-total-daily-duration=10m verify policy`
			`$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --workers 1 --max-results=0 --max-query-duration=16s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection`
Fixes so that ODK can run under CI 2023-02-24 17:15:56 +00:00
Simplify makefile, reduce config targets to 4 2024-01-09 21:56:40 +00:00			`all: out/packs.zip`
Makefile: add "make collection" target, improve others 2023-02-24 02:29:28 +00:00