From da65d1dd20ab7cc0f5019d8357770b7ade2ceb0c Mon Sep 17 00:00:00 2001 From: Antoine Eiche Date: Wed, 19 Jul 2023 11:58:49 +0200 Subject: [PATCH] nixos/osquery: init --- .../manual/release-notes/rl-2311.section.md | 2 + nixos/modules/module-list.nix | 1 + nixos/modules/rename.nix | 1 - nixos/modules/services/monitoring/osquery.nix | 97 +++++++++++++++++++ 4 files changed, 100 insertions(+), 1 deletion(-) create mode 100644 nixos/modules/services/monitoring/osquery.nix diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md index 5ccaa92914e1..38fd9a3ff03d 100644 --- a/nixos/doc/manual/release-notes/rl-2311.section.md +++ b/nixos/doc/manual/release-notes/rl-2311.section.md @@ -26,6 +26,8 @@ - [trust-dns](https://trust-dns.org/), a Rust based DNS server built to be safe and secure from the ground up. Available as [services.trust-dns](#opt-services.trust-dns.enable). +- [osquery](https://www.osquery.io/), a SQL powered operating system instrumentation, monitoring, and analytics. + ## Backward Incompatibilities {#sec-release-23.11-incompatibilities} - The `boot.loader.raspberryPi` options have been marked deprecated, with intent for removal for NixOS 24.11. They had a limited use-case, and do not work like people expect. They required either very old installs ([before mid-2019](https://github.com/NixOS/nixpkgs/pull/62462)) or customized builds out of scope of the standard and generic AArch64 support. That option set never supported the Raspberry Pi 4 family of devices. diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 5510944b2152..cef987555f3f 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix 
@@ -761,6 +761,7 @@
   ./services/monitoring/nagios.nix
   ./services/monitoring/netdata.nix
   ./services/monitoring/opentelemetry-collector.nix
+  ./services/monitoring/osquery.nix
   ./services/monitoring/parsedmarc.nix
   ./services/monitoring/prometheus/alertmanager-irc-relay.nix
   ./services/monitoring/prometheus/alertmanager.nix
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index 0e8b823c2bdd..a32d433bbdde 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -72,7 +72,6 @@ in
     (mkRemovedOptionModule [ "services" "mesos" ] "The corresponding package was removed from nixpkgs.")
     (mkRemovedOptionModule [ "services" "moinmoin" ] "The corresponding package was removed from nixpkgs.")
     (mkRemovedOptionModule [ "services" "mwlib" ] "The corresponding package was removed from nixpkgs.")
-    (mkRemovedOptionModule [ "services" "osquery" ] "The osquery module has been removed")
     (mkRemovedOptionModule [ "services" "pantheon" "files" ] ''
       This module was removed, please add pkgs.pantheon.elementary-files to environment.systemPackages directly.
     '')
diff --git a/nixos/modules/services/monitoring/osquery.nix b/nixos/modules/services/monitoring/osquery.nix
new file mode 100644
index 000000000000..98524d0c700c
--- /dev/null
+++ b/nixos/modules/services/monitoring/osquery.nix
@@ -0,0 +1,97 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.services.osquery;
+  dirname = path: with lib.strings; with lib.lists; concatStringsSep "/"
+    (init (splitString "/" (normalizePath path)));
+
+  # conf is the osquery configuration file used when the --config_plugin=filesystem.
+  # filesystem is the osquery default value for the config_plugin flag.
+  conf = pkgs.writeText "osquery.conf" (builtins.toJSON cfg.settings);
+
+  # flagfile is the file containing osquery command line flags to be
+  # provided to the application using the special --flagfile option.
+  flagfile = pkgs.writeText "osquery.flags"
+    (concatStringsSep "\n"
+      (mapAttrsToList (name: value: "--${name}=${value}")
+        # Use the conf derivation if not otherwise specified.
+        ({ config_path = conf; } // cfg.flags)));
+
+  osqueryi = pkgs.runCommand "osqueryi" { nativeBuildInputs = [ pkgs.makeWrapper ]; } ''
+    mkdir -p $out/bin
+    makeWrapper ${pkgs.osquery}/bin/osqueryi $out/bin/osqueryi \
+      --add-flags "--flagfile ${flagfile}"
+  '';
+in
+{
+  options.services.osquery = {
+    enable = mkEnableOption (mdDoc "osqueryd daemon");
+
+    settings = mkOption {
+      default = { };
+      description = mdDoc ''
+        Configuration to be written to the osqueryd JSON configuration file.
+        To understand the configuration format, refer to https://osquery.readthedocs.io/en/stable/deployment/configuration/#configuration-components.
+      '';
+      example = {
+        options.utc = false;
+      };
+      type = types.attrs;
+    };
+
+    flags = mkOption {
+      default = { };
+      description = mdDoc ''
+        Attribute set of flag names and values to be written to the osqueryd flagfile.
+        For more information, refer to https://osquery.readthedocs.io/en/stable/installation/cli-flags.
+      '';
+      example = {
+        config_refresh = "10";
+      };
+      type = with types;
+        submodule {
+          freeformType = attrsOf str;
+          options = {
+            database_path = mkOption {
+              default = "/var/lib/osquery/osquery.db";
+              readOnly = true;
+              description = mdDoc "Path used for the database file.";
+              type = path;
+            };
+            logger_path = mkOption {
+              default = "/var/log/osquery";
+              readOnly = true;
+              description = mdDoc "Base directory used for logging.";
+              type = path;
+            };
+            pidfile = mkOption {
+              default = "/run/osquery/osqueryd.pid";
+              readOnly = true;
+              description = mdDoc "Path used for pid file.";
+              type = path;
+            };
+          };
+        };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ osqueryi ];
+    systemd.services.osqueryd = {
+      after = [ "network.target" "syslog.service" ];
+      description = "The osquery daemon";
+      serviceConfig = {
+        ExecStart = "${pkgs.osquery}/bin/osqueryd --flagfile ${flagfile}";
+        PIDFile = cfg.flags.pidfile;
+        LogsDirectory = cfg.flags.logger_path;
+        StateDirectory = dirname cfg.flags.database_path;
+        Restart = "always";
+      };
+      wantedBy = [ "multi-user.target" ];
+    };
+    systemd.tmpfiles.rules = [
+      "d ${dirname (cfg.flags.pidfile)} 0755 root root -"
+    ];
+  };
+}
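Review bot: Both `conf` and `flagfile` are produced with `pkgs.writeText`, so every value of `services.osquery.settings` and `services.osquery.flags` is written into the world-readable Nix store, and neither option description warns about it. Some osquery flags carry credentials (TLS enrollment secrets, cloud logger keys), and a user who sets one here publishes it to every local account on the host. I would add to both descriptions a sentence like `Values are written to the Nix store and are world-readable; do not put secrets here. Point osquery at a file outside the store instead (for example via the enroll_secret_path flag).` Separately, systemd documents `StateDirectory=` and `LogsDirectory=` as taking names relative to `/var/lib` and `/var/log`, so the absolute `/var/lib/osquery` and `/var/log/osquery` passed in `serviceConfig` are probably ignored with a warning rather than created and chowned by systemd; worth checking the journal on first start, and if so using `StateDirectory = "osquery";` and `LogsDirectory = "osquery";`.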