make: Add combined-detection.conf & osqtool versioning #339

Merged
merged 2 commits into from
Dec 15, 2023
98 changes: 51 additions & 47 deletions Makefile
@@ -1,57 +1,61 @@
ARCH ?= $(shell uname -m)
COLLECT_DIR ?= "./out/$(shell hostname -s)-$(shell date +%Y-%m-%-d-%H-%M-%S)"
SUDO ?= "sudo"
OSQTOOL_VERSION=v1.4.0

out/osqtool-$(ARCH):
out/osqtool-$(ARCH)-$(OSQTOOL_VERSION):
mkdir -p out
GOBIN=$(CURDIR)/out go install github.com/chainguard-dev/osqtool/cmd/osqtool@latest
mv out/osqtool out/osqtool-$(ARCH)
GOBIN=$(CURDIR)/out go install github.com/chainguard-dev/osqtool/cmd/osqtool@$(OSQTOOL_VERSION)
mv out/osqtool out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)

out/odk-detection-c2.conf: out/osqtool-$(ARCH) $(wildcard detection/c2/*.sql)
./out/osqtool-$(ARCH) --max-query-duration=4s --verify -output out/odk-detection-c2.conf pack detection/c2
out/odk-detection-c2.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard detection/c2/*.sql)
./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=4s --verify -output out/odk-detection-c2.conf pack detection/c2

out/odk-detection-collection.conf: out/osqtool-$(ARCH) $(wildcard detection/collection/*.sql)
./out/osqtool-$(ARCH) --max-query-duration=4s --verify -output out/odk-detection-collection.conf pack detection/collection
out/odk-detection-collection.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard detection/collection/*.sql)
./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=4s --verify -output out/odk-detection-collection.conf pack detection/collection

out/odk-detection-credentials.conf: out/osqtool-$(ARCH) $(wildcard detection/credentials/*.sql)
./out/osqtool-$(ARCH) --max-query-duration=4s --verify -output out/odk-detection-credentials.conf pack detection/credentials
out/odk-detection-credentials.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard detection/credentials/*.sql)
./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=4s --verify -output out/odk-detection-credentials.conf pack detection/credentials

out/odk-detection-discovery.conf: out/osqtool-$(ARCH) $(wildcard detection/discovery/*.sql)
./out/osqtool-$(ARCH) --max-query-duration=4s --verify -output out/odk-detection-discovery.conf pack detection/discovery
out/odk-detection-discovery.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard detection/discovery/*.sql)
./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=4s --verify -output out/odk-detection-discovery.conf pack detection/discovery

out/odk-detection-evasion.conf: out/osqtool-$(ARCH) $(wildcard detection/evasion/*.sql)
./out/osqtool-$(ARCH) --max-query-duration=4s --verify -output out/odk-detection-evasion.conf pack detection/evasion
out/odk-detection-evasion.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard detection/evasion/*.sql)
./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=4s --verify -output out/odk-detection-evasion.conf pack detection/evasion

out/odk-detection-execution.conf: out/osqtool-$(ARCH) $(wildcard detection/execution/*.sql)
./out/osqtool-$(ARCH) --max-query-duration=16s --verify -output out/odk-detection-execution.conf pack detection/execution
out/odk-detection-execution.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard detection/execution/*.sql)
./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=16s --verify -output out/odk-detection-execution.conf pack detection/execution

out/odk-detection-exfil.conf: out/osqtool-$(ARCH) $(wildcard detection/exfil/*.sql)
./out/osqtool-$(ARCH) --max-query-duration=16s --verify -output out/odk-detection-exfil.conf pack detection/exfil
out/odk-detection-exfil.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard detection/exfil/*.sql)
./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=16s --verify -output out/odk-detection-exfil.conf pack detection/exfil

out/odk-detection-impact.conf: out/osqtool-$(ARCH) $(wildcard detection/impact/*.sql)
./out/osqtool-$(ARCH) --max-query-duration=4s --verify -output out/odk-detection-impact.conf pack detection/impact
out/odk-detection-impact.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard detection/impact/*.sql)
./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=4s --verify -output out/odk-detection-impact.conf pack detection/impact

out/odk-detection-initial_access.conf: out/osqtool-$(ARCH) $(wildcard detection/initial_access/*.sql)
./out/osqtool-$(ARCH) --max-query-duration=8s --verify -output out/odk-detection-initial_access.conf pack detection/initial_access
out/odk-detection-initial_access.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard detection/initial_access/*.sql)
./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=8s --verify -output out/odk-detection-initial_access.conf pack detection/initial_access

out/odk-detection-persistence.conf: out/osqtool-$(ARCH) $(wildcard detection/persistence/*.sql)
./out/osqtool-$(ARCH) --max-query-duration=14s --verify -output out/odk-detection-persistence.conf pack detection/persistence
out/odk-detection-persistence.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard detection/persistence/*.sql)
./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=14s --verify -output out/odk-detection-persistence.conf pack detection/persistence

out/odk-detection-privesc.conf: out/osqtool-$(ARCH) $(wildcard detection/privesc/*.sql)
./out/osqtool-$(ARCH) --max-query-duration=4s --verify -output out/odk-detection-privesc.conf pack detection/privesc
out/odk-detection-privesc.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard detection/privesc/*.sql)
./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=4s --verify -output out/odk-detection-privesc.conf pack detection/privesc

out/odk-policy.conf: out/osqtool-$(ARCH) $(wildcard policy/*.sql)
./out/osqtool-$(ARCH) --verify --output out/odk-policy.conf pack policy/
out/odk-policy.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard policy/*.sql)
./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --verify --output out/odk-policy.conf pack policy/

out/odk-vulnerabilities.conf: out/osqtool-$(ARCH) $(wildcard vulnerabilities/*.sql)
./out/osqtool-$(ARCH) --output out/odk-vulnerabilities.conf pack vulnerabilities/
out/odk-vulnerabilities.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard vulnerabilities/*.sql)
./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --output out/odk-vulnerabilities.conf pack vulnerabilities/

out/odk-incident-response.conf: out/osqtool-$(ARCH) $(wildcard incident_response/*.sql)
./out/osqtool-$(ARCH) --max-query-duration=12s --output out/odk-incident-response.conf --verify pack incident_response/
out/odk-incident-response.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard incident_response/*.sql)
./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-query-duration=12s --output out/odk-incident-response.conf --verify pack incident_response/

out/combined-detection.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard */*/*.sql)
./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --output out/combined-detection.conf --verify pack detection/ vulnerabilities/

# A privacy-aware variation of IR rules
out/odk-incident-response-privacy.conf: out/osqtool-$(ARCH) $(wildcard incident_response/*.sql)
./out/osqtool-$(ARCH) --exclude-tags=disabled,disabled-privacy --output out/odk-incident-response-privacy.conf pack incident_response/
out/odk-incident-response-privacy.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard incident_response/*.sql)
./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --exclude-tags=disabled,disabled-privacy --output out/odk-incident-response-privacy.conf pack incident_response/

out/osquery.conf:
cat osquery.conf | sed s/"out\/"/""/g > out/osquery.conf
Expand All @@ -70,8 +74,8 @@ reformat-updates:
git status -s | awk '{ print $$2 }' | grep ".sql" | perl -ne 'chomp; system("cp $$_ /tmp/fix.sql && npx sql-formatter -l sqlite /tmp/fix.sql > $$_");'

.PHONY: detect
detect: ./out/osqtool-$(ARCH)
$(SUDO) ./out/osqtool-$(ARCH) run detection
detect: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)
$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) run detection

.PHONY: run-detect-pack
run-detect-pack: out/odk-detection.conf
Expand All @@ -82,26 +86,26 @@ run-ir-pack: out/odk-incident-response.conf
$(SUDO) osqueryi --config_path osquery.conf --pack incident-response

.PHONY: collect
collect: ./out/osqtool-$(ARCH)
collect: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)
mkdir -p $(COLLECT_DIR)
@echo "Saving output to: $(COLLECT_DIR)"
$(SUDO) ./out/osqtool-$(ARCH) run incident_response | tee $(COLLECT_DIR)/incident_response.txt
$(SUDO) ./out/osqtool-$(ARCH) run policy | tee $(COLLECT_DIR)/policy.txt
$(SUDO) ./out/osqtool-$(ARCH) run detection | tee $(COLLECT_DIR)/detection.txt
$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) run incident_response | tee $(COLLECT_DIR)/incident_response.txt
$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) run policy | tee $(COLLECT_DIR)/policy.txt
$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) run detection | tee $(COLLECT_DIR)/detection.txt

# Looser values for CI use
.PHONY: verify-ci
verify-ci: ./out/osqtool-$(ARCH)
$(SUDO) ./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=30s --max-total-daily-duration=90m verify incident_response
$(SUDO) ./out/osqtool-$(ARCH) --max-results=2 --max-query-duration=12s verify policy
$(SUDO) ./out/osqtool-$(ARCH) --max-results=15 --max-query-duration=12s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection
verify-ci: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)
$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-results=150000 --max-query-duration=30s --max-total-daily-duration=90m verify incident_response
$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-results=2 --max-query-duration=12s verify policy
$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-results=15 --max-query-duration=12s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection

# Local verification
.PHONY: verify
verify: ./out/osqtool-$(ARCH)
$(SUDO) ./out/osqtool-$(ARCH) --max-results=150000 --max-query-duration=10s --max-total-daily-duration=15m verify incident_response
$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=6s --max-total-daily-duration=10m verify policy
$(SUDO) ./out/osqtool-$(ARCH) --max-results=0 --max-query-duration=16s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection
verify: ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION)
$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-results=150000 --max-query-duration=10s --max-total-daily-duration=15m verify incident_response
$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-results=0 --max-query-duration=6s --max-total-daily-duration=10m verify policy
$(SUDO) ./out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) --max-results=0 --max-query-duration=16s --max-total-daily-duration=2h30m --max-query-daily-duration=1h verify detection

all: out/odk-packs.zip

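Review bot: The new `out/combined-detection.conf` rule declares its SQL inputs as `$(wildcard */*/*.sql)`, but its recipe packs `detection/ vulnerabilities/`, and the vulnerabilities queries live one level deep (the sibling rule uses `$(wildcard vulnerabilities/*.sql)`), so an edited or added file under `vulnerabilities/` will not trigger a rebuild of the combined pack, while unrelated two-level directories would. Spell the prerequisites out to match what is packed: `out/combined-detection.conf: out/osqtool-$(ARCH)-$(OSQTOOL_VERSION) $(wildcard detection/*/*.sql) $(wildcard vulnerabilities/*.sql)`. The same rule also omits the `--max-query-duration` bound that every per-category detection pack passes to `--verify`, so the combined pack appears to be verified against osqtool's default limit rather than the 4s–16s budgets chosen per directory; if that is intentional a comment saying so would help, otherwise add the bound. Separately, `OSQTOOL_VERSION=v1.4.0` is the only knob in the header assigned with `=` rather than `?=`, so unlike `ARCH` and `SUDO` it cannot be overridden from the environment; `OSQTOOL_VERSION ?= v1.4.0` keeps the pin while matching the surrounding style.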