Allister Banks arubdesu

## internal compliance check wiki.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                arubdesu
                / internal compliance check wiki.md
            
            
              Created
              May 13, 2022 07:58
            
          
    How to Understand More Complicated osquery Compliance Checks

Example query:
with compliance_check as (
  select sha256,
  case when sha256 = 'omgwtfbbqrandomchars00112233445566' then 'OK' else 'FAILED' end ztl_status
  from hash
  where path = '/path/to/conf'
)


## expander
OUTPUT=$(/usr/bin/basename "$1" | /usr/bin/sed -e "s/.pkg//g")
/usr/sbin/pkgutil --expand "$1" /tmp/"$OUTPUT"
open -a "Archive Utility.app" /tmp/"$OUTPUT"/Payload

## simianfacter
#!/usr/local/munki/simian/bin/python
#
# Copyright 2010 Google Inc. All Rights Reserved.

"""Script to output Simian dependent facter-like output of various variables."""

import json
import os
import re
import subprocess

## ruler.py
#!/usr/bin/python
"""Shoves down santa rules 5 at a time to whitelist certs/binaries
NOTICE - if you have a sync server like Zentral configured, you cannot add rules
"""
import os
import subprocess
from multiprocessing.dummy import Pool as ThreadPool

if os.geteuid() != 0:
    exit("Please run this script as root.")

## whitelistBinaries.txt
10b716799ecc07f472e6475ac6395cf76d7b180da7fc665fa7399e931d0540e5,/opt/puppetlabs/puppet/bin/augparse
10e5efeba67a600d3dcafc1cf3ee1bbb854c3d41a65fa3e9466e8e565d76c3eb,/opt/puppetlabs/puppet/bin/ruby
2533995e290b235bc98dcd9142df49101017ce2d9b860b0bbe8e841a780e6009,/Applications/Docker.app/Contents/Resources/bin/docker
3b45cef4efbd9a437a18669e6a7bce4e24456bb1c6cedfe039fda4ed9277c652,/Library/DropboxHelperTools/Dropbox_u841296058/dbaccessperm
58926d227548537c86b69b88906f1cbafbd689f5289323c13a3c2a31019f872b,/Applications/Managed Software Center.app
5d76ffc5b716f065bb0a2218fb05f1249e7e9ba83e960e7ed0a9b0c2aae58f56,/Applications/Docker.app/Contents/Resources/bin/http2client
7b30e3c645301d2e41006c9da04b6b50c6bca32843aafd7ee7dcf900d50c4549,/Applications/TextMate.app/Contents/Resources/mate
7edcc27c2b2e7e26446448953816044e7d2f234f5c51d8848ea97b5bc902db3c,/usr/local/bin/osqueryi
a2fb872c714389d7b0415b62421331d9b1dad3cb88fe22bca1c4a8f8f489e171,/private/tmp/PKInstallSandbox.8Uv2rI/Scripts/com.microsoft.office.all.fonts.pkg

## SantaLogScraper.py
#!/usr/bin/python
import glob
import gzip


certs = [
    "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",# apples
    "33b9aee3b089c922952c9240a40a0daa271bebf192cf3f7d964722e8f2170e48",# santas - everything after this isn't included...
    "15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153",# GoogleSoftwareUpdateAgent (~)
    "1808a95f11169c7212a45b44c1c547c1f3e810915014bd892435253a3f8761ca",# Citrix ServiceRecords/ReceiverHelper

## BrowserWhitelist_Table.ext
#!/usr/bin/python


import osquery
import browser_whitelist


@osquery.register_plugin
class BrowserWhitelist(osquery.TablePlugin):
    def name(self):

## allTheDMGs.py
#!/usr/bin/python
# -*- coding: utf-8 -*-
import glob
import os
import subprocess
import sys
sys.path.append('/usr/local/munki/munkilib')
import FoundationPlist

path = '/Users/abanks/Library/AutoPkg/Cache'

## bootstrap_pupppetcerts.py
#!/usr/bin/python
"""bootstraps puppet, which gets munki ready for SSL,
and runs the munki function that shoves puppet's CA into the sys keychain.
Assumes this is at /Library/MMCSupport/bootstrap_puppet.py,
and called by outset(github.com/chilcote/outset)'s boot-every option"""

import os
import shutil
import subprocess
import sys

## SantaCertShaProcessor.py
#!/usr/bin/python
#
# Copyright 2016 Allister Banks, mostly stolen from Hannes Juutilainen
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
	OUTPUT=$(/usr/bin/basename "$1" \| /usr/bin/sed -e "s/.pkg//g")
	/usr/sbin/pkgutil --expand "$1" /tmp/"$OUTPUT"
	open -a "Archive Utility.app" /tmp/"$OUTPUT"/Payload
	#!/usr/local/munki/simian/bin/python
	#
	# Copyright 2010 Google Inc. All Rights Reserved.

	"""Script to output Simian dependent facter-like output of various variables."""

	import json
	import os
	import re
	import subprocess
	#!/usr/bin/python
	"""Shoves down santa rules 5 at a time to whitelist certs/binaries
	NOTICE - if you have a sync server like Zentral configured, you cannot add rules
	"""
	import os
	import subprocess
	from multiprocessing.dummy import Pool as ThreadPool

	if os.geteuid() != 0:
	exit("Please run this script as root.")
	10b716799ecc07f472e6475ac6395cf76d7b180da7fc665fa7399e931d0540e5,/opt/puppetlabs/puppet/bin/augparse
	10e5efeba67a600d3dcafc1cf3ee1bbb854c3d41a65fa3e9466e8e565d76c3eb,/opt/puppetlabs/puppet/bin/ruby
	2533995e290b235bc98dcd9142df49101017ce2d9b860b0bbe8e841a780e6009,/Applications/Docker.app/Contents/Resources/bin/docker
	3b45cef4efbd9a437a18669e6a7bce4e24456bb1c6cedfe039fda4ed9277c652,/Library/DropboxHelperTools/Dropbox_u841296058/dbaccessperm
	58926d227548537c86b69b88906f1cbafbd689f5289323c13a3c2a31019f872b,/Applications/Managed Software Center.app
	5d76ffc5b716f065bb0a2218fb05f1249e7e9ba83e960e7ed0a9b0c2aae58f56,/Applications/Docker.app/Contents/Resources/bin/http2client
	7b30e3c645301d2e41006c9da04b6b50c6bca32843aafd7ee7dcf900d50c4549,/Applications/TextMate.app/Contents/Resources/mate
	7edcc27c2b2e7e26446448953816044e7d2f234f5c51d8848ea97b5bc902db3c,/usr/local/bin/osqueryi
	a2fb872c714389d7b0415b62421331d9b1dad3cb88fe22bca1c4a8f8f489e171,/private/tmp/PKInstallSandbox.8Uv2rI/Scripts/com.microsoft.office.all.fonts.pkg
	#!/usr/bin/python
	import glob
	import gzip


	certs = [
	"2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32",# apples
	"33b9aee3b089c922952c9240a40a0daa271bebf192cf3f7d964722e8f2170e48",# santas - everything after this isn't included...
	"15b8ce88e10f04c88a5542234fbdfc1487e9c2f64058a05027c7c34fc4201153",# GoogleSoftwareUpdateAgent (~)
	"1808a95f11169c7212a45b44c1c547c1f3e810915014bd892435253a3f8761ca",# Citrix ServiceRecords/ReceiverHelper
	#!/usr/bin/python


	import osquery
	import browser_whitelist


	@osquery.register_plugin
	class BrowserWhitelist(osquery.TablePlugin):
	def name(self):
	#!/usr/bin/python
	# -- coding: utf-8 --
	import glob
	import os
	import subprocess
	import sys
	sys.path.append('/usr/local/munki/munkilib')
	import FoundationPlist

	path = '/Users/abanks/Library/AutoPkg/Cache'
	#!/usr/bin/python
	"""bootstraps puppet, which gets munki ready for SSL,
	and runs the munki function that shoves puppet's CA into the sys keychain.
	Assumes this is at /Library/MMCSupport/bootstrap_puppet.py,
	and called by outset(github.com/chilcote/outset)'s boot-every option"""

	import os
	import shutil
	import subprocess
	import sys
	#!/usr/bin/python
	#
	# Copyright 2016 Allister Banks, mostly stolen from Hannes Juutilainen
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#