go-audit and osquery bootstrap script
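#! /bin/bash
# Bootstrap go-audit (built from source with Go 1.7) and osquery 2.1.2 on an
# Ubuntu 14.04 "trusty" host, then open a tmux session with one window per tool.
#
# Usage:  bash bootstrap.sh
#   Re-executes itself under sudo when not already root (the original used
#   `sudo su`, which opens an interactive shell and blocks every later line
#   until that shell exits).
#
# Optional environment:
#   GO_TARBALL_SHA256   expected sha256 of the Go tarball
#   OSQUERY_DEB_SHA256  expected sha256 of the osquery .deb
#   When set, a digest mismatch aborts the install; when empty, the download
#   is used unverified and a warning is printed.
set -euo pipefail

readonly GO_VERSION="1.7"
readonly GO_TARBALL="go${GO_VERSION}.linux-amd64.tar.gz"
readonly GO_URL="https://storage.googleapis.com/golang/${GO_TARBALL}"
readonly OSQUERY_DEB="osquery_2.1.2_amd64.deb"
readonly OSQUERY_URL="https://osquery-packages.s3.amazonaws.com/trusty/${OSQUERY_DEB}"
readonly WORKDIR="/root"
readonly OSQUERY_ETC="/etc/osquery"
readonly GO_AUDIT_SRC_REL="src/github.com/slackhq/go-audit"

# Placeholders: fill in from the upstream release notes to pin the downloads.
GO_TARBALL_SHA256="${GO_TARBALL_SHA256:-}"
OSQUERY_DEB_SHA256="${OSQUERY_DEB_SHA256:-}"

# The distro golang package is too old to build go-audit; a Go 1.7 toolchain
# is installed under /usr/local and selected via update-alternatives below.
export GOROOT=/usr/local/go
export GOPATH="${WORKDIR}/.go"
export PATH="${PATH}:${GOROOT}/bin:${GOPATH}/bin"

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Re-run the script under sudo when not already root.
# Arguments: the script's own positional parameters, passed through.
#######################################
require_root() {
  if (( EUID != 0 )); then
    [[ -f "$0" ]] || die "run this script as root (e.g. sudo bash bootstrap.sh)"
    exec sudo -- bash "$0" "$@"
  fi
}

#######################################
# Download a file and verify its sha256 when an expected digest is supplied.
# Arguments: $1 - URL, $2 - destination filename, $3 - expected sha256 (may be empty)
# Returns:   exits via die on download failure or digest mismatch
#######################################
fetch_verified() {
  local url=$1 dest=$2 expected=$3
  wget -O "$dest" -- "$url" || die "download failed: $url"
  if [[ -n "$expected" ]]; then
    printf '%s  %s\n' "$expected" "$dest" | sha256sum -c - \
      || die "sha256 mismatch for $dest"
  else
    printf 'warn: %s was not verified; set the matching *_SHA256 variable to pin it\n' \
      "$dest" >&2
  fi
}

#######################################
# Install build tooling and auditd from the distro repositories.
#######################################
install_packages() {
  apt-get update
  apt-get upgrade -y
  apt-get install -y build-essential golang git jq auditd
}

#######################################
# Install Go 1.7 into $GOROOT and make it the default `go` binary.
# Globals: GOROOT, GOPATH (written), WORKDIR
#######################################
install_go() {
  cd "$WORKDIR" || die "cannot cd to $WORKDIR"
  fetch_verified "$GO_URL" "$GO_TARBALL" "$GO_TARBALL_SHA256"
  # Start from a clean tree: extracting over an older install leaves stale files.
  rm -rf -- "${GOROOT:?}"
  tar -C /usr/local -xzf -- "$GO_TARBALL"
  mkdir -p -- "$GOPATH"
  update-alternatives --install "/usr/bin/go" "go" "${GOROOT}/bin/go" 0
  update-alternatives --set go "${GOROOT}/bin/go"
}

#######################################
# Fetch go-audit and govendor into $GOPATH and build go-audit.
# Globals: GOPATH, GO_AUDIT_SRC_REL
#######################################
build_go_audit() {
  local src="${GOPATH}/${GO_AUDIT_SRC_REL}"
  go get -u github.com/slackhq/go-audit
  go get -u github.com/kardianos/govendor
  cd "$src" || die "cannot cd to $src"
  make
  # Seed the config from the shipped example, but never clobber an edited one.
  [[ -e go-audit.yaml ]] || cp -- go-audit.yaml.example go-audit.yaml
}

#######################################
# Download and install the osquery .deb for trusty.
# Globals: WORKDIR, OSQUERY_URL, OSQUERY_DEB, OSQUERY_DEB_SHA256
#######################################
install_osquery() {
  cd "$WORKDIR" || die "cannot cd to $WORKDIR"
  fetch_verified "$OSQUERY_URL" "$OSQUERY_DEB" "$OSQUERY_DEB_SHA256"
  dpkg -i -- "$OSQUERY_DEB"
}

#######################################
# Write the sample osquery schedule and the audit-related flagfile.
# Globals: OSQUERY_ETC
# Outputs: $OSQUERY_ETC/osquery.conf and $OSQUERY_ETC/osquery.flags
#######################################
write_osquery_config() {
  mkdir -p -- "$OSQUERY_ETC"
  # Quoted delimiter: the JSON is written literally, with no expansion.
  cat <<'EOF' > "${OSQUERY_ETC}/osquery.conf"
{
"schedule":{
"process_events":{
"query": "select * from process_events",
"interval": 10
},
"socket_events":{
"query": "select * from socket_events",
"interval": 10
},
"user_events":{
"query": "select * from user_events",
"interval": 10
}
}
}
EOF
  # jq was installed above; reject a malformed config before osqueryd sees it.
  jq . "${OSQUERY_ETC}/osquery.conf" >/dev/null || die "invalid JSON in osquery.conf"
  cat <<'EOF' > "${OSQUERY_ETC}/osquery.flags"
--disable_audit=false
--audit_allow_config=true
--audit_persist=true
--audit_allow_sockets
EOF
}

#######################################
# Open a detached tmux session with go-audit in window 1 and osqueryd in
# window 2, then attach. The run commands are typed into each window without
# Enter, so they only execute once the operator confirms them.
# Globals: GOPATH, GO_AUDIT_SRC_REL, OSQUERY_ETC
#######################################
start_tmux() {
  local sn=tmuxsession
  if tmux has-session -t "$sn" 2>/dev/null; then
    die "tmux session '$sn' already exists; attach with: tmux attach -t $sn"
  fi
  tmux new-session -s "$sn" -d
  tmux new-window -t "$sn:1" -n "go-audit" -d
  tmux new-window -t "$sn:2" -n "osquery" -d
  tmux send-keys -t "$sn:1" "cd ${GOPATH}/${GO_AUDIT_SRC_REL}" Enter
  tmux send-keys -t "$sn:1" './go-audit -config go-audit.yaml | jq .'
  tmux send-keys -t "$sn:2" "cd ${OSQUERY_ETC}" Enter
  tmux send-keys -t "$sn:2" 'osqueryd --config_path="/etc/osquery/osquery.conf" --flagfile="/etc/osquery/osquery.flags"'
  tmux attach -t "$sn"
}

main() {
  require_root "$@"
  install_packages
  install_go
  build_go_audit
  install_osquery
  write_osquery_config
  start_tmux
}

main "$@"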