crowdsec/pkg/setup
mmetc e976614645
cscli metrics: rename buckets -> scenarios (#2848)
* cscli metrics: rename buckets -> scenarios
* update lint configuration
* lint
2024-02-15 14:34:12 +01:00
..
detect.go cscli setup: accept stdin; fix proftpd detection test and service unmask (#2496) 2023-09-29 12:58:35 +02:00
detect_test.go CI: enable testifylint (#2696) 2024-01-05 15:26:13 +01:00
export_test.go cscli setup (#1923) 2023-02-06 07:33:04 +01:00
install.go Refactor hub management and cscli commands (#2545) 2023-11-24 15:57:32 +01:00
README.md cscli metrics: rename buckets -> scenarios (#2848) 2024-02-15 14:34:12 +01:00
units.go cscli setup (#1923) 2023-02-06 07:33:04 +01:00
units_test.go cscli setup (#1923) 2023-02-06 07:33:04 +01:00

NOTE: The following document describes an experimental, work-in-progress feature. To enable the cscli setup command, set the environment variable CROWDSEC_FEATURE_CSCLI_SETUP=true or add the line " - cscli_setup" to /etc/crowdsec/feature.yaml. Any feedback is welcome.


cscli setup

The "cscli setup" command can configure a crowdsec instance based on the services that are installed or running on the server.

There are three main subcommands:

  • cscli setup detect: detect the services, the OS family, version or the Linux distribution
  • cscli setup install-hub: install the recommended collections, parsers, etc. based on the detection result
  • cscli setup datasources: generate the appropriate acquisition rules

The setup command is used in the wizard.sh script, but can also be invoked by hand or customized via a configuration file by adding new services, log locations and detection rules.

Detection and installation are performed as separate steps, as you can see in the following diagram:

 +-------------+
 |             |
 | detect.yaml |
 |             |
 +-------------+
        |
        v
  setup detect
        |
        v
 +--------------+
 |              +---> setup install-hub     +-----------------------+
 |  setup.yaml  |                           |                       |
 |              +---> setup datasources --->| etc/crowdsec/acquis.d |
 +--------------+                           |                       |
                                            +-----------------------+

You can inspect and customize the intermediary file (setup.yaml), which is useful in case of many instances, deployment automation or unusual setups.

A subcommand can be used to check your changes in this case:

  • cscli setup validate: validate or report errors on a setup file

Basic usage

Identify the existing services and write out what was detected:

# cscli setup detect > setup.yaml

See what was found.

# cscli setup install-hub setup.yaml --dry-run
dry-run: would install collection crowdsecurity/apache2
dry-run: would install collection crowdsecurity/linux
dry-run: would install collection crowdsecurity/pgsql
dry-run: would install parser crowdsecurity/whitelists

Install the objects (parsers, scenarios...) required to support the detected services:

# cscli setup install-hub setup.yaml
INFO[29-06-2022 03:16:14 PM] crowdsecurity/apache2-logs : OK              
INFO[29-06-2022 03:16:14 PM] Enabled parsers : crowdsecurity/apache2-logs 
INFO[29-06-2022 03:16:14 PM] crowdsecurity/http-logs : OK             
[...]
INFO[29-06-2022 03:16:18 PM] Enabled crowdsecurity/linux      

Generate the datasource configuration:

# cscli setup datasources setup.yaml --to-dir /etc/crowdsec/acquis.d

With the above command, each detected service gets a corresponding file in the acquis.d directory. Running cscli setup again may add more services as they are detected, but datasource files or hub items are never removed automatically.

The detect.yaml file

A detect.yaml file is downloaded when you first install crowdsec, and is updated by the cscli hub update command.

NOTE: XXX XXX - this is currently not the case, the file is distributed in the crowdsec repository, but it should change.

You can see the default location with cscli setup detect --help | grep detect-config

The YAML file contains a version number (always 1.0) and a list of sections, one per supported service.

Each service defines its detection rules, the recommended hub items and recommended datasources. The same software can be defined in multiple service sections: for example, apache on debian and fedora have different detection rules and different datasources so it requires two sections to support both platforms.

The following are minimal detect.yaml examples just to show a few concepts.

version: 1.0

services:

  apache2:
    when:
      - ProcessRunning("apache2")
    install:
      collections:
        - crowdsecurity/apache2
    datasources:
      source: file
      labels:
        type: apache2
      filenames:
        - /var/log/apache2/*.log
        - /var/log/httpd/*.log
  • ProcessRunning() matches the process name of a running application. The when: clause can contain any number of expressions, they are all evaluated and must all return true for a service to be detected (implied and clause, no short-circuit). A missing or empty when: section is evaluated as true. The expression engine is the same one used by CrowdSec parser filters. You can force the detection of a process by using the cscli setup detect... --force-process <processname> flag. It will always behave as if <processname> was running.

The install: section can contain any number of collections, parsers, scenarios and postoverflows. In practices, it's most often a single collection.

The datasource: section is copied as-is in the acquisition file.

NOTE: XXX TODO - the current version does not validate the datasource: mapping. Bad content is written to acquis.d until crowdsec chokes on it.

Detecting a running process may seem a good idea, but if a process manager like systemd is available it's better to ask it for the information we want.

version: 1.0

services:

  apache2-systemd:
    when:
      - UnitFound("apache2.service")
      - OS.ID != "centos"
    install:
      collections:
        - crowdsecurity/apache2
    datasource:
      source: file
      labels:
        type: syslog
      filenames:
        - /var/log/apache2/*.log

  apache2-systemd-centos:
    when:
      - UnitFound("httpd.service")
      - OS.ID == "centos"
    install:
      collections:
        - crowdsecurity/apache2
    datasource:
      source: file
      labels:
        type: syslog
      filenames:
        - /var/log/httpd/*.log

Here we see two more detection methods:

  • UnitFound() matches the name of systemd units, if the are in state enabled, generated or static. You can see here that CentOS is using a different unit name for Apache so it must have its own service section. You can force the detection of a unit by using the cscli setup detect... --force-unit <unitname> flag.

  • OS.Family, OS.ID and OS.RawVersion are read from /etc/os-release in case of Linux, and detected by other methods for FreeBSD and Windows. Under FreeBSD and Windows, the value of OS.ID is the same as OS.Family. If OS detection fails, it can be overridden with the flags --force-os-family, --force-os-id and --force-os-version.

If you want to ignore one or more services (i.e. not install anything and not generate acquisition rules) you can specify it with cscli setup detect... --skip-service <servicename>. For example, --skip-service apache2-systemd. If you want to disable systemd unit detection, use cscli setup detect... --snub-systemd.

If you used the --force-process or --force-unit flags, but none of the defined services is looking for them, you'll have an error like "detecting services: process(es) forced but not supported".

NOTE: XXX XXX - having an error for this is maybe too much, but can tell that a configuration is outdated. Could this be a warning with optional flag to make it an error?

We used the OS.ID value to check for the linux distribution, but since the same configuration is required for CentOS and the other RedHat derivatives, it's better to check for the existence of a file that is known to exist in all of them:

version: 1.0

services:

  apache2-systemd-deb:
    when:
      - UnitFound("apache2.service")
      - PathExists("/etc/debian_version")
    install:
    # [...]

  apache2-systemd-rpm:
    when:
      - UnitFound("httpd.service")
      - PathExists("/etc/redhat-release")
    install:
    # [...]
  • PathExists() evaluates to true if a file, directory or link exists at the given path. It does not check for broken links.

Rules can be used to detect operating systems and environments:

version: 1.0

services:

  linux:
    when:
      - OS.Family == "linux"
    install:
      collections:
        - crowdsecurity/linux
    datasource:
      type: file
      labels:
        type: syslog
      log_files:
      - /var/log/syslog
      - /var/log/kern.log
      - /var/log/messages

  freebsd:
    when:
      - OS.Family == "freebsd"
    install:
      collections:
        - crowdsecurity/freebsd

  windows:
    when:
      - OS.Family == "windows"
    install:
      collections:
        - crowdsecurity/windows

The OS object contains a methods to check for version numbers: OS.VersionCheck("<constraint>"). It uses the Masterminds/semver package and accepts a variety of operators.

Instead of: OS.RawVersion == "1.2.3" you should use OS.VersionCheck("~1"), OS.VersionCheck("~1.2") depending if you want to match the major or the minor version. It's unlikely that you need to match the exact patch level.

Leading zeroes are permitted, to allow comparison of Ubuntu versions: strict semver rules would treat "22.04" as invalid.

The setup.yaml file

This file does not actually have a specific name, as it's usually written to standard output.

For example, on a Debian system running Apache under systemd you can execute:

$ cscli setup detect --yaml
setup:
  - detected_service: apache2-systemd-deb
    install:
      collections:
        - crowdsecurity/apache2
    datasource:
      filenames:
        - /var/log/apache2/*.log
      labels:
        type: apache2
  - detected_service: linux
    install:
      collections:
        - crowdsecurity/linux
    datasource:
      filenames:
        - /var/log/syslog
        - /var/log/kern.log
        - /var/log/messages
      labels:
        type: syslog
  - detected_service: whitelists
    install:
      parsers:
        - crowdsecurity/whitelists

The default output format is JSON, which is compatible with YAML but less readable to humans.

  • detected_service: used to generate a name for the files written to acquis.d
  • install: can contain collections, parsers, scenarios, postoverflows
  • datasource: copied to acquis.d
$ cscli setup datasources --help
generate datasource (acquisition) configuration from a setup file

Usage:
  cscli setup datasources [setup_file] [flags]

Flags:
  -h, --help            help for datasources
      --to-dir string   write the configuration to a directory, in multiple files
[...]

If the --to-dir option is not specified, a single monolithic acquis.yaml is printed to the standard output.