Refactor osquery and add retry-loop for OU

Vagrant/Vagrantfile

@@ -63,7 +63,6 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "reload"
     cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
-    cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-choco-extras.ps1", privileged: false
@@ -130,7 +129,6 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "reload"
     cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
-    cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
     cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
     cfg.vm.provision "shell", path: "scripts/install-wefsubscriptions.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-splunkuf.ps1", privileged: false
@@ -194,7 +192,6 @@ Vagrant.configure("2") do |config|
     cfg.vm.provision "reload"
     cfg.vm.provision "shell", path: "scripts/provision.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/download_palantir_wef.ps1", privileged: false
-    cfg.vm.provision "shell", path: "scripts/download_palantir_osquery.ps1", privileged: false
     cfg.vm.provision "shell", inline: 'wevtutil el | Select-String -notmatch "Microsoft-Windows-LiveId" | Foreach-Object {wevtutil cl "$_"}', privileged: false
     cfg.vm.provision "shell", path: "scripts/install-utilities.ps1", privileged: false
     cfg.vm.provision "shell", path: "scripts/install-redteam.ps1", privileged: false

Vagrant/scripts/configure-ou.ps1

@@ -13,43 +13,46 @@ ping /n 1 windomain.local
 
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server and Workstation OUs..."
 # Create the Servers OU if it doesn't exist
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server OU"
+$servers_ou_created = 0
-try {
+while ($servers_ou_created != 1) {
+  Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Server OU"
+  try {
     Get-ADOrganizationalUnit -Identity 'OU=Servers,DC=windomain,DC=local' | Out-Null
     Write-Host "Servers OU already exists. Moving On."
-}
+  }
-catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
+  catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
     New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local"
     Write-Host "Created Servers OU."
-}
+    $servers_ou_created = 1
-catch [Microsoft.ActiveDirectory.Management.ADServerDownException] {
+  }
-  Write-Host "Unable to reach Active Directory. Sleeping for 10 and attmepting one more time..."
+  catch [Microsoft.ActiveDirectory.Management.ADServerDownException] {
-  Start-Sleep 10
+    Write-Host "Unable to reach Active Directory. Sleeping for 5 and trying again..."
-  New-ADOrganizationalUnit -Name "Servers" -Server "dc.windomain.local"
+    Start-Sleep 5
-  Write-Host "Created Servers OU after a retry."
+  }
-}
+  catch {
-catch {
     Write-Host "Something went wrong attempting to reach AD or create the OU."
+  }
 }
 
 # Create the Workstations OU if it doesn't exist
+$workstations_ou_created = 0
+while ($workstations_ou_created != 1) {
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Creating Workstations OU"
-try {
+  try {
     Get-ADOrganizationalUnit -Identity 'OU=Workstations,DC=windomain,DC=local' | Out-Null
     Write-Host "Workstations OU already exists. Moving On."
-}
+  }
-catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
+  catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
     New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local"
     Write-Host "Created Workstations OU."
-}
+  }
-catch [Microsoft.ActiveDirectory.Management.ADServerDownException] {
+  catch [Microsoft.ActiveDirectory.Management.ADServerDownException] {
-  Write-Host "Unable to reach Active Directory. Sleeping for 10 and attmepting one more time..."
+    Write-Host "Unable to reach Active Directory. Sleeping for 5 and trying again..."
-  Start-Sleep 10
+    Start-Sleep 5
-  New-ADOrganizationalUnit -Name "Workstations" -Server "dc.windomain.local"
+  }
-  Write-Host "Created Workstations OU after a retry."
+  catch {
-}
-catch {
     Write-Host "Something went wrong attempting to reach AD or create the OU."
+  }
 }
 
 # Sysprep breaks auto-login. Let's restore it here:

Vagrant/scripts/download_palantir_osquery.ps1

@@ -1,17 +0,0 @@
-# Purpose: Downloads and unzips a copy of the Palantir osquery Github Repo. These configs are added to the Fleet server in bootstrap.sh.
-# The items from this config file are used later in install-osquery.ps1
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Downloading and unzipping the Palantir osquery Repo from Github..."
-
-$osqueryRepoPath = 'C:\Users\vagrant\AppData\Local\Temp\osquery-Master.zip'
-if (-not (Test-Path $osqueryRepoPath))
-{
-    # GitHub requires TLS 1.2 as of 2/1/2018
-    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-    Invoke-WebRequest -Uri "https://github.com/palantir/osquery-configuration/archive/master.zip" -OutFile $osqueryRepoPath
-    Expand-Archive -path "$osqueryRepoPath" -destinationpath 'c:\Users\vagrant\AppData\Local\Temp' -Force
-}
-else
-{
-    Write-Host "$osqueryRepoPath already exists. Moving On."
-}
-Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Palantir osquery config download complete!"

Vagrant/scripts/install-osquery.ps1

@@ -1,18 +1,18 @@
 # Purpose: Installs osquery on the host
 # Note: by default, osquery will be configured to connect to the Fleet server on the "logger" host via TLS.
-# If you would like to have osquery run without TLS & Fleet, uncomment line 15 and comment lines 21-30.
 
 Write-Host "$('[{0:HH:mm}]' -f (Get-Date)) Installing osquery..."
-$packsDir = "c:\Program Files\osquery\packs"
+$flagfile = "c:\Program Files\osquery\osquery.flags"
 choco install -y --limit-output --no-progress osquery | Out-String  # Apparently Out-String makes the process wait
 $service = Get-WmiObject -Class Win32_Service -Filter "Name='osqueryd'"
 If (-not ($service)) {
   Write-Host "Setting osquery to run as a service"
   New-Service -Name "osqueryd" -BinaryPathName "C:\Program Files\osquery\osqueryd\osqueryd.exe --flagfile=`"C:\Program Files\osquery\osquery.flags`""
 
-  # Copy over the config and packs from the Palantir repo
+  # Download the flags file from the Palantir osquery-configuration Github
-  Copy-Item "c:\Users\vagrant\AppData\Local\Temp\osquery-configuration-master\Classic\Endpoints\Windows\*" "c:\Program Files\osquery"
+  # GitHub requires TLS 1.2 as of 2/1/2018
-  Copy-Item "c:\Users\vagrant\AppData\Local\Temp\osquery-configuration-master\Classic\Endpoints\packs" -Path "c:\Program Files\osquery"
+  [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+  Invoke-WebRequest -Uri "https://raw.githubusercontent.com/palantir/osquery-configuration/master/Classic/Endpoints/Windows/osquery.flags" -OutFile $flagfile
 
   ## Use the TLS config
   ## Add entry to hosts file for Kolide for SSL validation
@@ -20,14 +20,14 @@ If (-not ($service)) {
   ## Add kolide secret and avoid BOM
   $Utf8NoBomEncoding = New-Object System.Text.UTF8Encoding $False
   [System.IO.File]::WriteAllLines("c:\Program Files\osquery\kolide_secret.txt", "enrollmentsecret", $Utf8NoBomEncoding)
-  ## Change TLS server hostname
+  ## Change TLS server hostname in the flags file
-  (Get-Content "c:\Program Files\osquery\osquery.flags") -replace 'tls.endpoint.server.com', 'kolide:8412' | Set-Content "c:\Program Files\osquery\osquery.flags"
+  (Get-Content $flagfile) -replace 'tls.endpoint.server.com', 'kolide:8412' | Set-Content $flagfile
-  ## Change path to secrets
+  ## Change path to secrets in the flags file
-  (Get-Content "c:\Program Files\osquery\osquery.flags") -replace 'path\\to\\file\\containing\\secret.txt', 'Program Files\osquery\kolide_secret.txt' | Set-Content "c:\Program Files\osquery\osquery.flags"
+  (Get-Content $flagfile) -replace 'path\\to\\file\\containing\\secret.txt', 'Program Files\osquery\kolide_secret.txt' | Set-Content $flagfile
-  ## Change path to certfile
+  ## Change path to certfile in the flags file
-  (Get-Content "c:\Program Files\osquery\osquery.flags") -replace 'c:\\ProgramData\\osquery\\certfile.crt', 'c:\Program Files\osquery\certfile.crt' | Set-Content "c:\Program Files\osquery\osquery.flags"
+  (Get-Content $flagfile) -replace 'c:\\ProgramData\\osquery\\certfile.crt', 'c:\Program Files\osquery\certfile.crt' | Set-Content $flagfile
   ## Remove the verbose flag and replace it with the logger_min_status=1 option (See https://github.com/osquery/osquery/issues/5212)
-  (Get-Content "c:\Program Files\osquery\osquery.flags") -replace '--verbose=true', '--logger_min_status=1' | Set-Content "c:\Program Files\osquery\osquery.flags"
+  (Get-Content $flagfile) -replace '--verbose=true', '--logger_min_status=1' | Set-Content $flagfile
   ## Add certfile.crt
   Copy-Item "c:\vagrant\resources\fleet\server.crt" "c:\Program Files\osquery\certfile.crt"
   ## Start the service