NOTE: The following document describes an experimental, work-in-progress feature. To enable the cscli setup
command, set the environment variable CROWDSEC_FEATURE_CSCLI_SETUP=true
or add the line " - cscli_setup" to /etc/crowdsec/feature.yaml
. Any feedback is welcome.
cscli setup
The "cscli setup" command can configure a crowdsec instance based on the services that are installed or running on the server.
There are three main subcommands:
cscli setup detect
: detect the services, the OS family, version or the Linux distribution
cscli setup install-hub
: install the recommended collections, parsers, etc. based on the detection result
cscli setup datasources
: generate the appropriate acquisition rules
The setup command is used in the wizard.sh
script, but can also be invoked by hand or customized via a configuration file
by adding new services, log locations and detection rules.
Detection and installation are performed as separate steps, as you can see in the following diagram:
+-------------+
| |
| detect.yaml |
| |
+-------------+
|
v
setup detect
|
v
+--------------+
| +---> setup install-hub +-----------------------+
| setup.yaml | | |
| +---> setup datasources --->| etc/crowdsec/acquis.d |
+--------------+ | |
+-----------------------+
You can inspect and customize the intermediary file (setup.yaml
), which is useful
in case of many instances, deployment automation or unusual setups.
A subcommand can be used to check your changes in this case:
cscli setup validate
: validate or report errors on a setup file
Basic usage
Identify the existing services and write out what was detected:
# cscli setup detect > setup.yaml
See what was found.
# cscli setup install-hub setup.yaml --dry-run
dry-run: would install collection crowdsecurity/apache2
dry-run: would install collection crowdsecurity/linux
dry-run: would install collection crowdsecurity/pgsql
dry-run: would install parser crowdsecurity/whitelists
Install the objects (parsers, scenarios...) required to support the detected services:
# cscli setup install-hub setup.yaml
INFO[29-06-2022 03:16:14 PM] crowdsecurity/apache2-logs : OK
INFO[29-06-2022 03:16:14 PM] Enabled parsers : crowdsecurity/apache2-logs
INFO[29-06-2022 03:16:14 PM] crowdsecurity/http-logs : OK
[...]
INFO[29-06-2022 03:16:18 PM] Enabled crowdsecurity/linux
Generate the datasource configuration:
# cscli setup datasources setup.yaml --to-dir /etc/crowdsec/acquis.d
With the above command, each detected service gets a corresponding file in the
acquis.d
directory. Running cscli setup
again may add more services as they
are detected, but datasource files or hub items are never removed
automatically.
The detect.yaml file
A detect.yaml file is downloaded when you first install crowdsec, and is updated by the cscli hub update
command.
NOTE: XXX XXX - this is currently not the case, the file is distributed in the crowdsec repository, but it should change.
You can see the default location with cscli setup detect --help | grep detect-config
The YAML file contains a version number (always 1.0) and a list of sections, one per supported service.
Each service defines its detection rules, the recommended hub items and
recommended datasources. The same software can be defined in multiple service
sections: for example, apache on debian and fedora have different detection
rules and different datasources so it requires two sections to support both platforms.
The following are minimal detect.yaml
examples just to show a few concepts.
version: 1.0
services:
apache2:
when:
- ProcessRunning("apache2")
install:
collections:
- crowdsecurity/apache2
datasources:
source: file
labels:
type: apache2
filenames:
- /var/log/apache2/*.log
- /var/log/httpd/*.log
ProcessRunning()
matches the process name of a running application. The
when:
clause can contain any number of expressions, they are all evaluated
and must all return true for a service to be detected (implied and clause, no
short-circuit). A missing or empty when:
section is evaluated as true.
The expression
engine
is the same one used by CrowdSec parser filters. You can force the detection of
a process by using the cscli setup detect... --force-process <processname>
flag. It will always behave as if <processname>
was running.
The install:
section can contain any number of collections, parsers, scenarios
and postoverflows. In practices, it's most often a single collection.
The datasource:
section is copied as-is in the acquisition file.
NOTE: XXX TODO - the current version does not validate the datasource:
mapping. Bad content is written to acquis.d until crowdsec chokes on it.
Detecting a running process may seem a good idea, but if a process manager like
systemd is available it's better to ask it for the information we want.
version: 1.0
services:
apache2-systemd:
when:
- UnitFound("apache2.service")
- OS.ID != "centos"
install:
collections:
- crowdsecurity/apache2
datasource:
source: file
labels:
type: syslog
filenames:
- /var/log/apache2/*.log
apache2-systemd-centos:
when:
- UnitFound("httpd.service")
- OS.ID == "centos"
install:
collections:
- crowdsecurity/apache2
datasource:
source: file
labels:
type: syslog
filenames:
- /var/log/httpd/*.log
Here we see two more detection methods:
-
UnitFound()
matches the name of systemd units, if the are in state enabled,
generated or static. You can see here that CentOS is using a different unit
name for Apache so it must have its own service section. You can force the
detection of a unit by using the cscli setup detect... --force-unit <unitname>
flag.
-
OS.Family, OS.ID and OS.RawVersion are read from /etc/os-release in case of
Linux, and detected by other methods for FreeBSD and Windows. Under FreeBSD
and Windows, the value of OS.ID is the same as OS.Family. If OS detection
fails, it can be overridden with the flags --force-os-family
, --force-os-id
and --force-os-version
.
If you want to ignore one or more services (i.e. not install anything and not
generate acquisition rules) you can specify it with cscli setup detect... --skip-service <servicename>
. For example, --skip-service apache2-systemd
.
If you want to disable systemd unit detection, use cscli setup detect... --snub-systemd
.
If you used the --force-process
or --force-unit
flags, but none of the
defined services is looking for them, you'll have an error like "detecting
services: process(es) forced but not supported".
NOTE: XXX XXX - having an error for this is maybe too much, but can tell that a configuration is outdated. Could this be a warning with optional flag to make it an error?
We used the OS.ID
value to check for the linux distribution, but since the same configuration
is required for CentOS and the other RedHat derivatives, it's better to check for the existence
of a file that is known to exist in all of them:
version: 1.0
services:
apache2-systemd-deb:
when:
- UnitFound("apache2.service")
- PathExists("/etc/debian_version")
install:
# [...]
apache2-systemd-rpm:
when:
- UnitFound("httpd.service")
- PathExists("/etc/redhat-release")
install:
# [...]
PathExists()
evaluates to true if a file, directory or link exists at the
given path. It does not check for broken links.
Rules can be used to detect operating systems and environments:
version: 1.0
services:
linux:
when:
- OS.Family == "linux"
install:
collections:
- crowdsecurity/linux
datasource:
type: file
labels:
type: syslog
log_files:
- /var/log/syslog
- /var/log/kern.log
- /var/log/messages
freebsd:
when:
- OS.Family == "freebsd"
install:
collections:
- crowdsecurity/freebsd
windows:
when:
- OS.Family == "windows"
install:
collections:
- crowdsecurity/windows
The OS object contains a methods to check for version numbers:
OS.VersionCheck("<constraint>")
. It uses the
Masterminds/semver package and accepts
a variety of operators.
Instead of: OS.RawVersion == "1.2.3" you should use OS.VersionCheck("~1")
,
OS.VersionCheck("~1.2")
depending if you want to match the major or the minor
version. It's unlikely that you need to match the exact patch level.
Leading zeroes are permitted, to allow comparison of Ubuntu versions: strict semver rules would treat "22.04" as invalid.
The setup.yaml
file
This file does not actually have a specific name, as it's usually written to standard output.
For example, on a Debian system running Apache under systemd you can execute:
$ cscli setup detect --yaml
setup:
- detected_service: apache2-systemd-deb
install:
collections:
- crowdsecurity/apache2
datasource:
filenames:
- /var/log/apache2/*.log
labels:
type: apache2
- detected_service: linux
install:
collections:
- crowdsecurity/linux
datasource:
filenames:
- /var/log/syslog
- /var/log/kern.log
- /var/log/messages
labels:
type: syslog
- detected_service: whitelists
install:
parsers:
- crowdsecurity/whitelists
The default output format is JSON, which is compatible with YAML but less readable to humans.
detected_service
: used to generate a name for the files written to acquis.d
install
: can contain collections, parsers, scenarios, postoverflows
datasource
: copied to acquis.d
$ cscli setup datasources --help
generate datasource (acquisition) configuration from a setup file
Usage:
cscli setup datasources [setup_file] [flags]
Flags:
-h, --help help for datasources
--to-dir string write the configuration to a directory, in multiple files
[...]
If the --to-dir
option is not specified, a single monolithic acquis.yaml
is printed to the standard output.