added Malcolm

2021-08-06 10:35:01 +02:00
parent f043730066
commit 70f1922e80
751 changed files with 195277 additions and 0 deletions


@@ -0,0 +1,89 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
unless Vagrant.has_plugin?("vagrant-reload")
raise 'vagrant-reload plugin is not installed!'
end
# hack: https://github.com/hashicorp/vagrant/issues/8878#issuecomment-345112810
class VagrantPlugins::ProviderVirtualBox::Action::Network
def dhcp_server_matches_config?(dhcp_server, config)
true
end
end
Vagrant.configure("2") do |config|
config.vm.box = "bento/ubuntu-20.04"
config.vm.network "private_network", type: "dhcp"
config.vm.synced_folder ".", "/vagrant", disabled: true
if Vagrant.has_plugin?("vagrant-vbguest")
config.vbguest.auto_update = false
end
config.vm.provider "virtualbox" do |vb|
vb.customize ["modifyvm", :id, "--nictype1", "virtio" ]
vb.customize ["modifyvm", :id, "--nicpromisc1", "allow-all"]
vb.customize ["modifyvm", :id, "--natdnshostresolver1", "on"]
vb.customize ["modifyvm", :id, "--natdnsproxy1", "on"]
vb.customize ["modifyvm", :id, "--memory", 2048]
vb.customize ["modifyvm", :id, "--cpus", 2]
vb.customize ["modifyvm", :id, "--vram", 32]
vb.customize ["modifyvm", :id, "--ioapic", "on"]
vb.customize ["modifyvm", :id, "--nestedpaging", "on"]
vb.customize ["modifyvm", :id, "--pae", "on"]
vb.customize ["modifyvm", :id, "--hwvirtex", "on"]
vb.customize ["modifyvm", :id, "--nested-hw-virt", "on"]
end
config.vm.provision "shell", inline: <<-STEP1
export DEBIAN_FRONTEND=noninteractive
export BEAT_VERSION=7.6.2
apt-get update
apt-get install -y auditd gnupg2 curl ca-certificates libcap2-bin libpcap0.8 python3-minimal python-is-python3
curl -sSL https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" >> /etc/apt/sources.list
apt-get update
for BEAT in auditbeat filebeat packetbeat metricbeat; do
apt-get install -y $BEAT-oss=$BEAT_VERSION
done;
STEP1
config.vm.provision "file", source: "./audit.rules", destination: "/tmp/audit.rules"
config.vm.provision "file", source: "../beat_run.py", destination: "/tmp/beat_run.py"
config.vm.provision "file", source: "../beat_config.py", destination: "/tmp/beat_config.py"
config.vm.provision "file", source: "../beat_common.py", destination: "/tmp/beat_common.py"
["auditbeat","filebeat","packetbeat","metricbeat"].to_enum.with_index(1).each do |beat, i|
config.vm.provision "file", source: "./#{beat}.yml", destination: "/tmp/#{beat}.yml"
end
config.vm.provision "shell", inline: <<-STEP2
export DEBIAN_FRONTEND=noninteractive
mv /tmp/beat*.py /usr/local/bin/
chown root:root /usr/local/bin/beat*.py
chmod 755 /usr/local/bin/beat_config.py /usr/local/bin/beat_run.py
chmod 644 /usr/local/bin/beat_common.py
filebeat modules enable system
mv /tmp/audit.rules /etc/audit/rules.d/audit.rules
find /etc/audit -type d -exec chmod 750 "{}" \\;
find /etc/audit -type f -exec chmod 640 "{}" \\;
for BEAT in auditbeat filebeat packetbeat metricbeat; do
mkdir -p /opt/$BEAT
mv /tmp/$BEAT.yml /opt/$BEAT/
chown -R root:root /opt/$BEAT
chmod 700 /opt/$BEAT
chmod 600 /opt/$BEAT/*
done;
STEP2
config.vm.provision :reload
end
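Review bot: The STEP1 provisioner (L44–L55) has no `set -e`, so a failed key download in `curl ... | apt-key add -` (L49) does not stop the script and `apt-get install` still runs against a repository whose signing key was never imported; on top of that, `>> /etc/apt/sources.list` (L50) appends a duplicate entry on every re-provision. Starting the heredoc with `set -euo pipefail` and writing the entry once with `echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" > /etc/apt/sources.list.d/elastic-7.x.list` makes the step fail loudly and idempotent; `apt-key add` is deprecated in newer apt releases in favour of a keyring file referenced by `signed-by`, which can follow as a later change. The same missing `set -e` applies to STEP2 (L63–L80), where a failed `mv` leaves the `chown`/`chmod` lines running on files that were never placed. Separately, the block parameter `i` at L60 is unused, so the loop can be written as `%w[auditbeat filebeat packetbeat metricbeat].each do |beat|` without the `.to_enum.with_index(1)`.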


@@ -0,0 +1,146 @@
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determine how long to wait in burst of events
--backlog_wait_time 0
## Set failure mode to syslog
-f 1
# exclusions
-a always,exclude -F msgtype=AVC
-a always,exclude -F msgtype=CRYPTO_KEY_USER
-a always,exclude -F msgtype=CWD
-a always,exclude -F msgtype=EOE
# commands
-a always,exit -F path=/bin/fusermount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/pmount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/pumount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change
-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change
-a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change
-a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change
-a always,exit -F path=/etc/profile -F perm=wa -k config_file_change
-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy
-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update
-a always,exit -F path=/usr/bin/bsd-write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron
-a always,exit -F path=/usr/bin/dotlock.mailutils -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/fusermount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/ntfs-3g -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/pmount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/pumount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/eject/dmcrypt-get-device -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/lib/policykit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/x86_64-linux-gnu/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/xorg/Xorg.wrap -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/addgroup -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/adduser -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/exim4 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/groupadd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/mount.cifs -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use
-a always,exit -F path=/usr/sbin/nft -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/useradd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod
-a always,exit -F path=/usr/sbin/visudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
# privileged files
-w /bin/kmod -p x -k modules
-w /etc/apparmor.d/ -p wa -k MAC-policy
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/hosts -p wa -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/localtime -p wa -k time-change
-w /etc/network -p wa -k system-locale
-w /etc/nftables.conf -p wa -k nft_config_file_change
-w /etc/opasswd -p wa -k usergroup_modification
-w /etc/passwd -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
-w /sbin/insmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /var/log/btmp -p wa -k session
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/sudo.log -p wa -k sudoaction
-w /var/log/tallylog -p wa -k logins
-w /var/log/wtmp -p wa -k session
-w /var/run/faillock -p wa -k logins
-w /var/run/utmp -p wa -k session
# syscalls
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv
-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
# Make the configuration immutable -- reboot is required to change audit rules
-e 2
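Review bot: `/usr/bin/chfn` is watched twice (L125 and L126) with different `auid` thresholds (`>=1000` vs `>=500`) and different keys, so one chfn execution by a normal user yields two records and L126 is the only rule in the file still using the old UID_MIN; dropping L126, or changing it to `-F auid>=1000`, keeps the file on the single threshold every other rule uses. L218 writes `-a exit,always` where every other rule uses `-a always,exit`; auditctl accepts both orders, but for consistency the line should read `-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale`. Every syscall rule (L200–L213, L218) is `arch=b64` only, so the same syscalls issued by 32-bit binaries on this x86_64 guest are not recorded; the usual practice is to pair each with an `-F arch=b32` counterpart. Because `-e 2` at L220 locks the rule set until reboot, a header comment naming the baseline these rules were derived from would help reviewers check omissions before the file is deployed.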


@@ -0,0 +1,154 @@
# See https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html
# ==============================================================================
auditbeat.modules:
#------------------------------- auditd Module -------------------------------
- module: auditd
socket_type: multicast
resolve_ids: true
failure_mode: log
backlog_limit: 16384
rate_limit: 0
include_raw_message: false
include_warnings: false
backpressure_strategy: auto
# audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
# no rules specified, auditd will run and manage rules
# see https://www.elastic.co/guide/en/beats/auditbeat/master/auditbeat-module-auditd.html
# don't forward some things that are always going to be happening to cut down on noise
# and some other approved common stuff that would clutter the logs
processors:
- drop_event:
when:
and:
- equals:
auditd.message_type: 'syscall'
- equals:
auditd.summary.object.type: 'file'
- or:
- and:
- or:
- equals:
auditd.data.syscall: 'open'
- equals:
auditd.data.syscall: 'openat'
- regexp:
auditd.summary.object.primary: '^/(proc/|etc/localtime|usr/lib/x86_64-linux-gnu/gconv/gconv-modules\.cache)'
- or:
- equals:
auditd.summary.how: '/usr/share/auditbeat/bin/auditbeat'
- and:
- or:
- equals:
auditd.data.syscall: 'open'
- equals:
auditd.data.syscall: 'openat'
- not:
has_fields: ['auditd.summary.object.primary']
- and:
- equals:
auditd.data.syscall: 'open'
- regexp:
auditd.summary.object.primary: '^/.+/__pycache__/$'
- equals:
auditd.summary.how: 'python3.8'
- module: file_integrity
paths:
- /bin
- /etc
- /sbin
- /usr/bin
- /usr/local/bin
- /usr/sbin
recursive: true
# TODO: system module is apparently only available in the non-OSS basic license :-(
# - module: system
# datasets:
# - host # General host information, e.g. uptime, IPs
# - user # User information
# - login # Logins/logouts
# - package # dpkg/rpm package manager logs
# period: 1m
# state.period: 12h
# user.detect_password_changes: true
# - module: system
# datasets:
# - process # Started and stopped processes
# - socket # Opened and closed sockets
# period: 1s
# # drop noise
# processors:
# - drop_event:
# when:
# or:
# - and:
# - equals:
# event.module: 'system'
# - equals:
# event.dataset: 'socket'
# - equals:
# destination.ip: '127.0.0.1'
# - equals:
# source.ip: '127.0.0.1'
# - and:
# - equals:
# event.module: 'system'
# - equals:
# event.dataset: 'socket'
# - equals:
# destination.ip: "${BEAT_ES_HOST}"
# - and:
# - equals:
# event.module: 'system'
# - equals:
# event.dataset: 'socket'
# - equals:
# destination.ip: "${BEAT_KIBANA_HOST}"
# - and:
# - equals:
# event.module: 'system'
# - equals:
# event.dataset: 'process'
# - or:
# - equals:
# process.executable: '/bin/sleep'
# - equals:
# process.executable: '/usr/bin/sort'
# - equals:
# process.executable: '/usr/bin/tail'
# - equals:
# process.executable: '/usr/bin/clear'
# - equals:
# process.executable: '/usr/bin/head'
# - equals:
# process.executable: '/bin/date'
# - equals:
# process.executable: '/bin/ls'
# - equals:
# process.executable: '/usr/bin/stat'
# - equals:
# process.executable: '/usr/bin/cut'
# - equals:
# process.executable: '/usr/bin/xargs'
# - equals:
# process.executable: '/usr/bin/tr'
# - equals:
# process.executable: '/bin/grep'
# - equals:
# process.executable: '/bin/sed'
# - equals:
# process.executable: '/bin/df'
# - equals:
# process.executable: '/usr/bin/du'
# - equals:
# process.executable: '/usr/bin/gawk'
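Review bot: The last drop condition (L271–L277) matches `auditd.summary.how` against the literal `python3.8`, so the `__pycache__` noise filter silently stops working once the guest's default interpreter moves to another 3.x release; a `regexp` on `auditd.summary.how` such as `'^python3(\.\d+)?$'` would survive that, or at least a comment should state that the version is deliberately pinned. The exclusion at L260–L262 drops every file-syscall event whose executable is `/usr/share/auditbeat/bin/auditbeat` without saying why; a one-line comment like `# auditbeat's own reads of its config/registry are excluded to avoid self-generated noise` would make the intent reviewable. With `socket_type: multicast` (L230) and the note at L239 that auditd manages the rules, `backlog_limit: 16384` (L233) presumably never reaches the kernel and disagrees with the `-b 8192` in audit.rules — worth confirming against the auditd module documentation and recording which side is authoritative.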


@@ -0,0 +1,14 @@
# See https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html
# https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-reference-yml.html
# ==============================================================================
filebeat.modules:
#------------------------------- System Module -------------------------------
- module: system
syslog:
enabled: true
auth:
enabled: true


@@ -0,0 +1,44 @@
# See https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-reference-yml.html
# ==============================================================================
metricbeat.config.modules:
path: ${path.config}/conf.d/*.yml
reload.period: 10s
reload.enabled: false
metricbeat.max_start_delay: 10s
metricbeat.modules:
#------------------------------- System Module -------------------------------
- module: system
period: 30s
metricsets:
- cpu # CPU usage
- load # CPU load averages
- memory # Memory usage
- network # Network IO
- process # Per process metrics
- process_summary # Process summary
- uptime # System Uptime
- diskio # Disk IO
enabled: true
processes: ['.*']
process.include_top_n:
enabled: true
by_cpu: 10
by_memory: 10
cpu.metrics: ["percentages"]
core.metrics: ["percentages"]
- module: system
period: 1m
metricsets:
- filesystem # File system usage for each mountpoint
- fsstat # File system summary metrics
processors:
- drop_event.when.regexp:
system.filesystem.mount_point: '^/(sys|cgroup|proc|dev|etc|host|lib|boot)($|/)'


@@ -0,0 +1,87 @@
# See https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-reference-yml.html
# ==============================================================================
#------------------------------- network device ------------------------------
packetbeat.interfaces.device: any
packetbeat.interfaces.type: pcap
packetbeat.interfaces.snaplen: 65535
#------------------------------- flows ---------------------------------------
packetbeat.flows:
enabled: true
timeout: 30s
period: 10s
#------------------------------- transaction protocols -----------------------
packetbeat.protocols:
- type: icmp
enabled: true
- type: amqp
enabled: true
ports: [5672]
- type: cassandra
enabled: true
ports: [9042]
- type: dhcpv4
enabled: true
ports: [67, 68]
- type: dns
enabled: true
ports: [53]
include_authorities: true
include_additionals: true
- type: http
enabled: true
ports: [80, 8080, 8000, 5000, 8002]
- type: memcache
enabled: true
ports: [11211]
- type: mysql
enabled: true
ports: [3306,3307]
- type: pgsql
enabled: true
ports: [5432]
- type: redis
enabled: true
ports: [6379]
- type: thrift
enabled: true
ports: [9090]
- type: mongodb
enabled: true
ports: [27017]
- type: nfs
enabled: true
ports: [2049]
- type: tls
enabled: true
ports:
- 443 # HTTPS
- 993 # IMAPS
- 995 # POP3S
- 5223 # XMPP over SSL
- 8883 # Secure MQTT
- 9243 # Elasticsearch
#------------------------------- monitored processes -------------------------
packetbeat.procs.enabled: true
packetbeat.ignore_outgoing: false