added Malcolm

2021-08-06 10:35:01 +02:00
parent f043730066
commit 70f1922e80
751 changed files with 195277 additions and 0 deletions


@@ -0,0 +1,14 @@
# build artifacts
*.iso
*-build.log
.vagrant
/config/packages.chroot/*.deb
/moloch/*.deb
# a temporary copy of ../shared
/shared
# we're storing PNGs, generating JPGs at build time but we don't need to keep them
/docs/images/*.jpg
/HedgehogLinux.html
/HedgehogLinux.jpg.md
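Review bot: `/config/packages.chroot/*.deb` and `/moloch/*.deb` untrack the locally supplied packages that live-build installs into the image chroot, so a clone carries no record of which package versions end up in an ISO; if a script elsewhere in this commit fetches or builds them, a comment here pointing at it (or a committed manifest of name, version and checksum beside the ignored files) would let a reviewer audit an image against its inputs. Smaller point: `/shared` and `/docs/images/*.jpg` each get a comment explaining why they are ignored, but `/HedgehogLinux.html` and `/HedgehogLinux.jpg.md` do not; a one-line note saying what generates them keeps the file self-describing.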


@@ -0,0 +1,943 @@
# Hedgehog Linux
## Network Traffic Capture Appliance
![](./docs/logo/hedgehog-color-w-text.png)
Hedgehog Linux is a Debian-based operating system built to
* monitor network interfaces
* capture packets to PCAP files
* detect file transfers in network traffic and extract and scan those files for threats
* generate and forward Zeek logs, Arkime sessions and other information to [Malcolm](https://github.com/cisagov/malcolm)
### <a name="TableOfContents"></a>Table of Contents
* [Sensor installation](#Installation)
- [Image boot options](#BootOptions)
- [Installer](#Installer)
* [Boot](#Boot)
- [Kiosk mode](#KioskMode)
* [Configuration](#Configuration)
- [Interfaces, hostname, and time synchronization](#ConfigRoot)
+ [Hostname](#ConfigHostname)
+ [Interfaces](#ConfigIface)
+ [Time synchronization](#ConfigTime)
- [Capture, forwarding, and autostart services](#ConfigUser)
+ [Capture](#ConfigCapture)
* [Automatic file extraction and scanning](#ZeekFileExtraction)
+ [Forwarding](#ConfigForwarding)
* [filebeat](#filebeat): Zeek log forwarding
* [moloch-capture](#moloch-capture): Arkime session forwarding
* [metricbeat](#metricbeat): resource statistics forwarding
* [auditbeat](#auditbeat): audit log forwarding
* [filebeat-syslog](#syslogbeat): syslog forwarding
* [heatbeat](#heatbeat): temperature forwarding
+ [Autostart services](#ConfigAutostart)
* [Appendix A - Generating the ISO](#ISOBuild)
* [Appendix B - Configuring SSH access](#ConfigSSH)
* [Appendix C - Troubleshooting](#Troubleshooting)
* [Appendix D - Hardening](#Hardening)
- [STIG compliance exceptions](#STIGExceptions)
- [CIS benchmark compliance exceptions](#CISExceptions)
* [Appendix E - Upgrades](#UpgradePlan)
* [Copyright](#Footer)
# <a name="Installation"></a>Sensor installation
## <a name="BootOptions"></a>Image boot options
The Hedgehog Linux installation image, when provided on an optical disc, USB thumb drive, or other removable medium, can be used to install or reinstall the sensor software.
![Sensor installation image boot menu](./docs/images/boot_options.png)
The boot menu of the sensor installer image provides several options:
* **Live system** and **Live system (fully in RAM)** may also be used to run the sensor in a "live USB" mode without installing any software or making any persistent configuration changes on the sensor hardware.
* **Install Hedgehog Linux** and **Install Hedgehog Linux (encrypted)** are used to [install the sensor](#Installer) onto the current system. Both selections install the same operating system and sensor software, the only difference being that the **encrypted** option encrypts the hard disks with a password (provided in a subsequent step during installation) that must be provided each time the sensor boots. There is some CPU overhead involved in an encrypted installation, so it is recommended that encrypted installations only be used for mobile installations (eg., on a sensor that may be shipped or carried for an incident response) and that the unencrypted option be used for fixed sensors in secure environments.
* **Install Hedgehog Linux (advanced configuration)** allows you to configure installation fully using all of the [Debian installer](https://www.debian.org/releases/stable/amd64/) settings and should only be selected for advanced users who know what they're doing.
* **Rescue system** is included for debugging and/or system recovery and should not be needed in most cases.
## <a name="Installer"></a>Installer
The sensor installer is designed to require as little user input as possible. For this reason, there are NO user prompts and confirmations about partitioning and reformatting hard disks for use by the sensor. The installer assumes that all non-removable storage media (eg., SSD, HDD, NVMe, etc.) are available for use and ⛔🆘😭💀 ***will partition and format them without warning*** 💀😭🆘⛔.
The installer will ask for a few pieces of information prior to installing the sensor operating system:
* **Root password** a password for the privileged root account which is rarely needed (only during the configuration of the sensors network interfaces and setting the sensor host name)
* **User password** a password for the non-privileged sensor account under which the various sensor capture and forwarding services run
* **Encryption password** (optional) if the encrypted installation option was selected at boot time, the encryption password must be entered every time the sensor boots
Each of these passwords must be entered twice to ensure they were entered correctly.
![Example of the installer's password prompt](./docs/images/users_and_passwords.png)
After the passwords have been entered, the installer will proceed to format the system drive and install Hedgehog Linux.
![Installer progress](./docs/images/installer_progress.png)
At the end of the installation process, you will be prompted with a few self-explanatory yes/no questions:
* **Disable IPv6?**
* **Automatically login to the GUI session?**
* **Should the GUI session be locked due to inactivity?**
* **Display the [Standard Mandatory DoD Notice and Consent Banner](https://www.stigviewer.com/stig/application_security_and_development/2018-12-24/finding/V-69349)?** *(only applies when installed on U.S. government information systems)*
Following these prompts, the installer will reboot and Hedgehog Linux will boot.
# <a name="Boot"></a>Boot
Each time the sensor boots, a grub boot menu will be shown briefly, after which the sensor will proceed to load.
## <a name="KioskMode"></a>Kiosk mode
![Kiosk mode sensor menu: resource statistics](./docs/images/kiosk_mode_sensor_menu.png)
The sensor automatically logs in as the sensor user account and runs in **kiosk mode**, which is intended to show an at-a-glance view of the its resource utilization. Clicking the **☰** icon in allows you to switch between the resource statistics view and the services view.
![Kiosk mode sensor menu: services](./docs/images/kiosk_mode_services_menu.png)
The kiosk's services screen (designed with large clickable labels for small portable touch screens) can be used to start and stop essential services, get a status report of the currently running services, and clean all captured data from the sensor.
!["Clean Sensor" confirmation prompt before deleting sensor data](./docs/images/kiosk_mode_wipe_prompt.png)
!["Sensor Status" report from the kiosk services menu](./docs/images/kiosk_mode_status.png)
# <a name="Configuration"></a>Configuration
Kiosk mode can be exited by connecting an external USB keyboard and pressing **Alt+F4**, upon which the *sensor* user's desktop is shown.
![Sensor login session desktop](./docs/images/desktop.png)
Several icons are available in the top menu bar:
* **Terminal** - opens a command prompt in a terminal emulator
* **Browser** - opens a web browser
* **Kiosk** returns the sensor to kiosk mode
* **README** displays this document
* **Sensor status** displays a list with the status of each sensor service
* **Configure capture and forwarding** opens a dialog for configuring the sensor's capture and forwarding services, as well as specifying which services should autostart upon boot
* **Configure interfaces and hostname** opens a dialog for configuring the sensor's network interfaces and setting the sensor's hostname
* **Restart sensor services** - stops and restarts all of the [autostart services](#ConfigAutostart)
## <a name="ConfigRoot"></a>Interfaces, hostname, and time synchronization
### <a name="ConfigHostname"></a>Hostname
The first step of sensor configuration is to configure the network interfaces and sensor hostname. Double-clicking the **Configure Interfaces and Hostname** desktop icon (or, if you are at a command line prompt, running `configure-interfaces`) will prompt you for the root password you created during installation, after which the configuration welcome screen is shown. Select **Continue** to proceed.
You may next select whether to configure the network interfaces, hostname, or time synchronization.
![Selection to configure network interfaces, hostname, or time synchronization](./docs/images/root_config_mode.png)
Selecting **Hostname**, you will be presented with a summary of the current sensor identification information, after which you may specify a new sensor hostname. This name will be used to tag all events forwarded from this sensor in the events' **host.name** field.
![Specifying a new sensor hostname](./docs/images/hostname_setting.png)
### <a name="ConfigIface"></a>Interfaces
Returning to the configuration mode selection, choose **Interface**. You will be prompted if you would like help identifying network interfaces. If you select **Yes**, you will be prompted to select a network interface, after which that interface's link LED will blink for 10 seconds to help you in its identification. This network interface identification aid will continue to prompt you to identify further network interfaces until you select **No**.
You will be presented with a list of interfaces to configure as the sensor management interface. This is the interface the sensor itself will use to communicate with the network in order to, for example, forward captured logs to an aggregate server. In order to do so, the management interface must be assigned an IP address. This is generally **not** the interface used for capturing data. Select the interface to which you wish to assign an IP address. The interfaces are listed by name and MAC address and the associated link speed is also displayed if it can be determined. For interfaces without a connected network cable, generally a `-1` will be displayed instead of the interface speed.
![Management interface selection](./docs/images/select_iface.png)
Depending on the configuration of your network, you may now specify how the management interface will be assigned an IP address. In order to communicate with an event aggregator over the management interface, either **static** or **dhcp** must be selected.
![Interface address source](./docs/images/iface_mode.png)
If you select static, you will be prompted to enter the IP address, netmask, and gateway to assign to the management interface.
![Static IP configuration](./docs/images/iface_static.png)
In either case, upon selecting **OK** the network interface will be brought down, configured, and brought back up, and the result of the operation will be displayed. You may choose **Quit** upon returning to the configuration tools welcome screen.
### <a name="ConfigTime"></a>Time synchronization
Returning to the configuration mode selection, choose **Time Sync**. Here you can configure the sensor to keep its time synchronized with either an NTP server (using the NTP protocol) or a local [Malcolm](https://github.com/cisagov/malcolm) aggregator or another HTTP/HTTPS server. On the next dialog, choose the time synchronization method you wish to configure.
![Time synchronization method](./docs/images/time_sync_mode.png)
If **htpdate** is selected, you will be prompted to enter the IP address or hostname and port of an HTTP/HTTPS server (for a Malcolm instance, port `9200` may be used) and the time synchronization check frequency in minutes. A test connection will be made to determine if the time can be retrieved from the server.
![*htpdate* configuration](./docs/images/htpdate_setup.png)
If *ntpdate* is selected, you will be prompted to enter the IP address or hostname of the NTP server.
![NTP configuration](./docs/images/ntp_host.png)
Upon configuring time synchronization, a "Time synchronization configured successfully!" message will be displayed, after which you will be returned to the welcome screen.
## <a name="ConfigUser"></a>Capture, forwarding, and autostart services
Double-clicking the **Configure Capture and Forwarding** icon (or, if you are at a command prompt, running `configure-capture`) will launch the configuration tool for capture and forwarding. The root password is not required as it was for the interface and hostname configuration, as sensor services are run under the non-privileged sensor account. Select **Continue** to proceed. You may select from a list of configuration options.
![Select configuration mode](./docs/images/capture_config_main.png)
### <a name="ConfigCapture"></a>Capture
Choose **Configure Capture** to configure parameters related to traffic capture and local analysis. You will be prompted if you would like help identifying network interfaces. If you select **Yes**, you will be prompted to select a network interface, after which that interface's link LED will blink for 10 seconds to help you in its identification. This network interface identification aid will continue to prompt you to identify further network interfaces until you select **No**.
You will be presented with a list of network interfaces and prompted to select one or more capture interfaces. An interface used to capture traffic is generally a different interface than the one selected previously as the management interface, and each capture interface should be connected to a network tap or span port for traffic monitoring. Capture interfaces are usually not assigned an IP address as they are only used to passively “listen” to the traffic on the wire. The interfaces are listed by name and MAC address and the associated link speed is also displayed if it can be determined. For interfaces without a connected network cable, generally a `-1` will be displayed instead of the interface speed.
![Select capture interfaces](./docs/images/capture_iface_select.png)
Upon choosing the capture interfaces and selecting OK, you may optionally provide a capture filter. This filter will be used to limit what traffic the PCAP service ([`tcpdump`](https://www.tcpdump.org/)) and the traffic analysis service ([`zeek`](https://www.zeek.org/)) will see. Capture filters are specified using [Berkeley Packet Filter (BPF)](http://biot.com/capstats/bpf.html) syntax. Clicking **OK** will attempt to validate the capture filter, if specified, and will present a warning if the filter is invalid.
![Specify capture filters](./docs/images/capture_filter.png)
Next you must specify the paths where captured PCAP files and Zeek logs will be stored locally on the sensor. If the installation worked as expected, these paths should be prepopulated to reflect paths on the volumes formatted at install time for the purpose storing these artifacts. Usually these paths will exist on separate storage volumes. Enabling the PCAP and Zeek log pruning autostart services (see the section on autostart services below) will enable monitoring of these paths to ensure that their contents do not consume more than 90% of their respective volumes space. Choose **OK** to continue.
![Specify capture paths](./docs/images/capture_paths.png)
#### <a name="ZeekFileExtraction"></a>Automatic file extraction and scanning
Hedgehog Linux can leverage Zeek's knowledge of network protocols to automatically detect file transfers and extract those files from network traffic as Zeek sees them.
To specify which files should be extracted, specify the Zeek file carving mode:
![Zeek file carving mode](./docs/images/zeek_file_carve_mode.png)
If you're not sure what to choose, either of **mapped (except common plain text files)** (if you want to carve and scan almost all files) or **interesting** (if you only want to carve and scan files with [mime types of common attack vectors](./interface/sensor_ctl/extractor_override.interesting.zeek)) is probably a good choice.
Next, specify which carved files to preserve (saved on the sensor under `/capture/bro/capture/extract_files/quarantine` by default). In order to not consume all of the sensor's available storage space, the oldest preserved files will be pruned along with the oldest Zeek logs as described below with **AUTOSTART_PRUNE_ZEEK** in the [autostart services](#ConfigAutostart) section.
You'll be prompted to specify which engine(s) to use to analyze extracted files. Extracted files can be examined through any of three methods:
![File scanners](./docs/images/zeek_file_carve_scanners.png)
* scanning files with [**ClamAV**](https://www.clamav.net/); to enable this method, select **ZEEK_FILE_SCAN_CLAMAV** when specifying scanners for Zeek-carved files
* submitting file hashes to [**VirusTotal**](https://www.virustotal.com/en/#search); to enable this method, select **ZEEK_FILE_SCAN_VTOT** when specifying scanners for Zeek-carved files, then manually edit `/opt/sensor/sensor_ctl/control_vars.conf` and specify your [VirusTotal API key](https://developers.virustotal.com/reference) in `VTOT_API2_KEY`
* scanning files with [**Yara**](https://github.com/VirusTotal/yara); to enable this method, select **ZEEK_FILE_SCAN_YARA** when specifying scanners for Zeek-carved files
* scanning portable executable (PE) files with [**Capa**](https://github.com/fireeye/capa); to enable this method, select **ZEEK_FILE_SCAN_CAPA** when specifying scanners for Zeek-carved files
Files which are flagged as potentially malicious will be logged as Zeek `signatures.log` entries, and can be viewed in the **Signatures** dashboard in [Kibana](https://github.com/cisagov/malcolm#KibanaVisualizations) when forwarded to Malcolm.
![File quarantine](./docs/images/file_quarantine.png)
Finally, you will then be presented with the list of configuration variables that will be used for capture, including the values which you have configured up to this point in this section. Upon choosing **OK** these values will be written back out to the sensor configuration file located at `/opt/sensor/sensor_ctl/control_vars.conf`. It is not recommended that you edit this file manually. After confirming these values, you will be presented with a confirmation that these settings have been written to the configuration file, and you will be returned to the welcome screen.
![Capture parameters summary](./docs/images/capture_confirm.png)
### <a name="ConfigForwarding"></a>Forwarding
Select **Configure Forwarding** to set up forwarding logs and statistics from the sensor to an aggregator server, such as [Malcolm](https://github.com/cisagov/malcolm) or another [Elastic Stack](https://www.elastic.co/products/)-based server.
![Configure forwarders](./docs/images/forwarder_config.png)
There are five forwarder services used on the sensor, each for forwarding a different type of log or sensor metric.
### <a name="filebeat"></a>filebeat: Zeek log forwarding
[Filebeat](https://www.elastic.co/products/beats/filebeat) is used to forward [Zeek](https://www.zeek.org/) logs to a remote [Logstash](https://www.elastic.co/products/logstash) instance for further enrichment prior to insertion into an [Elasticsearch](https://www.elastic.co/products/elasticsearch) database.
To configure filebeat, first provide the log path (the same path previously configured for Zeek log file generation). You must also provide the IP address of the Logstash instance to which the logs are to be forwarded, and the port on which Logstash is listening. These logs are forwarded using the Beats protocol, generally over port 5044. Depending on your network configuration, you may need to open this port in your firewall to allow this connection from the sensor to the aggregator.
![Configure filebeat for Zeek log forwrding](./docs/images/filebeat_dest.png)
Next you are asked whether the connection used for Zeek log forwarding should be done **unencrypted** or over **SSL**. Unencrypted communication requires less processing overhead and is simpler to configure, but the contents of the logs may be visible to anyone who is able to intercept that traffic.
![Filebeat SSL certificate verification](./docs/images/filebeat_ssl.png)
If **SSL** is chosen, you must choose whether to enable [SSL certificate verification](https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ssl-logstash.html). If you are using a self-signed certificate (such as the one automatically created during [Malcolm's configuration](https://github.com/cisagov/malcolm#configure-authentication), choose **None**.
![Unencrypted vs. SSL encryption for Zeek log forwarding](./docs/images/filebeat_ssl_verify.png)
The last step for SSL-encrypted Zeek log forwarding is to specify the SSL certificate authority, certificate, and key files. These files must match those used by the Logstash instance receiving the Zeek logs on the aggregator. If Malcolm's `auth_setup` script was used to generate these files they would be found in the `filebeat/certs/` subdirectory of the Malcolm installation and must be manually copied to the sensor (stored under `/opt/sensor/sensor_ctl/filebeat/` or in any other path accessible to the sensor account). Specify the location of the certificate authorities file (eg., `ca.crt`), the certificate file (eg., `client.crt`), and the key file (eg., `client.key`).
![SSL certificate files](./docs/images/filebeat_certs.png)
The Logstash instance receiving the events must be similarly configured with matching SSL certificate and key files. Under Malcolm, the `BEATS_SSL` variable must be set to true in Malcolm's `docker-compose.yml` file and the SSL files must exist in the `logstash/certs/` subdirectory of the Malcolm installation.
Once you have specified all of the filebeat parameters, you will be presented with a summary of the settings related to the forwarding of these logs. Selecting **OK** will cause the parameters to be written to filebeats configuration keystore under `/opt/sensor/sensor_ctl/filebeat` and you will be returned to the configuration tools welcome screen.
![Confirm filebeat settings](./docs/images/filebeat_confirm.png)
### <a name="moloch-capture"></a>moloch-capture: Arkime session forwarding
[moloch-capture](https://github.com/arkime/arkime/tree/master/capture) is not only used to capture PCAP files, but also the parse raw traffic into sessions and forward this session metadata to an [Elasticsearch](https://www.elastic.co/products/elasticsearch) database so that it can be viewed in [Arkime viewer](https://molo.ch/), whether standalone or as part of a [Malcolm](https://github.com/cisagov/malcolm) instance. If you're using Hedgehog Linux with Malcolm, please read [Correlating Zeek logs and Arkime sessions](https://github.com/cisagov/malcolm#ZeekArkimeFlowCorrelation) in the Malcolm documentation for more information.
First, select the Elasticsearch connection transport protocol, either **HTTPS** or **HTTP**. If the metrics are being forwarded to Malcolm, select **HTTPS** to encrypt messages from the sensor to the aggregator using TLS v1.2 using ECDHE-RSA-AES128-GCM-SHA256. If **HTTPS** is chosen, you must choose whether to enable SSL certificate verification. If you are using a self-signed certificate (such as the one automatically created during [Malcolm's configuration](https://github.com/cisagov/malcolm#configure-authentication)), choose **None**.
![Elasticsearch connection protocol](./docs/images/metricbeat_elastic_protocol.png) ![Elasticsearch SSL verification](./docs/images/metricbeat_elastic_ssl.png)
Next, enter the **Elasticsearch host** IP address (ie., the IP address of the aggregator) and port. These metrics are written to an Elasticsearch database using a RESTful API, usually using port 9200. Depending on your network configuration, you may need to open this port in your firewall to allow this connection from the sensor to the aggregator.
![Elasticsearch host and port](./docs/images/moloch-capture-ip-port.png)
You will be asked to enter authentication credentials for the sensors connections to the aggregators Elasticsearch API. After youve entered the username and the password, the sensor will attempt a test connection to Elasticsearch using the connection information provided.
![Elasticsearch username](./docs/images/elasticsearch-username.png) ![Elasticsearch password](./docs/images/elasticsearch_password.png) ![Successful Elasticsearch connection](./docs/images/metricbeat_elasticsearch_success.png)
Finally, you will be shown a dialog for a list of IP addresses used to populate an access control list (ACL) for hosts allowed to connect back to the sensor for retrieving session payloads from its PCAP files for display in Arkime viewer. The list will be prepopulated with the IP address entered a few screens prior to this one.
![PCAP retrieval ACL](./docs/images/malcolm_moloch_reachback_acl.png)
Finally, youll be given the opportunity to review the all of the moloch-capture forwrading options youve specified. Selecting **OK** will cause the parameters to be saved and you will be returned to the configuration tools welcome screen.
![moloch-capture settings confirmation](./docs/images/moloch_confirm.png) ![moloch-capture settings applied successfully](./docs/images/moloch_success.png)
### <a name="metricbeat"></a>metricbeat: resource statistics forwarding
The sensor uses [metricbeat](https://www.elastic.co/products/beats/metricbeat) to forward system resource metrics (CPU, network I/O, disk I/O, memory utilization, etc.) to an Elasticsearch database using a RESTful API using HTTP/HTTPS as the transport protocol. Select **metricbeat** from the forwarding configuration mode options.
Metricbeat gathers system resource metrics at an interval you specify. The default interval is 30 seconds, but it can be set to any value between 1 and 60 seconds.
![Metricbeat interval](./docs/images/metricbeat_interval.png)
Next, select the Elasticsearch connection transport protocol, either **HTTPS** or **HTTP**. If the metrics are being forwarded to Malcolm, select **HTTPS** to encrypt messages from the sensor to the aggregator using TLS v1.2 using ECDHE-RSA-AES128-GCM-SHA256. If **HTTPS** is chosen, you must choose whether to enable SSL certificate verification. If you are using a self-signed certificate (such as the one automatically created during [Malcolm's configuration](https://github.com/cisagov/malcolm#configure-authentication), choose **None**.
![Elasticsearch connection protocol](./docs/images/metricbeat_elastic_protocol.png) ![Elasticsearch SSL verification](./docs/images/metricbeat_elastic_ssl.png)
Next, enter the **Elasticsearch host** IP address (ie., the IP address of the aggregator) and port. These metrics are written to an Elasticsearch database using a RESTful API, usually using port 9200. Depending on your network configuration, you may need to open this port in your firewall to allow this connection from the sensor to the aggregator.
![Elasticsearch host and port](./docs/images/metricbeat_elastic_host.png)
Next, you will be asked if you wish to configure **Kibana** connectivity. [Kibana](https://www.elastic.co/products/kibana) is the Elastic Stacks data visualization tool. If you choose **Yes** and proceed to configure Kibana connectivity, metricbeat will create custom search indexes, visualizations, and dashboards for Kibana to display the sensors resource metrics.
You will be prompted to specify the **connection protocol** and (for HTTPS) **SSL verification** for Kibana. These values should probably be the same ones you chose for Elasticsearch. You will also be prompted for the **Kibana host** IP address and **port**. The IP address will probably be the same one you specified for Elasticsearch. The default Kibana port is 5601.
The final settings required to configure Kibana are whether or not to configure **Kibana dashboards** and the local directory on the sensor containing the dashboards to be imported. The default values are probably what you want.
Finally, you will be asked to enter authentication credentials for the sensors connections to the aggregators Elasticsearch and Kibana APIs.
After youve entered the username and the password, the sensor will attempt test connections to the Elasticsearch and Kibana APIs using the connection information provided.
![Elasticsearch/Kibana username](./docs/images/metricbeat_elastic_username.png) ![Elasticsearch/Kibana password](./docs/images/metricbeat_elastic_password.png) ![Successful Elasticsearch connection](./docs/images/metricbeat_elasticsearch_success.png) ![Successful Kibana connection](./docs/images/metricbeat_kibana_success.png)
Finally, youll be given the opportunity to review the all of the metricbeat options youve specified. Selecting **OK** will cause the parameters to be written to metricbeats configuration keystore under `/opt/sensor/sensor_ctl/metricbeat` and you will be returned to the configuration tools welcome screen.
![Metricbeat settings confirmation](./docs/images/metricbeat_confirm.png) ![Metricbeat settings applied successfully](./docs/images/metricbeat_success.png)
### <a name="auditbeat"></a>auditbeat: audit log forwarding
The sensor uses [auditbeat](https://www.elastic.co/products/beats/auditbeat) to forward auditd logs, process and socket statistics, and sensor system file integrity information to an Elasticsearch database. Its configuration is almost identical to that of metricbeat in the previous section. Select **auditbeat** from the forwarding configuration mode options and follow the same steps outlined above to set up this forwarder.
The sensor implements STIG (Security Technical Implementation Guidelines) rules according to DISA RHEL 7 STIG V1 R1, ported to a Debian 9 base platform. Enabling audit log forwarding via auditbeat is required to satisfy the requirements regarding forwarding audit logs to a remote log server as defined in that specification.
### <a name="syslogbeat"></a>filebeat-syslog: syslog forwarding
The sensor uses [filebeats syslog input](https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-input-syslog.html) to forward the sensors system logs to an Elasticsearch database. Its configuration is almost identical to that of metricbeat in a previous section. Select **filebeat-syslog** from the forwarding configuration mode options and follow the same steps outlined above to set up this forwarder.
Enabling syslog forwarding via filebeat is required to satisfy the STIG requirements regarding sending system logs to a remote log server as defined in that specification.
### <a name="heatbeat"></a>heatbeat: temperature forwarding
The sensor employs a custom agent using the beats protocol to forward hardware metrics such as CPU and storage device temperatures, system voltages, and fan speeds (when applicable) to an Elasticsearch database. Its configuration is almost identical to that of metricbeat in a previous section. Select **heatbeat** from the forwarding configuration mode options and follow the same steps outlined above to set up this forwarder.
### <a name="ConfigAutostart"></a>Autostart services
Once the forwarders have been configured, the final step is to **Configure Autostart Services**. Choose this option from the configuration mode menu after the welcome screen of the sensor configuration tool.
Despite configuring capture and/or forwarder services as described in previous sections, only services enabled in the autostart configuration will run when the sensor starts up. The available autostart processes are as follows (recommended services are in **bold text**):
* **AUTOSTART_AUDITBEAT** [auditbeat](#auditbeat) audit log forwarder
* **AUTOSTART_CLAMAV_UPDATES** Virus database update service for ClamAV (requires sensor to be connected to the internet)
* **AUTOSTART_FILEBEAT** [filebeat](#filebeat) Zeek log forwarder
* **AUTOSTART_HEATBEAT** [sensor hardware](#heatbeat) (eg., CPU and storage device temperature) metrics forwarder
* **AUTOSTART_HEATBEAT_SENSORS** the background process monitoring [hardware sensors](#heatbeat) for temperatures, voltages, fan speeds, etc. (this is required in addition to **AUTOSTART_HEATBEAT** metrics forwarding)
* **AUTOSTART_METRICBEAT** system resource utilization [metrics forwarder](#metricbeat)
* **AUTOSTART_ARKIME** [moloch-capture](#moloch-capture) PCAP engine for traffic capture, as well as traffic parsing and metadata insertion into Elasticsearch for viewing in [Arkime](https://molo.ch/). If you are using Hedgehog Linux along with [Malcolm](https://github.com/cisagov/malcolm) or another Arkime installation, this is probably the packet capture engine you want to use.
* *AUTOSTART_NETSNIFF* [netsniff-ng](http://netsniff-ng.org/) PCAP engine for saving packet capture (PCAP) files
* **AUTOSTART_PRUNE_ZEEK** storage space monitor to ensure that Zeek logs do not consume more than 90% of the total size of the storage volume to which Zeek logs are written
* **AUTOSTART_PRUNE_PCAP** storage space monitor to ensure that PCAP files do not consume more than 90% of the total size of the storage volume to which PCAP files are written
* **AUTOSTART_SYSLOGBEAT** filebeat [system log forwarder](#syslogbeat)
* *AUTOSTART_TCPDUMP* [tcpdump](https://www.tcpdump.org/) PCAP engine for saving packet capture (PCAP) files
* **AUTOSTART_ZEEK** [Zeek](https://www.zeek.org/) traffic analysis engine
Note that only one packet capture engine ([moloch-capture](https://molo.ch/), [netsniff-ng](http://netsniff-ng.org/), or [tcpdump](https://www.tcpdump.org/)) can be used.
![Autostart services](./docs/images/autostarts.png)
Once you have selected the autostart services, you will be prompted to confirm your selections. Doing so will cause these values to be written back out to the `/opt/sensor/sensor_ctl/control_vars.conf` configuration file.
![Autostart services confirmation](./docs/images/autostarts_confirm.png)
After you have completed configuring the sensor, it is recommended that you reboot the sensor to ensure all new settings take effect. If rebooting is not an option, you may click the **Restart Sensor Services** menu icon in the top menu bar, or open a terminal and run:
```
/opt/sensor/sensor_ctl/shutdown && sleep 10 && /opt/sensor/sensor_ctl/supervisor.sh
```
This will cause the sensor services controller to stop, wait a few seconds, and restart. You can check the status of the sensor's processes by choosing **Sensor Status** from the sensor's kiosk mode, double-clicking the **Sensor Service Status** desktop icon, or running `/opt/sensor/sensor_ctl/status` from the command line:
```
$ /opt/sensor/sensor_ctl/status
beats:auditbeat RUNNING pid 14470, uptime 8 days, 20:22:32
beats:filebeat RUNNING pid 14460, uptime 8 days, 20:22:32
beats:heatbeat RUNNING pid 14481, uptime 8 days, 20:22:32
beats:metricbeat RUNNING pid 14476, uptime 8 days, 20:22:32
beats:sensors RUNNING pid 14484, uptime 8 days, 20:22:32
beats:syslogbeat RUNNING pid 14471, uptime 8 days, 20:22:32
clamav:clamav-service RUNNING pid 14454, uptime 8 days, 20:22:32
clamav:clamav-updates RUNNING pid 14450, uptime 8 days, 20:22:32
moloch:moloch-capture RUNNING pid 14432, uptime 8 days, 20:22:32
moloch:moloch-viewer RUNNING pid 14431, uptime 8 days, 20:22:32
netsniff:netsniff-enp8s0 STOPPED Not started
prune:prune-pcap RUNNING pid 14446, uptime 8 days, 20:22:32
prune:prune-zeek RUNNING pid 14442, uptime 8 days, 20:22:32
tcpdump:tcpdump-enp8s0 STOPPED Not started
zeek:logger RUNNING pid 14434, uptime 8 days, 20:22:32
zeek:virustotal RUNNING pid 14435, uptime 8 days, 20:22:32
zeek:yara RUNNING pid 14435, uptime 8 days, 20:22:32
zeek:capa RUNNING pid 14435, uptime 8 days, 20:22:32
zeek:clamav RUNNING pid 14435, uptime 8 days, 20:22:32
zeek:watcher RUNNING pid 14441, uptime 8 days, 20:22:32
zeek:zeekctl RUNNING pid 14433, uptime 8 days, 20:22:32
```
# <a name="ISOBuild"></a>Appendix A - Generating the ISO
Official downloads of the Hedgehog Linux installer ISO are not provided; however, it can be built easily on an internet-connected Linux host running current versions of [VirtualBox](https://www.virtualbox.org/) and [Vagrant](https://www.vagrantup.com/) (with the [`vagrant-reload`](https://github.com/aidanns/vagrant-reload) plugin).
To perform a clean build of the Hedgehog Linux installer ISO, navigate to your local [Malcolm](https://github.com/cisagov/Malcolm/) working copy and run:
```
$ ./sensor-iso/build_via_vagrant.sh -f
Starting build machine...
Bringing machine 'default' up with 'virtualbox' provider...
```
Building the ISO may take 90 minutes or more depending on your system. As the build finishes, you will see the following message indicating success:
```
Finished, created "/sensor-build/hedgehog-3.2.1.iso"
```
# <a name="ConfigSSH"></a>Appendix B - Configuring SSH access
SSH access to the sensor's non-privileged `sensor` account is only available using secure key-based authentication, which can be enabled by adding a public SSH key to the **/home/sensor/.ssh/authorized_keys** file as illustrated below:
```
sensor@sensor:~$ mkdir -p ~/.ssh
sensor@sensor:~$ ssh analyst@172.16.10.48 "cat ~/.ssh/id_rsa.pub" >> ~/.ssh/authorized_keys
The authenticity of host '172.16.10.48 (172.16.10.48)' can't be established.
ECDSA key fingerprint is SHA256:...
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.10.48' (ECDSA) to the list of known hosts.
analyst@172.16.10.48's password:
sensor@sensor:~$ cat ~/.ssh/authorized_keys
ssh-rsa AAA...kff analyst@SOC
```
SSH access should only be configured when necessary.
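The following is an added example (not part of the Hedgehog Linux project) that checks an `sshd_config` and an `authorized_keys` file against the access model described in this appendix and in the CIS 9.3.13 note below: root login disabled, password authentication disallowed, public-key authentication only. It assumes the `Keyword value` syntax in `sshd_config`, takes file paths as parameters, and writes constructed sample files so it can be run offline.

```shell
#!/bin/sh
# Added example, not part of the Hedgehog Linux project: verify that an sshd_config and an
# authorized_keys file enforce the sensor's access model (no root login, no password
# logins, key-based authentication only). Paths are parameters so constructed samples can be used.

# Print the effective value of an sshd_config keyword, lowercased ("" if unset).
# sshd honours the FIRST occurrence of a keyword, and anything after the first Match
# line applies only to that match, so scanning stops there. "Keyword value" syntax is assumed.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        {
            k = tolower($1)
            if (k == "match") exit
            if (k == key) { print tolower($2); exit }
        }' "$2"
}

# Print every value the keyword is given inside Match blocks, one per line, lowercased.
# A Match block can quietly re-enable what the global section disabled.
sshd_match_values() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }
        { k = tolower($1) }
        k == "match" { inmatch = 1; next }
        inmatch && k == key { print tolower($2) }' "$2"
}

# Return 0 when the config is key-only with root login disabled, 1 otherwise.
sshd_check_key_only() {
    cfg="$1"; rc=0
    [ "$(sshd_effective PermitRootLogin "$cfg")" = "no" ] \
        || { echo "FAIL: PermitRootLogin is not 'no' in $cfg"; rc=1; }
    [ "$(sshd_effective PasswordAuthentication "$cfg")" = "no" ] \
        || { echo "FAIL: PasswordAuthentication is not 'no' in $cfg"; rc=1; }
    # PubkeyAuthentication defaults to yes, so only an explicit 'no' is a failure.
    [ "$(sshd_effective PubkeyAuthentication "$cfg")" != "no" ] \
        || { echo "FAIL: PubkeyAuthentication is 'no' in $cfg"; rc=1; }
    for v in $(sshd_match_values PasswordAuthentication "$cfg"); do
        [ "$v" = "no" ] \
            || { echo "FAIL: a Match block re-enables PasswordAuthentication in $cfg"; rc=1; }
    done
    return $rc
}

# Return 0 when authorized_keys is usable: present, not group/world writable (sshd ignores
# it otherwise when StrictModes is on), and every key line carries a recognised key type.
authorized_keys_check() {
    f="$1"; rc=0
    [ -f "$f" ] || { echo "FAIL: $f does not exist"; return 1; }
    [ -z "$(find "$f" -maxdepth 0 -perm /022)" ] \
        || { echo "FAIL: $f is group/world writable"; rc=1; }
    grep -Ev '^[[:space:]]*(#|$)' "$f" | while read -r line; do
        case "$line" in
            *ssh-ed25519\ *|*ssh-rsa\ *|*ecdsa-sha2-nistp*\ *) ;;   # leading key options allowed
            *) echo "FAIL: unrecognised key line in $f: $line"; exit 1 ;;
        esac
    done || rc=1
    return $rc
}

# Constructed sample files (not real sensor configuration) so the checks run offline.
write_samples() {
    dir="$1"
    cat > "$dir/sshd_config.good" <<'EOF'
# constructed sample: the posture the sensor is meant to have
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
    cat > "$dir/sshd_config.bad" <<'EOF'
# constructed sample: password logins, including root, still allowed
PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$dir/sshd_config.match" <<'EOF'
# constructed sample: globals look right, but a Match block undoes them for one network
PermitRootLogin no
PasswordAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL analyst@SOC\n' \
        > "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
}
```

On a live sensor, run `sshd_check_key_only /etc/ssh/sshd_config` and `authorized_keys_check /home/sensor/.ssh/authorized_keys`; `sshd -T` remains the authoritative view of effective settings where it is available.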
# <a name="Troubleshooting"></a>Appendix C - Troubleshooting
Should the sensor not function as expected, first try rebooting the device. If the behavior continues, here are a few things that may help you diagnose the problem (items which may require Linux command line use are marked with **†**):
* **Stop / start services** - Using the sensor's kiosk mode, attempt a **Services Stop** followed by a **Services Start**, then check **Sensor Status** to see which service(s) may not be running correctly.
* **Sensor configuration file †** - See `/opt/sensor/sensor_ctl/control_vars.conf` for sensor service settings. It is not recommended to manually edit this file unless you are sure of what you are doing.
* **Sensor control scripts †** - There are scripts under `/opt/sensor/sensor_ctl/` to control sensor services (e.g., `shutdown`, `start`, `status`, `stop`, etc.).
* **Sensor debug logs †** - Log files under `/opt/sensor/sensor_ctl/log/` may contain clues to processes that are not working correctly. If you can determine which service is failing, you can attempt to reconfigure it using the instructions in the Configure Capture and Forwarding section of this document.
* **`sensorwatch` script †** - Running `sensorwatch` on the command line will display the most recently modified PCAP and Zeek log files in their respective directories, how much storage space they are consuming, and the amount of used/free space on the volumes containing those files.
# <a name="Hardening"></a>Appendix D - Hardening
Hedgehog Linux targets the following guidelines for establishing a secure configuration posture:
* DISA STIG (Security Technical Implementation Guides) [ported](https://github.com/hardenedlinux/STIG-4-Debian) from [DISA RHEL 7 STIG](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/) v1r1 to a Debian 9 base platform
* [CIS Debian Linux 9 Benchmark](https://www.cisecurity.org/cis-benchmarks/cis-benchmarks-faq/) with additional recommendations by the [hardenedlinux/harbian-audit](https://github.com/hardenedlinux/harbian-audit) project
## <a name="STIGExceptions"></a>STIG compliance exceptions
[Currently](https://github.com/hardenedlinux/STIG-4-Debian/blob/master/stig-debian.txt) there are 158 compliance checks that can be verified automatically and 23 compliance checks that must be verified manually.
Hedgehog Linux claims the following exceptions to STIG compliance:
| # | ID | Title | Justification |
| --- | --- | --- | --- |
| 1 | [SV-86535r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-71911) | When passwords are changed a minimum of eight of the total number of characters must be changed. | Account/password policy exception: As a sensor running Hedgehog Linux is intended to be used as an appliance rather than a general user-facing software platform, some exceptions to password enforcement policies are claimed. |
| 2 | [SV-86537r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-71913) | When passwords are changed a minimum of four character classes must be changed. | Account/password policy exception |
| 3 | [SV-86549r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-71925) | Passwords for new users must be restricted to a 24 hours/1 day minimum lifetime. | Account/password policy exception |
| 4 | [SV-86551r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-71927) | Passwords must be restricted to a 24 hours/1 day minimum lifetime. | Account/password policy exception |
| 5 | [SV-86553r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-71929) | Passwords for new users must be restricted to a 60-day maximum lifetime. | Account/password policy exception |
| 6 | [SV-86555r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-71931) | Existing passwords must be restricted to a 60-day maximum lifetime. | Account/password policy exception |
| 7 | [SV-86557r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-71933) | Passwords must be prohibited from reuse for a minimum of five generations. | Account/password policy exception |
| 8 | [SV-86565r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-71941) | The operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires. | Account/password policy exception |
| 9 | [SV-86567r2](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-71943) | Accounts subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period. | Account/password policy exception |
| 10 | [SV-86569r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-71945) | If three unsuccessful root logon attempts within 15 minutes occur the associated account must be locked. | Account/password policy exception |
| 11 | [SV-86603r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2018-11-28/finding/V-71979) | The … operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | As the base distribution is not using embedded signatures, `debsig-verify` would reject all packages (see comment in `/etc/dpkg/dpkg.cfg`). Enabling it after installation would disallow any future updates. |
| 12 | [SV-86607r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-71983) | USB mass storage must be disabled. | The ability to copy data captured by the sensor to a mounted USB mass storage device is a requirement of the system. |
| 13 | [SV-86609r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-71985) | File system automounter must be disabled unless required. | The ability to copy data captured by the sensor to a mounted USB mass storage device is a requirement of the system. |
| 14 | [SV-86705r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72081) | The operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure. | As maximizing availability is a system requirement, audit processing failures will be logged on the device rather than halting the system. |
| 15 | [SV-86713r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72089) | The operating system must immediately notify the System Administrator (SA) and Information System Security Officer ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. | As a sensor running Hedgehog Linux is intended to be used as an appliance rather than a general network host, notifications of this sort are sent in system logs forwarded to the Elasticsearch database on the aggregator. `auditd` is set up to syslog when this storage volume is reached. |
| 16 | [SV-86715r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-72093) | The operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. | As a sensor running Hedgehog Linux is intended to be used as an appliance rather than a general network host, notifications of this sort are sent in system logs forwarded to the Elasticsearch database on the aggregator. `auditd` is set up to syslog when this storage volume is reached. |
| 17 | [SV-86837r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-12-16/finding/V-38666) | The system must use and update a DoD-approved virus scan program. | As this is a network traffic capture appliance rather than an end-user device and will not be internet-connected, regular user files will not be created. A virus scan program would impact device performance and would be unnecessary. |
| 18 | [SV-86839r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72215) | The system must update the virus scan program every seven days or more frequently. | As this is a network traffic capture appliance rather than an end-user device and will not be internet-connected, regular user files will not be created. A virus scan program would impact device performance and would be unnecessary. |
| 19 | [SV-86847r2](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72223) | All network connections associated with a communication session must be terminated at the end of the session or after 10 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements. | The sensor may be controlled from the command line in a manual capture scenario, so timing out a session based on command prompt inactivity would be inadvisable. |
| 20 | [SV-86893r2](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72269) | The operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS). | While [time synchronization](#ConfigTime) is supported on Hedgehog Linux, an exception is claimed for this rule as the network sensor device may be configured to sync to servers other than the ones listed in the STIG. |
| 21 | [SV-86905r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72281) | For systems using DNS resolution, at least two name servers must be configured. | STIG recommendations for DNS servers are not enforced on Hedgehog Linux to allow for use in a variety of network scenarios. |
| 22 | [SV-86919r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-72295) | Network interfaces must not be in promiscuous mode. | The purpose of Hedgehog Linux is to sniff and capture network traffic. |
| 23 | [SV-86931r2](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72307) | An X Windows display manager must not be installed unless approved. | A locked-down X Windows session is required for the sensor's kiosk display. |
| 24 | [SV-86519r3](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-71895) | The operating system must set the idle delay setting for all connection types. | As this is a network traffic capture appliance rather than an end-user device, timing out displays or connections would not be desirable. |
| 25 | [SV-86523r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-71899) | The operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces. | This option is configurable during install time. Some installations of Hedgehog Linux may be on appliance hardware not equipped with a keyboard by default, in which case it may not be desirable to lock the session. |
| 26 | [SV-86525r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-71901) | The operating system must initiate a session lock for graphical user interfaces when the screensaver is activated. | This option is configurable during install time. Some installations of Hedgehog Linux may be on appliance hardware not equipped with a keyboard by default, in which case it may not be desirable to lock the session. |
| 27 | [SV-86589r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-71965) | The operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication. | As this is a network traffic capture appliance rather than an end-user device or a multiuser network host, this requirement is not applicable. |
| 28 | [SV-86851r2](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72227) | The operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications. | Does not apply as Hedgehog Linux does not use LDAP for authentication. |
| 29 | [SV-86921r2](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-72297) | The system must be configured to prevent unrestricted mail relaying. | Does not apply as Hedgehog Linux does not run a mail service. |
| 30 | [SV-86929r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72305) | If the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon must be configured to operate in secure mode. | Does not apply as Hedgehog Linux does not run a TFTP server. |
| 31 | [SV-86935r3](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72311) | The Network File System (NFS) must be configured to use RPCSEC_GSS. | Does not apply as Hedgehog Linux does not run an NFS server. |
| 32 | [SV-87041r2](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72417) | The operating system must have the required packages for multifactor authentication installed. | As this is a network traffic capture appliance rather than an end-user device or a multiuser network host, this requirement is not applicable. |
| 33 | [SV-87051r2](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-72427) | The operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM). | As this is a network traffic capture appliance rather than an end-user device or a multiuser network host, this requirement is not applicable. |
| 34 | [SV-87059r2](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-72435) | The operating system must implement smart card logons for multifactor authentication for access to privileged accounts. | As this is a network traffic capture appliance rather than an end-user device or a multiuser network host, this requirement is not applicable. |
| 35 | [SV-87829r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-73177) | Wireless network adapters must be disabled. | As an appliance intended to capture network traffic in a variety of network environments, wireless adapters may be needed to capture and/or report wireless traffic. |
| 36 | [SV-86699r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72075) | The system must not allow removable media to be used as the boot loader unless approved. | Hedgehog Linux supports a live boot mode that can be booted from removable media. |
Please review the notes for these additional rules. While not claiming an exception, they may be implemented or checked in a different way than outlined by the RHEL STIG as Hedgehog Linux is not built on RHEL or for other reasons.
| # | ID | Title | Note |
| --- | --- | --- | --- |
| 1 | [SV-86585r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-71961) | Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes. | Although the [compliance check script](https://github.com/hardenedlinux/STIG-4-Debian) does not detect it, booting into recovery mode *does* in fact require the root password. |
| 2 | [SV-86587r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-71963) | Systems using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes. | Although the [compliance check script](https://github.com/hardenedlinux/STIG-4-Debian) does not detect it, booting into recovery mode *does* in fact require the root password. |
| 3 | [SV-86651r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72027) | All files and directories contained in local interactive user home directories must have mode 0750 or less permissive. | Depending on when the [compliance check script](https://github.com/hardenedlinux/STIG-4-Debian) is run, some nonessential ephemeral files may exist in the `sensor` home directory which will cause this check to fail. For practical purposes Hedgehog Linux's configuration does, however, comply. This file list can be checked manually by running `find /home/sensor -type f -perm /027 -exec ls -l '{}' ';'`. |
| 4 | [SV-86693r2](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72069) | The file integrity tool must be configured to verify Access Control Lists (ACLs). | [Auditbeat](https://www.elastic.co/products/beats/auditbeat) is managing file integrity checks instead of the `aide` specified for use in the RHEL STIG. Additionally, as this is not a multi-user system, the ACL check would be irrelevant. |
| 5 | [SV-86597r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-71973) | A file integrity tool must verify the baseline operating system configuration at least weekly. | [Auditbeat](https://www.elastic.co/products/beats/auditbeat) is managing file integrity checks instead of the `aide` specified for use in the RHEL STIG. |
| 6 | [SV-86697r2](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-72073) | The file integrity tool must use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. | [Auditbeat](https://www.elastic.co/products/beats/auditbeat) is managing file integrity checks instead of the `aide` specified for use in the RHEL STIG. Auditbeat uses SHA1 which is FIPS 140-2 approved. |
| 7 | [SV-86623r3](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-71999) | Vendor packaged system security patches and updates must be installed and up to date. | When the Hedgehog Linux sensor appliance software is built, all of the latest applicable security patches and updates are included in it. How future updates are to be handled is still in design. |
| 8 | [SV-86707r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-72083) | The operating system must off-load audit records onto a different system or media from the system being audited. | [Auditbeat](https://www.elastic.co/products/beats/auditbeat) offloads audit records to an Elasticsearch database on another system, though this is not detected by the [compliance check script](https://github.com/hardenedlinux/STIG-4-Debian). |
| 9 | [SV-86709r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-72085) | The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited. | [Auditbeat](https://www.elastic.co/products/beats/auditbeat) offloads (via an encrypted channel) audit records to an Elasticsearch database on another system, though this is not detected by the [compliance check script](https://github.com/hardenedlinux/STIG-4-Debian). |
| 10 | [SV-86833r1](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-72209) | The system must send rsyslog output to a log aggregation server. | Syslogs are forwarded to an Elasticsearch database running on another system via [filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-syslog.html), though this is not detected by the [compliance check script](https://github.com/hardenedlinux/STIG-4-Debian). |
| 11 | [SV-87815r2](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-12-14/finding/V-73163) | The audit system must take appropriate action when there is an error sending audit records to a remote system. | [Auditbeat](https://www.elastic.co/products/beats/auditbeat) offloads audit records to an Elasticsearch database on another system, though this is not detected by the [compliance check script](https://github.com/hardenedlinux/STIG-4-Debian). Local logs are generated when this network connection is broken, and it resumes automatically. |
| 12 | [SV-86691r2](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-72067) | The operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. | Hedgehog Linux does use FIPS-compatible libraries for cryptographic functions. However, the kernel parameter being checked by the [compliance check script](https://github.com/hardenedlinux/STIG-4-Debian) is incompatible with some of the system's initialization scripts. |
In addition, DISA STIG rules SV-86663r1, SV-86695r2, SV-86759r3, SV-86761r3, SV-86763r3, SV-86765r3, SV-86595r1, and SV-86615r2 relate to the SELinux kernel which is not used in Hedgehog Linux, and are thus skipped.
## <a name="CISExceptions"></a>CIS benchmark compliance exceptions
[Currently](https://github.com/hardenedlinux/harbian-audit/tree/master/bin/hardening) there are 271 checks to determine compliance with the CIS Debian Linux 9 Benchmark.
Hedgehog Linux claims exceptions from the recommendations in this benchmark in the following categories:
**1.1 Install Updates, Patches and Additional Security Software** - When the Hedgehog Linux sensor appliance software is built, all of the latest applicable security patches and updates are included in it. How future updates are to be handled is still in design.
**1.3 Enable verify the signature of local packages** - As the base distribution is not using embedded signatures, `debsig-verify` would reject all packages (see comment in `/etc/dpkg/dpkg.cfg`). Enabling it after installation would disallow any future updates.
**2.14 Add nodev option to /run/shm Partition**, **2.15 Add nosuid Option to /run/shm Partition**, **2.16 Add noexec Option to /run/shm Partition** - Hedgehog Linux does not mount `/run/shm` as a separate partition, so these recommendations do not apply.
**2.18 Disable Mounting of cramfs Filesystems**, **2.19 Disable Mounting of freevxfs Filesystems**, **2.20 Disable Mounting of jffs2 Filesystems**, **2.21 Disable Mounting of hfs Filesystems**, **2.22 Disable Mounting of hfsplus Filesystems**, **2.23 Disable Mounting of squashfs Filesystems**, **2.24 Disable Mounting of udf Filesystems** - Hedgehog Linux is not compiling a custom Linux kernel, so these filesystems are inherently supported as they are part of Debian Linux's default kernel.
**4.6 Disable USB Devices** - The ability to copy data captured by the sensor to a mounted USB mass storage device is a requirement of the system.
**6.1 Ensure the X Window system is not installed**, **6.2 Ensure Avahi Server is not enabled**, **6.3 Ensure print server is not enabled** - A locked-down X Windows session is required for the sensor's kiosk display. The library packages `libavahi-common-data`, `libavahi-common3`, and `libcups2` are dependencies of some of the X components used by Hedgehog Linux, but the `avahi` and `cups` services themselves are disabled.
**6.17 Ensure virus scan Server is enabled**, **6.18 Ensure virus scan Server update is enabled** - As this is a network traffic capture appliance rather than an end-user device and will not be internet-connected, regular user files will not be created. A virus scan program would impact device performance and would be unnecessary.
**7.2.4 Log Suspicious Packets**, **7.2.7 Enable RFC-recommended Source Route Validation**, **7.4.1 Install TCP Wrappers** - As this is a network traffic capture appliance sniffing packets on a network interface configured in promiscuous mode, these recommendations do not apply.
Password-related recommendations under **9.2** and **10.1** - The library package `libpam-pwquality` is used in favor of `libpam-cracklib` which is what the [compliance scripts](https://github.com/hardenedlinux/harbian-audit/tree/master/bin/hardening) are looking for. Also, as a sensor running Hedgehog Linux is intended to be used as an appliance rather than a general user-facing software platform, some exceptions to password enforcement policies are claimed.
**9.3.13 Limit Access via SSH** - Hedgehog Linux does not create multiple regular user accounts: only `root` and a `sensor` service account are used. SSH access for `root` is disabled. SSH login with a password is also disallowed: only key-based authentication is accepted. The `sensor` service account accepts no keys by default. As such, the `AllowUsers`, `AllowGroups`, `DenyUsers`, and `DenyGroups` values in `sshd_config` do not apply.
**9.5 Restrict Access to the su Command** - Hedgehog Linux does not create multiple regular user accounts: only `root` and a `sensor` service account are used.
**10.1.10 Set maxlogins for all accounts** and **10.5 Set Timeout on ttys** - Hedgehog Linux does not create multiple regular user accounts: only `root` and a `sensor` service account are used.
**12.10 Find SUID System Executables**, **12.11 Find SGID System Executables** - The few files found by [these](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/12.10_find_suid_files.sh) [scripts](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/12.11_find_sgid_files.sh) are valid exceptions required by Hedgehog Linux's system requirements.
Please review the notes for these additional guidelines. While not claiming an exception, Hedgehog Linux may implement them in a manner different than is described by the [CIS Debian Linux 9 Benchmark](https://www.cisecurity.org/cis-benchmarks/cis-benchmarks-faq/) or the [hardenedlinux/harbian-audit](https://github.com/hardenedlinux/harbian-audit) audit scripts.
**4.1 Restrict Core Dumps** - Hedgehog Linux disables core dumps using a configuration file for `ulimit` named `/etc/security/limits.d/limits.conf`. The [audit script](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/4.1_restrict_core_dumps.sh) checking for this does not check the `limits.d` subdirectory, which is why this is incorrectly flagged as noncompliant.
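The following is an added example (not part of the Hedgehog Linux project or the harbian-audit scripts) showing a core-dump check that reads `limits.d/*.conf` as well as `limits.conf`, next to the `limits.conf`-only style of check that flags the sensor as noncompliant. It assumes pam_limits ordering (limits.conf first, then limits.d in alphabetical order, last matching line for a domain wins), models only user and `*` domains, takes an optional root directory so that constructed sample trees can be checked instead of the live `/etc`, and writes those samples itself.

```shell
#!/bin/sh
# Added example, not part of the Hedgehog Linux project or the harbian-audit scripts: decide
# whether pam_limits disables core dumps for a user. pam_limits reads limits.conf and then
# limits.d/*.conf in alphabetical order, and for the same domain the last matching line wins,
# so a check that only greps limits.conf (as the CIS 4.1 audit script does) misreports a
# layout where the setting lives in limits.d/limits.conf. $2 is an optional root directory
# so that constructed samples can be checked instead of the live /etc.

# Print the effective hard core limit for user $1 ("" if none is set).
# Precedence modelled here: an explicit user entry beats the "*" default; group (@name)
# entries are not modelled (assumption, for brevity).
core_limit_effective() {
    user="$1"; root="${2:-}"
    cat "$root/etc/security/limits.conf" "$root"/etc/security/limits.d/*.conf 2>/dev/null |
    awk -v user="$user" '
        /^[ \t]*(#|$)/ { next }
        $3 == "core" && ($2 == "hard" || $2 == "-") {   # "-" sets both soft and hard
            if ($1 == user) u = $4
            else if ($1 == "*") d = $4
        }
        END { if (u != "") print u; else if (d != "") print d }'
}

# The corrected check: 0 when core dumps are disabled for user $1, 1 otherwise.
core_dumps_disabled() {
    [ "$(core_limit_effective "$1" "${2:-}")" = "0" ]
}

# The kind of check the audit script performs: limits.conf only, shown for contrast.
# It cannot see the limits.d entry and also cannot see a per-user override made later.
core_dumps_disabled_naive() {
    grep -Eq '^[[:space:]]*\*[[:space:]]+(hard|-)[[:space:]]+core[[:space:]]+0([[:space:]]|$)' \
        "${1:-}/etc/security/limits.conf"
}

# Constructed sample trees (not copied from a real sensor) for exercising the checks.
# "hedgehog" mirrors the layout described above: limits.conf has no core entry and
# limits.d/limits.conf disables core dumps. "override" shows the opposite pitfall:
# limits.conf disables core dumps but a later limits.d file re-enables them for one user.
write_limits_samples() {
    base="$1"
    mkdir -p "$base/hedgehog/etc/security/limits.d" "$base/override/etc/security/limits.d"
    printf '# constructed: distribution default, no core entry\n' \
        > "$base/hedgehog/etc/security/limits.conf"
    printf '*\thard\tcore\t0\n' > "$base/hedgehog/etc/security/limits.d/limits.conf"
    printf '*\thard\tcore\t0\n' > "$base/override/etc/security/limits.conf"
    printf 'sensor\thard\tcore\tunlimited\n' \
        > "$base/override/etc/security/limits.d/zz-debug.conf"
}
```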
**5.4 Ensure ctrl-alt-del is disabled** - Hedgehog Linux disables the `ctrl+alt+delete` key sequence by executing `systemctl disable ctrl-alt-del.target` during installation and the command `systemctl mask ctrl-alt-del.target` at boot time.
**6.19 Configure Network Time Protocol (NTP)** - While [time synchronization](#ConfigTime) is supported on Hedgehog Linux, an exception is claimed for this rule as the network sensor device may be configured to sync to servers in a different way than specified in the benchmark.
**7.4.4 Create /etc/hosts.deny**, **7.7.1 Ensure Firewall is active**, **7.7.4.1 Ensure default deny firewall policy**, **7.7.4.3 Ensure default deny firewall policy**, **7.7.4.4 Ensure outbound and established connections are configured** - Hedgehog Linux **is** configured with an appropriately locked-down software firewall (managed by "Uncomplicated Firewall" `ufw`). However, the methods outlined in the CIS benchmark recommendations do not account for this configuration.
**8.1.1.2 Disable System on Audit Log Full**, **8.1.1.3 Keep All Auditing Information**, **8.1.1.5 Ensure set remote server for audit service**, **8.1.1.6 Ensure enable_krb5 set to yes for remote audit service**, **8.1.1.7 Ensure set action for audit storage volume is fulled**, **8.1.1.9 Set space left for auditd service**, a few other audit-related items under section **8.1**, **8.2.5 Configure rsyslog to Send Logs to a Remote Log Host** - As maximizing availability is a system requirement, audit processing failures will be logged on the device rather than halting the system. Because Hedgehog Linux is intended to be used as an appliance rather than a general network host, notifications about its status are sent in system logs forwarded to the Elasticsearch database on the aggregator. `auditd` is set up to syslog when this storage volume is reached. [Auditbeat](https://www.elastic.co/products/beats/auditbeat) offloads audit records to an Elasticsearch database on another system, though this is not detected by the [CIS benchmark compliance scripts](https://github.com/hardenedlinux/harbian-audit/tree/master/bin/hardening). Local logs are generated when the network connection is broken, and it resumes automatically. Syslog messages are also similarly forwarded.
**8.4.1 Install aide package** and **8.4.2 Implement Periodic Execution of File Integrity** - [Auditbeat](https://www.elastic.co/products/beats/auditbeat) is managing file integrity checks instead of the `aide` utility.
**8.7 Verifies integrity all packages** - The [script](https://github.com/hardenedlinux/harbian-audit/blob/master/bin/hardening/8.7_verify_integrity_packages.sh) which verifies package integrity only "fails" because of missing (status `??5??????` displayed by the utility) language ("locale") files, which are removed as part of Hedgehog Linux's trimming-down process. All non-locale-related system files pass intergrity checks.
# <a name="UpgradePlan"></a>Appendix E - Upgrades
At this time there is not an "official" upgrade procedure to get from one release of Hedgehog Linux to the next. Upgrading the underlying operating system packages is generally straightforward, but not all of the Hedgehog Linux components are packaged into .deb archives yet as they should be, so for now it's a manual (and kind of nasty) process to Frankenstein an upgrade into existance. The author of this project intends to remedy this at some future point when time and resources allow.
If possible, it would save you **a lot** of trouble to just [re-ISO](#Installation) your Hedgehog installation and start fresh, backing up the files (in `/opt/sensor/sensor_ctl`) first and reconfiguring or restoring them as needed afterwards.
However, if reinstalling the system is not an option, here is the basic process for doing a manual upgrade of Hedgehog Linux. It should be understood that this process is very likely to break your system, and there is **no** guarantee of any kind that any of this will work, or that these instructions are even complete or any support whatsoever regarding them. Really, it will be **much** easier if you re-ISO your installation. But for the brave among you, here you go. ⛔🆘😭💀
## Prerequisites
* A good understanding of the Linux command line
* An existing installation of Hedgehog Linux **with internet access**
* A copy of the Hedgehog Linux [ISO](#ISOBuild) for the version approximating the one you're upgrading to (i.e., the latest version), **and**
- Either a separate VM with that ISO installed **OR**
- A separate Linux workstation where you can manually mount that ISO to pull stuff off of it
## Upgrade
1. Obtain a root shell
- `su -`
2. Temporarily set the umask value to Debian default instead of the more restrictive Hedgehog Linux default. This will allow updates to be applied with the right permissions.
- `umask 0022`
3. Create backups of some files
- `cp /etc/apt/sources.list /etc/apt/sources.list.bak`
4. Set up alternate package sources, if needed
- In an offline/airgapped scenario, you could use [apt-mirror](https://apt-mirror.github.io) to mirror Debian repos and [bandersnatch](https://github.com/pypa/bandersnatch/) to mirror PyPI sources, or [combine them](https://github.com/mmguero/espejo) with Docker. If you were to do this, you'd probably want to make the following changes (and **revert them after the upgrade**):
+ create `/etc/apt/apt.conf.d/80ssl-exceptions` to ignore self-signed certificate warnings from using your apt-mirror
```
Acquire::https {
Verify-Peer "false";
Verify-Host "false";
}
```
+ modify `/etc/apt/source.list` to point to your apt-mirror:
```
deb https://XXXXXX:443/debian buster main contrib non-free
deb https://XXXXXX:443/debian-security buster/updates main contrib non-free
deb https://XXXXXX:443/debian buster-updates main contrib non-free
deb https://XXXXXX:443/debian buster-backports main contrib non-free
```
5. Update underlying system packages with `apt-get`
- `apt-get update && apt-get dist-upgrade`
6. If there were [new system deb packages added](https://github.com/cisagov/Malcolm/tree/master/sensor-iso/config/package-lists) to this release of Hedgehog Linux (you might have to [manually compare](https://github.com/cisagov/Malcolm/commits/master/sensor-iso/config/package-lists) on GitHub), install them. If you're not sure, of course, you could just install everything, like this (although you may have to tweak some version numbers or something if the base distribution of your Hedgehog branch is different than `master`; in this example I'm not jumping between Debian releases, just upgrading within a release):
```
$ for LIST in apps desktopmanager net system; do curl -L -J -O https://raw.github.com/cisagov/Malcolm/master/sensor-iso/config/package-lists/$LIST.list.chroot; done
...
$ apt-get install $(cat *.list.chroot)
```
7. Update underlying python packages with `python3 -m pip`
* `apt-get install -y build-essential git-core pkg-config python3-dev`
* `python3 -m pip list --outdated --format=freeze | grep -v '^\-e' | cut -d = -f 1 | xargs -r -n1 python3 -m pip install -U`
- if this fails for some reason, you may need to reinstall pip first with `python3 -m pip install --force -U pip`
- some *very* old builds of Hedgehog Linux had separate Python 3.5 and 3.7 installations: in this case, you'd need to do this for both `python3 -m pip` and `python3.7 -m pip` (or whatever `python3.x` you have)
* If there were [new python packages](https://raw.githubusercontent.com/cisagov/Malcolm/master/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot) added to this release of Hedgehog Linux (you might have to [manually compare](https://github.com/cisagov/Malcolm/blame/master/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot) on GitHub), install them. If you are using a PyPI mirror, replace `XXXXXX` here with your mirror's IP. The `colorama` package is used here as an example, your package list might vary.
- `python3 -m pip install --no-compile --no-cache-dir --force-reinstall --upgrade --index-url=https://XXXXXX:443/pypi/simple --trusted-host=XXXXXX:443 colorama`
8. Okay, **now** things start to get a little bit ugly. You're going to need access to the ISO of the release of Hedgehog Linux you're upgrading to, as we're going to grab some packages off of it. On another Linux system, [build it](#ISOBuild).
9. Use a disk image mounter to mount the ISO, **or** if you want to just install the ISO in a VM and grab the files we need off of it, that's fine too. But I'll go through the example as if I've mounted the ISO.
10. Navigate to the `/live/` directory, and mount the `filesystem.squashfs` file
- `sudo mount filesystem.squashfs /media/squash -t squashfs -o loop`
- **OR**
- `squashfuse filesystem.squashfs /home/user/media/squash`
11. Very recent builds of Hedgehog Linux keep some build artifacts in `/opt/hedgehog_install_artifacts/`. You're going to want to grab those files and throw them in a temporary directory on the system you're upgrading, via SSH or whatever means you devise.
```
root@hedgehog:/tmp# scp -r user@otherbox:/media/squash/opt/hedgehog_install_artifacts/ ./
user@otherbox's password:
auditbeat-tweaked-7.6.2-amd64.deb 100% 13MB 49.3MB/s 00:00
filebeat-tweaked-7.6.2-amd64.deb 100% 13MB 65.9MB/s 00:00
metricbeat-tweaked-7.6.2-amd64.deb 100% 18MB 72.0MB/s 00:00
moloch_2.2.3-1_amd64.deb 100% 113MB 32.2MB/s 00:03
netsniff-ng_0.6.6-1_amd64.deb 100% 330KB 52.1MB/s 00:00
packetbeat-tweaked-7.6.2-amd64.deb 100% 14MB 59.2MB/s 00:00
protologbeat 100% 56MB 38.1MB/s 00:01
zeek_3.0.20-1_amd64.deb 100% 26MB 63.1MB/s 00:00
```
12. Replace the old `/usr/local/bin/protologbeat` with the new one:
```
root@hedgehog:/tmp# cp -biv hedgehog_install_artifacts/protologbeat /usr/local/bin/protologbeat
cp: overwrite '/usr/local/bin/protologbeat'? y
'hedgehog_install_artifacts/protologbeat' -> '/usr/local/bin/protologbeat' (backup: '/usr/local/bin/protologbeat~')
root@hedgehog:/tmp# ls -l /usr/local/bin/protologbeat
-rwxr-xr-x 1 root root 58895456 May 8 15:45 /usr/local/bin/protologbeat
root@hedgehog:/tmp# /usr/local/bin/protologbeat version
protologbeat version 7.6.0 (amd64), libbeat 7.6.0 [unknown built unknown]
```
13. Blow away the old `zeek` package, we're going to start clean with that one particularly. The others should be fine to upgrade in place.
```
root@hedgehog:/opt# apt-get --purge remove zeek
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
zeek*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 160 MB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 118490 files and directories currently installed.)
Removing zeek (3.0.20-1) ...
dpkg: warning: while removing zeek, directory '/opt/zeek/spool' not empty so not removed
dpkg: warning: while removing zeek, directory '/opt/zeek/share/zeek/site' not empty so not removed
dpkg: warning: while removing zeek, directory '/opt/zeek/lib' not empty so not removed
dpkg: warning: while removing zeek, directory '/opt/zeek/bin' not empty so not removed
root@hedgehog:/opt# rm -rf /opt/zeek*
```
14. Install the new .deb files. You're going to have some warnings, but that's okay.
```
root@hedgehog:/tmp# dpkg -i hedgehog_install_artifacts/*.deb
(Reading database ... 118149 files and directories currently installed.)
Preparing to unpack .../auditbeat-tweaked-7.6.2-amd64.deb ...
Unpacking auditbeat (7.6.2) over (6.8.4) ...
dpkg: warning: unable to delete old directory '/usr/share/auditbeat/kibana/6/dashboard': Directory not empty
dpkg: warning: unable to delete old directory '/usr/share/auditbeat/kibana/6': Directory not empty
Preparing to unpack .../filebeat-tweaked-7.6.2-amd64.deb ...
Unpacking filebeat (7.6.2) over (6.8.4) ...
dpkg: warning: unable to delete old directory '/usr/share/filebeat/kibana/6/dashboard': Directory not empty
dpkg: warning: unable to delete old directory '/usr/share/filebeat/kibana/6': Directory not empty
Preparing to unpack .../metricbeat-tweaked-7.6.2-amd64.deb ...
Unpacking metricbeat (7.6.2) over (6.8.4) ...
Preparing to unpack .../moloch_2.2.3-1_amd64.deb ...
Unpacking moloch (2.2.3-1) over (2.0.1-1) ...
Preparing to unpack .../netsniff-ng_0.6.6-1_amd64.deb ...
Unpacking netsniff-ng (0.6.6-1) over (0.6.6-1) ...
Preparing to unpack .../packetbeat-tweaked-7.6.2-amd64.deb ...
Unpacking packetbeat (7.6.2) over (6.8.4) ...
Preparing to unpack .../zeek_3.0.20-1_amd64.deb ...
Unpacking zeek (3.0.20-1) over (3.0.0-1) ...
Setting up auditbeat (7.6.2) ...
Installing new version of [...]
[...]
Setting up filebeat (7.6.2) ...
Installing new version of [...]
[...]
Setting up metricbeat (7.6.2) ...
Installing new version of [...]
[...]
Setting up moloch (2.2.3-1) ...
READ /data/moloch/README.txt and RUN /data/moloch/bin/Configure
Setting up netsniff-ng (0.6.6-1) ...
Setting up packetbeat (7.6.2) ...
Installing new version of [...]
[...]
Setting up zeek (3.0.20-1) ...
Processing triggers for systemd (232-25+deb9u12) ...
Processing triggers for man-db (2.7.6.1-2) ...
```
15. Fix anything that might need fixing as far as the deb package requirements go
- `apt-get -f install`
16. We just installed a Zeek .deb, but the third-part plugins packages and local config weren't part of that package. So we're going to `rsync` those from the other box where we have the ISO and `filesystem.squashfs` mounted as well:
```
root@hedgehog:/tmp# rsync -a user@otherbox:/media/squash/opt/zeek/ /opt/zeek
user@otherbox's password:
root@hedgehog:/tmp# ls -l /opt/zeek/share/zeek/site/
total 52
lrwxrwxrwx 1 root root 13 May 6 21:52 bzar -> packages/bzar
lrwxrwxrwx 1 root root 22 May 6 21:50 cve-2020-0601 -> packages/cve-2020-0601
-rw-r--r-- 1 root root 2031 Apr 30 16:02 extractor.zeek
-rw-r--r-- 1 root root 39134 May 1 14:20 extractor_params.zeek
lrwxrwxrwx 1 root root 14 May 6 21:52 hassh -> packages/hassh
lrwxrwxrwx 1 root root 12 May 6 21:52 ja3 -> packages/ja3
-rw-rw-r-- 1 root root 2005 May 6 21:54 local.zeek
drwxr-xr-x 13 root root 4096 May 6 21:52 packages
lrwxrwxrwx 1 root root 27 May 6 21:52 zeek-EternalSafety -> packages/zeek-EternalSafety
lrwxrwxrwx 1 root root 26 May 6 21:52 zeek-community-id -> packages/zeek-community-id
lrwxrwxrwx 1 root root 27 May 6 21:51 zeek-plugin-bacnet -> packages/zeek-plugin-bacnet
lrwxrwxrwx 1 root root 25 May 6 21:51 zeek-plugin-enip -> packages/zeek-plugin-enip
lrwxrwxrwx 1 root root 29 May 6 21:51 zeek-plugin-profinet -> packages/zeek-plugin-profinet
lrwxrwxrwx 1 root root 27 May 6 21:52 zeek-plugin-s7comm -> packages/zeek-plugin-s7comm
lrwxrwxrwx 1 root root 24 May 6 21:52 zeek-plugin-tds -> packages/zeek-plugin-tds
```
17. The `zeekctl` component of zeek doesn't like being run by an unprivileged user unless the whole directory is owned by that user. As Hedgehog Linux runs everything it can as an unprivileged user, we're going to reset zeek to a "clean" state after each reboot. Zeek's config files will get regenerated when Zeek itself is started. So, now make a complete backup of `/opt/zeek` as it's going to have its ownership changed during runtime:
```
root@hedgehog:/tmp# rsync -a /opt/zeek/ /opt/zeek.orig
root@hedgehog:/tmp# chown -R sensor:sensor /opt/zeek/*
root@hedgehog:/tmp# chown -R root:root /opt/zeek.orig/*
root@hedgehog:/tmp# ls -l /opt/ | grep zeek
drwxr-xr-x 8 root root 4096 May 8 15:48 zeek
drwxr-xr-x 8 root root 4096 May 8 15:48 zeek.orig
```
18. Grab other new scripts and stuff from our mount of the ISO using `rsync`:
```
root@hedgehog:/tmp# rsync -a user@otherbox:/media/squash/usr/local/bin/ /usr/local/bin
user@otherbox's password:
root@hedgehog:/tmp# ls -l /usr/local/bin/ | tail
lrwxrwxrwx 1 root root 18 May 8 14:34 zeek -> /opt/zeek/bin/zeek
-rwxr-xr-x 1 root staff 10349 Oct 29 2019 zeek_carve_logger.py
-rwxr-xr-x 1 root staff 10467 Oct 29 2019 zeek_carve_scanner.py
-rw-r--r-- 1 root staff 25756 Oct 29 2019 zeek_carve_utils.py
-rwxr-xr-x 1 root staff 8787 Oct 29 2019 zeek_carve_watcher.py
-rwxr-xr-x 1 root staff 4883 May 4 17:39 zeek_install_plugins.sh
root@hedgehog:/tmp# rsync -a user@otherbox:/media/squash/opt/yara-rules/ /opt/yara-rules
user@otherbox's password:
root@hedgehog:/tmp# rsync -a user@otherbox:/media/squash/opt/capa-rules/ /opt/capa-rules
user@otherbox's password:
root@hedgehog:/tmp# ls -l /opt/ | grep '\-rules'
drwxr-xr-x 8 root root 4096 May 8 15:48 capa-rules
drwxr-xr-x 8 root root 24576 May 8 15:48 yara-rules
root@hedgehog:/tmp# for BEAT in auditbeat filebeat metricbeat packetbeat protologbeat; do rsync -a user@otherbox:/media/squash/usr/share/$BEAT/kibana/ /usr/share/$BEAT/kibana; done
user@otherbox's password:
user@otherbox's password:
user@otherbox's password:
user@otherbox's password:
user@otherbox's password:
root@hedgehog:/tmp# rsync -avP --delete user@otherbox:/media/squash/etc/audit/rules.d/ /etc/audit/rules.d/
user@otherbox's password:
root@hedgehog:/tmp# rsync -avP --delete user@otherbox:/media/squash/etc/sudoers.d/ /etc/sudoers.d/
user@otherbox's password:
root@hedgehog:/tmp# chmod 400 /etc/sudoers.d/*
```
19. Set capabilities and symlinks for network capture programs to be used by the unprivileged user:
commands:
```
chown root:netdev /usr/sbin/netsniff-ng && \
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip CAP_SYS_ADMIN+eip' /usr/sbin/netsniff-ng
chown root:netdev /opt/zeek/bin/zeek && \
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' /opt/zeek/bin/zeek
chown root:netdev /sbin/ethtool && \
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /sbin/ethtool
chown root:netdev /opt/zeek/bin/capstats && \
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /opt/zeek/bin/capstats
chown root:netdev /usr/sbin/tcpdump && \
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/sbin/tcpdump
chown root:netdev /usr/share/auditbeat/bin/auditbeat && \
setcap 'CAP_AUDIT_READ+eip' /usr/share/auditbeat/bin/auditbeat
chown root:netdev /usr/share/packetbeat/bin/packetbeat && \
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/share/packetbeat/bin/packetbeat
chown root:netdev /opt/moloch/bin/moloch-capture && \
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' /opt/moloch/bin/moloch-capture
ln -s -f /opt/zeek/bin/zeek /usr/local/bin/
ln -s -f /usr/sbin/netsniff-ng /usr/local/bin/
ln -s -f /usr/sbin/tcpdump /usr/local/bin/
ln -s -f /opt/moloch/bin/moloch-capture /usr/local/bin/
ln -s -f /opt/moloch/bin/npm /usr/local/bin
ln -s -f /opt/moloch/bin/node /usr/local/bin
ln -s -f /opt/moloch/bin/npx /usr/local/bin
```
example:
```
root@hedgehog:/tmp# chown root:netdev /usr/sbin/netsniff-ng && \
> setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip CAP_SYS_ADMIN+eip' /usr/sbin/netsniff-ng
root@hedgehog:/tmp# chown root:netdev /opt/zeek/bin/zeek && \
> setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' /opt/zeek/bin/zeek
root@hedgehog:/tmp# chown root:netdev /sbin/ethtool && \
> setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /sbin/ethtool
root@hedgehog:/tmp# chown root:netdev /opt/zeek/bin/capstats && \
> setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /opt/zeek/bin/capstats
root@hedgehog:/tmp# chown root:netdev /usr/sbin/tcpdump && \
> setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/sbin/tcpdump
root@hedgehog:/tmp# chown root:netdev /usr/share/auditbeat/bin/auditbeat && \
> setcap 'CAP_AUDIT_READ+eip' /usr/share/auditbeat/bin/auditbeat
root@hedgehog:/tmp# chown root:netdev /usr/share/packetbeat/bin/packetbeat && \
> setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/share/packetbeat/bin/packetbeat
root@hedgehog:/tmp# chown root:netdev /opt/moloch/bin/moloch-capture && \
> setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' /opt/moloch/bin/moloch-capture
root@hedgehog:/tmp# ln -s -f /opt/zeek/bin/zeek /usr/local/bin/
root@hedgehog:/tmp# ln -s -f /usr/sbin/netsniff-ng /usr/local/bin/
root@hedgehog:/tmp# ln -s -f /usr/sbin/tcpdump /usr/local/bin/
root@hedgehog:/tmp# ln -s -f /opt/moloch/bin/moloch-capture /usr/local/bin/
root@hedgehog:/tmp# ln -s -f /opt/moloch/bin/npm /usr/local/bin
root@hedgehog:/tmp# ln -s -f /opt/moloch/bin/node /usr/local/bin
root@hedgehog:/tmp# ln -s -f /opt/moloch/bin/npx /usr/local/bin
```
20. Back up unprivileged user sensor-specific config and scripts:
- `mv /opt/sensor/ /opt/sensor_upgrade_backup_$(date +%Y-%m-%d)`
21. Grab unprivileged user sensor-specific config and scripts from our mount of the ISO using `rsync` and change its ownership to the unprivileged user:
```
root@hedgehog:/tmp# rsync -av user@otherbox:/media/squash/opt/sensor /opt/
user@otherbox's password:
receiving incremental file list
created directory ./opt
sensor/
[...]
sent 1,244 bytes received 1,646,409 bytes 470,758.00 bytes/sec
total size is 1,641,629 speedup is 1.00
root@hedgehog:/tmp# chown -R sensor:sensor /opt/sensor*
root@hedgehog:/tmp# ls -l /opt/ | grep sensor
drwxr-xr-x 4 sensor sensor 4096 May 6 22:00 sensor
drwxr-x--- 4 sensor sensor 4096 May 8 14:33 sensor_upgrade_backup_2020-05-08
```
22. Leave the root shell and `cd` to `/opt`
```
root@hedgehog:~# exit
logout
sensor@hedgehog:~$ whoami
sensor
sensor@hedgehog:~$ cd /opt
```
23. Compare the old and new `control_vars.conf` files
```
sensor@hedgehog:opt$ diff sensor_upgrade_backup_2020-05-08/sensor_ctl/control_vars.conf sensor/sensor_ctl/control_vars.conf
1,2c1,2
< export CAPTURE_INTERFACE=enp0s3
< export CAPTURE_FILTER="not port 5044 and not port 5601 and not port 8005 and not port 9200 and not port 9600"
---
> export CAPTURE_INTERFACE=xxxx
> export CAPTURE_FILTER=""
4c4
[...]
```
Examine the differences. If there aren't any new `export` variables, then you're probably safe to just replace the default version of `control_vars.conf` with the backed-up version:
```
sensor@hedgehog:opt$ cp sensor_upgrade_backup_2020-05-08/sensor_ctl/control_vars.conf sensor/sensor_ctl/control_vars.conf
cp: overwrite 'sensor/sensor_ctl/control_vars.conf'? y
```
If there are major differences or new variables, continue on to the next step, in a minute you'll need to run `capture-config` to configure from scratch anyway.
24. Restore certificates/keystores for forwarders from the backup `sensor_ctl` path to the new one
```
sensor@hedgehog:opt$ for BEAT in auditbeat filebeat filebeat-syslog heatbeat metricbeat; do cp /opt/sensor_upgrade_backup_2020-05-08/sensor_ctl/$BEAT/data/* /opt/sensor/sensor_ctl/$BEAT/data/; done
sensor@hedgehog:opt$ cp /opt/sensor_upgrade_backup_2020-05-07/sensor_ctl/filebeat/{ca.crt,client.crt,client.key} /opt/sensor/sensor_ctl/filebeat/
```
25. Despite what we just did, you may consider running `capture-config` to re-configure [capture, forwarding, and autostart services](#ConfigUser) from scratch anyway. You can use the backed-up version of `control_vars.conf` to refer back to as a basis for things you might want to restore (e.g., `CAPTURE_INTERFACE`, `CAPTURE_FILTER`, `PCAP_PATH`, `ZEEK_LOG_PATH`, your autostart settings, etc.).
26. Once you feel confident you've completed all of these steps, issue a reboot on the Hedgehog
## Post-upgrade
Once the Hedgehog has come back up, check to make sure everything is working:
* `/opt/sensor/sensor_ctl/status` should return `RUNNING` for the things you set to autorun (no `FATAL` errors)
* `sensorwatch` should show current writes to Zeek log files and PCAP files (depending on your configuration)
* `tail -f /opt/sensor/sensor_ctl/log/*` should show no egregious errors
* `zeek --version`, `zeek -N local` and `moloch-capture --version` ought to run and print out version information as expected
* if you are forwarding to a [Malcolm](https://github.com/cisagov/malcolm) aggregator, you should start seeing data momentarily
# <a name="Footer"></a>Copyright
Hedgehog Linux - part of [Malcolm](https://github.com/cisagov/Malcolm) - is Copyright 2021 Battelle Energy Alliance, LLC, and is developed and released through the cooperation of the Cybersecurity and Infrastructure Security Agency of the U.S. Department of Homeland Security.
See [`License.txt`](https://raw.githubusercontent.com/cisagov/Malcolm/master/License.txt) for the terms of its release.
### Contact information of author(s):
[Seth Grover](mailto:malcolm.netsec@gmail.com?subject=Network%20sensor%20development)
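Review bot: step 24 restores the filebeat certificates from `/opt/sensor_upgrade_backup_2020-05-07/sensor_ctl/filebeat/`, but step 20 creates the backup as `sensor_upgrade_backup_$(date +%Y-%m-%d)` and the preceding `cp` in the same block uses `sensor_upgrade_backup_2020-05-08`, so the second `cp` would fail against the directory name actually created; use one date in both lines, or set a variable once from the `mv` in step 20 and reuse it. Step 4's `80ssl-exceptions` snippet sets `Verify-Peer "false"` and `Verify-Host "false"` for every HTTPS apt source, not only the mirror; the host-scoped form (`Acquire::https::<mirror-host>::Verify-Peer "false";`) limits the exception to the mirror, and placing the mirror's CA certificate under `/usr/local/share/ca-certificates/` followed by `update-ca-certificates` avoids turning verification off at all. Minor: "intergrity" (8.7), "existance" (Appendix E intro) and "third-part" (step 16) are typos.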


@@ -0,0 +1,51 @@
FROM debian:buster-slim
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="malcolm.netsec@gmail.com"
ENV DEBIAN_FRONTEND noninteractive
ENV GOPATH=/go
ENV GOBIN=/go/bin
ENV GOARCH=amd64
ENV GOVERS="2:1.15~1~bpo10+1"
ENV PATH="$GOBIN:${PATH}"
ENV PYTHON_EXE=python3
RUN set -x && \
sed -i "s/buster main/buster main contrib non-free/g" /etc/apt/sources.list && \
echo "deb http://deb.debian.org/debian buster-backports main" >> /etc/apt/sources.list && \
apt-get -q update && \
apt-get install -y curl git vim-tiny && \
apt-get install -t buster-backports -y \
"golang-doc=$GOVERS" \
"golang-go=$GOVERS" \
"golang-src=$GOVERS" \
"golang=$GOVERS" \
build-essential \
python3 \
python3-dev \
python3-pip \
python3-setuptools \
python3-virtualenv \
python3-wheel \
virtualenv && \
rm -rf /var/lib/apt/lists/* && \
update-alternatives --install /usr/bin/python python /usr/bin/python3 2 && \
update-alternatives --install /usr/bin/pip pip /usr/bin/pip3 2 && \
python3 -m pip install -U pyyaml cookiecutter && \
mkdir -p "$GOPATH/bin" && \
bash -c "curl -sSL https://raw.githubusercontent.com/Masterminds/glide.sh/master/get | sed 's@https://glide.sh/@https://raw.githubusercontent.com/Masterminds/glide.sh/master/@g'| bash" && \
go get -u -d github.com/magefile/mage && \
cd $GOPATH/src/github.com/magefile/mage && \
go run bootstrap.go
ENV BEATS=metricbeat
ENV BEATS_VERSION=7.10.2
ADD ./build.sh /build.sh
RUN [ "chmod", "+x", "/build.sh" ]
RUN [ "mkdir", "-p", "/go" ]
RUN [ "mkdir", "/build" ]
CMD "/build.sh"
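Review bot: the glide installer (`curl -sSL https://raw.githubusercontent.com/Masterminds/glide.sh/master/get ... | bash`) is fetched from a moving `master` branch and piped straight into bash, and `go get -u -d github.com/magefile/mage` likewise tracks whatever commit is current, so the image is not reproducible and the build trusts those repositories' state on a given day; pin both to a release tag or commit and check the downloaded script's checksum before executing it, as the Go toolchain itself is already pinned via `GOVERS`. `CMD "/build.sh"` is the shell form, so the literal quotes are handed to `sh -c`; the exec form `CMD ["/build.sh"]`, matching the `RUN [ ... ]` lines above it, is the idiom. `ENV DEBIAN_FRONTEND noninteractive` also persists into containers run from the image; an `ARG`, or prefixing it only on the `apt-get` commands, keeps it build-time only.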


@@ -0,0 +1,26 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
VERSION="7.10.2"
THIRD_PARTY_BRANCH="master"
while getopts b:v:t: opts; do
case ${opts} in
b) BEAT=${OPTARG} ;;
v) VERSION=${OPTARG} ;;
t) THIRD_PARTY_BRANCH=${OPTARG} ;;
esac
done
if [[ -z $BEAT || -z $VERSION || -z $THIRD_PARTY_BRANCH ]] ; then
echo "usage:" >&2
echo " beat-build.sh -b <BEAT> [-v <BEAT_VERSION>] [-v <THIRD_PARTY_BEAT_BRANCH>]" >&2
echo "" >&2
echo "example:" >&2
echo " beat-build.sh -b metricbeat -v $VERSION" >&2
exit 1
fi
BEAT_DIR="$(pwd)/$(echo "$BEAT" | sed "s@^https*://@@" | sed 's@/@_@g')"
mkdir -p "$BEAT_DIR"
docker run --rm -v "$BEAT_DIR":/build -e "BEATS_VERSION=$VERSION" -e "THIRD_PARTY_BRANCH=$THIRD_PARTY_BRANCH" -e "BEATS=$BEAT" beats-build:latest
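Review bot: the usage text lists the branch option as a second `-v` (`[-v <THIRD_PARTY_BEAT_BRANCH>]`) while `getopts b:v:t:` and the `case` bind it to `-t`; change that line to `[-t <THIRD_PARTY_BEAT_BRANCH>]`. The `case` has no `*)` arm, so an unknown option only produces getopts' own message and the script carries on with `BEAT` unset until the later `-z` test; a `*) exit 1 ;;` arm fails fast. Since `$BEAT` is passed into the container as `BEATS=$BEAT` and is later used as a path or a clone URL, the usage message is the only documentation of what it accepts; a line stating that a full `https://...` repository URL is valid for third-party beats would help.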


@@ -0,0 +1,11 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
# force-navigate to script directory
SCRIPT_PATH="$( cd -P "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
pushd "$SCRIPT_PATH" >/dev/null 2>&1
docker build -t beats-build:latest .
popd >/dev/null 2>&1
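Review bot: the script's exit status is that of the final `popd`, not of `docker build`, so a failed image build exits 0 and a caller cannot detect it; add `set -e` after the shebang (as the ISO build script below does) or capture the status of `docker build` and `exit` with it after the `popd`.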


@@ -0,0 +1,69 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
echo Target version: $BEATS_VERSION
BRANCH=$(echo $BEATS_VERSION | awk -F \. {'print $1 "." $2'})
echo Target branch: $BRANCH
if [ ! -d "$GOPATH/src/github.com/elastic/beats" ]; then go get -v github.com/elastic/beats; fi
cd $GOPATH/src/github.com/elastic/beats
git checkout $BRANCH
IFS=","
BEATS_ARRAY=($BEATS)
for BEAT in "${BEATS_ARRAY[@]}"
do
if [[ -d "$GOPATH/src/github.com/elastic/beats/$BEAT" ]] ; then
# an official beat
cd "$GOPATH/src/github.com/elastic/beats/$BEAT"
make
cp "$BEAT" /build
# package
DOWNLOAD="$BEAT-$BEATS_VERSION-linux-x86.tar.gz"
if [ ! -e $DOWNLOAD ]; then curl -s -O -J "https://artifacts.elastic.co/downloads/beats/$BEAT/$DOWNLOAD"; fi
tar xf "$DOWNLOAD"
cp "$BEAT" "$BEAT-$BEATS_VERSION-linux-x86"
tar zcf "$BEAT-$BEATS_VERSION-linux-amd64.tar.gz" "$BEAT-$BEATS_VERSION-linux-x86"
cp "$BEAT-$BEATS_VERSION-linux-amd64.tar.gz" /build
elif [[ "$BEAT" =~ ^https*://(gogs\..*|github\.com) ]] ; then
BRANCH=${THIRD_PARTY_BRANCH:-"master"}
# clone from git manually rather than do a "go get"
mkdir -p "$GOPATH/src/$(dirname "$(echo "$BEAT" | sed "s@^https*://@@")")"
cd "$GOPATH/src/$(dirname "$(echo "$BEAT" | sed "s@^https*://@@")")"
git clone --depth=1 --single-branch --branch "$BRANCH" "$BEAT"
BEAT_EXE_NAME="$(basename "$BEAT" | sed "s/\.git$//")"
cd "$BEAT_EXE_NAME"
go get
go install
if [[ -f "$GOBIN/$BEAT_EXE_NAME" ]] ; then
cp "$GOBIN/$BEAT_EXE_NAME" /build
strip "/build/$BEAT_EXE_NAME"
fi
else
# a community beat?
if [[ "$BEAT" =~ gogs\..* ]]; then
INSECURE_FLAG="--insecure"
else
INSECURE_FLAG=""
fi
go get $INSECURE_FLAG "$BEAT"
BEAT_EXE_NAME="$(basename "$BEAT")"
if [[ -f "$GOBIN/$BEAT_EXE_NAME" ]] ; then
cp "$GOBIN/$BEAT_EXE_NAME" /build
strip "/build/$BEAT_EXE_NAME"
fi
fi
ls -lh /build
done
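Review bot: `curl -s -O -J` has no `-f`, so an HTTP error body (for instance if the `$BEAT-$BEATS_VERSION-linux-x86.tar.gz` name does not match what artifacts.elastic.co publishes for amd64) is saved as the tarball and the failure only surfaces as a cryptic `tar xf` error; use `curl -fsSLOJ` and confirm the artifact name against the amd64 download, given that the result is re-published as `-linux-amd64.tar.gz` three lines later. `IFS=","` is set globally and never restored, which changes word splitting for every unquoted expansion that follows (`[ ! -e $DOWNLOAD ]`, `go get $INSECURE_FLAG "$BEAT"`); confine it to the array assignment with `IFS="," read -ra BEATS_ARRAY <<< "$BEATS"`. The `--insecure` flag handed to `go get` for `gogs.*` hosts permits insecure schemes such as plain HTTP for those fetches, so third-party beats from such hosts arrive without transport integrity; trusting the gogs host's CA in the image is the safer fix.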


@@ -0,0 +1,223 @@
#!/bin/bash
IMAGE_NAME=hedgehog
IMAGE_VERSION=1.0.0
IMAGE_DISTRIBUTION=buster
BUILD_ERROR_CODE=1
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit $BUILD_ERROR_CODE
fi
set -e
RUN_PATH="$(pwd)"
SCRIPT_PATH="$( cd -P "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
pushd "$SCRIPT_PATH" >/dev/null 2>&1
WORKDIR="$(mktemp -d -t hedgehog-XXXXXX)"
function cleanup {
# unmount any chroot stuff left behind after an error
(umount -f $(mount | grep chroot | cut -d ' ' -f 3) >/dev/null 2>&1) && sleep 5
# clean up the temporary build directory
if ! rm -rf "$WORKDIR"; then
echo "Failed to remove temporary directory '$WORKDIR'"
exit $BUILD_ERROR_CODE
fi
}
if [ -d "$WORKDIR" ]; then
# ensure that if we "grabbed a lock", we release it (works for clean exit, SIGTERM, and SIGINT/Ctrl-C)
trap "cleanup" EXIT
pushd "$WORKDIR" >/dev/null 2>&1
mkdir -p ./output "./work/$IMAGE_NAME-Live-Build"
pushd "./work/$IMAGE_NAME-Live-Build" >/dev/null 2>&1
rsync -a "$SCRIPT_PATH/config" .
mkdir -p ./config/packages.chroot/
mkdir -p ./config/hooks/live
pushd ./config/hooks/live
ln -v -s -f /usr/share/live/build/hooks/live/* ./
popd >/dev/null 2>&1
mkdir -p ./config/hooks/normal
pushd ./config/hooks/normal
ln -v -s -f /usr/share/live/build/hooks/normal/* ./
rm -f ./0910-remove-apt-sources-lists
popd >/dev/null 2>&1
chown -R root:root *
# put the date in the grub.cfg entries and configure installation options
sed -i "s/\(Install Hedgehog Linux\)/\1 $(date +'%Y-%m-%d %H:%M:%S')/g" ./config/includes.binary/boot/grub/grub.cfg
cp ./config/includes.binary/install/preseed_multipar.cfg ./config/includes.binary/install/preseed_multipar_crypto.cfg
cp ./config/includes.binary/install/preseed_base.cfg ./config/includes.binary/install/preseed_minimal.cfg
sed -i "s@\(partman-auto/method[[:space:]]*string[[:space:]]*\)lvm@\1crypto@g" ./config/includes.binary/install/preseed_multipar_crypto.cfg
sed -i "s@\(/etc/capture_storage_format\)@\1.crypt@g" ./config/includes.binary/install/preseed_multipar_crypto.cfg
sed -i "s@\(/etc/capture_storage_format\)@\1.none@g" ./config/includes.binary/install/preseed_minimal.cfg
# create a hook for installing Python packages required by interface
if [ -f "$SCRIPT_PATH/interface/requirements.txt" ]; then
echo "#!/bin/sh" >> ./config/hooks/normal/0168-pip-sensor-interface-installs.hook.chroot
echo "export LC_ALL=C.UTF-8" >> ./config/hooks/normal/0168-pip-sensor-interface-installs.hook.chroot
echo "export LANG=C.UTF-8" >> ./config/hooks/normal/0168-pip-sensor-interface-installs.hook.chroot
echo -n "pip3 install --system --no-compile --no-cache-dir --force-reinstall --upgrade" >> ./config/hooks/normal/0168-pip-sensor-interface-installs.hook.chroot
while read LINE; do
echo -n -e " \\\\\n $LINE" >> ./config/hooks/normal/0168-pip-sensor-interface-installs.hook.chroot
done <"$SCRIPT_PATH/interface/requirements.txt"
echo "" >> ./config/hooks/normal/0168-pip-sensor-interface-installs.hook.chroot
chmod +x ./config/hooks/normal/0168-pip-sensor-interface-installs.hook.chroot
fi
# make sure we install the newer kernel, firmwares, and kernel headers
echo "linux-image-$(uname -r)" > ./config/package-lists/kernel.list.chroot
echo "linux-headers-$(uname -r)" >> ./config/package-lists/kernel.list.chroot
echo "linux-compiler-gcc-8-x86=$(dpkg -s linux-compiler-gcc-8-x86 | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot
echo "linux-kbuild-5.10=$(dpkg -s linux-kbuild-5.10 | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot
echo "firmware-linux=$(dpkg -s firmware-linux | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot
echo "firmware-linux-nonfree=$(dpkg -s firmware-linux-nonfree | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot
echo "firmware-misc-nonfree=$(dpkg -s firmware-misc-nonfree | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot
echo "firmware-amd-graphics=$(dpkg -s firmware-amd-graphics | grep ^Version: | cut -d' ' -f2)" >> ./config/package-lists/kernel.list.chroot
# and make sure we remove the old stuff when it's all over
echo "#!/bin/sh" > ./config/hooks/normal/9999-remove-old-kernel-artifacts.hook.chroot
echo "export LC_ALL=C.UTF-8" >> ./config/hooks/normal/9999-remove-old-kernel-artifacts.hook.chroot
echo "export LANG=C.UTF-8" >> ./config/hooks/normal/9999-remove-old-kernel-artifacts.hook.chroot
echo "apt-get -y --purge remove *4.19* || true" >> ./config/hooks/normal/9999-remove-old-kernel-artifacts.hook.chroot
echo "apt-get -y autoremove" >> ./config/hooks/normal/9999-remove-old-kernel-artifacts.hook.chroot
echo "apt-get clean" >> ./config/hooks/normal/9999-remove-old-kernel-artifacts.hook.chroot
chmod +x ./config/hooks/normal/9999-remove-old-kernel-artifacts.hook.chroot
mkdir -p ./config/includes.chroot/opt/hedgehog_install_artifacts
# copy the interface code into place for the resultant image
mkdir -p ./config/includes.chroot/opt
rsync -a "$SCRIPT_PATH/interface/" ./config/includes.chroot/opt/sensor/
chown -R root:root ./config/includes.chroot/opt/sensor/
rm -rf ./config/includes.chroot/opt/sensor/.git ./config/includes.chroot/opt/sensor/HedgehogLinux.md ./config/includes.chroot/opt/sensor/requirements.txt ./config/includes.chroot/opt/sensor/setup.py
sed -i "s@/home/sensor/sensor_interface@/opt/sensor@g" ./config/includes.chroot/opt/sensor/kiosk.service
# replace capture interface for now, it'll need to be automatically detected/configured on boot
sed -i "s/CAPTURE_INTERFACE=.*/CAPTURE_INTERFACE=xxxx/g" ./config/includes.chroot/opt/sensor/sensor_ctl/control_vars.conf
# copy shared scripts
rsync -a "$SCRIPT_PATH/shared/bin/" ./config/includes.chroot/usr/local/bin/
chown -R root:root ./config/includes.chroot/usr/local/bin/
if [[ -f "$SCRIPT_PATH/shared/version.txt" ]]; then
SHARED_IMAGE_VERSION="$(cat "$SCRIPT_PATH/shared/version.txt" | head -n 1)"
[[ -n $SHARED_IMAGE_VERSION ]] && IMAGE_VERSION="$SHARED_IMAGE_VERSION"
fi
# write out some version stuff specific to this installation version
echo "BUILD_ID=\"$(date +'%Y-%m-%d')-${IMAGE_VERSION}\"" > ./config/includes.chroot/opt/sensor/.os-info
echo "VARIANT=\"Hedgehog Linux (Sensor) v${IMAGE_VERSION}\"" >> ./config/includes.chroot/opt/sensor/.os-info
echo "VARIANT_ID=\"hedgehog-sensor\"" >> ./config/includes.chroot/opt/sensor/.os-info
echo "ID_LIKE=\"debian\"" >> ./config/includes.chroot/opt/sensor/.os-info
echo "HOME_URL=\"https://malcolm.fyi\"" >> ./config/includes.chroot/opt/sensor/.os-info
echo "DOCUMENTATION_URL=\"https://malcolm.fyi/hedgehog/\"" >> ./config/includes.chroot/opt/sensor/.os-info
echo "SUPPORT_URL=\"https://github.com/cisagov\"" >> ./config/includes.chroot/opt/sensor/.os-info
echo "BUG_REPORT_URL=\"https://github.com/cisagov/malcolm/issues\"" >> ./config/includes.chroot/opt/sensor/.os-info
# grab maxmind geoip database files, iana ipv4 address ranges, wireshark oui lists, etc.
mkdir -p "$SCRIPT_PATH/moloch/etc"
pushd "$SCRIPT_PATH/moloch/etc"
MAXMIND_GEOIP_DB_LICENSE_KEY=""
if [[ -f "$SCRIPT_PATH/shared/maxmind_license.txt" ]]; then
MAXMIND_GEOIP_DB_LICENSE_KEY="$(cat "$SCRIPT_PATH/shared/maxmind_license.txt" | head -n 1)"
if [[ ${#MAXMIND_GEOIP_DB_LICENSE_KEY} -gt 1 ]]; then
for DB in ASN Country City; do
curl -s -S -L -o "GeoLite2-$DB.mmdb.tar.gz" "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-$DB&license_key=$MAXMIND_GEOIP_DB_LICENSE_KEY&suffix=tar.gz"
tar xvf "GeoLite2-$DB.mmdb.tar.gz" --wildcards --no-anchored '*.mmdb' --strip=1
rm -f "GeoLite2-$DB.mmdb.tar.gz"
done
fi
fi
curl -s -S -L -o ipv4-address-space.csv "https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv"
curl -s -S -L -o oui.txt "https://raw.githubusercontent.com/wireshark/wireshark/master/manuf"
popd >/dev/null 2>&1
# clone and build Arkime .deb package in its own clean environment (rather than in hooks/)
bash "$SCRIPT_PATH/moloch/build-docker-image.sh"
docker run --rm -v "$SCRIPT_PATH"/moloch:/build arkime-build:latest -o /build
cp "$SCRIPT_PATH/moloch"/*.deb ./config/includes.chroot/opt/hedgehog_install_artifacts/
mv "$SCRIPT_PATH/moloch"/*.deb ./config/packages.chroot/
# clone and build custom protologbeat from github for logging temperature, etc.
mkdir -p ./config/includes.chroot/usr/local/bin/
bash "$SCRIPT_PATH/beats/build-docker-image.sh"
bash "$SCRIPT_PATH/beats/beat-build.sh" -b "https://github.com/mmguero-dev/protologbeat" -t "es_7_10_2_compat"
cp github.com_mmguero-dev_protologbeat/protologbeat ./config/includes.chroot/opt/hedgehog_install_artifacts/
mv github.com_mmguero-dev_protologbeat/protologbeat ./config/includes.chroot/usr/local/bin
# format and copy documentation
pushd "$SCRIPT_PATH/"
pushd ./docs/images
ls -1 *.png | xargs -n 1 bash -c 'convert "$0" "${0%.*}.jpg"'
popd >/dev/null 2>&1
cp README.md HedgehogLinux.jpg.md
sed -i "s/.png/.jpg/g" HedgehogLinux.jpg.md
sed -i "s@/docs/logo/@/docs/images/@g" HedgehogLinux.jpg.md
sed -i "s/^# Hedgehog Linux$//" HedgehogLinux.jpg.md
pandoc -s --self-contained --metadata title="Hedgehog Linux" --css doc.css -o HedgehogLinux.html HedgehogLinux.jpg.md
rm -f HedgehogLinux.jpg.md
popd >/dev/null 2>&1
mkdir -p ./config/includes.chroot/usr/share/doc/hedgehog
cp "$SCRIPT_PATH/"*.html ./config/includes.chroot/usr/share/doc/hedgehog/
mkdir -p ./config/includes.chroot/usr/share/fonts/truetype/ubuntu/ ./config/includes.chroot/usr/share/images/hedgehog/ ./config/includes.chroot/usr/share/images/desktop-base/
cp "$SCRIPT_PATH/docs/logo/"*.png ./config/includes.chroot/usr/share/images/hedgehog/
ln -r -s ./config/includes.chroot/usr/share/images/hedgehog/*wallpaper*.png ./config/includes.chroot/usr/share/images/desktop-base/
find "$SCRIPT_PATH/docs/logo/font" -type f -name "*.ttf" -exec cp "{}" ./config/includes.chroot/usr/share/fonts/truetype/ubuntu/ \;
mkdir -p ./config/includes.installer
cp -v ./config/includes.binary/install/* ./config/includes.installer/
cp -v ./config/includes.chroot/usr/local/bin/preseed_partman_determine_disk.sh ./config/includes.installer/
lb config \
--image-name "$IMAGE_NAME" \
--debian-installer live \
--debian-installer-gui false \
--debian-installer-distribution $IMAGE_DISTRIBUTION \
--distribution $IMAGE_DISTRIBUTION \
--linux-packages "linux-image-$(uname -r | sed 's/-amd64$//')" \
--architectures amd64 \
--binary-images iso-hybrid \
--bootloaders "syslinux,grub-efi" \
--memtest none \
--chroot-filesystem squashfs \
--backports true \
--security true \
--updates true \
--source false \
--apt-indices none \
--apt-source-archives false \
--archive-areas 'main contrib non-free' \
--debootstrap-options "--include=apt-transport-https,gnupg,ca-certificates,openssl" \
--apt-options "--yes --allow-downgrades --allow-remove-essential --allow-change-held-packages"
lb build 2>&1 | tee "$WORKDIR/output/$IMAGE_NAME-$IMAGE_VERSION-build.log"
if [ -f "$IMAGE_NAME-amd64.hybrid.iso" ]; then
mv "$IMAGE_NAME-amd64.hybrid.iso" "$RUN_PATH/$IMAGE_NAME-$IMAGE_VERSION.iso" && \
echo "Finished, created \"$RUN_PATH/$IMAGE_NAME-$IMAGE_VERSION.iso\""
BUILD_ERROR_CODE=0
else
echo "Error creating ISO, see log file"
BUILD_ERROR_CODE=2
fi
mv "$WORKDIR/output/$IMAGE_NAME-$IMAGE_VERSION-build.log" "$RUN_PATH/"
popd >/dev/null 2>&1
popd >/dev/null 2>&1
else
echo "Unable to create temporary directory \"$WORKDIR\""
fi
popd >/dev/null 2>&1
exit $BUILD_ERROR_CODE
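Review bot: the `curl -s -S -L -o ...` downloads of the GeoLite2 tarballs, `ipv4-address-space.csv` and `oui.txt` lack `-f`/`--fail`, so an HTTP error body (or a redirect to an HTML page) is silently saved under that name and baked into the image; add `-f` and abort the build on a non-zero exit. In the same block the MaxMind key is placed on the command line (`license_key=$MAXMIND_GEOIP_DB_LICENSE_KEY`), where it is visible to every process on the build host via the process list; feed it to curl through `--config -` on stdin instead. Separately, the hook written by `echo "apt-get -y --purge remove *4.19* || true"` contains an unquoted glob that the chroot shell expands against its working directory before apt sees it; quote it as `'*4.19*'`, and note that `|| true` also hides a failed removal of the old kernel.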

View File

@@ -0,0 +1,93 @@
#!/bin/bash
SCRIPT_PATH="$( cd -P "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
function vm_state() {
vagrant status --machine-readable | grep ",state," | egrep -o '([a-z_]*)$'
}
function vm_is_running() {
STATE="$(vm_state)"
if [[ "$STATE" == "running" ]] ; then
return 0
else
return 1
fi
}
function vm_execute() {
echo "Running $1" >&2
vagrant ssh --no-tty --command "$1"
}
function cleanup_shared {
rm -rf "$SCRIPT_PATH"/shared
}
unset FORCE_PROVISION
while getopts 'f' OPTION; do
case "$OPTION" in
f)
FORCE_PROVISION=0
;;
?)
echo "script usage: $(basename $0) [-f]" >&2
exit 1
;;
esac
done
shift "$(($OPTIND -1))"
pushd "$SCRIPT_PATH"/vagrant
VM_NAME="$(grep "config.vm.box" Vagrantfile | tr -d "[:space:]" | sed "s/.*=//")"
if [[ -n $FORCE_PROVISION ]]; then
echo "Destroying build machine to force provisioning..." >&2
vagrant destroy -f
sleep 1
fi
# make sure the VM is up and running, or start it otherwise
if ! vm_is_running; then
echo "Starting build machine..." >&2
vagrant up
NEED_SHUTDOWN=true
sleep 1
fi
until vm_is_running; do
echo "Waiting for $VM_NAME..." >&2
sleep 1
done
echo "$VM_NAME is running!" >&2
# make sure we can connect via SSH
echo "Checking SSH availability..." >&2
until vm_execute 'sudo whoami' | grep -q "root" ; do
echo "Waiting for SSH availability..." >&2
sleep 1
done
echo "SSH available." >&2
# need to make a temporary local copy of the ../shared directory (and clean it up when we're done)
cleanup_shared
cp -r "$SCRIPT_PATH"/../shared "$SCRIPT_PATH"/
YML_IMAGE_VERSION="$(grep -P "^\s+image:\s*malcolm" "$SCRIPT_PATH"/../docker-compose-standalone.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)"
[[ -n $YML_IMAGE_VERSION ]] && echo "$YML_IMAGE_VERSION" > "$SCRIPT_PATH"/shared/version.txt
[[ ${#MAXMIND_GEOIP_DB_LICENSE_KEY} -gt 1 ]] && echo "$MAXMIND_GEOIP_DB_LICENSE_KEY" > "$SCRIPT_PATH"/shared/maxmind_license.txt
trap cleanup_shared EXIT
vm_execute "sudo bash -c \"whoami && cd /sensor-build && pwd && ./build.sh\""
if [[ -n $NEED_SHUTDOWN ]]; then
echo "Shutting down $VM_NAME..." >&2
vagrant halt
sleep 1
while vm_is_running; do
echo "Waiting for $VM_NAME to shutdown..." >&2
sleep 1
done
echo "$VM_NAME is stopped." >&2
fi
popd
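Review bot: `trap cleanup_shared EXIT` is installed only after the plaintext license key has been written by `echo "$MAXMIND_GEOIP_DB_LICENSE_KEY" > "$SCRIPT_PATH"/shared/maxmind_license.txt`, so an interruption between the `cp -r "$SCRIPT_PATH"/../shared` and the `trap` line leaves the key on disk inside the repository checkout. Move the `trap` to directly after the initial `cleanup_shared` call so the temporary copy is always removed. The `-f` handling is also easy to misread: `FORCE_PROVISION=0` only works because the later test is `[[ -n $FORCE_PROVISION ]]`; a value such as `true` would make the intent obvious.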

View File

@@ -0,0 +1,52 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)
=j+4q
-----END PGP PUBLIC KEY BLOCK-----

View File

@@ -0,0 +1,52 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)
mQINBFE9lCwBEADi0WUAApM/mgHJRU8lVkkw0CHsZNpqaQDNaHefD6Rw3S4LxNmM
EZaOTkhP200XZM8lVdbfUW9xSjA3oPldc1HG26NjbqqCmWpdo2fb+r7VmU2dq3NM
R18ZlKixiLDE6OUfaXWKamZsXb6ITTYmgTO6orQWYrnW6ckYHSeaAkW0wkDAryl2
B5v8aoFnQ1rFiVEMo4NGzw4UX+MelF7rxaaregmKVTPiqCOSPJ1McC1dHFN533FY
Wh/RVLKWo6npu+owtwYFQW+zyQhKzSIMvNujFRzhIxzxR9Gn87MoLAyfgKEzrbbT
DhqqNXTxS4UMUKCQaO93TzetX/EBrRpJj+vP640yio80h4Dr5pAd7+LnKwgpTDk1
G88bBXJAcPZnTSKu9I2c6KY4iRNbvRz4i+ZdwwZtdW4nSdl2792L7Sl7Nc44uLL/
ZqkKDXEBF6lsX5XpABwyK89S/SbHOytXv9o4puv+65Ac5/UShspQTMSKGZgvDauU
cs8kE1U9dPOqVNCYq9Nfwinkf6RxV1k1+gwtclxQuY7UpKXP0hNAXjAiA5KS5Crq
7aaJg9q2F4bub0mNU6n7UI6vXguF2n4SEtzPRk6RP+4TiT3bZUsmr+1ktogyOJCc
Ha8G5VdL+NBIYQthOcieYCBnTeIH7D3Sp6FYQTYtVbKFzmMK+36ERreL/wARAQAB
tD1TeWx2ZXN0cmUgTGVkcnUgLSBEZWJpYW4gTExWTSBwYWNrYWdlcyA8c3lsdmVz
dHJlQGRlYmlhbi5vcmc+iQI4BBMBAgAiBQJRPZQsAhsDBgsJCAcDAgYVCAIJCgsE
FgIDAQIeAQIXgAAKCRAVz00Yr090Ibx+EADArS/hvkDF8juWMXxh17CgR0WZlHCC
9CTBWkg5a0bNN/3bb97cPQt/vIKWjQtkQpav6/5JTVCSx2riL4FHYhH0iuo4iAPR
udC7Cvg8g7bSPrKO6tenQZNvQm+tUmBHgFiMBJi92AjZ/Qn1Shg7p9ITivFxpLyX
wpmnF1OKyI2Kof2rm4BFwfSWuf8Fvh7kDMRLHv+MlnK/7j/BNpKdozXxLcwoFBmn
l0WjpAH3OFF7Pvm1LJdf1DjWKH0Dc3sc6zxtmBR/KHHg6kK4BGQNnFKujcP7TVdv
gMYv84kun14pnwjZcqOtN3UJtcx22880DOQzinoMs3Q4w4o05oIF+sSgHViFpc3W
R0v+RllnH05vKZo+LDzc83DQVrdwliV12eHxrMQ8UYg88zCbF/cHHnlzZWAJgftg
hB08v1BKPgYRUzwJ6VdVqXYcZWEaUJmQAPuAALyZESw94hSo28FAn0/gzEc5uOYx
K+xG/lFwgAGYNb3uGM5m0P6LVTfdg6vDwwOeTNIExVk3KVFXeSQef2ZMkhwA7wya
KJptkb62wBHFE+o9TUdtMCY6qONxMMdwioRE5BYNwAsS1PnRD2+jtlI0DzvKHt7B
MWd8hnoUKhMeZ9TNmo+8CpsAtXZcBho0zPGz/R8NlJhAWpdAZ1CmcPo83EW86Yq7
BxQUKnNHcwj2ebkCDQRRPZQsARAA4jxYmbTHwmMjqSizlMJYNuGOpIidEdx9zQ5g
zOr431/VfWq4S+VhMDhs15j9lyml0y4ok215VRFwrAREDg6UPMr7ajLmBQGau0Fc
bvZJ90l4NjXp5p0NEE/qOb9UEHT7EGkEhaZ1ekkWFTWCgsy7rRXfZLxB6sk7pzLC
DshyW3zjIakWAnpQ5j5obiDy708pReAuGB94NSyb1HoW/xGsGgvvCw4r0w3xPStw
F1PhmScE6NTBIfLliea3pl8vhKPlCh54Hk7I8QGjo1ETlRP4Qll1ZxHJ8u25f/ta
RES2Aw8Hi7j0EVcZ6MT9JWTI83yUcnUlZPZS2HyeWcUj+8nUC8W4N8An+aNps9l/
21inIl2TbGo3Yn1JQLnA1YCoGwC34g8QZTJhElEQBN0X29ayWW6OdFx8MDvllbBV
ymmKq2lK1U55mQTfDli7S3vfGz9Gp/oQwZ8bQpOeUkc5hbZszYwP4RX+68xDPfn+
M9udl+qW9wu+LyePbW6HX90LmkhNkkY2ZzUPRPDHZANU5btaPXc2H7edX4y4maQa
xenqD0lGh9LGz/mps4HEZtCI5CY8o0uCMF3lT0XfXhuLksr7Pxv57yue8LLTItOJ
d9Hmzp9G97SRYYeqU+8lyNXtU2PdrLLq7QHkzrsloG78lCpQcalHGACJzrlUWVP/
fN3Ht3kAEQEAAYkCHwQYAQIACQUCUT2ULAIbDAAKCRAVz00Yr090IbhWEADbr50X
OEXMIMGRLe+YMjeMX9NG4jxs0jZaWHc/WrGR+CCSUb9r6aPXeLo+45949uEfdSsB
pbaEdNWxF5Vr1CSjuO5siIlgDjmT655voXo67xVpEN4HhMrxugDJfCa6z97P0+ML
PdDxim57uNqkam9XIq9hKQaurxMAECDPmlEXI4QT3eu5qw5/knMzDMZj4Vi6hovL
wvvAeLHO/jsyfIdNmhBGU2RWCEZ9uo/MeerPHtRPfg74g+9PPfP6nyHD2Wes6yGd
oVQwtPNAQD6Cj7EaA2xdZYLJ7/jW6yiPu98FFWP74FN2dlyEA2uVziLsfBrgpS4l
tVOlrO2YzkkqUGrybzbLpj6eeHx+Cd7wcjI8CalsqtL6cG8cUEjtWQUHyTbQWAgG
5VPEgIAVhJ6RTZ26i/G+4J8neKyRs4vz+57UGwY6zI4AB1ZcWGEE3Bf+CDEDgmnP
LSwbnHefK9IljT9XU98PelSryUO/5UPw7leE0akXKB4DtekToO226px1VnGp3Bov
1GBGvpHvL2WizEwdk+nfk8LtrLzej+9FtIcq3uIrYnsac47Pf7p0otcFeTJTjSq3
krCaoG4Hx0zGQG2ZFpHrSrZTVy6lxvIdfi0beMgY6h78p6M9eYZHQHc02DjFkQXN
bXb5c6gCHESH5PXwPU4jQEE7Ib9J6sbk7ZT2Mw==
=j+4q
-----END PGP PUBLIC KEY BLOCK-----
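Review bot: this armored key carries no comment identifying it, and the preceding file appears to be the same key (same `Version:` header and `=j+4q` checksum). The user ID packet decodes to "Sylvestre Ledru - Debian LLVM packages <sylvestre@debian.org>", which matches the apt.llvm.org source added in the next file; record the key's fingerprint and where it was fetched from next to the file (or in the README) so it can be audited and rotated, and consider generating the second copy at build time rather than committing two identical blobs.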

View File

@@ -0,0 +1 @@
deb http://apt.llvm.org/buster/ llvm-toolchain-buster-11 main
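Review bot: the source line has no `[signed-by=...]` option, so the LLVM key shipped alongside it becomes trusted for every configured repository rather than only apt.llvm.org. Prefer `deb [signed-by=/usr/share/keyrings/<llvm-keyring>.gpg] http://apt.llvm.org/buster/ llvm-toolchain-buster-11 main` (keyring path is a placeholder) with the key stored in that keyring file instead of the global trusted set. Plain `http://` is acceptable only because the InRelease signature then carries the whole trust, which is one more reason to scope the key.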

View File

@@ -0,0 +1 @@
deb http://apt.llvm.org/buster/ llvm-toolchain-buster-11 main

File diff suppressed because it is too large

File diff suppressed because it is too large

View File

@@ -0,0 +1 @@
deb https://people.debian.org/~lucas/virtualbox-buster/ ./
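Review bot: `https://people.debian.org/~lucas/virtualbox-buster/ ./` is a flat repository in a personal namespace (hence the trailing `./` with no suite or component), and no signing key for it is visible in this commit; apt will either refuse it as unsigned or, if `trusted=yes` is added later, install unverified packages from it. Document which key signs this repository, pin it with `[signed-by=...]`, and add a comment explaining why VirtualBox packages are required in the sensor build image.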

View File

@@ -0,0 +1 @@
deb https://people.debian.org/~lucas/virtualbox-buster/ ./

View File

@@ -0,0 +1,37 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
export LC_ALL=C.UTF-8
export LANG=C.UTF-8
curl -o /tmp/firefox.tar.bz2 -L "https://download.mozilla.org/?product=firefox-latest-ssl&os=linux64&lang=en-US"
if [ $(file -b --mime-type /tmp/firefox.tar.bz2) = 'application/x-bzip2' ]; then
mkdir -p /opt
rm -rvf /opt/firefox
tar -xvf /tmp/firefox.tar.bz2 -C /opt/
rm -vf /tmp/firefox.tar.bz2
if [[ -f /opt/firefox/firefox ]]; then
rm -vf /usr/local/bin/firefox
ln -vrs /opt/firefox/firefox /usr/local/bin/firefox
dpkg -s firefox-esr >/dev/null 2>&1 && apt-get -y --purge remove firefox-esr || true
cat << 'EOF' > /usr/share/applications/firefox.desktop
[Desktop Entry]
Name=Firefox
Comment=Web Browser
GenericName=Web Browser
X-GNOME-FullName=Firefox Web Browser
Exec=/opt/firefox/firefox %u
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=/opt/firefox/browser/chrome/icons/default/default128.png
Categories=Network;WebBrowser;
MimeType=text/html;text/xml;application/xhtml+xml;application/xml;application/vnd.mozilla.xul+xml;application/rss+xml;application/rdf+xml;image/gif;image/jpeg;image/png;x-scheme-handler/http;x-scheme-handler/https;
StartupWMClass=Firefox
StartupNotify=true
EOF
fi
fi # /tmp/firefox.tar.bz2 check
rm -f /tmp/firefox.tar.bz2
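Review bot: the download at `curl -o /tmp/firefox.tar.bz2 -L "https://download.mozilla.org/?product=firefox-latest-ssl..."` is unpinned and unverified; the only check is `file -b --mime-type`, which establishes that a bzip2 archive arrived, not that it is genuine or which version ended up in the image. Pin a release and verify it against Mozilla's published SHA256SUMS (and their signature) before `tar -xvf`, add `-f` to curl so an error page is not the thing being inspected, and quote the substitution in the test (`[ "$(file -b --mime-type /tmp/firefox.tar.bz2)" = 'application/x-bzip2' ]`) so unexpected output with whitespace cannot break the `[`.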

View File

@@ -0,0 +1,15 @@
#!/bin/sh
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
export LC_ALL=C.UTF-8
export LANG=C.UTF-8
export CC="clang-11"
export CXX="clang++-11"
export ASM="clang-11"
# python 3
pip3 install --no-compile --no-cache-dir --force-reinstall --upgrade \
clamd \
debinterface==3.4.0 \
pyzmq
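Review bot: `pip3 install --no-compile --no-cache-dir --force-reinstall --upgrade` pins only `debinterface==3.4.0`; `clamd` and `pyzmq` resolve to whatever PyPI serves on the day of the build, which makes the image non-reproducible and exposes the build to a compromised or yanked release. Pin all three, preferably from a requirements file installed with `--require-hashes`, as the interface packages are already handled through `interface/requirements.txt` in `build.sh`.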

View File

@@ -0,0 +1,42 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
sed -i 's/^exit 0//' /etc/rc.local 2>/dev/null
cat << 'EOF' >> /etc/rc.local
# if this is the initial boot, format and set up capture drive(s)
if [ -f /etc/capture_storage_format.crypt ]; then
CAPTURE_STORAGE_FORMAT_FILE="/etc/capture_storage_format.crypt"
CAPTURE_STORAGE_FORMAT_FLAG="-c"
else
CAPTURE_STORAGE_FORMAT_FILE="/etc/capture_storage_format"
CAPTURE_STORAGE_FORMAT_FLAG=""
fi
if [ -f "$CAPTURE_STORAGE_FORMAT_FILE" ]; then
logger "Initializing disk(s) to store captured artifacts"
date >>/var/log/sensor-capture-disk-config.log 2>&1
python3 /usr/local/bin/sensor-capture-disk-config.py -u $CAPTURE_STORAGE_FORMAT_FLAG >>/var/log/sensor-capture-disk-config.log 2>&1
rm -f "$CAPTURE_STORAGE_FORMAT_FILE"
fi
# other sensor-specific initialization prior to starting capture/forwarding jobs
/usr/local/bin/sensor-init.sh
# run supervisor of capture-related services as non-privileged user
if [ -f /opt/sensor/sensor_ctl/supervisor.sh ]; then
( getent passwd 1000 >/dev/null 2>&1 ) && sudo -H -u '#1000' /opt/sensor/sensor_ctl/supervisor.sh
fi
# hddtemp daemon for querying HDD temperatures
/usr/sbin/hddtemp --daemon --numeric --quiet --unit=C -4 --listen=127.0.0.1 --port=7634 /dev/sd?
systemctl mask ctrl-alt-del.target
exit 0
EOF
sed -i "1i #!/bin/sh" /etc/rc.local
chmod +x /etc/rc.local /usr/local/bin/*.sh /usr/local/bin/configure-*.py
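Review bot: in the appended `/etc/rc.local` block, `rm -f "$CAPTURE_STORAGE_FORMAT_FILE"` runs unconditionally after `python3 /usr/local/bin/sensor-capture-disk-config.py ...`, so if disk initialization fails on first boot the flag file is consumed and it is never retried; remove the flag only on success (`... && rm -f "$CAPTURE_STORAGE_FORMAT_FILE"`) and log the exit code. `sed -i "1i #!/bin/sh" /etc/rc.local` also inserts a shebang even when the file already starts with one, leaving a duplicate line; guard it with `head -n1 /etc/rc.local | grep -q '^#!'`. Finally, `sudo -H -u '#1000'` hard-codes the sensor account's UID; a named account would be clearer and safer if the UID ever changes.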

View File

@@ -0,0 +1,264 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
# some environment variables needed for build using llvm/clang
export CC="clang-11"
export CXX="clang++-11"
export ASM="clang-11"
export CCACHE_DIR="/var/spool/ccache"
export CCACHE_COMPRESS=1
NETSNIFF_VER="0.6.8"
NETSNIFF_URL="https://github.com/netsniff-ng/netsniff-ng/archive/v$NETSNIFF_VER.tar.gz"
ZEEK_VERSION=4.0.3-0
ZEEK_LTS=1
SPICY_VERSION=1.1.0
ZEEK_DIR="/opt/zeek"
SPICY_DIR="/opt/spicy"
export PATH="${ZEEK_DIR}"/bin:"${SPICY_DIR}"/bin:$PATH
BEATS_VER="7.10.2"
BEATS_OSS="-oss"
BEATS_DEB_URL_TEMPLATE_REPLACER="XXXXX"
BEATS_DEB_URL_TEMPLATE="https://artifacts.elastic.co/downloads/beats/$BEATS_DEB_URL_TEMPLATE_REPLACER/$BEATS_DEB_URL_TEMPLATE_REPLACER$BEATS_OSS-$BEATS_VER-amd64.deb"
YARA_VERSION="4.1.1"
YARA_URL="https://github.com/VirusTotal/yara/archive/v${YARA_VERSION}.tar.gz"
YARA_RULES_URL="https://codeload.github.com/Neo23x0/signature-base/tar.gz/master"
YARA_RULES_DIR="/opt/yara-rules"
CAPA_VERSION="1.6.3"
CAPA_URL="https://github.com/fireeye/capa/releases/download/v${CAPA_VERSION}/capa-v${CAPA_VERSION}-linux.zip"
CAPA_DIR="/usr/local/bin"
CAPA_BIN="${CAPA_DIR}/capa"
mkdir -p /opt/hedgehog_install_artifacts/
# install a newer cmake from backports
apt-get -q update
apt-get install -q -y -t buster-backports --no-install-recommends cmake
# a moloch .deb is built and installed in a different context
# Install netsniff-ng
cd /tmp
curl -L -o netsniff-$NETSNIFF_VER.tar.gz "$NETSNIFF_URL"
tar -xzvf netsniff-$NETSNIFF_VER.tar.gz
cd netsniff-ng-$NETSNIFF_VER
./configure --prefix=/usr --disable-geoip
make netsniff-ng
# make netsniff-ng_install
checkinstall -y -D --strip=yes --stripso=yes --install=yes --fstrans=no --pkgname="netsniff-ng" --pkgversion="$NETSNIFF_VER" --pkgarch="amd64" --pkgsource="$NETSNIFF_URL" make netsniff-ng_install
cp *.deb /opt/hedgehog_install_artifacts/
cd ..
rm -Rf netsniff-$NETSNIFF_VER.tar.gz netsniff-ng-$NETSNIFF_VER
##
# Download and install zeek, spicy and 3rd-party zeek plugins
mkdir -p /tmp/zeek-packages /tmp/spicy-packages "${CCACHE_DIR}"
# zeek
cd /tmp/zeek-packages
if [ -n "${ZEEK_LTS}" ]; then ZEEK_LTS="-lts"; fi && export ZEEK_LTS
curl -sSL --remote-name-all \
"https://download.opensuse.org/repositories/security:/zeek/Debian_10/amd64/libbroker${ZEEK_LTS}-dev_${ZEEK_VERSION}_amd64.deb" \
"https://download.opensuse.org/repositories/security:/zeek/Debian_10/amd64/zeek${ZEEK_LTS}-core-dev_${ZEEK_VERSION}_amd64.deb" \
"https://download.opensuse.org/repositories/security:/zeek/Debian_10/amd64/zeek${ZEEK_LTS}-core_${ZEEK_VERSION}_amd64.deb" \
"https://download.opensuse.org/repositories/security:/zeek/Debian_10/amd64/zeek${ZEEK_LTS}-libcaf-dev_${ZEEK_VERSION}_amd64.deb" \
"https://download.opensuse.org/repositories/security:/zeek/Debian_10/amd64/zeek${ZEEK_LTS}_${ZEEK_VERSION}_amd64.deb" \
"https://download.opensuse.org/repositories/security:/zeek/Debian_10/amd64/zeek${ZEEK_LTS}-btest_${ZEEK_VERSION}_amd64.deb" \
"https://download.opensuse.org/repositories/security:/zeek/Debian_10/amd64/zeek${ZEEK_LTS}-zkg_${ZEEK_VERSION}_amd64.deb" \
"https://download.opensuse.org/repositories/security:/zeek/Debian_10/amd64/zeekctl${ZEEK_LTS}_${ZEEK_VERSION}_amd64.deb"
dpkg -i ./*.deb
# spicy
cd /tmp/spicy-packages
curl -sSL --remote-name-all \
"https://github.com/zeek/spicy/releases/download/v${SPICY_VERSION}/spicy_linux_debian10.deb"
dpkg -i ./*.deb
# plugins
cd /tmp
zkg autoconfig --force
zkg install --force --skiptests zeek/spicy-plugin
bash /usr/local/bin/zeek_install_plugins.sh
for FILE in /opt/zeek/var/lib/zkg/logs/*; do
[[ -r "$FILE" ]] && echo "$FILE" && cat "$FILE" && echo ""
done
# cleanup/strip build artifacts
find "${ZEEK_DIR}"/lib -type d -name CMakeFiles -exec rm -rf "{}" \; 2>/dev/null || true
find "${ZEEK_DIR}"/var/lib/zkg -type d -name build -exec rm -rf "{}" \; 2>/dev/null || true
find "${ZEEK_DIR}"/var/lib/zkg/clones -type d -name .git -execdir bash -c "pwd; du -sh; git pull --depth=1 --ff-only; git reflog expire --expire=all --all; git tag -l | xargs -r git tag -d; git gc --prune=all; du -sh" \;
rm -rf "${ZEEK_DIR}"/var/lib/zkg/scratch
find "${ZEEK_DIR}/" "${SPICY_DIR}/" -type f -exec file "{}" \; | grep -Pi "ELF 64-bit.*not stripped" | sed 's/:.*//' | xargs -l -r strip --strip-unneeded
mkdir -p "${ZEEK_DIR}"/var/lib/zkg/clones/package/spicy-plugin/build/plugin/bin/ && \
ln -s -r "${ZEEK_DIR}"/lib/zeek/plugins/packages/spicy-plugin/bin/spicyz \
"${ZEEK_DIR}"/var/lib/zkg/clones/package/spicy-plugin/build/plugin/bin/spicyz
mkdir -p "${ZEEK_DIR}"/var/lib/zkg/clones/package/spicy-plugin/plugin/lib/ && \
ln -s -r "${ZEEK_DIR}"/lib/zeek/plugins/packages/spicy-plugin/lib/bif \
"${ZEEK_DIR}"/var/lib/zkg/clones/package/spicy-plugin/plugin/lib/bif
cat << 'EOF' >> "${ZEEK_DIR}"/etc/zeekctl.cfg
# all interfaces using lb_method=custom should use AF_PACKET
lb_custom.InterfacePrefix=af_packet::
EOF
# set up default zeek local policy
cp -f /usr/local/etc/zeek/*.zeek /usr/local/etc/zeek/*.txt "${ZEEK_DIR}"/share/zeek/site/
# cleanup
cd /usr/local/src
tar czf zeek-$ZEEK_VER-hedgehog.tar.gz -C /opt zeek spicy
mv ./zeek-$ZEEK_VER-hedgehog.tar.gz /tmp/spicy-packages /tmp/zeek-packages /opt/hedgehog_install_artifacts/
rm -Rf zeek-$ZEEK_VER*
###
# yara
mkdir -p usr/local/src
cd /usr/local/src
curl -sSL "${YARA_URL}" | tar xzf - -C /usr/local/src/
cd "./yara-${YARA_VERSION}"
./bootstrap.sh
./configure --prefix=/usr --with-crypto --enable-magic --enable-cuckoo --enable-dotnet
make
#make install
checkinstall -y -D --strip=yes --stripso=yes --install=yes --fstrans=no --pkgname="yara" --pkgversion="$YARA_VERSION" --pkgarch="amd64" --pkgsource="$YARA_URL"
cp *.deb /opt/hedgehog_install_artifacts/
cd /tmp
rm -rf /usr/local/src/yara*
mkdir -p ./Neo23x0
curl -sSL "$YARA_RULES_URL" | tar xzvf - -C ./Neo23x0 --strip-components 1
mkdir -p "${YARA_RULES_DIR}"/custom
cp ./Neo23x0/yara/* ./Neo23x0/vendor/yara/* "${YARA_RULES_DIR}"/
cp ./Neo23x0/LICENSE "${YARA_RULES_DIR}"/_LICENSE
rm -rf /tmp/Neo23x0
cd "${YARA_RULES_DIR}"/..
tar czf yara-rules-hedgehog.tar.gz "$(basename "${YARA_RULES_DIR}")"
mv ./yara-rules-hedgehog.tar.gz /opt/hedgehog_install_artifacts/
###
# capa
cd /tmp
rm -rf /tmp/capa*
curl -fsSL -o ./capa.zip "${CAPA_URL}"
unzip ./capa.zip
chmod 755 ./capa
mkdir -p "${CAPA_DIR}"
mv ./capa "${CAPA_BIN}"
rm -rf /tmp/capa*
cp "${CAPA_BIN}" /opt/hedgehog_install_artifacts/
# update clamav signatures
freshclam --stdout --quiet --no-warnings
###
# tweak some dashboards for, then install filebeat/metricbeat/auditbeat/packetbeat
for BEAT in filebeat metricbeat auditbeat packetbeat; do
BEATS_URL="$(echo "$BEATS_DEB_URL_TEMPLATE" | sed "s/$BEATS_DEB_URL_TEMPLATE_REPLACER/$BEAT/g")"
BEATS_DEB="$BEAT-$BEATS_VER-amd64.deb"
BEATS_NEW_DEB="$BEAT-tweaked-$BEATS_VER-amd64.deb"
BEATS_TMP_DIR="$BEAT-deb"
pushd /tmp && \
curl -f -L -o "$BEATS_DEB" "$BEATS_URL" && \
dpkg-deb -x "$BEATS_DEB" "$BEATS_TMP_DIR" && \
dpkg-deb -e "$BEATS_DEB" "$BEATS_TMP_DIR/DEBIAN" && \
( [[ "$BEAT" == "metricbeat" ]] && sed -i -e "s@ |\\\\\\\n\[Containers overview\](#/dashboard/CPU-slash-Memory-per-container)@@g" "$BEATS_TMP_DIR"/usr/share/$BEAT/kibana/?/dashboard/* || true ) && \
pushd "$BEATS_TMP_DIR" && ( rm -f DEBIAN/md5sums && find . -type f ! -regex '.*.hg.*' ! -regex '.*?debian-binary.*' ! -regex '.*?DEBIAN.*' -print0 | xargs -l -0 md5sum >> DEBIAN/md5sums ) && popd && \
dpkg-deb -b "$BEATS_TMP_DIR" "$BEATS_NEW_DEB" && \
rm -rf "$BEATS_TMP_DIR" && \
dpkg -i "$BEATS_NEW_DEB" && \
cp "$BEATS_NEW_DEB" /opt/hedgehog_install_artifacts/ && \
rm -rf "$BEATS_TMP_DIR" "$BEATS_DEB" "$BEATS_NEW_DEB" && \
popd
done
# add symlinks to our custom dashboards
FILES=$(shopt -s nullglob dotglob; echo /usr/share/filebeat/kibana/7/dashboard-custom/*)
if (( ${#FILES} )) ; then
ln -s -r -f /usr/share/filebeat/kibana/7/dashboard-custom/* /usr/share/filebeat/kibana/7/dashboard/
fi
FILES=$(shopt -s nullglob dotglob; echo /usr/share/metricbeat/kibana/7/dashboard-custom/*)
if (( ${#FILES} )) ; then
ln -s -r -f /usr/share/metricbeat/kibana/7/dashboard-custom/* /usr/share/metricbeat/kibana/7/dashboard/
fi
FILES=$(shopt -s nullglob dotglob; echo /usr/share/auditbeat/kibana/7/dashboard-custom/*)
if (( ${#FILES} )) ; then
ln -s -r -f /usr/share/auditbeat/kibana/7/dashboard-custom/* /usr/share/auditbeat/kibana/7/dashboard/
fi
FILES=$(shopt -s nullglob dotglob; echo /usr/share/packetbeat/kibana/7/dashboard-custom/*)
if (( ${#FILES} )) ; then
ln -s -r -f /usr/share/packetbeat/kibana/7/dashboard-custom/* /usr/share/packetbeat/kibana/7/dashboard/
fi
###
# set up capabilities for network-related tools
chown root:netdev /usr/sbin/netsniff-ng && \
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip CAP_SYS_ADMIN+eip' /usr/sbin/netsniff-ng
chown root:netdev "${ZEEK_DIR}"/bin/zeek && \
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' "${ZEEK_DIR}"/bin/zeek
chown root:netdev /sbin/ethtool && \
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /sbin/ethtool
chown root:netdev "${ZEEK_DIR}"/bin/capstats && \
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' "${ZEEK_DIR}"/bin/capstats
chown root:netdev /usr/sbin/tcpdump && \
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/sbin/tcpdump
chown root:netdev /usr/share/auditbeat/bin/auditbeat && \
setcap 'CAP_AUDIT_READ+eip' /usr/share/auditbeat/bin/auditbeat
chown root:netdev /usr/share/packetbeat/bin/packetbeat && \
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/share/packetbeat/bin/packetbeat
chown root:netdev /opt/moloch/bin/moloch-capture && \
setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' /opt/moloch/bin/moloch-capture
ln -s -f "${ZEEK_DIR}"/bin/zeek /usr/local/bin/
ln -s -f /usr/sbin/netsniff-ng /usr/local/bin/
ln -s -f /usr/sbin/tcpdump /usr/local/bin/
ln -s -f /opt/moloch/bin/moloch-capture /usr/local/bin/
ln -s -f /opt/moloch/bin/npm /usr/local/bin
ln -s -f /opt/moloch/bin/node /usr/local/bin
ln -s -f /opt/moloch/bin/npx /usr/local/bin
###
# zeekctl won't like being run by a non-root user unless the whole stupid thing is owned by the non-root user.
# as such, we're going to reset zeek to a "clean" state after each reboot. the config files will get
# regenerated when we are about to deploy zeek itself.
# so, now make a complete backup of /opt/zeek as it's going to have its ownership changed during runtime
# TODO: check this with .deb install
rsync -a "${ZEEK_DIR}"/ "${ZEEK_DIR}".orig
# enable sensor init scripts
# run kiosk system process information daemon under systemd
if [ -f /opt/sensor/kiosk.service ]; then
mv /opt/sensor/kiosk.service /etc/systemd/system/
chown root:root /etc/systemd/system/kiosk.service
chmod 644 /etc/systemd/system/kiosk.service
systemctl daemon-reload
systemctl enable kiosk
fi
# run resource logging services as unprivileged user.
# supervisor is run via /etc/rc.local (vs. here with a @reboot directive)
# so as to work for both live-usb and installed versions
# (see 0900-setup-rc-local.hook.chroot)
if [ -d /opt/sensor/sensor_ctl/scripts ]; then
cat << 'EOF' >> /etc/cron.d/sensor_ctl
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
*/10 * * * * root /opt/sensor/sensor_ctl/scripts/log_temperature.sh
2 0 * * 0 root rm -f /var/lib/clamav/mirrors.dat
EOF
fi
###
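Review bot: `ZEEK_VER` is never defined (the variable set at the top of the hook is `ZEEK_VERSION`), so `tar czf zeek-$ZEEK_VER-hedgehog.tar.gz -C /opt zeek spicy` produces `zeek--hedgehog.tar.gz` and the following `rm -Rf zeek-$ZEEK_VER*` expands to `rm -Rf zeek-*` in `/usr/local/src`; use `${ZEEK_VERSION}` in all three lines. Just below, `mkdir -p usr/local/src` is missing its leading slash and creates the directory relative to the current working directory instead of `/usr/local/src`. In the capabilities block, `chown root:netdev` followed by `setcap '... CAP_SYS_ADMIN+eip' /usr/sbin/netsniff-ng` grants a root-equivalent capability to any user who can execute the file, because no `chmod 750` restricts execution to the netdev group; add `chmod 750` to each setcap'd binary (the same applies to zeek, tcpdump, ethtool, capstats, packetbeat, auditbeat and moloch-capture) and confirm netsniff-ng actually needs CAP_SYS_ADMIN. The YARA rules (`codeload.github.com/Neo23x0/signature-base/tar.gz/master`) and capa zip are also fetched without a pinned revision or checksum.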

View File

@@ -0,0 +1,14 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
# clone STIG-4-Debian, harbian-audit and debian-cis and clean up some stuff we don't need
mkdir -p /opt
git clone --depth 1 --recursive --single-branch https://github.com/hardenedlinux/STIG-4-Debian /opt/STIG-4-Debian
git clone --depth 1 --recursive --single-branch https://github.com/hardenedlinux/harbian-audit /opt/harbian-audit
git clone --depth 1 --recursive --single-branch https://github.com/ovh/debian-cis /opt/debian-cis
sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='/opt/harbian-audit'#" /opt/harbian-audit/debian/default.cfg
sed -i "s#CIS_ROOT_DIR=.*#CIS_ROOT_DIR='/opt/debian-cis'#" /opt/debian-cis/debian/default
# cp /opt/harbian-audit/debian/default.cfg /etc/default/cis-hardening
# cp /opt/debian-cis/debian/default /etc/default/cis-hardening
rm -rf /opt/STIG-4-Debian/.git /opt/harbian-audit/.git /opt/debian-cis/.git
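Review bot: the three `git clone --depth 1 --recursive --single-branch` calls track each project's default branch with no tag or commit pinned, and `.git` is removed afterward, so the image ships audit tooling whose exact revision cannot be determined later. Pin with `--branch <tag>` or check out a known commit, and write `git rev-parse HEAD` for each clone to a version file before the `rm -rf ... .git`; the two commented-out `cp ... /etc/default/cis-hardening` lines should either be enabled or deleted with a note on why the configs are not installed.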

View File

@@ -0,0 +1,65 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
# remove development packages not necessary for building dynamic Zeek plugins
apt-get -y --purge remove \
checkinstall \
gdb \
libc6-dbg \
ninja-build \
$(dpkg --get-selections | grep -Pv "(^(dpkg|libclang|libfl|libgcc|libmaxminddb|libpcap|libssl|libyaml|llvm|zlib1g)|deinstall$)" | cut -f1 | grep -P -- '-dev(:\w+)?$') || true
rm -rf /var/spool/ccache
# remove unwanted packages
apt-get -y --purge remove bluez-firmware \
cracklib-runtime \
deluge \
enchant \
ffmpeg \
gnome-accessibility-themes \
gucharmap \
libasound2-plugins \
libcupsfilters1 \
libcupsimage2 \
libgphoto2-6 \
libgphoto2-port12 \
libx264* \
libx265* \
lintian \
lxmusic \
mailutils \
mpv \
pavucontrol \
poppler-data \
prelink \
pulseaudio \
python-wicd \
smplayer \
strace \
wamerican \
wicd \
wicd-daemon \
wicd-gtk \
xdg-user-dirs \
yelp \
youtube-dl || true
apt-get -y autoremove
apt-get clean
# remove any residual configs
dpkg -l | awk '/^rc/ { print $2 }' | xargs -r -l dpkg --purge
# disable automatic running of some services (but don't abort if we fail)
systemctl disable supervisor.service || true
systemctl disable systemd-timesyncd.service || true
systemctl disable ctrl-alt-del.target || true
systemctl disable hddtemp.service || true
systemctl disable apt-daily.service || true
systemctl disable apt-daily.timer || true
systemctl disable apt-daily-upgrade.timer || true
systemctl disable apt-daily-upgrade.service || true
systemctl disable clamav-daemon.service || true
systemctl disable clamav-freshclam.service || true
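Review bot: `|| true` on both `apt-get -y --purge remove` invocations masks every failure, including a dependency-resolution error or a held package, so development packages can remain in the image without the build noticing; at minimum follow the removal with a post-check such as `dpkg -l | grep -P -- '-dev(:\w+)?$'` that fails the hook if anything other than the allow-listed libraries is still present. `libx264*` and `libx265*` are unquoted globs that the shell expands against the current directory before apt sees them; quote them. The `grep -Pv "(^(dpkg|libclang|libfl|...)"` exclusion is the only thing keeping `libpcap`, `libssl` and the other `-dev` packages needed for later Zeek plugin builds, so a comment naming why each is kept would help maintenance.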

View File

@@ -0,0 +1,151 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
# configure firewall
sed -i "s/LOGLEVEL=.*/LOGLEVEL=off/" /etc/ufw/ufw.conf
/usr/sbin/ufw --force enable
/usr/sbin/ufw default deny incoming
/usr/sbin/ufw default allow outgoing
UFW_ALLOW_RULES=(
ntp
ssh
)
for i in ${UFW_ALLOW_RULES[@]}; do
ufw allow "$i"
done
# performance parameters for networking, disk, etc.
cat << 'EOF' >> /etc/sysctl.conf
# don't restrict dmesg to root
kernel.dmesg_restrict=0
# the maximum number of open file handles
fs.file-max=2097152
# increase maximums for inotify watches
fs.inotify.max_user_watches=131072
fs.inotify.max_queued_events=131072
fs.inotify.max_user_instances=512
# the maximum number of memory map areas a process may have
vm.max_map_count=262144
# decrease "swappiness" (swapping out runtime memory vs. dropping pages)
vm.swappiness=1
# the % of system memory fillable with "dirty" pages before flushing
vm.dirty_background_ratio=40
# maximum % of dirty system memory before committing everything
vm.dirty_ratio=80
net.core.netdev_max_backlog=250000
net.core.optmem_max=33554432
net.core.rmem_default=425984
net.core.rmem_max=33554432
net.core.somaxconn=65535
net.core.wmem_default=425984
net.core.wmem_max=33554432
net.ipv4.tcp_rmem=10240 425984 33554432
net.ipv4.tcp_wmem=10240 425984 33554432
net.ipv4.udp_mem=10240 425984 33554432
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.ip_forward=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1
EOF
# password requirement hardening
sed -i -e 's/[[:space:]]*nullok[[:alnum:]_]*//g' /etc/pam.d/common-auth
sed -i -r "s/(pam_faildelay.so.*delay)[[:space:]]*=[[:space:]]*[[:digit:]]+/\1=4000000/g" /etc/pam.d/login
sed -i -r "s/([[:space:]]*session[[:space:]]*)[[:alnum:]_]*([[:space:]]*pam_lastlog.so[[:space:]]*)/\1required\2\tshowfailed/g" /etc/pam.d/login
sed -i "s/^[[:space:]]*password[[:space:]]*requisite[[:space:]]*pam_pwquality\.so.*/password requisite pam_pwquality.so retry=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=8 minclass=4 maxrepeat=2 maxclassrepeat=4 minlen=15/g" /etc/pam.d/common-password
# enable cryptsetup support on boot
sed -i "s/#CRYPTSETUP=.*/CRYPTSETUP=y/" /etc/cryptsetup-initramfs/conf-hook
# enable guests to mount vmware/etc. fuse-based mounts with allow_other
sed -i "s/#user_allow_other.*/user_allow_other/" /etc/fuse.conf
# some permissions
find /etc/audit -type d -exec chmod 750 "{}" \;
find /etc/audit -type f -exec chmod 640 "{}" \;
chmod 600 /etc/ssh/sshd_config
# set DIR_MODE to 750 for new users
sed -i "s/^DIR_MODE=.*/DIR_MODE=0750/" /etc/adduser.conf
# new directories default to 750, new files to 640
echo -e "\n\n# new directories default to 700, new files to 600" >> /etc/profile
echo "umask 077" >> /etc/profile
echo "export UMASK=077" >> /etc/profile
# enable cron logging
sed -r -i "s@^#(cron\.\*\s+.*/var/log/cron\.log)@\1@" /etc/rsyslog.conf
# enable rsyslog forwarding to localhost:9514 over UDP (for filebeat syslog input)
echo >> /etc/rsyslog.conf
echo '*.* @127.0.0.1:9514' >> /etc/rsyslog.conf
echo >> /etc/rsyslog.conf
# put sudoers log into its own logfile
awk 'FNR==NR{ if (/^Defaults/) p=NR; next} 1; FNR==p{ print "Defaults\t!syslog\nDefaults\tlogfile=/var/log/sudo.log" }' /etc/sudoers /etc/sudoers > /tmp/newsudoers
mv /tmp/newsudoers /etc/sudoers && chmod 440 /etc/sudoers
cat << 'EOF' > /etc/logrotate.d/sudoers
/var/log/sudo.log
{
weekly
missingok
rotate 4
compress
delaycompress
copytruncate
minsize 100k
}
EOF
# tweak some auditd settings
sed -r -i "s/((disk_full_action|disk_error_action)\s*=\s*).*/\1 SYSLOG/" /etc/audit/auditd.conf
sed -r -i "s/(network_failure_action\s*=\s*).*/\1 syslog/" /etc/audisp/audisp-remote.conf
# tweak some apparmor settings (allow clamd to scan)
[[ -e /etc/apparmor.d/local/usr.sbin.clamd ]] && ln -srf /etc/apparmor.d/local/usr.sbin.clamd /etc/apparmor.d/disable/
# disable ntp for now, and disable servers, but it could be turned back on later
systemctl disable ntp || true
sed -i "s/^\(pool \)/# \1/" /etc/ntp.conf
sed -i "s/^\(restrict -6\)/# \1/" /etc/ntp.conf
sed -i "s/^\(restrict ::1\)/# \1/" /etc/ntp.conf
sed -r -i "s/^(NTPD_OPTS=).*/\1'-4 -g'/" /etc/default/ntp
usermod -d /var/lib/ntp ntp
# disable htpdate service, we're going to use cron instead
systemctl disable htpdate || true
sed -i "s/#[[:space:]]*HTP_IFUP=.*/HTP_IFUP=no/" /etc/default/htpdate
sed -i "s/#[[:space:]]*HTP_DAEMON=.*/HTP_DAEMON=no/" /etc/default/htpdate
# remove identifying operating system information
truncate -s 0 /etc/motd
sed -i "s/Debian/Hedgehog/g" /etc/issue
sed -i "s/Debian/Hedgehog/g" /etc/issue.net
# set up /etc/os-release information (override values in /etc/os-release with custom values)
if [[ -f /opt/sensor/.os-info ]]; then
awk '
BEGIN {FS = OFS = "="}
{v1[$1] = $2}
END {for (key in v1) {print key, v1[key]}}
' /etc/os-release /opt/sensor/.os-info | sort | sponge /etc/os-release
fi
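Review bot: `UFW_ALLOW_RULES` opens inbound `ntp` (123/udp) while the same script disables ntpd (`systemctl disable ntp`) and comments out its `pool` and `restrict` lines, so the rule is either dead or, once ntpd is re-enabled later with `-4 -g`, exposes an NTP service on the capture appliance; drop `ntp` from the allow list unless serving time to other hosts is intended. Three smaller points: `kernel.dmesg_restrict=0` deliberately undoes a hardening default (unprivileged users can read kernel addresses and boot details from dmesg) but sits under a "performance parameters" comment, so it should be called out as intentional; the awk-rewritten sudoers is moved into place without `visudo -c -f /tmp/newsudoers`, so a malformed result would lock out sudo entirely; and the comment "new directories default to 750, new files to 640" contradicts the `umask 077` written just below it (700/600), and a umask set only in /etc/profile applies to login shells, so `UMASK` in /etc/login.defs or pam_umask is what covers cron, ssh non-interactive commands and services.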
@@ -0,0 +1,6 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
sed -i 's/^#autologin-user=.*/autologin-user=sensor/' /etc/lightdm/lightdm.conf
sed -i 's/^#autologin-user-timeout=.*/autologin-user-timeout=0/' /etc/lightdm/lightdm.conf
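Review bot: both `sed` expressions anchor on the commented-out `#autologin-user=` / `#autologin-user-timeout=` lines, so if lightdm.conf already carries uncommented values the edit is a silent no-op and the build continues with whatever was there; match `^#\?autologin-user=` or follow with `grep -q '^autologin-user=sensor' /etc/lightdm/lightdm.conf || exit 1`. The setting itself deserves a comment: with `autologin-user-timeout=0`, anyone with console access gets the `sensor` session without a password, which is only acceptable if that session is locked down to the kiosk and cannot reach a shell.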
@@ -0,0 +1,57 @@
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
set default=0
set timeout=-1
loadfont $prefix/dejavu-bold-16.pf2
loadfont $prefix/dejavu-bold-14.pf2
loadfont $prefix/unicode.pf2
set gfxmode=auto
insmod all_video
insmod gfxterm
set color_normal=cyan/black
set color_highlight=yellow/black
set menu_color_normal=black/light-gray
set menu_color_highlight=yellow/dark-gray
terminal_output gfxterm
insmod play
play 960 440 1 0 4 440 1
menuentry "Live system" {
linux /live/vmlinuz boot=live components username=sensor nosplash random.trust_cpu=on elevator=deadline cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem
initrd /live/initrd.img
}
menuentry "Live system (fully in RAM)" {
linux /live/vmlinuz boot=live toram components username=sensor nosplash random.trust_cpu=on elevator=deadline cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem
initrd /live/initrd.img
}
menuentry "Install Hedgehog Linux (quick install)" {
linux /install/vmlinuz preseed/file=/cdrom/install/preseed_multipar.cfg auto=true priority=critical vga=normal locales=en_US.UTF-8 keyboard-layouts=us
initrd /install/initrd.gz
}
menuentry "Install Hedgehog Linux (encrypted quick install)" {
linux /install/vmlinuz preseed/file=/cdrom/install/preseed_multipar_crypto.cfg auto=true priority=critical vga=normal locales=en_US.UTF-8 keyboard-layouts=us
initrd /install/initrd.gz
}
menuentry "Install Hedgehog Linux (advanced configuration)" {
linux /install/vmlinuz preseed/file=/cdrom/install/preseed_minimal.cfg auto=true priority=high vga=normal
initrd /install/initrd.gz
}
menuentry "Install Hedgehog Linux (virtual machine single partition quick install)" {
linux /install/vmlinuz preseed/file=/cdrom/install/preseed_vmware.cfg auto=true priority=critical vga=normal locales=en_US.UTF-8 keyboard-layouts=us
initrd /install/initrd.gz
}
menuentry "Rescue system in text mode" {
linux /install/vmlinuz rescue/enable=true vga=normal
initrd /install/initrd.gz
}
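Review bot: every `linux` line passes `random.trust_cpu=on`, which credits the CPU's hardware RNG (RDRAND/RDSEED) as entropy during early boot; that avoids getrandom() blocking on a headless appliance at the cost of trusting the CPU vendor's RNG, and a one-line comment stating that trade-off would keep it from being treated as a stray performance flag. Minor: `set timeout=-1` means an unattended reboot from the ISO waits forever at the menu, and `elevator=deadline` is ignored for blk-mq devices (the multi-queue schedulers are `mq-deadline`/`none`), so on current kernels it has no effect.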
@@ -0,0 +1,63 @@
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
d-i netcfg/enable boolean false
d-i netcfg/choose_interface select auto
d-i netcfg/disable_autoconfig boolean true
d-i netcfg/get_hostname string unassigned-hostname
d-i netcfg/get_domain string unassigned-domain
d-i netcfg/get_ipaddress string 192.168.17.76
d-i netcfg/get_netmask string 255.255.255.0
d-i netcfg/get_gateway string 192.168.17.1
d-i netcfg/get_nameservers string 192.168.17.1
d-i netcfg/confirm_static boolean true
d-i hw-detect/load_firmware boolean true
d-i clock-setup/utc boolean true
d-i time/zone string Universal
d-i clock-setup/ntp boolean false
d-i clock-setup/ntp-server string 0.debian.pool.ntp.org
d-i popularity-contest/participate boolean false
localepurge localepurge/dontbothernew boolean false
localepurge localepurge/mandelete boolean true
localepurge localepurge/none_selected boolean false
localepurge localepurge/nopurge multiselect en, en_US, en_us.UTF-8, C.UTF-8
localepurge localepurge/quickndirtycalc boolean true
localepurge localepurge/remove_no note
localepurge localepurge/showfreedspace boolean false
localepurge localepurge/use-dpkg-feature boolean false
localepurge localepurge/verbose boolean false
d-i passwd/username string sensor
d-i passwd/user-fullname string sensor
d-i passwd/user-default-groups string audio cdrom video netdev plugdev vboxsf
d-i passwd/root-login boolean true
# crypted passwords via: mkpasswd -m sha-512 -S $(pwgen -ns 16 1) <password>
# uncomment to preseed passwords; otherwise installer will prompt
# d-i passwd/user-password-crypted password $6$FmMaqNyrr4TFmnJA$I2AViJlyJnRRq6G2omVVUIbvhfMGzS7iXxiexrzvMAtl5sE/kCzdKhWHTfQI2eh.HNTr5EY8gl/eGY2fwOa2u/
# d-i passwd/root-password-crypted password $6$IdgQYj2LVNUML3O1$sW2W75vVk4K4c1XAjqfrswL7GlhXWCW3jf5MVzMYAloY/soCpctkzQLKy0TXo4IS8bvGw4SJH5yZG1ZpHmRVB1
d-i apt-setup/use_mirror boolean false
d-i finish-install/reboot_in_progress note
d-i preseed/late_command string \
echo 'deb http://deb.debian.org/debian buster main contrib non-free' > /target/etc/apt/sources.list; \
echo 'deb http://security.debian.org/debian-security buster/updates main' >> /target/etc/apt/sources.list; \
echo 'deb http://deb.debian.org/debian buster-updates main contrib non-free' >> /target/etc/apt/sources.list; \
echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' >> /target/etc/apt/sources.list; \
in-target touch /etc/capture_storage_format; \
in-target bash /usr/local/bin/sensor-init.sh; \
in-target bash -c "(dmidecode -s system-product-name | grep -q VMware) || apt-get purge -y open-vm-tools-desktop"; \
in-target bash -c "(dmidecode -s system-product-name | grep -q VirtualBox) || apt-get purge -y virtualbox-guest*"; \
in-target sed -r -i 's@(^.+\s+/(tmp|var/tmp)\s+ext4\s+.*defaults)@\1,nosuid,nodev,noexec@g' /etc/fstab; \
in-target sed -r -i 's@(^.+/media/cdrom[0-9]*.+)(noauto)(.*)@\1\2,nosuid,nodev,noexec\3@g' /etc/fstab; \
in-target sed -r -i 's@(^.+\s+/(home)\s+ext4\s+.*defaults)@\1,nosuid,nodev@g' /etc/fstab; \
in-target bash -c "( echo '\EFI\debian\grubx64.efi' > /boot/efi/startup.nsh ) || true"; \
in-target sed -i 's#^\(GRUB_CMDLINE_LINUX_DEFAULT="quiet\)"$#\1 random.trust_cpu=on elevator=deadline cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem apparmor=1 security=apparmor ipv6.disable=1 audit=1"#' /etc/default/grub; \
in-target sed -i 's#^\(GRUB_CMDLINE_LINUX="\)"$#\1apparmor=1 security=apparmor audit=1"#' /etc/default/grub; \
in-target sed -i 's#^\(GRUB_DISTRIBUTOR=\).*$#\1"Hedgehog"#' /etc/default/grub; \
in-target cp /usr/share/images/desktop-base/hedgehog-wallpaper-plain.png /boot/grub; \
in-target bash /usr/local/bin/preseed_late_user_config.sh; \
in-target grub-mkconfig -o /boot/grub/grub.cfg;
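Review bot: the two `sed -i` edits of /etc/default/grub in late_command only match `GRUB_CMDLINE_LINUX_DEFAULT="quiet"` and `GRUB_CMDLINE_LINUX=""` verbatim; if the installer writes anything else they change nothing and the install completes without `apparmor=1 security=apparmor audit=1 ipv6.disable=1`, with no error. Either append to the variables from a drop-in (`/etc/default/grub.d/hedgehog.cfg`) or add `in-target grep -q 'security=apparmor' /etc/default/grub` before `grub-mkconfig` so a miss is visible. Also: with `netcfg/enable boolean false` the `get_ipaddress`/`get_netmask`/`get_gateway`/`get_nameservers` values (192.168.17.76 etc.) are never applied, and with `clock-setup/ntp boolean false` the `ntp-server` line is dead too; comment them out so readers don't assume that address is configured. The fstab hardening covers /tmp, /var/tmp, /home and the cdrom, but /var/log and /var/log/audit (separate volumes in the multi-partition recipe) could take `nosuid,nodev,noexec` as well, and /dev/shm has no fstab entry at all.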
@@ -0,0 +1,161 @@
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
d-i debian-installer/locale string en_US.UTF-8
d-i console-setup/ask_detect boolean false
d-i keyboard-configuration/xkb-keymap skip-config
d-i keyboard-configuration/layout string "American English"
d-i preseed/include string preseed_base.cfg
###################################################################################################
# install root filesystem on smallest non-USB disk
d-i partman/early_command string \
ROOT_DISK=$(sh /preseed_partman_determine_disk.sh); \
pvremove -ff -y "$ROOT_DISK"*; \
debconf-set partman-auto/disk "$ROOT_DISK"; \
debconf-set grub-installer/bootdev "$ROOT_DISK"; \
sed -i.bak 's/-f $id\/skip_erase/-d $id/g' /lib/partman/lib/crypto-base.sh;
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
d-i partman-auto/method string lvm
d-i partman-auto-lvm/new_vg_name string main
d-i partman-auto-lvm/guided_size string max
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-md/confirm boolean true
d-i partman-md/confirm_nooverwrite boolean true
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
d-i partman-basicmethods/method_only boolean false
d-i partman-efi/non_efi_system boolean true
d-i partman-basicfilesystems/choose_label string gpt
d-i partman-basicfilesystems/default_label string gpt
d-i partman-partitioning/choose_label string gpt
d-i partman-partitioning/default_label string gpt
d-i partman/choose_label string gpt
d-i partman/default_label string gpt
d-i partman/mount_style select uuid
d-i partman-auto/choose_recipe select custom
d-i partman-auto/expert_recipe string \
custom :: \
1 1 1 free \
$bios_boot{ } \
method{ biosgrub } \
. \
256 256 256 fat32 \
$primary{ } \
$iflabel{ gpt } \
$reusemethod{ } \
method{ efi } format{ } \
mountpoint{ /boot/efi } \
. \
1024 1024 1024 ext4 \
$primary{ } \
$bootable{ } \
method{ format } \
format{ } \
use_filesystem{ } \
filesystem{ ext4 } \
mountpoint{ /boot } \
. \
8192 8241 16384 linux-swap \
$defaultignore{ } \
$lvmok{ } \
in_vg { main } lv_name{ swap } \
method{ swap } \
format{ } \
. \
12000 16000 24000 ext4 \
$defaultignore{ } \
$lvmok{ } \
in_vg { main } lv_name{ root } \
method{ format } \
format{ } \
use_filesystem{ } \
filesystem{ ext4 } \
mountpoint{ / } \
. \
4000 8000 12000 ext4 \
$defaultignore{ } \
$lvmok{ } \
in_vg { main } lv_name{ var } \
method{ format } \
format{ } \
use_filesystem{ } \
filesystem{ ext4 } \
mountpoint{ /var } \
. \
2000 4000 6000 ext4 \
$defaultignore{ } \
$lvmok{ } \
in_vg { main } lv_name{ varlog } \
method{ format } \
format{ } \
use_filesystem{ } \
filesystem{ ext4 } \
mountpoint{ /var/log } \
. \
2000 4000 6000 ext4 \
$defaultignore{ } \
$lvmok{ } \
in_vg { main } lv_name{ varlogaudit } \
method{ format } \
format{ } \
use_filesystem{ } \
filesystem{ ext4 } \
mountpoint{ /var/log/audit } \
. \
2000 4000 6000 ext4 \
$defaultignore{ } \
$lvmok{ } \
in_vg { main } lv_name{ vartmp } \
method{ format } \
format{ } \
use_filesystem{ } \
filesystem{ ext4 } \
mountpoint{ /var/tmp } \
. \
2000 4000 6000 ext4 \
$defaultignore{ } \
$lvmok{ } \
in_vg { main } lv_name{ tmp } \
method{ format } \
format{ } \
use_filesystem{ } \
filesystem{ ext4 } \
mountpoint{ /tmp } \
. \
4000 8000 12000 ext4 \
$defaultignore{ } \
$lvmok{ } \
in_vg { main } lv_name{ opt } \
method{ format } \
format{ } \
use_filesystem{ } \
filesystem{ ext4 } \
mountpoint{ /opt } \
. \
6000 8000 1000000000 ext4 \
$defaultignore{ } \
$lvmok{ } \
in_vg { main } lv_name{ home } \
method{ format } \
format{ } \
use_filesystem{ } \
filesystem{ ext4 } \
mountpoint{ /home } \
.
###################################################################################################
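Review bot: `ROOT_DISK=$(sh /preseed_partman_determine_disk.sh)` is used unchecked in `partman/early_command`; if the helper prints nothing, `pvremove -ff -y ""*` globs whatever is in the installer's working directory and `debconf-set partman-auto/disk ""` leaves partman to choose a disk itself, in a script whose whole purpose is to decide which disk gets wiped. Guard it with `[ -n "$ROOT_DISK" ] && [ -b "$ROOT_DISK" ] || exit 1` before the `pvremove`. Separately, the `sed` on `/lib/partman/lib/crypto-base.sh` rewrites the `skip_erase` test so the pre-encryption wipe is always skipped; that is a no-op in this unencrypted recipe, but if the same early_command is shared with the encrypted recipe named in the boot menu (preseed_multipar_crypto.cfg), skipping the erase leaves previous plaintext recoverable on the disk outside the new LUKS container, and that trade-off (install time vs. residual data) should be stated in a comment.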
@@ -0,0 +1,91 @@
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
d-i debian-installer/locale string en_US.UTF-8
d-i console-setup/ask_detect boolean false
d-i keyboard-configuration/xkb-keymap skip-config
d-i keyboard-configuration/layout string "American English"
d-i preseed/include string preseed_base.cfg
###################################################################################################
# install root filesystem on smallest non-USB disk
d-i partman/early_command string \
ROOT_DISK=$(sh /preseed_partman_determine_disk.sh); \
pvremove -ff -y "$ROOT_DISK"*; \
debconf-set partman-auto/disk "$ROOT_DISK"; \
debconf-set grub-installer/bootdev "$ROOT_DISK"; \
sed -i.bak 's/-f $id\/skip_erase/-d $id/g' /lib/partman/lib/crypto-base.sh;
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
d-i partman-auto/method string lvm
d-i partman-auto-lvm/new_vg_name string main
d-i partman-auto-lvm/guided_size string max
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-md/confirm boolean true
d-i partman-md/confirm_nooverwrite boolean true
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
d-i partman-basicmethods/method_only boolean false
d-i partman-efi/non_efi_system boolean true
d-i partman-basicfilesystems/choose_label string gpt
d-i partman-basicfilesystems/default_label string gpt
d-i partman-partitioning/choose_label string gpt
d-i partman-partitioning/default_label string gpt
d-i partman/choose_label string gpt
d-i partman/default_label string gpt
d-i partman/mount_style select uuid
d-i partman-auto/choose_recipe select custom
d-i partman-auto/expert_recipe string \
custom :: \
1 1 1 free \
$bios_boot{ } \
method{ biosgrub } \
. \
256 256 256 fat32 \
$primary{ } \
$iflabel{ gpt } \
$reusemethod{ } \
method{ efi } format{ } \
mountpoint{ /boot/efi } \
. \
1024 1024 1024 ext4 \
$primary{ } \
$bootable{ } \
method{ format } \
format{ } \
use_filesystem{ } \
filesystem{ ext4 } \
mountpoint{ /boot } \
. \
8192 8241 16384 linux-swap \
$defaultignore{ } \
$lvmok{ } \
in_vg { main } lv_name{ swap } \
method{ swap } \
format{ } \
. \
12000 16000 1000000000 ext4 \
$defaultignore{ } \
$lvmok{ } \
in_vg { main } lv_name{ root } \
method{ format } \
format{ } \
use_filesystem{ } \
filesystem{ ext4 } \
mountpoint{ / } \
.
###################################################################################################
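Review bot: with this recipe everything but /boot and /boot/efi lives on the single `root` LV, so the fstab hardening in preseed_base.cfg (which only matches separate `/tmp`, `/var/tmp` and `/home` entries) never fires, and on VM installs /tmp and /var/tmp end up world-writable without `nosuid,nodev,noexec`; add a tmpfs line for /tmp here (or enable `tmp.mount`) so the two layouts get the same mount options. Also, the early_command and partman settings are a verbatim copy of the multi-partition recipe; moving the shared part into the included preseed_base.cfg would keep the two from drifting (the `pvremove` guard issue applies here unchanged).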
@@ -0,0 +1,34 @@
label live
menu label ^Live system
kernel /live/vmlinuz
append boot=live components username=sensor nosplash random.trust_cpu=on elevator=deadline cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem initrd=/live/initrd.img --
label liveram
menu label ^Live system (fully in RAM)
kernel /live/vmlinuz
append boot=live toram components username=sensor nosplash random.trust_cpu=on elevator=deadline cgroup_enable=memory swapaccount=1 cgroup.memory=nokmem initrd=/live/initrd.img --
label install
menu label ^Install Hedgehog Linux (quick install)
kernel /install/vmlinuz
append file=/preseed_multipar.cfg initrd=/install/initrd.gz auto=true priority=critical locales=en_US.UTF-8 keyboard-layouts=us --
label installenc
menu label ^Install Hedgehog Linux (encrypted quick install)
kernel /install/vmlinuz
append file=/preseed_multipar_crypto.cfg initrd=/install/initrd.gz auto=true priority=critical locales=en_US.UTF-8 keyboard-layouts=us --
label installadv
menu label ^Install Hedgehog Linux (advanced configuration)
kernel /install/vmlinuz
append file=/preseed_minimal.cfg initrd=/install/initrd.gz auto=true priority=high --
label installvm
menu label ^Install Hedgehog Linux (virtual machine single partition quick install)
kernel /install/vmlinuz
append file=/preseed_vmware.cfg initrd=/install/initrd.gz auto=true priority=critical locales=en_US.UTF-8 keyboard-layouts=us --
label rescue
menu label ^Rescue system in text mode
kernel /install/vmlinuz
append rescue/enable=true initrd=/install/initrd.gz --
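Review bot: the BIOS (isolinux) install entries load the preseed with `file=/preseed_multipar.cfg`, i.e. from the root of the installer initrd, while the EFI grub.cfg loads `preseed/file=/cdrom/install/preseed_multipar.cfg` from the ISO filesystem; the two boot paths only behave identically if the build copies the same files into both places, otherwise a BIOS install could silently use a stale preseed. Pick one location and reference it from both configs. The grub entries also pass `vga=normal`, which these lack; the difference is cosmetic but worth aligning.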
@@ -0,0 +1,146 @@
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determine how long to wait in burst of events
--backlog_wait_time 0
## Set failure mode to syslog
-f 1
# exclusions
-a always,exclude -F msgtype=AVC
-a always,exclude -F msgtype=CRYPTO_KEY_USER
-a always,exclude -F msgtype=CWD
-a always,exclude -F msgtype=EOE
# commands
-a always,exit -F path=/bin/fusermount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/pmount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/pumount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/etc/audisp/audisp-remote.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/audit/auditd.conf -F perm=wa -k config_file_change
-a always,exit -F path=/etc/default/grub -F perm=wa -k config_file_change
-a always,exit -F path=/etc/fstab -F perm=wa -k config_file_change
-a always,exit -F path=/etc/hosts.deny -F perm=wa -k config_file_change
-a always,exit -F path=/etc/login.defs -F perm=wa -k config_file_change
-a always,exit -F path=/etc/profile -F perm=wa -k config_file_change
-a always,exit -F path=/etc/sysctl.conf -F perm=wa -k config_file_change
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k MAC-policy
-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update
-a always,exit -F path=/usr/bin/bsd-write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron
-a always,exit -F path=/usr/bin/dotlock.mailutils -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/fusermount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/ntfs-3g -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/pmount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/pumount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/dbus-1.0/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/eject/dmcrypt-get-device -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh
-a always,exit -F path=/usr/lib/policykit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/x86_64-linux-gnu/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/xorg/Xorg.wrap -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/addgroup -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/adduser -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/exim4 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/groupadd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/mount.cifs -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/netfilter-persistent -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_persistent_use
-a always,exit -F path=/usr/sbin/nft -F perm=x -F auid>=1000 -F auid!=4294967295 -k nft_cmd_use
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/useradd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod
-a always,exit -F path=/usr/sbin/visudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
# privileged files
-w /bin/kmod -p x -k modules
-w /etc/apparmor.d/ -p wa -k MAC-policy
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/hosts -p wa -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/localtime -p wa -k time-change
-w /etc/network -p wa -k system-locale
-w /etc/nftables.conf -p wa -k nft_config_file_change
-w /etc/opasswd -p wa -k usergroup_modification
-w /etc/passwd -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/sudoers.d/ -p wa -k sudoers
-w /sbin/insmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /var/log/btmp -p wa -k session
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/sudo.log -p wa -k sudoaction
-w /var/log/tallylog -p wa -k logins
-w /var/log/wtmp -p wa -k session
-w /var/run/faillock -p wa -k logins
-w /var/run/utmp -p wa -k session
# syscalls
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S execve -C gid!=egid -F key=execpriv
-a always,exit -F arch=b64 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=b64 -S init_module -S delete_module -S create_module -S finit_module -k modules
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F dir=/etc/audit/rules.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/pam.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/profile.d/ -F perm=wa -k config_file_change
-a always,exit -F dir=/etc/security/ -F perm=wa -k config_file_change
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
# Make the configuration immutable -- reboot is required to change audit rules
-e 2
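Review bot: every syscall rule is `-F arch=b64` only, so on an x86_64 kernel with 32-bit compat enabled the same operations issued through the ia32 ABI (chmod/chown, execve, mount, unlink/rename, module loading, time changes) leave no audit record; either add `-F arch=b32` twins for each rule or add `-a always,exit -F arch=b32 -S all -k 32bit_api` so any 32-bit syscall is logged and flagged. Smaller points: the second `/usr/bin/chfn` rule uses `auid>=500` where every other rule uses 1000 (and duplicates the line above it); `-a exit,always` on the `sethostname` rule is the reversed form of `-a always,exit` used everywhere else; `-w /etc/opasswd` watches a path Debian does not use (the real one, `/etc/security/opasswd`, is already watched below); and excluding `msgtype=CWD` drops the record needed to resolve relative paths in PATH records, which makes the `delete` and `perm_mod` events harder to interpret.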
@@ -0,0 +1,33 @@
# some more ls aliases
# sensor
alias configure-interfaces="su -l -c /usr/local/bin/configure-interfaces.py"
alias configure-capture="/usr/local/bin/configure-capture.py"
#safety
alias mv='mv -i'
alias rm='rm -I -v'
alias cp='cp -i'
alias chmod='chmod --preserve-root'
alias chown='chown --preserve-root'
#convenience
alias ls="ls --block-size=\"'1\" --color=auto --group-directories-first"
alias la='ls -A'
alias l='ls -oah'
alias ll='ls -l --si --color=auto --group-directories-first'
alias lt='ls -ltr'
alias lld='ls -lUd */'
alias lsize='ls -lSrh'
alias df='df -Th'
alias ln='ln -s'
alias ..='cd ..'
alias cd..='cd ..'
alias cd-='cd -'
alias cdp='cd -P'
alias dump='hexdump -C'
alias findbroken='find . -type l ! -exec test -r {} \; -print'
alias utime='date +%s'
alias dutop='du -csh ./* 2>/dev/null | sort -rh'
alias mountcol='mount | column -t'
alias dmesg='dmesg -wHx'
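Review bot: `alias ln='ln -s'` silently changes the meaning of every interactive `ln` (a hard link becomes a symlink, and a relative target is then resolved relative to the link's directory rather than the cwd), which is exactly the kind of surprise that breaks a documented `ln` command pasted into the console; drop it or give it a distinct name. Likewise `alias dmesg='dmesg -wHx'` turns `dmesg` into follow mode, so `dmesg | grep ...` never returns. The opening comment "# some more ls aliases" sits above the sensor aliases and belongs above the `ls` block, and the `configure-interfaces` alias runs its script as root via `su -l -c`, which deserves a comment since it is the privilege boundary of the sensor account.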
@@ -0,0 +1,384 @@
########################################################################
# text processing
########################################################################
function cols () {
first="awk '{print "
last="}'"
cmd="${first}"
commatime=""
for var in "$@"
do
if [ -z $commatime ]
then
commatime="no"
cmd=${cmd}\$${var}
else
cmd=${cmd}\,\$${var}
fi
done
cmd="${cmd}${last}"
eval $cmd
}
function headtail () {
awk -v offset="$1" '{ if (NR <= offset) print; else { a[NR] = $0; delete a[NR-offset] } } END { { print "--------------------------------" } for (i=NR-offset+1; i<=NR; i++) print a[i] }' ;
}
function wait_file() {
local file="$1"; shift
local wait_seconds="${1:-10}"; shift # 10 seconds as default timeout
until test $((wait_seconds--)) -eq 0 -o -f "$file" ; do sleep 1; done
((++wait_seconds))
}
function taildiff () {
LEFT_FILE=$1
RIGHT_FILE=$2
RIGHT_LINES=$(wc -l "$RIGHT_FILE" | cut -d ' ' -f1)
diff -bwBy --suppress-common-lines <(head -n $RIGHT_LINES "$LEFT_FILE") <(head -n $RIGHT_LINES "$RIGHT_FILE")
}
function fs() {
if du -b /dev/null > /dev/null 2>&1; then
local arg=-sbh;
else
local arg=-sh;
fi
if [[ -n "$@" ]]; then
du $arg -- "$@";
else
du $arg .[^.]* ./*;
fi;
}
function lin () {
sed -n $1p
}
function fsize () {
echo "$1" | awk 'function human(x) {
s=" B KiB MiB GiB TiB EiB PiB YiB ZiB"
while (x>=1024 && length(s)>1)
{x/=1024; s=substr(s,5)}
s=substr(s,1,4)
xf=(s==" B ")?"%5d ":"%0.2f"
return sprintf( xf"%s", x, s)
}
{gsub(/^[0-9]+/, human($1)); print}'
}
function multigrep() { local IFS='|'; grep -rinE "$*" . ; }
function ord() { printf "%d\n" "'$1"; }
function chr() { printf \\$(($1/64*100+$1%64/8*10+$1%8))\\n; }
########################################################################
# math
########################################################################
function calc () { python -c "from math import *; n = $1; print n; print '$'+hex(trunc(n))[2:]; print '&'+oct(trunc(n))[1:]; print '%'+bin(trunc(n))[2:];"; }
function add () {
awk '{s+=$1} END {print s}'
}
########################################################################
# directory navigation/file manipulation
########################################################################
function cd() { if [[ "$1" =~ ^\.\.+$ ]];then local a dir;a=${#1};while [ $a -ne 1 ];do dir=${dir}"../";((a--));done;builtin cd $dir;else builtin cd "$@";fi ;}
function fcd() { [ -f $1 ] && { cd $(dirname $1); } || { cd $1 ; } }
function up { cd $(eval printf '../'%.0s {1..$1}) && pwd; }
function realgo() { fcd $(realpath $(which $1)) && pwd ; }
function realwhich() { realpath $(which $1) ; }
function renmod() {
FILENAME="$@";
TIMESTAMP=$(date -d @$(stat -c%Y "$FILENAME") +"%Y%m%d%H%M%S")
mv -iv "$FILENAME" "$FILENAME.$TIMESTAMP"
}
function upto() {
local EXPRESSION="$1"
if [ -z "$EXPRESSION" ]; then
echo "A folder expression must be provided." >&2
return 1
fi
if [ "$EXPRESSION" = "/" ]; then
cd "/"
return 0
fi
local CURRENT_FOLDER="$(pwd)"
local MATCHED_DIR=""
local MATCHING=true
while [ "$MATCHING" = true ]; do
if [[ "$CURRENT_FOLDER" =~ "$EXPRESSION" ]]; then
MATCHED_DIR="$CURRENT_FOLDER"
CURRENT_FOLDER=$(dirname "$CURRENT_FOLDER")
else
MATCHING=false
fi
done
if [ -n "$MATCHED_DIR" ]; then
cd "$MATCHED_DIR"
return 0
else
echo "No Match." >&2
return 1
fi
}
# complete upto
_upto () {
# necessary locals for _init_completion
local cur prev words cword
_init_completion || return
COMPREPLY+=( $( compgen -W "$( echo ${PWD//\// } )" -- $cur ) )
}
complete -F _upto upto
########################################################################
# history
########################################################################
function h() { if [ -z "$1" ]; then history; else history | grep -i "$@"; fi; }
########################################################################
# searching
########################################################################
function fname() { find . -iname "*$@*"; }
########################################################################
# examine running processes
########################################################################
function auxer() {
ps aux | grep -i "$(echo "$1" | sed "s/^\(.\)\(.*$\)/\[\1\]\2/")"
}
function psgrep() { ps axuf | grep -v grep | grep "$@" -i --color=auto; }
function killtree() {
if [ "$1" ]
then
kill $(pstree -p $1 | sed 's/(/\n(/g' | grep '(' | sed 's/(\(.*\)).*/\1/' | tr "\n" " ")
else
echo "No PID specified">&2
fi
}
function howmuchmem () {
PROCNAME="$@";
RAMKILOBYTES=($(ps axo rss,comm|grep $PROCNAME| awk '{ TOTAL += $1 } END { print TOTAL }'));
RAMBYTES=$(echo "$RAMKILOBYTES*1024" | bc);
RAM=$(fsize $RAMBYTES);
echo "$RAM";
}
function mempercent () {
PROCNAME="$@";
ps -eo pmem,comm | grep "$PROCNAME" | awk '{sum+=$1} END {print sum " % of RAM"}'
}
function htopid () {
PROCPID="$1"
htop -p $(pstree -p $PROCPID | perl -ne 'push @t, /\((\d+)\)/g; END { print join ",", @t }')
}
function lport () {
if [ "$1" ]
then
netstat -anp 2>/dev/null|grep "$1"|grep LISTEN|awk '{print $4}'|grep -P -o "\d+"|grep -v "^0$"
else
echo "No process specified">&2
fi
}
########################################################################
# APT package management
########################################################################
function aptsearch() { apt-cache search "$1"; }
function aptsize() {
dpkg-query --show --showformat='${Package;-50}\t${Installed-Size} ${Status}\n' | sort -k 2 -n | grep -v deinstall
}
########################################################################
# date/time
########################################################################
function dateu()
{
if [ "$1" ]
then
echo $(date -u -d @$1);
else
echo "No UNIX time specified">&2
fi
}
function udate()
{
if [ "$1" ]
then
date -u +%s -d "$1"
else
date -u +%s
fi
}
function sec2dhms() {
declare -i SS="$1" D=$(( SS / 86400 )) H=$(( SS % 86400 / 3600 )) M=$(( SS % 3600 / 60 )) S=$(( SS % 60 )) [ "$D" -gt 0 ] && echo -n "${D}:" [ "$H" -gt 0 ] && printf "%02g:" "$H" printf "%02g:%02g\n" "$M" "$S"
}
########################################################################
# system
########################################################################
function ddisousb() {
if [ "$1" ] && [[ -r "$1" ]] ; then
if [ "$2" ] && [[ -r "$2" ]] ; then
echo "dd if=\"$1\" of=\"$2\" bs=4M status=progress oflag=sync"
dd if="$1" of="$2" bs=4M status=progress oflag=sync
else
echo "No destination device specified">&2
fi
else
echo "No iso file specified">&2
fi
}
function find_linux_root_device() {
local PDEVICE=`stat -c %04D /`
for file in $(find /dev -type b 2>/dev/null) ; do
local CURRENT_DEVICE=$(stat -c "%02t%02T" $file)
if [ $CURRENT_DEVICE = $PDEVICE ]; then
ROOTDEVICE="$file"
break;
fi
done
echo "$ROOTDEVICE"
}
function rotationals() {
for f in /sys/block/sd?/queue/rotational; do printf "$f is "; cat $f; done
}
function schedulers() {
for f in /sys/block/sd?/queue/scheduler; do printf "$f is "; cat $f; done
}
function watch_file_size() {
perl -e '
$file = shift; die "no file [$file]" unless ((-f $file) || (-d $file));
$isDir = (-d $file);
$sleep = shift; $sleep = 1 unless $sleep =~ /^[0-9]+$/;
$format = "%0.2f %0.2f\n";
while(1){
if ($isDir) {
$size = `du -0scb $file`;
$size =~ s/\s+.*//;
} else {
$size = ((stat($file))[7]);
}
$change = $size - $lastsize;
printf $format, $size/1024/1024, $change/1024/1024/$sleep;
sleep $sleep;
$lastsize = $size;
}' "$1" "$2"
}
function dux() {
du -x --max-depth=1|sort -rn|awk -F / -v c=$COLUMNS 'NR==1{t=$1} NR>1{r=int($1/t*c+.5); b="\033[1;31m"; for (i=0; i<r; i++) b=b"#"; printf " %5.2f%% %s\033[0m %s\n", $1/t*100, b, $2}'|tac
}
function dirtydev() {
while true; do cat /sys/block/$1/stat|cols 9; grep -P "(Dirty)\b" /proc/meminfo; sleep 1; done
}
function cpuuse() {
if [ "$1" ]; then
SLEEPSEC="$1"
else
SLEEPSEC=1
fi
{ cat /proc/stat; sleep "$SLEEPSEC"; cat /proc/stat; } | \
awk '/^cpu / {usr=$2-usr; sys=$4-sys; idle=$5-idle; iow=$6-iow} \
END {total=usr+sys+idle+iow; printf "%.2f\n", (total-idle)*100/total}'
}
########################################################################
# misc. shell/tmux/etc
########################################################################
function tmux() {
TMUX="$(which tmux)"
# old habits die hard, make "screen -l" and "screen -r" work the way I want them to for tmux
if [ "$#" -eq 1 ] && ([ "$1" = "-list" ] || [ "$1" = "-l" ]); then
shift
"$TMUX" ls
elif ([ "$#" -eq 1 ] || [ "$#" -ge 2 ]) && [ "$1" = "-r" ]; then
shift
if [ "$#" -eq 0 ]; then
"$TMUX" ls >/dev/null 2>&1 && "$TMUX" attach || echo "No tmux sessions found"
else
SID="$1"; shift
"$TMUX" attach -t "$SID" "$@"
fi
else
"$TMUX" "$@"
fi
}
function screen() {
tmux "$@"
}
########################################################################
# sensor-specific
########################################################################
function sensorwatch () {
if [ "$1" ]; then
SLEEPSEC="$1"
else
SLEEPSEC=1
fi
if [ -f /opt/sensor/sensor_ctl/control_vars.conf ] ; then
. /opt/sensor/sensor_ctl/control_vars.conf
if [ -d "$ZEEK_LOG_PATH" ] && [ -d "$PCAP_PATH" ] ; then
while true; do
clear
find "$PCAP_PATH" "$ZEEK_LOG_PATH" -type f \( -name "*.pcap*" -o -name "*.log*" \) -print0 | \
xargs -0 stat --format '%Y: %y %s %n' | \
sort -nr | \
cut -d: -f2- | \
sed -r "s/\..*\\+0000//" | \
head -n 10 | \
awk 'function human(x) {
s=" B KiB MiB GiB TiB EiB PiB YiB ZiB"
while (x>=1024 && length(s)>1)
{x/=1024; s=substr(s,5)}
s=substr(s,1,4)
xf=(s==" B ")?"%5d ":"%0.2f"
return sprintf( xf"%s", x, s)
};
{
$3 = human($3);
print
}'
echo
du -sh "$PCAP_PATH" "$ZEEK_LOG_PATH"
echo
df -h "$PCAP_PATH" "$ZEEK_LOG_PATH"
sleep $SLEEPSEC
done
fi
fi
}
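Review bot: the `tmux` wrapper assigns `TMUX="$(which tmux)"` to the very variable tmux exports into its sessions (socket path, server pid, session id); called from inside a session the exported variable keeps its export attribute and is overwritten with the binary path, so tmux then looks for its server socket at `/usr/bin/tmux` and the `ls`/`attach` paths of the wrapper fail, and every later child of that shell inherits the bogus value. Rename and scope it: `local TMUX_BIN; TMUX_BIN="$(command -v tmux)"`. Also in this hunk: `lport` pipes the whole local-address column through `grep -P -o "\d+"`, so for a listener on `127.0.0.1:5000` it prints 127, 1 and 5000, and only the zero octets of `0.0.0.0` are filtered by `grep -v "^0$"`; take the port with `awk -F: '{print $NF}'` instead (or use `ss -lntp`, since `netstat` is deprecated on Debian). `ddisousb` verifies the destination only with `-r "$2"` before running `dd` over it; check `-b "$2"` and ask for confirmation before overwriting a block device. `calc` relies on Python 2 print-statement syntax and the bare `python` interpreter name, which current Debian does not provide by default. As rendered here, `sec2dhms` has the `declare -i ...` assignment and the three `[ ... ] && echo/printf` statements on one line, which makes the `[` tokens extra arguments to `declare`; each statement needs its own line or a `;`.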

View File

@@ -0,0 +1,17 @@
{
"AllowDinosaurEasterEgg": false,
"BrowserSignin": false,
"EnableMediaRouter": false,
"HomepageIsNewTabPage": false,
"HomepageLocation": "http://127.0.0.1:5000",
"NewTabPageLocation": "about:blank",
"PromotionalTabsEnabled": false,
"RestoreOnStartup": 4,
"RestoreOnStartupURLs": [
"http://127.0.0.1:5000"
],
"RestrictSigninToPattern": ".*@example.com",
"SafeBrowsingExtendedReportingEnabled": false,
"ShowCastIconInToolbar": false,
"SyncDisabled": true
}
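Review bot: `RestrictSigninToPattern` is set to the placeholder `.*@example.com`, which is a no-op here because `BrowserSignin: false` already disables sign-in; either drop the key or replace the placeholder so the policy does not read as unfinished. Since this kiosk profile is meant to talk only to the local sensor UI at `http://127.0.0.1:5000`, consider adding `MetricsReportingEnabled: false` as well: the current set turns off sync, sign-in, media routing, promotional tabs and extended Safe Browsing reporting, but not usage metrics.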

View File

@@ -0,0 +1,5 @@
LIVE_LOCALES="en_US.UTF-8"
LIVE_HOSTNAME="sensor-live"
LIVE_USERNAME="sensor"
LIVE_USER_FULLNAME="sensor"
LIVE_USER_DEFAULT_GROUPS="adm audio cdrom disk netdev plugdev sudo video vboxsf"
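Review bot: `LIVE_USER_DEFAULT_GROUPS` puts the live user in `disk`, which grants raw read/write access to every block device and is therefore equivalent to root (the root filesystem and `/etc/shadow` can be read and modified through the device nodes) without passing through `sudo` and its logging. The user is already in `sudo`, so `disk` is redundant; drop it unless a specific tool in the live environment needs it, in which case name that tool in a comment. `vboxsf` only has meaning under VirtualBox and is harmless elsewhere, but a comment saying why it is there would help.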

View File

@@ -0,0 +1,341 @@
#
# /etc/login.defs - Configuration control definitions for the login package.
#
# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
# If unspecified, some arbitrary (and possibly incorrect) value will
# be assumed. All other items are optional - if not specified then
# the described action or option will be inhibited.
#
# Comment lines (lines beginning with "#") and blank lines are ignored.
#
# Modified for Linux. --marekm
# REQUIRED for useradd/userdel/usermod
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
# MAIL_DIR takes precedence.
#
# Essentially:
# - MAIL_DIR defines the location of users mail spool files
# (for mbox use) by appending the username to MAIL_DIR as defined
# below.
# - MAIL_FILE defines the location of the users mail spool files as the
# fully-qualified filename obtained by prepending the user home
# directory before $MAIL_FILE
#
# NOTE: This is no more used for setting up users MAIL environment variable
# which is, starting from shadow 4.0.12-1 in Debian, entirely the
# job of the pam_mail PAM modules
# See default PAM configuration files provided for
# login, su, etc.
#
# This is a temporary situation: setting these variables will soon
# move to /etc/default/useradd and the variables will then be
# no more supported
MAIL_DIR /var/mail
#MAIL_FILE .mail
#
# Enable logging and display of /var/log/faillog login failure info.
# This option conflicts with the pam_tally PAM module.
#
FAILLOG_ENAB yes
#
# Enable display of unknown usernames when login failures are recorded.
#
# WARNING: Unknown usernames may become world readable.
# See #290803 and #298773 for details about how this could become a security
# concern
LOG_UNKFAIL_ENAB no
#
# Enable logging of successful logins
#
LOG_OK_LOGINS no
#
# Enable "syslog" logging of su activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp and sg.
#
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
#
# If defined, all su activity is logged to this file.
#
#SULOG_FILE /var/log/sulog
#
# If defined, file which maps tty line to TERM environment parameter.
# Each line of the file is in a format something like "vt100 tty01".
#
#TTYTYPE_FILE /etc/ttytype
#
# If defined, login failures will be logged here in a utmp format
# last, when invoked as lastb, will read /var/log/btmp, so...
#
FTMP_FILE /var/log/btmp
#
# If defined, the command name to display when running "su -". For
# example, if this is defined as "su" then a "ps" will display the
# command is "-su". If not defined, then "ps" would display the
# name of the shell actually being run, e.g. something like "-sh".
#
SU_NAME su
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file. If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
#
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
#
# Terminal permissions
#
# TTYGROUP Login tty will be assigned this group ownership.
# TTYPERM Login tty will be set to this permission.
#
# If you have a "write" program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP to the group number and
# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
# TTYPERM to either 622 or 600.
#
# In Debian /usr/bin/bsd-write or similar programs are setgid tty
# However, the default and recommended value for TTYPERM is still 0600
# to not allow anyone to write to anyone else console or terminal
# Users can still allow other people to write them by issuing
# the "mesg y" command.
TTYGROUP tty
TTYPERM 0600
#
# Login configuration initializations:
#
# ERASECHAR Terminal ERASE character ('\010' = backspace).
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
# UMASK Default "umask" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
#
# UMASK is the default umask value for pam_umask and is used by
# useradd and newusers to set the mode of the new home directories.
# 022 is the "historical" value in Debian for UMASK
# 027, or even 077, could be considered better for privacy
# There is no One True Answer here : each sysadmin must make up his/her
# mind.
#
# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
# for private user groups, i. e. the uid is the same as gid, and username is
# the same as the primary group name: for these, the user permissions will be
# used as group permissions, e. g. 022 will become 002.
#
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR 0177
KILLCHAR 025
UMASK 077
#
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
#SYS_UID_MIN 100
#SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
#SYS_GID_MIN 100
#SYS_GID_MAX 999
#
# Max number of login retries if password is bad. This will most likely be
# overriden by PAM, since the default pam_unix module has it's own built
# in of 3 retries. However, this is a safe fallback in case you are using
# an authentication module that does not enforce PAM_MAXTRIES.
#
LOGIN_RETRIES 5
#
# Max time in seconds for login
#
LOGIN_TIMEOUT 60
#
# Which fields may be changed by regular users using chfn - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone). If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
#
CHFN_RESTRICT rwh
#
# Should login be allowed if we can't cd to the home directory?
# Default in no.
#
DEFAULT_HOME yes
CREATE_HOME yes
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If set to yes, userdel will remove the user's group if it contains no
# more members, and useradd will create by default a group with the name
# of the user.
#
# Other former uses of this variable such as setting the umask when
# user==primary group are not used in PAM environments, such as Debian
#
USERGROUPS_ENAB yes
#
# Instead of the real user shell, the program specified by this parameter
# will be launched, although its visible name (argv[0]) will be the shell's.
# The program may do whatever it wants (logging, additional authentification,
# banner, ...) before running the actual shell.
#
# FAKE_SHELL /bin/fakeshell
#
# If defined, either full pathname of a file containing device names or
# a ":" delimited list of device names. Root logins will be allowed only
# upon these devices.
#
# This variable is used by login and su.
#
#CONSOLE /etc/consoles
#CONSOLE console:tty01:tty02:tty03:tty04
#
# List of groups to add to the user's supplementary group set
# when logging in on the console (as determined by the CONSOLE
# setting). Default is none.
#
# Use with caution - it is possible for users to gain permanent
# access to these groups, even when not logged in on the console.
# How to do it is left as an exercise for the reader...
#
# This variable is used by login and su.
#
#CONSOLE_GROUPS floppy:audio:cdrom
#
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
# Set to "no" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm. Default is "no".
#
# This variable is deprecated. You should use ENCRYPT_METHOD.
#
#MD5_CRYPT_ENAB no
#
# If set to MD5 , MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# Overrides the MD5_CRYPT_ENAB option
#
# Note: It is recommended to use a value consistent with
# the PAM modules configuration.
#
ENCRYPT_METHOD SHA512
#
# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute forcing the password.
# But note also that it more CPU resources will be needed to authenticate
# users.
#
# If not specified, the libc will choose the default number of rounds (5000).
# The values must be inside the 1000-999999999 range.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
# SHA_CRYPT_MIN_ROUNDS 5000
# SHA_CRYPT_MAX_ROUNDS 5000
################# OBSOLETED BY PAM ##############
# #
# These options are now handled by PAM. Please #
# edit the appropriate file in /etc/pam.d/ to #
# enable the equivelants of them.
#
###############
#MOTD_FILE
#DIALUPS_CHECK_ENAB
#LASTLOG_ENAB
#MAIL_CHECK_ENAB
#OBSCURE_CHECKS_ENAB
#PORTTIME_CHECKS_ENAB
#SU_WHEEL_ONLY
#CRACKLIB_DICTPATH
#PASS_CHANGE_TRIES
#PASS_ALWAYS_WARN
#ENVIRON_FILE
#NOLOGINS_FILE
#ISSUE_FILE
#PASS_MIN_LEN
#PASS_MAX_LEN
#ULIMIT
#ENV_HZ
#CHFN_AUTH
#CHSH_AUTH
#FAIL_DELAY
################# OBSOLETED #######################
# #
# These options are no more handled by shadow. #
# #
# Shadow utilities will display a warning if they #
# still appear. #
# #
###################################################
# CLOSE_SESSIONS
# LOGIN_STRING
# NO_PASSWORD_CONSOLE
# QMAIL_DIR
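Review bot: `SHA_CRYPT_MIN_ROUNDS` and `SHA_CRYPT_MAX_ROUNDS` are left commented, so `ENCRYPT_METHOD SHA512` runs at the libc default of 5000 rounds; uncomment and raise them so locally stored hashes cost more to brute-force, and, as the file's own comment warns, keep pam_unix's `rounds=` option in `/etc/pam.d/common-password` consistent with the value chosen. `PASS_MAX_DAYS 99999` disables password expiry; if that is deliberate for an appliance account, say so in a comment. Also note the interaction the file's comment describes between `UMASK 077` and `USERGROUPS_ENAB yes`: for private user groups pam_umask turns 077 into 007, so files created in login sessions can be group-readable unless the shell sets its own umask.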

View File

@@ -0,0 +1,8 @@
* soft nofile 65535
* hard nofile 65535
* soft memlock unlimited
* hard memlock unlimited
* soft core 0
* hard core 0
* hard maxlogins 10
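Review bot: `memlock unlimited` is granted to `*`, i.e. every PAM login session, when only the account running capture needs locked memory for packet ring buffers; scope it to that user or group (for example `sensor hard memlock unlimited`, if `sensor` is the capture account). Note also that `/etc/security/limits.conf` is applied by pam_limits to login sessions only: capture processes started from systemd units or a supervisor do not inherit these values and need `LimitNOFILE=` and `LimitMEMLOCK=` (or the supervisor's equivalent) in their own configuration. `core 0` for both soft and hard is the right choice on a sensor, since a core dump of a capture process could contain packet payloads.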

View File

@@ -0,0 +1,2 @@
xscreensaver.mode: blank
xscreensaver.lock: false
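Review bot: `xscreensaver.lock: false` means the console is blanked after inactivity but never locked; on an appliance whose kiosk session includes a terminal launcher and a browser pointed at the sensor UI, anyone with physical access to the console gets the logged-in session back with a keypress. If unlocked kiosk operation is intended and physical controls are relied on, state that in a comment here; otherwise set it to true.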

View File

@@ -0,0 +1,88 @@
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# new directories default to 700, new files to 600
umask 077
export UMASK=077
# If not running interactively, don't do anything
[ -z "$PS1" ] && return
# don't put duplicate lines in the history and ignore same sucessive entries.
export HISTCONTROL=ignoreboth:erasedups
export HISTIGNORE="&:ls:ll:cd:history:h:[bf]g:exit:pwd:clear"
export HISTFILESIZE=1000000000
export HISTSIZE=1000000
export HISTTIMEFORMAT="[%Y-%m-%d %H:%M:%S] "
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(lesspipe)"
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD/$HOME/~}\007"'
;;
*)
;;
esac
# enable programmable completion features
if [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
###############################################################################
# PATH
###############################################################################
PATH=/opt/zeek/bin:/opt/spicy/bin:/opt/moloch/bin:/usr/sbin:$PATH
if [ -d ~/bin ]; then
PATH=~/bin:$PATH
fi
if [ -d ~/.local/bin ]; then
PATH=~/.local/bin:$PATH
fi
export PATH
###############################################################################
# ALIASES AND FUNCTIONS
###############################################################################
if [ -f /etc/bash.bash_aliases ]; then
. /etc/bash.bash_aliases
fi
if [ -f /etc/bash.bash_functions ]; then
. /etc/bash.bash_functions
fi
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
if [ -f ~/.bash_functions ]; then
. ~/.bash_functions
fi
###############################################################################
# BASH OPTIONS
###############################################################################
shopt -s extglob
shopt -s dotglob
shopt -s cdspell
shopt -s histverify
shopt -s histappend
shopt -u progcomp
PROMPT_COMMAND="history -a;$PROMPT_COMMAND"
###############################################################################
# BASH PROMPT
###############################################################################
PS1="\[\033[00;32m\]\u\[\033[00;34m\]@\h\[\033[1;30m\]:\[\033[00;35m\]\W\[\033[00m\]\[\033[01;37m\]\$ \[\033[00;37m\]"
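Review bot: `shopt -u progcomp` under BASH OPTIONS disables programmable completion, which makes the earlier sourcing of `/etc/bash_completion` pointless and silently disables any `complete -F` registration done by the sourced function files (such as `complete -F _upto upto` in the functions file from this same commit); drop that line or stop sourcing bash_completion. `export UMASK=077` sets an environment variable that no standard tool reads; the preceding `umask 077` is what takes effect, so the export can go. `HISTFILESIZE=1000000000` with `HISTTIMEFORMAT` keeps effectively unlimited, timestamped history; on a sensor where operators may type credentials into commands, consider a bounded size, and rely on the 077 umask to keep `~/.bash_history` at mode 0600.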

View File

@@ -0,0 +1,27 @@
[rc]
use_copy=true
use_primary=false
synchronize=false
automatic_paste=false
show_indexes=false
save_uris=true
use_rmb_menu=false
save_history=false
history_limit=50
history_timeout_seconds=300
history_timeout=true
items_menu=10
statics_show=false
statics_items=0
hyperlinks_only=true
confirm_clear=false
single_line=true
reverse_history=true
item_length=0
ellipsize=0
history_key=<Ctrl><Alt>H
actions_key=<Ctrl><Alt>A
menu_key=<Ctrl><Alt>P
search_key=<Ctrl><Alt>F
offline_key=<Ctrl><Alt>O
offline_mode=false

View File

@@ -0,0 +1,15 @@
[Settings]
gtk-theme-name=Adwaita-dark
gtk-icon-theme-name=gnome
gtk-font-name=Sans 10
gtk-cursor-theme-size=18
gtk-toolbar-style=GTK_TOOLBAR_BOTH_HORIZ
gtk-toolbar-icon-size=GTK_ICON_SIZE_LARGE_TOOLBAR
gtk-button-images=1
gtk-menu-images=1
gtk-enable-event-sounds=0
gtk-enable-input-feedback-sounds=0
gtk-xft-antialias=1
gtk-xft-hinting=1
gtk-xft-hintstyle=hintslight
gtk-xft-rgba=rgb

View File

@@ -0,0 +1,134 @@
# lxpanel <profile> config file. Manually editing is not recommended.
# Use preference dialog in lxpanel to adjust config when you can.
Global {
edge=top
monitor=0
height=32
align=left
widthtype=percent
width=100
transparent=0
background=0
autohide=0
heightwhenhidden=4
tintcolor=#a0a0a0
alpha=255
setpartialstrut=1
iconsize=24
}
Plugin {
type=menu
Config {
system {
}
separator {
}
item {
command=run
}
separator {
}
item {
command=logout
image=gnome-logout
}
image=/usr/share/icons/gnome/32x32/places/start-here.png
}
}
Plugin {
type=separator
Config {
}
}
Plugin {
type=launchtaskbar
Config {
Button {
id=terminator.desktop
}
Button {
id=firefox.desktop
}
Button {
id=hedgehog-kiosk.desktop
}
Button {
id=hedgehog-readme.desktop
}
Button {
id=sensor-services-status.desktop
}
Button {
id=configure-capture.desktop
}
Button {
id=configure-interfaces.desktop
}
Button {
id=sensor-services-full-restart.desktop
}
IconsOnly=0
FlatButton=0
UseMouseWheel=0
GroupedTasks=1
DisableUpscale=0
UseSmallerIcons=-1
spacing=1
ShowAllDesks=0
}
}
Plugin {
type=space
Config {
}
expand=1
}
Plugin {
type=separator
Config {
}
}
Plugin {
type=pager
Config {
}
}
Plugin {
type=separator
Config {
}
}
Plugin {
type=dclock
Config {
ClockFmt=%R
TooltipFmt=%A %x
BoldFont=0
IconOnly=0
CenterText=0
}
}
Plugin {
type=separator
Config {
}
}
Plugin {
type=tray
Config {
}
}
Plugin {
type=separator
Config {
}
}
Plugin {
type=launchbar
Config {
Button {
id=lxde-logout.desktop
}
}
}

View File

@@ -0,0 +1,48 @@
[Session]
window_manager=openbox-lxde
disable_autostart=no
polkit/command=lxpolkit
clipboard/command=lxclipboard
xsettings_manager/command=build-in
proxy_manager/command=build-in
keyring/command=ssh-agent
quit_manager/command=lxsession-logout
lock_manager/command=lxlock
terminal_manager/command=lxterminal
[GTK]
sNet/ThemeName=Adwaita-dark
sNet/IconThemeName=gnome
sGtk/FontName=Sans 10
iGtk/ToolbarStyle=3
iGtk/ButtonImages=1
iGtk/MenuImages=1
iGtk/CursorThemeSize=18
iXft/Antialias=1
iXft/Hinting=1
sXft/HintStyle=hintslight
sXft/RGBA=rgb
iNet/EnableEventSounds=1
iNet/EnableInputFeedbackSounds=1
sGtk/ColorScheme=
iGtk/ToolbarIconSize=3
sGtk/CursorThemeName=DMZ-White
[Mouse]
AccFactor=20
AccThreshold=10
LeftHanded=0
[Keyboard]
Delay=500
Interval=30
Beep=1
[State]
guess_default=true
[Dbus]
lxde=true
[Environment]
menu_prefix=lxde-
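Review bot: `iNet/EnableEventSounds=1` and `iNet/EnableInputFeedbackSounds=1` contradict `gtk-enable-event-sounds=0` and `gtk-enable-input-feedback-sounds=0` in the gtkrc added in this commit; because `xsettings_manager/command=build-in` publishes these values over XSETTINGS, which take precedence over rc files, the lxsession values are the ones that win. Pick one source of truth for the GTK settings and remove the duplicates.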

View File

@@ -0,0 +1,13 @@
[*]
wallpaper_mode=fit
wallpaper_common=1
wallpaper=/usr/share/images/desktop-base/hedgehog-wallpaper.png
desktop_bg=#1c0522
desktop_fg=#ffffff
desktop_shadow=#000000
desktop_font=Ubuntu Medium 12
show_wm_menu=0
sort=mtime;ascending;
show_documents=0
show_trash=0
show_mounts=1

View File

@@ -0,0 +1,26 @@
[config]
bm_open_method=0
[volume]
mount_on_startup=0
mount_removable=0
autorun=0
[ui]
always_show_tabs=0
max_tab_chars=32
win_width=640
win_height=480
splitter_pos=150
media_in_new_tab=0
desktop_folder_new_win=0
change_tab_on_drop=1
close_on_unmount=1
focus_previous=0
side_pane_mode=places
view_mode=list
show_hidden=0
sort=name;ascending;
toolbar=newtab;navigation;home;
show_statusbar=1
pathbar_mode_buttons=0

View File

@@ -0,0 +1 @@
SELECTED_EDITOR="/usr/bin/vim.tiny"

View File

@@ -0,0 +1,47 @@
unbind C-b
set -g prefix C-a
bind a send-prefix
bind-key C-a last-window
# Make shift+arrows, ctrl+arrows etc work in Vim.
set -g xterm-keys on
# See if this fixes slow ESC issues.
# http://unix.stackexchange.com/questions/23138/esc-key-causes-a-small-delay-in-terminal-due-to-its-alt-behavior
set -s escape-time 0
# Start window and pane indices at 1.
set -g base-index 1
set -g pane-base-index 1
# Status bar styling and content.
set -g status-bg black
set -g status-fg white
set -g status-left '#S '
# Highlight the active window in the status bar.
set-window-option -g window-status-current-bg yellow
set-window-option -g window-status-current-fg black
# More intuitive split-window mappings.
bind "'" split-window -h
bind - split-window -v
# Maximize pane, e.g. for copying.
bind-key z resize-pane -Z
# Switch pane and zoom
# https://twitter.com/tskogberg/status/792025881573199872
bind C-z select-pane -t :.+ \; resize-pane -Z
# toggle synchronize panes
bind C-x set-window-option synchronize-panes\; display-message "synchronize-panes is now #{?pane_synchronized,on,off}"
# Reload tmux conf.
unbind r
bind r source-file ~/.tmux.conf\; display "Reloaded conf."
# Use vim keybindings in copy mode
setw -g mode-keys vi
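Review bot: `window-status-current-bg` and `window-status-current-fg` were removed in tmux 2.9 in favour of `window-status-current-style`; on that version or later each of the two `set-window-option` lines produces an "invalid option" error when the config loads, and the `bind r source-file ~/.tmux.conf` reload binding surfaces the same errors. Replace them with `set-window-option -g window-status-current-style bg=yellow,fg=black`.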

View File

@@ -0,0 +1,2 @@
set nocompatible

View File

@@ -0,0 +1,281 @@
# XScreenSaver Preferences File
# Written by xscreensaver-demo 5.36 for sensor on Wed Jul 3 15:35:13 2019.
# https://www.jwz.org/xscreensaver/
timeout: 0:10:00
cycle: 0:10:00
lock: False
lockTimeout: 0:00:00
passwdTimeout: 0:00:30
visualID: default
installColormap: True
verbose: False
timestamp: True
splash: True
splashDuration: 0:00:05
demoCommand: xscreensaver-demo
prefsCommand: xscreensaver-demo -prefs
nice: 10
memoryLimit: 0
fade: False
unfade: False
fadeSeconds: 0:00:03
fadeTicks: 20
captureStderr: True
ignoreUninstalledPrograms:True
font: *-medium-r-*-140-*-m-*
dpmsEnabled: False
dpmsQuickOff: False
dpmsStandby: 2:00:00
dpmsSuspend: 2:00:00
dpmsOff: 4:00:00
grabDesktopImages: False
grabVideoFrames: False
chooseRandomImages: False
imageDirectory:
mode: blank
selected: -1
textMode: date
textLiteral: XScreenSaver
textFile:
textProgram: fortune
textURL: http://planet.debian.org/rss20.xml
programs: \
maze -root \n\
- GL: superquadrics -root \n\
attraction -root \n\
blitspin -root \n\
greynetic -root \n\
helix -root \n\
hopalong -root \n\
imsmap -root \n\
- noseguy -root \n\
- pyro -root \n\
qix -root \n\
- rocks -root \n\
rorschach -root \n\
decayscreen -root \n\
flame -root \n\
halo -root \n\
slidescreen -root \n\
pedal -root \n\
bouboule -root \n\
- braid -root \n\
coral -root \n\
deco -root \n\
drift -root \n\
- fadeplot -root \n\
galaxy -root \n\
goop -root \n\
grav -root \n\
ifs -root \n\
unicode -root \n\
- GL: jigsaw -root \n\
julia -root \n\
- kaleidescope -root \n\
- GL: moebius -root \n\
moire -root \n\
- GL: morph3d -root \n\
mountain -root \n\
munch -root \n\
penrose -root \n\
- GL: pipes -root \n\
rd-bomb -root \n\
- GL: rubik -root \n\
- sierpinski -root \n\
slip -root \n\
- GL: sproingies -root \n\
starfish -root \n\
strange -root \n\
swirl -root \n\
triangle -root \n\
xjack -root \n\
xlyap -root \n\
- GL: atlantis -root \n\
bsod -root \n\
- GL: bubble3d -root \n\
- GL: cage -root \n\
- crystal -root \n\
cynosure -root \n\
discrete -root \n\
distort -root \n\
epicycle -root \n\
flow -root \n\
- GL: glplanet -root \n\
interference -root \n\
kumppa -root \n\
- GL: lament -root \n\
moire2 -root \n\
- GL: sonar -root \n\
- GL: stairs -root \n\
truchet -root \n\
- vidwhacker -root \n\
blaster -root \n\
bumps -root \n\
ccurve -root \n\
compass -root \n\
deluxe -root \n\
- demon -root \n\
- GL: extrusion -root \n\
- loop -root \n\
penetrate -root \n\
petri -root \n\
phosphor -root \n\
- GL: pulsar -root \n\
ripples -root \n\
shadebobs -root \n\
- GL: sierpinski3d -root \n\
spotlight -root \n\
squiral -root \n\
wander -root \n\
- webcollage -root \n\
xflame -root \n\
xmatrix -root \n\
- GL: gflux -root \n\
- nerverot -root \n\
xrayswarm -root \n\
xspirograph -root \n\
- GL: circuit -root \n\
- GL: dangerball -root \n\
- GL: engine -root \n\
- GL: flipscreen3d -root \n\
- GL: gltext -root \n\
- GL: menger -root \n\
- GL: molecule -root \n\
rotzoomer -root \n\
speedmine -root \n\
- GL: starwars -root \n\
- GL: stonerview -root \n\
vermiculate -root \n\
whirlwindwarp -root \n\
zoom -root \n\
anemone -root \n\
apollonian -root \n\
- GL: boxed -root \n\
- GL: cubenetic -root \n\
- GL: endgame -root \n\
euler2d -root \n\
fluidballs -root \n\
- GL: flurry -root \n\
- GL: glblur -root \n\
- GL: glsnake -root \n\
halftone -root \n\
- GL: juggler3d -root \n\
- GL: lavalite -root \n\
- polyominoes -root \n\
- GL: queens -root \n\
- GL: sballs -root \n\
- GL: spheremonics -root \n\
- thornbird -root \n\
twang -root \n\
- GL: antspotlight -root \n\
apple2 -root \n\
- GL: atunnel -root \n\
barcode -root \n\
- GL: blinkbox -root \n\
- GL: blocktube -root \n\
- GL: bouncingcow -root \n\
cloudlife -root \n\
- GL: cubestorm -root \n\
eruption -root \n\
- GL: flipflop -root \n\
- GL: flyingtoasters -root \n\
fontglide -root \n\
- GL: gleidescope -root \n\
- GL: glknots -root \n\
- GL: glmatrix -root \n\
- GL: glslideshow -root \n\
- GL: hypertorus -root \n\
- GL: jigglypuff -root \n\
metaballs -root \n\
- GL: mirrorblob -root \n\
piecewise -root \n\
- GL: polytopes -root \n\
pong -root \n\
popsquares -root \n\
- GL: surfaces -root \n\
xanalogtv -root \n\
abstractile -root \n\
anemotaxis -root \n\
- GL: antinspect -root \n\
fireworkx -root \n\
fuzzyflakes -root \n\
interaggregate -root \n\
intermomentary -root \n\
memscroller -root \n\
- GL: noof -root \n\
pacman -root \n\
- GL: pinion -root \n\
- GL: polyhedra -root \n\
- GL: providence -root \n\
substrate -root \n\
wormhole -root \n\
- GL: antmaze -root \n\
- GL: boing -root \n\
boxfit -root \n\
- GL: carousel -root \n\
celtic -root \n\
- GL: crackberg -root \n\
- GL: cube21 -root \n\
fiberlamp -root \n\
- GL: fliptext -root \n\
- GL: glhanoi -root \n\
- GL: tangram -root \n\
- GL: timetunnel -root \n\
- GL: glschool -root \n\
- GL: topblock -root \n\
- GL: cubicgrid -root \n\
cwaves -root \n\
- GL: gears -root \n\
- GL: glcells -root \n\
- GL: lockward -root \n\
m6502 -root \n\
- GL: moebiusgears -root \n\
- GL: voronoi -root \n\
- GL: hypnowheel -root \n\
- GL: klein -root \n\
- lcdscrub -root \n\
- GL: photopile -root \n\
- GL: skytentacles -root \n\
- GL: rubikblocks -root \n\
- GL: companioncube -root \n\
- GL: hilbert -root \n\
- GL: tronbit -root \n\
- GL: geodesic -root \n\
hexadrop -root \n\
- GL: kaleidocycle -root \n\
- GL: quasicrystal -root \n\
- GL: unknownpleasures -root \n\
binaryring -root \n\
- GL: cityflow -root \n\
- GL: geodesicgears -root \n\
- GL: projectiveplane -root \n\
- GL: romanboy -root \n\
tessellimage -root \n\
- GL: winduprobot -root \n\
- GL: splitflap -root \n\
- GL: cubestack -root \n\
- GL: cubetwist -root \n\
- GL: discoball -root \n\
- GL: dymaxionmap -root \n\
- GL: energystream -root \n\
- GL: hexstrut -root \n\
- GL: hydrostat -root \n\
- GL: raverhoop -root \n\
- GL: splodesic -root \n\
- GL: unicrud -root \n\
pointerPollTime: 0:00:05
pointerHysteresis: 10
windowCreationTimeout:0:00:30
initialDelay: 0:00:00
GetViewPortIsFullOfLies:False
procInterrupts: True
xinputExtensionDev: False
overlayStderr: True
authWarningSlack: 20

View File

@@ -0,0 +1,127 @@
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Protocol 2
#Port 22
AddressFamily inet
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256,hmac-sha2-512
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 60
PermitRootLogin no
StrictModes yes
MaxAuthTries 4
#MaxSessions 10
PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
IgnoreUserKnownHosts yes
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
RhostsRSAAuthentication no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox
PermitUserEnvironment no
Compression no
ClientAliveInterval 300
ClientAliveCountMax 0
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
Banner=/etc/issue
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
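Review bot: `ClientAliveCountMax 0` together with `ClientAliveInterval 300` does not enforce an idle timeout on OpenSSH 8.2 and later, where a count of 0 disables connection termination entirely; if the intent is to drop idle sessions after five minutes, use `ClientAliveCountMax 1` or higher. Several directives are also SSH-1-era leftovers that current sshd accepts only as deprecated no-ops and warns about at startup: `Protocol 2` and `RhostsRSAAuthentication no` (server-side SSH-1 was removed in 7.4) and `UsePrivilegeSeparation sandbox` (privilege separation became mandatory in 7.5); they can be dropped. Minor style: `Banner=/etc/issue` uses `=` where every other directive in the file uses whitespace, so write it `Banner /etc/issue` for consistency.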

View File

@@ -0,0 +1,2 @@
# allow unprivileged mgmt of interface flags via ethtool prior to starting capture
%netdev ALL=(root) NOPASSWD: /usr/local/bin/nic-capture-setup.sh
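Review bot: `%netdev ALL=(root) NOPASSWD: /usr/local/bin/nic-capture-setup.sh` makes every member of `netdev` root-equivalent if that script, or the directory holding it, is writable by any of them, since sudo checks only the path; the same applies to `/usr/local/bin/ufw_allow_viewer.sh` in the next file. Neither script is shown here, so a comment in these files (or in the build step that installs them) should state that they must be root-owned, mode 0755 or stricter, and must not let their arguments change what gets executed. If the scripts take no arguments, append an empty argument list (`... nic-capture-setup.sh ""`) so sudo refuses to pass any.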

View File

@@ -0,0 +1,2 @@
# allow unprivileged mgmt of UFW access for the local Arkime viewer instance
%netdev ALL=(root) NOPASSWD: /usr/local/bin/ufw_allow_viewer.sh

View File

@@ -0,0 +1,5 @@
@lxpanel --profile LXDE
@pcmanfm --desktop --profile LXDE
@xscreensaver -no-splash
@/usr/local/bin/capture-format-wait.sh
@/opt/firefox/firefox --setDefaultBrowser --no-remote --private --kiosk http://127.0.0.1:5000

View File

@@ -0,0 +1,126 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
# configuration variables may be specified in control_vars.conf rather than on the command line
CONTROL_VARS_FILE="control_vars.conf"
# script usd for file extraction
EXTRACTOR_ZEEK_SCRIPT="extractor.zeek"
# get utilities for finding default zeek path and executable
[[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath
[[ "$(uname -s)" = 'Darwin' ]] && DIRNAME=gdirname || DIRNAME=dirname
if ! (type "$REALPATH" && type "$DIRNAME") > /dev/null; then
echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH and $DIRNAME"
exit 1
fi
export SCRIPT_PATH="$($DIRNAME $($REALPATH -e "${BASH_SOURCE[0]}"))"
# source configuration variables file if found (precedence: pwd, script directory, /opt/sensor/sensor_ctl)
if [[ -r ./"$CONTROL_VARS_FILE" ]]; then
source ./"$CONTROL_VARS_FILE"
elif [[ -r "$SCRIPT_PATH"/"$CONTROL_VARS_FILE" ]]; then
source "$SCRIPT_PATH"/"$CONTROL_VARS_FILE"
elif [[ -r /opt/sensor/sensor_ctl/"$CONTROL_VARS_FILE" ]]; then
source /opt/sensor/sensor_ctl/"$CONTROL_VARS_FILE"
fi
# determine location of zeek executable and relative installation path
ZEEK_EXE="$(which zeek)"
[[ ! -x "$ZEEK_EXE" ]] && ZEEK_EXE="/opt/zeek/bin/zeek"
[[ ! -x "$ZEEK_EXE" ]] && ZEEK_EXE="/usr/bin/zeek"
[[ ! -x "$ZEEK_EXE" ]] && ZEEK_EXE="/usr/local/bin/zeek"
if [[ ! -x "$ZEEK_EXE" ]]; then
echo "zeek executable not found or not executable"
exit 1
fi
ZEEK_INSTALL_PATH="$(realpath "$(dirname "$(realpath "$ZEEK_EXE")")"/..)"
if [[ ! -d "$ZEEK_INSTALL_PATH" ]]; then
echo "zeek root path \"$ZEEK_INSTALL_PATH\" does not exist"
exit 1
fi
# allow user-specified overrides for interface, file extraction mode, and destination log path
while getopts i:p:f:d:o: opts; do
case ${opts} in
i) CAPTURE_INTERFACE=${OPTARG} ;;
p) PCAP_FILE=${OPTARG} ;;
f) ZEEK_EXTRACTOR_MODE=${OPTARG} ;;
d) ZEEK_LOG_PATH=${OPTARG} ;;
o) ZEEK_EXTRACTOR_OVERRIDE_FILE=${OPTARG} ;;
esac
done
# capture interface or PCAP file *must* be specified
if [[ -n $PCAP_FILE ]] && [[ -r $PCAP_FILE ]] ; then
ZEEK_INPUT_FLAG="-r"
ZEEK_INPUT_OBJECT=$PCAP_FILE
elif [[ -n $CAPTURE_INTERFACE ]] ; then
ZEEK_INPUT_FLAG="-i"
ZEEK_INPUT_OBJECT=$CAPTURE_INTERFACE
else
echo "Zeek capture interface (via \$CAPTURE_INTERFACE or -i <name>) or PCAP file (via -p <filename>) not specified"
exit 1
fi
# default file extraction mode is "do not extract files"
[[ -z $ZEEK_EXTRACTOR_MODE ]] && ZEEK_EXTRACTOR_MODE="none"
export ZEEK_EXTRACTOR_MODE
# if zeek log path is unspecified, write logs to pwd
[[ -z $ZEEK_LOG_PATH ]] && ZEEK_LOG_PATH=.
ZEEK_LOG_PATH="$($REALPATH "$ZEEK_LOG_PATH")"
# if file extraction is enabled and file extraction script exists, set up the argument for zeek to use it
ZEEK_EXTRACTOR_SCRIPT="$ZEEK_INSTALL_PATH"/share/zeek/site/"$EXTRACTOR_ZEEK_SCRIPT"
([[ ! -r "$ZEEK_EXTRACTOR_SCRIPT" ]] || [[ "$ZEEK_EXTRACTOR_MODE" = "none" ]]) && ZEEK_EXTRACTOR_SCRIPT=""
([[ ! -r "$ZEEK_EXTRACTOR_OVERRIDE_FILE" ]] || [[ -z "$ZEEK_EXTRACTOR_SCRIPT" ]] || [[ ! "$ZEEK_EXTRACTOR_MODE" = "mapped" ]]) && ZEEK_EXTRACTOR_OVERRIDE_FILE=""
# zeek ruleset is loaded from control_vars.conf if it existed, or "local" if not
[[ -z $ZEEK_RULESET ]] && ZEEK_RULESET="local"
ARCHIVE_PATH="$ZEEK_LOG_PATH/archived/$(date +"%Y-%m-%d-%H-%M-%S")"
mkdir -p "$ZEEK_LOG_PATH"/extract_files "$ARCHIVE_PATH"
pushd "$ZEEK_LOG_PATH" >/dev/null 2>&1
function finish {
echo "\"$ZEEK_EXE\" exited" >&2
pushd "$ZEEK_LOG_PATH" >/dev/null 2>&1
####################################################################################
# rename/move current zeek log files to an archive directory
####################################################################################
# we don't want to interfere with files being used by other processes (except filebeat, screw that guy)
mapfile -t OPEN_FILES < <( lsof -u "$USER" -a +D "$(pwd)" -a -d 0-65535 2>/dev/null | grep -Pv "^[\w-]+beat" | tail -n +2 | awk '{print $9}' | sed "s@^$ZEEK_LOG_PATH/@@" )
declare -A OPEN_FILES_MAP
for OPEN_FILE in ${OPEN_FILES[@]}; do
OPEN_FILES_MAP["$OPEN_FILE"]=1
done
shopt -s nullglob
for LOG_FILE in *; do
# process only files, and don't mess with open files (see OPEN_FILES declaration above)
if [[ ! -d "$LOG_FILE" ]] && [[ -z ${OPEN_FILES_MAP[$LOG_FILE]} ]]; then
mv -v "$LOG_FILE" "$ARCHIVE_PATH"/
fi
done
popd >/dev/null 2>&1
# we don't need to hang on to the persistent .state directory
[[ -d "$ZEEK_LOG_PATH"/.state ]] && sleep 1 && (pidof zeek >/dev/null 2>&1 || rm -rf "$ZEEK_LOG_PATH"/.state)
}
trap finish EXIT
# execute zeek
echo "Running \"$ZEEK_EXE\"..." >&2
if [[ -n "$ZEEK_EXTRACTOR_SCRIPT" ]] && [[ -n "$ZEEK_EXTRACTOR_OVERRIDE_FILE" ]]; then
"$ZEEK_EXE" -C $ZEEK_INPUT_FLAG "$ZEEK_INPUT_OBJECT" "$ZEEK_RULESET" "$ZEEK_EXTRACTOR_SCRIPT" "$ZEEK_EXTRACTOR_OVERRIDE_FILE"
elif [[ -n "$ZEEK_EXTRACTOR_SCRIPT" ]]; then
"$ZEEK_EXE" -C $ZEEK_INPUT_FLAG "$ZEEK_INPUT_OBJECT" "$ZEEK_RULESET" "$ZEEK_EXTRACTOR_SCRIPT"
else
"$ZEEK_EXE" -C $ZEEK_INPUT_FLAG "$ZEEK_INPUT_OBJECT" "$ZEEK_RULESET"
fi
popd >/dev/null 2>&1
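Review bot: in `finish`, `for OPEN_FILE in ${OPEN_FILES[@]}` expands the array unquoted, so an open-file path containing whitespace is split into several map keys and the corresponding log would be archived while still open; use `"${OPEN_FILES[@]}"`. Two smaller points: `ZEEK_INSTALL_PATH="$(realpath "$(dirname "$(realpath "$ZEEK_EXE")")"/..)"` calls `realpath`/`dirname` directly although the script selects `$REALPATH`/`$DIRNAME` for macOS a few lines earlier, so it should use those variables; and `# script usd for file extraction` has a typo (`used`).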

View File

@@ -0,0 +1,206 @@
#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
# get utilities for finding default zeek path and executable
[[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath
[[ "$(uname -s)" = 'Darwin' ]] && DIRNAME=gdirname || DIRNAME=dirname
if ! (type "$REALPATH" && type "$DIRNAME") > /dev/null; then
echo "$(basename "${BASH_SOURCE[0]}") requires $REALPATH and $DIRNAME"
exit 1
fi
export SCRIPT_PATH="$($DIRNAME $($REALPATH -e "${BASH_SOURCE[0]}"))"
# control_vars.conf file must be specified as argument to script or be found in an expected place
# source configuration variables file if found (precedence: pwd, script directory, /opt/sensor/sensor_ctl)
if [[ -n "$1" ]]; then
source "$1"
else
CONTROL_VARS_FILE="control_vars.conf"
if [[ -r ./"$CONTROL_VARS_FILE" ]]; then
source ./"$CONTROL_VARS_FILE"
elif [[ -r "$SCRIPT_PATH"/"$CONTROL_VARS_FILE" ]]; then
source "$SCRIPT_PATH"/"$CONTROL_VARS_FILE"
elif [[ -r /opt/sensor/sensor_ctl/"$CONTROL_VARS_FILE" ]]; then
source /opt/sensor/sensor_ctl/"$CONTROL_VARS_FILE"
fi
fi
# capture interface(s) *must* be specified
if [[ -z $CAPTURE_INTERFACE ]] ; then
echo "Zeek capture interface(s) (via \$CAPTURE_INTERFACE) not specified"
exit 1
fi
# do we have AF_PACKET support in the kernel? true if > 0
AF_PACKET_SUPPORT=$(grep -c -x 'CONFIG_PACKET=[ym]' "/boot/config-$(uname -r)")
# determine location of zeekctl script and relative installation path
ZEEK_CTL="$(which zeekctl)"
[[ ! -x "$ZEEK_CTL" ]] && ZEEK_CTL="/opt/zeek/bin/zeekctl"
[[ ! -x "$ZEEK_CTL" ]] && ZEEK_CTL="/usr/bin/zeekctl"
[[ ! -x "$ZEEK_CTL" ]] && ZEEK_CTL="/usr/local/bin/zeekctl"
if [[ ! -x "$ZEEK_CTL" ]]; then
echo "zeekctl script not found or not executable"
exit 1
fi
ZEEK_INSTALL_PATH="$(realpath "$(dirname "$(realpath "$ZEEK_CTL")")"/..)"
if [[ ! -d "$ZEEK_INSTALL_PATH" ]]; then
echo "zeek root path \"$ZEEK_INSTALL_PATH\" does not exist"
exit 1
fi
# default file extraction mode is "do not extract files"
[[ -z $ZEEK_EXTRACTOR_MODE ]] && ZEEK_EXTRACTOR_MODE="none"
# some other defaults
[[ -z $ZEEK_LB_PROCS ]] && ZEEK_LB_PROCS="1"
[[ -z $ZEEK_LB_METHOD ]] && ZEEK_LB_METHOD="custom"
[[ -z $ZEEK_AF_PACKET_BUFFER_SIZE ]] && ZEEK_AF_PACKET_BUFFER_SIZE="$(echo "64*1024*1024" | bc)"
# if zeek log path is unspecified, write logs to pwd
[[ -z $ZEEK_LOG_PATH ]] && ZEEK_LOG_PATH=.
ZEEK_LOG_PATH="$($REALPATH "$ZEEK_LOG_PATH")"
ARCHIVE_PATH="$ZEEK_LOG_PATH/logs"
WORK_PATH="$ZEEK_LOG_PATH/spool"
TMP_PATH="$ZEEK_INSTALL_PATH/spool/tmp"
EXTRACT_FILES_PATH="$ZEEK_LOG_PATH/extract_files"
mkdir -p "$ARCHIVE_PATH" "$WORK_PATH" "$EXTRACT_FILES_PATH" "$TMP_PATH"
export TMP="$TMP_PATH"
# if file extraction is enabled and file extraction script exists, set up the argument for zeek to use it
[[ -z $ZEEK_RULESET ]] && ZEEK_RULESET="local"
EXTRACTOR_ZEEK_SCRIPT="extractor.zeek"
ZEEK_EXTRACTOR_SCRIPT="$ZEEK_INSTALL_PATH"/share/zeek/site/"$EXTRACTOR_ZEEK_SCRIPT"
([[ ! -r "$ZEEK_EXTRACTOR_SCRIPT" ]] || [[ "$ZEEK_EXTRACTOR_MODE" = "none" ]]) && ZEEK_EXTRACTOR_SCRIPT=""
([[ ! -r "$ZEEK_EXTRACTOR_OVERRIDE_FILE" ]] || [[ -z "$ZEEK_EXTRACTOR_SCRIPT" ]] || [[ ! "$ZEEK_EXTRACTOR_MODE" = "mapped" ]]) && ZEEK_EXTRACTOR_OVERRIDE_FILE=""
# configure zeek cfg files
pushd "$ZEEK_INSTALL_PATH"/etc >/dev/null 2>&1
# make replacements for variables in zeekctl.cfg
ZEEK_LOG_ROTATE=3600
ZEEK_LOG_EXPIRE=0
ZEEK_STATS=0
sed -r -i "s/(LogRotationInterval)\s*=\s*.*/\1 = $ZEEK_LOG_ROTATE/" ./zeekctl.cfg
sed -r -i "s/(LogExpireInterval)\s*=\s*.*/\1 = $ZEEK_LOG_EXPIRE/" ./zeekctl.cfg
if [[ -n "$ZEEK_EXTRACTOR_SCRIPT" ]] && [[ -n "$ZEEK_EXTRACTOR_OVERRIDE_FILE" ]]; then
sed -r -i "s@(SitePolicyScripts)\s*=\s*.*@\1 = $ZEEK_RULESET $ZEEK_EXTRACTOR_SCRIPT $ZEEK_EXTRACTOR_OVERRIDE_FILE@" ./zeekctl.cfg
elif [[ -n "$ZEEK_EXTRACTOR_SCRIPT" ]]; then
sed -r -i "s@(SitePolicyScripts)\s*=\s*.*@\1 = $ZEEK_RULESET $ZEEK_EXTRACTOR_SCRIPT@" ./zeekctl.cfg
else
sed -r -i "s@(SitePolicyScripts)\s*=\s*.*@\1 = $ZEEK_RULESET@" ./zeekctl.cfg
fi
sed -r -i "s@(LogDir)\s*=\s*.*@\1 = $ARCHIVE_PATH@" ./zeekctl.cfg
sed -r -i "s@(SpoolDir)\s*=\s*.*@\1 = $WORK_PATH@" ./zeekctl.cfg
# completely rewrite node.cfg for one worker per interface
# see idaholab/Malcolm#36 for details on fine-tuning
rm -f ./node.cfg
cat << 'EOF' > ./node.cfg
#
# DO NOT EDIT THIS FILE
#
# It is automatically generated by /opt/zeek/bin/zeekdeploy.sh
#
EOF
echo "[logger]" >> ./node.cfg
echo "type=logger" >> ./node.cfg
echo "host=localhost" >> ./node.cfg
[[ -n $ZEEK_PIN_CPUS_LOGGER ]] && \
echo "pin_cpus=$ZEEK_PIN_CPUS_LOGGER" >> ./node.cfg
echo "" >> ./node.cfg
echo "[manager]" >> ./node.cfg
echo "type=manager" >> ./node.cfg
echo "host=localhost" >> ./node.cfg
[[ -n $ZEEK_PIN_CPUS_MANAGER ]] && \
echo "pin_cpus=$ZEEK_PIN_CPUS_MANAGER" >> ./node.cfg
echo "" >> ./node.cfg
echo "[proxy]" >> ./node.cfg
echo "type=proxy" >> ./node.cfg
echo "host=localhost" >> ./node.cfg
[[ -n $ZEEK_PIN_CPUS_PROXY ]] && \
echo "pin_cpus=$ZEEK_PIN_CPUS_PROXY" >> ./node.cfg
echo "" >> ./node.cfg
# number of zeek processes so far (logger, manager, proxy)
ZEEK_PROCS=3
# incrementing ID of current worker for config file
WORKER_ID=1
# AF_PACKET fanout ID (per-interface)
FANOUT_ID=1
# create a worker for each interface
# see idaholab/Malcolm#36 for details on fine-tuning
for IFACE in ${CAPTURE_INTERFACE//,/ }; do
WORKER_CPU_PINS_VAR=ZEEK_PIN_CPUS_WORKER_${WORKER_ID}
WORKER_LB_PROCS_VAR=ZEEK_LB_PROCS_WORKER_${WORKER_ID}
# priority for worker's lb_procs:
if [[ -n "${!WORKER_LB_PROCS_VAR}" ]]; then
# 1. ZEEK_LB_PROCS_WORKER_n is explicitly specified
WORKER_LB_PROCS="${!WORKER_LB_PROCS_VAR}"
elif [[ -n "${!WORKER_CPU_PINS_VAR}" ]]; then
# 2. ZEEK_PIN_CPUS_WORKER_n is specified, count the values
WORKER_LB_PROCS="$(echo "${!WORKER_CPU_PINS_VAR}" | awk -F',' '{print NF}')"
else
# default to $ZEEK_LB_PROCS
WORKER_LB_PROCS="$ZEEK_LB_PROCS"
fi
cat << EOF >> ./node.cfg
[worker-$WORKER_ID]
type=worker
host=localhost
interface=$IFACE
env_vars=ZEEK_EXTRACTOR_MODE=$ZEEK_EXTRACTOR_MODE,ZEEK_EXTRACTOR_PATH=$EXTRACT_FILES_PATH/,TMP=$TMP_PATH
EOF
# if af_packet is available in the kernel, write it out as well
if [ $AF_PACKET_SUPPORT -gt 0 ] && [ $WORKER_LB_PROCS -gt 0 ]; then
echo "lb_procs=$WORKER_LB_PROCS" >> ./node.cfg
echo "lb_method=$ZEEK_LB_METHOD" >> ./node.cfg
[[ -n "${!WORKER_CPU_PINS_VAR}" ]] && \
echo "pin_cpus=${!WORKER_CPU_PINS_VAR}" >> ./node.cfg
echo "af_packet_fanout_id=$FANOUT_ID" >> ./node.cfg
echo "af_packet_fanout_mode=AF_Packet::FANOUT_HASH" >> ./node.cfg
echo "af_packet_buffer_size=$ZEEK_AF_PACKET_BUFFER_SIZE" >> ./node.cfg
fi
WORKER_ID=$((WORKER_ID+1))
FANOUT_ID=$((FANOUT_ID+1))
ZEEK_PROCS=$((ZEEK_PROCS+1))
done
# we'll assume we didn't mess with networks.cfg, leave it alone
popd >/dev/null 2>&1
pushd "$ZEEK_LOG_PATH" >/dev/null 2>&1
function finish {
echo "Stopping via \"$ZEEK_CTL\"" >&2
"$ZEEK_CTL" stop
rm -f "$TMP_PATH"/*
}
trap finish EXIT
# execute zeekctl
echo "Running via \"$ZEEK_CTL\"..." >&2
"$ZEEK_CTL" deploy
# wait until interrupted (or somehow if zeek dies on its own)
while [ $("$ZEEK_CTL" status | tail -n +2 | grep -P "localhost\s+running\s+\d+" | wc -l) -ge $ZEEK_PROCS ]; do
for i in `seq 1 10`; do
sleep 1
done
done
popd >/dev/null 2>&1
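Review bot: `AF_PACKET_SUPPORT=$(grep -c -x 'CONFIG_PACKET=[ym]' "/boot/config-$(uname -r)")` is empty, not `0`, when the kernel config file is absent (grep prints an error and no count), and `[ $AF_PACKET_SUPPORT -gt 0 ]` then expands to `[ -gt 0 ]`, a test syntax error rather than a clean false; default it with `AF_PACKET_SUPPORT="${AF_PACKET_SUPPORT:-0}"`, send the grep's stderr to `/dev/null`, and quote both operands in the test. The `if [[ -n "$1" ]]; then source "$1"` branch also lacks the `-r` check that the fallback locations get, so a mistyped path fails with a bash error part-way through. Style: `$(echo "64*1024*1024" | bc)` adds a `bc` dependency for constant arithmetic that `$((64*1024*1024))` does in-shell, and `realpath`/`dirname` are again called directly instead of via `$REALPATH`/`$DIRNAME`.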

View File

@@ -0,0 +1,47 @@
#!/usr/bin/env zeek
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
@load ./extractor_params
global extractor_extract_mode = (getenv("ZEEK_EXTRACTOR_MODE") == "") ? extractor_extract_known : getenv("ZEEK_EXTRACTOR_MODE");
global extractor_max_size = (getenv("EXTRACTED_FILE_MAX_BYTES") == "") ? extractor_max_size_default : to_count(getenv("EXTRACTED_FILE_MAX_BYTES"));
redef FileExtract::prefix = (getenv("ZEEK_EXTRACTOR_PATH") == "") ? "./extract_files/" : getenv("ZEEK_EXTRACTOR_PATH");
event file_sniff(f: fa_file, meta: fa_metadata) {
# extract all files OR
if ((extractor_extract_mode == extractor_extract_all) ||
# we don't know the mime type and we always want to extract unknowns OR
((! meta?$mime_type) && extractor_always_extract_unknown) ||
# we only want to extract knowns and we know the mime type OR
((extractor_extract_mode == extractor_extract_known) && meta?$mime_type) ||
# we only want to extract mime->extension mapped files, we know the mimetype, and the mime type is mapped
((extractor_extract_mode == extractor_extract_mapped) && meta?$mime_type && (meta$mime_type in extractor_mime_to_ext_map))) {
local ext: string = "";
if (! meta?$mime_type)
ext = extractor_mime_to_ext_map["default"];
else if (meta$mime_type in extractor_mime_to_ext_map)
ext = extractor_mime_to_ext_map[meta$mime_type];
else
ext = split_string(meta$mime_type, /\//)[1];
local ftime: time = 0.0;
if (! f?$last_active)
ftime = f$last_active;
else
ftime = network_time();
local uid: string = "unknown";
if (f?$conns)
# todo this is a little hacky, figure out how to do this better
for (cid in f$conns) {
uid = f$conns[cid]$uid;
break;
}
local fname = fmt("%s-%s-%s-%s.%s", f$source, f$id, uid, strftime("%Y%m%d%H%M%S", ftime), ext);
Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname, $extract_limit=extractor_max_size]);
}
}
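Review bot: the timestamp check `if (! f?$last_active) ftime = f$last_active; else ftime = network_time();` is inverted: it reads `f$last_active` only when the field is absent (which would raise a runtime error for an unset optional field) and falls back to `network_time()` when it is present; with the stock `fa_file` record, where `last_active` is always set, the first branch is dead and every filename uses `network_time()`. It should be `if (f?$last_active)`. Two edge cases worth guarding as well: `split_string(meta$mime_type, /\//)[1]` assumes the MIME type contains a `/`, and `to_count(getenv("EXTRACTED_FILE_MAX_BYTES"))` assumes the variable is numeric; a malformed value in either aborts the handler at runtime instead of using a default. Since `ext` is derived from the peer-supplied MIME subtype, falling back to `extractor_mime_to_ext_map["default"]` when the subtype is missing keeps the mapping table as the authoritative path.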

View File

@@ -0,0 +1,939 @@
#!/usr/bin/env zeek
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
export {
const extractor_extract_none = "none" &redef;
const extractor_extract_known = "known" &redef;
const extractor_extract_mapped = "mapped" &redef;
const extractor_extract_all = "all" &redef;
const extractor_always_extract_unknown = F &redef;
const extractor_max_size_default = 268435456 &redef;
# wget -qO- http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types | egrep -v ^# | awk '{ for (i=2; i<=NF; i++) {print "[\x22"$1"\x22]"" = ""\x22"$i"\x22,"}}' | sort
const extractor_mime_to_ext_map : table[string] of string = {
["application/acad"]= "dwg",
["application/andrew-inset"]= "ez",
["application/annodex"]= "anx",
["application/applixware"]= "aw",
["application/atom+xml"]= "atom",
["application/atomcat+xml"]= "atomcat",
["application/atomsvc+xml"]= "atomsvc",
["application/binary"]= "bin",
["application/ccxml+xml"]= "ccxml",
["application/cdmi-capability"]= "cdmia",
["application/cdmi-container"]= "cdmic",
["application/cdmi-domain"]= "cdmid",
["application/cdmi-object"]= "cdmio",
["application/cdmi-queue"]= "cdmiq",
["application/cu-seeme"]= "cu",
["application/davmount+xml"]= "davmount",
["application/directx"]= "x",
["application/docbook+xml"]= "dbk",
["application/dssc+der"]= "dssc",
["application/dssc+xml"]= "xdssc",
["application/ecmascript"]= "es",
["application/emma+xml"]= "emma",
["application/envoy"]= "evy",
["application/epub+zip"]= "epub",
["application/etl"]= "etl",
["application/exi"]= "exi",
["application/font-sfnt"]= "ttf",
["application/fractals"]= "fif",
["application/fsharp-script"]= "fsscript",
["application/futuresplash"]= "spl",
["application/gml+xml"]= "gml",
["application/gpx+xml"]= "gpx",
["application/gxf"]= "gxf",
["application/hta"]= "hta",
["application/hyperstudio"]= "stk",
["application/inkml+xml"]= "inkml",
["application/internet-property-stream"]= "acx",
["application/ipfix"]= "ipfix",
["application/java-archive"]= "jar",
["application/java-serialized-object"]= "ser",
["application/java-vm"]= "class",
["application/javascript"]= "js",
["application/json"]= "json",
["application/jsonml+json"]= "jsonml",
["application/liquidmotion"]= "jck",
["application/lost+xml"]= "lostxml",
["application/mac-binhex40"]= "hqx",
["application/mac-compactpro"]= "cpt",
["application/mads+xml"]= "mads",
["application/marc"]= "mrc",
["application/marcxml+xml"]= "mrcx",
["application/mathematica"]= "ma",
["application/mathml+xml"]= "mathml",
["application/mbox"]= "mbox",
["application/mediaservercontrol+xml"]= "mscml",
["application/metalink+xml"]= "metalink",
["application/metalink4+xml"]= "meta4",
["application/mets+xml"]= "mets",
["application/mods+xml"]= "mods",
["application/mp21"]= "mp21",
["application/mp4"]= "mp4s",
["application/mpeg"]= "amc",
["application/ms-vsi"]= "vsi",
["application/msaccess"]= "accdb",
["application/msaccess.addin"]= "accda",
["application/msaccess.cab"]= "accdc",
["application/msaccess.ftemplate"]= "accft",
["application/msaccess.runtime"]= "accdr",
["application/msaccess.webapplication"]= "accdw",
["application/msexcel"]= "xls",
["application/mspowerpoint"]= "ppt",
["application/msword"]= "doc",
["application/mxf"]= "mxf",
["application/octet-stream"]= "bin",
["application/oda"]= "oda",
["application/oebps-package+xml"]= "opf",
["application/ogg"]= "ogx",
["application/olescript"]= "axs",
["application/omdoc+xml"]= "omdoc",
["application/onenote"]= "one",
["application/opensearchdescription+xml"]= "osdx",
["application/oxps"]= "oxps",
["application/patch-ops-error+xml"]= "xer",
["application/pdf"]= "pdf",
["application/pgp-encrypted"]= "pgp",
["application/pgp-signature"]= "pgp",
["application/pics-rules"]= "prf",
["application/pkcs10"]= "p10",
["application/pkcs7-mime"]= "p7c",
["application/pkcs7-signature"]= "p7s",
["application/pkcs8"]= "p8",
["application/pkix-attr-cert"]= "ac",
["application/pkix-cert"]= "cer",
["application/pkix-crl"]= "crl",
["application/pkix-pkipath"]= "pkipath",
["application/pkixcmp"]= "pki",
["application/pls+xml"]= "pls",
["application/postscript"]= "ps",
["application/PowerShell"]= "psc1",
["application/prs.cww"]= "cww",
["application/pskc+xml"]= "pskcxml",
["application/rat-file"]= "rat",
["application/rdf+xml"]= "rdf",
["application/reginfo+xml"]= "rif",
["application/relax-ng-compact-syntax"]= "rnc",
["application/resource-lists+xml"]= "rl",
["application/resource-lists-diff+xml"]= "rld",
["application/rls-services+xml"]= "rs",
["application/rpki-ghostbusters"]= "gbr",
["application/rpki-manifest"]= "mft",
["application/rpki-roa"]= "roa",
["application/rsd+xml"]= "rsd",
["application/rss+xml"]= "rss",
["application/rtf"]= "rtf",
["application/sbml+xml"]= "sbml",
["application/scvp-cv-request"]= "scq",
["application/scvp-cv-response"]= "scs",
["application/scvp-vp-request"]= "spq",
["application/scvp-vp-response"]= "spp",
["application/sdp"]= "sdp",
["application/set-payment-initiation"]= "setpay",
["application/set-registration-initiation"]= "setreg",
["application/shf+xml"]= "shf",
["application/smil+xml"]= "smil",
["application/sparql-query"]= "rq",
["application/sparql-results+xml"]= "srx",
["application/srgs"]= "gram",
["application/srgs+xml"]= "grxml",
["application/sru+xml"]= "sru",
["application/ssdl+xml"]= "ssdl",
["application/ssml+xml"]= "ssml",
["application/step"]= "step",
["application/streamingmedia"]= "ssm",
["application/tei+xml"]= "tei",
["application/thraud+xml"]= "tfi",
["application/timestamped-data"]= "tsd",
["application/vnd.3gpp.pic-bw-large"]= "plb",
["application/vnd.3gpp.pic-bw-small"]= "psb",
["application/vnd.3gpp.pic-bw-var"]= "pvb",
["application/vnd.3gpp2.tcap"]= "tcap",
["application/vnd.3m.post-it-notes"]= "pwn",
["application/vnd.accpac.simply.aso"]= "aso",
["application/vnd.accpac.simply.imp"]= "imp",
["application/vnd.acucobol"]= "acu",
["application/vnd.acucorp"]= "acutc",
["application/vnd.adobe.air-application-installer-package+zip"]= "air",
["application/vnd.adobe.formscentral.fcdt"]= "fcdt",
["application/vnd.adobe.fxp"]= "fxp",
["application/vnd.adobe.xdp+xml"]= "xdp",
["application/vnd.adobe.xfdf"]= "xfdf",
["application/vnd.ahead.space"]= "ahead",
["application/vnd.airzip.filesecure.azf"]= "azf",
["application/vnd.airzip.filesecure.azs"]= "azs",
["application/vnd.amazon.ebook"]= "azw",
["application/vnd.americandynamics.acc"]= "acc",
["application/vnd.amiga.ami"]= "ami",
["application/vnd.android.package-archive"]= "apk",
["application/vnd.anser-web-certificate-issue-initiation"]= "cii",
["application/vnd.anser-web-funds-transfer-initiation"]= "fti",
["application/vnd.antix.game-component"]= "atx",
["application/vnd.apple.installer+xml"]= "mpkg",
["application/vnd.apple.mpegurl"]= "m3u8",
["application/vnd.aristanetworks.swi"]= "swi",
["application/vnd.astraea-software.iota"]= "iota",
["application/vnd.audiograph"]= "aep",
["application/vnd.blueice.multipass"]= "mpm",
["application/vnd.bmi"]= "bmi",
["application/vnd.businessobjects"]= "rep",
["application/vnd.chemdraw+xml"]= "cdxml",
["application/vnd.chipnuts.karaoke-mmd"]= "mmd",
["application/vnd.cinderella"]= "cdy",
["application/vnd.claymore"]= "cla",
["application/vnd.cloanto.rp9"]= "rp9",
["application/vnd.clonk.c4group"]= "c4g",
["application/vnd.cluetrust.cartomobile-config"]= "c11amc",
["application/vnd.cluetrust.cartomobile-config-pkg"]= "c11amz",
["application/vnd.commonspace"]= "csp",
["application/vnd.contact.cmsg"]= "cdbcmsg",
["application/vnd.cosmocaller"]= "cmc",
["application/vnd.crick.clicker"]= "clkx",
["application/vnd.crick.clicker.keyboard"]= "clkk",
["application/vnd.crick.clicker.palette"]= "clkp",
["application/vnd.crick.clicker.template"]= "clkt",
["application/vnd.crick.clicker.wordbank"]= "clkw",
["application/vnd.criticaltools.wbs+xml"]= "wbs",
["application/vnd.ctc-posml"]= "pml",
["application/vnd.cups-ppd"]= "ppd",
["application/vnd.curl.car"]= "car",
["application/vnd.curl.pcurl"]= "pcurl",
["application/vnd.dart"]= "dart",
["application/vnd.data-vision.rdz"]= "rdz",
["application/vnd.dece.data"]= "uvd",
["application/vnd.dece.ttml+xml"]= "uvt",
["application/vnd.dece.unspecified"]= "uvx",
["application/vnd.dece.zip"]= "uvz",
["application/vnd.denovo.fcselayout-link"]= "fe_launch",
["application/vnd.dna"]= "dna",
["application/vnd.dolby.mlp"]= "mlp",
["application/vnd.dpgraph"]= "dpg",
["application/vnd.dreamfactory"]= "dfac",
["application/vnd.ds-keypoint"]= "kpxx",
["application/vnd.dvb.ait"]= "ait",
["application/vnd.dvb.service"]= "svc",
["application/vnd.dynageo"]= "geo",
["application/vnd.ecowin.chart"]= "mag",
["application/vnd.enliven"]= "nml",
["application/vnd.epson.esf"]= "esf",
["application/vnd.epson.msf"]= "msf",
["application/vnd.epson.quickanime"]= "qam",
["application/vnd.epson.salt"]= "slt",
["application/vnd.epson.ssf"]= "ssf",
["application/vnd.eszigno3+xml"]= "es3",
["application/vnd.ezpix-album"]= "ez2",
["application/vnd.ezpix-package"]= "ez3",
["application/vnd.fdf"]= "fdf",
["application/vnd.fdsn.mseed"]= "mseed",
["application/vnd.fdsn.seed"]= "seed",
["application/vnd.flographit"]= "gph",
["application/vnd.fluxtime.clip"]= "ftc",
["application/vnd.framemaker"]= "fm",
["application/vnd.frogans.fnc"]= "fnc",
["application/vnd.frogans.ltf"]= "ltf",
["application/vnd.fsc.weblaunch"]= "fsc",
["application/vnd.fujitsu.oasys"]= "oas",
["application/vnd.fujitsu.oasys2"]= "oa2",
["application/vnd.fujitsu.oasys3"]= "oa3",
["application/vnd.fujitsu.oasysgp"]= "fg5",
["application/vnd.fujitsu.oasysprs"]= "bh2",
["application/vnd.fujixerox.ddd"]= "ddd",
["application/vnd.fujixerox.docuworks"]= "xdw",
["application/vnd.fujixerox.docuworks.binder"]= "xbd",
["application/vnd.fuzzysheet"]= "fzs",
["application/vnd.genomatix.tuxedo"]= "txd",
["application/vnd.geogebra.file"]= "ggb",
["application/vnd.geogebra.tool"]= "ggt",
["application/vnd.geometry-explorer"]= "gex",
["application/vnd.geonext"]= "gxt",
["application/vnd.geoplan"]= "g2w",
["application/vnd.geospace"]= "g3w",
["application/vnd.gmx"]= "gmx",
["application/vnd.google-earth.kml+xml"]= "kml",
["application/vnd.google-earth.kmz"]= "kmz",
["application/vnd.grafeq"]= "gqf",
["application/vnd.groove-account"]= "gac",
["application/vnd.groove-help"]= "ghf",
["application/vnd.groove-identity-message"]= "gim",
["application/vnd.groove-injector"]= "grv",
["application/vnd.groove-tool-message"]= "gtm",
["application/vnd.groove-tool-template"]= "tpl",
["application/vnd.groove-vcard"]= "vcg",
["application/vnd.hal+xml"]= "hal",
["application/vnd.handheld-entertainment+xml"]= "zmm",
["application/vnd.hbci"]= "hbci",
["application/vnd.hhe.lesson-player"]= "les",
["application/vnd.hp-hpgl"]= "hpgl",
["application/vnd.hp-hpid"]= "hpid",
["application/vnd.hp-hps"]= "hps",
["application/vnd.hp-jlyt"]= "jlt",
["application/vnd.hp-pcl"]= "pcl",
["application/vnd.hp-pclxl"]= "pclxl",
["application/vnd.hydrostatix.sof-data"]= "sfd-hdstx",
["application/vnd.ibm.minipay"]= "mpy",
["application/vnd.ibm.modcap"]= "afp",
["application/vnd.ibm.rights-management"]= "irm",
["application/vnd.ibm.secure-container"]= "sc",
["application/vnd.iccprofile"]= "icc",
["application/vnd.igloader"]= "igl",
["application/vnd.immervision-ivp"]= "ivp",
["application/vnd.immervision-ivu"]= "ivu",
["application/vnd.insors.igm"]= "igm",
["application/vnd.intercon.formnet"]= "xpw",
["application/vnd.intergeo"]= "i2g",
["application/vnd.intu.qbo"]= "qbo",
["application/vnd.intu.qfx"]= "qfx",
["application/vnd.ipunplugged.rcprofile"]= "rcprofile",
["application/vnd.irepository.package+xml"]= "irp",
["application/vnd.is-xpr"]= "xpr",
["application/vnd.isac.fcs"]= "fcs",
["application/vnd.jam"]= "jam",
["application/vnd.jcp.javame.midlet-rms"]= "rms",
["application/vnd.jisp"]= "jisp",
["application/vnd.joost.joda-archive"]= "joda",
["application/vnd.kahootz"]= "ktz",
["application/vnd.kde.karbon"]= "karbon",
["application/vnd.kde.kchart"]= "chrt",
["application/vnd.kde.kformula"]= "kfo",
["application/vnd.kde.kivio"]= "flw",
["application/vnd.kde.kontour"]= "kon",
["application/vnd.kde.kpresenter"]= "kpt",
["application/vnd.kde.kspread"]= "ksp",
["application/vnd.kde.kword"]= "kwd",
["application/vnd.kenameaapp"]= "htke",
["application/vnd.kidspiration"]= "kia",
["application/vnd.kinar"]= "kne",
["application/vnd.koan"]= "skd",
["application/vnd.kodak-descriptor"]= "sse",
["application/vnd.las.las+xml"]= "lasxml",
["application/vnd.llamagraphics.life-balance.desktop"]= "lbd",
["application/vnd.llamagraphics.life-balance.exchange+xml"]= "lbe",
["application/vnd.lotus-1-2-3"]= "123",
["application/vnd.lotus-approach"]= "apr",
["application/vnd.lotus-freelance"]= "pre",
["application/vnd.lotus-notes"]= "nsf",
["application/vnd.lotus-organizer"]= "org",
["application/vnd.lotus-screencam"]= "scm",
["application/vnd.lotus-wordpro"]= "lwp",
["application/vnd.macports.portpkg"]= "portpkg",
["application/vnd.mcd"]= "mcd",
["application/vnd.medcalcdata"]= "mc1",
["application/vnd.mediastation.cdkey"]= "cdkey",
["application/vnd.mfer"]= "mwf",
["application/vnd.mfmp"]= "mfm",
["application/vnd.micrografx.flo"]= "flo",
["application/vnd.micrografx.igx"]= "igx",
["application/vnd.microsoft.portable-executable"]= "exe",
["application/vnd.mif"]= "mif",
["application/vnd.mobius.daf"]= "daf",
["application/vnd.mobius.dis"]= "dis",
["application/vnd.mobius.mbk"]= "mbk",
["application/vnd.mobius.mqy"]= "mqy",
["application/vnd.mobius.msl"]= "msl",
["application/vnd.mobius.plc"]= "plc",
["application/vnd.mobius.txf"]= "txf",
["application/vnd.mophun.application"]= "mpn",
["application/vnd.mophun.certificate"]= "mpc",
["application/vnd.mozilla.xul+xml"]= "xul",
["application/vnd.ms-artgalry"]= "cil",
["application/vnd.ms-cab-compressed"]= "cab",
["application/vnd.ms-excel"]= "xls",
["application/vnd.ms-excel.addin.macroEnabled.12"]= "xlam",
["application/vnd.ms-excel.addin.macroenabled.12"]= "xlam",
["application/vnd.ms-excel.sheet.binary.macroEnabled.12"]= "xlsb",
["application/vnd.ms-excel.sheet.binary.macroenabled.12"]= "xlsb",
["application/vnd.ms-excel.sheet.macroEnabled.12"]= "xlsm",
["application/vnd.ms-excel.sheet.macroenabled.12"]= "xlsm",
["application/vnd.ms-excel.template.macroEnabled.12"]= "xltm",
["application/vnd.ms-excel.template.macroenabled.12"]= "xltm",
["application/vnd.ms-fontobject"]= "eot",
["application/vnd.ms-htmlhelp"]= "chm",
["application/vnd.ms-ims"]= "ims",
["application/vnd.ms-lrm"]= "lrm",
["application/vnd.ms-mediapackage"]= "mpf",
["application/vnd.ms-office.calx"]= "calx",
["application/vnd.ms-officetheme"]= "thmx",
["application/vnd.ms-outlook"]= "msg",
["application/vnd.ms-pki.certstore"]= "sst",
["application/vnd.ms-pki.pko"]= "pko",
["application/vnd.ms-pki.seccat"]= "cat",
["application/vnd.ms-pki.stl"]= "stl",
["application/vnd.ms-powerpoint"]= "ppt",
["application/vnd.ms-powerpoint.addin.macroEnabled.12"]= "ppam",
["application/vnd.ms-powerpoint.addin.macroenabled.12"]= "ppam",
["application/vnd.ms-powerpoint.presentation.macroEnabled.12"]= "pptm",
["application/vnd.ms-powerpoint.presentation.macroenabled.12"]= "pptm",
["application/vnd.ms-powerpoint.slide.macroEnabled.12"]= "sldm",
["application/vnd.ms-powerpoint.slide.macroenabled.12"]= "sldm",
["application/vnd.ms-powerpoint.slideshow.macroEnabled.12"]= "ppsm",
["application/vnd.ms-powerpoint.slideshow.macroenabled.12"]= "ppsm",
["application/vnd.ms-powerpoint.template.macroEnabled.12"]= "potm",
["application/vnd.ms-powerpoint.template.macroenabled.12"]= "potm",
["application/vnd.ms-project"]= "mpt",
["application/vnd.ms-visio.viewer"]= "vdx",
["application/vnd.ms-word.document.macroEnabled.12"]= "docm",
["application/vnd.ms-word.document.macroenabled.12"]= "docm",
["application/vnd.ms-word.template.macroEnabled.12"]= "dotm",
["application/vnd.ms-word.template.macroenabled.12"]= "dotm",
["application/vnd.ms-works"]= "wks",
["application/vnd.ms-wpl"]= "wpl",
["application/vnd.ms-xpsdocument"]= "xps",
["application/vnd.mseq"]= "mseq",
["application/vnd.musician"]= "mus",
["application/vnd.muvee.style"]= "msty",
["application/vnd.mynfc"]= "taglet",
["application/vnd.neurolanguage.nlu"]= "nlu",
["application/vnd.nitf"]= "nitf",
["application/vnd.noblenet-directory"]= "nnd",
["application/vnd.noblenet-sealer"]= "nns",
["application/vnd.noblenet-web"]= "nnw",
["application/vnd.nokia.n-gage.data"]= "ngdat",
["application/vnd.nokia.n-gage.symbian.install"]= "n-gage",
["application/vnd.nokia.radio-preset"]= "rpst",
["application/vnd.nokia.radio-presets"]= "rpss",
["application/vnd.novadigm.edm"]= "edm",
["application/vnd.novadigm.edx"]= "edx",
["application/vnd.novadigm.ext"]= "ext",
["application/vnd.oasis.opendocument.chart"]= "odc",
["application/vnd.oasis.opendocument.chart-template"]= "otc",
["application/vnd.oasis.opendocument.database"]= "odb",
["application/vnd.oasis.opendocument.formula"]= "odf",
["application/vnd.oasis.opendocument.formula-template"]= "odft",
["application/vnd.oasis.opendocument.graphics"]= "odg",
["application/vnd.oasis.opendocument.graphics-template"]= "otg",
["application/vnd.oasis.opendocument.image"]= "odi",
["application/vnd.oasis.opendocument.image-template"]= "oti",
["application/vnd.oasis.opendocument.presentation"]= "odp",
["application/vnd.oasis.opendocument.presentation-template"]= "otp",
["application/vnd.oasis.opendocument.spreadsheet"]= "ods",
["application/vnd.oasis.opendocument.spreadsheet-template"]= "ots",
["application/vnd.oasis.opendocument.text"]= "odt",
["application/vnd.oasis.opendocument.text-master"]= "odm",
["application/vnd.oasis.opendocument.text-template"]= "ott",
["application/vnd.oasis.opendocument.text-web"]= "oth",
["application/vnd.olpc-sugar"]= "xo",
["application/vnd.oma.dd2+xml"]= "dd2",
["application/vnd.openofficeorg.extension"]= "oxt",
["application/vnd.openxmlformats-officedocument.presentationml.presentation"]= "pptx",
["application/vnd.openxmlformats-officedocument.presentationml.slide"]= "sldx",
["application/vnd.openxmlformats-officedocument.presentationml.slideshow"]= "ppsx",
["application/vnd.openxmlformats-officedocument.presentationml.template"]= "potx",
["application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"]= "xlsx",
["application/vnd.openxmlformats-officedocument.spreadsheetml.template"]= "xltx",
["application/vnd.openxmlformats-officedocument.wordprocessingml.document"]= "docx",
["application/vnd.openxmlformats-officedocument.wordprocessingml.template"]= "dotx",
["application/vnd.osgeo.mapguide.package"]= "mgp",
["application/vnd.osgi.dp"]= "dp",
["application/vnd.osgi.subsystem"]= "esa",
["application/vnd.palm"]= "pdb",
["application/vnd.pawaafile"]= "paw",
["application/vnd.pg.format"]= "str",
["application/vnd.pg.osasli"]= "ei6",
["application/vnd.picsel"]= "efif",
["application/vnd.pmi.widget"]= "wg",
["application/vnd.pocketlearn"]= "plf",
["application/vnd.powerbuilder6"]= "pbd",
["application/vnd.previewsystems.box"]= "box",
["application/vnd.proteus.magazine"]= "mgz",
["application/vnd.publishare-delta-tree"]= "qps",
["application/vnd.pvi.ptid1"]= "ptid",
["application/vnd.quark.quarkxpress"]= "qxt",
["application/vnd.realvnc.bed"]= "bed",
["application/vnd.recordare.musicxml"]= "mxl",
["application/vnd.recordare.musicxml+xml"]= "musicxml",
["application/vnd.rig.cryptonote"]= "cryptonote",
["application/vnd.rim.cod"]= "cod",
["application/vnd.rn-realmedia"]= "rm",
["application/vnd.rn-realmedia-vbr"]= "rmvb",
["application/vnd.rn-rn_music_package"]= "rmp",
["application/vnd.route66.link66+xml"]= "link66",
["application/vnd.sailingtracker.track"]= "st",
["application/vnd.seemail"]= "see",
["application/vnd.sema"]= "sema",
["application/vnd.semd"]= "semd",
["application/vnd.semf"]= "semf",
["application/vnd.shana.informed.formdata"]= "ifm",
["application/vnd.shana.informed.formtemplate"]= "itp",
["application/vnd.shana.informed.interchange"]= "iif",
["application/vnd.shana.informed.package"]= "ipk",
["application/vnd.simtech-mindmapper"]= "twd",
["application/vnd.smaf"]= "mmf",
["application/vnd.smart.teacher"]= "teacher",
["application/vnd.solent.sdkm+xml"]= "sdkm",
["application/vnd.spotfire.dxp"]= "dxp",
["application/vnd.spotfire.sfs"]= "sfs",
["application/vnd.stardivision.calc"]= "sdc",
["application/vnd.stardivision.draw"]= "sda",
["application/vnd.stardivision.impress"]= "sdd",
["application/vnd.stardivision.math"]= "smf",
["application/vnd.stardivision.writer"]= "sdw",
["application/vnd.stardivision.writer-global"]= "sgl",
["application/vnd.stepmania.package"]= "smzip",
["application/vnd.stepmania.stepchart"]= "sm",
["application/vnd.sun.xml.calc"]= "sxc",
["application/vnd.sun.xml.calc.template"]= "stc",
["application/vnd.sun.xml.draw"]= "sxd",
["application/vnd.sun.xml.draw.template"]= "std",
["application/vnd.sun.xml.impress"]= "sxi",
["application/vnd.sun.xml.impress.template"]= "sti",
["application/vnd.sun.xml.math"]= "sxm",
["application/vnd.sun.xml.writer"]= "sxw",
["application/vnd.sun.xml.writer.global"]= "sxg",
["application/vnd.sun.xml.writer.template"]= "stw",
["application/vnd.sus-calendar"]= "sus",
["application/vnd.svd"]= "svd",
["application/vnd.symbian.install"]= "sis",
["application/vnd.syncml+xml"]= "xsm",
["application/vnd.syncml.dm+wbxml"]= "bdm",
["application/vnd.syncml.dm+xml"]= "xdm",
["application/vnd.tao.intent-module-archive"]= "tao",
["application/vnd.tcpdump.pcap"]= "pcap",
["application/vnd.tmobile-livetv"]= "tmo",
["application/vnd.trid.tpt"]= "tpt",
["application/vnd.triscape.mxs"]= "mxs",
["application/vnd.trueapp"]= "tra",
["application/vnd.ufdl"]= "ufdl",
["application/vnd.uiq.theme"]= "utz",
["application/vnd.umajin"]= "umj",
["application/vnd.unity"]= "unityweb",
["application/vnd.uoml+xml"]= "uoml",
["application/vnd.vcx"]= "vcx",
["application/vnd.visio"]= "vsd",
["application/vnd.visionary"]= "vis",
["application/vnd.vsf"]= "vsf",
["application/vnd.wap.wbxml"]= "wbxml",
["application/vnd.wap.wmlc"]= "wmlc",
["application/vnd.wap.wmlscriptc"]= "wmlsc",
["application/vnd.webturbo"]= "wtb",
["application/vnd.wolfram.player"]= "nbp",
["application/vnd.wordperfect"]= "wpd",
["application/vnd.wqd"]= "wqd",
["application/vnd.wt.stf"]= "stf",
["application/vnd.xara"]= "xar",
["application/vnd.xfdl"]= "xfdl",
["application/vnd.yamaha.hv-dic"]= "hvd",
["application/vnd.yamaha.hv-script"]= "hvs",
["application/vnd.yamaha.hv-voice"]= "hvp",
["application/vnd.yamaha.openscoreformat"]= "osf",
["application/vnd.yamaha.openscoreformat.osfpvg+xml"]= "osfpvg",
["application/vnd.yamaha.smaf-audio"]= "saf",
["application/vnd.yamaha.smaf-phrase"]= "spf",
["application/vnd.yellowriver-custom-menu"]= "cmp",
["application/vnd.zul"]= "zir",
["application/vnd.zzazz.deck+xml"]= "zaz",
["application/voicexml+xml"]= "vxml",
["application/vsix"]= "vsix",
["application/wasm"]= "wasm",
["application/widget"]= "wgt",
["application/windows-library+xml"]= "library-ms",
["application/windows-search-connector+xml"]= "searchConnector-ms",
["application/winhlp"]= "hlp",
["application/wlmoviemaker"]= "WLMP",
["application/wsdl+xml"]= "wsdl",
["application/wspolicy+xml"]= "wspolicy",
["application/x-7z-compressed"]= "7z",
["application/x-abiword"]= "abw",
["application/x-ace-compressed"]= "ace",
["application/x-apple-diskimage"]= "dmg",
["application/x-authorware-bin"]= "aab",
["application/x-authorware-map"]= "aam",
["application/x-authorware-seg"]= "aas",
["application/x-bcpio"]= "bcpio",
["application/x-bittorrent"]= "torrent",
["application/x-blorb"]= "blorb",
["application/x-bridge-url"]= "adobebridge",
["application/x-bzip"]= "bz",
["application/x-bzip2"]= "bz2",
["application/x-cbr"]= "cbr",
["application/x-cdlink"]= "vcd",
["application/x-cfs-compressed"]= "cfs",
["application/x-chat"]= "chat",
["application/x-chess-pgn"]= "pgn",
["application/x-compress"]= "z",
["application/x-compressed"]= "tgz",
["application/x-conference"]= "nsc",
["application/x-cpio"]= "cpio",
["application/x-csh"]= "csh",
["application/x-debian-package"]= "deb",
["application/x-dgc-compressed"]= "dgc",
["application/x-director"]= "dir",
["application/x-doom"]= "wad",
["application/x-dosexec"]= "exe",
["application/x-dtbncx+xml"]= "ncx",
["application/x-dtbook+xml"]= "dtb",
["application/x-dtbresource+xml"]= "res",
["application/x-dvi"]= "dvi",
["application/x-dxf"]= "dxf",
["application/x-elf"]= "elf",
["application/x-envoy"]= "evy",
["application/x-eva"]= "eva",
["application/x-executable"]= "exe",
["application/x-font-bdf"]= "bdf",
["application/x-font-ghostscript"]= "gsf",
["application/x-font-linux-psf"]= "psf",
["application/x-font-pcf"]= "pcf",
["application/x-font-snf"]= "snf",
["application/x-font-type1"]= "pfm",
["application/x-freearc"]= "arc",
["application/x-futuresplash"]= "spl",
["application/x-gca-compressed"]= "gca",
["application/x-glulx"]= "ulx",
["application/x-gnumeric"]= "gnumeric",
["application/x-gramps-xml"]= "gramps",
["application/x-gtar"]= "gtar",
["application/x-gzip"]= "gz",
["application/x-hdf"]= "hdf",
["application/x-install-instructions"]= "install",
["application/x-internet-signup"]= "isp",
["application/x-iphone"]= "iii",
["application/x-iso9660-image"]= "iso",
["application/x-itunes-ipa"]= "ipa",
["application/x-itunes-ipg"]= "ipg",
["application/x-itunes-ipsw"]= "ipsw",
["application/x-itunes-ite"]= "ite",
["application/x-itunes-itlp"]= "itlp",
["application/x-itunes-itms"]= "itms",
["application/x-itunes-itpc"]= "itpc",
["application/x-java-applet"]= "class",
["application/x-java-jnlp-file"]= "jnlp",
["application/x-koan"]= "skp",
["application/x-latex"]= "latex",
["application/x-lzh-compressed"]= "lzh",
["application/x-mie"]= "mie",
["application/x-miva-compiled"]= "mvc",
["application/x-mmxp"]= "mxp",
["application/x-mobipocket-ebook"]= "mobi",
["application/x-ms-application"]= "application",
["application/x-ms-installer"]= "msi",
["application/x-ms-license"]= "slupkg-ms",
["application/x-ms-manifest"]= "manifest",
["application/x-ms-reader"]= "lit",
["application/x-ms-shortcut"]= "lnk",
["application/x-ms-vsto"]= "vsto",
["application/x-ms-wmd"]= "wmd",
["application/x-ms-wmz"]= "wmz",
["application/x-ms-xbap"]= "xbap",
["application/x-msaccess"]= "mdb",
["application/x-msbinder"]= "obd",
["application/x-mscardfile"]= "crd",
["application/x-msclip"]= "clp",
["application/x-msdos-program"]= "exe",
["application/x-msdownload"]= "exe",
["application/x-msmediaview"]= "mvb",
["application/x-msmetafile"]= "wmf",
["application/x-msmoney"]= "mny",
["application/x-mspublisher"]= "pub",
["application/x-msschedule"]= "scd",
["application/x-msterminal"]= "trm",
["application/x-mswrite"]= "wri",
["application/x-netcdf"]= "cdf",
["application/x-nzb"]= "nzb",
["application/x-oleobject"]= "hhc",
["application/x-pcapng"]= "pcap",
["application/x-pe-app-32bit-i386"]= "exe",
["application/x-perfmon"]= "pmw",
["application/x-perl"]= "pl",
["application/x-pkcs12"]= "p12",
["application/x-pkcs7-certificates"]= "p7b",
["application/x-pkcs7-certreqresp"]= "p7r",
["application/x-podcast"]= "pcast",
["application/x-python"]= "py",
["application/x-quicktimeplayer"]= "qtl",
["application/x-rar-compressed"]= "rar",
["application/x-research-info-systems"]= "ris",
["application/x-safari-safariextz"]= "safariextz",
["application/x-safari-webarchive"]= "webarchive",
["application/x-sgimb"]= "sgimb",
["application/x-sh"]= "sh",
["application/x-shar"]= "shar",
["application/x-sharedlib"]= "lib",
["application/x-shockwave-flash"]= "swf",
["application/x-silverlight-app"]= "xap",
["application/x-smaf"]= "mmf",
["application/x-sql"]= "sql",
["application/x-stuffit"]= "sit",
["application/x-stuffitx"]= "sitx",
["application/x-subrip"]= "srt",
["application/x-sv4cpio"]= "sv4cpio",
["application/x-sv4crc"]= "sv4crc",
["application/x-t3vm-image"]= "t3",
["application/x-tads"]= "gam",
["application/x-tar"]= "tar",
["application/x-tcl"]= "tcl",
["application/x-tex"]= "tex",
["application/x-tex-tfm"]= "tfm",
["application/x-texinfo"]= "texinfo",
["application/x-tgif"]= "obj",
["application/x-troff"]= "tr",
["application/x-troff-man"]= "man",
["application/x-troff-me"]= "me",
["application/x-troff-ms"]= "ms",
["application/x-ustar"]= "ustar",
["application/x-wais-source"]= "src",
["application/x-wlpg-detect"]= "wlpginstall",
["application/x-wlpg3-detect"]= "wlpginstall3",
["application/x-x509-ca-cert"]= "crt",
["application/x-xfig"]= "fig",
["application/x-xliff+xml"]= "xlf",
["application/x-xpinstall"]= "xpi",
["application/x-xz"]= "xz",
["application/x-zip-compressed"]= "zip",
["application/x-zmachine"]= "z1",
["application/xaml+xml"]= "xaml",
["application/xcap-diff+xml"]= "xdf",
["application/xenc+xml"]= "xenc",
["application/xhtml+xml"]= "xhtml",
["application/xml"]= "xml",
["application/xml-dtd"]= "dtd",
["application/xop+xml"]= "xop",
["application/xproc+xml"]= "xpl",
["application/xslt+xml"]= "xslt",
["application/xspf+xml"]= "xspf",
["application/xv+xml"]= "xvml",
["application/yang"]= "yang",
["application/yin+xml"]= "yin",
["application/zip"]= "zip",
["audio/aac"]= "aac",
["audio/ac3"]= "ac3",
["audio/adpcm"]= "adp",
["audio/aiff"]= "aiff",
["audio/annodex"]= "axa",
["audio/audible"]= "aa",
["audio/basic"]= "au",
["audio/flac"]= "flac",
["audio/m4a"]= "m4a",
["audio/m4b"]= "m4b",
["audio/m4p"]= "m4p",
["audio/mid"]= "midi",
["audio/midi"]= "midi",
["audio/mp4"]= "m4a",
["audio/mpeg"]= "mp3",
["audio/ogg"]= "ogg",
["audio/s3m"]= "s3m",
["audio/scpls"]= "pls",
["audio/silk"]= "sil",
["audio/vnd.audible.aax"]= "aax",
["audio/vnd.dece.audio"]= "uva",
["audio/vnd.digital-winds"]= "eol",
["audio/vnd.dlna.adts"]= "ADT",
["audio/vnd.dra"]= "dra",
["audio/vnd.dts"]= "dts",
["audio/vnd.dts.hd"]= "dtshd",
["audio/vnd.lucent.voice"]= "lvp",
["audio/vnd.ms-playready.media.pya"]= "pya",
["audio/vnd.nuera.ecelp4800"]= "ecelp4800",
["audio/vnd.nuera.ecelp7470"]= "ecelp7470",
["audio/vnd.nuera.ecelp9600"]= "ecelp9600",
["audio/vnd.rip"]= "rip",
["audio/wav"]= "wav",
["audio/webm"]= "weba",
["audio/x-aac"]= "aac",
["audio/x-aiff"]= "aiff",
["audio/x-caf"]= "caf",
["audio/x-flac"]= "flac",
["audio/x-gsm"]= "gsm",
["audio/x-m4a"]= "m4a",
["audio/x-m4r"]= "m4r",
["audio/x-matroska"]= "mka",
["audio/x-mpegurl"]= "m3u",
["audio/x-ms-wax"]= "wax",
["audio/x-ms-wma"]= "wma",
["audio/x-pn-realaudio"]= "ra",
["audio/x-pn-realaudio-plugin"]= "rmp",
["audio/x-sd2"]= "sd2",
["audio/x-smd"]= "smd",
["audio/x-wav"]= "wav",
["audio/xm"]= "xm",
["chemical/x-cdx"]= "cdx",
["chemical/x-cif"]= "cif",
["chemical/x-cmdf"]= "cmdf",
["chemical/x-cml"]= "cml",
["chemical/x-csml"]= "csml",
["chemical/x-xyz"]= "xyz",
["drawing/x-dwf"]= "dwf",
["font/collection"]= "ttc",
["font/otf"]= "otf",
["font/ttf"]= "ttf",
["font/woff"]= "woff",
["font/woff2"]= "woff2",
["image/bmp"]= "bmp",
["image/cgm"]= "cgm",
["image/cis-cod"]= "cod",
["image/g3fax"]= "g3",
["image/gif"]= "gif",
["image/ief"]= "ief",
["image/jpeg"]= "jpg",
["image/ktx"]= "ktx",
["image/pict"]= "pict",
["image/pjpeg"]= "jfif",
["image/png"]= "png",
["image/prs.btif"]= "btif",
["image/sgi"]= "sgi",
["image/svg+xml"]= "svg",
["image/tiff"]= "tiff",
["image/vnd.adobe.photoshop"]= "psd",
["image/vnd.dece.graphic"]= "uvg",
["image/vnd.djvu"]= "djvu",
["image/vnd.dvb.subtitle"]= "sub",
["image/vnd.dwg"]= "dwg",
["image/vnd.dxf"]= "dxf",
["image/vnd.fastbidsheet"]= "fbs",
["image/vnd.fpx"]= "fpx",
["image/vnd.fst"]= "fst",
["image/vnd.fujixerox.edmics-mmr"]= "mmr",
["image/vnd.fujixerox.edmics-rlc"]= "rlc",
["image/vnd.ms-modi"]= "mdi",
["image/vnd.ms-photo"]= "wdp",
["image/vnd.net-fpx"]= "npx",
["image/vnd.rn-realflash"]= "rf",
["image/vnd.wap.wbmp"]= "wbmp",
["image/vnd.xiff"]= "xif",
["image/webp"]= "webp",
["image/x-3ds"]= "3ds",
["image/x-cmu-raster"]= "ras",
["image/x-cmx"]= "cmx",
["image/x-freehand"]= "fh",
["image/x-gif"]= "gif",
["image/x-icon"]= "ico",
["image/x-jg"]= "art",
["image/x-jpeg"]= "jpg",
["image/x-macpaint"]= "mac",
["image/x-mrsid-image"]= "sid",
["image/x-pcx"]= "pcx",
["image/x-pict"]= "pic",
["image/x-png"]= "png",
["image/x-portable-anymap"]= "pnm",
["image/x-portable-bitmap"]= "pbm",
["image/x-portable-graymap"]= "pgm",
["image/x-portable-pixmap"]= "ppm",
["image/x-quicktime"]= "qti",
["image/x-rgb"]= "rgb",
["image/x-tga"]= "tga",
["image/x-xbitmap"]= "xbm",
["image/x-xpixmap"]= "xpm",
["image/x-xwindowdump"]= "xwd",
["message/rfc822"]= "eml",
["model/iges"]= "iges",
["model/mesh"]= "mesh",
["model/vnd.collada+xml"]= "dae",
["model/vnd.dwf"]= "dwf",
["model/vnd.gdl"]= "gdl",
["model/vnd.gtw"]= "gtw",
["model/vnd.mts"]= "mts",
["model/vnd.vtu"]= "vtu",
["model/vrml"]= "vrml",
["model/x3d+binary"]= "x3db",
["model/x3d+vrml"]= "x3dv",
["model/x3d+xml"]= "x3d",
["text/cache-manifest"]= "appcache",
["text/calendar"]= "ics",
["text/css"]= "css",
["text/csv"]= "csv",
["text/dlm"]= "dlm",
["text/h323"]= "323",
["text/html"]= "html",
["text/iuls"]= "uls",
["text/jscript"]= "jsx",
["text/n3"]= "n3",
["text/plain"]= "txt",
["text/prs.lines.tag"]= "dsc",
["text/richtext"]= "rtx",
["text/rtf"]= "rtf",
["text/scriptlet"]= "sct",
["text/sgml"]= "sgml",
["text/tab-separated-values"]= "tsv",
["text/troff"]= "tr",
["text/uri-list"]= "uri",
["text/vbscript"]= "vbs",
["text/vcard"]= "vcard",
["text/vnd.curl"]= "curl",
["text/vnd.curl.dcurl"]= "dcurl",
["text/vnd.curl.mcurl"]= "mcurl",
["text/vnd.curl.scurl"]= "scurl",
["text/vnd.dvb.subtitle"]= "sub",
["text/vnd.fly"]= "fly",
["text/vnd.fmi.flexstor"]= "flx",
["text/vnd.graphviz"]= "gv",
["text/vnd.in3d.3dml"]= "3dml",
["text/vnd.in3d.spot"]= "spot",
["text/vnd.sun.j2me.app-descriptor"]= "jad",
["text/vnd.wap.wml"]= "wml",
["text/vnd.wap.wmlscript"]= "wmls",
["text/vtt"]= "vtt",
["text/webviewhtml"]= "htt",
["text/x-asm"]= "asm",
["text/x-c"]= "c",
["text/x-component"]= "htc",
["text/x-fortran"]= "f",
["text/x-hdml"]= "hdml",
["text/x-html-insertion"]= "qhtm",
["text/x-java-source"]= "java",
["text/x-ms-contact"]= "contact",
["text/x-ms-group"]= "group",
["text/x-ms-iqy"]= "iqy",
["text/x-ms-rqy"]= "rqy",
["text/x-nfo"]= "nfo",
["text/x-opml"]= "opml",
["text/x-pascal"]= "pas",
["text/x-setext"]= "etx",
["text/x-sfv"]= "sfv",
["text/x-uuencode"]= "uu",
["text/x-vcalendar"]= "vcs",
["text/x-vcard"]= "vcf",
["text/xml"]= "xml",
["video/3gpp"]= "3gp",
["video/3gpp2"]= "3g2",
["video/annodex"]= "axv",
["video/divx"]= "divx",
["video/h261"]= "h261",
["video/h263"]= "h263",
["video/h264"]= "h264",
["video/jpeg"]= "jpgv",
["video/jpm"]= "jpm",
["video/mj2"]= "mj2",
["video/mp4"]= "mp4",
["video/mpeg"]= "mpg",
["video/ogg"]= "ogv",
["video/quicktime"]= "mov",
["video/vnd.dece.hd"]= "uvh",
["video/vnd.dece.mobile"]= "uvm",
["video/vnd.dece.pd"]= "uvp",
["video/vnd.dece.sd"]= "uvs",
["video/vnd.dece.video"]= "uvv",
["video/vnd.dlna.mpeg-tts"]= "m2t",
["video/vnd.dvb.file"]= "dvb",
["video/vnd.fvt"]= "fvt",
["video/vnd.mpegurl"]= "m4u",
["video/vnd.ms-playready.media.pyv"]= "pyv",
["video/vnd.uvvu.mp4"]= "uvu",
["video/vnd.vivo"]= "viv",
["video/webm"]= "webm",
["video/x-dv"]= "dv",
["video/x-f4v"]= "f4v",
["video/x-fli"]= "fli",
["video/x-flv"]= "flv",
["video/x-ivf"]= "IVF",
["video/x-la-asf"]= "lsf",
["video/x-m4v"]= "m4v",
["video/x-matroska"]= "mkv",
["video/x-matroska-3d"]= "mk3d",
["video/x-mng"]= "mng",
["video/x-ms-asf"]= "asf",
["video/x-ms-vob"]= "vob",
["video/x-ms-wm"]= "wm",
["video/x-ms-wmp"]= "wmp",
["video/x-ms-wmv"]= "wmv",
["video/x-ms-wmx"]= "wmx",
["video/x-ms-wvx"]= "wvx",
["video/x-msvideo"]= "avi",
["video/x-sgi-movie"]= "movie",
["video/x-smv"]= "smv",
["x-conference/x-cooltalk"]= "ice",
["x-world/x-vrml"]= "wrl"
} &default="bin" &redef;
}
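Review bot: several extension values in this part of the table disagree with the rest of it and will mislabel extracted files. `["application/x-pcapng"]= "pcap"` names pcapng captures as legacy pcap even though `["application/vnd.tcpdump.pcap"]= "pcap"` already covers the real pcap type; `pcapng` would be the honest value. `["application/x-executable"]= "exe"` and `["application/x-sharedlib"]= "lib"` give Linux ELF binaries Windows-style names while `["application/x-elf"]= "elf"` exists a few lines away; pick one convention per binary family so analysts can filter on extension. Three values are upper-case (`"WLMP"`, `"ADT"`, `"IVF"`) and everything else is lower-case; if anything downstream matches extracted-file names case-sensitively, normalise these to lower-case. The `&default="bin"` fallback is the right call, since every unrecognised MIME type still yields a deterministic extension.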

View File

@@ -0,0 +1 @@
SELECTED_EDITOR="/usr/bin/vim.tiny"

View File

@@ -0,0 +1 @@
set nocompatible

View File

@@ -0,0 +1,123 @@
module Best_Guess;
# given an input map file with the following format:
# proto dport sport name category
# (see https://docs.zeek.org/en/master/frameworks/input.html#reading-data-into-tables
# for details on how the table is loaded),
# load up the table on zeek_init and for each connection_state_remove
# make a "best guess" of protocols based on proto+dport+sport.
# Best guesses are written to bestguess according to Best_Guess::Info
# Table key is transport protocol + destination port + source port
# Zeek will segfault if there is an unset value ('-') in the key,
# so use unknown_transport and 0 for protocol and ports, respectively,
# if they are not defined in the lookup.
type Best_Guess_Key: record {
proto: transport_proto &optional;
dport: count &optional;
sport: count &optional;
};
# Other table values include name, category.
type Best_Guess_Value: record {
name: string &optional;
category: string &optional;
};
export {
redef enum Log::ID += { BEST_GUESS_LOG };
#############################################################################
# This is the format of bestguess.log
type Info: record {
# Timestamp for when the event happened.
ts: time &log;
# Unique ID for the connection.
uid: string &log;
# The connection's 4-tuple of endpoint addresses/ports.
id: conn_id &log;
# transport protocol
proto: transport_proto &log &optional;
# protocol guess values for log
name: string &log &optional;
category: string &log &optional;
# originating structure containing guess info
guess_info: Best_Guess_Value &optional;
};
# Event that can be handled to access the record as it is sent on to the logging framework.
global log_best_guess: event(rec: Best_Guess::Info);
}
# lookup table of Best_Guess_Key -> Best_Guess_Value to be loaded in zeek_init
global proto_guesses: table[transport_proto, count, count] of Best_Guess_Value = table();
# filespec containing best guess mappings
global guest_map_filespec : string = @DIR + "/guess_ics_map.txt";
#############################################################################
event zeek_init() &priority=5 {
# populate the lookup table from guest_map_filespec and then clean up the intermediate source
Input::add_table([$source=guest_map_filespec, $name="guess_ics_map",
$idx=Best_Guess_Key, $val=Best_Guess_Value,
$destination=proto_guesses, $want_record=T]);
Input::remove("guess_ics_map");
# initialize bestguess.log
Log::create_stream(Best_Guess::BEST_GUESS_LOG, [$columns=Best_Guess::Info, $ev=log_best_guess, $path="bestguess"]);
}
#############################################################################
event connection_state_remove(c: connection) {
local p = get_port_transport_proto(c$id$resp_p);
local dp = port_to_count(c$id$resp_p);
local sp = port_to_count(c$id$orig_p);
local guess = Best_Guess_Value($name="");
local category: string = "";
# 1. only check connections for which we don't already know "service"
# 2. skip ICMP, since dp and sp don't mean the same thing for ICMP
if (((!c?$service) || (|c$service| == 0)) && (p != icmp)) {
# Look up permutations of transport protocol + destination port + source port
# from more-specific to less-specific.
if ([p, dp, sp] in proto_guesses)
guess = proto_guesses[p, dp, sp];
else if ([p, dp, 0] in proto_guesses)
guess = proto_guesses[p, dp, 0];
else if ([p, 0, sp] in proto_guesses)
guess = proto_guesses[p, 0, sp];
else if ([unknown_transport, dp, sp] in proto_guesses)
guess = proto_guesses[unknown_transport, dp, sp];
else if ([unknown_transport, dp, 0] in proto_guesses)
guess = proto_guesses[unknown_transport, dp, 0];
else if ([unknown_transport, 0, sp] in proto_guesses)
guess = proto_guesses[unknown_transport, 0, sp];
# if a best guess was made based on protocol and ports, log it
if ((guess?$name) && (guess$name != "")) {
# as category may be undefined, check before accessing
if (guess?$category)
category = guess$category;
# log entry into bestguess.log
local info = Best_Guess::Info($ts=network_time(),
$uid=c$uid,
$id=c$id,
$proto=p,
$name=guess$name,
$category=category,
$guess_info=guess);
Log::write(Best_Guess::BEST_GUESS_LOG, info);
} # found guess
} # if (p != icmp)
} # connection_state_remove
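Review bot: `connection_state_remove` guesses a protocol from ports alone without checking that the responder ever answered, so a SYN sweep of tcp/2404 writes one `bestguess.log` entry labelled `IEC 60870-5-104` per probe; consider requiring `c$resp$size > 0` before the table lookup, or log a field that lets consumers separate a completed exchange from an unanswered probe. Two smaller points: the global `guest_map_filespec` is a typo for `guess_map_filespec` (it is spelled that way in the comment and in `Input::add_table` too), and `$category=category` stores an empty string in an `&optional` field rather than leaving it unset, so missing categories appear as `(empty)` instead of `-` in the ASCII log; set `$category` only when `guess?$category`. Finally, the lookup order (`[p, dp, sp]`, then `[p, dp, 0]`, then `[p, 0, sp]`, then the `unknown_transport` variants) means a transport-specific row always shadows a wildcard row for the same port: with the map in the next file, `tcp 5050 0 OASyS SCADA AVEVA` wins for every TCP connection and `unknown_transport 5050 0 Danfoss ECL Apex Danfoss` can only ever match UDP. Document that precedence in the header comment so map maintainers do not expect both rows to apply.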

View File

@@ -0,0 +1,360 @@
#fields proto dport sport name category
unknown_transport 0 2221 Rockwell CSP Rockwell Automation
unknown_transport 0 2222 Rockwell CSP Rockwell Automation
unknown_transport 0 2223 Rockwell CSP Rockwell Automation
unknown_transport 0 5007 Mitsubishi Electronic MELSEC-Q SLAVE Mitsubishi Electric
unknown_transport 0 5413 Wonderware AVEVA
unknown_transport 0 5891 Intelligent Instrumentation EDAS Intelligent Instrumentation
unknown_transport 0 7022 CT Discovery Protocol CTDP -
unknown_transport 0 7200 Fiber Optics Data Multiplexing Services FLIP -
unknown_transport 0 7201 DLIP -
tcp 0 7700 Rockwell FactoryTalk Event Server Rockwell Automation
unknown_transport 0 7710 Rockwell FactoryTalk Directory Server Rockwell Automation
unknown_transport 0 7720 Rockwell RSViewSE Rockwell Automation
unknown_transport 0 7721 Rockwell RSViewSE Rockwell Automation
unknown_transport 0 7722 Rockwell RSViewSE HMI Activation Rockwell Automation
unknown_transport 0 9212 Server View DBMS Access -
unknown_transport 0 9213 ServerStart RemoteControl -
unknown_transport 0 23400 Novar Data Honeywell
unknown_transport 0 23401 Novar Alarm Honeywell
unknown_transport 0 23402 Novar Global Honeywell
unknown_transport 0 34963 PROFInet RT Multicast PROFIBUS and PROFINET
unknown_transport 0 34964 PROFInet Context Manager PROFIBUS and PROFINET
unknown_transport 0 44818 Rockwell Encapsulation Rockwell Automation
unknown_transport 210 0 ANSI Z39.50 -
tcp 400 0 Rockwell RSSql Transaction Manager Rockwell Automation
tcp 401 0 Rockwell RSSql Compression Server Rockwell Automation
tcp 402 0 Rockwell RSSql Configuration Server Rockwell Automation
unknown_transport 500 0 Fatek FB Series FATEK Automation
unknown_transport 554 0 RTP RTSP Streaming Protocol -
unknown_transport 789 0 Red Lion CrimsonV3 Red Lion
unknown_transport 1025 0 Mitsubishi Electronic FX Mitsubishi Electric
unknown_transport 1089 0 Rockwell Foundation Fieldbus Rockwell Automation
unknown_transport 1090 0 Rockwell Foundation Fieldbus Rockwell Automation
unknown_transport 1091 0 Rockwell Foundation Fieldbus Rockwell Automation
tcp 1132 0 Rockwell AADvance Rockwell Automation
unknown_transport 1153 0 ANSI C12.22 -
tcp 1200 0 CodeSys Gateway Server CODESYS
tcp 1330 0 Rockwell FactoryTalk Object RPC Rockwell Automation
tcp 1331 0 Rockwell FactoryTalk Service Control Rockwell Automation
tcp 1332 0 Rockwell FactoryTalk Server Health Rockwell Automation
tcp 1433 0 Rockwell FactoryTalk Asset Centre Server/VantagePoint SQL Rockwell Automation
tcp 1434 0 Rockwell FactoryTalk Asset Centre Server/VantagePoint MSSQL Rockwell Automation
unknown_transport 1541 0 Foxboro/Invensys Foxboro DCS Informix Schneider Electric
unknown_transport 1962 0 Phoenix Contact PC WORX Engineering Workstation PHOENIX CONTACT
unknown_transport 2004 0 LS FEnet LS Electric
udp 2010 0 Rockwell AADvance Discover Tool Rockwell Automation
udp 2011 0 Rockwell AADvance Discover Tool Rockwell Automation
unknown_transport 2085 0 ADA Control ADA-CIP -
unknown_transport 2198 0 OneHome Remote Access -
unknown_transport 2199 0 OneHome Service Port -
unknown_transport 2221 0 Rockwell CSP Rockwell Automation
unknown_transport 2222 0 Rockwell CSP Rockwell Automation
unknown_transport 2223 0 Rockwell CSP Rockwell Automation
tcp 2393 0 OLAP Microsoft
tcp 2394 0 OLAP Microsoft
unknown_transport 2404 0 IEC 60870-5-104 -
unknown_transport 2423 0 RNRP Redundant Network Routing ABB
tcp 2455 0 CodeSys Gateway Server CODESYS
unknown_transport 2540 0 LonWorks LonWorks
unknown_transport 2541 0 LonWorks LonWorks
unknown_transport 2729 0 TCIM Control -
unknown_transport 2757 0 CNRP Common Name Resolution Protocol -
unknown_transport 2846 0 AIMPP Hello -
unknown_transport 2847 0 AIMPP Port Req -
unknown_transport 3004 0 Hitachi EHV Series Hitachi
unknown_transport 3060 0 Rockwell FactoryTalk Directory Server File Transfer Rockwell Automation
unknown_transport 3240 0 Trio Motion Control Trio Motion Technology
unknown_transport 3250 0 HMS HICP Port HMC HMS Networks
unknown_transport 3338 0 OMF Data B ANET-B -
unknown_transport 3340 0 OMF Data M ANET-M -
unknown_transport 3341 0 OMF Data H ANET-H -
tcp 102 0 ICCP -
tcp 3480 0 OPC UA Discovery -
unknown_transport 3614 0 Schleicher Satchwell Sigma Schleicher Electronic
unknown_transport 3622 0 Rockwell FF LAN Redundancy Port Rockwell Automation
unknown_transport 3639 0 xAP Home Automation -
unknown_transport 3743 0 IP Control Systems Ltd ICS Command IP Control Systems Ltd
unknown_transport 3794 0 JAUS Robots -
unknown_transport 3820 0 Siemens AuD SCP Siemens AG
unknown_transport 3848 0 IT Environmental Monitor -
unknown_transport 3873 0 Fagor DNC Fagor Automation
unknown_transport 3875 0 PNBSCADA -
unknown_transport 3881 0 Intelligent Data Acquisition and Control IDAC -
unknown_transport 4000 0 Fisher ROC Plus Emerson Electric
tcp 4120 0 Rockwell Bizware Production Server Rockwell Automation
tcp 4121 0 Rockwell Bizware Server Manager Rockwell Automation
tcp 4122 0 Rockwell Bizware PlantMetrics Server Rockwell Automation
tcp 4123 0 Rockwell Bizware Task Manager Rockwell Automation
tcp 4124 0 Rockwell Bizware Scheduler Rockwell Automation
tcp 4125 0 Rockwell Bizware CTP Server Rockwell Automation
unknown_transport 4450 0 Common ASCII Message Protocol CAMP -
unknown_transport 4451 0 CTI System Message -
unknown_transport 4452 0 CTI Program Load -
unknown_transport 4999 0 Mitsubishi Electronic MELSEC-Q Mitsubishi Electric
udp 5000 0 Rockwell AADvance Peer to P2P Rockwell Automation
unknown_transport 5001 0 Mitsubishi Electronic FX3u Mitsubishi Electric
unknown_transport 5004 0 RTP Time Transport -
unknown_transport 5006 0 Mitsubishi Electronic MELSEC-Q MASTER Mitsubishi Electric
unknown_transport 5007 0 Mitsubishi Electronic MELSEC-Q MASTER Mitsubishi Electric
tcp 5050 0 OASyS SCADA AVEVA
unknown_transport 5050 0 Danfoss ECL Apex Danfoss
tcp 5051 0 OASyS SCADA AVEVA
tcp 5052 0 OASyS SCADA AVEVA
tcp 5065 0 OASyS SCADA AVEVA
unknown_transport 5069 0 I/NET 2000-NPR Control Systems International
unknown_transport 5413 0 Wonderware AVEVA
tcp 5450 0 Rockwell FactoryTalk PI Network Manager Rockwell Automation
tcp 5454 0 Rockwell FactoryTalk Analysis Framework Rockwell Automation
tcp 5455 0 Rockwell FactoryTalk Analysis Framework Rockwell Automation
tcp 5456 0 Rockwell FactoryTalk ACE2 Scheduler Rockwell Automation
tcp 5457 0 Rockwell FactoryTalk Asset Framework Server Rockwell Automation
tcp 5458 0 Rockwell FactoryTalk PI Notification Rockwell Automation
tcp 6543 0 Rockwell FactoryTalk Alarming Server Rockwell Automation
tcp 7002 0 Rockwell FactoryTalk Asset Centre Services Rockwell Automation
tcp 7003 0 Rockwell FactoryTalk Asset Centre Services Rockwell Automation
tcp 7004 0 Rockwell FactoryTalk Asset Centre Services Rockwell Automation
unknown_transport 7022 0 CT Discovery Protocol -
unknown_transport 7201 0 DLIP -
tcp 7600 0 Rockwell FactoryTalk Event Multiplexor Rockwell Automation
tcp 7710 0 Rockwell FactoryTalk Directory Server Rockwell Automation
tcp 8081 0 Rockwell Bizware HTTP Server Manager Rockwell Automation
tcp 8083 0 Rockwell Bizware HTTP CTP Server Rockwell Automation
unknown_transport 8500 0 Panasonic FP2 Panasonic
unknown_transport 8501 0 Keyence KV-5000 Keyence
unknown_transport 9094 0 Panasonic FP Panasonic
unknown_transport 9600 0 Omron Factory Interface Network Service OMRON
tcp 10001 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10002 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10003 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10004 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10005 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10006 0 Rockwell AADvance Serial Data Rockwell Automation
tcp 10307 0 ABB Ranger ABB
tcp 10311 0 ABB Ranger ABB
tcp 10364 0 ABB Ranger ABB
tcp 10365 0 ABB Ranger ABB
tcp 10407 0 ABB Ranger ABB
tcp 10409 0 ABB Ranger ABB
tcp 10410 0 ABB Ranger ABB
tcp 10412 0 ABB Ranger ABB
tcp 10414 0 ABB Ranger ABB
tcp 10415 0 ABB Ranger ABB
tcp 10428 0 ABB Ranger ABB
tcp 10431 0 ABB Ranger ABB
tcp 10432 0 ABB Ranger ABB
tcp 10447 0 ABB Ranger ABB
tcp 10449 0 ABB Ranger ABB
tcp 10450 0 ABB Ranger ABB
unknown_transport 11001 0 Metasys N1 Johnson Controls
tcp 12135 0 OASyS SCADA AVEVA
tcp 12136 0 OASyS SCADA AVEVA
tcp 12137 0 OASyS SCADA AVEVA
tcp 12316 0 ABB Ranger ABB
tcp 12645 0 ABB Ranger ABB
tcp 12647 0 ABB Ranger ABB
tcp 12648 0 ABB Ranger ABB
tcp 13722 0 ABB Ranger ABB
tcp 13724 0 ABB Ranger ABB
tcp 13782 0 ABB Ranger ABB
tcp 13783 0 ABB Ranger ABB
tcp 18000 0 Genesis32 GenBroker ICONICS
unknown_transport 20256 0 Unitronics Socket 1 Unitronics
unknown_transport 20257 0 Unitronics Socket 2/3 Unitronics
unknown_transport 20547 0 ProconOS KW Software
tcp 27000 0 Rockwell FlexLM Server Rockwell Automation
tcp 27001 0 Rockwell FlexLM Server Rockwell Automation
tcp 27002 0 Rockwell FlexLM Server Rockwell Automation
tcp 27003 0 Rockwell FlexLM Server Rockwell Automation
tcp 27004 0 Rockwell FlexLM Server Rockwell Automation
tcp 27005 0 Rockwell FlexLM Server Rockwell Automation
tcp 27006 0 Rockwell FlexLM Server Rockwell Automation
tcp 27007 0 Rockwell FlexLM Server Rockwell Automation
tcp 27008 0 Rockwell FlexLM Server Rockwell Automation
tcp 27009 0 Rockwell FlexLM Server Rockwell Automation
unknown_transport 28784 0 Koyo Ethernet -
unknown_transport 34962 0 PROFInet RT Unicast PROFIBUS and PROFINET
tcp 38000 0 GENe SNC
tcp 38001 0 GENe SNC
tcp 38011 0 GENe SNC
tcp 38012 0 GENe SNC
tcp 38014 0 GENe SNC
tcp 38015 0 GENe SNC
tcp 38200 0 GENe SNC
tcp 38210 0 GENe SNC
tcp 38301 0 GENe SNC
tcp 38400 0 GENe SNC
tcp 38589 0 ABB Ranger ABB
tcp 38593 0 ABB Ranger ABB
tcp 38600 0 ABB Ranger ABB
tcp 38700 0 GENe SNC
tcp 38971 0 ABB Ranger ABB
tcp 39129 0 ABB Ranger ABB
tcp 39278 0 ABB Ranger ABB
unknown_transport 44818 0 Rockwell Encapsulation Rockwell Automation
unknown_transport 45678 0 Foxboro/Invensys Foxboro DCS AIMAPI Schneider Electric
tcp 49281 0 Rockwell FactoryTalk Live Data/SE HMI Tag Server Rockwell Automation
tcp 50001 0 Siemens Spectrum Power TG Siemens AG
tcp 50002 0 Siemens Spectrum Power TG Siemens AG
tcp 50003 0 Siemens Spectrum Power TG Siemens AG
tcp 50004 0 Siemens Spectrum Power TG Siemens AG
tcp 50005 0 Siemens Spectrum Power TG Siemens AG
tcp 50006 0 Siemens Spectrum Power TG Siemens AG
tcp 50007 0 Siemens Spectrum Power TG Siemens AG
tcp 50008 0 Siemens Spectrum Power TG Siemens AG
tcp 50009 0 Siemens Spectrum Power TG Siemens AG
tcp 50010 0 Siemens Spectrum Power TG Siemens AG
tcp 50011 0 Siemens Spectrum Power TG Siemens AG
tcp 50012 0 Siemens Spectrum Power TG Siemens AG
tcp 50013 0 Siemens Spectrum Power TG Siemens AG
tcp 50014 0 Siemens Spectrum Power TG Siemens AG
tcp 50015 0 Siemens Spectrum Power TG Siemens AG
tcp 50016 0 Siemens Spectrum Power TG Siemens AG
tcp 50018 0 Siemens Spectrum Power TG Siemens AG
tcp 50019 0 Siemens Spectrum Power TG Siemens AG
tcp 50020 0 Siemens Spectrum Power TG Siemens AG
tcp 50021 0 Siemens Spectrum Power TG Siemens AG
tcp 50025 0 Siemens Spectrum Power TG Siemens AG
tcp 50026 0 Siemens Spectrum Power TG Siemens AG
tcp 50027 0 Siemens Spectrum Power TG Siemens AG
tcp 50028 0 Siemens Spectrum Power TG Siemens AG
tcp 50110 0 Siemens Spectrum Power TG Siemens AG
tcp 50111 0 Siemens Spectrum Power TG Siemens AG
unknown_transport 55000 0 Mitsubishi Electronic FL-Net Cyclic Transmission Mitsubishi Electric
unknown_transport 55001 0 Mitsubishi Electronic FL-Net Message Transmission Mitsubishi Electric
unknown_transport 55002 0 Mitsubishi Electronic FL-Net Participation Request Frame Mitsubishi Electric
unknown_transport 55003 0 Mitsubishi Electronic FL-Net Sending Service Mitsubishi Electric
tcp 55555 0 Rockwell AADvance Telnet Rockwell Automation
unknown_transport 55555 0 Foxboro/Invensys Foxboro DCS FoxAPI Schneider Electric
tcp 56001 0 OASyS SCADA AVEVA
tcp 56001 0 OASyS SCADA AVEVA
tcp 56002 0 OASyS SCADA AVEVA
tcp 56003 0 OASyS SCADA AVEVA
tcp 56004 0 OASyS SCADA AVEVA
tcp 56005 0 OASyS SCADA AVEVA
tcp 56006 0 OASyS SCADA AVEVA
tcp 56007 0 OASyS SCADA AVEVA
tcp 56008 0 OASyS SCADA AVEVA
tcp 56009 0 OASyS SCADA AVEVA
tcp 56010 0 OASyS SCADA AVEVA
tcp 56011 0 OASyS SCADA AVEVA
tcp 56012 0 OASyS SCADA AVEVA
tcp 56013 0 OASyS SCADA AVEVA
tcp 56014 0 OASyS SCADA AVEVA
tcp 56015 0 OASyS SCADA AVEVA
tcp 56016 0 OASyS SCADA AVEVA
tcp 56017 0 OASyS SCADA AVEVA
tcp 56018 0 OASyS SCADA AVEVA
tcp 56019 0 OASyS SCADA AVEVA
tcp 56020 0 OASyS SCADA AVEVA
tcp 56021 0 OASyS SCADA AVEVA
tcp 56022 0 OASyS SCADA AVEVA
tcp 56023 0 OASyS SCADA AVEVA
tcp 56024 0 OASyS SCADA AVEVA
tcp 56025 0 OASyS SCADA AVEVA
tcp 56026 0 OASyS SCADA AVEVA
tcp 56027 0 OASyS SCADA AVEVA
tcp 56028 0 OASyS SCADA AVEVA
tcp 56029 0 OASyS SCADA AVEVA
tcp 56030 0 OASyS SCADA AVEVA
tcp 56031 0 OASyS SCADA AVEVA
tcp 56032 0 OASyS SCADA AVEVA
tcp 56033 0 OASyS SCADA AVEVA
tcp 56034 0 OASyS SCADA AVEVA
tcp 56035 0 OASyS SCADA AVEVA
tcp 56036 0 OASyS SCADA AVEVA
tcp 56037 0 OASyS SCADA AVEVA
tcp 56038 0 OASyS SCADA AVEVA
tcp 56039 0 OASyS SCADA AVEVA
tcp 56040 0 OASyS SCADA AVEVA
tcp 56041 0 OASyS SCADA AVEVA
tcp 56042 0 OASyS SCADA AVEVA
tcp 56043 0 OASyS SCADA AVEVA
tcp 56044 0 OASyS SCADA AVEVA
tcp 56045 0 OASyS SCADA AVEVA
tcp 56046 0 OASyS SCADA AVEVA
tcp 56047 0 OASyS SCADA AVEVA
tcp 56048 0 OASyS SCADA AVEVA
tcp 56049 0 OASyS SCADA AVEVA
tcp 56050 0 OASyS SCADA AVEVA
tcp 56051 0 OASyS SCADA AVEVA
tcp 56052 0 OASyS SCADA AVEVA
tcp 56053 0 OASyS SCADA AVEVA
tcp 56054 0 OASyS SCADA AVEVA
tcp 56055 0 OASyS SCADA AVEVA
tcp 56056 0 OASyS SCADA AVEVA
tcp 56057 0 OASyS SCADA AVEVA
tcp 56058 0 OASyS SCADA AVEVA
tcp 56059 0 OASyS SCADA AVEVA
tcp 56060 0 OASyS SCADA AVEVA
tcp 56061 0 OASyS SCADA AVEVA
tcp 56062 0 OASyS SCADA AVEVA
tcp 56063 0 OASyS SCADA AVEVA
tcp 56064 0 OASyS SCADA AVEVA
tcp 56065 0 OASyS SCADA AVEVA
tcp 56066 0 OASyS SCADA AVEVA
tcp 56067 0 OASyS SCADA AVEVA
tcp 56068 0 OASyS SCADA AVEVA
tcp 56069 0 OASyS SCADA AVEVA
tcp 56070 0 OASyS SCADA AVEVA
tcp 56071 0 OASyS SCADA AVEVA
tcp 56072 0 OASyS SCADA AVEVA
tcp 56073 0 OASyS SCADA AVEVA
tcp 56074 0 OASyS SCADA AVEVA
tcp 56075 0 OASyS SCADA AVEVA
tcp 56076 0 OASyS SCADA AVEVA
tcp 56077 0 OASyS SCADA AVEVA
tcp 56078 0 OASyS SCADA AVEVA
tcp 56079 0 OASyS SCADA AVEVA
tcp 56080 0 OASyS SCADA AVEVA
tcp 56081 0 OASyS SCADA AVEVA
tcp 56082 0 OASyS SCADA AVEVA
tcp 56083 0 OASyS SCADA AVEVA
tcp 56084 0 OASyS SCADA AVEVA
tcp 56085 0 OASyS SCADA AVEVA
tcp 56086 0 OASyS SCADA AVEVA
tcp 56087 0 OASyS SCADA AVEVA
tcp 56088 0 OASyS SCADA AVEVA
tcp 56089 0 OASyS SCADA AVEVA
tcp 56090 0 OASyS SCADA AVEVA
tcp 56091 0 OASyS SCADA AVEVA
tcp 56092 0 OASyS SCADA AVEVA
tcp 56093 0 OASyS SCADA AVEVA
tcp 56094 0 OASyS SCADA AVEVA
tcp 56095 0 OASyS SCADA AVEVA
tcp 56096 0 OASyS SCADA AVEVA
tcp 56097 0 OASyS SCADA AVEVA
tcp 56098 0 OASyS SCADA AVEVA
tcp 56099 0 OASyS SCADA AVEVA
tcp 60093 0 Rockwell FactoryTalk Diagnostics Rockwell Automation
tcp 62900 0 GENe SNC
tcp 62911 0 GENe SNC
tcp 62924 0 GENe SNC
tcp 62930 0 GENe SNC
tcp 62938 0 GENe SNC
tcp 62956 0 GENe SNC
tcp 62957 0 GENe SNC
tcp 62963 0 GENe SNC
tcp 62981 0 GENe SNC
tcp 62982 0 GENe SNC
tcp 62985 0 GENe SNC
tcp 62992 0 GENe SNC
tcp 63012 0 GENe SNC
tcp 63027 0 GENe SNC
tcp 63028 0 GENe SNC
tcp 63029 0 GENe SNC
tcp 63030 0 GENe SNC
tcp 63031 0 GENe SNC
tcp 63032 0 GENe SNC
tcp 63033 0 GENe SNC
tcp 63034 0 GENe SNC
tcp 63035 0 GENe SNC
tcp 63036 0 GENe SNC
tcp 63041 0 GENe SNC
tcp 63075 0 GENe SNC
tcp 63079 0 GENe SNC
tcp 63082 0 GENe SNC
tcp 63088 0 GENe SNC
tcp 63094 0 GENe SNC
tcp 65207 0 Rockwell FactoryTalk VantagePoint Incuity Server Advertiser Rockwell Automation
tcp 65443 0 GENe SNC
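Review bot: tcp 56001 OASyS SCADA AVEVA appears twice in this table on consecutive rows, so one of the two should be dropped. Several ports also appear once as tcp and once as unknown_transport with different product names (5050: OASyS SCADA and Danfoss ECL Apex; 55555: Rockwell AADvance Telnet and Foxboro DCS FoxAPI); if this list feeds the best-guess ICS classifier, document how such collisions are resolved (first match, transport-specific match wins, or both reported), since an unknown_transport row effectively matches tcp and udp alike.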


@@ -0,0 +1,117 @@
##! Zeek local site policy. Customize as appropriate.
##!
##! See https://github.com/zeek/zeekctl
##! https://docs.zeek.org/en/stable/script-reference/scripts.html
##! https://github.com/zeek/zeek/blob/master/scripts/site/local.zeek
global disable_hash_all_files = (getenv("ZEEK_DISABLE_HASH_ALL_FILES") == "") ? F : T;
global disable_log_passwords = (getenv("ZEEK_DISABLE_LOG_PASSWORDS") == "") ? F : T;
global disable_ssl_validate_certs = (getenv("ZEEK_DISABLE_SSL_VALIDATE_CERTS") == "") ? F : T;
global disable_track_all_assets = (getenv("ZEEK_DISABLE_TRACK_ALL_ASSETS") == "") ? F : T;
global disable_best_guess_ics = (getenv("ZEEK_DISABLE_BEST_GUESS_ICS") == "") ? F : T;
global disable_spicy_dhcp = (getenv("ZEEK_DISABLE_SPICY_DHCP") == "") ? F : T;
global disable_spicy_dns = (getenv("ZEEK_DISABLE_SPICY_DNS") == "") ? F : T;
global disable_spicy_http = (getenv("ZEEK_DISABLE_SPICY_HTTP") == "") ? F : T;
global disable_spicy_ldap = (getenv("ZEEK_DISABLE_SPICY_LDAP") == "") ? F : T;
global disable_spicy_ipsec = (getenv("ZEEK_DISABLE_SPICY_IPSEC") == "") ? F : T;
global disable_spicy_openvpn = (getenv("ZEEK_DISABLE_SPICY_OPENVPN") == "") ? F : T;
global disable_spicy_tftp = (getenv("ZEEK_DISABLE_SPICY_TFTP") == "") ? F : T;
global disable_spicy_wireguard = (getenv("ZEEK_DISABLE_SPICY_WIREGUARD") == "") ? F : T;
redef Broker::default_listen_address = "127.0.0.1";
redef ignore_checksums = T;
@load tuning/defaults
@load misc/scan
@load frameworks/software/vulnerable
@load frameworks/software/version-changes
@load frameworks/software/windows-version-detection
@load-sigs frameworks/signatures/detect-windows-shells
@load protocols/conn/known-hosts
@load protocols/conn/known-services
@load protocols/dhcp/software
@load protocols/dns/detect-external-names
@load protocols/ftp/detect
@load protocols/ftp/detect-bruteforcing.zeek
@load protocols/ftp/software
@load protocols/http/detect-sqli
@load protocols/http/detect-webapps
@load protocols/http/software
@load protocols/http/software-browser-plugins
@load protocols/mysql/software
@load protocols/ssl/weak-keys
@load protocols/smb/log-cmds
@load protocols/smtp/software
@load protocols/ssh/detect-bruteforcing
@load protocols/ssh/geo-data
@load protocols/ssh/interesting-hostnames
@load protocols/ssh/software
@load protocols/ssl/known-certs
@load protocols/ssl/log-hostcerts-only
@if (!disable_ssl_validate_certs)
@load protocols/ssl/validate-certs
@endif
@if (!disable_track_all_assets)
@load tuning/track-all-assets.zeek
@endif
@if (!disable_hash_all_files)
@load frameworks/files/hash-all-files
@endif
@load policy/protocols/conn/vlan-logging
@load policy/protocols/conn/mac-logging
@load policy/protocols/modbus/known-masters-slaves
@load policy/protocols/mqtt
@load ./login.zeek
@if (!disable_best_guess_ics)
@load ./guess.zeek
@endif
@load packages
event zeek_init() &priority=-5 {
if (disable_spicy_dhcp) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_DHCP);
}
if (disable_spicy_dns) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_DNS);
}
if (disable_spicy_http) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_HTTP);
}
if (disable_spicy_ipsec) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_IPSEC_TCP);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_IPSEC_UDP);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_IPSEC_IKE_UDP);
}
if (disable_spicy_ldap) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_LDAP_TCP);
}
if (disable_spicy_openvpn) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_MD5);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_SHA1);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_SHA256);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_TCP_HMAC_SHA512);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_MD5);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA1);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA256);
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_OPENVPN_UDP_HMAC_SHA512);
}
if (disable_spicy_tftp) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_TFTP);
}
if (disable_spicy_wireguard) {
Spicy::disable_protocol_analyzer(Analyzer::ANALYZER_SPICY_WIREGUARD);
}
}
@if (!disable_log_passwords)
redef HTTP::default_capture_password = T;
redef FTP::default_capture_password = T;
redef SOCKS::default_capture_password = T;
redef SNIFFPASS::log_password_plaintext = T;
@endif
redef SNIFFPASS::notice_log_enable = F;
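Review bot: the @if (!disable_log_passwords) block at the end turns on HTTP::default_capture_password, FTP::default_capture_password, SOCKS::default_capture_password and SNIFFPASS::log_password_plaintext unless ZEEK_DISABLE_LOG_PASSWORDS is set, so plaintext credentials land in the forwarded logs by default; consider making this opt-in (an enable variable rather than a disable one) or at least calling the default out prominently in the sensor docs. Minor: `@load protocols/ftp/detect-bruteforcing.zeek` and `@load tuning/track-all-assets.zeek` carry the .zeek extension while every other @load omits it; both forms load, but it is worth making them consistent.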


@@ -0,0 +1,253 @@
module Login;
# log telnet, rlogin, and rsh events to login.log
export {
redef enum Log::ID += {
## The logging stream identifier
Log_LOGIN
};
type Info : record {
## Time the event occurred
ts : time &log;
## Unique ID for the connection
uid : string &log;
## The connection's 4-tuple of endpoint addresses/port
id : conn_id &log;
## proto (telnet, rlogin, or rsh)
proto : string &log &optional;
## login_success event was seen (successful login)
success : bool &log &default = F;
## login_confused event was seen (successful login)
confused : bool &log &default = F;
## username given for login attempt
user : string &log &optional;
## client_user given for login attempt (empty for telnet, set for rlogin)
client_user : string &log &optional;
## password given for login attempt
password : string &log &optional;
## whether or not a line has been written to login.log
logged : bool &default = F;
};
## Event that can be handled to access the :zeek:type:`Login::Info`
## record as it is sent on to the logging framework.
global log_login : event(rec : Info);
}
# Add the state tracking information variable to the connection record
redef record connection += {
login : Info &optional;
};
###############################################
# constants borrowed from the old Bro 1.5 login.bro required to make some of the telnet/rlogin/rsh events work correctly
# see https://github.com/zeek/zeek/blob/release/1.5/policy/login.bro#L178
# https://github.com/reservoirlabs/brorefguide/blob/master/analysis.texi#L3850
redef skip_authentication = { "WELCOME TO THE BERKELEY PUBLIC LIBRARY", };
redef direct_login_prompts = { "TERMINAL?", };
redef login_prompts = {
"Login:",
"login:",
"Name:",
"Username:",
"User:",
"Member Name",
"User Access Verification",
"Cisco Systems Console",
direct_login_prompts
};
redef login_non_failure_msgs = {
"Failures",
"failures", # probably is "<n> failures since last login"
"failure since last successful login",
"failures since last successful login",
};
redef login_non_failure_msgs = {
"Failures",
"failures", # probably is "<n> failures since last login"
"failure since last successful login",
"failures since last successful login",
} &redef;
redef login_failure_msgs = {
"invalid",
"Invalid",
"incorrect",
"Incorrect",
"failure",
"Failure",
# "Unable to authenticate",
# "unable to authenticate",
"User authorization failure",
"Login failed",
"INVALID",
"Sorry.",
"Sorry,",
};
const router_prompts: set[string] &redef;
redef login_success_msgs = {
"Last login",
"Last successful login",
"Last successful login",
"checking for disk quotas",
"unsuccessful login attempts",
"failure since last successful login",
"failures since last successful login",
router_prompts,
};
redef login_timeouts = {
"timeout",
"timed out",
"Timeout",
"Timed out",
"Error reading command input", # VMS
};
# end borrowed constants from Bro 1.5 login.bro
###############################################
# telnet, rlogin, rsh
const telnet_port = 23/tcp;
const telnet_ports = { telnet_port };
const rlogin_port = 513/tcp;
const rlogin_ports = { rlogin_port };
const rsh_port = 514/tcp;
const rsh_ports = { rsh_port };
redef likely_server_ports += { telnet_ports, rlogin_ports, rsh_ports };
# set_login_session - if has not yet been registered in the connection, instantiate
# the Info record and assign in c$login
function set_login_session(c : connection) {
if ( ! c?$login ) {
local s : Info = [$ts = network_time(), $uid = c$uid, $id = c$id];
switch c$id$resp_p {
case telnet_port:
s$proto = "telnet";
add c$service["telnet"];
break;
case rlogin_port:
s$proto = "rlogin";
add c$service["rlogin"];
break;
case rsh_port:
s$proto = "rsh";
add c$service["rsh"];
break;
}
c$login = s;
}
}
# login_message - log to login.log
function login_message(s : Info) {
# strip some values that can happen in a "confused" state that aren't really valid values
if (( s?$user ) && (( s$user == "" ) || ( s$user == "<none>" ) || ( s$user == "<timeout>" )))
delete s$user;
if (( s?$client_user ) && (( s$client_user == "" ) || ( s$client_user == "<none>" ) || ( s$client_user == "<timeout>" )))
delete s$client_user;
if (( s?$password ) && (( s$password == "" ) || ( s$password == "<none>" ) || ( s$password == "<timeout>" )))
delete s$password;
if (( s?$proto ) && ( s$proto == "" ))
delete s$proto;
s$ts = network_time();
Log::write(Login::Log_LOGIN, s);
s$logged = T;
}
# create log stream for login.log and register telnet, rlogin, and rsh analyzers
event zeek_init() &priority = 5 {
Log::create_stream(Login::Log_LOGIN, [$columns = Info, $ev = log_login, $path = "login"]);
Analyzer::register_for_ports(Analyzer::ANALYZER_TELNET, telnet_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_RLOGIN, rlogin_ports);
Analyzer::register_for_ports(Analyzer::ANALYZER_RSH, rsh_ports);
}
# login_confused - Generated when tracking of Telnet/Rlogin authentication failed
# https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek.html#id-login_confused
event login_confused(c : connection, msg : string, line : string) &priority = 5 {
# print "login_confused", msg, line;
set_login_session(c);
c$login$confused = T;
}
# login_failure - Generated when tracking of Telnet/Rlogin authentication failed
# https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek.html#id-login_failure
event login_failure(c : connection, user : string, client_user : string, password : string, line : string) &priority = 5 {
# print "login_failure", user, client_user, password, line;
set_login_session(c);
if ((!c$login?$user) || (c$login$user == ""))
c$login$user = user;
if ((!c$login?$client_user) || (c$login$client_user == ""))
c$login$client_user = client_user;
if ((!c$login?$password) || (c$login$password == ""))
c$login$password = password;
login_message(c$login);
}
# login_success - Generated for successful Telnet/Rlogin logins
# https://docs.zeek.org/en/current/scripts/base/bif/plugins/Zeek_Login.events.bif.zeek.html#id-login_success
event login_success(c : connection, user : string, client_user : string, password : string, line : string) &priority = 5 {
# print "login_success", user, client_user, password, line;
set_login_session(c);
c$login$success = T;
c$login$user = user;
c$login$client_user = client_user;
# it appears for a successful login with rsh where client_user was checked, what we're getting in
# the "password" field is actually not the password, but the first line of data
if ((c$login$proto != "rsh") || (c$login$client_user == ""))
c$login$password = password;
login_message(c$login);
}
event connection_state_remove(c : connection) &priority = -5 {
if (c?$login) {
if ( c$login$logged == F) {
login_message(c$login);
}
delete c$login;
}
}
# for testing:
# for file in /host/telnet/*; do cd /tmp; mkdir -p /host/logs/"$(basename "$file")"; /bin/rm -f /host/logs/"$(basename "$file")"/*; cd /host/logs/"$(basename "$file")"; zeek -r "$file" local > debug_output.txt; cd /tmp; done
# event activating_encryption(c: connection) { print "activating_encryption"; }
# event authentication_accepted(name: string, c: connection) { print "authentication_accepted", name; }
# event authentication_rejected(name: string, c: connection) { print "authentication_rejected", name; }
# event authentication_skipped(c: connection) { print "authentication_skipped"; }
# event bad_option(c: connection) { print "bad_option"; }
# event bad_option_termination(c: connection) { print "bad_option_termination"; }
# event inconsistent_option(c: connection) { print "inconsistent_option"; }
# event login_confused_text(c: connection, line: string) { print "login_confused_text", line; }
# event login_display(c: connection, display: string) { print "login_display", display; }
# event login_input_line(c: connection, line: string) { print "login_input_line", line; }
# event login_output_line(c: connection, line: string) { print "login_output_line", line; }
# event login_terminal(c: connection, terminal: string) { print "login_terminal", terminal; }
# event rsh_reply(c: connection, client_user: string, server_user: string, line: string) { print "rsh_reply", client_user, server_user, line; }
# event rsh_request(c: connection, client_user: string, server_user: string, line: string; new_session: bool) { print "rsh_request", client_user, server_user, line, new_session; }
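Review bot: the Info record's `password` field is assigned unconditionally in login_failure and login_success, so login.log carries plaintext credentials even when ZEEK_DISABLE_LOG_PASSWORDS is set for the rest of the policy; gating those two assignments on the same setting would keep behaviour consistent across the logs. Also, `redef login_non_failure_msgs` is assigned twice with identical contents, the second copy with a trailing `} &redef;`; drop the duplicate block. And the doc comment on `confused` reads "(successful login)", copied from `success`; it should describe the login_confused case (authentication tracking was lost).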


@@ -0,0 +1,10 @@
[Desktop Entry]
Version=1.0
Name=Configure Capture and Forwarding
Exec=/usr/bin/terminator --maximise -T "Configure Capture and Forwarding" -x /usr/local/bin/configure-capture.py
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=network-receive.png
Categories=Network;
StartupNotify=true


@@ -0,0 +1,10 @@
[Desktop Entry]
Version=1.0
Name=Configure Interfaces and Hostname
Exec=/usr/bin/terminator --maximise -T "Configure Interfaces and Hostname" -x su -l -c /usr/local/bin/configure-interfaces.py
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=network-wired.png
Categories=Network;
StartupNotify=true


@@ -0,0 +1,11 @@
[Desktop Entry]
Version=1.0
Name=Sensor Kiosk
Exec=/opt/firefox/firefox --setDefaultBrowser --no-remote --private --kiosk http://127.0.0.1:5000
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=/usr/share/images/hedgehog/hedgehog-color-small.png
Categories=Network;
StartupWMClass=Firefox
StartupNotify=true


@@ -0,0 +1,11 @@
[Desktop Entry]
Version=1.0
Name=Sensor README
Exec=/opt/firefox/firefox --setDefaultBrowser file:////usr/share/doc/hedgehog/HedgehogLinux.html
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=help-browser
Categories=Network;
StartupWMClass=Firefox
StartupNotify=true
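Review bot: the Exec line opens `file:////usr/share/doc/hedgehog/HedgehogLinux.html` with four slashes; the canonical form is `file:///usr/share/doc/hedgehog/HedgehogLinux.html`. Firefox is generally lenient about the extra slash, but the standard form avoids depending on that, so check that the README actually opens from the launcher and trim the URL.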


@@ -0,0 +1,10 @@
[Desktop Entry]
Version=1.0
Name=Restart Sensor Services
Exec=/usr/bin/terminator -T "Restart Sensor Services" -x bash -c "echo 'Stopping services...' && ( /opt/sensor/sensor_ctl/shutdown >/dev/null 2>&1 || true ) && echo 'Please wait...' && sleep 30 && echo 'Starting services...' && /opt/sensor/sensor_ctl/supervisor.sh"
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=reload.png
Categories=Network;
StartupNotify=true
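Review bot: the Exec line waits a fixed `sleep 30` between `/opt/sensor/sensor_ctl/shutdown` and `supervisor.sh` instead of checking that the services have actually exited; on a busy sensor a slow shutdown will start supervisor.sh while the old capture processes still hold the interfaces or open PCAP files, and on a fast one the operator waits needlessly. A bounded loop that polls `/opt/sensor/sensor_ctl/status` (the same command the service status launcher below uses) until nothing is running would be more robust.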


@@ -0,0 +1,10 @@
[Desktop Entry]
Version=1.0
Name=Sensor Service Status
Exec=/usr/bin/terminator -T "Sensor Service Status" -x bash -c "/opt/sensor/sensor_ctl/status && echo '' && read -p 'Press Enter to Continue'"
Terminal=false
X-MultipleArgs=false
Type=Application
Icon=view-restore.png
Categories=Network;
StartupNotify=true


@@ -0,0 +1,142 @@
{
"version": "7.6.2",
"objects": [
{
"id": "072befc0-ffba-11e8-a854-ad7782ef6a55",
"type": "dashboard",
"updated_at": "2019-12-23T19:07:39.093Z",
"version": "WzE2MDIsMV0=",
"attributes": {
"description": "Summary of Linux kernel audit events.",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"version\":true,\"highlightAll\":true}"
},
"optionsJSON": "{\"darkTheme\":true,\"useMargins\":false}",
"panelsJSON": "[{\"gridData\":{\"x\":0,\"y\":0,\"w\":28,\"h\":26,\"i\":\"1\"},\"version\":\"7.3.0\",\"panelIndex\":\"1\",\"panelRefName\":\"panel_0\"},{\"gridData\":{\"x\":28,\"y\":0,\"w\":20,\"h\":26,\"i\":\"4\"},\"version\":\"7.3.0\",\"panelIndex\":\"4\",\"panelRefName\":\"panel_1\"},{\"gridData\":{\"x\":0,\"y\":26,\"w\":48,\"h\":38,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelIndex\":\"5\",\"embeddableConfig\":{\"columns\":[\"beat.hostname\",\"auditd.summary.actor.primary\",\"auditd.summary.actor.secondary\",\"auditd.summary.object.type\",\"event.action\",\"auditd.summary.object.primary\",\"auditd.summary.object.secondary\",\"auditd.summary.how\",\"auditd.result\"]},\"panelRefName\":\"panel_2\"}]",
"timeRestore": false,
"title": "[Auditbeat auditd] Overview dashboard",
"version": 1
},
"references": [
{
"name": "panel_0",
"type": "visualization",
"id": "97680df0-c1c0-11e7-8995-936807a28b16"
},
{
"name": "panel_1",
"type": "visualization",
"id": "08679220-c25a-11e7-8692-232bd1143e8a"
},
{
"name": "panel_2",
"type": "search",
"id": "0f10c430-c1c3-11e7-8995-936807a28b16"
}
],
"migrationVersion": {
"dashboard": "7.3.0"
}
},
{
"id": "97680df0-c1c0-11e7-8995-936807a28b16",
"type": "visualization",
"updated_at": "2019-12-23T19:07:39.093Z",
"version": "WzE1OTksMV0=",
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{}"
},
"title": "Event Actions [Auditbeat Auditd Overview]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"type\":\"metrics\",\"params\":{\"bar_color_rules\":[{\"id\":\"5bfc71a0-c1bd-11e7-938f-ab0645b6c431\"}],\"gauge_color_rules\":[{\"id\":\"5d20a650-c1bd-11e7-938f-ab0645b6c431\"}],\"background_color_rules\":[{\"id\":\"58c95a20-c1bd-11e7-938f-ab0645b6c431\"}],\"time_field\":\"@timestamp\",\"index_pattern\":\"auditbeat-*\",\"gauge_inner_width\":10,\"series\":[{\"line_width\":1,\"terms_field\":\"event.action\",\"point_size\":1,\"color\":\"#68BC00\",\"label\":\"Actions\",\"metrics\":[{\"type\":\"count\",\"id\":\"6b9fb2d0-c1bc-11e7-938f-ab0645b6c431\"}],\"seperate_axis\":0,\"split_mode\":\"terms\",\"chart_type\":\"line\",\"stacked\":\"none\",\"axis_position\":\"right\",\"formatter\":\"number\",\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"fill\":0.5}],\"axis_formatter\":\"number\",\"interval\":\"auto\",\"filter\":{\"query\":\"event.module:auditd\",\"language\":\"lucene\"},\"legend_position\":\"left\",\"show_legend\":1,\"show_grid\":1,\"gauge_style\":\"half\",\"axis_position\":\"left\",\"gauge_width\":10,\"type\":\"timeseries\",\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\"},\"aggs\":[],\"title\":\"Event Actions [Auditbeat Auditd Overview]\"}"
},
"references": [],
"migrationVersion": {
"visualization": "7.4.2"
}
},
{
"id": "08679220-c25a-11e7-8692-232bd1143e8a",
"type": "visualization",
"updated_at": "2019-12-23T19:07:39.093Z",
"version": "WzE2MDAsMV0=",
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
},
"title": "Event Categories [Auditbeat Auditd]",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"type\":\"pie\",\"params\":{\"legendPosition\":\"right\",\"type\":\"pie\",\"isDonut\":true,\"addTooltip\":true,\"addLegend\":true},\"aggs\":[{\"params\":{},\"type\":\"count\",\"enabled\":true,\"id\":\"1\",\"schema\":\"metric\"},{\"params\":{\"orderBy\":\"1\",\"field\":\"event.category\",\"customLabel\":\"Category\",\"order\":\"desc\",\"size\":5},\"type\":\"terms\",\"enabled\":true,\"id\":\"2\",\"schema\":\"segment\"},{\"params\":{\"orderBy\":\"1\",\"field\":\"event.action\",\"customLabel\":\"Action\",\"order\":\"desc\",\"size\":20},\"type\":\"terms\",\"enabled\":true,\"id\":\"3\",\"schema\":\"segment\"}],\"title\":\"Event Categories [Auditbeat Auditd]\"}",
"savedSearchRefName": "search_0"
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "auditbeat-*"
},
{
"type": "search",
"name": "search_0",
"id": "0f10c430-c1c3-11e7-8995-936807a28b16"
}
],
"migrationVersion": {
"visualization": "7.4.2"
}
},
{
"id": "0f10c430-c1c3-11e7-8995-936807a28b16",
"type": "search",
"updated_at": "2019-12-23T19:07:39.093Z",
"version": "WzE2MDEsMV0=",
"attributes": {
"columns": [
"beat.hostname",
"auditd.summary.actor.primary",
"auditd.summary.actor.secondary",
"event.action",
"auditd.summary.object.type",
"auditd.summary.object.primary",
"auditd.summary.object.secondary",
"auditd.summary.how",
"auditd.result"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"filter\":[{\"query\":{\"match\":{\"event.module\":{\"query\":\"auditd\",\"type\":\"phrase\"}}},\"meta\":{\"value\":\"auditd\",\"disabled\":false,\"alias\":null,\"params\":{\"query\":\"auditd\",\"type\":\"phrase\"},\"key\":\"event.module\",\"negate\":false,\"type\":\"phrase\",\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index\"},\"$state\":{\"store\":\"appState\"}}],\"version\":true,\"highlightAll\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
},
"sort": [
[
"@timestamp",
"desc"
]
],
"title": "Audit Event Table [Auditbeat Auditd]",
"version": 1
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "auditbeat-*"
},
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
"type": "index-pattern",
"id": "auditbeat-*"
}
],
"migrationVersion": {
"search": "7.4.0"
}
}
]
}
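Review bot: the saved search 0f10c430-c1c3-11e7-8995-936807a28b16 lists `beat.hostname` as its first column (and the dashboard's embeddableConfig repeats it), while the syslog dashboard added in this same commit uses the ECS field `host.name`; since the export is tagged version 7.6.2 and Beats 7.x no longer populate beat.hostname, that column will render empty and should be changed to `host.name`.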


@@ -0,0 +1,167 @@
{
"version": "7.6.2",
"objects": [
{
"id": "1ca59220-ffb0-11e8-a854-ad7782ef6a55",
"type": "dashboard",
"updated_at": "2019-12-23T19:04:34.880Z",
"version": "WzE0MzcsMV0=",
"attributes": {
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
},
"optionsJSON": "{\"darkTheme\":true,\"hidePanelTitles\":false,\"useMargins\":false}",
"panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":27,\"w\":48,\"h\":41,\"i\":\"1\"},\"panelIndex\":\"1\",\"title\":\"Syslog Events\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":30,\"y\":0,\"w\":18,\"h\":27,\"i\":\"3\"},\"panelIndex\":\"3\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":17,\"y\":0,\"w\":13,\"h\":27,\"i\":\"4\"},\"panelIndex\":\"4\",\"version\":\"7.3.0\",\"panelRefName\":\"panel_2\"},{\"gridData\":{\"x\":0,\"y\":0,\"w\":17,\"h\":27,\"i\":\"5\"},\"version\":\"7.3.0\",\"panelIndex\":\"5\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"}]",
"timeRestore": false,
"title": "[Filebeat] Syslog dashboard",
"version": 1
},
"references": [
{
"name": "panel_0",
"type": "search",
"id": "c1e3d120-ffb0-11e8-a854-ad7782ef6a55"
},
{
"name": "panel_1",
"type": "visualization",
"id": "462e04d0-ffb3-11e8-a854-ad7782ef6a55"
},
{
"name": "panel_2",
"type": "visualization",
"id": "cc3f9cf0-ffb3-11e8-a854-ad7782ef6a55"
},
{
"name": "panel_3",
"type": "visualization",
"id": "96e77ef0-ffb4-11e8-a854-ad7782ef6a55"
}
],
"migrationVersion": {
"dashboard": "7.3.0"
}
},
{
"id": "c1e3d120-ffb0-11e8-a854-ad7782ef6a55",
"type": "search",
"updated_at": "2019-12-23T19:04:34.880Z",
"version": "WzE0MzMsMV0=",
"attributes": {
"columns": [
"host.name",
"syslog.severity_label",
"syslog.facility_label",
"process.program",
"message"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"_exists_:syslog\",\"language\":\"lucene\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"
},
"sort": [
[
"@timestamp",
"desc"
]
],
"title": "[Filebeat] Syslog search",
"version": 1
},
"references": [
{
"name": "kibanaSavedObjectMeta.searchSourceJSON.index",
"type": "index-pattern",
"id": "filebeat-*"
}
],
"migrationVersion": {
"search": "7.4.0"
}
},
{
"id": "462e04d0-ffb3-11e8-a854-ad7782ef6a55",
"type": "visualization",
"updated_at": "2019-12-23T19:04:34.880Z",
"version": "WzE0MzQsMV0=",
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "[Filebeat] Syslog by Host Timeline",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"[Filebeat] Syslog by Host Timeline\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"host.name\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Host\"}}]}",
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c1e3d120-ffb0-11e8-a854-ad7782ef6a55"
}
],
"migrationVersion": {
"visualization": "7.4.2"
}
},
{
"id": "cc3f9cf0-ffb3-11e8-a854-ad7782ef6a55",
"type": "visualization",
"updated_at": "2019-12-23T19:04:34.880Z",
"version": "WzE0MzUsMV0=",
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "[Filebeat] Syslog Process Cloud",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"[Filebeat] Syslog Process Cloud\",\"type\":\"tagcloud\",\"params\":{\"scale\":\"log\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"process.program\",\"size\":25,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Process\"}}]}",
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c1e3d120-ffb0-11e8-a854-ad7782ef6a55"
}
],
"migrationVersion": {
"visualization": "7.4.2"
}
},
{
"id": "96e77ef0-ffb4-11e8-a854-ad7782ef6a55",
"type": "visualization",
"updated_at": "2019-12-23T19:04:34.880Z",
"version": "WzE0MzYsMV0=",
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "[Filebeat] Syslog Facility by Host Pie Chart",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"[Filebeat] Syslog Facility by Host Pie Chart\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":false,\"labels\":{\"show\":false,\"values\":true,\"last_level\":false,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog.facility_label\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Syslog Facility\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Host\"}}]}",
"savedSearchRefName": "search_0"
},
"references": [
{
"type": "search",
"name": "search_0",
"id": "c1e3d120-ffb0-11e8-a854-ad7782ef6a55"
}
],
"migrationVersion": {
"visualization": "7.4.2"
}
}
]
}
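Review bot: The `references` entries resolve index patterns by the literal id `filebeat-*` (the two `"id": "filebeat-*"` lines), and no index-pattern object is included in this export, so importing it into a stock Kibana fails with missing references unless an index pattern with exactly that id (not merely that title; Kibana 7 assigns UUIDs by default) already exists. Either ship the index-pattern object in the export or document that the sensor-side setup creates it with this fixed id. The same applies to the `auditbeat-*` references in the audit export above.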

View File

@@ -0,0 +1,112 @@
{
"objects": [
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"protologbeat-*\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "Temperature Timeline",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Temperature Timeline\",\"type\":\"line\",\"params\":{\"type\":\"line\",\"grid\":{\"categoryLines\":true,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Max cpu_temp_avg\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"line\",\"mode\":\"normal\",\"data\":{\"label\":\"Maximum CPU °C\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":false,\"interpolate\":\"cardinal\"},{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":false,\"interpolate\":\"cardinal\",\"data\":{\"id\":\"3\",\"label\":\"Maximum Other °C\"},\"valueAxis\":\"ValueAxis-1\"},{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":false,\"interpolate\":\"cardinal\",\"data\":{\"id\":\"4\",\"label\":\"Maximum GPU °C\"},\"valueAxis\":\"ValueAxis-1\"},{\"show\":true,\"mode\":\"normal\",\"type\":\"line\",\"drawLinesBetweenPoints\":true,\"showCircles\":false,\"interpolate\":\"cardinal\",\"data\":{\"id\":\"8\",\"label\":\"Maximum Storage °C\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"cpu_temp_avg\",\"customLabel\":\"Maximum CPU 
°C\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"schema\":\"segment\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-12h\",\"to\":\"now\",\"mode\":\"quick\"},\"useNormalizedEsInterval\":true,\"interval\":\"auto\",\"time_zone\":\"America/Denver\",\"drop_partials\":false,\"customInterval\":\"2h\",\"min_doc_count\":1,\"extended_bounds\":{}}},{\"id\":\"3\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"other_temp_avg\",\"customLabel\":\"Maximum Other °C\"}},{\"id\":\"4\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"gpu_temp_avg\",\"customLabel\":\"Maximum GPU °C\"}},{\"id\":\"8\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"hdd_temp_avg\",\"customLabel\":\"Maximum Storage °C\"}}]}"
},
"id": "752a7e30-03af-11e9-bf7f-6138c205dfb3",
"type": "visualization",
"updated_at": "2018-12-20T18:16:43.966Z",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "Host Chooser",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Host Chooser\",\"type\":\"input_control_vis\",\"params\":{\"controls\":[{\"id\":\"1545248066352\",\"indexPattern\":\"protologbeat-*\",\"fieldName\":\"host.name\",\"parent\":\"\",\"label\":\"Host\",\"type\":\"list\",\"options\":{\"type\":\"terms\",\"multiselect\":true,\"dynamicOptions\":true,\"size\":5,\"order\":\"desc\"}}],\"updateFiltersOnChange\":false,\"useTimeFilter\":false,\"pinFilters\":false},\"aggs\":[]}"
},
"id": "293d13a0-03c5-11e9-b42b-a7822d24ca20",
"type": "visualization",
"updated_at": "2018-12-19T19:34:54.681Z",
"version": 1
},
{
"attributes": {
"columns": [
"host.name",
"cpu_temp_avg",
"hdd_temp_avg",
"other_temp_avg"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"protologbeat-*\",\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"sort": [
"@timestamp",
"desc"
],
"title": "Protologbeat search",
"version": 1
},
"id": "65345580-03c5-11e9-b42b-a7822d24ca20",
"type": "search",
"updated_at": "2018-12-20T18:16:42.939Z",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"protologbeat-*\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "CPU and Storage Temperature Gauge",
"uiStateJSON": "{\"vis\":{\"defaultColors\":{\"0 - 60\":\"rgb(0,104,55)\",\"60 - 70\":\"rgb(255,255,190)\",\"70 - 90\":\"rgb(165,0,38)\"}}}",
"version": 1,
"visState": "{\"title\":\"CPU and Storage Temperature Gauge\",\"type\":\"gauge\",\"params\":{\"type\":\"gauge\",\"addTooltip\":true,\"addLegend\":false,\"isDisplayWarning\":false,\"gauge\":{\"verticalSplit\":false,\"extendRange\":true,\"percentageMode\":false,\"gaugeType\":\"Arc\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"Labels\",\"colorsRange\":[{\"from\":0,\"to\":60},{\"from\":60,\"to\":70},{\"from\":70,\"to\":90}],\"invertColors\":false,\"labels\":{\"show\":true,\"color\":\"black\"},\"scale\":{\"show\":true,\"labels\":false,\"color\":\"#333\"},\"type\":\"meter\",\"style\":{\"bgWidth\":0.9,\"width\":0.9,\"mask\":false,\"bgMask\":false,\"maskBars\":50,\"bgFill\":\"#eee\",\"bgColor\":false,\"subText\":\"\",\"fontSize\":60,\"labelColor\":true}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"cpu_temp_avg\",\"customLabel\":\"Maximum CPU °C\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"hdd_temp_avg\",\"customLabel\":\"Maximum Storage °C\"}}]}"
},
"id": "db628ba0-03c5-11e9-b42b-a7822d24ca20",
"type": "visualization",
"updated_at": "2018-12-20T18:16:43.991Z",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"index\":\"protologbeat-*\",\"query\":{\"query\":\"\",\"language\":\"lucene\"},\"filter\":[]}"
},
"title": "Maximum Sensor CPU and Storage Temperatures",
"uiStateJSON": "{}",
"version": 1,
"visState": "{\"title\":\"Maximum Sensor CPU and Storage Temperatures\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"},\"valueAxis\":\"ValueAxis-1\"},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100,\"rotate\":0},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\",\"defaultYExtents\":false},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Maximum CPU °C\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"normal\",\"data\":{\"label\":\"Maximum CPU °C\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true},{\"show\":true,\"mode\":\"normal\",\"type\":\"histogram\",\"drawLinesBetweenPoints\":true,\"showCircles\":true,\"data\":{\"id\":\"3\",\"label\":\"Maximum Storage °C\"},\"valueAxis\":\"ValueAxis-1\"}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":false,\"orderBucketsBySum\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"cpu_temp_avg\",\"customLabel\":\"Maximum CPU °C\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.name\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Sensor Name\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"max\",\"schema\":\"metric\",\"params\":{\"field\":\"hdd_temp_avg\",\"customLabel\":\"Maximum Storage °C\"}}]}"
},
"id": "923c3ce0-03c6-11e9-b42b-a7822d24ca20",
"type": "visualization",
"updated_at": "2018-12-20T18:16:43.961Z",
"version": 1
},
{
"attributes": {
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[]}"
},
"optionsJSON": "{\"darkTheme\":true,\"hidePanelTitles\":false,\"useMargins\":false}",
"panelsJSON": "[{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":31,\"w\":48,\"h\":35,\"i\":\"1\"},\"id\":\"752a7e30-03af-11e9-bf7f-6138c205dfb3\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.5.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":0,\"w\":20,\"h\":11,\"i\":\"2\"},\"id\":\"293d13a0-03c5-11e9-b42b-a7822d24ca20\",\"panelIndex\":\"2\",\"title\":\"Sensor Filter\",\"type\":\"visualization\",\"version\":\"6.5.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":66,\"w\":48,\"h\":29,\"i\":\"3\"},\"id\":\"65345580-03c5-11e9-b42b-a7822d24ca20\",\"panelIndex\":\"3\",\"title\":\"Sensor Metrics\",\"type\":\"search\",\"version\":\"6.5.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":0,\"y\":11,\"w\":20,\"h\":20,\"i\":\"4\"},\"id\":\"db628ba0-03c5-11e9-b42b-a7822d24ca20\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.5.3\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":20,\"y\":0,\"w\":28,\"h\":31,\"i\":\"5\"},\"id\":\"923c3ce0-03c6-11e9-b42b-a7822d24ca20\",\"panelIndex\":\"5\",\"type\":\"visualization\",\"version\":\"6.5.3\"}]",
"timeRestore": false,
"title": "Sensor Temperature dashboard",
"version": 1
},
"id": "3c519150-03c5-11e9-b42b-a7822d24ca20",
"type": "dashboard",
"updated_at": "2018-12-20T18:16:43.882Z",
"version": 1
}
],
"version": "6.5.3"
}
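Review bot: The `customLabel` of the CPU metric in the `Temperature Timeline` visState is split across two lines (`\"customLabel\":\"Maximum CPU ` followed by `°C\"}}`), which points to a stray line-break character inside a JSON string literal; the other three labels in the same agg list and the identical `Maximum CPU °C` label in the gauge and histogram objects below are on one line, so this one should be made to match or the file will not parse. The date_histogram agg also hardcodes `\"time_zone\":\"America/Denver\"`, so any sensor deployed elsewhere renders the timeline shifted; drop the key so Kibana uses the browser timezone, as the other exports do. Finally, this file is in the 6.5.3 format (object ids embedded directly in `panelsJSON` and `searchSourceJSON` rather than in `references`), unlike the 7.6.2 exports beside it, so it depends on Kibana's on-import migration; re-exporting it from the target version would remove that dependency.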

View File

@@ -0,0 +1,10 @@
bc
clamav
clamav-daemon
clamav-freshclam
file-roller
galculator
libclamunrar9
mousepad
mupdf
xdiskusage

View File

@@ -0,0 +1,33 @@
bison
ccache
checkinstall
clang-11
cmake
git
google-perftools
libclang-11-dev
libclang1-11
libfl-dev
libfl2
libgoogle-perftools4
libjansson-dev
libjansson4
libmagic-dev
libmagic1
libmaxminddb-dev
libmaxminddb0
libpcap-dev
libpcap0.8
libssl-dev
libssl1.1
libtcmalloc-minimal4
llvm-11
llvm-11-dev
llvm-11-runtime
llvm-11-tools
locales-all
make
ninja-build
patch
swig
zlib1g-dev
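Review bot: This is a full compiler toolchain (clang-11, llvm-11*, cmake, ninja-build, ccache, checkinstall, git) plus `-dev` headers, and the set (bison, libfl-dev, swig, libpcap-dev, libssl-dev, zlib1g-dev, libmaxminddb-dev, libjansson-dev) looks like Zeek's build prerequisites. If these are installed into the shipped image rather than only into a build-time chroot stage, the capture appliance carries a complete toolchain it never needs at runtime, which is unnecessary attack surface for a sensor; purge the build-only packages after the build and keep just the runtime libraries (libpcap0.8, libssl1.1, libmaxminddb0, libjansson4, libmagic1, libfl2, libgoogle-perftools4, libtcmalloc-minimal4).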

View File

@@ -0,0 +1,20 @@
arandr
dconf-cli
fonts-symbola
libnotify-bin
lightdm
lxde
lxpanel
lxsession
open-vm-tools-desktop
x11-apps
x11-session-utils
x11-xfs-utils
x11-xserver-utils
xinit
xorg
xscreensaver
xserver-xorg
xserver-xorg-core
xserver-xorg-video-qxl
xserver-xorg-video-vmware

View File

@@ -0,0 +1,6 @@
grub-common
grub-efi-amd64
grub-efi-amd64-bin
grub-pc-bin
grub2-common
os-prober

View File

@@ -0,0 +1,25 @@
curl
ethtool
htpdate
iproute2
iputils-arping
iputils-ping
iputils-tracepath
libcurl4
libmmdb2-0
libpcap0.8
libssh2-1
macchanger
netcat-openbsd
ntp
openssh-client
openssh-server
openvpn
rsync
snmp
ssh-askpass
socat
tcpdump
traceroute
ufw
wget
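Review bot: Both `ntp` and `htpdate` are listed; if both services are enabled at boot they will each try to discipline the system clock and can work against each other, so the time-synchronization configuration step needs to ensure only the selected one is running (the package list alone does not enforce that). Likewise `ufw` is installed here, but nothing in this list enables it or sets a default-deny inbound policy; confirm that the firstboot/configuration stage does so, since a sensor with `openssh-server`, `snmp` and `openvpn` present should not come up with an unconfigured firewall.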

View File

@@ -0,0 +1,19 @@
python3
python3-bs4
python3-colorama
python3-dev
python3-dialog
python3-git
python3-magic
python3-netifaces
python3-pip
python3-psutil
python3-pycryptodome
python3-pyinotify
python3-requests
python3-scapy
python3-semantic-version
python3-setuptools
python3-wheel
python3-yara
python3-zmq

View File

@@ -0,0 +1,157 @@
accountsservice
apparmor
apparmor-profiles
apparmor-utils
apt
arj
atop
audispd-plugins
auditd
autopoint
bash-completion
bc
bcrypt
bridge-utils
btrfs-progs
busybox
bzip2
cifs-utils
coreutils
cpio
cpufrequtils
cracklib-runtime
cryptsetup
cryptsetup-bin
cryptsetup-initramfs
curl
debsums
dialog
dmidecode
dosfstools
ebtables
efibootmgr
eject
fatresize
file
flex
fonts-dejavu
fuse
fuseext2
fusefat
fuseiso
fusesmb
gawk
gdb
gdebi
gettext
ghostscript
ghostscript-x
gnupg
gnupg1
gnupg2
gpart
gparted
gvfs
gvfs-backends
gvfs-daemons
gvfs-fuse
gzip
hddtemp
hdparm
hfsplus
hfsprogs
hfsutils
htop
hwdata
javascript-common
jq
less
libatomic1
libffi6
libgtk2.0-bin
libjson-perl
libkrb5-3
liblsan0
libnl-3-200
libnl-genl-3-200
libnl-route-3-200
libpam-pwquality
libtool
libtsan0
libubsan1
libunwind8
libwww-perl
libykpers-1-1
libyubikey0
libzmq5
lm-sensors
localepurge
lshw
lsof
lvm2
lzma
mcrypt
md5deep
menu
miscfiles
moreutils
mtools
multitail
ncdu
neofetch
net-tools
ntfs-3g
p7zip
p7zip-full
p7zip-rar
parprouted
partclone
parted
pciutils
pcregrep
pigz
pkg-config
pmount
policykit-1
prelink
procps
psmisc
pv
pwgen
rar
rtkit
samba-libs
screen
sed
sharutils
shed
smartmontools
smbclient
sparse
speedometer
squashfs-tools
strace
sudo
supervisor
sysstat
tar
terminator
tmux
tofrodos
tree
udisks2
unrar
unzip
upower
usbutils
user-setup
uuid-runtime
wamerican
whois
xbitmaps
xfsprogs
xsltproc
xz-utils
zenity
zenity-common
zip
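Review bot: `prelink` should be dropped from this list: it rewrites ELF binaries on disk to fixed load addresses, which weakens ASLR for every prelinked binary and changes on-disk hashes, so integrity baselines taken with `md5deep` stop matching and the hardening the same list installs (`apparmor`, `apparmor-profiles`, `debsums`) is partly undone. Separately, `gnupg`, `gnupg1` and `gnupg2` are all listed; `gnupg1` is the legacy 1.4 branch and is only needed if something specifically invokes `gpg1`, otherwise `gnupg` alone suffices.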

View File

@@ -0,0 +1,3 @@
virtualbox-guest-dkms
virtualbox-guest-utils
virtualbox-guest-x11

View File

@@ -0,0 +1,324 @@
html {
font-size: 100%;
overflow-y: scroll;
-webkit-text-size-adjust: 100%;
-ms-text-size-adjust: 100%;
}
body {
color: #444;
font-family: Georgia, Palatino, 'Palatino Linotype', Times, 'Times New Roman', serif;
font-size: 12px;
line-height: 1.7;
padding: 1em;
margin: auto;
max-width: 1366px;
background: #fefefe;
}
a {
color: #0645ad;
text-decoration: none;
}
a:visited {
color: #0b0080;
}
a:hover {
color: #06e;
}
a:active {
color: #faa700;
}
a:focus {
outline: thin dotted;
}
*::-moz-selection {
background: rgba(255, 255, 0, 0.3);
color: #000;
}
*::selection {
background: rgba(255, 255, 0, 0.3);
color: #000;
}
a::-moz-selection {
background: rgba(255, 255, 0, 0.3);
color: #0645ad;
}
a::selection {
background: rgba(255, 255, 0, 0.3);
color: #0645ad;
}
p {
margin: 1em 0;
}
img {
max-width: 100%;
}
h1, h2, h3, h4, h5, h6 {
color: #111;
line-height: 125%;
margin-top: 2em;
font-weight: normal;
}
h4, h5, h6 {
font-weight: bold;
}
h1 {
font-size: 2.5em;
}
h2 {
font-size: 2em;
}
h3 {
font-size: 1.5em;
}
h4 {
font-size: 1.2em;
}
h5 {
font-size: 1em;
}
h6 {
font-size: 0.9em;
}
blockquote {
color: #666666;
margin: 0;
padding-left: 3em;
border-left: 0.5em #EEE solid;
}
hr {
display: block;
height: 2px;
border: 0;
border-top: 1px solid #aaa;
border-bottom: 1px solid #eee;
margin: 1em 0;
padding: 0;
}
pre, code, kbd, samp {
color: #000;
font-family: monospace, monospace;
_font-family: 'courier new', monospace;
font-size: 0.98em;
}
pre {
white-space: pre;
white-space: pre-wrap;
word-wrap: break-word;
}
b, strong {
font-weight: bold;
}
dfn {
font-style: italic;
}
ins {
background: #ff9;
color: #000;
text-decoration: none;
}
mark {
background: #ff0;
color: #000;
font-style: italic;
font-weight: bold;
}
sub, sup {
font-size: 75%;
line-height: 0;
position: relative;
vertical-align: baseline;
}
sup {
top: -0.5em;
}
sub {
bottom: -0.25em;
}
ul, ol {
margin: 1em 0;
padding: 0 0 0 2em;
}
li p:last-child {
margin-bottom: 0;
}
ul ul, ol ol {
margin: .3em 0;
}
dl {
margin-bottom: 1em;
}
dt {
font-weight: bold;
margin-bottom: .8em;
}
dd {
margin: 0 0 .8em 2em;
}
dd:last-child {
margin-bottom: 0;
}
img {
border: 0;
-ms-interpolation-mode: bicubic;
vertical-align: middle;
}
figure {
display: block;
text-align: center;
margin: 1em 0;
}
figure img {
border: none;
margin: 0 auto;
}
p.caption, figcaption {
font-size: 0.8em;
font-style: italic;
margin: 0 0 .8em;
}
table {
margin-bottom: 2em;
border-bottom: 1px solid #ddd;
border-right: 1px solid #ddd;
border-spacing: 0;
border-collapse: collapse;
}
table th {
padding: .2em 1em;
background-color: #eee;
border-top: 1px solid #ddd;
border-left: 1px solid #ddd;
}
table td {
padding: .2em 1em;
border-top: 1px solid #ddd;
border-left: 1px solid #ddd;
vertical-align: top;
}
.author {
font-size: 1.2em;
text-align: center;
}
@media only screen and (min-width: 480px) {
body {
font-size: 14px;
}
}
@media only screen and (min-width: 768px) {
body {
font-size: 16px;
}
}
@media print {
* {
background: transparent !important;
color: black !important;
filter: none !important;
-ms-filter: none !important;
}
body {
font-size: 12pt;
max-width: 100%;
}
a, a:visited {
text-decoration: underline;
}
hr {
height: 1px;
border: 0;
border-bottom: 1px solid black;
}
a[href]:after {
content: " (" attr(href) ")";
}
abbr[title]:after {
content: " (" attr(title) ")";
}
.ir a:after, a[href^="javascript:"]:after, a[href^="#"]:after {
content: "";
}
pre, blockquote {
border: 1px solid #999;
padding-right: 1em;
page-break-inside: avoid;
}
tr, img {
page-break-inside: avoid;
}
img {
max-width: 100% !important;
}
@page :left {
margin: 15mm 20mm 15mm 10mm;
}
@page :right {
margin: 15mm 10mm 15mm 20mm;
}
p, h2, h3 {
orphans: 3;
widows: 3;
}
h2, h3 {
page-break-after: avoid;
}
}
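Review bot: The `img` selector is declared twice (`max-width: 100%` near the top, and `border: 0; -ms-interpolation-mode: bicubic; vertical-align: middle` further down); merge them into one rule. The `_font-family` line in the `pre, code, kbd, samp` rule is an IE6 underscore hack that current browsers ignore and can be removed.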


Some files were not shown because too many files have changed in this diff.