diff --git a/.github/workflows/api-build-and-push-ghcr.yml b/.github/workflows/api-build-and-push-ghcr.yml index f1f5a5d5f..5a3ab5eee 100644 --- a/.github/workflows/api-build-and-push-ghcr.yml +++ b/.github/workflows/api-build-and-push-ghcr.yml @@ -31,14 +31,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash @@ -46,23 +46,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/api.Dockerfile diff --git a/.github/workflows/arkime-build-and-push-ghcr.yml b/.github/workflows/arkime-build-and-push-ghcr.yml index ca9d674a5..51e258b03 100644 --- a/.github/workflows/arkime-build-and-push-ghcr.yml +++ b/.github/workflows/arkime-build-and-push-ghcr.yml @@ -31,14 +31,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash 
@@ -46,23 +46,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/arkime.Dockerfile diff --git a/.github/workflows/dashboards-build-and-push-ghcr.yml b/.github/workflows/dashboards-build-and-push-ghcr.yml index 20fb0371d..5f4e729ee 100644 --- a/.github/workflows/dashboards-build-and-push-ghcr.yml +++ b/.github/workflows/dashboards-build-and-push-ghcr.yml @@ -31,14 +31,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash @@ -46,23 +46,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/dashboards.Dockerfile 
diff --git a/.github/workflows/dashboards-helper-build-and-push-ghcr.yml b/.github/workflows/dashboards-helper-build-and-push-ghcr.yml index 624d2ac30..2a4fb6a47 100644 --- a/.github/workflows/dashboards-helper-build-and-push-ghcr.yml +++ b/.github/workflows/dashboards-helper-build-and-push-ghcr.yml @@ -31,14 +31,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash @@ -46,23 +46,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/dashboards-helper.Dockerfile diff --git a/.github/workflows/dirinit-build-and-push-ghcr.yml b/.github/workflows/dirinit-build-and-push-ghcr.yml index af49b0e66..c57ed918a 100644 --- a/.github/workflows/dirinit-build-and-push-ghcr.yml +++ b/.github/workflows/dirinit-build-and-push-ghcr.yml @@ -23,14 +23,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash 
@@ -38,23 +38,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/dirinit.Dockerfile diff --git a/.github/workflows/file-monitor-build-and-push-ghcr.yml b/.github/workflows/file-monitor-build-and-push-ghcr.yml index e056c0393..c74860015 100644 --- a/.github/workflows/file-monitor-build-and-push-ghcr.yml +++ b/.github/workflows/file-monitor-build-and-push-ghcr.yml @@ -31,14 +31,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash @@ -46,23 +46,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/file-monitor.Dockerfile 
diff --git a/.github/workflows/file-upload-build-and-push-ghcr.yml b/.github/workflows/file-upload-build-and-push-ghcr.yml index b04551dd6..eb42c5ee1 100644 --- a/.github/workflows/file-upload-build-and-push-ghcr.yml +++ b/.github/workflows/file-upload-build-and-push-ghcr.yml @@ -31,14 +31,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash @@ -46,23 +46,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/file-upload.Dockerfile diff --git a/.github/workflows/filebeat-build-and-push-ghcr.yml b/.github/workflows/filebeat-build-and-push-ghcr.yml index b7cf3a385..c56c1c6a8 100644 --- a/.github/workflows/filebeat-build-and-push-ghcr.yml +++ b/.github/workflows/filebeat-build-and-push-ghcr.yml @@ -31,14 +31,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash 
@@ -46,23 +46,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/filebeat.Dockerfile diff --git a/.github/workflows/freq-build-and-push-ghcr.yml b/.github/workflows/freq-build-and-push-ghcr.yml index a04a6d758..b8e589f19 100644 --- a/.github/workflows/freq-build-and-push-ghcr.yml +++ b/.github/workflows/freq-build-and-push-ghcr.yml @@ -31,14 +31,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash @@ -46,23 +46,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/freq.Dockerfile 
diff --git a/.github/workflows/htadmin-build-and-push-ghcr.yml b/.github/workflows/htadmin-build-and-push-ghcr.yml index b6173f98b..04ac783ce 100644 --- a/.github/workflows/htadmin-build-and-push-ghcr.yml +++ b/.github/workflows/htadmin-build-and-push-ghcr.yml @@ -31,14 +31,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash @@ -46,23 +46,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/htadmin.Dockerfile diff --git a/.github/workflows/logstash-build-and-push-ghcr.yml b/.github/workflows/logstash-build-and-push-ghcr.yml index 3151903e4..f358e2226 100644 --- a/.github/workflows/logstash-build-and-push-ghcr.yml +++ b/.github/workflows/logstash-build-and-push-ghcr.yml @@ -31,14 +31,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash 
@@ -46,23 +46,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/logstash.Dockerfile diff --git a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml index 9f68aaaa8..488575fe8 100644 --- a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml +++ b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml @@ -29,17 +29,17 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master @@ -78,7 +78,7 @@ jobs: sudo rm -rf /tmp/live-build /tmp/live-build*.deb - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash 
@@ -139,14 +139,14 @@ jobs: sarif_file: 'trivy-results.sarif' - name: ghcr.io login - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push ISO image - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: ./malcolm-iso push: true diff --git a/.github/workflows/netbox-build-and-push-ghcr.yml b/.github/workflows/netbox-build-and-push-ghcr.yml index d67a45ec6..65cc11a71 100644 --- a/.github/workflows/netbox-build-and-push-ghcr.yml +++ b/.github/workflows/netbox-build-and-push-ghcr.yml @@ -31,14 +31,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash @@ -46,23 +46,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/netbox.Dockerfile diff --git a/.github/workflows/nginx-build-and-push-ghcr.yml b/.github/workflows/nginx-build-and-push-ghcr.yml index 4c63f216a..7ef3e9a7f 100644 --- a/.github/workflows/nginx-build-and-push-ghcr.yml +++ b/.github/workflows/nginx-build-and-push-ghcr.yml 
@@ -38,14 +38,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash @@ -58,23 +58,23 @@ jobs: id: extract_commit_sha - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/nginx.Dockerfile diff --git a/.github/workflows/opensearch-build-and-push-ghcr.yml b/.github/workflows/opensearch-build-and-push-ghcr.yml index 40b743459..225b89a2d 100644 --- a/.github/workflows/opensearch-build-and-push-ghcr.yml +++ b/.github/workflows/opensearch-build-and-push-ghcr.yml @@ -30,14 +30,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash 
@@ -45,23 +45,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/opensearch.Dockerfile diff --git a/.github/workflows/pcap-capture-build-and-push-ghcr.yml b/.github/workflows/pcap-capture-build-and-push-ghcr.yml index 7ded814d0..e8de170c4 100644 --- a/.github/workflows/pcap-capture-build-and-push-ghcr.yml +++ b/.github/workflows/pcap-capture-build-and-push-ghcr.yml @@ -31,14 +31,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash @@ -46,23 +46,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/pcap-capture.Dockerfile 
diff --git a/.github/workflows/pcap-monitor-build-and-push-ghcr.yml b/.github/workflows/pcap-monitor-build-and-push-ghcr.yml index aea7ac085..ca5138e18 100644 --- a/.github/workflows/pcap-monitor-build-and-push-ghcr.yml +++ b/.github/workflows/pcap-monitor-build-and-push-ghcr.yml @@ -31,14 +31,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash @@ -46,23 +46,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/pcap-monitor.Dockerfile diff --git a/.github/workflows/postgresql-build-and-push-ghcr.yml b/.github/workflows/postgresql-build-and-push-ghcr.yml index 36db42be1..29aefda44 100644 --- a/.github/workflows/postgresql-build-and-push-ghcr.yml +++ b/.github/workflows/postgresql-build-and-push-ghcr.yml @@ -30,14 +30,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash 
@@ -45,23 +45,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/postgresql.Dockerfile diff --git a/.github/workflows/redis-build-and-push-ghcr.yml b/.github/workflows/redis-build-and-push-ghcr.yml index b89103496..a04d0369b 100644 --- a/.github/workflows/redis-build-and-push-ghcr.yml +++ b/.github/workflows/redis-build-and-push-ghcr.yml @@ -30,14 +30,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash @@ -45,23 +45,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/redis.Dockerfile 
diff --git a/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml index ce522185f..d5ce7f2b2 100644 --- a/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml +++ b/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml @@ -27,17 +27,17 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master @@ -74,7 +74,7 @@ jobs: sudo rm -rf /tmp/live-build /tmp/live-build*.deb - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash @@ -97,6 +97,8 @@ jobs: cp ./scripts/malcolm_utils.py ./sensor-iso/shared/bin/ cp ./scripts/documentation_build.sh ./sensor-iso/docs/ cp -r ./arkime/patch ./sensor-iso/shared/arkime_patch + mkdir -p ./sensor-iso/suricata + cp -r ./suricata/rules-default ./sensor-iso/suricata/ pushd ./sensor-iso echo "${{ steps.extract_malcolm_version.outputs.mversion }}" > ./shared/version.txt echo "${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}" > ./shared/maxmind_license.txt @@ -104,7 +106,7 @@ jobs: echo "VCS_REVSION=${{ steps.extract_commit_sha.outputs.sha }}" > ./shared/environment.chroot echo "BUILD_JOBS=2" > ./shared/environment.chroot sudo /usr/bin/env bash ./build.sh - rm -rf ./shared/ ./docs/ ./_config.yml ./_includes ./_layouts /Gemfile ./README.md + rm -rf ./shared/ ./docs/ ./_config.yml ./_includes ./_layouts /Gemfile ./README.md ./suricata sudo chmod 644 ./hedgehog-*.* popd - 
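Review bot: In the `@@ -104,7 +106,7 @@` hunk the rewritten cleanup line still lists `/Gemfile` (an absolute path at the filesystem root) while every other entry is relative, so the repository's `./Gemfile` is not removed from the ISO build context; this looks like a pre-existing typo carried into the new line, and `rm -rf ./shared/ ./docs/ ./_config.yml ./_includes ./_layouts ./Gemfile ./README.md ./suricata` is presumably what was meant. That same `rm -rf` is also what deletes `./shared/`, into which the context lines above write `maxmind_license.txt` from a repository secret, so it is worth keeping that line correct and treating it as security-relevant rather than mere tidying. The `@@ -97,6 +97,8 @@` hunk's `cp -r ./suricata/rules-default ./sensor-iso/suricata/` is consistent with the added `./suricata` in the cleanup. The enclosing `run:` step starts outside both hunks.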
@@ -129,14 +131,14 @@ jobs: sarif_file: 'trivy-results.sarif' - name: ghcr.io login - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push ISO image - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: ./sensor-iso push: true diff --git a/.github/workflows/suricata-build-and-push-ghcr.yml b/.github/workflows/suricata-build-and-push-ghcr.yml index e76abb523..bd07b7006 100644 --- a/.github/workflows/suricata-build-and-push-ghcr.yml +++ b/.github/workflows/suricata-build-and-push-ghcr.yml @@ -31,14 +31,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash @@ -46,23 +46,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/suricata.Dockerfile diff --git a/.github/workflows/zeek-build-and-push-ghcr.yml b/.github/workflows/zeek-build-and-push-ghcr.yml index 2cd12c3ab..4cb14636c 100644 --- a/.github/workflows/zeek-build-and-push-ghcr.yml +++ b/.github/workflows/zeek-build-and-push-ghcr.yml 
@@ -30,14 +30,14 @@ jobs: steps: - name: Cancel previous run in progress - uses: styfle/cancel-workflow-action@0.11.0 + uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Extract branch name shell: bash @@ -45,23 +45,23 @@ jobs: id: extract_branch - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Log in to registry - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v5 with: context: . file: ./Dockerfiles/zeek.Dockerfile diff --git a/.gitignore b/.gitignore index 11b451b19..c47bd8a97 100644 --- a/.gitignore +++ b/.gitignore @@ -30,7 +30,7 @@ config.*/ .vagrant malcolm_*images.tar.gz malcolm_*images.tar.xz -malcolm_netbox_backup_*.psql.gz +malcolm_netbox_backup_*.gz *.iso *-build.log Gemfile.lock diff --git a/.trigger_iso_workflow_build b/.trigger_iso_workflow_build index 4ade3f725..bf8dee067 100644 --- a/.trigger_iso_workflow_build +++ b/.trigger_iso_workflow_build @@ -1,2 +1,2 @@ # this file exists solely for the purpose of being updated and seen by github to trigger a commit build action -1 \ No newline at end of file +2 \ No newline at end of file diff --git a/.trigger_workflow_build b/.trigger_workflow_build index 4ade3f725..bf8dee067 100644 --- a/.trigger_workflow_build +++ b/.trigger_workflow_build @@ -1,2 +1,2 @@ # this file exists solely for the purpose of being updated and seen by github to trigger a commit build action -1 \ No newline at end of file +2 \ No newline at end of file 
diff --git a/Dockerfiles/api.Dockerfile b/Dockerfiles/api.Dockerfile
index 17603c9b5..d22b71abb 100644
--- a/Dockerfiles/api.Dockerfile
+++ b/Dockerfiles/api.Dockerfile
@@ -20,7 +20,7 @@ RUN python3 -m pip wheel --no-cache-dir --no-deps --wheel-dir /usr/src/app/wheel
 FROM python:3-slim-bookworm
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 LABEL maintainer="malcolm@inl.gov"
 LABEL org.opencontainers.image.authors='malcolm@inl.gov'
 LABEL org.opencontainers.image.url='https://github.com/cisagov/Malcolm'
diff --git a/Dockerfiles/arkime.Dockerfile b/Dockerfiles/arkime.Dockerfile
index 7cb4a0135..f1038fbbc 100644
--- a/Dockerfiles/arkime.Dockerfile
+++ b/Dockerfiles/arkime.Dockerfile
@@ -1,6 +1,6 @@
 FROM debian:12-slim AS build
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm
@@ -92,7 +92,13 @@ ENV DEFAULT_UID $DEFAULT_UID
 ENV DEFAULT_GID $DEFAULT_GID
 ENV PUSER "arkime"
 ENV PGROUP "arkime"
-ENV PUSER_PRIV_DROP true
+# not dropping privileges globally: supervisord will take care of it
+# for all processes, but first we need root to sure capabilities for
+# traffic capturing tools are in-place before they are started.
+# despite doing setcap here in the Dockerfile, the chown in
+# docker-uid-gid-setup.sh will cause them to be lost, so we need
+# a final check in docker_entrypoint.sh before startup
+ENV PUSER_PRIV_DROP false
 ENV PUSER_RLIMIT_UNLOCK true
 ENV DEBIAN_FRONTEND noninteractive
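Review bot: The new comment block above `ENV PUSER_PRIV_DROP false` in the `@@ -92,7 +92,13 @@` hunk has a dropped word, and since this line is what keeps the container entrypoint running as root it deserves precise wording; suggest `# for all processes, but first we need root to make sure capabilities for`. It would also help a future reader to say explicitly which mechanism performs the per-process drop (presumably `user=` entries in arkime/supervisord.conf — confirm) and that nothing other than the capability check in docker_entrypoint.sh is expected to run as root, so that a later edit to supervisord.conf does not silently widen what runs privileged. The copyright-year hunks in both files are trivial.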
@@ -106,18 +112,26 @@ ARG MALCOLM_USERNAME=admin
 ARG ARKIME_ECS_PROVIDER=arkime
 ARG ARKIME_ECS_DATASET=session
 ARG ARKIME_INTERFACE=eth0
-ARG ARKIME_ANALYZE_PCAP_THREADS=1
+ARG ARKIME_AUTO_ANALYZE_PCAP_FILES=false
+ARG ARKIME_AUTO_ANALYZE_PCAP_THREADS=1
+ARG ARKIME_PACKET_THREADS=1
 ARG OPENSEARCH_MAX_SHARDS_PER_NODE=2500
 ARG WISE=on
 ARG VIEWER=on
+ARG ARKIME_VIEWER_PORT=8005
 #Whether or not Arkime is in charge of deleting old PCAP files to reclaim space
 ARG MANAGE_PCAP_FILES=false
+ARG ARKIME_PCAP_PROCESSOR=true
+ARG ARKIME_LIVE_CAPTURE=false
+ARG ARKIME_ROTATED_PCAP=true
+ARG ARKIME_COMPRESSION_TYPE=none
+ARG ARKIME_COMPRESSION_LEVEL=0
+
 #Whether or not to auto-tag logs based on filename
 ARG AUTO_TAG=true
 ARG PCAP_PIPELINE_VERBOSITY=""
 ARG PCAP_MONITOR_HOST=pcap-monitor
 ARG PCAP_NODE_NAME=malcolm
-ARG PCAP_NODE_HOST=
 ARG MAXMIND_GEOIP_DB_LICENSE_KEY=""
 # Declare envs vars for each arg
@@ -130,16 +144,23 @@ ENV ARKIME_PASSWORD "ignored"
 ENV ARKIME_ECS_PROVIDER $ARKIME_ECS_PROVIDER
 ENV ARKIME_ECS_DATASET $ARKIME_ECS_DATASET
 ENV ARKIME_DIR "/opt/arkime"
-ENV ARKIME_ANALYZE_PCAP_THREADS $ARKIME_ANALYZE_PCAP_THREADS
+ENV ARKIME_AUTO_ANALYZE_PCAP_FILES $ARKIME_AUTO_ANALYZE_PCAP_FILES
+ENV ARKIME_AUTO_ANALYZE_PCAP_THREADS $ARKIME_AUTO_ANALYZE_PCAP_THREADS
+ENV ARKIME_PACKET_THREADS $ARKIME_PACKET_THREADS
+ENV ARKIME_PCAP_PROCESSOR $ARKIME_PCAP_PROCESSOR
+ENV ARKIME_LIVE_CAPTURE $ARKIME_LIVE_CAPTURE
+ENV ARKIME_COMPRESSION_TYPE $ARKIME_COMPRESSION_TYPE
+ENV ARKIME_COMPRESSION_LEVEL $ARKIME_COMPRESSION_LEVEL
+ENV ARKIME_ROTATED_PCAP $ARKIME_ROTATED_PCAP
 ENV OPENSEARCH_MAX_SHARDS_PER_NODE $OPENSEARCH_MAX_SHARDS_PER_NODE
 ENV WISE $WISE
 ENV VIEWER $VIEWER
+ENV ARKIME_VIEWER_PORT $ARKIME_VIEWER_PORT
 ENV MANAGE_PCAP_FILES $MANAGE_PCAP_FILES
 ENV AUTO_TAG $AUTO_TAG
 ENV PCAP_PIPELINE_VERBOSITY $PCAP_PIPELINE_VERBOSITY
 ENV PCAP_MONITOR_HOST $PCAP_MONITOR_HOST
 ENV PCAP_NODE_NAME $PCAP_NODE_NAME
-ENV PCAP_NODE_HOST $PCAP_NODE_HOST
 COPY --from=build $ARKIME_DIR $ARKIME_DIR
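Review bot: The nine new `ARG`s in the `@@ -106,18 +112,26 @@` hunk arrive without any comment, while their neighbours `MANAGE_PCAP_FILES` and `AUTO_TAG` each carry a `#Whether or not ...` line; `ARKIME_PCAP_PROCESSOR`, `ARKIME_LIVE_CAPTURE` and `ARKIME_ROTATED_PCAP` in particular are not self-explanatory from their names, and a one-line comment in the existing style for each (what the flag enables, and which of them are mutually exclusive, if any) would save the next reader a trip into the scripts. The `ARG`/`ENV` pairs do line up one-for-one across the two hunks, so nothing is declared without being exported. `PCAP_NODE_HOST` is dropped from both the `ARG` and `ENV` lists; I cannot see its consumers from here, so it is worth confirming nothing under arkime/scripts or the shared pcap scripts still reads it, since it would now be silently unset.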
@@ -147,7 +168,9 @@ RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sour apt-get -q update && \ apt-get -y -q --no-install-recommends upgrade && \ apt-get install -q -y --no-install-recommends \ + bc \ curl \ + ethtool \ file \ geoip-bin \ gettext \ @@ -191,6 +214,7 @@ RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sour COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ COPY --chmod=755 shared/bin/self_signed_key_gen.sh /usr/local/bin/ +COPY --chmod=755 shared/bin/nic-capture-setup.sh /usr/local/bin/ COPY --chmod=755 shared/bin/opensearch_status.sh /opt COPY --chmod=755 shared/bin/pcap_processor.py /opt/ COPY --chmod=644 shared/bin/pcap_utils.py /opt/ @@ -199,6 +223,7 @@ COPY --chmod=644 shared/bin/watch_common.py /opt/ COPY --chmod=644 arkime/supervisord.conf /etc/supervisord.conf ADD arkime/scripts /opt/ ADD arkime/etc $ARKIME_DIR/etc/ +ADD arkime/rules/*.yml $ARKIME_DIR/rules/ ADD arkime/wise/source.*.js $ARKIME_DIR/wiseService/ COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic 
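Review bot: `ADD arkime/rules/*.yml $ARKIME_DIR/rules/` uses ADD where every neighbouring line uses COPY; ADD carries URL-fetch and auto-extract semantics that local YAML does not need, so `COPY --chmod=644 arkime/rules/*.yml $ARKIME_DIR/rules/` is the safer and consistent form (the glob already excludes the directory's `.gitignore`). The unchanged `COPY --from=ghcr.io/mmguero-dev/gostatic` line next to it pulls an untagged image from a personal namespace into the build; pinning a tag or digest would make the image reproducible, though that predates this change.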
@@ -211,12 +236,12 @@ RUN [ ${#MAXMIND_GEOIP_DB_LICENSE_KEY} -gt 1 ] && for DB in ASN Country City; do cd /tmp && \ curl -s -S -L -o "GeoLite2-$DB.mmdb.tar.gz" "https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-$DB&license_key=$MAXMIND_GEOIP_DB_LICENSE_KEY&suffix=tar.gz" && \ tar xf "GeoLite2-$DB.mmdb.tar.gz" --wildcards --no-anchored '*.mmdb' --strip=1 && \ - mkdir -p $ARKIME_DIR/etc/ $ARKIME_DIR/logs/ && \ + mkdir -p $ARKIME_DIR/etc/ $ARKIME_DIR/rules/ $ARKIME_DIR/logs/ && \ mv -v "GeoLite2-$DB.mmdb" $ARKIME_DIR/etc/; \ rm -f "GeoLite2-$DB*"; \ done; \ curl -s -S -L -o $ARKIME_DIR/etc/ipv4-address-space.csv "https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv" && \ - curl -s -S -L -o $ARKIME_DIR/etc/oui.txt "https://gitlab.com/wireshark/wireshark/raw/release-4.0/manuf" + curl -s -S -L -o $ARKIME_DIR/etc/oui.txt "https://www.wireshark.org/download/automated/data/manuf" RUN groupadd --gid $DEFAULT_GID $PGROUP && \ useradd -M --uid $DEFAULT_UID --gid $DEFAULT_GID --home $ARKIME_DIR $PUSER && \ @@ -225,9 +250,13 @@ RUN groupadd --gid $DEFAULT_GID $PGROUP && \ ln -sfr /opt/pcap_processor.py /opt/pcap_arkime_processor.py && \ cp -f /opt/arkime_update_geo.sh $ARKIME_DIR/bin/arkime_update_geo.sh && \ mv $ARKIME_DIR/etc/config.ini $ARKIME_DIR/etc/config.orig.ini && \ - chmod u+s $ARKIME_DIR/bin/capture && \ + cp $ARKIME_DIR/bin/capture $ARKIME_DIR/bin/capture-offline && \ + chown root:${PGROUP} $ARKIME_DIR/bin/capture && \ + setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' $ARKIME_DIR/bin/capture && \ + chown root:${PGROUP} /sbin/ethtool && \ + setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /sbin/ethtool && \ mkdir -p /var/run/arkime && \ - chown -R $PUSER:$PGROUP $ARKIME_DIR/etc $ARKIME_DIR/logs /var/run/arkime + chown -R $PUSER:$PGROUP $ARKIME_DIR/etc $ARKIME_DIR/rules $ARKIME_DIR/logs /var/run/arkime #Update Path ENV PATH="/opt:$ARKIME_DIR/bin:${PATH}" 
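Review bot: The capability-bearing binaries remain world-executable after `chown root:${PGROUP}`, so the group ownership does not actually limit who can exercise CAP_NET_RAW/CAP_NET_ADMIN (and CAP_IPC_LOCK on capture); adding `chmod 750 $ARKIME_DIR/bin/capture /sbin/ethtool && \` before the two `setcap` lines would make the group restriction effective (chmod after setcap also works, but ordering it first avoids any doubt about the xattr surviving). The `capture-offline` copy is taken before setcap and therefore carries no file capabilities, which is the right split for offline PCAP processing, but nothing says so — a comment such as `# capture-offline: uncapable copy for processing PCAP files; only the live-capture binary gets file caps` would keep a later edit from "fixing" it. Note that the Dockerfile comment added earlier in this diff states the runtime chown in docker-uid-gid-setup.sh clears these caps again, so the effective state depends on docker_entrypoint.sh re-applying them, outside this hunk.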
diff --git a/Dockerfiles/dashboards-helper.Dockerfile b/Dockerfiles/dashboards-helper.Dockerfile index 259a3a1ef..34336df29 100644 --- a/Dockerfiles/dashboards-helper.Dockerfile +++ b/Dockerfiles/dashboards-helper.Dockerfile @@ -47,10 +47,10 @@ ENV DASHBOARDS_URL $DASHBOARDS_URL ENV DASHBOARDS_DARKMODE $DASHBOARDS_DARKMODE ENV PATH="/data:${PATH}" -ENV SUPERCRONIC_VERSION "0.2.28" +ENV SUPERCRONIC_VERSION "0.2.29" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd" +ENV SUPERCRONIC_SHA1SUM "cd48d45c4b10f3f0bfdd3a57d054cd05ac96812b" ENV SUPERCRONIC_CRONTAB "/etc/crontab" ENV ECS_RELEASES_URL "https://api.github.com/repos/elastic/ecs/releases/latest" diff --git a/Dockerfiles/dirinit.Dockerfile b/Dockerfiles/dirinit.Dockerfile index 806252251..cedbf33ee 100644 --- a/Dockerfiles/dirinit.Dockerfile +++ b/Dockerfiles/dirinit.Dockerfile 
@@ -1,13 +1,13 @@ FROM alpine:3.18 -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' -LABEL org.opencontainers.image.url='https://github.com/idaholab/Malcolm' -LABEL org.opencontainers.image.documentation='https://github.com/idaholab/Malcolm/blob/main/README.md' -LABEL org.opencontainers.image.source='https://github.com/idaholab/Malcolm' +LABEL org.opencontainers.image.url='https://github.com/cisagov/Malcolm' +LABEL org.opencontainers.image.documentation='https://github.com/cisagov/Malcolm/blob/main/README.md' +LABEL org.opencontainers.image.source='https://github.com/cisagov/Malcolm' LABEL org.opencontainers.image.vendor='Idaho National Laboratory' -LABEL org.opencontainers.image.title='ghcr.io/idaholab/malcolm/dirinit' +LABEL org.opencontainers.image.title='ghcr.io/cisagov/malcolm/dirinit' LABEL org.opencontainers.image.description='Sidecar container that ensures the creation of some volume subdirectories and does nothing else' ARG DEFAULT_UID=1000 @@ -24,7 +24,7 @@ COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ RUN apk update --no-cache && \ apk upgrade --no-cache && \ - apk --no-cache add bash psmisc shadow tini && \ + apk --no-cache add bash psmisc rsync shadow tini && \ addgroup -g ${DEFAULT_GID} ${PGROUP} ; \ adduser -D -H -u ${DEFAULT_UID} -h /nonexistant -s /sbin/nologin -G ${PGROUP} -g ${PUSER} ${PUSER} ; \ addgroup ${PUSER} tty ; \ diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile index 0c107dff3..eaac24b0c 100644 --- a/Dockerfiles/file-monitor.Dockerfile +++ b/Dockerfiles/file-monitor.Dockerfile 
@@ -1,6 +1,6 @@ FROM debian:12-slim -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' LABEL org.opencontainers.image.url='https://github.com/cisagov/Malcolm' @@ -93,10 +93,10 @@ ENV EXTRACTED_FILE_HTTP_SERVER_ENCRYPT $EXTRACTED_FILE_HTTP_SERVER_ENCRYPT ENV EXTRACTED_FILE_HTTP_SERVER_KEY $EXTRACTED_FILE_HTTP_SERVER_KEY ENV EXTRACTED_FILE_HTTP_SERVER_PORT $EXTRACTED_FILE_HTTP_SERVER_PORT -ENV SUPERCRONIC_VERSION "0.2.28" +ENV SUPERCRONIC_VERSION "0.2.29" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd" +ENV SUPERCRONIC_SHA1SUM "cd48d45c4b10f3f0bfdd3a57d054cd05ac96812b" ENV SUPERCRONIC_CRONTAB "/etc/crontab" COPY --chmod=755 shared/bin/yara_rules_setup.sh /usr/local/bin/ diff --git a/Dockerfiles/file-upload.Dockerfile b/Dockerfiles/file-upload.Dockerfile index 2901f59be..fe81b26f3 100644 --- a/Dockerfiles/file-upload.Dockerfile +++ b/Dockerfiles/file-upload.Dockerfile @@ -1,6 +1,6 @@ FROM debian:12-slim AS npmget -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. ENV DEBIAN_FRONTEND noninteractive 
@@ -49,10 +49,10 @@ ENV FILEPOND_SERVER_BRANCH $FILEPOND_SERVER_BRANCH ARG STALE_UPLOAD_DELETE_MIN=360 ENV STALE_UPLOAD_DELETE_MIN $STALE_UPLOAD_DELETE_MIN -ENV SUPERCRONIC_VERSION "0.2.28" +ENV SUPERCRONIC_VERSION "0.2.29" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd" +ENV SUPERCRONIC_SHA1SUM "cd48d45c4b10f3f0bfdd3a57d054cd05ac96812b" ENV SUPERCRONIC_CRONTAB "/etc/crontab" COPY --from=npmget /usr/local/lib/node_modules/filepond /var/www/upload/filepond diff --git a/Dockerfiles/filebeat.Dockerfile b/Dockerfiles/filebeat.Dockerfile index e7748c71f..b0cc8b0e2 100644 --- a/Dockerfiles/filebeat.Dockerfile +++ b/Dockerfiles/filebeat.Dockerfile @@ -1,6 +1,6 @@ -FROM docker.elastic.co/beats/filebeat-oss:8.11.1 +FROM docker.elastic.co/beats/filebeat-oss:8.11.3 -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' LABEL org.opencontainers.image.url='https://github.com/cisagov/Malcolm' @@ -60,11 +60,12 @@ ARG FILEBEAT_TCP_PARSE_SOURCE_FIELD="message" ARG FILEBEAT_TCP_PARSE_TARGET_FIELD="" ARG FILEBEAT_TCP_PARSE_DROP_FIELD="" ARG FILEBEAT_TCP_TAG="_malcolm_beats" +ARG PCAP_NODE_NAME=malcolm -ENV SUPERCRONIC_VERSION "0.2.28" +ENV SUPERCRONIC_VERSION "0.2.29" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd" +ENV SUPERCRONIC_SHA1SUM "cd48d45c4b10f3f0bfdd3a57d054cd05ac96812b" ENV SUPERCRONIC_CRONTAB "/etc/crontab" ENV TINI_VERSION v0.19.0 
@@ -163,6 +164,7 @@ ENV FILEBEAT_TCP_PARSE_DROP_FIELD $FILEBEAT_TCP_PARSE_DROP_FIELD ENV FILEBEAT_TCP_TAG $FILEBEAT_TCP_TAG ENV FILEBEAT_REGISTRY_FILE "/usr/share/filebeat/data/registry/filebeat/data.json" ENV FILEBEAT_ZEEK_DIR "/zeek/" +ENV PCAP_NODE_NAME $PCAP_NODE_NAME VOLUME ["/usr/share/filebeat/data", "/usr/share/filebeat-nginx/data", "/usr/share/filebeat-tcp/data"] diff --git a/Dockerfiles/freq.Dockerfile b/Dockerfiles/freq.Dockerfile index fbf2d78f6..b2038b389 100644 --- a/Dockerfiles/freq.Dockerfile +++ b/Dockerfiles/freq.Dockerfile @@ -1,6 +1,6 @@ FROM debian:12-slim -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' LABEL org.opencontainers.image.url='https://github.com/cisagov/Malcolm' diff --git a/Dockerfiles/htadmin.Dockerfile b/Dockerfiles/htadmin.Dockerfile index de820d92f..a3776eeb0 100644 --- a/Dockerfiles/htadmin.Dockerfile +++ b/Dockerfiles/htadmin.Dockerfile @@ -1,6 +1,6 @@ FROM debian:11-slim -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' LABEL org.opencontainers.image.url='https://github.com/cisagov/Malcolm' diff --git a/Dockerfiles/logstash.Dockerfile b/Dockerfiles/logstash.Dockerfile index 7e00933a8..74f18f626 100644 --- a/Dockerfiles/logstash.Dockerfile +++ b/Dockerfiles/logstash.Dockerfile @@ -1,4 +1,4 @@ -FROM docker.elastic.co/logstash/logstash-oss:8.11.1 +FROM docker.elastic.co/logstash/logstash-oss:8.11.3 LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' diff --git a/Dockerfiles/netbox.Dockerfile b/Dockerfiles/netbox.Dockerfile index bfc5d9cbd..2f52ce1fe 100644 --- a/Dockerfiles/netbox.Dockerfile 
+++ b/Dockerfiles/netbox.Dockerfile @@ -1,6 +1,6 @@ -FROM netboxcommunity/netbox:v3.6.6 +FROM netboxcommunity/netbox:v3.6.7 -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' LABEL org.opencontainers.image.url='https://github.com/cisagov/Malcolm' @@ -24,10 +24,10 @@ ENV PUSER "ubuntu" ENV PGROUP "ubuntu" ENV PUSER_PRIV_DROP true -ENV SUPERCRONIC_VERSION "0.2.28" +ENV SUPERCRONIC_VERSION "0.2.29" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd" +ENV SUPERCRONIC_SHA1SUM "cd48d45c4b10f3f0bfdd3a57d054cd05ac96812b" ENV SUPERCRONIC_CRONTAB "/etc/crontab" ENV YQ_VERSION "4.33.3" diff --git a/Dockerfiles/nginx.Dockerfile b/Dockerfiles/nginx.Dockerfile index 7df1b6a36..9c320b13a 100644 --- a/Dockerfiles/nginx.Dockerfile +++ b/Dockerfiles/nginx.Dockerfile @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. #################################################################################### # thanks to: nginx - https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile diff --git a/Dockerfiles/opensearch.Dockerfile b/Dockerfiles/opensearch.Dockerfile index eaabe1d60..09cab5b0b 100644 --- a/Dockerfiles/opensearch.Dockerfile +++ b/Dockerfiles/opensearch.Dockerfile 
@@ -1,6 +1,6 @@ FROM opensearchproject/opensearch:2.11.1 -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' LABEL org.opencontainers.image.url='https://github.com/cisagov/Malcolm' diff --git a/Dockerfiles/pcap-capture.Dockerfile b/Dockerfiles/pcap-capture.Dockerfile index 2b5653a3b..0ace3218a 100644 --- a/Dockerfiles/pcap-capture.Dockerfile +++ b/Dockerfiles/pcap-capture.Dockerfile @@ -1,6 +1,6 @@ FROM debian:12-slim -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' LABEL org.opencontainers.image.url='https://github.com/cisagov/Malcolm' diff --git a/Dockerfiles/pcap-monitor.Dockerfile b/Dockerfiles/pcap-monitor.Dockerfile index 028d8d851..221af12d0 100644 --- a/Dockerfiles/pcap-monitor.Dockerfile +++ b/Dockerfiles/pcap-monitor.Dockerfile @@ -1,6 +1,6 @@ FROM debian:12-slim -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' LABEL org.opencontainers.image.url='https://github.com/cisagov/Malcolm' diff --git a/Dockerfiles/postgresql.Dockerfile b/Dockerfiles/postgresql.Dockerfile index 1a0d03497..0a06b1de8 100644 --- a/Dockerfiles/postgresql.Dockerfile +++ b/Dockerfiles/postgresql.Dockerfile 
@@ -1,6 +1,6 @@ FROM postgres:15-alpine -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' LABEL org.opencontainers.image.url='https://github.com/cisagov/Malcolm' diff --git a/Dockerfiles/redis.Dockerfile b/Dockerfiles/redis.Dockerfile index 5fbfa1042..f6e09c46b 100644 --- a/Dockerfiles/redis.Dockerfile +++ b/Dockerfiles/redis.Dockerfile @@ -1,6 +1,6 @@ FROM redis:7-alpine -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' LABEL org.opencontainers.image.url='https://github.com/cisagov/Malcolm' diff --git a/Dockerfiles/suricata.Dockerfile b/Dockerfiles/suricata.Dockerfile index 80969284c..70dfec59e 100644 --- a/Dockerfiles/suricata.Dockerfile +++ b/Dockerfiles/suricata.Dockerfile @@ -30,10 +30,10 @@ ENV PGROUP "suricata" ENV PUSER_PRIV_DROP false ENV PUSER_RLIMIT_UNLOCK true -ENV SUPERCRONIC_VERSION "0.2.28" +ENV SUPERCRONIC_VERSION "0.2.29" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd" +ENV SUPERCRONIC_SHA1SUM "cd48d45c4b10f3f0bfdd3a57d054cd05ac96812b" ENV SUPERCRONIC_CRONTAB "/etc/crontab" ENV YQ_VERSION "4.33.3" 
@@ -42,6 +42,7 @@ ENV YQ_URL "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_ ENV SURICATA_CONFIG_DIR /etc/suricata ENV SURICATA_CONFIG_FILE "$SURICATA_CONFIG_DIR"/suricata.yaml ENV SURICATA_CUSTOM_RULES_DIR /opt/suricata/rules +ENV SURICATA_DEFAULT_RULES_DIR /opt/suricata/rules-default ENV SURICATA_CUSTOM_CONFIG_DIR /opt/suricata/include-configs ENV SURICATA_LOG_DIR /var/log/suricata ENV SURICATA_MANAGED_DIR /var/lib/suricata @@ -52,15 +53,12 @@ ENV SURICATA_UPDATE_DIR "$SURICATA_MANAGED_DIR/update" ENV SURICATA_UPDATE_SOURCES_DIR "$SURICATA_UPDATE_DIR/sources" ENV SURICATA_UPDATE_CACHE_DIR "$SURICATA_UPDATE_DIR/cache" -COPY --chmod=644 suricata/default-rules/ /tmp/default-rules/ - RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sources && \ apt-get -q update && \ apt-get -y -q --no-install-recommends upgrade && \ apt-get install -q -y --no-install-recommends \ bc \ curl \ - ethtool \ file \ inotify-tools \ iproute2 \ 
@@ -117,15 +115,14 @@ RUN sed -i "s/main$/main contrib non-free/g" /etc/apt/sources.list.d/debian.sour usermod -a -G tty ${PUSER} && \ ln -sfr /usr/local/bin/pcap_processor.py /usr/local/bin/pcap_suricata_processor.py && \ (echo "*/5 * * * * /usr/local/bin/eve-clean-logs.sh\n0 */6 * * * /bin/bash /usr/local/bin/suricata-update-rules.sh\n" > ${SUPERCRONIC_CRONTAB}) && \ - mkdir -p "$SURICATA_CUSTOM_RULES_DIR" "$SURICATA_CUSTOM_CONFIG_DIR" && \ - chown -R ${PUSER}:${PGROUP} "$SURICATA_CUSTOM_RULES_DIR" "$SURICATA_CUSTOM_CONFIG_DIR" && \ + mkdir -p "$SURICATA_CUSTOM_RULES_DIR" "$SURICATA_DEFAULT_RULES_DIR" "$SURICATA_CUSTOM_CONFIG_DIR" && \ + chown -R ${PUSER}:${PGROUP} "$SURICATA_CUSTOM_RULES_DIR" "$SURICATA_DEFAULT_RULES_DIR" "$SURICATA_CUSTOM_CONFIG_DIR" && \ cp "$(dpkg -L suricata-update | grep 'update\.yaml$' | head -n 1)" \ "$SURICATA_UPDATE_CONFIG_FILE" && \ - find /tmp/default-rules/ -not -path '*/.gitignore' -type f -exec cp "{}" "$SURICATA_CONFIG_DIR"/rules/ \; && \ suricata-update update-sources --verbose --data-dir "$SURICATA_MANAGED_DIR" --config "$SURICATA_UPDATE_CONFIG_FILE" --suricata-conf "$SURICATA_CONFIG_FILE" && \ suricata-update update --fail --verbose --etopen --data-dir "$SURICATA_MANAGED_DIR" --config "$SURICATA_UPDATE_CONFIG_FILE" --suricata-conf "$SURICATA_CONFIG_FILE" && \ - chown root:${PGROUP} /sbin/ethtool /usr/bin/suricata && \ - setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /sbin/ethtool && \ + cp /usr/bin/suricata /usr/bin/suricata-offline && \ + chown root:${PGROUP} /usr/bin/suricata && \ setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' /usr/bin/suricata && \ apt-get clean && \ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* 
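Review bot: `ethtool` is removed from this image (its `setcap` here and the apt package in the previous hunk) while `ARG PCAP_IFACE_TWEAK=false` is still declared further down, so if suricata's docker_entrypoint.sh still honours that flag by calling ethtool or the now-removed nic-capture-setup.sh, interface tuning will fail at runtime instead of at build time — presumably that logic moved to another container, but either confirm the entrypoint no longer references it or drop the variable. Separately, `/usr/bin/suricata` stays world-executable after `chown root:${PGROUP}`, so the group ownership does not restrict who can run the CAP_NET_ADMIN/CAP_IPC_LOCK binary; `chmod 750 /usr/bin/suricata && \` before the setcap line would. The `suricata-offline` copy made before setcap correctly carries no file capabilities; a one-line comment stating that intent would help.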
@@ -135,13 +132,13 @@ COPY --chmod=644 suricata/supervisord.conf /etc/supervisord.conf COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/ COPY --chmod=755 shared/bin/service_check_passthrough.sh /usr/local/bin/ COPY --from=ghcr.io/mmguero-dev/gostatic --chmod=755 /goStatic /usr/bin/goStatic -COPY --chmod=755 shared/bin/nic-capture-setup.sh /usr/local/bin/ COPY --chmod=755 shared/bin/pcap_processor.py /usr/local/bin/ COPY --chmod=644 scripts/malcolm_utils.py /usr/local/bin/ COPY --chmod=755 shared/bin/suricata_config_populate.py /usr/local/bin/ COPY --chmod=755 suricata/scripts/docker_entrypoint.sh /usr/local/bin/ COPY --chmod=755 suricata/scripts/eve-clean-logs.sh /usr/local/bin/ COPY --chmod=755 suricata/scripts/suricata-update-rules.sh /usr/local/bin/ +COPY --chmod=u=rwX,go=rX suricata/rules-default/ "$SURICATA_DEFAULT_RULES_DIR"/ ARG PCAP_PIPELINE_VERBOSITY="" ARG PCAP_MONITOR_HOST=pcap-monitor @@ -161,6 +158,7 @@ ARG SURICATA_ROTATED_PCAP=false ARG PCAP_IFACE=lo ARG PCAP_IFACE_TWEAK=false ARG PCAP_FILTER= +ARG PCAP_NODE_NAME=malcolm ENV PCAP_PIPELINE_VERBOSITY $PCAP_PIPELINE_VERBOSITY ENV PCAP_MONITOR_HOST $PCAP_MONITOR_HOST @@ -179,6 +177,8 @@ ENV SURICATA_ROTATED_PCAP $SURICATA_ROTATED_PCAP ENV PCAP_IFACE $PCAP_IFACE ENV PCAP_IFACE_TWEAK $PCAP_IFACE_TWEAK ENV PCAP_FILTER $PCAP_FILTER +ENV PCAP_NODE_NAME $PCAP_NODE_NAME + ENV PUSER_CHOWN "$SURICATA_CONFIG_DIR;$SURICATA_MANAGED_DIR;$SURICATA_LOG_DIR;$SURICATA_RUN_DIR" diff --git a/Dockerfiles/zeek.Dockerfile b/Dockerfiles/zeek.Dockerfile index 29902e8e1..81e5d7027 100644 --- a/Dockerfiles/zeek.Dockerfile +++ b/Dockerfiles/zeek.Dockerfile @@ -62,7 +62,7 @@ RUN apt-get -q update && \ FROM debian:12-slim -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' 
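Review bot: `COPY --chmod=u=rwX,go=rX suricata/rules-default/ "$SURICATA_DEFAULT_RULES_DIR"/` runs after the earlier RUN already chowned that directory to `${PUSER}`, and COPY without `--chown` writes root-owned files, while `PUSER_CHOWN` below does not list `$SURICATA_DEFAULT_RULES_DIR`; if the intent is immutable, root-owned defaults (a good least-privilege choice given suricata-update-rules.sh runs from the unprivileged crontab) say so with `# default rules are root-owned and read-only for $PUSER by design`, otherwise add `--chown=${DEFAULT_UID}:${DEFAULT_GID}`. Symbolic `--chmod` modes were not accepted by all Dockerfile frontends at the time; the CI build uses `moby/buildkit:master`, but a local build with an older frontend may reject this line, so `--chmod=644` (directories already exist from the `mkdir -p` above) is the portable form if that matters.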
@@ -92,12 +92,11 @@ ENV PGROUP "zeeker" # docker-uid-gid-setup.sh will cause them to be lost, so we need # a final check in docker_entrypoint.sh before startup ENV PUSER_PRIV_DROP false -ENV PUSER_RLIMIT_UNLOCK true -ENV SUPERCRONIC_VERSION "0.2.28" +ENV SUPERCRONIC_VERSION "0.2.29" ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-amd64" ENV SUPERCRONIC "supercronic-linux-amd64" -ENV SUPERCRONIC_SHA1SUM "fe1a81a8a5809deebebbd7a209a3b97e542e2bcd" +ENV SUPERCRONIC_SHA1SUM "cd48d45c4b10f3f0bfdd3a57d054cd05ac96812b" ENV SUPERCRONIC_CRONTAB "/etc/crontab" # for download and install @@ -133,7 +132,6 @@ RUN export DEBARCH=$(dpkg --print-architecture) && \ clang \ cmake \ curl \ - ethtool \ file \ flex \ git \ @@ -224,7 +222,6 @@ ADD zeek/config/*.txt ${ZEEK_DIR}/share/zeek/site/ ADD zeek/scripts/docker_entrypoint.sh /usr/local/bin/ ADD shared/bin/zeek_intel_setup.sh ${ZEEK_DIR}/bin/ ADD shared/bin/zeekdeploy.sh ${ZEEK_DIR}/bin/ -ADD shared/bin/nic-capture-setup.sh /usr/local/bin/ # sanity checks to make sure the plugins installed and copied over correctly # these ENVs should match the number of third party scripts/plugins installed by zeek_install_plugins.sh 
@@ -245,10 +242,10 @@ RUN mkdir -p /tmp/logs && \ RUN groupadd --gid ${DEFAULT_GID} ${PUSER} && \ useradd -M --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} --home /nonexistant ${PUSER} && \ usermod -a -G tty ${PUSER} && \ - chown root:${PGROUP} /sbin/ethtool "${ZEEK_DIR}"/bin/zeek "${ZEEK_DIR}"/bin/capstats && \ - setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /sbin/ethtool && \ - setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' "${ZEEK_DIR}"/bin/zeek && \ - setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' "${ZEEK_DIR}"/bin/capstats && \ + cp "${ZEEK_DIR}"/bin/zeek "${ZEEK_DIR}"/bin/zeek-offline && \ + chown root:${PGROUP} "${ZEEK_DIR}"/bin/zeek "${ZEEK_DIR}"/bin/capstats && \ + setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' "${ZEEK_DIR}"/bin/zeek && \ + setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' "${ZEEK_DIR}"/bin/capstats && \ touch "${SUPERCRONIC_CRONTAB}" && \ chown -R ${DEFAULT_UID}:${DEFAULT_GID} "${ZEEK_DIR}"/share/zeek/site/intel "${SUPERCRONIC_CRONTAB}" && \ ln -sfr /usr/local/bin/pcap_processor.py /usr/local/bin/pcap_zeek_processor.py && \ @@ -269,6 +266,8 @@ ARG ZEEK_INTEL_REFRESH_THREADS=2 ARG ZEEK_INTEL_FEED_SINCE= ARG ZEEK_EXTRACTOR_MODE=none ARG ZEEK_EXTRACTOR_PATH=/zeek/extract_files +ARG ZEEK_INTEL_PATH=/opt/zeek/share/zeek/site/intel +ARG ZEEK_CUSTOM_PATH=/opt/zeek/share/zeek/site/custom ARG PCAP_PIPELINE_VERBOSITY="" ARG PCAP_MONITOR_HOST=pcap-monitor ARG ZEEK_LIVE_CAPTURE=false @@ -277,6 +276,7 @@ ARG ZEEK_ROTATED_PCAP=false ARG PCAP_IFACE=lo ARG PCAP_IFACE_TWEAK=false ARG PCAP_FILTER= +ARG PCAP_NODE_NAME=malcolm ENV AUTO_TAG $AUTO_TAG ENV ZEEK_PCAP_PROCESSOR $ZEEK_PCAP_PROCESSOR 
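Review bot: The `zeek-offline` copy is taken before the `setcap` calls and so carries no file capabilities, a sensible least-privilege split for offline PCAP processing, but the hunk does not say so; a comment like `# zeek-offline: uncapable copy for processing PCAP files; file caps stay on the live-capture binary only` would prevent the split being undone later. This hunk also drops CAP_IPC_LOCK from zeek and capstats while an earlier hunk in this file removes `PUSER_RLIMIT_UNLOCK`, so if the AF_PACKET ring buffers configured for live capture need locked memory the capture process may now fail at startup — presumably tested, but worth stating in the commit message. Both binaries remain world-executable after `chown root:${PGROUP}`; `chmod 750` before the setcap lines would make the group ownership meaningful.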
@@ -289,6 +289,8 @@ ENV ZEEK_INTEL_REFRESH_THREADS $ZEEK_INTEL_REFRESH_THREADS ENV ZEEK_INTEL_FEED_SINCE $ZEEK_INTEL_FEED_SINCE ENV ZEEK_EXTRACTOR_MODE $ZEEK_EXTRACTOR_MODE ENV ZEEK_EXTRACTOR_PATH $ZEEK_EXTRACTOR_PATH +ENV ZEEK_INTEL_PATH $ZEEK_INTEL_PATH +ENV ZEEK_CUSTOM_PATH $ZEEK_CUSTOM_PATH ENV PCAP_PIPELINE_VERBOSITY $PCAP_PIPELINE_VERBOSITY ENV PCAP_MONITOR_HOST $PCAP_MONITOR_HOST ENV ZEEK_LIVE_CAPTURE $ZEEK_LIVE_CAPTURE @@ -296,6 +298,7 @@ ENV ZEEK_ROTATED_PCAP $ZEEK_ROTATED_PCAP ENV PCAP_IFACE $PCAP_IFACE ENV PCAP_IFACE_TWEAK $PCAP_IFACE_TWEAK ENV PCAP_FILTER $PCAP_FILTER +ENV PCAP_NODE_NAME $PCAP_NODE_NAME # environment variables for zeek runtime tweaks (used in local.zeek) ARG ZEEK_DISABLE_HASH_ALL_FILES= diff --git a/LICENSE.txt b/LICENSE.txt index db2310bed..e4db15ef7 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -1,4 +1,4 @@ -Copyright 2023, Battelle Energy Alliance, LLC +Copyright 2024 Battelle Energy Alliance, LLC Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/NOTICE.txt b/NOTICE.txt index ecfde96a4..a27e8c07b 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -4,7 +4,7 @@ https://github.com/cisagov/Malcolm See LICENSE.txt for license terms. -Malcolm is Copyright (c) 2023 Battelle Energy Alliance, LLC, and is developed +Malcolm is Copyright (c) 2024 Battelle Energy Alliance, LLC, and is developed and released through the cooperation of the Cybersecurity and Infrastructure Security Agency of the U.S. Department of Homeland Security. All rights reserved. diff --git a/README.md b/README.md index 31b2adab6..fb4a574d1 100644 --- a/README.md +++ b/README.md 
@@ -25,7 +25,7 @@ You can help steer Malcolm's development by sharing your ideas and feedback. Ple ## Copyright and License -Malcolm is Copyright 2023 Battelle Energy Alliance, LLC, and is developed and released through the cooperation of the [Cybersecurity and Infrastructure Security Agency](https://www.cisa.gov/) of the [U.S. Department of Homeland Security](https://www.dhs.gov/). +Malcolm is Copyright 2024 Battelle Energy Alliance, LLC, and is developed and released through the cooperation of the [Cybersecurity and Infrastructure Security Agency](https://www.cisa.gov/) of the [U.S. Department of Homeland Security](https://www.dhs.gov/). Malcolm is licensed under the Apache License, version 2.0. See `LICENSE.txt` for the terms of its release. diff --git a/api/requirements.txt b/api/requirements.txt index 19243e4ca..f76b2a87f 100644 --- a/api/requirements.txt +++ b/api/requirements.txt @@ -5,5 +5,5 @@ opensearch-py==2.4.2 requests==2.31.0 regex==2022.3.2 dateparser==1.1.1 -elasticsearch==8.11.0 +elasticsearch==8.11.1 elasticsearch-dsl==8.11.0 \ No newline at end of file diff --git a/arkime/arkime_regression_test_harness/docker-compose.yml b/arkime/arkime_regression_test_harness/docker-compose.yml index c205d0a7a..1e112a7a6 100644 --- a/arkime/arkime_regression_test_harness/docker-compose.yml +++ b/arkime/arkime_regression_test_harness/docker-compose.yml @@ -13,12 +13,6 @@ services: cluster.routing.allocation.node_initial_primaries_recoveries : 8 expose: - 9200 - ulimits: - memlock: - soft: -1 - hard: -1 - cap_add: - - IPC_LOCK healthcheck: test: ["CMD", "curl", "-f", "http://localhost:9200"] interval: 30s diff --git a/arkime/etc/config.ini b/arkime/etc/config.ini index 3caf5a270..34aed4c57 100644 --- a/arkime/etc/config.ini +++ b/arkime/etc/config.ini 
@@ -4,69 +4,83 @@ # [default] -elasticsearch=http://opensearch:9200 +antiSynDrop=false +certFile=/opt/arkime/etc/viewer.crt +compressES=false cronQueries=true -rotateIndex=daily -passwordSecret=Malcolm +dropGroup=arkime +dropUser=arkime +elasticsearch=http://opensearch:9200 +freeSpaceG=10% +geoLite2ASN=/opt/arkime/etc/GeoLite2-ASN.mmdb +geoLite2Country=/opt/arkime/etc/GeoLite2-Country.mmdb httpRealm=Arkime -userAuthIps=::,0.0.0.0/0 +icmpTimeout=10 interface=eth0 -wiseHost=127.0.0.1 -wisePort=8081 +bpf= +keyFile=/opt/arkime/etc/viewer.key +logESRequests=false +logEveryXPackets=500000 +logFileCreation=true +logHTTPConnections=false +logUnknownProtocols=false +maxESConns=30 +maxESRequests=500 +maxFileSizeG=4 +maxFileTimeM=180 +maxPackets=10000 +maxReqBody=64 +maxStreams=1000000 +ouiFile=/opt/arkime/etc/oui.txt +packetsPerPoll=50000 +parseQSValue=false +parsersDir=/opt/arkime/parsers +parseSMB=true +parseSMTP=true +passwordSecret=Malcolm pcapDir=/data/pcap/processed +plugins=wise.so +pluginsDir=/opt/arkime/plugins readTruncatedPackets=true -maxFileSizeG=4 -tcpTimeout=600 +reqBodyOnlyUtf8=true +rirFile=/opt/arkime/etc/ipv4-address-space.csv +rotateIndex=daily +rulesFiles= +smtpIpHeaders=X-Originating-IP:;X-Barracuda-Apparent-Source-IP: +spiDataMaxIndices=7 +supportSha256=false tcpSaveTimeout=720 +tcpTimeout=600 udpTimeout=30 -icmpTimeout=10 -maxStreams=1000000 -maxPackets=10000 -freeSpaceG=10% +uploadCommand= +userAuthIps=::,0.0.0.0/0 +viewerPlugins=wise.js viewPort=8005 -certFile=/opt/arkime/etc/viewer.crt -keyFile=/opt/arkime/etc/viewer.key -geoLite2Country=/opt/arkime/etc/GeoLite2-Country.mmdb -geoLite2ASN=/opt/arkime/etc/GeoLite2-ASN.mmdb -rirFile=/opt/arkime/etc/ipv4-address-space.csv -ouiFile=/opt/arkime/etc/oui.txt -dropUser=arkime -dropGroup=arkime +wiseHost=127.0.0.1 +wisePort=8081 # implicit auto-creation of users for Arkime (see https://github.com/arkime/arkime/pull/1120) # The userAutoCreateTmpl should more or less match what's in /etc/user_settings.json # 
which is what's used when creating the default admin user. userNameHeader=http_auth_http_user userAutoCreateTmpl={"userId": "${this.http_auth_http_user}", "userName": "${this.http_auth_http_user}", "enabled": true, "createEnabled": false, "webEnabled": true, "headerAuthEnabled": true, "emailSearch": true, "removeEnabled": false, "packetSearch": true, "hideStats": false, "hideFiles": false, "hidePcap": false, "disablePcapDownload": false, "settings": { "timezone": "local", "detailFormat": "last", "showTimestamps": "last", "sortColumn": "firstPacket", "sortDirection": "desc", "spiGraph": "protocol", "connSrcField": "source.ip", "connDstField": "destination.ip", "numPackets": "last", "theme" : "custom1: #222222,#E2E2E2,#FFFFFF,#00789E,#004A79,#017D73,#092B40,#42b7c5,#2A7580,#ecb30a,#333333,#89ADCC,#6D6D6D,#FFE7E7,#ECFEFF", "manualQuery": false }, "tableStates": { "sessionsNew": { "order": [ [ "firstPacket", "desc" ] ], "visibleHeaders": [ "protocol", "event.provider", "event.dataset", "firstPacket", "lastPacket", "src", "source.port", "dst", "destination.port", "network.packets", "dbby", "tags", "info" ] } } } -parseSMTP=true -parseSMB=true -parseQSValue=false -supportSha256=false -maxReqBody=64 -reqBodyOnlyUtf8=true -smtpIpHeaders=X-Originating-IP:;X-Barracuda-Apparent-Source-IP: -parsersDir=/opt/arkime/parsers -pluginsDir=/opt/arkime/plugins -plugins=wise.so -viewerPlugins=wise.js -spiDataMaxIndices=7 -uploadCommand= -packetThreads=2 -pcapWriteMethod=simple -pcapWriteSize=262143 -simpleCompression=zstd -simpleZstdLevel=3 -compressES=false -maxESConns=30 -maxESRequests=500 -packetsPerPoll=50000 -antiSynDrop=true -logEveryXPackets=100000 -logUnknownProtocols=false -logESRequests=true -logFileCreation=true # temporarily disabling viewer autocomplete to see if it helps slugishness valueAutoComplete=false +### High Performance settings +# https://github.com/arkime/arkime/wiki/Settings#High_Performance_Settings +magicMode=basic +pcapReadMethod=tpacketv3 
+tpacketv3NumThreads=2 +tpacketv3BlockSize=8388608 +pcapWriteMethod=simple +pcapWriteSize=2560000 +simpleCompression=none +simpleZstdLevel=3 +simpleGzipLevel=3 +packetThreads=2 +maxPacketsInQueue=300000 +dbBulkSize=4000000 + [custom-fields] # see https://docs.zeek.org/en/stable/script-reference/log-files.html for Zeek logfile documentation diff --git a/arkime-logs/.gitignore b/arkime/rules/.gitignore similarity index 100% rename from arkime-logs/.gitignore rename to arkime/rules/.gitignore diff --git a/arkime/rules/single_session_no_spi.yml b/arkime/rules/single_session_no_spi.yml new file mode 100644 index 000000000..fdfb73069 --- /dev/null +++ b/arkime/rules/single_session_no_spi.yml @@ -0,0 +1,11 @@ +--- +version: 1 +rules: + - name: "Dont save SPI sessions with only 1 source packet" + when: "beforeFinalSave" + fields: + packets.src: 1 + packets.dst: 0 + tcpflags.syn: 1 + ops: + _dontSaveSPI: 1 diff --git a/arkime/rules/ssh_trunate.yml b/arkime/rules/ssh_trunate.yml new file mode 100644 index 000000000..4d5b099d9 --- /dev/null +++ b/arkime/rules/ssh_trunate.yml @@ -0,0 +1,10 @@ +--- +version: 1 +rules: + - name: "Only save first n packets of SSH" + when: "fieldSet" + fields: + protocols: + - ssh + ops: + _maxPacketsToSave: 20 diff --git a/arkime/rules/tls_trunate.yml b/arkime/rules/tls_trunate.yml new file mode 100644 index 000000000..0e51a8e3d --- /dev/null +++ b/arkime/rules/tls_trunate.yml @@ -0,0 +1,10 @@ +--- +version: 1 +rules: + - name: "Only save first n packets of TLS" + when: "fieldSet" + fields: + protocols: + - tls + ops: + _maxPacketsToSave: 15 diff --git a/arkime/scripts/arkime_update_geo.sh b/arkime/scripts/arkime_update_geo.sh index 64be5973e..aed3c1ccf 100755 --- a/arkime/scripts/arkime_update_geo.sh +++ b/arkime/scripts/arkime_update_geo.sh 
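Review bot: `userAuthIps=::,0.0.0.0/0` together with `userNameHeader=http_auth_http_user` makes the viewer accept a user-identity header from any source address, so authentication is fully delegated to whatever proxy sets that header and anyone who can reach `viewPort=8005` directly can impersonate any user; the file should state the deployment assumption, e.g. `# header auth is trusted from any IP: the viewer port MUST only be reachable via the authenticating nginx proxy` above `userAuthIps`. `passwordSecret=Malcolm` is a public placeholder; presumably docker_entrypoint.sh still substitutes `ARKIME_PASSWORD_SECRET` at startup (the sed that did so is removed elsewhere in this diff and its replacement is cut off), so `# placeholder, replaced from ARKIME_PASSWORD_SECRET at container start` would document that dependency. The new empty `bpf=` and `rulesFiles=` keys likewise give no hint whether the entrypoint fills them or whether empty is the intended default.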
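Review bot: Setting `_dontSaveSPI: 1` for sessions matching `packets.src: 1`, `packets.dst: 0`, `tcpflags.syn: 1` discards exactly the records an unanswered SYN scan or sweep leaves behind, so hunting for scanning activity in Arkime loses that evidence — likely an acceptable index-volume trade-off if Zeek and Suricata still log those connections, but it is a deliberate visibility decision the rule file should record: `# NOTE: drops unanswered single-SYN sessions (e.g. port scans) from SPI to reduce index volume; rely on Zeek/Suricata logs for scan detection`. Whether this file is loaded at all depends on `rulesFiles=` (empty in config.ini in this diff) being populated by the entrypoint, which is outside this hunk.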
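Review bot: `_maxPacketsToSave: 20` caps PCAP retention for SSH sessions at roughly the handshake, which is reasonable for encrypted traffic but means payload beyond those packets is permanently unrecoverable from PCAP; the rule should carry its rationale, e.g. `# keep only the handshake: encrypted SSH payload has little forensic value and consumes disk`. The filename `ssh_trunate.yml` (and the sibling `tls_trunate.yml`) misspells "truncate"; renaming now avoids a later rename that breaks any `rulesFiles=` reference.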
@@ -1,6 +1,6 @@
 #!/bin/sh
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 cd "${ARKIME_DIR:-/opt/arkime}"/etc
@@ -8,7 +8,7 @@ wget -nv --no-check-certificate -O ipv4-address-space.csv_new https://www.iana.o
 mv -f ipv4-address-space.csv_new ipv4-address-space.csv || \
 rm -f ipv4-address-space.csv_new
-wget -nv -O oui.txt_new https://gitlab.com/wireshark/wireshark/raw/release-4.0/manuf && \
+wget -nv -O oui.txt_new https://www.wireshark.org/download/automated/data/manuf && \
 mv -f oui.txt_new oui.txt || \
 rm -f oui.txt_new
diff --git a/arkime/scripts/docker_entrypoint.sh b/arkime/scripts/docker_entrypoint.sh
index a7b2fe542..1a6b4b031 100755
--- a/arkime/scripts/docker_entrypoint.sh
+++ b/arkime/scripts/docker_entrypoint.sh
@@ -9,8 +9,13 @@ function urlencodeall() {
 }
 ARKIME_DIR=${ARKIME_DIR:-"/opt/arkime"}
+ARKIME_RULES_DIR=${ARKIME_RULES_DIR:-"/opt/arkime/rules"}
+ARKIME_CONFIG_FILE="${ARKIME_DIR}"/etc/config.ini
 ARKIME_PASSWORD_SECRET=${ARKIME_PASSWORD_SECRET:-"Malcolm"}
 ARKIME_FREESPACEG=${ARKIME_FREESPACEG:-"10%"}
+CAPTURE_INTERFACE=${PCAP_IFACE:-}
+LIVE_CAPTURE=${ARKIME_LIVE_CAPTURE:-false}
+VIEWER_PORT=${ARKIME_VIEWER_PORT:-8005}
 MALCOLM_PROFILE=${MALCOLM_PROFILE:-"malcolm"}
 OPENSEARCH_URL_FINAL=${OPENSEARCH_URL:-"http://opensearch:9200"}
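Review bot: The new manuf URL points at Wireshark's continuously regenerated "automated" build rather than the pinned `release-4.0` branch the old line used, so the contents of `oui.txt` now change over time with no version the container can record, and TLS remains the only integrity check on what is written into `etc/`. That is probably acceptable for a vendor-OUI lookup table, but it deserves a comment so the next reader does not assume the file is pinned, e.g. `# unpinned: wireshark.org regenerates this file continuously; TLS is the only integrity check`. The hunk's context also shows the IANA fetch above still disabling certificate checking with `--no-check-certificate`, which the new wireshark line correctly does not do.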
@@ -45,22 +50,106 @@ if ( [[ "$OPENSEARCH_PRIMARY" == "opensearch-remote" ]] || [[ "$OPENSEARCH_PRIMA
 OPENSEARCH_URL_FINAL="${PROTOCOL}${NEW_USER}:${NEW_PASSWORD}@${HOSTPORT}"
 fi
-if [[ -r "${ARKIME_DIR}"/etc/config.orig.ini ]]; then
- cp "${ARKIME_DIR}"/etc/config.orig.ini "${ARKIME_DIR}"/etc/config.ini
- sed -i "s|^\(elasticsearch=\).*|\1"${OPENSEARCH_URL_FINAL}"|" "${ARKIME_DIR}"/etc/config.ini
- sed -i "s/^\(passwordSecret=\).*/\1"${ARKIME_PASSWORD_SECRET}"/" "${ARKIME_DIR}"/etc/config.ini
- sed -i "s/^\(freeSpaceG=\).*/\1"${ARKIME_FREESPACEG}"/" "${ARKIME_DIR}"/etc/config.ini
- if [[ "$MALCOLM_PROFILE" == "hedgehog" ]]; then
- sed -i "s/^\(userNameHeader=\)/# \1/" "${ARKIME_DIR}"/etc/config.ini
- sed -i "s/^\(userAuthIps=\)/# \1/" "${ARKIME_DIR}"/etc/config.ini
- sed -i "s/^\(userAutoCreateTmpl=\)/# \1/" "${ARKIME_DIR}"/etc/config.ini
- sed -i "s/^\(wiseHost=\)/# \1/" "${ARKIME_DIR}"/etc/config.ini
- sed -i "s/^\(wisePort=\)/# \1/" "${ARKIME_DIR}"/etc/config.ini
- sed -i "s/^\(plugins=\)/# \1/" "${ARKIME_DIR}"/etc/config.ini
- sed -i "s/^\(viewerPlugins=\)/# \1/" "${ARKIME_DIR}"/etc/config.ini
- sed -i '/^\[custom-fields\]/,$d' "${ARKIME_DIR}"/etc/config.ini
+# iff config.ini does not exist but config.orig.ini does, use it as a basis and modify based on env. vars
+if [[ ! -f "${ARKIME_CONFIG_FILE}" ]] && [[ -r "${ARKIME_DIR}"/etc/config.orig.ini ]]; then
+ cp "${ARKIME_DIR}"/etc/config.orig.ini "${ARKIME_CONFIG_FILE}"
+
+ sed -i "s|^\(elasticsearch=\).*|\1"${OPENSEARCH_URL_FINAL}"|" "${ARKIME_CONFIG_FILE}"
+ sed -i "s/^\(passwordSecret=\).*/\1"${ARKIME_PASSWORD_SECRET}"/" "${ARKIME_CONFIG_FILE}"
+ sed -i "s/^\(freeSpaceG=\).*/\1"${ARKIME_FREESPACEG}"/" "${ARKIME_CONFIG_FILE}"
+ sed -i "s/^\(viewPort=\).*/\1"${VIEWER_PORT}"/" "${ARKIME_CONFIG_FILE}"
+ sed -i "s/^\(pcapDir=\).*/\1\/data\/pcap\/arkime-live/" "${ARKIME_CONFIG_FILE}"
+
+ # performance tuning parameters
+ [[ -n "$ARKIME_DB_BULK_SIZE" ]] && \
+ sed -r -i "s/(dbBulkSize)\s*=\s*.*/\1=$ARKIME_DB_BULK_SIZE/" "${ARKIME_CONFIG_FILE}"
+ [[ -n "$ARKIME_MAGIC_MODE" ]] && \
+ sed -r -i "s/(magicMode)\s*=\s*.*/\1=$ARKIME_MAGIC_MODE/" "${ARKIME_CONFIG_FILE}"
+ [[ -n "$ARKIME_MAX_PACKETS_IN_QUEUE" ]] && \
+ sed -r -i "s/(maxPacketsInQueue)\s*=\s*.*/\1=$ARKIME_MAX_PACKETS_IN_QUEUE/" "${ARKIME_CONFIG_FILE}"
+ [[ -n "$ARKIME_PACKET_THREADS" ]] && \
+ sed -r -i "s/(packetThreads)\s*=\s*.*/\1=$ARKIME_PACKET_THREADS/" "${ARKIME_CONFIG_FILE}"
+ [[ -n "$ARKIME_PCAP_WRITE_METHOD" ]] && \
+ sed -r -i "s/(pcapWriteMethod)\s*=\s*.*/\1=$ARKIME_PCAP_WRITE_METHOD/" "${ARKIME_CONFIG_FILE}"
+ [[ -n "$ARKIME_PCAP_WRITE_SIZE" ]] && \
+ sed -r -i "s/(pcapWriteSize)\s*=\s*.*/\1=$ARKIME_PCAP_WRITE_SIZE/" "${ARKIME_CONFIG_FILE}"
+ [[ -n "$ARKIME_PCAP_READ_METHOD" ]] && \
+ sed -r -i "s/(pcapReadMethod)\s*=\s*.*/\1=$ARKIME_PCAP_READ_METHOD/" "${ARKIME_CONFIG_FILE}"
+ [[ -n "$ARKIME_TPACKETV3_NUM_THREADS" ]] && \
+ sed -r -i "s/(tpacketv3NumThreads)\s*=\s*.*/\1=$ARKIME_TPACKETV3_NUM_THREADS/" "${ARKIME_CONFIG_FILE}"
+ [[ -n "$ARKIME_TPACKETV3_BLOCK_SIZE" ]] && \
+ sed -r -i "s/(tpacketv3BlockSize)\s*=\s*.*/\1=$ARKIME_TPACKETV3_BLOCK_SIZE/" "${ARKIME_CONFIG_FILE}"
+
+ # capture interface(s)
+ if [[ -n "$CAPTURE_INTERFACE" ]] && [[ "$LIVE_CAPTURE" == "true" ]] ; then
+
+ # in config.ini multiple interfaces are separated by ;
+ ARKIME_CAPTURE_INTERFACE="$(echo "$CAPTURE_INTERFACE" | sed "s/,/;/g")"
+
+ # place capture interfaces in the config file
+ sed -r -i "s|(interface)\s*=\s*.*|\1=$ARKIME_CAPTURE_INTERFACE|" "${ARKIME_CONFIG_FILE}"
+ sed -i "s/^\(readTruncatedPackets=\).*/\1"false"/" "${ARKIME_CONFIG_FILE}"
+ sed -r -i "s/(bpf)\s*=\s*.*/\1=${PCAP_FILTER:-}/" "${ARKIME_CONFIG_FILE}"
+
+ # convert pcap rotation size units (MB to GB) and stick in config file
+ if [[ -n $PCAP_ROTATE_MEGABYTES ]]; then
+ PCAP_ROTATE_GIGABYTES=$(echo "($PCAP_ROTATE_MEGABYTES + 1024 - 1)/1024" | bc)
+ sed -r -i "s/(maxFileSizeG)\s*=\s*.*/\1=$PCAP_ROTATE_GIGABYTES/" "${ARKIME_CONFIG_FILE}"
+ fi
+
+ # convert pcap rotation time units (sec to min) and stick in config file
+ if [[ -n $PCAP_ROTATE_SECONDS ]]; then
+ PCAP_ROTATE_MINUTES=$(echo "($PCAP_ROTATE_SECONDS + 60 - 1)/60" | bc)
+ sed -r -i "s/(maxFileTimeM)\s*=\s*.*/\1=$PCAP_ROTATE_MINUTES/" "${ARKIME_CONFIG_FILE}"
+ fi
+
+ # pcap compression
+ COMPRESSION_TYPE="${ARKIME_COMPRESSION_TYPE:-none}"
+ COMPRESSION_LEVEL="${ARKIME_COMPRESSION_LEVEL:-0}"
+ sed -r -i "s/(simpleCompression)\s*=\s*.*/\1=$COMPRESSION_TYPE/" "${ARKIME_CONFIG_FILE}"
+ if [[ "$COMPRESSION_TYPE" == "zstd" ]]; then
+ sed -r -i "s/(simpleZstdLevel)\s*=\s*.*/\1=$COMPRESSION_LEVEL/" "${ARKIME_CONFIG_FILE}"
+ elif [[ "$COMPRESSION_TYPE" == "gzip" ]]; then
+ sed -r -i "s/(simpleGzipLevel)\s*=\s*.*/\1=$COMPRESSION_LEVEL/" "${ARKIME_CONFIG_FILE}"
+ fi
+
+ # ensure capabilities for capture
+ setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' "${ARKIME_DIR}"/bin/capture || true
+ setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /sbin/ethtool || true
+
+ # disable NIC hardware offloading features and adjust ring buffer sizes for each interface
+ for IFACE in ${CAPTURE_INTERFACE//,/ }; do
+
+ [[ "${PCAP_IFACE_TWEAK:-false}" == "true" ]] && \
+ [[ "$IFACE" != "lo" ]] && \
+ [[ -x /usr/local/bin/nic-capture-setup.sh ]] && \
+ /usr/local/bin/nic-capture-setup.sh "$IFACE" >/dev/null 2>&1 || true
+
+ done # loop over capture interfaces
+
+ fi # capture interface(s) defined and live capture enabled
+
+ # rules files
+ if [[ -d "${ARKIME_RULES_DIR}" ]]; then
+ RULES_FILES="$(find "${ARKIME_RULES_DIR}" -mindepth 1 -maxdepth 1 -type f -size +0c \( -name '*.yml' -o -name '*.yaml' \) | tr '\n' ';' | sed 's/;$//' )"
+ sed -r -i "s|(rulesFiles)\s*=\s*.*|\1=$RULES_FILES|" "${ARKIME_CONFIG_FILE}"
+ fi
+
+ # comment-out features that are unused in hedgehog run profile mode and in live-capture mode
+ if [[ "$MALCOLM_PROFILE" == "hedgehog" ]] || [[ "$LIVE_CAPTURE" == "true" ]]; then
+ sed -i "s/^\(userNameHeader=\)/# \1/" "${ARKIME_CONFIG_FILE}"
+ sed -i "s/^\(userAuthIps=\)/# \1/" "${ARKIME_CONFIG_FILE}"
+ sed -i "s/^\(userAutoCreateTmpl=\)/# \1/" "${ARKIME_CONFIG_FILE}"
+ sed -i "s/^\(wiseHost=\)/# \1/" "${ARKIME_CONFIG_FILE}"
+ sed -i "s/^\(wisePort=\)/# \1/" "${ARKIME_CONFIG_FILE}"
+ sed -i "s/^\(plugins=\)/# \1/" "${ARKIME_CONFIG_FILE}"
+ sed -i "s/^\(viewerPlugins=\)/# \1/" "${ARKIME_CONFIG_FILE}"
+ sed -i '/^\[custom-fields\]/,$d' "${ARKIME_CONFIG_FILE}"
 fi
- chmod 600 "${ARKIME_DIR}"/etc/config.ini
+
+ chmod 600 "${ARKIME_CONFIG_FILE}" || true
+ [[ -n ${PUID} ]] && chown -f ${PUID} "${ARKIME_CONFIG_FILE}" || true
+ [[ -n ${PGID} ]] && chown -f :${PGID} "${ARKIME_CONFIG_FILE}" || true
 fi
 unset OPENSEARCH_URL_FINAL
diff --git a/arkime/scripts/initarkime.sh b/arkime/scripts/initarkime.sh
index 06f59eb28..a47caab03 100755
--- a/arkime/scripts/initarkime.sh
+++ b/arkime/scripts/initarkime.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 MALCOLM_PROFILE=${MALCOLM_PROFILE:-"malcolm"}
 OPENSEARCH_URL=${OPENSEARCH_URL:-"http://opensearch:9200"}
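Review bot: The `bpf` substitution uses `/` as the sed delimiter and interpolates `${PCAP_FILTER:-}` unescaped, so any filter containing a CIDR (`not net 10.0.0.0/8`, a very common form) makes sed fail with "unknown option to `s'", leaving the `bpf=` line untouched and the requested filter silently not applied — the script does not appear to stop on that error; an `&` in the filter would likewise be expanded to the matched text. The `interface` and `rulesFiles` lines a few lines away already use `|` for exactly this reason, so I would escape the value and match them: `PCAP_FILTER_SED="$(printf '%s' "${PCAP_FILTER:-}" | sed 's/[\\&|]/\\&/g')"` followed by `sed -r -i "s|(bpf)\s*=\s*.*|\1=${PCAP_FILTER_SED}|" "${ARKIME_CONFIG_FILE}"`. The `passwordSecret` substitution near the top of the block has the same exposure for a secret containing `/` or `&`, and since the value is a secret, a failure there is harder to notice than a missing capture filter.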
@@ -35,12 +35,12 @@ fi
 if [[ "$MALCOLM_PROFILE" == "malcolm" ]]; then
- echo "Giving $OPENSEARCH_PRIMARY time to start..."
- /opt/opensearch_status.sh 2>&1 && echo "$OPENSEARCH_PRIMARY is running!"
- # download and/or update geo updates
 $ARKIME_DIR/bin/arkime_update_geo.sh
+ echo "Giving $OPENSEARCH_PRIMARY time to start..."
+ /opt/opensearch_status.sh 2>&1 && echo "$OPENSEARCH_PRIMARY is running!"
+ # start and wait patiently for WISE
 if [[ "$WISE" = "on" ]] ; then
 touch /var/run/arkime/runwise
@@ -56,7 +56,7 @@ if [[ "$MALCOLM_PROFILE" == "malcolm" ]]; then
 fi
 # initialize the contents of the OpenSearch database if it has never been initialized (ie., the users_v# table hasn't been created)
- if [[ $(curl "${CURL_CONFIG_PARAMS[@]}" -fs -XGET -H'Content-Type: application/json' "${OPENSEARCH_URL}/_cat/indices/arkime_users_v*" | wc -l) < 1 ]]; then
+ if (( $(curl "${CURL_CONFIG_PARAMS[@]}" -fs -XGET -H'Content-Type: application/json' "${OPENSEARCH_URL}/_cat/indices/arkime_users_v*" | wc -l) < 1 )); then
 echo "Initializing $OPENSEARCH_PRIMARY database..."
@@ -71,7 +71,7 @@ if [[ "$MALCOLM_PROFILE" == "malcolm" ]]; then
 # this is a hacky way to get all of the Arkime-parseable field definitions put into E.S.
 touch /tmp/not_a_packet.pcap
- $ARKIME_DIR/bin/capture $DB_SSL_FLAG --packetcnt 0 -r /tmp/not_a_packet.pcap >/dev/null 2>&1
+ $ARKIME_DIR/bin/capture-offline $DB_SSL_FLAG --packetcnt 0 -r /tmp/not_a_packet.pcap >/dev/null 2>&1
 rm -f /tmp/not_a_packet.pcap
 echo "Initializing views..."
diff --git a/arkime/scripts/live_capture.sh b/arkime/scripts/live_capture.sh
new file mode 100755
index 000000000..19072706a
--- /dev/null
+++ b/arkime/scripts/live_capture.sh
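Review bot: The `(( … < 1 ))` form is the right fix (inside `[[ ]]`, `<` was a string comparison), but the condition still cannot distinguish "no `arkime_users_v*` index" from "curl failed": with `-fs`, a transport, TLS or credential error prints nothing, `wc -l` yields 0, and the script proceeds to "Initializing … database" against an instance that may already be populated. I'd capture curl's exit status separately, e.g. `USERS_IDX="$(curl "${CURL_CONFIG_PARAMS[@]}" -fs -XGET -H'Content-Type: application/json' "${OPENSEARCH_URL}/_cat/indices/arkime_users_v*")"; CURL_RC=$?` and then `if (( CURL_RC == 0 )) && [[ -z "$USERS_IDX" ]]; then`, which assumes `_cat/indices` with a non-matching wildcard returns 200 and an empty body — worth verifying against the deployed OpenSearch. What the initialization block actually does to an existing database is outside this hunk, so the blast radius may be smaller than it reads here.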
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+
+ARKIME_DIR=${ARKIME_DIR:-"/opt/arkime"}
+CERT_FILE="${ARKIME_DIR}"/etc/viewer.crt
+KEY_FILE="${ARKIME_DIR}"/etc/viewer.key
+ARKIME_PACKET_THREADS=${ARKIME_PACKET_THREADS:-1}
+PUSER=${PUSER:-"arkime"}
+PGROUP=${PGROUP:-"arkime"}
+NODE_NAME=${PCAP_NODE_NAME:-"malcolm"}-live
+NODE_HOST=${ARKIME_LIVE_NODE_HOST:-""}
+
+OPENSEARCH_PRIMARY=${OPENSEARCH_PRIMARY:-"opensearch-local"}
+OPENSEARCH_URL=${OPENSEARCH_URL:-"http://opensearch:9200"}
+OPENSEARCH_PRIMARY=${OPENSEARCH_PRIMARY:-"opensearch-local"}
+OPENSEARCH_SSL_CERTIFICATE_VERIFICATION=${OPENSEARCH_SSL_CERTIFICATE_VERIFICATION:-"false"}
+OPENSEARCH_CREDS_CONFIG_FILE=${OPENSEARCH_CREDS_CONFIG_FILE:-"/var/local/curlrc/.opensearch.primary.curlrc"}
+if ( [[ "$OPENSEARCH_PRIMARY" == "opensearch-remote" ]] || [[ "$OPENSEARCH_PRIMARY" == "elasticsearch-remote" ]] ) && [[ -r "$OPENSEARCH_CREDS_CONFIG_FILE" ]]; then
+ CURL_CONFIG_PARAMS=(
+ --config
+ "$OPENSEARCH_CREDS_CONFIG_FILE"
+ )
+else
+ CURL_CONFIG_PARAMS=()
+fi
+
+rm -f /var/run/arkime/initialized /var/run/arkime/runwise
+
+# make sure TLS certificates exist prior to starting up
+CERT_FILE=$ARKIME_DIR/etc/viewer.crt
+KEY_FILE=$ARKIME_DIR/etc/viewer.key
+if ( [[ ! -f "$CERT_FILE" ]] || [[ ! -f "$KEY_FILE" ]] ) && [[ -x /usr/local/bin/self_signed_key_gen.sh ]]; then
+ rm -f "$CERT_FILE" "$KEY_FILE" ./newcerts
+ pushd $ARKIME_DIR/etc/ >/dev/null 2>&1
+ /usr/local/bin/self_signed_key_gen.sh -n -o ./newcerts >/dev/null 2>&1
+ mv ./newcerts/server.crt "$CERT_FILE"
+ mv ./newcerts/server.key "$KEY_FILE"
+ rm -rf ./newcerts
+ popd >/dev/null 2>&1
+fi
+
+# download and/or update geo updates
+$ARKIME_DIR/bin/arkime_update_geo.sh
+
+# we haven't dropUser/dropGroup'ed yet, so make sure the regular user owns the files we just touched
+[[ -n ${PUID} ]] && [[ -n ${PGID} ]] && chown -f -R ${PUID}:${PGID} "${ARKIME_DIR}"/etc/ || true
+
+# wait patiently for the non-live Arkime to initialize the database
+echo "Giving $OPENSEARCH_PRIMARY time to start..."
+/opt/opensearch_status.sh -t malcolm_template 2>&1 && echo "$OPENSEARCH_PRIMARY is running!"
+echo "Giving Arkime time to initialize..."
+sleep 5
+until (( $(curl "${CURL_CONFIG_PARAMS[@]}" -fs -XGET -H'Content-Type: application/json' "${OPENSEARCH_URL}/_cat/indices/arkime_users_v*" | wc -l) >= 1 )); do
+ sleep 1
+done
+
+# this will also allow viewer to kick off
+touch /var/run/arkime/initialized
+
+echo "Arkime is initialized!"
+echo
+
+"${ARKIME_DIR}"/bin/capture --insecure \
+ -c "${ARKIME_DIR}"/etc/config.ini \
+ -o pcapDir=/data/pcap/arkime-live \
+ -o dropUser=${PUSER} \
+ -o dropGroup=${PGROUP} \
+ -o ecsEventProvider=arkime \
+ -o ecsEventDataset=session \
+ --node "${NODE_NAME}" \
+ --host "${NODE_HOST}"
diff --git a/arkime/scripts/viewer_service.sh b/arkime/scripts/viewer_service.sh
index d1785b49b..00314c460 100755
--- a/arkime/scripts/viewer_service.sh
+++ b/arkime/scripts/viewer_service.sh
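Review bot: `capture` is launched with a hard-coded `--insecure` even though the script reads `OPENSEARCH_SSL_CERTIFICATE_VERIFICATION` at the top and then never uses it, so a deployment that turns verification on still gets unverified TLS to OpenSearch from the live capturer. wipearkime.sh in this same change shows the pattern the rest of the scripts use; I'd mirror it with `[[ "${OPENSEARCH_SSL_CERTIFICATE_VERIFICATION}" != "true" ]] && DB_SSL_FLAG="--insecure" || DB_SSL_FLAG=""` and `"${ARKIME_DIR}"/bin/capture ${DB_SSL_FLAG} \`. Smaller points in the same file: `OPENSEARCH_PRIMARY` is assigned twice and `CERT_FILE`/`KEY_FILE` are set at the top and again just before the certificate check, so one copy of each can go; `pushd $ARKIME_DIR/etc/` is unquoted while the surrounding lines quote `${ARKIME_DIR}`; and this new file carries a 2023 copyright line while the commit bumps every other header to 2024.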
@@ -1,13 +1,15 @@
 #!/bin/bash
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
+
+[[ "${ARKIME_LIVE_CAPTURE:-false}" == "true" ]] && LIVE_NODE_FLAG=-live || LIVE_NODE_FLAG=
 while true; do
 if [[ -f /var/run/arkime/initialized && "$VIEWER" == "on" ]]; then
 echo "Launch viewer..."
 rm -f $ARKIME_DIR/logs/viewer*
 pushd $ARKIME_DIR/viewer >/dev/null 2>&1
- $ARKIME_DIR/bin/node viewer.js --insecure -n "${PCAP_NODE_NAME:-malcolm}" -c $ARKIME_DIR/etc/config.ini | tee -a $ARKIME_DIR/logs/viewer.log 2>&1
+ $ARKIME_DIR/bin/node viewer.js --insecure -n "${PCAP_NODE_NAME:-malcolm}${LIVE_NODE_FLAG}" -c $ARKIME_DIR/etc/config.ini
 popd >/dev/null 2>&1
 fi
 sleep 5
diff --git a/arkime/scripts/wipearkime.sh b/arkime/scripts/wipearkime.sh
index 99b010118..6779dd6d1 100755
--- a/arkime/scripts/wipearkime.sh
+++ b/arkime/scripts/wipearkime.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 [[ ${OPENSEARCH_SSL_CERTIFICATE_VERIFICATION:-"false"} != "true" ]] && DB_SSL_FLAG="--insecure" || DB_SSL_FLAG=""
 OPENSEARCH_URL_FULL="$(grep -Pi '^elasticsearch\s*=' $ARKIME_DIR/etc/config.ini | cut -d'=' -f2-)"
diff --git a/arkime/scripts/wise_service.sh b/arkime/scripts/wise_service.sh
index ff9e26b34..199d39977 100755
--- a/arkime/scripts/wise_service.sh
+++ b/arkime/scripts/wise_service.sh
@@ -1,13 +1,13 @@
 #!/bin/bash
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 while true; do
 if [[ ("$WISE" == "on") && (-f /var/run/arkime/runwise) && (-f $ARKIME_DIR/etc/wise.ini) ]]; then
 echo "Launch wise..."
 rm -f $ARKIME_DIR/logs/wise*
 pushd $ARKIME_DIR/wiseService >/dev/null 2>&1
- $ARKIME_DIR/bin/node wiseService.js --insecure -c $ARKIME_DIR/etc/wise.ini | tee -a $ARKIME_DIR/logs/wise.log 2>&1
+ $ARKIME_DIR/bin/node wiseService.js --insecure -c $ARKIME_DIR/etc/wise.ini
 popd >/dev/null 2>&1
 fi
 sleep 5
diff --git a/arkime/supervisord.conf b/arkime/supervisord.conf
index 44d0d10ed..57ba0656d 100644
--- a/arkime/supervisord.conf
+++ b/arkime/supervisord.conf
@@ -1,4 +1,4 @@
-; Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+; Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 [unix_http_server]
 file=/tmp/supervisor.sock ; (the path to the socket file)
@@ -6,6 +6,7 @@ chmod=0700
 [supervisord]
 nodaemon=true
+user=root
 logfile=/dev/null
 logfile_maxbytes=0
 pidfile=/tmp/supervisord.pid
@@ -20,7 +21,7 @@ serverurl=unix:///tmp/supervisor.sock
 command=/opt/initarkime.sh
 startsecs=0
 startretries=0
-autostart=true
+autostart=%(ENV_ARKIME_PCAP_PROCESSOR)s
 autorestart=false
 stopasgroup=true
 killasgroup=true
@@ -28,6 +29,7 @@ directory=%(ENV_ARKIME_DIR)s
 stdout_logfile=/dev/fd/1
 stdout_logfile_maxbytes=0
 redirect_stderr=true
+user=%(ENV_PUSER)s
 [program:wise]
 command=/opt/wise_service.sh
@@ -38,8 +40,10 @@ autorestart=true
 stopasgroup=true
 killasgroup=true
 directory=%(ENV_ARKIME_DIR)s/wiseService
-stdout_logfile=%(ENV_ARKIME_DIR)s/logs/wise.log
+stdout_logfile=/dev/fd/1
+stdout_logfile_maxbytes=0
 redirect_stderr=true
+user=%(ENV_PUSER)s
 [program:viewer]
 command=/opt/viewer_service.sh
@@ -53,25 +57,44 @@ directory=%(ENV_ARKIME_DIR)s stdout_logfile=/dev/fd/1 stdout_logfile_maxbytes=0 redirect_stderr=true +user=%(ENV_PUSER)s [program:pcap-arkime] command=python3 /opt/pcap_arkime_processor.py %(ENV_PCAP_PIPELINE_VERBOSITY)s --start-sleep 10 - --threads %(ENV_ARKIME_ANALYZE_PCAP_THREADS)s + --threads %(ENV_ARKIME_AUTO_ANALYZE_PCAP_THREADS)s --publisher "%(ENV_PCAP_MONITOR_HOST)s" --pcap-directory /data/pcap/processed --node "%(ENV_PCAP_NODE_NAME)s" - --host "%(ENV_PCAP_NODE_HOST)s" - --arkime /opt/arkime/bin/capture + --arkime "%(ENV_ARKIME_DIR)s"/bin/capture-offline + --autoarkime "%(ENV_ARKIME_AUTO_ANALYZE_PCAP_FILES)s" + --forcearkime "%(ENV_ARKIME_ROTATED_PCAP)s" --autotag "%(ENV_AUTO_TAG)s" --managed "%(ENV_MANAGE_PCAP_FILES)s" startsecs=15 startretries=1 -autostart=true -autorestart=true +autostart=%(ENV_ARKIME_PCAP_PROCESSOR)s +autorestart=%(ENV_ARKIME_PCAP_PROCESSOR)s stopasgroup=true killasgroup=true directory=%(ENV_ARKIME_DIR)s stdout_logfile=/dev/fd/1 stdout_logfile_maxbytes=0 redirect_stderr=true +user=%(ENV_PUSER)s + +[program:live-arkime] +command=/opt/live_capture.sh +autostart=%(ENV_ARKIME_LIVE_CAPTURE)s +autorestart=%(ENV_ARKIME_LIVE_CAPTURE)s +startsecs=30 +startretries=2000000000 +stopwaitsecs=15 +stopasgroup=true +killasgroup=true +stdout_logfile=/dev/fd/1 +stdout_logfile_maxbytes=0 +redirect_stderr=true +user=root ; fear not, capture will dropUser/dropGroup to PUSER +directory=/data/pcap/arkime-live + diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js index 0e577bebf..652fab83d 100644 --- a/arkime/wise/source.zeeklogs.js +++ b/arkime/wise/source.zeeklogs.js 
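Review bot: Every `%(ENV_…)s` reference in this file is mandatory for supervisord — if I remember its config parsing correctly, an unset variable aborts loading of the whole configuration rather than just that program — so after this change `ARKIME_PCAP_PROCESSOR`, `ARKIME_LIVE_CAPTURE`, `ARKIME_AUTO_ANALYZE_PCAP_THREADS`, `ARKIME_AUTO_ANALYZE_PCAP_FILES`, `ARKIME_ROTATED_PCAP` and `PUSER` all become hard requirements of the container environment, and that is not written down anywhere. A short comment at the top of `[program:live-arkime]` (or of the file) listing them would spare the next operator a confusing start-up failure; the new env.example files in this diff set most of them, but `PUSER` is not set by any of them. The inline remark on `user=root` explains the privilege drop, but it is worth adding that everything live_capture.sh does before exec'ing `capture` — certificate generation, the recursive chown of `etc/`, the OpenSearch polling loop — runs as root, since that is the part an operator auditing the root-running program will care about.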
@@ -10,7 +10,7 @@ const WISESource = require('./wiseSource.js');
 // Data may be populated with Malcolm's Logstash filters:
 // (https://github.com/cisagov/Malcolm/tree/main/logstash/pipelines)
 //
-// Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+// Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 // see https://raw.githubusercontent.com/cisagov/Malcolm/main/LICENSE.txt
 //////////////////////////////////////////////////////////////////////////////////
diff --git a/config/arkime-live.env.example b/config/arkime-live.env.example
new file mode 100644
index 000000000..da1d54b02
--- /dev/null
+++ b/config/arkime-live.env.example
@@ -0,0 +1,25 @@
+# Whether or Arkime should monitor live traffic on a local
+# interface (PCAP_IFACE in pcap-capture.env specifies interface)
+ARKIME_LIVE_CAPTURE=false
+
+# Live capture tuning parameters
+ARKIME_COMPRESSION_TYPE=none
+ARKIME_COMPRESSION_LEVEL=0
+ARKIME_DB_BULK_SIZE=4000000
+ARKIME_MAGIC_MODE=basic
+ARKIME_MAX_PACKETS_IN_QUEUE=300000
+ARKIME_PACKET_THREADS=2
+ARKIME_PCAP_WRITE_METHOD=simple
+ARKIME_PCAP_WRITE_SIZE=2560000
+ARKIME_PCAP_READ_METHOD=tpacketv3
+ARKIME_TPACKETV3_NUM_THREADS=2
+ARKIME_TPACKETV3_BLOCK_SIZE=8388608
+
+# The node host (e.g., the IP address of the machine running Malcolm) to associate with
+# network traffic metadata when ARKIME_LIVE_CAPTURE is true
+# (optional, defaults to PCAP_NODE_NAME if unspecified)
+ARKIME_LIVE_NODE_HOST=
+
+ARKIME_PCAP_PROCESSOR=false
+VIEWER=on
+WISE=off
\ No newline at end of file
diff --git a/config/arkime-offline.env.example b/config/arkime-offline.env.example
new file mode 100644
index 000000000..aa53cdc87
--- /dev/null
+++ b/config/arkime-offline.env.example
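Review bot: The first comment line of arkime-live.env.example reads `# Whether or Arkime should monitor live traffic…` — the "not" is missing. The comment on `ARKIME_LIVE_NODE_HOST` says it "defaults to PCAP_NODE_NAME if unspecified", but live_capture.sh in this same change passes `--host "${NODE_HOST}"` with an empty string and names the node `${PCAP_NODE_NAME}-live`; whether `capture` substitutes the node name for an empty `--host` is not visible here, so either confirm that behaviour or soften the comment to say what the script actually does. The file also ends without a trailing newline (`WISE=off`), which the diff flags and most linters will too.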
@@ -0,0 +1,14 @@
+# Whether or not Arkime should analyze uploaded PCAP files
+ARKIME_AUTO_ANALYZE_PCAP_FILES=true
+# The number of Arkime processes for analyzing uploaded PCAP files allowed
+# to run concurrently
+ARKIME_AUTO_ANALYZE_PCAP_THREADS=1
+# Whether or not Arkime should analyze captured PCAP files captured
+# by netsniff-ng/tcpdump (see PCAP_ENABLE_NETSNIFF and PCAP_ENABLE_TCPDUMP
+# below). If ARKIME_LIVE_CAPTURE is true, this should be false: otherwise
+# Arkime will see duplicate traffic.
+ARKIME_ROTATED_PCAP=true
+
+ARKIME_PCAP_PROCESSOR=true
+VIEWER=on
+WISE=on
\ No newline at end of file
diff --git a/config/arkime.env.example b/config/arkime.env.example
index 8248a636d..3df6ecfc1 100644
--- a/config/arkime.env.example
+++ b/config/arkime.env.example
@@ -1,8 +1,7 @@
+ARKIME_VIEWER_PORT=8005
 # Whether or not Arkime is allowed to delete uploaded/captured PCAP (see
 # https://arkime.com/faq#pcap-deletion)
 MANAGE_PCAP_FILES=false
 ARKIME_FREESPACEG=10%
-# The number of Arkime capture processes allowed to run concurrently
-ARKIME_ANALYZE_PCAP_THREADS=1
 OPENSEARCH_MAX_SHARDS_PER_NODE=2500
\ No newline at end of file
diff --git a/config/suricata.env.example b/config/suricata.env.example
index aada5d39a..d652854ae 100644
--- a/config/suricata.env.example
+++ b/config/suricata.env.example
@@ -3,6 +3,7 @@ SURICATA_CUSTOM_RULES_ONLY=false
 SURICATA_UPDATE_RULES=false
 SURICATA_UPDATE_DEBUG=false
 SURICATA_UPDATE_ETOPEN=true
+SURICATA_DISABLE_ICS_ALL=false
 # suricata_config_populate.py can use MANY more environment variables to tweak
 # suricata.yaml (see https://github.com/OISF/suricata/blob/master/suricata.yaml.in and
 # https://suricata.readthedocs.io/en/latest/configuration/suricata-yaml.html).
diff --git a/config/upload-common.env.example b/config/upload-common.env.example
index 17a89fd95..ad55df213 100644
--- a/config/upload-common.env.example
+++ b/config/upload-common.env.example
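Review bot: The comment on `ARKIME_ROTATED_PCAP` points the reader to `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP` "below", but arkime-offline.env.example ends a few lines later without them; presumably they live in pcap-capture.env (the file arkime-live.env.example names for `PCAP_IFACE`), so I'd write `(see PCAP_ENABLE_NETSNIFF and PCAP_ENABLE_TCPDUMP in pcap-capture.env)`. The sentence that this must be false when `ARKIME_LIVE_CAPTURE` is true describes a cross-file invariant that nothing enforces — docker_entrypoint.sh could at least warn when both are true — and at minimum the same warning belongs next to `ARKIME_LIVE_CAPTURE` in arkime-live.env.example, since that is the file an operator edits when turning live capture on.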
@@ -4,9 +4,6 @@ AUTO_TAG=true
 # The node name (e.g., the hostname of this machine running Malcolm) to associate with
 # network traffic metadata
 PCAP_NODE_NAME=malcolm
-# The node host (e.g., the IP address of the machine running Malcolm) to associate with
-# network traffic metadata (optional, defaults to PCAP_NODE_NAME if unspecified)
-PCAP_NODE_HOST=
 # Verbosity flag for pcap pipeline debugging (e.g., -v, -vv, -vvv, etc.)
 PCAP_PIPELINE_VERBOSITY=
 # Whether or not PCAP files extant in ./pcap/ will be ignored on startup
diff --git a/config/zeek-live.env.example b/config/zeek-live.env.example
index 3659dacac..4cf6fc0cb 100644
--- a/config/zeek-live.env.example
+++ b/config/zeek-live.env.example
@@ -5,6 +5,4 @@ ZEEK_LIVE_CAPTURE=false
 ZEEK_PCAP_PROCESSOR=false
 ZEEK_CRON=true
 ZEEK_LOG_PATH=/zeek/live
-ZEEK_INTEL_PATH=/opt/zeek/share/zeek/site/intel
-ZEEK_CUSTOM_PATH=/opt/zeek/share/zeek/site/custom
 EXTRACT_FILES_PATH=/zeek/extract_files
\ No newline at end of file
diff --git a/config/zeek.env.example b/config/zeek.env.example
index ca0c9d6c0..7e0e64249 100644
--- a/config/zeek.env.example
+++ b/config/zeek.env.example
@@ -12,6 +12,8 @@ ZEEK_INTEL_FEED_SINCE=
 # Specifies a cron expression indicating the refresh interval for generating the
 # Zeek Intelligence Framework files ('' disables automatic refresh)
 ZEEK_INTEL_REFRESH_CRON_EXPRESSION=
+# Number of threads to use for querying feeds for generating Zeek Intelligence Framework files
+ZEEK_INTEL_REFRESH_THREADS=2
 # Determines the file extraction behavior for file transfers detected by Zeek
 ZEEK_EXTRACTOR_MODE=none
 # Whether or not to use polling vs. native inotify API to watch for files
diff --git a/dashboards/dashboards/beats/db0312a0-e842-11ec-88e0-67bf497b7120.json b/dashboards/dashboards/beats/db0312a0-e842-11ec-88e0-67bf497b7120.json
deleted file mode 100644
index 06ff9ba5b..000000000
--- a/dashboards/dashboards/beats/db0312a0-e842-11ec-88e0-67bf497b7120.json
+++ /dev/null
@@ -1,212 +0,0 @@ -{ - "version": "2.0.0", - "objects": [ - { - "id": "db0312a0-e842-11ec-88e0-67bf497b7120", - "type": "dashboard", - "namespaces": [ - "default" - ], - "updated_at": "2022-06-09T23:00:39.461Z", - "version": "WzkyMywxXQ==", - "attributes": { - "title": "Malcolm Sensor Syslog", - "hits": 0, - "description": "Syslog logs from Malcolm sensors", - "panelsJSON": "[{\"version\":\"2.0.0\",\"gridData\":{\"x\":0,\"y\":0,\"w\":9,\"h\":19,\"i\":\"e1d6d345-c417-4f95-8907-17806a08cc34\"},\"panelIndex\":\"e1d6d345-c417-4f95-8907-17806a08cc34\",\"embeddableConfig\":{},\"panelRefName\":\"panel_0\"},{\"version\":\"2.0.0\",\"gridData\":{\"x\":9,\"y\":0,\"w\":9,\"h\":19,\"i\":\"ec19724f-f84a-4dde-acff-f539df5afef4\"},\"panelIndex\":\"ec19724f-f84a-4dde-acff-f539df5afef4\",\"embeddableConfig\":{},\"panelRefName\":\"panel_1\"},{\"version\":\"2.0.0\",\"gridData\":{\"x\":18,\"y\":0,\"w\":15,\"h\":19,\"i\":\"ff1d5bec-24fd-43b1-8a7b-e1b6942aa306\"},\"panelIndex\":\"ff1d5bec-24fd-43b1-8a7b-e1b6942aa306\",\"embeddableConfig\":{},\"panelRefName\":\"panel_2\"},{\"version\":\"2.0.0\",\"gridData\":{\"x\":33,\"y\":0,\"w\":15,\"h\":19,\"i\":\"6874104c-2a3e-432f-9cf1-3324dce134c9\"},\"panelIndex\":\"6874104c-2a3e-432f-9cf1-3324dce134c9\",\"embeddableConfig\":{},\"panelRefName\":\"panel_3\"},{\"version\":\"2.0.0\",\"gridData\":{\"x\":0,\"y\":19,\"w\":48,\"h\":19,\"i\":\"f8d075cc-f2fc-4da7-8c0b-c1e691386eaf\"},\"panelIndex\":\"f8d075cc-f2fc-4da7-8c0b-c1e691386eaf\",\"embeddableConfig\":{},\"panelRefName\":\"panel_4\"}]", - "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", - "version": 1, - "timeRestore": false, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}" - } - }, - "references": [ - { - "name": "panel_0", - "type": "visualization", - "id": "6ccdb970-e842-11ec-88e0-67bf497b7120" - }, - { - "name": "panel_1", - "type": "visualization", - "id": "a6549790-e842-11ec-88e0-67bf497b7120" - }, - { - 
"name": "panel_2", - "type": "visualization", - "id": "42bd0a50-e847-11ec-8b84-87a2d75f23b1" - }, - { - "name": "panel_3", - "type": "visualization", - "id": "8e4a7890-e847-11ec-8b84-87a2d75f23b1" - }, - { - "name": "panel_4", - "type": "search", - "id": "37139ac0-e842-11ec-88e0-67bf497b7120" - } - ], - "migrationVersion": { - "dashboard": "7.9.3" - } - }, - { - "id": "6ccdb970-e842-11ec-88e0-67bf497b7120", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-06-09T22:51:27.963Z", - "version": "WzkxMywxXQ==", - "attributes": { - "title": "Malcolm Sensor Syslog - Host", - "visState": "{\"title\":\"Malcolm Sensor Syslog - Host\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"log.syslog.hostname\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"unknown\",\"customLabel\":\"Host\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "name": "search_0", - "type": "search", - "id": "37139ac0-e842-11ec-88e0-67bf497b7120" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "a6549790-e842-11ec-88e0-67bf497b7120", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-06-09T22:51:27.963Z", - "version": "WzkxNCwxXQ==", - "attributes": { - "title": "Malcolm 
Sensor Syslog - Program", - "visState": "{\"title\":\"Malcolm Sensor Syslog - Program\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"log.syslog.appname\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":200,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Program\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", - "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":1,\"direction\":\"desc\"}}}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "name": "search_0", - "type": "search", - "id": "37139ac0-e842-11ec-88e0-67bf497b7120" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "42bd0a50-e847-11ec-8b84-87a2d75f23b1", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-06-09T22:55:30.164Z", - "version": "WzkyMSwxXQ==", - "attributes": { - "title": "Malcolm Sensor Syslog - Severity", - "visState": "{\"title\":\"Malcolm Sensor Syslog - 
Severity\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"log.syslog.severity.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":8,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}", - "uiStateJSON": "{\"vis\":{\"legendOpen\":true}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "name": "search_0", - "type": "search", - "id": "37139ac0-e842-11ec-88e0-67bf497b7120" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "8e4a7890-e847-11ec-8b84-87a2d75f23b1", - "type": "visualization", - "namespaces": [ - "default" - ], - "updated_at": "2022-06-09T22:57:36.921Z", - "version": "WzkyMiwxXQ==", - "attributes": { - "title": "Malcolm Sensor Syslog - Facility", - "visState": "{\"title\":\"Malcolm Sensor Syslog - 
Facility\",\"type\":\"horizontal_bar\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"log.syslog.facility.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Facility\"},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"log.syslog.facility.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Facility\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":200},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":75,\"filter\":true,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false,\"labels\":{},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", - "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", - "description": "", - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": 
"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" - }, - "savedSearchRefName": "search_0" - }, - "references": [ - { - "name": "search_0", - "type": "search", - "id": "37139ac0-e842-11ec-88e0-67bf497b7120" - } - ], - "migrationVersion": { - "visualization": "7.10.0" - } - }, - { - "id": "37139ac0-e842-11ec-88e0-67bf497b7120", - "type": "search", - "namespaces": [ - "default" - ], - "updated_at": "2022-06-09T22:51:27.963Z", - "version": "WzkxNSwxXQ==", - "attributes": { - "title": "Malcolm Sensor Syslog - Logs", - "description": "", - "hits": 0, - "columns": [ - "log.syslog.hostname", - "log.syslog.severity.name", - "log.syslog.facility.name", - "log.syslog.appname", - "event.original" - ], - "sort": [], - "version": 1, - "kibanaSavedObjectMeta": { - "searchSourceJSON": "{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":\"log.syslog:*\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" - } - }, - "references": [ - { - "name": "kibanaSavedObjectMeta.searchSourceJSON.index", - "type": "index-pattern", - "id": "malcolm_beats_*" - } - ], - "migrationVersion": { - "search": "7.9.3" - } - } - ] -} \ No newline at end of file diff --git a/dashboards/dashboards/beats/f6600310-9943-11ee-a029-e973f4774355.json b/dashboards/dashboards/beats/f6600310-9943-11ee-a029-e973f4774355.json new file mode 100644 index 000000000..6a4e2047e --- /dev/null +++ b/dashboards/dashboards/beats/f6600310-9943-11ee-a029-e973f4774355.json 
@@ -0,0 +1,251 @@ +{ + "version": "2.11.1", + "objects": [ + { + "id": "f6600310-9943-11ee-a029-e973f4774355", + "type": "dashboard", + "namespaces": [ + "default" + ], + "updated_at": "2023-12-14T22:33:38.334Z", + "version": "WzkzOCwxXQ==", + "attributes": { + "title": "Malcolm Sensor Journald Logs", + "hits": 0, + "description": "", + "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":19,\"i\":\"b514b4e8-689b-465e-8335-ca20c20d46fe\",\"w\":14,\"x\":0,\"y\":0},\"panelIndex\":\"b514b4e8-689b-465e-8335-ca20c20d46fe\",\"version\":\"2.11.1\",\"panelRefName\":\"panel_0\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"7a7cfec2-8688-45a7-9790-66b3f0e9fd7e\",\"w\":11,\"x\":14,\"y\":0},\"panelIndex\":\"7a7cfec2-8688-45a7-9790-66b3f0e9fd7e\",\"version\":\"2.11.1\",\"panelRefName\":\"panel_1\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":19,\"i\":\"2143906d-7adb-4de7-8484-2f87c8c98332\",\"w\":23,\"x\":25,\"y\":0},\"panelIndex\":\"2143906d-7adb-4de7-8484-2f87c8c98332\",\"version\":\"2.11.1\",\"panelRefName\":\"panel_2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"bb4d56fd-b110-4d58-b6aa-e4189bdba918\",\"w\":24,\"x\":0,\"y\":19},\"panelIndex\":\"bb4d56fd-b110-4d58-b6aa-e4189bdba918\",\"version\":\"2.11.1\",\"panelRefName\":\"panel_3\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":18,\"i\":\"4e4780cd-add6-4dbe-95ac-d11afbcd630c\",\"w\":24,\"x\":24,\"y\":19},\"panelIndex\":\"4e4780cd-add6-4dbe-95ac-d11afbcd630c\",\"version\":\"2.11.1\",\"panelRefName\":\"panel_4\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":32,\"i\":\"77bbae8a-66cd-4e30-9b90-c7ab7c271320\",\"w\":48,\"x\":0,\"y\":37},\"panelIndex\":\"77bbae8a-66cd-4e30-9b90-c7ab7c271320\",\"version\":\"2.11.1\",\"panelRefName\":\"panel_5\"}]", + "optionsJSON": "{\"hidePanelTitles\":false,\"useMargins\":true}", + "version": 1, + "timeRestore": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}" 
+ } + }, + "references": [ + { + "name": "panel_0", + "type": "visualization", + "id": "82e154f0-99e5-11ee-a12e-a134fdba98ea" + }, + { + "name": "panel_1", + "type": "visualization", + "id": "5a3cb5c0-99e6-11ee-a12e-a134fdba98ea" + }, + { + "name": "panel_2", + "type": "visualization", + "id": "02c189b0-99e6-11ee-a12e-a134fdba98ea" + }, + { + "name": "panel_3", + "type": "visualization", + "id": "81e6b660-99e7-11ee-a12e-a134fdba98ea" + }, + { + "name": "panel_4", + "type": "visualization", + "id": "9601eb20-99e6-11ee-a12e-a134fdba98ea" + }, + { + "name": "panel_5", + "type": "search", + "id": "c79c1e60-9943-11ee-a029-e973f4774355" + } + ], + "migrationVersion": { + "dashboard": "7.9.3" + } + }, + { + "id": "82e154f0-99e5-11ee-a12e-a134fdba98ea", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-12-14T22:33:38.334Z", + "version": "WzkzOSwxXQ==", + "attributes": { + "title": "Malcolm Sensor Journald - Logger", + "visState": "{\"title\":\"Malcolm Sensor Journald - Logger\",\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"log.logger\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}}}", + "uiStateJSON": "{\"vis\":{\"legendOpen\":false}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "c79c1e60-9943-11ee-a029-e973f4774355" + } + ], + 
"migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "5a3cb5c0-99e6-11ee-a12e-a134fdba98ea", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-12-14T22:50:36.981Z", + "version": "Wzk1NSwxXQ==", + "attributes": { + "title": "Malcolm Sensor Journald - Process UID", + "visState": "{\"title\":\"Malcolm Sensor Journald - Process UID\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"miscbeat.systemd.hostname\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Systemd Host\"},\"schema\":\"bucket\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"process.user.id\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Process UID\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":1,\"direction\":\"desc\"}}}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "c79c1e60-9943-11ee-a029-e973f4774355" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "02c189b0-99e6-11ee-a12e-a134fdba98ea", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-12-14T22:33:38.334Z", + "version": "Wzk0MSwxXQ==", + "attributes": { + "title": "Malcolm Sensor Journald - Logs by 
Host Over Time", + "visState": "{\"title\":\"Malcolm Sensor Journald - Logs by Host Over Time\",\"type\":\"histogram\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"date_histogram\",\"params\":{\"field\":\"@timestamp\",\"timeRange\":{\"from\":\"now-15m\",\"to\":\"now\"},\"useNormalizedOpenSearchInterval\":true,\"scaleMetricValues\":false,\"interval\":\"auto\",\"drop_partials\":false,\"min_doc_count\":1,\"extended_bounds\":{}},\"schema\":\"segment\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"miscbeat.systemd.hostname\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"Unknown\",\"customLabel\":\"Journald Host\"},\"schema\":\"group\"}],\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"filter\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"square root\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":true,\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"lineWidth\":2,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"bottom\",\"times\":[],\"addTimeMarker\":true,\"labels\":{\"show\":false},\"thresholdLine\":{\"show\":false,\"value\":10,\"width\":1,\"style\":\"full\",\"color\":\"#E7664C\"}}}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + 
"kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "c79c1e60-9943-11ee-a029-e973f4774355" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "81e6b660-99e7-11ee-a12e-a134fdba98ea", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-12-14T22:33:38.334Z", + "version": "Wzk0MiwxXQ==", + "attributes": { + "title": "Malcolm Sensor Journald - Systemd Unit", + "visState": "{\"title\":\"Malcolm Sensor Journald - Systemd Unit\",\"type\":\"table\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"miscbeat.systemd.systemd_unit\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Systemd Unit\"},\"schema\":\"bucket\"},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"miscbeat.systemd.systemd_user_unit\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"Systemd User Unit\"},\"schema\":\"bucket\"},{\"id\":\"4\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"miscbeat.systemd.user_unit\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":true,\"missingBucketLabel\":\"-\",\"customLabel\":\"User Unit\"},\"schema\":\"bucket\"}],\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\"}}", + "uiStateJSON": "{\"vis\":{\"sortColumn\":{\"colIndex\":3,\"direction\":\"desc\"}}}", + 
"description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "c79c1e60-9943-11ee-a029-e973f4774355" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "9601eb20-99e6-11ee-a12e-a134fdba98ea", + "type": "visualization", + "namespaces": [ + "default" + ], + "updated_at": "2023-12-14T22:33:38.334Z", + "version": "Wzk0MywxXQ==", + "attributes": { + "title": "Malcolm Sensor Journald - Process Name", + "visState": "{\"title\":\"Malcolm Sensor Journald - Process Name\",\"type\":\"tagcloud\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"params\":{},\"schema\":\"metric\"},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"params\":{\"field\":\"process.name\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":50,\"otherBucket\":true,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"},\"schema\":\"segment\"}],\"params\":{\"scale\":\"square root\",\"orientation\":\"single\",\"minFontSize\":18,\"maxFontSize\":72,\"showLabel\":false}}", + "uiStateJSON": "{}", + "description": "", + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}" + }, + "savedSearchRefName": "search_0" + }, + "references": [ + { + "name": "search_0", + "type": "search", + "id": "c79c1e60-9943-11ee-a029-e973f4774355" + } + ], + "migrationVersion": { + "visualization": "7.10.0" + } + }, + { + "id": "c79c1e60-9943-11ee-a029-e973f4774355", + "type": "search", + "namespaces": [ + "default" + ], + "updated_at": "2023-12-14T22:33:38.334Z", + "version": "Wzk0NCwxXQ==", + "attributes": { + "title": "Malcolm Sensor Journald - Logs", + "description": "", + "hits": 0, + "columns": [ + "@timestamp", + "miscbeat.systemd.hostname", + "process.name", + 
"process.pid", + "process.user.id", + "event.original", + "miscbeat.systemd.systemd_unit", + "miscbeat.systemd.systemd_user_unit", + "log.logger" + ], + "sort": [], + "version": 1, + "kibanaSavedObjectMeta": { + "searchSourceJSON": "{\"query\":{\"query\":\"miscbeat.systemd:*\",\"language\":\"kuery\"},\"highlightAll\":true,\"version\":true,\"aggs\":{\"2\":{\"date_histogram\":{\"field\":\"@timestamp\",\"calendar_interval\":\"1w\",\"time_zone\":\"America/Denver\",\"min_doc_count\":1}}},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}" + } + }, + "references": [ + { + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern", + "id": "malcolm_beats_*" + } + ], + "migrationVersion": { + "search": "7.9.3" + } + } + ] +} \ No newline at end of file diff --git a/dashboards/scripts/create-arkime-sessions-index.sh b/dashboards/scripts/create-arkime-sessions-index.sh index c839d0fd9..a118dd46c 100755 --- a/dashboards/scripts/create-arkime-sessions-index.sh +++ b/dashboards/scripts/create-arkime-sessions-index.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. set -euo pipefail shopt -s nocasematch diff --git a/dashboards/supervisord.conf b/dashboards/supervisord.conf index 81e64278a..b6cee6932 100644 --- a/dashboards/supervisord.conf +++ b/dashboards/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. [unix_http_server] file=/tmp/supervisor.sock ; (the path to the socket file) diff --git a/dashboards/templates/composable/component/miscbeat.json b/dashboards/templates/composable/component/miscbeat.json index 62f272927..d3072b3c4 100644 --- a/dashboards/templates/composable/component/miscbeat.json +++ b/dashboards/templates/composable/component/miscbeat.json 
@@ -93,6 +93,58 @@ "properties": { } }, + "systemd": { + "properties": { + "audit_loginuid": { "type": "integer" }, + "audit_session": { "type": "integer" }, + "boot_id": { "type": "keyword" }, + "cpu_usage_nsec": { "type": "long" }, + "device": { "type": "keyword" }, + "glib_domain": { "type": "keyword" }, + "glib_old_log_api": { "type": "keyword" }, + "hostname": { "type": "keyword" }, + "invocation_id": { "type": "keyword" }, + "job_id": { "type": "integer" }, + "job_result": { "type": "keyword" }, + "job_type": { "type": "keyword" }, + "kernel_device": { "type": "keyword" }, + "kernel_subsystem": { "type": "keyword" }, + "leader": { "type": "keyword" }, + "machine_id": { "type": "keyword" }, + "message": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "message_id": { "type": "keyword" }, + "nm_device": { "type": "keyword" }, + "nm_log_domains": { "type": "keyword" }, + "nm_log_level": { "type": "keyword" }, + "priority": { "type": "integer" }, + "runtime_scope": { "type": "keyword" }, + "selinux_context": { "type": "keyword" }, + "session_id": { "type": "keyword" }, + "source_monotonic_timestamp": { "type": "long" }, + "source_realtime_timestamp" : { "type": "date" }, + "stream_id": { "type": "keyword" }, + "syslog_raw": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "syslog_timestamp": { "type": "keyword" }, + "systemd_cgroup": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }, + "systemd_invocation_id": { "type": "keyword" }, + "systemd_session": { "type": "keyword" }, + "systemd_slice": { "type": "keyword" }, + "systemd_unit": { "type": "keyword" }, + "systemd_user_slice": { "type": "keyword" }, + "systemd_user_unit": { "type": "keyword" }, + "timestamp_boottime": { "type": "float" }, + "timestamp_monotonic": { "type": "float" }, + "udev_devnode": { "type": "keyword" }, + "udev_sysname": { "type": "keyword" }, + "unit": { "type": "keyword" 
}, + "user_id": { "type": "keyword" }, + "user_invocation_id": { "type": "keyword" }, + "user_unit": { "type": "keyword" }, + "userspace_usec": { "type": "integer" }, + "wp_object": { "type": "keyword" }, + "wp_object_type": { "type": "keyword" } + } + }, "thermal": { "properties": { "name": { "type": "keyword"}, diff --git a/docker-compose-standalone.yml b/docker-compose-standalone.yml index 1963a0f74..697718674 100644 --- a/docker-compose-standalone.yml +++ b/docker-compose-standalone.yml @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. version: '3.7' @@ -12,7 +12,7 @@ x-logging: services: opensearch: - image: ghcr.io/idaholab/malcolm/opensearch:23.12.0 + image: ghcr.io/idaholab/malcolm/opensearch:23.12.1 # Technically the "hedgehog" profile doesn't have OpenSearch, but in that case # OPENSEARCH_PRIMARY will be set to remote, which means the container will # start but not actually run OpenSearch. It's included in both profiles to @@ -36,7 +36,10 @@ services: soft: -1 hard: -1 cap_add: + # IPC_LOCK - to lock memory, preventing swapping - IPC_LOCK + # SYS_RESOURCE - for increasing memlock limits + - SYS_RESOURCE volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro @@ -51,7 +54,7 @@ services: retries: 3 start_period: 180s dashboards-helper: - image: ghcr.io/idaholab/malcolm/dashboards-helper:23.12.0 + image: ghcr.io/idaholab/malcolm/dashboards-helper:23.12.1 profiles: ["malcolm"] logging: *default-logging restart: "no" @@ -81,7 +84,7 @@ services: retries: 3 start_period: 30s dashboards: - image: ghcr.io/idaholab/malcolm/dashboards:23.12.0 + image: ghcr.io/idaholab/malcolm/dashboards:23.12.1 profiles: ["malcolm"] logging: *default-logging restart: "no" 
@@ -109,7 +112,7 @@ services: retries: 3 start_period: 210s logstash: - image: ghcr.io/idaholab/malcolm/logstash-oss:23.12.0 + image: ghcr.io/idaholab/malcolm/logstash-oss:23.12.1 profiles: ["malcolm"] logging: *default-logging restart: "no" @@ -123,7 +126,10 @@ services: soft: -1 hard: -1 cap_add: + # IPC_LOCK - to lock memory, preventing swapping - IPC_LOCK + # SYS_RESOURCE - for increasing memlock limits + - SYS_RESOURCE env_file: - ./config/process.env - ./config/ssl.env @@ -153,7 +159,7 @@ services: retries: 3 start_period: 600s filebeat: - image: ghcr.io/idaholab/malcolm/filebeat-oss:23.12.0 + image: ghcr.io/idaholab/malcolm/filebeat-oss:23.12.1 profiles: ["malcolm", "hedgehog"] logging: *default-logging restart: "no" @@ -188,7 +194,7 @@ services: retries: 3 start_period: 60s arkime: - image: ghcr.io/idaholab/malcolm/arkime:23.12.0 + image: ghcr.io/idaholab/malcolm/arkime:23.12.1 profiles: ["malcolm", "hedgehog"] logging: *default-logging restart: "no" 
@@ -204,48 +210,66 @@ services: - ./config/upload-common.env - ./config/auth.env - ./config/arkime.env + - ./config/arkime-offline.env - ./config/arkime-secret.env environment: VIRTUAL_HOST : 'arkime.malcolm.local' - ulimits: - memlock: - soft: -1 - hard: -1 depends_on: - opensearch - ports: - - "127.0.0.1:8005:8005" volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro + - ./arkime/rules:/opt/arkime/rules:ro - ./pcap:/data/pcap - - ./arkime-logs:/opt/arkime/logs - - ./arkime-raw:/opt/arkime/raw healthcheck: test: ["CMD", "curl", "--insecure", "--silent", "--fail", "https://localhost:8005/_ns_/nstest.html"] interval: 90s timeout: 30s retries: 3 start_period: 210s - zeek: - image: ghcr.io/idaholab/malcolm/zeek:23.12.0 + arkime-live: + image: ghcr.io/idaholab/malcolm/arkime:23.12.1 profiles: ["malcolm", "hedgehog"] logging: *default-logging restart: "no" stdin_open: false tty: true - hostname: zeek - networks: - - default - ulimits: - memlock: - soft: -1 - hard: -1 + network_mode: host cap_add: + # IPC_LOCK - to lock memory, preventing swapping - IPC_LOCK + # SYS_RESOURCE - for increasing memlock limits + - SYS_RESOURCE + # NET_ADMIN and NET_RAW - to turn on promiscuous mode and capture raw packets - NET_ADMIN - NET_RAW - - SYS_ADMIN + # SYS_NICE - to set process nice values, real-time scheduling policies, I/O scheduling + - SYS_NICE + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/opensearch.env + - ./config/upload-common.env + - ./config/pcap-capture.env + - ./config/auth.env + - ./config/arkime.env + - ./config/arkime-live.env + - ./config/arkime-secret.env + volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro + - ./arkime/rules:/opt/arkime/rules:ro + - ./pcap:/data/pcap + zeek: + image: ghcr.io/idaholab/malcolm/zeek:23.12.1 + profiles: ["malcolm", "hedgehog"] + logging: *default-logging 
+ restart: "no" + stdin_open: false + tty: true + hostname: zeek + networks: + - default env_file: - ./config/process.env - ./config/ssl.env @@ -269,22 +293,19 @@ services: retries: 3 start_period: 60s zeek-live: - image: ghcr.io/idaholab/malcolm/zeek:23.12.0 + image: ghcr.io/idaholab/malcolm/zeek:23.12.1 profiles: ["malcolm", "hedgehog"] logging: *default-logging restart: "no" stdin_open: false tty: true network_mode: host - ulimits: - memlock: - soft: -1 - hard: -1 cap_add: - - IPC_LOCK + # NET_ADMIN and NET_RAW - to turn on promiscuous mode and capture raw packets - NET_ADMIN - NET_RAW - - SYS_ADMIN + # SYS_NICE - to set process nice values, real-time scheduling policies, I/O scheduling + - SYS_NICE env_file: - ./config/process.env - ./config/ssl.env @@ -300,7 +321,7 @@ services: - ./zeek/intel:/opt/zeek/share/zeek/site/intel - ./zeek/custom:/opt/zeek/share/zeek/site/custom:ro suricata: - image: ghcr.io/idaholab/malcolm/suricata:23.12.0 + image: ghcr.io/idaholab/malcolm/suricata:23.12.1 profiles: ["malcolm", "hedgehog"] logging: *default-logging restart: "no" @@ -309,15 +330,6 @@ services: hostname: suricata networks: - default - ulimits: - memlock: - soft: -1 - hard: -1 - cap_add: - - IPC_LOCK - - NET_ADMIN - - NET_RAW - - SYS_ADMIN env_file: - ./config/process.env - ./config/ssl.env 
@@ -337,22 +349,23 @@ services: retries: 3 start_period: 120s suricata-live: - image: ghcr.io/idaholab/malcolm/suricata:23.12.0 + image: ghcr.io/idaholab/malcolm/suricata:23.12.1 profiles: ["malcolm", "hedgehog"] logging: *default-logging restart: "no" stdin_open: false tty: true network_mode: host - ulimits: - memlock: - soft: -1 - hard: -1 cap_add: + # IPC_LOCK - to lock memory, preventing swapping - IPC_LOCK + # SYS_RESOURCE - for increasing memlock limits + - SYS_RESOURCE + # NET_ADMIN and NET_RAW - to turn on promiscuous mode and capture raw packets - NET_ADMIN - NET_RAW - - SYS_ADMIN + # SYS_NICE - to set process nice values and scheduling policies for capture + - SYS_NICE env_file: - ./config/process.env - ./config/ssl.env @@ -366,7 +379,7 @@ services: - ./suricata/rules:/opt/suricata/rules:ro - ./suricata/include-configs:/opt/suricata/include-configs:ro file-monitor: - image: ghcr.io/idaholab/malcolm/file-monitor:23.12.0 + image: ghcr.io/idaholab/malcolm/file-monitor:23.12.1 profiles: ["malcolm", "hedgehog"] logging: *default-logging restart: "no" @@ -394,7 +407,7 @@ services: retries: 3 start_period: 60s pcap-capture: - image: ghcr.io/idaholab/malcolm/pcap-capture:23.12.0 + image: ghcr.io/idaholab/malcolm/pcap-capture:23.12.1 profiles: ["malcolm", "hedgehog"] logging: *default-logging restart: "no" @@ -406,10 +419,15 @@ services: soft: -1 hard: -1 cap_add: + # IPC_LOCK - to lock memory, preventing swapping - IPC_LOCK + # SYS_RESOURCE - for increasing memlock limits + - SYS_RESOURCE + # SYS_ADMIN - for netsniff-ng to set the disc I/O scheduler policy + - SYS_ADMIN + # NET_ADMIN and NET_RAW - to turn on promiscuous mode and capture raw packets - NET_ADMIN - NET_RAW - - SYS_ADMIN env_file: - ./config/process.env - ./config/ssl.env 
@@ -418,7 +436,7 @@ services: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./pcap/upload:/pcap pcap-monitor: - image: ghcr.io/idaholab/malcolm/pcap-monitor:23.12.0 + image: ghcr.io/idaholab/malcolm/pcap-monitor:23.12.1 profiles: ["malcolm", "hedgehog"] logging: *default-logging restart: "no" @@ -446,7 +464,7 @@ services: retries: 3 start_period: 90s upload: - image: ghcr.io/idaholab/malcolm/file-upload:23.12.0 + image: ghcr.io/idaholab/malcolm/file-upload:23.12.1 profiles: ["malcolm"] logging: *default-logging restart: "no" @@ -473,7 +491,7 @@ services: retries: 3 start_period: 60s htadmin: - image: ghcr.io/idaholab/malcolm/htadmin:23.12.0 + image: ghcr.io/idaholab/malcolm/htadmin:23.12.1 profiles: ["malcolm"] logging: *default-logging restart: "no" @@ -500,7 +518,7 @@ services: retries: 3 start_period: 60s freq: - image: ghcr.io/idaholab/malcolm/freq:23.12.0 + image: ghcr.io/idaholab/malcolm/freq:23.12.1 profiles: ["malcolm"] logging: *default-logging restart: "no" @@ -524,7 +542,7 @@ services: retries: 3 start_period: 60s netbox: - image: ghcr.io/idaholab/malcolm/netbox:23.12.0 + image: ghcr.io/idaholab/malcolm/netbox:23.12.1 profiles: ["malcolm"] logging: *default-logging restart: "no" @@ -558,7 +576,7 @@ services: retries: 3 start_period: 120s netbox-postgres: - image: ghcr.io/idaholab/malcolm/postgresql:23.12.0 + image: ghcr.io/idaholab/malcolm/postgresql:23.12.1 profiles: ["malcolm"] logging: *default-logging restart: "no" @@ -584,7 +602,7 @@ services: retries: 3 start_period: 45s netbox-redis: - image: ghcr.io/idaholab/malcolm/redis:23.12.0 + image: ghcr.io/idaholab/malcolm/redis:23.12.1 profiles: ["malcolm"] logging: *default-logging restart: "no" @@ -614,7 +632,7 @@ services: retries: 3 start_period: 45s netbox-redis-cache: - image: ghcr.io/idaholab/malcolm/redis:23.12.0 + image: ghcr.io/idaholab/malcolm/redis:23.12.1 profiles: ["malcolm"] logging: *default-logging restart: "no" 
@@ -643,7 +661,7 @@ services: retries: 3 start_period: 45s api: - image: ghcr.io/idaholab/malcolm/api:23.12.0 + image: ghcr.io/idaholab/malcolm/api:23.12.1 profiles: ["malcolm"] logging: *default-logging command: gunicorn --bind 0:5000 manage:app @@ -670,7 +688,7 @@ services: retries: 3 start_period: 60s nginx-proxy: - image: ghcr.io/idaholab/malcolm/nginx-proxy:23.12.0 + image: ghcr.io/idaholab/malcolm/nginx-proxy:23.12.1 profiles: ["malcolm"] logging: *default-logging restart: "no" diff --git a/docker-compose.yml b/docker-compose.yml index 85958b908..3bc8b9014 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. version: '3.7' @@ -15,7 +15,7 @@ services: build: context: . dockerfile: Dockerfiles/opensearch.Dockerfile - image: ghcr.io/idaholab/malcolm/opensearch:23.12.0 + image: ghcr.io/idaholab/malcolm/opensearch:23.12.1 # Technically the "hedgehog" profile doesn't have OpenSearch, but in that case # OPENSEARCH_PRIMARY will be set to remote, which means the container will # start but not actually run OpenSearch. It's included in both profiles to @@ -39,7 +39,10 @@ services: soft: -1 hard: -1 cap_add: + # IPC_LOCK - to lock memory, preventing swapping - IPC_LOCK + # SYS_RESOURCE - for increasing memlock limits + - SYS_RESOURCE volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro @@ -57,7 +60,7 @@ services: build: context: . dockerfile: Dockerfiles/dashboards-helper.Dockerfile - image: ghcr.io/idaholab/malcolm/dashboards-helper:23.12.0 + image: ghcr.io/idaholab/malcolm/dashboards-helper:23.12.1 profiles: ["malcolm"] logging: *default-logging restart: "no" 
@@ -90,7 +93,7 @@ services: build: context: . dockerfile: Dockerfiles/dashboards.Dockerfile - image: ghcr.io/idaholab/malcolm/dashboards:23.12.0 + image: ghcr.io/idaholab/malcolm/dashboards:23.12.1 profiles: ["malcolm"] logging: *default-logging restart: "no" @@ -121,7 +124,7 @@ services: build: context: . dockerfile: Dockerfiles/logstash.Dockerfile - image: ghcr.io/idaholab/malcolm/logstash-oss:23.12.0 + image: ghcr.io/idaholab/malcolm/logstash-oss:23.12.1 profiles: ["malcolm"] logging: *default-logging restart: "no" @@ -135,7 +138,10 @@ services: soft: -1 hard: -1 cap_add: + # IPC_LOCK - to lock memory, preventing swapping - IPC_LOCK + # SYS_RESOURCE - for increasing memlock limits + - SYS_RESOURCE env_file: - ./config/process.env - ./config/ssl.env @@ -172,7 +178,7 @@ services: build: context: . dockerfile: Dockerfiles/filebeat.Dockerfile - image: ghcr.io/idaholab/malcolm/filebeat-oss:23.12.0 + image: ghcr.io/idaholab/malcolm/filebeat-oss:23.12.1 profiles: ["malcolm", "hedgehog"] logging: *default-logging restart: "no" @@ -210,7 +216,7 @@ services: build: context: . dockerfile: Dockerfiles/arkime.Dockerfile - image: ghcr.io/idaholab/malcolm/arkime:23.12.0 + image: ghcr.io/idaholab/malcolm/arkime:23.12.1 profiles: ["malcolm", "hedgehog"] logging: *default-logging restart: "no" @@ -229,20 +235,13 @@ services: - ./config/arkime-secret.env environment: VIRTUAL_HOST : 'arkime.malcolm.local' - ulimits: - memlock: - soft: -1 - hard: -1 depends_on: - opensearch - ports: - - "127.0.0.1:8005:8005" volumes: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro - ./pcap:/data/pcap - - ./arkime-logs:/opt/arkime/logs - - ./arkime-raw:/opt/arkime/raw + - ./arkime/rules:/opt/arkime/rules:ro - ./arkime/etc/config.ini:/opt/arkime/etc/config.orig.ini:ro - ./arkime/etc/user_settings.json:/opt/arkime/etc/user_settings.json:ro - ./arkime/wise/source.zeeklogs.js:/opt/arkime/wiseService/source.zeeklogs.js:ro 
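Review bot: The `arkime` service's `env_file` list in this hunk lacks `./config/arkime-offline.env`, which this commit adds to the same service in docker-compose-standalone.yml (`@@ -204,48 +210,66 @@`, inserted just before `arkime-secret.env`). A change at that position would have fallen inside this hunk's leading context, so it appears docker-compose.yml was skipped rather than changed elsewhere; add `- ./config/arkime-offline.env` above `- ./config/arkime-secret.env` so both compose files configure the offline Arkime container identically.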
@@ -252,11 +251,50 @@ services: timeout: 30s retries: 3 start_period: 210s + arkime-live: + build: + context: . + dockerfile: Dockerfiles/arkime.Dockerfile + image: ghcr.io/idaholab/malcolm/arkime:23.12.1 + profiles: ["malcolm", "hedgehog"] + logging: *default-logging + restart: "no" + stdin_open: false + tty: true + network_mode: host + cap_add: + # IPC_LOCK - to lock memory, preventing swapping + - IPC_LOCK + # SYS_RESOURCE - for increasing memlock limits + - SYS_RESOURCE + # NET_ADMIN and NET_RAW - to turn on promiscuous mode and capture raw packets + - NET_ADMIN + - NET_RAW + # SYS_NICE - to set process nice values, real-time scheduling policies, I/O scheduling + - SYS_NICE + env_file: + - ./config/process.env + - ./config/ssl.env + - ./config/opensearch.env + - ./config/upload-common.env + - ./config/pcap-capture.env + - ./config/auth.env + - ./config/arkime.env + - ./config/arkime-live.env + - ./config/arkime-secret.env + volumes: + - ./nginx/ca-trust:/var/local/ca-trust:ro + - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro + - ./pcap:/data/pcap + - ./arkime/rules:/opt/arkime/rules:ro + - ./arkime/etc/config.ini:/opt/arkime/etc/config.orig.ini:ro + - ./arkime/etc/user_settings.json:/opt/arkime/etc/user_settings.json:ro + - ./arkime/wise/source.zeeklogs.js:/opt/arkime/wiseService/source.zeeklogs.js:ro zeek: build: context: . dockerfile: Dockerfiles/zeek.Dockerfile - image: ghcr.io/idaholab/malcolm/zeek:23.12.0 + image: ghcr.io/idaholab/malcolm/zeek:23.12.1 profiles: ["malcolm", "hedgehog"] logging: *default-logging restart: "no" @@ -265,15 +303,6 @@ services: hostname: zeek networks: - default - ulimits: - memlock: - soft: -1 - hard: -1 - cap_add: - - IPC_LOCK - - NET_ADMIN - - NET_RAW - - SYS_ADMIN env_file: - ./config/process.env - ./config/ssl.env 
@@ -301,22 +330,19 @@ services: build: context: . dockerfile: Dockerfiles/zeek.Dockerfile - image: ghcr.io/idaholab/malcolm/zeek:23.12.0 + image: ghcr.io/idaholab/malcolm/zeek:23.12.1 profiles: ["malcolm", "hedgehog"] logging: *default-logging restart: "no" stdin_open: false tty: true network_mode: host - ulimits: - memlock: - soft: -1 - hard: -1 cap_add: - - IPC_LOCK + # NET_ADMIN and NET_RAW - to turn on promiscuous mode and capture raw packets - NET_ADMIN - NET_RAW - - SYS_ADMIN + # SYS_NICE - to set process nice values, real-timescheduling policies, I/O scheduling + - SYS_NICE env_file: - ./config/process.env - ./config/ssl.env @@ -336,7 +362,7 @@ services: build: context: . dockerfile: Dockerfiles/suricata.Dockerfile - image: ghcr.io/idaholab/malcolm/suricata:23.12.0 + image: ghcr.io/idaholab/malcolm/suricata:23.12.1 profiles: ["malcolm", "hedgehog"] logging: *default-logging restart: "no" @@ -345,15 +371,6 @@ services: hostname: suricata networks: - default - ulimits: - memlock: - soft: -1 - hard: -1 - cap_add: - - IPC_LOCK - - NET_ADMIN - - NET_RAW - - SYS_ADMIN env_file: - ./config/process.env - ./config/ssl.env @@ -376,22 +393,23 @@ services: build: context: . dockerfile: Dockerfiles/suricata.Dockerfile - image: ghcr.io/idaholab/malcolm/suricata:23.12.0 + image: ghcr.io/idaholab/malcolm/suricata:23.12.1 profiles: ["malcolm", "hedgehog"] logging: *default-logging restart: "no" stdin_open: false tty: true network_mode: host - ulimits: - memlock: - soft: -1 - hard: -1 cap_add: + # IPC_LOCK - to lock memory, preventing swapping - IPC_LOCK + # SYS_RESOURCE - for increasing memlock limits + - SYS_RESOURCE + # NET_ADMIN and NET_RAW - to turn on promiscuous mode and capture raw packets - NET_ADMIN - NET_RAW - - SYS_ADMIN + # SYS_NICE - to set process nice values, real-timescheduling policies, I/O scheduling + - SYS_NICE env_file: - ./config/process.env - ./config/ssl.env 
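Review bot: The capability comment added for `zeek-live` reads `# SYS_NICE - to set process nice values, real-timescheduling policies, I/O scheduling`, missing the space in `real-time scheduling`; the same typo appears in the `suricata-live` hunk below (`@@ -376,22 +393,23 @@`), while docker-compose-standalone.yml spells it correctly and, for its `suricata-live`, uses a different sentence altogether. These comments are the only record of why each capability is granted, so keep one wording in both compose files: `# SYS_NICE - to set process nice values, real-time scheduling policies, I/O scheduling`.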
@@ -408,7 +426,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/file-monitor.Dockerfile
- image: ghcr.io/idaholab/malcolm/file-monitor:23.12.0
+ image: ghcr.io/idaholab/malcolm/file-monitor:23.12.1
 profiles: ["malcolm", "hedgehog"]
 logging: *default-logging
 restart: "no"
@@ -439,7 +457,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/pcap-capture.Dockerfile
- image: ghcr.io/idaholab/malcolm/pcap-capture:23.12.0
+ image: ghcr.io/idaholab/malcolm/pcap-capture:23.12.1
 profiles: ["malcolm", "hedgehog"]
 logging: *default-logging
 restart: "no"
@@ -451,10 +469,15 @@ services:
 soft: -1
 hard: -1
 cap_add:
+ # IPC_LOCK - to lock memory, preventing swapping
 - IPC_LOCK
+ # SYS_RESOURCE - for increasing memlock limits
+ - SYS_RESOURCE
+ # SYS_ADMIN - for netsniff-ng to set the disc I/O scheduler policy
+ - SYS_ADMIN
+ # NET_ADMIN and NET_RAW - to turn on promiscuous mode and capture raw packets
 - NET_ADMIN
 - NET_RAW
- - SYS_ADMIN
 env_file:
 - ./config/process.env
 - ./config/ssl.env
@@ -466,7 +489,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/pcap-monitor.Dockerfile
- image: ghcr.io/idaholab/malcolm/pcap-monitor:23.12.0
+ image: ghcr.io/idaholab/malcolm/pcap-monitor:23.12.1
 profiles: ["malcolm", "hedgehog"]
 logging: *default-logging
 restart: "no"
@@ -497,7 +520,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/file-upload.Dockerfile
- image: ghcr.io/idaholab/malcolm/file-upload:23.12.0
+ image: ghcr.io/idaholab/malcolm/file-upload:23.12.1
 profiles: ["malcolm"]
 logging: *default-logging
 restart: "no"
@@ -524,7 +547,7 @@ services:
 retries: 3
 start_period: 60s
 htadmin:
- image: ghcr.io/idaholab/malcolm/htadmin:23.12.0
+ image: ghcr.io/idaholab/malcolm/htadmin:23.12.1
 profiles: ["malcolm"]
 logging: *default-logging
 build:
@@ -554,7 +577,7 @@ services:
 retries: 3
 start_period: 60s
 freq:
- image: ghcr.io/idaholab/malcolm/freq:23.12.0
+ image: ghcr.io/idaholab/malcolm/freq:23.12.1
 profiles: ["malcolm"]
 logging: *default-logging
 build:
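Review bot: In the `pcap-capture` capabilities hunk, `SYS_RESOURCE` is added "for increasing memlock limits" while the `ulimits` lines `soft: -1` / `hard: -1` remain as context directly above `cap_add:`, so the hard memlock limit is already unlimited and the capability buys nothing; drop `- SYS_RESOURCE` and its comment here, or drop the `ulimits` block, but not keep both. `SYS_ADMIN` is retained with the justification "for netsniff-ng to set the disc I/O scheduler policy", yet the docs/hedgehog-upgrade.md hunk in this same commit removes `CAP_SYS_ADMIN+eip` from the `setcap` line for `/usr/sbin/netsniff-ng`, so the container and ISO paths now disagree about whether netsniff-ng needs it. CAP_SYS_ADMIN is the broadest capability (mount, many privileged ioctls, namespace operations), and on recent kernels the real-time I/O class can apparently also be set with CAP_SYS_NICE, so it may be worth testing whether `- SYS_NICE` (already granted to the other capture services) replaces `- SYS_ADMIN` for this container. Whatever the outcome, the comment should record it, e.g. `# SYS_ADMIN - netsniff-ng fails to set the RT I/O class without it (verified <KERNEL_VERSION>)` with the placeholder filled in.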
@@ -581,7 +604,7 @@ services:
 retries: 3
 start_period: 60s
 netbox:
- image: ghcr.io/idaholab/malcolm/netbox:23.12.0
+ image: ghcr.io/idaholab/malcolm/netbox:23.12.1
 profiles: ["malcolm"]
 logging: *default-logging
 build:
@@ -618,7 +641,7 @@ services:
 retries: 3
 start_period: 120s
 netbox-postgres:
- image: ghcr.io/idaholab/malcolm/postgresql:23.12.0
+ image: ghcr.io/idaholab/malcolm/postgresql:23.12.1
 profiles: ["malcolm"]
 logging: *default-logging
 build:
@@ -647,7 +670,7 @@ services:
 retries: 3
 start_period: 45s
 netbox-redis:
- image: ghcr.io/idaholab/malcolm/redis:23.12.0
+ image: ghcr.io/idaholab/malcolm/redis:23.12.1
 profiles: ["malcolm"]
 logging: *default-logging
 build:
@@ -680,7 +703,7 @@ services:
 retries: 3
 start_period: 45s
 netbox-redis-cache:
- image: ghcr.io/idaholab/malcolm/redis:23.12.0
+ image: ghcr.io/idaholab/malcolm/redis:23.12.1
 profiles: ["malcolm"]
 logging: *default-logging
 build:
@@ -712,7 +735,7 @@ services:
 retries: 3
 start_period: 45s
 api:
- image: ghcr.io/idaholab/malcolm/api:23.12.0
+ image: ghcr.io/idaholab/malcolm/api:23.12.1
 profiles: ["malcolm"]
 logging: *default-logging
 build:
@@ -745,7 +768,7 @@ services:
 build:
 context: .
 dockerfile: Dockerfiles/nginx.Dockerfile
- image: ghcr.io/idaholab/malcolm/nginx-proxy:23.12.0
+ image: ghcr.io/idaholab/malcolm/nginx-proxy:23.12.1
 profiles: ["malcolm"]
 logging: *default-logging
 restart: "no"
diff --git a/docs/README.md b/docs/README.md
index a1f428dc0..560f87caa 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -50,6 +50,7 @@ Malcolm can also easily be deployed locally on an ordinary consumer workstation * [Live analysis](live-analysis.md#LiveAnalysis) - [Using a network sensor appliance](live-analysis.md#Hedgehog) - [Monitoring local network interfaces](live-analysis.md#LocalPCAP) + + ["Hedgehog" run profile](live-analysis.md#Profiles) - [Manually forwarding logs from an external source](live-analysis.md#ExternalForward) * [Arkime](arkime.md#Arkime) - [Zeek log integration](arkime.md#ArkimeZeek) diff --git a/docs/contributing-local-modifications.md b/docs/contributing-local-modifications.md index 53e32eddf..8f2491351 100644 --- a/docs/contributing-local-modifications.md +++ b/docs/contributing-local-modifications.md @@ -42,8 +42,6 @@ arkime: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./.opensearch.primary.curlrc:/var/local/curlrc/.opensearch.primary.curlrc:ro - ./pcap:/data/pcap - - ./arkime-logs:/opt/arkime/logs - - ./arkime-raw:/opt/arkime/raw zeek: - ./nginx/ca-trust:/var/local/ca-trust:ro - ./pcap:/pcap diff --git a/docs/contributing-pcap.md b/docs/contributing-pcap.md index d8f0edd61..f9ed21c54 100644 --- a/docs/contributing-pcap.md +++ b/docs/contributing-pcap.md 
@@ -1,6 +1,6 @@ # PCAP processors -When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v23.12.0 release]({{ site.github.repository_url }}/releases/tag/v23.12.0)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail: +When a PCAP is uploaded (either through Malcolm's [upload web interface](upload.md#Upload) or just copied manually into the `./pcap/upload` directory), the `pcap-monitor` container has a script that picks up those PCAP files and publishes to a [ZeroMQ](https://zeromq.org/) topic that can be subscribed to by any other process that wants to analyze that PCAP. In Malcolm (at the time of the [v23.12.1 release]({{ site.github.repository_url }}/releases/tag/v23.12.1)), there are three such ZeroMQ topics: the `zeek`, `suricata` and `arkime` containers. These actually share the [same script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/pcap_processor.py) to run the PCAP through Zeek, Suricata, and Arkime, respectively. For an example to follow, the `zeek` container is the less complicated of the two. To integrate a new PCAP processing tool into Malcolm (named `cooltool` for this example) the process would entail: 1. 
Define the service as instructed in the [Adding a new service](contributing-new-image.md#NewImage) section * Note how the existing `zeek` and `arkime` services use [bind mounts](contributing-local-modifications.md#Bind) to access the local `./pcap` directory diff --git a/docs/development.md b/docs/development.md index 8207e3582..c4a5a05fa 100644 --- a/docs/development.md +++ b/docs/development.md @@ -8,7 +8,6 @@ Checking out the [Malcolm source code]({{ site.github.repository_url }}/tree/{{ * `api` - code and configuration for the `api` container, which provides a REST API to query Malcolm * `arkime` - code and configuration for the `arkime` container that processes PCAP files using `capture`, which serves the Viewer application -* `arkime-logs` - an initially empty directory to which the `arkime` container will write some debug log files * `config` - a directory containing the environment variable files that define Malcolm's configuration * `dashboards` - code and configuration for the `dashboards` container for creating additional ad-hoc visualizations and dashboards beyond that which is provided by Arkime Viewer * `Dockerfiles` - a directory containing build instructions for Malcolm's docker images diff --git a/docs/download.md b/docs/download.md index 1aca19bca..588fc90ef 100644 --- a/docs/download.md +++ b/docs/download.md @@ -16,7 +16,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno | ISO | SHA256 | |---|---| -| [malcolm-23.12.0.iso](/iso/malcolm-23.12.0.iso) (5.1GiB) | [`3e836d09cd79a4e3f54c6fc365b032385312ad885b8483a0df156b59175d4909`](/iso/malcolm-23.12.0.iso.sha256.txt) | +| [malcolm-23.12.1.iso](/iso/malcolm-23.12.1.iso) (5.2GiB) | [`a3dd7dbcaa78322f1ae62b93efd4d95e3644a1b52b65ba24dd1bccf4ac6b173a`](/iso/malcolm-23.12.1.iso.sha256.txt) | ## Hedgehog Linux 
@@ -26,7 +26,7 @@ While official downloads of the Malcolm installer ISO are not provided, an **uno | ISO | SHA256 | |---|---| -| [hedgehog-23.12.0.iso](/iso/hedgehog-23.12.0.iso) (2.4GiB) | [`835160cc0d2e3608754736989088d912c17372c49764244742e0572af9295d4b`](/iso/hedgehog-23.12.0.iso.sha256.txt) | +| [hedgehog-23.12.1.iso](/iso/hedgehog-23.12.1.iso) (2.4GiB) | [`009e67d61ae6e8ffa53e8e134091263b91c0f7a442a0717594434761db60b1b5`](/iso/hedgehog-23.12.1.iso.sha256.txt) | ## Warning diff --git a/docs/hedgehog-iso-build.md b/docs/hedgehog-iso-build.md index eb05c0ccb..a97d0d283 100644 --- a/docs/hedgehog-iso-build.md +++ b/docs/hedgehog-iso-build.md @@ -29,7 +29,7 @@ Building the ISO may take 90 minutes or more depending on your system. As the bu ``` … -Finished, created "/sensor-build/hedgehog-23.12.0.iso" +Finished, created "/sensor-build/hedgehog-23.12.1.iso" … ``` diff --git a/docs/hedgehog-upgrade.md b/docs/hedgehog-upgrade.md index 6c7e69e29..f106bb030 100644 --- a/docs/hedgehog-upgrade.md +++ b/docs/hedgehog-upgrade.md @@ -208,9 +208,9 @@ commands: ``` chown root:netdev /usr/sbin/netsniff-ng && \ - setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip CAP_SYS_ADMIN+eip' /usr/sbin/netsniff-ng + setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' /usr/sbin/netsniff-ng chown root:netdev /opt/zeek/bin/zeek && \ - setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' /opt/zeek/bin/zeek + setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /opt/zeek/bin/zeek chown root:netdev /sbin/ethtool && \ setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /sbin/ethtool chown root:netdev /opt/zeek/bin/capstats && \ 
@@ -218,7 +218,7 @@ chown root:netdev /opt/zeek/bin/capstats && \ chown root:netdev /usr/bin/tcpdump && \ setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/tcpdump chown root:netdev /opt/arkime/bin/capture && \ - setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' /opt/arkime/bin/capture + setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /opt/arkime/bin/capture ln -s -f /opt/zeek/bin/zeek /usr/local/bin/ ln -s -f /usr/sbin/netsniff-ng /usr/local/bin/ @@ -233,9 +233,9 @@ example: ``` root@hedgehog:/tmp# chown root:netdev /usr/sbin/netsniff-ng && \ -> setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip CAP_SYS_ADMIN+eip' /usr/sbin/netsniff-ng +> setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' /usr/sbin/netsniff-ng root@hedgehog:/tmp# chown root:netdev /opt/zeek/bin/zeek && \ -> setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' /opt/zeek/bin/zeek +> setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /opt/zeek/bin/zeek root@hedgehog:/tmp# chown root:netdev /sbin/ethtool && \ > setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /sbin/ethtool root@hedgehog:/tmp# chown root:netdev /opt/zeek/bin/capstats && \ @@ -243,7 +243,7 @@ root@hedgehog:/tmp# chown root:netdev /opt/zeek/bin/capstats && \ root@hedgehog:/tmp# chown root:netdev /usr/bin/tcpdump && \ > setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/tcpdump root@hedgehog:/tmp# chown root:netdev /opt/arkime/bin/capture && \ -> setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' /opt/arkime/bin/capture +> setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /opt/arkime/bin/capture root@hedgehog:/tmp# ln -s -f /opt/zeek/bin/zeek /usr/local/bin/ root@hedgehog:/tmp# ln -s -f /usr/sbin/netsniff-ng /usr/local/bin/ root@hedgehog:/tmp# ln -s -f /usr/bin/tcpdump /usr/local/bin/ diff --git a/docs/kubernetes.md b/docs/kubernetes.md index da570cb96..b1b351d50 100644 --- a/docs/kubernetes.md +++ b/docs/kubernetes.md 
@@ -272,28 +272,28 @@ agent2 | agent2 | 192.168.56.12 | agent2 | k3s | 6000m | agent1 | agent1 | 192.168.56.11 | agent1 | k3s | 6000m | 861.34m | 14.36% | 19.55Gi | 9.29Gi | 61.28Gi | 11 | Pod Name | State | Pod IP | Pod Kind | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts | Container Image | -api-deployment-6f4686cf59-bn286 | Running | 10.42.2.14 | ReplicaSet | agent1 | 0.11m | 59.62Mi | api-container:0 | api:23.12.0 | -file-monitor-deployment-855646bd75-vk7st | Running | 10.42.2.16 | ReplicaSet | agent1 | 8.47m | 1.46Gi | file-monitor-container:0 | file-monitor:23.12.0 | -zeek-live-deployment-64b69d4b6f-947vr | Running | 10.42.2.17 | ReplicaSet | agent1 | 0.02m | 12.44Mi | zeek-live-container:0 | zeek:23.12.0 | -dashboards-helper-deployment-69dc54f6b6-ln4sq | Running | 10.42.2.15 | ReplicaSet | agent1 | 10.77m | 38.43Mi | dashboards-helper-container:0 | dashboards-helper:23.12.0 | -upload-deployment-586568844b-4jnk9 | Running | 10.42.2.18 | ReplicaSet | agent1 | 0.15m | 29.78Mi | upload-container:0 | file-upload:23.12.0 | -filebeat-deployment-6ff8bc444f-t7h49 | Running | 10.42.2.20 | ReplicaSet | agent1 | 2.84m | 70.71Mi | filebeat-container:0 | filebeat-oss:23.12.0 | -zeek-offline-deployment-844f4865bd-g2sdm | Running | 10.42.2.21 | ReplicaSet | agent1 | 0.17m | 41.92Mi | zeek-offline-container:0 | zeek:23.12.0 | -logstash-deployment-6fbc9fdcd5-hwx8s | Running | 10.42.2.22 | ReplicaSet | agent1 | 85.55m | 2.91Gi | logstash-container:0 | logstash-oss:23.12.0 | -netbox-deployment-cdcff4977-hbbw5 | Running | 10.42.2.23 | ReplicaSet | agent1 | 807.64m | 702.86Mi | netbox-container:0 | netbox:23.12.0 | -suricata-offline-deployment-6ccdb89478-z5696 | Running | 10.42.2.19 | ReplicaSet | agent1 | 0.22m | 34.88Mi | suricata-offline-container:0 | suricata:23.12.0 | -dashboards-deployment-69b5465db-vz88g | Running | 10.42.1.14 | ReplicaSet | agent2 | 0.94m | 100.12Mi | dashboards-container:0 | dashboards:23.12.0 | 
-netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2 | 3.57m | 7.36Mi | netbox-redis-cache-container:0 | redis:23.12.0 | -suricata-live-deployment-6494c77759-9rlnt | Running | 10.42.1.16 | ReplicaSet | agent2 | 0.02m | 9.69Mi | suricata-live-container:0 | suricata:23.12.0 | -freq-deployment-cfd84fd97-dnngf | Running | 10.42.1.17 | ReplicaSet | agent2 | 0.2m | 26.36Mi | freq-container:0 | freq:23.12.0 | -arkime-deployment-56999cdd66-s98pp | Running | 10.42.1.18 | ReplicaSet | agent2 | 4.15m | 113.07Mi | arkime-container:0 | arkime:23.12.0 | -pcap-monitor-deployment-594ff674c4-fsm7m | Running | 10.42.1.19 | ReplicaSet | agent2 | 1.24m | 48.44Mi | pcap-monitor-container:0 | pcap-monitor:23.12.0 | -pcap-capture-deployment-7c8bf6957-jzpzn | Running | 10.42.1.20 | ReplicaSet | agent2 | 0.02m | 9.64Mi | pcap-capture-container:0 | pcap-capture:23.12.0 | -netbox-postgres-deployment-5879b8dffc-kkt56 | Running | 10.42.1.21 | ReplicaSet | agent2 | 70.91m | 33.02Mi | netbox-postgres-container:0 | postgresql:23.12.0 | -htadmin-deployment-6fc46888b9-sq6ln | Running | 10.42.1.23 | ReplicaSet | agent2 | 0.14m | 30.53Mi | htadmin-container:0 | htadmin:23.12.0 | -netbox-redis-deployment-5bcd8f6c96-j5xpf | Running | 10.42.1.24 | ReplicaSet | agent2 | 1.46m | 7.34Mi | netbox-redis-container:0 | redis:23.12.0 | -nginx-proxy-deployment-69fcc4968d-f68tq | Running | 10.42.1.22 | ReplicaSet | agent2 | 0.31m | 22.63Mi | nginx-proxy-container:0 | nginx-proxy:23.12.0 | -opensearch-deployment-75498799f6-4zmwd | Running | 10.42.1.25 | ReplicaSet | agent2 | 89.8m | 11.03Gi | opensearch-container:0 | opensearch:23.12.0 | +api-deployment-6f4686cf59-bn286 | Running | 10.42.2.14 | ReplicaSet | agent1 | 0.11m | 59.62Mi | api-container:0 | api:23.12.1 | +file-monitor-deployment-855646bd75-vk7st | Running | 10.42.2.16 | ReplicaSet | agent1 | 8.47m | 1.46Gi | file-monitor-container:0 | file-monitor:23.12.1 | +zeek-live-deployment-64b69d4b6f-947vr | Running | 
10.42.2.17 | ReplicaSet | agent1 | 0.02m | 12.44Mi | zeek-live-container:0 | zeek:23.12.1 | +dashboards-helper-deployment-69dc54f6b6-ln4sq | Running | 10.42.2.15 | ReplicaSet | agent1 | 10.77m | 38.43Mi | dashboards-helper-container:0 | dashboards-helper:23.12.1 | +upload-deployment-586568844b-4jnk9 | Running | 10.42.2.18 | ReplicaSet | agent1 | 0.15m | 29.78Mi | upload-container:0 | file-upload:23.12.1 | +filebeat-deployment-6ff8bc444f-t7h49 | Running | 10.42.2.20 | ReplicaSet | agent1 | 2.84m | 70.71Mi | filebeat-container:0 | filebeat-oss:23.12.1 | +zeek-offline-deployment-844f4865bd-g2sdm | Running | 10.42.2.21 | ReplicaSet | agent1 | 0.17m | 41.92Mi | zeek-offline-container:0 | zeek:23.12.1 | +logstash-deployment-6fbc9fdcd5-hwx8s | Running | 10.42.2.22 | ReplicaSet | agent1 | 85.55m | 2.91Gi | logstash-container:0 | logstash-oss:23.12.1 | +netbox-deployment-cdcff4977-hbbw5 | Running | 10.42.2.23 | ReplicaSet | agent1 | 807.64m | 702.86Mi | netbox-container:0 | netbox:23.12.1 | +suricata-offline-deployment-6ccdb89478-z5696 | Running | 10.42.2.19 | ReplicaSet | agent1 | 0.22m | 34.88Mi | suricata-offline-container:0 | suricata:23.12.1 | +dashboards-deployment-69b5465db-vz88g | Running | 10.42.1.14 | ReplicaSet | agent2 | 0.94m | 100.12Mi | dashboards-container:0 | dashboards:23.12.1 | +netbox-redis-cache-deployment-5f77d47b8b-z7t2z | Running | 10.42.1.15 | ReplicaSet | agent2 | 3.57m | 7.36Mi | netbox-redis-cache-container:0 | redis:23.12.1 | +suricata-live-deployment-6494c77759-9rlnt | Running | 10.42.1.16 | ReplicaSet | agent2 | 0.02m | 9.69Mi | suricata-live-container:0 | suricata:23.12.1 | +freq-deployment-cfd84fd97-dnngf | Running | 10.42.1.17 | ReplicaSet | agent2 | 0.2m | 26.36Mi | freq-container:0 | freq:23.12.1 | +arkime-deployment-56999cdd66-s98pp | Running | 10.42.1.18 | ReplicaSet | agent2 | 4.15m | 113.07Mi | arkime-container:0 | arkime:23.12.1 | +pcap-monitor-deployment-594ff674c4-fsm7m | Running | 10.42.1.19 | ReplicaSet | agent2 | 1.24m | 48.44Mi 
| pcap-monitor-container:0 | pcap-monitor:23.12.1 | +pcap-capture-deployment-7c8bf6957-jzpzn | Running | 10.42.1.20 | ReplicaSet | agent2 | 0.02m | 9.64Mi | pcap-capture-container:0 | pcap-capture:23.12.1 | +netbox-postgres-deployment-5879b8dffc-kkt56 | Running | 10.42.1.21 | ReplicaSet | agent2 | 70.91m | 33.02Mi | netbox-postgres-container:0 | postgresql:23.12.1 | +htadmin-deployment-6fc46888b9-sq6ln | Running | 10.42.1.23 | ReplicaSet | agent2 | 0.14m | 30.53Mi | htadmin-container:0 | htadmin:23.12.1 | +netbox-redis-deployment-5bcd8f6c96-j5xpf | Running | 10.42.1.24 | ReplicaSet | agent2 | 1.46m | 7.34Mi | netbox-redis-container:0 | redis:23.12.1 | +nginx-proxy-deployment-69fcc4968d-f68tq | Running | 10.42.1.22 | ReplicaSet | agent2 | 0.31m | 22.63Mi | nginx-proxy-container:0 | nginx-proxy:23.12.1 | +opensearch-deployment-75498799f6-4zmwd | Running | 10.42.1.25 | ReplicaSet | agent2 | 89.8m | 11.03Gi | opensearch-container:0 | opensearch:23.12.1 | ``` The other control scripts (`stop`, `restart`, `logs`, etc.) work in a similar manner as in a Docker-based deployment. One notable difference is the `wipe` script: data on PersistentVolume storage cannot be deleted by `wipe`. It must be deleted manually on the storage media underlying the PersistentVolumes. @@ -307,8 +307,6 @@ Here is a basic step-by-step example illustrating how to deploy Malcolm with Kub ``` $ ls -l total 45,056 -drwxr-xr-x 2 user user 6 Apr 24 14:35 arkime-logs -drwxr-xr-x 2 user user 6 Apr 24 14:35 arkime-raw drwxr-xr-x 2 user user 4,096 Apr 24 14:35 config drwxr-xr-x 3 user user 19 Apr 24 14:35 filebeat drwxr-xr-x 2 user user 6 Apr 24 14:35 htadmin 
@@ -377,7 +375,7 @@ Enter index threshold (e.g., 250GB, 1TB, 60%, etc.): 250G Determine oldest indices by name (instead of creation time)? (Y / n): y -Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)? (y / N): y +Should Arkime delete uploaded PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)? (y / N): y Enter PCAP deletion threshold in gigabytes or as a percentage (e.g., 500, 10%, etc.): 10% 
@@ -557,28 +555,28 @@ agent1 | agent1 | 192.168.56.11 | agent1 | k3s | 6000m | agent2 | agent2 | 192.168.56.12 | agent2 | k3s | 6000m | 552.71m | 9.21% | 19.55Gi | 13.27Gi | 61.28Gi | 12 | Pod Name | State | Pod IP | Pod Kind | Worker Node | CPU Usage | Memory Usage | Container Name:Restarts | Container Image | -netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6 | ReplicaSet | agent2 | 1.89m | 7.24Mi | netbox-redis-cache-container:0 | redis:23.12.0 | -netbox-redis-deployment-5bcd8f6c96-bkzmh | Running | 10.42.2.5 | ReplicaSet | agent2 | 1.62m | 7.52Mi | netbox-redis-container:0 | redis:23.12.0 | -dashboards-helper-deployment-69dc54f6b6-ks7ps | Running | 10.42.2.4 | ReplicaSet | agent2 | 12.95m | 40.75Mi | dashboards-helper-container:0 | dashboards-helper:23.12.0 | -freq-deployment-cfd84fd97-5bwp6 | Running | 10.42.2.8 | ReplicaSet | agent2 | 0.11m | 26.33Mi | freq-container:0 | freq:23.12.0 | -pcap-capture-deployment-7c8bf6957-hkvkn | Running | 10.42.2.12 | ReplicaSet | agent2 | 0.02m | 9.21Mi | pcap-capture-container:0 | pcap-capture:23.12.0 | -nginx-proxy-deployment-69fcc4968d-m57rz | Running | 10.42.2.10 | ReplicaSet | agent2 | 0.91m | 22.72Mi | nginx-proxy-container:0 | nginx-proxy:23.12.0 | -htadmin-deployment-6fc46888b9-vpt7l | Running | 10.42.2.7 | ReplicaSet | agent2 | 0.16m | 30.21Mi | htadmin-container:0 | htadmin:23.12.0 | -opensearch-deployment-75498799f6-5v92w | Running | 10.42.2.13 | ReplicaSet | agent2 | 139.2m | 10.86Gi | opensearch-container:0 | opensearch:23.12.0 | -zeek-live-deployment-64b69d4b6f-fcb6n | Running | 10.42.2.9 | ReplicaSet | agent2 | 0.02m | 109.55Mi | zeek-live-container:0 | zeek:23.12.0 | -dashboards-deployment-69b5465db-kgsqk | Running | 10.42.2.3 | ReplicaSet | agent2 | 14.98m | 108.85Mi | dashboards-container:0 | dashboards:23.12.0 | -arkime-deployment-56999cdd66-xxpw9 | Running | 10.42.2.11 | ReplicaSet | agent2 | 208.95m | 78.42Mi | arkime-container:0 | arkime:23.12.0 | -api-deployment-6f4686cf59-xt9md | 
Running | 10.42.1.3 | ReplicaSet | agent1 | 0.14m | 56.88Mi | api-container:0 | api:23.12.0 | -netbox-postgres-deployment-5879b8dffc-lb4qm | Running | 10.42.1.6 | ReplicaSet | agent1 | 141.2m | 48.02Mi | netbox-postgres-container:0 | postgresql:23.12.0 | -pcap-monitor-deployment-594ff674c4-fwq7g | Running | 10.42.1.12 | ReplicaSet | agent1 | 3.93m | 46.44Mi | pcap-monitor-container:0 | pcap-monitor:23.12.0 | -suricata-offline-deployment-6ccdb89478-j5fgj | Running | 10.42.1.10 | ReplicaSet | agent1 | 10.42m | 35.12Mi | suricata-offline-container:0 | suricata:23.12.0 | -suricata-live-deployment-6494c77759-rpt48 | Running | 10.42.1.8 | ReplicaSet | agent1 | 0.01m | 9.62Mi | suricata-live-container:0 | suricata:23.12.0 | -netbox-deployment-cdcff4977-7ns2q | Running | 10.42.1.7 | ReplicaSet | agent1 | 830.47m | 530.7Mi | netbox-container:0 | netbox:23.12.0 | -zeek-offline-deployment-844f4865bd-7x68b | Running | 10.42.1.9 | ReplicaSet | agent1 | 1.44m | 43.66Mi | zeek-offline-container:0 | zeek:23.12.0 | -filebeat-deployment-6ff8bc444f-pdgzj | Running | 10.42.1.11 | ReplicaSet | agent1 | 0.78m | 75.25Mi | filebeat-container:0 | filebeat-oss:23.12.0 | -file-monitor-deployment-855646bd75-nbngq | Running | 10.42.1.4 | ReplicaSet | agent1 | 1.69m | 1.46Gi | file-monitor-container:0 | file-monitor:23.12.0 | -upload-deployment-586568844b-9s7f5 | Running | 10.42.1.13 | ReplicaSet | agent1 | 0.14m | 29.62Mi | upload-container:0 | file-upload:23.12.0 | -logstash-deployment-6fbc9fdcd5-2hhx8 | Running | 10.42.1.5 | ReplicaSet | agent1 | 3236.29m | 357.36Mi | logstash-container:0 | logstash-oss:23.12.0 | +netbox-redis-cache-deployment-5f77d47b8b-jr9nt | Running | 10.42.2.6 | ReplicaSet | agent2 | 1.89m | 7.24Mi | netbox-redis-cache-container:0 | redis:23.12.1 | +netbox-redis-deployment-5bcd8f6c96-bkzmh | Running | 10.42.2.5 | ReplicaSet | agent2 | 1.62m | 7.52Mi | netbox-redis-container:0 | redis:23.12.1 | +dashboards-helper-deployment-69dc54f6b6-ks7ps | Running | 10.42.2.4 | 
ReplicaSet | agent2 | 12.95m | 40.75Mi | dashboards-helper-container:0 | dashboards-helper:23.12.1 | +freq-deployment-cfd84fd97-5bwp6 | Running | 10.42.2.8 | ReplicaSet | agent2 | 0.11m | 26.33Mi | freq-container:0 | freq:23.12.1 | +pcap-capture-deployment-7c8bf6957-hkvkn | Running | 10.42.2.12 | ReplicaSet | agent2 | 0.02m | 9.21Mi | pcap-capture-container:0 | pcap-capture:23.12.1 | +nginx-proxy-deployment-69fcc4968d-m57rz | Running | 10.42.2.10 | ReplicaSet | agent2 | 0.91m | 22.72Mi | nginx-proxy-container:0 | nginx-proxy:23.12.1 | +htadmin-deployment-6fc46888b9-vpt7l | Running | 10.42.2.7 | ReplicaSet | agent2 | 0.16m | 30.21Mi | htadmin-container:0 | htadmin:23.12.1 | +opensearch-deployment-75498799f6-5v92w | Running | 10.42.2.13 | ReplicaSet | agent2 | 139.2m | 10.86Gi | opensearch-container:0 | opensearch:23.12.1 | +zeek-live-deployment-64b69d4b6f-fcb6n | Running | 10.42.2.9 | ReplicaSet | agent2 | 0.02m | 109.55Mi | zeek-live-container:0 | zeek:23.12.1 | +dashboards-deployment-69b5465db-kgsqk | Running | 10.42.2.3 | ReplicaSet | agent2 | 14.98m | 108.85Mi | dashboards-container:0 | dashboards:23.12.1 | +arkime-deployment-56999cdd66-xxpw9 | Running | 10.42.2.11 | ReplicaSet | agent2 | 208.95m | 78.42Mi | arkime-container:0 | arkime:23.12.1 | +api-deployment-6f4686cf59-xt9md | Running | 10.42.1.3 | ReplicaSet | agent1 | 0.14m | 56.88Mi | api-container:0 | api:23.12.1 | +netbox-postgres-deployment-5879b8dffc-lb4qm | Running | 10.42.1.6 | ReplicaSet | agent1 | 141.2m | 48.02Mi | netbox-postgres-container:0 | postgresql:23.12.1 | +pcap-monitor-deployment-594ff674c4-fwq7g | Running | 10.42.1.12 | ReplicaSet | agent1 | 3.93m | 46.44Mi | pcap-monitor-container:0 | pcap-monitor:23.12.1 | +suricata-offline-deployment-6ccdb89478-j5fgj | Running | 10.42.1.10 | ReplicaSet | agent1 | 10.42m | 35.12Mi | suricata-offline-container:0 | suricata:23.12.1 | +suricata-live-deployment-6494c77759-rpt48 | Running | 10.42.1.8 | ReplicaSet | agent1 | 0.01m | 9.62Mi | 
suricata-live-container:0 | suricata:23.12.1 | +netbox-deployment-cdcff4977-7ns2q | Running | 10.42.1.7 | ReplicaSet | agent1 | 830.47m | 530.7Mi | netbox-container:0 | netbox:23.12.1 | +zeek-offline-deployment-844f4865bd-7x68b | Running | 10.42.1.9 | ReplicaSet | agent1 | 1.44m | 43.66Mi | zeek-offline-container:0 | zeek:23.12.1 | +filebeat-deployment-6ff8bc444f-pdgzj | Running | 10.42.1.11 | ReplicaSet | agent1 | 0.78m | 75.25Mi | filebeat-container:0 | filebeat-oss:23.12.1 | +file-monitor-deployment-855646bd75-nbngq | Running | 10.42.1.4 | ReplicaSet | agent1 | 1.69m | 1.46Gi | file-monitor-container:0 | file-monitor:23.12.1 | +upload-deployment-586568844b-9s7f5 | Running | 10.42.1.13 | ReplicaSet | agent1 | 0.14m | 29.62Mi | upload-container:0 | file-upload:23.12.1 | +logstash-deployment-6fbc9fdcd5-2hhx8 | Running | 10.42.1.5 | ReplicaSet | agent1 | 3236.29m | 357.36Mi | logstash-container:0 | logstash-oss:23.12.1 | ``` View container logs for the Malcolm deployment with `./scripts/logs` (if **[stern](https://github.com/stern/stern)** present in `$PATH`): diff --git a/docs/live-analysis.md b/docs/live-analysis.md index 4e8dd7453..1389384db 100644 --- a/docs/live-analysis.md +++ b/docs/live-analysis.md @@ -3,6 +3,7 @@ * [Live analysis](#LiveAnalysis) - [Using a network sensor appliance](#Hedgehog) - [Monitoring local network interfaces](#LocalPCAP) + + ["Hedgehog" run profile](#Profiles) - [Manually forwarding logs from an external source](#ExternalForward) ## Using a network sensor appliance 
@@ -18,16 +19,22 @@ Please see the [Hedgehog Linux README](hedgehog.md) for more information. ## Monitoring local network interfaces -Malcolm's `pcap-capture`, `suricata-live` and `zeek-live` containers can monitor one or more local network interfaces, specified by the `PCAP_IFACE` environment variable in [`pcap-capture.env`](malcolm-config.md#MalcolmConfigEnvVars). These containers are started with additional privileges (`IPC_LOCK`, `NET_ADMIN`, `NET_RAW`, and `SYS_ADMIN`) to allow opening network interfaces in promiscuous mode for capture. +The options for monitoring traffic on local network interfaces can be [configured](malcolm-hedgehog-e2e-iso-install.md#MalcolmConfig) by running [`./scripts/configure`](malcolm-config.md#ConfigAndTuning). -The instances of Zeek and Suricata (in the `suricata-live` and `zeek-live` containers when the `SURICATA_LIVE_CAPTURE` and `ZEEK_LIVE_CAPTURE` [environment variables](malcolm-config.md#MalcolmConfigEnvVars) are set to `true`, respectively) analyze traffic on-the-fly and generate log files containing network session metadata. These log files are in turn scanned by [Filebeat](https://www.elastic.co/products/beats/filebeat) and forwarded to [Logstash](https://www.elastic.co/products/logstash) for enrichment and indexing into the [OpenSearch](https://opensearch.org/) document store. +Malcolm's `pcap-capture`, `suricata-live` and `zeek-live` containers can monitor one or more local network interfaces, specified by the `PCAP_IFACE` environment variable in [`pcap-capture.env`](malcolm-config.md#MalcolmConfigEnvVars). These containers are started with additional privileges to allow opening network interfaces in promiscuous mode for capture. 
-In contrast, the `pcap-capture` container buffers traffic to PCAP files and periodically rotates these files for processing (by Arkime's `capture` utlity in the `arkime` container) according to the thresholds defined by the `PCAP_ROTATE_MEGABYTES` and `PCAP_ROTATE_MINUTES` environment variables in [`pcap-capture.env`](malcolm-config.md#MalcolmConfigEnvVars). If for some reason (e.g., a low resources environment) you also want Zeek and Suricata to process these intermediate PCAP files rather than monitoring the network interfaces directly, you can set `SURICATA_ROTATED_PCAP`/`ZEEK_ROTATED_PCAP` to `true` and `SURICATA_LIVE_CAPTURE`/`ZEEK_LIVE_CAPTURE` to false. +The instances of Zeek and Suricata (in the `suricata-live` and `zeek-live` containers when the `SURICATA_LIVE_CAPTURE` and `ZEEK_LIVE_CAPTURE` [environment variables](malcolm-config.md#MalcolmConfigEnvVars) are set to `true`, respectively) analyze traffic on-the-fly and generate log files containing network session metadata. These log files are in turn scanned by [Filebeat](https://www.elastic.co/products/beats/filebeat) and forwarded to [Logstash](https://www.elastic.co/products/logstash) for enrichment and indexing into the [OpenSearch](https://opensearch.org/) document store. -These various options for monitoring traffic on local network interfaces can also be configured by running [`./scripts/configure`](malcolm-config.md#ConfigAndTuning). +In contrast, the `pcap-capture` container buffers traffic to PCAP files and periodically rotates these files for processing (by Arkime's `capture` utlity in the `arkime` container) according to the thresholds defined by the `PCAP_ROTATE_MEGABYTES` and `PCAP_ROTATE_MINUTES` environment variables in [`pcap-capture.env`](malcolm-config.md#MalcolmConfigEnvVars). 
If for some reason (e.g., a low resources environment) you also want Zeek and Suricata to process these intermediate PCAP files rather than monitoring the network interfaces directly, you can set `SURICATA_ROTATED_PCAP`/`ZEEK_ROTATED_PCAP` to `true` and `SURICATA_LIVE_CAPTURE`/`ZEEK_LIVE_CAPTURE` to false. The only exception to this behavior (i.e., the creation of intermediate PCAP files by `netsniff-ng` or `tcpdump` in the `pcap-capture` which are periodically rolled over for processing by Arkime) is when running the ["Hedgehog" run profile](#Profiles) or when using [a remote OpenSearch or Elasticsearch instance](opensearch-instances.md#OpenSearchInstance). In either of these configurations, users may choose to have Arkime's `capture` tool monitor live traffic on the network interface without using the intermediate PCAP file. Note that Microsoft Windows and Apple macOS platforms currently run Docker inside of a virtualized environment. Live traffic capture and analysis on those platforms would require additional configuration of virtual interfaces and port forwarding in Docker, which is outside of the scope of this document. +### "Hedgehog" run profile + +Another configuration for monitoring local network interfaces is to use the `hedgehog` run profile. During [Malcolm configuration](malcolm-hedgehog-e2e-iso-install.md#MalcolmConfig) users are prompted "**Run with Malcolm (all containers) or Hedgehog (capture only) profile?**" Docker Compose can use [profiles](https://docs.docker.com/compose/profiles/) to selectively start services. While the `malcolm` run profile runs all of Malcolm's containers (OpenSearch, Dashboards, LogStash, etc.), the `hedgehog` profile runs *only* the containers necessary for traffic capture. + +When configuring the `hedgehog` profile, users must provide connection details for another Malcolm instance to which to forward its network traffic logs. 
+ ## Manually forwarding logs from an external source Malcolm's Logstash instance can also be configured to accept logs from a [remote forwarder](https://www.elastic.co/products/beats/filebeat) by running [`./scripts/configure`](malcolm-config.md#ConfigAndTuning) and answering "yes" to "`Expose Logstash port to external hosts?`" Enabling encrypted transport of these log files is discussed in [Configure authentication](authsetup.md#AuthSetup) and the description of the `BEATS_SSL` environment variable in [`beats-common.env`](malcolm-config.md#MalcolmConfigEnvVars). diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md index fc2fe24c2..94ee44959 100644 --- a/docs/malcolm-config.md +++ b/docs/malcolm-config.md 
@@ -9,7 +9,7 @@ Run `./scripts/configure` and answer the questions to configure Malcolm. For an Although the configuration script automates many of the following configuration and tuning parameters, some environment variables of particular interest are listed here for reference. * **`arkime.env`** and **`arkime-secret.env`** - settings for [Arkime](https://arkime.com/) - - `ARKIME_ANALYZE_PCAP_THREADS` – the number of threads available to Arkime for analyzing PCAP files (default `1`) + - `ARKIME_AUTO_ANALYZE_PCAP_THREADS` – the number of threads available to Arkime for analyzing PCAP files (default `1`) - `ARKIME_PASSWORD_SECRET` - the password hash secret for the Arkime viewer cluster (see `passwordSecret` in [Arkime INI Settings](https://arkime.com/settings)) used to secure the connection used when Arkime viewer retrieves a PCAP payload for display in its user interface - `MANAGE_PCAP_FILES` – if set to `true`, all PCAP files imported into Malcolm will be marked as available for deletion by Arkime if available storage space becomes too low (default `false`) - `MAXMIND_GEOIP_DB_LICENSE_KEY` - Malcolm uses MaxMind's free GeoLite2 databases for GeoIP lookups. As of December 30, 2019, these databases are [no longer available](https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/) for download via a public URL. Instead, they must be downloaded using a MaxMind license key (available without charge [from MaxMind](https://www.maxmind.com/en/geolite2/signup)). The license key can be specified here for GeoIP database downloads during build- and run-time. 
@@ -69,12 +69,12 @@ Although the configuration script automates many of the following configuration - `SURICATA_UPDATE_RULES` – if set to `true`, Suricata signatures will periodically be updated (default `false`) - `SURICATA_LIVE_CAPTURE` - if set to `true`, Suricata will monitor live traffic on the local interface(s) defined by `PCAP_FILTER` - `SURICATA_ROTATED_PCAP` - if set to `true`, Suricata can analyze PCAP files captured by `netsniff-ng` or `tcpdump` (see `PCAP_ENABLE_NETSNIFF` and `PCAP_ENABLE_TCPDUMP`, as well as `SURICATA_AUTO_ANALYZE_PCAP_FILES`); if `SURICATA_LIVE_CAPTURE` is `true`, this should be `false`; otherwise Suricata will see duplicate traffic + - `SURICATA_DISABLE_ICS_ALL` - if set to `true`, this variable can be used to disable Malcolm's [built-in Suricata rules for Operational Technology/Industrial Control Systems (OT/ICS) vulnerabilities and exploits]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/suricata/rules-default/OT) - `SURICATA_…` - the [`suricata` container entrypoint script]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/shared/bin/suricata_config_populate.py) can use **many** more environment variables to tweak [suricata.yaml](https://github.com/OISF/suricata/blob/master/suricata.yaml.in); in that script, `DEFAULT_VARS` defines those variables (albeit without the `SURICATA_` prefix you must add to each for use) Note that for some variables (e.g., something with a sequence like `HOME_NET`) Suricata wants values to be quoted. 
To accomplish that in the `suricata.env` file, use outer single quotes with inner double quotes, like this: + `SURICATA_HOME_NET='"[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"'` * **`upload-common.env`** - settings for dealing with PCAP files [uploaded](upload.md#Upload) to Malcolm for analysis - `AUTO_TAG` – if set to `true`, Malcolm will automatically create Arkime sessions and Zeek logs with tags based on the filename, as described in [Tagging](upload.md#Tagging) (default `true`) - `PCAP_NODE_NAME` - specifies the node name to associate with network traffic metadata - - `PCAP_NODE_HOST` - specifies the node host or IP address to associate with network traffic metadata (optional, defaults to the value of `PCAP_NODE_NAME`; generally this value *does not* need to be specified) * **`zeek.env`**, **`zeek-secret.env`**, **`zeek-live.env`** and **`zeek-offline.env`** - settings for [Zeek](https://www.zeek.org/index.html) and for scanning [extracted files](file-scanning.md#ZeekFileExtraction) Zeek observes in network traffic - `EXTRACTED_FILE_CAPA_VERBOSE` – if set to `true`, all Capa rule hits will be logged; otherwise (`false`) only [MITRE ATT&CK® technique](https://attack.mitre.org/techniques) classifications will be logged - `EXTRACTED_FILE_ENABLE_CAPA` – if set to `true`, [Zeek-extracted files](file-scanning.md#ZeekFileExtraction) determined to be PE (portable executable) files will be scanned with [Capa](https://github.com/fireeye/capa) diff --git a/docs/malcolm-hedgehog-e2e-iso-install.md b/docs/malcolm-hedgehog-e2e-iso-install.md index a537f9f65..cc756826a 100644 --- a/docs/malcolm-hedgehog-e2e-iso-install.md +++ b/docs/malcolm-hedgehog-e2e-iso-install.md 
@@ -177,7 +177,7 @@ The [configuration and tuning](malcolm-config.md#ConfigAndTuning) wizard's quest - Choose **Y** to proceed to the following related questions about managing the data storage used by Malcolm. - **Delete the oldest indices when the database exceeds a certain size?** - Most of the configuration around OpenSearch [Index State Management](https://opensearch.org/docs/latest/im-plugin/ism/index/) and [Snapshot Management](https://opensearch.org/docs/latest/opensearch/snapshots/sm-dashboards/) can be done in OpenSearch Dashboards. In addition to (or instead of) the OpenSearch index state management operations, Malcolm can also be configured to delete the oldest network session metadata indices when the database exceeds a certain size to prevent filling up all available storage with OpenSearch indices. - - **Should Arkime delete PCAP files based on available storage?** + - **Should Arkime delete uploaded PCAP files based on available storage?** - Answering **Y** allows Arkime to prune (delete) old PCAP files based on available disk space (see https://arkime.com/faq#pcap-deletion). - **Enter PCAP deletion threshold in gigabytes or as a percentage (e.g., 500, 10%, etc.)** - If [Arkime PCAP-deletion](https://arkime.com/faq#pcap-deletion) is enabled, Arkime will delete PCAP files when **free space** is lower than this value, specified as integer gigabytes (e.g., `500`) or a percentage (e.g., `10%`) 
@@ -572,9 +572,9 @@ Despite configuring capture and/or forwarder services as described in previous s * **AUTOSTART_FILEBEAT** - [filebeat](#Hedgehogfilebeat) Zeek and Suricata log forwarder * **AUTOSTART_FLUENTBIT_AIDE** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/exec) [AIDE](https://aide.github.io/) file system integrity checks * **AUTOSTART_FLUENTBIT_AUDITLOG** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/tail) [auditd](https://man7.org/linux/man-pages/man8/auditd.8.html) logs -* *AUTOSTART_FLUENTBIT_KMSG* - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/kernel-logs) the Linux kernel log buffer (these are generally reflected in syslog as well, which may make this agent redundant) +* *AUTOSTART_FLUENTBIT_KMSG* - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/kernel-logs) the Linux kernel log buffer (these are generally reflected in the Systemd log as well, which may make this agent redundant) * **AUTOSTART_FLUENTBIT_METRICS** - [Fluent Bit](https://fluentbit.io/) agent for collecting [various](https://docs.fluentbit.io/manual/pipeline/inputs) system resource and performance metrics -* **AUTOSTART_FLUENTBIT_SYSLOG** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/syslog) Linux syslog messages +* **AUTOSTART_FLUENTBIT_SYSTEMD** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/systemd) log messages from the Linux Journald daemon * **AUTOSTART_FLUENTBIT_THERMAL** - [Fluent Bit](https://fluentbit.io/) agent [monitoring](https://docs.fluentbit.io/manual/pipeline/inputs/thermal) system temperatures (only applicable on actual hardware, not if Hedgehog is running on a virtual machine) * **AUTOSTART_MISCBEAT** - 
[filebeat](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-tcp.html) forwarder which sends system metrics collected by [Fluent Bit](https://fluentbit.io/) to a remote Logstash instance (e.g., [Malcolm]({{ site.github.repository_url }})'s) * *AUTOSTART_NETSNIFF* - [netsniff-ng](http://netsniff-ng.org/) PCAP engine for saving packet capture (PCAP) files @@ -617,7 +617,7 @@ fluentbit-metrics:disk RUNNING pid 6468, uptime 0:03:17 fluentbit-metrics:mem RUNNING pid 6472, uptime 0:03:17 fluentbit-metrics:mem_p RUNNING pid 6473, uptime 0:03:17 fluentbit-metrics:netif RUNNING pid 6474, uptime 0:03:17 -fluentbit-syslog RUNNING pid 6478, uptime 0:03:17 +fluentbit-systemd RUNNING pid 6478, uptime 0:03:17 fluentbit-thermal RUNNING pid 6480, uptime 0:03:17 netsniff:netsniff-enp1s0 STOPPED Not started prune:prune-pcap RUNNING pid 6484, uptime 0:03:17 diff --git a/docs/malcolm-iso.md b/docs/malcolm-iso.md index 309c48309..640276d77 100644 --- a/docs/malcolm-iso.md +++ b/docs/malcolm-iso.md @@ -41,7 +41,7 @@ Building the ISO may take 30 minutes or more depending on the system. As the bui ``` … -Finished, created "/malcolm-build/malcolm-iso/malcolm-23.12.0.iso" +Finished, created "/malcolm-build/malcolm-iso/malcolm-23.12.1.iso" … ``` diff --git a/docs/quickstart.md b/docs/quickstart.md index 0a6accdb5..91adf3d93 100644 --- a/docs/quickstart.md +++ b/docs/quickstart.md 
@@ -54,25 +54,25 @@ You can then observe the images have been retrieved by running `docker images`: ``` $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -ghcr.io/idaholab/malcolm/api 23.12.0 xxxxxxxxxxxx 3 days ago 158MB -ghcr.io/idaholab/malcolm/arkime 23.12.0 xxxxxxxxxxxx 3 days ago 816MB -ghcr.io/idaholab/malcolm/dashboards 23.12.0 xxxxxxxxxxxx 3 days ago 1.02GB -ghcr.io/idaholab/malcolm/dashboards-helper 23.12.0 xxxxxxxxxxxx 3 days ago 184MB -ghcr.io/idaholab/malcolm/file-monitor 23.12.0 xxxxxxxxxxxx 3 days ago 588MB -ghcr.io/idaholab/malcolm/file-upload 23.12.0 xxxxxxxxxxxx 3 days ago 259MB -ghcr.io/idaholab/malcolm/filebeat-oss 23.12.0 xxxxxxxxxxxx 3 days ago 624MB -ghcr.io/idaholab/malcolm/freq 23.12.0 xxxxxxxxxxxx 3 days ago 132MB -ghcr.io/idaholab/malcolm/htadmin 23.12.0 xxxxxxxxxxxx 3 days ago 242MB -ghcr.io/idaholab/malcolm/logstash-oss 23.12.0 xxxxxxxxxxxx 3 days ago 1.35GB -ghcr.io/idaholab/malcolm/netbox 23.12.0 xxxxxxxxxxxx 3 days ago 1.01GB -ghcr.io/idaholab/malcolm/nginx-proxy 23.12.0 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/opensearch 23.12.0 xxxxxxxxxxxx 3 days ago 1.17GB -ghcr.io/idaholab/malcolm/pcap-capture 23.12.0 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/pcap-monitor 23.12.0 xxxxxxxxxxxx 3 days ago 213MB -ghcr.io/idaholab/malcolm/postgresql 23.12.0 xxxxxxxxxxxx 3 days ago 268MB -ghcr.io/idaholab/malcolm/redis 23.12.0 xxxxxxxxxxxx 3 days ago 34.2MB -ghcr.io/idaholab/malcolm/suricata 23.12.0 xxxxxxxxxxxx 3 days ago 278MB -ghcr.io/idaholab/malcolm/zeek 23.12.0 xxxxxxxxxxxx 3 days ago 1GB +ghcr.io/idaholab/malcolm/api 23.12.1 xxxxxxxxxxxx 3 days ago 158MB +ghcr.io/idaholab/malcolm/arkime 23.12.1 xxxxxxxxxxxx 3 days ago 816MB +ghcr.io/idaholab/malcolm/dashboards 23.12.1 xxxxxxxxxxxx 3 days ago 1.02GB +ghcr.io/idaholab/malcolm/dashboards-helper 23.12.1 xxxxxxxxxxxx 3 days ago 184MB +ghcr.io/idaholab/malcolm/file-monitor 23.12.1 xxxxxxxxxxxx 3 days ago 588MB +ghcr.io/idaholab/malcolm/file-upload 23.12.1 xxxxxxxxxxxx 
3 days ago 259MB +ghcr.io/idaholab/malcolm/filebeat-oss 23.12.1 xxxxxxxxxxxx 3 days ago 624MB +ghcr.io/idaholab/malcolm/freq 23.12.1 xxxxxxxxxxxx 3 days ago 132MB +ghcr.io/idaholab/malcolm/htadmin 23.12.1 xxxxxxxxxxxx 3 days ago 242MB +ghcr.io/idaholab/malcolm/logstash-oss 23.12.1 xxxxxxxxxxxx 3 days ago 1.35GB +ghcr.io/idaholab/malcolm/netbox 23.12.1 xxxxxxxxxxxx 3 days ago 1.01GB +ghcr.io/idaholab/malcolm/nginx-proxy 23.12.1 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/opensearch 23.12.1 xxxxxxxxxxxx 3 days ago 1.17GB +ghcr.io/idaholab/malcolm/pcap-capture 23.12.1 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/pcap-monitor 23.12.1 xxxxxxxxxxxx 3 days ago 213MB +ghcr.io/idaholab/malcolm/postgresql 23.12.1 xxxxxxxxxxxx 3 days ago 268MB +ghcr.io/idaholab/malcolm/redis 23.12.1 xxxxxxxxxxxx 3 days ago 34.2MB +ghcr.io/idaholab/malcolm/suricata 23.12.1 xxxxxxxxxxxx 3 days ago 278MB +ghcr.io/idaholab/malcolm/zeek 23.12.1 xxxxxxxxxxxx 3 days ago 1GB ``` ### Import from pre-packaged tarballs diff --git a/docs/ubuntu-install-example.md b/docs/ubuntu-install-example.md index 9278935e1..389a0ad39 100644 --- a/docs/ubuntu-install-example.md +++ b/docs/ubuntu-install-example.md @@ -179,7 +179,7 @@ Scan extracted PE files with Capa? (y / N): y Lookup extracted file hashes with VirusTotal? (y / N): n -Download updated file scanner signatures periodically? (n/Y): y +Download updated file scanner signatures periodically? (Y / n): n Should Malcolm run and maintain an instance of NetBox, an infrastructure resource modeling tool? (y / N): n 
@@ -190,7 +190,9 @@ Should Malcolm capture live network traffic? 2 Specify capture interface(s) (comma-separated): eth0 -Enable dark mode for OpenSearch Dashboards? (n/Y): y +Enable dark mode for OpenSearch Dashboards? (Y / n): y + +Pull Malcolm Docker images (y / N): y Malcolm has been installed to /home/user/Malcolm. See README.md for more information. Scripts for starting and stopping Malcolm and changing authentication-related settings can be found in /home/user/Malcolm/scripts. @@ -227,7 +229,7 @@ As an alternative to manually copying the files to the sensor, Malcolm can facil In this example, rather than [building Malcolm from scratch](development.md#Build), images may be pulled from [GitHub](https://github.com/orgs/idaholab/packages?repo_name=Malcolm): ``` -user@host:~/Malcolm$ docker compose pull +user@host:~/Malcolm$ docker compose --profile malcolm pull Pulling api ... done Pulling arkime ... done Pulling dashboards ... done 
@@ -250,25 +252,25 @@ Pulling zeek ... done user@host:~/Malcolm$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE -ghcr.io/idaholab/malcolm/api 23.12.0 xxxxxxxxxxxx 3 days ago 158MB -ghcr.io/idaholab/malcolm/arkime 23.12.0 xxxxxxxxxxxx 3 days ago 816MB -ghcr.io/idaholab/malcolm/dashboards 23.12.0 xxxxxxxxxxxx 3 days ago 1.02GB -ghcr.io/idaholab/malcolm/dashboards-helper 23.12.0 xxxxxxxxxxxx 3 days ago 184MB -ghcr.io/idaholab/malcolm/file-monitor 23.12.0 xxxxxxxxxxxx 3 days ago 588MB -ghcr.io/idaholab/malcolm/file-upload 23.12.0 xxxxxxxxxxxx 3 days ago 259MB -ghcr.io/idaholab/malcolm/filebeat-oss 23.12.0 xxxxxxxxxxxx 3 days ago 624MB -ghcr.io/idaholab/malcolm/freq 23.12.0 xxxxxxxxxxxx 3 days ago 132MB -ghcr.io/idaholab/malcolm/htadmin 23.12.0 xxxxxxxxxxxx 3 days ago 242MB -ghcr.io/idaholab/malcolm/logstash-oss 23.12.0 xxxxxxxxxxxx 3 days ago 1.35GB -ghcr.io/idaholab/malcolm/netbox 23.12.0 xxxxxxxxxxxx 3 days ago 1.01GB -ghcr.io/idaholab/malcolm/nginx-proxy 23.12.0 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/opensearch 23.12.0 xxxxxxxxxxxx 3 days ago 1.17GB -ghcr.io/idaholab/malcolm/pcap-capture 23.12.0 xxxxxxxxxxxx 3 days ago 121MB -ghcr.io/idaholab/malcolm/pcap-monitor 23.12.0 xxxxxxxxxxxx 3 days ago 213MB -ghcr.io/idaholab/malcolm/postgresql 23.12.0 xxxxxxxxxxxx 3 days ago 268MB -ghcr.io/idaholab/malcolm/redis 23.12.0 xxxxxxxxxxxx 3 days ago 34.2MB -ghcr.io/idaholab/malcolm/suricata 23.12.0 xxxxxxxxxxxx 3 days ago 278MB -ghcr.io/idaholab/malcolm/zeek 23.12.0 xxxxxxxxxxxx 3 days ago 1GB +ghcr.io/idaholab/malcolm/api 23.12.1 xxxxxxxxxxxx 3 days ago 158MB +ghcr.io/idaholab/malcolm/arkime 23.12.1 xxxxxxxxxxxx 3 days ago 816MB +ghcr.io/idaholab/malcolm/dashboards 23.12.1 xxxxxxxxxxxx 3 days ago 1.02GB +ghcr.io/idaholab/malcolm/dashboards-helper 23.12.1 xxxxxxxxxxxx 3 days ago 184MB +ghcr.io/idaholab/malcolm/file-monitor 23.12.1 xxxxxxxxxxxx 3 days ago 588MB +ghcr.io/idaholab/malcolm/file-upload 23.12.1 xxxxxxxxxxxx 3 days ago 259MB 
+ghcr.io/idaholab/malcolm/filebeat-oss 23.12.1 xxxxxxxxxxxx 3 days ago 624MB +ghcr.io/idaholab/malcolm/freq 23.12.1 xxxxxxxxxxxx 3 days ago 132MB +ghcr.io/idaholab/malcolm/htadmin 23.12.1 xxxxxxxxxxxx 3 days ago 242MB +ghcr.io/idaholab/malcolm/logstash-oss 23.12.1 xxxxxxxxxxxx 3 days ago 1.35GB +ghcr.io/idaholab/malcolm/netbox 23.12.1 xxxxxxxxxxxx 3 days ago 1.01GB +ghcr.io/idaholab/malcolm/nginx-proxy 23.12.1 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/opensearch 23.12.1 xxxxxxxxxxxx 3 days ago 1.17GB +ghcr.io/idaholab/malcolm/pcap-capture 23.12.1 xxxxxxxxxxxx 3 days ago 121MB +ghcr.io/idaholab/malcolm/pcap-monitor 23.12.1 xxxxxxxxxxxx 3 days ago 213MB +ghcr.io/idaholab/malcolm/postgresql 23.12.1 xxxxxxxxxxxx 3 days ago 268MB +ghcr.io/idaholab/malcolm/redis 23.12.1 xxxxxxxxxxxx 3 days ago 34.2MB +ghcr.io/idaholab/malcolm/suricata 23.12.1 xxxxxxxxxxxx 3 days ago 278MB +ghcr.io/idaholab/malcolm/zeek 23.12.1 xxxxxxxxxxxx 3 days ago 1GB ``` Finally, start Malcolm. When Malcolm starts it will stream informational and debug messages to the console until it has completed initializing. diff --git a/file-monitor/docker-entrypoint.sh b/file-monitor/docker-entrypoint.sh index eb9955a1c..0027ecfd6 100755 --- a/file-monitor/docker-entrypoint.sh +++ b/file-monitor/docker-entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. if [[ -z $EXTRACTED_FILE_ENABLE_CLAMAV ]]; then EXTRACTED_FILE_ENABLE_CLAMAV=false diff --git a/file-monitor/supervisord.conf b/file-monitor/supervisord.conf index d39508348..78cf4d79b 100644 --- a/file-monitor/supervisord.conf +++ b/file-monitor/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. [unix_http_server] file=/tmp/supervisor.sock ; (the path to the socket file) 
diff --git a/file-upload/docker-entrypoint.sh b/file-upload/docker-entrypoint.sh index 85dacd97f..f4b3c3afc 100755 --- a/file-upload/docker-entrypoint.sh +++ b/file-upload/docker-entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. if [[ -z $MALCOLM_USERNAME || -z $MALCOLM_PASSWORD ]]; then echo "Please set the SSH username and (openssl-encrypted then base64-encoded) password by adding the following arguments to docker run/create:" diff --git a/file-upload/supervisord.conf b/file-upload/supervisord.conf index f85dac136..5a6f22aa2 100644 --- a/file-upload/supervisord.conf +++ b/file-upload/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. [unix_http_server] file=/tmp/supervisor.sock ; (the path to the socket file) diff --git a/filebeat/filebeat-nginx.yml b/filebeat/filebeat-nginx.yml index 7bd453f6c..2d1247d13 100644 --- a/filebeat/filebeat-nginx.yml +++ b/filebeat/filebeat-nginx.yml @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. name: "${PCAP_NODE_NAME:malcolm}" diff --git a/filebeat/filebeat-tcp.yml b/filebeat/filebeat-tcp.yml index 6a208eedc..dd5353579 100644 --- a/filebeat/filebeat-tcp.yml +++ b/filebeat/filebeat-tcp.yml @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. name: "${PCAP_NODE_NAME:malcolm}" diff --git a/filebeat/filebeat.yml b/filebeat/filebeat.yml index 046c1947f..f4429083a 100644 --- a/filebeat/filebeat.yml +++ b/filebeat/filebeat.yml 
@@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. name: "${PCAP_NODE_NAME:malcolm}" diff --git a/filebeat/scripts/filebeat-clean-zeeklogs-processed-folder.py b/filebeat/scripts/filebeat-clean-zeeklogs-processed-folder.py index 736e7c0e7..2484f9c39 100755 --- a/filebeat/scripts/filebeat-clean-zeeklogs-processed-folder.py +++ b/filebeat/scripts/filebeat-clean-zeeklogs-processed-folder.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. import os @@ -9,7 +9,6 @@ import errno import time import fcntl -import fnmatch import magic import json import pprint diff --git a/filebeat/scripts/filebeat-process-zeek-folder-functions.sh b/filebeat/scripts/filebeat-process-zeek-folder-functions.sh index 806e0e44c..17cd2e8ff 100755 --- a/filebeat/scripts/filebeat-process-zeek-folder-functions.sh +++ b/filebeat/scripts/filebeat-process-zeek-folder-functions.sh @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. function in_array() { local haystack="${1}[@]" diff --git a/filebeat/scripts/filebeat-process-zeek-folder.sh b/filebeat/scripts/filebeat-process-zeek-folder.sh index 7b0c89c3c..825e26609 100755 --- a/filebeat/scripts/filebeat-process-zeek-folder.sh +++ b/filebeat/scripts/filebeat-process-zeek-folder.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # for files (sort -V (natural)) under /zeek that: diff --git a/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.py b/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.py index 7139361b6..aca0a0893 100755 
--- a/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.py +++ b/filebeat/scripts/filebeat-watch-zeeklogs-uploads-folder.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. ################################################################################################### # Monitor a directory for PCAP files for processing (by publishing their filenames to a ZMQ socket) diff --git a/filebeat/scripts/zeek-log-field-bitmap.py b/filebeat/scripts/zeek-log-field-bitmap.py index 8e05898ea..6ee960c40 100755 --- a/filebeat/scripts/zeek-log-field-bitmap.py +++ b/filebeat/scripts/zeek-log-field-bitmap.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. ################################################################################################### # parse the fields names from the header of of the log file and compare them to the diff --git a/filebeat/supervisord.conf b/filebeat/supervisord.conf index 705ebc304..24c402bf6 100644 --- a/filebeat/supervisord.conf +++ b/filebeat/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. [unix_http_server] file=/tmp/supervisor.sock ; (the path to the socket file) diff --git a/freq-server/supervisord.conf b/freq-server/supervisord.conf index e1f73dff7..0fc672422 100644 --- a/freq-server/supervisord.conf +++ b/freq-server/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. [unix_http_server] file=/tmp/supervisor.sock ; (the path to the socket file) 
diff --git a/htadmin/supervisord.conf b/htadmin/supervisord.conf index c93a6d9b0..c0aba0f9d 100644 --- a/htadmin/supervisord.conf +++ b/htadmin/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. [unix_http_server] file=/tmp/supervisor.sock ; (the path to the socket file) diff --git a/kubernetes/03-opensearch.yml b/kubernetes/03-opensearch.yml index 2f0ff97b0..97ef53dfe 100644 --- a/kubernetes/03-opensearch.yml +++ b/kubernetes/03-opensearch.yml @@ -30,14 +30,16 @@ spec: spec: containers: - name: opensearch-container - image: ghcr.io/idaholab/malcolm/opensearch:23.12.0 + image: ghcr.io/idaholab/malcolm/opensearch:23.12.1 imagePullPolicy: Always stdin: false tty: true securityContext: capabilities: add: + # IPC_LOCK - to lock memory, preventing swapping - IPC_LOCK + # SYS_RESOURCE - for increasing memlock limits - SYS_RESOURCE ports: - name: opensearch @@ -69,7 +71,7 @@ spec: subPath: "opensearch" initContainers: - name: opensearch-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.12.0 + image: ghcr.io/idaholab/malcolm/dirinit:23.12.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/04-dashboards.yml b/kubernetes/04-dashboards.yml index 4817da142..8481d5d6c 100644 --- a/kubernetes/04-dashboards.yml +++ b/kubernetes/04-dashboards.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: dashboards-container - image: ghcr.io/idaholab/malcolm/dashboards:23.12.0 + image: ghcr.io/idaholab/malcolm/dashboards:23.12.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/05-upload.yml b/kubernetes/05-upload.yml index c2152f0d9..44b281c0a 100644 --- a/kubernetes/05-upload.yml +++ b/kubernetes/05-upload.yml 
@@ -34,7 +34,7 @@ spec: spec: containers: - name: upload-container - image: ghcr.io/idaholab/malcolm/file-upload:23.12.0 + image: ghcr.io/idaholab/malcolm/file-upload:23.12.1 imagePullPolicy: Always stdin: false tty: true @@ -73,7 +73,7 @@ spec: subPath: "upload" initContainers: - name: upload-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.12.0 + image: ghcr.io/idaholab/malcolm/dirinit:23.12.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/06-pcap-monitor.yml b/kubernetes/06-pcap-monitor.yml index 9a2287e41..fb7a356c5 100644 --- a/kubernetes/06-pcap-monitor.yml +++ b/kubernetes/06-pcap-monitor.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: pcap-monitor-container - image: ghcr.io/idaholab/malcolm/pcap-monitor:23.12.0 + image: ghcr.io/idaholab/malcolm/pcap-monitor:23.12.1 imagePullPolicy: Always stdin: false tty: true @@ -70,7 +70,7 @@ spec: name: pcap-monitor-zeek-volume initContainers: - name: pcap-monitor-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.12.0 + image: ghcr.io/idaholab/malcolm/dirinit:23.12.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/07-arkime.yml b/kubernetes/07-arkime.yml index 863c46f73..70cdf1e56 100644 --- a/kubernetes/07-arkime.yml +++ b/kubernetes/07-arkime.yml @@ -30,15 +30,10 @@ spec: spec: containers: - name: arkime-container - image: ghcr.io/idaholab/malcolm/arkime:23.12.0 + image: ghcr.io/idaholab/malcolm/arkime:23.12.1 imagePullPolicy: Always stdin: false tty: true - securityContext: - capabilities: - add: - - IPC_LOCK - - SYS_RESOURCE ports: - name: http protocol: TCP @@ -56,6 +51,8 @@ spec: name: upload-common-env - configMapRef: name: arkime-env + - configMapRef: + name: arkime-offline-env - secretRef: name: arkime-secret-env env: 
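Review bot: The arkime container's `securityContext` is deleted outright along with the IPC_LOCK/SYS_RESOURCE grants, so it now runs with the container runtime's default capability bundle rather than an explicitly minimal one. Since those grants were evidently not needed, this is the moment to state the baseline instead of leaving it implicit: `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}`. The entrypoint may still rely on a few capabilities to create directories and switch to an unprivileged user (the init container's `PUSER_MKDIR` hints at a PUSER scheme), so any `drop: ALL` has to be verified against it and the required ones added back explicitly. The OpenSearch and Logstash manifests in this same commit keep their capability lists with an explanatory comment per entry, which is the pattern worth matching here.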
@@ -76,14 +73,13 @@ spec: name: arkime-var-local-catrust-volume - mountPath: /var/local/curlrc/secretmap name: arkime-opensearch-curlrc-secret-volume + - mountPath: "/opt/arkime/rules/configmap" + name: arkime-rules-volume - mountPath: "/data/pcap" name: arkime-pcap-volume - - name: arkime-runtime-logs-volume - mountPath: /opt/arkime/logs - subPath: "arkime" initContainers: - name: arkime-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.12.0 + image: ghcr.io/idaholab/malcolm/dirinit:23.12.1 imagePullPolicy: Always stdin: false tty: true @@ -92,12 +88,10 @@ spec: name: process-env env: - name: PUSER_MKDIR - value: "/data/pcap:processed;/data/runtime-logs:arkime" + value: "/data/pcap:processed" volumeMounts: - name: arkime-pcap-volume mountPath: "/data/pcap" - - name: arkime-runtime-logs-volume - mountPath: "/data/runtime-logs" volumes: - name: arkime-var-local-catrust-volume configMap: @@ -105,9 +99,9 @@ spec: - name: arkime-opensearch-curlrc-secret-volume secret: secretName: opensearch-curlrc + - name: arkime-rules-volume + configMap: + name: arkime-rules - name: arkime-pcap-volume persistentVolumeClaim: claimName: pcap-claim - - name: arkime-runtime-logs-volume - persistentVolumeClaim: - claimName: runtime-logs-claim \ No newline at end of file diff --git a/kubernetes/08-api.yml b/kubernetes/08-api.yml index c158439fc..34b6a62a3 100644 --- a/kubernetes/08-api.yml +++ b/kubernetes/08-api.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: api-container - image: ghcr.io/idaholab/malcolm/api:23.12.0 + image: ghcr.io/idaholab/malcolm/api:23.12.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/09-dashboards-helper.yml b/kubernetes/09-dashboards-helper.yml index a210c1b8d..35ecffa08 100644 --- a/kubernetes/09-dashboards-helper.yml +++ b/kubernetes/09-dashboards-helper.yml 
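Review bot: The new `configMapRef: name: arkime-offline-env` is not marked `optional`, so on a cluster where that ConfigMap has not been created yet the pod will sit in CreateContainerConfigError rather than start. If the ConfigMap is generated from a per-container env file by the deployment tooling (the naming suggests an `arkime-offline.env` alongside the existing `arkime.env`), confirm that tooling is updated in this same release; otherwise either add `optional: true` for a file that may legitimately be absent, or document the new prerequisite next to the reference, e.g. `# requires the arkime-offline-env ConfigMap to exist before the pod is scheduled`. The surrounding `envFrom` list continues outside the hunk, so there may be other references to keep in step.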
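Review bot: The rewritten `07-arkime.yml` now ends without a trailing newline (`\ No newline at end of file` on the last hunk), which yamllint's `new-line-at-end-of-file` rule flags and which produces noisy diffs the next time the last line changes. Adding the newline after `claimName: pcap-claim` keeps this manifest consistent with the others touched in this commit.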
@@ -30,7 +30,7 @@ spec: spec: containers: - name: dashboards-helper-container - image: ghcr.io/idaholab/malcolm/dashboards-helper:23.12.0 + image: ghcr.io/idaholab/malcolm/dashboards-helper:23.12.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/10-zeek.yml b/kubernetes/10-zeek.yml index 3e5c25046..60041dd52 100644 --- a/kubernetes/10-zeek.yml +++ b/kubernetes/10-zeek.yml @@ -16,18 +16,10 @@ spec: spec: containers: - name: zeek-offline-container - image: ghcr.io/idaholab/malcolm/zeek:23.12.0 + image: ghcr.io/idaholab/malcolm/zeek:23.12.1 imagePullPolicy: Always stdin: false tty: true - securityContext: - capabilities: - add: - - IPC_LOCK - - NET_ADMIN - - NET_RAW - - SYS_ADMIN - - SYS_RESOURCE envFrom: - configMapRef: name: process-env @@ -63,16 +55,16 @@ spec: - mountPath: "/zeek/upload" name: zeek-offline-zeek-volume subPath: "upload" - - mountPath: "/opt/zeek/share/zeek/site/custom" + - mountPath: "/opt/zeek/share/zeek/site/custom/configmap" name: zeek-offline-custom-volume - - mountPath: "/opt/zeek/share/zeek/site/intel-preseed" + - mountPath: "/opt/zeek/share/zeek/site/intel-preseed/configmap" name: zeek-offline-intel-preseed-volume - mountPath: "/opt/zeek/share/zeek/site/intel" name: zeek-offline-intel-volume subPath: "zeek/intel" initContainers: - name: zeek-offline-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.12.0 + image: ghcr.io/idaholab/malcolm/dirinit:23.12.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/11-suricata.yml b/kubernetes/11-suricata.yml index b7ed63050..41c126f2e 100644 --- a/kubernetes/11-suricata.yml +++ b/kubernetes/11-suricata.yml 
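Review bot: Removing NET_ADMIN, NET_RAW and SYS_ADMIN from the zeek-offline container is the right call for a pod whose inputs are files on the upload volume rather than a live interface, but nothing in the manifest now records why this container needs no capture capabilities, and the next person debugging a permissions error is likely to paste them back. A one-line comment where the block was, `# offline (PCAP-file) analysis only: no packet-capture capabilities are granted`, preserves the intent. As with the other containers, an explicit `allowPrivilegeEscalation: false` / `drop: ["ALL"]` baseline would be stronger still, provided the entrypoint's user-switching is checked first.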
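Review bot: Moving the ConfigMap mounts from `/opt/zeek/share/zeek/site/custom` to a `custom/configmap` subdirectory (and likewise for `intel-preseed`) changes where the files land; a ConfigMap volume mounted on a directory replaces that directory's contents, so presumably the aim is to stop shadowing whatever the image ships in `custom/`. That only works if the entrypoint or site scripts are also taught to load from the `configmap` subdirectory, which the manifest alone cannot show, so confirm the image-side change ships in the same release. A comment on the mount, `# mounted in a subdirectory so the image's own site/custom files are not hidden; the entrypoint is expected to pick files up from here`, would make that coupling visible to the next maintainer.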
@@ -16,18 +16,10 @@ spec: spec: containers: - name: suricata-offline-container - image: ghcr.io/idaholab/malcolm/suricata:23.12.0 + image: ghcr.io/idaholab/malcolm/suricata:23.12.1 imagePullPolicy: Always stdin: false tty: true - securityContext: - capabilities: - add: - - IPC_LOCK - - NET_ADMIN - - NET_RAW - - SYS_ADMIN - - SYS_RESOURCE envFrom: - configMapRef: name: process-env @@ -63,7 +55,7 @@ spec: name: suricata-offline-custom-configs-volume initContainers: - name: suricata-offline-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.12.0 + image: ghcr.io/idaholab/malcolm/dirinit:23.12.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/12-file-monitor.yml b/kubernetes/12-file-monitor.yml index a8e9afd94..8f8140a47 100644 --- a/kubernetes/12-file-monitor.yml +++ b/kubernetes/12-file-monitor.yml @@ -33,7 +33,7 @@ spec: spec: containers: - name: file-monitor-container - image: ghcr.io/idaholab/malcolm/file-monitor:23.12.0 + image: ghcr.io/idaholab/malcolm/file-monitor:23.12.1 imagePullPolicy: Always stdin: false tty: true @@ -81,7 +81,7 @@ spec: name: file-monitor-yara-rules-custom-volume initContainers: - name: file-monitor-live-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.12.0 + image: ghcr.io/idaholab/malcolm/dirinit:23.12.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/13-filebeat.yml b/kubernetes/13-filebeat.yml index c38697906..9681fbb7b 100644 --- a/kubernetes/13-filebeat.yml +++ b/kubernetes/13-filebeat.yml @@ -33,7 +33,7 @@ spec: spec: containers: - name: filebeat-container - image: ghcr.io/idaholab/malcolm/filebeat-oss:23.12.0 + image: ghcr.io/idaholab/malcolm/filebeat-oss:23.12.1 imagePullPolicy: Always stdin: false tty: true @@ -83,7 +83,7 @@ spec: subPath: "nginx" initContainers: - name: filebeat-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.12.0 + image: ghcr.io/idaholab/malcolm/dirinit:23.12.1 imagePullPolicy: Always stdin: false tty: true 
diff --git a/kubernetes/14-logstash.yml b/kubernetes/14-logstash.yml index 4b2d03bb7..6f6ee2b2a 100644 --- a/kubernetes/14-logstash.yml +++ b/kubernetes/14-logstash.yml @@ -49,14 +49,16 @@ spec: # topologyKey: "kubernetes.io/hostname" containers: - name: logstash-container - image: ghcr.io/idaholab/malcolm/logstash-oss:23.12.0 + image: ghcr.io/idaholab/malcolm/logstash-oss:23.12.1 imagePullPolicy: Always stdin: false tty: true securityContext: capabilities: add: + # IPC_LOCK - to lock memory, preventing swapping - IPC_LOCK + # SYS_RESOURCE - for increasing memlock limits - SYS_RESOURCE ports: - name: lumberjack @@ -113,7 +115,7 @@ spec: subPath: "logstash" initContainers: - name: logstash-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.12.0 + image: ghcr.io/idaholab/malcolm/dirinit:23.12.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/15-netbox-redis.yml b/kubernetes/15-netbox-redis.yml index 6fc358ecc..6062e0098 100644 --- a/kubernetes/15-netbox-redis.yml +++ b/kubernetes/15-netbox-redis.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: netbox-redis-container - image: ghcr.io/idaholab/malcolm/redis:23.12.0 + image: ghcr.io/idaholab/malcolm/redis:23.12.1 imagePullPolicy: Always stdin: false tty: true @@ -83,7 +83,7 @@ spec: subPath: netbox/redis initContainers: - name: netbox-redis-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.12.0 + image: ghcr.io/idaholab/malcolm/dirinit:23.12.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/16-netbox-redis-cache.yml b/kubernetes/16-netbox-redis-cache.yml index d8c7dc2f5..091e49ada 100644 --- a/kubernetes/16-netbox-redis-cache.yml +++ b/kubernetes/16-netbox-redis-cache.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: netbox-redis-cache-container - image: ghcr.io/idaholab/malcolm/redis:23.12.0 + image: ghcr.io/idaholab/malcolm/redis:23.12.1 imagePullPolicy: Always stdin: false tty: true 
diff --git a/kubernetes/17-netbox-postgres.yml b/kubernetes/17-netbox-postgres.yml index 8bd333ede..2d04687ba 100644 --- a/kubernetes/17-netbox-postgres.yml +++ b/kubernetes/17-netbox-postgres.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: netbox-postgres-container - image: ghcr.io/idaholab/malcolm/postgresql:23.12.0 + image: ghcr.io/idaholab/malcolm/postgresql:23.12.1 imagePullPolicy: Always stdin: false tty: true @@ -74,7 +74,7 @@ spec: subPath: netbox/postgres initContainers: - name: netbox-postgres-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.12.0 + image: ghcr.io/idaholab/malcolm/dirinit:23.12.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/18-netbox.yml b/kubernetes/18-netbox.yml index 8ca9d1fde..83f9db69b 100644 --- a/kubernetes/18-netbox.yml +++ b/kubernetes/18-netbox.yml @@ -36,7 +36,7 @@ spec: spec: containers: - name: netbox-container - image: ghcr.io/idaholab/malcolm/netbox:23.12.0 + image: ghcr.io/idaholab/malcolm/netbox:23.12.1 imagePullPolicy: Always stdin: false tty: true @@ -88,7 +88,7 @@ spec: subPath: netbox/media initContainers: - name: netbox-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.12.0 + image: ghcr.io/idaholab/malcolm/dirinit:23.12.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/19-htadmin.yml b/kubernetes/19-htadmin.yml index d402c9e1b..c4a9b3ebb 100644 --- a/kubernetes/19-htadmin.yml +++ b/kubernetes/19-htadmin.yml @@ -30,7 +30,7 @@ spec: spec: containers: - name: htadmin-container - image: ghcr.io/idaholab/malcolm/htadmin:23.12.0 + image: ghcr.io/idaholab/malcolm/htadmin:23.12.1 imagePullPolicy: Always stdin: false tty: true @@ -63,7 +63,7 @@ spec: subPath: "htadmin" initContainers: - name: htadmin-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.12.0 + image: ghcr.io/idaholab/malcolm/dirinit:23.12.1 imagePullPolicy: Always stdin: false tty: true 
diff --git a/kubernetes/20-pcap-capture.yml b/kubernetes/20-pcap-capture.yml index d82fd6274..66014d9c8 100644 --- a/kubernetes/20-pcap-capture.yml +++ b/kubernetes/20-pcap-capture.yml @@ -16,18 +16,22 @@ spec: spec: containers: - name: pcap-capture-container - image: ghcr.io/idaholab/malcolm/pcap-capture:23.12.0 + image: ghcr.io/idaholab/malcolm/pcap-capture:23.12.1 imagePullPolicy: Always stdin: false tty: true securityContext: capabilities: add: + # IPC_LOCK required for some of the memory optimizations netsniff-ng does - IPC_LOCK + # SYS_RESOURCE - for increasing memlock limits + - SYS_RESOURCE + # SYS_ADMIN - for netsniff-ng to set the disc I/O scheduler policy + - SYS_ADMIN + # NET_ADMIN and NET_RAW - to turn on promiscuous mode and capture raw packets - NET_ADMIN - NET_RAW - - SYS_ADMIN - - SYS_RESOURCE envFrom: - configMapRef: name: process-env @@ -46,7 +50,7 @@ spec: subPath: "upload" initContainers: - name: pcap-capture-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.12.0 + image: ghcr.io/idaholab/malcolm/dirinit:23.12.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/21-zeek-live.yml b/kubernetes/21-zeek-live.yml index 725a21b10..c63a9acb8 100644 --- a/kubernetes/21-zeek-live.yml +++ b/kubernetes/21-zeek-live.yml @@ -16,18 +16,18 @@ spec: spec: containers: - name: zeek-live-container - image: ghcr.io/idaholab/malcolm/zeek:23.12.0 + image: ghcr.io/idaholab/malcolm/zeek:23.12.1 imagePullPolicy: Always stdin: false tty: true securityContext: capabilities: add: - - IPC_LOCK + # NET_ADMIN and NET_RAW - to turn on promiscuous mode and capture raw packets - NET_ADMIN - NET_RAW - - SYS_ADMIN - - SYS_RESOURCE + # SYS_NICE - to set process nice values, real-time scheduling policies, I/O scheduling + - SYS_NICE envFrom: - configMapRef: name: process-env 
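Review bot: pcap-capture-container is the only live-capture container in this commit that keeps SYS_ADMIN; 21-zeek-live.yml, 22-suricata-live.yml and 23-arkime-live.yml replace it with SYS_NICE, and the new comment justifies it only as letting netsniff-ng set the disk I/O scheduler policy. SYS_ADMIN is close to root-equivalent inside the container, so one scheduler-policy call is a thin reason to keep it; it is worth testing whether SYS_NICE satisfies netsniff-ng the way the sibling manifests suggest it does for zeek, suricata and arkime. If it does not, record that in the comment so the question is not re-opened at the next review, e.g. `# SYS_ADMIN - netsniff-ng needs it to set the disk I/O scheduler policy; SYS_NICE alone was tried and is not sufficient`. The `securityContext` block sits inside a pod spec that starts outside the hunk.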
@@ -43,9 +43,6 @@ spec: name: zeek-live-env - configMapRef: name: pcap-capture-env - env: - - name: ZEEK_DISABLED - value: "true" volumeMounts: - mountPath: /var/local/ca-trust/configmap name: zeek-live-var-local-catrust-volume @@ -55,16 +52,16 @@ spec: - mountPath: "/zeek/upload" name: zeek-live-zeek-volume subPath: "upload" - - mountPath: "/opt/zeek/share/zeek/site/custom" + - mountPath: "/opt/zeek/share/zeek/site/custom/configmap" name: zeek-live-custom-volume - - mountPath: "/opt/zeek/share/zeek/site/intel-preseed" + - mountPath: "/opt/zeek/share/zeek/site/intel-preseed/configmap" name: zeek-live-intel-preseed-volume - mountPath: "/opt/zeek/share/zeek/site/intel" name: zeek-live-intel-volume subPath: "zeek/intel" initContainers: - name: zeek-live-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.12.0 + image: ghcr.io/idaholab/malcolm/dirinit:23.12.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/22-suricata-live.yml b/kubernetes/22-suricata-live.yml index 19e5763c8..1b373130f 100644 --- a/kubernetes/22-suricata-live.yml +++ b/kubernetes/22-suricata-live.yml @@ -16,18 +16,22 @@ spec: spec: containers: - name: suricata-live-container - image: ghcr.io/idaholab/malcolm/suricata:23.12.0 + image: ghcr.io/idaholab/malcolm/suricata:23.12.1 imagePullPolicy: Always stdin: false tty: true securityContext: capabilities: add: + # IPC_LOCK - to lock memory, preventing swapping - IPC_LOCK + # SYS_RESOURCE - for increasing memlock limits + - SYS_RESOURCE + # NET_ADMIN and NET_RAW - to turn on promiscuous mode and capture raw packets - NET_ADMIN - NET_RAW - - SYS_ADMIN - - SYS_RESOURCE + # SYS_NICE - to set process nice values, real-time scheduling policies, I/O scheduling + - SYS_NICE envFrom: - configMapRef: name: process-env 
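Review bot: The hard-coded `ZEEK_DISABLED: "true"` override is gone, so the manifest itself no longer forces live capture off for zeek-live-container; whether it runs is now decided entirely by the `zeek-live-env` and `pcap-capture-env` configMaps referenced just above, whose contents are not in this diff. 22-suricata-live.yml drops `SURICATA_DISABLED` the same way. Before merging, confirm those configMaps carry an explicit default for both variables so an upgraded cluster does not start capturing on host interfaces merely because a key was left unset, and once the location is confirmed a comment where the `env:` block was, such as `# ZEEK_DISABLED is provided by the zeek-live-env configMap`, would spare the next reader the search. The container definition continues outside the hunk on both sides.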
@@ -41,9 +45,6 @@ spec: name: suricata-live-env - configMapRef: name: pcap-capture-env - env: - - name: SURICATA_DISABLED - value: "true" volumeMounts: - mountPath: /var/local/ca-trust/configmap name: suricata-live-var-local-catrust-volume @@ -55,7 +56,7 @@ spec: name: suricata-live-custom-configs-volume initContainers: - name: suricata-live-dirinit-container - image: ghcr.io/idaholab/malcolm/dirinit:23.12.0 + image: ghcr.io/idaholab/malcolm/dirinit:23.12.1 imagePullPolicy: Always stdin: false tty: true diff --git a/kubernetes/23-arkime-live.yml b/kubernetes/23-arkime-live.yml new file mode 100644 index 000000000..41f508378 --- /dev/null +++ b/kubernetes/23-arkime-live.yml 
@@ -0,0 +1,90 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: arkime-live-deployment
+ namespace: malcolm
+spec:
+ selector:
+ matchLabels:
+ name: arkime-live-deployment
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ name: arkime-live-deployment
+ spec:
+ containers:
+ - name: arkime-live-container
+ image: ghcr.io/idaholab/malcolm/arkime:23.12.1
+ imagePullPolicy: Always
+ stdin: false
+ tty: true
+ securityContext:
+ capabilities:
+ add:
+ # IPC_LOCK - to lock memory, preventing swapping
+ - IPC_LOCK
+ # SYS_RESOURCE - for increasing memlock limits
+ - SYS_RESOURCE
+ # NET_ADMIN and NET_RAW - to turn on promiscuous mode and capture raw packets
+ - NET_ADMIN
+ - NET_RAW
+ # SYS_NICE - to set process nice values, real-time scheduling policies, I/O scheduling
+ - SYS_NICE
+ envFrom:
+ - configMapRef:
+ name: process-env
+ - configMapRef:
+ name: ssl-env
+ - configMapRef:
+ name: opensearch-env
+ - secretRef:
+ name: auth-env
+ - configMapRef:
+ name: upload-common-env
+ - configMapRef:
+ name: pcap-capture-env
+ - configMapRef:
+ name: arkime-env
+ - configMapRef:
+ name: arkime-live-env
+ - secretRef:
+ name: arkime-secret-env
+ volumeMounts:
+ - mountPath: /var/local/ca-trust/configmap
+ name: arkime-live-var-local-catrust-volume
+ - mountPath: /var/local/curlrc/secretmap
+ name: arkime-live-opensearch-curlrc-secret-volume
+ - mountPath: "/opt/arkime/rules/configmap"
+ name: arkime-live-rules-volume
+ - mountPath: "/data/pcap"
+ name: arkime-live-pcap-volume
+ initContainers:
+ - name: arkime-live-dirinit-container
+ image: ghcr.io/idaholab/malcolm/dirinit:23.12.1
+ imagePullPolicy: Always
+ stdin: false
+ tty: true
+ envFrom:
+ - configMapRef:
+ name: process-env
+ env:
+ - name: PUSER_MKDIR
+ value: "/data/pcap:arkime-live"
+ volumeMounts:
+ - name: arkime-live-pcap-volume
+ mountPath: "/data/pcap"
+ volumes:
+ - name: arkime-live-var-local-catrust-volume
+ configMap:
+ name: var-local-catrust
+ - name: 
arkime-live-opensearch-curlrc-secret-volume
+ secret:
+ secretName: opensearch-curlrc
+ - name: arkime-live-rules-volume
+ configMap:
+ name: arkime-rules
+ - name: arkime-live-pcap-volume
+ persistentVolumeClaim:
+ claimName: pcap-claim
diff --git a/kubernetes/23-freq.yml b/kubernetes/24-freq.yml
similarity index 96%
rename from kubernetes/23-freq.yml
rename to kubernetes/24-freq.yml
index 5173b8d2a..32e834237 100644
--- a/kubernetes/23-freq.yml
+++ b/kubernetes/24-freq.yml
@@ -30,7 +30,7 @@ spec: spec: containers: - name: freq-container
- image: ghcr.io/idaholab/malcolm/freq:23.12.0
+ image: ghcr.io/idaholab/malcolm/freq:23.12.1
 imagePullPolicy: Always stdin: false tty: true
diff --git a/kubernetes/98-nginx-proxy.yml b/kubernetes/98-nginx-proxy.yml
index 1f293bd64..c8e208b56 100644
--- a/kubernetes/98-nginx-proxy.yml
+++ b/kubernetes/98-nginx-proxy.yml
@@ -39,7 +39,7 @@ spec: spec: containers: - name: nginx-proxy-container
- image: ghcr.io/idaholab/malcolm/nginx-proxy:23.12.0
+ image: ghcr.io/idaholab/malcolm/nginx-proxy:23.12.1
 imagePullPolicy: Always stdin: false tty: true
@@ -95,7 +95,7 @@ spec: subPath: "nginx" initContainers: - name: nginx-dirinit-container
- image: ghcr.io/idaholab/malcolm/dirinit:23.12.0
+ image: ghcr.io/idaholab/malcolm/dirinit:23.12.1
 imagePullPolicy: Always stdin: false tty: true
diff --git a/logstash/pipelines/beats/11_beats_logs.conf b/logstash/pipelines/beats/11_beats_logs.conf
index e4cd573f9..e991be9f8 100644
--- a/logstash/pipelines/beats/11_beats_logs.conf
+++ b/logstash/pipelines/beats/11_beats_logs.conf
@@ -2,7 +2,7 @@ # Malcolm and Hedgehog Linux itself (i.e., not captured # network traffic metadata, but operational metadata) #
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 ####################### filter {
@@ -545,6 +545,101 @@ filter { } # if ([miscbeat][syslog])
+ if ([miscbeat][systemd]) {
+ #-------------------------------------------------
+ # systemd - https://docs.fluentbit.io/manual/pipeline/inputs/systemd
+ # see also - https://www.freedesktop.org/software/systemd/man/latest/systemd.journal-fields.html
+
+ if ([miscbeat][systemd][source_realtime_timestamp]) {
+ # microseconds to milliseconds
+ ruby {
+ id => "ruby_miscbeat_systemd_source_realtime_timestamp_calc"
+ code => "
+ event.set('[miscbeat][systemd][source_realtime_timestamp]',
+ (event.get('[miscbeat][systemd][source_realtime_timestamp]').to_i / 1000))
+ "
+ }
+ # milliseconds to date
+ date {
+ id => "date_beats_miscbeat_systemd_source_realtime_timestamp"
+ match => [ "[miscbeat][systemd][source_realtime_timestamp]", "UNIX_MS" ]
+ target => "[miscbeat][systemd][source_realtime_timestamp]"
+ }
+ }
+
+ # rename fields according to ECS
+ # https://www.elastic.co/guide/en/ecs/current/ecs-process.html
+ # https://www.elastic.co/guide/en/ecs/current/ecs-log.html
+ mutate { id => "mutate_rename_miscbeat_systemd_log_fields"
+ # todo: translate this to CAP_BPF, CAP_SYS_ADMIN, etc.
+ rename => { "[miscbeat][systemd][cap_effective]" => "[process][thread][capabilities][effective]" }
+ rename => { "[miscbeat][systemd][cmdline]" => "[process][command_line]" }
+ rename => { "[miscbeat][systemd][code_file]" => "[log][origin][file][name]" }
+ rename => { "[miscbeat][systemd][code_func]" => "[log][origin][function]" }
+ rename => { "[miscbeat][systemd][code_line]" => "[log][origin][file][line]" }
+ rename => { "[miscbeat][systemd][comm]" => "[process][name]" }
+ rename => { "[miscbeat][systemd][exe]" => "[process][executable]" }
+ rename => { "[miscbeat][systemd][gid]" => "[process][group_leader][pid]" }
+ rename => { "[miscbeat][systemd][pid]" => "[process][pid]" }
+ rename => { "[miscbeat][systemd][syslog_facility]" => "[log][syslog][facility][code]" }
+ rename => { "[miscbeat][systemd][syslog_identifier]" => "[log][syslog][appname]" }
+ rename => { "[miscbeat][systemd][syslog_pid]" => "[log][syslog][procid]" }
+ rename => { "[miscbeat][systemd][systemd_owner_uid]" => "[process][real_user][id]" }
+ rename => { "[miscbeat][systemd][tid]" => "[process][thread][id]" }
+ rename => { "[miscbeat][systemd][uid]" => "[process][user][id]" }
+ rename => { "[miscbeat][systemd][transport]" => "[log][logger]" }
+ }
+ if ([log][syslog][facility][code]) {
+ translate {
+ id => "translate_sensor_systemd_syslog_facility_code"
+ source => "[log][syslog][facility][code]"
+ target => "[log][syslog][facility][name]"
+ dictionary_path => "/etc/syslog_facility_codes.yaml"
+ }
+ }
+
+ # store raw message text as event.original
+ if ([miscbeat][systemd][syslog_raw]) {
+ mutate { id => "mutate_rename_miscbeat_systemd_syslog_raw"
+ rename => { "[miscbeat][systemd][syslog_raw]" => "[event][original]" } }
+ } else if ([miscbeat][systemd][message]) {
+ mutate { id => "mutate_rename_miscbeat_systemd_message"
+ rename => { "[miscbeat][systemd][message]" => "[event][original]" } }
+ }
+
+ #
+ if ([miscbeat][systemd][errno]) {
+ mutate { id => "mutate_rename_miscbeat_systemd_errno"
+ rename => { "[miscbeat][systemd][errno]" => "[event][result]" } }
+ }
+
+ if (![event][hash]) {
+ fingerprint {
+ id => "fingerprint_malcolm_miscbeat_systemd"
+ source => [ "[host][name]",
+ "[event][module]",
+ "[process][pid]",
+ "[process][user][id]",
+ "[process][thread][id]",
+ "[process][group_leader][pid]",
+ "[miscbeat][systemd][unit]",
+ "[miscbeat][systemd][comm]",
+ "[miscbeat][systemd][exe]",
+ "[miscbeat][systemd][cmdline]",
+ "[miscbeat][systemd][machine_id]",
+ "[event][original]",
+ "[miscbeat][systemd][message_id]",
+ "[@timestamp]" ]
+ concatenate_sources => true
+ # uses event.hash
+ ecs_compatibility => "v8"
+ method => "MURMUR3_128"
+ base64encode => true
+ }
+ }
+
+ } # if ([miscbeat][systemd])
+
 if ([miscbeat][thermal]) { #------------------------------------------------- # thermal - https://docs.fluentbit.io/manual/pipeline/inputs/thermal
diff --git a/logstash/pipelines/enrichment/20_enriched_to_ecs.conf b/logstash/pipelines/enrichment/20_enriched_to_ecs.conf
index 24552d683..5a46456a6 100644
--- a/logstash/pipelines/enrichment/20_enriched_to_ecs.conf
+++ b/logstash/pipelines/enrichment/20_enriched_to_ecs.conf
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 filter {
diff --git a/logstash/pipelines/enrichment/23_severity.conf b/logstash/pipelines/enrichment/23_severity.conf
index 2f794df35..6f8506c32 100644
--- a/logstash/pipelines/enrichment/23_severity.conf
+++ b/logstash/pipelines/enrichment/23_severity.conf
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 filter {
diff --git a/logstash/pipelines/enrichment/96_make_unique.conf b/logstash/pipelines/enrichment/96_make_unique.conf
index 22848bd4c..913f54514 100644
--- a/logstash/pipelines/enrichment/96_make_unique.conf
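Review bot: `[miscbeat][systemd][gid]` is renamed to `[process][group_leader][pid]`, but in ECS that field is the PID of the process-group leader, whereas the journal's gid field (the lowercased `_GID`) is the numeric group of the logging process; the ECS counterpart is `[process][group][id]`, matching how `uid` is mapped to `[process][user][id]` further down the same mutate. The fix is `rename => { "[miscbeat][systemd][gid]" => "[process][group][id]" }` plus changing the corresponding entry in the fingerprint `source` list to `"[process][group][id]"` so the event hash keeps covering that value. The `filter { }` block enclosing this hunk begins and ends outside it.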
+++ b/logstash/pipelines/enrichment/96_make_unique.conf @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # take array fields that are already generic (i.e., ECS or Arkime) and deduplicate them. # there is also a little bit of light normalization that happens here diff --git a/logstash/pipelines/enrichment/97_arkimize.conf b/logstash/pipelines/enrichment/97_arkimize.conf index e5a88aa8c..384f9a455 100644 --- a/logstash/pipelines/enrichment/97_arkimize.conf +++ b/logstash/pipelines/enrichment/97_arkimize.conf @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # take fields that are already generic (i.e., ECS or whatever) and copy them # to their Arkime equivalents if applicable diff --git a/logstash/pipelines/enrichment/98_finalize.conf b/logstash/pipelines/enrichment/98_finalize.conf index d9a64f309..f292b9202 100644 --- a/logstash/pipelines/enrichment/98_finalize.conf +++ b/logstash/pipelines/enrichment/98_finalize.conf @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # final adjustments before forwarding diff --git a/logstash/pipelines/suricata/19_severity.conf b/logstash/pipelines/suricata/19_severity.conf index 5c3043642..19d8db1eb 100644 --- a/logstash/pipelines/suricata/19_severity.conf +++ b/logstash/pipelines/suricata/19_severity.conf @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. filter { diff --git a/logstash/pipelines/zeek/10_zeek_prep.conf b/logstash/pipelines/zeek/10_zeek_prep.conf index 48c5a2d1e..6e0785a35 100644 --- a/logstash/pipelines/zeek/10_zeek_prep.conf 
+++ b/logstash/pipelines/zeek/10_zeek_prep.conf @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. filter { diff --git a/logstash/pipelines/zeek/11_zeek_parse.conf b/logstash/pipelines/zeek/11_zeek_parse.conf index f6809839d..249450c3d 100644 --- a/logstash/pipelines/zeek/11_zeek_parse.conf +++ b/logstash/pipelines/zeek/11_zeek_parse.conf @@ -10,7 +10,7 @@ # - get filters where in != out # $ docker compose exec logstash curl -XGET http://localhost:9600/_node/stats/pipelines | jq -r '.. | .filters? // empty | .[] | objects | select (.events.in != .events.out) | [.id, .events.in, .events.out, .events.duration_in_millis] | join (";")' # -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. ####################### filter { diff --git a/logstash/pipelines/zeek/12_zeek_mutate.conf b/logstash/pipelines/zeek/12_zeek_mutate.conf index 83ed11143..9eebdebc8 100644 --- a/logstash/pipelines/zeek/12_zeek_mutate.conf +++ b/logstash/pipelines/zeek/12_zeek_mutate.conf @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. filter { diff --git a/logstash/pipelines/zeek/13_zeek_normalize.conf b/logstash/pipelines/zeek/13_zeek_normalize.conf index c4e74423b..48d97d88d 100644 --- a/logstash/pipelines/zeek/13_zeek_normalize.conf +++ b/logstash/pipelines/zeek/13_zeek_normalize.conf @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. filter { diff --git a/logstash/pipelines/zeek/14_zeek_convert.conf b/logstash/pipelines/zeek/14_zeek_convert.conf index 51e9b2dfb..3103b0d62 100644 --- a/logstash/pipelines/zeek/14_zeek_convert.conf 
+++ b/logstash/pipelines/zeek/14_zeek_convert.conf @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. filter { diff --git a/logstash/pipelines/zeek/19_severity.conf b/logstash/pipelines/zeek/19_severity.conf index 5851cf21e..aedf410ae 100644 --- a/logstash/pipelines/zeek/19_severity.conf +++ b/logstash/pipelines/zeek/19_severity.conf @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. filter { diff --git a/logstash/scripts/logstash-start.sh b/logstash/scripts/logstash-start.sh index be558a9d8..35df19c66 100755 --- a/logstash/scripts/logstash-start.sh +++ b/logstash/scripts/logstash-start.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. set -e diff --git a/logstash/supervisord.conf b/logstash/supervisord.conf index f9734ba3f..a9b91b0bf 100644 --- a/logstash/supervisord.conf +++ b/logstash/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. [inet_http_server] port=0.0.0.0:9001 diff --git a/malcolm-iso/Dockerfile b/malcolm-iso/Dockerfile index e6bde3829..7b8029fd9 100644 --- a/malcolm-iso/Dockerfile +++ b/malcolm-iso/Dockerfile @@ -1,6 +1,6 @@ FROM ghcr.io/mmguero/qemu-live-iso:latest -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' diff --git a/malcolm-iso/build.sh b/malcolm-iso/build.sh index d505fd4a3..16080b1b0 100755 --- a/malcolm-iso/build.sh +++ b/malcolm-iso/build.sh 
@@ -92,8 +92,7 @@ if [ -d "$WORKDIR" ]; then # grab things from the Malcolm parent directory into /etc/skel so the user's got it set up in their home/Malcolm dir pushd "$SCRIPT_PATH/.." >/dev/null 2>&1 MALCOLM_DEST_DIR="$WORKDIR/work/$IMAGE_NAME-Live-Build/config/includes.chroot/etc/skel/Malcolm" - mkdir -p "$MALCOLM_DEST_DIR/arkime-logs/" - mkdir -p "$MALCOLM_DEST_DIR/arkime-raw/" + mkdir -p "$MALCOLM_DEST_DIR/arkime/rules/" mkdir -p "$MALCOLM_DEST_DIR/config/" mkdir -p "$MALCOLM_DEST_DIR/filebeat/certs/" mkdir -p "$MALCOLM_DEST_DIR/htadmin/" @@ -108,6 +107,7 @@ if [ -d "$WORKDIR" ]; then mkdir -p "$MALCOLM_DEST_DIR/kubernetes/" mkdir -p "$MALCOLM_DEST_DIR/opensearch-backup/" mkdir -p "$MALCOLM_DEST_DIR/opensearch/nodes/" + mkdir -p "$MALCOLM_DEST_DIR/pcap/arkime-live/" mkdir -p "$MALCOLM_DEST_DIR/pcap/processed/" mkdir -p "$MALCOLM_DEST_DIR/pcap/upload/tmp/spool/" mkdir -p "$MALCOLM_DEST_DIR/pcap/upload/variants/" @@ -147,6 +147,7 @@ if [ -d "$WORKDIR" ]; then cp ./scripts/malcolm_utils.py "$MALCOLM_DEST_DIR/scripts/" cp ./kubernetes/*.* "$MALCOLM_DEST_DIR/kubernetes/" grep -v "^#" ./kubernetes/.gitignore | xargs -r -I XXX rm -f "$MALCOLM_DEST_DIR/kubernetes/XXX" + cp ./arkime/rules/*.yml "$MALCOLM_DEST_DIR/arkime/rules/" cp ./logstash/certs/*.conf "$MALCOLM_DEST_DIR/logstash/certs/" cp ./logstash/maps/malcolm_severity.yaml "$MALCOLM_DEST_DIR/logstash/maps/" cp -r ./netbox/config/ "$MALCOLM_DEST_DIR/netbox/" diff --git a/malcolm-iso/config/hooks/normal/0168-firefox-install.hook.chroot b/malcolm-iso/config/hooks/normal/0168-firefox-install.hook.chroot index 18c4941ab..98b7a4782 100755 --- a/malcolm-iso/config/hooks/normal/0168-firefox-install.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0168-firefox-install.hook.chroot @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. export LC_ALL=C.UTF-8 export LANG=C.UTF-8 
diff --git a/malcolm-iso/config/hooks/normal/0911-get-stig-scripts.hook.chroot b/malcolm-iso/config/hooks/normal/0911-get-stig-scripts.hook.chroot index 32dceebc4..4ba6b95fb 100755 --- a/malcolm-iso/config/hooks/normal/0911-get-stig-scripts.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0911-get-stig-scripts.hook.chroot @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # clone harbian-audit and clean up some stuff we don't need mkdir -p /opt diff --git a/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot b/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot index 9d160f065..9c0131952 100755 --- a/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot +++ b/malcolm-iso/config/hooks/normal/0991-security-performance.hook.chroot @@ -31,6 +31,7 @@ UFW_ALLOW_RULES=( for i in ${UFW_ALLOW_RULES[@]}; do ufw allow "$i" done +ufw allow proto tcp from 172.29.0.0/16 to any port 8005 # docker (disallow overriding firewall) mkdir -p /etc/docker/ @@ -121,14 +122,6 @@ echo "umask 077" >> /etc/profile echo "export UMASK=077" >> /etc/profile echo "export PYTHONDONTWRITEBYTECODE=1" >> /etc/profile -# enable cron logging -sed -r -i "s@^#(cron\.\*\s+.*/var/log/cron\.log)@\1@" /etc/rsyslog.conf - -# enable rsyslog forwarding to localhost:9514 over UDP (for filebeat syslog input) -echo >> /etc/rsyslog.conf -echo '*.* @127.0.0.1:9514' >> /etc/rsyslog.conf -echo >> /etc/rsyslog.conf - # put sudoers log into its own logfile awk 'FNR==NR{ if (/^Defaults/) p=NR; next} 1; FNR==p{ print "Defaults\t!syslog\nDefaults\tlogfile=/var/log/sudo.log" }' /etc/sudoers /etc/sudoers > /tmp/newsudoers mv /tmp/newsudoers /etc/sudoers && chmod 440 /etc/sudoers diff --git a/malcolm-iso/config/includes.binary/install/preseed_base.cfg b/malcolm-iso/config/includes.binary/install/preseed_base.cfg index 1d18bfce4..f25b47593 100644 
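Review bot: The new `ufw allow proto tcp from 172.29.0.0/16 to any port 8005` sits outside the `UFW_ALLOW_RULES` loop it follows and carries no explanation of what listens on 8005 or why the source is the hard-coded 172.29.0.0/16 (presumably the Malcolm Docker network, whose address pool is configured elsewhere). A rule keyed on source address alone also matches traffic arriving on any interface with that source, so it is worth both documenting it and, if the intent is container-only access, qualifying it with ufw's `in on <docker bridge interface>` form. A comment such as `# <service> on tcp/8005 must be reachable from containers on the Malcolm docker network (172.29.0.0/16, see <where the pool is configured>)` would make the exception reviewable and keep a later change to the Docker pool from leaving this rule silently unmatched. The `for` loop above the added line starts outside the hunk.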
--- a/malcolm-iso/config/includes.binary/install/preseed_base.cfg +++ b/malcolm-iso/config/includes.binary/install/preseed_base.cfg @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. d-i hw-detect/load_firmware boolean true d-i clock-setup/utc boolean true diff --git a/malcolm-iso/config/includes.binary/install/preseed_multipar.cfg b/malcolm-iso/config/includes.binary/install/preseed_multipar.cfg index 43624ac41..96d68233c 100644 --- a/malcolm-iso/config/includes.binary/install/preseed_multipar.cfg +++ b/malcolm-iso/config/includes.binary/install/preseed_multipar.cfg @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. d-i debian-installer/locale string en_US.UTF-8 d-i console-setup/ask_detect boolean false diff --git a/malcolm-iso/config/includes.binary/install/preseed_vmware.cfg b/malcolm-iso/config/includes.binary/install/preseed_vmware.cfg index 7d433121d..792d0c7a6 100644 --- a/malcolm-iso/config/includes.binary/install/preseed_vmware.cfg +++ b/malcolm-iso/config/includes.binary/install/preseed_vmware.cfg @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. d-i debian-installer/locale string en_US.UTF-8 d-i console-setup/ask_detect boolean false diff --git a/malcolm-iso/config/includes.chroot/etc/skel/.config/systemd/user/systemd-localhost-malcolm.service b/malcolm-iso/config/includes.chroot/etc/skel/.config/systemd/user/systemd-localhost-malcolm.service new file mode 100644 index 000000000..ed79496b0 --- /dev/null +++ b/malcolm-iso/config/includes.chroot/etc/skel/.config/systemd/user/systemd-localhost-malcolm.service 
@@ -0,0 +1,12 @@
+[Unit]
+AssertPathExists=%h/Malcolm/filebeat/certs/client.key
+After=network.target
+
+[Service]
+ExecStart=/opt/fluent-bit/bin/fluent-bit -R /etc/fluent-bit/parsers.conf -i systemd -p Read_From_Tail=On -p Lowercase=On -p Strip_Underscores=On -o tcp://localhost:5045 -p tls=on -p tls.verify=off -p tls.ca_file=%h/Malcolm/filebeat/certs/ca.crt -p tls.crt_file=%h/Malcolm/filebeat/certs/client.crt -p tls.key_file=%h/Malcolm/filebeat/certs/client.key -p format=json_lines -F nest -p Operation=nest -p Nested_under=systemd -p WildCard='*' -m '*' -F record_modifier -p 'Record=module systemd' -m '*' -F modify -p 'Add=host.name %H' -m '*' -F nest -p 'Operation=nest' -p 'Wildcard=host.*' -p 'Nest_under=host' -p 'Remove_prefix=host.' -m '*' -f 1
+Restart=on-failure
+PrivateTmp=false
+NoNewPrivileges=false
+
+[Install]
+WantedBy=default.target
diff --git a/malcolm-iso/vagrant/Vagrantfile b/malcolm-iso/vagrant/Vagrantfile
index 0558db616..ecc7852a2 100644
--- a/malcolm-iso/vagrant/Vagrantfile
+++ b/malcolm-iso/vagrant/Vagrantfile
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 unless Vagrant.has_plugin?("vagrant-sshfs") raise 'vagrant-sshfs plugin is not installed!'
diff --git a/netbox/scripts/netbox_init.py b/netbox/scripts/netbox_init.py
index ac93af265..874776681 100755
--- a/netbox/scripts/netbox_init.py
+++ b/netbox/scripts/netbox_init.py
@@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*-
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 import argparse import glob
diff --git a/netbox/scripts/netbox_library_import.py b/netbox/scripts/netbox_library_import.py
index 034ec0306..fa514c738 100644
--- a/netbox/scripts/netbox_library_import.py
+++ b/netbox/scripts/netbox_library_import.py
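Review bot: The `ExecStart` line combines `-p tls.verify=off` with `-p tls.ca_file=%h/Malcolm/filebeat/certs/ca.crt`, so the CA is loaded but the certificate presented by localhost:5045 is never validated against it; only the client half of the mutual TLS (client.crt/client.key) is actually enforced. Since the unit already asserts the client key is present and has the CA file at hand, switching to `-p tls.verify=on` closes that gap, provided the filebeat listener's certificate covers the name `localhost` (or the `-o` target is changed to a name it does cover) — which cannot be confirmed from this diff, so test before flipping it. `PrivateTmp=false` and `NoNewPrivileges=false` are already the defaults for a service unit, so spelling them out reads as a deliberate choice; a one-line comment on why they are here (or dropping the two lines) would keep a future reader from assuming hardening was intentionally switched off.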
@@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # adapted from minitriga/Netbox-Device-Type-Library-Import (MIT License) # Copyright (c) 2021 Alexander Gittings diff --git a/netbox/supervisord.conf b/netbox/supervisord.conf index 1703592bc..4bb797473 100644 --- a/netbox/supervisord.conf +++ b/netbox/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. [inet_http_server] port=0.0.0.0:9001 diff --git a/nginx/nginx.conf b/nginx/nginx.conf index 05a138c45..e6c109bcd 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. daemon off; @@ -145,14 +145,6 @@ http { client_max_body_size 50G; } - # Logstash statistics - location ~* ^/logstash\b(.*) { - include /etc/nginx/nginx_auth_rt.conf; - proxy_pass http://logstash-stats/_node/stats$1; - proxy_redirect off; - proxy_set_header Host arkime.malcolm.local; - } - # Arkime -> Dashboards shortcut location ~* ^/idark2dash(.*) { include /etc/nginx/nginx_auth_rt.conf; 
@@ -253,6 +245,34 @@ http { proxy_set_header Authorization ""; } + # passthrough Logstash statistics from the Malcolm API + location /mapi/logstash/ { + include /etc/nginx/nginx_auth_rt.conf; + proxy_pass http://logstash-stats/_node/stats/; + proxy_redirect off; + } + + # passthrough OpenSearch from the Malcolm API + location /mapi/opensearch/ { + include /etc/nginx/nginx_auth_rt.conf; + proxy_pass http://opensearch/; + proxy_redirect off; + proxy_set_header Host os.malcolm.local; + client_max_body_size 50m; + } + + # passthrough NetBox from the Malcolm API + location /mapi/netbox/ { + include /etc/nginx/nginx_auth_rt.conf; + proxy_pass http://netbox/netbox/api/; + proxy_redirect off; + proxy_set_header Host netbox.malcolm.local; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Remote-Auth $authenticated_user; + } + # Malcolm API location /mapi { include /etc/nginx/nginx_auth_rt.conf; diff --git a/nginx/nginx_readonly.conf b/nginx/nginx_readonly.conf index 61e6b0012..4bb3705fc 100644 --- a/nginx/nginx_readonly.conf +++ b/nginx/nginx_readonly.conf @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. daemon off; @@ -177,6 +177,19 @@ http { proxy_set_header Authorization ""; } + # passthrough NetBox from the Malcolm API + location /mapi/netbox/ { + limit_except GET { deny all; } + include /etc/nginx/nginx_auth_rt.conf; + proxy_pass http://netbox/netbox/api/; + proxy_redirect off; + proxy_set_header Host netbox.malcolm.local; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Remote-Auth $authenticated_user; + } + # Malcolm API location /mapi { proxy_pass http://api; 
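Review bot: The new `location /mapi/opensearch/` block is a full passthrough of the OpenSearch REST API (`proxy_pass http://opensearch/`) to every user that passes `nginx_auth_rt.conf`, with no method or path restriction, so an authenticated Malcolm account can reach write and administrative endpoints through the API path; this is broader than the NetBox variant added to nginx_readonly.conf in the next hunk, which is fenced with `limit_except GET { deny all; }`. If the Malcolm API only needs reads here, the same `limit_except GET { deny all; }` on this location would narrow the exposure; if the full surface is intended, a comment naming the API callers that rely on it would document the decision. Note that nginx treats HEAD like GET in `limit_except GET`, which is presumably acceptable for the read-only configuration. The same comment applies to `/mapi/netbox/` in this file, which unlike the read-only copy has no method restriction.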
diff --git a/nginx/supervisord.conf b/nginx/supervisord.conf index a03b1f7e3..4fa4d85ad 100644 --- a/nginx/supervisord.conf +++ b/nginx/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. [unix_http_server] file=/tmp/supervisor.sock ; (the path to the socket file) diff --git a/pcap-capture/scripts/netsniff-roll.sh b/pcap-capture/scripts/netsniff-roll.sh index ca2ab23f9..1fd48530a 100755 --- a/pcap-capture/scripts/netsniff-roll.sh +++ b/pcap-capture/scripts/netsniff-roll.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. lastmod(){ expr $(date +%s) - $(stat -c %X "$1") diff --git a/pcap-capture/scripts/supervisor.sh b/pcap-capture/scripts/supervisor.sh index 46e612c8d..618e775ff 100755 --- a/pcap-capture/scripts/supervisor.sh +++ b/pcap-capture/scripts/supervisor.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. set -e diff --git a/pcap-capture/supervisord.conf b/pcap-capture/supervisord.conf index 07a7b1af2..1ee0eb6a3 100644 --- a/pcap-capture/supervisord.conf +++ b/pcap-capture/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. [unix_http_server] file=/tmp/supervisor.sock ; (the path to the socket file) diff --git a/pcap-monitor/scripts/watch-pcap-uploads-folder.py b/pcap-monitor/scripts/watch-pcap-uploads-folder.py index 2b7847f0e..8945d937e 100755 --- a/pcap-monitor/scripts/watch-pcap-uploads-folder.py +++ b/pcap-monitor/scripts/watch-pcap-uploads-folder.py 
@@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. ################################################################################################### # Monitor a directory for PCAP files for processing (by publishing their filenames to a ZMQ socket) diff --git a/pcap-monitor/supervisord.conf b/pcap-monitor/supervisord.conf index bb3e3bdc1..e1f7b6fc1 100644 --- a/pcap-monitor/supervisord.conf +++ b/pcap-monitor/supervisord.conf @@ -1,4 +1,4 @@ -; Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +; Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. [unix_http_server] diff --git a/arkime-raw/.gitignore b/pcap/arkime-live/.gitignore similarity index 100% rename from arkime-raw/.gitignore rename to pcap/arkime-live/.gitignore diff --git a/scripts/build.sh b/scripts/build.sh index a4ff97c27..36bd18b5c 100755 --- a/scripts/build.sh +++ b/scripts/build.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. if [ -z "$BASH_VERSION" ]; then echo "Wrong interpreter, please run \"$0\" with bash" diff --git a/scripts/control.py b/scripts/control.py index c6b39d6c9..3b90076a2 100755 --- a/scripts/control.py +++ b/scripts/control.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. import sys 
@@ -843,15 +843,13 @@ def stop(wipe=False): if wipe: # there is some overlap here among some of these containers, but it doesn't matter boundPathsToWipe = ( - BoundPath("arkime", "/opt/arkime/logs", True, None, None), - BoundPath("arkime", "/opt/arkime/raw", True, None, None), BoundPath("filebeat", "/zeek", True, None, None), BoundPath("file-monitor", "/zeek/logs", True, None, None), BoundPath("netbox", "/opt/netbox/netbox/media", True, None, ["."]), BoundPath("netbox-postgres", "/var/lib/postgresql/data", True, None, ["."]), BoundPath("netbox-redis", "/data", True, None, ["."]), BoundPath("opensearch", "/usr/share/opensearch/data", True, ["nodes"], None), - BoundPath("pcap-monitor", "/pcap", True, ["processed", "upload"], None), + BoundPath("pcap-monitor", "/pcap", True, ["arkime-live", "processed", "upload"], None), BoundPath("suricata", "/var/log/suricata", True, None, ["."]), BoundPath( "upload", @@ -995,8 +993,6 @@ def start(): if orchMode is OrchestrationFramework.DOCKER_COMPOSE: # make sure some directories exist before we start boundPathsToCreate = ( - BoundPath("arkime", "/opt/arkime/logs", False, None, None), - BoundPath("arkime", "/opt/arkime/raw", False, None, None), BoundPath("file-monitor", "/zeek/logs", False, None, None), BoundPath("nginx-proxy", "/var/local/ca-trust", False, None, None), BoundPath("netbox", "/opt/netbox/netbox/media", False, None, None), @@ -1004,7 +1000,7 @@ def start(): BoundPath("netbox-redis", "/data", False, None, None), BoundPath("opensearch", "/usr/share/opensearch/data", False, ["nodes"], None), BoundPath("opensearch", "/opt/opensearch/backup", False, None, None), - BoundPath("pcap-monitor", "/pcap", False, ["processed", "upload"], None), + BoundPath("pcap-monitor", "/pcap", False, ["arkime-live", "processed", "upload"], None), BoundPath("suricata", "/var/log/suricata", False, ["live"], None), BoundPath( "upload", diff --git a/scripts/demo/Vagrantfile b/scripts/demo/Vagrantfile index 23ad11734..e80b63314 100644 
--- a/scripts/demo/Vagrantfile +++ b/scripts/demo/Vagrantfile @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. class VagrantPlugins::ProviderVirtualBox::Action::Network def dhcp_server_matches_config?(dhcp_server, config) diff --git a/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh b/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh index 762c7b37e..e75544379 100755 --- a/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh +++ b/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. ################################################################################### # for setting up a Malcolm demo instance on an Amazon Linux 2 instance from scratch diff --git a/scripts/demo/reset_and_auto_populate.sh b/scripts/demo/reset_and_auto_populate.sh index 38dea9057..900b2a43a 100755 --- a/scripts/demo/reset_and_auto_populate.sh +++ b/scripts/demo/reset_and_auto_populate.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. ############################################################################### # diff --git a/scripts/documentation_build.sh b/scripts/documentation_build.sh index d9a230878..7510d1b57 100755 --- a/scripts/documentation_build.sh +++ b/scripts/documentation_build.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. if [ -z "$BASH_VERSION" ]; then echo "Wrong interpreter, please run \"$0\" with bash" diff --git a/scripts/install.py b/scripts/install.py index 8408144ed..0b341bcae 100755 --- a/scripts/install.py 
+++ b/scripts/install.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. import sys @@ -235,6 +235,7 @@ def __init__(self, orchMode, debug=False, configOnly=False): self.checkPackageCmds = [] self.installPackageCmds = [] self.requiredPackages = [] + self.dockerComposeCmd = None self.pipCmd = 'pip3' if not which(self.pipCmd, debug=self.debug): @@ -302,15 +303,16 @@ def install_required_packages(self): return self.install_package(self.requiredPackages) # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - def install_docker_images(self, docker_image_file): + def install_docker_images(self, docker_image_file, malcolm_install_path): result = False + composeFile = os.path.join(malcolm_install_path, 'docker-compose.yml') if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: if ( docker_image_file and os.path.isfile(docker_image_file) and InstallerYesOrNo( - f'Load Malcolm Docker images from {docker_image_file}', default=True, forceInteraction=True + f'Load Malcolm Docker images from {docker_image_file}?', default=True, forceInteraction=True ) ): ecode, out = self.run_process(['docker', 'load', '-q', '-i', docker_image_file], privileged=True) 
@@ -319,6 +321,31 @@ def install_docker_images(self, docker_image_file): else: eprint(f"Loading Malcolm Docker images failed: {out}") + elif ( + os.path.isfile(composeFile) + and self.dockerComposeCmd + and InstallerYesOrNo(f'Pull Malcolm Docker images?', default=False, forceInteraction=False) + ): + for priv in (False, True): + ecode, out = self.run_process( + [ + self.dockerComposeCmd, + '-f', + composeFile, + '--profile=malcolm', + 'pull', + '--quiet', + ], + privileged=priv, + ) + if ecode == 0: + break + + if ecode == 0: + result = True + else: + eprint(f"Pulling Malcolm Docker images failed: {out}") + return result # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -331,7 +358,7 @@ def install_malcolm_files(self, malcolm_install_file, default_config_dir): malcolm_install_file and os.path.isfile(malcolm_install_file) and InstallerYesOrNo( - f'Extract Malcolm runtime files from {malcolm_install_file}', default=True, forceInteraction=True + f'Extract Malcolm runtime files from {malcolm_install_file}?', default=True, forceInteraction=True ) ): # determine and create destination path for installation @@ -434,8 +461,10 @@ def tweak_malcolm_runtime(self, malcolm_install_path): defaultUid = '1000' defaultGid = '1000' if ((self.platform == PLATFORM_LINUX) or (self.platform == PLATFORM_MAC)) and (self.scriptUser == "root"): - defaultUid = str(os.stat(malcolm_install_path).st_uid) - defaultGid = str(os.stat(malcolm_install_path).st_gid) + if pathUid := os.stat(malcolm_install_path).st_uid: + defaultUid = str(pathUid) + if pathGid := os.stat(malcolm_install_path).st_gid: + defaultGid = str(pathGid) puid = defaultUid pgid = defaultGid 
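Review bot: The pull loop escalates to a privileged run on any non-zero exit of the unprivileged `pull`, not only on a permission error, so a network or registry failure is retried as root and the first attempt's `out` is discarded before `eprint(f"Pulling Malcolm Docker images failed: {out}")` reports it. Keeping the first output (or logging both) would make the reported failure the one the user can act on; the same two-attempt pattern appears again in the install_docker_compose hunks later in this diff. `f'Pull Malcolm Docker images?'` has no placeholders and can be a plain string. install_docker_images starts in the previous hunk; `return result` is its last line here.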
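Review bot: The walrus guards in the uid/gid block change behaviour silently: when the install path is owned by root (`st_uid`/`st_gid` of 0) the defaults now stay at `'1000'` instead of becoming `'0'`, which looks deliberate but is not stated, and the path is stat'ed twice. Suggest one stat with a comment: `# fall back to 1000 rather than 0 when the install path is root-owned`, `pathStat = os.stat(malcolm_install_path)`, then `if pathStat.st_uid:` / `if pathStat.st_gid:`. tweak_malcolm_runtime starts and ends outside the hunk.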
@@ -470,7 +499,6 @@ def tweak_malcolm_runtime(self, malcolm_install_path): f'Enter the node name to associate with network traffic metadata', default=args.pcapNodeName, ) - pcapNodeHost = '' if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: # guestimate how much memory we should use based on total system memory @@ -626,18 +654,6 @@ def tweak_malcolm_runtime(self, malcolm_install_path): f'Enter Logstash host and port (e.g., 192.168.1.123:5044)', default=args.logstashHost, ) - pcapNodeHost = InstallerAskForString( - f"Enter this node's hostname or IP to associate with network traffic metadata", - default=args.pcapNodeHost, - ) - if not pcapNodeHost and not InstallerYesOrNo( - f'Node hostname or IP is required for Arkime session retrieval under the {malcolmProfile} profile. Are you sure?', - default=False, - ): - pcapNodeHost = InstallerAskForString( - f"Enter this node's hostname or IP to associate with network traffic metadata", - default=args.pcapNodeHost, - ) if (malcolmProfile == PROFILE_MALCOLM) and InstallerYesOrNo( 'Forward Logstash logs to a secondary remote document store?', @@ -963,6 +979,7 @@ def tweak_malcolm_runtime(self, malcolm_install_path): for pathToCreate in ( indexDirFull, indexSnapshotDirFull, + os.path.join(pcapDirFull, 'arkime-live'), os.path.join(pcapDirFull, 'processed'), os.path.join(pcapDirFull, os.path.join('upload', os.path.join('tmp', 'spool'))), os.path.join(pcapDirFull, os.path.join('upload', 'variants')), @@ -1029,7 +1046,7 @@ def tweak_malcolm_runtime(self, malcolm_install_path): (opensearchPrimaryMode != DatabaseMode.OpenSearchLocal) or (malcolmProfile != PROFILE_MALCOLM) or InstallerYesOrNo( - 'Should Arkime delete PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)?', + 'Should Arkime delete uploaded PCAP files based on available storage (see https://arkime.com/faq#pcap-deletion)?', default=args.arkimeManagePCAP, ) ) 
@@ -1044,6 +1061,7 @@ def tweak_malcolm_runtime(self, malcolm_install_path): if arkimeFreeSpaceGTmp: arkimeFreeSpaceG = arkimeFreeSpaceGTmp + autoArkime = InstallerYesOrNo('Automatically analyze all PCAP files with Arkime?', default=args.autoArkime) autoSuricata = InstallerYesOrNo( 'Automatically analyze all PCAP files with Suricata?', default=args.autoSuricata ) @@ -1052,14 +1070,14 @@ def tweak_malcolm_runtime(self, malcolm_install_path): ) autoZeek = InstallerYesOrNo('Automatically analyze all PCAP files with Zeek?', default=args.autoZeek) - zeekIcs = InstallerYesOrNo( + malcolmIcs = InstallerYesOrNo( 'Is Malcolm being used to monitor an Operational Technology/Industrial Control Systems (OT/ICS) network?', - default=args.zeekIcs, + default=args.malcolmIcs, ) zeekICSBestGuess = ( autoZeek - and zeekIcs + and malcolmIcs and InstallerYesOrNo( 'Should Malcolm use "best guess" to identify potential OT/ICS traffic with Zeek?', default=args.zeekICSBestGuess, @@ -1084,7 +1102,6 @@ def tweak_malcolm_runtime(self, malcolm_install_path): ) if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: if malcolmProfile == PROFILE_MALCOLM: - arkimeViewerOpen = False openPortsOptions = ('no', 'yes', 'customize') loopBreaker = CountUntilException(MaxAskForValueCount) while openPortsSelection not in [x[0] for x in openPortsOptions] and loopBreaker.increment(): @@ -1097,7 +1114,7 @@ def tweak_malcolm_runtime(self, malcolm_install_path): logstashOpen = False filebeatTcpOpen = False elif openPortsSelection == 'y': - opensearchOpen = True + opensearchOpen = opensearchPrimaryMode == DatabaseMode.OpenSearchLocal logstashOpen = True filebeatTcpOpen = True else: 
@@ -1116,16 +1133,12 @@ def tweak_malcolm_runtime(self, malcolm_install_path): openPortsSelection = 'n' logstashOpen = False filebeatTcpOpen = False - arkimeViewerOpen = InstallerYesOrNo( - 'Expose Arkime viewer to external hosts for PCAP payload retrieval?', - default=args.exposeArkimeViewer, - ) + else: opensearchOpen = opensearchPrimaryMode == DatabaseMode.OpenSearchLocal openPortsSelection = 'y' logstashOpen = True filebeatTcpOpen = True - arkimeViewerOpen = malcolmProfile == PROFILE_HEDGEHOG filebeatTcpFormat = 'json' filebeatTcpSourceField = 'message' @@ -1260,7 +1273,8 @@ def tweak_malcolm_runtime(self, malcolm_install_path): default=args.netboxLogstashAutoPopulate, ) and ( - InstallerYesOrNo( + args.acceptDefaultsNonInteractive + or InstallerYesOrNo( "Autopopulating NetBox's inventory is not recommended. Are you sure?", default=args.netboxLogstashAutoPopulate, ) @@ -1284,6 +1298,8 @@ def tweak_malcolm_runtime(self, malcolm_install_path): # input packet capture parameters pcapNetSniff = False pcapTcpDump = False + liveArkime = False + liveArkimeNodeHost = '' liveZeek = False liveSuricata = False pcapIface = 'lo' 
@@ -1309,32 +1325,47 @@ def tweak_malcolm_runtime(self, malcolm_install_path): choices=[(x, '', x == captureOptions[0]) for x in captureOptions], )[0] if captureSelection == 'y': - pcapNetSniff = True + liveArkime = (malcolmProfile == PROFILE_HEDGEHOG) or (opensearchPrimaryMode != DatabaseMode.OpenSearchLocal) + pcapNetSniff = not liveArkime liveSuricata = True liveZeek = True + tweakIface = True elif captureSelection == 'c': if InstallerYesOrNo( 'Should Malcolm capture live network traffic to PCAP files for analysis with Arkime?', - default=args.pcapNetSniff or args.pcapTcpDump or (malcolmProfile == PROFILE_HEDGEHOG), + default=args.pcapNetSniff + or args.pcapTcpDump + or args.liveArkime + or (malcolmProfile == PROFILE_HEDGEHOG), ): - pcapNetSniff = InstallerYesOrNo('Capture packets using netsniff-ng?', default=args.pcapNetSniff) - if not pcapNetSniff: - pcapTcpDump = InstallerYesOrNo('Capture packets using tcpdump?', default=args.pcapTcpDump) + liveArkime = (opensearchPrimaryMode != DatabaseMode.OpenSearchLocal) and ( + (malcolmProfile == PROFILE_HEDGEHOG) + or InstallerYesOrNo('Capture packets using Arkime capture?', default=args.liveArkime) + ) + pcapNetSniff = (not liveArkime) and InstallerYesOrNo( + 'Capture packets using netsniff-ng?', default=args.pcapNetSniff + ) + pcapTcpDump = ( + (not liveArkime) + and (not pcapNetSniff) + and InstallerYesOrNo('Capture packets using tcpdump?', default=args.pcapTcpDump) + ) liveSuricata = InstallerYesOrNo( 'Should Malcolm analyze live network traffic with Suricata?', default=args.liveSuricata ) liveZeek = InstallerYesOrNo('Should Malcolm analyze live network traffic with Zeek?', default=args.liveZeek) - if pcapNetSniff or pcapTcpDump or liveZeek or liveSuricata: + if pcapNetSniff or pcapTcpDump or liveArkime or liveZeek or liveSuricata: pcapFilter = InstallerAskForString( 'Capture filter (tcpdump-like filter expression; leave blank to capture all traffic)', default=args.pcapFilter, ) - tweakIface = InstallerYesOrNo( + # 
Arkime requires disabling NIC offloading: https://arkime.com/faq#arkime_requires_full_packet_captures_error + tweakIface = liveArkime or InstallerYesOrNo( 'Disable capture interface hardware offloading and adjust ring buffer sizes?', default=args.tweakIface, ) - if pcapNetSniff or pcapTcpDump or liveZeek or liveSuricata: + if pcapNetSniff or pcapTcpDump or liveArkime or liveZeek or liveSuricata: pcapIface = '' loopBreaker = CountUntilException(MaxAskForValueCount, 'Invalid capture interface(s)') while (len(pcapIface) <= 0) and loopBreaker.increment(): @@ -1342,12 +1373,33 @@ def tweak_malcolm_runtime(self, malcolm_install_path): 'Specify capture interface(s) (comma-separated)', default=args.pcapIface ) + if liveArkime: + liveArkimeNodeHost = InstallerAskForString( + f"Enter this node's hostname or IP to associate with network traffic metadata", + default=args.liveArkimeNodeHost, + ) + if ( + (not liveArkimeNodeHost) + and (not args.acceptDefaultsNonInteractive) + and ( + not InstallerYesOrNo( + f'With live Arkime capture node hostname or IP is required for viewer session retrieval. Are you sure?', + default=False, + ) + ) + ): + liveArkimeNodeHost = InstallerAskForString( + f"Enter this node's hostname or IP to associate with network traffic metadata", + default=args.liveArkimeNodeHost, + ) + if ( (malcolmProfile == PROFILE_HEDGEHOG) and (not pcapNetSniff) and (not pcapTcpDump) and (not liveZeek) and (not liveSuricata) + and (not liveArkime) ): InstallerDisplayMessage( f'Warning: Running with the {malcolmProfile} profile but no capture methods are enabled.', 
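Review bot: The two capture branches disagree on when live Arkime capture is allowed: under `captureSelection == 'y'` it is `(malcolmProfile == PROFILE_HEDGEHOG) or (opensearchPrimaryMode != DatabaseMode.OpenSearchLocal)`, so a hedgehog profile with a local OpenSearch gets `liveArkime = True`, while the `'c'` branch requires `opensearchPrimaryMode != DatabaseMode.OpenSearchLocal` unconditionally and the `--live-capture-arkime` help text in a later hunk says it is not available with local OpenSearch. If the hedgehog profile can never be paired with a local OpenSearch this is harmless but the profile term is redundant; otherwise the `'y'` branch should take the same `(opensearchPrimaryMode != DatabaseMode.OpenSearchLocal) and (...)` shape as the `'c'` branch. A one-line comment on why hedgehog implies Arkime capture would help either way. tweak_malcolm_runtime starts and ends outside the hunk.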
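Review bot: The empty-node-host handling re-prompts once and then proceeds with `liveArkimeNodeHost == ''`, which a later hunk writes to `ARKIME_LIVE_NODE_HOST`; that is fine when the user confirms, but the confirmation text reads awkwardly — suggest `'With live Arkime capture, a node hostname or IP is required for viewer session retrieval. Are you sure?'`. The two `InstallerAskForString` prompts and the confirmation are `f"..."` strings with no placeholders and can be plain strings. The enclosing function continues outside the hunk.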
@@ -1393,6 +1445,30 @@ def tweak_malcolm_runtime(self, malcolm_install_path): 'ARKIME_FREESPACEG', arkimeFreeSpaceG, ), + # live traffic analysis with Arkime capture (only available with remote opensearch or elasticsearch) + EnvValue( + os.path.join(args.configDir, 'arkime-live.env'), + 'ARKIME_LIVE_CAPTURE', + TrueOrFalseNoQuote(liveArkime), + ), + # capture source "node host" for live Arkime capture + EnvValue( + os.path.join(args.configDir, 'arkime-live.env'), + 'ARKIME_LIVE_NODE_HOST', + liveArkimeNodeHost, + ), + # rotated captured PCAP analysis with Arkime (not live capture) + EnvValue( + os.path.join(args.configDir, 'arkime-offline.env'), + 'ARKIME_ROTATED_PCAP', + TrueOrFalseNoQuote(autoArkime and (not liveArkime)), + ), + # automatic uploaded pcap analysis with Arkime + EnvValue( + os.path.join(args.configDir, 'arkime-offline.env'), + 'ARKIME_AUTO_ANALYZE_PCAP_FILES', + TrueOrFalseNoQuote(autoArkime), + ), # authentication method: basic (true), ldap (false) or no_authentication EnvValue( os.path.join(args.configDir, 'auth-common.env'), @@ -1650,6 +1726,12 @@ def tweak_malcolm_runtime(self, malcolm_install_path): 'SURICATA_UPDATE_RULES', TrueOrFalseNoQuote(suricataRuleUpdate), ), + # disable/enable ICS analyzers + EnvValue( + os.path.join(args.configDir, 'suricata.env'), + 'SURICATA_DISABLE_ICS_ALL', + TrueOrFalseNoQuote(not malcolmIcs), + ), # live traffic analysis with Suricata EnvValue( os.path.join(args.configDir, 'suricata-live.env'), @@ -1674,12 +1756,6 @@ def tweak_malcolm_runtime(self, malcolm_install_path): 'PCAP_NODE_NAME', pcapNodeName, ), - # capture source "node host" for locally processed PCAP files - EnvValue( - os.path.join(args.configDir, 'upload-common.env'), - 'PCAP_NODE_HOST', - pcapNodeHost, - ), # zeek file extraction mode EnvValue( os.path.join(args.configDir, 'zeek.env'), 
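Review bot: `SURICATA_DISABLE_ICS_ALL` is written as `TrueOrFalseNoQuote(not malcolmIcs)`, i.e. an explicit `false` when ICS monitoring is enabled, whereas the Zeek counterpart in a following hunk keeps `'' if malcolmIcs else TrueOrFalseNoQuote(not malcolmIcs)` and writes an empty value in that case. If both .env consumers treat empty and `false` alike this is harmless, but the asymmetry is easy to misread; either align the two expressions or add `# explicit false (unlike ZEEK_DISABLE_ICS_ALL) because …` on the Suricata entry. tweak_malcolm_runtime starts and ends outside the hunk.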
@@ -1744,7 +1820,7 @@ def tweak_malcolm_runtime(self, malcolm_install_path): EnvValue( os.path.join(args.configDir, 'zeek.env'), 'ZEEK_DISABLE_ICS_ALL', - '' if zeekIcs else TrueOrFalseNoQuote(not zeekIcs), + '' if malcolmIcs else TrueOrFalseNoQuote(not malcolmIcs), ), # disable/enable ICS best guess EnvValue( @@ -1892,7 +1968,7 @@ def tweak_malcolm_runtime(self, malcolm_install_path): # whether or not to restart services automatically (on boot, etc.) line = f"{sectionIndents[currentSection] * 2}restart: {restartMode}" - elif currentService == 'arkime': + elif (currentService == 'arkime') or (currentService == 'arkime-live'): # stuff specifically in the arkime section if re.match(r'^\s*-.+:/data/pcap(:.+)?\s*$', line): # Arkime's reference to the PCAP directory @@ -1901,13 +1977,6 @@ def tweak_malcolm_runtime(self, malcolm_install_path): pcapDir, sectionIndents[currentSection] * 3, ) - elif re.match(r'^[\s#]*-\s*"([\d\.]+:)?\d+:\d+"\s*$', line): - # set bind IP based on whether it should be externally exposed or not - line = re.sub( - r'^([\s#]*-\s*")([\d\.]+:)?(\d+:\d+"\s*)$', - fr"\g<1>{'0.0.0.0' if arkimeViewerOpen else '127.0.0.1'}:\g<3>", - line, - ) elif currentService == 'filebeat': # stuff specifically in the filebeat section 
@@ -2591,24 +2660,28 @@ def install_docker_compose(self): if self.orchMode is OrchestrationFramework.DOCKER_COMPOSE: # first see if docker compose/docker-compose is already installed and runnable # (try non-root and root) - dockerComposeCmd = ('docker', 'compose') - err, out = self.run_process([dockerComposeCmd, 'version'], privileged=False) + tmpComposeCmd = ('docker', 'compose') + + for priv in (False, True): + err, out = self.run_process([tmpComposeCmd, 'version'], privileged=priv) + if err == 0: + break if err != 0: - err, out = self.run_process([dockerComposeCmd, 'version'], privileged=True) - if err != 0: - dockerComposeCmd = 'docker-compose' - if not which(dockerComposeCmd, debug=self.debug): - if os.path.isfile('/usr/libexec/docker/cli-plugins/docker-compose'): - dockerComposeCmd = '/usr/libexec/docker/cli-plugins/docker-compose' - elif os.path.isfile('/usr/local/bin/docker-compose'): - dockerComposeCmd = '/usr/local/bin/docker-compose' - err, out = self.run_process([dockerComposeCmd, 'version'], privileged=False) - if err != 0: - err, out = self.run_process([dockerComposeCmd, 'version'], privileged=True) + tmpComposeCmd = 'docker-compose' + if not which(tmpComposeCmd, debug=self.debug): + if os.path.isfile('/usr/libexec/docker/cli-plugins/docker-compose'): + tmpComposeCmd = '/usr/libexec/docker/cli-plugins/docker-compose' + elif os.path.isfile('/usr/local/bin/docker-compose'): + tmpComposeCmd = '/usr/local/bin/docker-compose' + for priv in (False, True): + err, out = self.run_process([tmpComposeCmd, 'version'], privileged=priv) + if err == 0: + break - if (err != 0) and InstallerYesOrNo( - 'docker compose failed, attempt to install docker compose?', default=True - ): + if err == 0: + self.dockerComposeCmd = tmpComposeCmd + + elif InstallerYesOrNo('docker compose failed, attempt to install docker compose?', default=True): if InstallerYesOrNo('Install docker compose directly from docker github?', default=True): # download docker-compose from github and put 
it in /usr/local/bin @@ -2622,7 +2695,7 @@ def install_docker_compose(self): unames.append(out[0].lower()) if len(unames) == 2: # download docker-compose from github and save it to a temporary file - tempFileName = os.path.join(self.tempDirName, dockerComposeCmd) + tempFileName = os.path.join(self.tempDirName, tmpComposeCmd) dockerComposeUrl = f"https://github.com/docker/compose/releases/download/v{DOCKER_COMPOSE_INSTALL_VERSION}/docker-compose-{unames[0]}-{unames[1]}" if DownloadToFile(dockerComposeUrl, tempFileName, debug=self.debug): os.chmod(tempFileName, 493) # 493 = 0o755, mark as executable @@ -2632,7 +2705,7 @@ def install_docker_compose(self): ) if err == 0: eprint("Download and installation of docker-compose apparently succeeded") - dockerComposeCmd = '/usr/local/bin/docker-compose' + tmpComposeCmd = '/usr/local/bin/docker-compose' else: raise Exception(f'Error copying {tempFileName} to /usr/local/bin: {out}') @@ -2656,11 +2729,13 @@ def install_docker_compose(self): eprint(f"Install docker-compose via pip failed with {err}, {out}") # see if docker-compose is now installed and runnable (try non-root and root) - err, out = self.run_process([dockerComposeCmd, 'version'], privileged=False) - if err != 0: - err, out = self.run_process([dockerComposeCmd, 'version'], privileged=True) + for priv in (False, True): + err, out = self.run_process([tmpComposeCmd, 'version'], privileged=priv) + if err == 0: + break if err == 0: + self.dockerComposeCmd = tmpComposeCmd result = True if self.debug: eprint('docker compose succeeded') @@ -3508,6 +3583,16 @@ def main(): ) analysisArgGroup = parser.add_argument_group('Analysis options') + analysisArgGroup.add_argument( + '--auto-arkime', + dest='autoArkime', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=True, + help="Automatically analyze all PCAP files with Arkime", + ) analysisArgGroup.add_argument( '--auto-suricata', dest='autoSuricata', 
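Review bot: `tempFileName = os.path.join(self.tempDirName, tmpComposeCmd)` misbehaves whenever `tmpComposeCmd` was set to an absolute path earlier in install_docker_compose (`/usr/libexec/docker/cli-plugins/docker-compose` or `/usr/local/bin/docker-compose` exists but `version` failed): `os.path.join` drops `tempDirName` for an absolute second argument, so the download targets that system path instead of the temp directory. `tempFileName = os.path.join(self.tempDirName, os.path.basename(tmpComposeCmd))` keeps it in the temp dir. Separately, the binary fetched from `dockerComposeUrl` is chmod'ed and copied into `/usr/local/bin` with no integrity check; docker/compose publishes checksum files alongside its release binaries, so verifying the download before installing it would be worth adding. install_docker_compose starts in an earlier hunk and continues after this one.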
@@ -3540,7 +3625,7 @@ def main(): ) analysisArgGroup.add_argument( '--zeek-ics', - dest='zeekIcs', + dest='malcolmIcs', type=str2bool, metavar="true|false", nargs='?', @@ -3754,11 +3839,30 @@ def main(): metavar="true|false", nargs='?', const=True, - default=False, + default=True, help="Disable capture interface hardware offloading and adjust ring buffer sizes", ) captureArgGroup.add_argument( '--live-capture-arkime', + dest='liveArkime', + type=str2bool, + metavar="true|false", + nargs='?', + const=True, + default=False, + help=f"Capture live network traffic with Arkime capture (not available with --opensearch {DATABASE_MODE_LABELS[DatabaseMode.OpenSearchLocal]})", + ) + captureArgGroup.add_argument( + '--live-capture-arkime-node-host', + dest='liveArkimeNodeHost', + required=False, + metavar='', + type=str, + default='', + help='The node hostname or IP address to associate with live network traffic observed by Arkime capture', + ) + captureArgGroup.add_argument( + '--live-capture-netsniff', dest='pcapNetSniff', type=str2bool, metavar="true|false", @@ -3768,7 +3872,7 @@ def main(): help="Capture live network traffic with netsniff-ng for Arkime", ) captureArgGroup.add_argument( - '--live-capture-arkime-tcpdump', + '--live-capture-tcpdump', dest='pcapTcpDump', type=str2bool, metavar="true|false", @@ -3806,15 +3910,6 @@ def main(): default=os.getenv('HOSTNAME', os.getenv('COMPUTERNAME', platform.node())).split('.')[0], help='The node name to associate with network traffic metadata', ) - captureArgGroup.add_argument( - '--node-host', - dest='pcapNodeHost', - required=False, - metavar='', - type=str, - default='', - help='The node hostname or IP address to associate with network traffic metadata', - ) try: parser.error = parser.exit 
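Review bot: `--live-capture-arkime` keeps its option name but changes meaning — its `dest` moves from `pcapNetSniff` to the new `liveArkime`, so an existing invocation that used it to enable netsniff-ng capture now requests Arkime live capture (the old behaviour is now `--live-capture-netsniff`); in the next hunk `--live-capture-arkime-tcpdump` becomes `--live-capture-tcpdump` with no alias, which is an argparse error for existing scripts. argparse accepts several option strings per argument, so `'--live-capture-tcpdump', '--live-capture-arkime-tcpdump',` would keep the old spelling working, while the semantic change to `--live-capture-arkime` cannot be aliased away and deserves a note in its help string. The argument whose help is "Disable capture interface hardware offloading and adjust ring buffer sizes" (its option name is above the hunk) also flips `default=False` to `default=True`, a behaviour change worth stating in that help text. main() starts and ends outside the hunk.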
@@ -3906,8 +4001,6 @@ def main(): success = installer.install_docker_compose() if hasattr(installer, 'tweak_system_files'): success = installer.tweak_system_files() - if (orchMode is OrchestrationFramework.DOCKER_COMPOSE) and hasattr(installer, 'install_docker_images'): - success = installer.install_docker_images(imageFile) if (orchMode is OrchestrationFramework.DOCKER_COMPOSE) and hasattr(installer, 'install_malcolm_files'): success, installPath = installer.install_malcolm_files(malcolmFile, args.configDir is None) @@ -3958,11 +4051,19 @@ def main(): if args.debug: eprint(f"Malcolm installation detected at {installPath}") - if (installPath is not None) and os.path.isdir(installPath) and hasattr(installer, 'tweak_malcolm_runtime'): - installer.tweak_malcolm_runtime(installPath) - eprint(f"\nMalcolm has been installed to {installPath}. See README.md for more information.") - eprint( - f"Scripts for starting and stopping Malcolm and changing authentication-related settings can be found in {os.path.join(installPath, 'scripts')}." + if (installPath is not None) and os.path.isdir(installPath): + if hasattr(installer, 'tweak_malcolm_runtime'): + installer.tweak_malcolm_runtime(installPath) + + if ( + (not args.configOnly) + and (orchMode is OrchestrationFramework.DOCKER_COMPOSE) + and hasattr(installer, 'install_docker_images') + ): + success = installer.install_docker_images(imageFile, installPath) + + InstallerDisplayMessage( + f"Malcolm has been installed to {installPath}. See README.md for more information.\nScripts for starting and stopping Malcolm and changing authentication-related settings can be found in {os.path.join(installPath, 'scripts')}." ) diff --git a/scripts/malcolm_appliance_packager.sh b/scripts/malcolm_appliance_packager.sh index 3f7256549..d4fb0f795 100755 --- a/scripts/malcolm_appliance_packager.sh +++ b/scripts/malcolm_appliance_packager.sh 
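Review bot: `success = installer.install_docker_images(imageFile, installPath)` overwrites the running `success` flag with the method's result, and per the earlier hunk that result is `False` whenever the user declines the `Pull Malcolm Docker images?` prompt (default `False`) or neither an image file nor a compose file is found — so an otherwise successful install may be reported as failed wherever `success` is consulted afterwards (outside this hunk). If declining the pull is not an error, either drop the assignment or have install_docker_images return `True` in the nothing-to-do case. main() starts and ends outside the hunk.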
@@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. if [ -z "$BASH_VERSION" ]; then echo "Wrong interpreter, please run \"$0\" with bash" @@ -61,8 +61,7 @@ if mkdir "$DESTDIR"; then # ensure that if we "grabbed a lock", we release it (works for clean exit, SIGTERM, and SIGINT/Ctrl-C) trap "cleanup" EXIT - mkdir $VERBOSE -p "$DESTDIR/arkime-logs/" - mkdir $VERBOSE -p "$DESTDIR/arkime-raw/" + mkdir $VERBOSE -p "$DESTDIR/arkime/rules/" mkdir $VERBOSE -p "$DESTDIR/filebeat/certs/" mkdir $VERBOSE -p "$DESTDIR/htadmin/" mkdir $VERBOSE -p "$DESTDIR/logstash/certs/" @@ -75,6 +74,7 @@ if mkdir "$DESTDIR"; then mkdir $VERBOSE -p "$DESTDIR/nginx/certs/" mkdir $VERBOSE -p "$DESTDIR/opensearch-backup/" mkdir $VERBOSE -p "$DESTDIR/opensearch/nodes/" + mkdir $VERBOSE -p "$DESTDIR/pcap/arkime-live/" mkdir $VERBOSE -p "$DESTDIR/pcap/processed/" mkdir $VERBOSE -p "$DESTDIR/pcap/upload/tmp/spool" mkdir $VERBOSE -p "$DESTDIR/pcap/upload/variants/" @@ -103,6 +103,7 @@ if mkdir "$DESTDIR"; then cp $VERBOSE ./scripts/malcolm_kubernetes.py "$DESTDIR/scripts/" cp $VERBOSE ./scripts/malcolm_utils.py "$DESTDIR/scripts/" cp $VERBOSE ./README.md "$DESTDIR/" + cp $VERBOSE ./arkime/rules/*.yml "$DESTDIR/arkime/rules/" cp $VERBOSE ./logstash/certs/*.conf "$DESTDIR/logstash/certs/" cp $VERBOSE ./logstash/maps/malcolm_severity.yaml "$DESTDIR/logstash/maps/" cp $VERBOSE -r ./netbox/config/ "$DESTDIR/netbox/" diff --git a/scripts/malcolm_common.py b/scripts/malcolm_common.py index 843af368a..d8e95ded3 100644 --- a/scripts/malcolm_common.py +++ b/scripts/malcolm_common.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. import getpass import importlib 
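Review bot: `cp $VERBOSE ./arkime/rules/*.yml "$DESTDIR/arkime/rules/"` passes the literal pattern to cp when the directory holds no `.yml` files (bash default without nullglob), so an empty rules directory makes the copy fail rather than produce an empty destination. If that state is legitimate, guard it: `compgen -G "./arkime/rules/*.yml" > /dev/null && cp $VERBOSE ./arkime/rules/*.yml "$DESTDIR/arkime/rules/"`. The neighbouring copies use the same unguarded pattern, so this is a point about the new line only; the enclosing `if mkdir "$DESTDIR"` block begins and ends outside the hunk.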
@@ -705,6 +705,7 @@ def DownloadToFile(url, local_filename, debug=False): | GET\s+/(_cat/health|api/status|sessions2-|arkime_\w+).+HTTP/[\d\.].+\b200\b | GET\s+/\s+.+\b200\b.+ELB-HealthChecker | (GET|POST|PATCH)\s+/netbox/.+HTTP/[\d\.].+\b20[01]\b + | (GET|POST)\s+/(fields|get|valueActions|views|fieldActions)\b.+bytes\s+[\d\.]+\s+ms | loaded\s+config\s+'/etc/netbox/config/ | LOG:\s+checkpoint\s+(complete|starting) | "netbox"\s+application\s+started diff --git a/scripts/malcolm_kubernetes.py b/scripts/malcolm_kubernetes.py index 4bb7bc47c..7643f58d5 100644 --- a/scripts/malcolm_kubernetes.py +++ b/scripts/malcolm_kubernetes.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. import base64 import glob @@ -11,6 +11,7 @@ from collections import defaultdict from itertools import chain from io import StringIO +from pathlib import Path from malcolm_common import ( DotEnvDynamic, @@ -23,7 +24,6 @@ from malcolm_utils import ( deep_get, dictsearch, - eprint, get_iterable, file_contents, remove_suffix, @@ -37,6 +37,7 @@ MALCOLM_IMAGE_PREFIX = 'ghcr.io/idaholab/malcolm/' MALCOLM_DOTFILE_SECRET_KEY = 'K8S_SECRET' +MALCOLM_CONFIGMAP_DIR_REPLACER = '_MALDIR_' MALCOLM_CONFIGMAPS = { 'etc-nginx': [ @@ -107,6 +108,12 @@ 'path': os.path.join(MalcolmPath, os.path.join('logstash', 'logstash.keystore')), }, ], + 'arkime-rules': [ + { + 'secret': False, + 'path': os.path.join(MalcolmPath, os.path.join('arkime', 'rules')), + }, + ], 'yara-rules': [ { 'secret': False, @@ -197,6 +204,7 @@ MALCOLM_PROFILES_CONTAINERS[PROFILE_MALCOLM] = [ 'api', 'arkime', + 'arkime-live', 'dashboards', 'dashboards-helper', 'filebeat', @@ -220,6 +228,7 @@ ] MALCOLM_PROFILES_CONTAINERS[PROFILE_HEDGEHOG] = [ 'arkime', + 'arkime-live', 'file-monitor', 'filebeat', 'pcap-capture', 
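Review bot: The new log-filter alternative `(GET|POST)\s+/(fields|get|valueActions|views|fieldActions)\b.+bytes\s+[\d\.]+\s+ms` has no status-code term, unlike its neighbours which only suppress `\b200\b` / `\b20[01]\b` lines, so viewer requests to these endpoints are hidden from the displayed log whether they succeeded, were rejected or errored. If these Arkime viewer log lines carry a status code, anchoring on it the way the sibling patterns do (`.+\b200\b.+bytes\s+[\d\.]+\s+ms`) keeps failed or unauthorized requests visible; if they do not, a short comment saying so would explain why this pattern is looser. The enclosing verbose-regex alternation begins and ends outside the hunk.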
@@ -702,6 +711,8 @@ def StartMalcolm(namespace, malcolmPath, configPath, profile=PROFILE_MALCOLM): results_dict['create_namespace']['error'] = str(x) # create configmaps from files + # files in nested directories will be created with a name like foo_MALDIR_bar_MALDIR_baz.txt + # and then renamed to foo/bar/baz.txt during container start up by docker-uid-gid-setup.sh results_dict['create_namespaced_config_map']['result'] = dict() results_dict['create_namespaced_secret']['result'] = dict() for configMapName, configMapFiles in MALCOLM_CONFIGMAPS.items(): @@ -723,20 +734,21 @@ def StartMalcolm(namespace, malcolmPath, configPath, profile=PROFILE_MALCOLM): else: dataMap[os.path.basename(fname)] = contents elif os.path.isdir(fname): - for subfname in glob.iglob( - os.path.join(os.path.join(fname, '**'), '*'), recursive=True - ): - if os.path.isfile(subfname): - contents = file_contents( - subfname, - binary_fallback=True, + for root, dirNames, fileNames in os.walk(fname): + for f in fileNames: + subfname = os.path.join(root, f) + relfname = str(Path(os.path.join(root, f)).relative_to(fname)).replace( + os.sep, MALCOLM_CONFIGMAP_DIR_REPLACER ) - if hasattr(contents, 'decode'): - binaryDataMap[os.path.basename(subfname)] = base64.b64encode( - contents - ).decode('utf-8') - else: - dataMap[os.path.basename(subfname)] = contents + if os.path.isfile(subfname): + contents = file_contents( + subfname, + binary_fallback=True, + ) + if hasattr(contents, 'decode'): + binaryDataMap[relfname] = base64.b64encode(contents).decode('utf-8') + else: + dataMap[relfname] = contents metadata = kubeImported.client.V1ObjectMeta( name=configMapName, namespace=namespace, diff --git a/scripts/malcolm_utils.py b/scripts/malcolm_utils.py index cab6703d1..febc46df1 100644 --- a/scripts/malcolm_utils.py +++ b/scripts/malcolm_utils.py 
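Review bot: `relfname` recomputes `os.path.join(root, f)` on the line after `subfname` was bound to the same value; `relfname = str(Path(subfname).relative_to(fname)).replace(os.sep, MALCOLM_CONFIGMAP_DIR_REPLACER)` says the same thing once. A behavioural difference worth a comment: `os.walk` does not descend into symlinked directories by default, whereas I believe the replaced `glob.iglob(..., recursive=True)` did, so a config directory containing a symlinked subdirectory would now contribute no files — pass `followlinks=True` if that layout is expected. Since `_MALDIR_` folds path components into one ConfigMap data key, nested files only work while the resulting name stays within the alphanumerics, `-`, `_` and `.` the Kubernetes API accepts for keys; a comment next to `MALCOLM_CONFIGMAP_DIR_REPLACER` noting that constraint would help. StartMalcolm begins and ends outside the hunk.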
@@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. import contextlib import enum diff --git a/scripts/package_zeek_logs.sh b/scripts/package_zeek_logs.sh index b06d6dcff..8a484e4da 100755 --- a/scripts/package_zeek_logs.sh +++ b/scripts/package_zeek_logs.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # package up Zeek logs in a format more suitable for upload to Malcolm # diff --git a/scripts/third-party-environments/aws/ami/packer_vars.json.example b/scripts/third-party-environments/aws/ami/packer_vars.json.example index 88031bc28..f6a3d87fd 100644 --- a/scripts/third-party-environments/aws/ami/packer_vars.json.example +++ b/scripts/third-party-environments/aws/ami/packer_vars.json.example @@ -2,7 +2,7 @@ "aws_access_key": "XXXXXXXXXXXXXXXXXXXX", "aws_secret_key": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", "instance_type": "t2.micro", - "malcolm_tag": "v23.12.0", + "malcolm_tag": "v23.12.1", "malcolm_repo": "idaholab/Malcolm", "malcolm_uid": "1000", "ssh_username": "ec2-user", diff --git a/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh b/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh index a1c4d1f80..dcc032fe8 100755 --- a/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh +++ b/scripts/third-party-environments/aws/ami/scripts/Malcolm_AMI_Setup.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # Configure Amazon Linux 2 and install Malcolm diff --git a/scripts/third-party-logs/fluent-bit-setup.ps1 b/scripts/third-party-logs/fluent-bit-setup.ps1 index 4d7e55716..9b13fe07d 100644 
--- a/scripts/third-party-logs/fluent-bit-setup.ps1 +++ b/scripts/third-party-logs/fluent-bit-setup.ps1 @@ -5,7 +5,7 @@ # configuration of fluent-bit (https://fluentbit.io/) for forwarding logs to # an instance of Malcolm (https://github.com/cisagov/malcolm). # -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. ############################################################################### $fluent_bit_version = '2.2' diff --git a/scripts/third-party-logs/fluent-bit-setup.sh b/scripts/third-party-logs/fluent-bit-setup.sh index ed21c4a06..a92ffcb7d 100755 --- a/scripts/third-party-logs/fluent-bit-setup.sh +++ b/scripts/third-party-logs/fluent-bit-setup.sh @@ -7,7 +7,7 @@ # configuration of fluent-bit (https://fluentbit.io/) for forwarding logs to # an instance of Malcolm (https://github.com/cisagov/malcolm). # -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. ############################################################################### # force bash diff --git a/scripts/zeek_script_to_malcolm_boilerplate.py b/scripts/zeek_script_to_malcolm_boilerplate.py index 11c9857d3..f254099e0 100755 --- a/scripts/zeek_script_to_malcolm_boilerplate.py +++ b/scripts/zeek_script_to_malcolm_boilerplate.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # # This script takes as input the filenames of one or more .zeek scripts which diff --git a/sensor-iso/Dockerfile b/sensor-iso/Dockerfile index c96bc5753..a609ece07 100644 --- a/sensor-iso/Dockerfile +++ b/sensor-iso/Dockerfile 
@@ -1,6 +1,6 @@ FROM ghcr.io/mmguero/qemu-live-iso:latest -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" LABEL org.opencontainers.image.authors='malcolm@inl.gov' diff --git a/sensor-iso/arkime/Dockerfile b/sensor-iso/arkime/Dockerfile index f6d5ab354..80c6074ea 100644 --- a/sensor-iso/arkime/Dockerfile +++ b/sensor-iso/arkime/Dockerfile @@ -1,6 +1,6 @@ FROM debian:12-slim -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" diff --git a/sensor-iso/arkime/build-arkime-deb.sh b/sensor-iso/arkime/build-arkime-deb.sh index c20eee583..b556741ab 100755 --- a/sensor-iso/arkime/build-arkime-deb.sh +++ b/sensor-iso/arkime/build-arkime-deb.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. ARKIME_URL="https://github.com/arkime/arkime.git" OUTPUT_DIR="/tmp" diff --git a/sensor-iso/arkime/build-docker-image.sh b/sensor-iso/arkime/build-docker-image.sh index 808a5641b..e071e492d 100755 --- a/sensor-iso/arkime/build-docker-image.sh +++ b/sensor-iso/arkime/build-docker-image.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # force-navigate to script directory SCRIPT_PATH="$( cd -P "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" diff --git a/sensor-iso/build.sh b/sensor-iso/build.sh index abeef74f5..49a15f561 100755 --- a/sensor-iso/build.sh +++ b/sensor-iso/build.sh @@ -5,7 +5,7 @@ IMAGE_PUBLISHER=cisagov IMAGE_VERSION=1.0.0 IMAGE_DISTRIBUTION=bookworm -BEATS_VER="8.11.1" +BEATS_VER="8.11.3" BEATS_OSS="-oss" BUILD_ERROR_CODE=1 
@@ -106,12 +106,13 @@ if [ -d "$WORKDIR" ]; then # replace capture interface for now, it'll need to be automatically detected/configured on boot sed -i "s/CAPTURE_INTERFACE=.*/CAPTURE_INTERFACE=xxxx/g" ./config/includes.chroot/opt/sensor/sensor_ctl/control_vars.conf - # copy shared scripts + # copy shared scripts and files rsync -a "$SCRIPT_PATH/shared/bin/" ./config/includes.chroot/usr/local/bin/ mkdir -p ./config/includes.chroot/opt/zeek/bin/ mv ./config/includes.chroot/usr/local/bin/zeekdeploy.sh ./config/includes.chroot/opt/zeek/bin/ ln -s -r ./config/includes.chroot/usr/local/bin/malcolm_utils.py ./config/includes.chroot/opt/zeek/bin/ chown -R root:root ./config/includes.chroot/usr/local/bin/ ./config/includes.chroot/opt/zeek/bin/ + rsync -a "$SCRIPT_PATH/suricata/" ./config/includes.chroot/opt/sensor/sensor_ctl/suricata/ # write out some version stuff specific to this installation version echo "BUILD_ID=\"$(date +'%Y-%m-%d')-${IMAGE_VERSION}\"" > ./config/includes.chroot/opt/sensor/.os-info @@ -167,7 +168,7 @@ if [ -d "$WORKDIR" ]; then fi fi curl -s -S -L -o ipv4-address-space.csv "https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.csv" - curl -s -S -L -o oui.txt "https://gitlab.com/wireshark/wireshark/raw/release-4.0/manuf" + curl -s -S -L -o oui.txt "https://www.wireshark.org/download/automated/data/manuf" popd >/dev/null 2>&1 # clone and build Arkime .deb package in its own clean environment (rather than in hooks/) diff --git a/sensor-iso/build_via_vagrant.sh b/sensor-iso/build_via_vagrant.sh index 7fd7fd43d..fa9a2f84a 100755 --- a/sensor-iso/build_via_vagrant.sh +++ b/sensor-iso/build_via_vagrant.sh @@ -28,7 +28,8 @@ function cleanup_shared_and_docs { "$SCRIPT_PATH"/_includes \ "$SCRIPT_PATH"/_layouts \ "$SCRIPT_PATH"/Gemfile \ - "$SCRIPT_PATH"/README.md + "$SCRIPT_PATH"/README.md \ + "$SCRIPT_PATH"/suricata } unset FORCE_PROVISION 
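Review bot: `curl -s -S -L -o oui.txt "https://www.wireshark.org/download/automated/data/manuf"` has no `-f`/`--fail`, so an HTTP error page from the new host is written to oui.txt and baked into the image as the OUI table instead of failing the build. Add it to this line — `curl -fsSL -o oui.txt "https://www.wireshark.org/download/automated/data/manuf"` — and the `ipv4-address-space.csv` fetch just above shares the pattern. The enclosing `if [ -d "$WORKDIR" ]` block begins and ends outside the hunk.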
@@ -87,6 +88,8 @@ cp -r "$SCRIPT_PATH"/../shared \ "$SCRIPT_PATH"/../README.md "$SCRIPT_PATH"/ cp "$SCRIPT_PATH"/../scripts/documentation_build.sh "$SCRIPT_PATH"/docs/ cp "$SCRIPT_PATH"/../scripts/malcolm_utils.py "$SCRIPT_PATH"/shared/bin/ +mkdir "$SCRIPT_PATH"/suricata +cp -r "$SCRIPT_PATH"/../suricata/rules-default "$SCRIPT_PATH"/suricata/ YML_IMAGE_VERSION="$(grep -P "^\s+image:.*/malcolm/" "$SCRIPT_PATH"/../docker-compose-standalone.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" [[ -n $YML_IMAGE_VERSION ]] && echo "$YML_IMAGE_VERSION" > "$SCRIPT_PATH"/shared/version.txt diff --git a/sensor-iso/config/hooks/normal/0168-firefox-install.hook.chroot b/sensor-iso/config/hooks/normal/0168-firefox-install.hook.chroot index 18c4941ab..98b7a4782 100755 --- a/sensor-iso/config/hooks/normal/0168-firefox-install.hook.chroot +++ b/sensor-iso/config/hooks/normal/0168-firefox-install.hook.chroot @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. export LC_ALL=C.UTF-8 export LANG=C.UTF-8 diff --git a/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot b/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot index a1b67dde1..3a217625c 100755 --- a/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot +++ b/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot @@ -1,6 +1,6 @@ #!/bin/sh -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. export LC_ALL=C.UTF-8 export LANG=C.UTF-8 diff --git a/sensor-iso/config/hooks/normal/0900-setup-rc-local.hook.chroot b/sensor-iso/config/hooks/normal/0900-setup-rc-local.hook.chroot index 7eeb00e8b..a97c39031 100755 --- a/sensor-iso/config/hooks/normal/0900-setup-rc-local.hook.chroot +++ b/sensor-iso/config/hooks/normal/0900-setup-rc-local.hook.chroot 
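Review bot: `mkdir "$SCRIPT_PATH"/suricata` without `-p` aborts the build if the directory survives from an interrupted previous run (whether the script runs under `set -e` is not visible here), even though `cleanup_shared_and_docs` in the earlier hunk is what normally removes it. `mkdir -p "$SCRIPT_PATH"/suricata` matches the tolerance of the neighbouring `cp` lines, which overwrite existing targets.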
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 sed -i 's/^exit 0//' /etc/rc.local 2>/dev/null
diff --git a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot
index 161106cea..144e70778 100755
--- a/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot
+++ b/sensor-iso/config/hooks/normal/0910-sensor-build.hook.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 # some environment variables needed for build
 export CCACHE_DIR="/var/spool/ccache"
@@ -224,9 +224,9 @@ freshclam --stdout --quiet --no-warnings
 # set up capabilities for network-related tools
 chown root:netdev /usr/sbin/netsniff-ng && \
- setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip CAP_SYS_ADMIN+eip' /usr/sbin/netsniff-ng
+ setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' /usr/sbin/netsniff-ng
 chown root:netdev "${ZEEK_DIR}"/bin/zeek && \
- setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' "${ZEEK_DIR}"/bin/zeek
+ setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' "${ZEEK_DIR}"/bin/zeek
 chown root:netdev /sbin/ethtool && \
 setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /sbin/ethtool
 chown root:netdev "${ZEEK_DIR}"/bin/capstats && \
@@ -236,7 +236,7 @@ chown root:netdev /usr/bin/tcpdump && \
 chown root:netdev /usr/bin/suricata && \
 setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' /usr/bin/suricata
 chown root:netdev /opt/arkime/bin/capture && \
- setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' /opt/arkime/bin/capture
+ setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /opt/arkime/bin/capture
 ln -s -f "${ZEEK_DIR}"/bin/zeek /usr/local/bin/
 ln -s -f /usr/sbin/netsniff-ng /usr/local/bin/
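Review bot: The two setcap hunks narrow the file capabilities of netsniff-ng, zeek and Arkime capture (dropping CAP_SYS_ADMIN and CAP_IPC_LOCK), which is a least-privilege improvement, but nothing records why each tool keeps the set it does, and suricata and netsniff-ng still retain CAP_IPC_LOCK while zeek and capture lose it. A comment above the block, e.g. `# least-privilege: grant each capture tool only the capabilities it actually uses; revisit before adding any back`, would stop a later edit from quietly restoring the broader set. Each `chown ... && \ setcap ...` pair also skips setcap silently when chown fails, leaving the binary without capabilities instead of failing the build; with the hook's error handling outside the hunk I cannot tell whether that is caught elsewhere.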
diff --git a/sensor-iso/config/hooks/normal/0911-get-stig-scripts.hook.chroot b/sensor-iso/config/hooks/normal/0911-get-stig-scripts.hook.chroot index f5bc55347..2d9862133 100755 --- a/sensor-iso/config/hooks/normal/0911-get-stig-scripts.hook.chroot +++ b/sensor-iso/config/hooks/normal/0911-get-stig-scripts.hook.chroot @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # clone harbian-audit and clean up some stuff we don't need mkdir -p /opt diff --git a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot index 09adb6273..ee8baa4ae 100755 --- a/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot +++ b/sensor-iso/config/hooks/normal/0990-remove-unwanted-pkg.hook.chroot @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # remove development packages not necessary for building dynamic Zeek plugins apt-get -y --purge remove \ diff --git a/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot b/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot index 2a462a350..93afb4f60 100755 --- a/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot +++ b/sensor-iso/config/hooks/normal/0991-security-performance.hook.chroot @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # configure firewall sed -i "s/LOGLEVEL=.*/LOGLEVEL=off/" /etc/ufw/ufw.conf 
@@ -96,14 +96,6 @@ echo "umask 077" >> /etc/profile
 echo "export UMASK=077" >> /etc/profile
 echo "export PYTHONDONTWRITEBYTECODE=1" >> /etc/profile
-# enable cron logging
-sed -r -i "s@^#(cron\.\*\s+.*/var/log/cron\.log)@\1@" /etc/rsyslog.conf
-
-# enable rsyslog forwarding to localhost:9514 over UDP (for filebeat syslog input)
-echo >> /etc/rsyslog.conf
-echo '*.* @127.0.0.1:9514' >> /etc/rsyslog.conf
-echo >> /etc/rsyslog.conf
-
 # put sudoers log into its own logfile
 awk 'FNR==NR{ if (/^Defaults/) p=NR; next} 1; FNR==p{ print "Defaults\t!syslog\nDefaults\tlogfile=/var/log/sudo.log" }' /etc/sudoers /etc/sudoers > /tmp/newsudoers
 mv /tmp/newsudoers /etc/sudoers && chmod 440 /etc/sudoers
diff --git a/sensor-iso/config/hooks/normal/0992-login.hook.chroot b/sensor-iso/config/hooks/normal/0992-login.hook.chroot
index d8dc2fff3..c8cd4a337 100755
--- a/sensor-iso/config/hooks/normal/0992-login.hook.chroot
+++ b/sensor-iso/config/hooks/normal/0992-login.hook.chroot
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 sed -i 's/^#autologin-user=.*/autologin-user=sensor/' /etc/lightdm/lightdm.conf
 sed -i 's/^#autologin-user-timeout=.*/autologin-user-timeout=0/' /etc/lightdm/lightdm.conf
diff --git a/sensor-iso/config/includes.binary/install/preseed_base.cfg b/sensor-iso/config/includes.binary/install/preseed_base.cfg
index 81b5ba435..bc3c87ca2 100644
--- a/sensor-iso/config/includes.binary/install/preseed_base.cfg
+++ b/sensor-iso/config/includes.binary/install/preseed_base.cfg
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 d-i netcfg/enable boolean false
 d-i netcfg/choose_interface select auto
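Review bot: The removed rsyslog block was the path by which host syslog (including cron) reached the local forwarder on UDP 9514; the fluent-bit `systemd` input added elsewhere in this commit presumably takes over, but the hook now leaves no trace of that hand-off for anyone auditing the sensor's log coverage. A one-line comment at the deletion point, `# host syslog is forwarded via the fluent-bit systemd input (supervisor.d/fluentbit-systemd.conf), not rsyslog`, would document where those messages now go. Whether rsyslog remains installed and writing local files is not visible here.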
diff --git a/sensor-iso/config/includes.binary/install/preseed_multipar.cfg b/sensor-iso/config/includes.binary/install/preseed_multipar.cfg index 4f5c10499..9189b6932 100644 --- a/sensor-iso/config/includes.binary/install/preseed_multipar.cfg +++ b/sensor-iso/config/includes.binary/install/preseed_multipar.cfg @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. d-i debian-installer/locale string en_US.UTF-8 d-i console-setup/ask_detect boolean false diff --git a/sensor-iso/config/includes.binary/install/preseed_vmware.cfg b/sensor-iso/config/includes.binary/install/preseed_vmware.cfg index 7d433121d..792d0c7a6 100644 --- a/sensor-iso/config/includes.binary/install/preseed_vmware.cfg +++ b/sensor-iso/config/includes.binary/install/preseed_vmware.cfg @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. d-i debian-installer/locale string en_US.UTF-8 d-i console-setup/ask_detect boolean false diff --git a/sensor-iso/config/includes.chroot/opt/zeek/share/zeek/site/extractor.zeek b/sensor-iso/config/includes.chroot/opt/zeek/share/zeek/site/extractor.zeek index 0418f23e9..07e745368 100644 --- a/sensor-iso/config/includes.chroot/opt/zeek/share/zeek/site/extractor.zeek +++ b/sensor-iso/config/includes.chroot/opt/zeek/share/zeek/site/extractor.zeek @@ -1,6 +1,6 @@ #!/usr/bin/env zeek -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. @load ./extractor_params diff --git a/sensor-iso/config/includes.chroot/opt/zeek/share/zeek/site/extractor_params.zeek b/sensor-iso/config/includes.chroot/opt/zeek/share/zeek/site/extractor_params.zeek index a169bd0d9..2ffb8a8a2 100644 --- a/sensor-iso/config/includes.chroot/opt/zeek/share/zeek/site/extractor_params.zeek 
+++ b/sensor-iso/config/includes.chroot/opt/zeek/share/zeek/site/extractor_params.zeek @@ -1,6 +1,6 @@ #!/usr/bin/env zeek -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. export { const extractor_extract_none = "none" &redef; diff --git a/sensor-iso/interface/sensor_ctl/arkime/config.ini b/sensor-iso/interface/sensor_ctl/arkime/config.ini index 9b67ff43e..fd30ae188 100644 --- a/sensor-iso/interface/sensor_ctl/arkime/config.ini +++ b/sensor-iso/interface/sensor_ctl/arkime/config.ini 
@@ -2,49 +2,50 @@ # so you can (for the most part) ignore settings here that seem like dummy settings [default] +antiSynDrop=false +compressES=false +dropGroup=netdev +dropUser=sensor elasticsearch=http://192.168.0.1:9200 -rotateIndex=daily -passwordSecret=Malcolm +freeSpaceG=5% +geoLite2ASN=/dummy/GeoLite2-ASN.mmdb +geoLite2Country=/dummy/GeoLite2-Country.mmdb httpRealm=Arkime +icmpTimeout=10 +bpf= interface=enp0s1 -pcapDir=/tmp +logESRequests=false +logEveryXPackets=500000 +logFileCreation=true +logHTTPConnections=false +logUnknownProtocols=false +maxESConns=30 +maxESRequests=500 maxFileSizeG=4 maxFileTimeM=180 -tcpTimeout=600 -tcpSaveTimeout=720 -udpTimeout=30 -icmpTimeout=10 -maxStreams=1000000 maxPackets=10000 -freeSpaceG=5% -viewPort=8005 -geoLite2Country=/dummy/GeoLite2-Country.mmdb -geoLite2ASN=/dummy/GeoLite2-ASN.mmdb -rirFile=/dummy/ipv4-address-space.csv +maxReqBody=64 +maxStreams=1000000 ouiFile=/dummy/oui.txt -dropUser=sensor -dropGroup=netdev -parseSMTP=true -parseSMB=true +packetsPerPoll=50000 parseQSValue=false -supportSha256=false -maxReqBody=64 -reqBodyOnlyUtf8=true -smtpIpHeaders=X-Originating-IP:;X-Barracuda-Apparent-Source-IP: parsersDir=/dummy/parsers +parseSMB=true +parseSMTP=true +passwordSecret=Malcolm +pcapDir=/tmp pluginsDir=/dummy/plugins -spiDataMaxIndices=2 +reqBodyOnlyUtf8=true +rirFile=/dummy/ipv4-address-space.csv +rotateIndex=daily +smtpIpHeaders=X-Originating-IP:;X-Barracuda-Apparent-Source-IP: +spiDataMaxIndices=7 +supportSha256=false +tcpSaveTimeout=720 +tcpTimeout=600 +udpTimeout=30 uploadCommand= -compressES=false -maxESConns=30 -maxESRequests=500 -packetsPerPoll=50000 -antiSynDrop=false -logEveryXPackets=500000 -logUnknownProtocols=false -logESRequests=false -logFileCreation=true -logHTTPConnections=false +viewPort=8005 ### High Performance settings # https://github.com/arkime/arkime/wiki/Settings#High_Performance_Settings 
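Review bot: The hunk sorts the `[default]` section alphabetically, but the new `bpf=` line lands between `icmpTimeout` and `interface` instead of after `antiSynDrop`, and `spiDataMaxIndices` changes from `2` to `7` with nothing to mark it as deliberate amid an otherwise pure reorder. Moving `bpf=` up preserves the ordering the hunk establishes, and a short comment above `spiDataMaxIndices=7` giving the reason for the new value would keep it from being mistaken for a reshuffle artefact. The file header says these are dummy values overwritten at startup, so `passwordSecret=Malcolm` and the plaintext `elasticsearch` URL are placeholders rather than live credentials.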
@@ -60,5 +61,4 @@ simpleGzipLevel=3 packetThreads=5 maxPacketsInQueue=300000 dbBulkSize=4000000 -#compressES=true rulesFiles=/dummy/rules.yml diff --git a/sensor-iso/interface/sensor_ctl/clean.sh b/sensor-iso/interface/sensor_ctl/clean.sh index e4f696d9c..047b1d220 100755 --- a/sensor-iso/interface/sensor_ctl/clean.sh +++ b/sensor-iso/interface/sensor_ctl/clean.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. set -e diff --git a/sensor-iso/interface/sensor_ctl/control.sh b/sensor-iso/interface/sensor_ctl/control.sh index eb020d25d..84a645b1f 100755 --- a/sensor-iso/interface/sensor_ctl/control.sh +++ b/sensor-iso/interface/sensor_ctl/control.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. set -e diff --git a/sensor-iso/interface/sensor_ctl/control_vars.conf b/sensor-iso/interface/sensor_ctl/control_vars.conf index 98301dae5..d821c64d8 100644 --- a/sensor-iso/interface/sensor_ctl/control_vars.conf +++ b/sensor-iso/interface/sensor_ctl/control_vars.conf @@ -89,6 +89,7 @@ export ZEEK_DISABLE_BEST_GUESS_ICS=true # Suricata export SURICATA_CUSTOM_RULES_ONLY=false +export SURICATA_DISABLE_ICS_ALL=false export SURICATA_RUNMODE=workers export SURICATA_AF_PACKET_BLOCK_SIZE=32768 export SURICATA_AF_PACKET_BLOCK_TIMEOUT=10 @@ -140,7 +141,7 @@ export AUTOSTART_FLUENTBIT_AIDE=false export AUTOSTART_FLUENTBIT_AUDITLOG=false export AUTOSTART_FLUENTBIT_KMSG=false export AUTOSTART_FLUENTBIT_METRICS=false -export AUTOSTART_FLUENTBIT_SYSLOG=false +export AUTOSTART_FLUENTBIT_SYSTEMD=false export AUTOSTART_FLUENTBIT_THERMAL=false export AUTOSTART_MISCBEAT=false export AUTOSTART_NETSNIFF=false 
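Review bot: `AUTOSTART_FLUENTBIT_SYSLOG` becomes `AUTOSTART_FLUENTBIT_SYSTEMD` in control_vars.conf; a sensor whose persisted control_vars.conf still carries `AUTOSTART_FLUENTBIT_SYSLOG=true` gets no host-log forwarding at all after upgrade, because the new supervisor program reads only the new variable and the old program file is deleted in this commit. A comment next to the new line, `# replaces AUTOSTART_FLUENTBIT_SYSLOG (rsyslog UDP input); host logs now come from the systemd journal`, or a migration step in whatever applies configuration upgrades (not visible here), would make the silent change discoverable.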
diff --git a/sensor-iso/interface/sensor_ctl/filebeat/filebeat.yml b/sensor-iso/interface/sensor_ctl/filebeat/filebeat.yml index 6b6ec2fda..0816bb59f 100644 --- a/sensor-iso/interface/sensor_ctl/filebeat/filebeat.yml +++ b/sensor-iso/interface/sensor_ctl/filebeat/filebeat.yml @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. logging.metrics.enabled: false diff --git a/sensor-iso/interface/sensor_ctl/filebeat/sensor_filebeat_local.sh b/sensor-iso/interface/sensor_ctl/filebeat/sensor_filebeat_local.sh index 47de02598..212a1d1ad 100755 --- a/sensor-iso/interface/sensor_ctl/filebeat/sensor_filebeat_local.sh +++ b/sensor-iso/interface/sensor_ctl/filebeat/sensor_filebeat_local.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. if [[ -z "$ZEEK_CAPTURE_PATH" ]]; then ZEEK_CAPTURE_PATH="$HOME/bro_logs" diff --git a/sensor-iso/interface/sensor_ctl/miscbeat/filebeat.yml b/sensor-iso/interface/sensor_ctl/miscbeat/filebeat.yml index de1d9eb84..f3a0dbae7 100644 --- a/sensor-iso/interface/sensor_ctl/miscbeat/filebeat.yml +++ b/sensor-iso/interface/sensor_ctl/miscbeat/filebeat.yml @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. filebeat.inputs: - type: tcp diff --git a/sensor-iso/interface/sensor_ctl/miscbeat/sensor_miscbeat_local.sh b/sensor-iso/interface/sensor_ctl/miscbeat/sensor_miscbeat_local.sh index e650773dc..a62c80487 100755 --- a/sensor-iso/interface/sensor_ctl/miscbeat/sensor_miscbeat_local.sh +++ b/sensor-iso/interface/sensor_ctl/miscbeat/sensor_miscbeat_local.sh 
@@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # force-navigate to script directory (containing config file) [[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath diff --git a/sensor-iso/interface/sensor_ctl/scripts/log_disk_space.sh b/sensor-iso/interface/sensor_ctl/scripts/log_disk_space.sh index 28d09a96b..798987cde 100755 --- a/sensor-iso/interface/sensor_ctl/scripts/log_disk_space.sh +++ b/sensor-iso/interface/sensor_ctl/scripts/log_disk_space.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. SPACE_STRING="$(/bin/df -lh --output=source,target,avail,size,pcent | tail -n +2 | grep '^/dev' | tr -s ' ' ',' | cut -d, -f2,3,4,5 | sed 's/^/\[/' | sed 's/$/\]/' | tr '\n' '.')" logger "${SPACE_STRING}" diff --git a/sensor-iso/interface/sensor_ctl/supervisor.d/fluentbit-syslog.conf b/sensor-iso/interface/sensor_ctl/supervisor.d/fluentbit-syslog.conf deleted file mode 100644 index 0aaef35eb..000000000 --- a/sensor-iso/interface/sensor_ctl/supervisor.d/fluentbit-syslog.conf +++ /dev/null @@ -1,21 +0,0 @@ -[program:fluentbit-syslog] -command=/opt/fluent-bit/bin/fluent-bit - -R /etc/fluent-bit/parsers.conf - -i syslog - -p Mode=udp - -p Listen=127.0.0.1 - -p Port=9514 - -p Parser=syslog-rfc3164 - -p Buffer_Chunk_Size=32000 - -p Buffer_Max_Size=64000 - -o tcp://localhost:%(ENV_MISCBEAT_PORT)s - -p format=json_lines - -F nest -p Operation=nest -p Nested_under=syslog -p WildCard='*' -m '*' - -F record_modifier -p "Record=module syslog" -m '*' - -f 1 -startsecs=20 -startretries=3 -stopasgroup=true -killasgroup=true -autostart=%(ENV_AUTOSTART_FLUENTBIT_SYSLOG)s -autorestart=%(ENV_AUTOSTART_FLUENTBIT_SYSLOG)s 
diff --git a/sensor-iso/interface/sensor_ctl/supervisor.d/fluentbit-systemd.conf b/sensor-iso/interface/sensor_ctl/supervisor.d/fluentbit-systemd.conf
new file mode 100644
index 000000000..d62057e30
--- /dev/null
+++ b/sensor-iso/interface/sensor_ctl/supervisor.d/fluentbit-systemd.conf
@@ -0,0 +1,18 @@
+[program:fluentbit-systemd]
+command=/opt/fluent-bit/bin/fluent-bit
+ -R /etc/fluent-bit/parsers.conf
+ -i systemd
+ -p Read_From_Tail=On
+ -p Lowercase=On
+ -p Strip_Underscores=On
+ -o tcp://localhost:%(ENV_MISCBEAT_PORT)s
+ -p format=json_lines
+ -F nest -p Operation=nest -p Nested_under=systemd -p WildCard='*' -m '*'
+ -F record_modifier -p "Record=module systemd" -m '*'
+ -f 1
+startsecs=20
+startretries=3
+stopasgroup=true
+killasgroup=true
+autostart=%(ENV_AUTOSTART_FLUENTBIT_SYSTEMD)s
+autorestart=%(ENV_AUTOSTART_FLUENTBIT_SYSTEMD)s
diff --git a/sensor-iso/interface/sensor_ctl/supervisor.init/arkime_config_populate.sh b/sensor-iso/interface/sensor_ctl/supervisor.init/arkime_config_populate.sh
index 048e2944e..fd7c32ce2 100644
--- a/sensor-iso/interface/sensor_ctl/supervisor.init/arkime_config_populate.sh
+++ b/sensor-iso/interface/sensor_ctl/supervisor.init/arkime_config_populate.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 export ARKIME_HTTPS_FLAG=""
@@ -38,6 +38,10 @@ if [[ -n $SUPERVISOR_PATH ]] && [[ -r "$SUPERVISOR_PATH"/arkime/config.ini ]]; t
 sed -r -i "s|(elasticsearch)\s*=\s*.*|\1=$ARKIME_ELASTICSEARCH|" "$ARKIME_CONFIG_FILE"
 fi
+ if [[ -n $ARKIME_VIEWER_PORT ]]; then
+ sed -r -i "s/(viewPort)\s*=\s*.*/\1=$ARKIME_VIEWER_PORT/" "$ARKIME_CONFIG_FILE"
+ fi
+
 if [[ -n $ARKIME_PASSWORD_SECRET ]]; then
 # place the Arkime viewer cluster password hash in the config file
 sed -r -i "s|(passwordSecret)\s*=\s*.*|\1=$ARKIME_PASSWORD_SECRET|" "$ARKIME_CONFIG_FILE"
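Review bot: The new `systemd` input sets `-p Read_From_Tail=On` but no `-p DB=<path>` cursor database, so every (re)start of fluent-bit skips whatever the journal recorded while it was down, and those entries are never shipped to `MISCBEAT_PORT` — a blind spot that coincides exactly with the forwarder's own restarts. Adding `-p DB=<writable-state-dir>/fluentbit-systemd.db` (placeholder path) lets fluent-bit resume from its last journal cursor, after which `Read_From_Tail=On` only governs the very first start. No `Systemd_Filter` is set, so the entire journal is forwarded, which suits a sensor; a comment saying that is intentional would keep someone from narrowing it by accident.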
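Review bot: `$ARKIME_VIEWER_PORT` is spliced unescaped into the sed replacement `s/(viewPort)\s*=\s*.*/\1=$ARKIME_VIEWER_PORT/`, so a value containing `/` or `&` corrupts the config line instead of being rejected. Since viewPort must be numeric, validate before substituting: `if [[ -n $ARKIME_VIEWER_PORT ]] && [[ $ARKIME_VIEWER_PORT =~ ^[0-9]+$ ]]; then`. The enclosing `if [[ -n $SUPERVISOR_PATH ]] ...` block begins and ends outside the hunk.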
@@ -64,7 +68,6 @@ if [[ -n $SUPERVISOR_PATH ]] && [[ -r "$SUPERVISOR_PATH"/arkime/config.ini ]]; t if [[ -n $ARKIME_FREESPACEG ]]; then sed -r -i "s/(freeSpaceG)\s*=\s*.*/\1=$ARKIME_FREESPACEG/" "$ARKIME_CONFIG_FILE" fi - # pcap compression COMPRESSION_TYPE="${ARKIME_COMPRESSION_TYPE:-none}" COMPRESSION_LEVEL="${ARKIME_COMPRESSION_LEVEL:-0}" diff --git a/sensor-iso/interface/sensor_ctl/supervisor.init/supercronic_populate.sh b/sensor-iso/interface/sensor_ctl/supervisor.init/supercronic_populate.sh index ee81c84ba..a4eb73573 100644 --- a/sensor-iso/interface/sensor_ctl/supervisor.init/supercronic_populate.sh +++ b/sensor-iso/interface/sensor_ctl/supervisor.init/supercronic_populate.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. if [[ -n $SUPERVISOR_PATH ]] && [[ -d "$SUPERVISOR_PATH"/supercronic ]]; then diff --git a/sensor-iso/interface/sensor_ctl/supervisor.init/suricata_config_populate.sh b/sensor-iso/interface/sensor_ctl/supervisor.init/suricata_config_populate.sh index 96473ab4b..63f020636 100644 --- a/sensor-iso/interface/sensor_ctl/supervisor.init/suricata_config_populate.sh +++ b/sensor-iso/interface/sensor_ctl/supervisor.init/suricata_config_populate.sh 
@@ -12,8 +12,10 @@ if [[ -n $SUPERVISOR_PATH ]] && [[ -r /usr/local/bin/suricata_config_populate.py [[ ! -f "$SUPERVISOR_PATH"/suricata/update.yaml ]] && cp "$(dpkg -L suricata-update | grep 'update\.yaml' | head -n 1)" "$SUPERVISOR_PATH"/suricata/update.yaml # specify the custom rules and configuration directories relative to the supervisor path + SURICATA_DEFAULT_RULES_DIR="$SUPERVISOR_PATH"/suricata/rules-default SURICATA_CUSTOM_RULES_DIR="$SUPERVISOR_PATH"/suricata/rules SURICATA_CUSTOM_CONFIG_DIR="$SUPERVISOR_PATH"/suricata/include-configs + [[ -d "$SURICATA_DEFAULT_RULES_DIR" ]] && export SURICATA_DEFAULT_RULES_DIR [[ -d "$SURICATA_CUSTOM_RULES_DIR" ]] && export SURICATA_CUSTOM_RULES_DIR [[ -d "$SURICATA_CUSTOM_CONFIG_DIR" ]] && export SURICATA_CUSTOM_CONFIG_DIR diff --git a/sensor-iso/interface/sensor_ctl/supervisor.sh b/sensor-iso/interface/sensor_ctl/supervisor.sh index 7f1dc9241..933baf5cf 100755 --- a/sensor-iso/interface/sensor_ctl/supervisor.sh +++ b/sensor-iso/interface/sensor_ctl/supervisor.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. set -e @@ -81,7 +81,11 @@ mkdir -p "$SUPERVISOR_PATH/"{log,run} rm -f "$SUPERVISOR_PATH/"/log/* rm -rf /opt/sensor/sensor_ctl/zeek/intel/lock || true -mkdir -p "$SUPERVISOR_PATH"/suricata/rules "$SUPERVISOR_PATH"/suricata/include-configs "$ZEEK_LOG_PATH"/suricata 2>/dev/null || true +mkdir -p "$SUPERVISOR_PATH"/suricata/rules \ + "$SUPERVISOR_PATH"/suricata/rules-default/OT \ + "$SUPERVISOR_PATH"/suricata/rules-default/IT \ + "$SUPERVISOR_PATH"/suricata/include-configs \ + "$ZEEK_LOG_PATH"/suricata 2>/dev/null || true mkdir -p "$PCAP_PATH"/ 2>/dev/null || true mkdir -p "$SUPERVISOR_PATH"/supercronic 2>/dev/null && touch "$SUPERVISOR_PATH"/supercronic/crontab || true 
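Review bot: The `rules-default/OT` and `rules-default/IT` directory names added to this `mkdir -p` in supervisor.sh are repeated verbatim in the sensor-init.sh hunk (`@@ -66,7 +66,10 @@`) and, as the `'IT'`/`'OT'` literals, inside `GetRuleFiles` in suricata_config_populate.py, with nothing tying the three together. A comment on the mkdir such as `# rules-default/{IT,OT} must match the subdirectories GetRuleFiles() in suricata_config_populate.py globs` would make the coupling visible, and a brace expansion `"$SUPERVISOR_PATH"/suricata/rules-default/{OT,IT} \` would collapse the two new lines into one. The same comment belongs on the sensor-init.sh copy.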
diff --git a/sensor-iso/interface/sensor_ctl/zeek/extractor_override.interesting.zeek b/sensor-iso/interface/sensor_ctl/zeek/extractor_override.interesting.zeek index eaf220289..290a8948c 100644 --- a/sensor-iso/interface/sensor_ctl/zeek/extractor_override.interesting.zeek +++ b/sensor-iso/interface/sensor_ctl/zeek/extractor_override.interesting.zeek @@ -1,6 +1,6 @@ #!/usr/bin/env zeek -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. export { redef extractor_always_extract_unknown = F; diff --git a/sensor-iso/interface/sensor_interface/routes.py b/sensor-iso/interface/sensor_interface/routes.py index 2f4c3d66e..4a0b0c5ce 100644 --- a/sensor-iso/interface/sensor_interface/routes.py +++ b/sensor-iso/interface/sensor_interface/routes.py @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. import psutil import time diff --git a/sensor-iso/interface/sensor_interface/static/js/custom.js b/sensor-iso/interface/sensor_interface/static/js/custom.js index 592b584cb..9e7373347 100644 --- a/sensor-iso/interface/sensor_interface/static/js/custom.js +++ b/sensor-iso/interface/sensor_interface/static/js/custom.js @@ -1,4 +1,4 @@ -// Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +// Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. function start_all() { var xhttp = new XMLHttpRequest(); diff --git a/sensor-iso/interface/sensor_interface/sysquery/sys_service.py b/sensor-iso/interface/sensor_interface/sysquery/sys_service.py index a1a432bf2..781882084 100644 --- a/sensor-iso/interface/sensor_interface/sysquery/sys_service.py +++ b/sensor-iso/interface/sensor_interface/sysquery/sys_service.py 
@@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. import subprocess import json diff --git a/sensor-iso/vagrant/Vagrantfile b/sensor-iso/vagrant/Vagrantfile index 500ab7083..04cfb86f6 100644 --- a/sensor-iso/vagrant/Vagrantfile +++ b/sensor-iso/vagrant/Vagrantfile @@ -1,4 +1,4 @@ -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. unless Vagrant.has_plugin?("vagrant-sshfs") raise 'vagrant-sshfs plugin is not installed!' diff --git a/sensor-iso/yara/Dockerfile b/sensor-iso/yara/Dockerfile index 4afe51c14..98b9c4674 100644 --- a/sensor-iso/yara/Dockerfile +++ b/sensor-iso/yara/Dockerfile @@ -1,6 +1,6 @@ FROM debian:12-slim -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" diff --git a/sensor-iso/yara/build-docker-image.sh b/sensor-iso/yara/build-docker-image.sh index 190dd2454..31060166b 100755 --- a/sensor-iso/yara/build-docker-image.sh +++ b/sensor-iso/yara/build-docker-image.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # force-navigate to script directory SCRIPT_PATH="$( cd -P "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" diff --git a/sensor-iso/yara/build-yara-deb.sh b/sensor-iso/yara/build-yara-deb.sh index dd8415742..1fd9f7989 100755 --- a/sensor-iso/yara/build-yara-deb.sh +++ b/sensor-iso/yara/build-yara-deb.sh 
@@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. YARA_URL="https://github.com/VirusTotal/YARA" YARA_VER="$(curl -sqI "$YARA_URL/releases/latest" | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}' | sed 's/^v//')" diff --git a/sensor-iso/zeek/Dockerfile b/sensor-iso/zeek/Dockerfile index 6086825ff..c4e69ce8e 100644 --- a/sensor-iso/zeek/Dockerfile +++ b/sensor-iso/zeek/Dockerfile @@ -1,6 +1,6 @@ FROM debian:12-slim -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. LABEL maintainer="malcolm@inl.gov" diff --git a/sensor-iso/zeek/build-docker-image.sh b/sensor-iso/zeek/build-docker-image.sh index 320226c35..3538212ff 100755 --- a/sensor-iso/zeek/build-docker-image.sh +++ b/sensor-iso/zeek/build-docker-image.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # force-navigate to script directory SCRIPT_PATH="$( cd -P "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" diff --git a/sensor-iso/zeek/build-zeek-deb.sh b/sensor-iso/zeek/build-zeek-deb.sh index 4be53b1b8..0ea95d4dc 100755 --- a/sensor-iso/zeek/build-zeek-deb.sh +++ b/sensor-iso/zeek/build-zeek-deb.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. export CCACHE_DIR="/var/spool/ccache" export CCACHE_COMPRESS=1 diff --git a/shared/bin/agg-init.sh b/shared/bin/agg-init.sh index 3f8d0857f..b0215f97c 100755 --- a/shared/bin/agg-init.sh +++ b/shared/bin/agg-init.sh 
@@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. SCRIPT_PATH="$(dirname $(realpath -e "${BASH_SOURCE[0]}"))" diff --git a/shared/bin/capture-format-wait.sh b/shared/bin/capture-format-wait.sh index e2ba88095..1c4362e7c 100755 --- a/shared/bin/capture-format-wait.sh +++ b/shared/bin/capture-format-wait.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. grep -q boot=live /proc/cmdline && exit 0 diff --git a/shared/bin/common-init.sh b/shared/bin/common-init.sh index 645e0d181..19bbd3f9b 100755 --- a/shared/bin/common-init.sh +++ b/shared/bin/common-init.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. declare -A IFACES diff --git a/shared/bin/configure-capture.py b/shared/bin/configure-capture.py index e948c2bcb..c67729d81 100755 --- a/shared/bin/configure-capture.py +++ b/shared/bin/configure-capture.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # script for configuring sensor capture and forwarding parameters diff --git a/shared/bin/configure-interfaces.py b/shared/bin/configure-interfaces.py index f3f4c5bfc..56eafb508 100755 --- a/shared/bin/configure-interfaces.py +++ b/shared/bin/configure-interfaces.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # script for configuring sensor network interface controller(s) 
diff --git a/shared/bin/docker-load-wait.sh b/shared/bin/docker-load-wait.sh index c6cd55c8f..5f177c912 100755 --- a/shared/bin/docker-load-wait.sh +++ b/shared/bin/docker-load-wait.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. grep -q boot=live /proc/cmdline && exit 0 diff --git a/shared/bin/docker-uid-gid-setup.sh b/shared/bin/docker-uid-gid-setup.sh index 0022249ac..eb5189c2d 100755 --- a/shared/bin/docker-uid-gid-setup.sh +++ b/shared/bin/docker-uid-gid-setup.sh @@ -40,11 +40,25 @@ if [[ -n ${CONFIG_MAP_DIR} ]] && command -v rsync >/dev/null 2>&1; then awk '{print gsub("/","/"), $0}' | sort -n | cut -d' ' -f2- | \ while read CMDIR; do + DSTDIR="$(realpath "${CMDIR}"/../)" rsync --recursive --copy-links \ "--usermap=*:${PUID:-${DEFAULT_UID}}" \ "--groupmap=*:${PGID:-${DEFAULT_GID}}" \ --exclude='..*' --exclude="${MAP_DIR}"/ --exclude=.dockerignore --exclude=.gitignore \ - "${CMDIR}"/ "${CMDIR}"/../ + "${CMDIR}"/ "${DSTDIR}"/ + + # Additionally, files in these directories with _MALDIR_ in the name will be expanded out, + # creating the intermediate paths. For example: + # ./acid_MALDIR_ACID_MALDIR_s7comm_MALDIR_detect_MALDIR_copy.zeek + # will be renamed to + # ./acid/ACID/s7comm/detect/copy.zeek + find "${DSTDIR}" -type f -name '*_MALDIR_*' -print -o -path "${CMDIR}" -prune 2>/dev/null | \ + while read FLATTENED_FILE; do + EXPANDED_FILE="$(echo "${FLATTENED_FILE}" | sed 's@_MALDIR_@/@g')" + mkdir -p "$(dirname "${EXPANDED_FILE}")" && \ + mv "${FLATTENED_FILE}" "${EXPANDED_FILE}" || \ + true + done # loop over flattened filenames # TODO - regarding ownership and permissions: # diff --git a/shared/bin/fstab.py b/shared/bin/fstab.py index 7f13f45ce..b6750cd84 100644 --- a/shared/bin/fstab.py +++ b/shared/bin/fstab.py 
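Review bot: The rename loop builds `EXPANDED_FILE` from the file name with `echo | sed` and consumes the `find` output with a bare `read`, so names containing backslashes or leading whitespace are mangled, and nothing checks that the expanded path is still inside `${DSTDIR}` — a flattened name whose `_MALDIR_` segments expand to `..` would be moved out of the destination tree. The inputs are operator-supplied config-map files, so this is a robustness rather than an exploit concern, but the containment check is cheap; `${FLATTENED_FILE//_MALDIR_//}` also avoids the subshell and `echo` pitfalls, and the trailing `|| true` should at least say which file it gave up on instead of swallowing the failure. The enclosing `while read CMDIR` loop starts before this hunk.
```bash
      find "${DSTDIR}" -type f -name '*_MALDIR_*' -print -o -path "${CMDIR}" -prune 2>/dev/null | \
        while IFS= read -r FLATTENED_FILE; do
          EXPANDED_FILE="${FLATTENED_FILE//_MALDIR_//}"
          # only move within the destination tree; DSTDIR is already canonical (realpath above)
          case "$(realpath -m "${EXPANDED_FILE}")" in
            "${DSTDIR}"/*)
              mkdir -p "$(dirname "${EXPANDED_FILE}")" && \
                mv "${FLATTENED_FILE}" "${EXPANDED_FILE}" || \
                echo "could not expand ${FLATTENED_FILE}" >&2
              ;;
            *)
              echo "skipping ${FLATTENED_FILE}: expands outside ${DSTDIR}" >&2
              ;;
          esac
        done # loop over flattened filenames
```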
@@ -1,7 +1,7 @@ #!/usr/bin/env python # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # fstab interpreter diff --git a/shared/bin/keystore-bootstrap.sh b/shared/bin/keystore-bootstrap.sh index f24243523..b519db285 100644 --- a/shared/bin/keystore-bootstrap.sh +++ b/shared/bin/keystore-bootstrap.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # make sure the keystore file used by the tool (e.g., foobar) is copied or created # into the correct location before the tool. starts up. diff --git a/shared/bin/malcolm-first-run-configure.sh b/shared/bin/malcolm-first-run-configure.sh index 1f82c876e..3a81f572f 100755 --- a/shared/bin/malcolm-first-run-configure.sh +++ b/shared/bin/malcolm-first-run-configure.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. grep -q boot=live /proc/cmdline && exit 0 diff --git a/shared/bin/manuf-oui-parse.py b/shared/bin/manuf-oui-parse.py index e37d65ed0..92920adff 100755 --- a/shared/bin/manuf-oui-parse.py +++ b/shared/bin/manuf-oui-parse.py @@ -17,7 +17,7 @@ except ImportError: import yaml -DEFAULT_MANUF_URL = "https://gitlab.com/wireshark/wireshark/raw/release-4.0/manuf" +DEFAULT_MANUF_URL = "https://www.wireshark.org/download/automated/data/manuf" padded_mac_low = '00:00:00:00:00:00' padded_mac_high = 'FF:FF:FF:FF:FF:FF' mac_pattern = re.compile(r"[-:\.]") diff --git a/shared/bin/opensearch_read_only.py b/shared/bin/opensearch_read_only.py index 7d28bf4b3..38dac8715 100755 --- a/shared/bin/opensearch_read_only.py +++ b/shared/bin/opensearch_read_only.py 
@@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. import argparse import json diff --git a/shared/bin/opensearch_status.sh b/shared/bin/opensearch_status.sh index 47f7e5772..72883939b 100755 --- a/shared/bin/opensearch_status.sh +++ b/shared/bin/opensearch_status.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. set -e diff --git a/shared/bin/pcap_processor.py b/shared/bin/pcap_processor.py index 09ff58a00..8f54857c9 100755 --- a/shared/bin/pcap_processor.py +++ b/shared/bin/pcap_processor.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. ################################################################################################### # Process queued files reported by pcap_watcher.py, using either arkime's capture or zeek to process @@ -47,14 +47,15 @@ PCAP_PROCESSING_MODE_ZEEK = "zeek" PCAP_PROCESSING_MODE_SURICATA = "suricata" -ARKIME_CAPTURE_PATH = "/opt/arkime/bin/capture" +ARKIME_CAPTURE_PATH = "/opt/arkime/bin/capture-offline" +ARKIME_AUTOARKIME_TAG = 'AUTOARKIME' -SURICATA_PATH = "/usr/bin/suricata" +SURICATA_PATH = "/usr/bin/suricata-offline" SURICATA_LOG_DIR = os.getenv('SURICATA_LOG_DIR', '/var/log/suricata') SURICATA_CONFIG_FILE = os.getenv('SURICATA_CONFIG_FILE', '/etc/suricata/suricata.yaml') SURICATA_AUTOSURICATA_TAG = 'AUTOSURICATA' -ZEEK_PATH = "/opt/zeek/bin/zeek" +ZEEK_PATH = "/opt/zeek/bin/zeek-offline" ZEEK_EXTRACTOR_MODE_INTERESTING = 'interesting' ZEEK_EXTRACTOR_MODE_MAPPED = 'mapped' ZEEK_EXTRACTOR_MODE_NONE = 'none' 
@@ -71,6 +72,7 @@ TAGS_NOSHOW = ( USERTAG_TAG, + ARKIME_AUTOARKIME_TAG, SURICATA_AUTOSURICATA_TAG, ZEEK_AUTOZEEK_TAG, ) @@ -112,7 +114,7 @@ def arkimeCaptureFileWorker(arkimeWorkerArgs): scanWorkerId = scanWorkersCount.increment() # unique ID for this thread - newFileQueue, pcapBaseDir, arkimeBin, nodeName, nodeHost, autoTag, notLocked, logger = ( + newFileQueue, pcapBaseDir, arkimeBin, nodeName, nodeHost, autoArkime, forceArkime, autoTag, notLocked, logger = ( arkimeWorkerArgs[0], arkimeWorkerArgs[1], arkimeWorkerArgs[2], @@ -121,6 +123,8 @@ def arkimeCaptureFileWorker(arkimeWorkerArgs): arkimeWorkerArgs[5], arkimeWorkerArgs[6], arkimeWorkerArgs[7], + arkimeWorkerArgs[8], + arkimeWorkerArgs[9], ) if not logger: 
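Review bot: The worker now unpacks ten positional slots from `arkimeWorkerArgs` by index, and the two new fields were inserted in the middle of the sequence (`autoArkime`, `forceArkime` between `nodeHost` and `autoTag`), so this list and the argument tuple built in `main()` (`@@ -713,6 +747,8 @@`) must stay in lockstep with nothing checking it; the same index-unpacking is touched by the `@@ -121,6 +123,8 @@` hunk below. If the tuple is exactly these ten items, a single `newFileQueue, pcapBaseDir, arkimeBin, nodeName, nodeHost, autoArkime, forceArkime, autoTag, notLocked, logger = arkimeWorkerArgs` at least fails loudly on a length mismatch, and a `namedtuple` or dataclass would name the fields so future insertions cannot silently shift them. `arkimeCaptureFileWorker` begins and ends outside this hunk.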
@@ -141,49 +145,57 @@ def arkimeCaptureFileWorker(arkimeWorkerArgs): fileInfo[FILE_INFO_DICT_NAME] = os.path.join(pcapBaseDir, fileInfo[FILE_INFO_DICT_NAME]) if os.path.isfile(fileInfo[FILE_INFO_DICT_NAME]): - # finalize tags list - fileInfo[FILE_INFO_DICT_TAGS] = ( - [ - x - for x in fileInfo[FILE_INFO_DICT_TAGS] - if (x not in TAGS_NOSHOW) and (not x.startswith(ZEEK_AUTOCARVE_TAG_PREFIX)) - ] - if ((FILE_INFO_DICT_TAGS in fileInfo) and autoTag) - else list() - ) - logger.info(f"{scriptName}[{scanWorkerId}]:\t🔎\t{fileInfo}") - - # put together arkime execution command - cmd = [ - arkimeBin, - '--quiet', - '--insecure', - '--node', - fileInfo[FILE_INFO_DICT_NODE] if (FILE_INFO_DICT_NODE in fileInfo) else nodeName, - '-o', - f'ecsEventProvider={arkimeProvider}', - '-o', - f'ecsEventDataset={arkimeDataset}', - '-r', - fileInfo[FILE_INFO_DICT_NAME], - ] - if nodeHost: - cmd.append('--host') - cmd.append(nodeHost) - if notLocked: - cmd.append('--nolockpcap') - cmd.extend(list(chain.from_iterable(zip(repeat('-t'), fileInfo[FILE_INFO_DICT_TAGS])))) - - # execute capture for pcap file - retcode, output = run_process(cmd, logger=logger) - if retcode == 0: - logger.info( - f"{scriptName}[{scanWorkerId}]:\t✅\t{os.path.basename(fileInfo[FILE_INFO_DICT_NAME])}" + # Arkime this PCAP if it's tagged "AUTOARKIME" or if the global autoArkime flag is turned on. 
+ if ( + forceArkime + or autoArkime + or ( + (FILE_INFO_DICT_TAGS in fileInfo) and ARKIME_AUTOARKIME_TAG in fileInfo[FILE_INFO_DICT_TAGS] ) - else: - logger.warning( - f"{scriptName}[{scanWorkerId}]:\t❗\t{arkimeBin} {os.path.basename(fileInfo[FILE_INFO_DICT_NAME])} returned {retcode} {output}" + ): + # finalize tags list + fileInfo[FILE_INFO_DICT_TAGS] = ( + [ + x + for x in fileInfo[FILE_INFO_DICT_TAGS] + if (x not in TAGS_NOSHOW) and (not x.startswith(ZEEK_AUTOCARVE_TAG_PREFIX)) + ] + if ((FILE_INFO_DICT_TAGS in fileInfo) and autoTag) + else list() ) + logger.info(f"{scriptName}[{scanWorkerId}]:\t🔎\t{fileInfo}") + + # put together arkime execution command + cmd = [ + arkimeBin, + '--quiet', + '--insecure', + '--node', + fileInfo[FILE_INFO_DICT_NODE] if (FILE_INFO_DICT_NODE in fileInfo) else nodeName, + '-o', + f'ecsEventProvider={arkimeProvider}', + '-o', + f'ecsEventDataset={arkimeDataset}', + '-r', + fileInfo[FILE_INFO_DICT_NAME], + ] + if nodeHost: + cmd.append('--host') + cmd.append(nodeHost) + if notLocked: + cmd.append('--nolockpcap') + cmd.extend(list(chain.from_iterable(zip(repeat('-t'), fileInfo[FILE_INFO_DICT_TAGS])))) + + # execute capture for pcap file + retcode, output = run_process(cmd, logger=logger) + if retcode == 0: + logger.info( + f"{scriptName}[{scanWorkerId}]:\t✅\t{os.path.basename(fileInfo[FILE_INFO_DICT_NAME])}" + ) + else: + logger.warning( + f"{scriptName}[{scanWorkerId}]:\t❗\t{arkimeBin} {os.path.basename(fileInfo[FILE_INFO_DICT_NAME])} returned {retcode} {output}" + ) logger.info(f"{scriptName}[{scanWorkerId}]:\tfinished") @@ -531,7 +543,7 @@ def main(): help="PCAP source node host (for Arkime viewer reachback)", metavar='', type=str, - default=os.getenv('PCAP_NODE_HOST', ''), + default='', ) requiredNamed = parser.add_argument_group('required arguments') requiredNamed.add_argument( 
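Review bot: When the new guard at the top of the rewritten body is false the PCAP is dropped with no log line at all, so an operator asking why a file was never processed by Arkime sees nothing in the worker log. An `else:` on the guard with `logger.debug(f"{scriptName}[{scanWorkerId}]:\tskipped {os.path.basename(fileInfo[FILE_INFO_DICT_NAME])} (no {ARKIME_AUTOARKIME_TAG} tag)")` gives them a trace without adding noise at the default level. The comment above the guard also omits `forceArkime`, which is part of the condition; `# Arkime this PCAP if forced, if the global autoArkime flag is on, or if it is tagged "AUTOARKIME"` describes what the code does. `arkimeCaptureFileWorker` begins before and ends after this hunk.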
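Review bot: Dropping `os.getenv('PCAP_NODE_HOST', '')` as the default for the node-host argument removes an environment fallback that existing deployments may rely on, and neither the help text nor the hunk says why. If the variable is now consumed somewhere else, a one-line comment above `default='',` naming that place would keep a later maintainer from reinstating it; if it is simply no longer honoured, that is a user-visible change and belongs in the help string and the changelog. `main()` begins and ends outside this hunk.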
@@ -543,6 +555,28 @@ def main(): required=True, ) if processingMode == PCAP_PROCESSING_MODE_ARKIME: + parser.add_argument( + '--autoarkime', + dest='autoArkime', + help="Autoanalyze all PCAP file with Arkime", + metavar='true|false', + type=str2bool, + nargs='?', + const=True, + default=False, + required=False, + ) + parser.add_argument( + '--forcearkime', + dest='forceArkime', + help="Force Arkime analysis even on rotated PCAPs", + metavar='true|false', + type=str2bool, + nargs='?', + const=True, + default=False, + required=False, + ) parser.add_argument( '--arkime', required=False, @@ -713,6 +747,8 @@ def main(): args.executable, args.nodeName, args.nodeHost, + args.autoArkime, + args.forceArkime, args.autoTag, args.notLocked, logging, diff --git a/shared/bin/pcap_utils.py b/shared/bin/pcap_utils.py index 2c9bf4f57..39fd5d313 100644 --- a/shared/bin/pcap_utils.py +++ b/shared/bin/pcap_utils.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. import os import re diff --git a/shared/bin/pcap_watcher.py b/shared/bin/pcap_watcher.py index 821986ffd..8d70f322e 100755 --- a/shared/bin/pcap_watcher.py +++ b/shared/bin/pcap_watcher.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. ################################################################################################### # Monitor a directory for PCAP files for processing (by publishing their filenames to a ZMQ socket) diff --git a/shared/bin/preseed_late_user_config.sh b/shared/bin/preseed_late_user_config.sh index f5036608a..439c01a72 100755 --- a/shared/bin/preseed_late_user_config.sh +++ b/shared/bin/preseed_late_user_config.sh 
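Review bot: The help string for `--autoarkime` reads "Autoanalyze all PCAP file with Arkime" — `files`. More substantively, in the worker hunk earlier in this file (`@@ -141,49 +145,57 @@`) `forceArkime` and `autoArkime` are simply OR-ed together, so as far as the visible code goes the two flags are interchangeable; if the "even on rotated PCAPs" distinction promised by the `--forcearkime` help is applied elsewhere, a comment on that `parser.add_argument` block naming the place would stop the next reader from concluding the flag is redundant. `main()` begins and ends outside this hunk.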
@@ -1,6 +1,6 @@ #!/bin/sh -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. ################################################################################## # prompt whether to autologin or not diff --git a/shared/bin/prune_files.sh b/shared/bin/prune_files.sh index 56fe3a9dd..9d4c63f99 100755 --- a/shared/bin/prune_files.sh +++ b/shared/bin/prune_files.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # recursion depth (1 = not recursive) DEPTH=1 diff --git a/shared/bin/sensor-capture-disk-config.py b/shared/bin/sensor-capture-disk-config.py index b6ac3dd52..40c05b323 100755 --- a/shared/bin/sensor-capture-disk-config.py +++ b/shared/bin/sensor-capture-disk-config.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. ################################################################################################### # Detect, partition, and format devices to be used for sensor packet/log captures. diff --git a/shared/bin/sensor-init.sh b/shared/bin/sensor-init.sh index 7a081f9ef..0f0ddaaa0 100755 --- a/shared/bin/sensor-init.sh +++ b/shared/bin/sensor-init.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. SCRIPT_PATH="$(dirname $(realpath -e "${BASH_SOURCE[0]}"))" 
@@ -66,7 +66,10 @@ if [[ -r "$SCRIPT_PATH"/common-init.sh ]]; then if dpkg -s suricata >/dev/null 2>&1 ; then mkdir -p /etc/suricata/rules /var/log/suricata /var/lib/suricata/rules if [[ -d /opt/sensor/sensor_ctl ]]; then - mkdir -p /opt/sensor/sensor_ctl/suricata/rules /opt/sensor/sensor_ctl/suricata/include-configs + mkdir -p /opt/sensor/sensor_ctl/suricata/rules \ + /opt/sensor/sensor_ctl/suricata/rules-default/OT \ + /opt/sensor/sensor_ctl/suricata/rules-default/IT \ + /opt/sensor/sensor_ctl/suricata/include-configs [[ ! -f /opt/sensor/sensor_ctl/suricata/suricata.yaml ]] && cp /etc/suricata/suricata.yaml /opt/sensor/sensor_ctl/suricata/suricata.yaml [[ ! -f /opt/sensor/sensor_ctl/suricata/update.yaml ]] && cp "$(dpkg -L suricata-update | grep 'update\.yaml' | head -n 1)" /opt/sensor/sensor_ctl/suricata/update.yaml fi diff --git a/shared/bin/sensorcommon.py b/shared/bin/sensorcommon.py index 19d97f3ff..8d5b3ebb3 100644 --- a/shared/bin/sensorcommon.py +++ b/shared/bin/sensorcommon.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. import argparse import ipaddress diff --git a/shared/bin/service_check_passthrough.sh b/shared/bin/service_check_passthrough.sh index 6b98aed5c..3e63a57a4 100755 --- a/shared/bin/service_check_passthrough.sh +++ b/shared/bin/service_check_passthrough.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # This script will check command-line parameters and environment variables to see # if the service (determined by the hostname, unless otherwise specified) is 
@@ -159,7 +159,7 @@ EOF fi # json vs http if command -v goStatic >/dev/null 2>&1; then - goStatic -path "$(pwd)" -fallback "index.html" -port $PORT + goStatic -vhost "" -path "$(pwd)" -fallback "index.html" -port $PORT elif command -v python3 >/dev/null 2>&1; then python3 -m http.server --bind 0.0.0.0 $PORT elif command -v python >/dev/null 2>&1; then diff --git a/shared/bin/set-dconf-screen-lock-defaults.sh b/shared/bin/set-dconf-screen-lock-defaults.sh index c5864c1fd..9ccb4c0c1 100755 --- a/shared/bin/set-dconf-screen-lock-defaults.sh +++ b/shared/bin/set-dconf-screen-lock-defaults.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. grep -q boot=live /proc/cmdline && exit 0 diff --git a/shared/bin/set-malcolm-gtk-bookmark.sh b/shared/bin/set-malcolm-gtk-bookmark.sh index f324b94dc..5b16afc88 100755 --- a/shared/bin/set-malcolm-gtk-bookmark.sh +++ b/shared/bin/set-malcolm-gtk-bookmark.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. if ! grep -q Malcolm$ "$HOME"/.config/gtk-3.0/bookmarks && [[ -d "$HOME"/Malcolm ]]; then mkdir -p "$HOME"/.config/gtk-3.0/ diff --git a/shared/bin/suricata_config_populate.py b/shared/bin/suricata_config_populate.py index 612e30a15..50c365304 100755 --- a/shared/bin/suricata_config_populate.py +++ b/shared/bin/suricata_config_populate.py @@ -1,7 +1,7 @@ #!/usr/bin/env python3 # -*- coding: utf-8 -*- -# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved. +# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved. # modify suricata.yaml according to many environment variables @@ -13,7 +13,7 @@ import argparse import contextlib -import fnmatch +import glob import logging import os import sys 
@@ -271,8 +271,8 @@ def __call__(self, repr, data): ), 'dnp3': ProtocolConfig( [], - val2bool(DEFAULT_VARS['DNP3_ENABLED']), - val2bool(DEFAULT_VARS['DNP3_EVE_ENABLED']), + (not val2bool(DEFAULT_VARS['DISABLE_ICS_ALL'])) and val2bool(DEFAULT_VARS['DNP3_ENABLED']), + (not val2bool(DEFAULT_VARS['DISABLE_ICS_ALL'])) and val2bool(DEFAULT_VARS['DNP3_EVE_ENABLED']), True, DEFAULT_VARS['DNP3_PORTS'], None, @@ -287,8 +287,8 @@ def __call__(self, repr, data): ), 'enip': ProtocolConfig( [], - val2bool(DEFAULT_VARS['ENIP_ENABLED']), - val2bool(DEFAULT_VARS['ENIP_EVE_ENABLED']), + (not val2bool(DEFAULT_VARS['DISABLE_ICS_ALL'])) and val2bool(DEFAULT_VARS['ENIP_ENABLED']), + (not val2bool(DEFAULT_VARS['DISABLE_ICS_ALL'])) and val2bool(DEFAULT_VARS['ENIP_EVE_ENABLED']), False, DEFAULT_VARS['ENIP_PORTS'], DEFAULT_VARS['ENIP_PORTS'], @@ -359,8 +359,8 @@ def __call__(self, repr, data): ), 'modbus': ProtocolConfig( [], - val2bool(DEFAULT_VARS['MODBUS_ENABLED']), - val2bool(DEFAULT_VARS['MODBUS_EVE_ENABLED']), + (not val2bool(DEFAULT_VARS['DISABLE_ICS_ALL'])) and val2bool(DEFAULT_VARS['MODBUS_ENABLED']), + (not val2bool(DEFAULT_VARS['DISABLE_ICS_ALL'])) and val2bool(DEFAULT_VARS['MODBUS_EVE_ENABLED']), False, DEFAULT_VARS['MODBUS_PORTS'], None, 
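Review bot: `(not val2bool(DEFAULT_VARS['DISABLE_ICS_ALL']))` is re-evaluated twice per protocol in each of the dnp3, enip and modbus entries of this table (and presumably in every other ICS entry edited the same way), which is both noisy and easy to get wrong when the next protocol is added. If the table is built where a local can precede it, hoisting the check once — `icsEnabled = not val2bool(DEFAULT_VARS['DISABLE_ICS_ALL'])` — and writing `icsEnabled and val2bool(DEFAULT_VARS['DNP3_ENABLED']),` reads as the intent ("ICS protocols are on unless globally disabled") and keeps the per-protocol lines short. The enclosing table begins and ends outside these hunks.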
@@ -503,39 +503,83 @@ def __call__(self, repr, data): ################################################################################################### -def GetRuleSources(requireRulesExist=False): +def GetRuleFiles(): global DEFAULT_VARS - ruleSources = [] + ruleFiles = [] if not val2bool(DEFAULT_VARS['CUSTOM_RULES_ONLY']): - ruleSources.append('suricata.rules') + # built-in suricata rules + ruleFiles.append('suricata.rules') + + # Malcolm's default IT rules + ruleFiles.extend( + sorted( + list( + glob.iglob( + os.path.join( + os.path.join(os.path.join(DEFAULT_VARS['DEFAULT_RULES_DIR'], 'IT'), '**'), '*.rules' + ), + recursive=True, + ) + ) + ) + if os.path.isdir(str(DEFAULT_VARS['DEFAULT_RULES_DIR'])) + else [] + ) + + # Malcolm's default OT rules + ruleFiles.extend( + sorted( + list( + glob.iglob( + os.path.join( + os.path.join(os.path.join(DEFAULT_VARS['DEFAULT_RULES_DIR'], 'OT'), '**'), '*.rules' + ), + recursive=True, + ) + ) + ) + if ( + os.path.isdir(str(DEFAULT_VARS['DEFAULT_RULES_DIR'])) + and (not val2bool(DEFAULT_VARS['DISABLE_ICS_ALL'])) + ) + else [] + ) - customRuleFiles = ( - fnmatch.filter(os.listdir(DEFAULT_VARS['CUSTOM_RULES_DIR']), '*.rules') - if DEFAULT_VARS['CUSTOM_RULES_DIR'] is not None + # User's custom rules + ruleFiles.extend( + sorted( + list( + glob.iglob( + os.path.join(os.path.join(DEFAULT_VARS['CUSTOM_RULES_DIR'], '**'), '*.rules'), + recursive=True, + ) + ) + ) + if os.path.isdir(str(DEFAULT_VARS['CUSTOM_RULES_DIR'])) else [] ) - if (DEFAULT_VARS['CUSTOM_RULES_DIR'] is not None) and ((not requireRulesExist) or (len(customRuleFiles) > 0)): - ruleSources.append(os.path.join(DEFAULT_VARS['CUSTOM_RULES_DIR'], '*.rules')) - - return ruleSources + return ruleFiles ################################################################################################### def GetIncludeConfigSources(): global DEFAULT_VARS - configSources = list( - [ - os.path.join(DEFAULT_VARS['CUSTOM_CONFIG_DIR'], x) - for x in 
fnmatch.filter(os.listdir(DEFAULT_VARS['CUSTOM_CONFIG_DIR']), '*.yaml') - ] - if DEFAULT_VARS['CUSTOM_CONFIG_DIR'] is not None + configSources = ( + sorted( + list( + glob.iglob( + os.path.join(os.path.join(DEFAULT_VARS['CUSTOM_CONFIG_DIR'], '**'), '*.yaml'), + recursive=True, + ) + ) + ) + if os.path.isdir(str(DEFAULT_VARS['CUSTOM_CONFIG_DIR'])) else [] ) - return configSources @@ -627,7 +671,8 @@ def main(): if os.path.isfile(args.output) and os.path.samefile(args.input, args.output): backupFile = inFileParts[0] + "_bak_" + str(int(round(time.time()))) + inFileParts[1] CopyFile(args.input, backupFile) - backupFiles = sorted(fnmatch.filter(os.listdir(os.path.dirname(backupFile)), '*_bak_*')) + backupFiles = sorted(list(glob.glob(os.path.join(os.path.dirname(backupFile), '*_bak_*')))) + while len(backupFiles) > BACKUP_FILES_MAX: toDeleteFileName = os.path.join(os.path.dirname(backupFile), backupFiles.pop(0)) logging.debug(f'Removing old backup file "{toDeleteFileName}"') @@ -1080,7 +1125,7 @@ def main(): deep_set(cfg, ['stats', 'enabled'], True) cfg.pop('rule-files', None) - deep_set(cfg, ['rule-files'], GetRuleSources(requireRulesExist=True)) + deep_set(cfg, ['rule-files'], GetRuleFiles()) # Hackety-hack, don't talk back! Despite the "Including multiple files" section of # https://docs.suricata.io/en/latest/configuration/includes.html#including-multiple-files @@ -1127,7 +1172,7 @@ def main(): # final tweaks deep_set(cfg, ['stats', 'enabled'], False) cfg.pop('rule-files', None) - deep_set(cfg, ['rule-files'], GetRuleSources(requireRulesExist=False)) + deep_set(cfg, ['rule-files'], GetRuleFiles()) # see note on 'include' above cfg.pop('include', None) diff --git a/shared/bin/suricata_update_config_populate.py b/shared/bin/suricata_update_config_populate.py index edcad9155..52cf643f8 100755 --- a/shared/bin/suricata_update_config_populate.py +++ b/shared/bin/suricata_update_config_populate.py 
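Review bot: `GetRuleFiles` now contains three near-identical `sorted(list(glob.iglob(os.path.join(os.path.join(...), '*.rules'), recursive=True)))` blocks, each with triple-nested `os.path.join` calls although `os.path.join` is variadic and `sorted` already returns a list; `GetIncludeConfigSources` in the same hunk is a fourth copy with `'*.yaml'`. A small helper that takes a directory and a pattern and returns `[]` when the directory is absent removes the duplication and makes the one real difference — the OT set is skipped when `DISABLE_ICS_ALL` is set — stand out. Note also that the custom-rules entry used to be handed to Suricata as a `*.rules` glob and is now enumerated at config-generation time, so rules added later are presumably not picked up until the config is regenerated; if that is intended, a comment on the "User's custom rules" block should say so.
```python
def GetRuleFilesUnder(ruleDir, pattern='*.rules'):
    """Return the sorted files matching pattern recursively under ruleDir, or [] if it is not a directory."""
    if not os.path.isdir(str(ruleDir)):
        return []
    return sorted(glob.iglob(os.path.join(str(ruleDir), '**', pattern), recursive=True))


def GetRuleFiles():
    global DEFAULT_VARS
    ruleFiles = []
    if not val2bool(DEFAULT_VARS['CUSTOM_RULES_ONLY']):
        # built-in suricata rules
        ruleFiles.append('suricata.rules')
        # Malcolm's default IT rules
        ruleFiles.extend(GetRuleFilesUnder(os.path.join(str(DEFAULT_VARS['DEFAULT_RULES_DIR']), 'IT')))
        # Malcolm's default OT rules (skipped when ICS analysis is globally disabled)
        if not val2bool(DEFAULT_VARS['DISABLE_ICS_ALL']):
            ruleFiles.extend(GetRuleFilesUnder(os.path.join(str(DEFAULT_VARS['DEFAULT_RULES_DIR']), 'OT')))
    # User's custom rules
    ruleFiles.extend(GetRuleFilesUnder(DEFAULT_VARS['CUSTOM_RULES_DIR']))
    return ruleFiles

# … unchanged: GetIncludeConfigSources (could become GetRuleFilesUnder(DEFAULT_VARS['CUSTOM_CONFIG_DIR'], '*.yaml')) …
```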
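Review bot: The replacement for the `fnmatch.filter(os.listdir(...))` line changes what `backupFiles` holds — `glob.glob(os.path.join(dir, '*_bak_*'))` returns paths already prefixed with the directory, whereas `os.listdir` returned bare names — but the unchanged next line still does `os.path.join(os.path.dirname(backupFile), backupFiles.pop(0))`. With an absolute directory `os.path.join` discards its first argument and this happens to work; with a relative `--input` path the directory is prepended twice and `toDeleteFileName` points at a path that does not exist, so old backups are no longer pruned. The same change is made in suricata_update_config_populate.py (`@@ -157,7 +157,7 @@`). Either keep the names bare, `backupFiles = sorted(os.path.basename(f) for f in glob.glob(os.path.join(os.path.dirname(backupFile), '*_bak_*')))`, or drop the second `os.path.join` and use the popped path directly. `main()` begins and ends outside this hunk.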
@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 # modify suricata's update.yaml according to many environment variables
@@ -13,7 +13,7 @@ import argparse
 import contextlib
-import fnmatch
+import glob
 import logging
 import os
 import sys
@@ -157,7 +157,7 @@ def main():
 if os.path.isfile(args.output) and os.path.samefile(args.input, args.output):
 backupFile = inFileParts[0] + "_bak_" + str(int(round(time.time()))) + inFileParts[1]
 CopyFile(args.input, backupFile)
- backupFiles = sorted(fnmatch.filter(os.listdir(os.path.dirname(backupFile)), '*_bak_*'))
+ backupFiles = sorted(list(glob.glob(os.path.join(os.path.dirname(backupFile), '*_bak_*'))))
 while len(backupFiles) > BACKUP_FILES_MAX:
 toDeleteFileName = os.path.join(os.path.dirname(backupFile), backupFiles.pop(0))
 logging.debug(f'Removing old backup file "{toDeleteFileName}"')
diff --git a/shared/bin/therm-sensors-json.py b/shared/bin/therm-sensors-json.py
index 48f7d6b2f..87ff591ea 100755
--- a/shared/bin/therm-sensors-json.py
+++ b/shared/bin/therm-sensors-json.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 import argparse
 import json
diff --git a/shared/bin/ufw_allow_viewer.sh b/shared/bin/ufw_allow_viewer.sh
index ae581a314..90c06fbaf 100755
--- a/shared/bin/ufw_allow_viewer.sh
+++ b/shared/bin/ufw_allow_viewer.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 # manage a UFW rule for allowing a remote Arkime viewer instance (on the same host
 # to which arkime's capture is forwarding session logs) to connect to and
diff --git a/shared/bin/zeek_carve_logger.py b/shared/bin/zeek_carve_logger.py
index 0f2e0f884..2ab20dadd 100755
--- a/shared/bin/zeek_carve_logger.py
+++ b/shared/bin/zeek_carve_logger.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 ###################################################################################################
 # Monitor a directory for files extracted by zeek for processing
diff --git a/shared/bin/zeek_carve_scanner.py b/shared/bin/zeek_carve_scanner.py
index 35d56f7bd..c472b84b2 100755
--- a/shared/bin/zeek_carve_scanner.py
+++ b/shared/bin/zeek_carve_scanner.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 ###################################################################################################
 # Process queued files reported by zeek_carve_watcher.py, scanning them with the specified
diff --git a/shared/bin/zeek_carve_utils.py b/shared/bin/zeek_carve_utils.py
index 1ac1129ea..21550aeaa 100644
--- a/shared/bin/zeek_carve_utils.py
+++ b/shared/bin/zeek_carve_utils.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 import clamd
 import logging
diff --git a/shared/bin/zeek_carve_watcher.py b/shared/bin/zeek_carve_watcher.py
index e2b93590a..960464905 100755
--- a/shared/bin/zeek_carve_watcher.py
+++ b/shared/bin/zeek_carve_watcher.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 ###################################################################################################
 # Monitor a directory for files extracted by zeek for processing
diff --git a/shared/bin/zeek_install_plugins.sh b/shared/bin/zeek_install_plugins.sh
index d1588bf8b..70ce9b01f 100755
--- a/shared/bin/zeek_install_plugins.sh
+++ b/shared/bin/zeek_install_plugins.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 if [ -z "$BASH_VERSION" ]; then
 echo "Wrong interpreter, please run \"$0\" with bash"
diff --git a/shared/bin/zeek_intel_from_threat_feed.py b/shared/bin/zeek_intel_from_threat_feed.py
index ad3e27831..b884c4873 100755
--- a/shared/bin/zeek_intel_from_threat_feed.py
+++ b/shared/bin/zeek_intel_from_threat_feed.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 from collections import deque
 from dateparser import parse as ParseDate
diff --git a/shared/bin/zeek_intel_setup.sh b/shared/bin/zeek_intel_setup.sh
index 818fedca7..3254d68ac 100755
--- a/shared/bin/zeek_intel_setup.sh
+++ b/shared/bin/zeek_intel_setup.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 # set up intel files prior to running zeek
 # - https://cisagov.github.io/Malcolm/docs/zeek-intel.html#ZeekIntel
diff --git a/shared/bin/zeek_threat_feed_utils.py b/shared/bin/zeek_threat_feed_utils.py
index e5446a6aa..a7b0c21a7 100644
--- a/shared/bin/zeek_threat_feed_utils.py
+++ b/shared/bin/zeek_threat_feed_utils.py
@@ -1,4 +1,4 @@
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 # adapted some code from tenzir/threatbus
 # - https://github.com/tenzir/threatbus
diff --git a/shared/bin/zeekdeploy.sh b/shared/bin/zeekdeploy.sh
index 0e2b2999e..f5a88d49f 100755
--- a/shared/bin/zeekdeploy.sh
+++ b/shared/bin/zeekdeploy.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 # get utilities for finding default zeek path and executable
 [[ "$(uname -s)" = 'Darwin' ]] && REALPATH=grealpath || REALPATH=realpath
diff --git a/suricata/default-rules/IT/.gitignore b/suricata/rules-default/IT/.gitignore
similarity index 100%
rename from suricata/default-rules/IT/.gitignore
rename to suricata/rules-default/IT/.gitignore
diff --git a/suricata/default-rules/OT/.gitignore b/suricata/rules-default/OT/.gitignore
similarity index 100%
rename from suricata/default-rules/OT/.gitignore
rename to suricata/rules-default/OT/.gitignore
diff --git a/suricata/rules-default/OT/malcolm/CVE-2023-28771_Zyxel.rules b/suricata/rules-default/OT/malcolm/CVE-2023-28771_Zyxel.rules
new file mode 100644
index 000000000..4d1d2db9a
--- /dev/null
+++ b/suricata/rules-default/OT/malcolm/CVE-2023-28771_Zyxel.rules
@@ -0,0 +1,14 @@
+alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"show users"; nocase; sid:1001001; rev:1;)
+alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"show sessions"; nocase; sid:1001002; rev:1;)
+alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"show configuration"; nocase; sid:1001003; rev:1;)
+alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"show running-config"; nocase; sid:1001004; rev:1;)
+alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"show firewall rule"; nocase; sid:1001005; rev:1;)
+alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"export config"; nocase; sid:1001006; rev:1;)
+alert tcp any any -> any any (msg: "Potential Zyxel Payload connection"; content:"/mipskiller"; sid:1001007; rev:1;)
+alert tcp any any -> any any (msg: "Potential Zyxel Payload connection"; content:"/proxy2"; sid:1001008; rev:1;)
+alert tcp any any -> any 82 (msg: "Potential Zyxel Payload connection"; content:"/fuckjewishpeople.mips"; sid:1001009; rev:1;)
+alert tcp any any -> any 8080 (msg: "Potential Zyxel Payload connection"; content:"/mips"; sid:1001010; rev:1;)
+alert tcp any any -> any 8080 (msg: "Potential Zyxel Payload connection"; content:"/mpsl"; sid:1001011; rev:1;)
+alert tcp any any -> any any (msg: "Potential Zyxel Payload connection"; content:"/bins/paraiso.mips"; sid:1001012; rev:1;)
+alert tcp any any -> any any (msg: "Potential Zyxel Payload connection"; content:"/bins/libcurl1337.mips"; sid:1001013; rev:1;)
+alert tcp any any -> any any (msg: "Potential Zyxel Payload connection"; content:"/proxy1"; sid:1001014; rev:1;)
\ No newline at end of file
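Review bot: None of the fourteen new signatures carries a `reference`, `classtype` or `flow` keyword, so they alert with Suricata's default classification and priority and carry no machine-readable link to the CVE the file is named for; the first line, for example, could read `alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"show users"; nocase; reference:cve,2023-28771; classtype:attempted-admin; sid:1001001; rev:1;)`. The sids 1001001–1001014 sit in the 1000000–1999999 range conventionally reserved for locally written rules, and this same commit now loads users' CUSTOM_RULES_DIR files into the same rule-files list (GetRuleFiles in suricata_config_populate.py), so a collision with a user's own local sids would make Suricata report duplicate signatures and load only one of them; a documented sid block for Malcolm-authored rules would avoid that. The TCP rules on sids 1001007, 1001008 and 1001012–1001014 match their content in either direction on any port with no `flow:to_server,established;` constraint, which will be noisy on general traffic. Two style points: the TCP rules write `msg: "..."` with a space after the colon while the UDP rules write `msg:"..."`, and the file has no trailing newline.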
diff --git a/suricata/default-rules/OT/nsacyber/ELITEWOLF/AllenBradley_RockwellAutomation.rules b/suricata/rules-default/OT/nsacyber/ELITEWOLF/AllenBradley_RockwellAutomation.rules
similarity index 100%
rename from suricata/default-rules/OT/nsacyber/ELITEWOLF/AllenBradley_RockwellAutomation.rules
rename to suricata/rules-default/OT/nsacyber/ELITEWOLF/AllenBradley_RockwellAutomation.rules
diff --git a/suricata/default-rules/OT/nsacyber/ELITEWOLF/SchweitzerEngineeringLaboratories.rules b/suricata/rules-default/OT/nsacyber/ELITEWOLF/SchweitzerEngineeringLaboratories.rules
similarity index 100%
rename from suricata/default-rules/OT/nsacyber/ELITEWOLF/SchweitzerEngineeringLaboratories.rules
rename to suricata/rules-default/OT/nsacyber/ELITEWOLF/SchweitzerEngineeringLaboratories.rules
diff --git a/suricata/default-rules/OT/nsacyber/ELITEWOLF/Siemens.rules b/suricata/rules-default/OT/nsacyber/ELITEWOLF/Siemens.rules
similarity index 100%
rename from suricata/default-rules/OT/nsacyber/ELITEWOLF/Siemens.rules
rename to suricata/rules-default/OT/nsacyber/ELITEWOLF/Siemens.rules
diff --git a/suricata/scripts/docker_entrypoint.sh b/suricata/scripts/docker_entrypoint.sh
index a3d3e0200..b3044ed59 100755
--- a/suricata/scripts/docker_entrypoint.sh
+++ b/suricata/scripts/docker_entrypoint.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 # ensure capabilities for capture
-setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /sbin/ethtool || true
 setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' /usr/bin/suricata || true
 # modify suricata.yaml according to environment variables (as non-root)
diff --git a/suricata/scripts/eve-clean-logs.sh b/suricata/scripts/eve-clean-logs.sh
index e38a0e00b..33b0127e0 100755
--- a/suricata/scripts/eve-clean-logs.sh
+++ b/suricata/scripts/eve-clean-logs.sh
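Review bot: Dropping the file capabilities on /sbin/ethtool is a welcome narrowing, but the `|| true` on the remaining setcap line still hides a failed setcap completely, so a container started without CAP_SETFCAP runs capture with no capabilities and the only symptom is a later, less obvious permission error from suricata; keeping the best-effort behaviour while making the failure visible is one line, `setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' /usr/bin/suricata || echo "warning: could not set capabilities on /usr/bin/suricata" >&2`. If anything in the image still runs ethtool as the non-root capture user to tune the interface, it will now fail for the same silent reason; that caller is not visible in this diff, so it is worth a check. The same applies to the zeek/scripts/docker_entrypoint.sh hunk (`@@ -3,9 +3,8 @@`), which additionally drops CAP_IPC_LOCK from zeek and capstats; a one-line comment there, `# CAP_IPC_LOCK no longer needed: <reason>`, would tell the next reader why it was safe to remove.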
@@ -1,6 +1,6 @@
 #!/bin/bash
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 # Clean up suricata log files that have reached a certain age. If we can
 # verify they've been parsed and logged at least one event to the database,
diff --git a/suricata/supervisord.conf b/suricata/supervisord.conf
index 49e10393e..8376a91d9 100644
--- a/suricata/supervisord.conf
+++ b/suricata/supervisord.conf
@@ -1,4 +1,4 @@
-; Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+; Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 [unix_http_server]
 file=/tmp/supervisor.sock ; (the path to the socket file)
@@ -24,7 +24,7 @@ command=python3 /usr/local/bin/pcap_suricata_processor.py %(ENV_PCAP_PIPELINE_VE
 --publisher "%(ENV_PCAP_MONITOR_HOST)s"
 --pcap-directory /data/pcap/processed
 --node "%(ENV_PCAP_NODE_NAME)s"
- --suricata /usr/bin/suricata
+ --suricata /usr/bin/suricata-offline
 --autotag "%(ENV_AUTO_TAG)s"
 --autosuricata "%(ENV_SURICATA_AUTO_ANALYZE_PCAP_FILES)s"
 --forcesuricata "%(ENV_SURICATA_ROTATED_PCAP)s"
diff --git a/zeek/config/extractor.zeek b/zeek/config/extractor.zeek
index 0418f23e9..07e745368 100644
--- a/zeek/config/extractor.zeek
+++ b/zeek/config/extractor.zeek
@@ -1,6 +1,6 @@
 #!/usr/bin/env zeek
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 @load ./extractor_params
diff --git a/zeek/config/extractor_override.interesting.zeek b/zeek/config/extractor_override.interesting.zeek
index eaf220289..290a8948c 100644
--- a/zeek/config/extractor_override.interesting.zeek
+++ b/zeek/config/extractor_override.interesting.zeek
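Review bot: The offline pcap processor is now launched with `/usr/bin/suricata-offline`, a path that nothing in this diff creates or sets capabilities on; suricata/scripts/docker_entrypoint.sh (`@@ -1,7 +1,6 @@`) still runs setcap only against /usr/bin/suricata. If suricata-offline is a separate copy of the binary, that is a good least-privilege outcome, since pcap replay does not need CAP_NET_RAW or CAP_NET_ADMIN, but it is implicit; if it is a symlink, file capabilities follow the target and the offline process keeps the capture capabilities. Once confirmed, a comment above this program's `command=` line (outside the hunk), `; suricata-offline is a separate binary without capture file-capabilities; only the live instance gets them`, would record the intent, and if the binary is produced by a Dockerfile not shown here the commit message should say so. The same applies to zeek/supervisord.conf (`@@ -24,7 +24,7 @@`), where `/opt/zeek/bin/zeek-offline` replaces the setcap'd zeek binary.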
@@ -1,6 +1,6 @@
 #!/usr/bin/env zeek
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 export {
 redef extractor_always_extract_unknown = F;
diff --git a/zeek/config/extractor_params.zeek b/zeek/config/extractor_params.zeek
index 1d82162fe..653e91503 100644
--- a/zeek/config/extractor_params.zeek
+++ b/zeek/config/extractor_params.zeek
@@ -1,6 +1,6 @@
 #!/usr/bin/env zeek
-# Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+# Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 export {
 const extractor_extract_none = "none" &redef;
diff --git a/zeek/scripts/docker_entrypoint.sh b/zeek/scripts/docker_entrypoint.sh
index 2d9d4f972..0ed78c9b0 100755
--- a/zeek/scripts/docker_entrypoint.sh
+++ b/zeek/scripts/docker_entrypoint.sh
@@ -3,9 +3,8 @@
 ZEEK_DIR=${ZEEK_DIR:-"/opt/zeek"}
 # ensure capabilities for capture
-setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /sbin/ethtool || true
-setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' "${ZEEK_DIR}"/bin/zeek || true
-setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip CAP_IPC_LOCK+eip' "${ZEEK_DIR}"/bin/capstats || true
+setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' "${ZEEK_DIR}"/bin/zeek || true
+setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' "${ZEEK_DIR}"/bin/capstats || true
 if [[ "${ZEEK_LIVE_CAPTURE:-false}" != "true" ]] && [[ -x "${ZEEK_DIR}"/bin/zeek_intel_setup.sh ]]; then
 sleep 15 # give the "live" instance, if there is one, a chance to go first
diff --git a/zeek/supervisord.conf b/zeek/supervisord.conf
index 23db15fbe..5ad1d49b7 100644
--- a/zeek/supervisord.conf
+++ b/zeek/supervisord.conf
@@ -1,4 +1,4 @@
-; Copyright (c) 2023 Battelle Energy Alliance, LLC. All rights reserved.
+; Copyright (c) 2024 Battelle Energy Alliance, LLC. All rights reserved.
 [unix_http_server]
 file=/tmp/supervisor.sock ; (the path to the socket file)
@@ -24,7 +24,7 @@ command=python3 /usr/local/bin/pcap_zeek_processor.py %(ENV_PCAP_PIPELINE_VERBOS
 --publisher "%(ENV_PCAP_MONITOR_HOST)s"
 --pcap-directory /pcap/processed
 --node "%(ENV_PCAP_NODE_NAME)s"
- --zeek /opt/zeek/bin/zeek
+ --zeek /opt/zeek/bin/zeek-offline
 --autotag "%(ENV_AUTO_TAG)s"
 --autozeek "%(ENV_ZEEK_AUTO_ANALYZE_PCAP_FILES)s"
 --forcezeek "%(ENV_ZEEK_ROTATED_PCAP)s"