Merge remote-tracking branch 'cisa/main'
mmguero committed Jan 5, 2022
2 parents 2777f26 + 3957e25 commit 576b532
Showing 57 changed files with 12,144 additions and 8,342 deletions.
59 changes: 59 additions & 0 deletions .github/workflows/api-build-and-push-ghcr.yml
@@ -0,0 +1,59 @@
name: api-build-and-push-ghcr

on:
push:
branches:
- main
- development
paths:
- 'api/**'
- 'Dockerfiles/api.Dockerfile'
- 'shared/bin/*'
- '.trigger_workflow_build'
workflow_dispatch:
repository_dispatch:

jobs:
docker:
runs-on: ubuntu-latest
permissions:
actions: write
packages: write
contents: read
steps:
-
name: Cancel previous run in progress
uses: styfle/[email protected]
with:
ignore_sha: true
all_but_latest: true
access_token: ${{ secrets.GITHUB_TOKEN }}
-
name: Checkout
uses: actions/checkout@v2
-
name: Extract branch name
shell: bash
run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
id: extract_branch
-
name: Set up QEMU
uses: docker/setup-qemu-action@v1
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
-
name: Log in to registry
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Build and push
uses: docker/build-push-action@v2
with:
context: .
file: ./Dockerfiles/api.Dockerfile
push: true
tags: ghcr.io/${{ github.repository_owner }}/malcolmnetsec/api:${{ steps.extract_branch.outputs.branch }}
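Review bot: Every action in the steps is referenced by a mutable tag (`actions/checkout@v2`, `docker/setup-qemu-action@v1`, `docker/setup-buildx-action@v1`, `docker/login-action@v1`, `docker/build-push-action@v2`, and the styfle cancel-workflow action), so whoever can move one of those tags decides what runs with the job's `packages: write` and `actions: write` token and what gets pushed to ghcr.io. Pinning each `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v2`, makes the executed code fixed and reviewable. The `echo "##[set-output name=branch;]…"` form in the 'Extract branch name' step is the legacy command syntax; the equivalent is `run: echo "::set-output name=branch::${GITHUB_REF#refs/heads/}"`. The `permissions` block is already narrowly scoped, which is good; `actions: write` appears to exist only for the cancel step, so a one-line comment saying so would keep it from being widened later.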
2 changes: 1 addition & 1 deletion .trigger_workflow_build
@@ -1,2 +1,2 @@
# this file exists solely for the purpose of being updated and seen by github to trigger a commit build action
7
8
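--- a/Dockerfiles/api.Dockerfile
+++ b/Dockerfiles/api.Dockerfile
@@ -0,0 +1,95 @@
+FROM python:3-slim-bullseye as builder
+
+ENV DEBIAN_FRONTEND noninteractive
+ENV TERM xterm
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONUNBUFFERED 1
+
+RUN apt-get update -q \
+&& apt-get install -y --no-install-recommends gcc \
+&& python3 -m pip install --upgrade pip \
+&& python3 -m pip install flake8
+
+COPY ./api /usr/src/app/
+WORKDIR /usr/src/app
+
+RUN python3 -m pip wheel --no-cache-dir --no-deps --wheel-dir /usr/src/app/wheels -r requirements.txt \
+&& flake8 --ignore=E501,F401
+
+FROM python:3-slim-bullseye
+
+# Copyright (c) 2022 Battelle Energy Alliance, LLC. All rights reserved.
+LABEL maintainer="[email protected]"
+LABEL org.opencontainers.image.authors='[email protected]'
+LABEL org.opencontainers.image.url='https://github.com/idaholab/Malcolm'
+LABEL org.opencontainers.image.documentation='https://github.com/idaholab/Malcolm/blob/main/README.md'
+LABEL org.opencontainers.image.source='https://github.com/idaholab/Malcolm'
+LABEL org.opencontainers.image.vendor='Idaho National Laboratory'
+LABEL org.opencontainers.image.title='malcolmnetsec/api'
+LABEL org.opencontainers.image.description='Malcolm container providing a REST API for some information about network traffic'
+
+ARG DEFAULT_UID=1000
+ARG DEFAULT_GID=1000
+ENV DEFAULT_UID $DEFAULT_UID
+ENV DEFAULT_GID $DEFAULT_GID
+ENV PUSER "yeflask"
+ENV PGROUP "yeflask"
+ENV PUSER_PRIV_DROP true
+
+ENV DEBIAN_FRONTEND noninteractive
+ENV TERM xterm
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONUNBUFFERED 1
+
+ARG FLASK_ENV=production
+ARG OPENSEARCH_URL="http://opensearch:9200"
+ARG ARKIME_INDEX_PATTERN="arkime_sessions3-*"
+ARG ARKIME_INDEX_TIME_FIELD="firstPacket"
+ARG RESULT_SET_LIMIT="500"
+
+ENV HOME=/malcolm
+ENV APP_HOME="${HOME}"/api
+ENV APP_FOLDER="${APP_HOME}"
+ENV FLASK_APP=project/__init__.py
+ENV FLASK_ENV $FLASK_ENV
+ENV OPENSEARCH_URL $OPENSEARCH_URL
+ENV ARKIME_INDEX_PATTERN $ARKIME_INDEX_PATTERN
+ENV ARKIME_INDEX_TIME_FIELD $ARKIME_INDEX_TIME_FIELD
+ENV RESULT_SET_LIMIT $RESULT_SET_LIMIT
+
+WORKDIR "${APP_HOME}"
+
+COPY --from=builder /usr/src/app/wheels /wheels
+COPY --from=builder /usr/src/app/requirements.txt .
+COPY ./api "${APP_HOME}"
+COPY shared/bin/opensearch_status.sh "${APP_HOME}"/
+
+ADD shared/bin/docker-uid-gid-setup.sh /usr/local/bin/
+RUN apt-get -q update \
+&& apt-get -y -q --no-install-recommends install curl netcat \
+&& python3 -m pip install --upgrade pip \
+&& python3 -m pip install --no-cache /wheels/* \
+&& chmod 755 /usr/local/bin/docker-uid-gid-setup.sh \
+&& groupadd --gid ${DEFAULT_GID} ${PGROUP} \
+&& useradd -M --uid ${DEFAULT_UID} --gid ${DEFAULT_GID} --home "${HOME}" ${PUSER} \
+&& chown -R ${PUSER}:${PGROUP} "${HOME}" \
+&& usermod -a -G tty ${PUSER} \
+&& apt-get clean \
+&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+EXPOSE 5000
+
+ENTRYPOINT ["/usr/local/bin/docker-uid-gid-setup.sh", "${APP_HOME}/entrypoint.sh"]
+
+# to be populated at build-time:
+ARG BUILD_DATE
+ARG MALCOLM_VERSION
+ARG VCS_REVISION
+
+ENV BUILD_DATE $BUILD_DATE
+ENV MALCOLM_VERSION $MALCOLM_VERSION
+ENV VCS_REVISION $VCS_REVISION
+
+LABEL org.opencontainers.image.created=$BUILD_DATE
+LABEL org.opencontainers.image.version=$MALCOLM_VERSION
+LABEL org.opencontainers.image.revision=$VCS_REVISION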
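Review bot: `${APP_HOME}` in the exec-form ENTRYPOINT is never expanded — exec form does no shell processing and Docker's build-time environment replacement does not apply to ENTRYPOINT — so docker-uid-gid-setup.sh receives the literal string `${APP_HOME}/entrypoint.sh`; unless that script (not in this diff) evaluates its arguments through a shell, the path has to be spelled out from the ENV lines above, `ENTRYPOINT ["/usr/local/bin/docker-uid-gid-setup.sh", "/malcolm/api/entrypoint.sh"]`. The helper script is brought in with `ADD` although it is a plain local file; `COPY --chmod=755 shared/bin/docker-uid-gid-setup.sh /usr/local/bin/` does the same and removes the need for the `chmod 755` step in the RUN. `FROM python:3-slim-bullseye` floats across Python minor releases in both stages, so two builds of this same commit can produce different wheels and a different interpreter; pinning at least the minor tag (or a digest) in both FROM lines makes the image reproducible. The final stage ends without a `USER` directive; privilege drop appears to be delegated to the entrypoint via `PUSER_PRIV_DROP`, which deserves a comment above ENTRYPOINT such as `# the uid/gid setup script switches to ${PUSER} at runtime (PUSER_PRIV_DROP); no USER here by design` so the root-owned final stage is not mistaken for an oversight.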
2 changes: 1 addition & 1 deletion Dockerfiles/dashboards.Dockerfile
Expand Up @@ -14,7 +14,7 @@ ENV PGROUP "dashboarder"

ENV TERM xterm

ARG OPENSEARCH_VERSION="1.2.2"
ARG OPENSEARCH_VERSION="1.2.3"
ENV OPENSEARCH_VERSION $OPENSEARCH_VERSION

ARG OPENSEARCH_DASHBOARDS_VERSION="1.2.0"
2 changes: 1 addition & 1 deletion Dockerfiles/logstash.Dockerfile
@@ -1,4 +1,4 @@
FROM opensearchproject/logstash-oss-with-opensearch-output-plugin:7.13.4
FROM opensearchproject/logstash-oss-with-opensearch-output-plugin:7.16.2

# Copyright (c) 2022 Battelle Energy Alliance, LLC. All rights reserved.

2 changes: 1 addition & 1 deletion Dockerfiles/opensearch.Dockerfile
@@ -1,4 +1,4 @@
FROM opensearchproject/opensearch:1.2.2
FROM opensearchproject/opensearch:1.2.3

# Copyright (c) 2022 Battelle Energy Alliance, LLC. All rights reserved.
LABEL maintainer="[email protected]"
80 changes: 49 additions & 31 deletions README.md
Expand Up @@ -42,6 +42,7 @@ In short, Malcolm provides an easily deployable network analysis tool suite for
* [Starting Malcolm](#Starting)
* [Stopping and restarting Malcolm](#StopAndRestart)
* [Clearing Malcolm's data](#Wipe)
* [Temporary read-only interface](#ReadOnlyUI)
* [Capture file and log archive upload](#Upload)
- [Tagging](#Tagging)
- [Processing uploaded PCAPs with Zeek](#UploadPCAPZeek)
Expand Down Expand Up @@ -103,6 +104,7 @@ In short, Malcolm provides an easily deployable network analysis tool suite for

See [**Building from source**](#Build) to read how you can use GitHub [workflow files](./.github/workflows/) to build Malcolm.

![api-build-and-push-ghcr](https://github.com/idaholab/Malcolm/workflows/api-build-and-push-ghcr/badge.svg)
![arkime-build-and-push-ghcr](https://github.com/idaholab/Malcolm/workflows/arkime-build-and-push-ghcr/badge.svg)
![dashboards-build-and-push-ghcr](https://github.com/idaholab/Malcolm/workflows/dashboards-build-and-push-ghcr/badge.svg)
![dashboards-helper-build-and-push-ghcr](https://github.com/idaholab/Malcolm/workflows/dashboards-helper-build-and-push-ghcr/badge.svg)
Expand Down Expand Up @@ -146,6 +148,7 @@ You must run [`auth_setup`](#AuthSetup) prior to pulling Malcolm's Docker images
Malcolm's Docker images are periodically built and hosted on [Docker Hub](https://hub.docker.com/u/malcolmnetsec). If you already have [Docker](https://www.docker.com/) and [Docker Compose](https://docs.docker.com/compose/), these prebuilt images can be pulled by navigating into the Malcolm directory (containing the `docker-compose.yml` file) and running `docker-compose pull` like this:
```
$ docker-compose pull
Pulling api ... done
Pulling arkime ... done
Pulling dashboards ... done
Pulling dashboards-helper ... done
Expand All @@ -167,21 +170,22 @@ You can then observe that the images have been retrieved by running `docker imag
```
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
malcolmnetsec/arkime 5.0.4 xxxxxxxxxxxx 2 days ago 811MB
malcolmnetsec/dashboards 5.0.4 xxxxxxxxxxxx 2 days ago 970MB
malcolmnetsec/dashboards-helper 5.0.4 xxxxxxxxxxxx 2 days ago 154MB
malcolmnetsec/filebeat-oss 5.0.4 xxxxxxxxxxxx 2 days ago 621MB
malcolmnetsec/file-monitor 5.0.4 xxxxxxxxxxxx 2 days ago 586MB
malcolmnetsec/file-upload 5.0.4 xxxxxxxxxxxx 2 days ago 259MB
malcolmnetsec/freq 5.0.4 xxxxxxxxxxxx 2 days ago 132MB
malcolmnetsec/htadmin 5.0.4 xxxxxxxxxxxx 2 days ago 242MB
malcolmnetsec/logstash-oss 5.0.4 xxxxxxxxxxxx 2 days ago 1.27GB
malcolmnetsec/name-map-ui 5.0.4 xxxxxxxxxxxx 2 days ago 142MB
malcolmnetsec/nginx-proxy 5.0.4 xxxxxxxxxxxx 2 days ago 117MB
malcolmnetsec/opensearch 5.0.4 xxxxxxxxxxxx 2 days ago 1.18GB
malcolmnetsec/pcap-capture 5.0.4 xxxxxxxxxxxx 2 days ago 122MB
malcolmnetsec/pcap-monitor 5.0.4 xxxxxxxxxxxx 2 days ago 214MB
malcolmnetsec/zeek 5.0.4 xxxxxxxxxxxx 2 days ago 938MB
malcolmnetsec/api 5.1.0 xxxxxxxxxxxx 2 days ago 155MB
malcolmnetsec/arkime 5.1.0 xxxxxxxxxxxx 2 days ago 811MB
malcolmnetsec/dashboards 5.1.0 xxxxxxxxxxxx 2 days ago 970MB
malcolmnetsec/dashboards-helper 5.1.0 xxxxxxxxxxxx 2 days ago 154MB
malcolmnetsec/filebeat-oss 5.1.0 xxxxxxxxxxxx 2 days ago 621MB
malcolmnetsec/file-monitor 5.1.0 xxxxxxxxxxxx 2 days ago 586MB
malcolmnetsec/file-upload 5.1.0 xxxxxxxxxxxx 2 days ago 259MB
malcolmnetsec/freq 5.1.0 xxxxxxxxxxxx 2 days ago 132MB
malcolmnetsec/htadmin 5.1.0 xxxxxxxxxxxx 2 days ago 242MB
malcolmnetsec/logstash-oss 5.1.0 xxxxxxxxxxxx 2 days ago 1.27GB
malcolmnetsec/name-map-ui 5.1.0 xxxxxxxxxxxx 2 days ago 142MB
malcolmnetsec/nginx-proxy 5.1.0 xxxxxxxxxxxx 2 days ago 117MB
malcolmnetsec/opensearch 5.1.0 xxxxxxxxxxxx 2 days ago 1.18GB
malcolmnetsec/pcap-capture 5.1.0 xxxxxxxxxxxx 2 days ago 122MB
malcolmnetsec/pcap-monitor 5.1.0 xxxxxxxxxxxx 2 days ago 214MB
malcolmnetsec/zeek 5.1.0 xxxxxxxxxxxx 2 days ago 938MB
```

#### Import from pre-packaged tarballs
Expand Down Expand Up @@ -333,6 +337,7 @@ See [Zeek log integration](#ArkimeZeek) for more information on how Malcolm inte

Checking out the [Malcolm source code](https://github.com/idaholab/Malcolm/tree/main) results in the following subdirectories in your `malcolm/` working copy:

* `api` - code and configuration for the `api` container which provides a REST API to query Malcolm
* `arkime` - code and configuration for the `arkime` container which processes PCAP files using `capture` and which serves the Viewer application
* `arkime-logs` - an initially empty directory to which the `arkime` container will write some debug log files
* `arkime-raw` - an initially empty directory to which the `arkime` container will write captured PCAP files; as Arkime as employed by Malcolm is currently used for processing previously-captured PCAP files, this directory is currently unused
Expand Down Expand Up @@ -378,6 +383,7 @@ $ ./scripts/build.sh

Then, go take a walk or something since it will be a while. When you're done, you can run `docker images` and see you have fresh images for:

* `malcolmnetsec/api` (based on `python:3-slim-bullseye`)
* `malcolmnetsec/arkime` (based on `debian:bullseye-slim`)
* `malcolmnetsec/dashboards` (based on `opensearchproject/opensearch-dashboards`)
* `malcolmnetsec/dashboards-helper` (based on `alpine:3.15`)
Expand Down Expand Up @@ -845,6 +851,16 @@ Malcolm can be configured to be automatically restarted when the Docker system d

Run `./scripts/wipe` to stop the Malcolm instance and wipe its OpenSearch database (**including** [index snapshots and management policies](#IndexManagement) and [alerting configuration](#Alerting)).

### <a name="ReadOnlyUI"></a>Temporary read-only interface

To temporarily set the Malcolm user interaces into a read-only configuration, run the following command from the Malcolm installation directory:

```
docker-compose exec nginx-proxy bash -c "cp /etc/nginx/nginx_readonly.conf /etc/nginx/nginx.conf && nginx -s reload"
```

This command must be re-run every time you restart Malcolm.

## <a name="Upload"></a>Capture file and log archive upload

Malcolm serves a web browser-based upload form for uploading PCAP files and Zeek logs at [https://localhost/upload/](https://localhost/upload/) if you are connecting locally.
Expand Down Expand Up @@ -1523,7 +1539,7 @@ Building the ISO may take 30 minutes or more depending on your system. As the bu

```
Finished, created "/malcolm-build/malcolm-iso/malcolm-5.0.4.iso"
Finished, created "/malcolm-build/malcolm-iso/malcolm-5.1.0.iso"
```

Expand Down Expand Up @@ -1891,6 +1907,7 @@ Store username/password for email alert sender account (y/N):
For now, rather than [build Malcolm from scratch](#Build), we'll pull images from [Docker Hub](https://hub.docker.com/u/malcolmnetsec):
```
user@host:~/Malcolm$ docker-compose pull
Pulling api ... done
Pulling arkime ... done
Pulling dashboards ... done
Pulling dashboards-helper ... done
Expand All @@ -1909,21 +1926,22 @@ Pulling zeek ... done
user@host:~/Malcolm$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
malcolmnetsec/arkime 5.0.4 xxxxxxxxxxxx 2 days ago 811MB
malcolmnetsec/dashboards 5.0.4 xxxxxxxxxxxx 2 days ago 970MB
malcolmnetsec/dashboards-helper 5.0.4 xxxxxxxxxxxx 2 days ago 154MB
malcolmnetsec/filebeat-oss 5.0.4 xxxxxxxxxxxx 2 days ago 621MB
malcolmnetsec/file-monitor 5.0.4 xxxxxxxxxxxx 2 days ago 586MB
malcolmnetsec/file-upload 5.0.4 xxxxxxxxxxxx 2 days ago 259MB
malcolmnetsec/freq 5.0.4 xxxxxxxxxxxx 2 days ago 132MB
malcolmnetsec/htadmin 5.0.4 xxxxxxxxxxxx 2 days ago 242MB
malcolmnetsec/logstash-oss 5.0.4 xxxxxxxxxxxx 2 days ago 1.27GB
malcolmnetsec/name-map-ui 5.0.4 xxxxxxxxxxxx 2 days ago 142MB
malcolmnetsec/nginx-proxy 5.0.4 xxxxxxxxxxxx 2 days ago 117MB
malcolmnetsec/opensearch 5.0.4 xxxxxxxxxxxx 2 days ago 1.18GB
malcolmnetsec/pcap-capture 5.0.4 xxxxxxxxxxxx 2 days ago 122MB
malcolmnetsec/pcap-monitor 5.0.4 xxxxxxxxxxxx 2 days ago 214MB
malcolmnetsec/zeek 5.0.4 xxxxxxxxxxxx 2 days ago 938MB
malcolmnetsec/api 5.1.0 xxxxxxxxxxxx 2 days ago 155MB
malcolmnetsec/arkime 5.1.0 xxxxxxxxxxxx 2 days ago 811MB
malcolmnetsec/dashboards 5.1.0 xxxxxxxxxxxx 2 days ago 970MB
malcolmnetsec/dashboards-helper 5.1.0 xxxxxxxxxxxx 2 days ago 154MB
malcolmnetsec/filebeat-oss 5.1.0 xxxxxxxxxxxx 2 days ago 621MB
malcolmnetsec/file-monitor 5.1.0 xxxxxxxxxxxx 2 days ago 586MB
malcolmnetsec/file-upload 5.1.0 xxxxxxxxxxxx 2 days ago 259MB
malcolmnetsec/freq 5.1.0 xxxxxxxxxxxx 2 days ago 132MB
malcolmnetsec/htadmin 5.1.0 xxxxxxxxxxxx 2 days ago 242MB
malcolmnetsec/logstash-oss 5.1.0 xxxxxxxxxxxx 2 days ago 1.27GB
malcolmnetsec/name-map-ui 5.1.0 xxxxxxxxxxxx 2 days ago 142MB
malcolmnetsec/nginx-proxy 5.1.0 xxxxxxxxxxxx 2 days ago 117MB
malcolmnetsec/opensearch 5.1.0 xxxxxxxxxxxx 2 days ago 1.18GB
malcolmnetsec/pcap-capture 5.1.0 xxxxxxxxxxxx 2 days ago 122MB
malcolmnetsec/pcap-monitor 5.1.0 xxxxxxxxxxxx 2 days ago 214MB
malcolmnetsec/zeek 5.1.0 xxxxxxxxxxxx 2 days ago 938MB
```

Finally, we can start Malcolm. When Malcolm starts it will stream informational and debug messages to the console. If you wish, you can safely close the console or use `Ctrl+C` to stop these messages; Malcolm will continue running in the background.
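--- a/api/entrypoint.sh
+++ b/api/entrypoint.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+echo "Giving OpenSearch time to start..."
+"${APP_HOME}"/opensearch_status.sh 2>&1 && echo "OpenSearch is running!"
+
+exec "$@"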
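Review bot: A failing opensearch_status.sh is silently ignored on the status line: the `&&` only gates the success message, and with no `set -e` the script falls through to `exec "$@"` whatever the check returned. If the intent is a best-effort wait (likely, given the "Giving OpenSearch time to start" message, but the helper's behaviour is not visible here), a comment such as `# best-effort wait: the API is started even if OpenSearch is not reachable yet` makes that explicit; if startup should depend on it, `"${APP_HOME}"/opensearch_status.sh 2>&1 || exit 1` is the one-line change. An unset `APP_HOME` turns the path into `/opensearch_status.sh`, so `: "${APP_HOME:?APP_HOME must be set}"` near the top would fail early with a clear message rather than a "not found" error.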
8 changes: 8 additions & 0 deletions api/manage.py
@@ -0,0 +1,8 @@
from flask.cli import FlaskGroup

from project import app

cli = FlaskGroup(app)

if __name__ == "__main__":
cli()