Merge pull request #132 from rocknsm/hotfix/2.0.2

Hotfix/2.0.2
rocknsm · Mar 17, 2017 · c11ecfe · c11ecfe
2 parents 71c43e9 + b1cb8f0
commit c11ecfe
Show file tree

Hide file tree

Showing 8 changed files with 83 additions and 19 deletions.
diff --git a/docs/guide/README.adoc b/docs/guide/README.adoc
@@ -210,6 +210,18 @@ http://IPADDRESS - Kibana
 === Full Packet Capture
 Google's Stenographer is installed and configured in this build. However, it is disabled by default. There are a few reasons for this: First, it can be too much for Vagrant builds on meager hardware. Second, you really need to make sure you've mounted /data over sufficient storage before you start saving full packets. Once you're ready to get nuts, enable and start the service with `systemctl enable stenographer.service` and then `systemctl start stenographer.service`. Stenographer is already stubbed into the `/usr/local/bin/rock_{start,stop,status}` scripts, you just need to uncomment it if you're going to use it.
 
+=== File Scanning Framework
+Emerson Electric Co's File Scanning Framework is installed and configured in this build to analyze files seen by bro that are of specific mime-types, however this service is disabled by default. There are two primary reasons for this: First, just like stenographer FSF can be too much for ROCK builds on meager hardware. Second, you should carefully consider what file types you want to extract and what additional yara rules you want to scan your extracted files with. If you choose to Enable FSF in /etc/rocknsm/config.yml, the default configuration will automatically scan any of the following file types seen by bro and log the results to Elasticsearch.
+ - application/pdf
+ - application/vnd.openxmlformats-officedocument.wordprocessingml.document
+ - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+ - application/vnd.openxmlformats-officedocument.presentationml.presentation
+ - application/x-dosexec
+ - application/java-archive
+ - application/x-java-applet
+ - application/x-java-jnlp-file
+
+
 == THANKS
 This architecture is made possible by the efforts of the Missouri National Guard Cyber Team for donating talent and resources to further development.
 

diff --git a/docs/guide/configuration.adoc b/docs/guide/configuration.adoc
@@ -98,6 +98,10 @@ Generally, most of the options you'll want to change are near the top. The file
 
 *NOTE*: While you theoretically _could_ install both Suricata and Snort, I guarantee that the automated deployment will not configure this as you were hoping.
 
+| with_fsf
+| `True`
+| Determines whether FSF will be installed and configured.
+
 | with_snort
 | `False`
 | Determines whether Snort will be installed and configured.

diff --git a/images/rock_full.png b/images/rock_full.png
diff --git a/playbooks/deploy-rock.yml b/playbooks/deploy-rock.yml
@@ -311,7 +311,10 @@
     when: with_zookeeper
 
   - name: Enable and start zookeeper
-    service: name=zookeeper state=started enabled=yes
+    service:
+      name: zookeeper
+      state: "{{ 'started' if enable_zookeeper else 'stopped' }}"
+      enabled: "{{ enable_zookeeper }}"
     when: with_zookeeper
 
     ######################################################
@@ -343,7 +346,10 @@
     when: with_kafka
 
   - name: Enable and start kafka
-    service: name=kafka state=started enabled=yes
+    service:
+      name: kafka
+      state: "{{ 'started' if enable_kafka else 'stopped' }}"
+      enabled: "{{ enable_kafka }}"
     when: with_kafka
 
     ######################################################
@@ -421,7 +427,10 @@
     when: with_elasticsearch
 
   - name: Enable and start Elasticsearch
-    service: name=elasticsearch state=started enabled=yes
+    service:
+      name: elasticsearch
+      state: "{{ 'started' if enable_elasticsearch else 'stopped' }}"
+      enabled: "{{ enable_elasticsearch }}"
     when: with_elasticsearch
     notify:
       - es maintenance
@@ -476,7 +485,10 @@
     when: with_logstash and with_fsf
 
   - name: Enable and start Logstash
-    service: name=logstash state=started enabled=yes
+    service:
+      name: logstash
+      state: "{{ 'started' if enable_logstash else 'stopped' }}"
+      enabled: "{{ enable_logstash }}"
     when: with_logstash
 
     #######################################################
@@ -650,6 +662,13 @@
       state: present
     when: with_bro and with_kafka
 
+  - name: Enable the SMB Analyzer in local.bro
+    lineinfile:
+      dest: /opt/bro/share/bro/site/local.bro
+      line: "@load policy/protocols/smb # Enable Bro SMB Analyzer"
+      state: present
+    when: with_bro
+
   - name: Add bro to path and aliases
     copy:
       src: profile.d-bro.sh
@@ -697,8 +716,11 @@
     when: with_bro
 
   - name: Enable and start broctl
-    service: name=broctl enabled=yes state=started
-    when: with_bro and enable_bro
+    service:
+      name: broctl
+      enabled: "{{ enable_bro }}"
+      state: "{{ 'started' if enable_bro else 'stopped' }}"
+    when: with_bro
 
     ######################################################
     ################# Setup Stenographer #################
@@ -742,8 +764,19 @@
       creates: /etc/stenographer/certs/client_key.pem
     when: with_stenographer
 
-  - name: Set Stenographer disabled by default
-    service: name=stenographer enabled=no state=stopped
+  - name: Configure Stenographer service
+    service:
+      name: stenographer
+      enabled: "{{ enable_stenographer }}"
+      state: "{{ 'started' if enable_stenographer else 'stopped' }}"
+    when: with_stenographer
+
+  - name: Configure Stenographer per-interface
+    service:
+      name: "stenographer@{{ item }}"
+      enabled: "{{ enable_stenographer }}"
+      state: "{{ 'started' if enable_stenographer else 'stopped' }}"
+    with_items: "{{ rock_monifs }}"
     when: with_stenographer
 
     ######################################################
@@ -811,7 +844,10 @@
     when: with_suricata
 
   - name: Enable and start suricata
-    service: name="suricata" enabled=yes state=started
+    service:
+      name: suricata
+      enabled: "{{ enable_suricata }}"
+      state: "{{ 'started' if enable_suricata else 'stopped' }}"
     when: with_suricata
 
   - name: Configure logrotate for suricata logs
@@ -939,16 +975,22 @@
     when: with_fsf
 
   - name: Enable and start FSF
-    service: name=fsf state=started enabled=yes
-    when: with_fsf and enable_fsf
+    service:
+      name: fsf
+      state: "{{ 'started' if enable_fsf else 'stopped' }}"
+      enabled: "{{ enable_fsf }}"
+    when: with_fsf
 
     ######################################################
     ################### Setup Kibana #####################
     ######################################################
 
   - name: Enable and start Kibana
-    service: name=kibana state=started enabled=yes
-    when: "{{ with_kibana }}"
+    service:
+      name: kibana
+      state: "{{ 'started' if enable_kibana else 'stopped' }}"
+      enabled: "{{ enable_kibana }}"
+    when: with_kibana
 
   - name: Download ROCK Dashboards
     get_url:
@@ -1067,7 +1109,10 @@
     when: with_nginx and with_kibana
 
   - name: Enable and start nginx
-    service: name=nginx state=started enabled=yes
+    service:
+      name: nginx
+      state: "{{ 'started' if enable_nginx else 'stopped' }}"
+      enabled: "{{ enable_nginx }}"
     when: with_nginx
 
     ######################################################

diff --git a/playbooks/files/logstash-fsf-es.conf b/playbooks/files/logstash-fsf-es.conf
@@ -1,7 +1,7 @@
 input {
   file {
     codec => "json"
-    path => "/data/fsf/scan.log"
+    path => "/data/fsf/rockout.log"
     add_field => { "[@metadata][stage]" => "fsf" }
   }
 }

diff --git a/playbooks/files/rock_start b/playbooks/files/rock_start
@@ -58,7 +58,10 @@ if feature_enabled stenographer; then
   echo "Starting Stenographer..."
   systemctl start stenographer
   sleep 5
-  systemctl status stenographer | egrep "^\s*Active"
+  for item in $(ls  /etc/stenographer/config* | awk -F. '/\./ { print $2 }')
+  do
+    systemctl status stenographer@${item} | egrep "^\s*Active" | cat <( echo -n "   ${item}: ") -
+  done
 fi
 
 if feature_enabled fsf; then

diff --git a/playbooks/files/[email protected] b/playbooks/files/[email protected]
@@ -33,5 +33,4 @@ ExecStart=/usr/bin/stenographer -config /etc/stenographer/config.%i
 ExecStopPost=/bin/pkill -9 stenotype
 
 [Install]
-WantedBy=multi-user.target
-
+WantedBy=stenographer.service
diff --git a/playbooks/templates/fsf-server-config.j2 b/playbooks/templates/fsf-server-config.j2
@@ -9,7 +9,8 @@ SCANNER_CONFIG = { 'LOG_PATH' : '{{ fsf_data_dir }}',
                    'EXPORT_PATH' : '{{ fsf_archive_dir }}',
                    'TIMEOUT' : 60,
                    'PID_PATH': '/run/fsf/fsf.pid',
-                   'MAX_DEPTH' : 10 }
+                   'MAX_DEPTH' : 10,
+		   'ACTIVE_LOGGING_MODULES': ['rockout', 'scan_log'] }
 
 SERVER_CONFIG = { 'IP_ADDRESS' : "localhost",
                   'PORT' : 5800 }