Merge pull request #232 from hubblestack/develop

Merge to master (prep v2.2.9)

Author: basepi

conf/afterinstall-systemd.sh

@@ -0,0 +1,2 @@
+systemctl daemon-reload
+service hubble start

conf/afterinstall.sh

@@ -0,0 +1 @@
+service hubble start

conf/afterupgrade.sh

@@ -0,0 +1 @@
+service hubble restart

hubblestack/__init__.py

@@ -1 +1 @@
-__version__ = '2.2.8'
+__version__ = '2.2.9'

hubblestack/cloud_details.py

@@ -54,14 +54,14 @@ def _get_azure_details():
     # Gather azure information if present
     azure = {}
     azure['azure_vmId'] = None
-
+    azure['azure_subscriptionId'] = None
     azureHeader = {'Metadata': 'true'}
-
     try:
-        r = requests.get('http://169.254.169.254/metadata/instance/compute/vmId?api-version=2017-03-01&format=text',
-                         timeout=1, headers=azureHeader)
-        r.raise_for_status()
-        azure['azure_vmId'] = r.text
+        id = requests.get('http://169.254.169.254/metadata/instance/compute?api-version=2017-08-01',
+                          headers=azureHeader, timeout=1).json()
+        azure['azure_vmId'] = id['vmId']
+        azure['azure_subscriptionId'] = id['subscriptionId']
+
     except (requests.exceptions.RequestException, ValueError):
         # Not on an Azure box
         azure = None

hubblestack/extmods/fileserver/azurefs.py

@@ -24,14 +24,15 @@
 
 You must have either an account_key or a sas_token defined for each container,
 if it is private. If you use a sas_token, it must have READ and LIST
-permissions.
+permissions. Proxy can also be provided in the configuration.
 
 .. code-block:: yaml
 
     azurefs:
       - account_name: my_storage
         account_key: 'fNH9cRp0+qVIVYZ+5rnZAhHc9ycOUcJnHtzpfOr0W0sxrtL2KVLuMe1xDfLwmfed+JJInZaEdWVCPHD4d/oqeA=='
         container_name: my_container
+        proxy: 10.10.10.10:8080
       - account_name: my_storage
         sas_token: 'ss=b&sp=&sv=2015-07-08&sig=cohxXabx8FQdXsSEHyUXMjsSfNH2tZ2OB97Ou44pkRE%3D&srt=co&se=2017-04-18T21%3A38%3A01Z'
         container_name: my_dev_container
@@ -362,6 +363,8 @@ def _get_container_service(container):
     else:
         account = azure.storage.CloudStorageAccount(container['account_name'])
     blob_service = account.create_block_blob_service()
+    if 'proxy' in container and len(container['proxy'].split(':'))==2:
+        blob_service.set_proxy(container['proxy'].split(':')[0],container['proxy'].split(':')[1])
     return blob_service
 
 

hubblestack/extmods/returners/splunk_nebula_return.py

@@ -78,7 +78,7 @@ def returner(ret):
 
             # Set up the fields to be extracted at index time. The field values must be strings.
             # Note that these fields will also still be available in the event data
-            index_extracted_fields = ['aws_instance_id', 'aws_account_id', 'azure_vmId']
+            index_extracted_fields = ['aws_instance_id', 'aws_account_id', 'azure_vmId', 'azure_subscriptionId']
             try:
                 index_extracted_fields.extend(opts['index_extracted_fields'])
             except TypeError:

hubblestack/extmods/returners/splunk_nova_return.py

@@ -77,7 +77,7 @@ def returner(ret):
 
             # Set up the fields to be extracted at index time. The field values must be strings.
             # Note that these fields will also still be available in the event data
-            index_extracted_fields = ['aws_instance_id', 'aws_account_id', 'azure_vmId']
+            index_extracted_fields = ['aws_instance_id', 'aws_account_id', 'azure_vmId', 'azure_subscriptionId']
             try:
                 index_extracted_fields.extend(opts['index_extracted_fields'])
             except TypeError:

hubblestack/extmods/returners/splunk_pulsar_return.py

@@ -82,7 +82,7 @@ def returner(ret):
 
             # Set up the fields to be extracted at index time. The field values must be strings.
             # Note that these fields will also still be available in the event data
-            index_extracted_fields = ['aws_instance_id', 'aws_account_id', 'azure_vmId']
+            index_extracted_fields = ['aws_instance_id', 'aws_account_id', 'azure_vmId', 'azure_subscriptionId']
             try:
                 index_extracted_fields.extend(opts['index_extracted_fields'])
             except TypeError:

hubblestack/files/hubblestack_nova/win_secedit.py

@@ -283,7 +283,9 @@ def _translate_value_type(current, value, evaluator, __sidaccounts__=False):
             return False
     elif 'equal' in value:
         if ',' not in evaluator and type(evaluator) != list:
-            evaluator = _evaluator_translator(evaluator)
+            tmp_evaluator = _evaluator_translator(evaluator)
+            if tmp_evaluator != 'undefined':
+                evaluator = tmp_evaluator
         if type(current) == list:
             ret_final = []
             for item in current:
@@ -300,6 +302,21 @@ def _translate_value_type(current, value, evaluator, __sidaccounts__=False):
             return True
         else:
             return False
+    elif 'contains' in value:
+        if type(evaluator) != list:
+            evaluator = evaluator.split(',')
+            if type(current) != list:
+                current = current.lower().split(',')
+            ret_final = []
+            for item in evaluator:
+                if item in current:
+                    ret_final.append(True)
+                else:
+                    ret_final.append(False)
+            if False in ret_final:
+                return False
+            else:
+                return True
     elif 'account' in value:
         evaluator = _account_audit(evaluator, __sidaccounts__)
         evaluator_list = evaluator.split(',')
@@ -327,7 +344,7 @@ def _translate_value_type(current, value, evaluator, __sidaccounts__=False):
     elif 'configured' in value:
         if current == '':
             return False
-        elif current == value:
+        elif current.lower().find(evaluator) != -1:
             return True
         else:
             return False

hubblestack/splunklogging.py

@@ -77,7 +77,7 @@ def __init__(self):
 
             # Set up the fields to be extracted at index time. The field values must be strings.
             # Note that these fields will also still be available in the event data
-            index_extracted_fields = ['aws_instance_id', 'aws_account_id', 'azure_vmId']
+            index_extracted_fields = ['aws_instance_id', 'aws_account_id', 'azure_vmId', 'azure_subscriptionId']
             try:
                 index_extracted_fields.extend(opts['index_extracted_fields'])
             except TypeError:

pkg/amazonlinux2016.09/Dockerfile

@@ -91,8 +91,8 @@ RUN yum install -y ruby ruby-devel rpmbuild rubygems gcc make \
 #pyinstaller start
 #commands specified for ENTRYPOINT and CMD are executed when the container is run, not when the image is built
 #use the following variables to choose the version of hubble
-ENV HUBBLE_CHECKOUT=v2.2.8
-ENV HUBBLE_VERSION=2.2.8
+ENV HUBBLE_CHECKOUT=v2.2.9
+ENV HUBBLE_VERSION=2.2.9
 ENV HUBBLE_GIT_URL=https://github.com/hubblestack/hubble.git
 ENV HUBBLE_SRC_PATH=/hubble_src
 ENV _HOOK_DIR="./pkg/"
@@ -123,8 +123,6 @@ CMD [ "pyinstaller --onedir --noconfirm --log-level ${_BINARY_LOG_LEVEL} --addit
     && tar -xzvf /data/hubblestack-${HUBBLE_VERSION}.tar.gz -C /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION} \
     && mkdir -p /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION}/etc/init.d \
     && cp /hubble_build/pkg/hubble /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION}/etc/init.d/ \
-    && mkdir -p /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION}/usr/lib/systemd/system \
-    && cp /hubble_build/pkg/hubble.service /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION}/usr/lib/systemd/system/ \
     && cp -f /hubble_build/conf/hubble /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION}/etc/hubble/ \
 #during container run, if a configuration file exists in a /data copy it over the existing one so it would be
 #possile to optionally include a custom one with the package
@@ -140,6 +138,8 @@ CMD [ "pyinstaller --onedir --noconfirm --log-level ${_BINARY_LOG_LEVEL} --addit
     #todo: get rid of the git dependency with static bin in the future
        -d 'git' \
        --config-files /etc/hubble --config-files /etc/osquery/osquery.conf \
+       --after-install /hubble_build/conf/afterinstall.sh \
+       --after-upgrade /hubble_build/conf/afterupgrade.sh \
        etc/hubble etc/osquery etc/init.d opt usr \
 #edit to change iteration number, if necessary
     && cp hubblestack-${HUBBLE_VERSION}-1.x86_64.rpm /data/hubblestack-${HUBBLE_VERSION}-1.al1609.x86_64.rpm" ]

pkg/amazonlinux2017.03/Dockerfile

@@ -91,8 +91,8 @@ RUN yum install -y ruby ruby-devel rpmbuild rubygems gcc make \
 #pyinstaller start
 #commands specified for ENTRYPOINT and CMD are executed when the container is run, not when the image is built
 #use the following variables to choose the version of hubble
-ENV HUBBLE_CHECKOUT=v2.2.8
-ENV HUBBLE_VERSION=2.2.8
+ENV HUBBLE_CHECKOUT=v2.2.9
+ENV HUBBLE_VERSION=2.2.9
 ENV HUBBLE_GIT_URL=https://github.com/hubblestack/hubble.git
 ENV HUBBLE_SRC_PATH=/hubble_src
 ENV _HOOK_DIR="./pkg/"
@@ -123,8 +123,6 @@ CMD [ "pyinstaller --onedir --noconfirm --log-level ${_BINARY_LOG_LEVEL} --addit
     && tar -xzvf /data/hubblestack-${HUBBLE_VERSION}.tar.gz -C /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION} \
     && mkdir -p /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION}/etc/init.d \
     && cp /hubble_build/pkg/hubble /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION}/etc/init.d/ \
-    && mkdir -p /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION}/usr/lib/systemd/system \
-    && cp /hubble_build/pkg/hubble.service /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION}/usr/lib/systemd/system/ \
     && cp -f /hubble_build/conf/hubble /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION}/etc/hubble/ \
 #during container run, if a configuration file exists in a /data copy it over the existing one so it would be
 #possile to optionally include a custom one with the package
@@ -140,6 +138,8 @@ CMD [ "pyinstaller --onedir --noconfirm --log-level ${_BINARY_LOG_LEVEL} --addit
     #todo: get rid of the git dependency with static bin in the future
        -d 'git' \
        --config-files /etc/hubble --config-files /etc/osquery/osquery.conf \
+       --after-install /hubble_build/conf/afterinstall.sh \
+       --after-upgrade /hubble_build/conf/afterupgrade.sh \
        etc/hubble etc/osquery etc/init.d opt usr \
 #edit to change iteration number, if necessary
     && cp hubblestack-${HUBBLE_VERSION}-1.x86_64.rpm /data/hubblestack-${HUBBLE_VERSION}-1.al1703.x86_64.rpm" ]

pkg/centos6/Dockerfile

@@ -56,7 +56,7 @@ RUN ls -lahR /opt/osquery/ && /opt/osquery/osqueryi --version
 RUN yum -y install  \
                libffi-devel openssl-devel libxml2-devel libxslt-devel \
                libjpeg-devel zlib-devel python-devel make cmake gcc \
-               python-setuptools wget 
+               python-setuptools wget
 
 #libgit2 install start
 #must precede pyinstaller requirements
@@ -93,8 +93,8 @@ RUN yum install -y rpmbuild gcc make rh-ruby23 rh-ruby23-ruby-devel \
 #pyinstaller start
 #commands specified for ENTRYPOINT and CMD are executed when the container is run, not when the image is built
 #use the following variables to choose the version of hubble
-ENV HUBBLE_CHECKOUT=v2.2.8
-ENV HUBBLE_VERSION=2.2.8
+ENV HUBBLE_CHECKOUT=v2.2.9
+ENV HUBBLE_VERSION=2.2.9
 ENV HUBBLE_GIT_URL=https://github.com/hubblestack/hubble.git
 ENV HUBBLE_SRC_PATH=/hubble_src
 ENV _HOOK_DIR="./pkg/"
@@ -140,6 +140,8 @@ CMD [ "scl enable python27 'pyinstaller --onedir --noconfirm --log-level ${_BINA
                                  #todo: get rid of the git dependency with static bin in the future
                                  -d git \
                                  --config-files /etc/hubble --config-files /etc/osquery/osquery.conf \
+                                 --after-install /hubble_build/conf/afterinstall.sh \
+                                 --after-upgrade /hubble_build/conf/afterupgrade.sh \
                                  etc/hubble etc/osquery etc/init.d opt usr' \
 #edit to change iteration number, if necessary
     && cp hubblestack-${HUBBLE_VERSION}-1.x86_64.rpm /data/hubblestack-${HUBBLE_VERSION}-1.el6.x86_64.rpm" ]

pkg/centos7/Dockerfile

@@ -90,8 +90,8 @@ RUN yum install -y ruby ruby-devel rpmbuild rubygems gcc make \
 #pyinstaller start
 #commands specified for ENTRYPOINT and CMD are executed when the container is run, not when the image is built
 #use the following variables to choose the version of hubble
-ENV HUBBLE_CHECKOUT=v2.2.8
-ENV HUBBLE_VERSION=2.2.8
+ENV HUBBLE_CHECKOUT=v2.2.9
+ENV HUBBLE_VERSION=2.2.9
 ENV HUBBLE_GIT_URL=https://github.com/hubblestack/hubble.git
 ENV HUBBLE_SRC_PATH=/hubble_src
 ENV _HOOK_DIR="./pkg/"
@@ -120,8 +120,6 @@ CMD [ "pyinstaller --onedir --noconfirm --log-level ${_BINARY_LOG_LEVEL} --addit
     && tar -cPvzf /data/hubblestack-${HUBBLE_VERSION}.tar.gz /etc/hubble /etc/osquery /opt/hubble /opt/osquery /var/log/osquery /etc/profile.d/hubble-profile.sh \
     && mkdir -p /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION} \
     && tar -xzvf /data/hubblestack-${HUBBLE_VERSION}.tar.gz -C /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION} \
-    && mkdir -p /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION}/etc/init.d \
-    && cp /hubble_build/pkg/hubble /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION}/etc/init.d/ \
     && mkdir -p /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION}/usr/lib/systemd/system \
     && cp /hubble_build/pkg/hubble.service /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION}/usr/lib/systemd/system/ \
     && cp -f /hubble_build/conf/hubble /hubble_build/debbuild/hubblestack-${HUBBLE_VERSION}/etc/hubble/ \
@@ -139,6 +137,8 @@ CMD [ "pyinstaller --onedir --noconfirm --log-level ${_BINARY_LOG_LEVEL} --addit
     #todo: get rid of the git dependency with static bin in the future
        -d 'git' \
        --config-files /etc/hubble --config-files /etc/osquery/osquery.conf \
-       etc/hubble etc/osquery etc/init.d opt usr \
+       --after-install /hubble_build/conf/afterinstall-systemd.sh \
+       --after-upgrade /hubble_build/conf/afterupgrade.sh \
+       etc/hubble etc/osquery opt usr \
 #edit to change iteration number, if necessary
     && cp hubblestack-${HUBBLE_VERSION}-1.x86_64.rpm /data/hubblestack-${HUBBLE_VERSION}-1.el7.x86_64.rpm" ]

pkg/coreos/Dockerfile

@@ -88,8 +88,8 @@ RUN pip install --upgrade pip \
 #pyinstaller start
 #commands specified for ENTRYPOINT and CMD are executed when the container is run, not when the image is built
 #use the following variables to choose the version of hubble
-ENV HUBBLE_CHECKOUT=v2.2.8
-ENV HUBBLE_VERSION=2.2.8
+ENV HUBBLE_CHECKOUT=v2.2.9
+ENV HUBBLE_VERSION=2.2.9
 ENV HUBBLE_GIT_URL=https://github.com/hubblestack/hubble.git
 ENV HUBBLE_SRC_PATH=/hubble_src
 ENV _HOOK_DIR="./pkg/"

pkg/debian7/Dockerfile

@@ -115,8 +115,8 @@ RUN apt-get install -y ruby ruby-dev rubygems gcc make \
 #pyinstaller start
 #commands specified for ENTRYPOINT and CMD are executed when the container is run, not when the image is built
 #use the following variables to choose the version of hubble
-ENV HUBBLE_CHECKOUT=v2.2.8
-ENV HUBBLE_VERSION=2.2.8
+ENV HUBBLE_CHECKOUT=v2.2.9
+ENV HUBBLE_VERSION=2.2.9
 ENV HUBBLE_GIT_URL=https://github.com/hubblestack/hubble.git
 ENV HUBBLE_SRC_PATH=/hubble_src
 ENV _HOOK_DIR="./pkg/"
@@ -162,6 +162,8 @@ CMD [ "pyinstaller --onedir --noconfirm --log-level ${_BINARY_LOG_LEVEL} --addit
        -d 'git' \
        --config-files /etc/hubble --config-files /etc/osquery/osquery.conf \
        --deb-no-default-config-files \
+       --after-install /hubble_build/conf/afterinstall.sh \
+       --after-upgrade /hubble_build/conf/afterupgrade.sh \
        etc/hubble etc/osquery etc/init.d opt usr \
     && cp hubblestack_${HUBBLE_VERSION}-1_amd64.deb /data/hubblestack_${HUBBLE_VERSION}-1deb7_amd64.deb" ]
 

pkg/debian8/Dockerfile

@@ -96,8 +96,8 @@ RUN apt-get install -y ruby ruby-dev rubygems gcc make \
 #pyinstaller start
 #commands specified for ENTRYPOINT and CMD are executed when the container is run, not when the image is built
 #use the following variables to choose the version of hubble
-ENV HUBBLE_CHECKOUT=v2.2.8
-ENV HUBBLE_VERSION=2.2.8
+ENV HUBBLE_CHECKOUT=v2.2.9
+ENV HUBBLE_VERSION=2.2.9
 ENV HUBBLE_GIT_URL=https://github.com/hubblestack/hubble.git
 ENV HUBBLE_SRC_PATH=/hubble_src
 ENV _HOOK_DIR="./pkg/"
@@ -145,6 +145,8 @@ CMD [ "pyinstaller --onedir --noconfirm --log-level ${_BINARY_LOG_LEVEL} --addit
        -d 'git' \
        --config-files /etc/hubble --config-files /etc/osquery/osquery.conf \
        --deb-no-default-config-files \
+       --after-install /hubble_build/conf/afterinstall.sh \
+       --after-upgrade /hubble_build/conf/afterupgrade.sh \
        etc/hubble etc/osquery etc/init.d opt usr \
     && cp hubblestack_${HUBBLE_VERSION}-1_amd64.deb /data/hubblestack_${HUBBLE_VERSION}-1deb8_amd64.deb" ]
 

pkg/debian9/Dockerfile

@@ -92,8 +92,8 @@ RUN apt-get install -y ruby ruby-dev rubygems gcc make \
 #pyinstaller start
 #commands specified for ENTRYPOINT and CMD are executed when the container is run, not when the image is built
 #use the following variables to choose the version of hubble
-ENV HUBBLE_CHECKOUT=v2.2.8
-ENV HUBBLE_VERSION=2.2.8
+ENV HUBBLE_CHECKOUT=v2.2.9
+ENV HUBBLE_VERSION=2.2.9
 ENV HUBBLE_GIT_URL=https://github.com/hubblestack/hubble.git
 ENV HUBBLE_SRC_PATH=/hubble_src
 ENV _HOOK_DIR="./pkg/"
@@ -141,6 +141,8 @@ CMD [ "pyinstaller --onedir --noconfirm --log-level ${_BINARY_LOG_LEVEL} --addit
        -d 'git' \
        --config-files /etc/hubble --config-files /etc/osquery/osquery.conf \
        --deb-no-default-config-files \
+       --after-install /hubble_build/conf/afterinstall.sh \
+       --after-upgrade /hubble_build/conf/afterupgrade.sh \
        etc/hubble etc/osquery etc/init.d opt usr \
     && cp hubblestack_${HUBBLE_VERSION}-1_amd64.deb /data/hubblestack_${HUBBLE_VERSION}-1deb9_amd64.deb" ]