Merge pull request #37 from Security-Onion-Solutions/dev

2.3.60

.gitignore

@@ -2,7 +2,6 @@ version.json
 config.json
 sensoroni.log
 sensoroni
-kratos
 jobs/
 nsm/
 .vscode/

Dockerfile.kratos

@@ -14,26 +14,23 @@ RUN addgroup -S ory; \
     adduser -S ory -G ory -D -H -s /bin/nologin
 RUN apk -U --no-cache add build-base git gcc bash
 
-RUN mkdir -p /go/src/github.com/ory
-WORKDIR /go/src/github.com/ory
-RUN git clone https://github.com/ory/kratos.git
+RUN mkdir -p /go/src/github.com/jertel
+WORKDIR /go/src/github.com/jertel
+RUN git clone https://github.com/jertel/kratos.git
 
-WORKDIR /go/src/github.com/ory/kratos
+WORKDIR /go/src/github.com/jertel/kratos
 
-RUN git checkout v0.5.5-alpha.1
+RUN git checkout v0.6.3-alpha.1-so
 
 ENV GO111MODULE on
 ENV CGO_ENABLED 1
 
 RUN go mod download
-RUN make pack
 RUN go build -tags sqlite -a
 
 FROM ghcr.io/security-onion-solutions/alpine:latest
 
 ENV DSN=sqlite:///kratos-data/db.sqlite?_fk=true
-ENV SQA_OPT_OUT=true
-ENV DISABLE_TELEMETRY=true
 
 ARG UID=928
 ARG GID=928
@@ -48,11 +45,11 @@ RUN echo "#!/bin/sh" > /start-kratos.sh
 RUN echo "kratos -c /kratos-conf/kratos.yaml migrate sql -e --yes >> /kratos-log/kratos-migrate.log 2>&1" >> /start-kratos.sh
 RUN echo "chown kratos:kratos /kratos-data/db.sqlite" >> /start-kratos.sh
 RUN echo "chmod 600 /kratos-data/db.sqlite" >> /start-kratos.sh
-RUN echo "kratos -c /kratos-conf/kratos.yaml serve >> /kratos-log/kratos.log 2>&1" >> /start-kratos.sh
+RUN echo "kratos -c /kratos-conf/kratos.yaml serve --sqa-opt-out=true >> /kratos-log/kratos.log 2>&1" >> /start-kratos.sh
 RUN chmod a+x /start-kratos.sh
 
-COPY --from=builder /go/src/github.com/ory/kratos/kratos /usr/bin/kratos
-COPY --from=builder /go/src/github.com/ory/kratos/.schema /.schema
+COPY --from=builder /go/src/github.com/jertel/kratos/kratos /usr/bin/kratos
+COPY --from=builder /go/src/github.com/jertel/kratos/.schema /.schema
 USER kratos
 
 

config/clientparameters.go

@@ -19,6 +19,7 @@ const DEFAULT_MOST_RECENTLY_USED_LIMIT = 5
 type ClientParameters struct {
   HuntingParams       HuntingParameters     `json:"hunt"`
   AlertingParams      HuntingParameters     `json:"alerts"`
+  JobParams           HuntingParameters     `json:"job"`
   DocsUrl             string                `json:"docsUrl"`
   CheatsheetUrl       string                `json:"cheatsheetUrl"`
   GridParams          GridParameters        `json:"grid"`
@@ -34,6 +35,7 @@ func (config *ClientParameters) Verify() error {
   var err error
   err = config.HuntingParams.Verify()
   err = config.AlertingParams.Verify()
+  err = config.JobParams.Verify()
   return err
 }
 

config/serverconfig.go

@@ -29,6 +29,7 @@ type ServerConfig struct {
   ModuleFailuresIgnored           bool                              `json:"moduleFailuresIgnored"`
   ClientParams                    ClientParameters                  `json:"client"`
   IdleConnectionTimeoutMs         int                               `json:"idleConnectionTimeoutMs"`
+  TimezoneScript                  string                            `json:"timezoneScript"`
 }
 
 func (config *ServerConfig) Verify() error {
@@ -51,5 +52,8 @@ func (config *ServerConfig) Verify() error {
   if (config.IdleConnectionTimeoutMs <= 0) {
     config.IdleConnectionTimeoutMs = DEFAULT_IDLE_CONNECTION_TIMEOUT_MS
   }
+  if len(config.TimezoneScript) == 0 {
+    config.TimezoneScript = "/opt/sensoroni/scripts/timezones.sh"
+  }
   return err
 }

config/serverconfig_test.go

@@ -36,4 +36,7 @@ func TestVerifyServer(tester *testing.T) {
   if err != nil {
     tester.Errorf("expected no error")
   }
+  if cfg.TimezoneScript != "/opt/sensoroni/scripts/timezones.sh" {
+    tester.Errorf("Unexpected default timezone script: %s", cfg.TimezoneScript)
+  }
 }

go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/apex/log v1.9.0
 	github.com/elastic/go-elasticsearch/v7 v7.11.0
 	github.com/google/gopacket v1.1.19
+	github.com/google/uuid v1.1.1 // indirect
 	github.com/gorilla/websocket v1.4.2
 	github.com/influxdata/influxdb-client-go/v2 v2.2.3 // indirect
 	github.com/kennygrant/sanitize v1.2.4

html/js/app.js

@@ -62,7 +62,7 @@ $(document).ready(function() {
       elasticVersion: '0.0.0',
       wazuhVersion: '0.0.0',
       papi: null,
-      connectionTimeout: 120000,
+      connectionTimeout: 300000,
       wsConnectionTimeout: 15000,
       socket: null,
       subscriptions: [],
@@ -80,30 +80,171 @@ $(document).ready(function() {
       usersLoadedDate: null,
       cacheRefreshIntervalMs: 300000,
       loadServerSettingsTime: 0,
+      user: null,
+      username: '',
     },
     watch: {
       '$vuetify.theme.dark': 'saveLocalSettings',
     },
     methods: {
+      formatActionContent(content, event, field, value, uriEncode = true) {
+        if (!content) return null;
+
+        content = this.replaceActionVar(content, "eventId", event["soc_id"], uriEncode)
+        content = this.replaceActionVar(content, "field", field, uriEncode)
+        content = this.replaceActionVar(content, "value", value, uriEncode)
+
+        const fields = this.getDynamicActionFieldNames(content);
+        const route = this;
+        if (fields && fields.length > 0) {
+          fields.forEach(function(field) {
+            value = event[field];
+            content = route.replaceActionVar(content, ":" + field, value, uriEncode)
+          });
+        }
+        return content;
+      },
+      performAction(event, action) {
+        if (action && !action.background) return false;
+        const options = action.options ? action.options : { mode: 'no-cors' };
+        options.method = action.method;
+        if (action.method != 'GET') {
+          options.body = action.bodyFormatted;
+        }
+        const route = this;
+        fetch(action.linkFormatted, options)
+        .then(data => {
+          var link = action.backgroundSuccessLinkFormatted;
+          if (link) {
+            if (data.status != null) {
+              link = route.replaceActionVar(link, "responseCode", data.status, true)
+            }
+            if (data.statusText != null) {
+              link = route.replaceActionVar(link, "responseStatus", data.statusText, true)
+            }
+            window.open(link, action.target);
+          } else {
+            route.$root.showTip(route.i18n.actionSuccess + route.$root.localizeMessage(action.name));
+          }
+        })
+        .catch((error) => {
+          console.error('Unable to perform background action: ' + error);
+          var link = action.backgroundFailureLinkFormatted;
+          if (link) {
+            link = route.replaceActionVar(link, "error", error.message, true)
+            window.open(link, action.target);
+          } else {
+            route.$root.showTip(route.i18n.actionFailure + route.$root.localizeMessage(action.name));
+          }
+        });
+      },
+      base64encode(content) {
+        try {
+          content = btoa(content);
+        } catch (e) {
+          console.error("Failed to base64 encode content: " + e);
+        }
+        return content;
+      },
+      escape(content) {
+        if (content.replace) {
+          try {
+            content = content.replace(/\\/g, "\\\\");
+            content = content.replace(/\"/g, "\\\"");
+          } catch (e) {
+            console.error("Failed to escape content: " + e);
+          }
+        }
+        return content
+      },
+      replaceActionVar(content, field, value, uriEncode) {
+        if (value === undefined || value == null) return content;
+
+        var encode = function(input) {
+          if (uriEncode) {
+            return encodeURIComponent(input);
+          }
+          return input;
+        };
+
+        content = content.replace("{" + field + "}", encode(value));
+        content = content.replace("{" + field + "|base64}", encode(this.base64encode(value)));
+        content = content.replace("{" + field + "|escape}", encode(this.escape(value)));
+        content = content.replace("{" + field + "|escape|base64}", encode(this.base64encode(this.escape(value))));
+        return content;
+      },
+      copyToClipboard(data, style) {
+        const buffer = document.getElementById('clipboardBuffer');
+        // Convert entire item into text
+        if (style == 'json') {
+          data = JSON.stringify(data);
+        } else if (style == 'kvp') {
+          var text = "";
+          for (const prop in data) {
+            text += prop + ": " + data[prop] + "\n";
+          }
+          data = text;
+        }
+        buffer.value = data;
+        buffer.select();
+        buffer.setSelectionRange(0, 99999);
+        document.execCommand("copy");
+      },
+      findEligibleActionLinkForEvent(action, event) {
+        if (action && action.links) {
+          for (var idx = 0; idx < action.links.length; idx++) {
+            const link = action.links[idx];
+
+            if (this.isActionLinkEligibleForEvent(link, event)) {
+              return link;
+            }
+          }
+        }
+        return null;
+      },
+      isActionLinkEligibleForEvent(link, event) {
+        var eligible = true;
+        eligible &= (link.indexOf("{eventId}") == -1 || event['soc_id']);
+        const fields = this.getDynamicActionFieldNames(link);
+        if (fields && fields.length > 0) {
+          fields.forEach(function(field) {
+            value = event[field];
+            eligible &= value != undefined && value != null;
+          });
+        }
+        return eligible;
+      },
+      getDynamicActionFieldNames(url) {
+        const fields = [];
+        const matches = url.matchAll(/\{:([@a-zA-Z0-9_.]+?)(\|.*?)?\}/g);
+        for (const match of matches) {
+          if (match.length > 1) {
+            fields.push(match[1]);
+          }
+        }
+        return fields;
+      },
       log(msg) {
         console.log(moment().format() + " | " + msg);
       },
       redirectIfAuthCompleted() {
         if (!location.pathname.startsWith("/login")) {
           destUri = this.getCookie("AUTH_REDIRECT");
-          if (destUri && destUri != "/" && 
-              !destUri.includes(".?v=") && 
-              !destUri.endsWith(".ico") && 
-              !destUri.endsWith(".js") && 
-              !destUri.endsWith(".css") &&
-              !destUri.endsWith(".png") &&
-              !destUri.endsWith(".svg") &&
-              !destUri.endsWith(".jpg") &&
-              !destUri.endsWith(".gif")) {
-            this.log("Redirecting to auth destination: " + destUri);
+          if (destUri) {
             this.deleteCookie("AUTH_REDIRECT");
-            location.pathname = destUri;
-            return true;
+            if (destUri != "/" && 
+                !destUri.includes(".?v=") && 
+                !destUri.endsWith(".ico") && 
+                !destUri.endsWith(".js") && 
+                !destUri.endsWith(".css") &&
+                !destUri.endsWith(".png") &&
+                !destUri.endsWith(".svg") &&
+                !destUri.endsWith(".jpg") &&
+                !destUri.endsWith(".gif")) {
+              this.log("Redirecting to auth destination: " + destUri);
+              location.pathname = destUri;
+              return true;
+            }
           }
         }
         return false;
@@ -122,40 +263,48 @@ $(document).ready(function() {
             this.loadServerSettingsTime = now;
             try {
               const response = await this.papi.get('info');
-              this.version = response.data.version;
-              this.license = response.data.license;
-              this.parameters = response.data.parameters;
-              this.elasticVersion = response.data.elasticVersion;
-              this.wazuhVersion = response.data.wazuhVersion;
+              if (response) {
+                this.version = response.data.version;
+                this.license = response.data.license;
+                this.parameters = response.data.parameters;
+                this.elasticVersion = response.data.elasticVersion;
+                this.wazuhVersion = response.data.wazuhVersion;
+                this.timezones = response.data.timezones;
 
-              if (this.parameterCallback != null) {
-                this.parameterCallback(this.parameters[this.parameterSection]);
-                this.parameterCallback = null;
-              }
-              this.parametersLoaded = true;
-              if (this.parameters.webSocketTimeoutMs > 0) {
-                this.wsConnectionTimeout = this.parameters.webSocketTimeoutMs;
-              }
-              if (this.parameters.apiTimeoutMs > 0) {
-                this.connectionTimeout = this.parameters.apiTimeoutMs;
-              }
-              if (this.parameters.cacheExpirationMs > 0) {
-                this.cacheRefreshIntervalMs = this.parameters.cacheExpirationMs;
-              }
-              if (this.parameters.tipTimeoutMs > 0) {
-                this.tipTimeout = this.parameters.tipTimeoutMs;
-              }
-              if (this.parameters.tools && this.parameters.tools.length > 0) {
-                this.tools = this.parameters.tools;
-                if (this.parameters.inactiveTools) {
-                  const inactive = this.parameters.inactiveTools;
-                  for (var i = 0; i < this.tools.length; i++) {
-                    const tool = this.tools[i];
-                    tool.enabled = !inactive.includes(tool.name);
+                this.user = await this.getUserById(response.data.userId);
+                if (this.user) {
+                  this.username = this.user.email;
+                }
+
+                if (this.parameterCallback != null) {
+                  this.parameterCallback(this.parameters[this.parameterSection]);
+                  this.parameterCallback = null;
+                }
+                this.parametersLoaded = true;
+                if (this.parameters.webSocketTimeoutMs > 0) {
+                  this.wsConnectionTimeout = this.parameters.webSocketTimeoutMs;
+                }
+                if (this.parameters.apiTimeoutMs > 0) {
+                  this.connectionTimeout = this.parameters.apiTimeoutMs;
+                }
+                if (this.parameters.cacheExpirationMs > 0) {
+                  this.cacheRefreshIntervalMs = this.parameters.cacheExpirationMs;
+                }
+                if (this.parameters.tipTimeoutMs > 0) {
+                  this.tipTimeout = this.parameters.tipTimeoutMs;
+                }
+                if (this.parameters.tools && this.parameters.tools.length > 0) {
+                  this.tools = this.parameters.tools;
+                  if (this.parameters.inactiveTools) {
+                    const inactive = this.parameters.inactiveTools;
+                    for (var i = 0; i < this.tools.length; i++) {
+                      const tool = this.tools[i];
+                      tool.enabled = !inactive.includes(tool.name);
+                    }
                   }
                 }
+                this.subscribe("status", this.updateStatus);
               }
-              this.subscribe("status", this.updateStatus);
             } catch (error) {
               if (!background) {
                 // Only show the error on initial startup, otherwise the error