This repository has been archived by the owner on Oct 14, 2024. It is now read-only.

feat: yara support (#638)
* feat(api): malware rule name to support yara

* feat: yara support

* fix: typo in debug message

* update temp file path

* fix: yara rule metadata parser

* update comments

* fix: field separator

* minor fixes

* deploy yara-rule-server with docker compose

* feat: add yara config

* updated aws installer

* updated gcp installer

* allow access to yara server

* docs: update

* fix: aws installer

* fix aws installer

* add yara-rule-server into azure installer

* fix lint errors

* update doc

* fix: yara-rule-server config name

* fix missing header

* fix makefile

* add yara to malware scanner list

* installer: use 9993 port for yara rule server

* review

* fix lint

* move pointerToStringOrNil to utils

* review

* update vmclarity-tool-base

* remove debug message

* fix merge failure

* fix select

* fix error wrapping

* update docker compose file for fix e2e test

* update installers

* updates based on review

* add ruleName to MalwareKey

* fix: ruleName in malwareKey and select

* fix(install): missing new line

* use ValueOrZero instead of StringPointerValOrEmpty
pbalogh-sa authored Sep 19, 2023
1 parent 7263406 commit 32adb9d
Showing 39 changed files with 1,032 additions and 179 deletions.
2 changes: 1 addition & 1 deletion Dockerfile.cli
@@ -1,5 +1,5 @@
# syntax=docker/dockerfile:1.2
ARG VMCLARITY_TOOLS_BASE=ghcr.io/openclarity/vmclarity-tools-base:v0.3.0@sha256:c592419f5f3f184909363e080b01aea5deef63374b856aed74334afa3bdef793
ARG VMCLARITY_TOOLS_BASE=ghcr.io/openclarity/vmclarity-tools-base:v0.4.0@sha256:8431af10930dddadaf7365e8610ac8f8f62dd4be01928dba6bc16d50f152a12b
FROM --platform=$BUILDPLATFORM golang:1.21.1-alpine AS builder

RUN apk add --update --no-cache ca-certificates git
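Review bot: the base image bump to v0.4.0 is digest-pinned, which is good, but nothing in the commit message says what changed in that image; since the scanner now shells out to a yara binary (`YARA_BINARY_PATH`), state in the message that v0.4.0 is the first tools-base image that ships it, so the bump and the feature are not separated in a later cherry-pick.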
2 changes: 1 addition & 1 deletion api/models/families.go
@@ -88,7 +88,7 @@ func (c *MalwareConfig) GetScannersList() []string {
return *c.Scanners
}

return []string{"clam"}
return []string{"clam", "yara"}
}

func (c *ExploitsConfig) IsEnabled() bool {
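Review bot: changing the default to `[]string{"clam", "yara"}` turns yara on for every MalwareConfig that omits `scanners`, so existing deployments start depending on `YARA_BINARY_PATH` and `YARA_RULE_SERVER_ADDRESS` without having set them; either keep the default at `clam` and let users opt in, or make the yara scanner fail with a clear error when the rule server address is unset, and say so in the docs table, whose new rows are currently empty.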
6 changes: 4 additions & 2 deletions api/models/models.gen.go

Some generated files are not rendered by default.

2 changes: 2 additions & 0 deletions api/openapi.yaml
@@ -2482,6 +2482,8 @@ components:
type: string
malwareType:
$ref: '#/components/schemas/MalwareType'
ruleName:
type: string
path:
type: string
description: Path of the file that contains malware
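Review bot: the new `ruleName` property has no `description`, unlike the neighbouring `path` field; add one stating which scanner populates it and what value it carries (the name of the matching yara rule), because the commit message also adds `ruleName` to MalwareKey, so the field now takes part in finding identity and its semantics should be pinned down in the schema.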
226 changes: 113 additions & 113 deletions api/server/server.gen.go

Large diffs are not rendered by default.

10 changes: 6 additions & 4 deletions docs/configuration.md
@@ -8,13 +8,15 @@
| `SCANNER_CONTAINER_IMAGE` | | | |
| `GITLEAKS_BINARY_PATH` | | | |
| `CLAM_BINARY_PATHCLAM_BINARY_PATH` | | | |
| `YARA_BINARY_PATH` | | | |
| `FRESHCLAM_BINARY_PATH` | | | |
| `ALTERNATIVE_FRESHCLAM_MIRROR_URL` | | | |
| `LYNIS_INSTALL_PATH` | | | |
| `SCANNER_VMCLARITY_BACKEND_ADDRESS` | | | |
| `EXPLOIT_DB_ADDRESS` | | | |
| `TRIVY_SERVER_ADDRESS` | | | |
| `TRIVY_SERVER_TIMEOUT` | | | |
| `YARA_RULE_SERVER_ADDRESS` | | | |
| `GRYPE_SERVER_ADDRESS` | | | |
| `GRYPE_SERVER_TIMEOUT` | | | |
| `CHKROOTKIT_BINARY_PATH` | | | |
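Review bot: the two new rows `YARA_BINARY_PATH` and `YARA_RULE_SERVER_ADDRESS` leave the Required, Default and Description columns blank; at least state that the address is the base URL of the yara-rule-server (the installers in this commit set it to `http://<controlplane host>:9993`) and that the binary path is needed whenever `yara` is in the malware scanner list. The unchanged context line `CLAM_BINARY_PATHCLAM_BINARY_PATH` just above looks like a pre-existing copy-paste error worth fixing while this table is being touched.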
@@ -23,10 +25,10 @@
| `SCAN_POLLING_INTERVAL` | | | |
| `SCAN_RECONCILE_TIMEOUT` | | | |
| `SCAN_TIMEOUT` | | | |
| `ASSET_SCAN_POLLING_INTERVAL` | | | |
| `ASSET_SCAN_RECONCILE_TIMEOUT` | | | |
| `ASSET_SCAN_PROCESSOR_POLLING_INTERVAL` | | | |
| `ASSET_SCAN_PROCESSOR_RECONCILE_TIMEOUT` | | | |
| `ASSET_SCAN_POLLING_INTERVAL` | | | |
| `ASSET_SCAN_RECONCILE_TIMEOUT` | | | |
| `ASSET_SCAN_PROCESSOR_POLLING_INTERVAL` | | | |
| `ASSET_SCAN_PROCESSOR_RECONCILE_TIMEOUT` | | | |
| `DISCOVERY_INTERVAL` | | | |
| `CONTROLLER_STARTUP_DELAY` | | | |
| `PROVIDER` | **yes** | `aws` | Provider used for Asset discovery and scans |
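Review bot: the four `ASSET_SCAN_*` rows are deleted and re-added with no visible change, so this is whitespace or column-alignment churn; drop it from the commit or move it to a separate formatting change so the diff stays about yara support.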
67 changes: 67 additions & 0 deletions installation/aws/VmClarity.cfn
@@ -227,6 +227,10 @@ Resources:
# Create directory for trivy server
/usr/bin/mkdir -p /opt/trivy-server

# Create directory required for yara-rule-server
/usr/bin/mkdir -p /opt/yara-rule-server
/usr/bin/chown -R 1000:1000 /opt/yara-rule-server

# Enable and start/restart VMClarity backend
systemctl enable vmclarity.service
systemctl restart vmclarity.service
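Review bot: `/opt/yara-rule-server` gets `chown -R 1000:1000`, which implies the container runs as uid 1000 and needs write access to the bind mount, yet the Azure installer in this same commit creates the directory without the chown; either the chown is unnecessary here or the Azure deployment will fail to persist downloaded rules. Align the two installers and add a comment saying why 1000:1000.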
@@ -382,6 +386,27 @@ Resources:
restart_policy:
condition: on-failure

yara-rule-server:
image: ${YaraRuleServerContainerImage}
command:
- run
ports:
- "9993:8080"
configs:
- source: yara_rule_server_config
target: /etc/yara-rule-server/config.yaml
volumes:
- type: bind
source: /opt/yara-rule-server
target: /var/lib/yara-rule-server
logging:
driver: journald
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: on-failure

postgresql:
image: ${PostgresqlContainerImage}
env_file: ./postgres.env
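Review bot: the service is started with `command: [run]` and the config is mounted at `/etc/yara-rule-server/config.yaml`, but no config path is passed, so confirm that is the binary's default location or the file is ignored silently. Also `ports: "9993:8080"` publishes the rule server on every host interface; that is acceptable here only because the new `VmClarityServerSecurityGroupScannerIngressToYaraRuleServer` rule scopes 9993 to the scanner security group, so add a comment tying the two together.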
@@ -410,6 +435,8 @@ Resources:
file: ./gateway.conf
swagger_config:
file: ./swagger-config.json
yara_rule_server_config:
file: ./yara-rule-server.yaml

- APIServerContainerImage: !If [ APIServerContainerImageOverridden, !Ref APIServerContainerImageOverride, "ghcr.io/openclarity/vmclarity-apiserver:latest" ]
OrchestratorContainerImage: !If [ OrchestratorContainerImageOverridden, !Ref OrchestratorContainerImageOverride, "ghcr.io/openclarity/vmclarity-orchestrator:latest" ]
@@ -418,6 +445,7 @@ Resources:
ExploitDBServerContainerImage: !If [ExploitDBServerContainerImageOverridden, !Ref ExploitDBServerContainerImageOverride, "ghcr.io/openclarity/exploit-db-server:v0.2.3"]
TrivyServerContainerImage: !If [TrivyServerContainerImageOverridden, !Ref TrivyServerContainerImageOverride, "docker.io/aquasec/trivy:0.41.0"]
GrypeServerContainerImage: !If [GrypeServerContainerImageOverridden, !Ref GrypeServerContainerImageOverride, "ghcr.io/openclarity/grype-server:v0.5.0"]
YaraRuleServerContainerImage: !If [YaraRuleServerContainerImageOverridden, !Ref YaraRuleServerContainerImageOverride, "ghcr.io/openclarity/yara-rule-server:v0.1.0"]
FreshclamMirrorContainerImage: !If [FreshclamMirrorContainerImageOverridden, !Ref FreshclamMirrorContainerImageOverride, "ghcr.io/openclarity/freshclam-mirror:v0.2.0"]
PostgresqlContainerImage: !If [PostgresqlContainerImageOverridden, !Ref PostgresqlContainerImageOverride, "bitnami/postgresql:12.14.0-debian-11-r28"]

@@ -463,6 +491,8 @@ Resources:
GRYPE_SERVER_ADDRESS=__CONTROLPLANE_HOST__:9991
# FreshClam mirror URL
ALTERNATIVE_FRESHCLAM_MIRROR_URL=http://__CONTROLPLANE_HOST__:1000/clamav
# Yara rule server address
YARA_RULE_SERVER_ADDRESS=http://__CONTROLPLANE_HOST__:9993
# Resource cleanup policy
DELETE_JOB_POLICY=${AssetScanDeletePolicy}
# Provider to use
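Review bot: `YARA_RULE_SERVER_ADDRESS` carries an `http://` scheme while the neighbouring `GRYPE_SERVER_ADDRESS` is a bare host:port; make the expected form explicit in docs/configuration.md so operators do not guess. Rules travel over plain HTTP inside the VPC here, which is fine only while the port stays restricted to the scanner security group; worth a one-line comment next to the setting.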
@@ -508,6 +538,19 @@ Resources:
# COMPOSE_PROFILES=
mode: "000644"

"/etc/vmclarity/yara-rule-server.yaml":
content: |
enable_json_log: true
rule_update_schedule: "0 0 * * *"
rule_sources:
- name: "base"
url: "https://github.com/Yara-Rules/rules/archive/refs/heads/master.zip"
exclude_regex: ".*index.*.yar|.*/utils/.*|.*/deprecated/.*|.*index_.*|.*MALW_AZORULT.yar"
- name: "magic"
url: "https://github.com/securitymagic/yara/archive/refs/heads/main.zip"
exclude_regex: ".*index.*.yar"
mode: "000644"

"/etc/vmclarity/postgres.env":
content:
Fn::Sub: |
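Review bot: both rule sources are branch archives (`master.zip`, `main.zip`) of third-party GitHub repositories, re-downloaded daily by `rule_update_schedule`, with no pinned commit, checksum or signature, so the rule set that decides what is reported as malware can change without anyone on the project reviewing it; pin to a tag or commit, or at least document this as an operator-accepted risk and point to `rule_sources` as the override. The `.*MALW_AZORULT.yar` exclusion has no comment explaining why that single rule is dropped. The same block is duplicated verbatim in installation/azure/vmclarity-install.sh; one shared file would stop the two from drifting.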
@@ -674,6 +717,17 @@ Resources:
FromPort: 1000
ToPort: 1000
SourceSecurityGroupId: !Ref VmClarityScannerSecurityGroup
# Allow the Scanner VMs in the VmClarityScannerSecurityGroup to access the
# Yara Rule Server on port 9993 by adding an ingress rule to the
# VmClarityServerSecurityGroup.
VmClarityServerSecurityGroupScannerIngressToYaraRuleServer:
Type: "AWS::EC2::SecurityGroupIngress"
Properties:
GroupId: !Ref VmClarityServerSecurityGroup
IpProtocol: tcp
FromPort: 9993
ToPort: 9993
SourceSecurityGroupId: !Ref VmClarityScannerSecurityGroup

# Create an Internet Gateway to allow VMClarityServer to talk to the internet
# and the internet to talk to it for SSH/HTTP.
@@ -1077,6 +1131,12 @@ Parameters:
"ghcr.io/openclarity/grype-server:v0.5.0" will be used if not overridden.
Type: String
Default: ''
YaraRuleServerContainerImageOverride:
Description: >
Name of the container image used for the yara rule server.
"ghcr.io/openclarity/yara-rule-server:v0.1.0" will be used if not overridden.
Type: String
Default: ''
ExploitDBServerContainerImageOverride:
Description: >
Name of the container image used for the exploit db server.
@@ -1162,6 +1222,7 @@ Metadata:
- ScannerContainerImageOverride
- TrivyServerContainerImageOverride
- GrypeServerContainerImageOverride
- YaraRuleServerContainerImageOverride
- ExploitDBServerContainerImageOverride
- PostgresqlContainerImageOverride
- FreshclamMirrorContainerImageOverride
@@ -1185,6 +1246,8 @@ Metadata:
default: Trivy Server Container Image Override
GrypeServerContainerImageOverride:
default: Grype Server Container Image Override
YaraRuleServerContainerImageOverride:
default: Yara Rule Server Container Image Override
ExploitDBServerContainerImageOverride:
default: Exploit DB Server Container Image Override
FreshclamMirrorContainerImageOverride:
@@ -1307,6 +1370,10 @@ Conditions:
- !Equals
- !Ref GrypeServerContainerImageOverride
- ''
YaraRuleServerContainerImageOverridden: !Not
- !Equals
- !Ref YaraRuleServerContainerImageOverride
- ''
ExploitDBServerContainerImageOverridden: !Not
- !Equals
- !Ref ExploitDBServerContainerImageOverride
17 changes: 17 additions & 0 deletions installation/azure/vmclarity-UI.json
@@ -263,6 +263,22 @@
"infoMessages": [],
"visible": true
},
{
"name": "yaraRuleServerContainerImage",
"type": "Microsoft.Common.TextBox",
"label": "Yara Rule Server Container Image",
"subLabel": "",
"defaultValue": "ghcr.io/openclarity/yara-rule-server:v0.1.0",
"toolTip": "Yara Rule Server Container Image",
"constraints": {
"required": false,
"regex": "",
"validationMessage": "",
"validations": []
},
"infoMessages": [],
"visible": true
},
{
"name": "assetScanDeletePolicy",
"type": "Microsoft.Common.DropDown",
@@ -470,6 +486,7 @@
"grypeServerContainerImage": "[steps('advanced').grypeServerContainerImage]",
"exploitDBContainerImage": "[steps('advanced').exploitDBContainerImage]",
"freshclamMirrorContainerImage": "[steps('advanced').freshclamMirrorContainerImage]",
"yaraRuleServerContainerImage": "[steps('advanced').yaraRuleServerContainerImage]",
"assetScanDeletePolicy": "[steps('advanced').assetScanDeletePolicy]",
"databaseToUse": "[steps('advanced').databaseSection.databaseToUse]",
"postgresContainerImage": "[steps('advanced').databaseSection.postgresContainerImage]",
39 changes: 39 additions & 0 deletions installation/azure/vmclarity-install.sh
@@ -81,12 +81,28 @@ systemctl daemon-reload
# Create directory for trivy server
/usr/bin/mkdir -p /opt/trivy-server
# Create directory for yara rule server
/usr/bin/mkdir -p /opt/yara-rule-server
# Enable and start/restart VMClarity backend
systemctl enable vmclarity.service
systemctl restart vmclarity.service
EOF
chmod 744 /etc/vmclarity/deploy.sh

cat << 'EOF' > /etc/vmclarity/yara-rule-server.yaml
enable_json_log: true
rule_update_schedule: "0 0 * * *"
rule_sources:
- name: "base"
url: "https://github.com/Yara-Rules/rules/archive/refs/heads/master.zip"
exclude_regex: ".*index.*.yar|.*/utils/.*|.*/deprecated/.*|.*index_.*|.*MALW_AZORULT.yar"
- name: "magic"
url: "https://github.com/securitymagic/yara/archive/refs/heads/main.zip"
exclude_regex: ".*index.*.yar"
EOF
chmod 644 /etc/vmclarity/yara-rule-server.yaml

cat << 'EOF' > /etc/vmclarity/orchestrator.env
PROVIDER=Azure
VMCLARITY_AZURE_SUBSCRIPTION_ID=__AZURE_SUBSCRIPTION_ID__
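Review bot: `/usr/bin/mkdir -p /opt/yara-rule-server` is created without the `chown -R 1000:1000` that the AWS template applies to the same directory; if the container runs as uid 1000, the bind mount at `/var/lib/yara-rule-server` will be unwritable for it on Azure and rule updates will fail. Add the chown with a comment, or drop it from the AWS template, so the two installers agree.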
@@ -261,6 +277,27 @@ services:
restart_policy:
condition: on-failure
yara-rule-server:
image: __YaraRuleServerContainerImage__
command:
- run
ports:
- "9993:8080"
configs:
- source: yara_rule_server_config
target: /etc/yara-rule-server/config.yaml
volumes:
- type: bind
source: /opt/yara-rule-server
target: /var/lib/yara-rule-server
logging:
driver: journald
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: on-failure
postgresql:
image: __PostgresqlContainerImage__
env_file: ./postgres.env
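Review bot: `9993:8080` is published on the host, and the AWS template pairs that with a security-group ingress rule limited to the scanner VMs; nothing in this file shows the Azure equivalent (a network security group rule allowing 9993 only from the scanner subnet), so confirm it exists in the ARM template, otherwise the rule server is exposed on whatever interface the VM has. Same question as on AWS: does `run` read `/etc/yara-rule-server/config.yaml` without a config flag?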
@@ -289,6 +326,8 @@ configs:
file: ./gateway.conf
swagger_config:
file: ./swagger-config.json
yara_rule_server_config:
file: ./yara-rule-server.yaml
EOF

cat << 'EOF' > /etc/vmclarity/swagger-config.json

0 comments on commit 32adb9d
