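# Image coordinates. All four can be overridden on the command line
# (`make VERSION=1.2`) or from make_env, which is included below.
# `latest` is a moving tag; pin VERSION when an analysis run needs to be
# reproducible against a known image.
NS ?= accenturecifr
VERSION ?= latest
IMAGE_NAME ?= plaso
CONTAINER_NAME ?= plaso
CONTAINER_INSTANCE ?= default
# Host directory that holds the evidence file; mounted at /data.
# /tmp/ is only a convenience default -- point INPUTDIR at the real
# evidence directory rather than copying artefacts into a shared scratch dir.
INPUTDIR ?= /tmp/
# Host directory that receives storage files, logs and exports; mounted at /output.
OUTPUTDIR ?= /tmp
EVIDENCE_FILE ?= LM_Remote_Service02_7045.evtx
# Recursive (=) on purpose: make_env is included after this line and may
# redefine INPUTDIR/OUTPUTDIR, so the mount flags must expand late.
# /data is mounted read-only: every recipe in this file only reads from
# /data and writes to /output, so :ro costs nothing and keeps the source
# artefact unmodified for later hash verification.
VOLUMES = -v $(INPUTDIR):/data:ro,cached -v $(OUTPUTDIR):/output:cached
# Extra `docker run` arguments (e.g. ENV="-e FOO=bar", PORTS="-p 8080:80").
ENV =
PORTS =
# Docker Hub build-trigger URL used by hub-build. The URL embeds the trigger
# token, so supply it from make_env instead of committing it here.
HUB_URL =
# None of these targets produce a file named after themselves.
.PHONY: build build-nocache hub-build git-push push shell shell-root run start stop rm release \
        test log2timeline psort-analysis psort psort-csv pinfo default
# if make_env exists, include it (local overrides for the variables above)
ifneq ("$(wildcard make_env)", "")
include make_env
endif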
# Build the image from ./Dockerfile and tag it $(NS)/$(IMAGE_NAME):$(VERSION).
build: Dockerfile
	docker build --tag $(NS)/$(IMAGE_NAME):$(VERSION) --file $< .
# Same as `build`, but discard the layer cache so every step is re-executed
# (useful after base-image or package updates that the cache would mask).
build-nocache: Dockerfile
	docker build --no-cache --tag $(NS)/$(IMAGE_NAME):$(VERSION) --file $< .
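# Kick off a remote build by POSTing to the Docker Hub trigger in HUB_URL.
# The URL is refused when empty (curl would otherwise fail with a confusing
# "no URL specified"), and -f makes an HTTP error status fail the target
# instead of being silently reported as success.
hub-build: Dockerfile
	@test -n "$(HUB_URL)" || { echo "hub-build: HUB_URL is not set (define it in make_env)" >&2; exit 1; }
	curl -fsS -H "Content-Type: application/json" --data '{"build": true}' -X POST "$(HUB_URL)"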
# Commit the working tree interactively and push; the push only happens
# when the commit succeeded.
git-push:
	git commit && git push
# Publish the tagged image to the registry behind $(NS).
push:
	docker push $(NS)/$(IMAGE_NAME):$(VERSION)
# Interactive bash in a throw-away container with the evidence/output
# mounts, extra ports and environment from PORTS/VOLUMES/ENV.
shell:
	docker run --rm -it --name $(CONTAINER_NAME)-$(CONTAINER_INSTANCE) \
		$(PORTS) $(VOLUMES) $(ENV) $(NS)/$(IMAGE_NAME):$(VERSION) /bin/bash
# Like `shell`, but as root inside the container. With the host
# directories mounted, files created under /output will typically be
# root-owned on the host, so prefer `shell` unless root is really needed.
shell-root:
	docker run --rm -it -u root --name $(CONTAINER_NAME)-$(CONTAINER_INSTANCE) \
		$(PORTS) $(VOLUMES) $(ENV) $(NS)/$(IMAGE_NAME):$(VERSION) /bin/bash
# Run the image's default command in the foreground; the container is
# removed when it exits.
run:
	docker run --rm --name $(CONTAINER_NAME)-$(CONTAINER_INSTANCE) \
		$(PORTS) $(VOLUMES) $(ENV) $(NS)/$(IMAGE_NAME):$(VERSION)
# Start the image's default command detached; pair with `stop` and `rm`.
start:
	docker run -d --name $(CONTAINER_NAME)-$(CONTAINER_INSTANCE) \
		$(PORTS) $(VOLUMES) $(ENV) $(NS)/$(IMAGE_NAME):$(VERSION)
# Stop the container created by `start`.
stop:
	docker stop $(CONTAINER_NAME)-$(CONTAINER_INSTANCE)
# Remove the (stopped) container created by `start`.
rm:
	docker rm $(CONTAINER_NAME)-$(CONTAINER_INSTANCE)
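# Build, then push the same tag. Uses $(MAKE) so flags, the jobserver and
# -n propagate to the sub-make; a command-line assignment already overrides
# any file-level VERSION, so the former `-e` was unnecessary.
release: build
	$(MAKE) push VERSION=$(VERSION)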
test: psort-analysis psort psort-csv pinfo
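# Extract a Plaso storage file from $(EVIDENCE_FILE) (read from /data) into
# $(OUTPUTDIR)/log2timeline on the host, with a log file beside it.
# The image is now referenced with :$(VERSION) like every other target, so
# a pinned VERSION is honoured here too instead of silently using latest.
# Hashers: md5 stays the default for compatibility with existing output;
# set HASHERS (e.g. HASHERS=sha256 or a comma-separated list) to record
# stronger file hashes for later integrity checks.
log2timeline:
	mkdir -p $(OUTPUTDIR)/log2timeline && \
	docker run --rm $(VOLUMES) $(NS)/$(IMAGE_NAME):$(VERSION) log2timeline.py \
		--artifact_definitions /usr/share/artifacts \
		--data /usr/share/plaso \
		--workers=$$(nproc) \
		--partitions all \
		--vss_stores all \
		--hashers $(or $(HASHERS),md5) \
		--logfile /output/log2timeline/$(EVIDENCE_FILE).plaso.log \
		-q \
		/output/log2timeline/$(EVIDENCE_FILE).plaso /data/$(EVIDENCE_FILE)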
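# Run the tagging/sessionize/windows_services analysis plugins over the
# storage file. Output goes to the null module: the purpose is the analysis
# results written back into the storage file, not an export.
# Image now referenced with :$(VERSION) for consistency with `build`.
psort-analysis:
	mkdir -p $(OUTPUTDIR)/log2timeline && \
	docker run --rm $(VOLUMES) $(NS)/$(IMAGE_NAME):$(VERSION) psort.py \
		-o null \
		--data /usr/share/plaso \
		--tagging-file /usr/share/plaso/tag_windows.txt \
		--analysis tagging,sessionize,windows_services \
		/output/log2timeline/$(EVIDENCE_FILE).plaso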
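# Export the storage file as JSON lines. The previous export is removed
# first because psort refuses to write to an existing -w target.
# Image now referenced with :$(VERSION) for consistency with `build`.
psort:
	rm -f $(OUTPUTDIR)/log2timeline/$(EVIDENCE_FILE).json
	mkdir -p $(OUTPUTDIR)/log2timeline && \
	docker run --rm $(VOLUMES) $(NS)/$(IMAGE_NAME):$(VERSION) psort.py \
		-o json_line \
		-w /output/log2timeline/$(EVIDENCE_FILE).json \
		--logfile /output/log2timeline/$(EVIDENCE_FILE).psort.log \
		-q \
		--status_view none \
		/output/log2timeline/$(EVIDENCE_FILE).plaso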
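# Export the storage file in l2tcsv format. Mirrors `psort`: the previous
# export is removed first so a re-run does not fail on the existing -w file.
# Image now referenced with :$(VERSION) for consistency with `build`.
psort-csv:
	rm -f $(OUTPUTDIR)/log2timeline/$(EVIDENCE_FILE).csv
	mkdir -p $(OUTPUTDIR)/log2timeline && \
	docker run --rm $(VOLUMES) $(NS)/$(IMAGE_NAME):$(VERSION) psort.py \
		-o l2tcsv \
		-w /output/log2timeline/$(EVIDENCE_FILE).csv \
		/output/log2timeline/$(EVIDENCE_FILE).plaso \
		--logfile /output/log2timeline/$(EVIDENCE_FILE).psort-csv.log \
		--status_view none \
		-q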
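# Dump storage-file metadata as JSON. The previous dump is removed first,
# matching the other export targets, so a re-run always produces a fresh file.
# Image now referenced with :$(VERSION) for consistency with `build`.
pinfo:
	rm -f $(OUTPUTDIR)/log2timeline/$(EVIDENCE_FILE)-pinfo.json
	mkdir -p $(OUTPUTDIR)/log2timeline && \
	docker run --rm $(VOLUMES) $(NS)/$(IMAGE_NAME):$(VERSION) pinfo.py \
		--output_format json \
		-w /output/log2timeline/$(EVIDENCE_FILE)-pinfo.json \
		/output/log2timeline/$(EVIDENCE_FILE).plaso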
default: build