
zeek: add zeek module and fix zeekctl to deploy it. #86494

Open: wants to merge 13 commits into base: master from
Conversation

@GTrunSec (Contributor) commented May 1, 2020

Motivation for this change

Re-open of PR #86435.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.
GTrunSec added 2 commits May 1, 2020
@GTrunSec (Contributor, Author) commented May 1, 2020

  • Test services.zeek setting:
  services.zeek = {
    enable = true;
    standalone = true;
    interface = "eno1";
    listenAddress = "localhost";
    privateScript = ''
    @load /home/gtrun/project/hardenedlinux-zeek-script/scripts/zeek-query.zeek
    '';
  };
  • sudo systemctl status zeek.service
● zeek.service
   Loaded: loaded (/nix/store/w4sr0hzjsnj38sd3x3znm2i9043w1yxx-zeek.service/zeek.service; linked; vendor preset: enabled)
   Active: active (running) since Sat 2020-05-02 00:00:29 EDT; 1min 10s ago
  Process: 12297 ExecStartPre=/nix/store/kgp3vq8l9yb8mzghbw83kyr3f26yqvsz-bash-4.4-p23/bin/bash /nix/store/bibwqxc59ggqsl06lplng7wcfswgyv
 Main PID: 12320 (bash)
   CGroup: /user.slice/user-1000.slice/user@1000.service/zeek.service
           ├─12320 /nix/store/kgp3vq8l9yb8mzghbw83kyr3f26yqvsz-bash-4.4-p23/bin/bash /nix/store/zrnjfvn6hs93ri346n5s6zwndbs8chnn-zeek-one
           ├─12384 /nix/store/kgp3vq8l9yb8mzghbw83kyr3f26yqvsz-bash-4.4-p23/bin/bash /var/lib/zeek/scripts/run-zeek -1 -i enp0s3 -U .stat
           ├─12390 /nix/store/vh1f9s48sjaw0i0fy1d5bq01ggb5j1l1-zeek-3.0.5/bin/zeek -i enp0s3 -U .status -p zeekctl -p zeekctl-live -p sta
           └─12418 sleep infinity
  • PATH / env_vars check:

==== .cmdline
-i enp0s3 -U .status -p zeekctl -p zeekctl-live -p standalone -p local -p zeek local.zeek zeekctl zeekctl/standalone zeekctl/auto

==== .env_vars
PATH=/nix/store/vh1f9s48sjaw0i0fy1d5bq01ggb5j1l1-zeek-3.0.5/bin:/var/lib/zeek/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/home/test/.nix-profile/bin/
ZEEKPATH=/var/lib/zeek/spool/installed-scripts-do-not-touch/site::/var/lib/zeek/spool/installed-scripts-do-not-touch/auto:/nix/store/vh1f9s48sjaw0i0fy1d5bq01ggb5j1l1-zeek-3.0.5/share/zeek:/nix/store/vh1f9s48sjaw0i0fy1d5bq01ggb5j1l1-zeek-3.0.5/share/zeek/policy:/nix/store/vh1f9s48sjaw0i0fy1d5bq01ggb5j1l1-zeek-3.0.5/share/zeek/site
CLUSTER_NODE=

==== .status
RUNNING [net_run]
@GTrunSec (Contributor, Author) commented May 2, 2020

@tobim @marsam @pSub. Sorry, I cannot deploy zeekctl on NixOS. I still get an error output like this:
Error: cannot create working directory for zeek (https://github.com/zeek/zeekctl/blob/7e65a34905ec9684c442da5f737fe75beb94aae6/ZeekControl/control.py#L175)

If you have time, do a PR test or debug this issue. I am really confused about what happened with this error output. I can deploy it and it works well on other Linux distributions that have nix installed.

@tobim (Contributor) commented May 2, 2020

@GTrunSec I appreciate that you put so much work into that. I hope to be able to free up some time to help debug this during the next couple of days.

I suspect the error you get is a result of zeekctl trying to create a folder in the PREFIX where zeek is installed, which in case of nixos is in the store, which is mounted read-only by default.

@GTrunSec (Contributor, Author) commented May 2, 2020

@tobim First of all, thank you so much for helping me debug it.

I think the issue is that spool/zeek could not be created.

invalid spool/zeek hardlink to logs/current

It did not generate the zeek directory under the spool dir.

  • Let us look at what the zeekctl test does.

# Create Zeek's working directory, chdir to that dir, and create rotated logs
mkdir $ZEEKCTL_INSTALL_PREFIX/spool/zeek
cd $ZEEKCTL_INSTALL_PREFIX/spool/zeek
cat > ${origtestlog} << EOF
This is a test zeekctltest.log
EOF

  • Start process.

# verify that these files don't already exist before the start command runs
test ! -e $ZEEKCTL_INSTALL_PREFIX/spool/zeek
test ! -e $ZEEKCTL_INSTALL_PREFIX/spool/stats.log
zeekctl start > start.out
# the start command creates some files (these are NOT created by zeek itself)
while read line; do
    test -e $ZEEKCTL_INSTALL_PREFIX/$line
done << EOF
spool/zeek/.cmdline
spool/zeek/.env_vars
spool/zeek/.pid
spool/zeek/.startup
spool/zeek/stderr.log
spool/zeek/stdout.log
EOF

  • On Debian I got all of the expected output here: a valid zeek directory and hard link.
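The zeekctl test quoted above, and the .cmdline/.env_vars/.status inspection in the earlier comment, amount to a post-start audit of the spool/zeek directory. The script below is an added example, not code from this PR, from zeekctl or from Zeek: it checks that the files zeekctl's test expects are present, that .status reports RUNNING, and that every directory on PATH and ZEEKPATH in .env_vars exists and is not group/world-writable. The last check matters because Zeek here runs as root and resolves @load names through ZEEKPATH; note the empty "::" entry in the thread's ZEEKPATH, which makes Zeek search the current directory. The expected file names are taken from the thread; the directory layout is assumed to be zeekctl's.

```shell
#!/bin/sh
# Added example (not from the PR, zeekctl or Zeek): audit a zeekctl-style
# spool/zeek directory after `zeekctl start` (or the NixOS unit's pre-start).
#  1. the files zeekctl's test expects `start` to create are present
#  2. .status reports RUNNING
#  3. every PATH/ZEEKPATH entry in .env_vars exists and is not group/world
#     writable; an empty entry ("::") means the current directory and is flagged

# File names taken from the zeekctl test quoted in the thread.
EXPECTED_FILES=".cmdline .env_vars .pid .startup stderr.log stdout.log"

# check_spool_files DIR: print each missing file; return 1 if any is missing.
check_spool_files() {
    _missing=0
    for f in $EXPECTED_FILES; do
        if [ ! -e "$1/$f" ]; then
            echo "missing: $1/$f"
            _missing=1
        fi
    done
    return $_missing
}

# status_running DIR: succeed only if .status starts with RUNNING.
status_running() {
    grep -q '^RUNNING' "$1/.status" 2>/dev/null
}

# env_var_value DIR NAME: print NAME's value from .env_vars (empty if unset).
env_var_value() {
    sed -n "s/^$2=//p" "$1/.env_vars"
}

# dir_is_unsafe PATH: succeed if PATH is missing, not a directory, or writable
# by group or others (positions 6 and 9 of the `ls -l` mode string).
dir_is_unsafe() {
    [ -d "$1" ] || return 0
    _mode=$(ls -ldL "$1" | cut -c1-10)
    case $_mode in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# check_search_paths DIR: print unsafe PATH/ZEEKPATH entries; return 1 if any.
check_search_paths() {
    _bad=0
    for var in PATH ZEEKPATH; do
        _val=$(env_var_value "$1" "$var")
        [ -n "$_val" ] || continue
        # one entry per line; "::" in the value yields an empty line
        while IFS= read -r entry; do
            if [ -z "$entry" ]; then
                echo "$var: empty entry (current directory is searched)"
                _bad=1
            elif dir_is_unsafe "$entry"; then
                echo "$var: unsafe entry $entry"
                _bad=1
            fi
        done <<EOF
$(printf '%s\n' "$_val" | tr ':' '\n')
EOF
    done
    return $_bad
}

# audit_spool DIR: run all checks; return 0 only if everything passes.
audit_spool() {
    _rc=0
    check_spool_files "$1" || _rc=1
    status_running "$1" || { echo "zeek not RUNNING according to $1/.status"; _rc=1; }
    check_search_paths "$1" || _rc=1
    return $_rc
}

# Run against a real spool directory when ZEEK_SPOOL_DIR is set, e.g.
#   ZEEK_SPOOL_DIR=/var/lib/zeek/spool/zeek sh audit-zeek-spool.sh
if [ -n "${ZEEK_SPOOL_DIR:-}" ]; then
    audit_spool "$ZEEK_SPOOL_DIR"
fi
```

The mode-string check follows symlinks (ls -L), so a store path reached through a symlink is judged by the target. A world-writable directory on PATH is a problem for the run-zeek wrapper as well as for Zeek itself, since the wrapper resolves zeek and other helpers through the same PATH.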
GTrunSec added 2 commits May 2, 2020
@GTrunSec (Contributor, Author) commented May 3, 2020

I cannot even deploy the standalone mode of a Zeek installed outside the nix-store on NixOS.

@tobim If you can deploy it, with or without the nix-store, please let me know. (I am sure that no dynamic files will be generated in the nix-store.) Also, you can check the config file at /var/lib/zeek/spool/zeekctl-config.sh. All of the dynamic file options have been moved to the /var/lib/zeek path.

@tobim (Contributor) commented May 3, 2020

It looks like zeekctl is trying to run ['mkdir', '-p', '/var/lib/zeek/spool/zeek'] through ssh, as if the host IP belongs to a worker node, even when using type=standalone in node.cfg.

@GTrunSec (Contributor, Author) commented May 4, 2020

@tobim

  • I have no idea how to fix this issue in zeekctl.

If we cannot solve the zeekctl problem when running on NixOS (sandbox mode), I am going to write a systemd unit for Zeek on NixOS that runs it with the interface arguments, instead of using zeekctl to deploy it.

  • Another solution, deploying without zeekctl:
  • systemd WorkingDirectory /var/lib/zeek/logs
../scripts/run-zeek -1 -i eno1 -U .status -p zeekctl -p zeekctl-live -p standalone -p local -p zeek local.zeek zeekctl zeekctl/standalone zeekctl/auto

@GTrunSec (Contributor, Author) commented May 8, 2020

@tobim @marsam @pSub. Ready for the maintainers to test; everything works.
Zeek module test setting:

services.zeek = {
  enable = true;
  standalone = true;
  interface = "eno1";
  listenAddress = "localhost";
  privateScript = ''
  @load /home/gtrun/project/hardenedlinux-zeek-script/scripts/zeek-query.zeek
  '';
};
  • Check privateScript loading status:
more /var/lib/zeek/logs/current/loaded_scripts.log      
  /home/gtrun/project/hardenedlinux-zeek-script/scripts/zeek-query.zeek
/nix/store/g4al63qrpx8ckf6bkimam6w3wps1imav-zeek-3.0.5/share/zeek/zeekctl/standalone.zeek
  /var/lib/zeek/spool/installed-scripts-do-not-touch/auto/standalone-layout.zeek
  /nix/store/g4al63qrpx8ckf6bkimam6w3wps1imav-zeek-3.0.5/share/zeek/policy/misc/trim-trace-file.zeek
/nix/store/g4al63qrpx8ckf6bkimam6w3wps1imav-zeek-3.0.5/share/zeek/zeekctl/auto.zeek
  /var/lib/zeek/spool/installed-scripts-do-not-touch/auto/local-networks.zeek
  • sudo systemctl status zeek.service
zeek.service - Zeek Daemon
     Loaded: loaded (/nix/store/nal9g7ih8idk27pajvdxbbid4y18mgsc-unit-zeek.service/zeek.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2020-05-07 20:07:36 PDT; 1min 6s ago
    Process: 7985 ExecStartPre=/nix/store/xcs2xvn398hgsp0gz3slhlv02qljnhm0-unit-script-zeek-pre-start (code=exited, status=0/SUCCESS)
   Main PID: 8034 (bash)
         IP: 0B in, 0B out
      Tasks: 18 (limit: 4915)
     Memory: 82.4M
        CPU: 18.158s
     CGroup: /system.slice/zeek.service
             ├─8034 /nix/store/kgp3vq8l9yb8mzghbw83kyr3f26yqvsz-bash-4.4-p23/bin/bash /nix/store/zkrr30qd8acjdnwk89gp3fa6jjss4rdg-zeek-o>
             ├─8148 /nix/store/kgp3vq8l9yb8mzghbw83kyr3f26yqvsz-bash-4.4-p23/bin/bash /var/lib/zeek/scripts/run-zeek -1 -i eno1 -U .stat>
             └─8158 /nix/store/g4al63qrpx8ckf6bkimam6w3wps1imav-zeek-3.0.5/bin/zeek -i eno1 -U .status -p zeekctl -p zeekctl-live -p sta>

May 07 20:07:36 nixos bash[8042]: generating standalone-layout.zeek ...
May 07 20:07:36 nixos bash[8042]: generating local-networks.zeek ...
May 07 20:07:36 nixos bash[8042]: generating zeekctl-config.zeek ...
May 07 20:07:36 nixos bash[8042]: generating zeekctl-config.sh ...
May 07 20:07:36 nixos bash[8148]: max memory size         (kbytes, -m) unlimited
May 07 20:07:36 nixos bash[8148]: data seg size           (kbytes, -d) unlimited
May 07 20:07:36 nixos bash[8148]: virtual memory          (kbytes, -v) unlimited
May 07 20:07:36 nixos bash[8148]: core file size          (blocks, -c) unlimited
May 07 20:07:36 nixos bash[8158]: listening on eno1
May 07 20:07:46 nixos bash[8158]: 1588907266.826376 warning in /nix/store/g4al63qrpx8ckf6bkimam6w3wps1imav-zeek-3.0.5/share/zeek/base/mi
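The loaded_scripts.log excerpt above shows a script from a home directory (the privateScript @load) being pulled into a Zeek that runs as root, next to scripts from the read-only Nix store and zeekctl's installed-scripts-do-not-touch directory. The script below is an added example, not code from this PR or from Zeek: it reads a loaded_scripts.log, or the text of the privateScript option, and reports every absolute script path outside an allowlist of trusted locations. The allowlist is an assumption built from the two trusted prefixes seen in the thread, and the sample log is constructed from the paths the thread shows.

```shell
#!/bin/sh
# Added example (not from the PR or Zeek): report scripts that Zeek loaded, or
# that a privateScript would @load, from outside trusted, root-owned locations.
# Zeek runs as root here, so a script loaded from a user-writable path is
# effectively root code chosen by whoever can write that path.

# Assumed allowlist: the read-only Nix store and the directory zeekctl
# generates. Extend it for your site (e.g. a root-owned directory under /etc).
TRUSTED_PREFIXES="/nix/store/ /var/lib/zeek/spool/installed-scripts-do-not-touch/"

# is_trusted PATH: succeed if PATH starts with one of TRUSTED_PREFIXES.
is_trusted() {
    for prefix in $TRUSTED_PREFIXES; do
        case $1 in "$prefix"*) return 0 ;; esac
    done
    return 1
}

# loaded_scripts LOG: print one loaded script path per line. Zeek's ASCII log
# header/footer lines start with '#', and nested @loads are indented.
loaded_scripts() {
    grep -v '^#' "$1" | sed 's/^[[:space:]]*//' | grep -v '^$'
}

# untrusted_scripts LOG: print loaded scripts outside the allowlist;
# return 1 if there is at least one.
untrusted_scripts() {
    _found=0
    while IFS= read -r script; do
        [ -n "$script" ] || continue
        if ! is_trusted "$script"; then
            echo "$script"
            _found=1
        fi
    done <<EOF
$(loaded_scripts "$1")
EOF
    return $_found
}

# untrusted_loads_in_config TEXT: the same check before deployment, applied to
# the @load lines of a privateScript body. Only absolute targets are checked;
# relative names (e.g. policy/misc/trim-trace-file) resolve through ZEEKPATH.
untrusted_loads_in_config() {
    _found=0
    while IFS= read -r target; do
        case $target in
            /*) if ! is_trusted "$target"; then echo "$target"; _found=1; fi ;;
        esac
    done <<EOF
$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*@load[[:space:]]\{1,\}//p' | sed 's/[[:space:]]*$//')
EOF
    return $_found
}

# write_sample_log FILE: a constructed loaded_scripts.log in Zeek's ASCII log
# format, using the paths that appear in this thread.
write_sample_log() {
    printf '%b\n' \
        '#separator \\x09' \
        '#path\tloaded_scripts' \
        '#fields\tname' \
        '#types\tstring' \
        '/nix/store/g4al63qrpx8ckf6bkimam6w3wps1imav-zeek-3.0.5/share/zeek/zeekctl/standalone.zeek' \
        '  /var/lib/zeek/spool/installed-scripts-do-not-touch/auto/standalone-layout.zeek' \
        '  /home/gtrun/project/hardenedlinux-zeek-script/scripts/zeek-query.zeek' \
        '/nix/store/g4al63qrpx8ckf6bkimam6w3wps1imav-zeek-3.0.5/share/zeek/zeekctl/auto.zeek' \
        '  /var/lib/zeek/spool/installed-scripts-do-not-touch/auto/local-networks.zeek' \
        '#close\t2020-05-07-23-57-21' > "$1"
}

# Run against a real log when ZEEK_LOADED_SCRIPTS is set, e.g.
#   ZEEK_LOADED_SCRIPTS=/var/lib/zeek/logs/current/loaded_scripts.log sh check-loaded.sh
if [ -n "${ZEEK_LOADED_SCRIPTS:-}" ]; then
    untrusted_scripts "$ZEEK_LOADED_SCRIPTS"
fi
```

On the thread's configuration the only finding is the /home/gtrun/... script from privateScript; moving such scripts to a root-owned location, or into the Nix store via the package option, makes the check pass. The log-side check is the one to keep in monitoring, since it reflects what Zeek actually loaded rather than what the configuration intended.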
@GTrunSec (Contributor, Author) commented May 8, 2020

  • Fixed archive log paths:
/var/lib/zeek/logs
├── 2020-05-07
│   ├── conn.23:57:24-00:00:00.log.gz
│   ├── conn-summary.23:57:24-00:00:00.log.gz
│   ├── dns.23:57:40-00:00:00.log.gz
│   ├── files.23:58:54-00:00:00.log.gz
│   ├── http.23:58:54-00:00:00.log.gz
│   ├── known_services.23:57:30-00:00:00.log.gz
│   ├── loaded_scripts.23:57:21-00:00:00.log.gz
│   ├── packet_filter.23:57:21-00:00:00.log.gz
│   ├── reporter.23:57:31-00:00:00.log.gz
│   ├── ssh.23:58:07-00:00:00.log.gz
│   ├── ssl.23:57:29-00:00:00.log.gz
│   ├── stats.23:57:21-00:00:00.log.gz
│   └── weird.23:57:21-00:00:00.log.gz
└── current
    ├── capture_loss.log
    ├── conn.log
    ├── dns.log
GTrunSec added 2 commits May 8, 2020
@GTrunSec (Contributor, Author) commented May 9, 2020

Added an option to override some arguments, so that Zeek's plugins can optionally be installed or not.

Test setting for the Zeek package:

services.zeek = {
  enable = true;
  standalone = true;
  interface = "eno1";
  listenAddress = "localhost";
  package = pkgs.zeek.override { KafkaPlugin = true; PostgresqlPlugin = true; };
  privateScript = ''
  @load /home/gtrun/project/hardenedlinux-zeek-script/scripts/zeek-query.zeek
  '';
};
GTrunSec added 3 commits May 9, 2020
@GTrunSec (Contributor, Author) commented May 14, 2020

Could anyone give me some feedback on this PR? Let me know whether or not to keep going deeper on this module for NixOS, so I can be sure I am heading in the right direction. @marsam @pSub @tobim Thanks. Sorry to bother you.
