package main
import (
	"bytes"
	"fmt"
	"io/ioutil"
	"os"
	"strings"

	"github.com/aws/aws-lambda-go/lambda"
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/s3/s3manager"
	"github.com/oktasecuritylabs/sgt/dyndb"
	"github.com/oktasecuritylabs/sgt/internal/pkg/carvebuilder"
	"github.com/oktasecuritylabs/sgt/osquery_types"
	"github.com/sirupsen/logrus"
)
// log is the package logger. It is a dedicated logrus instance (not the
// standard library "log" package, which this file does not import) and is
// switched to JSON output in init so CloudWatch can index its fields.
var log = logrus.New()

// carveBucket names the S3 bucket that finished carves are uploaded to.
// It is filled from the CARVE_BUCKET environment variable in init and is
// left empty when that variable is unset.
var carveBucket string
// init prepares process-wide state before lambda.Start is reached:
// the destination bucket is read from CARVE_BUCKET and the logger is
// switched to structured JSON output. Nothing here checks that the
// bucket name is actually set; an unset variable yields "".
func init() {
	carveBucket = os.Getenv("CARVE_BUCKET")

	var jsonFormatter logrus.Formatter = &logrus.JSONFormatter{}
	log.Formatter = jsonFormatter
}
// ev is the invocation payload: the osquery carve session this run should
// try to finish. Both values arrive as JSON strings and are copied into
// osquery_types.Carve unchanged. SessionID is also interpolated into the
// temp-file path under /tmp and into the S3 object key, so its contents
// matter beyond the database lookup.
type ev struct {
	SessionID  string `json:"session_id"`
	BlockCount string `json:"block_count"`
}
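// Handler is the Lambda entry point for finishing an osquery file carve.
// For the carve named by event.SessionID it asks DynamoDB whether every
// block has been stored; if so it assembles the blocks into a tar, uploads
// it to s3://$CARVE_BUCKET/filecarves/<session_id>, and only then deletes
// the blocks from the table. An incomplete carve is a no-op.
//
// It returns a non-nil error on any failure so the invocation is reported
// as failed (retry / dead-letter visible) instead of silently succeeding;
// lambda.Start accepts the func(ev) error form. The error is logged here,
// exactly once, with the session id attached.
func Handler(event ev) error {
	if err := processCarve(event); err != nil {
		log.WithField("session_id", event.SessionID).Error(err)
		return err
	}
	return nil
}

// processCarve performs one invocation's work and returns the first failure.
func processCarve(event ev) error {
	// SessionID is interpolated into a filesystem path and an S3 key, so it
	// must not be able to escape /tmp or the filecarves/ prefix.
	if err := validateSessionID(event.SessionID); err != nil {
		return err
	}
	// Fail before touching DynamoDB when there is nowhere to upload to;
	// previously an empty bucket name only surfaced as an (unchecked)
	// upload error.
	if carveBucket == "" {
		return fmt.Errorf("CARVE_BUCKET is not set")
	}

	c := &osquery_types.Carve{
		SessionID:  event.SessionID,
		BlockCount: event.BlockCount,
	}
	db := dyndb.DbInstance()

	ready, data, err := carvebuilder.CarveFinished(db, c)
	if err != nil {
		return fmt.Errorf("checking carve completion: %v", err)
	}
	if !ready {
		// Not every block has arrived yet; presumably a later invocation
		// completes the carve once they have.
		return nil
	}

	fc := osquery_types.FileCarve{
		SessionID: c.SessionID,
		Chunks:    data,
	}
	path := fmt.Sprintf("/tmp/%s.tar", fc.SessionID)
	// Lambda's /tmp is limited in size and survives across warm
	// invocations, so always clean up. Best effort: the file may not exist
	// if SaveToFile failed before creating it, and that is fine.
	defer os.Remove(path)
	if err := fc.SaveToFile(path); err != nil {
		return fmt.Errorf("writing carve to %s: %v", path, err)
	}

	if err := uploadCarve(path, fc.SessionID); err != nil {
		return fmt.Errorf("uploading carve to s3://%s: %v", carveBucket, err)
	}

	// The DynamoDB blocks are the only copy of the carve until the upload
	// has succeeded. The original code deleted them without checking the
	// upload result; now deletion happens only after a confirmed upload.
	if err := carvebuilder.DeleteCarve(db, c); err != nil {
		return fmt.Errorf("deleting carve blocks after upload: %v", err)
	}
	return nil
}

// uploadCarve puts the assembled tar at filecarves/<sessionID> in
// carveBucket and returns the upload error, if any.
func uploadCarve(path, sessionID string) error {
	// Whole-file read replaces the Open/ReadAll pair; the chunks were
	// already held in memory as fc.Chunks, so this does not change the
	// memory profile materially.
	body, err := ioutil.ReadFile(path)
	if err != nil {
		return fmt.Errorf("reading %s: %v", path, err)
	}
	// NOTE(review): the region is still hard-coded as in the original; the
	// Lambda runtime normally exports AWS_REGION if this should follow the
	// deployment region instead.
	sess := session.Must(session.NewSession(&aws.Config{
		Region: aws.String("us-east-1"),
	}))
	uploader := s3manager.NewUploader(sess)
	_, err = uploader.Upload(&s3manager.UploadInput{
		Bucket: aws.String(carveBucket),
		Key:    aws.String(fmt.Sprintf("filecarves/%s", sessionID)),
		Body:   bytes.NewReader(body),
	})
	return err
}

// validateSessionID rejects ids that could change where the carve is
// written: empty, "." or "..", or anything containing a path separator.
// Any other value is accepted unchanged.
func validateSessionID(id string) error {
	if id == "" || id == "." || id == ".." || strings.ContainsAny(id, `/\`) {
		return fmt.Errorf("invalid session_id %q", id)
	}
	return nil
}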
// main hands Handler to the Lambda runtime, which decodes each invocation's
// JSON payload into an ev (per its json tags) and calls Handler once per event.
func main() {
	lambda.Start(Handler)
}