update(different): Extend OpenCTI Application and do a lot of other s…

…tuff... (#24) ````release_notes ## Whats new In this release I did the following things: - Add additional OpenCTI connectors - Update TheHive Container to 4.1.3 - Update Cortex and TheHive Version Number - Add env check script - Add Filebeat Container - Add additional TheHive4-debug Dockerfile ````
it-bgk · Apr 14, 2021 · 4db4178 · 4db4178
1 parent a9b9195
commit 4db4178
Show file tree

Hide file tree

Showing 15 changed files with 462 additions and 86 deletions.
diff --git a/.docker/cortex/Dockerfile b/.docker/cortex/Dockerfile
@@ -27,7 +27,7 @@ ENV VERSION ${VERSION}
 RUN set -eu \
     ;apt-get update \
     ;apt-get install -y --no-install-recommends \
-        cortex=${VERSION} \
+        cortex=${VERSION}-1 \
     ;apt-get autoremove -y \
     ;rm -Rf /var/lib/apt \
     ;

diff --git a/.docker/thehive4-debug/Dockerfile b/.docker/thehive4-debug/Dockerfile
@@ -0,0 +1,12 @@
+ARG VERSION
+FROM itbgk/thehive4:${VERSION}
+
+RUN set -eu \
+    ;apt-get update \
+    ;apt-get install -y --no-install-recommends  \
+        vim \
+        nano \
+        bash \
+    ;apt-get autoremove -y \
+    ;rm -Rf /var/lib/apt/lists/* \
+    ;
diff --git a/.docker/thehive4/Dockerfile b/.docker/thehive4/Dockerfile
@@ -24,7 +24,7 @@ ENV VERSION ${VERSION}
 RUN set -eu \
     ;apt-get update \
     ;apt-get install -y --no-install-recommends  \
-        thehive4=${VERSION} \
+        thehive4=${VERSION}-1 \
     ;apt-get autoremove -y \
     ;rm -Rf /var/lib/apt/lists/* \
     ;

diff --git a/.docker/thehive4/s6/thehive/default_vars.sh b/.docker/thehive4/s6/thehive/default_vars.sh
@@ -5,7 +5,8 @@ DEBUG=${DEBUG:-"0"}
 CASSANDRA_DB_HOSTNAME=${CASSANDRA_DB_HOSTNAME:-"th-cassandra"}
 ELASTICSEARCH_HOSTS=${ELASTICSEARCH_HOSTS:-"elasticsearch"}
 CONFIG_FILE=${CONFIG_FILE:-"/etc/thehive/application.conf"}
-CONFIG=${CONFIG:-"1"}
+LOGGER_FILE=${LOGGER_FILE:-"/etc/thehive/logback.xml"}
+CONFIG=${CONFIG:-"0"}
 SECRET="${SECRET:-"$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1)"}"
 
 CORTEX_URL=${CORTEX_URL}

diff --git a/.docker/thehive4/s6/thehive/prepare b/.docker/thehive4/s6/thehive/prepare
@@ -13,7 +13,7 @@ then
     groupmod -g "${GID}" "$USERNAME"
 fi
 
-chown -R "$USERNAME":"$USERNAME" "${DATA_PATH}" /opt/thehive*
+chown -R "$USERNAME":"$USERNAME" "${DATA_PATH}" /opt/*
 chgrp "$USERNAME" "$CONFIG_FILE"
 chmod 640 "$CONFIG_FILE"
 
@@ -24,3 +24,8 @@ then
     #sed -i "s/\${??AUTH_LDAP_HOSTS}/${?AUTH_LDAP_HOSTS}/g" "$CONFIG_FILE"
 
 fi
+
+if [ $DEBUG ]
+then
+    sed -i "s/name=\"org.thp\" level=\"INFO\"/name=\"org.thp\" level=\"DEBUG\"/" "$LOGGER_FILE"
+fi
diff --git a/.docker/thehive4/s6/thehive/run b/.docker/thehive4/s6/thehive/run
@@ -4,7 +4,7 @@ source /default_vars.sh
 exec s6-setuidgid thehive \
 /opt/thehive/bin/thehive \
 	-Dconfig.file="$CONFIG_FILE" \
-	-Dlogger.file=/etc/thehive/logback.xml \
+	-Dlogger.file="$LOGGER_FILE" \
 	-Dpidfile.path=/dev/null \
 	"$@"
 
diff --git a/.env.sample b/.env.sample
@@ -1,26 +1,27 @@
-# Base Configuration
+### Base Configuration ###
 FQDN=misp.example.com
 EGRESS_IP_SUBNET=192.168.200
 INTERNAL_IP_SUBNET=192.168.201
+DOCKER_PROXY_IP_SUBNET=192.168.202
 BASE_FOLDER=/opt/git/cdc-platform
-# This is required in the case of SSL inspection on your firewalls:
+## This is required in the case of SSL inspection on your firewalls:
 SSL_ROOT_CA=${BASE_FOLDER}/DATA/ssl/ssl-cert-snakeoil.pem
 SSL_CA_BUNDLE=./DATA/ssl/ca-certificates.crt
 
 
 
-### Traefik
-# SSL Certificate and key for traefik
+### Traefik ###
+## SSL Certificate and key for traefik
 SSL_CERT=${BASE_FOLDER}/DATA/ssl/ssl-cert-snakeoil.pem
 SSL_KEY=${BASE_FOLDER}/DATA/ssl/ssl-cert-snakeoil.key
-# https://blog.roberthallam.org/2020/05/generating-a-traefik-nginx-password-hash-without-htpasswd/
-#  openssl passwd -apr1
+## https://blog.roberthallam.org/2020/05/generating-a-traefik-nginx-password-hash-without-htpasswd/
+##  openssl passwd -apr1
 TRAEFIK_BASIC_AUTH_USER=traefik:$apr1$EsK/7TSe$JfV.KuI1a68xWaq2AmlAa/
 
 
 
-### Cortex
-CORTEX_AUTH=local
+### Cortex ###
+# Default local auth:
 #CORTEX_AUTH=ad
 #CORTEX_AUTH_AD_SERVERNAMES=ad1.mydomain.local, ad2.mydomain.local
 #CORTEX_AUTH_AD_DOMAINNAME=MYDOMAIN
@@ -31,13 +32,13 @@ CORTEX_AUTH=local
 CORTEX_ES_URL=http://elasticsearch:9200
 #CORTEX_ES_AUTH_USER=
 #CORTEX_ES_AUTH_PW=
-CORTEX_VERSION=3.1.1-1
+CORTEX_VERSION=3.1.1
 # echo "$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1)"
 CORTEX_SECRET=
 
 
 
-### The hive
+### TheHive ###
 TH_AUTH_AD_WINDOMAIN=${CORTEX_AUTH_AD_DOMAINNAME}
 TH_AUTH_AD_DNSDOMAIN=${CORTEX_AUTH_AD_DOMAINFQDN}
 #TH_AUTH_AD_USESSL=false
@@ -73,14 +74,14 @@ TH_MISP_PUB_CASE_TEMPLATE=${TH_MISP_INT_CASE_TEMPLATE}
 #TH_MISP_PUB_EXCLUDE_TAGS="tag1", "tag2"
 # Comma separated and "" list of MISP tags which should be whitelisted
 #TH_MISP_PUB_WHITELIST_TAGS="tag1", "tag2"
-TH_VERSION=4.1.1-1
+TH_VERSION=4.1.3
 # echo "$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1)"
 TH_SECRET=
 TH_ELASTICSEARCH_HOSTS=elasticsearch
 
 
 
-### Synapse for thehive
+### Synapse for TheHive ###
 #DEBUG=True
 #TH_SYNAPSE_TH_URL=http://thehive:9000
 #TH_SYNAPSE_TH_USER=synapse@local
@@ -92,18 +93,17 @@ TH_SYNAPSE_EWS_PASSWORD=
 TH_SYNAPSE_EWS_SMTP_ADDRESS=
 TH_SYNAPSE_EWS_FOLDER_NAME=
 
-### Mihari
+### Mihari ###
 MIHARI_THEHIVE_API_ENDPOINT=http://thehive:9000
 MIHARI_THEHIVE_API_KEY=
 # Further ENV Keys https://github.com/ninoseki/mihari
 # please always add prefix MIHARI_
 
 
-
-### Cerebro
+### Cerebro ###
 # echo "$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1)"
 # CEREBRO_SECRET=
-# #CEREBRO_BASE_PATH=/es-admin/
+# CEREBRO_BASE_PATH=/es-admin/
 # CEREBRO_ES_URL=http://${TH_ES_HOSTNAME}:9200
 # CEREBRO_ES_AUTH_USER=kibanaserver
 # CEREBRO_ES_AUTH_PW=kibanaserver
@@ -138,7 +138,7 @@ MIHARI_THEHIVE_API_KEY=
 
 
 
-### Watchtower
+### Watchtower ###
 WATCHTOWER_NOTIFICATION_EMAIL_FROM=
 WATCHTOWER_NOTIFICATION_EMAIL_TO=
 WATCHTOWER_NOTIFICATION_EMAIL_SERVER=
@@ -148,8 +148,8 @@ WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD=
 
 
 
-### OpenCTI
-OPENCTI_VERSION=4.3.2
+### OpenCTI ###
+OPENCTI_VERSION=4.3.5
 #OPENCTI_BASE_PATH=/opencti
 OPENCTI_ADMIN_EMAIL=admin@opencti.io
 # echo $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1)
@@ -162,28 +162,44 @@ RABBITMQ_DEFAULT_PASS=
 # To create a UUIDv4 token:
 # https://www.uuidgenerator.net/version4
 OPENCTI_ADMIN_TOKEN=
-CONNECTOR_HISTORY_ID=
-CONNECTOR_EXPORT_FILE_STIX_ID=
-CONNECTOR_EXPORT_FILE_CSV_ID=
-CONNECTOR_IMPORT_FILE_STIX_ID=
-CONNECTOR_IMPORT_FILE_PDF_OBSERVABLES_ID=
-CONNECTOR_OPENCTI_ID=
-CONNECTOR_HYGIENE_ID
-CONNECTOR_MISP_ID=
-CONNECTOR_MALPEDIA_ID=
-CONNECTOR_CYBERCRIMETRACKER_ID=
-CONNECTOR_ALIENVAULT_ID=
-CONNECTOR_CVE_ID=
-CONNECTOR_CYBER_THREAT_COALITION_ID=
-#OPENCTI_MISP_URL=
-OPENCTI_MISP_API_KEY=
-OPENCTI_MALPEDIA_API_KEY=
+OPENCTI_CONNECTOR_HISTORY_ID=
+OPENCTI_CONNECTOR_EXPORT_FILE_STIX_ID=
+OPENCTI_CONNECTOR_EXPORT_FILE_CSV_ID=
+OPENCTI_CONNECTOR_IMPORT_FILE_STIX_ID=
+OPENCTI_CONNECTOR_IMPORT_FILE_PDF_OBSERVABLES_ID=
+OPENCTI_CONNECTOR_OPENCTI_ID=
+OPENCTI_CONNECTOR_CYBER_THREAT_COALITION_ID=
+OPENCTI_CONNECTOR_CVE_ID=
+OPENCTI_CONNECTOR_ALIENVAULT_ID=
 OPENCTI_ALIENVAULT_API_KEY=
-#---
-
-
-
-### Watcher
+OPENCTI_CONNECTOR_CYBERCRIMETRACKER_ID=
+OPENCTI_CONNECTOR_MALPEDIA_ID=
+OPENCTI_MALPEDIA_API_KEY=
+OPENCTI_CONNECTOR_HYGIENE_ID=
+OPENCTI_CONNECTOR_MISP_INTERNAL_ID=
+OPENCTI_MISP_INTERNAL_URL=http://misp-internal
+OPENCTI_MISP_INTERNAL_API_KEY=
+OPENCTI_CONNECTOR_MISP_PUBLIC_ID=
+OPENCTI_MISP_PUBLIC_URL=http://misp-public
+OPENCTI_MISP_PUBLIC_API_KEY=
+OPENCTI_CONNECTOR_URLHAUS_ID=
+OPENCTI_CONNECTOR_VIRUSTOTAL_ID=
+OPENCTI_VIRUSTOTAL_API_KEY=
+OPENCTI_CONNECTOR_THEHIVE_ID=
+OPENCTI_THEHIVE_URL=http://thehive:9000
+OPENCTI_THEHIVE_API_KEY=
+OPENCTI_CONNECTOR_MITRE_ID=
+OPENCTI_CONNECTOR_CRYPTOLAEMUS_ID=
+OPENCTI_CONNECTOR_AMITT_ID=
+OPENCTI_CONNECTOR_LASTINFOSEC_ID=
+OPENCTI_LASTINFOSEC_API_KEY=
+OPENCTI_CONNECTOR_MALBEACON_ID=
+OPENCTI_MALBEACON_API_KEY=
+OPENCTI_MALBEACON_AUTO=false
+
+
+
+### Watcher ###
 # Time Zone
 TZ=Europe/Berlin
 # SECURITY WARNING: In production please put DJANGO_DEBUG environment variable to False
@@ -203,33 +219,33 @@ WATCHER_URL=https://${ALLOWED_HOST}
 THE_HIVE_URL=http://thehive:9000
 THE_HIVE_KEY=
 THE_HIVE_CASE_ASSIGNEE=watcher
-# MISP Setup
+## MISP Setup
 MISP_URL=http://misp-internal
 MISP_VERIFY_SSL=False
 MISP_KEY=
-# Optional
+## Optional
 MISP_TICKETING_URL=
-# LDAP Setup
+## LDAP Setup
 AUTH_LDAP_SERVER=test.example.com:389
 AUTH_LDAP_SERVER_URI=ldap://${AUTH_LDAP_SERVER}
 AUTH_LDAP_BIND_DN=
 AUTH_LDAP_BIND_PASSWORD=
 AUTH_LDAP_BASE_DN=OU=users,DC=example,DC=com
 AUTH_LDAP_FILTER=(uid=%(user)s)
 AUTH_LDAP_SSL=false
-# Searx Setup
+## Searx Setup
 SEARX_HOSTNAME=10.10.10.3:8080
 SEARX_PROTOCOL=http://
-# automaticaly update settings to the new version
-# comment this line if you made / will make some modifications to the settings
+## automaticaly update settings to the new version
+## comment this line if you made / will make some modifications to the settings
 SEARX_COMMAND=-f
-# If you have a proxy, please fill these variables
+## If you have a proxy, please fill these variables
 HTTP_PROXY=
 HTTPS_PROXY=
 
 
-### MISP
-# echo $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 10 | head -n 1)
+### MISP Internal ###
+## echo $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 10 | head -n 1)
 MISP_INTERNAL_MYSQL_USER=
 MISP_INTERNAL_MYSQL_PASSWORD=
 MISP_INTERNAL_MYSQL_ROOT_PASSWORD=
@@ -243,8 +259,8 @@ MISP_INTERNAL_POSTFIX_RELAY_HOST=${WATCHTOWER_NOTIFICATION_EMAIL_SERVER}
 MISP_INTERNAL_TIMEZONE=UTC
 MISP_INTERNAL_BASEURL=https://misp.${FQDN}
 
-### MISP Public
-# echo $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 10 | head -n 1)
+### MISP Public ###
+## echo $(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 10 | head -n 1)
 MISP_PUBLIC_MYSQL_USER=
 MISP_PUBLIC_MYSQL_PASSWORD=
 #
@@ -260,7 +276,7 @@ MISP_PUBLIC_TIMEZONE=${MISP_INTERNAL_TIMEZONE}
 
 
 
-### Hedgedoc
+### Hedgedoc ###
 #HEDGEDOC_DEBUG=true
 HEDGEDOC_LDAP_SERVER_URI=ldap://ad-server
 HEDGEDOC_LDAP_BINDDN="cn=binduser,cn=Users,dc=internal,dc=example,dc=com"
@@ -272,7 +288,10 @@ HEDGEDOC_LDAP_SEARCHBASE="dc=internal,dc=example,dc=com"
 
 
 
-### n8n
-#  openssl passwd -apr1
-#  user: test1:test test2:test45
+### n8n ###
+##  openssl passwd -apr1
+##  user: test1:test test2:test45
 N8N_BASIC_AUTH_USER=test:$apr1$cqiWErmZ$BwQMWsfM7U5bXiYIVnTaD.,test2:$apr1$fJse90Uu$CxGEebbvW0v5W84ONOwTG0
+
+### IntelOWL ###
+
diff --git a/.github/workflows/build_docker_thehive4.yml b/.github/workflows/build_docker_thehive4.yml
@@ -11,7 +11,7 @@ jobs:
   latest:
     strategy:
       matrix:
-        VERSION: [4.1.1]
+        VERSION: [4.1.3]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
@@ -38,7 +38,7 @@ jobs:
   other:
     strategy:
       matrix:
-        VERSION: [4.0.5,4.0.4,4.0.3,4.0.2]
+        VERSION: [4.1.2,4.1.1,4.0.5,4.0.4,4.0.3,4.0.2]
     continue-on-error: true
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/sysdig_cis_benchmark.yml b/.github/workflows/sysdig_cis_benchmark.yml
@@ -5,15 +5,14 @@ on:
     #   - '.docker/**'
 jobs:
   run:
+    strategy:
+      matrix:
+        DIRECTORY: [.docker/cortex,.docker/thehive4]
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
       uses: actions/checkout@v2
-    - name: Sysdig CIS Dockerfile Benchmark Cortex
+    - name: Sysdig CIS Dockerfile Benchmark folder ${{ matrix.DIRECTORY }}
       uses: sysdiglabs/benchmark-dockerfile@v1.0.0
       with:
-        directory: .docker/cortex
-    - name: Sysdig CIS Dockerfile Benchmark TheHive4
-      uses: sysdiglabs/benchmark-dockerfile@v1.0.0
-      with:
-        directory: .docker/thehive4
+        directory: ${{ matrix.DIRECTORY }}