diff --git a/so-strelka-backend/Dockerfile b/so-strelka-backend/Dockerfile index 20e6da50..4e64cb22 100644 --- a/so-strelka-backend/Dockerfile +++ b/so-strelka-backend/Dockerfile @@ -7,7 +7,7 @@ ARG DEBIAN_FRONTEND=noninteractive ARG CONFIG_TESTS=false ARG YARA_VERSION=4.3.1 -ARG CAPA_VERSION=6.1.0 +ARG CAPA_VERSION=9.2.1 ARG EXIFTOOL_VERSION=12.60 # Environment variables @@ -19,14 +19,11 @@ ENV PYTHONUNBUFFERED 1 ARG USERNAME=strelka ARG USER_UID=1001 ARG USER_GID=$USER_UID - -# SO - Pin to release tag, download from GitHub, and prepare container dirs -ARG STRELKA_RELEASE_VERSION=0.24.01.18 - RUN groupadd --gid $USER_GID $USERNAME \ && useradd --uid $USER_UID --gid $USER_GID --create-home --shell /bin/bash $USERNAME -RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache +# SO - Pin to release tag, download from GitHub, and prepare container dirs +ARG STRELKA_RELEASE_VERSION=1.0.1 RUN mkdir /strelka && \ mkdir /etc/strelka && \ 
@@ -40,28 +37,67 @@ RUN mkdir /strelka && \ cp -fr /tmp/strelka/poetry.lock /strelka/ && \ cp -fr /tmp/strelka/src/python/* /strelka/ && \ cp -fr /tmp/strelka/configs/python/backend/* /etc/strelka/ && \ - cp -fr /tmp/strelka/build/python/backend/pin.pref /etc/apt/preferences.d/ && \ - # cp -fr /tmp/strelka/build/python/backend/mantic.list /etc/apt/sources.list.d/ && \ rm -fr /tmp/strelka && \ - chown -R ${USER_UID}:${USER_GID} /var/log/strelka/ - -ADD mantic.list /etc/apt/sources.list.d/mantic.list + chown -R ${USER_UID}:${USER_GID} /var/log/strelka/ && \ + rm -rf /var/lib/apt/lists/* /var/cache/apt/*.bin /var/cache/apt/archives/*.deb # Install build packages RUN apt-get -q update && \ apt-get install -q -y --no-install-recommends \ - automake build-essential cmake curl gcc git dirmngr gnupg gpg libglu1-mesa libtool make swig python3-dev python3-pip python3-wheel python-is-python3 pkg-config supervisor ncat && \ + automake \ + build-essential \ + cmake \ + curl \ + gcc \ + git \ + dirmngr \ + gnupg \ + gpg \ + libglu1-mesa \ + libtool \ + make \ + swig \ + python3-dev \ + python3-pip \ + python3-wheel \ + python-is-python3 \ + pkg-config \ + supervisor \ + ncat && \ + rm -rf /var/lib/apt/lists/* /var/cache/apt/*.bin /var/cache/apt/archives/*.deb + # Install runtime packages - apt-get install -q -y --no-install-recommends \ - 7zip antiword binwalk libarchive-dev libfuzzy-dev libjansson-dev libmagic-dev libssl-dev libzbar0 libgl1 python3-setuptools redis-server tesseract-ocr unrar unzip upx jq && \ +RUN apt-get -q update && apt-get install -q -y --no-install-recommends \ + antiword \ + binwalk \ + libarchive-dev \ + libfuzzy-dev \ + libjansson-dev \ + libmagic-dev \ + libssl-dev \ + libzbar0 \ + libgl1 \ + python3-setuptools \ + redis-server \ + tesseract-ocr \ + unrar \ + unzip \ + upx \ + jq && \ + rm -rf /var/lib/apt/lists/* /var/cache/apt/*.bin /var/cache/apt/archives/*.deb # Download and compile exiftool - cd /tmp/ && \ +RUN cd /tmp/ && \ curl -OL 
https://github.com/exiftool/exiftool/archive/refs/tags/$EXIFTOOL_VERSION.tar.gz && \ tar -zxvf $EXIFTOOL_VERSION.tar.gz && \ cd exiftool-$EXIFTOOL_VERSION/ && \ perl Makefile.PL && \ - make && \ - make install && \ + make -s -j && \ + make -s install && \ +# Download and move binary for 7z 24.09 + cd /tmp/ && \ + curl -OL https://7-zip.org/a/7z2409-linux-x64.tar.xz && \ + tar -xf 7z2409-linux-x64.tar.xz &&\ + cp 7zz /usr/local/bin && \ # Install FireEye CAPA rules and signatures mkdir -p /etc/capa/rules/ && \ curl -OL https://github.com/mandiant/capa-rules/archive/refs/tags/v$CAPA_VERSION.zip && \ @@ -86,7 +122,7 @@ RUN apt-get -q update && \ cd yara-$YARA_VERSION/ && \ ./bootstrap.sh && \ ./configure --with-crypto --enable-magic --enable-cuckoo && \ - make -s && make -s install && make -s check && \ + make -s -j && make -s install && make -s check && \ # Install yara-python cd /tmp/ && \ curl -OL https://github.com/VirusTotal/yara-python/archive/v$YARA_VERSION.tar.gz && \ @@ -96,11 +132,16 @@ RUN apt-get -q update && \ python3 setup.py install # Install JTR -RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \ - --mount=type=cache,target=/var/lib/apt,sharing=locked \ - apt-get update -qq && \ +RUN apt-get update -qq && \ apt-get install -qq -y --no-install-recommends \ - ca-certificates zlib1g-dev yasm libgmp-dev liblzma-dev libpcap-dev libbz2-dev libgomp1 && \ + ca-certificates \ + zlib1g-dev \ + yasm \ + libgmp-dev \ + liblzma-dev \ + libpcap-dev \ + libbz2-dev \ + libgomp1 && \ cpan -i Compress::Raw::Lzma && \ # The maintainer isn't big on releases or tags so grab an arbitrary, but consistent, commit. # Additionally jump through some extra hoops to get the single commit to save some download time. 
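Review bot: The 7-Zip archive fetched with `curl -OL https://7-zip.org/a/7z2409-linux-x64.tar.xz` and installed as `/usr/local/bin/7zz` is never integrity-checked, while the `7zip` apt package it replaces (dropped together with `pin.pref`) was signature-verified by apt, so this step now trusts the download path completely. Verify the archive before extracting it, e.g. `echo '<SHA256_PLACEHOLDER>  7z2409-linux-x64.tar.xz' | sha256sum -c - && \` right after the curl, or fetch it with `ADD --checksum=sha256:<SHA256_PLACEHOLDER> https://7-zip.org/a/7z2409-linux-x64.tar.xz /tmp/` and extract from there. The archive is also hard-wired to x64 although the deleted `mantic.list` still carried an arm64 entry; if arm64 builds are expected, select the archive by `TARGETARCH`. The exiftool and capa-rules downloads in the same chain are unverified too, though they predate this change. The RUN this `cd /tmp/` chain belongs to continues past the hunk.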
@@ -111,17 +152,16 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
 cd /jtr/src && \
 ./configure && \
 make -s clean && \
- make -sj4 && \
+ make -sj && \
 make install && \
 cp -Tr /jtr/run/ /jtr && rm -rf /jtr/run && \
 chmod -R 777 /jtr && \
 chown -R $USER_UID:$USER_UID /jtr && \
-
 # Install Poetry globally and copy project files
 python3 -m pip install -U pip setuptools && \
-# Install specific version of poetry, in >= 2.0.0 --no-dev is removed and causes build errors in strelka <= 0.24.01.18
- python3 -m pip install poetry==1.8.5 && \
- rm -rf /root/.cache/pip
+ python3 -m pip install poetry && \
+ rm -rf /root/.cache/pip && \
+ rm -rf /var/lib/apt/lists/* /var/cache/apt/*.bin /var/cache/apt/archives/*.deb
 
 # Set the working directory
 WORKDIR /strelka/
@@ -130,7 +170,7 @@ WORKDIR /strelka/
 # This step is after the COPY step because it is more likely to change,
 # and therefore should not be included in earlier layers that can be cached.
 RUN poetry config virtualenvs.create false && \
- poetry install --no-dev && \
+ poetry install --only main && \
 rm -rf /root/.cache/pypoetry && \
 # Install Strelka
 cd /strelka/ && \
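Review bot: `python3 -m pip install poetry` replaces the pinned `poetry==1.8.5` with an unpinned install, so every build picks up whatever Poetry release PyPI serves that day; with `poetry install --only main` in the next hunk a 2.x release works, but the build is no longer reproducible and a bad upstream release lands unreviewed. Pin it again, e.g. `python3 -m pip install poetry==<PINNED_VERSION> && \`, and bump it deliberately. `make -sj` with no job count also lets the JtR build fan out to every core, which can exhaust memory on a shared builder; `make -sj"$(nproc)"` keeps the speedup bounded. The RUN these lines belong to starts before the hunk.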
@@ -139,20 +179,36 @@ RUN poetry config virtualenvs.create false && \
 # Remove build packages
 python3 setup.py -q clean --all && \
 rm -rf dist/ strelka.egg-info && \
- pip3 uninstall -y grpcio-tools && \
- apt-get remove -y --purge \
- automake build-essential cmake curl gcc git gpg libtool make python3-dev python3-pip python3-wheel && \
+ apt-get -q update && \
+ apt-get purge -y \
+ automake \
+ build-essential \
+ cmake \
+ curl \
+ gcc \
+ git \
+ gpg \
+ libtool \
+ make \
+ python3-dev \
+ python3-pip \
+ python3-wheel && \
 apt-get clean -qq && \
- rm -rf /var/lib/apt/lists/* /tmp/yara*
+ rm -rf /var/lib/apt/lists/* /tmp/yara* && \
+# Assign permissions to Strelka scan result logging directory
+ chgrp -R 0 /var/log/strelka/ && \
+ chmod -R g=u /var/log/strelka/ && \
+ rm -rf /var/lib/apt/lists/* /var/cache/apt/*.bin /var/cache/apt/archives/*.deb
 
 # Run tests as non-root user
 USER $USERNAME
 
 # Run build checks
+ARG SCANNER_TEST=""
 RUN echo '[+] Run build checks' && \
 cd /strelka/strelka/ && \
- python3 -m pytest -p no:cacheprovider -s tests/ --ignore-glob='*pcap*.py' --ignore-glob='*test_scan_transcode.py' --ignore-glob='*test_scan_nf.py' && \
- if $CONFIG_TESTS; then python3 -m pytest -s tests_configuration/; fi && \
+ if $SCANNER_TESTS; then python3 -m pytest -p no:cacheprovider -s --ignore=tests/test_scan_pcap.py --ignore=tests/test_scan_clamav.py tests/$SCANNER_TEST; fi && \
+ if $CONFIG_TESTS; then python3 -m pytest -s --ignore=tests/test_scan_pcap.py tests_configuration/; fi && \
 echo '[+] Done'
 
 USER root
diff --git a/so-strelka-backend/mantic.list b/so-strelka-backend/mantic.list
deleted file mode 100644
index 14d2ac13..00000000
--- a/so-strelka-backend/mantic.list
+++ /dev/null
@@ -1,2 +0,0 @@
-deb [arch=amd64] http://old-releases.ubuntu.com/ubuntu mantic main restricted universe multiverse
-deb [arch=arm64] http://old-releases.ubuntu.com/ubuntu mantic-backports main restricted universe multiverse
\ No newline at end of file
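Review bot: The new `ARG SCANNER_TEST=""` does not match the variable the build-check RUN tests, `if $SCANNER_TESTS; then ...`: unless `SCANNER_TESTS` is declared earlier in the file (outside this diff), it expands to nothing and the shell would see `if ; then`, a syntax error, so the scanner tests never run and the failure mode is a confusing shell message rather than a skipped step. Declare the switch next to the existing `CONFIG_TESTS` flag, e.g. `ARG SCANNER_TESTS=false`, keep `SCANNER_TEST` for the optional path suffix, and consider `if "${SCANNER_TESTS:-false}"; then` so the default is visible at the call site. `rm -rf /var/lib/apt/lists/*` also now appears twice in the same RUN (after `apt-get clean -qq` and again at the end); one of them can go.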
diff --git a/so-strelka-backend/pin.pref b/so-strelka-backend/pin.pref
deleted file mode 100644
index 8fae477d..00000000
--- a/so-strelka-backend/pin.pref
+++ /dev/null
@@ -1,7 +0,0 @@
-Package: 7zip
-Pin: release n=jammy
-Pin-Priority: 100
-
-Package: *
-Pin: release n=lunar
-Pin-Priority: 200
diff --git a/so-strelka-filestream/Dockerfile b/so-strelka-filestream/Dockerfile
deleted file mode 100644
index 0e996e6d..00000000
--- a/so-strelka-filestream/Dockerfile
+++ /dev/null
@@ -1,14 +0,0 @@
-FROM ghcr.io/security-onion-solutions/golang:1.24.3-alpine AS build
-ARG STRELKA_RELEASE_VERSION=0.24.01.18
-
-RUN CGO_ENABLED=0 go install github.com/target/strelka/src/go/cmd/strelka-filestream@$STRELKA_RELEASE_VERSION
-
-FROM ghcr.io/security-onion-solutions/alpine:3.21.3
-LABEL maintainer="Security Onion Solutions, LLC"
-
-COPY --from=build /go/bin/strelka-filestream /usr/local/bin/
-RUN addgroup -g 939 strelka && \
- adduser -u 939 -G strelka strelka --disabled-password \
- -h /etc/strelka --no-create-home strelka
-RUN apk add --no-cache jq
-USER strelka
diff --git a/so-strelka-frontend/Dockerfile b/so-strelka-frontend/Dockerfile
deleted file mode 100644
index 87cba197..00000000
--- a/so-strelka-frontend/Dockerfile
+++ /dev/null
@@ -1,24 +0,0 @@
-FROM ghcr.io/security-onion-solutions/golang:1.24.3-alpine AS build
-ARG STRELKA_RELEASE_VERSION=0.24.01.18
-
-RUN apk add openssl-dev \
- bash \
- build-base \
- pkgconfig \
- librdkafka \
- librdkafka-dev && \
- CGO_ENABLED=1 go install -tags musl github.com/target/strelka/src/go/cmd/strelka-frontend@$STRELKA_RELEASE_VERSION
-
-FROM ghcr.io/security-onion-solutions/alpine:3.21.3
-LABEL maintainer="Security Onion Solutions, LLC"
-
-COPY --from=build /go/bin/strelka-frontend /usr/local/bin/
-
-RUN addgroup -g 939 strelka && \
- adduser -u 939 -G strelka strelka --disabled-password \
- -h /etc/strelka --no-create-home strelka && \
- mkdir /var/log/strelka/ && \
- touch /var/log/strelka/strelka.log && \
- chown -R 939:939 /var/log/strelka/
-
-USER strelka
diff --git a/so-strelka-manager/Dockerfile b/so-strelka-manager/Dockerfile
index 26420783..902982cd 100644
--- a/so-strelka-manager/Dockerfile
+++ b/so-strelka-manager/Dockerfile
@@ -1,13 +1,24 @@ -FROM ghcr.io/security-onion-solutions/golang:1.24.3-alpine AS build -ARG STRELKA_RELEASE_VERSION=0.24.01.18 +FROM ghcr.io/security-onion-solutions/golang:1.25.1-alpine AS build +ARG STRELKA_RELEASE_VERSION=1.0.1 -RUN CGO_ENABLED=0 go install github.com/target/strelka/src/go/cmd/strelka-manager@$STRELKA_RELEASE_VERSION +RUN CGO_ENABLED=0 go install github.com/target/strelka/src/go/cmd/strelka-manager@$STRELKA_RELEASE_VERSION && \ + CGO_ENABLED=0 go install github.com/target/strelka/src/go/cmd/strelka-filestream@$STRELKA_RELEASE_VERSION && \ + apk add openssl-dev bash build-base pkgconfig librdkafka librdkafka-dev && \ + CGO_ENABLED=1 go install -tags musl github.com/target/strelka/src/go/cmd/strelka-frontend@$STRELKA_RELEASE_VERSION -FROM ghcr.io/security-onion-solutions/alpine:3.21.3 + +FROM ghcr.io/security-onion-solutions/alpine:3.22.1 LABEL maintainer="Security Onion Solutions, LLC" COPY --from=build /go/bin/strelka-manager /usr/local/bin/ +COPY --from=build /go/bin/strelka-filestream /usr/local/bin/ +COPY --from=build /go/bin/strelka-frontend /usr/local/bin/ + RUN addgroup -g 939 strelka && \ adduser -u 939 -G strelka strelka --disabled-password \ - -h /etc/strelka --no-create-home strelka + -h /etc/strelka --no-create-home strelka && \ + apk add --no-cache jq && \ + mkdir /var/log/strelka/ && \ + touch /var/log/strelka/strelka.log && \ + chown -R 939:939 /var/log/strelka/ USER strelka diff --git a/so-suricata/Dockerfile b/so-suricata/Dockerfile index 82656e4f..b37a4d1e 100644 --- a/so-suricata/Dockerfile +++ b/so-suricata/Dockerfile @@ -27,7 +27,7 @@ RUN dnf -y install autoconf automake diffutils file-devel gcc gcc-c++ git \ lua-devel lz4-devel make nss-devel pcre-devel pcre2-devel pkgconfig \ python3-devel python3-sphinx python3-yaml sudo which cargo \ zlib-devel luajit-devel cargo && cargo install --force cbindgen -ENV SURIVERSION=7.0.12 +ENV SURIVERSION=8.0.2 RUN mkdir /suricata WORKDIR /suricata 
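Review bot: The three `COPY --from=build ... /usr/local/bin/` lines in the manager Dockerfile can be a single instruction, `COPY --from=build /go/bin/strelka-manager /go/bin/strelka-filestream /go/bin/strelka-frontend /usr/local/bin/`, which yields one layer instead of three and keeps the shipped binaries visible in one place. In the build stage the new `apk add openssl-dev bash build-base pkgconfig librdkafka librdkafka-dev` is written without `--no-cache` while the runtime stage uses `apk add --no-cache jq`; the build stage is discarded so nothing leaks into the image, but the inconsistency reads like an oversight. Those build-stage packages are also unpinned, so the CGO build of strelka-frontend depends on whatever librdkafka/openssl Alpine serves on the day; pinning (`pkg=version-rN`) would make it reproducible.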
diff --git a/so-zeek/Dockerfile b/so-zeek/Dockerfile index 180e91af..91a29ca1 100644 --- a/so-zeek/Dockerfile +++ b/so-zeek/Dockerfile @@ -20,7 +20,7 @@ RUN dnf -y install dnf-plugins-core && \ dnf update -y && \ dnf -y install epel-release bash libpcap iproute wget cmake swig && \ dnf -y install jemalloc numactl libnl3 libdnet gdb git && \ - dnf -y install libpcap-devel openssl-devel zlib-devel jemalloc-devel python3-devel python3 kernel-devel kernel-headers libnghttp2-devel brotli-devel && \ + dnf -y install libpcap-devel openssl-devel zlib-devel jemalloc-devel python3-devel python3 kernel-devel kernel-headers libnghttp2-devel brotli-devel zeromq-devel && \ dnf group install -y "Development Tools" && \ yum install -y glibc-common && \ pip3 install GitPython semantic-version requests && \ @@ -39,7 +39,7 @@ RUN dnf -y install perl && \ WORKDIR / -ENV ZEEKVER=7.0.11 +ENV ZEEKVER=8.0.4 ARG BUILD_TYPE=Release RUN mkdir /zeekbuild @@ -69,7 +69,7 @@ RUN /opt/zeek/bin/zkg install --force ja3 && \ /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-wireguard && \ /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-stun && \ /opt/zeek/bin/zkg install --force --skiptests https://github.com/iamckn/oui-logging && \ - /opt/zeek/bin/zkg install --force --skiptests https://github.com/mitrecnd/bro-http2 --version master && \ + /opt/zeek/bin/zkg install --force --skiptests https://github.com/Security-Onion-Solutions/bro-http2.git && \ /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-ipsec && \ /opt/zeek/bin/zkg install --force --skiptests zeek-spicy-openvpn 
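Review bot: In the zkg hunk, bro-http2 is now installed from `https://github.com/Security-Onion-Solutions/bro-http2.git` with no `--version`, where the previous line at least stated `master` explicitly; without a version zkg resolves whatever that repository offers at build time (by its defaults the latest tag, otherwise the default branch), so the image content depends on the repository's state and any push to it lands in the next build unreviewed. Pin the package to a tag or commit, e.g. `/opt/zeek/bin/zkg install --force --skiptests https://github.com/Security-Onion-Solutions/bro-http2.git --version <TAG_OR_COMMIT> && \`. The other zkg installs in this hunk share the same unpinned pattern, though they predate the change.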
@@ -95,9 +95,9 @@ LABEL description="Zeek running in docker for use with Security Onion"
 RUN dnf update -y && dnf -y install epel-release bash libpcap iproute && \
 dnf clean all && rm -rf /var/cache/dnf/* && \
 dnf -y install findutils jemalloc numactl libnl3 libdnet gdb libunwind-devel && \
- dnf config-manager --enable ol9_codeready_builder && \
- dnf -y install libnghttp2-devel brotli-devel && \
- dnf config-manager --disable ol9_codeready_builder && \
+ dnf config-manager --enable ol9_codeready_builder ol9_developer_EPEL && \
+ dnf -y install libnghttp2-devel brotli-devel zeromq-devel && \
+ dnf config-manager --disable ol9_codeready_builder ol9_developer_EPEL && \
 dnf -y remove epel-release && \
 dnf clean all && \
 rm -rf /var/cache/dnf/ && rm -rf /var/cache/yum/ && \
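Review bot: The runtime stage installs `zeromq-devel`, i.e. headers and build-time metadata, when the Zeek binary at runtime only needs the shared library; the same holds for the pre-existing `libnghttp2-devel` and `brotli-devel` in that line. Installing the runtime package instead (presumably `zeromq` from the EPEL repo that is enabled here — confirm with `dnf provides '*/libzmq.so.5'`) keeps the production image smaller and free of toolchain-oriented content, and the `-devel` packages can then move to the build stage alone. A one-line comment above the `--enable ol9_codeready_builder ol9_developer_EPEL` line saying why EPEL must be enabled just for this package would help the next reader. The RUN this hunk sits in continues past the hunk.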