first sync

iris-web/docker/db/Dockerfile

@@ -0,0 +1,22 @@
+#  IRIS Source Code
+#  Copyright (C) 2021 - Airbus CyberSecurity (SAS)
+#  ir@cyberactionlab.net
+#
+#  This program is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU Lesser General Public
+#  License as published by the Free Software Foundation; either
+#  version 3 of the License, or (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  Lesser General Public License for more details.
+#
+#  You should have received a copy of the GNU Lesser General Public License
+#  along with this program; if not, write to the Free Software Foundation,
+#  Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+
+FROM postgres:12-alpine
+
+COPY create_user.sh   /docker-entrypoint-initdb.d/10-create_user.sh

iris-web/docker/db/create_user.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+set -e
+
+POSTGRES="psql --username ${POSTGRES_USER}"
+
+echo "Creating database role: ${POSTGRES_ADMIN_USER}"
+
+$POSTGRES <<-EOSQL
+CREATE USER ${POSTGRES_ADMIN_USER} WITH CREATEDB SUPERUSER PASSWORD '${POSTGRES_ADMIN_PASSWORD}';
+EOSQL

iris-web/docker/nginx/Dockerfile

@@ -0,0 +1,49 @@
+#  IRIS Source Code
+#  Copyright (C) 2021 - Airbus CyberSecurity (SAS)
+#  ir@cyberactionlab.net
+#
+#  This program is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU Lesser General Public
+#  License as published by the Free Software Foundation; either
+#  version 3 of the License, or (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  Lesser General Public License for more details.
+#
+#  You should have received a copy of the GNU Lesser General Public License
+#  along with this program; if not, write to the Free Software Foundation,
+#  Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+
+FROM nginx:1.21.3
+
+RUN apt-get update && apt-get install -y curl
+
+# Used to pass protected files to the container through volumes
+ARG NGINX_CONF_GID
+ARG NGINX_CONF_FILE
+
+RUN groupadd -g ${NGINX_CONF_GID} az-app-nginx-conf && usermod -a -G az-app-nginx-conf www-data
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod 700 /entrypoint.sh
+RUN chown www-data:www-data /entrypoint.sh
+
+COPY ${NGINX_CONF_FILE} /etc/nginx/nginx.conf
+
+# log
+RUN touch /var/log/nginx/audit_platform_error.log && chown -R www-data:www-data /var/log/nginx/audit_platform_error.log
+RUN touch /var/log/nginx/audit_platform_access.log && chown -R www-data:www-data /var/log/nginx/audit_platform_access.log
+
+# Security
+RUN touch /var/run/nginx.pid && chown -R www-data:www-data /var/run/nginx.pid /var/cache/nginx /etc/nginx/nginx.conf
+
+RUN mkdir -p /www/certs/
+
+USER www-data
+
+HEALTHCHECK --interval=5s --timeout=3s CMD curl --fail -k https://127.0.0.1:${INTERFACE_HTTPS_PORT:-8443} || exit 1
+
+ENTRYPOINT ["/entrypoint.sh"]

iris-web/docker/nginx/entrypoint.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+#  IRIS Source Code
+#  Copyright (C) 2021 - Airbus CyberSecurity (SAS)
+#  ir@cyberactionlab.net
+#
+#  This program is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU Lesser General Public
+#  License as published by the Free Software Foundation; either
+#  version 3 of the License, or (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  Lesser General Public License for more details.
+#
+#  You should have received a copy of the GNU Lesser General Public License
+#  along with this program; if not, write to the Free Software Foundation,
+#  Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+set -e
+
+# envsubst will make a substitution on every $variable in a file, since the nginx file contains nginx variable like $host, we have to limit the substitution to this set
+# otherwise, each nginx variable will be replaced by an empty string
+envsubst '${INTERFACE_HTTPS_PORT} ${IRIS_UPSTREAM_SERVER} ${IRIS_UPSTREAM_PORT} ${SERVER_NAME} ${KEY_FILENAME} ${CERT_FILENAME}' < /etc/nginx/nginx.conf > /tmp/nginx.conf
+cp /tmp/nginx.conf /etc/nginx/nginx.conf
+rm /tmp/nginx.conf
+
+exec nginx -g "daemon off;"

iris-web/docker/nginx/nginx.conf

@@ -0,0 +1,161 @@
+#  IRIS Source Code
+#  Copyright (C) 2021 - Airbus CyberSecurity (SAS)
+#  ir@cyberactionlab.net
+#
+#  This program is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU Lesser General Public
+#  License as published by the Free Software Foundation; either
+#  version 3 of the License, or (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  Lesser General Public License for more details.
+#
+#  You should have received a copy of the GNU Lesser General Public License
+#  along with this program; if not, write to the Free Software Foundation,
+#  Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+
+worker_processes auto;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    map $request_uri $csp_header {
+        default "default-src 'self' https://analytics.dfir-iris.org; script-src 'self' 'unsafe-inline' https://analytics.dfir-iris.org; style-src 'self' 'unsafe-inline';";
+    }
+    include /etc/nginx/mime.types;
+
+    default_type application/octet-stream;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log main;
+    error_log   /var/log/nginx/error.log debug;
+
+    server_tokens off;
+
+    sendfile    on;
+    tcp_nopush  on;
+    tcp_nodelay on;
+
+    types_hash_max_size             2048;
+    types_hash_bucket_size          128;
+    proxy_headers_hash_max_size     2048;
+    proxy_headers_hash_bucket_size  128;
+    proxy_buffering                 on;
+    proxy_buffers                   8 16k;
+    proxy_buffer_size               4k;
+
+    client_header_buffer_size   2k;
+    large_client_header_buffers 8 64k;
+    client_body_buffer_size     64k;
+    client_max_body_size        100M;
+
+    reset_timedout_connection   on;
+    keepalive_timeout           90s;
+    client_body_timeout         90s;
+    send_timeout                90s;
+    client_header_timeout       90s;
+    fastcgi_read_timeout        90s;
+    # WORKING TIMEOUT FOR PROXY CONF
+    proxy_read_timeout          90s;
+    uwsgi_read_timeout          90s;
+
+    gzip off;
+    gzip_disable "MSIE [1-6]\.";
+
+    # FORWARD CLIENT IDENTITY TO SERVER
+    proxy_set_header    HOST                $http_host;
+    proxy_set_header    X-Forwarded-Proto   $scheme;
+    proxy_set_header    X-Real-IP           $remote_addr;
+    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+
+    # FULLY DISABLE SERVER CACHE
+    add_header          Last-Modified $date_gmt;
+    add_header          'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+    if_modified_since   off;
+    expires             off;
+    etag                off;
+    proxy_no_cache      1;
+    proxy_cache_bypass  1;
+
+    # SSL CONF, STRONG CIPHERS ONLY
+    ssl_protocols               TLSv1.2 TLSv1.3;
+
+    ssl_prefer_server_ciphers   on;
+    ssl_certificate             /www/certs/${CERT_FILENAME};
+    ssl_certificate_key         /www/certs/${KEY_FILENAME};
+    ssl_ecdh_curve              secp521r1:secp384r1:prime256v1;
+    ssl_buffer_size             4k;
+
+    # DISABLE SSL SESSION CACHE
+    ssl_session_tickets         off;
+    ssl_session_cache           none;
+
+    access_log /var/log/nginx/audit_platform_access.log main;
+    error_log  /var/log/nginx/audit_platform_error.log debug;
+
+    server {
+        listen          ${INTERFACE_HTTPS_PORT} ssl;
+        server_name     ${SERVER_NAME};
+        root            /www/data;
+        index           index.html;
+        error_page      500 502 503 504  /50x.html;
+
+        add_header Content-Security-Policy $csp_header;
+        
+        # SECURITY HEADERS
+        add_header X-XSS-Protection             "1; mode=block";
+        add_header X-Frame-Options              DENY;
+        add_header X-Content-Type-Options       nosniff;
+        # max-age = 31536000s = 1 year
+        add_header Strict-Transport-Security    "max-age=31536000: includeSubDomains" always;
+        add_header Front-End-Https              on;
+
+        location / {
+            proxy_pass  http://${IRIS_UPSTREAM_SERVER}:${IRIS_UPSTREAM_PORT};
+
+            location ~ ^/(manage/templates/add|manage/cases/upload_files) {
+                keepalive_timeout           10m;
+                client_body_timeout         10m;
+                send_timeout                10m;
+                proxy_read_timeout          10m;
+                client_max_body_size        0M;
+                proxy_request_buffering off;
+                proxy_pass  http://${IRIS_UPSTREAM_SERVER}:${IRIS_UPSTREAM_PORT};
+            }
+
+            location ~ ^/(datastore/file/add|datastore/file/add-interactive) {
+                keepalive_timeout           10m;
+                client_body_timeout         10m;
+                send_timeout                10m;
+                proxy_read_timeout          10m;
+                client_max_body_size        0M;
+                proxy_request_buffering off;
+                proxy_pass  http://${IRIS_UPSTREAM_SERVER}:${IRIS_UPSTREAM_PORT};
+            }
+        }
+        location /socket.io {
+            proxy_set_header Host $http_host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_http_version 1.1;
+            proxy_buffering off;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "Upgrade";
+            proxy_pass http://${IRIS_UPSTREAM_SERVER}:${IRIS_UPSTREAM_PORT}/socket.io;
+        }
+
+        location = /50x.html {
+            root   /usr/share/nginx/html;
+        }
+    }
+}

iris-web/docker/webApp/Dockerfile

@@ -0,0 +1,74 @@
+#  IRIS Source Code
+#  Copyright (C) 2021 - Airbus CyberSecurity (SAS)
+#  ir@cyberactionlab.net
+#
+#  This program is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU Lesser General Public
+#  License as published by the Free Software Foundation; either
+#  version 3 of the License, or (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  Lesser General Public License for more details.
+#
+#  You should have received a copy of the GNU Lesser General Public License
+#  along with this program; if not, write to the Free Software Foundation,
+#  Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+
+#################
+# COMPILE IMAGE #
+#################
+FROM python:3.9 AS compile-image
+RUN apt-get update
+
+RUN python -m venv /opt/venv
+# Make sure we use the virtualenv:
+ENV PATH="/opt/venv/bin:$PATH"
+
+COPY source/dependencies /dependencies
+COPY source/requirements.txt /
+
+RUN pip3 install -r requirements.txt
+
+###############
+# BUILD IMAGE #
+###############
+FROM python:3.9 as iriswebapp
+
+ENV PYTHONUNBUFFERED=1
+
+COPY --from=compile-image /opt/venv /opt/venv
+
+# Make sure we use the virtualenv:
+ENV PATH="/opt/venv/bin:$PATH"
+
+# Define specific admin password at creation
+#ENV IRIS_ADM_PASSWORD="MySuperFirstPasswordIWant"
+
+RUN apt update
+RUN apt install -y p7zip-full pgp rsync postgresql-client
+
+RUN mkdir /iriswebapp/
+RUN mkdir -p /home/iris/certificates
+RUN mkdir -p /home/iris/user_templates
+RUN mkdir -p /home/iris/server_data
+RUN mkdir -p /home/iris/server_data/backup
+RUN mkdir -p /home/iris/server_data/updates
+RUN mkdir -p /home/iris/server_data/custom_assets
+RUN mkdir -p /home/iris/server_data/datastore
+
+WORKDIR /iriswebapp
+
+COPY docker/webApp/iris-entrypoint.sh .
+COPY docker/webApp/wait-for-iriswebapp.sh .
+COPY ./source .
+
+# Add execution right to binaries needed by evtx2splunk for iris_evtx module
+RUN chmod +x /iriswebapp/dependencies/evtxdump_binaries/linux/x64/fd
+RUN chmod +x /iriswebapp/dependencies/evtxdump_binaries/linux/x64/evtx_dump
+
+RUN chmod +x iris-entrypoint.sh
+RUN chmod +x wait-for-iriswebapp.sh
+#ENTRYPOINT [ "./iris-entrypoint.sh" ]

iris-web/docker/webApp/Dockerfile.k8s

@@ -0,0 +1,77 @@
+#  IRIS Source Code
+#  Copyright (C) 2021 - Airbus CyberSecurity (SAS)
+#  ir@cyberactionlab.net
+#
+#  This program is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU Lesser General Public
+#  License as published by the Free Software Foundation; either
+#  version 3 of the License, or (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  Lesser General Public License for more details.
+#
+#  You should have received a copy of the GNU Lesser General Public License
+#  along with this program; if not, write to the Free Software Foundation,
+#  Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+
+#################
+# COMPILE IMAGE #
+#################
+FROM python:3.9 AS compile-image
+RUN apt-get update
+
+RUN python -m venv /opt/venv
+# Make sure we use the virtualenv:
+ENV PATH="/opt/venv/bin:$PATH"
+
+COPY source/dependencies /dependencies
+COPY source/requirements.txt /
+
+RUN pip3 install -r requirements.txt
+
+###############
+# BUILD IMAGE #
+###############
+FROM python:3.9 as iriswebapp
+
+ENV PYTHONUNBUFFERED=1
+
+COPY --from=compile-image /opt/venv /opt/venv
+
+# Make sure we use the virtualenv:
+ENV PATH="/opt/venv/bin:$PATH"
+
+# Define specific admin password at creation
+#ENV IRIS_ADM_PASSWORD="MySuperFirstPasswordIWant"
+
+RUN apt update
+RUN apt install -y p7zip-full pgp rsync postgresql-client
+
+RUN mkdir /iriswebapp/
+RUN mkdir -p /home/iris/certificates
+RUN mkdir -p /home/iris/user_templates
+RUN mkdir -p /home/iris/server_data
+RUN mkdir -p /home/iris/server_data/backup
+RUN mkdir -p /home/iris/server_data/updates
+RUN mkdir -p /home/iris/server_data/custom_assets
+RUN mkdir -p /home/iris/server_data/datastore
+
+WORKDIR /iriswebapp
+
+COPY docker/webApp/iris-entrypoint.sh .
+COPY docker/webApp/wait-for-iriswebapp.sh .
+COPY ../../certificates /home/iris/certificates/
+COPY ../../certificates/rootCA/irisRootCACert.pem /etc/irisRootCACert.pem
+COPY ../../certificates/ldap/ /iriswebapp/certificates/ldap/
+COPY ./source .
+
+# Add execution right to binaries needed by evtx2splunk for iris_evtx module
+RUN chmod +x /iriswebapp/dependencies/evtxdump_binaries/linux/x64/fd
+RUN chmod +x /iriswebapp/dependencies/evtxdump_binaries/linux/x64/evtx_dump
+
+RUN chmod +x iris-entrypoint.sh
+RUN chmod +x wait-for-iriswebapp.sh
+#ENTRYPOINT [ "./iris-entrypoint.sh" ]

iris-web/docker/webApp/iris-entrypoint.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+#  IRIS Source Code
+#  Copyright (C) 2021 - Airbus CyberSecurity (SAS)
+#  ir@cyberactionlab.net
+#
+#  This program is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU Lesser General Public
+#  License as published by the Free Software Foundation; either
+#  version 3 of the License, or (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  Lesser General Public License for more details.
+#
+#  You should have received a copy of the GNU Lesser General Public License
+#  along with this program; if not, write to the Free Software Foundation,
+#  Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+
+
+
+target=${1-:app}
+
+printf "Running ${target} ...\n"
+
+if [[ "${target}" == iris-worker ]] ; then
+    celery -A app.celery worker -E -B -l INFO &
+else
+    gunicorn app:app --worker-class eventlet --bind 0.0.0.0:8000 --timeout 180 --worker-connections 1000 --log-level=info &
+fi
+
+while true; do sleep 2; done
+

iris-web/docker/webApp/wait-for-iriswebapp.sh

@@ -0,0 +1,34 @@
+#!/bin/sh
+# wait-for-iriswebapp.sh
+
+#  IRIS Source Code
+#  Copyright (C) 2021 - Airbus CyberSecurity (SAS)
+#  ir@cyberactionlab.net
+#
+#  This program is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU Lesser General Public
+#  License as published by the Free Software Foundation; either
+#  version 3 of the License, or (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+#  Lesser General Public License for more details.
+#
+#  You should have received a copy of the GNU Lesser General Public License
+#  along with this program; if not, write to the Free Software Foundation,
+#  Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+set -e
+
+host="$1"
+shift
+
+sleep 1
+until curl "$host" >/dev/null 2>&1; do
+  >&2 echo "IRISwebapp is unavailable - sleeping"
+  sleep 1
+done
+
+>&2 echo "IRISwebapp is up - executing command"
+exec "$@"