From 18a9dfb9e29a624057ebd8c700a335aa1bb7a56a Mon Sep 17 00:00:00 2001
From: Rucciva
Date: Thu, 12 Oct 2023 15:51:19 +0700
Subject: [PATCH] add yara downloader
---
 Dockerfile | 20 +++++++++++++++++---
 entrypoint.sh | 3 +++
 yara-rule-downloader.sh | 21 +++++++++++++++++++++
 3 files changed, 41 insertions(+), 3 deletions(-)
 create mode 100755 yara-rule-downloader.sh
diff --git a/Dockerfile b/Dockerfile
index 1d4e65e..40b7f26 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,12 +20,22 @@ RUN wget -c https://github.com/nicolas-van/multirun/releases/download/1.1.3/mult
 FROM golang:1.20.4-bullseye AS fsnotify
 WORKDIR /src
-RUN git clone https://github.com/fsnotify/fsnotify
-RUN cd fsnotify/cmd/fsnotify \
+RUN git clone https://github.com/fsnotify/fsnotify .
+RUN --mount=type=cache,target=/go/pkg/mod \
+ --mount=type=cache,target=/root/.cache/go-build \
+ cd cmd/fsnotify \
 && GOOS=linux go build -tags release -a -ldflags "-extldflags -static" -o fsnotify
+FROM golang:1.20.4-bullseye AS job
+WORKDIR /src
+RUN git clone --depth 1 --branch v0.2.0 https://github.com/liujianping/job .
+RUN --mount=type=cache,target=/go/pkg/mod \
+ --mount=type=cache,target=/root/.cache/go-build \
+ GOOS=linux go build -o job-
+
+
 FROM debian:bullseye AS yara
 RUN apt-get update -y && apt-get install -y \
 ca-certificates wget automake libtool make gcc pkg-config libjansson-dev libmagic-dev libssl-dev git
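Review bot: The fsnotify stage still clones an unpinned default branch in `RUN git clone https://github.com/fsnotify/fsnotify .`, so the binary that later lands in /var/ossec/bin/fsnotify is whatever upstream HEAD happens to be at build time — the build is not reproducible and an upstream change is picked up silently. The new job stage a few lines down already uses `--depth 1 --branch v0.2.0`; the same form with an fsnotify release tag (or a `git checkout <commit-hash>` after the clone, since tags are movable) should be used here. The trailing context lines of this hunk appear to be cut off in this view.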
@@ -69,19 +79,23 @@ RUN apt-get update -y && apt-get install -y \
 libjansson4 \
 libmagic1 \
 libssl1.1 \
+ curl \
+ unzip \
 && rm -rf /var/cache/apt/lists
 COPY --from=gomplate /gomplate /usr/bin/gomplate
 COPY --from=multirun /src/multirun /usr/bin/multirun
+COPY --from=job /src/job- /usr/bin/job
 COPY --from=yara /usr/local/yara /usr/local/yara
 COPY --from=wazuh-agent /var/ossec /var/ossec
 COPY --from=wazuh-manager /var/ossec/ruleset/sca.disabled /var/ossec/ruleset/sca.disabled
-COPY --from=fsnotify /src/fsnotify/cmd/fsnotify/fsnotify /var/ossec/bin/fsnotify
+COPY --from=fsnotify /src/cmd/fsnotify/fsnotify /var/ossec/bin/fsnotify
 COPY --from=wazuh-container-exec /src/wazuh-container-exec /var/ossec/active-response/bin/wazuh-container-exec
 COPY active-response/* /var/ossec/active-response/bin
 COPY entrypoint.sh /entrypoint.sh
+COPY yara-rule-downloader.sh /yara-rule-downloader.sh
 COPY wazuh-start.sh /var/ossec/bin/wazuh-start.sh
 COPY wazuh-tail-logs.sh /var/ossec/bin/wazuh-tail-logs.sh
 COPY ossec.tpl.conf /var/ossec/etc/ossec.tpl.conf
diff --git a/entrypoint.sh b/entrypoint.sh
index e9d9a90..de5dd30 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -32,7 +32,10 @@ if [ "$desiredname" != "$currentname" ]; then
 echo -n "" >"$WAZUH_AGENT_HOST_DIR/var/ossec/etc/client.keys"
 fi
 
+/yara-rule-downloader.sh
+
 exec multirun \
 "env PATH='/var/ossec/active-response/bin:$PATH' wazuh-container-exec server" \
+ "job -s '0 1 * * *' -- /yara-rule-downloader.sh" \
 "chroot $WAZUH_AGENT_HOST_DIR /var/ossec/bin/wazuh-start.sh" \
 "chroot $WAZUH_AGENT_HOST_DIR /var/ossec/bin/wazuh-tail-logs.sh"
diff --git a/yara-rule-downloader.sh b/yara-rule-downloader.sh
new file mode 100755
index 0000000..a9c47c1
--- /dev/null
+++ b/yara-rule-downloader.sh
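Review bot: The startup call `/yara-rule-downloader.sh` added before `exec multirun` has no failure handling, and since the script fetches with `curl -sf` a download error prints nothing: if entrypoint.sh runs under `set -e` (its header is outside the hunk) a transient network error aborts the container start, and otherwise the failure leaves no trace in the logs. I would make the initial run best-effort and visible, e.g. `/yara-rule-downloader.sh || echo "WARN: initial yara rule download failed; retrying at the scheduled run" >&2`, and let the daily `job` run retry. The schedule `'0 1 * * *'` is also hard-coded in the multirun command line; taking it from an environment variable with that default, as the script already does for `WAZUH_YARA_RULES_URLS`, would let operators stagger rule refreshes across a fleet.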
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -euo pipefail
+
+WAZUH_YARA_HOME="${WAZUH_YARA_HOME:-"/usr/local/yara"}"
+WAZUH_YARA_RULES_URLS="${WAZUH_YARA_RULES_URLS:-}"
+
+if [ -z "$WAZUH_YARA_RULES_URLS" ]; then
+ echo "INFO: No yara rules to download."
+ exit 0
+fi
+
+mkdir -p /tmp/rules
+cd /tmp/rules
+for url in $WAZUH_YARA_RULES_URLS; do
+ echo "Downloading yara rules from '$url'."
+ curl -sfL "$url" -o temp.zip
+ unzip -qq temp.zip
+ rm temp.zip
+done
+rm -rf "$WAZUH_YARA_HOME/rules"
+mv /tmp/rules "$WAZUH_YARA_HOME/rules"
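Review bot: The staging directory `/tmp/rules` is reused across runs and never cleaned up: when a run fails after `unzip` but before the final `mv` (for example the second URL returns an error, which `set -e` turns into an exit), the extracted files stay behind, and on the next scheduled run `unzip -qq temp.zip` meets existing files and prompts before overwriting — with no terminal under `job` that ends in skipped files or an error instead of a refreshed rule set. The archives are also installed as detection logic without any integrity check, so whatever `curl -sfL` receives for a URL in `WAZUH_YARA_RULES_URLS` is unpacked and activated; a checksum list would be the real fix, and in the meantime `-S` makes curl failures visible and `--proto '=https'` refuses plain-http sources if none are needed. The rewrite below stages into a fresh `mktemp -d` directory that is removed on every exit path, overwrites explicitly, and keeps the swap into `$WAZUH_YARA_HOME/rules` as the last step so a failed download leaves the previous rules untouched, as the original already does; `mktemp -d` creates the directory mode 0700, so the `chmod` restores the permissions `mkdir -p /tmp/rules` gave under the default umask.

```bash
# … unchanged: defaults and the empty-URL early exit …
staging="$(mktemp -d)"
trap 'rm -rf "$staging"' EXIT
chmod 755 "$staging"  # mktemp -d creates 0700; the rules must stay readable by the scanner
cd "$staging"
for url in $WAZUH_YARA_RULES_URLS; do
 echo "Downloading yara rules from '$url'."
 # -S reports errors despite -s; --proto '=https' rejects plain-http sources (drop it if http is required)
 curl -sSfL --proto '=https' "$url" -o temp.zip
 unzip -qq -o temp.zip
 rm temp.zip
done
rm -rf "$WAZUH_YARA_HOME/rules"
mv "$staging" "$WAZUH_YARA_HOME/rules"
trap - EXIT
```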