Merge pull request #42 from JupiterOne/ingest-log4j-vulns

Create Ingest Log4j Vulnerabilities script

Author: MadOx710

.github/workflows/build-ingest-log4j-vulns.yml

@@ -0,0 +1,42 @@
+name: Build
+on: ['push']
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out source code
+        uses: actions/checkout@v2
+
+      - name: Detect Dockerfile changes
+        uses: dorny/paths-filter@v2
+        id: filter
+        with:
+          filters: |
+            projectchanged:
+              - 'ingest-log4j-vulns/**'
+
+      - name: Should Build?
+        if: steps.filter.outputs.projectchanged == 'true'
+        run: |
+          echo "Project changed. Need to update Docker image."
+          echo "need_docker_build=true" >> $GITHUB_ENV
+          
+      - name: Login to DockerHub Registry
+        if: env.need_docker_build
+        run: echo ${{ secrets.DOCKERHUB_TOKEN }} | docker login -u ${{ secrets.DOCKERHUB_USERNAME }} --password-stdin docker.io
+
+      - name: Build the latest Docker image
+        if: env.need_docker_build
+        run: |
+          cd ingest-log4j-vulns
+          pkgver="$(jq -r .version package.json)"
+          echo "pkgver=$pkgver" >> $GITHUB_ENV
+          docker build --file Dockerfile --tag jupiterone/ingest-log4j-vulns:latest --tag jupiterone/ingest-log4j-vulns:$pkgver . 
+
+      - name: Push the latest Docker image
+        if: env.need_docker_build
+        run: |
+          docker push jupiterone/ingest-log4j-vulns:latest
+          docker push jupiterone/ingest-log4j-vulns:${{ env.pkgver }}

.gitignore

@@ -3,5 +3,8 @@ node_modules
 .DS_Store
 dist
 
+j1-scope-key
+results
+
 results.json
 bulkDelete.json

ingest-log4j-vulns/Dockerfile

@@ -0,0 +1,19 @@
+# syntax=docker/dockerfile:1.2
+
+FROM node:14-alpine
+
+RUN apk update && apk upgrade && apk add wget bash
+
+COPY . . 
+
+RUN wget https://github.com/ossie-git/log4shell_sentinel/releases/download/v1.0.0/log4shell_sentinel_v1.0.0-linux-amd64.tar.gz
+
+# This should produce just the binary
+RUN tar -zxf log4shell_sentinel_v1.0.0-linux-amd64.tar.gz
+
+# This puts it on our $PATH so our shell script works as expected
+RUN mv log4shell_sentinel /bin
+
+RUN npm i
+
+CMD ["./scan-for-log4j.sh", "/scan"]

ingest-log4j-vulns/README.md

@@ -0,0 +1,74 @@
+# JupiterOne - Script to Ingest Log4J Vulnerabilities
+
+This automation example ingests the output of [log4shell_sentinel][1], a
+cross-platform tool that scans local filesystems and emits CSV output. This
+ingestion script is intended for distribution/deployment to all hosts in your
+environment that you would like to scan and remediate for log4j vulnerabilities.
+
+## Dependencies / Installation
+
+You will need to:
+1. Clone this repo, containing the shell and Node scripts in this example
+2. Run `npm install` to install dependencies
+3. Install an [OS/arch-appropriate binary of log4shell_sentinel][2] on each target
+host.
+
+The ingestion script assumes `log4shell_sentinel` is available locally, and is
+in your system's `$PATH`.
+
+You will need to export the following ENV vars for ingestion:
+
+* `J1_ACCOUNT`
+* `J1_ACCESS_TOKEN`
+
+## Usage
+
+`sudo ./scan-for-log4j.sh`  - by default, scan the entire filesystem, including container images (recommended)
+
+`./scan-for-log4j.sh ./some/target/path`  - scan only target path, additionally do not use superuser privs
+
+### Usage with Docker
+
+`docker run -v /target/file/path:/scan -e J1_ACCOUNT="$J1_ACCOUNT" -e J1_ACCESS_TOKEN="$J1_ACCESS_TOKEN" -e HOST_IDENTIFIER="$(hostname)" --rm jupiterone/ingest-log4j-vulns`
+
+Use `-v /:/scan` to scan the entire filesystem (recommended).
+
+NOTES: 
+* This does not run as root and does not scan container images. 
+* The `HOST_IDENTIFIER` env var is needed since this information is not available inside the running Docker container.
+* If desired, you may also specify `-e HOST_IP="some.ip.addr"` to provide the outer hosts' IP address.
+
+## Expected Workflow:
+
+The following suggested workflow can be used to identify and remediate Log4j
+vulnerabilities across your entire fleet of hosts.
+
+Step 1: Deployment
+
+Deploy this software to your hosts via MDM, Ansible, Chef, etc.
+
+Step 2: Scanning
+
+Periodically scan your hosts by creating a CRON job that runs every hour.
+
+`0 * * * * /path/to/scan-for-log4j.sh`
+
+or
+
+`0 * * * * docker run -v /target/file/path:/scan -e J1_ACCOUNT="$J1_ACCOUNT" -e J1_ACCESS_TOKEN="$J1_ACCESS_TOKEN" --rm jupiterone/ingest-log4j-vulns`
+
+Step 3: Monitoring in JupiterOne
+
+Issue queries like the following:
+
+* `Find log4j_vulnerability as v ORDER BY v._createdOn ASC` - vulnerable hosts, oldest findings first
+* `Find log4j_vulnerability as v return v.hostname, count(v) as vulns ORDER BY vulns DESC` - show vulnerable hosts, rank ordered by number of vulnerabilities
+
+Step 4: Remediate Hosts
+
+As you work to remediate hosts, the above query results will automatically return fewer results over time as these hosts' passing scans report in.
+
+
+
+[1]: https://github.com/ossie-git/log4shell_sentinel
+[2]: https://github.com/ossie-git/log4shell_sentinel/releases/tag/v1.0.0

ingest-log4j-vulns/ingest-log4j-vulns.js

@@ -0,0 +1,102 @@
+const { JupiterOneClient } = require("@jupiterone/jupiterone-client-nodejs") 
+const { v4: uuid } = require('uuid');
+const fs = require("fs")
+
+
+const authenticate = async () => {
+    console.log('Authenticating...');
+  
+    const input = {
+      accessToken: process.env.J1_ACCESS_TOKEN,
+      account: process.env.J1_ACCOUNT,
+      dev: process.env.J1_DEV_ENABLED
+    };
+  
+    const j1 = new JupiterOneClient(input);
+  
+    await j1.init();
+  
+    console.log('Successfully authenticated...');
+  
+    return j1;
+  };
+
+const j1UniqueKeyFileLocation = `${process.cwd()}/j1-scope-key`
+
+const getScope = () => {
+    let scope;
+    if (!fs.existsSync(j1UniqueKeyFileLocation)) {
+        scope = uuid()
+        fs.writeFileSync(j1UniqueKeyFileLocation, scope, 'utf8')
+    } else {
+        scope = fs.readFileSync(j1UniqueKeyFileLocation, 'utf8')
+    }
+
+    return scope;
+}
+
+// TODO: make this as a config value so shell script and node program reference same file location
+const inputDataFilePath = "./results"
+
+const sentinelDictionary = {
+    0: "ip",
+    1: "hostname",
+    2: "appname",
+    3: "team",
+    4: "ignore (y/n)",
+    5: "comments",
+    6: "md5hash",
+    7: "timestamp",
+    8: "container",
+    9: "image",
+    10: "fullpath",
+    11: "version",
+}
+
+const main = async () => {
+    // Bail early if file doesn't exist
+    // This indicates a problem upstream
+    if (!fs.existsSync(inputDataFilePath)) return
+    
+    // utf8 guarantees our output is returned to us as a string
+    const input = fs.readFileSync(inputDataFilePath, "utf8")?.trim()
+    
+    const j1 = await authenticate()
+    const scope = getScope();
+    
+    // Ensure at least we have an array contains empty string
+    const lines = input?.length ? input.split(/\n/) : []
+    
+    // Create entities to upload to J1
+    const entities = lines.map((line) => {
+        const sentinelDataProps = line?.toString().split(",") ?? []
+
+        return {
+            _key: uuid(),
+            _type: 'log4j_vulnerability',
+            _class: 'Finding',
+            displayName: sentinelDataProps[11],
+            [sentinelDictionary[0]]: process.env.HOST_IP || sentinelDataProps[0],
+            [sentinelDictionary[1]]: process.env.HOST_IDENTIFIER || sentinelDataProps[1],
+            [sentinelDictionary[6]]: sentinelDataProps[6],
+            [sentinelDictionary[7]]: sentinelDataProps[7],
+            [sentinelDictionary[8]]: sentinelDataProps[8] === 'true',
+            [sentinelDictionary[9]]: sentinelDataProps[9],
+            [sentinelDictionary[10]]: sentinelDataProps[10],
+            [sentinelDictionary[11]]: sentinelDataProps[11],
+        }
+    })
+
+    // Note: entities of 0 isn't necessarily a bad thing..
+    // It's still needed to clear out existing data in the event
+    // that there were previous vulnerabilities and they have since
+    // been remediated.
+    console.log('Entities Uploading :>> ', entities.length);
+
+    await j1.bulkUpload({syncJobOptions: {scope}, entities})
+    if (entities.length) {
+      console.log('Entities may be found with a J1QL query like "Find log4j_vulnerability"')
+    }
+}
+
+main().catch(console.error)