v.1.9: Enables vulnerability management - gather installed packages a…

…cross the fleet and discover associated CVEs; Fixes the Windows installer;

README.md

@@ -2,7 +2,7 @@
 
 #### Deep Security Visibility & Protection
 
-Impulse XDR is the easiest way to start monitoring your servers and endpoints including VPS, VPC networks, VMs, Linux Desktop and Windows 10/11 assets.
+Impulse XDR is the easiest way to start monitoring your servers and endpoints including VPS, VPC, VMs, Droplets or Linux/Windows 10/11 machines. 
 
 Whether your goal is to secure a single VPS server or large cloud network (VPC), Impulse will help you get there. Set up deep visibility and protection for your infrastucture in two steps: 
 
@@ -46,4 +46,4 @@ Integrated with VirursTotal to scan for malicious files on your hosts.
 Integrated with several high-quality threat intelligence providers to enrich your context data.
 
 #### Self-Hosted & Open-Core
-Data never leaves you servers.
+Data never leaves you servers.

agent/agentd/sensor_grpc_client.py

@@ -128,11 +128,34 @@ def start_main_thread(streaming_stub):
 					result = get_agent_system_posture(syst_posture_queries)	
 					result = json.dumps(result)	
 
-				elif task_code == "gather_installed_packages":
-					args = json.loads( response.args )
-					all_packages = {'python_packages': exec_osqueryd("select * from python_packages")}
-					#result = json.dumps(result)
-					pass 	
+				elif task_code == "installed_packages":
+					os_type = args['os_type']
+
+					package_list = []
+
+					if os_type == 'linux':
+						result_dict = exec_osqueryd('select * from deb_packages;')
+
+						package_list.append({"type": "deb_package", "result": result_dict })
+
+						if len(result_dict) == 0:
+							result_dict = exec_osqueryd('select * from rpm_packages;')
+							package_list.append({"type": "rpm_package", "result": result_dict })
+
+					elif os_type == 'windows':
+						programs_dict = exec_osqueryd('select * from programs;')
+						chocolatey_packages_dict = exec_osqueryd('select * from chocolatey_packages;')
+
+						package_list.append({"type": "windows_program", "result": programs_dict })
+						package_list.append({"type": "windows_chocolatey_package", "result": chocolatey_packages_dict })
+					else:
+						pass 
+
+					python_packages_dict = exec_osqueryd('select * from python_packages;')
+
+					package_list.append({"type": "python_package", "result": python_packages_dict })
+
+					result = json.dumps(package_list)
 
 				elif task_code == "man_page":
 					service_name = args['service_name']
@@ -159,7 +182,6 @@ def start_main_thread(streaming_stub):
 					)				
 					result = json.dumps(respJson) 
 
-
 				elif task_code == "take_action":
 					indicator_name = args['indicator_name']
 					target_param = args['target_param']
@@ -198,6 +220,7 @@ def start_main_thread(streaming_stub):
 
 					with open(OSQUERY_CONF_IN_USE, "w") as jsonFile:
 						json.dump(core_pack_data, jsonFile, indent=4)
+
 					subprocess.Popen(['systemctl', 'restart', 'osqueryd'])
 
 					respJson = {
@@ -209,8 +232,6 @@ def start_main_thread(streaming_stub):
 				else:
 					pass 
 
-				print("Task return result: ", result)
-
 			except Exception as e:
 				print("exception doing task: ", e)
 				pass 
@@ -234,14 +255,12 @@ def run():
 		credentials=ca_root_cert
 	) as channel:
 		streaming_stub = manager_grpc_server_pb2_grpc.GrpcServerStub(channel)
-		#unary_stub = manager_grpc_server_pb2_grpc.GrpcServerStub(channel)
 		start_main_thread(streaming_stub)
 
 if __name__ == '__main__':
 	try:
 		print("[START SENSOR CLIENT]..")
 		run()
 	except Exception as e:
-		print("__main__: ", e)
 		logging.debug('[SERVICE EXITING] logs:', e)
 

agent/docker-compose-nids.yml

@@ -0,0 +1,18 @@
+version: "3" 
+
+services:
+  suricata:
+    container_name: impulse-suricata
+    image: 'jasonish/suricata:latest'
+    network_mode: "host"
+    cap_add:
+      - SYS_NICE  
+      - NET_ADMIN
+    volumes:
+      - /var/impulse/etc/suricata:/etc/suricata
+      - /var/impulse/lib/suricata:/var/lib/suricata
+      - /var/impulse/log/suricata:/var/log/suricata
+    command: '-i ${HOST_INTERFACE} -F /etc/suricata/capture-filter.bpf' ## IDS mode
+    #command: '-i ${HOST_INTERFACE} -F /etc/suricata/capture-filter.bpf' ## IPS mode
+    restart: always
+

agent/impulse.conf

@@ -1,16 +1,16 @@
 
 [Env]
 IP_MANAGER=192.168.0.37
-STATIC_IP_ADDR=
-HOST_INTERFACE=n/a
-AGENT_TYPE=light
+STATIC_IP_ADDR=192.168.0.25
+HOST_INTERFACE=eth1
+AGENT_TYPE=heavy
 SETUP_TYPE=agent
-NIDS_ENABLED=false
+NIDS_ENABLED=true
 NIDS_MODE=IDS
 IPS_SETUP=auto
 IPS_MODE_PORTS=22,80
-AGENT_ID=upscu5dm
-AGENT_SECRET_KEY=mqunh1a0kq527ecznm4r3x0jliabdr4q
+AGENT_ID=ylgq2g0o
+AGENT_SECRET_KEY=apkh08vkyxdxdj1z2xbqgo9lx0lmhrov
 
 ##################################################
 # There should be no space between key and value.

agent/install_agent.sh

@@ -107,6 +107,8 @@ mkdir -p /var/impulse/data/rsyslog/spool
 mkdir -p /var/impulse/data/quarantined_files
 mkdir -p /var/log/impulse
 
+mkdir -p /var/spool/rsyslog
+
 ## with system rsyslog
 mkdir -p /etc/ssl/impulse
 mkdir -p /etc/rsyslog.d/impulse
@@ -134,6 +136,11 @@ openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -subj "/CN=localhost"
 
 $PROJECT_ROOT_DIR/install_modules/agent/impulse_systemd_services.sh $PROJECT_ROOT_DIR $IP_HOST $AGENT_TYPE $OS_TYPE
 
+# SELinux must be adjusted for rsyslog on Alma/CentOS/RHEL distributions
+
+## or temporary disable it with
+# setenforce 0 
+
 echo "Create Indexer templates..."
 $PROJECT_ROOT_DIR/install_modules/agent/impulse_rsyslog.sh $PROJECT_ROOT_DIR $AGENT_TYPE $IP_MANAGER $AGENT_TAG_ID $PACKAGE_MGR
 

agent/install_modules/agent/impulse_crontab.sh

@@ -14,8 +14,8 @@ fi
 echo "$kernelk_cron_file" > /etc/cron.d/impulse
 
 if [[ $OS_TYPE == 'ubuntu' || $OS_TYPE == 'debian' || $OS_TYPE = "linuxmint" ]]; then
-	service cron reload 
-	service cron restart 
+	service crond reload 
+	service crond restart 
 fi
 
 if [[ $OS_TYPE == 'centos' || $OS_TYPE = "fedora" ]]; then

agent/install_modules/agent/impulse_rsyslog.sh

@@ -129,3 +129,75 @@ echo "$AGENT_GENERAL_CONF_TEMPLATE" > "/etc/rsyslog.conf"
 systemctl enable rsyslog
 systemctl restart rsyslog
 
+
+
+
+
+
+
+
+
+
+
+
+
+# # rsyslog configuration file
+
+# # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
+# # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+
+# #### MODULES ####
+
+# # The imjournal module bellow is now used as a message source instead of imuxsock.
+# $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
+# # Tachtler
+# # default: $ModLoad imjournal # provides access to the systemd journal
+# # $ModLoad imjournal # provides access to the systemd journal
+# #$ModLoad imklog # reads kernel messages (the same are read from journald)
+# # Tachtler
+# # default: #$ModLoad immark  # provides --MARK-- message capability
+# $ModLoad immark  # provides --MARK-- message capability
+
+# # Provides UDP syslog reception
+# #$ModLoad imudp
+# #$UDPServerRun 514
+
+# # Provides TCP syslog reception
+# #$ModLoad imtcp
+# #$InputTCPServerRun 514
+
+
+# #### GLOBAL DIRECTIVES ####
+
+# # Where to place auxiliary files
+# $WorkDirectory /var/lib/rsyslog
+
+# # Use default timestamp format
+# $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+# # File syncing capability is disabled by default. This feature is usually not required,
+# # not useful and an extreme performance hit
+# #$ActionFileEnableSync on
+
+# # Include all config files in /etc/rsyslog.d/
+# $IncludeConfig /etc/rsyslog.d/*.conf
+
+# # Turn off message reception via local log socket;
+# # local messages are retrieved through imjournal now.
+# # Tachtler
+# # default: $OmitLocalLogging on
+# $OmitLocalLogging off
+
+# # File to store the position in the journal
+# # Tachtler
+# # default: $IMJournalStateFile imjournal.state
+# # $IMJournalStateFile imjournal.state
+
+
+# #### RULES ####
+
+# # Tachtler - new -
+# # Write all Log-Information to graylog
+# #$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
+# #*.*                                                     @10.7.0.110:514;GRAYLOGRFC5424
+# *.*                                                     @10.7.0.110:514;RSYSLOG_SyslogProtocol23Format

agent/install_modules/shared/selinux_policy.sh

@@ -12,6 +12,9 @@ if [ -x "$(command -v sestatus)" ]; then
         semodule -i /opt/impulse/build/shared/selinux_policy/impulse_fedora_policy.pp
     fi   
 	semodule --reload
+
+  # disable selinux 
+  #setenforce 0
 else
 	echo "No selinux detected."
 fi

agent/uninstall_agent.sh

@@ -42,7 +42,7 @@ rm -rf /usr/share/osquery
 cd /opt 
 rm -rf /opt/impulse
 
-systemctl restart cron 
+systemctl restart cron crond 
 
 # deluser impulse_siem
 # rm -rf /home/impulse_siem

aux_server/aux-venv/lib/python3.10/site-packages/MarkupSafe-2.1.4.dist-info/METADATA → aux_server/aux-venv/lib/python3.10/site-packages/MarkupSafe-2.1.5.dist-info/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: MarkupSafe
-Version: 2.1.4
+Version: 2.1.5
 Summary: Safely add untrusted strings to HTML/XML markup.
 Home-page: https://palletsprojects.com/p/markupsafe/
 Maintainer: Pallets

aux_server/aux-venv/lib/python3.10/site-packages/MarkupSafe-2.1.4.dist-info/RECORD → aux_server/aux-venv/lib/python3.10/site-packages/MarkupSafe-2.1.5.dist-info/RECORD

@@ -1,10 +1,10 @@
-MarkupSafe-2.1.4.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4
-MarkupSafe-2.1.4.dist-info/LICENSE.rst,sha256=SJqOEQhQntmKN7uYPhHg9-HTHwvY-Zp5yESOf_N9B-o,1475
-MarkupSafe-2.1.4.dist-info/METADATA,sha256=FG6QyNhkd6O_gW6Ies5gTq1WvWzSBP2ssaQXb6cD_qY,3003
-MarkupSafe-2.1.4.dist-info/RECORD,,
-MarkupSafe-2.1.4.dist-info/WHEEL,sha256=1FEjxEYgybphwh9S0FO9IcZ0B-NIeM2ko8OzhFZeOeQ,152
-MarkupSafe-2.1.4.dist-info/top_level.txt,sha256=qy0Plje5IJuvsCBjejJyhDCjEAdcDLK_2agVcex8Z6U,11
-markupsafe/__init__.py,sha256=tRxwyNnEbraoYPIRtDDyRLHLWhF5VjVHmS9S0EqVyoI,10931
+MarkupSafe-2.1.5.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4
+MarkupSafe-2.1.5.dist-info/LICENSE.rst,sha256=SJqOEQhQntmKN7uYPhHg9-HTHwvY-Zp5yESOf_N9B-o,1475
+MarkupSafe-2.1.5.dist-info/METADATA,sha256=2dRDPam6OZLfpX0wg1JN5P3u9arqACxVSfdGmsJU7o8,3003
+MarkupSafe-2.1.5.dist-info/RECORD,,
+MarkupSafe-2.1.5.dist-info/WHEEL,sha256=1FEjxEYgybphwh9S0FO9IcZ0B-NIeM2ko8OzhFZeOeQ,152
+MarkupSafe-2.1.5.dist-info/top_level.txt,sha256=qy0Plje5IJuvsCBjejJyhDCjEAdcDLK_2agVcex8Z6U,11
+markupsafe/__init__.py,sha256=r7VOTjUq7EMQ4v3p4R1LoVOGJg6ysfYRncLr34laRBs,10958
 markupsafe/__pycache__/__init__.cpython-310.pyc,,
 markupsafe/__pycache__/_native.cpython-310.pyc,,
 markupsafe/_native.py,sha256=GR86Qvo_GcgKmKreA1WmYN9ud17OFwkww8E-fiW-57s,1713