
"hedgehog run profile" doesn't allow for reaching back for PCAP payload or carved file artifacts #563

Closed
mmguero opened this issue Sep 12, 2024 · 1 comment
Labels
arkime Relating to Malcolm's use of Arkime bug Something isn't working docker Relating to docker and docker-compose as used by Malcolm

Comments

@mmguero
Collaborator

mmguero commented Sep 12, 2024

See Hedgehog Run Profile for background of what the feature is.

A normal Malcolm instance's Arkime interface can't grab PCAP from a hedgehog run profile instance's Arkime capture. In order to do so, the arkime-live session needs to expose port 8005 (I'm pretty sure it's the arkime-live container that needs to do it, not just the regular arkime container). This should probably be handled around here in install.py.

However, there are some issues to this: namely, a hedgehog run profile doesn't have nginx at all, meaning no authentication. On the hedgehog sensor we handle this with an access control list and a shared secret (which is not really a password) but we can't really do that here in Malcolm, since we don't necessarily have control of the user's system to set the firewall up. Maybe we just need to ask them if they want to open the port, and if they do say "you need to handle the access/firewall yourself."

The next part of this is the "extracted files user interface". We don't even prompt the user to enable this in the hedgehog run profile, but should we? If so, we've got the same access control problem as mentioned above, plus one worse: it's not even https, it's HTTP only. Now, the main malcolm instance should proxy those requests, as per the documentation:

Similarly, files extracted and preserved on a Hedgehog Linux network sensor can be accessed at https://localhost/hh-extracted-files/X.X.X.X/, where X.X.X.X represents the IP address or hostname of the sensor (e.g., https://localhost/hh-extracted-files/192.168.122.57/ if the sensor’s IP address were 192.168.122.57).

which we'd also need to make sure works, but again it would mean exposing through docker the non-https port, which I'm not super excited to do.

Another possibility is that we change the hedgehog run profile to have an nginx-proxy container, which it doesn't right now, but there are quite a few issues with that as well:

  • the depends on section of that service would have to change (we could write this list out depending on profile in install.py)
  • they'd have to configure authentication on a hedgehog profile, which wouldn't be the end of the world
  • I'm not sure how the PCAP reachback would work, that would still probably need to be unauthenticated (?) because I'm not sure how we'd tell the main malcolm instance what the user/password for that would be.

Anyway there are some issues here. This isn't a super super huge priority, as I don't know for sure that anybody is actually using this feature, and even if they are it's only the reachback that's broken (for the most part, it still works with data flowing the other direction).

This also needs to be handled and tested in a Kubernetes deployment to be considered complete.

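The comment above describes two profile-dependent compose decisions: publishing the arkime-live viewer port (8005) so another Malcolm instance can reach back for PCAP, and writing out the nginx-proxy `depends_on` list per profile. The following is an added, hypothetical sketch of how an installer might derive those overrides and surface the "no nginx means no authentication" caveat; it is not Malcolm's install.py, and everything except the service names `arkime`, `arkime-live`, `nginx-proxy` and port 8005 (all taken from the issue) is an assumption for illustration.

```python
"""Hypothetical, simplified sketch of profile-aware docker-compose overrides.

NOT Malcolm's install.py. The override shape, the depends_on contents and the
profile names are assumptions; only the service names arkime, arkime-live,
nginx-proxy and the viewer port 8005 come from the issue text.
"""
from __future__ import annotations

import ipaddress

ARKIME_VIEWER_PORT = 8005  # port the issue says arkime-live would need to expose
PROFILES = ("malcolm", "hedgehog")  # assumed profile names


def build_profile_overrides(
    profile: str,
    expose_pcap_reachback: bool = False,
    bind_address: str = "0.0.0.0",
) -> dict:
    """Return compose-style per-service overrides plus operator warnings.

    profile:               "malcolm" (full stack, has nginx-proxy) or
                           "hedgehog" (capture only, no nginx-proxy)
    expose_pcap_reachback: publish arkime-live's viewer port so a remote
                           Malcolm's Arkime can fetch PCAP from this host
    bind_address:          host address to publish the port on
    """
    if profile not in PROFILES:
        raise ValueError(f"unknown profile: {profile!r}")
    ipaddress.ip_address(bind_address)  # reject garbage before it reaches compose

    services: dict[str, dict] = {}
    warnings: list[str] = []

    if profile == "malcolm":
        # Assumed depends_on list; the real one is longer and not reproduced here.
        services["nginx-proxy"] = {"depends_on": ["arkime", "arkime-live"]}

    if expose_pcap_reachback:
        if profile == "hedgehog":
            # No nginx-proxy in this profile, so nothing authenticates port 8005.
            warnings.append(
                f"arkime-live port {ARKIME_VIEWER_PORT} is published without "
                "authentication; restrict it with a host firewall/ACL yourself"
            )
            if bind_address == "0.0.0.0":
                warnings.append("bind to a specific interface instead of 0.0.0.0")
        services["arkime-live"] = {
            "ports": [f"{bind_address}:{ARKIME_VIEWER_PORT}:{ARKIME_VIEWER_PORT}"]
        }

    return {"services": services, "warnings": warnings}


def render_compose(overrides: dict) -> str:
    """Render the overrides as a minimal compose YAML fragment (no PyYAML needed)."""
    lines = ["services:"]
    for name, cfg in overrides["services"].items():
        lines.append(f"  {name}:")
        for key, values in cfg.items():
            lines.append(f"    {key}:")
            lines.extend(f"      - {v}" for v in values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = build_profile_overrides("hedgehog", expose_pcap_reachback=True)
    print(render_compose(result))
    for w in result["warnings"]:
        print("WARNING:", w)
```

The point of returning the warnings alongside the override rather than just printing them is that an installer can refuse to continue, or require an explicit acknowledgement, when the port would be published with no authenticating proxy in front of it.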
@mmguero mmguero added bug Something isn't working docker Relating to docker and docker-compose as used by Malcolm arkime Relating to Malcolm's use of Arkime labels Sep 12, 2024
@mmguero mmguero added this to the v24.09.0 milestone Sep 12, 2024
@mmguero mmguero added this to Malcolm Sep 12, 2024
@mmguero mmguero moved this to Todo (design) in Malcolm Sep 12, 2024
@mmguero mmguero modified the milestones: v24.09.0, z.staging Sep 12, 2024
@mmguero mmguero removed this from the z.staging milestone Oct 1, 2024
@mmguero
Collaborator Author

mmguero commented Nov 4, 2024

Kamino closed and cloned this issue to cisagov/Malcolm

Projects
Status: Migrated