Reworked Dockerfile to be multiarch
82
Dockerfile
82
Dockerfile
@@ -1,19 +1,71 @@
|
|||||||
FROM alpine as builder
|
# Stage 1: Builder
|
||||||
ADD 'https://github.com/Yamato-Security/hayabusa/releases/download/v2.16.0/hayabusa-2.16.0-linux-intel.zip' /hayabusa.zip
|
FROM alpine AS builder
|
||||||
ADD 'https://github.com/Yamato-Security/takajo/releases/download/v2.5.0/takajo-2.5.0-linux.zip' /takajo.zip
|
|
||||||
RUN apk add -U unzip git
|
|
||||||
RUN mkdir /opt/hayabusa && cd /opt/hayabusa && unzip /hayabusa.zip && unzip /takajo.zip
|
|
||||||
RUN chmod +x /opt/hayabusa/*
|
|
||||||
RUN ln /opt/hayabusa/hayabusa-2.16.0-lin-x64-gnu /opt/hayabusa/hayabusa
|
|
||||||
RUN chmod +x /opt/hayabusa/hayabusa
|
|
||||||
RUN /opt/hayabusa/hayabusa-2.16.0-lin-x64-musl update-rules -r /opt/hayabusa/rules/
|
|
||||||
|
|
||||||
|
# Get the target platform
|
||||||
|
ARG TARGETPLATFORM
|
||||||
|
ENV HAYABUSA_VERSION=2.17.0
|
||||||
|
ENV TAKAJO_VERSION=2.6.0
|
||||||
|
|
||||||
From ubuntu
|
# Install necessary tools
|
||||||
COPY --from=0 /opt/hayabusa /opt/hayabusa
|
RUN apk add --no-cache unzip wget git
|
||||||
|
|
||||||
|
# Determine the correct zip files and binaries based on TARGETPLATFORM
|
||||||
|
RUN \
|
||||||
|
case "$TARGETPLATFORM" in \
|
||||||
|
"linux/amd64") \
|
||||||
|
HAYABUSA_ZIP="hayabusa-${HAYABUSA_VERSION}-linux-intel.zip"; \
|
||||||
|
HAYABUSA_BINARY="hayabusa-${HAYABUSA_VERSION}-lin-x64-gnu"; \
|
||||||
|
TAKAJO_ZIP="takajo-${TAKAJO_VERSION}-linux-intel.zip"; \
|
||||||
|
TAKAJO_BINARY="takajo-${TAKAJO_VERSION}-lin-x64-gnu"; \
|
||||||
|
;; \
|
||||||
|
"linux/arm64") \
|
||||||
|
HAYABUSA_ZIP="hayabusa-${HAYABUSA_VERSION}-linux-arm.zip"; \
|
||||||
|
HAYABUSA_BINARY="hayabusa-${HAYABUSA_VERSION}-lin-aarch64-gnu"; \
|
||||||
|
;; \
|
||||||
|
*) echo "Unsupported platform: $TARGETPLATFORM"; exit 1 ;; \
|
||||||
|
esac && \
|
||||||
|
# Download Hayabusa zip
|
||||||
|
wget -O /hayabusa.zip "https://github.com/Yamato-Security/hayabusa/releases/download/v${HAYABUSA_VERSION}/${HAYABUSA_ZIP}" && \
|
||||||
|
mkdir -p /opt/hayabusa && \
|
||||||
|
cd /opt/hayabusa && \
|
||||||
|
unzip /hayabusa.zip && \
|
||||||
|
ln -s "$HAYABUSA_BINARY" /opt/hayabusa/hayabusa && \
|
||||||
|
chmod +x /opt/hayabusa/hayabusa && \
|
||||||
|
# Download and extract Takajo for linux/amd64 only
|
||||||
|
if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
|
||||||
|
wget -O /takajo.zip "https://github.com/Yamato-Security/takajo/releases/download/v${TAKAJO_VERSION}/${TAKAJO_ZIP}" && \
|
||||||
|
unzip /takajo.zip -d /opt/hayabusa && \
|
||||||
|
ln -s "$TAKAJO_BINARY" /opt/hayabusa/takajo && \
|
||||||
|
chmod +x /opt/hayabusa/takajo; \
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Clone the latest rules directly from GitHub
|
||||||
|
RUN rm -rf /opt/hayabusa/rules
|
||||||
|
RUN git clone --depth=1 https://github.com/Yamato-Security/hayabusa-rules.git /opt/hayabusa/rules
|
||||||
|
|
||||||
|
# Stage 2: Final Image
|
||||||
|
FROM ubuntu
|
||||||
|
|
||||||
|
# Copy only the necessary files from the builder stage
|
||||||
|
COPY --from=builder /opt/hayabusa /opt/hayabusa
|
||||||
|
|
||||||
|
# Set environment variables
|
||||||
ENV PATH="${PATH}:/opt/hayabusa"
|
ENV PATH="${PATH}:/opt/hayabusa"
|
||||||
RUN apt update && apt install -y bash libcurl4 libpcre3 && rm -rf /var/lib/apt/lists/*
|
|
||||||
|
# Install necessary packages
|
||||||
|
RUN apt-get update && \
|
||||||
|
apt-get install -y --no-install-recommends bash libcurl4 libpcre3 libsqlite3-0 && \
|
||||||
|
rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
|
# Set the working directory
|
||||||
WORKDIR /data
|
WORKDIR /data
|
||||||
RUN mkdir /output && touch /output/notmounted
|
|
||||||
ADD start.sh /root/start.sh
|
# Create output directory
|
||||||
CMD ["/bin/bash","/root/start.sh"]
|
RUN mkdir /output
|
||||||
|
|
||||||
|
# Add the startup script
|
||||||
|
COPY start.sh /root/start.sh
|
||||||
|
RUN chmod +x /root/start.sh
|
||||||
|
|
||||||
|
# Set the default command
|
||||||
|
CMD ["/bin/bash", "/root/start.sh"]
|
||||||
|
|||||||
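Review bot: Dropping the sentinel from `RUN mkdir /output` (the removed line was `RUN mkdir /output && touch /output/notmounted`) breaks the mount detection in start.sh: the final stage still runs as root, so the simplified `[ -w /output ]` test in the start.sh hunk is true even when nothing is mounted there, and the report lands in the container's ephemeral filesystem instead of falling back to `/data`. Keep `RUN mkdir /output && touch /output/notmounted` here and restore the combined test `if [ ! -f /output/notmounted ] && [ -w /output ]; then` in start.sh. Separately, the builder fetches both release zips with `wget -O … "https://github.com/Yamato-Security/…"` and unzips them without any integrity check; carry the expected digest next to the version (`ARG HAYABUSA_SHA256=<sha256 from the release page>`) and verify with `echo "$HAYABUSA_SHA256  /hayabusa.zip" | sha256sum -c -` before `unzip /hayabusa.zip`, and likewise for takajo. `FROM alpine AS builder` and `FROM ubuntu` are still untagged, so a rebuild can silently pick up a different base; pin a tag such as `ubuntu:24.04`, and consider adding a `USER` for the final stage since nothing in it requires root at runtime.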
54
start.sh
54
start.sh
@@ -1,38 +1,44 @@
|
|||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
#check if folder was mounted under /data
|
# Check if folder was mounted under /data
|
||||||
if [[ ! -d /data ]] ; then
|
if [ ! -d /data ]; then
|
||||||
echo "[!] No Folder was mounted to /data"
|
echo "[!] No Folder was mounted to /data"
|
||||||
echo "[=] Make sure a folder containig the Windows Logs (evtx) is mounted. Example:"
|
echo "[=] Make sure a folder containing the Windows Logs (evtx) is mounted. Example:"
|
||||||
echo "[=]"
|
echo "[=]"
|
||||||
echo "[>] # docker run -it --rm --network=none -v /path/to/logfiles:/data tabledevil/hayabusa"
|
echo "[>] # docker run -it --rm --network=none -v /path/to/logfiles:/data tabledevil/hayabusa"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#check which destination is writeable /data or /output
|
# Check which destination is writable /data or /output
|
||||||
if [[ ! -f /output/notmounted ]] && [[ -w /output ]] ; then
|
if [ -w /output ]; then
|
||||||
echo "[!] Output folder was mounted and is writeable"
|
echo "[!] Output folder was mounted and is writable"
|
||||||
echo "[>] Using /output as destination for report"
|
echo "[>] Using /output as destination for report"
|
||||||
output="/output"
|
output="/output"
|
||||||
|
elif [ -w /data ]; then
|
||||||
|
echo "[!] Mounted folder /data can be written"
|
||||||
|
echo "[>] Using /data as destination for report"
|
||||||
|
output="/data"
|
||||||
else
|
else
|
||||||
if [[ -w /data ]] ; then
|
echo "[!] No writable output folder available"
|
||||||
echo "[!] Mounted folder /data can be written"
|
echo "[=] Make sure either the folder mounted under /data is writable ..."
|
||||||
echo "[>] Using /data as destination for report"
|
echo "[>] # docker run -it --rm -v /path/to/logfiles:/data tabledevil/hayabusa"
|
||||||
output="/data"
|
echo "[=] ... or mount a writable folder to /output"
|
||||||
else
|
echo "[>] # docker run -it --rm -v /path/to/logfiles:/data:ro -v /path/for/report:/output tabledevil/hayabusa"
|
||||||
echo "[!] No writeable output folder available"
|
exit 1
|
||||||
echo "[=] Make sure either the folder mounted under /data is writable ..."
|
|
||||||
echo "[>] # docker run -it --rm -v /path/to/logfiles:/data tabledevil/hayabusa"
|
|
||||||
echo "[=] ... or mount a writable folder to /output"
|
|
||||||
echo "[>] # docker run -it --rm -v --network=none /path/to/logfiles:/data:ro -v /path/for/report:/output tabledevil/hayabusa"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#set output-destination
|
# Set output destination
|
||||||
outdir="${output}"
|
outdir="${output}"
|
||||||
output="${output}/hayabusa_$(date +%s)"
|
timestamp=$(date +%s)
|
||||||
echo "output is goint to : ${output}"
|
output="${output}/hayabusa_${timestamp}"
|
||||||
|
echo "Output is going to: ${output}"
|
||||||
|
|
||||||
hayabusa csv-timeline -p timesketch-verbose -r /opt/hayabusa/rules/ -w -m low -U -H "${output}".html -o "${output}.ts.csv" -C -d /data
|
# Run hayabusa with the included rules
|
||||||
hayabusa json-timeline -p verbose -r /opt/hayabusa/rules/ -w -L -o "${output}_takajo.jsonl" -d /data
|
/opt/hayabusa/hayabusa csv-timeline -p timesketch-verbose -r /opt/hayabusa/rules/ -w -m low -U -H "${output}.html" -o "${output}.ts.csv" -C -d /data
|
||||||
takajo automagic -t "${output}_takajo.jsonl" -o "${outdir}/takajo"
|
/opt/hayabusa/hayabusa json-timeline -p verbose -r /opt/hayabusa/rules/ -w -L -o "${output}_takajo.jsonl" -d /data
|
||||||
|
|
||||||
|
# Check if takajo exists before running it
|
||||||
|
if [ -x /opt/hayabusa/takajo ]; then
|
||||||
|
/opt/hayabusa/takajo automagic -t "${output}_takajo.jsonl" -o "${outdir}/takajo"
|
||||||
|
else
|
||||||
|
echo "[!] Takajo is not available on this platform."
|
||||||
|
fi
|
||||||
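Review bot: None of the tool invocations at the end of the hunk check their exit status, so if `/opt/hayabusa/hayabusa csv-timeline …` fails (unreadable `/data`, missing rules) the script still runs `json-timeline` and `takajo automagic` and exits with whatever the last command returned, hiding the failure from the caller. Add `set -eu` directly after the `#!/bin/sh` line (the `[ ]` tests and the `if [ -x /opt/hayabusa/takajo ]` branch are compatible with it, and `output`/`timestamp` are always assigned before use), or append `|| exit 1` to each hayabusa call. The second usage hint `echo "[>] # docker run -it --rm -v /path/to/logfiles:/data:ro -v /path/for/report:/output tabledevil/hayabusa"` dropped the `--network=none` that the earlier hint still shows; since the rules are baked in at build time the container needs no network at runtime, so keep the flag in both hints.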