Enhancing Software Resilience and Achieving CIS Level 1 Standards
Besides standard Ubuntu, Sandbox can also run on CIS Level 1 hardened Ubuntu.
To harden the operating system first, follow the guide at https://www.open-scap.org/security-policies/scap-security-guide/
This guide is divided into two sections:
- Steps to make the installer antivirus-compliant
- Fixing post-installation issues related to the hardened OS
Steps to make the installer antivirus-compliant
You can run these steps either before or after the installation, depending on whether the installer ZIP itself needs to be compliant or only the installed software.
In this section we unpack the installer and run a script that rewrites the malware rule files whose literal signature strings are otherwise liable to be flagged by antivirus engines as false positives.
- Download the latest release from the OPSWAT Portal.
- If you have an internet connection, run the following command: `pip3 install plyara`
- Do the first step described at installation/offline-installation (unpack the ZIP).
- Using the same command as before, now also unpack `sandbox.zip` (it is in the `sandbox-installer` directory you just unzipped).
- You now have a directory inside called `sandbox`. Grab the Python script `harden_yara.py` from below and copy it next to the `sandbox` directory.
- Execute the Python script using the following command: `python3 harden_yara.py sandbox/transform/yara/rules`
- Execute the Python script using the following command: `python3 harden_yara.py sandbox/webservice/src/storage/resources/yara_rules`
- Execute the Python script using the following command: `python3 harden_yara.py sandbox/transform/parser/mwconfig-extractors`
- Re-zip the `sandbox` directory and you're done. Example Linux command: `7z a -r sandbox.zip sandbox`
- Now you can proceed with installing Sandbox, either online or offline.
Below you can find two different scripts. If you can install the plyara pip package, use the first script; otherwise use the second.
The plyara version is more sophisticated and therefore preferred, but both work fine.
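As an added worked example (not one of the two scripts this page provides, and not OPSWAT code), here is the transformation those scripts perform, written in pure Python: every plain text string in a rule is rewritten as the equivalent YARA hex string, so the rule file no longer carries the literal signatures that antivirus engines match, and comments are stripped. YARA hex strings take no modifiers, so strings declared wide, nocase, xor, base64 or fullword are left as text for manual review rather than silently changed; the `.yar`/`.yara` suffix filter and the in-place rewrite are assumptions of this example.

```python
import re
from pathlib import Path

# A double-quoted YARA text string, honouring backslash escapes.
_STR = r'"(?:\\.|[^"\\\n])*"'
# Strings are matched first (group 1) so a "//" inside a literal is never taken for a comment.
_COMMENT_OR_STR = re.compile(rf'({_STR})|//[^\n]*|/\*.*?\*/', re.DOTALL)
# One text-string definition: '$name = "literal"' plus whatever follows on that line.
_TEXT_STRING = re.compile(rf'^(\s*\$\w*\s*=\s*)({_STR})([^\n]*)$', re.MULTILINE)
_ESCAPES = {'n': b'\n', 't': b'\t', '"': b'"', '\\': b'\\'}  # escapes YARA permits

def strip_comments(rule_text: str) -> str:
    """Drop // and /* */ comments while leaving string literals intact."""
    return _COMMENT_OR_STR.sub(lambda m: m.group(1) or '', rule_text)

def string_to_hex_array(literal: str) -> str:
    """Render a quoted literal as the equivalent hex string, e.g. "abc" -> { 61 62 63 }."""
    body, out, i = literal[1:-1], bytearray(), 0
    while i < len(body):
        if body[i] != '\\':
            out += body[i].encode('utf-8'); i += 1
        elif body[i + 1] == 'x':
            out.append(int(body[i + 2:i + 4], 16)); i += 4
        elif body[i + 1] in _ESCAPES:
            out += _ESCAPES[body[i + 1]]; i += 2
        else:
            raise ValueError(f'unsupported escape sequence in {literal}')
    return '{ ' + ' '.join(f'{b:02x}' for b in out) + ' }'

def hexify_text_strings(rule_text: str) -> str:
    """Rewrite bare text strings as hex strings; hex strings take no modifiers, so
    wide/nocase/xor/base64/fullword strings are left as they are for manual review."""
    def repl(m):
        prefix, literal, rest = m.groups()
        if set(rest.split()) - {'ascii'}:   # anything but a plain ascii string: keep
            return m.group(0)
        return prefix + string_to_hex_array(literal)
    return _TEXT_STRING.sub(repl, rule_text)

def process_rules(rule_text: str, strip: bool = True) -> str:
    """The whole transformation for one rule file's contents."""
    return hexify_text_strings(strip_comments(rule_text) if strip else rule_text)

def process_directory(folder: str, strip: bool = True) -> int:
    """Rewrite every .yar/.yara file under folder in place (suffix filter is an assumption)."""
    count = 0
    for path in Path(folder).rglob('*'):
        if path.suffix.lower() in ('.yar', '.yara'):
            path.write_text(process_rules(path.read_text('utf-8'), strip), 'utf-8')
            count += 1
    return count
```

Calling `process_directory("sandbox/transform/yara/rules")` mirrors one of the steps above; a rule that still contains a quoted string afterwards carries a modifier and needs a manual decision.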
The first script (requires plyara). Only its imports and function signatures are reproduced on this page; the function bodies are not included:

```python
import os
import argparse
import plyara
from plyara.utils import rebuild_yara_rule


def string_to_hex_array(s, encoding='ascii'): ...
def process_yara_ruleset(yara_ruleset, strip_comments=True): ...
def process_file(ruleset, input_file, output_file, strip_comments=True): ...
def traverse_and_process(input_folder, output_prefix=None, strip_comments=True): ...
def delete_files_in_yara_folder(root_dir): ...
def main(): ...


if __name__ == "__main__":
    main()
```

The second script (no plyara dependency; it works with regular expressions). Again, only the outline is reproduced on this page:

```python
import re
import os
import argparse


def string_to_hex_array(s): ...
def remove_comments_multiline(yara_rule): ...
def process_yara_rule(yara_rule, strip_comments=True): ...
def process_file(input_file, output_file, strip_comments=True): ...
def traverse_and_process(input_folder, output_prefix=None, strip_comments=True): ...
def delete_files_in_yara_folder(root_dir): ...
def main(): ...


if __name__ == "__main__":
    main()
```

After-installation troubleshooting
In rare cases you may run into one of the following errors after installing Sandbox on a hardened operating system:

```
Caused by: java.io.IOException: Error initiating config file: can not write to /app/broker.cfg
Caused by: java.io.IOException: Error initiating config file: can not write to /app/transform.cfg
nginx: [emerg] cannot load certificate "/etc/ssl/certs/nginx-selfsigned.crt": BIO_new_file() failed (SSL: error:80000002:system library::No such file or directory:calling fopen(/etc/ssl/certs/nginx-selfsigned.crt, r) error:10000080:BIO routines::no such file)
```

If you encounter any of these, apply the fix below.
You must have Sandbox installed to run the script below.
If you installed Sandbox in OFFLINE mode, add the `--offline` flag when you execute the script.
- Copy the `hardened-install-fix.sh` script below to your Sandbox installation path. By default, it is `/home/sandbox/sandbox`.
- Stop Sandbox services using `sudo service sandbox stop`
- Make the script executable by executing `sudo chmod +x hardened-install-fix.sh`
- Execute the script using either `sudo ./hardened-install-fix.sh` or `sudo ./hardened-install-fix.sh --offline`, depending on whether the initial install was made with the offline flag or not.
- Start Sandbox services by executing `sudo service sandbox start`
```sh
#!/bin/bash

DIR="$(dirname "$(realpath "${0}")")"
OFFLINE_INSTALL=false

# USAGE is called below but its body is not reproduced on this page; this stand-in prints the accepted flags.
USAGE() {
    echo "Usage: $0 [-v|--verbose] [--offline] [-h|--help]" >&2
}

if [ "$(id -u)" -ne 0 ]; then
    echo "Please run this script as root!"
    exit 126
fi

while [ "$#" -gt 0 ]; do
    option="$1"
    shift
    case "$option" in
        -h|--help)
            USAGE
            exit 0
            ;;
        -v|--verbose)
            set -o xtrace
            VERBOSE="-v"
            ;;
        --offline)
            OFFLINE_INSTALL=true
            ;;
        *)
            # report the offending argument itself, not the one that follows it
            echo "$0: Invalid argument.. $option" >&2
            USAGE
            exit 1
            ;;
    esac
done

# The bodies of the helper functions below are not reproduced on this page;
# these minimal stand-ins keep the script runnable.
commandOutput() { :; }                      # hook for capturing command output
success() { echo "[SUCCESS] $*"; }
error()   { echo "[ERROR] $*" >&2; }
fatal()   { echo "[FATAL] $*" >&2; exit 1; }
conf() {
    # Expected to load the installation settings used below: Sandbox_Directory, Sandbox_User,
    # SandboxTransform_Install, SandboxBroker_Install, SandboxWebservice_Install and, optionally,
    # SandboxTransform_APIKeySecret / SandboxBroker_APIKeySecret. Refuse to continue with an
    # empty Sandbox_Directory so the rm -rf calls below never operate on "/".
    [ -n "$Sandbox_Directory" ] || fatal "conf(): Sandbox_Directory is not set"
}
stopSandboxService() { service sandbox stop; }

fixTransform() {
    if [ -f "$Sandbox_Directory/transform.cfg" ]; then
        success "transform.cfg exists and is a file"
    else
        if [ -d "$Sandbox_Directory/transform.cfg" ]; then
            error "transform.cfg is a directory, deleting it"
            rm -rf "$Sandbox_Directory"/transform.cfg
        else
            error "transform.cfg does not exist"
        fi
        if [ -z "$SandboxTransform_APIKeySecret" ]; then
            SandboxTransform_APIKeySecret=$(openssl rand -hex 24)
        fi
        read -r -d '' transform_cfg <<- EOF
apiKey0.secret=$SandboxTransform_APIKeySecret
apiKey0.authlevel=1000
EOF
        if echo "$transform_cfg" > "$Sandbox_Directory"/transform.cfg; then
            chown "$Sandbox_User":"$Sandbox_User" "$Sandbox_Directory"/transform.cfg
            success "Successfully created transform.cfg"
        else
            fatal "Failed to create $Sandbox_Directory/transform.cfg"
        fi
        if [ "$OFFLINE_INSTALL" = true ] ; then
            # Enable offlineMode by default for offline installations
            echo '' >> "$Sandbox_Directory/transform.cfg"
            echo 'offlineMode=true' >> "$Sandbox_Directory/transform.cfg"
        fi
    fi
    echo "transform.cfg permissions:"
    namei -l "$(realpath "$Sandbox_Directory"/transform.cfg)"
    echo ""
}

fixBroker() {
    if [ -f "$Sandbox_Directory/broker.cfg" ]; then
        success "broker.cfg exists and is a file"
    else
        if [ -d "$Sandbox_Directory/broker.cfg" ]; then
            error "broker.cfg is a directory, deleting it"
            rm -rf "$Sandbox_Directory"/broker.cfg
        else
            error "broker.cfg does not exist"
        fi
        if [ -z "$SandboxBroker_APIKeySecret" ]; then
            SandboxBroker_APIKeySecret=$(openssl rand -hex 24)
        fi
        read -r -d '' broker_cfg <<- EOF
apiKey0.secret=$SandboxBroker_APIKeySecret
apiKey0.authlevel=1000
app1.secret=$SandboxTransform_APIKeySecret
EOF
        if echo "$broker_cfg" > "$Sandbox_Directory"/broker.cfg; then
            chown "$Sandbox_User":"$Sandbox_User" "$Sandbox_Directory"/broker.cfg
            success "Successfully created broker.cfg"
        else
            fatal "Failed to create $Sandbox_Directory/broker.cfg"
        fi
    fi
    echo "broker.cfg permissions:"
    namei -l "$(realpath "$Sandbox_Directory"/broker.cfg)"
    echo ""
}

fixWebservice() {
    selfsigned_key=/etc/ssl/private/nginx-selfsigned.key
    selfsigned_crt=/etc/ssl/certs/nginx-selfsigned.crt
    dhparam=/etc/ssl/certs/dhparam.pem
    if [ -e "$selfsigned_key" ]; then
        echo "$selfsigned_key exists, deleting"
        rm -rf "$selfsigned_key"
    fi
    if [ -e "$selfsigned_crt" ]; then
        echo "$selfsigned_crt exists, deleting"
        rm -rf "$selfsigned_crt"
    fi
    if [ -e "$dhparam" ]; then
        echo "$dhparam exists, deleting"
        rm -rf "$dhparam"
    fi
    if openssl req -x509 -nodes -days 1825 -newkey rsa:2048 \
        -subj "/C=DE/ST=Hamburg/L=Germany /O=OPSWAT Inc./OU=Development/CN=*/emailAddress=support@filescan.io" \
        -keyout /etc/ssl/private/nginx-selfsigned.key \
        -out /etc/ssl/certs/nginx-selfsigned.crt; then
        success "Successfully created self-signed certificate"
    else
        fatal "Failed to create self-signed certificate"
    fi
    echo "Creating new DH Parameters (Safe Key Exchange)..."
    if openssl dhparam -out "$dhparam" 2048; then
        success "Successfully created safe keys"
    else
        fatal "Failed to create safe keys"
    fi
}

commandOutput
conf
stopSandboxService

echo "List of Sandbox installation directory before applying the fix(es):"
ls -lah "$Sandbox_Directory"

if [ "$SandboxTransform_Install" = true ] ; then
    fixTransform
fi
if [ "$SandboxBroker_Install" = true ] ; then
    fixBroker
fi
if [ "$SandboxWebservice_Install" = true ] ; then
    fixWebservice
fi

if chown "$Sandbox_User":"$Sandbox_User" "$Sandbox_Directory"/*.cfg "$Sandbox_Directory"/*.yaml; then
    success "Successfully updated config ownership"
else
    error "Failed to change config ownership to $Sandbox_User:$Sandbox_User."
fi

echo "List of Sandbox installation directory after applying the fix(es):"
ls -lah "$Sandbox_Directory"
echo "Finished applying the fix(es), please start the Sandbox service manually!"
```