cristianhares/blackbox_appliance
BlackBox Appliance

Description
A Linux-based automatic installation multi-purpose closed-up hardened appliance.

If you found it useful and if you can, consider buying me a coffee :) https://buymeacoff.ee/cristianhares or https://ko-fi.com/cristianhares

Small history: over my years working with SIEMs and other vendors' appliances, I was always surprised that there wasn't an open source appliance offering the same experience as a closed-up box in which you could run your own application, so this idea sat with me for quite some time. One example would be a cheap syslog collector with store-and-forward capabilities, without paying the crazy licensing fees of a vendor collector.

Current state:
The BlackBox appliance is currently based on CentOS 7 and should also work with RHEL 7/8 and CentOS 8, though most enterprise tooling still supports major version 7.

The system has three users: root (disabled), sysadmin (with sudo privileges) and netadmin, which can only set networking parameters. An example use of this is a "Service Provider" that keeps control of the box while its "customer" can only change network parameters.

So the idea is basically that you (the "Service Provider") give your "customer" a plug-and-play system where they don't have to do anything, and you can add a command and control channel to call home or talk to a central server if needed.

Note: the system has been hardened in accordance with most of the checks of the CIS Benchmark; even so, it likely still has bugs or missing items that I haven't found yet.

This solution uses CentOS 7 minimal as its base. CentOS 8 no longer has a minimal ISO, but it should work after editing the code (line 156, *comps.xml) to detect the repository metadata you want to use. There's a great project for a CentOS 8 minimal that's worth a look for this case: https://github.com/uboreas/centos-8-minimal

Since Ubuntu supports kickstart, it could be made to work as the source distro, but the code is not ready yet to handle the way Ubuntu manages its repositories.

Note: if you download this code with Git on Windows for use with WSL, remember that it converts LF to CRLF in the .sh file, so run dos2unix on it.

PS: I know the logo is a bit ugly; it's the best I could come up with in Paint3D :P.

ISO Creation features
  - Automatically downloads the packages required for ISO generation, depending on your OS distro.
  - Automatically downloads the Linux distro ISO.
  - Automatically downloads the updates published since the chosen distro's release and adds them to the ISO repo (YUM-based systems).
  - Validates the ks.cfg config before creation.
  - Adds extra packages of your choosing, placed in the extras directory.
  - Adds commands of your choosing, either in the ks.cfg %post section or in the post_installation.sh script.

System Image features
  - Automatic system installation with auto-partitioning and no user interaction (except for one Enter!).
  - Automatic installation of VM hypervisor tools depending on the platform.
  - System hardened in accordance with most of the checks of the CIS Benchmark.
  - Runs commands/installations after first boot via the post_installation.sh script.
  - System split between a privileged user and a non-privileged user that can only change networking (good for Service Providers!).

Available Templates
  - Default template: build the BlackBox Appliance you want!
  - Microsoft Azure Sentinel CEF rsyslog collector with OMS Agent template.
  - Syslog collector (with TCP support, local cache, and TLS support!).


Planned Templates
  - Docker node for quickly setting up docker images.
  - Quickly deployed secure web server with availability functionality.
  - Load balancer with transparent TCP proxy.

Planned Functionality
  - Establish a control channel via VPN (OpenVPN) to a VPN Server for remote control (Good for Service Providers!).
  - Network scanning with nmap for making network inventory available to SIEMs and other platforms.
  - PowerShell script that installs WSL so that you can create the ISO easily on Windows.
  - Install Docker, if needed, on other Linux distros to get CentOS/RHEL for generating the ISO.

Not Planned Templates (Ideas)
  - IAM Platform.
  - Directory Services Platform.
  - RADIUS server with 2FA Support with Yubico.


Package Requirements
The ISO generation scripts are meant to run on Linux (on Windows I use WSL for this). The main script will attempt to install and download the required packages from your distro's repositories if they are available, although I know some are not present in newer Ubuntu releases, and I haven't tested it yet on SUSE-based distros.

Main script (it will try to download them):
  - genisoimage
  - python3
  - pykickstart
  - createrepo

Generated ISO (it will try to download them for CentOS 7):
  - open-vm-tools (and dependencies)
  - hyperv-daemons (and dependencies)
  - wget
  - nano
  - aide
  - tcp_wrappers

Note: the reason the package requirements are not included with the code is all the licensing mumbo jumbo legalese required to do so.
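As an added example (not part of the project's code), here is a POSIX shell pre-flight check for the two things above that most often break a build: the tools the main script needs on the build host, and the CRLF line endings a Windows Git checkout introduces in the .sh file. It assumes the pykickstart package provides the ksvalidator command and that the main script is create_blackbox_iso.sh in the current directory.

```shell
#!/bin/sh
# Pre-flight check for BlackBox ISO generation (added example, not project code).
# Assumption: pykickstart ships the ksvalidator command, which is what we look for.

# Tools the main script needs on the build host (from the README's requirements list).
REQUIRED_TOOLS="genisoimage python3 ksvalidator createrepo"

# Print the required tools that are not on PATH; return 1 if any are missing.
missing_tools() {
    missing=""
    for t in $REQUIRED_TOOLS; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    [ -z "$missing" ] && return 0
    printf '%s\n' "${missing# }"
    return 1
}

# Return 0 if the file contains any CR byte, i.e. CRLF line endings from a Windows checkout.
has_crlf() {
    [ "$(tr -cd '\r' < "$1" | wc -c | tr -d ' ')" -gt 0 ]
}

# Normalise a file to LF: use dos2unix when installed, otherwise strip the CRs with tr.
fix_crlf() {
    if command -v dos2unix >/dev/null 2>&1; then
        dos2unix -q "$1"
    else
        tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    fi
}

# Run both checks against the main script (default: create_blackbox_iso.sh).
# Usage: preflight [path-to-script]; returns 1 when required tools are missing.
preflight() {
    script="${1:-create_blackbox_iso.sh}"
    rc=0
    if ! m=$(missing_tools); then
        echo "missing tools: $m" >&2
        rc=1
    fi
    if [ -f "$script" ] && has_crlf "$script"; then
        echo "$script has CRLF line endings, converting to LF" >&2
        fix_crlf "$script"
    fi
    return $rc
}
```

Run it before create_blackbox_iso.sh; a non-zero exit means the listed tools still need installing from your distro's repositories.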


Instructions for ISO generation
(Optional, the script will do it for you if needed) Download the CentOS 7 minimal ISO of the minor version of your choosing and put it in the ISO_INPUT_DIR folder defined in the script (default: iso_input).

Do NOT forget to edit your environment parameters at the start of the main script (create_blackbox_iso.sh).

You can add your custom packages to the extras folder and then list them in the %packages section of the ks.cfg file. Alternatively, add them to the PACKAGES_SYSTEM variable to have them downloaded automatically if they are present in a YUM repository (for the moment you have to add the dependencies yourself).

If YUM is not available, edit the CONFIG_INPUT_DIR/requirements.txt according to the System Distro version you want to use for downloading them.

You can edit CONFIG_INPUT_DIR/post_installation.sh to set the commands to run after first boot, once the network adapter is up.

usage: ./create_blackbox_iso.sh [OPTIONS]

optional arguments:
  -d   | --default           default ISO creation process.
  -azs | --azuresentinel     ISO with Azure Sentinel CEF collector & OMS Agent.
  -s   | --syslogcollector   ISO with RSyslog syslog collector.
                             Note: requires the workspace ID, shared key and system hostname set in the main script.
  -?   | -h | --help         shows this usage text.


Known issues / Planned development
  - Still missing some error-handling scenarios.
  - ISO generation script is not proxy-aware yet.