Skip to content
This repository has been archived by the owner on May 23, 2019. It is now read-only.

CIF Groups

Gabriel Iovino edited this page Jul 3, 2015 · 7 revisions

CIF supports the creation of groups (buckets) to segment observable's, by default CIF ships with the default users in the everyone group and all the default OSINT is placed in the everyone group.

Default users and groups

Example of default users and their group membership:

$ /opt/cif/bin/cif-tokens 
username       description groups   admin read write acl expires revoked token                                                           
root@localhost             everyone       yes  yes                       058f...
cif-smrt                   everyone            yes                       c2fa...
cif-worker                 everyone       yes  yes                       08b3...

Example of OSINT and it's group membership:

$ cif --otype ipv4 --provider spamhaus.org --limit 1
tlp  |group   |reporttime          |observable    |cc|asn   |confidence|tags   |description                                                        |rdata         |provider    |altid_tlp|altid                                             
amber|everyone|2015-07-03T18:51:05Z|185.25.150.210|PL|198414|95        |exploit|CBL + customised NJABL. 3rd party exploits (proxies, trojans, etc.)|185.25.150.210|spamhaus.org|green    |http://www.spamhaus.org/query/bl?ip=185.25.150.210

Adding a user with different group membership

Group membership must be specified when the user is created, you cannot modify a users group membership after the user has been created. Here is an example of creating a user, adding an observable and querying the observable.

  1. Add user with membership in group01
$ /opt/cif/bin/cif-tokens --new --username john.smith@example.com --read --write --groups group01
  1. Add an observable with group01. Note: The user (API token) has read and write permissions to the group group01
$ echo '{"observable":"test.example.com","tlp":"amber","confidence":"25","tags":"malware","provider":"example.com","group":"group01"}' | cif -s --token ba3b...
  1. Query the observable with a user (API token) with membership in group01
$ cif --token ba3b... -q test.example.com
tlp  |group  |reporttime          |observable      |cc|asn|confidence|tags   |description|rdata|provider   |altid_tlp|altid
amber|group01|2015-07-03T19:54:25Z|test.example.com|  |   |25        |malware|           |     |example.com|         |     
Clone this wiki locally