From 2b27e0ebdd6453bc52e6669c1203160408344a23 Mon Sep 17 00:00:00 2001 From: unman Date: Sat, 27 Jul 2024 11:01:00 +0000 Subject: [PATCH] Monitor - add note to README. spec file --- monitor.spec | 42 ++++++++++++++++++++++++++++++++++++++++++ monitor/README.md | 14 ++++++++++---- 2 files changed, 52 insertions(+), 4 deletions(-) create mode 100644 monitor.spec diff --git a/monitor.spec b/monitor.spec new file mode 100644 index 0000000..606b45d --- /dev/null +++ b/monitor.spec @@ -0,0 +1,42 @@ +Name: 3isec-qubes-monitor +Version: 1 +Release: 1%{?dist} +Summary: Prepares qube for network monitoring in Qubes + +License: GPLv3+ +SOURCE0: monitor + +%description +This package creates a template, with tools installed for network monitoring. +An AppVM named sys-monitor, is created from that template. +The template, template-monitor, is cloned from the debian-12-minimal template. +If the debian-12-minimal template is not present, it will be downloaded +and installed - this may take some time depending on your net connection. +sys-monitor is created with `provides_network` set, so you can attach qubes to it, setting it as netvm. +Wireshark, suricata, tcpdump, and tcpflow are installed and ready to run. +The template has passwordless root installed, so you can run packet captures using `sudo..`. +If you want to run wireshark as an ordinary user, you will have to follow the instructions in `/srv/salt/monitor/README.md` to reconfigure the package. + + +%install +rm -rf %{buildroot} +mkdir -p %{buildroot}/srv/salt +cp -rv %{SOURCE0}/ %{buildroot}/srv/salt + +%files +%defattr(-,root,root,-) +/srv/salt/monitor/* + +%post +if [ $1 -eq 1 ]; then + qubesctl state.apply monitor.create + qubesctl --skip-dom0 --targets=template-monitor state.apply monitor.install + qubesctl --skip-dom0 --targets=sys-monitor state.apply monitor.configure +fi + +%preun + + +%changelog +* Thu Jul 25 2024 unman - 1.1 +- First Build 
diff --git a/monitor/README.md b/monitor/README.md index 6c9099e..5d811f9 100644 --- a/monitor/README.md +++ b/monitor/README.md @@ -9,10 +9,13 @@ and installed - this may take some time depending on your net connection. The template has passwordless root installed, so you can run packet captures using `sudo..`. If you want to run wireshark as an ordinary user, open a terminal in template-monitor and run -`sudo dpkg-reconfigure wireshark-common`. -Answer `Yes` to the question, "should non-superusers be able to capture packets?" -Run `sudo usermod -a -G wireshark user`. -Shut down the template. +1. `sudo dpkg-reconfigure wireshark-common`. +2. Answer `Yes` to the question, "should non-superusers be able to capture packets?" +3. Run `sudo usermod -a -G wireshark user`. +4. Shut down the template. + +Next time you start a qube using the template-monitor template, you will be able to run Wireshark as an ordinary user. + ## Usage sys-monitor is created with `provides_network` set, so you can attach qubes to it, setting it as netvm. @@ -30,6 +33,9 @@ You can monitor traffic at eth0 or at any of the vif interfaces to downstream qu You can, of course, use template-monitor to create other qubes for monitoring at different positions in the Qubes networking structure.. +**Remember that Qubes uses masquerade in the nft qubes table, so that all traffic coming from (e.g) sys-firewall appears to come from the IP address of that qube. +If you want to see traffic from individual qubes you must attache those qubes directly to sys-monitor** + ## Installation Copy the monitor folder to /srv/salt. ```
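Review bot: In the monitor.spec hunk, the `%files` entry `/srv/salt/monitor/*` lists only the contents of the directory, so the package never owns `/srv/salt/monitor` itself and `rpm -e` leaves an empty directory behind; replace it with `/srv/salt/monitor` (or add a `%dir /srv/salt/monitor` line) so the directory is packaged too. The `%post` scriptlet also runs the three `qubesctl` calls unconditionally: if `state.apply monitor.create` fails (for example the debian-12-minimal download that the description says may take some time), the next two calls still target `template-monitor` and `sys-monitor`, which then do not exist; chaining them with `&&` or exiting on the first failure would surface the error at install time. Minor points in the same hunk: the `%changelog` entry is dated `Thu Jul 25 2024` with version `1.1`, but the header declares `Version: 1` / `Release: 1`, so the changelog should read `1-1` to match `%{version}-%{release}`; `%preun` is an empty section and should either be removed or carry the teardown it is meant to hold; and `sudo..` in `%description` has a stray second period.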
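Review bot: In the first README.md hunk (`@@ -9,10 +9,13 @@`), the new numbered list mixes forms: item 1 is a bare command with a period outside the backticks (`1. \`sudo dpkg-reconfigure wireshark-common\`.`), while item 3 is phrased as `Run \`sudo usermod -a -G wireshark user\`.`; writing item 1 as `1. Run \`sudo dpkg-reconfigure wireshark-common\`.` keeps the steps parallel and stops the trailing period reading as part of the command. The unchanged context line above the list still carries the `sudo..` typo (double period) that this commit could fix while it is touching the paragraph. Since `monitor.spec` in this same patch repeats the wording of this section in its `%description`, the two copies will drift; the spec already points readers at `/srv/salt/monitor/README.md`, so the README should stay the single place these steps are written out.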
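Review bot: In the second README.md hunk (`@@ -30,6 +33,9 @@`), the added bold note has a typo, `attache` for `attach`, and `(e.g)` is missing its second period; the closing sentence also lacks a full stop before the closing `**`. Suggested wording for the second added line: `If you want to see traffic from individual qubes you must attach those qubes directly to sys-monitor.**`. The unchanged context line just above ends with `structure..`, another double period this commit could clean up in passing. The substance of the note is useful for anyone reading captures on sys-monitor: it explains why per-qube source addresses are not visible behind sys-firewall and what topology gives them, so it is worth keeping the bold emphasis.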