Git-Mirrors/shaker
1
0
Fork 0
mirror of https://github.com/unman/shaker.git synced 2024-10-01 01:25:41 -04:00
Code Issues Packages Projects Releases Wiki Activity

Monitor - add note to README.

Browse Source 
spec file
This commit is contained in:
unman 2024-07-27 11:01:00 +00:00
parent 5078086f63
commit 2b27e0ebdd
No known key found for this signature in database
GPG Key ID: FDD1B8244731B36C
2 changed files with 52 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
monitor.spec Normal file
View File

@ -0,0 +1,42 @@
Name: 3isec-qubes-monitor
Version: 1
Release: 1%{?dist}
Summary: Prepares qube for network monitoring in Qubes
License: GPLv3+
SOURCE0: monitor
%description
This package creates a template, with tools installed for network monitoring.
An AppVM named sys-monitor, is created from that template.
The template, template-monitor, is cloned from the debian-12-minimal template.
If the debian-12-minimal template is not present, it will be downloaded
and installed - this may take some time depending on your net connection.
sys-monitor is created with `provides_network` set, so you can attach qubes to it, setting it as netvm.
Wireshark, suricata, tcpdump, and tcpflow are installed and ready to run.
The template has passwordless root installed, so you can run packet captures using `sudo..`.
If you want to run wireshark as an ordinary user, you will have to follow the instructions in `/srv/salt/monitor/README.md` to reconfigure the package.
%install
rm -rf %{buildroot}
mkdir -p %{buildroot}/srv/salt
cp -rv %{SOURCE0}/ %{buildroot}/srv/salt
%files
%defattr(-,root,root,-)
/srv/salt/monitor/*
%post
if [ $1 -eq 1 ]; then
qubesctl state.apply monitor.create
qubesctl --skip-dom0 --targets=template-monitor state.apply monitor.install
qubesctl --skip-dom0 --targets=sys-monitor state.apply monitor.configure
fi
%preun
%changelog
* Thu Jul 25 2024 unman <unman@thirdeyesecurity.org> - 1.1
- First Build

14
monitor/README.md
View File

@ -9,10 +9,13 @@ and installed - this may take some time depending on your net connection.
The template has passwordless root installed, so you can run packet captures using `sudo..`.
If you want to run wireshark as an ordinary user, open a terminal in template-monitor and run
`sudo dpkg-reconfigure wireshark-common`.
Answer `Yes` to the question, "should non-superusers be able to capture packets?"
Run `sudo usermod -a -G wireshark user`.
Shut down the template.
1. `sudo dpkg-reconfigure wireshark-common`.
2. Answer `Yes` to the question, "should non-superusers be able to capture packets?"
3. Run `sudo usermod -a -G wireshark user`.
4. Shut down the template.
Next time you start a qube using the template-monitor template, you will be able to run Wireshark as an ordinary user.
## Usage
sys-monitor is created with `provides_network` set, so you can attach qubes to it, setting it as netvm.
@ -30,6 +33,9 @@ You can monitor traffic at eth0 or at any of the vif interfaces to downstream qu
You can, of course, use template-monitor to create other qubes for monitoring at different positions in the Qubes networking structure..
**Remember that Qubes uses masquerade in the nft qubes table, so that all traffic coming from (e.g) sys-firewall appears to come from the IP address of that qube.
If you want to see traffic from individual qubes you must attache those qubes directly to sys-monitor**
## Installation
Copy the monitor folder to /srv/salt.
```