├── Berksfile ├── recipes ├── nodes │ └── ubuntu-bot-server.json └── default.rb ├── spec ├── spec_helper.rb └── unit │ └── recipes │ └── default_spec.rb ├── test └── integration │ ├── helpers │ └── serverspec │ │ └── spec_helper.rb │ └── default │ └── serverspec │ └── default_spec.rb ├── metadata.rb ├── templates └── default │ └── mysysdig.erb ├── LICENSE.md ├── chefignore └── README.md /Berksfile: -------------------------------------------------------------------------------- 1 | source 'https://supermarket.chef.io' 2 | 3 | metadata 4 | -------------------------------------------------------------------------------- /recipes/nodes/ubuntu-bot-server.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "ubuntu-bot-server" 3 | } -------------------------------------------------------------------------------- /spec/spec_helper.rb: -------------------------------------------------------------------------------- 1 | require 'chefspec' 2 | require 'chefspec/berkshelf' 3 | -------------------------------------------------------------------------------- /test/integration/helpers/serverspec/spec_helper.rb: -------------------------------------------------------------------------------- 1 | require 'serverspec' 2 | 3 | if (/cygwin|mswin|mingw|bccwin|wince|emx/ =~ RUBY_PLATFORM).nil? 
4 | set :backend, :exec 5 | else 6 | set :backend, :cmd 7 | set :os, family: 'windows' 8 | end 9 | -------------------------------------------------------------------------------- /metadata.rb: -------------------------------------------------------------------------------- 1 | name 'sysdig-falco' 2 | maintainer 'Dennis Panagiotopoulos' 3 | maintainer_email 'dennis.panagiotopoulos@mwrinfosecurity.com' 4 | license 'all_rights' 5 | description 'Installs/Configures sysdig-falco' 6 | long_description 'Installs/Configures sysdig-falco' 7 | version '0.1.0' 8 | -------------------------------------------------------------------------------- /test/integration/default/serverspec/default_spec.rb: -------------------------------------------------------------------------------- 1 | require 'spec_helper' 2 | 3 | describe 'sysdig-falco::default' do 4 | # Serverspec examples can be found at 5 | # http://serverspec.org/resource_types.html 6 | it 'does something' do 7 | skip 'Replace this with meaningful tests' 8 | end 9 | end 10 | -------------------------------------------------------------------------------- /spec/unit/recipes/default_spec.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Cookbook Name:: sysdig-falco 3 | # Spec:: default 4 | # 5 | # Copyright (c) 2016 The Authors, All Rights Reserved. 
6 | 7 | require 'spec_helper' 8 | 9 | describe 'sysdig-falco::default' do 10 | context 'When all attributes are default, on an unspecified platform' do 11 | let(:chef_run) do 12 | runner = ChefSpec::ServerRunner.new 13 | runner.converge(described_recipe) 14 | end 15 | 16 | it 'converges successfully' do 17 | expect { chef_run }.to_not raise_error 18 | end 19 | end 20 | end 21 | -------------------------------------------------------------------------------- /templates/default/mysysdig.erb: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | DESC="sysdig as a service" 4 | NAME="sysdig" 5 | 6 | do_start() 7 | { 8 | echo "Starting $NAME"; 9 | sysdig -C 5000 -W 3 -w /usr/local/src/image.$(date +"%Y%m%d-%H%M%S").gz > /dev/null 2>&1 & 10 | } 11 | 12 | do_stop() 13 | { 14 | echo "Stopping $NAME"; 15 | killall sysdig 16 | } 17 | 18 | case "$1" in 19 | start) 20 | do_start 21 | ;; 22 | stop) 23 | do_stop 24 | ;; 25 | *) 26 | echo "Usage: /etc/init.d/mysysdig start|stop" 27 | exit 1 28 | ;; 29 | esac 30 | 31 | exit 0 32 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | Copyright (c) 2016 MWR InfoSecurity 2 | All rights reserved. 3 | 4 | Redistribution and use in source and binary forms, with or without 5 | modification, are permitted provided that the following conditions are met: 6 | 7 | * Redistributions of source code must retain the above copyright 8 | notice, this list of conditions and the following disclaimer. 9 | * Redistributions in binary form must reproduce the above copyright 10 | notice, this list of conditions and the following disclaimer in the 11 | documentation and/or other materials provided with the distribution. 
12 | * Neither the name of MWR InfoSecurity nor the names of its contributors 13 | may be used to endorse or promote products derived from this software 14 | without specific prior written permission. 15 | 16 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 17 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 18 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 19 | DISCLAIMED. IN NO EVENT SHALL MWR INFOSECURITY BE LIABLE FOR ANY 20 | DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 21 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 22 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 23 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 24 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 25 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 26 | -------------------------------------------------------------------------------- /chefignore: -------------------------------------------------------------------------------- 1 | # Put files/directories that should be ignored in this file when uploading 2 | # to a chef-server or supermarket. 3 | # Lines that start with '# ' are comments. 4 | 5 | # OS generated files # 6 | ###################### 7 | .DS_Store 8 | Icon? 
9 | nohup.out 10 | ehthumbs.db 11 | Thumbs.db 12 | 13 | # SASS # 14 | ######## 15 | .sass-cache 16 | 17 | # EDITORS # 18 | ########### 19 | \#* 20 | .#* 21 | *~ 22 | *.sw[a-z] 23 | *.bak 24 | REVISION 25 | TAGS* 26 | tmtags 27 | *_flymake.* 28 | *_flymake 29 | *.tmproj 30 | .project 31 | .settings 32 | mkmf.log 33 | 34 | ## COMPILED ## 35 | ############## 36 | a.out 37 | *.o 38 | *.pyc 39 | *.so 40 | *.com 41 | *.class 42 | *.dll 43 | *.exe 44 | */rdoc/ 45 | 46 | # Testing # 47 | ########### 48 | .watchr 49 | .rspec 50 | spec/* 51 | spec/fixtures/* 52 | test/* 53 | features/* 54 | examples/* 55 | Guardfile 56 | Procfile 57 | .kitchen* 58 | .rubocop.yml 59 | spec/* 60 | Rakefile 61 | .travis.yml 62 | .foodcritic 63 | .codeclimate.yml 64 | 65 | # SCM # 66 | ####### 67 | .git 68 | */.git 69 | .gitignore 70 | .gitmodules 71 | .gitconfig 72 | .gitattributes 73 | .svn 74 | */.bzr/* 75 | */.hg/* 76 | */.svn/* 77 | 78 | # Berkshelf # 79 | ############# 80 | Berksfile 81 | Berksfile.lock 82 | cookbooks/* 83 | tmp 84 | 85 | # Cookbooks # 86 | ############# 87 | CONTRIBUTING* 88 | CHANGELOG* 89 | TESTING* 90 | MAINTAINERS.toml 91 | 92 | # Strainer # 93 | ############ 94 | Colanderfile 95 | Strainerfile 96 | .colander 97 | .strainer 98 | 99 | # Vagrant # 100 | ########### 101 | .vagrant 102 | Vagrantfile 103 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # High Interaction Honeypots with Sysdig and Falco # 2 | 3 | Sysdig is an open source tool, which can capture and save system state and activity from a running Linux machine. Falco, an open source tool as well, is a behavioral activity monitor designed to detect anomalous activity in applications. Falco can detect and alert on any behavior that involves making Linux system calls. 
4 | 5 | ## Description ## 6 | 7 | The honeypot_recipes repository contains a Chef cookbook which can be used to quickly deploy a high interaction honeypot, using the sysdig and falco tools. The cookbook can be deployed under Red Hat, CentOS, Fedora, Ubuntu and Debian operating systems. 8 | 9 | The cookbook installs the sysdig and falco tools. In addition it creates an init script under the /etc/init.d/ directory which starts sysdig in file rotation mode for continuous capture. All the files that sysdig produces are written under the /usr/local/src/ directory, which can be changed by modifying the init script. 10 | 11 | ## How to run the cookbook ## 12 | 13 | In order to run the cookbook you should install: 14 | * git 15 | * chefdk 16 | 17 | Create a directory named **cookbooks** and clone the repository in the new directory: 18 | 19 | * `mkdir cookbooks && cd cookbooks` 20 | * `git clone https://github.com/mwrlabs/honeypot_recipes sysdig-falco` 21 | 22 | Run the cookbook with the following command: 23 | 24 | * `chef-client --local-mode --runlist 'recipe[sysdig-falco]'` 25 | 26 | ## License ## 27 | 28 | The cookbook is released under a 3-clause BSD License and maintained by [MWR Info-Security](https://mwrinfosecurity.com/). See the `LICENSE` file for details. 29 | 30 | ## Contact ## 31 | 32 | Please submit any bugs on the Github project page at: 33 | 34 | 35 | 36 | or give me a shout on twitter [@den_n1s](https://twitter.com/den_n1s) 37 | -------------------------------------------------------------------------------- /recipes/default.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Cookbook Name:: sysdig-falco 3 | # Recipe:: default 4 | # 5 | # Copyright (c) 2016 The Authors, All Rights Reserved. 
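#
# Installs sysdig and falco from the Draios repository and drops an init
# script that keeps sysdig capturing to disk.
#
# The per-platform sections differ only in how the Draios repository and its
# signing key are registered and which package manager installs falco; the
# falco service, the sysdig init script and the sysdig service are shared by
# every supported platform. Unsupported platforms are left untouched, as before.
#
platform = node['platform']
debian_like = %w(ubuntu debian).include?(platform)
rhel_like = %w(redhat centos fedora).include?(platform)

# Draios signing key and repository definitions. The repository files are
# written into the package manager's trusted configuration, so they are
# fetched over HTTPS to keep them from being altered in transit.
draios_key_url = 'https://s3.amazonaws.com/download.draios.com/DRAIOS-GPG-KEY.public'
draios_deb_list_url = 'https://download.draios.com/stable/deb/draios.list'
draios_rpm_repo_url = 'https://download.draios.com/stable/rpm/draios.repo'

if debian_like
  # Trust the Draios GPG key. `-f` makes curl fail on an HTTP error instead
  # of piping an error page into apt-key; re-adding a key that is already
  # present is a no-op, so no guard is needed.
  execute 'add-key' do
    command "curl -fsS #{draios_key_url} | apt-key add -"
  end

  # Configure the apt repository. remote_file only rewrites the list when
  # the remote content changes, which keeps the converge idempotent.
  remote_file '/etc/apt/sources.list.d/draios.list' do
    source draios_deb_list_url
    owner 'root'
    group 'root'
    mode '0644'
  end

  # Update the package list (best effort, as before).
  execute 'update-package-list' do
    command 'apt-get update'
    ignore_failure true
  end

  # Install the headers for the running kernel so the sysdig/falco kernel
  # module can be built against it.
  execute 'install-linux-headers' do
    command 'apt-get -y install linux-headers-$(uname -r)'
  end

  # Install falco.
  apt_package 'falco' do
    action :install
  end

elsif rhel_like
  # Trust the Draios GPG key; importing an already-known key is harmless.
  execute 'add-key' do
    command "rpm --import #{draios_key_url}"
  end

  # Configure the yum/dnf repository (idempotent, see the Debian branch).
  remote_file '/etc/yum.repos.d/draios.repo' do
    source draios_rpm_repo_url
    owner 'root'
    group 'root'
    mode '0644'
  end

  # Install the headers for the running kernel. yum is kept for Fedora as
  # well, matching the original recipe.
  execute 'install-linux-headers' do
    command 'yum -y install kernel-devel-$(uname -r)'
  end

  if platform == 'fedora'
    # Fedora: install falco and psmisc with dnf, as the original did.
    execute 'install-falco-psmisc' do
      command 'dnf install falco psmisc -y'
    end
  else
    # Add the EPEL repository (RHEL/CentOS only).
    # NOTE(review): this pulls a hard-coded EL6 release RPM over plain HTTP
    # from a third-party mirror, and rpm will install it without a trusted
    # signature; prefer the distribution's own epel-release package or a
    # download whose signature is verified. The guard stops it from
    # re-running once EPEL is already installed.
    execute 'add-epel-repo' do
      command 'rpm -i http://mirror.us.leaseweb.net/epel/6/i386/epel-release-6-8.noarch.rpm'
      not_if 'rpm -q epel-release'
      ignore_failure true
    end

    # Install falco, and psmisc for the `killall` used by the init script.
    %w(falco psmisc).each do |pkg|
      yum_package pkg do
        action :install
      end
    end
  end
end

if debian_like || rhel_like
  # Start falco and enable it at boot on every supported platform
  # (the Debian branch previously only started it).
  service 'falco' do
    action [:enable, :start]
  end

  # Create the init script for sysdig.
  template '/etc/init.d/mysysdig' do
    source 'mysysdig.erb'
    owner 'root'
    group 'root'
    mode '0755'
  end

  # Start sysdig as a service. The init script has no `status` action and
  # the process it launches is called `sysdig`, not `mysysdig`, so without
  # a process-table pattern Chef could not tell it is running and would
  # launch another capture on every converge. It is not enabled at boot:
  # the script carries no LSB/chkconfig headers, so :enable may well fail.
  service 'mysysdig' do
    pattern 'sysdig -C'
    action :start
  end
end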