├── ubuntu16 ├── vars │ └── main.yml ├── tasks │ ├── firewall.yml │ ├── unattended_updates.yml │ ├── deps.yml │ └── main.yml ├── files │ └── apt_periodic ├── requirements.yml ├── ansible.cfg ├── bootstrap.sh └── site.yml ├── README.md ├── centos7 ├── requirements.yml ├── ansible.cfg ├── tasks │ ├── deps.yml │ ├── main.yml │ └── firewall.yml ├── vars │ └── main.yml ├── bootstrap.sh ├── templates │ ├── firewall.j2 │ └── firewall.bash.j2 └── site.yml ├── .travis.yml ├── global_vars.yml ├── roles └── nginx │ ├── defaults │ └── main.yml │ ├── tasks │ └── main.yml │ └── templates │ ├── ubuntu │ └── nginx.conf.j2 │ └── centos │ └── nginx.conf.j2 ├── archive_old_versions.sh ├── ansible.sh ├── .github ├── stale.yml └── issue_template.md ├── .gitignore ├── easybutton.sh ├── test.sh └── LICENSE /ubuntu16/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | firewall_ports: 3 | - 22 4 | - 443 5 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Getting Started 2 | 3 | [See the Wiki...](https://github.com/csirtgadgets/bearded-avenger-deploymentkit/wiki) 4 | -------------------------------------------------------------------------------- /ubuntu16/tasks/firewall.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - ufw: rule=allow port={{ item }} state=enabled 3 | with_items: "{{ firewall_ports }}" 4 | tags: ufw 5 | -------------------------------------------------------------------------------- /ubuntu16/tasks/unattended_updates.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Adjust APT update intervals 3 | copy: src=apt_periodic dest=/etc/apt/apt.conf.d/10periodic -------------------------------------------------------------------------------- /centos7/requirements.yml: 
-------------------------------------------------------------------------------- 1 | --- 2 | # install elasticsearch role from galaxy 3 | - src: elastic.elasticsearch 4 | version: 5.5.1 5 | 6 | - src: csirtgadgets.cif 7 | -------------------------------------------------------------------------------- /ubuntu16/files/apt_periodic: -------------------------------------------------------------------------------- 1 | APT::Periodic::Update-Package-Lists "1"; 2 | APT::Periodic::Download-Upgradeable-Packages "0"; 3 | APT::Periodic::AutocleanInterval "14"; -------------------------------------------------------------------------------- /ubuntu16/requirements.yml: -------------------------------------------------------------------------------- 1 | --- 2 | # install elasticsearch role from galaxy 3 | - src: elastic.elasticsearch 4 | version: 5.5.1 5 | 6 | #- src: csirtgadgets.cif 7 | -------------------------------------------------------------------------------- /centos7/ansible.cfg: -------------------------------------------------------------------------------- 1 | # Ansible config file 2 | 3 | [defaults] 4 | inventory = hosts 5 | private_key_file = ~/.ssh/id_rsa 6 | host_key_checking = False 7 | roles_path = ../roles:~/.ansible/roles 8 | 9 | [privilege_escalation] 10 | become_method = sudo 11 | become_user = root -------------------------------------------------------------------------------- /centos7/tasks/deps.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: install EPEL 3 | yum: name=epel-release state=latest 4 | 5 | - name: install deps 6 | yum: 7 | state: present 8 | pkg: "{{ item }}" 9 | with_items: 10 | - htop 11 | - libcurl-devel 12 | - net-tools 13 | - wget 14 | -------------------------------------------------------------------------------- /centos7/vars/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | firewall_allowed_tcp_ports: 3 | - "22" 4 | - 
"443" 5 | - '5000' 6 | 7 | firewall_allowed_udp_ports: [] 8 | firewall_forwarded_tcp_ports: [] 9 | firewall_forwarded_udp_ports: [] 10 | firewall_additional_rules: [] 11 | firewall_log_dropped_packets: true -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | sudo: required 2 | dist: trusty 3 | language: python 4 | 5 | python: 6 | - 2.7 7 | 8 | before_install: 9 | - sudo apt-get install shellcheck 10 | 11 | script: 12 | - shellcheck -x easybutton.sh 13 | - shellcheck -x ubuntu16/bootstrap.sh 14 | - shellcheck -x centos7/bootstrap.sh 15 | -------------------------------------------------------------------------------- /ubuntu16/ansible.cfg: -------------------------------------------------------------------------------- 1 | # Ansible config file 2 | 3 | [defaults] 4 | inventory = hosts 5 | private_key_file = ~/.ssh/id_rsa 6 | host_key_checking = False 7 | remote_user = ubuntu 8 | roles_path = ../roles:~/.ansible/roles 9 | retry_files_enabled = False 10 | 11 | [privilege_escalation] 12 | become_method = sudo 13 | become_user = root -------------------------------------------------------------------------------- /global_vars.yml: -------------------------------------------------------------------------------- 1 | --- 2 | CIF_ES: "{{ lookup('env', 'CIF_ANSIBLE_ES') }}" 3 | cif_build_sdist: "{{ lookup('env', 'CIF_ANSIBLE_SDIST') | default() }}" 4 | router_store_nodes: "{{ lookup('env','CIF_ANSIBLE_ES_NODES')|default('localhost:9200', true) }}" 5 | cif_version: '3.0.8' 6 | es_version: "5.6.16" 7 | DOCKER_BUILD: "{{ lookup('env', 'DOCKER_BUILD') }}" 8 | -------------------------------------------------------------------------------- /roles/nginx/defaults/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | nginx: 3 | key_file: /etc/nginx/ssl/nginx.key 4 | cert_file: /etc/nginx/ssl/nginx.crt 5 | 
conf_path: /etc/nginx/sites-enabled/ 6 | conf_file: default 7 | server_name: localhost 8 | country: US 9 | state: NY 10 | city: Buffalo 11 | org: csirtgadgets 12 | cn: localhost 13 | days: 3650 14 | rsa: 4096 15 | server_name: cif -------------------------------------------------------------------------------- /ubuntu16/tasks/deps.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Add apt HTTPS support 3 | apt: name="{{ item }}" state=present 4 | with_items: 5 | - apt-transport-https 6 | - ca-certificates 7 | 8 | - name: Update apt cache if needed. 9 | apt: update_cache=yes cache_valid_time=3600 upgrade=yes 10 | 11 | - name: install deps 12 | apt: 13 | state: latest 14 | pkg: "{{ item }}" 15 | with_items: 16 | - build-essential 17 | - htop 18 | - iotop 19 | -------------------------------------------------------------------------------- /ubuntu16/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: "Check for version 16.04" 3 | fail: msg="Must be version 16.04 or higher" 4 | when: ansible_distribution_version is version_compare('16.04', '<') 5 | 6 | - include_tasks: firewall.yml 7 | when: DOCKER_BUILD is undefined or DOCKER_BUILD == 'no' or DOCKER_BUILD == "" 8 | tags: firewall 9 | 10 | - include_tasks: deps.yml 11 | tags: deps 12 | 13 | - include_tasks: unattended_updates.yml 14 | tags: deps 15 | -------------------------------------------------------------------------------- /archive_old_versions.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | ARCHIVE_DB=$1 4 | DB=/var/lib/cif/cif.db 5 | 6 | if [ -d /usr/local/lib/python2.7/dist-packages ]; then 7 | echo 'removing old cif|cifsdk files..' 
8 | rm -rf `find /usr/local/lib/python2.7/dist-packages | egrep "(cif-|cifsdk-)+"` 9 | 10 | if [ "$ARCHIVE_DB" == "1" ]; then 11 | if [ -f "$DB" ]; then 12 | echo "archiving old cif db" 13 | mv "$DB" "$DB.old" 14 | fi 15 | fi 16 | fi -------------------------------------------------------------------------------- /ansible.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | 5 | echo 'installing ansible...' 6 | sudo pip install 'setuptools>=18.3,<34.0' 'ansible>=2.4,<2.5' 7 | 8 | echo 'installing roles' 9 | ansible-galaxy install elastic.elasticsearch,5.5.1 10 | 11 | # test to see if we've linked this in development 12 | # install by default in production 13 | if [ ! -e roles/csirtgadgets.cif ] && [ ! -e ../roles/csirtgadgets.cif ]; then 14 | ansible-galaxy install csirtgadgets.cif,0.0.14 15 | fi 16 | 17 | echo 'running ansible...' 18 | ansible-playbook -i "localhost," -c local site.yml -vv 19 | -------------------------------------------------------------------------------- /centos7/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: "Check for 64-bit" 3 | fail: msg="Must be install 64-bit" 4 | when: ansible_architecture != "x86_64" 5 | 6 | - name: "Check for Centos" 7 | fail: msg="Must be CentOS, {{ is_centos }}" 8 | when: ansible_distribution != "CentOS" and ansible_distribution != "RedHat" 9 | 10 | - name: "Check for version 7" 11 | fail: msg="Must be version 7, {{ is_centos_version }}" 12 | when: (ansible_distribution_version < "7" or ansible_distribution_version >= "8") 13 | 14 | 15 | - include: firewall.yml 16 | tags: firewall 17 | 18 | - include: deps.yml 19 | tags: configuration 20 | -------------------------------------------------------------------------------- /centos7/tasks/firewall.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: Ensure iptables is installed 
(RedHat). 3 | yum: pkg=iptables state=installed 4 | 5 | - name: Copy firewall script into place. 6 | template: src=firewall.bash.j2 dest=/etc/firewall.bash owner=root group=root mode=0744 7 | 8 | - name: Copy firewall init script into place. 9 | template: src=firewall.j2 dest=/etc/init.d/firewall owner=root group=root mode=0755 10 | 11 | - name: reload systemd 12 | command: systemctl daemon-reload 13 | 14 | - name: Ensure the firewall is enabled and will start on boot. 15 | service: name=firewall state=started enabled=yes 16 | 17 | - name: restart firewall 18 | command: service firewall restart 19 | -------------------------------------------------------------------------------- /.github/stale.yml: -------------------------------------------------------------------------------- 1 | # Number of days of inactivity before an issue becomes stale 2 | daysUntilStale: 45 3 | # Number of days of inactivity before a stale issue is closed 4 | daysUntilClose: 7 5 | # Issues with these labels will never be considered stale 6 | exemptLabels: 7 | - pinned 8 | - security 9 | # Label to use when marking an issue as stale 10 | staleLabel: wontfix 11 | # Comment to post when marking an issue as stale. Set to `false` to disable 12 | markComment: > 13 | This issue has been automatically marked as stale because it has not had 14 | recent activity. It will be closed if no further activity occurs. Thank you 15 | for your contributions. 16 | # Comment to post when closing a stale issue. 
Set to `false` to disable 17 | closeComment: false 18 | -------------------------------------------------------------------------------- /centos7/bootstrap.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | export CIF_ELASTICSEARCH=$CIF_ELASTICSEARCH 4 | export CIF_ANSIBLE_SDIST=$CIF_ANSIBLE_SDIST 5 | export CIF_HUNTER_THREADS=$CIF_HUNTER_THREADS 6 | export CIF_GATHERER_GEO_FQDN=$CIF_GATHERER_GEO_FQDN 7 | export CIF_HUNTER_ADVANCED=$CIF_HUNTER_ADVANCED 8 | export RHEL=$RHEL 9 | 10 | if [ "${RHEL}" == '1' ]; then 11 | subscription-manager repos --enable rhel-7-server-extras-rpms 12 | else 13 | yum -y update 14 | yum -y install epel-release 15 | rm -fr /var/cache/yum/* 16 | yum clean all 17 | fi 18 | 19 | # do this after, just in case EPEL is already built in and fails 20 | set -e 21 | 22 | yum -y update 23 | 24 | echo 'updating apt-get tree and installing python-pip' 25 | sudo yum install -y gcc python-pip python-devel git libffi-devel openssl-devel 26 | 27 | bash ../ansible.sh 28 | 29 | if [[ "$CIF_BOOTSTRAP_TEST" -eq '1' ]]; then 30 | bash ../test.sh 31 | fi -------------------------------------------------------------------------------- /.github/issue_template.md: -------------------------------------------------------------------------------- 1 | # Are you getting value from the project? Have you donated to the project? 2 | 3 | https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=YZPQXDLNYZZ3W 4 | 5 | # Did you check the FAQ https://github.com/csirtgadgets/bearded-avenger-deploymentkit/wiki/FAQ ? 6 | 7 | # Are you running with hunters enabled? If so, does turning them off resolve the problem? 8 | 9 | # Expected behavior and actual behavior. 
10 | 11 | # Steps to reproduce the problem 12 | 13 | # Relevant logs as a result of the actual behavior 14 | # https://github.com/csirtgadgets/bearded-avenger-deploymentkit/wiki/FAQ#searching-logs 15 | 16 | # Did you attempt to fix the problem and submit a pull request? 17 | 18 | # Specifications like the version of the project, operating system, or hardware. 19 | 20 | # Does adding additional memory to the box resolve the problem? 21 | 22 | # How large is your /var/lib/cif.sqlite database? 23 | -------------------------------------------------------------------------------- /centos7/templates/firewall.j2: -------------------------------------------------------------------------------- 1 | #! /bin/sh 2 | # /etc/init.d/firewall 3 | # 4 | # Firewall init script, to be used with /etc/firewall.bash by Jeff Geerling. 5 | # 6 | # @author Jeff Geerling 7 | 8 | ### BEGIN INIT INFO 9 | # Provides: firewall 10 | # Required-Start: $remote_fs $syslog 11 | # Required-Stop: $remote_fs $syslog 12 | # Default-Start: 2 3 4 5 13 | # Default-Stop: 0 1 6 14 | # Short-Description: Start firewall at boot time. 15 | # Description: Enable the firewall. 16 | ### END INIT INFO 17 | 18 | # Carry out specific functions when asked to by the system 19 | case "$1" in 20 | start) 21 | echo "Starting firewall." 22 | /etc/firewall.bash 23 | ;; 24 | stop) 25 | echo "Stopping firewall." 26 | iptables -F 27 | ;; 28 | restart) 29 | echo "Restarting firewall." 
30 | /etc/firewall.bash 31 | ;; 32 | status) 33 | echo -e "`iptables -L -n`" 34 | ;; 35 | *) 36 | echo "Usage: /etc/init.d/firewall {start|stop|status|restart}" 37 | exit 1 38 | ;; 39 | esac 40 | 41 | exit 0 -------------------------------------------------------------------------------- /ubuntu16/bootstrap.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | 5 | export CIF_ANSIBLE_ES=$CIF_ANSIBLE_ES 6 | export CIF_ANSIBLE_SDIST=$CIF_ANSIBLE_SDIST 7 | export CIF_HUNTER_THREADS=$CIF_HUNTER_THREADS 8 | export CIF_HUNTER_ADVANCED=$CIF_HUNTER_ADVANCED 9 | export CIF_GATHERER_GEO_FQDN=$CIF_GATHERER_GEO_FQDN 10 | 11 | echo 'installing the basics' 12 | sudo apt-get update && apt-get install -y build-essential python-dev python2.7 python-pip python-dev aptitude \ 13 | python-pip libffi-dev libssl-dev sqlite3 software-properties-common 14 | 15 | sudo pip install pip --upgrade 16 | 17 | echo 'checking for python-openssl' 18 | set +e 19 | EXISTS=$( dpkg -l | grep python-openssl ) 20 | set -e 21 | if [[ ! -z ${EXISTS} ]]; then 22 | echo "Python-openssl found. 
Applying workaround" 23 | echo "#@link https://github.com/csirtgadgets/bearded-avenger-deploymentkit/issues/15" 24 | echo "# sudo apt-get --auto-remove --yes remove python-openssl" 25 | echo "# sudo pip install pyOpenSSL" 26 | sudo apt-get --auto-remove --yes remove python-openssl && sudo pip install pyOpenSSL 27 | fi 28 | 29 | sudo pip install 'pytest>=2.8.0,<3.0' 30 | 31 | bash ../ansible.sh 32 | 33 | if [[ "$CIF_BOOTSTRAP_TEST" -eq '1' ]]; then 34 | bash ../test.sh 35 | fi 36 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | roles/**/* 2 | !roles/nginx 3 | *.retry 4 | # Byte-compiled / optimized / DLL files 5 | __pycache__/ 6 | *.py[cod] 7 | *$py.class 8 | 9 | # C extensions 10 | *.so 11 | 12 | # Distribution / packaging 13 | .Python 14 | env/ 15 | build/ 16 | develop-eggs/ 17 | dist/ 18 | downloads/ 19 | eggs/ 20 | .eggs/ 21 | lib/ 22 | lib64/ 23 | parts/ 24 | sdist/ 25 | var/ 26 | *.egg-info/ 27 | .installed.cfg 28 | *.egg 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 
33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .coverage 44 | .coverage.* 45 | .cache 46 | nosetests.xml 47 | coverage.xml 48 | *,cover 49 | .hypothesis/ 50 | 51 | # Translations 52 | *.mo 53 | *.pot 54 | 55 | # Django stuff: 56 | *.log 57 | local_settings.py 58 | 59 | # Flask stuff: 60 | instance/ 61 | .webassets-cache 62 | 63 | # Scrapy stuff: 64 | .scrapy 65 | 66 | # Sphinx documentation 67 | docs/_build/ 68 | 69 | # PyBuilder 70 | target/ 71 | 72 | # IPython Notebook 73 | .ipynb_checkpoints 74 | 75 | # pyenv 76 | .python-version 77 | 78 | # celery beat schedule file 79 | celerybeat-schedule 80 | 81 | # dotenv 82 | .env 83 | 84 | # virtualenv 85 | venv/ 86 | ENV/ 87 | 88 | # Spyder project settings 89 | .spyderproject 90 | 91 | # Rope project settings 92 | .ropeproject 93 | -------------------------------------------------------------------------------- /roles/nginx/tasks/main.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: install nginx 3 | apt: state=latest pkg=nginx 4 | when: ansible_distribution == 'Ubuntu' 5 | 6 | - name: install nginx 7 | yum: state=latest pkg=nginx 8 | when: ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' 9 | 10 | - name: create directories for ssl certificiates 11 | file: path=/etc/nginx/ssl state=directory 12 | 13 | - name: generate TLS key 14 | command: 15 | openssl req -subj 16 | '/C={{ nginx_country | default(nginx.country) }}/ST={{ nginx_state | default(nginx.state) }}/L={{ nginx_city | default(nginx.city) }}/O={{ nginx_org | default(nginx.org) }}/CN={{ nginx_cn | default(nginx.cn) }}' 17 | -x509 -nodes -days {{ nginx_days | default(nginx.days) }} -newkey rsa:{{ nginx_rsa | default(nginx.rsa) }} -keyout {{ nginx_key_file | default(nginx.key_file) }} 18 | -out {{ nginx_cert_file | default(nginx.cert_file) }} 19 | 20 | - name: 
fix key perms 21 | file: path={{ item }} mode=600 22 | with_items: 23 | - "{{ nginx_cert_file | default(nginx.cert_file) }}" 24 | - "{{ nginx_key_file | default(nginx.key_file) }}" 25 | 26 | - name: copy nginx config file 27 | template: src=templates/centos/nginx.conf.j2 dest=/etc/nginx/nginx.conf 28 | when: ansible_distribution == 'CentOS' or ansible_distribution == 'RedHat' 29 | 30 | - name: copy nginx config file 31 | template: src=templates/ubuntu/nginx.conf.j2 dest=/etc/nginx/sites-enabled/default 32 | when: ansible_distribution == 'Ubuntu' 33 | 34 | - name: restart nginx 35 | service: name=nginx state=restarted daemon_reload=yes enabled=yes 36 | when: DOCKER_BUILD is undefined or DOCKER_BUILD == 'no' or DOCKER_BUILD == "" 37 | -------------------------------------------------------------------------------- /ubuntu16/site.yml: -------------------------------------------------------------------------------- 1 | # http://docs.ansible.com/ansible/playbooks_environment.html 2 | # environment: 3 | # http_proxy: http://proxy.example.com:8080 4 | --- 5 | - name: configure platform 6 | hosts: localhost 7 | gather_facts: False 8 | become: True 9 | 10 | vars_files: 11 | - "vars/main.yml" 12 | - "../global_vars.yml" 13 | 14 | vars: 15 | - GH_TOKEN: "{{ lookup('env', 'GH_TOKEN') }}" 16 | - router_store_args: '' 17 | - router_hunter_threads: "{{ lookup('env', 'CIF_HUNTER_THREADS') }}" 18 | - router_hunter_advanced: "{{ lookup('env', 'CIF_HUNTER_ADVANCED') }}" 19 | - router_gatherer_geo_fqdn: "{{ lookup('env', 'CIF_GATHERER_GEO_FQDN') }}" 20 | 21 | pre_tasks: 22 | 23 | - name: configure python 24 | raw: sudo apt-get install python-minimal aptitude -y 25 | 26 | - setup: 27 | filter: ansible_* 28 | 29 | - name: set store fact 30 | set_fact: 31 | router_store_store: 'elasticsearch' 32 | router_store_nodes: "{{ CIF_ES }}" 33 | when: CIF_ES is defined and CIF_ES != "" 34 | 35 | - name: set build_sdist 36 | set_fact: 37 | cif_build_sdist: CIF_ANSIBLE_SDIST 38 | when: 
CIF_ANSIBLE_SDIST is defined 39 | 40 | - import_tasks: tasks/main.yml 41 | 42 | 43 | roles: 44 | - { role: elastic.elasticsearch, 45 | es_config: { 46 | node.data: true, 47 | node.master: true, 48 | }, 49 | es_version: "5.6.16", 50 | es_instance_name: 'cif', 51 | when: router_store_store is defined and router_store_store == 'elasticsearch' 52 | } 53 | - { role: csirtgadgets.cif, tags: role-cif } 54 | - { role: nginx, tags: role-nginx } 55 | -------------------------------------------------------------------------------- /centos7/site.yml: -------------------------------------------------------------------------------- 1 | # http://docs.ansible.com/ansible/playbooks_environment.html 2 | # environment: 3 | # http_proxy: http://proxy.example.com:8080 4 | --- 5 | - name: configure platform 6 | hosts: localhost 7 | gather_facts: False # facts are gathered later by the explicit setup task in pre_tasks 8 | become: True 9 | 10 | vars_files: 11 | - "vars/main.yml" 12 | - "../global_vars.yml" 13 | 14 | vars: 15 | - GH_TOKEN: "{{ lookup('env', 'GH_TOKEN') }}" # secret taken from the environment; ../ansible.sh runs this play with -vv, so whichever task consumes it should use no_log 16 | - router_store_args: '' 17 | - router_hunter_threads: "{{ lookup('env', 'CIF_HUNTER_THREADS') }}" 18 | - router_hunter_advanced: "{{ lookup('env', 'CIF_HUNTER_ADVANCED') }}" 19 | - router_gatherer_geo_fqdn: "{{ lookup('env', 'CIF_GATHERER_GEO_FQDN') }}" 20 | 21 | pre_tasks: 22 | 23 | - name: configure repos 24 | raw: rpm -iUvh http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm # NOTE(review): plain-http fetch fed straight to rpm, and ignore_errors below hides any failure; tasks/deps.yml already installs epel-release through yum, the signature-checked path -- confirm this raw step is still needed 25 | ignore_errors: yes 26 | 27 | - name: update yum 28 | raw: yum -y update 29 | 30 | - name: configure basics 31 | raw: yum install -y gcc python-pip python-devel git libffi-devel openssl-devel 32 | 33 | - setup: 34 | filter: ansible_* 35 | 36 | - name: set store fact 37 | set_fact: 38 | router_store_store: 'elasticsearch' 39 | router_store_nodes: "{{ CIF_ES }}" 40 | when: CIF_ES is defined and CIF_ES != "" 41 | 42 | - name: set build_sdist 43 | set_fact: 44 | cif_build_sdist: CIF_ANSIBLE_SDIST # NOTE(review): a bare scalar, so the fact becomes the literal string "CIF_ANSIBLE_SDIST", not the variable the when: tests; ../global_vars.yml already derives cif_build_sdist from the environment -- confirm which is intended 45 | when: CIF_ANSIBLE_SDIST is defined 46 | 47 | - import_tasks: tasks/main.yml 48 | 49 | 
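roles: 50 | - { role: elastic.elasticsearch, 51 | es_config: { 52 | node.data: true, 53 | node.master: true, 54 | }, 55 | es_version: "5.6.16", 56 | es_instance_name: 'cif', 57 | when: router_store_store is defined and router_store_store == 'elasticsearch' 58 | } 59 | - { role: csirtgadgets.cif, tags: role-cif } 60 | - { role: nginx, tags: role-nginx } 61 | -------------------------------------------------------------------------------- /roles/nginx/templates/ubuntu/nginx.conf.j2: -------------------------------------------------------------------------------- 1 | server { 2 | listen [::]:80 default_server; 3 | listen 80 default_server; 4 | server_name _; 5 | return 301 https://$host$request_uri; # $host (the request's Host header), not $server_name: with the catch-all server_name "_" the previous redirect pointed at https://_/ 6 | } 7 | 8 | server { 9 | listen 443 ssl http2 default_server; 10 | listen [::]:443 ssl http2 default_server; 11 | server_name _; 12 | 13 | gzip on; 14 | gzip_comp_level 2; 15 | gzip_http_version 1.0; 16 | gzip_proxied any; 17 | gzip_min_length 1100; 18 | 19 | gzip_buffers 16 8k; 20 | gzip_types text/plain; 21 | 22 | ssl_session_timeout 5m; 23 | 24 | ssl_protocols TLSv1.2; # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were previously offered here; keep in step with templates/centos/nginx.conf.j2 25 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/ 26 | ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; # NOTE(review): the list still carries the 3DES (DES-CBC3-SHA) suites; consider dropping them -- confirm no legacy client depends on them 27 | ssl_prefer_server_ciphers on; 28 | 29 | ssl_session_cache shared:SSL:50m; 30 | ssl_session_tickets off; 31 | 32 | # OCSP Stapling 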
--- 33 | # fetch OCSP records from URL in ssl_certificate and cache them 34 | ssl_stapling on; # NOTE(review): the cert at ssl_certificate below is the self-signed one produced by roles/nginx/tasks/main.yml (openssl -x509), which carries no OCSP responder, so there is nothing to staple -- harmless, but no revocation checking results 35 | ssl_stapling_verify on; 36 | 37 | root /usr/share/nginx/html; 38 | index index.html index.htm; 39 | 40 | location / { 41 | gzip off; 42 | proxy_set_header Host $host; 43 | proxy_set_header X-Real-IP $remote_addr; 44 | proxy_set_header X-Forwarded-Proto $scheme; 45 | proxy_pass http://127.0.0.1:5000; # plaintext hop to the backend on loopback; X-Forwarded-Proto above carries the client-facing scheme 46 | } 47 | 48 | ssl_certificate /etc/nginx/ssl/nginx.crt; 49 | ssl_certificate_key /etc/nginx/ssl/nginx.key; # same paths as nginx.cert_file / nginx.key_file in roles/nginx/defaults/main.yml; the role sets mode 600 on both after generation 50 | 51 | error_page 404 /404.html; 52 | location = /404.html { 53 | root /usr/share/nginx/html; 54 | } 55 | 56 | error_page 500 502 503 504 /50x.html; 57 | location = /50x.html { 58 | root /usr/share/nginx/html; 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /centos7/templates/firewall.bash.j2: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # iptables firewall for common LAMP servers. NOTE(review): IPv4 only -- ip6tables is never configured by this script, yet nginx.conf.j2 listens on [::]:80 and [::]:443; confirm IPv6 is disabled or filtered elsewhere. 3 | # 4 | # This file should be located at /etc/firewall.bash, and is meant to work with 5 | # Jeff Geerling's firewall init script. 6 | # 7 | # Common port reference: 8 | # 22: SSH 9 | # 25: SMTP 10 | # 80: HTTP 11 | # 123: NTP 12 | # 443: HTTPS 13 | # 2222: SSH alternate 14 | # 4949: Munin 15 | # 6082: Varnish admin 16 | # 8080: HTTP alternate (often used with Tomcat) 17 | # 8983: Tomcat HTTP 18 | # 8443: Tomcat HTTPS 19 | # 9000: SonarQube 20 | # 21 | # @author Jeff Geerling 22 | 23 | # No spoofing. 24 | if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] 25 | then 26 | for filter in /proc/sys/net/ipv4/conf/*/rp_filter 27 | do 28 | echo 1 > $filter 29 | done 30 | fi 31 | 32 | # Remove all rules and chains. Chain policies are left at their defaults: the final DROP at the end of this file is an appended rule, and the init script's stop target (iptables -F) returns the host to this same default-accept state. 33 | iptables -F 34 | iptables -X 35 | 36 | # Accept traffic from loopback interface (localhost). 37 | iptables -A INPUT -i lo -j ACCEPT 38 | 39 | # Forwarded ports. 
40 | {# Add a rule for each forwarded port #} 41 | {% for forwarded_port in firewall_forwarded_tcp_ports %} 42 | iptables -t nat -I PREROUTING -p tcp --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }} 43 | iptables -t nat -I OUTPUT -p tcp -o lo --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }} 44 | {% endfor %} 45 | {% for forwarded_port in firewall_forwarded_udp_ports %} 46 | iptables -t nat -I PREROUTING -p udp --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }} 47 | iptables -t nat -I OUTPUT -p udp -o lo --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }} 48 | {% endfor %} 49 | 50 | # Open ports. 51 | {# Add a rule for each open port #} 52 | {% for port in firewall_allowed_tcp_ports %} 53 | iptables -A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT 54 | {% endfor %} 55 | {% for port in firewall_allowed_udp_ports %} 56 | iptables -A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT 57 | {% endfor %} 58 | 59 | # Accept icmp ping requests. 60 | iptables -A INPUT -p icmp -j ACCEPT 61 | 62 | # Allow NTP traffic for time synchronization. 63 | iptables -A OUTPUT -p udp --dport 123 -j ACCEPT 64 | iptables -A INPUT -p udp --sport 123 -j ACCEPT 65 | 66 | # Additional custom rules. 67 | {% for rule in firewall_additional_rules %} 68 | {{ rule }} 69 | {% endfor %} 70 | 71 | # Allow established connections: 72 | iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 73 | 74 | # Log EVERYTHING (ONLY for Debug). 75 | # iptables -A INPUT -j LOG 76 | 77 | {% if firewall_log_dropped_packets %} 78 | # Log other incoming requests (all of which are dropped) at 15/minute max. 79 | iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: " 80 | {% endif %} 81 | 82 | # Drop all other traffic. 
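83 | iptables -A INPUT -j DROP -------------------------------------------------------------------------------- /easybutton.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Installer entry point: require root, check connectivity, clear out old cif installs, then hand off to the per-distribution bootstrap.sh. 3 | set -e 4 | 5 | if [ "$(whoami)" != 'root' ]; then 6 | echo "must be run as root" 7 | exit 1 8 | fi 9 | 10 | # Check for an Internet Connection as it is required during installation 11 | HTTP_HOST=http://github.com 12 | if [ -x "$(which wget)" ]; then 13 | echo "Checking for an Internet connection" 14 | if wget -q --tries=3 --timeout=10 --spider "$HTTP_HOST"; then # test wget's exit status directly: with -q it prints nothing, so the old [[ "$(...)" -eq 0 ]] compared an empty string and always succeeded 15 | echo "$HTTP_HOST appears to be available via HTTP" 16 | else 17 | echo "$HTTP_HOST does not appear to be available via HTTP" 18 | echo "Exiting installation" 19 | exit 1 20 | fi 21 | else 22 | echo "/usr/bin/wget does not exist, skipping Internet connection test" 23 | fi 24 | 25 | # archive old versions 26 | bash archive_old_versions.sh # no argument is passed, so only stale cif/cifsdk packages are removed; cif.db is kept unless that script gets ARCHIVE_DB=1 27 | 28 | if [ -f /etc/lsb-release ]; then 29 | # shellcheck disable=SC1091 30 | . /etc/lsb-release 31 | OS=$DISTRIB_ID 32 | VER=$DISTRIB_RELEASE 33 | elif [ -f /etc/debian_version ]; then 34 | OS=Debian # XXX or Ubuntu?? 35 | VER=$(cat /etc/debian_version) 36 | elif [ -f /etc/centos-release ]; then 37 | # shellcheck disable=SC1091 38 | . /etc/os-release 39 | OS=$NAME 40 | VER=$VERSION_ID 41 | elif [ -f /etc/redhat-release ]; then 42 | # shellcheck disable=SC1091 43 | . /etc/os-release 44 | OS=$NAME 45 | VER=$VERSION_ID 46 | else 47 | OS=$(uname -s) 48 | VER=$(uname -r) 49 | fi 50 | 51 | case $OS in 52 | "Ubuntu" ) 53 | if [ "$VER" == "14.04" ]; then 54 | echo "14.04 is no longer supported, switch to 16.04 LTS (Server)" 55 | elif [ "$VER" == "16.04" ]; then 56 | cd ubuntu16 57 | bash bootstrap.sh 58 | else 59 | echo "Currently only 16.04 LTS (Server) is supported" 60 | echo "We accept Pull Requests! =)" 61 | fi 62 | ;; 63 | 64 | "Debian" ) 65 | echo 'Debian not yet supported...' 66 | echo "We accept Pull Requests! 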
=)" 67 | exit 1;; 68 | 69 | "Darwin" ) 70 | echo 'Darwin not yet supported...' 71 | echo "We accept Pull Requests! =)" 72 | exit 1;; 73 | 74 | "Red Hat Enterprise Linux Server" ) 75 | if [ "$VER" == '7.3' ]; then 76 | cd centos7 77 | RHEL='1' bash bootstrap.sh 78 | elif [ "$VER" == '7.4' ]; then 79 | cd centos7 80 | RHEL='1' bash bootstrap.sh 81 | else 82 | echo 'only RHEL 7.3|7.4 are supported' 83 | echo "We accept Pull Requests! =)" 84 | fi 85 | ;; 86 | 87 | "CentOS Linux" ) 88 | if [ "$VER" == '7' ]; then 89 | cd centos7 90 | bash bootstrap.sh 91 | else 92 | echo 'only CentOS 7 is supported' 93 | echo "We accept Pull Requests! =)" 94 | fi 95 | ;; 96 | 97 | esac 98 | -------------------------------------------------------------------------------- /roles/nginx/templates/centos/nginx.conf.j2: -------------------------------------------------------------------------------- 1 | user nginx; 2 | worker_processes auto; 3 | error_log /var/log/nginx/error.log; 4 | pid /run/nginx.pid; 5 | 6 | # Load dynamic modules. See /usr/share/nginx/README.dynamic. 7 | include /usr/share/nginx/modules/*.conf; 8 | 9 | events { 10 | worker_connections 1024; 11 | } 12 | 13 | http { 14 | log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 15 | '$status $body_bytes_sent "$http_referer" ' 16 | '"$http_user_agent" "$http_x_forwarded_for"'; 17 | 18 | access_log /var/log/nginx/access.log main; 19 | 20 | sendfile on; 21 | tcp_nopush on; 22 | tcp_nodelay on; 23 | keepalive_timeout 65; 24 | types_hash_max_size 2048; 25 | 26 | include /etc/nginx/mime.types; 27 | default_type application/octet-stream; 28 | 29 | # Load modular configuration files from the /etc/nginx/conf.d directory. 30 | # See http://nginx.org/en/docs/ngx_core_module.html#include 31 | # for more information. 
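# (continuation of the http {} block opened above)
    include /etc/nginx/conf.d/*.conf;

    # NOTE(review): as listed, http {} was closed right here and both server
    # blocks followed at top level, where nginx rejects them ("server"
    # directive is not allowed there). The closing brace now follows the last
    # server block so that both vhosts live inside http {}.

    # Plain-HTTP listener: redirect every request to HTTPS.
    server {
        listen [::]:80 default_server;
        listen 80 default_server;
        server_name _;
        # $host is the name the client asked for. With "server_name _",
        # $server_name expands to "_", so the old redirect sent clients
        # to https://_/... and never reached this host.
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name _;

        gzip on;
        gzip_comp_level 2;
        gzip_http_version 1.0;
        gzip_proxied any;
        gzip_min_length 1100;

        gzip_buffers 16 8k;
        gzip_types text/plain;

        ssl_session_timeout 5m;

        # TLS 1.0 and 1.1 are deprecated and no longer offered; add TLSv1.3
        # here once the platform's nginx/OpenSSL build supports it.
        ssl_protocols TLSv1.2;
        # https://mozilla.github.io/server-side-tls/ssl-config-generator/
        # The 3DES (DES-CBC3-SHA) suites were dropped from the original list:
        # they only served the legacy clients that left with TLS 1.0/1.1.
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
        ssl_prefer_server_ciphers on;

        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        # OCSP Stapling ---
        # fetch OCSP records from URL in ssl_certificate and cache them
        # (only effective when the certificate below carries an OCSP responder
        # URL; with a locally generated nginx.crt nginx just logs a warning)
        ssl_stapling on;
        ssl_stapling_verify on;

        root /usr/share/nginx/html;
        index index.html index.htm;

        # Everything under / is proxied to the local application on :5000 and
        # passed through uncompressed; the client address travels in X-Real-IP.
        location / {
            gzip off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://127.0.0.1:5000;
        }

        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        error_page 404 /404.html;
        location = /404.html {
            root /usr/share/nginx/html;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
    }
}
--------------------------------------------------------------------------------
/test.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# test.sh: post-install smoke test. Sources the installed service
# environment, then drives the cif CLI and csirtg-smrt as the cif user
# against the local instance. Any failing command aborts the run (set -e).

set -e

#echo 'adding ubuntu to cif group...'
#sudo usermod -aG cif ubuntu

# These files are expected to define the runtime environment that sudo -E
# forwards to the cif user below -- confirm their contents on the target.
. /etc/default/cif
. /etc/default/smrt


echo 'giving things a chance to settle...'
sleep 10

echo 'testing connectivity'
# -k skips certificate verification; the nginx vhost serves
# /etc/nginx/ssl/nginx.crt, presumably a locally generated certificate.
curl -v -k https://localhost
sudo -E -u cif cif --config /home/cif/.cif.yml -p

echo 'testing query'
sudo -E -u cif cif --config /home/cif/.cif.yml --search example.com

echo 'waiting...'
sleep 5

echo 'testing query'
sudo -E -u cif cif --config /home/cif/.cif.yml --search example.com

echo 'waiting...'
sleep 5

# The tag was spelled "saerch" here; the fqdn feed test later in this
# script queries "search", which looks like the intended tag.
sudo -E -u cif cif --config /home/cif/.cif.yml --itype ipv4 --tags search

sudo -E -u cif cif --config /home/cif/.cif.yml -q 93.184.216.34

echo 'waiting...'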
sleep 5

# Helpers for the rest of the smoke test: every command runs as the cif
# user with the caller's environment forwarded (sudo -E), and cif_cli
# always targets the cif user's own config file.
CIF_CONFIG=/home/cif/.cif.yml
as_cif() { sudo -E -u cif "$@"; }
cif_cli() { as_cif cif --config "$CIF_CONFIG" "$@"; }

cif_cli -q 93.184.216.34

# Pull a few feeds through csirtg-smrt into the local instance. The openphish
# rule is run twice back to back (the second pass exercises --remember);
# the csirtg rules run with CSIRTG_TOKEN deliberately blank.
SMRT_ENV="CSIRTG_SMRT_RUNTIME_PATH=/var/lib/smrt CSIRTG_SMRT_CACHE_PATH=/var/lib/smrt"
SMRT_OPTS="-d --remember --client cif --config /etc/cif/csirtg-smrt.yml --limit 100 --skip-invalid --fireball --goback 7"
# shellcheck disable=SC2086
as_cif $SMRT_ENV csirtg-smrt -r /etc/cif/rules/default/openphish.yml $SMRT_OPTS
# shellcheck disable=SC2086
as_cif $SMRT_ENV csirtg-smrt -r /etc/cif/rules/default/openphish.yml $SMRT_OPTS
# shellcheck disable=SC2086
as_cif CSIRTG_TOKEN="" $SMRT_ENV csirtg-smrt -r /etc/cif/rules/default/csirtg.yml -f darknet $SMRT_OPTS
# shellcheck disable=SC2086
as_cif CSIRTG_TOKEN="" $SMRT_ENV csirtg-smrt -r /etc/cif/rules/default/csirtg.yml -f uce-urls $SMRT_OPTS

echo 'waiting 30s... let hunter do their thing...'
sleep 30

# Read-side checks: provider, feed and confidence filters, one query each,
# in the same order as before.
for query in \
    "--provider csirtg.io" \
    "--provider openphish.com" \
    "--itype ipv4 --feed --tags scanner" \
    "--itype ipv4 --feed --tags scanner --days 17" \
    "--itype fqdn --feed --tags search" \
    "--itype url --feed --tags uce" \
    "--itype url --feed --tags phishing" \
    "--itype ipv4 --feed --tags phishing --confidence 2" \
    "--itype ipv4 --confidence 1,6 --no-feed -d" \
    "--itype fqdn --confidence 1,6 --no-feed -d"
do
    # shellcheck disable=SC2086
    cif_cli $query
done

echo "testing submissions"
cif_cli --indicator csirtg.io --tags malware --submit --confidence 8

cif_cli -nq csirtg.io

echo
echo
echo "testing tokens"

# Token management: list, then create read / write / read-write test tokens,
# then list again with HTTP tracing enabled.
as_cif cif-tokens --config "$CIF_CONFIG"
as_cif cif-tokens --config "$CIF_CONFIG" --user test-write --write --create
as_cif cif-tokens --config "$CIF_CONFIG" --user test-read --read --create
as_cif cif-tokens --config "$CIF_CONFIG" --user test-read-write --write --create --read
as_cif CIFSDK_CLIENT_HTTP_TRACE=1 cif-tokens -d --config "$CIF_CONFIG"
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Mozilla Public License Version 2.0
==================================

1. Definitions
--------------

1.1.
"Contributor" 8 | means each individual or legal entity that creates, contributes to 9 | the creation of, or owns Covered Software. 10 | 11 | 1.2. "Contributor Version" 12 | means the combination of the Contributions of others (if any) used 13 | by a Contributor and that particular Contributor's Contribution. 14 | 15 | 1.3. "Contribution" 16 | means Covered Software of a particular Contributor. 17 | 18 | 1.4. "Covered Software" 19 | means Source Code Form to which the initial Contributor has attached 20 | the notice in Exhibit A, the Executable Form of such Source Code 21 | Form, and Modifications of such Source Code Form, in each case 22 | including portions thereof. 23 | 24 | 1.5. "Incompatible With Secondary Licenses" 25 | means 26 | 27 | (a) that the initial Contributor has attached the notice described 28 | in Exhibit B to the Covered Software; or 29 | 30 | (b) that the Covered Software was made available under the terms of 31 | version 1.1 or earlier of the License, but not also under the 32 | terms of a Secondary License. 33 | 34 | 1.6. "Executable Form" 35 | means any form of the work other than Source Code Form. 36 | 37 | 1.7. "Larger Work" 38 | means a work that combines Covered Software with other material, in 39 | a separate file or files, that is not Covered Software. 40 | 41 | 1.8. "License" 42 | means this document. 43 | 44 | 1.9. "Licensable" 45 | means having the right to grant, to the maximum extent possible, 46 | whether at the time of the initial grant or subsequently, any and 47 | all of the rights conveyed by this License. 48 | 49 | 1.10. "Modifications" 50 | means any of the following: 51 | 52 | (a) any file in Source Code Form that results from an addition to, 53 | deletion from, or modification of the contents of Covered 54 | Software; or 55 | 56 | (b) any new file in Source Code Form that contains any Covered 57 | Software. 58 | 59 | 1.11. 
"Patent Claims" of a Contributor 60 | means any patent claim(s), including without limitation, method, 61 | process, and apparatus claims, in any patent Licensable by such 62 | Contributor that would be infringed, but for the grant of the 63 | License, by the making, using, selling, offering for sale, having 64 | made, import, or transfer of either its Contributions or its 65 | Contributor Version. 66 | 67 | 1.12. "Secondary License" 68 | means either the GNU General Public License, Version 2.0, the GNU 69 | Lesser General Public License, Version 2.1, the GNU Affero General 70 | Public License, Version 3.0, or any later versions of those 71 | licenses. 72 | 73 | 1.13. "Source Code Form" 74 | means the form of the work preferred for making modifications. 75 | 76 | 1.14. "You" (or "Your") 77 | means an individual or a legal entity exercising rights under this 78 | License. For legal entities, "You" includes any entity that 79 | controls, is controlled by, or is under common control with You. For 80 | purposes of this definition, "control" means (a) the power, direct 81 | or indirect, to cause the direction or management of such entity, 82 | whether by contract or otherwise, or (b) ownership of more than 83 | fifty percent (50%) of the outstanding shares or beneficial 84 | ownership of such entity. 85 | 86 | 2. License Grants and Conditions 87 | -------------------------------- 88 | 89 | 2.1. 
Grants 90 | 91 | Each Contributor hereby grants You a world-wide, royalty-free, 92 | non-exclusive license: 93 | 94 | (a) under intellectual property rights (other than patent or trademark) 95 | Licensable by such Contributor to use, reproduce, make available, 96 | modify, display, perform, distribute, and otherwise exploit its 97 | Contributions, either on an unmodified basis, with Modifications, or 98 | as part of a Larger Work; and 99 | 100 | (b) under Patent Claims of such Contributor to make, use, sell, offer 101 | for sale, have made, import, and otherwise transfer either its 102 | Contributions or its Contributor Version. 103 | 104 | 2.2. Effective Date 105 | 106 | The licenses granted in Section 2.1 with respect to any Contribution 107 | become effective for each Contribution on the date the Contributor first 108 | distributes such Contribution. 109 | 110 | 2.3. Limitations on Grant Scope 111 | 112 | The licenses granted in this Section 2 are the only rights granted under 113 | this License. No additional rights or licenses will be implied from the 114 | distribution or licensing of Covered Software under this License. 115 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 116 | Contributor: 117 | 118 | (a) for any code that a Contributor has removed from Covered Software; 119 | or 120 | 121 | (b) for infringements caused by: (i) Your and any other third party's 122 | modifications of Covered Software, or (ii) the combination of its 123 | Contributions with other software (except as part of its Contributor 124 | Version); or 125 | 126 | (c) under Patent Claims infringed by Covered Software in the absence of 127 | its Contributions. 128 | 129 | This License does not grant any rights in the trademarks, service marks, 130 | or logos of any Contributor (except as may be necessary to comply with 131 | the notice requirements in Section 3.4). 132 | 133 | 2.4. 
Subsequent Licenses 134 | 135 | No Contributor makes additional grants as a result of Your choice to 136 | distribute the Covered Software under a subsequent version of this 137 | License (see Section 10.2) or under the terms of a Secondary License (if 138 | permitted under the terms of Section 3.3). 139 | 140 | 2.5. Representation 141 | 142 | Each Contributor represents that the Contributor believes its 143 | Contributions are its original creation(s) or it has sufficient rights 144 | to grant the rights to its Contributions conveyed by this License. 145 | 146 | 2.6. Fair Use 147 | 148 | This License is not intended to limit any rights You have under 149 | applicable copyright doctrines of fair use, fair dealing, or other 150 | equivalents. 151 | 152 | 2.7. Conditions 153 | 154 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted 155 | in Section 2.1. 156 | 157 | 3. Responsibilities 158 | ------------------- 159 | 160 | 3.1. Distribution of Source Form 161 | 162 | All distribution of Covered Software in Source Code Form, including any 163 | Modifications that You create or to which You contribute, must be under 164 | the terms of this License. You must inform recipients that the Source 165 | Code Form of the Covered Software is governed by the terms of this 166 | License, and how they can obtain a copy of this License. You may not 167 | attempt to alter or restrict the recipients' rights in the Source Code 168 | Form. 169 | 170 | 3.2. 
Distribution of Executable Form 171 | 172 | If You distribute Covered Software in Executable Form then: 173 | 174 | (a) such Covered Software must also be made available in Source Code 175 | Form, as described in Section 3.1, and You must inform recipients of 176 | the Executable Form how they can obtain a copy of such Source Code 177 | Form by reasonable means in a timely manner, at a charge no more 178 | than the cost of distribution to the recipient; and 179 | 180 | (b) You may distribute such Executable Form under the terms of this 181 | License, or sublicense it under different terms, provided that the 182 | license for the Executable Form does not attempt to limit or alter 183 | the recipients' rights in the Source Code Form under this License. 184 | 185 | 3.3. Distribution of a Larger Work 186 | 187 | You may create and distribute a Larger Work under terms of Your choice, 188 | provided that You also comply with the requirements of this License for 189 | the Covered Software. If the Larger Work is a combination of Covered 190 | Software with a work governed by one or more Secondary Licenses, and the 191 | Covered Software is not Incompatible With Secondary Licenses, this 192 | License permits You to additionally distribute such Covered Software 193 | under the terms of such Secondary License(s), so that the recipient of 194 | the Larger Work may, at their option, further distribute the Covered 195 | Software under the terms of either this License or such Secondary 196 | License(s). 197 | 198 | 3.4. Notices 199 | 200 | You may not remove or alter the substance of any license notices 201 | (including copyright notices, patent notices, disclaimers of warranty, 202 | or limitations of liability) contained within the Source Code Form of 203 | the Covered Software, except that You may alter any license notices to 204 | the extent required to remedy known factual inaccuracies. 205 | 206 | 3.5. 
Application of Additional Terms 207 | 208 | You may choose to offer, and to charge a fee for, warranty, support, 209 | indemnity or liability obligations to one or more recipients of Covered 210 | Software. However, You may do so only on Your own behalf, and not on 211 | behalf of any Contributor. You must make it absolutely clear that any 212 | such warranty, support, indemnity, or liability obligation is offered by 213 | You alone, and You hereby agree to indemnify every Contributor for any 214 | liability incurred by such Contributor as a result of warranty, support, 215 | indemnity or liability terms You offer. You may include additional 216 | disclaimers of warranty and limitations of liability specific to any 217 | jurisdiction. 218 | 219 | 4. Inability to Comply Due to Statute or Regulation 220 | --------------------------------------------------- 221 | 222 | If it is impossible for You to comply with any of the terms of this 223 | License with respect to some or all of the Covered Software due to 224 | statute, judicial order, or regulation then You must: (a) comply with 225 | the terms of this License to the maximum extent possible; and (b) 226 | describe the limitations and the code they affect. Such description must 227 | be placed in a text file included with all distributions of the Covered 228 | Software under this License. Except to the extent prohibited by statute 229 | or regulation, such description must be sufficiently detailed for a 230 | recipient of ordinary skill to be able to understand it. 231 | 232 | 5. Termination 233 | -------------- 234 | 235 | 5.1. The rights granted under this License will terminate automatically 236 | if You fail to comply with any of its terms. 
However, if You become 237 | compliant, then the rights granted under this License from a particular 238 | Contributor are reinstated (a) provisionally, unless and until such 239 | Contributor explicitly and finally terminates Your grants, and (b) on an 240 | ongoing basis, if such Contributor fails to notify You of the 241 | non-compliance by some reasonable means prior to 60 days after You have 242 | come back into compliance. Moreover, Your grants from a particular 243 | Contributor are reinstated on an ongoing basis if such Contributor 244 | notifies You of the non-compliance by some reasonable means, this is the 245 | first time You have received notice of non-compliance with this License 246 | from such Contributor, and You become compliant prior to 30 days after 247 | Your receipt of the notice. 248 | 249 | 5.2. If You initiate litigation against any entity by asserting a patent 250 | infringement claim (excluding declaratory judgment actions, 251 | counter-claims, and cross-claims) alleging that a Contributor Version 252 | directly or indirectly infringes any patent, then the rights granted to 253 | You by any and all Contributors for the Covered Software under Section 254 | 2.1 of this License shall terminate. 255 | 256 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all 257 | end user license agreements (excluding distributors and resellers) which 258 | have been validly granted by You or Your distributors under this License 259 | prior to termination shall survive termination. 260 | 261 | ************************************************************************ 262 | * * 263 | * 6. 
Disclaimer of Warranty * 264 | * ------------------------- * 265 | * * 266 | * Covered Software is provided under this License on an "as is" * 267 | * basis, without warranty of any kind, either expressed, implied, or * 268 | * statutory, including, without limitation, warranties that the * 269 | * Covered Software is free of defects, merchantable, fit for a * 270 | * particular purpose or non-infringing. The entire risk as to the * 271 | * quality and performance of the Covered Software is with You. * 272 | * Should any Covered Software prove defective in any respect, You * 273 | * (not any Contributor) assume the cost of any necessary servicing, * 274 | * repair, or correction. This disclaimer of warranty constitutes an * 275 | * essential part of this License. No use of any Covered Software is * 276 | * authorized under this License except under this disclaimer. * 277 | * * 278 | ************************************************************************ 279 | 280 | ************************************************************************ 281 | * * 282 | * 7. Limitation of Liability * 283 | * -------------------------- * 284 | * * 285 | * Under no circumstances and under no legal theory, whether tort * 286 | * (including negligence), contract, or otherwise, shall any * 287 | * Contributor, or anyone who distributes Covered Software as * 288 | * permitted above, be liable to You for any direct, indirect, * 289 | * special, incidental, or consequential damages of any character * 290 | * including, without limitation, damages for lost profits, loss of * 291 | * goodwill, work stoppage, computer failure or malfunction, or any * 292 | * and all other commercial damages or losses, even if such party * 293 | * shall have been informed of the possibility of such damages. 
This * 294 | * limitation of liability shall not apply to liability for death or * 295 | * personal injury resulting from such party's negligence to the * 296 | * extent applicable law prohibits such limitation. Some * 297 | * jurisdictions do not allow the exclusion or limitation of * 298 | * incidental or consequential damages, so this exclusion and * 299 | * limitation may not apply to You. * 300 | * * 301 | ************************************************************************ 302 | 303 | 8. Litigation 304 | ------------- 305 | 306 | Any litigation relating to this License may be brought only in the 307 | courts of a jurisdiction where the defendant maintains its principal 308 | place of business and such litigation shall be governed by laws of that 309 | jurisdiction, without reference to its conflict-of-law provisions. 310 | Nothing in this Section shall prevent a party's ability to bring 311 | cross-claims or counter-claims. 312 | 313 | 9. Miscellaneous 314 | ---------------- 315 | 316 | This License represents the complete agreement concerning the subject 317 | matter hereof. If any provision of this License is held to be 318 | unenforceable, such provision shall be reformed only to the extent 319 | necessary to make it enforceable. Any law or regulation which provides 320 | that the language of a contract shall be construed against the drafter 321 | shall not be used to construe this License against a Contributor. 322 | 323 | 10. Versions of the License 324 | --------------------------- 325 | 326 | 10.1. New Versions 327 | 328 | Mozilla Foundation is the license steward. Except as provided in Section 329 | 10.3, no one other than the license steward has the right to modify or 330 | publish new versions of this License. Each version will be given a 331 | distinguishing version number. 332 | 333 | 10.2. 
Effect of New Versions 334 | 335 | You may distribute the Covered Software under the terms of the version 336 | of the License under which You originally received the Covered Software, 337 | or under the terms of any subsequent version published by the license 338 | steward. 339 | 340 | 10.3. Modified Versions 341 | 342 | If you create software not governed by this License, and you want to 343 | create a new license for such software, you may create and use a 344 | modified version of this License if you rename the license and remove 345 | any references to the name of the license steward (except to note that 346 | such modified license differs from this License). 347 | 348 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 349 | Licenses 350 | 351 | If You choose to distribute Source Code Form that is Incompatible With 352 | Secondary Licenses under the terms of this version of the License, the 353 | notice described in Exhibit B of this License must be attached. 354 | 355 | Exhibit A - Source Code Form License Notice 356 | ------------------------------------------- 357 | 358 | This Source Code Form is subject to the terms of the Mozilla Public 359 | License, v. 2.0. If a copy of the MPL was not distributed with this 360 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 361 | 362 | If it is not possible or desirable to put the notice in a particular 363 | file, then You may include the notice in a location (such as a LICENSE 364 | file in a relevant directory) where a recipient would be likely to look 365 | for such a notice. 366 | 367 | You may add additional accurate notices of copyright ownership. 368 | 369 | Exhibit B - "Incompatible With Secondary Licenses" Notice 370 | --------------------------------------------------------- 371 | 372 | This Source Code Form is "Incompatible With Secondary Licenses", as 373 | defined by the Mozilla Public License, v. 2.0. 
374 | --------------------------------------------------------------------------------