Merge pull request #23 from HubbleStack/develop

Merge to master (prep for v2016.10.2)

Author: basepi

FORMULA

@@ -1,7 +1,7 @@
 name: hubblestack_nebula
 os: RedHat, CentOS, Debian, Ubuntu
 os_family: RedHat, Debian
-version: 2016.9.1
+version: 2016.10.1
 release: 1
 summary: HubbleStack Nebula
 description: HubbleStack Nebula

README.rst

@@ -122,38 +122,19 @@ These queries have been designed to give detailed insight into system activity.
 Schedule
 --------
 
-Nebula is designed to be used on a schedule. Here is a set of sample schedules
-for use with the sample queries.
+Nebula is meant to be run on a schedule. Unfortunately, in it's present state,
+the Salt scheduler has a memory leak. Pending a solution we're suggesting the
+use of cron for the scheduled jobs:
 
-**hubble_nebula.sls (cont.)**
+**/etc/cron.d/hubble**
 
 .. code-block:: yaml
 
-    schedule:
-      nebula_fifteen_min:
-        function: nebula.queries
-        seconds: 900
-        args:
-          - fifteen_min
-        returner: splunk_nebula_return
-        return_job: False
-        run_on_start: False
-      nebula_hour:
-        function: nebula.queries
-        seconds: 3600
-        args:
-          - hour
-        returner: splunk_nebula_return
-        return_job: False
-        run_on_start: False
-      nebula_day:
-        function: nebula.queries
-        seconds: 86400
-        args:
-          - day
-        returner: splunk_nebula_return
-        return_job: False
-        run_on_start: False
+    MAILTO=""
+    SHELL=/bin/bash
+    */15 * * * * root /usr/bin/salt '*' nebula.queries fifteen_min --return splunk_nebula_return
+    @hourly      root /usr/bin/salt '*' nebula.queries hour --return splunk_nebula_return
+    @daily       root /usr/bin/salt '*' nebula.queries day --return splunk_nebula_return
 
 .. _nebula_configuration:
 

hubblestack_nebula/hubblestack_nebula_queries.yaml

@@ -1,12 +1,12 @@
 fifteen_min:
   - query_name: running_procs
-    query: SELECT p.name AS process, p.pid AS process_id, p.cmdline, p.cwd, p.on_disk, p.resident_size AS mem_used, p.parent, g.groupname, u.username AS user, p.path, h.md5, h.sha1, h.sha256 FROM processes AS p LEFT JOIN users AS u ON p.uid=u.uid LEFT JOIN groups AS g ON p.gid=g.gid LEFT JOIN hash AS h ON p.path=h.path;
+    query: SELECT p.name AS process, p.pid AS process_id, p.cmdline, p.cwd, p.on_disk, p.resident_size AS mem_used, p.parent, g.groupname, u.username AS user, p.path, h.md5, h.sha1, h.sha256 FROM processes AS p LEFT JOIN users AS u ON p.uid=u.uid LEFT JOIN groups AS g ON p.gid=g.gid LEFT JOIN hash AS h ON p.path=h.path WHERE parent IS NOT 2 AND username NOTNULL AND process NOTNULL AND parent NOTNULL;
   - query_name: established_outbound
     query: SELECT t.iso_8601 AS _time, pos.family, h.*, ltrim(pos.local_address, ':f') AS src, pos.local_port AS src_port, pos.remote_port AS dest_port, ltrim(remote_address, ':f') AS dest, name, p.path AS file_path, cmdline, pos.protocol, lp.protocol FROM process_open_sockets AS pos JOIN processes AS p ON p.pid=pos.pid LEFT JOIN time AS t LEFT JOIN (SELECT * FROM listening_ports) AS lp ON lp.port=pos.local_port AND lp.protocol=pos.protocol LEFT JOIN hash AS h ON h.path=p.path WHERE NOT remote_address='' AND NOT remote_address='::' AND NOT remote_address='0.0.0.0' AND NOT remote_address='127.0.0.1' AND port is NULL;
   - query_name: listening_procs
     query:  SELECT t.iso_8601 AS _time, h.md5 AS md5, p.pid, name, ltrim(address, ':f') AS address, port, p.path AS file_path, cmdline, root, parent FROM listening_ports AS lp LEFT JOIN processes AS p ON lp.pid=p.pid LEFT JOIN time AS t LEFT JOIN hash AS h ON h.path=p.path WHERE NOT address='127.0.0.1';
   - query_name: suid_binaries
-    query: SELECT sb.*, t.iso_8601 AS _time FROM suid_bin AS sb JOIN time AS t;
+    query: SELECT sb.*, t.iso_8601 AS _time, h.sha1, h.sha256 FROM suid_bin AS sb JOIN time AS t LEFT JOIN hash AS h ON sb.path=h.path;
 hour:
   - query_name: crontab
     query: SELECT c.*,t.iso_8601 AS _time FROM crontab AS c JOIN time AS t;