simplified by removing EXTRACTED_FILE_HTTP_SERVER_ENCRYPT variable, j…

…ust base it off of whether or not EXTRACTED_FILE_HTTP_SERVER_KEY is set (idaholab#288)
mmguero-dev · Dec 21, 2023 · 4667291 · 4667291
1 parent 34aeea0
commit 4667291
Show file tree

Hide file tree

Showing 7 changed files with 8 additions and 34 deletions.
diff --git a/Dockerfiles/file-monitor.Dockerfile b/Dockerfiles/file-monitor.Dockerfile
@@ -49,8 +49,7 @@ ARG EXTRACTED_FILE_ENABLE_CAPA=false
 ARG EXTRACTED_FILE_CAPA_VERBOSE=false
 ARG EXTRACTED_FILE_HTTP_SERVER_DEBUG=false
 ARG EXTRACTED_FILE_HTTP_SERVER_ENABLE=false
-ARG EXTRACTED_FILE_HTTP_SERVER_ENCRYPT=false
-ARG EXTRACTED_FILE_HTTP_SERVER_ZIP=false
+ARG EXTRACTED_FILE_HTTP_SERVER_ZIP=true
 ARG EXTRACTED_FILE_HTTP_SERVER_KEY=infected
 ARG EXTRACTED_FILE_HTTP_SERVER_PORT=8440
 
@@ -90,7 +89,6 @@ ENV CAPA_DIR "/opt/capa"
 ENV CAPA_BIN "${CAPA_DIR}/capa"
 ENV EXTRACTED_FILE_HTTP_SERVER_DEBUG $EXTRACTED_FILE_HTTP_SERVER_DEBUG
 ENV EXTRACTED_FILE_HTTP_SERVER_ENABLE $EXTRACTED_FILE_HTTP_SERVER_ENABLE
-ENV EXTRACTED_FILE_HTTP_SERVER_ENCRYPT $EXTRACTED_FILE_HTTP_SERVER_ENCRYPT
 ENV EXTRACTED_FILE_HTTP_SERVER_ZIP $EXTRACTED_FILE_HTTP_SERVER_ZIP
 ENV EXTRACTED_FILE_HTTP_SERVER_KEY $EXTRACTED_FILE_HTTP_SERVER_KEY
 ENV EXTRACTED_FILE_HTTP_SERVER_PORT $EXTRACTED_FILE_HTTP_SERVER_PORT

diff --git a/config/zeek.env.example b/config/zeek.env.example
@@ -51,8 +51,6 @@ EXTRACTED_FILE_PIPELINE_VERBOSITY=
 EXTRACTED_FILE_HTTP_SERVER_ENABLE=false
 # Whether or not Zeek-extracted files served over HTTP will be archived in a Zip file
 EXTRACTED_FILE_HTTP_SERVER_ZIP=false
-# Whether or not Zeek-extracted files served over HTTP will be AES-256-CBC-encrypted
-EXTRACTED_FILE_HTTP_SERVER_ENCRYPT=true
 # Environment variables for tweaking Zeek at runtime (see local.zeek)
 #   Set to any non-blank value to disable the corresponding feature
 ZEEK_DISABLE_HASH_ALL_FILES=

diff --git a/docs/malcolm-config.md b/docs/malcolm-config.md
@@ -82,8 +82,7 @@ Although the configuration script automates many of the following configuration
     - `EXTRACTED_FILE_ENABLE_YARA` – if set to `true`, [Zeek-extracted files](file-scanning.md#ZeekFileExtraction) will be scanned with [Yara](https://github.com/VirusTotal/yara)
     - `EXTRACTED_FILE_HTTP_SERVER_ENABLE` – if set to `true`, the directory containing [Zeek-extracted files](file-scanning.md#ZeekFileExtraction) will be served over HTTP at `./extracted-files/` (e.g., **https://localhost/extracted-files/** if connecting locally)
     - `EXTRACTED_FILE_HTTP_SERVER_ZIP` – if to `true`, the Zeek-extracted files will be archived in a ZIP file upon download
-    - `EXTRACTED_FILE_HTTP_SERVER_ENCRYPT` – if to `true`, the Zeek-extracted files will be AES-256-CBC-encrypted in an `openssl enc`-compatible format (e.g., `openssl enc -aes-256-cbc -d -in example.exe.encrypted -out example.exe`) upon download
-    - `EXTRACTED_FILE_HTTP_SERVER_KEY` – specifies the password for the ZIP archive if `EXTRACTED_FILE_HTTP_SERVER_ZIP` is `true`; otherwise, this specifies the AES-256-CBC decryption password for encrypted Zeek-extracted files if `EXTRACTED_FILE_HTTP_SERVER_ENCRYPT` is `true`
+    - `EXTRACTED_FILE_HTTP_SERVER_KEY` – specifies the password for the ZIP archive if `EXTRACTED_FILE_HTTP_SERVER_ZIP` is `true`; otherwise, this specifies the decryption password for encrypted Zeek-extracted files in an `openssl enc`-compatible format (e.g., `openssl enc -aes-256-cbc -d -in example.exe.encrypted -out example.exe`)
     - `EXTRACTED_FILE_IGNORE_EXISTING` – if set to `true`, files extant in `./zeek-logs/extract_files/`  directory will be ignored on startup rather than scanned
     - `EXTRACTED_FILE_PRESERVATION` – determines behavior for preservation of [Zeek-extracted files](file-scanning.md#ZeekFileExtraction)
     - `EXTRACTED_FILE_UPDATE_RULES` – if set to `true`, file scanner engines (e.g., ClamAV, Capa, Yara) will periodically update their rule definitions (default `false`)

diff --git a/file-monitor/supervisord.conf b/file-monitor/supervisord.conf
@@ -153,7 +153,6 @@ redirect_stderr=true
 command=/usr/local/bin/zeek_carved_http_server.py
   --port %(ENV_EXTRACTED_FILE_HTTP_SERVER_PORT)s
   --zip %(ENV_EXTRACTED_FILE_HTTP_SERVER_ZIP)s
-  --encrypt %(ENV_EXTRACTED_FILE_HTTP_SERVER_ENCRYPT)s
   --directory /zeek/extract_files
 autostart=%(ENV_EXTRACTED_FILE_HTTP_SERVER_ENABLE)s
 autorestart=%(ENV_EXTRACTED_FILE_HTTP_SERVER_ENABLE)s

diff --git a/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh b/scripts/demo/amazon_linux_2_malcolm_demo_setup.sh
@@ -553,7 +553,6 @@ function InstallMalcolm {
         "EXTRACTED_FILE_ENABLE_CLAMAV:'true'"
         "EXTRACTED_FILE_ENABLE_YARA:'true'"
         "EXTRACTED_FILE_HTTP_SERVER_ENABLE:'true'"
-        "EXTRACTED_FILE_HTTP_SERVER_ENCRYPT:'false'"
         "EXTRACTED_FILE_IGNORE_EXISTING:'true'"
         "EXTRACTED_FILE_PRESERVATION:'all'"
         "FREQ_LOOKUP:'true'"

diff --git a/scripts/install.py b/scripts/install.py
@@ -1786,14 +1786,6 @@ def tweak_malcolm_runtime(self, malcolm_install_path):
                 'EXTRACTED_FILE_HTTP_SERVER_ZIP',
                 TrueOrFalseNoQuote(fileCarveHttpServerZip),
             ),
-            # encrypt HTTP server for extracted files
-            EnvValue(
-                os.path.join(args.configDir, 'zeek.env'),
-                'EXTRACTED_FILE_HTTP_SERVER_ENCRYPT',
-                TrueOrFalseNoQuote(
-                    fileCarveHttpServer and (len(fileCarveHttpServeEncryptKey) > 0) and (not fileCarveHttpServerZip)
-                ),
-            ),
             # key for encrypted HTTP-served extracted files (' -> '' for escaping in YAML)
             EnvValue(
                 os.path.join(args.configDir, 'zeek-secret.env'),

diff --git a/shared/bin/zeek_carved_http_server.py b/shared/bin/zeek_carved_http_server.py
@@ -3,7 +3,8 @@
 
 # Multithreaded simple HTTP directory server.
 #
-# The files can optionally be aes-256-cbc encrypted in a way that's compatible with:
+# The files can optionally be archived in a ZIP file, with or without a password, or
+# be aes-256-cbc encrypted in a way that's compatible with:
 #   openssl enc -aes-256-cbc -d -in encrypted.data -out decrypted.data
 
 import argparse
@@ -89,12 +90,12 @@ def do_GET(self):
                                 self.wfile.write(chunk)
 
                 else:
-                    # encrypted ZIP file (streamed)
+                    # unprotected ZIP file (streamed)
                     for chunk in stream_zip(LocalFilesForZip([fullpath])):
                         self.wfile.write(chunk)
 
-            elif args.encrypt:
-                # encrypted file
+            elif args.key:
+                # openssl-compatible encrypted file
                 self.send_response(200)
                 self.send_header('Content-type', 'application/octet-stream')
                 self.send_header('Content-Disposition', f'attachment; filename={os.path.basename(fullpath)}.encrypted')
@@ -149,7 +150,6 @@ def main():
     global orig_path
 
     defaultDebug = os.getenv('EXTRACTED_FILE_HTTP_SERVER_DEBUG', 'false')
-    defaultEncrypt = os.getenv('EXTRACTED_FILE_HTTP_SERVER_ENCRYPT', 'false')
     defaultZip = os.getenv('EXTRACTED_FILE_HTTP_SERVER_ZIP', 'false')
     defaultPort = int(os.getenv('EXTRACTED_FILE_HTTP_SERVER_PORT', 8440))
     defaultKey = os.getenv('EXTRACTED_FILE_HTTP_SERVER_KEY', 'infected')
@@ -187,22 +187,11 @@ def main():
         type=str,
         default=defaultDir,
     )
-    parser.add_argument(
-        '-e',
-        '--encrypt',
-        dest='encrypt',
-        type=str2bool,
-        nargs='?',
-        const=True,
-        default=defaultEncrypt,
-        metavar='true|false',
-        help=f"Encrypt files (with -z/--zip, or with aes-256-cbc) ({defaultEncrypt})",
-    )
     parser.add_argument(
         '-k',
         '--key',
         dest='key',
-        help="File encryption key",
+        help="File encryption key (for ZIP file if -z/--zip, otherwise openssl-compatible encryption",
         metavar='<str>',
         type=str,
         default=defaultKey,