mikarinneoracle/vm-based-virus-scanning-with-terraform

Instructions

Create OL8 VM image

  • Using the Cloud UI, create a VM with temporary ssh access (the Bastion service can be used if preferred)
  • Install the oci cli (it will be authorized as an instance principal)
  • Install uvscan. I downloaded the Command Line Scanner for Linux-64bit free trial from https://www.trellix.com/en-us/downloads/trials.html?selectedTab=endpointprotection and then copied the file to the VM instance over ssh using scp, e.g.:
scp cls-l64-703-e.tar.gz opc@141.144.201.144:/tmp
  • Access the VM over ssh and add /home/opc/scan.sh (modify the region if necessary)
  • Also downloaded the uvscan datafile and then moved it to its place (in uvscan):
wget https://update.nai.com/products/commonupdater/current/vscandat1000/dat/0000/avvdat-10629.zip

Create Dynamic Groups for Policies

  • scanning_fn
ALL {resource.type = 'fnfunc', resource.compartment.id = 'ocid1.compartment.oc1..u5ripl2whnznhmvgiqdatqgq'}
  • scanning_agent
ANY {instance.compartment.id = 'ocid1.compartment.oc1..u5ripl2whnznhmvgiqdatqgq'}

Create policies

  • scanning_fn

This should be enough:

Allow dynamic-group scanning_fn to manage instance-agent-command-family in compartment <YOUR COMPARTMENT>

However, I used a policy with broader access to make it work:

Allow dynamic-group scanning_fn to manage all-resources in compartment <YOUR COMPARTMENT>
  • scanning_agent
Allow dynamic-group scanning_agent to use instance-agent-command-execution-family in compartment <YOUR COMPARTMENT> where request.instance.id=target.instance.id
Allow dynamic-group scanning_agent to manage objects in compartment <YOUR COMPARTMENT> where all {target.bucket.name = 'scanning'}
Allow dynamic-group scanning_agent to use instance-agent-command-execution-family in compartment <YOUR COMPARTMENT>

Create OCIR for Function

  • In the Cloud UI, create a Container Registry repository named scanning for the Function created in the next step

Create Function

  • In the Cloud UI, create an Application named scanning
  • Enable logging for the Application

In Cloud Shell / Cloud Code Editor:

  • Clone the repo to localhost or Cloud Shell and cd to /scanning
  • Follow the Application's "Getting Started" instructions to create the Function scanning
  • Copy/paste func.py, func.yaml and requirements.txt into the Function directory
  • Finally run (as part of the getting started):
fn -v deploy --app scanning

This builds and pushes the OCIR image and deploys the Function scanning to the Application.

Create Object Storage Bucket and Events using Terraform

In Cloud Shell or on localhost:

  • Clone the repo and cd to /terraform
  • Update vars.tf with the compartment and region used
  • Update vars.tf function_id with the OCID of the scanning Function created in the previous step
  • Update vars.tf compartment in event_condition, clean_event_condition and infected_event_condition
  • Run terraform init and terraform apply

Running apply will create:

  • Three Object Storage buckets: scanning, scanned and scanning-alert-report
  • An Event that kicks off the Function to create the scanning environment using Resource Manager and then scan the uploaded object using the VM instance agent and the scanning script
  • An Event that kicks off the Function to delete the environment using Resource Manager after the scanning is done

To delete these resources, run terraform destroy from Cloud Shell or locally.

Create Resource Manager Stack

On localhost:

  • Clone the repo and cd to /resource_manager locally
  • Update versions.tf for the region used
  • Update vars.tf for the VM image OCID, compartment and region/AD used. This can also be done in the next step in Resource Manager.
  • Create the Resource Manager Stack in the Cloud UI by dragging and dropping the folder /resource_manager from localhost
  • Copy the OCID of the Stack for the next step, Configure Function

When the Function is run using the Resource Manager stack, it creates (and then destroys once the scan is done):

  • A VCN with a private subnet (no access from outside; add a Bastion Service if access is needed)
  • A VM instance in the VCN private subnet, built from the VM image created earlier
  • The Function then uses the instance agent to execute the uvscan shell script on the VM instance

Configure Function

  • Configure the STACK_OCID, COMPARTMENT_OCID and COMMAND parameters for the Function to run

VM Instance-Agent Run COMMAND:

sudo -u opc /home/opc/scan.sh
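The repository's scan.sh itself is not reproduced on this page. As an added example (not the project's own code), the script below shows how a scan script can decide from the uvscan summary report whether a result belongs in the scanned bucket or in scanning-alert-report, matching the clean and infected events created by the Terraform step. The bucket names are taken from this page; the sample report texts are constructed.

```sh
#!/bin/sh
# Added example, not the repository's scan.sh: route a uvscan result to the
# bucket the README's events expect (scanned = clean, scanning-alert-report =
# anything else) by parsing the counters of the "Summary Report" uvscan writes
# with --summary. The report texts below are constructed for this example.

# Print the integer after a "Label:....... N" counter line; empty if absent.
summary_counter() {   # $1 = report file, $2 = label
    sed -n "s/^$2:\.* *\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# Print the destination bucket and return 0 only for a fully clean scan.
# A missing or non-numeric counter (truncated report, scanner crash) is treated
# as a failed scan and goes to the alert bucket: never clean by default.
classify_report() {
    for label in "Clean" "Not Scanned" "Possibly Infected" "Objects Possibly Infected"; do
        v=$(summary_counter "$1" "$label")
        case "$v" in ""|*[!0-9]*) echo "scanning-alert-report"; return 1 ;; esac
    done
    if [ "$(summary_counter "$1" "Possibly Infected")" -eq 0 ] \
       && [ "$(summary_counter "$1" "Objects Possibly Infected")" -eq 0 ] \
       && [ "$(summary_counter "$1" "Not Scanned")" -eq 0 ] \
       && [ "$(summary_counter "$1" "Clean")" -ge 1 ]; then
        echo "scanned"; return 0
    fi
    echo "scanning-alert-report"; return 1
}

# Constructed sample reports in the layout shown on this page.
CLEAN_REPORT=$(mktemp); INFECTED_REPORT=$(mktemp); TRUNCATED_REPORT=$(mktemp)
trap 'rm -f "$CLEAN_REPORT" "$INFECTED_REPORT" "$TRUNCATED_REPORT"' EXIT
cat >"$CLEAN_REPORT" <<'EOF'
Summary Report on /home/opc/scandir
File(s)
Total files:................... 1
Total Objects:................. 64
Clean:......................... 1
Not Scanned:................... 0
Possibly Infected:............. 0
Objects Possibly Infected:..... 0
EOF
# Infected variant: Clean drops to 0, both "Possibly Infected" counters become 1.
sed -e 's/^Clean:\(\.*\) 1/Clean:\1 0/' -e 's/Infected:\(\.*\) 0/Infected:\1 1/' \
    "$CLEAN_REPORT" >"$INFECTED_REPORT"
printf 'Time: 00:00:01\n' >"$TRUNCATED_REPORT"   # summary never written

for r in "$CLEAN_REPORT" "$INFECTED_REPORT" "$TRUNCATED_REPORT"; do
    bucket=$(classify_report "$r") || true
    # scan.sh would now upload as the instance principal, e.g.:
    # oci os object put --bucket-name "$bucket" --file "$r" --name report.txt
    echo "$r -> $bucket"
done
```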

Upload a .zip file

  • Use the oci cli:
oci os object put --bucket-name scanning --region eu-amsterdam-1 --file GCN-oke.zip
  • To use curl, first create a PAR (pre-authenticated request) for the bucket scanning with "Permit object writes" using the Cloud UI, and then use a curl command (example):
curl -T GCN-oke.zip https://objectstorage.eu-amsterdam-1.oraclecloud.com/p/0ZBlo1e.....caMjhEfRsjcg5/n/frsxwtjslf35/b/scanning/o/

Scanning report example

Scanning report for the GCN-oke.zip file used in the examples above. The report is saved to the target bucket along with the scanned file:

Command Line Scanner for Linux64 Version: 7.0.4.835
Copyright (C) 2024 Musarubra US LLC.
EVALUATION COPY - March 21 2024

AV Engine version: 6700.10107 for Linux64.

Dat set version: 11019 created Mar 20 2024 Scanning for 596817 viruses, trojans and variants.

2024-Mar-21 13:28:00

Options: -v --unzip --analyze --summary --afc 512 --program --mime --recursive --threads=4 --report=/home/opc/report.txt --rptall --rptcor --rpterr --rptobjects /home/opc/scandir

/home/opc/scandir/GCN-oke.zip/micronaut-cli.yml ... is OK.
/home/opc/scandir/GCN-oke.zip/.gitkeep ... is OK.
/home/opc/scandir/GCN-oke.zip/.gitkeep ... is OK.
/home/opc/scandir/GCN-oke.zip/Application.java ... is OK.
/home/opc/scandir/GCN-oke.zip/OciTest.java ... is OK.
/home/opc/scandir/GCN-oke.zip/LICENSE ... is OK.
/home/opc/scandir/GCN-oke.zip/NOTICE ... is OK.
/home/opc/scandir/GCN-oke.zip/logback.xml ... is OK.
/home/opc/scandir/GCN-oke.zip/application-oraclecloud.properties ... is OK.
/home/opc/scandir/GCN-oke.zip/bootstrap-oraclecloud.properties ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/MANIFEST.MF ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/DEPENDENCIES ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/LICENSE ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/NOTICE ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/BootstrapMainStarter.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/DefaultDownloader$1.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/DefaultDownloader$SystemPropertiesProxyAuthenticator.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/DefaultDownloader.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/Downloader.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/Installer$1.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/Installer.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/Logger.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/MavenWrapperMain.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/PathAssembler$LocalDistribution.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/PathAssembler.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/SystemPropertiesHandler.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/WrapperConfiguration.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/WrapperExecutor.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/AbstractCommandLineConverter.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/AbstractPropertiesCommandLineConverter.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/CommandLineArgumentException.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/CommandLineConverter.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/CommandLineOption.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/CommandLineParser$1.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/CommandLineParser$AfterFirstSubCommand.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/CommandLineParser$AfterOptions.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/CommandLineParser$BeforeFirstSubCommand.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/CommandLineParser$CaseInsensitiveStringComparator.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/CommandLineParser$KnownOptionParserState.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/CommandLineParser$MissingOptionArgState.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/CommandLineParser$OptionAwareParserState.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/CommandLineParser$OptionComparator.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/CommandLineParser$OptionParserState.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/CommandLineParser$OptionString.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/CommandLineParser$OptionStringComparator.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/CommandLineParser$ParserState.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/CommandLineParser$UnknownOptionParserState.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/CommandLineParser.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/ParsedCommandLine.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/ParsedCommandLineOption.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/ProjectPropertiesCommandLineConverter.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/SystemPropertiesCommandLineConverter.class ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/pom.xml ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar/pom.properties ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.jar ... is OK.
/home/opc/scandir/GCN-oke.zip/maven-wrapper.properties ... is OK.
/home/opc/scandir/GCN-oke.zip/mvnw ... is OK.
/home/opc/scandir/GCN-oke.zip/mvnw.bat ... is OK.
/home/opc/scandir/GCN-oke.zip/pom.xml ... is OK.
/home/opc/scandir/GCN-oke.zip/.gitignore ... is OK.
/home/opc/scandir/GCN-oke.zip/pom.xml ... is OK.
/home/opc/scandir/GCN-oke.zip/pom.xml ... is OK.
/home/opc/scandir/GCN-oke.zip/README.md ... is OK.
/home/opc/scandir/GCN-oke.zip ... is OK.

Summary Report on /home/opc/scandir
File(s)
Total files:................... 1
Total Objects:................. 64
Clean:......................... 1
Not Scanned:................... 0
Possibly Infected:............. 0
Objects Possibly Infected:..... 0

Time: 00:00:01

Thank you for choosing to evaluate Command Line Scanner from Trellix. This version of the software is for Evaluation Purposes Only and may be used for up to 30 days to determine if it meets your requirements. To license the software, or to obtain assistance during the evaluation process, please refer to https://www.trellix.com/en-us/contact-us/demo-request-form.html (Choose Endpoint/Infrastructure Security). If you choose not to license the software, you need to remove it from your system. All use of this software is conditioned upon compliance with the license terms set forth in the README.TXT file.

About

Scanning zip files with uvscan
