osxstrata

This project is not being actively maintained and will probably stay that way, as we have all moved on from the company that we built this for.

OS X Strata builds upon Yelp's OSXCollector (http://yelp.github.io/osxcollector/), providing a user interface to analyze data collected from a potentially compromised system.

Currently there are two ways that you can run OSXStrata:

  1. Run from the git directory (quick and easy).
  2. Run as an application.

We are working on a third option, a Docker container. We hope to have that done in the next couple of weeks.

This probably goes without saying, but this app should only be used internally.

Pre Installation Checklist

  1. Xcode is needed if you plan to use git to clone the project code (OS X only, obviously).

  2. pip (package manager) needs to be installed:

sudo easy_install pip

  3. Install the required Python modules (pymongo 2.8 is required, so pin it):

sudo pip install pymongo==2.8
sudo pip install requests
sudo pip install simplejson

  4. Install Meteor:

curl https://install.meteor.com/ | sh

1. Running from the git directory.

OS X & Linux

git clone <insert git repo>
export PATH_TO_SCRIPTS=<path> MONGO_CONNECT=mongodb://localhost:3001/
meteor run

2. Run as an application.

OS X Build App Option 1: Ensure the pre-installation checklist is done.

meteor build osxstrata
cd osxstrata
mv osxstrata.tar.gz ~/directoryofchoice
cd ~/directoryofchoice
tar -xvf osxstrata.tar.gz

Unpacking the archive creates a directory called bundle.

Build App Option 2: Instead of creating the tar file, you can download it from the git repo and unpack it:

tar -xvf osxstrata.tar.gz

Unpacking the archive creates a directory called bundle.

Installing Node and Mongo

Node: Download and install: https://nodejs.org/dist/v0.10.40/node-v0.10.40.pkg

Mongo: Follow these instructions: https://docs.mongodb.org/v3.0/tutorial/install-mongodb-on-os-x/

Add the mongodb/bin directory to your PATH by appending its full path to /etc/paths:

sudo vim /etc/paths
	/Users/<user>/mongodb/bin

Start mongodb

mongod --port 3001

Change to the bundle directory you created earlier and install the server dependencies.

cd <bundle>/programs/server
npm install

Start the app

cd bundle
env PORT=3000 PATH_TO_SCRIPTS=<path> MONGO_CONNECT=mongodb://localhost:3001/ ROOT_URL=http://localhost MONGO_URL=mongodb://localhost:3001/meteor node main.js

Linux Build App Option 1: Ensure the pre-installation checklist is done.

meteor build osxstrata
cd osxstrata
mv osxstrata.tar.gz ~/directoryofchoice
cd ~/directoryofchoice
tar -xvf osxstrata.tar.gz

Unpacking the archive creates a directory called bundle.

Build App Option 2: Instead of creating the tar file, you can download it from the git repo and unpack it:

tar -xvf osxstrata.tar.gz

Unpacking the archive creates a directory called bundle.

Installing Node and Mongo

Node:

wget http://nodejs.org/dist/v0.10.40/node-v0.10.40-linux-x64.tar.gz
tar -xvf node-v0.10.40-linux-x64.tar.gz
cd node-v0.10.40-linux-x64/lib/node_modules/npm/
./configure
make install

Mongo: Follow the instructions here: https://docs.mongodb.org/v3.0/tutorial/install-mongodb-on-red-hat/

Start Mongo: edit the mongod configuration file, change the port to 3001, then start the service:

sudo vim /etc/mongod.conf
service mongod start

To start the app:

cd bundle
env PORT=3000 PATH_TO_SCRIPTS=<path> MONGO_CONNECT=mongodb://localhost:3001/ ROOT_URL=http://localhost MONGO_URL=mongodb://localhost:3001/meteor node main.js

Other:

PATH_TO_SCRIPTS should point to wherever you put the scripts folder.

Link to sign up for IBM X-Force Threat Exchange: https://www.ibm.com/account/profile/us?page=reg

Sign up for the public VirusTotal API: https://www.virustotal.com/

USAGE:

An OSXCollector JSON file can be imported from the UI or the CLI.

export MONGO_CONNECT=mongodb://localhost:3001/ PATH_TO_SCRIPTS=/full/path/osxstrata/scripts/

python scripts/strata -h 

-a             Import Json File and Run Analysis
               -a <Path to File>

-n             Import Json File
               -n <Path to File>

-r             Remove all imported data from Project Collection
-ri            Remove a specific incident from Project Collection
               -ri <osxcollector_incident_id>

--virusTotal   Send either hash or domain/url to VirusTotal API
               --virusTotal --hash <md5>
               --virusTotal <domain/url>

--ibmXforce    Send either hash or domain/url to IBM Xforce API
               --ibmXforce --hash <md5>
               --ibmXforce <domain/url>

-h             This Help Menu

Example

python scripts/strata.py -a doom.json
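As an added example (not part of the osxstrata project), here is a small Python pre-import check for the OSXCollector file that `-a` and `-n` consume: it parses the newline-delimited JSON records, counts them per incident id and section (the id that `-ri` removes), and collects the unique MD5s you would hand to `--virusTotal --hash` or `--ibmXforce --hash`, one lookup per hash. The field names `osxcollector_incident_id`, `osxcollector_section`, `md5` and `file_path` are assumed from OSXCollector's output conventions, and the sample lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of OSXCollector output (one JSON object per line). Field names
# assume OSXCollector's conventions; values are made up. One line is deliberately
# malformed and one md5 is deliberately bogus, to show both are reported, not fatal.
SAMPLE_LINES = """\
{"osxcollector_incident_id": "2015_06_01-lab01", "osxcollector_section": "system_info", "hostname": "lab01"}
{"osxcollector_incident_id": "2015_06_01-lab01", "osxcollector_section": "startup", "file_path": "/Library/LaunchDaemons/com.example.plist", "md5": "d41d8cd98f00b204e9800998ecf8427e"}
{"osxcollector_incident_id": "2015_06_01-lab01", "osxcollector_section": "downloads", "file_path": "/Users/a/Downloads/doom.dmg", "md5": "0cc175b9c0f1b6a831c399e269772661"}
{"osxcollector_incident_id": "2015_06_01-lab01", "osxcollector_section": "applications", "file_path": "/Applications/Doom.app/Contents/MacOS/Doom", "md5": "0CC175B9C0F1B6A831C399E269772661"}
this line is not JSON
{"osxcollector_incident_id": "2015_06_02-lab02", "osxcollector_section": "kext", "file_path": "/Library/Extensions/x.kext", "md5": "not-a-hash"}
"""

def parse_osxcollector(text):
    """Parse newline-delimited JSON; return (records, number_of_bad_lines)."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            bad += 1
            continue
        if isinstance(obj, dict):
            records.append(obj)
        else:
            bad += 1  # a bare list or number is not an OSXCollector record
    return records, bad

def summarize_incidents(records):
    """Record counts per incident id and section: {incident_id: {section: count}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in records:
        inc = r.get("osxcollector_incident_id", "<missing>")
        summary[inc][r.get("osxcollector_section", "<missing>")] += 1
    return {inc: dict(sections) for inc, sections in summary.items()}

def unique_md5s(records):
    """Unique, well-formed MD5s (lowercased, 32 hex chars), so each is looked up once."""
    hashes = set()
    for r in records:
        h = str(r.get("md5", "")).lower()
        if len(h) == 32 and all(c in "0123456789abcdef" for c in h):
            hashes.add(h)
    return sorted(hashes)
```

Run it against a real collection by replacing SAMPLE_LINES with the contents of the OSXCollector JSON file; a non-zero bad-line count is worth resolving before `-a` imports the file.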
