https://github.com/capesandbox/cahi

CAPE Auto-Hardened Installer

Last synced: 10 months ago

Repository

CAPE Auto-Hardened Installer

Basic Info
  • Host: GitHub
  • Owner: CAPESandbox
  • License: other
  • Language: Jinja
  • Default Branch: master
  • Size: 178 KB
Statistics
  • Stars: 21
  • Watchers: 9
  • Forks: 5
  • Open Issues: 0
  • Releases: 0
Created about 6 years ago · Last pushed over 1 year ago
Metadata Files

README.md

Introduction

CAHI (CAPE Auto-Hardened Installer) is a companion set of dedicated Ansible roles and tasks that build as secured and production-ready a local CAPE Sandbox instance as possible. The majority of the roles and tasks are ported from cape2.sh and kvm-qemu.sh. In addition, many of the anti-VM values baked into the hypervisor are randomized at run time instead of being hardcoded.

NOTE: The project is currently in a pre-alpha state and is aimed towards developers at this stage until it is more complete. Content and functionality may be added or removed with no prior notification. DO NOT RUN this against any production systems.

What is CAPE?

CAPE (Configuration and Payload Extraction) provides a dynamic and automated environment for analyzing (and debugging) malware behavior, extracting payloads (such as raw malware and N-stage binaries), as well as malware configurations (such as CnC IP addresses / domains, mutexes, bot IDs, etc.). All of this is accompanied by a myriad of built-in detections (behavior, host, network, Yara, MITRE, etc.) to depict a holistic view of the analyzed sample. Ultimately, CAPE reduces the time and effort spent on threat hunting, threat intelligence collection, incident response, and developing proactive detection / prevention strategies. For more information about CAPE, visit the official CAPE repository, or use this project to set up a testing environment and explore hands-on.

Why use Ansible to deploy CAPE?

The ultimate goal is to make CAPE Configuration-As-Code (or Infrastructure-As-Code) ready. Ansible and its associated tooling facilitate this by allowing rapid development, testing and deployment with minimal effort while opening up new scenarios and possibilities.

What does the 'Auto-Hardened' part of the name mean?

It means that the Ansible roles and tasks are built with security in mind. For example, best practices and hardening of the operating system, web server, database, etc. are implemented in an automated fashion to ensure a secured and functional CAPE instance is deployed. Implementing security and hardening from the get-go while preserving functionality is a considerable challenge, and automating it is a continuous effort.

What 'Auto-Hardened' does NOT mean is that the resulting host will be unbreakable or unhackable. Risk cannot be eliminated, but the attack surface can be reduced as much as possible, resulting in a better and more sustainable security posture (we are infosec folks after all) and, in some cases, compliance. Designing a secure architecture that meets your standards is your responsibility, not that of the roles and tasks within this project.

The project tracks security and hardening configurations that are automated, which will be made available in Security Automation Tracker.

Deployment for Production

Coming soon.

Development and Testing Scenarios

The most complete scenarios at this time are default, cape-vm and to an extent cape-cr, which still requires additional configuration and testing. For additional details on setting up the development environment and the status of each scenario, review the Development documentation. Make sure to also check the Known Issues document under the docs directory.

| Scenario  | Description                                                         | Status      |
|-----------|---------------------------------------------------------------------|-------------|
| default   | Single custom container to provision CAPE and associated services.  | Ready       |
| cape-vm   | Single VM provisioned with CAPE and services including hypervisor.  | Ready       |
| cape-cr   | Two containers, one for CAPE (and services) and one for hypervisor. | In-Progress |
| cape-ship | Container per service.                                              | One Day     |
| cape-pod  | Same as 'default' but ONLY RHEL8 / CentOS Stream and Podman.        | Ready       |

A GitHub, Molecule and Ansible CI pipeline will be introduced later as the project stabilizes. For developing on RHEL 8 / CentOS Stream with Podman, see Podman documentation.

Acknowledgements

Owner

  • Name: CAPE Sandbox
  • Login: CAPESandbox
  • Kind: organization

GitHub Events

Total
  • Watch event: 4
  • Push event: 1
  • Pull request event: 2
  • Create event: 1
Last Year
  • Watch event: 4
  • Push event: 1
  • Pull request event: 2
  • Create event: 1

Issues and Pull Requests

Last synced: 10 months ago

All Time
  • Total issues: 0
  • Total pull requests: 1
  • Average time to close issues: N/A
  • Average time to close pull requests: 37 minutes
  • Total issue authors: 0
  • Total pull request authors: 1
  • Average comments per issue: 0
  • Average comments per pull request: 0.0
  • Merged pull requests: 1
  • Bot issues: 0
  • Bot pull requests: 1
Past Year
  • Issues: 0
  • Pull requests: 1
  • Average time to close issues: N/A
  • Average time to close pull requests: 37 minutes
  • Issue authors: 0
  • Pull request authors: 1
  • Average comments per issue: 0
  • Average comments per pull request: 0.0
  • Merged pull requests: 1
  • Bot issues: 0
  • Bot pull requests: 1
Top Authors
Issue Authors
  • acr-varonis (1)
Pull Request Authors
  • dependabot[bot] (5)
Top Labels
Issue Labels
Pull Request Labels
dependencies (5)

Dependencies

roles/dependencies/files/requirements.txt pypi
  • Pebble *
  • PyCrypto *
  • SFlock2 ==0.3.21
  • bs4 *
  • capstone *
  • chardet *
  • cryptography ==3.3.2
  • cython *
  • distorm3 *
  • django >3
  • django-crispy-forms *
  • django-csp *
  • django-extensions *
  • django-otp *
  • django-settings-export *
  • djangorestframework *
  • dnspython *
  • dpkt *
  • flor *
  • future *
  • geoip *
  • gevent ==20.4.0
  • greenlet ==0.4.16
  • imagehash *
  • java-random *
  • jinja2 *
  • jsbeautifier *
  • maec *
  • markupsafe *
  • matplotlib >=2.2.2
  • mixbox *
  • mwcp *
  • netstruct *
  • networkx >=2.1
  • nose *
  • numpy >=1.15.0
  • olefile *
  • oletools *
  • openpyxl *
  • passlib *
  • pefile *
  • pillow >=7
  • psutil ==5.8.0
  • pyOpenSSL *
  • pyattck ==4.0.3
  • pygal *
  • pyinstaller *
  • pymisp *
  • pymongo >=3.11.3
  • pype32-py3 *
  • pyre2 *
  • python-dateutil *
  • python-magic *
  • python-tlsh *
  • python-whois *
  • pytz *
  • pyvmomi *
  • pyzipper *
  • qrcode *
  • rarfile *
  • regex *
  • requests *
  • requests_file *
  • simplejson *
  • six >=1.12.0
  • sqlalchemy *
  • sqlalchemy-utils *
  • statistics >=1.0.3.5
  • tabulate ==0.8.9
  • tldextract *
  • voluptuous *
  • xmltodict *
  • yara-python >=4.0.0