Posted on January 1, 0001
The Carbon Black SDK provides a framework for easilly creating arbitrary connectors and integrations with Carbon Black products. The cb-integration project provides python libraries for generic integrations, a specialized framework for binary analysis connectors. See the source code in the cb-integration repo for implementation details.
The CBSDK is cross platform, and should work on any environment that has docker 1.7+ and docker-compose.
At its core, the CBSDK provides a lightweight linux container, for connectors -
that can be pulled from dockerhub with:
$ docker pull cbdevnetwork/cbsdk .
This container provides an environment with the appropriate python dependencies already installed - the CBAPI bindings for python, and the cb-integration code. The SDK provides a light wrapper around supervisor - which manages connectors where intictl did in the past. This allows developers to shunt a lot of responsibility over to supervisord: auto restarts, log rotation/compacting , monitoring, etc.
Connectors are thereby simplified from stand-alone RPMs with binaries, to simple python scripts managed by supervisor.
This integration SDK can, in principle, manage the execution of arbitrary services and is language and technology agnostic. Developers already familiar with supervisor should have no problem adapting to this new framework.
The SDK provides a docker-compose configuration. This mounts a target volume directory containing subdirectories for each desired connector, internally providing relevant configuration files, etc.
This mounted directory becomes
/vol within the CBSDK container, and
the supervisor daemon will manage any directories created within, so long as
they have their own supervisord.conf. The connector level supervisord.conf can control the startup
and shutdown of any dependent services the connector may rely on, for instance a database.
The CBSDK requires docker 1.71+ and docker-compose to be available on the target.
By default, a react based UI is available on port 5000 - this can be changed
docker-compose.yml . This is an extension of the basic supervisor UI - each connector
can provide an xmlprc interface extension that will be automatically loaded and integrated within the
UI to provide custom actions for each connector. Supervisor’s base RPC interface provides for logging,
log rotation, startup and shutdown, status etc. A custom connector level rpc interface can
extend this to provide distinct features like “Lookup a binary by md5”, “Rescan binary by md5” etc.
See the yaraconnector and supervisor’s xmlrpc interface documentation for details on how to do this.
The CBSDK project comes with the yara-connector loaded as a submodule. Checkout or clone the project with git or download the archive and extract to the working directory of your choice.
git clone firstname.lastname@example.org:carbonblack/cb-integration
Move into the cb-integration directory to begin.
The YARA binary analysis connector is provided as an example, intended to serve as a guide to developers and users.
The YARA connector is provided inline in the cb integration repo as a submodule.
Supervisord is configured to montior the mounted /vol directory.
The YARA connector resides in
$ docker-compose up will raise the CBSDK container.
``` vol: yaraconnector: yaraconnector.conf supervisord.conf db: feed: ```
feed directory stores a json formatted threat intel feed produced
from the results of YARA analysis of scanned binaries.
db directory provides space to store SQLITE db files.
The supervisord.conf in the vol/yaraconnector directory:
[rpcinterface:yaraconnector] supervisor.rpcinterface_factory = yaraconnector.supervisordrpcinterface:make_custom_rpcinterface [program:redis] command=/usr/bin/redis-server user=root autostart=true autorestart=true stdout_logfile=/vol/yaraconnector/redis.log stderr_logfile=/vol/yaraconnector/redis.log [program:yaraconnector] directory=/vol/yaraconnector stdout_logfile=/vol/yaraconnector/yaraconnector.log stderr_logfile=/vol/yaraconnector/yaraconnector.log command=python3 main.py user=root autostart=true autorestart=true priority=800 [program:yara_workers] stdout_logfile=/vol/yaraconnector/yaraconnector_workers.log stderr_logfile=/vol/yaraconnector/yaraconnector_workers.log user=supervisor directory=/vol/yaraconnector command=celery -A tasks worker --autoscale=16,4 --loglevel=debug autostart=true autorestart=true priority=900
Simple stated, this
supervisord.conf controls the startup of the YARA connector
and its' dependent services. A redis DB and a celery queue (which automagically scales) for async scanning
of the desired binaries - and provides an extension to supervisorD’s xmlrpc
interface to allow yara-connector specific actions and flows. See the rpcinterface definition
in the yara-connector project for details.
yaraconnector.conf has the configuration parameters for the YARA
connector, in .ini format. Be sure to specify the parameters for connecting to
the desired carbon black environment, etc.
Development requires: Yarn (npm works too in a pinch), git, docker & docker-compose as well as NPM10+.
Clone or download this github repo:
git clone email@example.com:carbonblack/cb-integration
If your connector requires additionaln python dependencies, you can create a virtualenvironment
and add the dependencies within - and add the
environment directive to the
[program:<myconnector>] stanza in the
supervisord.conf - making sure to set PATH=$YOURVIRTUALENV/bin. This will cause
supervisord to run your connector within the desired virtual environment.
You can modify the docker-compose to use the local dockerfile when building to inject additional dependencies by commenting out the ‘image’ directive and commenting-in the provided ‘build’ and ‘dockerfile’ directives which indicate to compose how to build the image locally.
A makefile is provided for building the project and UI.
The environment in the CB SDK image has python3.6,pip, and a very up to date toolchain. If you need to add addtional dependencies that cannot be installed in a virtualenv, extend the base CBSDK image using a ‘FROM ' directive in your own dockerfile and modify the docker-compose.yml to use this modified image instead.