def create_investigation(self, instance_id: str, event: object,
execution_id: str) -> str:
self.logger = get_logger(None)
instance = self.__get_instance(instance_id)
investigation_id = "{}_{}".format(
datetime.now().strftime("%Y-%m-%d.%H:%M:%S"),
instance["InstanceId"])
self.logger = get_logger(investigation_id)
self.__put(investigation_id, "alert.json", event, execution_id)
self.__put(investigation_id, "instance.json", instance, execution_id)
self.__tag(
instance_id,
[{
"Key": CLAIRE,
"Value": "Investigating"
}, {
"Key": "InvestigationId",
"Value": investigation_id
}],
)
return investigation_id
def run_memory_analysis(investigation_id: str, instance_id: str, vol: str,
bucket: str):
ssm = client("ssm")
get_logger(investigation_id)(
"Sending memory upload commands to {}".format(instance_id))
resp = ssm.send_command(
DocumentName="AWS-RunShellScript",
InstanceIds=[instance_id],
Comment="Uploading memory for investigation {}".format(
investigation_id),
TimeoutSeconds=3600,
Parameters={
"commands": [
"sudo memory_analysis.sh {} 's3://{}/{}'".format(
vol,
bucket,
investigation_id,
)
]
},
OutputS3BucketName=environ["INVESTIGATION_BUCKET"],
OutputS3KeyPrefix="{}/cmd/memory-analysis".format(investigation_id),
)
return resp["Command"]["CommandId"]
def create_investigation_from_alert(self, event: object,
execution_id: str) -> object:
self.logger = get_logger(None)
(is_investigatable, issue, err) = self.__is_investigatable(event)
if not is_investigatable:
self.logger("Event will not be investigated {} because {}".format(
event, issue))
return {
"investigation_id": None,
"instance_id": None,
"execution_arn": execution_id,
"issue": issue,
"err": err
}
instance_id = event["detail"]["resource"]["instanceDetails"][
"instanceId"]
self.logger("Instance {} will be investigated.".format(instance_id))
investigation_id = self.create_investigation(instance_id, event,
execution_id)
try:
severity = event["detail"]["severity"]
except KeyError:
severity = 0
return {
"investigation_id": investigation_id,
"instance_id": instance_id,
"execution_arn": execution_id,
"severity": severity,
"err": "",
}
def terminate_instance(investigation_id: str, instance_id: str):
ec2 = client("ec2")
logger = get_logger(investigation_id)
logger("Terminating instance {}".format(instance_id))
ec2.terminate_instances(InstanceIds=[instance_id])
logger("Terminate request succeeded")
def poll_extractor(investigation_id: str, instance_id: str):
logger = get_logger(investigation_id)
logger("Getting instance {} information".format(instance_id))
resp = client("ec2").describe_instances(InstanceIds=[instance_id])
logger("Instance information returned")
return resp["Reservations"][0]["Instances"][0]
def prepare_volume(extractor_id: str, investigation_id: str):
ssm = client("ssm")
get_logger(investigation_id)(
"Preparing memory capture volume on {}".format(extractor_id))
resp = ssm.send_command(
DocumentName="AWS-RunShellScript",
InstanceIds=[extractor_id],
Comment="CLAIRE Prepare Volume for Memory Capture of {}".format(
extractor_id),
TimeoutSeconds=3600,
Parameters={
"commands": ["sudo memory_prepare_volume.sh /dev/nvme1n1"]
},
OutputS3BucketName=environ["INVESTIGATION_BUCKET"],
OutputS3KeyPrefix="{}/cmd/prepare-memory-volume".format(
investigation_id),
)
return resp["Command"]["CommandId"]
def get_command_status(investigation_id: str, instance_id: str,
command_id: str):
ssm = client("ssm")
log = get_logger(investigation_id)
log("Checking command {} status".format(command_id))
resp = ssm.get_command_invocation(
InstanceId=instance_id,
CommandId=command_id,
)
log("Command {} status returned {}".format(command_id, resp["Status"]))
return resp["Status"]
def capture_memory(instance_id: str, volume_id: str, investigation_id: str):
ssm = client("ssm")
get_logger(investigation_id)(
"Sending memory capture commands to {}".format(instance_id))
resp = ssm.send_command(
DocumentName="AWS-RunShellScript",
InstanceIds=[instance_id],
Comment="CLAIRE Memory Capture of {} to {}".format(
instance_id,
volume_id,
),
TimeoutSeconds=3600,
Parameters={
"commands": [
"sudo mkdir -p /mnt/mem",
"sudo mount /dev/xvdm /mnt/mem",
"sudo /mnt/mem/avml --compress /mnt/mem/memory.lime.compressed",
"sudo umount /mnt/mem",
]
},
)
return resp["Command"]["CommandId"]
def isolate(investigation_id: str, security_group):
logger = get_logger(investigation_id)
instance = InstanceService(investigation_id).get_instance(investigation_id)
logger("Saving security group(s) to tag:claire_removed_groups")
ec2.create_tags(Resources=[instance["InstanceId"]],
Tags=[{
"Key":
"claire_removed_groups",
"Value":
",".join(g["GroupId"]
for g in instance["SecurityGroups"])
}])
logger("Changing security group to {}".format(security_group))
ec2.modify_instance_attribute(
InstanceId=instance["InstanceId"],
Groups=[security_group],
)
logger("Security group updated successfully")
def __init__(self, investigation_id):
self.logger = get_logger(investigation_id)
