MVP saf-cli Lambda Function

.github/draft-release.yml → .github/workflows/draft-release.yml

@@ -1,11 +1,9 @@
 name: Draft Release
-
 on:
  push:
- # branches to consider in the event; optional, defaults to all
- branches:
- - main
-
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
 jobs:
  update_draft_release:
  runs-on: ubuntu-latest

.npmignore

@@ -0,0 +1 @@
+tests/*

LICENSE.md

@@ -1,17 +1,15 @@
+Licensed under the apache-2.0 license, except as noted below.
 
-Licensed under the apache-2.0 license, except as noted below. 
-
-Redistribution and use in source and binary forms, with or without modification, 
+Redistribution and use in source and binary forms, with or without modification,
 are permitted provided that the following conditions are met:
 
-* Redistributions of source code must retain the above copyright/ digital rights 
-legend, this list of conditions and the following Notice.
-
-* Redistributions in binary form must reproduce the above copyright copyright/digital 
-rights legend, this list of conditions and the following Notice in the documentation 
-and/or other materials provided with the distribution.
+- Redistributions of source code must retain the above copyright/ digital rights
+ legend, this list of conditions and the following Notice.
 
-* Neither the name of The MITRE Corporation nor the names of its contributors may be 
-used to endorse or promote products derived from this software without specific prior 
-written permission.
+- Redistributions in binary form must reproduce the above copyright copyright/digital
+ rights legend, this list of conditions and the following Notice in the documentation
+ and/or other materials provided with the distribution.
 
+- Neither the name of The MITRE Corporation nor the names of its contributors may be
+ used to endorse or promote products derived from this software without specific prior
+ written permission.

README.md

@@ -1,2 +1,80 @@
 # saf-lambda-function
 
+AWS Lambda Function for the [SAF CLI](https://github.com/mitre/saf-lambda-function)
+
+This is based on [saf_action](https://github.com/mitre/saf)
+
+## Input and Output Arguments
+
+### Input
+
+#### `command_string` (Required)
+
+Command string to be executed by SAF CLI. The action will run `saf <command_string>`.
+
+Example:
+
+- `convert:asff2hdf -i asff-findings.json -o output-file-name.json`
+- More examples can be found at [SAF CLI Usage](https://github.com/mitre/saf#usage)
+- NOTE: This action does not support `view:heimdall`.
+
+### Output
+
+As determined by input command.
+
+## Secrets
+
+This action does not use any GitHub secrets at this time.
+
+## Example
+
+Below is an example action.
+
+```
+on: [push]
+jobs:
+ saf_hdf_conversion:
+ runs-on: ubuntu-latest
+ name: SAF CLI Convert ASFF to HDF
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Convert ASFF
+ uses: mitre/saf_action@v1
+ with:
+ command_string: 'convert:asff2hdf -i asff_sample.json -o asff_sample_hdf.json'
+ - name: Artifacts
+ uses: actions/upload-artifact@v1
+ if: success()
+ with:
+ name: asff
+ path: asff_sample_hdf.json
+```
+
+## Contributing, Issues and Support
+
+### Contributing
+
+Please feel free to look through our issues, make a fork and submit PRs and improvements. We love hearing from our end-users and the community and will be happy to engage with you on suggestions, updates, fixes or new capabilities.
+
+### Issues and Support
+
+Please feel free to contact us by **opening an issue** on the issue board, or, at [saf@mitre.org](mailto:saf@mitre.org) should you have any suggestions, questions or issues.
+
+### NOTICE
+
+© 2022 The MITRE Corporation.
+
+Approved for Public Release; Distribution Unlimited. Case Number 18-3678.
+
+### NOTICE
+
+MITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project.
+
+### NOTICE
+
+This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General.
+
+No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation.
+
+For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000.

app.js

@@ -0,0 +1,142 @@
+const aws = require("aws-sdk");
+const s3 = new aws.S3({
+ apiVersion: "2006-03-01",
+});
+const saf = require("@mitre/saf");
+const fs = require("fs");
+const path = require("path");
+const winston = require("winston");
+const { createLogger, format, transports } = winston;
+let response;
+
+/**
+ *
+ * Event doc: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html#api-gateway-simple-proxy-for-lambda-input-format
+ * @param {Object} event - API Gateway Lambda Proxy Input Format
+ *
+ * Context doc: https://docs.aws.amazon.com/lambda/latest/dg/nodejs-prog-model-context.html
+ * @param {Object} context
+ *
+ * Return doc: https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-lambda-proxy-integrations.html
+ * @returns {Object} object - API Gateway Lambda Proxy Output Format
+ *
+ */
+
+exports.lambdaHandler = async (event, context) => {
+ const logger = createLogger({
+ level: process.env.LOG_LEVEL || "debug",
+ format: format.combine(format.timestamp(), format.simple()),
+ transports: [
+ new transports.Console({
+ format: format.combine(
+ format.timestamp({
+ format: "YYYY-MM-DDTHH:mm:ss.SSSZ",
+ }),
+ format.printf((info) => `${[info.timestamp]}\t${context.awsRequestId}\t${logger.level.toUpperCase()}\t${info.message}`)
+ ),
+ }),
+ ],
+ });
+
+ logger.log({
+ level: "debug",
+ message: "Logging Level set to : " + logger.level.toUpperCase(),
+ });
+
+ if (!command_string) {
+ let command_string_message = "SAF CLI Command String argument is required. See http://saf-cli.mitre.org for more details.";
+ logger.info(command_string_message);
+ throw new Error(command_string_message);
+ }
+
+ if (CLI_COMMAND.trim() === "view" && CLI_FUNCTION.trim() === "heimdall") {
+ let view_heimdall_message = "You cannot use the 'saf view:heimdall' command in this environment.";
+ logger.info(view_heimdall_message);
+ throw new Error(view_heimdall_message);
+ }
+
+ // TODO: REMOVE ALL THESE COMMENTS
+ // TODO: Decide is we want to catch undefined saf-cli command groupings https://stackoverflow.com/questions/15201939/jquery-javascript-check-string-for-multiple-substringsa
+ // TODO: Removed hardcoded data and move to lambda params
+
+ const HEC_TOKEN = "473b3297-1d88-4740-96ff-e6048e51b785";
+ const SPLUNK_SERVER = "splk1.efficacy.online";
+ const CLI_COMMAND = "convert";
+ const CLI_FUNCTION = "hdf2splunk";
+
+ // TODO: REMOVE ALL THESE COMMENTS
+ // TODO: Add the rest of the parameters
+ /*
+ - -t HEC_TOKEN
+ - -i HDF_FILE
+ - SPLUNK_PORT(defults to 8089)
+ - SPLUNK_INDEX(defauls to HEC default )
+ - INSECURE(ignore_ssl)
+ - PROTOCOL(defults to https)
+ - DEBUG - for logging in lambda logging
+ */
+
+ logger.debug("Starting Lambda Function");
+ logger.debug("Received context:" + JSON.stringify(context));
+
+ const bucket = params.Bucket;
+ const key = decodeURIComponent(event.Records[0].s3.object.key.replace(/\+/g, " "));
+ const params = {
+ Bucket: bucket,
+ Key: key,
+ };
+
+ try {
+ logger.info("Read from bucket: " + params.Bucket);
+ logger.info("Reading File: " + params.Key);
+
+ let { ContentType, Body } = await s3.getObject(params).promise();
+
+ logger.debug("Recieved File ContentType - " + ContentType);
+
+ let HDF_FILE = path.resolve("/tmp/", params.Key.toString());
+ Body = Body.toString();
+
+ const command_string = [CLI_COMMAND + ":" + CLI_FUNCTION, "-i", HDF_FILE, "-H", SPLUNK_SERVER, "-t", HEC_TOKEN];
+ await fs.writeFileSync(HDF_FILE, Body);
+
+ logger.info("Wrote file into runtime environment: " + HDF_FILE);
+ logger.debug("Finished reading object type: " + JSON.stringify(ContentType));
+
+ // TODO: REMOVE ALL THESE COMMENTS
+ // TODO: Remove the hardcoded saf-cli command
+ // TODO: Remove the ||
+ /* TODO: Add the rest of the possible options to the command_string builder
+ - SPLUNK_PORT (defults to 8089)
+ - SPLUNK_INDEX (defauls to HEC default)
+ - INSECURE (ignore_ssl)
+ - PROTOCOL (defults to https)
+ - DEBUG - for logging in lambda logging
+ */
+
+ logger.info("Running the SAF CLI with the command_string: " + command_string.join(" "));
+ logger.info("Pushing HDF Data: " + HDF_FILE + " to server: " + SPLUNK_SERVER);
+
+ let saf_cli_response = await saf.run(command_string);
+
+ logger.info("Push returned with: " + saf_cli_response);
+
+ response = {
+ statusCode: 200,
+ body: JSON.stringify({
+ message: saf_cli_response,
+ }),
+ };
+ } catch (err) {
+ logger.info(err);
+ return err;
+ }
+ return response;
+};
+
+exports.handler = async function (event, context) {
+ logger.log("ENVIRONMENT VARIABLES\n" + JSON.stringify(process.env, null, 2));
+ logger.info("EVENT\n" + JSON.stringify(event, null, 2));
+ logger.warn("Event not processed.");
+ return context.logStreamName;
+};