iris-velo-org-module
is an IRIS processor module created with https://github.com/dfir-iris/iris-skeleton-module. It hooks on created cases and adds the client of the case as a new organization in Velociraptor, grants the existing users in Velociraptor access to the case, and uploads the Velociraptor client config to IRIS' datastore. If the organization already exists, it is not recreated and user permissions are not changed; the Velociraptor client config is still uploaded to the datastore.
Velociraptor is a tool for collecting host-based state information using Velociraptor Query Language (VQL) queries. DFIR-IRIS is an Incident Response Investigation System that collects information about a case and acts as a documentation platform.
- Run Velociraptor >= 0.6.6-rc1 (Linux Build All Arches #1579). Refer to Velociraptor's README to get the current executable after fix #1579 (Fixed crash in api_client command).
- Create an API config and user in Velociraptor with Administrator and API permissions:
./velociraptor --config server.config.yaml config api_client --name iris-modules --role investigator,api api.config.yaml
- Mount the api.config.yaml file in the DFIR-IRIS docker-compose setup for both the Worker and the Web-App container.
- Make sure that the Worker container can establish connections to the Velociraptor API. Hint: verify in server.config.yaml that Velociraptor publishes the API on the required interface.
- Download the release *.whl to your DFIR-IRIS server.
- Copy the wheel to the worker and app containers of IRIS (pay attention to the file name!):
sudo docker cp dist/iris_velo-org_module-1.0.0-py3-none-any.whl iris-web_worker_1:/iriswebapp/dependencies/
sudo docker cp dist/iris_velo-org_module-1.0.0-py3-none-any.whl iris-web_app_1:/iriswebapp/dependencies/
- Force a reinstall of the module in the worker and app containers of IRIS:
sudo docker exec -it iris-web_worker_1 /bin/sh -c "pip3 install dependencies/iris_velo-org_module-1.0.0-py3-none-any.whl --force-reinstall"
sudo docker exec -it iris-web_app_1 /bin/sh -c "pip3 install dependencies/iris_velo-org_module-1.0.0-py3-none-any.whl --force-reinstall"
- Restart the worker and app containers:
sudo docker restart iris-web_worker_1
sudo docker restart iris-web_app_1
- Add the module via Advanced -> Modules -> Add Module -> Module name 'iris_velo_org_module'
- Configure the module.
To build and deploy the module yourself, run the buildnpush2iris.sh script (if you run Docker as root, run the script as root as well), or perform the following steps manually:
- Build the wheel from the module root directory (the one that contains setup.py):
python3.9 setup.py bdist_wheel
- Copy the wheel to the worker and app containers of IRIS:
sudo docker cp dist/iris_velo-org_module-0.1.0-py3-none-any.whl iris-web_worker_1:/iriswebapp/dependencies/
sudo docker cp dist/iris_velo-org_module-0.1.0-py3-none-any.whl iris-web_app_1:/iriswebapp/dependencies/
- Force a reinstall of the module in the worker and app containers of IRIS:
sudo docker exec -it iris-web_worker_1 /bin/sh -c "pip3 install dependencies/iris_velo-org_module-0.1.0-py3-none-any.whl --force-reinstall"
sudo docker exec -it iris-web_app_1 /bin/sh -c "pip3 install dependencies/iris_velo-org_module-0.1.0-py3-none-any.whl --force-reinstall"
- Restart the worker and app containers:
sudo docker restart iris-web_worker_1
sudo docker restart iris-web_app_1
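The release installation steps above and the manual build-and-deploy steps both copy a wheel into the two IRIS containers, force-reinstall it and restart them, and both warn about getting the wheel file name right. The following POSIX shell script is an added example and not part of the project; it performs exactly those steps for one wheel path, rejects file names that do not match the release naming scheme (the distribution name is iris_velo-org_module with a hyphen, and the version differs between releases), and supports a DRY_RUN mode that only prints the docker commands so the sequence can be reviewed before anything runs as root. The container names and dependency directory are the README's; WORKER, APP, DRY_RUN and the wheel_version/install_wheel function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of iris-velo-org-module: install a built wheel
# into the IRIS worker and app containers following the README steps.
set -eu

WORKER="${WORKER:-iris-web_worker_1}"     # README's worker container name
APP="${APP:-iris-web_app_1}"              # README's app container name
DEPS_DIR=/iriswebapp/dependencies         # README's dependency directory
DRY_RUN="${DRY_RUN:-0}"                   # assumption: 1 = only print commands

# Print the version embedded in a release wheel name, or fail (status 1)
# when the name does not follow iris_velo-org_module-<version>-py3-none-any.whl.
wheel_version() {
  name="$(basename "$1")"
  case "$name" in
    iris_velo-org_module-*-py3-none-any.whl)
      v="${name#iris_velo-org_module-}"
      v="${v%-py3-none-any.whl}"
      printf '%s\n' "$v"
      ;;
    *)
      return 1
      ;;
  esac
}

# Run a command, or just echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Copy, force-reinstall and restart for both containers (README steps).
install_wheel() {
  wheel="$1"
  ver="$(wheel_version "$wheel")" || {
    echo "unexpected wheel name: $wheel" >&2
    return 1
  }
  [ -f "$wheel" ] || { echo "no such file: $wheel" >&2; return 1; }
  name="$(basename "$wheel")"
  for c in "$WORKER" "$APP"; do
    run sudo docker cp "$wheel" "$c:$DEPS_DIR/"
    run sudo docker exec -it "$c" /bin/sh -c "pip3 install $DEPS_DIR/$name --force-reinstall"
    run sudo docker restart "$c"
  done
  echo "installed iris_velo_org_module $ver"
}

# usage: DRY_RUN=1 ./install.sh dist/iris_velo-org_module-1.0.0-py3-none-any.whl
if [ "$#" -gt 0 ]; then
  install_wheel "$1"
fi
```

Run it once with DRY_RUN=1 to see the six docker commands it would issue, then again without it; after the restart, add and configure the module in the IRIS UI as described above.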
Copyright 2022, Stephan Mikiss, under the GNU Lesser General Public License v3.0.