renamed sensor-iso to hedgehog-iso and sensor-raspi to hedgehog-raspi

.dockerignore

@@ -28,8 +28,8 @@ arkime-logs
 arkime-raw
 kubernetes
 malcolm-iso
-sensor-iso
-sensor-raspi
+hedgehog-iso
+hedgehog-raspi
 nginx/nginx_ldap*.conf
 pcap
 _site

.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml → .github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml

@@ -1,15 +1,15 @@
-name: sensor-iso-build-docker-wrap-push-ghcr
+name: hedgehog-iso-build-docker-wrap-push-ghcr
 
 on:
   push:
     branches:
       - main
       - development
     paths:
-      - 'sensor-iso/**'
+      - 'hedgehog-iso/**'
       - 'shared/bin/*'
       - '.trigger_iso_workflow_build'
-      - '.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml'
+      - '.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml'
   workflow_dispatch:
   repository_dispatch:
 
@@ -93,13 +93,13 @@ jobs:
       -
         name: Build image
         run: |
-          cp -r ./shared ./docs ./_config.yml ./_includes ./_layouts ./Gemfile ./README.md ./malcolm-iso/htpdate ./sensor-iso
-          cp ./scripts/malcolm_utils.py ./sensor-iso/shared/bin/
-          cp ./scripts/documentation_build.sh ./sensor-iso/docs/
-          cp -r ./arkime/patch ./sensor-iso/shared/arkime_patch
-          mkdir -p ./sensor-iso/suricata
-          cp -r ./suricata/rules-default ./sensor-iso/suricata/
-          pushd ./sensor-iso
+          cp -r ./shared ./docs ./_config.yml ./_includes ./_layouts ./Gemfile ./README.md ./malcolm-iso/htpdate ./hedgehog-iso
+          cp ./scripts/malcolm_utils.py ./hedgehog-iso/shared/bin/
+          cp ./scripts/documentation_build.sh ./hedgehog-iso/docs/
+          cp -r ./arkime/patch ./hedgehog-iso/shared/arkime_patch
+          mkdir -p ./hedgehog-iso/suricata
+          cp -r ./suricata/rules-default ./hedgehog-iso/suricata/
+          pushd ./hedgehog-iso
           echo "${{ steps.extract_malcolm_version.outputs.mversion }}" > ./shared/version.txt
           echo "${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}" > ./shared/maxmind_license.txt
           echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" > ./shared/environment.chroot
@@ -115,7 +115,7 @@ jobs:
         uses: aquasecurity/trivy-action@master
         with:
           scan-type: 'fs'
-          scan-ref: './sensor-iso'
+          scan-ref: './hedgehog-iso'
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'HIGH,CRITICAL'
@@ -140,6 +140,6 @@ jobs:
         name: Build and push ISO image
         uses: docker/build-push-action@v5
         with:
-          context: ./sensor-iso
+          context: ./hedgehog-iso
           push: true
           tags: ghcr.io/${{ github.repository_owner }}/malcolm/hedgehog:${{ steps.extract_branch.outputs.branch }}

.github/workflows/sensor-raspi-build-docker-wrap-push-ghcr.yml → .github/workflows/hedgehog-raspi-build-docker-wrap-push-ghcr.yml

@@ -1,4 +1,4 @@
-name: sensor-raspi-build-docker-wrap-push-ghcr
+name: hedgehog-raspi-build-docker-wrap-push-ghcr
 
 on:
   # push:
@@ -76,7 +76,7 @@ jobs:
       -
         name: Build image
         run: |
-          pushd ./sensor-raspi
+          pushd ./hedgehog-raspi
           mkdir -p ./shared
           echo "${{ steps.extract_malcolm_version.outputs.mversion }}" > ./shared/version.txt
           echo "${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}" > ./shared/maxmind_license.txt
@@ -97,6 +97,6 @@ jobs:
         name: Build and push IMG image
         uses: docker/build-push-action@v5
         with:
-          context: ./sensor-raspi
+          context: ./hedgehog-raspi
           push: true
           tags: ghcr.io/${{ github.repository_owner }}/malcolm/hedgehog-raspi:${{ steps.extract_branch.outputs.branch }}

.gitignore

@@ -37,13 +37,13 @@ malcolm_netbox_backup_*.gz
 *-build.log
 Gemfile.lock
 _site
-sensor-iso/_config.yml
-sensor-iso/_includes
-sensor-iso/_layouts
-sensor-iso/_site
-sensor-iso/docs
-sensor-iso/Gemfile
-sensor-iso/README.md
+hedgehog-iso/_config.yml
+hedgehog-iso/_includes
+hedgehog-iso/_layouts
+hedgehog-iso/_site
+hedgehog-iso/docs
+hedgehog-iso/Gemfile
+hedgehog-iso/README.md
 
 # Byte-compiled / optimized / DLL files
 __pycache__/

_config.yml

@@ -84,7 +84,7 @@ exclude:
   - pcap-capture
   - pcap-monitor
   - scripts
-  - sensor-iso
+  - hedgehog-iso
   - shared
   - suricata
   - suricata-logs

docs/development.md

@@ -16,6 +16,8 @@ Checking out the [Malcolm source code]({{ site.github.repository_url }}/tree/{{
 * `file-monitor` - code and configuration for the `file-monitor` container that can scan files extracted by Zeek
 * `file-upload` - code and configuration for the `upload` container that serves a web browser-based upload form for uploading PCAP files and Zeek logs, and serves an SFTP share as an alternate upload
 * `freq-server` - code and configuration for the `freq` container used for calculating entropy of strings
+* `hedgehog-iso` - code and configuration for building a [Hedgehog Linux](live-analysis.md#Hedgehog) ISO
+* `hedgehog-raspi` - code and configuration for building a [Hedgehog Linux](live-analysis.md#Hedgehog) [Raspberry Pi image](hedgehog-raspi-build.md#HedgehogRaspiBuild)
 * `htadmin` - configuration for the `htadmin` user account management container
 * `logstash` - code and configuration for the `logstash` container that parses Zeek logs and forwards them to the `opensearch` container
 * `malcolm-iso` - code and configuration for building an [installer ISO](malcolm-iso.md#ISO) for a minimal Debian-based Linux installation for running Malcolm
@@ -27,7 +29,6 @@ Checking out the [Malcolm source code]({{ site.github.repository_url }}/tree/{{
 * `pcap-capture` - code and configuration for the `pcap-capture` container that can capture network traffic
 * `pcap-monitor` - code and configuration for the `pcap-monitor` container that watches for new or uploaded PCAP files and notifies the other services to process them
 * `scripts` - control scripts for starting, stopping, restarting, etc., Malcolm
-* `sensor-iso` - code and configuration for building a [Hedgehog Linux](live-analysis.md#Hedgehog) ISO
 * `shared` - miscellaneous code used by various Malcolm components 
 * `suricata` - code and configuration for the `suricata` container that handles PCAP processing using Suricata
 * `suricata-logs` - an initially empty directory for Suricata logs to be uploaded, processed, and stored

docs/hedgehog-iso-build.md

@@ -18,7 +18,7 @@ The build should work with either the [VirtualBox](https://www.virtualbox.org/)
 To perform a clean build the Hedgehog Linux installer ISO, navigate to your local [Malcolm]({{ site.github.repository_url }}/) working copy and run:
 
 ```
-$ ./sensor-iso/build_via_vagrant.sh -f
+$ ./hedgehog-iso/build_via_vagrant.sh -f
 …
 Starting build machine...
 Bringing machine 'default' up with 'virtualbox' provider...
@@ -33,4 +33,4 @@ Finished, created "/sensor-build/hedgehog-24.03.0.iso"
 …
 ```
 
-Alternately, if you have forked Malcolm on GitHub, [workflow files]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/) are provided which contain instructions for GitHub to build the docker images and Hedgehog and [Malcolm]({{ site.github.repository_url }}) installer ISOs, specifically [`sensor-iso-build-docker-wrap-push-ghcr.yml`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml) for the Hedgehog ISO. The resulting ISO file is wrapped in a Docker image that provides an HTTP server from which the ISO may be downloaded.
+Alternately, if you have forked Malcolm on GitHub, [workflow files]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/.github/workflows/) are provided which contain instructions for GitHub to build the docker images and Hedgehog and [Malcolm]({{ site.github.repository_url }}) installer ISOs, specifically [`hedgehog-iso-build-docker-wrap-push-ghcr.yml`]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml) for the Hedgehog ISO. The resulting ISO file is wrapped in a Docker image that provides an HTTP server from which the ISO may be downloaded.

docs/hedgehog-raspi-build.md

@@ -1,6 +1,6 @@
 # <a name="HedgehogRaspiBuild"></a>Appendix B - Generating a Raspberry Pi Image
 
-Hedgehog Linux can [also be built]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/sensor-raspi) for the Raspberry Pi platform, although this capability is still considered experimental.
+Hedgehog Linux can [also be built]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/hedgehog-raspi) for the Raspberry Pi platform, although this capability is still considered experimental.
 
 * [Building the Image](#HedgehogRaspiBuild)
 * [Writing the Image to Flash Media](#HedgehogRaspiBurn)
@@ -27,7 +27,7 @@ The build should work with either the [VirtualBox](https://www.virtualbox.org/)
 To perform a clean build the Hedgehog Linux Raspberry Pi image, navigate to your local [Malcolm]({{ site.github.repository_url }}/) working copy and run:
 
 ```
-$ ./sensor-raspi/build_via_vagrant.sh -f -z
+$ ./hedgehog-raspi/build_via_vagrant.sh -f -z
 …
 Starting build machine...
 Bringing machine 'vagrant-hedgehog-raspi-build' up with 'virtualbox' provider...

docs/hedgehog-upgrade.md

@@ -47,9 +47,9 @@ deb https://XXXXXX:443/debian buster-backports main contrib non-free
 5. Update underlying system packages with `apt-get`
     - `apt-get update && apt-get dist-upgrade`
 
-6. If there were [new system deb packages added]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/sensor-iso/config/package-lists) to this release of Hedgehog Linux (you might have to [manually compare]({{ site.github.repository_url }}/commits/main/sensor-iso/config/package-lists) on GitHub), install them. If you're not sure, of course, you could just install everything, like this (although you may have to tweak some version numbers or something if the base distribution of your Hedgehog branch is different than `main`; in this example I'm not jumping between Debian releases, just upgrading within a release):
+6. If there were [new system deb packages added]({{ site.github.repository_url }}/tree/{{ site.github.build_revision }}/hedgehog-iso/config/package-lists) to this release of Hedgehog Linux (you might have to [manually compare]({{ site.github.repository_url }}/commits/main/hedgehog-iso/config/package-lists) on GitHub), install them. If you're not sure, of course, you could just install everything, like this (although you may have to tweak some version numbers or something if the base distribution of your Hedgehog branch is different than `main`; in this example I'm not jumping between Debian releases, just upgrading within a release):
 ```
-$ for LIST in apps desktopmanager net system; do curl -L -J -O {{ site.github.repository_url }}/main/sensor-iso/config/package-lists/$LIST.list.chroot; done
+$ for LIST in apps desktopmanager net system; do curl -L -J -O {{ site.github.repository_url }}/main/hedgehog-iso/config/package-lists/$LIST.list.chroot; done
 ...
 $ apt-get install $(cat *.list.chroot)
 ```
@@ -59,7 +59,7 @@ $ apt-get install $(cat *.list.chroot)
     * `python3 -m pip list --outdated --format=freeze | grep -v '^\-e' | cut -d = -f 1 | xargs -r -n1 python3 -m pip install -U`
         - if this fails for some reason, you may need to reinstall pip first with `python3 -m pip install --force -U pip`
         - some *very* old builds of Hedgehog Linux had separate Python 3.5 and 3.7 installations: in this case, you'd need to do this for both `python3 -m pip` and `python3.7 -m pip` (or whatever `python3.x` you have)
-    * If there were [new python packages](https://raw.githubusercontent.com/{{ site.github.repository_nwo }}/master/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot) added to this release of Hedgehog Linux (you might have to [manually compare]({{ site.github.repository_url }}/blame/main/sensor-iso/config/hooks/normal/0169-pip-installs.hook.chroot) on GitHub), install them. If you are using a PyPI mirror, replace `XXXXXX` here with your mirror's IP. The `colorama` package is used here as an example, your package list might vary.
+    * If there were [new python packages](https://raw.githubusercontent.com/{{ site.github.repository_nwo }}/master/hedgehog-iso/config/hooks/normal/0169-pip-installs.hook.chroot) added to this release of Hedgehog Linux (you might have to [manually compare]({{ site.github.repository_url }}/blame/main/hedgehog-iso/config/hooks/normal/0169-pip-installs.hook.chroot) on GitHub), install them. If you are using a PyPI mirror, replace `XXXXXX` here with your mirror's IP. The `colorama` package is used here as an example, your package list might vary.
         - `python3 -m pip install --no-compile --no-cache-dir --force-reinstall --upgrade --index-url=https://XXXXXX:443/pypi/simple --trusted-host=XXXXXX:443 colorama`
 
 8. Okay, **now** things start to get a little bit ugly. You're going to need access to the ISO of the release of Hedgehog Linux you're upgrading to, as we're going to grab some packages off of it. On another Linux system, [build it](hedgehog-iso-build.md#HedgehogISOBuild).

docs/hedgehog.md

@@ -11,7 +11,7 @@ Hedgehog Linux is a Debian-based operating system built to
 * detect file transfers in network traffic and extract and scan those files for threats
 * generate and forward Zeek logs, Arkime sessions, and other information to [Malcolm]({{ site.github.repository_url }})
 
-![sensor-iso-build-docker-wrap-push-ghcr]({{ site.github.repository_url }}/workflows/sensor-iso-build-docker-wrap-push-ghcr/badge.svg)
+![hedgehog-iso-build-docker-wrap-push-ghcr]({{ site.github.repository_url }}/workflows/hedgehog-iso-build-docker-wrap-push-ghcr/badge.svg)
 
 <a name="HedgehogTableOfContents"></a>
 * [Sensor installation](hedgehog-installation.md#HedgehogInstallation)

docs/malcolm-hedgehog-e2e-iso-install.md

@@ -463,7 +463,7 @@ To specify which files should be extracted, specify the Zeek file carving mode:
 
 ![Zeek file carving mode](./images/hedgehog/images/zeek_file_carve_mode.png)
 
-If unsure what mode to choose, both **mapped (except common plain text files)** (to carve and scan almost all files) and **interesting** (to only carve and scan files with [mime types of common attack vectors]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/sensor-iso/interface/sensor_ctl/zeek/extractor_override.interesting.zeek)) are probably good choices.
+If unsure what mode to choose, both **mapped (except common plain text files)** (to carve and scan almost all files) and **interesting** (to only carve and scan files with [mime types of common attack vectors]({{ site.github.repository_url }}/blob/{{ site.github.build_revision }}/hedgehog-iso/interface/sensor_ctl/zeek/extractor_override.interesting.zeek)) are probably good choices.
 
 Next, specify which carved files to preserve (saved on the sensor under `/capture/bro/capture/extract_files/quarantine` by default). In order to not consume all the sensor's available storage space, the oldest preserved files will be pruned along with the oldest Zeek logs as described below with **AUTOSTART_PRUNE_ZEEK** in the [autostart services](#HedgehogConfigAutostart) section.
 

sensor-iso/Dockerfile → hedgehog-iso/Dockerfile

@@ -5,7 +5,7 @@ FROM ghcr.io/mmguero/qemu-live-iso:latest
 LABEL maintainer="[email protected]"
 LABEL org.opencontainers.image.authors='[email protected]'
 LABEL org.opencontainers.image.url='https://github.com/idaholab/Malcolm'
-LABEL org.opencontainers.image.documentation='https://github.com/idaholab/Malcolm/blob/main/sensor-iso/README.md'
+LABEL org.opencontainers.image.documentation='https://github.com/idaholab/Malcolm/blob/main/hedgehog-iso/README.md'
 LABEL org.opencontainers.image.source='https://github.com/idaholab/Malcolm'
 LABEL org.opencontainers.image.vendor='Idaho National Laboratory'
 LABEL org.opencontainers.image.title='ghcr.io/idaholab/malcolm/hedgehog'

sensor-raspi/Dockerfile → hedgehog-raspi/Dockerfile

@@ -5,7 +5,7 @@ FROM ghcr.io/mmguero/qemu-live-iso:latest
 LABEL maintainer="[email protected]"
 LABEL org.opencontainers.image.authors='[email protected]'
 LABEL org.opencontainers.image.url='https://github.com/idaholab/Malcolm'
-LABEL org.opencontainers.image.documentation='https://github.com/idaholab/Malcolm/blob/main/sensor-iso/README.md'
+LABEL org.opencontainers.image.documentation='https://github.com/idaholab/Malcolm/blob/main/hedgehog-iso/README.md'
 LABEL org.opencontainers.image.source='https://github.com/idaholab/Malcolm'
 LABEL org.opencontainers.image.vendor='Idaho National Laboratory'
 LABEL org.opencontainers.image.title='ghcr.io/idaholab/malcolm/hedgehog-raspi'

sensor-raspi/README.md → hedgehog-raspi/README.md

@@ -11,7 +11,7 @@ clone this repository:
 
 ```shell
 git clone https://github.com/idaholab/Malcolm.git
-cd Malcolm/sensor-raspi
+cd Malcolm/hedgehog-raspi
 ```
 
 For this you will first need to install the following packages on a

sensor-raspi/build_via_vagrant.sh → hedgehog-raspi/build_via_vagrant.sh

@@ -102,7 +102,7 @@ YML_IMAGE_VERSION="$(grep -P "^\s+image:.*/malcolm/" "$SCRIPT_PATH"/../docker-co
 echo "VCS_REVSION=$( git rev-parse --short HEAD 2>/dev/null || echo main )" >> "$SCRIPT_PATH"/shared/environment.chroot
 trap cleanup_shared_and_docs EXIT
 
-vm_execute "sudo bash -c \"whoami && cd /Malcolm/sensor-raspi && pwd && make ${IMAGE}${XZ_EXT}\""
+vm_execute "sudo bash -c \"whoami && cd /Malcolm/hedgehog-raspi && pwd && make ${IMAGE}${XZ_EXT}\""
 
 if [[ -n $NEED_SHUTDOWN ]]; then
   echo "Shutting down $VM_NAME..." >&2

sensor-raspi/generate-recipe.py → hedgehog-raspi/generate-recipe.py

@@ -7,7 +7,7 @@
 
 SCRIPT_DIR = os.path.dirname(os.path.realpath(__file__))
 MALCOLM_DIR = os.path.dirname(SCRIPT_DIR)
-SENSOR_DIR = os.path.join(MALCOLM_DIR, 'sensor-iso')
+SENSOR_DIR = os.path.join(MALCOLM_DIR, 'hedgehog-iso')
 
 # pylint: disable=invalid-name
 

sensor-raspi/sensor_install.sh → hedgehog-raspi/sensor_install.sh

@@ -329,7 +329,7 @@ install_deps() {
         deps+=$(tr '\n' ' ' < "$file")
     done
 
-    # Remove Sensor-ISO packages not relevant to RPI
+    # Remove hedgehog-iso packages not relevant to RPI
     # Rar is excluded because Debian doesn't have an ARM package
     # htpdate removed because repo version doesn't support https
     # aide is removed as we're not applying the same hardening requirements ot the rpi image