PiRogueToolSuite / project-management

Put in one place all the user stories and the tasks associated with them

US101 - Maintenance #37

Open U039b opened 4 months ago

U039b commented 4 months ago

Description: We manufacture PiRogues to supply organizations, while taking care of their maintenance. We will include OS upgrades, improvement of the documentation and fixing bugs. Regarding Colander and Threatr, we maintain the public Colander server, upgrade dependencies, improve the documentation and fix bugs.

CyrilBrulebois commented 4 months ago

This month

While deploying officially supported Raspberry Pi 3 and Pi 4 devices, the outdatedness of the last PiRogue OS release became apparent. Since the historical tool used to turn Debian images for Raspberry Pi into PiRogue images was relicensed, it was replaced with another implementation.

After experimenting with the Raspberry Pi 5, the new tooling was extended to generate a different, experimental image to support it, alongside the official image supporting Pi 3 and Pi 4.

A new release arm64_v2.1.0 was published, catching up with Debian 12.6, supporting Pi 3 and Pi 4 officially, and Pi 5 experimentally and unofficially.

Next month

Support for the Raspberry Pi 5 requires some components outside the Debian and PiRogue ecosystems, which might make upgrades a little more complicated than usual. It would be best to perform test runs for scenarios that could be problematic, see if theoretical problems are likely to happen, making it possible to either avoid them entirely, or be ready to tackle them when they show up.

Challenges

Unfortunately, the Debian images for Raspberry Pi that are turned into PiRogue images are also outdated (compared to the updates in Debian 12). Until it's resolved on the Debian side, an independent image build has been set up, to ensure images are generated weekly.

TontonSancho commented 3 months ago

This month

The Colander API and the Colander Python client v1.0.4 now support querying Teams, creating Cases, and both querying and creating relationships between Entities. The Python client now supports the files *.metadata.json, generated by the pirogue-evidence-collector, to inject the metadata in the attributes of the collected artifact.

Regarding the distribution of the Debian packages we maintain, we have introduced an archive keyring which is the minimal collection of PGP keys. It provides the keys that are used when signing the release of the Debian packages we publish on our PPA.

Support for Raspberry Pi 5 was improved by merging the required packages in our repository and adjusting our image generation process accordingly. This means we're back to the original situation, just like in the case of Raspberry Pi 3 and Pi 4 images: users only need official Debian and PTS repositories (no more extra Raspberry OS repository).

Next month

No further work is planned regarding Raspberry Pi 5 support. We hope to have mainline and Debian support in the next major Debian release (Debian 13 “Trixie”, scheduled mid 2025), at which point the separate, experimental image for Raspberry Pi 5 can be retired.

We will continue the maintenance of all the Debian packages we maintain.

Challenges

We don't want to stay on the same version of linux-image-* packages merged from Raspberry OS repositories forever. So the deb-frido tool — used to automate Frida packaging — was extended to monitor packages we care about (in Debian and in Raspberry OS repositories), so that PTS developers are notified of package updates.

U039b commented 1 month ago

This month

We have improved the API of Threatr to support observability such as the status of the configuration or the size of its cache. The status of the Threatr service can be checked on the status page of Colander.

We have released version v1.0.5 of the Python client for Colander to add a method to download the decrypted traffic of a PiRogue experiment.

We have started working on implementing a tool to convert PCAPNG files to HAR. The purpose is to make it possible to open the decrypted network traffic in the Network tab of the web browser developer tools.

We have published version 16.5.2 of Frida.

Next month

We will continue the maintenance of all the tools and Debian packages we maintain.

Challenges

None.

U039b commented 3 weeks ago

This month

A new version v1.0.5 of pcapng-utils has been released. And the package is now available on:

This new version supports 2 types of HAR enrichment:

Find more details on GitHub.

We have improved the UX of the Investigate workspace of Colander, making its usage less confusing. A showstopper bug has been fixed in Colander as it was no longer possible to quickly create multiple entities at once. This bug was introduced when we reworked the Investigate workspace last month.

We have updated the Linux kernel for Raspberry Pi 5 to v1:6.6.51-1+rpt2.

Next month

We will continue the maintenance of all the tools and Debian packages we maintain.

Challenges

None.