ministryofjustice / staff-device-dhcp-server

The ISC KEA server for serving DHCP requests (via a Docker image)
https://github.com/ministryofjustice/cloud-operations#dhcp--dns
MIT License

On Jira DHCP - Log Enrichment for Security tool #308

Closed smjmoj closed 5 months ago

smjmoj commented 6 months ago

The SOC requires enhanced logs from the Kea DHCP server.

Test the Kea configuration according to the recommendation in an isolated environment (preferably on a developer's workstation) to validate the improved quality of the logs.

https://www.ncsc.gov.uk/files/NCSC_SOC_Feeds.pdf

Example log configuration:

{
    "Dhcp4": {
        "loggers": [
            {
                "name": "kea-dhcp4",
                "severity": "INFO",
                "output_options": [
                    {
                        "output": "/var/log/kea/dhcp4.log",
                        "maxver": 10
                    }
                ]
            },
            {
                "name": "kea-dhcp4.dhcpsrv",
                "severity": "INFO",
                "output_options": [
                    {
                        "output": "/var/log/kea/dhcp4-dhcpsrv.log",
                        "maxver": 10
                    }
                ]
            },
            {
                "name": "kea-dhcp4.leases",
                "severity": "INFO",
                "output_options": [
                    {
                        "output": "/var/log/kea/dhcp4-leases.log",
                        "maxver": 10
                    }
                ]
            }
        ]
    }
}

Acceptance Criteria:

  1. Log configuration tested in local env
  2. Example logs generated from running tests provided to the SOC team
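
The `kea-dhcp4.leases` logger in the configuration above is the one that records allocations, and the SOC will want those lines as structured fields rather than free text. The following is an added example, not code from this repository: a small parser that turns lease log lines into flat records (timestamp, event, MAC, client id, transaction id, IP, lease length) suitable for SIEM ingestion. It assumes Kea's default log pattern (`date level [logger/pid.tid] MSGID body`); the sample lines are constructed for the example, not captured from the server.

```python
import json
import re
from typing import Optional

# Assumes Kea's default log pattern "%D{%Y-%m-%d %H:%M:%S.%q} %-5p [%c/%i.%t] %m".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) +(?P<sev>[A-Z]+) +"
    r"\[(?P<logger>[^/\]]+)/(?P<pid>\d+)\.(?P<tid>\d+)\] (?P<msgid>[A-Z0-9_]+) (?P<body>.*)$"
)
# Client identification prefix used by kea-dhcp4.leases messages.
CLIENT_RE = re.compile(
    r"\[hwtype=(?P<hwtype>\d+) (?P<mac>[0-9a-f:]+)\], cid=\[(?P<cid>[^\]]*)\], tid=(?P<xid>0x[0-9a-f]+)"
)
LEASE_RE = re.compile(r"lease (?P<ip>\d+\.\d+\.\d+\.\d+)")
DURATION_RE = re.compile(r"for (?P<secs>\d+) seconds")

def parse_lease_line(line: str) -> Optional[dict]:
    """Return a flat record for one kea-dhcp4.leases line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("logger") != "kea-dhcp4.leases":
        return None
    rec = {"timestamp": m.group("ts"), "severity": m.group("sev"), "event": m.group("msgid"),
           "mac": None, "client_id": None, "xid": None, "ip": None, "lease_seconds": None}
    body = m.group("body")
    c = CLIENT_RE.search(body)
    if c:
        rec["mac"] = c.group("mac")
        rec["client_id"] = None if c.group("cid") == "no info" else c.group("cid")  # "[no info]" = no client-id option
        rec["xid"] = c.group("xid")
    ip = LEASE_RE.search(body)
    if ip:
        rec["ip"] = ip.group("ip")
    dur = DURATION_RE.search(body)
    if dur:
        rec["lease_seconds"] = int(dur.group("secs"))
    return rec

def parse_log(text: str) -> list:
    """Parse a whole log file body, dropping non-lease lines (e.g. packet debug)."""
    return [r for r in (parse_lease_line(l) for l in text.splitlines()) if r]

# Constructed sample lines (not real captures) covering allocate, advertise, a client without a client-id, and a non-lease debug line.
SAMPLE_LOG = "\n".join([
    "2024-03-01 10:15:42.100 INFO  [kea-dhcp4.leases/1234.139875612345] DHCP4_LEASE_ADVERT [hwtype=1 08:00:27:25:d3:f4], cid=[01:08:00:27:25:d3:f4], tid=0x1f2b3c4d: lease 10.20.30.41 will be advertised",
    "2024-03-01 10:15:42.123 INFO  [kea-dhcp4.leases/1234.139875612345] DHCP4_LEASE_ALLOC [hwtype=1 08:00:27:25:d3:f4], cid=[01:08:00:27:25:d3:f4], tid=0x1f2b3c4d: lease 10.20.30.41 has been allocated for 3600 seconds",
    "2024-03-01 10:16:01.456 INFO  [kea-dhcp4.leases/1234.139875612345] DHCP4_LEASE_ALLOC [hwtype=1 52:54:00:12:34:56], cid=[no info], tid=0x7a7a7a7a: lease 10.20.30.42 has been allocated for 3600 seconds",
    "2024-03-01 10:16:01.500 DEBUG [kea-dhcp4.packets/1234.139875612345] DHCP4_PACKET_SEND 0x7a7a7a7a: trying to send packet DHCPACK",
])

if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(json.dumps(rec))  # one JSON object per lease event, ready for a log shipper
```

Running the script prints one NDJSON record per lease event; feeding it the output of the `dhcp4-leases.log` file from the configuration above gives the SOC MAC-to-IP bindings with timestamps without any regex work on their side.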

darey-io commented 6 months ago

I have created a spreadsheet that can help track the identification and testing of the requirements from the SOC team. I will spend some time with the team so that we can determine which ones are obtainable and those that are not. Some may require additional software or settings for intrusion data capturing detection, and perhaps time synchronisation in case we don't have such already.

Spreadsheet - https://docs.google.com/spreadsheets/d/1pCzXCJm0e3YRopI36sNX9P09VNX2f9Cx5McFM-_EWZ8/edit?usp=sharing

darey-io commented 6 months ago

Running DHCP server locally is giving errors:

05.4 Executing busybox-1.34.1-r7.trigger
105.4 Executing ca-certificates-20230506-r0.trigger
105.4 OK: 196 MiB in 50 packages
105.6 ERROR: unable to select packages:
105.6 isc-kea-ctrl-agent (no such package):
105.6 required by: world[isc-kea-ctrl-agent]
105.6 isc-kea-dhcp4 (no such package):
105.6 required by: world[isc-kea-dhcp4]
105.6 isc-kea-hook-ha (no such package):
105.6 required by: world[isc-kea-hook-ha]
105.6 isc-kea-hook-lease-cmds (no such package):
105.6 required by: world[isc-kea-hook-lease-cmds]
105.6 isc-kea-hook-stat-cmds (no such package):
105.6 required by: world[isc-kea-hook-stat-cmds]
105.6 isc-kea-perfdhcp (no such package):
105.6 required by: world[isc-kea-perfdhcp]
105.6 isc-kea-common (no such package):
105.6 required by: isc-kea-admin-2.2.1-r20230719182021[isc-kea-common=2.2.1-r20230719182021]

failed to solve: process "/bin/sh -c apk add bash curl mysql mysql-client && curl -1sLf 'https://dl.cloudsmith.io/public/isc/kea-2-2/setup.alpine.sh' | bash && apk upgrade && apk add build-base mysql-dev isc-kea-admin isc-kea-perfdhcp isc-kea-dhcp4 isc-kea-ctrl-agent isc-kea-hook-lease-cmds isc-kea-hook-stat-cmds isc-kea-hook-ha && curl -sL https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub -o /etc/apk/keys/sgerrand.rsa.pub && curl -sLO https://github.com/sgerrand/alpine-pkg-glibc/releases/download/${GLIBC_VER}/glibc-${GLIBC_VER}.apk && curl -sLO https://github.com/sgerrand/alpine-pkg-glibc/releases/download/${GLIBC_VER}/glibc-bin-${GLIBC_VER}.apk && apk add --no-cache glibc-${GLIBC_VER}.apk glibc-bin-${GLIBC_VER}.apk && curl -sL https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip -o awscliv2.zip && unzip awscliv2.zip && aws/install && rm -rf awscliv2.zip aws /usr/local/aws-cli/v2//dist/aws_completer /usr/local/aws-cli/v2//dist/awscli/data/ac.index /usr/local/aws-cli/v2//dist/awscli/examples && rm glibc-${GLIBC_VER}.apk && rm glibc-bin-${GLIBC_VER}.apk && rm -rf /var/cache/apk/" did not complete successfully: exit code: 8
make: *** [Makefile:41: run] Error 17

darey-io commented 6 months ago

Looking into troubleshooting this

darey-io commented 6 months ago

I got @smjmoj to run make build on his laptop and it worked. My suspicion is incompatibility with the M1 chip that my MacBook laptop has. Putting the ticket back in the backlog to accommodate other priority tickets in the sprint.

darey-io commented 5 months ago

This is now back in the sprint. Will carry on pairing with Sandhya on this.

darey-io commented 5 months ago

Both Sandy and I cannot run the make successfully on our Macs because of the M1 chip restriction.

Sandy has created an Ubuntu PoC server in AWS where we were able to run the application and can collaborate.

darey-io commented 5 months ago

The DHCP log configuration is set to stdout with a DEBUG level of 99, which is high. https://github.com/ministryofjustice/staff-device-dhcp-server/blob/main/dhcp-service/config_api.json#L51

Below is generated data of detailed logs, tested locally in a development environment according to the requirements.

https://drive.google.com/file/d/1zWeg4voT54DZa2jgc2JdGDKYLbEYZEbD/view?usp=sharing