Monday, October 13, 2014

Splunk Backup Script - splunkBackup.py

A while back I was working on a Splunk setup and needed to automate the backup and restore process. Since Splunk does not do this natively, I thought I should whip up something quickly. I am currently going through the latest Splunk Admin guide (6.1.4) and noticed that there is still no option for automating the backup process. As a result, I figured I should share this script, as someone may either use it as it is or perfect it. Whichever works for you is fine with me.

The Backup Process
The script backs up "/opt/splunk/etc" to the "/home/admin/s_backups" folder. Obviously you can change this in the script. Maybe one of these days I will rewrite the script to let you choose your path; however, when this was written it was to address a specific need.
It creates a log entry for every backup that is done. The events are written to "/home/admin/s_backups/backup.log".

Sample backup log:
Sun Oct 12 21:25:48 2014: info:Backup /home/admin/s_backups/Sun_Oct_12_21_25_42_2014_BACKUP.tar.gz Completed successfully :root pid:19379 


Sample backup file "Sun_Oct_12_21_25_42_2014_BACKUP.tar.gz"
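Since a backup that silently stops running is as bad as no backup, here is an added example (my code, not part of the original script) that parses backup.log in the format shown above and flags failed runs and stale backups, e.g. from a second cron job. The log lines in SAMPLE_LOG are constructed for the example; the 26 hour staleness window is an assumption based on a daily cron schedule.

```python
import re
from datetime import datetime, timedelta
# Constructed sample of backup.log entries, in the format splunkBackup.py writes
SAMPLE_LOG = """\
Sun Oct 12 21:25:48 2014: info:Backup /home/admin/s_backups/Sun_Oct_12_21_25_42_2014_BACKUP.tar.gz Completed successfully :root pid:19379 
Mon Oct 13 02:00:03 2014: info:Backup Started by user:root pid:20011 
Mon Oct 13 02:00:09 2014: info:Backup /home/admin/s_backups/Mon_Oct_13_02_00_05_2014_BACKUP.tar.gz ERROR!!! Backup not completed successfully :root pid:20011 
Tue Oct 14 02:00:08 2014: info:Restore /home/admin/s_backups/Sun_Oct_12_21_25_42_2014_BACKUP.tar.gz Failed :root pid:20555 
"""

# <ctime stamp>: info:<message> :<user> pid:<pid>   ("Started" lines use "user:<user>" instead of ":<user>")
LINE_RE = re.compile(r'^(?P<ts>.+?): info:(?P<msg>.+?) (?::|user:)(?P<user>\S+) pid:(?P<pid>\d+)\s*$')

def parse_log(text):
    """Turn backup.log text into a list of entries; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group('msg')
        if 'Completed successfully' in msg:
            status = 'ok'
        elif 'ERROR' in msg or 'Failed' in msg:
            status = 'failed'
        else:
            status = 'started'
        entries.append({
            'time': datetime.strptime(m.group('ts'), '%a %b %d %H:%M:%S %Y'),
            'action': msg.split()[0],          # Backup or Restore
            'status': status,
            'user': m.group('user'),
            'pid': int(m.group('pid')),
        })
    return entries

def failures(entries):
    """Entries worth alerting on: a backup or restore that did not complete."""
    return [e for e in entries if e['status'] == 'failed']

def last_good_backup(entries):
    """Time of the most recent successful backup, or None if there has never been one."""
    good = [e['time'] for e in entries if e['action'] == 'Backup' and e['status'] == 'ok']
    return max(good) if good else None

def backup_is_stale(entries, now, max_age=timedelta(hours=26)):
    """True when no backup completed within max_age of now (a cron job that stopped firing looks like this)."""
    last = last_good_backup(entries)
    return last is None or now - last > max_age
```

On a real host, read the file instead of SAMPLE_LOG and pass datetime.now() as `now`; a non-empty failures() list or a True from backup_is_stale() is what the alert should fire on.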

The Restore Process
The restore process restores a previous backup by extracting the selected tar.gz file.
It then replaces the existing "/opt/splunk/etc" folder (the old one is kept as "/opt/splunk/etc.OLD").
It then writes a log entry similar to the backup entry.

Email
You will need to specify your mail relay server.
You will need to specify a receiving email address.
Once the backup/restore process is completed, an email containing the last log entry is sent to the address previously specified.

Hope this script helps someone else.



#!/usr/bin/env python
# This script makes a backup of the splunk 'etc' folder located in /opt/splunk/etc
# which contains all the Splunk configuration. It does not backup any data
# Author Nik Alleyne, CISSP | GCIA | SFCA
# Email < nikalleyne at gmail dot com >
# splunkBackup.py
# March 2014

# To run this script manually, simply put an argument after the script. Any argument will do
# eg ./splunkBackup.py --backup
# another example: even ./splunkBackup.py 0 will work
# With no argument the script runs in automated (cron) mode and performs a backup


import getpass
import os
import shutil
import subprocess
import sys
import time
import tarfile

import smtplib
from email.mime.text import MIMEText

# Python 2 calls the prompt function raw_input(); on Python 3 it is input()
try:
    input = raw_input
except NameError:
    pass

# Paths used by the backup and restore process. Change these to suit your setup
BACKUP_DIR = '/home/admin/s_backups'
BACKUP_LOG = '/home/admin/s_backups/backup.log'
BACKUP_SRC = '/opt/splunk/etc'
RESTORE_DIR = '/opt/splunk'
SPLUNK_BIN = '/opt/splunk/bin/splunk'

# Mail settings. MAIL_RELAY must point at your mail relay server, SEND_TO at the receiving address
MAIL_RELAY = 'localhost'
SEND_FROM = 'SecurityNik Splunk <splunk@securitynik.com>'
SEND_TO = 'Splunk Receiver <splunkreceiver@securitynik.com>'


def _user():
    # os.getlogin() needs a controlling terminal and raises OSError under cron,
    # so use getpass.getuser() which also works in automated mode
    return getpass.getuser()


def _log(message):
    # Append one time stamped line to the backup log, eg
    # Sun Oct 12 21:25:48 2014: info:Backup <file> Completed successfully :root pid:19379
    f = open(BACKUP_LOG, 'a')
    f.write('%s: info:%s :%s pid:%s \n' % (time.ctime(), message, _user(), os.getpid()))
    f.close()


# Check the OS to ensure it is Linux
def check_os():
    if os.name == 'posix' and os.uname()[0] == 'Linux':
        print('=' * 50)
        print(' :: OS: %s :: Host: %s \n :: User: %s :: PID:%s \n :: Time: %s ' % (os.uname()[0], os.uname()[1], _user(), os.getpid(), time.ctime()))
        print('=' * 50)
    else:
        print(' While this script may work on other platforms \n it was designed for Linux.')
        sys.exit(0)


# Build the menu
def menu():
    print('=' * 50)
    print(' Welcome to the Splunk Backup Script ')
    print(' Powered by SecurityNik ')
    print('=' * 50)
    print(' 1. Backup The System Config')
    print(' 2. Restore System Config ')
    print(' 3. Press any other key to exit  ')
    choice = input(' \n Enter Selection:  ')

    # Read the choice and process
    if choice == '1':
        _backup()
    elif choice == '2':
        _restore()
    else:
        print(' \n Exiting ... ')
        sys.exit(0)


# Do the work for backing up the configs
def _backup():
    print(' \n Checking for backup directory ... %s ' % BACKUP_DIR)
    time.sleep(2)

    if os.path.isdir(BACKUP_DIR):
        print(' Backup directory found ')
        time.sleep(2)
    else:
        print(' Backup directory not found ')
        print(' Creating backup directory ...  %s ' % BACKUP_DIR)
        try:
            os.mkdir(BACKUP_DIR, 0o755)
            open(BACKUP_LOG, 'w').close()
            print(' Backup directory successfully created ')
            time.sleep(2)
        except OSError as e:
            print(' An error occurred while creating the directory ... %s ' % e)
            print(' Maybe a file currently exists with this name in the /home/admin directory')
            print(' Try creating the directory %s manually and rerun the script ' % BACKUP_DIR)
            sys.exit(0)

    # Write Backup information to log file
    _log('Backup Started by user')
    time.sleep(2)

    print('\n Gathering files for backup .... ')
    print(' The following files and directories will be backed up ')
    time.sleep(2)
    # Walk the tree once: print each directory followed by the files it contains
    for root, dirs, files in os.walk(BACKUP_SRC):
        print('%s' % root)
        for name in files:
            print('%s' % os.path.join(root, name))

    # Let's tar and zip the files in the /opt/splunk/etc folder.
    # The file name is the current time with spaces and colons replaced by underscores,
    # eg Sun_Oct_12_21_25_42_2014_BACKUP.tar.gz. It is built before open() so the
    # error path below can always name the file
    backup_name = os.path.join(BACKUP_DIR, '_'.join(time.ctime().replace(':', '_').split()) + '_BACKUP.tar.gz')
    try:
        backup = tarfile.open(backup_name, 'w:gz')
        backup.add(BACKUP_SRC, arcname='etc')
        backup.close()
        print(' \n\n Backup completed successfully \n Backup stored in %s ' % backup_name)
        _log('Backup %s Completed successfully' % backup_name)
    except (OSError, IOError, tarfile.TarError) as e:
        print(' An error occurred during the backup process. %s ' % e)
        _log('Backup %s ERROR!!! Backup not completed successfully' % backup_name)


def _safe_member(base, member):
    # Reject archive members that would be written outside base: ../ and absolute
    # paths, and links whose target lies outside the restore directory
    target = os.path.realpath(os.path.join(base, member.name))
    if target != base and not target.startswith(base + os.sep):
        return False
    if member.issym() or member.islnk():
        link_base = base if member.islnk() else os.path.dirname(target)
        link = os.path.realpath(os.path.join(link_base, member.linkname))
        if link != base and not link.startswith(base + os.sep):
            return False
    return True


def _restore():
    backups = {}
    etc_dir = os.path.join(RESTORE_DIR, 'etc')
    old_dir = os.path.join(RESTORE_DIR, 'etc.OLD')
    print(' Beginning the Restore Process ')
    print(' Locating backup directory ')
    time.sleep(2)

    # Write Restore information to log file
    _log('Restore Started by user')
    time.sleep(2)

    if os.path.isdir(BACKUP_DIR):
        print(' Backup dir found %s \n' % BACKUP_DIR)
    else:
        print(' Could not locate backup dir %s' % BACKUP_DIR)
        print(' You can also manually use tar to extract the file ')
        print(' Exiting ')
        sys.exit(0)

    # Number the backups so the user can pick one; sorted so the numbering is stable between runs
    tar_files = sorted(n for n in os.listdir(BACKUP_DIR) if n.endswith('_BACKUP.tar.gz'))
    for i, tar_file in enumerate(tar_files, 1):
        backups[i] = tar_file
    if not backups:
        print(' No backups found in %s \n Exiting ... ' % BACKUP_DIR)
        sys.exit(0)
    for bak_no, bak_file in sorted(backups.items()):
        print(' %d : %s' % (bak_no, bak_file))

    restore_choice = input(' Please select a backup number:')
    # A non numeric answer would otherwise crash the script with a ValueError
    try:
        restore_choice = int(restore_choice)
    except ValueError:
        restore_choice = None
    if restore_choice in backups:
        restore_file = os.path.join(BACKUP_DIR, backups[restore_choice])
        print(' Preparing to restore  %s ' % restore_file)
    else:
        print(' Not a valid backup \n Exiting ... ')
        sys.exit(0)

    try:
        # Check every member of the archive before Splunk is stopped or anything is moved
        restore = tarfile.open(restore_file, 'r:gz')
        base = os.path.realpath(RESTORE_DIR)
        for member in restore.getmembers():
            if not _safe_member(base, member):
                raise tarfile.TarError('unsafe path in archive: %s' % member.name)

        subprocess.call([SPLUNK_BIN, 'stop'])
        if os.path.exists(old_dir):
            shutil.rmtree(old_dir)
        # Keep the current config as etc.OLD so it can be put back if the restore fails
        os.rename(etc_dir, old_dir)
        restore.extractall(RESTORE_DIR)
        restore.close()

        _log('Restore %s Completed successfully' % restore_file)
        print('\n\n Restore completed successfully ')
        subprocess.call([SPLUNK_BIN, 'start'])
    except (OSError, IOError, tarfile.TarError) as e:
        # Put the previous config back if it was already moved aside, then restart Splunk
        if os.path.isdir(old_dir) and not os.path.exists(etc_dir):
            os.rename(old_dir, etc_dir)
            subprocess.call([SPLUNK_BIN, 'start'])
        _log('Restore %s Failed' % restore_file)
        print('\n\n Restore Failed to complete for %s: %s ' % (restore_file, e))
        sys.exit(0)


def _mailer():
    print(' Sending Mail ...')
    # The last line of the log is the result of the backup/restore that just ran
    f = open(BACKUP_LOG)
    lines = f.readlines()
    f.close()
    line = lines[-1] if lines else 'No entries found in %s\n' % BACKUP_LOG
    print(line)

    msg = MIMEText(' Backup/Restore notification \n' + line + '\n Powered by SecurityNik')
    msg['From'] = SEND_FROM
    msg['To'] = SEND_TO
    msg['Subject'] = 'Splunk Backup/Restore Notification'

    try:
        mailer_send = smtplib.SMTP(MAIL_RELAY)
        mailer_send.sendmail(SEND_FROM, [SEND_TO], msg.as_string())
        mailer_send.quit()
    except (smtplib.SMTPException, IOError) as e:
        # A mail failure should not hide the result of the backup, which is already in the log
        print(' Could not send notification via %s: %s ' % (MAIL_RELAY, e))


def main():
    subprocess.call('clear')
    check_os()

    if len(sys.argv) == 1:
        print(' Running in Automated Mode ... This mode works with cron. A cron job needs to be set up for this to be used')
        _backup()
    else:
        menu()

    _mailer()


if __name__ == '__main__':
    main()


splunkBackup.py
MD5: 6598a5c8f6de293b2a032972847e7288 splunkbackup.py
SHA1: 6e6a515ead39151873cb8b23a3d43c836f565cdc splunkbackup.py

My Top 5 Computer Future Security Issues




Data Breaches

“A breach is defined as an event in which an individual’s name plus a medical record and/or a financial record or debit card is potentially put at risk—either in electronic or paper format.” (Ponemon, 2014)


For the first half of 2014, there were a reported 1,331 incidents. As a result of these incidents, there were a reported 502 million records exposed (datalossdb.org, 2014). For all of 2013, there were a reported 2308 incidents (datalossdb.org, 2014). While it is generally accepted that sooner or later an organization will be breached, the frequency with which these breaches occur and the number of records involved is what is astounding.



Interestingly, these breaches are not limited to a specific country or industry. Figure 1 below shows the number of breaches experienced by country, while Figure 2 shows the number by industry, during the period May 2013 to May 2014.

Figure 1: breaches by country (source: Ponemon Institute)

Figure 2: breaches by industry (source: Ponemon Institute)



Identity Theft/Fraud

Identity theft is referred to as the “preparatory stage of acquiring and collecting someone else’s personal information for criminal purposes” (rcmp-grc.gc.ca). Identity fraud, on the other hand, is defined as “the unauthorized use of another person’s personal information to achieve illicit financial gain” (javelinstrategy.com, 2014).


With the massive amount of breached records and the known proclivity of cyber criminals to ensure they are compensated for their illegal activities, one can only conclude that sooner or later these records will be on the black market. Some sites from which credit card and other personal information can be bought are rescator.* (.cm, .la and .so), kaddaf[dot]hk, octavian[dot]su and cheapdumps[dot]org (Krebs, 2013).

More importantly, it is reported that there was “A New Identity Fraud Victim Every Two Seconds in 2013” (javelinstrategy.com, 2014). Of greater importance, one in three people who received a data breach notification letter were victims of identity fraud (javelinstrategy.com, 2014).

The graph below shows the number of identity theft victims in millions.

Figure 3: identity theft victims, in millions (source: Javelinstrategy.com)


Human Factor

Whether it is a user who has clicked on a link in a phishing email or an administrator who misconfigured a firewall, the human factor plays a tremendous role in the security threat paradigm. It is reported that 30% of all data breaches are a result of human error (Ponemon, 2014).


Figure 4:

Organizations such as the SANS Institute have recognized the importance of the role of humans in IT security and have implemented programs based on “Securing the Human” (securingthehuman.org). The idea behind these programs is that while everyone cannot be made an expert in IT security, everyone can at least be made aware of some of the dangers related to technology. Through its OUCH! newsletter, SANS also produces free documents, each of which explains a specific topic and the actions people can take to protect themselves (securingthehuman.org, 2014).


Mobile/Wearable Malware


It is predicted that in 2015, 87% of connected device sales will be tablets and smartphones (idc.com, 2013). This immediately implies that most of our online activities will be done via a smartphone and/or tablet. To be able to use these devices effectively, an operating system is required. It is estimated that Android owns 76% of this market, with iOS at 14.4%, as shown in the figure below.

Figure 5: mobile operating system market share (source: MobileThinking)


The threat comes not necessarily from these devices themselves but from the underlying OS which they use. According to F-Secure, for Q1 2014 there were 275 threat families (malware) that run on Android, 1 for iPhone and 1 for Symbian (F-Secure, 2014).

In addition, the advent of smart watches, Google Glass, fitness tracking bands and other wearables makes for an even more interesting mobile future.


Internet of Things
As we continue to march towards the future, my biggest fear lies in what else we may choose to connect to the Internet.


The Internet of Things is considered a network of physical objects which are accessed through the Internet. Through the Internet of Things, manufacturing floors, energy grids, healthcare facilities and transportation systems can all be connected to the Internet (cisco.com).

It is reported that a staggering 30 billion devices will connect wirelessly to the Internet of Everything in 2020 (abiresearch.com, 2013). If we contrast this with the world’s population, which currently stands at 7.2 billion (worldometers.info), we can conclude that each person will be responsible for at least 4 devices in 2020. Our rush to have everything interconnected will provide us with a very interesting future.

References:

rcmp-grc.gc.ca. (n.d.). Identity theft. Retrieved from http://www.rcmp-grc.gc.ca/scams-fraudes/id-theft-vol-eng.htm
securingthehuman.org. (n.d.). Retrieved from http://www.securingthehuman.org
cisco.com. (n.d.). Internet of Things overview. Retrieved from http://www.cisco.com/web/solutions/trends/iot/overview.html
worldometers.info. (n.d.). World population. Retrieved from http://www.worldometers.info/world-population/
idc.com. (2013, 09 11). Retrieved from http://www.idc.com/getdoc.jsp?containerId=prUS24314413
abiresearch.com. (2013, 05 09). Retrieved from https://www.abiresearch.com/press/more-than-30-billion-devices-will-wirelessly-conne
datalossdb.org. (2014, 08 24). Retrieved from http://datalossdb.org
census.gov. (2014, 08 25). Population clock. Retrieved from http://www.census.gov/popclock/
javelinstrategy.com. (2014, 02 05). A New Identity Fraud Victim Every Two Seconds in 2013. Retrieved from https://www.javelinstrategy.com/news/1467/92/A-New-Identity-Fraud-Victim-Every-Two-Seconds-in-2013-According-to-Latest-Javelin-Strategy-Research-Study/d,pressRoomDetail
securingthehuman.org. (2014, 08). OUCH! newsletter. Retrieved from http://www.securingthehuman.org/resources/newsletters/ouch/2014
F-Secure. (2014). Mobile Threat Report Q1 2014. F-Secure.
Krebs, B. (2013, 12 13). Who's Selling Credit Cards from Target? Retrieved from http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/
Ponemon Institute. (2014). 2014 Cost of Data Breach Study: Global Analysis. Ponemon Institute.
Ziobro, P. (n.d.). With Credit Card Data in Play, Who Hacks the Hackers? Retrieved from http://blogs.wsj.com/corporate-intelligence/2014/03/17/with-credit-card-data-in-play-who-hacks-the-hackers/