I was recently introduced to the Phantom security orchestration framework (version 1.2.113). The product is very interesting and provides an extensible incident investigation and response automation framework. The level of documentation and extensibility is reminiscent of Splunk's approach to allowing development and customization.
The ample documentation, novel take on security automation, and a $10,000 app development challenge motivated me to try my hand at developing an app.
I ended up building the Shodan.io API connector for Phantom (github). It was a great excuse to expand my Python scripting experience while contributing something to the community. There were some speed bumps along the way. I thought I'd share my experience since the Phantom community is still growing.
Please leave a comment if you find this useful.
Issue #1: Console & SSH Timeouts
After working on this app for quite a while, I noticed that my sessions were closing. I had multiple Putty windows open and the one I left for a while would be gone when I went back to it. This would even happen with byobu sessions. The active session would usually stay available. But the others sessions would close seemingly at random.
My first inclination was that this was due to the SSH timeout as described in this page. However, changing these settings had no effect. And, they did not explain the byobu sessions disappearing.
Solution:
Found here. The closing sessions was due to the TMOUT variable being set.This can be fixed in the Phantom OVA by deleting or commenting out the lines in the following file:
$ cat /etc/profile.d/timeout.sh #TMOUT=600 #export TMOUT
I would recommend leaving this setting as-is in your production environment. But this change eliminates a lot of frustrations working via SSH in your dev instance.
The TMOUT value is set in seconds. So you could also change this to a higher value to extend the time it takes to auto-logout.
Issue #2: "Failed to load the app json"
While following the app tutorial (here) I came across the syntax to run/debug the app from the command line.I remembered the command running correctly when I first ran it. But for some reason my follow-up attempts kept resulting in the following error:
$ python2.7 samplewhois_connector.py ../test_jsons/sample_whois_domain.json { ... uninteresting JSON from sample_whois_domain.json ... } Loaded action execution configuration { "status": "failed", "result_summary": {}, "action_cancelled": false, "message": "Failed to load the app json", "identifier": "whois_domain", "exception_occured": false, "result_data": [] } Exception AttributeError: "'NoneType' object has no attribute 'path'" in <function 0x7f4a356e2758 _remove at> ignored
Kind of confusing right? The real error is not the "Exception AttributeError...". It is "Failed to load the app json".
The issue has to do with how the command is formed on the command line. The tutorial lists the following command to run/debug the app:
$ python2.7 ./samplewhois_connector.py ../test_jsons/sample_whois_domain.json
The command I was running was:
$ python2.7 samplewhois_connector.py ../test_jsons/sample_whois_domain.json
Do you see the difference? It took me more time than I'm comfortable admitting to realize that I had omitted the './' in front of the python file.
For the uninitiated, specifying the relative path of a file is usually unnecessary when you're referencing a file from the command line so long as you're working directory is the same directory as the file. In fact, the file executes as you would expect it to, until it exits with the error. If anyone knows what's causing this and can cure my ignorance I'd greatly appreciate a tip in the comments section.
Solution:
Always include the relative path prefix when you're running your Phantom apps from the command line. Even if you're in the same working directory.
$ python2.7 ./samplewhois_connector.py ../test_jsons/sample_whois_domain.json
Issue #3: Environment Variables
The tutorial lists two essential environment variables to be set for development. This can easily be set from the command-line as suggested. However, this is necessary for every new session. I highly suggest adding these environment variables to the ~/.bash_profile file for the phantom user.
Solution:
Append these two lines to the bottom of ~/.bash_profile
export PYTHONPATH=/opt/phantom/lib/:/opt/phantom/www/ export REQUESTS_CA_BUNDLE=/opt/phantom/etc/cacerts.pem