experimenting with github pages

cisagov · Sep 23, 2022 · 3b5e26a · 3b5e26a
1 parent 3f20469
commit 3b5e26a
Show file tree

Hide file tree

Showing 59 changed files with 160 additions and 163 deletions.
diff --git a/docs/README.md b/docs/README.md
@@ -1,4 +1,4 @@
-## <a name="Overview"></a>Overview
+# <a name="Overview"></a>Overview
 
 ![Malcolm Network Diagram](./images/malcolm_network_diagram.png)
 
@@ -12,8 +12,7 @@ The enriched data is stored in an [OpenSearch](https://opensearch.org/) document
 
 For smaller networks, use at home by network security enthusiasts, or in the field for incident response engagements, Malcolm can also easily be deployed locally on an ordinary consumer workstation or laptop. Malcolm can process local artifacts such as locally-generated Zeek logs, locally-captured PCAP files, and PCAP files collected offline without the use of a dedicated sensor appliance.
 
-## <a name="TableOfContents"></a>Table of Contents
-
+<a name="TableOfContents"></a>
 * [Quick start](quickstart.md#QuickStart)
     - [Getting Malcolm](quickstart.md#GetMalcolm)
     - [User interface](quickstart.md#UserInterfaceURLs)

diff --git a/docs/alerting.md b/docs/alerting.md
@@ -1,4 +1,4 @@
-### <a name="Alerting"></a>Alerting
+# <a name="Alerting"></a>Alerting
 
 * [Alerting](#Alerting)
     - [Email Sender Accounts](#AlertingEmail)
@@ -7,7 +7,7 @@ Malcolm uses the Alerting plugins for [OpenSearch](https://github.com/opensearch
 
 A fresh installation of Malcolm configures an example [custom webhook destination](https://opensearch.org/docs/latest/monitoring-plugins/alerting/monitors/#create-destinations) named **Malcolm API Loopback Webhook** that directs the triggered alerts back into the [Malcolm API](api.md#API) to be reindexed as a session record with `event.dataset` set to `alerting`. The corresponding monitor **Malcolm API Loopback Monitor** is disabled by default, as you'll likely want to configure the trigger conditions to suit your needs. These examples are provided to illustrate how triggers and monitors can interact with a custom webhook to process alerts.
 
-#### <a name="AlertingEmail"></a>Email Sender Accounts
+## <a name="AlertingEmail"></a>Email Sender Accounts
 
 When using an email account to send alerts, you must [authenticate each sender account](https://opensearch.org/docs/latest/monitoring-plugins/alerting/monitors/#authenticate-sender-account) before you can send an email. The [`auth_setup`](authsetup.md#AuthSetup) script can be used to securely store the email account credentials:
 

diff --git a/docs/anomaly-detection.md b/docs/anomaly-detection.md
@@ -1,4 +1,4 @@
-### <a name="AnomalyDetection"></a>Anomaly Detection
+# <a name="AnomalyDetection"></a>Anomaly Detection
 
 Malcolm uses the Anomaly Detection plugins for [OpenSearch](https://github.com/opensearch-project/anomaly-detection) and [OpenSearch Dashboards](https://github.com/opensearch-project/anomaly-detection-dashboards-plugin) to identify anomalous log data in near real-time using the [Random Cut Forest](https://api.semanticscholar.org/CorpusID:927435) (RCF) algorithm. This can be paired with [Alerting](alerting.md#Alerting) to automatically notify when anomalies are found. See [Anomaly detection](https://opensearch.org/docs/latest/monitoring-plugins/ad/index/) in the OpenSearch documentation for usage instructions on how to create detectors for any of the many fields Malcolm supports.
 

diff --git a/docs/api-aggregations.md b/docs/api-aggregations.md
@@ -1,4 +1,4 @@
-#### Field Aggregations
+# Field Aggregations
 
 `GET` or `POST` - /mapi/agg/`<fieldname>`
 

diff --git a/docs/api-document-lookup.md b/docs/api-document-lookup.md
@@ -1,4 +1,4 @@
-#### Document Lookup
+# Document Lookup
 
 `GET` or `POST` - /mapi/document
 

diff --git a/docs/api-event-logging.md b/docs/api-event-logging.md
@@ -1,4 +1,4 @@
-#### Event Logging
+# Event Logging
 
 `POST` - /mapi/event
 

diff --git a/docs/api-examples.md b/docs/api-examples.md
@@ -1,4 +1,4 @@
-#### <a name="APIExamples"></a>Examples
+# <a name="APIExamples"></a>Examples
 
 Some security-related API examples:
 

diff --git a/docs/api-fields.md b/docs/api-fields.md
@@ -1,4 +1,4 @@
-#### Fields
+# Fields
 
 `GET` - /mapi/fields
 

diff --git a/docs/api-indices.md b/docs/api-indices.md
@@ -1,4 +1,4 @@
-#### Indices
+# Indices
 
 `GET` - /mapi/indices
 

diff --git a/docs/api-ping.md b/docs/api-ping.md
@@ -1,4 +1,4 @@
-#### Ping
+# Ping
 
 `GET` - /mapi/ping
 

diff --git a/docs/api-version.md b/docs/api-version.md
@@ -1,4 +1,4 @@
-#### Version Information
+# Version Information
 
 `GET` - /mapi/version
 

diff --git a/docs/api.md b/docs/api.md
@@ -1,4 +1,4 @@
-### <a name="API"></a>API
+# <a name="API"></a>API
 
 * [Aggregations](api-aggregations.md)
 * [Document](api-document-lookup.md)

diff --git a/docs/arkime.md b/docs/arkime.md
@@ -1,4 +1,4 @@
-## <a name="Arkime"></a>Arkime
+# <a name="Arkime"></a>Arkime
 
 * [Arkime](#Arkime)
     - [Zeek log integration](#ArkimeZeek)
@@ -15,7 +15,7 @@
 
 The Arkime interface will be accessible over HTTPS on port 443 at the docker hosts IP address (e.g., [https://localhost](https://localhost) if you are connecting locally).
 
-### <a name="ArkimeZeek"></a>Zeek log integration
+## <a name="ArkimeZeek"></a>Zeek log integration
 
 A stock installation of Arkime extracts all of its network connection ("session") metadata ("SPI" or "Session Profile Information") from full packet capture artifacts (PCAP files). Zeek (formerly Bro) generates similar session metadata, linking network events to sessions via a connection UID. Malcolm aims to facilitate analysis of Zeek logs by mapping values from Zeek logs to the Arkime session database schema for equivalent fields, and by creating new "native" Arkime database fields for all the other Zeek log values for which there is not currently an equivalent in Arkime:
 
@@ -31,7 +31,7 @@ Click the icon of the owl **🦉** in the upper-left hand corner of to access th
 
 The values of records created from Zeek logs can be expanded and viewed like any native Arkime session by clicking the plus **➕** icon to the left of the record in the Sessions view. However, note that when dealing with these Zeek records the full packet contents are not available, so buttons dealing with viewing and exporting PCAP information will not behave as they would for records from PCAP files. Other than that, Zeek records and their values are usable in Malcolm just like native PCAP session records.
 
-#### <a name="ZeekArkimeFlowCorrelation"></a>Correlating Zeek logs and Arkime sessions
+### <a name="ZeekArkimeFlowCorrelation"></a>Correlating Zeek logs and Arkime sessions
 
 The Arkime interface displays both Zeek logs and Arkime sessions alongside each other. Using fields common to both data sources, one can [craft queries](queries-cheat-sheet.md#SearchCheatSheet) to filter results matching desired criteria.
 
@@ -45,11 +45,11 @@ Filtering on community ID OR'ed with zeek UID (e.g., `network.community_id == "1
 
 ![Correlating Arkime sessions and Zeek logs](./images/screenshots/arkime_correlate_communityid_uid.png)
 
-### <a name="ArkimeHelp"></a>Help
+## <a name="ArkimeHelp"></a>Help
 
 Click the icon of the owl 🦉 in the upper-left hand corner of to access the Arkime usage documentation (accessible at [https://localhost/help](https://localhost/help) if you are connecting locally), which includes such topics as [search syntax](https://localhost/help#search), the [Sessions view](https://localhost/help#sessions), [SPIView](https://localhost/help#spiview), [SPIGraph](https://localhost/help#spigraph), and the [Connections](https://localhost/help#connections) graph.
 
-### <a name="ArkimeSessions"></a>Sessions
+## <a name="ArkimeSessions"></a>Sessions
 
 The **Sessions** view provides low-level details of the sessions being investigated, whether they be Arkime sessions created from PCAP files or [Zeek logs mapped](#ArkimeZeek) to the Arkime session database schema.
 
@@ -80,13 +80,13 @@ When viewing Arkime session details (ie., a session generated from a PCAP file),
 
 See also Arkime's usage documentation for more information on the [Sessions view](https://localhost/help#sessions).
 
-#### <a name="ArkimePCAPExport"></a>PCAP Export
+### <a name="ArkimePCAPExport"></a>PCAP Export
 
 Clicking the down arrow **▼** icon to the far right of the search bar presents a list of actions including **PCAP Export** (see Arkime's [sessions help](https://localhost/help#sessions) for information on the other actions).  When full PCAP sessions are displayed, the **PCAP Export** feature allows you to create a new PCAP file from the matching Arkime sessions, including controls for which sessions are included (open items, visible items, or all matching items) and whether or not to include linked segments. Click **Export PCAP** button to generate the PCAP, after which you'll be presented with a browser download dialog to save or open the file. Note that depending on the scope of the filters specified this might take a long time (or, possibly even time out).
 
 ![Export PCAP](./images/screenshots/arkime_export_pcap.png)
 
-### <a name="ArkimeSPIView"></a>SPIView
+## <a name="ArkimeSPIView"></a>SPIView
 
 Arkime's **SPI** (**S**ession **P**rofile **I**nformation) **View** provides a quick and easy-to-use interface for  exploring session/log metrics. The SPIView page lists categories for general session metrics (e.g., protocol, source and destination IP addresses, sort and destination ports, etc.) as well as for all of various types of network traffic understood by Malcolm. These categories can be expanded and the top *n* values displayed, along with each value's cardinality, for the fields of interest they contain.
 
@@ -98,7 +98,7 @@ Note that because the SPIView page can potentially run many queries, SPIView lim
 
 See also Arkime's usage documentation for more information on [SPIView](https://localhost/help#spiview).
 
-### <a name="ArkimeSPIGraph"></a>SPIGraph
+## <a name="ArkimeSPIGraph"></a>SPIGraph
 
 Arkime's **SPI** (**S**ession **P**rofile **I**nformation) **Graph** visualizes the occurrence of some field's top *n* values over time, and (optionally) geographically. This is particularly useful for identifying trends in a particular type of communication over time: traffic using a particular protocol when seen sparsely at regular intervals on that protocol's date histogram in the SPIGraph may indicate a connection check, polling, or beaconing (for example, see the `llmnr` protocol in the screenshot below).
 
@@ -108,7 +108,7 @@ Controls can be found underneath the time bounding controls for selecting the fi
 
 See also Arkime's usage documentation for more information on [SPIGraph](https://localhost/help#spigraph).
 
-### <a name="ArkimeConnections"></a>Connections
+## <a name="ArkimeConnections"></a>Connections
 
 The **Connections** page presents network communications via a force-directed graph, making it easy to visualize logical relationships between network hosts.
 
@@ -127,7 +127,7 @@ or any other combination of these or other fields.
 
 See also Arkime's usage documentation for more information on the [Connections graph](https://localhost/help#connections).
 
-### <a name="ArkimeHunt"></a>Hunt
+## <a name="ArkimeHunt"></a>Hunt
 
 Arkime's **Hunt** feature allows an analyst to search within the packets themselves (including payload data) rather than simply searching the session metadata. The search string may be specified using ASCII (with or without case sensitivity), hex codes, or regular expressions. Once a hunt job is complete, matching sessions can be viewed in the [Sessions](#ArkimeSessions)  view.
 
@@ -157,7 +157,7 @@ The hunt feature is available only for sessions created from full packet capture
 
 See also Arkime's usage documentation for more information on the [hunt feature](https://localhost/help#hunt).
 
-### <a name="ArkimeStats"></a>Statistics
+## <a name="ArkimeStats"></a>Statistics
 
 Arkime provides several other reports which show information about the state of Arkime and the underlying OpenSearch database.
 
@@ -175,9 +175,9 @@ The **History** view provides a historical list of queries issues to Arkime and
 
 See also Arkime's usage documentation for more information on the [Files list](https://localhost/help#files), [statistics](https://localhost/help#files), and [history](https://localhost/help#history).
 
-### <a name="ArkimeSettings"></a>Settings
+## <a name="ArkimeSettings"></a>Settings
 
-#### General settings
+### General settings
 
 The **Settings** page can be used to tweak Arkime preferences, defined additional custom views and column configurations, tweak the color theme, and more.
 

diff --git a/docs/authsetup.md b/docs/authsetup.md
@@ -1,4 +1,4 @@
-### <a name="AuthSetup"></a>Configure authentication
+# <a name="AuthSetup"></a>Configure authentication
 
 * [Configure authentication](#AuthSetup)
     - [Local account management](#AuthBasicAccountManagement)
@@ -25,15 +25,15 @@ In either case, you **must** run `./scripts/auth_setup` before starting Malcolm
 * specify whether or not to [store the username/password](https://opensearch.org/docs/latest/monitoring-plugins/alerting/monitors/#authenticate-sender-account) for [email alert senders](https://opensearch.org/docs/latest/monitoring-plugins/alerting/monitors/#create-destinations)
     * these parameters are stored securely in the OpenSearch keystore file `opensearch/opensearch.keystore`
 
-##### <a name="AuthBasicAccountManagement"></a>Local account management
+# <a name="AuthBasicAccountManagement"></a>Local account management
 
 [`auth_setup`](#AuthSetup) is used to define the username and password for the administrator account. Once Malcolm is running, the administrator account can be used to manage other user accounts via a **Malcolm User Management** page served over HTTPS on port 488 (e.g., [https://localhost:488](https://localhost:488) if you are connecting locally).
 
 Malcolm user accounts can be used to access the [interfaces](quickstart.md#UserInterfaceURLs) of all of its [components](components.md#Components), including Arkime. Arkime uses its own internal database of user accounts, so when a Malcolm user account logs in to Arkime for the first time Malcolm creates a corresponding Arkime user account automatically. This being the case, it is *not* recommended to use the Arkime **Users** settings page or change the password via the **Password** form under the Arkime **Settings** page, as those settings would not be consistently used across Malcolm.
 
 Users may change their passwords via the **Malcolm User Management** page by clicking **User Self Service**. A forgotten password can also be reset via an emailed link, though this requires SMTP server settings to be specified in `htadmin/config.ini` in the Malcolm installation directory.
 
-#### <a name="AuthLDAP"></a>Lightweight Directory Access Protocol (LDAP) authentication
+## <a name="AuthLDAP"></a>Lightweight Directory Access Protocol (LDAP) authentication
 
 The [nginx-auth-ldap](https://github.com/kvspb/nginx-auth-ldap) module serves as the interface between Malcolm's [Nginx](https://nginx.org/) web server and a remote LDAP server. When you run [`auth_setup`](#AuthSetup) for the first time, a sample LDAP configuration file is created at `nginx/nginx_ldap.conf`. 
 
@@ -74,7 +74,7 @@ Before starting Malcolm, edit `nginx/nginx_ldap.conf` according to the specifics
 
 The **Malcolm User Management** page described above is not available when using LDAP authentication.
 
-##### <a name="AuthLDAPSecurity"></a>LDAP connection security
+# <a name="AuthLDAPSecurity"></a>LDAP connection security
 
 Authentication over LDAP can be done using one of three ways, [two of which](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/8e73932f-70cf-46d6-88b1-8d9f86235e81) offer data confidentiality protection: 
 
@@ -96,7 +96,7 @@ In addition to the `NGINX_BASIC_AUTH` environment variable being set to `false`
 
 For encrypted connections (whether using **StartTLS** or **LDAPS**), Malcolm will require and verify certificates when one or more trusted CA certificate files are placed in the `nginx/ca-trust/` directory. Otherwise, any certificate presented by the domain server will be accepted.
 
-### <a name="TLSCerts"></a>TLS certificates
+# <a name="TLSCerts"></a>TLS certificates
 
 When you [set up authentication](#AuthSetup) for Malcolm a set of unique [self-signed](https://en.wikipedia.org/wiki/Self-signed_certificate) TLS certificates are created which are used to secure the connection between clients (e.g., your web browser) and Malcolm's browser-based interface. This is adequate for most Malcolm instances as they are often run locally or on internal networks, although your browser will most likely require you to add a security exception for the certificate the first time you connect to Malcolm.
 

diff --git a/docs/components.md b/docs/components.md
@@ -1,4 +1,4 @@
-## <a name="Components"></a>Components
+# <a name="Components"></a>Components
 
 Malcolm leverages the following excellent open source tools, among others.
 

diff --git a/docs/contributing-dashboards.md b/docs/contributing-dashboards.md
@@ -1,8 +1,8 @@
-## <a name="dashboards"></a>OpenSearch Dashboards
+# <a name="dashboards"></a>OpenSearch Dashboards
 
 [OpenSearch Dashboards](https://opensearch.org/docs/latest/dashboards/index/) is an open-source fork of [Kibana](https://www.elastic.co/kibana/), which is [no longer open-source software](https://github.com/idaholab/Malcolm/releases/tag/v5.0.0).
 
-### <a name="DashboardsNewViz"></a>Adding new visualizations and dashboards
+## <a name="DashboardsNewViz"></a>Adding new visualizations and dashboards
 
 Visualizations and dashboards can be [easily created](dashboards.md#BuildDashboard) in OpenSearch Dashboards using its drag-and-drop WYSIWIG tools. Assuming you've created a new dashboard you wish to package with Malcolm, the dashboard and its visualization components can be exported using the following steps:
 
@@ -34,7 +34,7 @@ Visualizations and dashboards can be [easily created](dashboards.md#BuildDashboa
     ```
 1. Include the new dashboard either by using a [bind mount](contributing-local-modifications.md#Bind) for the `./dashboards./dashboards/` directory or by [rebuilding](development.md#Build) the `dashboards-helper` Docker image. Dashboards are imported the first time Malcolm starts up.
 
-### <a name="DashboardsPlugins"></a>OpenSearch Dashboards plugins
+## <a name="DashboardsPlugins"></a>OpenSearch Dashboards plugins
 
 The [dashboards.Dockerfile](../Dockerfiles/dashboards.Dockerfile) installs the OpenSearch Dashboards plugins used by Malcolm (search for `opensearch-dashboards-plugin install` in that file). Additional Dashboards plugins could be installed by modifying this Dockerfile and [rebuilding](development.md#Build) the `dashboards` Docker image.
 

diff --git a/docs/contributing-file-scanners.md b/docs/contributing-file-scanners.md
@@ -1,4 +1,4 @@
-## <a name="Scanners"></a>Carved file scanners
+# <a name="Scanners"></a>Carved file scanners
 
 Similar to the [PCAP processing pipeline](contributing-pcap.md#PCAP) described above, new tools can plug into Malcolm's [automatic file extraction and scanning](file-scanning.md#ZeekFileExtraction) to examine file transfers carved from network traffic.
 

diff --git a/docs/contributing-guide.md b/docs/contributing-guide.md
@@ -2,8 +2,7 @@
 
 The purpose of this document is to provide some direction for those willing to modify Malcolm, whether for local customization or for contribution to the Malcolm project.
 
-## <a name="TableOfContents"></a>Table of Contents
-
+<a name="ContribTableOfContents"></a>
 * [Local modifications](contributing-local-modifications.md#LocalMods)
     + [Docker bind mounts](contributing-local-modifications.md#Bind)
     + [Building Malcolm's Docker images](contributing-local-modifications.md#ContribBuild)

diff --git a/docs/contributing-local-modifications.md b/docs/contributing-local-modifications.md
@@ -1,8 +1,8 @@
-## <a name="LocalMods"></a>Local modifications
+# <a name="LocalMods"></a>Local modifications
 
 There are several ways to customize Malcolm's runtime behavior via local changes to configuration files. Many commonly-tweaked settings are discussed in the project [README](README.md) (see [`docker-compose.yml` parameters](malcolm-config.md#DockerComposeYml) and [Customizing event severity scoring](severity.md#SeverityConfig) for some examples).
 
-### <a name="Bind"></a>Docker bind mounts
+## <a name="Bind"></a>Docker bind mounts
 
 Some configuration changes can be put in place by modifying local copies of configuration files and then use a [Docker bind mount](https://docs.docker.com/storage/bind-mounts/) to overlay the modified file onto the running Malcolm container. This is already done for many files and directories used to persist Malcolm configuration and data. For example, the default list of bind mounted files and directories for each Malcolm service is as follows:
 
@@ -117,7 +117,7 @@ The change would take effect after stopping and starting Malcolm.
 
 See the documentation on [Docker bind mount](https://docs.docker.com/storage/bind-mounts/) for more information on this technique.
 
-### <a name="ContribBuild"></a>Building Malcolm's Docker images
+## <a name="ContribBuild"></a>Building Malcolm's Docker images
 
 Another method for modifying your local copies of Malcolm's services' containers is to [build your own](development.md#Build) containers with the modifications baked-in.