mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 17:22:49 +01:00
Merge pull request #6705 from Security-Onion-Solutions/kilo
Initial CM Impl; Improve so-user script
This commit is contained in:
Jason Ertel
GitHub
@@ -147,7 +147,7 @@ function updatePassword() {
|
|||||||
# Generate password hash
|
# Generate password hash
|
||||||
passwordHash=$(hashPassword "$password")
|
passwordHash=$(hashPassword "$password")
|
||||||
# Update DB with new hash
|
# Update DB with new hash
|
||||||
echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB) where identity_id='${identityId}';" | sqlite3 "$databasePath"
|
echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), updated_at=datetime('now') where identity_id='${identityId}';" | sqlite3 "$databasePath"
|
||||||
[[ $? != 0 ]] && fail "Unable to update password"
|
[[ $? != 0 ]] && fail "Unable to update password"
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
@@ -310,7 +310,7 @@ function listUsers() {
|
|||||||
|
|
||||||
users=$(echo "${response}" | jq -r ".[] | .verifiable_addresses[0].value" | sort)
|
users=$(echo "${response}" | jq -r ".[] | .verifiable_addresses[0].value" | sort)
|
||||||
for user in $users; do
|
for user in $users; do
|
||||||
roles=$(grep "$user" "$elasticRolesFile" | cut -d: -f1 | tr '\n' ' ')
|
roles=$(grep ":$user\$" "$elasticRolesFile" | cut -d: -f1 | tr '\n' ' ')
|
||||||
echo "$user: $roles"
|
echo "$user: $roles"
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
@@ -341,7 +341,7 @@ function adjustUserRole() {
|
|||||||
|
|
||||||
filename="$socRolesFile"
|
filename="$socRolesFile"
|
||||||
hasRole=0
|
hasRole=0
|
||||||
grep "$role:" "$socRolesFile" | grep -q "$identityId" && hasRole=1
|
grep "^$role:" "$socRolesFile" | grep -q "$identityId" && hasRole=1
|
||||||
if [[ "$op" == "add" ]]; then
|
if [[ "$op" == "add" ]]; then
|
||||||
if [[ "$hasRole" == "1" ]]; then
|
if [[ "$hasRole" == "1" ]]; then
|
||||||
echo "User '$email' already has the role: $role"
|
echo "User '$email' already has the role: $role"
|
||||||
|
|||||||
3
salt/soc/files/soc/cases.eventfields.json
Normal file
3
salt/soc/files/soc/cases.eventfields.json
Normal file
@@ -0,0 +1,3 @@
|
|||||||
|
{
|
||||||
|
"default": ["soc_timestamp", "case.title", "case.status", "case.severity", "case.createTime"]
|
||||||
|
}
|
||||||
5
salt/soc/files/soc/cases.queries.json
Normal file
5
salt/soc/files/soc/cases.queries.json
Normal file
@@ -0,0 +1,5 @@
|
|||||||
|
[
|
||||||
|
{ "name": "Open Cases", "query": "!case.status:Closed AND !case.category:Template" },
|
||||||
|
{ "name": "Closed Cases", "query": "case.status:Closed AND !case.category:Template" },
|
||||||
|
{ "name": "Templates", "query": "case.category:Template" }
|
||||||
|
]
|
||||||
20
salt/soc/files/soc/presets.artifacttype.json
Normal file
20
salt/soc/files/soc/presets.artifacttype.json
Normal file
@@ -0,0 +1,20 @@
|
|||||||
|
{
|
||||||
|
"labels": [
|
||||||
|
"autonomous-system",
|
||||||
|
"domain",
|
||||||
|
"file",
|
||||||
|
"filename",
|
||||||
|
"fqdn",
|
||||||
|
"hash",
|
||||||
|
"ip",
|
||||||
|
"mail",
|
||||||
|
"mail_subject",
|
||||||
|
"other",
|
||||||
|
"regexp",
|
||||||
|
"registry",
|
||||||
|
"uri_path",
|
||||||
|
"url",
|
||||||
|
"user-agent"
|
||||||
|
],
|
||||||
|
"customEnabled": true
|
||||||
|
}
|
||||||
7
salt/soc/files/soc/presets.category.json
Normal file
7
salt/soc/files/soc/presets.category.json
Normal file
@@ -0,0 +1,7 @@
|
|||||||
|
{
|
||||||
|
"labels": [
|
||||||
|
"General",
|
||||||
|
"Template"
|
||||||
|
],
|
||||||
|
"customEnabled": true
|
||||||
|
}
|
||||||
9
salt/soc/files/soc/presets.pap.json
Normal file
9
salt/soc/files/soc/presets.pap.json
Normal file
@@ -0,0 +1,9 @@
|
|||||||
|
{
|
||||||
|
"labels": [
|
||||||
|
"White",
|
||||||
|
"Green",
|
||||||
|
"Amber",
|
||||||
|
"Red"
|
||||||
|
],
|
||||||
|
"customEnabled": false
|
||||||
|
}
|
||||||
9
salt/soc/files/soc/presets.severity.json
Normal file
9
salt/soc/files/soc/presets.severity.json
Normal file
@@ -0,0 +1,9 @@
|
|||||||
|
{
|
||||||
|
"labels": [
|
||||||
|
"Low",
|
||||||
|
"Medium",
|
||||||
|
"High",
|
||||||
|
"Critical"
|
||||||
|
],
|
||||||
|
"customEnabled": false
|
||||||
|
}
|
||||||
8
salt/soc/files/soc/presets.status.json
Normal file
8
salt/soc/files/soc/presets.status.json
Normal file
@@ -0,0 +1,8 @@
|
|||||||
|
{
|
||||||
|
"labels": [
|
||||||
|
"New",
|
||||||
|
"In Progress",
|
||||||
|
"Closed"
|
||||||
|
],
|
||||||
|
"customEnabled": false
|
||||||
|
}
|
||||||
8
salt/soc/files/soc/presets.tag.json
Normal file
8
salt/soc/files/soc/presets.tag.json
Normal file
@@ -0,0 +1,8 @@
|
|||||||
|
{
|
||||||
|
"labels": [
|
||||||
|
"false-positive",
|
||||||
|
"confirmed",
|
||||||
|
"pending"
|
||||||
|
],
|
||||||
|
"customEnabled": true
|
||||||
|
}
|
||||||
9
salt/soc/files/soc/presets.tlp.json
Normal file
9
salt/soc/files/soc/presets.tlp.json
Normal file
@@ -0,0 +1,9 @@
|
|||||||
|
{
|
||||||
|
"labels": [
|
||||||
|
"White",
|
||||||
|
"Green",
|
||||||
|
"Amber",
|
||||||
|
"Red"
|
||||||
|
],
|
||||||
|
"customEnabled": false
|
||||||
|
}
|
||||||
@@ -16,8 +16,17 @@
|
|||||||
{%- import_json "soc/files/soc/alerts.eventfields.json" as alerts_eventfields %}
|
{%- import_json "soc/files/soc/alerts.eventfields.json" as alerts_eventfields %}
|
||||||
{%- import_json "soc/files/soc/hunt.queries.json" as hunt_queries %}
|
{%- import_json "soc/files/soc/hunt.queries.json" as hunt_queries %}
|
||||||
{%- import_json "soc/files/soc/hunt.eventfields.json" as hunt_eventfields %}
|
{%- import_json "soc/files/soc/hunt.eventfields.json" as hunt_eventfields %}
|
||||||
|
{%- import_json "soc/files/soc/cases.queries.json" as cases_queries %}
|
||||||
|
{%- import_json "soc/files/soc/cases.eventfields.json" as cases_eventfields %}
|
||||||
{%- import_json "soc/files/soc/menu.actions.json" as menu_actions %}
|
{%- import_json "soc/files/soc/menu.actions.json" as menu_actions %}
|
||||||
{%- import_json "soc/files/soc/tools.json" as tools %}
|
{%- import_json "soc/files/soc/tools.json" as tools %}
|
||||||
|
{%- import_json "soc/files/soc/presets.artifacttype.json" as presets_artifacttype %}
|
||||||
|
{%- import_json "soc/files/soc/presets.category.json" as presets_category %}
|
||||||
|
{%- import_json "soc/files/soc/presets.pap.json" as presets_pap %}
|
||||||
|
{%- import_json "soc/files/soc/presets.severity.json" as presets_severity %}
|
||||||
|
{%- import_json "soc/files/soc/presets.status.json" as presets_status %}
|
||||||
|
{%- import_json "soc/files/soc/presets.tag.json" as presets_tag %}
|
||||||
|
{%- import_json "soc/files/soc/presets.tlp.json" as presets_tlp %}
|
||||||
{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %}
|
{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %}
|
||||||
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
|
||||||
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
|
||||||
@@ -27,6 +36,8 @@
|
|||||||
{%- set ES_PASS = '' %}
|
{%- set ES_PASS = '' %}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
{%- set ES_INDEX_PATTERNS = salt['pillar.get']('soc:es_index_patterns', '*:so-*') %}
|
{%- set ES_INDEX_PATTERNS = salt['pillar.get']('soc:es_index_patterns', '*:so-*') %}
|
||||||
|
{%- set CASE_MODULE = salt['pillar.get']('soc:case_module', 'soc') %}
|
||||||
|
{%- set GENERIC_CASE_CONFIG = salt['pillar.get']('soc:generic_case_config', '') %}
|
||||||
{
|
{
|
||||||
"logFilename": "/opt/sensoroni/logs/sensoroni-server.log",
|
"logFilename": "/opt/sensoroni/logs/sensoroni-server.log",
|
||||||
"server": {
|
"server": {
|
||||||
@@ -57,9 +68,10 @@
|
|||||||
{%- endif %}
|
{%- endif %}
|
||||||
"username": "{{ ES_USER }}",
|
"username": "{{ ES_USER }}",
|
||||||
"password": "{{ ES_PASS }}",
|
"password": "{{ ES_PASS }}",
|
||||||
"index": "{{ ES_INDEX_PATTERNS }}",
|
"index": "{{ ES_INDEX_PATTERNS }}",
|
||||||
"cacheMs": {{ ES_FIELDCAPS_CACHE }},
|
"cacheMs": {{ ES_FIELDCAPS_CACHE }},
|
||||||
"verifyCert": false,
|
"verifyCert": false,
|
||||||
|
"casesEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }},
|
||||||
"timeoutMs": {{ API_TIMEOUT }}
|
"timeoutMs": {{ API_TIMEOUT }}
|
||||||
},
|
},
|
||||||
"influxdb": {
|
"influxdb": {
|
||||||
@@ -77,12 +89,22 @@
|
|||||||
"refreshIntervalMs": 30000,
|
"refreshIntervalMs": 30000,
|
||||||
"offlineThresholdMs": 900000
|
"offlineThresholdMs": 900000
|
||||||
},
|
},
|
||||||
{% if THEHIVEKEY != '' %}
|
{% if CASE_MODULE == 'thehive' and THEHIVEKEY != '' %}
|
||||||
"thehive": {
|
"thehive": {
|
||||||
"hostUrl": "http://{{ MANAGERIP }}:9000/thehive",
|
"hostUrl": "http://{{ MANAGERIP }}:9000/thehive",
|
||||||
"key": "{{ THEHIVEKEY }}",
|
"key": "{{ THEHIVEKEY }}",
|
||||||
"verifyCert": false
|
"verifyCert": false
|
||||||
},
|
},
|
||||||
|
{% elif CASE_MODULE == 'elasticcases' %}
|
||||||
|
"elasticcases": {
|
||||||
|
"hostUrl": "https://{{ MANAGERIP }}:5601",
|
||||||
|
"username": "{{ ES_USER }}",
|
||||||
|
"password": "{{ ES_PASS }}",
|
||||||
|
},
|
||||||
|
{% elif CASE_MODULE == 'generichttp' %}
|
||||||
|
"generichttp": {
|
||||||
|
{{ GENERIC_CASE_CONFIG }}
|
||||||
|
},
|
||||||
{% endif %}
|
{% endif %}
|
||||||
"statickeyauth": {
|
"statickeyauth": {
|
||||||
"anonymousCidr": "{{ DNET }}/24",
|
"anonymousCidr": "{{ DNET }}/24",
|
||||||
@@ -113,6 +135,7 @@
|
|||||||
"webSocketTimeoutMs": {{ WEBSOCKET_TIMEOUT }},
|
"webSocketTimeoutMs": {{ WEBSOCKET_TIMEOUT }},
|
||||||
"tipTimeoutMs": {{ TIP_TIMEOUT }},
|
"tipTimeoutMs": {{ TIP_TIMEOUT }},
|
||||||
"cacheExpirationMs": {{ CACHE_EXPIRATION }},
|
"cacheExpirationMs": {{ CACHE_EXPIRATION }},
|
||||||
|
"casesEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }},
|
||||||
"inactiveTools": [
|
"inactiveTools": [
|
||||||
{%- if PLAYBOOK == 0 %}
|
{%- if PLAYBOOK == 0 %}
|
||||||
"toolPlaybook",
|
"toolPlaybook",
|
||||||
@@ -139,7 +162,8 @@
|
|||||||
"relativeTimeUnit": 30,
|
"relativeTimeUnit": 30,
|
||||||
"mostRecentlyUsedLimit": 5,
|
"mostRecentlyUsedLimit": 5,
|
||||||
"ackEnabled": false,
|
"ackEnabled": false,
|
||||||
"escalateEnabled": {{ 'true' if THEHIVEKEY != '' else 'false' }},
|
"escalateEnabled": true,
|
||||||
|
"escalateRelatedEventsEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }},
|
||||||
"eventFields": {{ hunt_eventfields | json }},
|
"eventFields": {{ hunt_eventfields | json }},
|
||||||
"queryBaseFilter": "",
|
"queryBaseFilter": "",
|
||||||
"queryToggleFilters": [],
|
"queryToggleFilters": [],
|
||||||
@@ -159,7 +183,8 @@
|
|||||||
"relativeTimeUnit": 30,
|
"relativeTimeUnit": 30,
|
||||||
"mostRecentlyUsedLimit": 5,
|
"mostRecentlyUsedLimit": 5,
|
||||||
"ackEnabled": true,
|
"ackEnabled": true,
|
||||||
"escalateEnabled": {{ 'true' if THEHIVEKEY != '' else 'false' }},
|
"escalateEnabled": true,
|
||||||
|
"escalateRelatedEventsEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }},
|
||||||
"eventFields": {{ alerts_eventfields | json }},
|
"eventFields": {{ alerts_eventfields | json }},
|
||||||
"queryBaseFilter": "event.dataset:alert",
|
"queryBaseFilter": "event.dataset:alert",
|
||||||
"queryToggleFilters": [
|
"queryToggleFilters": [
|
||||||
@@ -168,6 +193,38 @@
|
|||||||
],
|
],
|
||||||
"queries": {{ alerts_queries | json }},
|
"queries": {{ alerts_queries | json }},
|
||||||
"actions": {{ menu_actions | json }}
|
"actions": {{ menu_actions | json }}
|
||||||
|
},
|
||||||
|
"cases": {
|
||||||
|
"advanced": false,
|
||||||
|
"groupItemsPerPage": 50,
|
||||||
|
"groupFetchLimit": 100,
|
||||||
|
"eventItemsPerPage": 50,
|
||||||
|
"eventFetchLimit": 500,
|
||||||
|
"relativeTimeValue": 12,
|
||||||
|
"relativeTimeUnit": 60,
|
||||||
|
"mostRecentlyUsedLimit": 5,
|
||||||
|
"ackEnabled": false,
|
||||||
|
"escalateEnabled": false,
|
||||||
|
"escalateRelatedEventsEnabled": false,
|
||||||
|
"viewEnabled": true,
|
||||||
|
"eventFields": {{ cases_eventfields | json }},
|
||||||
|
"queryBaseFilter": "_index:so-case AND kind:case",
|
||||||
|
"queryToggleFilters": [
|
||||||
|
],
|
||||||
|
"queries": {{ cases_queries | json }},
|
||||||
|
"actions": {{ menu_actions | json }}
|
||||||
|
},
|
||||||
|
"case": {
|
||||||
|
"mostRecentlyUsedLimit": 5,
|
||||||
|
"presets": {
|
||||||
|
"artifactType": {{ presets_artifacttype | json }},
|
||||||
|
"category": {{ presets_category | json }},
|
||||||
|
"pap": {{ presets_pap | json }},
|
||||||
|
"severity": {{ presets_severity | json }},
|
||||||
|
"status": {{ presets_status | json }},
|
||||||
|
"tags": {{ presets_tag | json }},
|
||||||
|
"tlp": {{ presets_tlp | json }}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user