diff --git a/files/firewall/assigned_hostgroups.local.map.yaml b/files/firewall/assigned_hostgroups.local.map.yaml
index ee871ad80..3f30fc367 100644
--- a/files/firewall/assigned_hostgroups.local.map.yaml
+++ b/files/firewall/assigned_hostgroups.local.map.yaml
@@ -13,6 +13,7 @@ role:
fleet:
heavynode:
helixsensor:
+ idh:
import:
manager:
managersearch:
diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml
index 334b090d1..9e7babe00 100644
--- a/files/firewall/hostgroups.local.yaml
+++ b/files/firewall/hostgroups.local.yaml
@@ -28,6 +28,10 @@ firewall:
ips:
delete:
insert:
+ idh:
+ ips:
+ delete:
+ insert:
manager:
ips:
delete:
diff --git a/pillar/top.sls b/pillar/top.sls
index 37bd53f5e..8ab666d0d 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -98,6 +98,11 @@ base:
- global
- minions.{{ grains.id }}
+ '*_idh':
+ - data.*
+ - global
+ - minions.{{ grains.id }}
+
'*_searchnode':
- logstash
- logstash.search
diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja
index bdff03c43..36fd86321 100644
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -91,6 +91,16 @@
'schedule',
'docker_clean'
],
+ 'so-idh': [
+ 'ssl',
+ 'telegraf',
+ 'firewall',
+ 'fleet.install_package',
+ 'filebeat',
+ 'idh',
+ 'schedule',
+ 'docker_clean'
+ ],
'so-import': [
'salt.master',
'ca',
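Review bot: `sensoroni` is applied to `*_idh` minions by the new salt/top.sls target in this diff but is missing from the `so-idh` list added here, so if sensoroni's init.sls gates on `allowed_states` the way salt/idh/init.sls does, that highstate entry will fail with a `_state_not_allowed` result on every IDH node. Adding `'sensoroni',` after `'telegraf',` keeps the two files in step. The list also grants `fleet.install_package` unconditionally while top.sls applies it only when FLEETMANAGER or FLEETNODE is set; that is fine as a superset, but a short comment saying the list is the permitted superset of the top.sls target would save the next reader the comparison.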
@@ -238,7 +248,7 @@
{% do allowed_states.append('strelka') %}
{% endif %}
- {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver']%}
+ {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver','so-idh']%}
{% do allowed_states.append('wazuh') %}
{% endif %}
diff --git a/salt/common/tools/sbin/so-idh-restart b/salt/common/tools/sbin/so-idh-restart
new file mode 100644
index 000000000..ce6dd9843
--- /dev/null
+++ b/salt/common/tools/sbin/so-idh-restart
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart idh $1
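Review bot: `$1` is passed unquoted on the last line, so an argument containing whitespace or glob characters is split or expanded before so-restart sees it; `/usr/sbin/so-restart idh "$1"` (or `"$@"` to forward every argument) avoids that. so-idh-start and so-idh-stop in this diff have the same form. This may mirror the existing so-*-restart wrappers, in which case fixing them together is preferable to diverging here. The license footer `# along with this program. If not, see .` has lost its URL; if that is in the committed file rather than a rendering artifact, restore it.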
diff --git a/salt/common/tools/sbin/so-idh-start b/salt/common/tools/sbin/so-idh-start
new file mode 100644
index 000000000..2f300ba01
--- /dev/null
+++ b/salt/common/tools/sbin/so-idh-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start idh $1
diff --git a/salt/common/tools/sbin/so-idh-stop b/salt/common/tools/sbin/so-idh-stop
new file mode 100644
index 000000000..48e974be2
--- /dev/null
+++ b/salt/common/tools/sbin/so-idh-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop idh $1
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
index 9b9c1a344..140d4c63b 100755
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -55,6 +55,7 @@ container_list() {
"so-fleet"
"so-fleet-launcher"
"so-grafana"
+ "so-idh"
"so-idstools"
"so-influxdb"
"so-kibana"
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 0f6f65c71..e29b1a583 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -294,6 +294,48 @@ filebeat.inputs:
close_removed: false
{%- endif %}
+{%- if grains.role == 'so-idh' %}
+- type: log
+ paths:
+ - /nsm/idh/opencanary.log
+ fields:
+ module: opencanary
+ dataset: idh
+ category: host
+ tags: beat-ext
+ processors:
+ - decode_json_fields:
+ fields: ["message"]
+ target: ""
+ add_error_key: true
+ - drop_fields:
+ when:
+ equals:
+ logtype: 1001
+ fields: ["src_host", "src_port", "dst_host", "dst_port" ]
+ ignore_missing: true
+ - rename:
+ fields:
+ - from: "src_host"
+ to: "source.ip"
+ - from: "src_port"
+ to: "source.port"
+ - from: "dst_host"
+ to: "destination.host"
+ - from: "dst_port"
+ to: "destination.port"
+ ignore_missing: true
+ - convert:
+ fields:
+ - {from: "logtype", to: "event.code", type: "string"}
+ ignore_missing: true
+ - drop_fields:
+ fields: '["prospector", "input", "offset", "beat"]'
+ fields_under_root: true
+ clean_removed: false
+ close_removed: false
+{%- endif %}
+
{%- if INPUTS %}
# USER PILLAR DEFINED INPUTS
{{ INPUTS | yaml(False) }}
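Review bot: The `rename` processor maps `src_host` to `source.ip` but `dst_host` to `destination.host`, so the two endpoints of the same connection land in differently-typed ECS fields; if `dst_host` carries an address like its `src_host` counterpart, `to: "destination.ip"` is the consistent target and keeps source/destination queries symmetric. The trailing `drop_fields` uses `fields: '["prospector", "input", "offset", "beat"]'`, a quoted string rather than a YAML list — unless the other inputs in this file deliberately use that form, write it as `fields: ["prospector", "input", "offset", "beat"]`. Note that the `convert` step turns `logtype` into a string `event.code`, which determines how the new IDH_SSH play should spell its codes.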
@@ -352,7 +394,7 @@ output.logstash:
# The Logstash hosts
hosts:
-{%- if grains.role in ['so-sensor', 'so-fleet', 'so-node'] %}
+{%- if grains.role in ['so-sensor', 'so-fleet', 'so-node', 'so-idh'] %}
{%- set LOGSTASH = namespace() %}
{%- set LOGSTASH.count = 0 %}
{%- set LOGSTASH.loadbalance = false %}
diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index e2fbfc737..f58fff158 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -653,3 +653,20 @@ role:
localhost:
portgroups:
- {{ portgroups.all }}
+ idh:
+ chain:
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - {{ portgroups.ssh }}
+ {% set idh_services = salt['pillar.get']('idh:services', []) %}
+ {% for service in idh_services %}
+ - {{ portgroups['idh_'~service] }}
+ {% endfor %}
+ dockernet:
+ portgroups:
+ - {{ portgroups.all }}
+ localhost:
+ portgroups:
+ - {{ portgroups.all }}
\ No newline at end of file
diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml
index d81d00d6a..e928987f7 100644
--- a/salt/firewall/portgroups.yaml
+++ b/salt/firewall/portgroups.yaml
@@ -1,3 +1,8 @@
+{% if grains.role == 'so-idh' %}
+ {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
+ {% set idh_services = salt['pillar.get']('idh:services', []) %}
+{% endif %}
+
firewall:
aliases:
ports:
@@ -106,3 +111,16 @@ firewall:
yum:
tcp:
- 443
+
+{% if idh_services is defined %}
+ {% for service in idh_services %}
+ {% if service in ["smnp","ntp", "tftp"] %}
+ {% set proto = 'udp' %}
+ {% else %}
+ {% set proto = 'tcp' %}
+ {% endif %}
+ idh_{{service}}:
+ {{proto}}:
+ - {{ OPENCANARYCONFIG[service~'.port'] }}
+ {% endfor %}
+{% endif %}
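Review bot: The UDP service list on the `{% if service in [...] %}` line spells SNMP as `"smnp"`, which never matches the `snmp` service name used by snmp.defaults.yaml and the setup checklist, so the SNMP honeypot port is opened as TCP while the listener is UDP/161. Correct it to `{% if service in ["snmp", "ntp", "tftp"] %}`. A comment above the loop, `# UDP services; keep in step with the idh/defaults/*.defaults.yaml files`, would make the coupling explicit.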
diff --git a/salt/idh/Plays/IDH_SSH.yaml b/salt/idh/Plays/IDH_SSH.yaml
new file mode 100644
index 000000000..1d4e7ece4
--- /dev/null
+++ b/salt/idh/Plays/IDH_SSH.yaml
@@ -0,0 +1,18 @@
+title: SO IDH - SSH Accessed
+status: experimental
+description: Detects when the SSH service on a SO IDH node has been probed.
+author: Security Onion Solutions
+logsource:
+ product: idh
+detection:
+ selection:
+ event.code:
+ - 4000
+ - 4001
+ - 4002
+ condition: selection
+falsepositives:
+ - None
+fields:
+ - source.ip
+level: critical
\ No newline at end of file
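Review bot: `event.code` is matched here as the integers 4000, 4001 and 4002, while the filebeat input added in this diff converts `logtype` into `event.code` with `type: "string"`, so the indexed value is the string `"4000"`; whether an integer selection still matches depends on how the play backend compares, and quoting the values (`- '4000'` and so on) removes the ambiguity. The `falsepositives` entry `None` is also an unquoted scalar that some loaders read as a string and others as a literal null.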
diff --git a/salt/idh/defaults/defaults.yaml b/salt/idh/defaults/defaults.yaml
new file mode 100644
index 000000000..5f3cc826c
--- /dev/null
+++ b/salt/idh/defaults/defaults.yaml
@@ -0,0 +1,35 @@
+idh:
+ opencanary:
+ config:
+ device.node_id: {{ grains.host }}
+ logger:
+ class: PyLogger
+ kwargs:
+ formatters:
+ plain:
+ format: '%(message)s'
+ handlers:
+ console:
+ class: logging.StreamHandler
+ stream: ext://sys.stdout
+ file:
+ class: logging.FileHandler
+ filename: /var/tmp/opencanary.log
+ portscan.enabled: false
+ portscan.logfile: /var/log/kern.log
+ portscan.synrate: 5
+ portscan.nmaposrate: 5
+ portscan.lorate: 3
+ tcpbanner.maxnum: 10
+ tcpbanner.enabled: false
+ tcpbanner_1.enabled: false
+ tcpbanner_1.port: 8001
+ tcpbanner_1.datareceivedbanner: ''
+ tcpbanner_1.initbanner: ''
+ tcpbanner_1.alertstring.enabled: false
+ tcpbanner_1.alertstring: ''
+ tcpbanner_1.keep_alive.enabled: false
+ tcpbanner_1.keep_alive_secret: ''
+ tcpbanner_1.keep_alive_probes: 11
+ tcpbanner_1.keep_alive_interval: 300
+ tcpbanner_1.keep_alive_idle: 300
\ No newline at end of file
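Review bot: `device.node_id: {{ grains.host }}` is an unquoted templated scalar, so a hostname that YAML reads as a number, boolean or null (an all-digit host, or one named `no`) reaches OpenCanary with the wrong type; `device.node_id: "{{ grains.host }}"` keeps it a string. A one-line header comment stating that this file holds the OpenCanary base defaults merged under `idh:opencanary:config` by opencanary_config.map.jinja would help the next maintainer find the override path.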
diff --git a/salt/idh/defaults/ftp.defaults.yaml b/salt/idh/defaults/ftp.defaults.yaml
new file mode 100644
index 000000000..bed8f90dc
--- /dev/null
+++ b/salt/idh/defaults/ftp.defaults.yaml
@@ -0,0 +1,6 @@
+idh:
+ opencanary:
+ config:
+ ftp.enabled: true
+ ftp.port: 21
+ ftp.banner: FTP server ready
\ No newline at end of file
diff --git a/salt/idh/defaults/git.defaults.yaml b/salt/idh/defaults/git.defaults.yaml
new file mode 100644
index 000000000..e6946465a
--- /dev/null
+++ b/salt/idh/defaults/git.defaults.yaml
@@ -0,0 +1,5 @@
+idh:
+ opencanary:
+ config:
+ git.enabled: true
+ git.port: 9418
\ No newline at end of file
diff --git a/salt/idh/defaults/http.defaults.yaml b/salt/idh/defaults/http.defaults.yaml
new file mode 100644
index 000000000..a685062c5
--- /dev/null
+++ b/salt/idh/defaults/http.defaults.yaml
@@ -0,0 +1,12 @@
+idh:
+ opencanary:
+ config:
+ http.banner: Apache/2.2.22 (Ubuntu)
+ http.enabled: true
+ http.port: 80
+ http.skin: nasLogin
+ http.skin.list:
+ - desc: Plain HTML Login
+ name: basicLogin
+ - desc: Synology NAS Login
+ name: nasLogin
\ No newline at end of file
diff --git a/salt/idh/defaults/httpproxy.defaults.yaml b/salt/idh/defaults/httpproxy.defaults.yaml
new file mode 100644
index 000000000..32ef4a961
--- /dev/null
+++ b/salt/idh/defaults/httpproxy.defaults.yaml
@@ -0,0 +1,11 @@
+idh:
+ opencanary:
+ config:
+ httpproxy.enabled: true
+ httpproxy.port: 8080
+ httpproxy.skin: squid
+ httproxy.skin.list:
+ - desc: Squid
+ name: squid
+ - desc: Microsoft ISA Server Web Proxy
+ name: ms-isa
\ No newline at end of file
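Review bot: The key `httproxy.skin.list` is missing a `p`, so it does not share the `httpproxy.` prefix of the three keys above it and the skin list will presumably be ignored by whatever consumes this config; rename it to `httpproxy.skin.list:`. Because these service files are merged into one flat key space, a misspelled key silently creates a new entry rather than failing, so this is worth a second look in the other defaults files as well.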
diff --git a/salt/idh/defaults/mssql.defaults.yaml b/salt/idh/defaults/mssql.defaults.yaml
new file mode 100644
index 000000000..199640992
--- /dev/null
+++ b/salt/idh/defaults/mssql.defaults.yaml
@@ -0,0 +1,6 @@
+idh:
+ opencanary:
+ config:
+ mssql.enabled: true
+ mssql.version: '2012'
+ mssql.port: 1433
\ No newline at end of file
diff --git a/salt/idh/defaults/mysql.defaults.yaml b/salt/idh/defaults/mysql.defaults.yaml
new file mode 100644
index 000000000..98c6d2041
--- /dev/null
+++ b/salt/idh/defaults/mysql.defaults.yaml
@@ -0,0 +1,6 @@
+idh:
+ opencanary:
+ config:
+ mysql.enabled: true
+ mysql.port: 3306
+ mysql.banner: 5.5.43-0ubuntu0.14.04.1
\ No newline at end of file
diff --git a/salt/idh/defaults/ntp.defaults.yaml b/salt/idh/defaults/ntp.defaults.yaml
new file mode 100644
index 000000000..a7df2d460
--- /dev/null
+++ b/salt/idh/defaults/ntp.defaults.yaml
@@ -0,0 +1,5 @@
+idh:
+ opencanary:
+ config:
+ ntp.enabled: true
+ ntp.port: '123'
\ No newline at end of file
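Review bot: `ntp.port: '123'` is a quoted string while every other service file gives `*.port` as an integer (for example `snmp.port: 161`, `tftp.port: 69`); telnet.defaults.yaml has the same `'23'` form. The firewall template reads `OPENCANARYCONFIG[service~'.port']` for all of them and OpenCanary receives the JSON rendering, so a mixed int/string type is at best inconsistent and at worst a type error in the consumer — write `ntp.port: 123` (and `telnet.port: 23`) unless the string form is deliberate, in which case a comment should say why.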
diff --git a/salt/idh/defaults/redis.defaults.yaml b/salt/idh/defaults/redis.defaults.yaml
new file mode 100644
index 000000000..90e190f09
--- /dev/null
+++ b/salt/idh/defaults/redis.defaults.yaml
@@ -0,0 +1,5 @@
+idh:
+ opencanary:
+ config:
+ redis.enabled: true
+ redis.port: 6379
\ No newline at end of file
diff --git a/salt/idh/defaults/sip.defaults.yaml b/salt/idh/defaults/sip.defaults.yaml
new file mode 100644
index 000000000..740a13234
--- /dev/null
+++ b/salt/idh/defaults/sip.defaults.yaml
@@ -0,0 +1,5 @@
+idh:
+ opencanary:
+ config:
+ sip.enabled: true
+ sip.port: 5060
\ No newline at end of file
diff --git a/salt/idh/defaults/smb.defaults.yaml b/salt/idh/defaults/smb.defaults.yaml
new file mode 100644
index 000000000..e92e0239a
--- /dev/null
+++ b/salt/idh/defaults/smb.defaults.yaml
@@ -0,0 +1,5 @@
+idh:
+ opencanary:
+ config:
+ smb.auditfile: /var/log/samba-audit.log
+ smb.enabled: true
\ No newline at end of file
diff --git a/salt/idh/defaults/snmp.defaults.yaml b/salt/idh/defaults/snmp.defaults.yaml
new file mode 100644
index 000000000..990bf919e
--- /dev/null
+++ b/salt/idh/defaults/snmp.defaults.yaml
@@ -0,0 +1,5 @@
+idh:
+ opencanary:
+ config:
+ snmp.enabled: true
+ snmp.port: 161
\ No newline at end of file
diff --git a/salt/idh/defaults/ssh.defaults.yaml b/salt/idh/defaults/ssh.defaults.yaml
new file mode 100644
index 000000000..00dcfbcf8
--- /dev/null
+++ b/salt/idh/defaults/ssh.defaults.yaml
@@ -0,0 +1,6 @@
+idh:
+ opencanary:
+ config:
+ ssh.enabled: true
+ ssh.port: 22
+ ssh.version: SSH-2.0-OpenSSH_5.1p1 Debian-4
\ No newline at end of file
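Review bot: `ssh.port: 22` places the SSH honeypot on the same port as the host's sshd, and salt/idh/init.sls runs the so-idh container with `network_mode: host`, so unless setup moves the real sshd elsewhere (not shown in this diff) the listener fails to bind or the two services collide; the firewall map in this diff also opens both `portgroups.ssh` and `portgroups.idh_ssh` for the same port. Either document the required sshd relocation next to this value or default the honeypot to a port that does not clash and let the pillar override it. A comment such as `# NOTE: requires the host sshd to listen on a different port` would make the dependency explicit.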
diff --git a/salt/idh/defaults/telnet.defaults.yaml b/salt/idh/defaults/telnet.defaults.yaml
new file mode 100644
index 000000000..34f1d3190
--- /dev/null
+++ b/salt/idh/defaults/telnet.defaults.yaml
@@ -0,0 +1,11 @@
+idh:
+ opencanary:
+ config:
+ telnet.enabled: true
+ telnet.port: '23'
+ telnet.banner: ''
+ telnet.honeycreds:
+ - username: admin
+ password: $pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA
+ - username: admin
+ password: admin1
\ No newline at end of file
diff --git a/salt/idh/defaults/tftp.defaults.yaml b/salt/idh/defaults/tftp.defaults.yaml
new file mode 100644
index 000000000..5f275839f
--- /dev/null
+++ b/salt/idh/defaults/tftp.defaults.yaml
@@ -0,0 +1,5 @@
+idh:
+ opencanary:
+ config:
+ tftp.enabled: true
+ tftp.port: 69
\ No newline at end of file
diff --git a/salt/idh/defaults/vnc.defaults.yaml b/salt/idh/defaults/vnc.defaults.yaml
new file mode 100644
index 000000000..1995e5651
--- /dev/null
+++ b/salt/idh/defaults/vnc.defaults.yaml
@@ -0,0 +1,5 @@
+idh:
+ opencanary:
+ config:
+ vnc.enabled: true
+ vnc.port: 5900
\ No newline at end of file
diff --git a/salt/idh/idh.conf.jinja b/salt/idh/idh.conf.jinja
new file mode 100644
index 000000000..fcc000379
--- /dev/null
+++ b/salt/idh/idh.conf.jinja
@@ -0,0 +1 @@
+{{ OPENCANARYCONFIG | tojson(True) }}
\ No newline at end of file
diff --git a/salt/idh/init.sls b/salt/idh/init.sls
new file mode 100644
index 000000000..6627e266d
--- /dev/null
+++ b/salt/idh/init.sls
@@ -0,0 +1,75 @@
+
+# Copyright 2014-2022 Security Onion Solutions, LLC
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls in allowed_states %}
+
+{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
+{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
+{% set MANAGER = salt['grains.get']('master') %}
+
+# IDH State
+
+# Create a config directory
+temp:
+ file.directory:
+ - name: /opt/so/conf/idh
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+# Create a log directory
+configdir:
+ file.directory:
+ - name: /nsm/idh
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG with context %}
+opencanary_config:
+ file.managed:
+ - name: /opt/so/conf/idh/opencanary.conf
+ - source: salt://idh/idh.conf.jinja
+ - template: jinja
+ - defaults:
+ OPENCANARYCONFIG: {{ OPENCANARYCONFIG }}
+
+so-idh:
+ docker_container.running:
+ - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-idh:{{ VERSION }}
+ - name: so-idh
+ - detach: True
+ - network_mode: host
+ - binds:
+ - /nsm/idh:/var/tmp:rw
+ - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
+ - watch:
+ - file: opencanary_config
+ - require:
+ - file: opencanary_config
+
+append_so-idh_so-status.conf:
+ file.append:
+ - name: /opt/so/conf/so-status/so-status.conf
+ - text: so-idh
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+ test.fail_without_changes:
+ - name: {{sls}}_state_not_allowed
+
+{% endif %}
\ No newline at end of file
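Review bot: `OPENCANARYCONFIG: {{ OPENCANARYCONFIG }}` under `defaults:` renders the Python repr of the merged dict straight into SLS YAML, so Python spellings such as `False`/`None` and any string containing `: ` or `#` depend on Salt's YAML loader happening to reinterpret them; `OPENCANARYCONFIG: {{ OPENCANARYCONFIG | tojson }}` (the filter idh.conf.jinja already uses) emits valid flow YAML with stable types. The state IDs also disagree with their comments: `temp` creates the config directory `/opt/so/conf/idh` while `configdir` creates the log directory `/nsm/idh`; naming them `idh_confdir` and `idh_logdir` (or at least swapping the comments) avoids confusion in any future requisites.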
diff --git a/salt/idh/opencanary_config.map.jinja b/salt/idh/opencanary_config.map.jinja
new file mode 100644
index 000000000..dbd2fbad5
--- /dev/null
+++ b/salt/idh/opencanary_config.map.jinja
@@ -0,0 +1,9 @@
+{% set idh_services = salt['pillar.get']('idh:services', []) %}
+
+{% import_yaml "idh/defaults/defaults.yaml" as OPENCANARYCONFIG with context %}
+{% for service in idh_services %}
+ {% import_yaml "idh/defaults/" ~ service ~ ".defaults.yaml" as SERVICECONFIG with context %}
+ {% do salt['defaults.merge'](OPENCANARYCONFIG, SERVICECONFIG, in_place=True) %}
+{% endfor %}
+
+{% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=OPENCANARYCONFIG.idh.opencanary.config, merge=True) %}
\ No newline at end of file
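Review bot: Every entry of the `idh:services` pillar list is turned into a file path on the `import_yaml` line without being checked against the defaults files that exist, so a misspelled or unsupported service name makes the import raise and, because salt/firewall/portgroups.yaml imports this map on so-idh minions, takes the firewall render down with it. The pillar is written by the manager, so this is robustness rather than a trust-boundary issue, but an allowlist is cheap: `{% set KNOWN_SERVICES = ['ftp','git','http','httpproxy','mssql','mysql','ntp','redis','sip','smb','snmp','ssh','telnet','tftp','vnc'] %}` followed by `{% for service in idh_services if service in KNOWN_SERVICES %}`. A header comment describing the merge order (base defaults, then per-service files, then pillar `idh:opencanary:config` on top) would also document what the last `pillar.get(..., merge=True)` is for.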
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 7ac6687e1..533f347d8 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -447,7 +447,7 @@ fleetkeyperms:
{% endif %}
-{% if grains['role'] in ['so-sensor', 'so-manager', 'so-node', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-import', 'so-receiver'] %}
+{% if grains['role'] in ['so-sensor', 'so-manager', 'so-node', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-idh', 'so-import', 'so-receiver'] %}
fbcertdir:
file.directory:
diff --git a/salt/top.sls b/salt/top.sls
index b417089ba..fc8434e69 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -503,3 +503,20 @@ base:
{%- endif %}
- schedule
- docker_clean
+
+ '*_idh and G@saltversion:{{saltversion}}':
+ - match: compound
+ - ssl
+ - sensoroni
+ - telegraf
+ - firewall
+ {%- if WAZUH != 0 %}
+ - wazuh
+ {%- endif %}
+ {%- if FLEETMANAGER or FLEETNODE %}
+ - fleet.install_package
+ {%- endif %}
+ - schedule
+ - docker_clean
+ - filebeat
+ - idh
\ No newline at end of file
diff --git a/setup/so-functions b/setup/so-functions
index c9285219a..91244a7cc 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -447,6 +447,25 @@ collect_hostname_validate() {
done
}
+collect_idh_services() {
+ whiptail_idh_services
+
+ case "$idh_services" in
+ 'Linux Webserver')
+ idh_services=("HTTP" "FTP" "SSH")
+ ;;
+ 'MySQL Server')
+ idh_services=("MYSQL" "SSH")
+ ;;
+ 'MSSQL Server')
+ idh_services=("MSSQL" "VNC")
+ ;;
+ 'Custom')
+ whiptail_idh_services_custom
+ ;;
+ esac
+}
+
collect_int_ip_mask() {
whiptail_management_interface_ip_mask
@@ -864,6 +883,7 @@ check_requirements() {
req_cores=4
if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi
if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi
+ if [[ "$node_type" == 'idh' ]]; then req_mem=1 req_cores=2; fi
elif [[ "$standalone_or_dist" == 'import' ]]; then
req_mem=4
req_cores=2
@@ -1521,7 +1541,7 @@ get_redirect() {
get_minion_type() {
local minion_type
case "$install_type" in
- 'EVAL' | 'MANAGERSEARCH' | 'MANAGER' | 'SENSOR' | 'HEAVYNODE' | 'FLEET' | 'STANDALONE' | 'IMPORT' | 'RECEIVER')
+ 'EVAL' | 'MANAGERSEARCH' | 'MANAGER' | 'SENSOR' | 'HEAVYNODE' | 'FLEET' | 'IDH' | 'STANDALONE' | 'IMPORT' | 'RECEIVER')
minion_type=$(echo "$install_type" | tr '[:upper:]' '[:lower:]')
;;
'HELIXSENSOR')
@@ -2659,7 +2679,7 @@ set_initial_firewall_policy() {
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
$default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP"
;;
- 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET' | 'RECEIVER')
+ 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET' | 'IDH' | 'RECEIVER')
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
case "$install_type" in
'SENSOR')
@@ -2679,6 +2699,9 @@ set_initial_firewall_policy() {
'FLEET')
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP"
;;
+ 'IDH')
+ $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP"
+ ;;
'RECEIVER')
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost receiver "$MAINIP"
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh receiverstab "$MINION_ID" "$MAINIP"
@@ -2866,6 +2889,17 @@ wait_for_salt_minion() {
retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$setup_log" 2>&1 || exit 1
}
+write_out_idh_services() {
+ local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls
+
+ printf '%s\n'\
+ "idh:"\
+ " services:" >> "$pillar_file"
+ for service in ${idh_services[@]}; do
+ echo " - $service" | tr '[:upper:]' '[:lower:]' >> "$pillar_file"
+ done
+}
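Review bot: When `idh_services` is empty — the TESTING early return in whiptail_idh_services leaves it unset, and a checklist with nothing ticked returns an empty string — the function still writes `idh:` and `  services:` with no items, which YAML loads as `null` rather than an empty list, so the `pillar.get('idh:services', [])` calls in the new map and firewall templates may receive `None` and fail on `for service in idh_services`. Emit `  services: []` when `${#idh_services[@]}` is zero, or skip writing the key entirely. The expansion `${idh_services[@]}` is also unquoted; `"${idh_services[@]}"` preserves each element as one word.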
+
# Enable Zeek Logs
zeek_logs_enabled() {
echo "Enabling Zeek Logs" >> "$setup_log" 2>&1
diff --git a/setup/so-setup b/setup/so-setup
index 140f35377..67c821dd8 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -251,6 +251,10 @@ elif [ "$install_type" = 'FLEET' ]; then
is_minion=true
is_fleet_standalone=true
OSQUERY=1
+elif [ "$install_type" = 'IDH' ]; then
+ is_minion=true
+ is_idh=true
+ IDH=1
elif [ "$install_type" = 'HELIXSENSOR' ]; then
is_helix=true
elif [ "$install_type" = 'IMPORT' ]; then
@@ -267,11 +271,17 @@ if [[ $is_manager || $is_import ]]; then
check_elastic_license
fi
+if [[ $is_idh ]]; then
+ collect_idh_services
+fi
+
if ! [[ -f $install_opt_file ]]; then
if [[ $is_manager && $is_sensor ]]; then
check_requirements "standalone"
elif [[ $is_fleet_standalone ]]; then
check_requirements "dist" "fleet"
+ elif [[ $is_idh ]]; then
+ check_requirements "dist" "idh"
elif [[ $is_sensor && ! $is_eval ]]; then
check_requirements "dist" "sensor"
elif [[ $is_distmanager || $is_minion ]] && [[ ! $is_import ]]; then
@@ -742,6 +752,12 @@ echo "1" > /root/accept_changes
logstash_pillar >> $setup_log 2>&1
fi
+ if [[ $is_idh ]]; then
+ # Write out services to minion pillar file
+ set_progress_str 19 'Generating IDH services pillar'
+ write_out_idh_services
+ fi
+
if [[ $is_minion ]]; then
set_progress_str 20 'Accepting Salt key on manager'
@@ -805,7 +821,7 @@ echo "1" > /root/accept_changes
set_progress_str 62 "$(print_salt_state_apply 'common')"
salt-call state.apply -l info common >> $setup_log 2>&1
- if [[ ! $is_helix && ! $is_receiver ]]; then
+ if [[ ! $is_helix && ! $is_receiver && ! $is_idh ]]; then
set_progress_str 62 "$(print_salt_state_apply 'nginx')"
salt-call state.apply -l info nginx >> $setup_log 2>&1
fi
@@ -910,6 +926,12 @@ echo "1" > /root/accept_changes
fi
+ if [[ $is_idh ]]; then
+ set_progress_str 79 "$(print_salt_state_apply 'idh')"
+ salt-call state.apply -l info idh >> $setup_log 2>&1
+
+ fi
+
if [[ "$WAZUH" = 1 ]]; then
set_progress_str 79 "$(print_salt_state_apply 'wazuh')"
salt-call state.apply -l info wazuh >> $setup_log 2>&1
diff --git a/setup/so-whiptail b/setup/so-whiptail
index a4c72fb55..b993ca471 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -432,6 +432,14 @@ whiptail_end_settings() {
Hostname: $HOSTNAME
EOM
+ if [[ $is_idh ]]; then
+ __append_end_msg "IDH Services Enabled:"
+ for service in ${idh_services[@]}; do
+ __append_end_msg "- $service"
+ done
+
+ fi
+
[[ -n $NODE_DESCRIPTION ]] && __append_end_msg "Description: $NODE_DESCRIPTION"
[[ $is_airgap ]] && __append_end_msg "Airgap: True"
@@ -717,6 +725,47 @@ whiptail_homenet_sensor() {
export HNSENSOR
}
+
+whiptail_idh_services() {
+
+ [ -n "$TESTING" ] && return
+
+ idh_services=$(whiptail --title "$whiptail_title" --radiolist \
+ "\nThe IDH node can mimic many different services.\n\nChoose one of the common options along with their default ports (TCP) or select the Custom option to build a customized set of services." 20 75 5 \
+ "Linux Webserver" "Apache (80), FTP (21), SSH (22)" ON \
+ "MySQL Server" "MySQL (3306), SSH (22)" OFF \
+ "MSSQL Server" "Microsoft SQL (1433), VNC (5900)" OFF \
+ "Custom" "Select a custom set of services on next screen" OFF 3>&1 1>&2 2>&3 )
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+}
+
+
+whiptail_idh_services_custom() {
+
+ [ -n "$TESTING" ] && return
+
+ idh_services=$(whiptail --title "$whiptail_title" --checklist \
+ "\nThe IDH node can mimic many different services.\n\nChoose one or more of the following services along with their default ports (TCP). Some services have additional configuration options, please consult the documentation for further information." 25 75 8 \
+ "FTP" " TCP/21, Additional Configuration Available " OFF \
+ "Git" " TCP/9418 " OFF \
+ "HTTP" " TCP/80, Additional Configuration Available " OFF \
+ "HTTPPROXY" " TCP/8080, Additional Configuration Available " OFF \
+ "MSSQL" " TCP/1433 " OFF \
+ "MySQL" " TCP/3306, Additional Configuration Available " OFF \
+ "NTP" " UDP/123 " OFF \
+ "REDIS" " TCP/6379 " OFF \
+ "SNMP" " UDP/161 " OFF \
+ "SSH" " TCP/22, Additional Configuration Available " OFF \
+ "TELNET" " TCP/23, Additional Configuration Available " OFF \
+ "TFTP" " UDP/69 " OFF \
+ "VNC" " TCP/5900 " OFF 3>&1 1>&2 2>&3 )
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+}
+
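Review bot: `--checklist` returns all selected tags in one string (whiptail double-quotes them, e.g. `"FTP" "SSH"`), so `idh_services` here is a scalar, whereas collect_idh_services assigns a real array for the preset choices; the later `${idh_services[@]}` loops in write_out_idh_services and whiptail_end_settings then see tokens that still carry literal quote characters. Running whiptail with `--separate-output` and reading the result into `idh_services` with `mapfile -t` (or `read -r -a`) gives a proper array in both paths, while keeping the `3>&1 1>&2 2>&3` capture and the exit-status check. The prompt also says the default ports are `(TCP)` while NTP, SNMP and TFTP are listed as UDP; `(TCP unless noted)` would be accurate. The radiolist in whiptail_idh_services above has the same scalar shape, though its value is only compared as a string in collect_idh_services.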
whiptail_install_type() {
[ -n "$TESTING" ] && return
@@ -791,18 +840,17 @@ whiptail_install_type_dist_existing() {
local node_msg
read -r -d '' node_msg <<- EOM
- Choose a distributed node type to join to an existing grid.
-
- See https://docs.securityonion.net/architecture for details.
+ Choose a distributed node type to join to an existing grid. See https://docs.securityonion.net/architecture for details.
Note: Heavy nodes (HEAVYNODE) are NOT recommended for most users.
EOM
- install_type=$(whiptail --title "$whiptail_title" --radiolist "$node_msg" 19 58 5 \
+ install_type=$(whiptail --title "$whiptail_title" --radiolist "$node_msg" 19 58 6 \
"SENSOR" "Create a forward only sensor " ON \
"SEARCHNODE" "Add a search node with parsing " OFF \
"FLEET" "Dedicated Fleet Osquery Node " OFF \
"HEAVYNODE" "Sensor + Search Node " OFF \
+ "IDH" "Intrusion Detection Honeypot Node " OFF \
"RECEIVER" "Receiver Node " OFF \
3>&1 1>&2 2>&3
# "HOTNODE" "Add Hot Node (Uses Elastic Clustering)" OFF \ # TODO