From 9b1fac84173dabd6682b23552a5f9e35b0f98157 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 7 Feb 2022 14:36:40 -0500 Subject: [PATCH 01/23] Initial support - IDH Node --- salt/idh/Dockerfile | 12 +++ salt/idh/config/opencanary.conf | 113 +++++++++++++++++++++++++++++ salt/idh/init.sls | 46 ++++++++++++ salt/idh/supervise-opencanary.conf | 4 + setup/so-functions | 5 +- setup/so-setup | 11 +++ setup/so-whiptail | 1 + 7 files changed, 191 insertions(+), 1 deletion(-) create mode 100644 salt/idh/Dockerfile create mode 100644 salt/idh/config/opencanary.conf create mode 100644 salt/idh/init.sls create mode 100644 salt/idh/supervise-opencanary.conf diff --git a/salt/idh/Dockerfile b/salt/idh/Dockerfile new file mode 100644 index 000000000..d4f4ad67b --- /dev/null +++ b/salt/idh/Dockerfile @@ -0,0 +1,12 @@ +FROM python:3.6-slim + +WORKDIR /root/ + +RUN rm /bin/sh && ln -s /bin/bash /bin/sh + +RUN apt update && apt-get install -y sudo supervisor && rm -rf /var/lib/apt/lists/* +RUN pip install opencanary + +ADD supervise-opencanary.conf /etc/supervisor/conf.d/supervise-opencanary.conf + +CMD ["/usr/bin/supervisord", "-n"] \ No newline at end of file diff --git a/salt/idh/config/opencanary.conf b/salt/idh/config/opencanary.conf new file mode 100644 index 000000000..84c65a3d2 --- /dev/null +++ b/salt/idh/config/opencanary.conf 
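Review bot: `RUN pip install opencanary` installs whatever version PyPI serves at build time, so two builds of this image can differ silently; pin it, e.g. `RUN pip install opencanary==<PINNED_VERSION>`, and pin the base image by digest for the same reason. `FROM python:3.6-slim` selects an interpreter line that was already end-of-life when this patch was written, so the image stops receiving security fixes for Python itself; `sudo` is also installed but never used anywhere in this Dockerfile. A later patch in this series deletes this Dockerfile in favour of a registry image, so these points only matter if it is kept.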
@@ -0,0 +1,113 @@ +{%- set HOSTNAME = salt['grains.get']('host') -%} + +{ + "device.node_id": "{{HOSTNAME}}", + "git.enabled": false, + "git.port" : 9418, + "ftp.enabled": false, + "ftp.port": 21, + "ftp.banner": "FTP server ready", + "http.banner": "Apache/2.2.22 (Ubuntu)", + "http.enabled": false, + "http.port": 80, + "http.skin": "nasLogin", + "http.skin.list": [ + { + "desc": "Plain HTML Login", + "name": "basicLogin" + }, + { + "desc": "Synology NAS Login", + "name": "nasLogin" + } + ], + "httpproxy.enabled" : false, + "httpproxy.port": 8080, + "httpproxy.skin": "squid", + "httproxy.skin.list": [ + { + "desc": "Squid", + "name": "squid" + }, + { + "desc": "Microsoft ISA Server Web Proxy", + "name": "ms-isa" + } + ], + "logger": { + "class": "PyLogger", + "kwargs": { + "formatters": { + "plain": { + "format": "%(message)s" + } + }, + "handlers": { + "console": { + "class": "logging.StreamHandler", + "stream": "ext://sys.stdout" + }, + "file": { + "class": "logging.FileHandler", + "filename": "/var/tmp/opencanary.log" + } + } + } + }, + "portscan.enabled": false, + "portscan.logfile":"/var/log/kern.log", + "portscan.synrate": 5, + "portscan.nmaposrate": 5, + "portscan.lorate": 3, + "smb.auditfile": "/var/log/samba-audit.log", + "smb.enabled": false, + "mysql.enabled": false, + "mysql.port": 3306, + "mysql.banner": "5.5.43-0ubuntu0.14.04.1", + "ssh.enabled": true, + "ssh.port": 2222, + "ssh.version": "SSH-2.0-OpenSSH_7.6p1 Ubuntu 4ubuntu0.3", + "redis.enabled": false, + "redis.port": 6379, + "rdp.enabled": false, + "rdp.port": 3389, + "sip.enabled": false, + "sip.port": 5060, + "snmp.enabled": false, + "snmp.port": 161, + "ntp.enabled": false, + "ntp.port": "123", + "tftp.enabled": false, + "tftp.port": 69, + "tcpbanner.maxnum":10, + "tcpbanner.enabled": false, + "tcpbanner_1.enabled": false, + "tcpbanner_1.port": 8001, + "tcpbanner_1.datareceivedbanner": "", + "tcpbanner_1.initbanner": "", + "tcpbanner_1.alertstring.enabled": false, + "tcpbanner_1.alertstring": 
"", + "tcpbanner_1.keep_alive.enabled": false, + "tcpbanner_1.keep_alive_secret": "", + "tcpbanner_1.keep_alive_probes": 11, + "tcpbanner_1.keep_alive_interval":300, + "tcpbanner_1.keep_alive_idle": 300, + "telnet.enabled": false, + "telnet.port": "23", + "telnet.banner": "", + "telnet.honeycreds": [ + { + "username": "admin", + "password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA" + }, + { + "username": "admin", + "password": "admin1" + } + ], + "mssql.enabled": false, + "mssql.version": "2012", + "mssql.port":1433, + "vnc.enabled": true, + "vnc.port":5900 +} diff --git a/salt/idh/init.sls b/salt/idh/init.sls new file mode 100644 index 000000000..22dbe5ede --- /dev/null +++ b/salt/idh/init.sls @@ -0,0 +1,46 @@ +# IDH State + +# Create a config directory +temp: + file.directory: + - name: /opt/so/conf/idh + - user: 939 + - group: 939 + - makedirs: True + +# Create a config directory +configdir: + file.directory: + - name: /nsm/idh + - user: 939 + - group: 939 + - makedirs: True + +# Sync IDH files +idhfiles: + file.recurse: + - name: /opt/so/conf/idh + - user: 0 + - group: 0 + - file_mode: 755 + - source: salt://idh/config + - replace: False + - template: jinja + +# Build IDH Docker +so-idh: + docker_image.present: + - build: /opt/so/saltstack/local/salt/idh + - tag: latest + +# Set IDH Docker to run +so-idh-run: + docker_container.running: + - image: so-idh + - name: so-idh + - detach: True + - network_mode: host + - restart_policy: always + - binds: + - /nsm/idh:/var/tmp:rw + - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro diff --git a/salt/idh/supervise-opencanary.conf b/salt/idh/supervise-opencanary.conf new file mode 100644 index 000000000..c60a32d9f --- /dev/null +++ b/salt/idh/supervise-opencanary.conf 
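Review bot: `"httproxy.skin.list"` does not match the `httpproxy.*` prefix of the three keys above it, so the proxy skin list is probably never read under the intended name; confirm which spelling OpenCanary actually looks up before renaming it to `"httpproxy.skin.list"`, and note the same spelling is carried into `salt/idh/defaults.yml` (patch 11) and `salt/idh/defaults/httpproxy.defaults.yaml` (patch 13). `"ntp.port": "123"` and `"telnet.port": "23"` are strings while every other `*.port` value is an integer; keep one type per field unless OpenCanary requires strings for those two. `"device.node_id": "{{HOSTNAME}}"` substitutes the host grain into a JSON string with no escaping, so a value containing a quote or backslash would produce an invalid file; `"device.node_id": {{ HOSTNAME | tojson }},` lets the filter do the quoting.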
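Review bot: `- file_mode: 755` in `idhfiles` marks the synced config files executable, which nothing needs since the container only reads them; `- file_mode: 644` is sufficient. The two directories are created as uid/gid 939 while the files under `/opt/so/conf/idh` are owned by 0:0, so check which identity inside the container reads the bind-mounted `opencanary.conf` (mounting it `:ro` is good). `network_mode: host` means every decoy listener binds directly on the host's interfaces, so the port choices in `opencanary.conf` must avoid anything the host itself listens on, and the host firewall has to admit those ports for the honeypot to be reachable.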
@@ -0,0 +1,4 @@ + [program:opencanaryd] +command=/usr/local/bin/opencanaryd --start +redirect_stderr=true +autorestart=true \ No newline at end of file diff --git a/setup/so-functions b/setup/so-functions index 996620336..13434c772 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2619,7 +2619,7 @@ set_initial_firewall_policy() { $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP" ;; - 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET' | 'RECEIVER') + 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET' | 'IDH' | 'RECEIVER') $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" case "$install_type" in 'SENSOR') @@ -2639,6 +2639,9 @@ set_initial_firewall_policy() { 'FLEET') $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP" ;; + 'IDH') + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP" + ;; 'RECEIVER') $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost receiver "$MAINIP" $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh receiverstab "$MINION_ID" "$MAINIP" diff --git a/setup/so-setup b/setup/so-setup index 90e57646d..eb44743f6 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -251,6 +251,10 @@ elif [ "$install_type" = 'FLEET' ]; then is_minion=true is_fleet_standalone=true OSQUERY=1 +elif [ "$install_type" = 'IDH' ]; then + is_minion=true + is_idh_standalone=true + IDH=1 elif [ "$install_type" = 'HELIXSENSOR' ]; then is_helix=true elif [ "$install_type" = 'IMPORT' ]; then 
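Review bot: the program section has no `user=` directive, and the Dockerfile in this same patch sets no `USER`, so `opencanaryd` appears to run as root inside a host-networked container; if the decoys only need the ability to bind low ports, a dedicated user plus `CAP_NET_BIND_SERVICE` on the container limits what a fault in a decoy handler can reach. The first line reads ` [program:opencanaryd]` with a leading space, which configparser appears to tolerate for a first section but looks accidental; drop it. This file is removed again in patch 08 of the series.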
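Review bot: the new `'IDH')` arm in the second hunk is a verbatim copy of the `'FLEET')` body immediately above it, so the two should share one arm: `'FLEET' | 'IDH')` followed by the single `$sshcmd ... so-firewall --apply includehost beats_endpoint_ssl "$MAINIP"` line, matching how the first hunk already groups roles in `'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET' | 'IDH' | 'RECEIVER')`. Both hunks sit inside `set_initial_firewall_policy()`, whose start and end lie outside the hunks.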
@@ -910,6 +914,13 @@ echo "1" > /root/accept_changes fi + if [[ "$IDH" = 1 ]]; then + + set_progress_str 79 "$(print_salt_state_apply 'idh')" + salt-call state.apply -l info idh >> $setup_log 2>&1 + + fi + if [[ "$WAZUH" = 1 ]]; then set_progress_str 79 "$(print_salt_state_apply 'wazuh')" salt-call state.apply -l info wazuh >> $setup_log 2>&1 diff --git a/setup/so-whiptail b/setup/so-whiptail index a4c72fb55..c7073d4be 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -803,6 +803,7 @@ whiptail_install_type_dist_existing() { "SEARCHNODE" "Add a search node with parsing " OFF \ "FLEET" "Dedicated Fleet Osquery Node " OFF \ "HEAVYNODE" "Sensor + Search Node " OFF \ + "IDH" "Intrusion Detection Honeypot Node " OFF \ "RECEIVER" "Receiver Node " OFF \ 3>&1 1>&2 2>&3 # "HOTNODE" "Add Hot Node (Uses Elastic Clustering)" OFF \ # TODO From 7a9cb6d1104e6cef76b981f9d0dfd3c32ced4c8c Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 7 Feb 2022 16:49:11 -0500 Subject: [PATCH 02/23] Initial support - IDH Node --- salt/allowed_states.map.jinja | 10 ++++++++++ salt/ssl/init.sls | 2 +- salt/top.sls | 18 ++++++++++++++++++ 3 files changed, 29 insertions(+), 1 deletion(-) diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index bdff03c43..39596f595 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -91,6 +91,16 @@ 'schedule', 'docker_clean' ], + 'so-idh': [ + 'ssl', + 'telegraf', + 'firewall', + 'fleet.install_package', + 'filebeat', + 'idh', + 'schedule', + 'docker_clean' + ], 'so-import': [ 'salt.master', 'ca', diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 7ac6687e1..533f347d8 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls 
@@ -447,7 +447,7 @@ fleetkeyperms: {% endif %} -{% if grains['role'] in ['so-sensor', 'so-manager', 'so-node', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-import', 'so-receiver'] %} +{% if grains['role'] in ['so-sensor', 'so-manager', 'so-node', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-idh', 'so-import', 'so-receiver'] %} fbcertdir: file.directory: diff --git a/salt/top.sls b/salt/top.sls index b417089ba..2b70ce780 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -503,3 +503,21 @@ base: {%- endif %} - schedule - docker_clean + + '*_idh and G@saltversion:{{saltversion}}': + - match: compound + - ssl + - sensoroni + - nginx + - telegraf + - firewall + {%- if WAZUH != 0 %} + - wazuh + {%- endif %} + {%- if FLEETMANAGER or FLEETNODE %} + - fleet.install_package + {%- endif %} + - schedule + - docker_clean + - filebeat + - idh \ No newline at end of file From f590bc43a61878275413b959a2a309f09d679c5e Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 7 Feb 2022 19:09:27 -0500 Subject: [PATCH 03/23] Initial support - IDH Node --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 13434c772..d9ec0b658 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1521,7 +1521,7 @@ get_redirect() { get_minion_type() { local minion_type case "$install_type" in - 'EVAL' | 'MANAGERSEARCH' | 'MANAGER' | 'SENSOR' | 'HEAVYNODE' | 'FLEET' | 'STANDALONE' | 'IMPORT' | 'RECEIVER') + 'EVAL' | 'MANAGERSEARCH' | 'MANAGER' | 'SENSOR' | 'HEAVYNODE' | 'FLEET' | 'IDH' | 'STANDALONE' | 'IMPORT' | 'RECEIVER') minion_type=$(echo "$install_type" | tr '[:upper:]' '[:lower:]') ;; 'HELIXSENSOR') From 37b17b8821fc27b91fabfb9639298e3fc6f64968 Mon Sep 17 00:00:00 2001 
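Review bot: the new `'*_idh and G@saltversion:{{saltversion}}'` target applies `sensoroni` and `nginx`, but the `'so-idh'` allowed-states list added to `salt/allowed_states.map.jinja` in this same patch contains neither, so the two lists disagree about what an IDH node runs; if allowed_states gates manual `state.apply` for this role as it does for the others, those two states could not be re-applied by hand. Patch 09 later removes `nginx` from this target, which leaves only `sensoroni` mismatched. The file also ends without a trailing newline after `- idh`.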
From: Josh Brower Date: Mon, 7 Feb 2022 19:27:51 -0500 Subject: [PATCH 04/23] Initial support - IDH Node --- pillar/top.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pillar/top.sls b/pillar/top.sls index 37bd53f5e..8ab666d0d 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -98,6 +98,11 @@ base: - global - minions.{{ grains.id }} + '*_idh': + - data.* + - global + - minions.{{ grains.id }} + '*_searchnode': - logstash - logstash.search From a3602c9eb9cf39b1c60d2ac28d29b5b55143daa2 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 8 Feb 2022 08:24:15 -0500 Subject: [PATCH 05/23] Initial support - IDH Node --- salt/firewall/assigned_hostgroups.map.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index e2fbfc737..4964f5071 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -653,3 +653,16 @@ role: localhost: portgroups: - {{ portgroups.all }} + idh: + chain: + INPUT: + hostgroups: + anywhere: + portgroups: + - {{ portgroups.ssh }} + dockernet: + portgroups: + - {{ portgroups.all }} + localhost: + portgroups: + - {{ portgroups.all }} \ No newline at end of file From ac8e06e79bf22c36eaaf3767a9dd670ee9cc6370 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 8 Feb 2022 09:08:52 -0500 Subject: [PATCH 06/23] Initial support - IDH Node --- files/firewall/assigned_hostgroups.local.map.yaml | 1 + files/firewall/hostgroups.local.yaml | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/files/firewall/assigned_hostgroups.local.map.yaml b/files/firewall/assigned_hostgroups.local.map.yaml index ee871ad80..3f30fc367 100644 --- a/files/firewall/assigned_hostgroups.local.map.yaml +++ b/files/firewall/assigned_hostgroups.local.map.yaml @@ -13,6 +13,7 @@ role: fleet: heavynode: helixsensor: + idh: import: manager: managersearch: 
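Review bot: the `idh` role's INPUT chain admits only `{{ portgroups.ssh }}` from `anywhere`, i.e. the host's real SSH service, while the decoy services the honeypot is meant to expose (ssh/vnc in the patch 01 config, ftp/git/http/mssql in the later defaults) are not listed; if the host firewall is built from this map, the decoys would be unreachable from the network, so either add the decoy portgroups here or document where they are opened. Also worth confirming that the decoy SSH listener and the real `portgroups.ssh` port never overlap, since the container runs with host networking. The file ends without a trailing newline.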
diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml index 334b090d1..9e7babe00 100644 --- a/files/firewall/hostgroups.local.yaml +++ b/files/firewall/hostgroups.local.yaml @@ -28,6 +28,10 @@ firewall: ips: delete: insert: + idh: + ips: + delete: + insert: manager: ips: delete: From 30c40ed3d7f568b5eef07e8c905b6ce72c10622b Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 9 Feb 2022 10:37:47 -0500 Subject: [PATCH 07/23] IDH Initial Support --- salt/common/tools/sbin/so-image-common | 1 + salt/idh/init.sls | 15 ++++----------- 2 files changed, 5 insertions(+), 11 deletions(-) diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index 9b9c1a344..140d4c63b 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common @@ -55,6 +55,7 @@ container_list() { "so-fleet" "so-fleet-launcher" "so-grafana" + "so-idh" "so-idstools" "so-influxdb" "so-kibana" diff --git a/salt/idh/init.sls b/salt/idh/init.sls index 22dbe5ede..a0bcc4572 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls @@ -8,7 +8,7 @@ temp: - group: 939 - makedirs: True -# Create a config directory +# Create a log directory configdir: file.directory: - name: /nsm/idh @@ -27,20 +27,13 @@ idhfiles: - replace: False - template: jinja -# Build IDH Docker so-idh: - docker_image.present: - - build: /opt/so/saltstack/local/salt/idh - - tag: latest - -# Set IDH Docker to run -so-idh-run: docker_container.running: - - image: so-idh + - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-idh:{{ VERSION }} + - hostname: so-idh - name: so-idh - detach: True - network_mode: host - - restart_policy: always - binds: - /nsm/idh:/var/tmp:rw - - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro + - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro \ No newline at end of file From f31fbbf1ed92278f539b0af1eca32e51c96215f3 Mon Sep 17 00:00:00 2001 
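Review bot: `{{ MANAGER }}`, `{{ IMAGEREPO }}` and `{{ VERSION }}` are used in the new `image:` line but nothing in this file defines them as of this commit (the `{% set %}` lines only arrive in patch 08), so this intermediate revision would likely fail to render on a minion. The hunk also drops `restart_policy: always` together with the local build; if the container is expected to come back after a Docker daemon restart without waiting for the next highstate, keep a restart policy. The file now ends without a trailing newline.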
From: Josh Brower Date: Wed, 9 Feb 2022 13:57:18 -0500 Subject: [PATCH 08/23] IDH - states allowed --- salt/allowed_states.map.jinja | 2 +- salt/idh/Dockerfile | 12 ------------ salt/idh/init.sls | 4 ++++ salt/idh/supervise-opencanary.conf | 4 ---- setup/so-setup | 4 ++-- 5 files changed, 7 insertions(+), 19 deletions(-) delete mode 100644 salt/idh/Dockerfile delete mode 100644 salt/idh/supervise-opencanary.conf diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 39596f595..36fd86321 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -248,7 +248,7 @@ {% do allowed_states.append('strelka') %} {% endif %} - {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver']%} + {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver','so-idh']%} {% do allowed_states.append('wazuh') %} {% endif %} diff --git a/salt/idh/Dockerfile b/salt/idh/Dockerfile deleted file mode 100644 index d4f4ad67b..000000000 --- a/salt/idh/Dockerfile +++ /dev/null @@ -1,12 +0,0 @@ -FROM python:3.6-slim - -WORKDIR /root/ - -RUN rm /bin/sh && ln -s /bin/bash /bin/sh - -RUN apt update && apt-get install -y sudo supervisor && rm -rf /var/lib/apt/lists/* -RUN pip install opencanary - -ADD supervise-opencanary.conf /etc/supervisor/conf.d/supervise-opencanary.conf - -CMD ["/usr/bin/supervisord", "-n"] \ No newline at end of file diff --git a/salt/idh/init.sls b/salt/idh/init.sls index a0bcc4572..ea68aaa8c 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls @@ -1,3 +1,7 @@ +{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} +{% set MANAGER = salt['grains.get']('master') %} + # IDH State # Create a config directory 
diff --git a/salt/idh/supervise-opencanary.conf b/salt/idh/supervise-opencanary.conf deleted file mode 100644 index c60a32d9f..000000000 --- a/salt/idh/supervise-opencanary.conf +++ /dev/null @@ -1,4 +0,0 @@ - [program:opencanaryd] -command=/usr/local/bin/opencanaryd --start -redirect_stderr=true -autorestart=true \ No newline at end of file diff --git a/setup/so-setup b/setup/so-setup index eb44743f6..91a45de7e 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -253,7 +253,7 @@ elif [ "$install_type" = 'FLEET' ]; then OSQUERY=1 elif [ "$install_type" = 'IDH' ]; then is_minion=true - is_idh_standalone=true + is_idh=true IDH=1 elif [ "$install_type" = 'HELIXSENSOR' ]; then is_helix=true @@ -809,7 +809,7 @@ echo "1" > /root/accept_changes set_progress_str 62 "$(print_salt_state_apply 'common')" salt-call state.apply -l info common >> $setup_log 2>&1 - if [[ ! $is_helix && ! $is_receiver ]]; then + if [[ ! $is_helix && ! $is_receiver && ! $is_idh ]]; then set_progress_str 62 "$(print_salt_state_apply 'nginx')" salt-call state.apply -l info nginx >> $setup_log 2>&1 fi From b66472ecedaaec509b82a27495bd6170278e5dcf Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 9 Feb 2022 14:56:56 -0500 Subject: [PATCH 09/23] IDH - disable nginx --- salt/idh/init.sls | 1 - salt/top.sls | 1 - 2 files changed, 2 deletions(-) diff --git a/salt/idh/init.sls b/salt/idh/init.sls index ea68aaa8c..3d95015d7 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls @@ -34,7 +34,6 @@ idhfiles: so-idh: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-idh:{{ VERSION }} - - hostname: so-idh - name: so-idh - detach: True - network_mode: host diff --git a/salt/top.sls b/salt/top.sls index 2b70ce780..fc8434e69 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -508,7 +508,6 @@ base: - match: compound - ssl - sensoroni - - nginx - telegraf - firewall {%- if WAZUH != 0 %} From 1e5b9ef0bf64804c001033cba99e0b26b9929ff5 Mon Sep 17 00:00:00 2001 
From: Josh Brower Date: Thu, 10 Feb 2022 11:37:10 -0500 Subject: [PATCH 10/23] IDH - Enable Filebeat --- salt/filebeat/etc/filebeat.yml | 44 +++++++++++++++++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index f18a72752..0061aefc1 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -264,6 +264,48 @@ filebeat.inputs: {%- endif %} +{%- if grains.role == 'so-idh' %} +- type: log + paths: + - /nsm/idh/opencanary.log + fields: + module: opencanary + dataset: idh + category: host + tags: beat-ext + processors: + - decode_json_fields: + fields: ["message"] + target: "" + add_error_key: true + - drop_fields: + when: + equals: + logtype: 1001 + fields: ["src_host", "src_port", "dst_host", "dst_port" ] + ignore_missing: true + - rename: + fields: + - from: "src_host" + to: "source.ip" + - from: "src_port" + to: "source.port" + - from: "dst_host" + to: "destination.host" + - from: "dst_port" + to: "destination.port" + ignore_missing: true + - convert: + fields: + - {from: "logtype", to: "event.code", type: "string"} + ignore_missing: true + - drop_fields: + fields: '["prospector", "input", "offset", "beat"]' + fields_under_root: true + clean_removed: false + close_removed: false +{%- endif %} + {%- if INPUTS %} # USER PILLAR DEFINED INPUTS {{ INPUTS | yaml(False) }} @@ -322,7 +364,7 @@ output.logstash: # The Logstash hosts hosts: -{%- if grains.role in ['so-sensor', 'so-fleet', 'so-node'] %} +{%- if grains.role in ['so-sensor', 'so-fleet', 'so-node', 'so-idh'] %} {%- set LOGSTASH = namespace() %} {%- set LOGSTASH.count = 0 %} {%- set LOGSTASH.loadbalance = false %} From 3ccef12df76fcf500bb683d0050ef70940b53cb9 Mon Sep 17 00:00:00 2001 
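Review bot: in the last `drop_fields` processor, `fields: '["prospector", "input", "offset", "beat"]'` is a single quoted string rather than a YAML list, unlike the `fields: ["message"]` form used earlier in the same hunk; unless this is a deliberate pattern shared with the other inputs in this file, write it as `fields: ["prospector", "input", "offset", "beat"]`. The `rename` processor maps `src_host` to `source.ip` but `dst_host` to `destination.host`; if both OpenCanary values are IP addresses, `destination.ip` keeps the event ECS-consistent and makes source/destination queries symmetric. The `drop_fields` keyed on `logtype: 1001` is unexplained; a one-line comment naming what that OpenCanary log type is would help the next reader.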
From: Josh Brower Date: Tue, 15 Feb 2022 13:57:31 -0500 Subject: [PATCH 11/23] IDH - Pillarize OpenCanary Config --- salt/idh/config/opencanary.conf | 113 --------------------------- salt/idh/defaults.yml | 90 +++++++++++++++++++++ salt/idh/idh.conf.jinja | 1 + salt/idh/init.sls | 16 ++-- salt/idh/opencanary_config.map.jinja | 2 + 5 files changed, 100 insertions(+), 122 deletions(-) delete mode 100644 salt/idh/config/opencanary.conf create mode 100644 salt/idh/defaults.yml create mode 100644 salt/idh/idh.conf.jinja create mode 100644 salt/idh/opencanary_config.map.jinja diff --git a/salt/idh/config/opencanary.conf b/salt/idh/config/opencanary.conf deleted file mode 100644 index 84c65a3d2..000000000 --- a/salt/idh/config/opencanary.conf +++ /dev/null 
@@ -1,113 +0,0 @@ -{%- set HOSTNAME = salt['grains.get']('host') -%} - -{ - "device.node_id": "{{HOSTNAME}}", - "git.enabled": false, - "git.port" : 9418, - "ftp.enabled": false, - "ftp.port": 21, - "ftp.banner": "FTP server ready", - "http.banner": "Apache/2.2.22 (Ubuntu)", - "http.enabled": false, - "http.port": 80, - "http.skin": "nasLogin", - "http.skin.list": [ - { - "desc": "Plain HTML Login", - "name": "basicLogin" - }, - { - "desc": "Synology NAS Login", - "name": "nasLogin" - } - ], - "httpproxy.enabled" : false, - "httpproxy.port": 8080, - "httpproxy.skin": "squid", - "httproxy.skin.list": [ - { - "desc": "Squid", - "name": "squid" - }, - { - "desc": "Microsoft ISA Server Web Proxy", - "name": "ms-isa" - } - ], - "logger": { - "class": "PyLogger", - "kwargs": { - "formatters": { - "plain": { - "format": "%(message)s" - } - }, - "handlers": { - "console": { - "class": "logging.StreamHandler", - "stream": "ext://sys.stdout" - }, - "file": { - "class": "logging.FileHandler", - "filename": "/var/tmp/opencanary.log" - } - } - } - }, - "portscan.enabled": false, - "portscan.logfile":"/var/log/kern.log", - "portscan.synrate": 5, - "portscan.nmaposrate": 5, - "portscan.lorate": 3, - "smb.auditfile": "/var/log/samba-audit.log", - "smb.enabled": false, - "mysql.enabled": false, - "mysql.port": 3306, - "mysql.banner": "5.5.43-0ubuntu0.14.04.1", - "ssh.enabled": true, - "ssh.port": 2222, - "ssh.version": "SSH-2.0-OpenSSH_7.6p1 Ubuntu 4ubuntu0.3", - "redis.enabled": false, - "redis.port": 6379, - "rdp.enabled": false, - "rdp.port": 3389, - "sip.enabled": false, - "sip.port": 5060, - "snmp.enabled": false, - "snmp.port": 161, - "ntp.enabled": false, - "ntp.port": "123", - "tftp.enabled": false, - "tftp.port": 69, - "tcpbanner.maxnum":10, - "tcpbanner.enabled": false, - "tcpbanner_1.enabled": false, - "tcpbanner_1.port": 8001, - "tcpbanner_1.datareceivedbanner": "", - "tcpbanner_1.initbanner": "", - "tcpbanner_1.alertstring.enabled": false, - "tcpbanner_1.alertstring": 
"", - "tcpbanner_1.keep_alive.enabled": false, - "tcpbanner_1.keep_alive_secret": "", - "tcpbanner_1.keep_alive_probes": 11, - "tcpbanner_1.keep_alive_interval":300, - "tcpbanner_1.keep_alive_idle": 300, - "telnet.enabled": false, - "telnet.port": "23", - "telnet.banner": "", - "telnet.honeycreds": [ - { - "username": "admin", - "password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA" - }, - { - "username": "admin", - "password": "admin1" - } - ], - "mssql.enabled": false, - "mssql.version": "2012", - "mssql.port":1433, - "vnc.enabled": true, - "vnc.port":5900 -} diff --git a/salt/idh/defaults.yml b/salt/idh/defaults.yml new file mode 100644 index 000000000..368326eb9 --- /dev/null +++ b/salt/idh/defaults.yml 
@@ -0,0 +1,90 @@ +idh: + opencanary: + config: + device.node_id: opencanary-01 + git.enabled: true + git.port: 9418 + ftp.enabled: true + ftp.port: 21 + ftp.banner: FTP server ready + http.banner: Apache/2.2.22 (Ubuntu) + http.enabled: true + http.port: 80 + http.skin: nasLogin + http.skin.list: + - desc: Plain HTML Login + name: basicLogin + - desc: Synology NAS Login + name: nasLogin + httpproxy.enabled: false + httpproxy.port: 8080 + httpproxy.skin: squid + httproxy.skin.list: + - desc: Squid + name: squid + - desc: Microsoft ISA Server Web Proxy + name: ms-isa + logger: + class: PyLogger + kwargs: + formatters: + plain: + format: '%(message)s' + handlers: + console: + class: logging.StreamHandler + stream: ext://sys.stdout + file: + class: logging.FileHandler + filename: /var/tmp/opencanary.log + portscan.enabled: false + portscan.logfile: /var/log/kern.log + portscan.synrate: 5 + portscan.nmaposrate: 5 + portscan.lorate: 3 + smb.auditfile: /var/log/samba-audit.log + smb.enabled: false + mysql.enabled: false + mysql.port: 3306 + mysql.banner: 5.5.43-0ubuntu0.14.04.1 + ssh.enabled: false + ssh.port: 22 + ssh.version: SSH-2.0-OpenSSH_5.1p1 Debian-4 + redis.enabled: false + redis.port: 6379 + rdp.enabled: false + rdp.port: 3389 + sip.enabled: false + sip.port: 5060 + snmp.enabled: false + snmp.port: 161 + ntp.enabled: false + ntp.port: '123' + tftp.enabled: false + tftp.port: 69 + tcpbanner.maxnum: 10 + tcpbanner.enabled: false + tcpbanner_1.enabled: false + tcpbanner_1.port: 8001 + tcpbanner_1.datareceivedbanner: '' + tcpbanner_1.initbanner: '' + tcpbanner_1.alertstring.enabled: false + tcpbanner_1.alertstring: '' + tcpbanner_1.keep_alive.enabled: false + tcpbanner_1.keep_alive_secret: '' + tcpbanner_1.keep_alive_probes: 11 + tcpbanner_1.keep_alive_interval: 300 + tcpbanner_1.keep_alive_idle: 300 + telnet.enabled: false + telnet.port: '23' + telnet.banner: '' + telnet.honeycreds: + - username: admin + password: 
$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA + - username: admin + password: admin1 + mssql.enabled: false + mssql.version: '2012' + mssql.port: 1433 + vnc.enabled: false + vnc.port: 5000 \ No newline at end of file diff --git a/salt/idh/idh.conf.jinja b/salt/idh/idh.conf.jinja new file mode 100644 index 000000000..0dbb5eb5a --- /dev/null +++ b/salt/idh/idh.conf.jinja @@ -0,0 +1 @@ +{{ IDH | tojson(True) }} \ No newline at end of file diff --git a/salt/idh/init.sls b/salt/idh/init.sls index 3d95015d7..03b31b469 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls @@ -20,16 +20,14 @@ configdir: - group: 939 - makedirs: True -# Sync IDH files -idhfiles: - file.recurse: - - name: /opt/so/conf/idh - - user: 0 - - group: 0 - - file_mode: 755 - - source: salt://idh/config - - replace: False +{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG with context %} +opencanary_config: + file.managed: + - name: /opt/so/conf/idh/opencanary.conf + - source: salt://idh/idh.conf.jinja - template: jinja + - defaults: + OPENCANARYCONFIG: {{ OPENCANARYCONFIG }} so-idh: docker_container.running: diff --git a/salt/idh/opencanary_config.map.jinja b/salt/idh/opencanary_config.map.jinja new file mode 100644 index 000000000..cf65cc7d3 --- /dev/null +++ b/salt/idh/opencanary_config.map.jinja @@ -0,0 +1,2 @@ +{% import_yaml 'idh/defaults.yml' as OPENCANARYCONFIG with context %} +{% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=OPENCANARYCONFIG.idh.opencanary.config, merge=True) %} \ No newline at end of file From ef4df585106ef5ec1044276ef3fd77fa9d923a3a Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 17 Feb 2022 09:00:57 -0500 Subject: [PATCH 12/23] IDH - Jinjafy hostname --- salt/idh/defaults.yml | 2 +- salt/idh/idh.conf.jinja | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
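Review bot: `ssh.port: 22` is now the decoy's default while the container runs with `network_mode: host`, so anyone who flips `ssh.enabled` to true via pillar without also changing the port will collide with the host's own sshd (the deleted JSON config used `2222`, presumably for that reason); default to a non-conflicting port or document the constraint next to the key. `vnc.port: 5000` differs from the `5900` in the deleted `opencanary.conf`, which looks like a typo rather than a deliberate change. The banners and `telnet.honeycreds` appear to be the stock OpenCanary sample values; encouraging site-specific overrides via pillar makes the decoy less recognisable as a honeypot.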
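Review bot: the template renders `{{ IDH | tojson(True) }}` but the `file.managed` state in `salt/idh/init.sls` from this same patch passes the data under the name `OPENCANARYCONFIG`, so `IDH` is undefined at render time; patch 12 corrects the name. `tojson(True)` passes `True` as the `indent` argument, which only works because Python treats it as `1`; `tojson(indent=2)` says what is meant.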
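Review bot: `OPENCANARYCONFIG: {{ OPENCANARYCONFIG }}` interpolates the Python repr of the merged dict into the SLS YAML, so a pillar override whose repr is not valid YAML flow syntax breaks the whole state; `OPENCANARYCONFIG: {{ OPENCANARYCONFIG | tojson }}` keeps it well-formed, using the same filter the template already relies on. The new `file.managed` also sets no `user`, `group` or `mode`, unlike the `file.recurse` it replaces, so the rendered config's permissions fall back to Salt's defaults; make them explicit, e.g. `- mode: 644`.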
diff --git a/salt/idh/defaults.yml b/salt/idh/defaults.yml
index 368326eb9..708be4d4f 100644
--- a/salt/idh/defaults.yml
+++ b/salt/idh/defaults.yml
@@ -1,7 +1,7 @@
 idh:
 opencanary:
 config:
- device.node_id: opencanary-01
+ device.node_id: {{ grains.host }}
 git.enabled: true
 git.port: 9418
 ftp.enabled: true
diff --git a/salt/idh/idh.conf.jinja b/salt/idh/idh.conf.jinja
index 0dbb5eb5a..fcc000379 100644
--- a/salt/idh/idh.conf.jinja
+++ b/salt/idh/idh.conf.jinja
@@ -1 +1 @@
-{{ IDH | tojson(True) }}
\ No newline at end of file
+{{ OPENCANARYCONFIG | tojson(True) }}
\ No newline at end of file
From 6c124733b580cbab4a78e13246dd4b74bffcc89b Mon Sep 17 00:00:00 2001
From: Josh Brower Date: Thu, 17 Feb 2022 10:50:26 -0500 Subject: [PATCH 13/23] IDH - Enable default states --- salt/idh/defaults.yml | 57 +---------------------- salt/idh/defaults/ftp.defaults.yaml | 6 +++ salt/idh/defaults/git.defaults.yaml | 5 ++ salt/idh/defaults/http.defaults.yaml | 12 +++++ salt/idh/defaults/httpproxy.defaults.yaml | 11 +++++ salt/idh/defaults/mssql.defaults.yaml | 6 +++ salt/idh/defaults/mysql.defaults.yaml | 6 +++ salt/idh/defaults/ntp.defaults.yaml | 5 ++ salt/idh/defaults/rdp.defaults.yaml | 5 ++ salt/idh/defaults/redis.defaults.yaml | 5 ++ salt/idh/defaults/sip.defaults.yaml | 5 ++ salt/idh/defaults/smb.defaults.yaml | 5 ++ salt/idh/defaults/snmp.defaults.yaml | 5 ++ salt/idh/defaults/ssh.defaults.yaml | 6 +++ salt/idh/defaults/telnet.defaults.yaml | 11 +++++ salt/idh/defaults/tftp.defaults.yaml | 5 ++ salt/idh/defaults/vnc.defaults.yaml | 5 ++ 17 files changed, 104 insertions(+), 56 deletions(-) create mode 100644 salt/idh/defaults/ftp.defaults.yaml create mode 100644 salt/idh/defaults/git.defaults.yaml create mode 100644 salt/idh/defaults/http.defaults.yaml create mode 100644 salt/idh/defaults/httpproxy.defaults.yaml create mode 100644 salt/idh/defaults/mssql.defaults.yaml create mode 100644 salt/idh/defaults/mysql.defaults.yaml create mode 100644 salt/idh/defaults/ntp.defaults.yaml create mode 100644 salt/idh/defaults/rdp.defaults.yaml create mode 100644 salt/idh/defaults/redis.defaults.yaml create mode 100644 salt/idh/defaults/sip.defaults.yaml create mode 100644 salt/idh/defaults/smb.defaults.yaml create mode 100644 salt/idh/defaults/snmp.defaults.yaml create mode 100644 salt/idh/defaults/ssh.defaults.yaml create mode 100644 salt/idh/defaults/telnet.defaults.yaml create mode 100644 salt/idh/defaults/tftp.defaults.yaml create mode 100644 salt/idh/defaults/vnc.defaults.yaml diff --git a/salt/idh/defaults.yml b/salt/idh/defaults.yml index 708be4d4f..5f3cc826c 100644 --- a/salt/idh/defaults.yml +++ b/salt/idh/defaults.yml 
@@ -2,28 +2,6 @@ idh: opencanary: config: device.node_id: {{ grains.host }} - git.enabled: true - git.port: 9418 - ftp.enabled: true - ftp.port: 21 - ftp.banner: FTP server ready - http.banner: Apache/2.2.22 (Ubuntu) - http.enabled: true - http.port: 80 - http.skin: nasLogin - http.skin.list: - - desc: Plain HTML Login - name: basicLogin - - desc: Synology NAS Login - name: nasLogin - httpproxy.enabled: false - httpproxy.port: 8080 - httpproxy.skin: squid - httproxy.skin.list: - - desc: Squid - name: squid - - desc: Microsoft ISA Server Web Proxy - name: ms-isa logger: class: PyLogger kwargs: @@ -42,26 +20,6 @@ idh: portscan.synrate: 5 portscan.nmaposrate: 5 portscan.lorate: 3 - smb.auditfile: /var/log/samba-audit.log - smb.enabled: false - mysql.enabled: false - mysql.port: 3306 - mysql.banner: 5.5.43-0ubuntu0.14.04.1 - ssh.enabled: false - ssh.port: 22 - ssh.version: SSH-2.0-OpenSSH_5.1p1 Debian-4 - redis.enabled: false - redis.port: 6379 - rdp.enabled: false - rdp.port: 3389 - sip.enabled: false - sip.port: 5060 - snmp.enabled: false - snmp.port: 161 - ntp.enabled: false - ntp.port: '123' - tftp.enabled: false - tftp.port: 69 tcpbanner.maxnum: 10 tcpbanner.enabled: false tcpbanner_1.enabled: false @@ -74,17 +32,4 @@ idh: tcpbanner_1.keep_alive_secret: '' tcpbanner_1.keep_alive_probes: 11 tcpbanner_1.keep_alive_interval: 300 - tcpbanner_1.keep_alive_idle: 300 - telnet.enabled: false - telnet.port: '23' - telnet.banner: '' - telnet.honeycreds: - - username: admin - password: $pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA - - username: admin - password: admin1 - mssql.enabled: false - mssql.version: '2012' - mssql.port: 1433 - vnc.enabled: false - vnc.port: 5000 \ No newline at end of file + tcpbanner_1.keep_alive_idle: 300 \ No newline at end of file 
diff --git a/salt/idh/defaults/ftp.defaults.yaml b/salt/idh/defaults/ftp.defaults.yaml new file mode 100644 index 000000000..bed8f90dc --- /dev/null +++ b/salt/idh/defaults/ftp.defaults.yaml @@ -0,0 +1,6 @@ +idh: + opencanary: + config: + ftp.enabled: true + ftp.port: 21 + ftp.banner: FTP server ready \ No newline at end of file diff --git a/salt/idh/defaults/git.defaults.yaml b/salt/idh/defaults/git.defaults.yaml new file mode 100644 index 000000000..e6946465a --- /dev/null +++ b/salt/idh/defaults/git.defaults.yaml @@ -0,0 +1,5 @@ +idh: + opencanary: + config: + git.enabled: true + git.port: 9418 \ No newline at end of file diff --git a/salt/idh/defaults/http.defaults.yaml b/salt/idh/defaults/http.defaults.yaml new file mode 100644 index 000000000..31680d5d0 --- /dev/null +++ b/salt/idh/defaults/http.defaults.yaml @@ -0,0 +1,12 @@ +idh: + opencanary: + config: + http.banner: Apache/2.2.22 (Ubuntu) + http.enabled: false + http.port: 80 + http.skin: nasLogin + http.skin.list: + - desc: Plain HTML Login + name: basicLogin + - desc: Synology NAS Login + name: nasLogin \ No newline at end of file diff --git a/salt/idh/defaults/httpproxy.defaults.yaml b/salt/idh/defaults/httpproxy.defaults.yaml new file mode 100644 index 000000000..6b9b97558 --- /dev/null +++ b/salt/idh/defaults/httpproxy.defaults.yaml @@ -0,0 +1,11 @@ +idh: + opencanary: + config: + httpproxy.enabled: false + httpproxy.port: 8080 + httpproxy.skin: squid + httproxy.skin.list: + - desc: Squid + name: squid + - desc: Microsoft ISA Server Web Proxy + name: ms-isa \ No newline at end of file diff --git a/salt/idh/defaults/mssql.defaults.yaml b/salt/idh/defaults/mssql.defaults.yaml new file mode 100644 index 000000000..199640992 --- /dev/null +++ b/salt/idh/defaults/mssql.defaults.yaml @@ -0,0 +1,6 @@ +idh: + opencanary: + config: + mssql.enabled: true + mssql.version: '2012' + mssql.port: 1433 \ No newline at end of file 
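Review bot: `httproxy.skin.list` in the new httpproxy.defaults.yaml is missing a `p` and so does not share the `httpproxy.` prefix of the three keys above it. I cannot tell from this hunk whether OpenCanary consults that key or treats it as informational; if it reads it, the skin list is never found, and if it does not, the misspelling will still trip anyone writing a pillar override that merges into this structure. Either rename it to `httpproxy.skin.list` or, if the spelling is deliberately kept in step with an upstream sample file, add `# key name kept as in the upstream OpenCanary sample config` above it so the next editor does not "fix" it unknowingly.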
diff --git a/salt/idh/defaults/mysql.defaults.yaml b/salt/idh/defaults/mysql.defaults.yaml new file mode 100644 index 000000000..4cff7c628 --- /dev/null +++ b/salt/idh/defaults/mysql.defaults.yaml @@ -0,0 +1,6 @@ +idh: + opencanary: + config: + mysql.enabled: false + mysql.port: 3306 + mysql.banner: 5.5.43-0ubuntu0.14.04.1 \ No newline at end of file diff --git a/salt/idh/defaults/ntp.defaults.yaml b/salt/idh/defaults/ntp.defaults.yaml new file mode 100644 index 000000000..e3968068e --- /dev/null +++ b/salt/idh/defaults/ntp.defaults.yaml @@ -0,0 +1,5 @@ +idh: + opencanary: + config: + ntp.enabled: false + ntp.port: '123' \ No newline at end of file diff --git a/salt/idh/defaults/rdp.defaults.yaml b/salt/idh/defaults/rdp.defaults.yaml new file mode 100644 index 000000000..fb406e123 --- /dev/null +++ b/salt/idh/defaults/rdp.defaults.yaml @@ -0,0 +1,5 @@ +idh: + opencanary: + config: + rdp.enabled: false + rdp.port: 3389 \ No newline at end of file diff --git a/salt/idh/defaults/redis.defaults.yaml b/salt/idh/defaults/redis.defaults.yaml new file mode 100644 index 000000000..6c594f736 --- /dev/null +++ b/salt/idh/defaults/redis.defaults.yaml @@ -0,0 +1,5 @@ +idh: + opencanary: + config: + redis.enabled: false + redis.port: 6379 \ No newline at end of file diff --git a/salt/idh/defaults/sip.defaults.yaml b/salt/idh/defaults/sip.defaults.yaml new file mode 100644 index 000000000..1981c178d --- /dev/null +++ b/salt/idh/defaults/sip.defaults.yaml @@ -0,0 +1,5 @@ +idh: + opencanary: + config: + sip.enabled: false + sip.port: 5060 \ No newline at end of file diff --git a/salt/idh/defaults/smb.defaults.yaml b/salt/idh/defaults/smb.defaults.yaml new file mode 100644 index 000000000..fbf8c12b6 --- /dev/null +++ b/salt/idh/defaults/smb.defaults.yaml @@ -0,0 +1,5 @@ +idh: + opencanary: + config: + smb.auditfile: /var/log/samba-audit.log + smb.enabled: false \ No newline at end of file 
diff --git a/salt/idh/defaults/snmp.defaults.yaml b/salt/idh/defaults/snmp.defaults.yaml new file mode 100644 index 000000000..981dceaeb --- /dev/null +++ b/salt/idh/defaults/snmp.defaults.yaml @@ -0,0 +1,5 @@ +idh: + opencanary: + config: + snmp.enabled: false + snmp.port: 161 \ No newline at end of file diff --git a/salt/idh/defaults/ssh.defaults.yaml b/salt/idh/defaults/ssh.defaults.yaml new file mode 100644 index 000000000..aed7de490 --- /dev/null +++ b/salt/idh/defaults/ssh.defaults.yaml @@ -0,0 +1,6 @@ +idh: + opencanary: + config: + ssh.enabled: false + ssh.port: 22 + ssh.version: SSH-2.0-OpenSSH_5.1p1 Debian-4 \ No newline at end of file diff --git a/salt/idh/defaults/telnet.defaults.yaml b/salt/idh/defaults/telnet.defaults.yaml new file mode 100644 index 000000000..34f1d3190 --- /dev/null +++ b/salt/idh/defaults/telnet.defaults.yaml @@ -0,0 +1,11 @@ +idh: + opencanary: + config: + telnet.enabled: true + telnet.port: '23' + telnet.banner: '' + telnet.honeycreds: + - username: admin + password: $pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA + - username: admin + password: admin1 \ No newline at end of file diff --git a/salt/idh/defaults/tftp.defaults.yaml b/salt/idh/defaults/tftp.defaults.yaml new file mode 100644 index 000000000..01996ed3b --- /dev/null +++ b/salt/idh/defaults/tftp.defaults.yaml @@ -0,0 +1,5 @@ +idh: + opencanary: + config: + tftp.enabled: false + tftp.port: 69 \ No newline at end of file diff --git a/salt/idh/defaults/vnc.defaults.yaml b/salt/idh/defaults/vnc.defaults.yaml new file mode 100644 index 000000000..55d4abddc --- /dev/null +++ b/salt/idh/defaults/vnc.defaults.yaml @@ -0,0 +1,5 @@ +idh: + opencanary: + config: + vnc.enabled: true + vnc.port: 5000 \ No newline at end of file From f995d0768f7d11d9a6cb9b9885e75de7f8375db4 Mon Sep 17 00:00:00 2001 
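Review bot: The `telnet.honeycreds` list in telnet.defaults.yaml ships a fixed `admin`/`admin1` plaintext pair and a fixed pbkdf2-sha512 hash as the logins the decoy accepts, and telnet is the only service in this series that is enabled with credentials baked in. If, as the values suggest, they are copied from the upstream OpenCanary sample configuration, they are public, and a scanner that tries them can confirm it is talking to an OpenCanary instance rather than the device the banner claims. At minimum add `# sample honeycreds; override via pillar so a successful login is attributable to this deployment` above the list, and consider generating a per-install pair during setup so any hit on these credentials cannot be explained by a default-password sweep.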
From: Josh Brower Date: Thu, 17 Feb 2022 15:54:20 -0500 Subject: [PATCH 14/23] IDH - Initial firewall support --- salt/firewall/assigned_hostgroups.map.yaml | 4 ++++ salt/firewall/portgroups.yaml | 9 +++++++++ salt/idh/{defaults.yml => defaults/defaults.yaml} | 0 salt/idh/defaults/http.defaults.yaml | 2 +- salt/idh/opencanary_config.map.jinja | 9 ++++++++- 5 files changed, 22 insertions(+), 2 deletions(-) rename salt/idh/{defaults.yml => defaults/defaults.yaml} (100%) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 4964f5071..52f850909 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -660,6 +660,10 @@ role: anywhere: portgroups: - {{ portgroups.ssh }} + {% set idh_services = salt['pillar.get']('idh:services', []) %} + {% for service in idh_services %} + - {{ portgroups.service }} + {% endfor %} dockernet: portgroups: - {{ portgroups.all }} diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml index d81d00d6a..5fe08db08 100644 --- a/salt/firewall/portgroups.yaml +++ b/salt/firewall/portgroups.yaml @@ -48,6 +48,15 @@ firewall: fleet_webui: tcp: - 443 + ftp: + tcp: + - 21 + git: + tcp: + - 9418 + http: + tcp: + - 80 influxdb: tcp: - 8086 diff --git a/salt/idh/defaults.yml b/salt/idh/defaults/defaults.yaml similarity index 100% rename from salt/idh/defaults.yml rename to salt/idh/defaults/defaults.yaml diff --git a/salt/idh/defaults/http.defaults.yaml b/salt/idh/defaults/http.defaults.yaml index 31680d5d0..a685062c5 100644 --- a/salt/idh/defaults/http.defaults.yaml +++ b/salt/idh/defaults/http.defaults.yaml @@ -2,7 +2,7 @@ idh: opencanary: config: http.banner: Apache/2.2.22 (Ubuntu) - http.enabled: false + http.enabled: true http.port: 80 http.skin: nasLogin http.skin.list: diff --git a/salt/idh/opencanary_config.map.jinja b/salt/idh/opencanary_config.map.jinja index cf65cc7d3..dbd2fbad5 100644 
--- a/salt/idh/opencanary_config.map.jinja +++ b/salt/idh/opencanary_config.map.jinja @@ -1,2 +1,9 @@ -{% import_yaml 'idh/defaults.yml' as OPENCANARYCONFIG with context %} +{% set idh_services = salt['pillar.get']('idh:services', []) %} + +{% import_yaml "idh/defaults/defaults.yaml" as OPENCANARYCONFIG with context %} +{% for service in idh_services %} + {% import_yaml "idh/defaults/" ~ service ~ ".defaults.yaml" as SERVICECONFIG with context %} + {% do salt['defaults.merge'](OPENCANARYCONFIG, SERVICECONFIG, in_place=True) %} +{% endfor %} + {% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=OPENCANARYCONFIG.idh.opencanary.config, merge=True) %} \ No newline at end of file From 0362afb2601f555d1bcad5ed847493901d6f2bc1 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 18 Feb 2022 13:23:48 -0500 Subject: [PATCH 15/23] IDH - Finalize Firewall config --- salt/firewall/assigned_hostgroups.map.yaml | 2 +- salt/firewall/portgroups.yaml | 22 +++++++++++++--------- salt/idh/init.sls | 6 +++++- 3 files changed, 19 insertions(+), 11 deletions(-) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 52f850909..f58fff158 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -662,7 +662,7 @@ role: - {{ portgroups.ssh }} {% set idh_services = salt['pillar.get']('idh:services', []) %} {% for service in idh_services %} - - {{ portgroups.service }} + - {{ portgroups['idh_'~service] }} {% endfor %} dockernet: portgroups: diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml index 5fe08db08..ae258daa6 100644 --- a/salt/firewall/portgroups.yaml +++ b/salt/firewall/portgroups.yaml @@ -1,3 +1,8 @@ +{% if grains.role == 'so-idh' %} + {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %} + {% set idh_services = salt['pillar.get']('idh:services', []) %} +{% endif %} + firewall: aliases: ports: 
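Review bot: `import_yaml "idh/defaults/" ~ service ~ ".defaults.yaml"` in the opencanary_config.map.jinja hunk builds a file name from each `idh:services` pillar entry with no check that the entry is one of the shipped service names, so a typo or a service without a defaults file aborts the render of every state that imports this map instead of just that service. An allowlist before the loop, e.g. `{% set known_services = ['ftp','git','http','httpproxy','mssql','mysql','ntp','redis','sip','smb','snmp','ssh','telnet','tftp','vnc'] %}` followed by `{% if service not in known_services %}{{ raise('idh:services: unknown service ' ~ service) }}{% endif %}`, turns that into a readable error naming the bad value. A one-line comment stating that entries must be lowercase would also help, since the same string is used as a file name here and as a portgroup key in the firewall templates.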
@@ -48,15 +53,6 @@ firewall: fleet_webui: tcp: - 443 - ftp: - tcp: - - 21 - git: - tcp: - - 9418 - http: - tcp: - - 80 influxdb: tcp: - 8086 @@ -115,3 +111,11 @@ firewall: yum: tcp: - 443 + +{% if idh_services is defined %} + {% for service in idh_services %} + idh_{{service}}: + tcp: + - {{ OPENCANARYCONFIG[service~'.port'] }} + {% endfor %} +{% endif %} diff --git a/salt/idh/init.sls b/salt/idh/init.sls index 03b31b469..b88e9b227 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls @@ -37,4 +37,8 @@ so-idh: - network_mode: host - binds: - /nsm/idh:/var/tmp:rw - - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro \ No newline at end of file + - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro + - watch: + - file: opencanary_config + - require: + - file: opencanary_config \ No newline at end of file From bf477a1c19b2b21b0c1455c58f27e9fbf39a5cc0 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 18 Feb 2022 17:21:04 -0500 Subject: [PATCH 16/23] IDH - Initial whiptail --- setup/so-functions | 10 ++++++++++ setup/so-setup | 1 + setup/so-whiptail | 41 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 52 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index d9ec0b658..c485ed7a0 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -447,6 +447,16 @@ collect_hostname_validate() { done } +collect_idh_services() { + whiptail_idh_services + + if [ $idh_services == "Custom"; ] then + whiptail_idh_services_custom + fi + + echo $idh_services +} + collect_int_ip_mask() { whiptail_management_interface_ip_mask diff --git a/setup/so-setup b/setup/so-setup index 91a45de7e..23f3ed151 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -915,6 +915,7 @@ echo "1" > /root/accept_changes fi if [[ "$IDH" = 1 ]]; then + collect_idh_services() set_progress_str 79 "$(print_salt_state_apply 'idh')" salt-call state.apply -l info idh >> $setup_log 2>&1 
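Review bot: `- {{ OPENCANARYCONFIG[service~'.port'] }}` in the second portgroups.yaml hunk assumes every selectable service defines a `<service>.port` key, but smb.defaults.yaml in this series sets only `smb.auditfile` and `smb.enabled`, so a pillar of `idh:services: [smb]` looks up a key that does not exist: a render error under Salt's default strict-undefined handling, or an `idh_smb` portgroup with an empty port entry if undefined values are allowed. SMB is not offered in the setup checklist, so only a hand-written pillar reaches this, but the map file accepts it. Guarding the entry with `{% if service~'.port' in OPENCANARYCONFIG %}` or adding an explicit `smb.port` default keeps the firewall state renderable for every service the map file will load.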
diff --git a/setup/so-whiptail b/setup/so-whiptail index c7073d4be..7a26ad54c 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -717,6 +717,47 @@ whiptail_homenet_sensor() { export HNSENSOR } + +whiptail_idh_services() { + + [ -n "$TESTING" ] && return + + idh_services=$(whiptail --title "$whiptail_title" --radiolist \ + "\nThe IDH node can mimic several services.\n\nChoose one of the common options along with their default ports (TCP) or select the Custom option to build a customized set of services." 20 75 5 \ + "Linux Webserver" "Apache (80), FTP (21), SSH (22)" ON \ + "MySQL Server" "MySQL (3306), SSH (22)" OFF \ + "MSSQL Server" "Microsoft SQL (1433), VNC (5900)" OFF \ + "Custom" "Select a custom set of services on next screen" OFF 3>&1 1>&2 2>&3 ) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} + + +whiptail_idh_services_custom() { + + [ -n "$TESTING" ] && return + + idh_services=$(whiptail --title "$whiptail_title" --checklist \ + "\nThe IDH node can mimic many different services.\n\nChoose one or more of the following services along with their default ports (TCP). Some services have additional configuration options, please consult the documentation for further information." 20 75 6 \ + "FTP " "TCP/21, Additional Configuration Available " OFF \ + "Git " "TCP/9418 " OFF \ + "HTTP " "TCP/80, Additional Configuration Available " OFF \ + "HTTPPROXY " "TCP/8080, Additional Configuration Available " OFF \ + "MSSQL " "TCP/22 " OFF \ + "MySQL " "TCP/3306, Additional Configuration Available " OFF \ + "NTP " "TCP/123 " OFF \ + "REDIS " "TCP/6379 " OFF \ + "SNMP " "TCP/161 " OFF \ + "SSH " "TCP/22, Additional Configuration Available " OFF \ + "TELNET " "TCP/23, Additional Configuration Available " OFF \ + "TFTP " "TCP/69 " OFF \ + "VNC " "TCP/22 " OFF 3>&1 1>&2 2>&3 ) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} + whiptail_install_type() { [ -n "$TESTING" ] && return 
From 780cd38adf457b712676da8f77e963b1dcec477a Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Sat, 19 Feb 2022 12:28:45 -0500 Subject: [PATCH 17/23] IDH - setup tweaks --- setup/so-functions | 30 +++++++++++++++++++++++++----- setup/so-setup | 9 +++++++-- setup/so-whiptail | 30 +++++++++++++++--------------- 3 files changed, 47 insertions(+), 22 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index c485ed7a0..90ced3b41 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -450,11 +450,21 @@ collect_hostname_validate() { collect_idh_services() { whiptail_idh_services - if [ $idh_services == "Custom"; ] then - whiptail_idh_services_custom - fi - - echo $idh_services + case "$idh_services" in + 'Linux Webserver') + idh_services=("HTTP" "FTP" "SSH") + ;; + 'MySQL Server') + idh_services=("MYSQL" "SSH") + ;; + 'MSSQL Server') + idh_services=("MSSQL" "VNC") + ;; + 'Custom') + whiptail_idh_services_custom + echo $idh_services + ;; + esac } collect_int_ip_mask() { @@ -2839,6 +2849,16 @@ wait_for_salt_minion() { retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$setup_log" 2>&1 || exit 1 } +write_out_idh_services() { + printf '%s\n'\ + "idh:"\ + " opencanary:"\ + " config:" >> "$minion_config" + for service in ${idh_services[@]}; do + echo " - $service" >> "$minion_config" + done +} + # Enable Zeek Logs zeek_logs_enabled() { echo "Enabling Zeek Logs" >> "$setup_log" 2>&1 diff --git a/setup/so-setup b/setup/so-setup index 23f3ed151..dc9b5abb5 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -271,6 +271,10 @@ if [[ $is_manager || $is_import ]]; then check_elastic_license fi +if [[ $is_idh ]]; then + collect_idh_services +fi + if ! [[ -f $install_opt_file ]]; then if [[ $is_manager && $is_sensor ]]; then check_requirements "standalone" 
@@ -914,8 +918,9 @@ echo "1" > /root/accept_changes fi - if [[ "$IDH" = 1 ]]; then - collect_idh_services() + if [[ $is_idh ]]; then + # Write out services to minion pillar file + write_out_idh_services set_progress_str 79 "$(print_salt_state_apply 'idh')" salt-call state.apply -l info idh >> $setup_log 2>&1 diff --git a/setup/so-whiptail b/setup/so-whiptail index 7a26ad54c..96a145d2d 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -723,7 +723,7 @@ whiptail_idh_services() { [ -n "$TESTING" ] && return idh_services=$(whiptail --title "$whiptail_title" --radiolist \ - "\nThe IDH node can mimic several services.\n\nChoose one of the common options along with their default ports (TCP) or select the Custom option to build a customized set of services." 20 75 5 \ + "\nThe IDH node can mimic many different services.\n\nChoose one of the common options along with their default ports (TCP) or select the Custom option to build a customized set of services." 20 75 5 \ "Linux Webserver" "Apache (80), FTP (21), SSH (22)" ON \ "MySQL Server" "MySQL (3306), SSH (22)" OFF \ "MSSQL Server" "Microsoft SQL (1433), VNC (5900)" OFF \ 
@@ -739,20 +739,20 @@ whiptail_idh_services_custom() { [ -n "$TESTING" ] && return idh_services=$(whiptail --title "$whiptail_title" --checklist \ - "\nThe IDH node can mimic many different services.\n\nChoose one or more of the following services along with their default ports (TCP). Some services have additional configuration options, please consult the documentation for further information." 20 75 6 \ - "FTP " "TCP/21, Additional Configuration Available " OFF \ - "Git " "TCP/9418 " OFF \ - "HTTP " "TCP/80, Additional Configuration Available " OFF \ - "HTTPPROXY " "TCP/8080, Additional Configuration Available " OFF \ - "MSSQL " "TCP/22 " OFF \ - "MySQL " "TCP/3306, Additional Configuration Available " OFF \ - "NTP " "TCP/123 " OFF \ - "REDIS " "TCP/6379 " OFF \ - "SNMP " "TCP/161 " OFF \ - "SSH " "TCP/22, Additional Configuration Available " OFF \ - "TELNET " "TCP/23, Additional Configuration Available " OFF \ - "TFTP " "TCP/69 " OFF \ - "VNC " "TCP/22 " OFF 3>&1 1>&2 2>&3 ) + "\nThe IDH node can mimic many different services.\n\nChoose one or more of the following services along with their default ports (TCP). Some services have additional configuration options, please consult the documentation for further information." 25 75 8 \ + "FTP" " TCP/21, Additional Configuration Available " OFF \ + "Git" " TCP/9418 " OFF \ + "HTTP" " TCP/80, Additional Configuration Available " OFF \ + "HTTPPROXY" " TCP/8080, Additional Configuration Available " OFF \ + "MSSQL" " TCP/22 " OFF \ + "MySQL" " TCP/3306, Additional Configuration Available " OFF \ + "NTP" " TCP/123 " OFF \ + "REDIS" " TCP/6379 " OFF \ + "SNMP" " TCP/161 " OFF \ + "SSH" " TCP/22, Additional Configuration Available " OFF \ + "TELNET" " TCP/23, Additional Configuration Available " OFF \ + "TFTP" " TCP/69 " OFF \ + "VNC" " TCP/22 " OFF 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus From 2203e2feddc5f6a2c021bc5e3518e2dfd95a7f80 Mon Sep 17 00:00:00 2001 
From: Josh Brower Date: Sat, 19 Feb 2022 21:01:48 -0500 Subject: [PATCH 18/23] IDH - Final setup fixes --- salt/idh/defaults/httpproxy.defaults.yaml | 2 +- salt/idh/defaults/mysql.defaults.yaml | 2 +- salt/idh/defaults/ntp.defaults.yaml | 2 +- salt/idh/defaults/rdp.defaults.yaml | 5 ----- salt/idh/defaults/redis.defaults.yaml | 2 +- salt/idh/defaults/sip.defaults.yaml | 2 +- salt/idh/defaults/smb.defaults.yaml | 2 +- salt/idh/defaults/snmp.defaults.yaml | 2 +- salt/idh/defaults/ssh.defaults.yaml | 2 +- salt/idh/defaults/tftp.defaults.yaml | 2 +- setup/so-functions | 9 +++++---- setup/so-setup | 11 ++++++++--- setup/so-whiptail | 14 ++++++++++---- 13 files changed, 32 insertions(+), 25 deletions(-) delete mode 100644 salt/idh/defaults/rdp.defaults.yaml diff --git a/salt/idh/defaults/httpproxy.defaults.yaml b/salt/idh/defaults/httpproxy.defaults.yaml index 6b9b97558..32ef4a961 100644 --- a/salt/idh/defaults/httpproxy.defaults.yaml +++ b/salt/idh/defaults/httpproxy.defaults.yaml @@ -1,7 +1,7 @@ idh: opencanary: config: - httpproxy.enabled: false + httpproxy.enabled: true httpproxy.port: 8080 httpproxy.skin: squid httproxy.skin.list: diff --git a/salt/idh/defaults/mysql.defaults.yaml b/salt/idh/defaults/mysql.defaults.yaml index 4cff7c628..98c6d2041 100644 --- a/salt/idh/defaults/mysql.defaults.yaml +++ b/salt/idh/defaults/mysql.defaults.yaml @@ -1,6 +1,6 @@ idh: opencanary: config: - mysql.enabled: false + mysql.enabled: true mysql.port: 3306 mysql.banner: 5.5.43-0ubuntu0.14.04.1 \ No newline at end of file diff --git a/salt/idh/defaults/ntp.defaults.yaml b/salt/idh/defaults/ntp.defaults.yaml index e3968068e..a7df2d460 100644 --- a/salt/idh/defaults/ntp.defaults.yaml +++ b/salt/idh/defaults/ntp.defaults.yaml @@ -1,5 +1,5 @@ idh: opencanary: config: - ntp.enabled: false + ntp.enabled: true ntp.port: '123' \ No newline at end of file diff --git a/salt/idh/defaults/rdp.defaults.yaml b/salt/idh/defaults/rdp.defaults.yaml deleted file mode 100644 index fb406e123..000000000 
--- a/salt/idh/defaults/rdp.defaults.yaml +++ /dev/null @@ -1,5 +0,0 @@ -idh: - opencanary: - config: - rdp.enabled: false - rdp.port: 3389 \ No newline at end of file diff --git a/salt/idh/defaults/redis.defaults.yaml b/salt/idh/defaults/redis.defaults.yaml index 6c594f736..90e190f09 100644 --- a/salt/idh/defaults/redis.defaults.yaml +++ b/salt/idh/defaults/redis.defaults.yaml @@ -1,5 +1,5 @@ idh: opencanary: config: - redis.enabled: false + redis.enabled: true redis.port: 6379 \ No newline at end of file diff --git a/salt/idh/defaults/sip.defaults.yaml b/salt/idh/defaults/sip.defaults.yaml index 1981c178d..740a13234 100644 --- a/salt/idh/defaults/sip.defaults.yaml +++ b/salt/idh/defaults/sip.defaults.yaml @@ -1,5 +1,5 @@ idh: opencanary: config: - sip.enabled: false + sip.enabled: true sip.port: 5060 \ No newline at end of file diff --git a/salt/idh/defaults/smb.defaults.yaml b/salt/idh/defaults/smb.defaults.yaml index fbf8c12b6..e92e0239a 100644 --- a/salt/idh/defaults/smb.defaults.yaml +++ b/salt/idh/defaults/smb.defaults.yaml @@ -2,4 +2,4 @@ idh: opencanary: config: smb.auditfile: /var/log/samba-audit.log - smb.enabled: false \ No newline at end of file + smb.enabled: true \ No newline at end of file diff --git a/salt/idh/defaults/snmp.defaults.yaml b/salt/idh/defaults/snmp.defaults.yaml index 981dceaeb..990bf919e 100644 --- a/salt/idh/defaults/snmp.defaults.yaml +++ b/salt/idh/defaults/snmp.defaults.yaml @@ -1,5 +1,5 @@ idh: opencanary: config: - snmp.enabled: false + snmp.enabled: true snmp.port: 161 \ No newline at end of file diff --git a/salt/idh/defaults/ssh.defaults.yaml b/salt/idh/defaults/ssh.defaults.yaml index aed7de490..00dcfbcf8 100644 --- a/salt/idh/defaults/ssh.defaults.yaml +++ b/salt/idh/defaults/ssh.defaults.yaml @@ -1,6 +1,6 @@ idh: opencanary: config: - ssh.enabled: false + ssh.enabled: true ssh.port: 22 ssh.version: SSH-2.0-OpenSSH_5.1p1 Debian-4 \ No newline at end of file 
diff --git a/salt/idh/defaults/tftp.defaults.yaml b/salt/idh/defaults/tftp.defaults.yaml index 01996ed3b..5f275839f 100644 --- a/salt/idh/defaults/tftp.defaults.yaml +++ b/salt/idh/defaults/tftp.defaults.yaml @@ -1,5 +1,5 @@ idh: opencanary: config: - tftp.enabled: false + tftp.enabled: true tftp.port: 69 \ No newline at end of file diff --git a/setup/so-functions b/setup/so-functions index 90ced3b41..eea5da332 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -462,7 +462,6 @@ collect_idh_services() { ;; 'Custom') whiptail_idh_services_custom - echo $idh_services ;; esac } @@ -884,6 +883,7 @@ check_requirements() { req_cores=4 if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi + if [[ "$node_type" == 'idh' ]]; then req_mem=1 req_cores=2; fi elif [[ "$standalone_or_dist" == 'import' ]]; then req_mem=4 req_cores=2 @@ -2850,12 +2850,13 @@ wait_for_salt_minion() { } write_out_idh_services() { + local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls + printf '%s\n'\ "idh:"\ - " opencanary:"\ - " config:" >> "$minion_config" + " services:" >> "$pillar_file" for service in ${idh_services[@]}; do - echo " - $service" >> "$minion_config" + echo " - $service" | tr '[:upper:]' '[:lower:]' >> "$pillar_file" done } diff --git a/setup/so-setup b/setup/so-setup index dc9b5abb5..cf3dabfaa 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -280,6 +280,8 @@ if ! [[ -f $install_opt_file ]]; then check_requirements "standalone" elif [[ $is_fleet_standalone ]]; then check_requirements "dist" "fleet" + elif [[ $is_idh ]]; then + check_requirements "dist" "idh" elif [[ $is_sensor && ! $is_eval ]]; then check_requirements "dist" "sensor" elif [[ $is_distmanager || $is_minion ]] && [[ ! $is_import ]]; then 
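Review bot: In the `'Custom')` branch of collect_idh_services, `idh_services` keeps whatever whiptail_idh_services_custom assigned, and a `whiptail --checklist` invoked without `--separate-output` returns its selections as a single string of quoted tags (`"FTP" "HTTP"`), not the bash array the three preset branches build; `for service in ${idh_services[@]}` in write_out_idh_services then iterates once over that whole string and writes one quoted, multi-service pillar entry instead of one entry per service. Converting in the Custom branch, `read -ra idh_services <<< "${idh_services//\"/}"`, makes the variable an array on both paths so the pillar loop and the end-of-setup summary see one service per element. Quoting the expansion as `"${idh_services[@]}"` in the loop is the matching belt-and-braces.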
@@ -750,6 +752,12 @@ echo "1" > /root/accept_changes logstash_pillar >> $setup_log 2>&1 fi + if [[ $is_idh ]]; then + # Write out services to minion pillar file + set_progress_str 19 'Generating IDH services pillar' + write_out_idh_services + fi + if [[ $is_minion ]]; then set_progress_str 20 'Accepting Salt key on manager' @@ -919,9 +927,6 @@ echo "1" > /root/accept_changes fi if [[ $is_idh ]]; then - # Write out services to minion pillar file - write_out_idh_services - set_progress_str 79 "$(print_salt_state_apply 'idh')" salt-call state.apply -l info idh >> $setup_log 2>&1 diff --git a/setup/so-whiptail b/setup/so-whiptail index 96a145d2d..b6db2d9a7 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -432,6 +432,14 @@ whiptail_end_settings() { Hostname: $HOSTNAME EOM + if [[ $is_idh ]]; then + __append_end_msg "IDH Services Enabled:" + for service in ${idh_services[@]}; do + __append_end_msg "- $service" + done + + fi + [[ -n $NODE_DESCRIPTION ]] && __append_end_msg "Description: $NODE_DESCRIPTION" [[ $is_airgap ]] && __append_end_msg "Airgap: True" @@ -832,14 +840,12 @@ whiptail_install_type_dist_existing() { local node_msg read -r -d '' node_msg <<- EOM - Choose a distributed node type to join to an existing grid. - - See https://docs.securityonion.net/architecture for details. + Choose a distributed node type to join to an existing grid. See https://docs.securityonion.net/architecture for details. Note: Heavy nodes (HEAVYNODE) are NOT recommended for most users. EOM - install_type=$(whiptail --title "$whiptail_title" --radiolist "$node_msg" 19 58 5 \ + install_type=$(whiptail --title "$whiptail_title" --radiolist "$node_msg" 19 58 6 \ "SENSOR" "Create a forward only sensor " ON \ "SEARCHNODE" "Add a search node with parsing " OFF \ "FLEET" "Dedicated Fleet Osquery Node " OFF \ From 05be776f4b6a9cc91c7e8062ce12cba8e0a83f50 Mon Sep 17 00:00:00 2001 
From: Josh Brower Date: Mon, 21 Feb 2022 16:41:36 -0500 Subject: [PATCH 19/23] IDH - so-status --- salt/idh/init.sls | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/salt/idh/init.sls b/salt/idh/init.sls index b88e9b227..6627e266d 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls @@ -1,3 +1,21 @@ + +# Copyright 2014-2022 Security Onion Solutions, LLC +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} + {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} @@ -41,4 +59,17 @@ so-idh: - watch: - file: opencanary_config - require: - - file: opencanary_config \ No newline at end of file + - file: opencanary_config + +append_so-idh_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-idh + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: {{sls}}_state_not_allowed + +{% endif %} \ No newline at end of file From eea2b9ccfd9a0040da573544fa4b50d9abcfa18a Mon Sep 17 00:00:00 2001 
From: Josh Brower Date: Mon, 21 Feb 2022 16:43:26 -0500 Subject: [PATCH 20/23] IDH - Play - ssh --- salt/idh/Plays/IDH_SSH.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 salt/idh/Plays/IDH_SSH.yaml diff --git a/salt/idh/Plays/IDH_SSH.yaml b/salt/idh/Plays/IDH_SSH.yaml new file mode 100644 index 000000000..1d4e7ece4 --- /dev/null +++ b/salt/idh/Plays/IDH_SSH.yaml @@ -0,0 +1,18 @@ +title: SO IDH - SSH Accessed +status: experimental +description: Detects when the SSH service on a SO IDH node has been probed. +author: Security Onion Solutions +logsource: + product: idh +detection: + selection: + event.code: + - 4000 + - 4001 + - 4002 + condition: selection +falsepositives: + - None +fields: + - source.ip +level: critical \ No newline at end of file From df9fc807a34f50e0e7eee5690f55eaa72b2bd8f9 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 22 Feb 2022 08:05:53 -0500 Subject: [PATCH 21/23] IDH - restart scripts, filebeat fix --- salt/common/tools/sbin/so-idh-restart | 20 ++++++++++++++++++++ salt/common/tools/sbin/so-idh-start | 20 ++++++++++++++++++++ salt/common/tools/sbin/so-idh-stop | 20 ++++++++++++++++++++ salt/filebeat/etc/filebeat.yml | 9 +++++++++ setup/so-whiptail | 4 ++-- 5 files changed, 71 insertions(+), 2 deletions(-) create mode 100644 salt/common/tools/sbin/so-idh-restart create mode 100644 salt/common/tools/sbin/so-idh-start create mode 100644 salt/common/tools/sbin/so-idh-stop diff --git a/salt/common/tools/sbin/so-idh-restart b/salt/common/tools/sbin/so-idh-restart new file mode 100644 index 000000000..ce6dd9843 --- /dev/null +++ b/salt/common/tools/sbin/so-idh-restart 
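Review bot: The new IDH_SSH.yaml play fires at `level: critical` on `event.code` 4000, 4001 and 4002 with `falsepositives: None`, and nothing in the file says what the three codes mean; if 4000 is OpenCanary's new-connection event, as its numbering suggests, every scanner that completes a TCP handshake with the decoy raises the same critical alert as an actual login attempt. A comment beside the list such as `# 4000 new connection, 4001 remote version sent, 4002 login attempt (OpenCanary SSH logtypes)` would let a reader judge that, and a split so that only the login-attempt code is critical while connection and version events are high would match severity to what the source actually did. `falsepositives` should at least list scheduled internal vulnerability scanners, which will touch every decoy port.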
@@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014-2022 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-restart idh $1 diff --git a/salt/common/tools/sbin/so-idh-start b/salt/common/tools/sbin/so-idh-start new file mode 100644 index 000000000..2f300ba01 --- /dev/null +++ b/salt/common/tools/sbin/so-idh-start @@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014-2022 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-start idh $1 diff --git a/salt/common/tools/sbin/so-idh-stop b/salt/common/tools/sbin/so-idh-stop new file mode 100644 index 000000000..48e974be2 --- /dev/null +++ b/salt/common/tools/sbin/so-idh-stop 
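Review bot: `/usr/sbin/so-restart idh $1` in so-idh-restart passes the argument unquoted, so an empty or whitespace-containing argument is dropped or word-split before so-restart sees it. `/usr/sbin/so-restart idh "$1"`, or `"$@"` to forward every argument unchanged, is the usual form; so-idh-start in the same hunk set has the identical line.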
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop idh $1
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index fb4298893..e29b1a583 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -273,6 +273,10 @@ filebeat.inputs:
 category: host
 tags: beat-ext
 processors:
+ - decode_json_fields: fields: ["message"] target: "" add_error_key: true
 - rename:
 fields:
 - from: "audience"
@@ -297,6 +301,8 @@ filebeat.inputs:
 fields:
 module: opencanary
 dataset: idh
+ category: host
+ tags: beat-ext
 processors:
 - decode_json_fields:
 fields: ["message"]
@@ -325,6 +331,9 @@ filebeat.inputs:
 ignore_missing: true
 - drop_fields:
 fields: '["prospector", "input", "offset", "beat"]'
+ fields_under_root: true
+ clean_removed: false
+ close_removed: false
 {%- endif %}
 {%- if INPUTS %}
diff --git a/setup/so-whiptail b/setup/so-whiptail
index b6db2d9a7..c8d0faf5e 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
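Review bot: The `message` this input decodes with `decode_json_fields` into the event root is honeypot output, so every value inside the decoded OpenCanary `logdata` object (usernames, passwords, request paths sent by whoever touched the decoy) is attacker-controlled once it lands in Elasticsearch; nothing in the hunk is wrong, but a comment above `processors:` such as `# opencanary logdata.* values are attacker-supplied; never trust them in enrichment or dashboards` would warn whoever adds an ingest pipeline or rule later. If any OpenCanary module logs attacker-chosen key names rather than a fixed set (HTTP request headers, for instance), those keys become dynamically mapped fields and an unbounded key set can exhaust the index field limit — worth confirming against the module output before this ships. The input's opening lines are outside the hunk.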
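Review bot: `clean_removed: false` and `close_removed: false` make Filebeat keep the harvester and the registry entry alive after the log file is deleted, and nothing in the hunk records why; if the reason is that the opencanary container recreates `/var/tmp/opencanary.log` at the same path on restart, a comment above the three lines saying so is needed, because these two settings are also a well-known way to pin deleted-file handles and their disk space across log rotation. Their indentation cannot be checked in this rendering: they are input-level options and must sit at the same level as `fields:`, not inside the `processors:` list that precedes them, or Filebeat will reject the config. Whether this is still the opencanary input or a later one is not visible from the hunk.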
@@ -752,7 +752,7 @@ whiptail_idh_services_custom() {
 "Git" " TCP/9418 " OFF \
 "HTTP" " TCP/80, Additional Configuration Available " OFF \
 "HTTPPROXY" " TCP/8080, Additional Configuration Available " OFF \
- "MSSQL" " TCP/22 " OFF \
+ "MSSQL" " TCP/1433 " OFF \
 "MySQL" " TCP/3306, Additional Configuration Available " OFF \
 "NTP" " TCP/123 " OFF \
 "REDIS" " TCP/6379 " OFF \
@@ -760,7 +760,7 @@ whiptail_idh_services_custom() {
 "SSH" " TCP/22, Additional Configuration Available " OFF \
 "TELNET" " TCP/23, Additional Configuration Available " OFF \
 "TFTP" " TCP/69 " OFF \
- "VNC" " TCP/22 " OFF 3>&1 1>&2 2>&3 )
+ "VNC" " TCP/5000 " OFF 3>&1 1>&2 2>&3 )
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
From 99554d5db8525c0e8267aa991a886b9af5fe5b00 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 22 Feb 2022 14:10:05 -0500
Subject: [PATCH 22/23] IDH - UDP vs TCP support
---
 salt/firewall/portgroups.yaml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml
index ae258daa6..e928987f7 100644
--- a/salt/firewall/portgroups.yaml
+++ b/salt/firewall/portgroups.yaml
@@ -114,8 +114,13 @@ firewall:
 {% if idh_services is defined %}
 {% for service in idh_services %}
+ {% if service in ["smnp","ntp", "tftp"] %}
+ {% set proto = 'udp' %}
+ {% else %}
+ {% set proto = 'tcp' %}
+ {% endif %}
 idh_{{service}}:
- tcp:
- - {{ OPENCANARYCONFIG[service~'.port'] }}
+ {{proto}}:
+ - {{ OPENCANARYCONFIG[service~'.port'] }}
 {% endfor %}
 {% endif %}
From 1d95aca4de880d32ec5000f0d5a3f1df4f88ae25 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 22 Feb 2022 14:16:45 -0500
Subject: [PATCH 23/23] IDH - VNC default port
---
 salt/idh/defaults/vnc.defaults.yaml | 2 +-
 setup/so-whiptail | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/salt/idh/defaults/vnc.defaults.yaml b/salt/idh/defaults/vnc.defaults.yaml
index 55d4abddc..1995e5651 100644
--- a/salt/idh/defaults/vnc.defaults.yaml
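Review bot: The protocol test on the first added line spells the service `"smnp"`, while the service key used everywhere else in the series is `snmp` (the `snmp.port` config key, the SNMP menu entry), so the SNMP decoy always falls into the `else` branch and the `idh_snmp` port group is opened as TCP/161 while OpenCanary listens on UDP/161 — the honeypot is unreachable and the `UDP/161` label added in the next patch is wrong. Change the line to `{% if service in ["snmp", "ntp", "tftp"] %}`. That list is also a second hand-maintained copy of which OpenCanary services are UDP; a comment on it such as `{# UDP-only opencanary services; keep in sync with so-whiptail labels #}` would at least make the coupling visible. The enclosing `firewall:` mapping starts outside the hunk.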
+++ b/salt/idh/defaults/vnc.defaults.yaml
@@ -2,4 +2,4 @@ idh:
 opencanary:
 config:
 vnc.enabled: true
- vnc.port: 5000
\ No newline at end of file
+ vnc.port: 5900
\ No newline at end of file
diff --git a/setup/so-whiptail b/setup/so-whiptail
index c8d0faf5e..b993ca471 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -754,13 +754,13 @@ whiptail_idh_services_custom() {
 "HTTPPROXY" " TCP/8080, Additional Configuration Available " OFF \
 "MSSQL" " TCP/1433 " OFF \
 "MySQL" " TCP/3306, Additional Configuration Available " OFF \
- "NTP" " TCP/123 " OFF \
+ "NTP" " UDP/123 " OFF \
 "REDIS" " TCP/6379 " OFF \
- "SNMP" " TCP/161 " OFF \
+ "SNMP" " UDP/161 " OFF \
 "SSH" " TCP/22, Additional Configuration Available " OFF \
 "TELNET" " TCP/23, Additional Configuration Available " OFF \
- "TFTP" " TCP/69 " OFF \
- "VNC" " TCP/5000 " OFF 3>&1 1>&2 2>&3 )
+ "TFTP" " UDP/69 " OFF \
+ "VNC" " TCP/5900 " OFF 3>&1 1>&2 2>&3 )
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
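Review bot: The port and protocol text in each menu label is a third hand-typed copy of facts that live in the service's defaults yaml and in `salt/firewall/portgroups.yaml`, and this series already had to correct the same label twice (VNC went TCP/22 → TCP/5000 → TCP/5900 across three patches). The new `SNMP` label now says `UDP/161`, but the firewall template from the previous patch only treats `"smnp"`, `ntp` and `tftp` as UDP, so until that spelling is corrected the label promises a rule the node does not open. At minimum add a comment above the list, `# Port/proto labels must match salt/idh/defaults/*.yaml and salt/firewall/portgroups.yaml`; better, render the labels from the defaults so they cannot drift. `whiptail_idh_services_custom` begins outside the hunk.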