Merge pull request #7282 from Security-Onion-Solutions/delta

Initial Support - IDH Node

salt/allowed_states.map.jinja

@@ -91,6 +91,16 @@
           'schedule',
           'docker_clean'
           ],
+     'so-idh': [
+          'ssl',
+          'telegraf',
+          'firewall',
+          'fleet.install_package',
+          'filebeat',
+          'idh',
+          'schedule',
+          'docker_clean'
+          ],
       'so-import': [
           'salt.master',
           'ca',
@@ -238,7 +248,7 @@
     {% do allowed_states.append('strelka') %}
   {% endif %}
 
-  {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver']%}
+  {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver','so-idh']%}
     {% do allowed_states.append('wazuh') %}
   {% endif %}
 

salt/common/tools/sbin/so-idh-restart

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart idh $1

salt/common/tools/sbin/so-idh-start

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start idh $1

salt/common/tools/sbin/so-idh-stop

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop idh $1

salt/common/tools/sbin/so-image-common

@@ -55,6 +55,7 @@ container_list() {
       "so-fleet"
       "so-fleet-launcher"
       "so-grafana"
+      "so-idh"
       "so-idstools"
       "so-influxdb"
       "so-kibana"

salt/filebeat/etc/filebeat.yml

@@ -294,6 +294,48 @@ filebeat.inputs:
   close_removed: false
 {%- endif %}
 
+{%- if grains.role == 'so-idh' %}
+- type: log
+  paths:
+    - /nsm/idh/opencanary.log
+  fields:
+    module: opencanary
+    dataset: idh
+    category: host
+    tags: beat-ext
+  processors:
+    - decode_json_fields:
+        fields: ["message"]
+        target: ""
+        add_error_key: true
+    - drop_fields:
+        when:
+          equals:
+            logtype: 1001
+        fields: ["src_host", "src_port", "dst_host", "dst_port" ]
+        ignore_missing: true
+    - rename:
+        fields:
+          - from: "src_host"
+            to: "source.ip"
+          - from: "src_port"
+            to: "source.port"
+          - from: "dst_host"
+            to: "destination.host"
+          - from: "dst_port"
+            to: "destination.port"
+        ignore_missing: true
+    - convert:
+        fields:
+          - {from: "logtype", to: "event.code", type: "string"}
+        ignore_missing: true
+    - drop_fields:
+        fields: '["prospector", "input", "offset", "beat"]'
+  fields_under_root: true
+  clean_removed: false
+  close_removed: false
+{%- endif %}
+
 {%- if INPUTS %}
 # USER PILLAR DEFINED INPUTS
 {{ INPUTS | yaml(False) }}
@@ -352,7 +394,7 @@ output.logstash:
 
   # The Logstash hosts
   hosts:
-{%- if grains.role in ['so-sensor', 'so-fleet', 'so-node'] %}
+{%- if grains.role in ['so-sensor', 'so-fleet', 'so-node', 'so-idh'] %}
 {%-   set LOGSTASH = namespace() %}
 {%-   set LOGSTASH.count = 0 %}
 {%-   set LOGSTASH.loadbalance = false %}

salt/firewall/assigned_hostgroups.map.yaml

@@ -653,3 +653,20 @@ role:
           localhost:
             portgroups:
               - {{ portgroups.all }}
+  idh:
+    chain:
+      INPUT:
+        hostgroups:
+          anywhere:
+            portgroups:
+              - {{ portgroups.ssh }}
+            {% set idh_services = salt['pillar.get']('idh:services', []) %}
+            {% for service in idh_services %}
+              - {{ portgroups['idh_'~service] }}
+            {% endfor %}
+          dockernet:
+            portgroups:
+              - {{ portgroups.all }}
+          localhost:
+            portgroups:
+              - {{ portgroups.all }}

salt/firewall/portgroups.yaml

@@ -1,3 +1,8 @@
+{% if grains.role == 'so-idh' %}
+  {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %}
+  {% set idh_services = salt['pillar.get']('idh:services', []) %}
+{% endif %}
+
 firewall:
   aliases:
     ports:
@@ -106,3 +111,16 @@ firewall:
       yum:
         tcp:
           - 443
+
+{% if idh_services is defined %}
+  {% for service in idh_services %}
+  {% if service in ["smnp","ntp", "tftp"] %}
+    {% set proto = 'udp' %}
+  {% else %}
+    {% set proto = 'tcp' %}
+  {% endif %}
+      idh_{{service}}:
+        {{proto}}:
+          - {{ OPENCANARYCONFIG[service~'.port'] }}
+  {% endfor %}
+{% endif %}

salt/idh/Plays/IDH_SSH.yaml

@@ -0,0 +1,18 @@
+title: SO IDH - SSH Accessed
+status: experimental
+description: Detects when the SSH service on a SO IDH node has been probed.
+author: Security Onion Solutions
+logsource:
+  product: idh
+detection:
+  selection:
+    event.code:
+    - 4000
+    - 4001
+    - 4002
+  condition: selection
+falsepositives:
+  - None
+fields:
+  - source.ip
+level: critical

salt/idh/defaults/defaults.yaml

@@ -0,0 +1,35 @@
+idh:
+  opencanary:
+    config:
+      device.node_id: {{ grains.host }}
+      logger:
+        class: PyLogger
+        kwargs:
+            formatters:
+              plain:
+                  format: '%(message)s'
+            handlers:
+              console:
+                  class: logging.StreamHandler
+                  stream: ext://sys.stdout
+              file:
+                  class: logging.FileHandler
+                  filename: /var/tmp/opencanary.log
+      portscan.enabled: false
+      portscan.logfile: /var/log/kern.log
+      portscan.synrate: 5
+      portscan.nmaposrate: 5
+      portscan.lorate: 3
+      tcpbanner.maxnum: 10
+      tcpbanner.enabled: false
+      tcpbanner_1.enabled: false
+      tcpbanner_1.port: 8001
+      tcpbanner_1.datareceivedbanner: ''
+      tcpbanner_1.initbanner: ''
+      tcpbanner_1.alertstring.enabled: false
+      tcpbanner_1.alertstring: ''
+      tcpbanner_1.keep_alive.enabled: false
+      tcpbanner_1.keep_alive_secret: ''
+      tcpbanner_1.keep_alive_probes: 11
+      tcpbanner_1.keep_alive_interval: 300
+      tcpbanner_1.keep_alive_idle: 300

salt/idh/defaults/ftp.defaults.yaml

@@ -0,0 +1,6 @@
+idh:
+  opencanary:
+    config:
+      ftp.enabled: true
+      ftp.port: 21
+      ftp.banner: FTP server ready

salt/idh/defaults/git.defaults.yaml

@@ -0,0 +1,5 @@
+idh:
+  opencanary:
+    config:
+      git.enabled: true
+      git.port: 9418      

salt/idh/defaults/http.defaults.yaml

@@ -0,0 +1,12 @@
+idh:
+  opencanary:
+    config:
+      http.banner: Apache/2.2.22 (Ubuntu)
+      http.enabled: true
+      http.port: 80
+      http.skin: nasLogin
+      http.skin.list:
+      - desc: Plain HTML Login
+        name: basicLogin
+      - desc: Synology NAS Login
+        name: nasLogin

salt/idh/defaults/httpproxy.defaults.yaml

@@ -0,0 +1,11 @@
+idh:
+  opencanary:
+    config:
+      httpproxy.enabled: true
+      httpproxy.port: 8080
+      httpproxy.skin: squid
+      httproxy.skin.list:
+      - desc: Squid
+        name: squid
+      - desc: Microsoft ISA Server Web Proxy
+        name: ms-isa

salt/idh/defaults/mssql.defaults.yaml

@@ -0,0 +1,6 @@
+idh:
+  opencanary:
+    config:
+      mssql.enabled: true
+      mssql.version: '2012'
+      mssql.port: 1433

salt/idh/defaults/mysql.defaults.yaml

@@ -0,0 +1,6 @@
+idh:
+  opencanary:
+    config:
+      mysql.enabled: true
+      mysql.port: 3306
+      mysql.banner: 5.5.43-0ubuntu0.14.04.1

salt/idh/defaults/ntp.defaults.yaml

@@ -0,0 +1,5 @@
+idh:
+  opencanary:
+    config:
+      ntp.enabled: true
+      ntp.port: '123'

salt/idh/defaults/redis.defaults.yaml

@@ -0,0 +1,5 @@
+idh:
+  opencanary:
+    config:
+      redis.enabled: true
+      redis.port: 6379

salt/idh/defaults/sip.defaults.yaml

@@ -0,0 +1,5 @@
+idh:
+  opencanary:
+    config:
+      sip.enabled: true
+      sip.port: 5060

salt/idh/defaults/smb.defaults.yaml

@@ -0,0 +1,5 @@
+idh:
+  opencanary:
+    config:
+      smb.auditfile: /var/log/samba-audit.log
+      smb.enabled: true

salt/idh/defaults/snmp.defaults.yaml

@@ -0,0 +1,5 @@
+idh:
+  opencanary:
+    config:
+      snmp.enabled: true
+      snmp.port: 161

salt/idh/defaults/ssh.defaults.yaml

@@ -0,0 +1,6 @@
+idh:
+  opencanary:
+    config:
+      ssh.enabled: true
+      ssh.port: 22
+      ssh.version: SSH-2.0-OpenSSH_5.1p1 Debian-4

salt/idh/defaults/telnet.defaults.yaml

@@ -0,0 +1,11 @@
+idh:
+  opencanary:
+    config:
+      telnet.enabled: true
+      telnet.port: '23'
+      telnet.banner: ''
+      telnet.honeycreds:
+      - username: admin
+        password: $pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA
+      - username: admin
+        password: admin1

salt/idh/defaults/tftp.defaults.yaml

@@ -0,0 +1,5 @@
+idh:
+  opencanary:
+    config:
+      tftp.enabled: true
+      tftp.port: 69

salt/idh/defaults/vnc.defaults.yaml

@@ -0,0 +1,5 @@
+idh:
+  opencanary:
+    config:
+      vnc.enabled: true
+      vnc.port: 5900

salt/idh/idh.conf.jinja

@@ -0,0 +1 @@
+{{ OPENCANARYCONFIG | tojson(True) }}

salt/idh/init.sls

@@ -0,0 +1,75 @@
+
+# Copyright 2014-2022 Security Onion Solutions, LLC
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls in allowed_states %}
+
+{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
+{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
+{% set MANAGER = salt['grains.get']('master') %}
+
+# IDH State
+
+# Create a config directory
+temp:
+  file.directory:
+    - name: /opt/so/conf/idh
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+# Create a log directory
+configdir:
+  file.directory:
+    - name: /nsm/idh
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+{% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG with context %}
+opencanary_config:
+  file.managed:
+    - name: /opt/so/conf/idh/opencanary.conf
+    - source: salt://idh/idh.conf.jinja
+    - template: jinja
+    - defaults:
+        OPENCANARYCONFIG: {{ OPENCANARYCONFIG }}
+
+so-idh:
+  docker_container.running:
+    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-idh:{{ VERSION }}
+    - name: so-idh
+    - detach: True
+    - network_mode: host
+    - binds:
+      - /nsm/idh:/var/tmp:rw
+      - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
+    - watch:
+      - file: opencanary_config
+    - require:
+      - file: opencanary_config
+
+append_so-idh_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-idh
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/idh/opencanary_config.map.jinja

@@ -0,0 +1,9 @@
+{% set idh_services = salt['pillar.get']('idh:services', []) %}
+
+{% import_yaml "idh/defaults/defaults.yaml" as OPENCANARYCONFIG with context %}
+{% for service in idh_services %}
+      {% import_yaml "idh/defaults/" ~ service ~ ".defaults.yaml" as SERVICECONFIG with context %}
+      {% do salt['defaults.merge'](OPENCANARYCONFIG, SERVICECONFIG, in_place=True) %}
+{% endfor %}
+
+{% set OPENCANARYCONFIG = salt['pillar.get']('idh:opencanary:config', default=OPENCANARYCONFIG.idh.opencanary.config, merge=True) %}

salt/ssl/init.sls

@@ -447,7 +447,7 @@ fleetkeyperms:
 
 {% endif %}
 
-{% if grains['role'] in ['so-sensor', 'so-manager', 'so-node', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-import', 'so-receiver'] %}
+{% if grains['role'] in ['so-sensor', 'so-manager', 'so-node', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-idh', 'so-import', 'so-receiver'] %}
    
 fbcertdir:
   file.directory:

salt/top.sls

@@ -503,3 +503,20 @@ base:
     {%- endif %}
     - schedule
     - docker_clean
+
+  '*_idh and G@saltversion:{{saltversion}}':
+    - match: compound
+    - ssl
+    - sensoroni
+    - telegraf
+    - firewall
+    {%- if WAZUH != 0 %}
+    - wazuh
+    {%- endif %}
+    {%- if FLEETMANAGER or FLEETNODE %}
+    - fleet.install_package
+    {%- endif %}
+    - schedule
+    - docker_clean
+    - filebeat
+    - idh