From 643dab12d0b6b1826e4717d1b96c32983b379b5b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 1 Sep 2020 11:09:33 -0400 Subject: [PATCH 01/40] Enable airgap --- setup/so-setup | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 30bc10479..8ff274bf5 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -193,16 +193,16 @@ if [[ "$setup_type" == 'iso' ]]; then is_iso=true fi -#Check if this is an airgap install +# Check if this is an airgap install -#if [[ $is_manager ]]; then -# if [[ $is_iso ]]; then -# whiptail_airgap -# if [[ "$INTERWEBS" == 'AIRGAP' ]]; then -# is_airgap=true -# fi -# fi -#fi +if [[ $is_manager ]]; then + if [[ $is_iso ]]; then + whiptail_airgap + if [[ "$INTERWEBS" == 'AIRGAP' ]]; then + is_airgap=true + fi + fi +fi if [[ $is_manager && $is_sensor ]]; then check_requirements "standalone" From 9cff7c1427ca38dbbe024cec862684e451daa3a0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 1 Sep 2020 11:24:22 -0400 Subject: [PATCH 02/40] Enable airgap functions --- setup/so-functions | 147 ++++++++++++++++++++++++--------------------- setup/so-setup | 2 + 2 files changed, 82 insertions(+), 67 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 73828b091..111f7ce5a 100755 --- a/setup/so-functions +++ b/setup/so-functions 
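Review bot: `is_airgap` is only ever assigned on the manager+ISO path of this hunk, and every later test on the page is `[[ $is_airgap ]]` (non-empty means airgapped), so a same-named variable inherited from the environment would silently enable airgap mode. An explicit `is_airgap=` just before the `if [[ $is_manager ]]` line makes the empty-means-false convention visible and clears any inherited value; it must stay empty rather than `false`, because `[[ false ]]` is true. Whether so-setup runs under `set -u` is not visible here; if it does, the explicit assignment also keeps the later tests from aborting on a non-ISO install.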
@@ -480,72 +480,6 @@ check_requirements() { fi } -copy_salt_master_config() { - - # Copy the Salt master config template to the proper directory - if [ "$setup_type" = 'iso' ]; then - cp /root/SecurityOnion/files/master /etc/salt/master >> "$setup_log" 2>&1 - else - cp ../files/master /etc/salt/master >> "$setup_log" 2>&1 - fi - - # Restart the service so it picks up the changes - systemctl restart salt-master >> "$setup_log" 2>&1 -} - -copy_minion_tmp_files() { - case "$install_type" in - 'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') - echo "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" - cp -Rv "$temp_install_dir"/pillar/ $local_salt_dir/ >> "$setup_log" 2>&1 - if [ -d "$temp_install_dir"/salt ] ; then - cp -Rv "$temp_install_dir"/salt/ $local_salt_dir/ >> "$setup_log" 2>&1 - fi - ;; - *) - { - echo "scp pillar and salt files in $temp_install_dir to manager $local_salt_dir"; - ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar; - ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules; - scp -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/; - if [ -d $temp_install_dir/salt/patch/os/schedules/ ]; then - if [ "$(ls -A $temp_install_dir/salt/patch/os/schedules/)" ]; then - scp -prv -i /root/.ssh/so.key $temp_install_dir/salt/patch/os/schedules/* soremote@$MSRV:/tmp/$MINION_ID/schedules; - fi - fi - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/manager/files/add_minion.sh "$MINION_ID"; - } >> "$setup_log" 2>&1 - ;; - esac -} - -copy_ssh_key() { - - echo "Generating SSH key" - # Generate SSH key - mkdir -p /root/.ssh - ssh-keygen -f /root/.ssh/so.key -t rsa -q -N "" < /dev/zero - chown -R "$SUDO_USER":"$SUDO_USER" /root/.ssh - echo "Copying the SSH key to the manager" - #Copy the key over to the manager - ssh-copy-id -f -i /root/.ssh/so.key soremote@"$MSRV" -} - 
-create_local_directories() { - echo "Creating local pillar and salt directories" - PILLARSALTDIR=${SCRIPTDIR::-5} - for i in "pillar" "salt"; do - for d in $(find $PILLARSALTDIR/$i -type d); do - suffixdir=${d//$PILLARSALTDIR/} - if [ ! -d "$local_salt_dir/$suffixdir" ]; then - mkdir -v "$local_salt_dir$suffixdir" >> "$setup_log" 2>&1 - fi - done - chown -R socore:socore "$local_salt_dir/$i" - done - -} - configure_network_sensor() { echo "Setting up sensor interface" >> "$setup_log" 2>&1 local nic_error=0 
@@ -630,6 +564,77 @@ configure_network_sensor() { fi } +copy_salt_master_config() { + + # Copy the Salt master config template to the proper directory + if [ "$setup_type" = 'iso' ]; then + cp /root/SecurityOnion/files/master /etc/salt/master >> "$setup_log" 2>&1 + else + cp ../files/master /etc/salt/master >> "$setup_log" 2>&1 + fi + + # Restart the service so it picks up the changes + systemctl restart salt-master >> "$setup_log" 2>&1 +} + +copy_minion_tmp_files() { + case "$install_type" in + 'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') + echo "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" + cp -Rv "$temp_install_dir"/pillar/ $local_salt_dir/ >> "$setup_log" 2>&1 + if [ -d "$temp_install_dir"/salt ] ; then + cp -Rv "$temp_install_dir"/salt/ $local_salt_dir/ >> "$setup_log" 2>&1 + fi + ;; + *) + { + echo "scp pillar and salt files in $temp_install_dir to manager $local_salt_dir"; + ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar; + ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules; + scp -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/; + if [ -d $temp_install_dir/salt/patch/os/schedules/ ]; then + if [ "$(ls -A $temp_install_dir/salt/patch/os/schedules/)" ]; then + scp -prv -i /root/.ssh/so.key $temp_install_dir/salt/patch/os/schedules/* soremote@$MSRV:/tmp/$MINION_ID/schedules; + fi + fi + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/manager/files/add_minion.sh "$MINION_ID"; + } >> "$setup_log" 2>&1 + ;; + esac +} + +copy_ssh_key() { + + echo "Generating SSH key" + # Generate SSH key + mkdir -p /root/.ssh + ssh-keygen -f /root/.ssh/so.key -t rsa -q -N "" < /dev/zero + chown -R "$SUDO_USER":"$SUDO_USER" /root/.ssh + echo "Copying the SSH key to the manager" + #Copy the key over to the manager + ssh-copy-id -f -i /root/.ssh/so.key soremote@"$MSRV" +} + 
+create_local_directories() { + echo "Creating local pillar and salt directories" + PILLARSALTDIR=${SCRIPTDIR::-5} + for i in "pillar" "salt"; do + for d in $(find $PILLARSALTDIR/$i -type d); do + suffixdir=${d//$PILLARSALTDIR/} + if [ ! -d "$local_salt_dir/$suffixdir" ]; then + mkdir -v "$local_salt_dir$suffixdir" >> "$setup_log" 2>&1 + fi + done + chown -R socore:socore "$local_salt_dir/$i" + done + +} + +create_repo() { + # Create the repo for airgap + createrepo /nsm/repo +} + detect_cloud() { echo "Testing if setup is running on a cloud instance..." >> "$setup_log" 2>&1 if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google > /dev/null); then export is_cloud="true"; fi @@ -1096,7 +1101,15 @@ manager_global() { " ids: $NIDS"\ " url_base: $REDIRECTIT"\ " managerip: $MAINIP" > "$global_pillar" - + + if [[ $is_airgap ]]; then + printf '%s\n'\ + " airgap: True"\ >> "$global_pillar" + else + printf '%s\n'\ + " airgap: False"\ >> "$global_pillar" + fi + # Check if TheHive is enabled. If so, add creds and other details if [[ "$THEHIVE" == "1" ]]; then printf '%s\n'\ diff --git a/setup/so-setup b/setup/so-setup index 8ff274bf5..39b7efe9c 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -411,6 +411,8 @@ if [[ $is_manager || $is_import ]]; then whiptail_so_allow; fi whiptail_make_changes +# From here on changes will be made. + if [[ -n "$TURBO" ]]; then use_turbo_proxy fi From 951fe2ac69f4b6c230fd29a40808caba70d24a8d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 1 Sep 2020 11:26:33 -0400 Subject: [PATCH 03/40] Create repo --- setup/so-setup | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/setup/so-setup b/setup/so-setup index 39b7efe9c..f771d7d57 100755 --- a/setup/so-setup +++ b/setup/so-setup 
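Review bot: `create_repo` runs `createrepo /nsm/repo` with no check that the `createrepo` binary is on PATH or that `/nsm/repo` exists and holds packages, so a missing prerequisite produces an empty or absent repo that the later airgap states (the `airgap.repo` baseurl and the nginx bind mount of `/nsm/repo`) will still point minions at. A guard at the top, `command -v createrepo >/dev/null || return 1` and `[[ -d /nsm/repo ]] || return 1`, plus a header comment `# Build yum repodata for the airgap repo served from /nsm/repo (manager only)`, gives the caller something to act on. The other functions in this hunk are moved from earlier in the file without change.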
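Review bot: In the `manager_global` hunk both new `printf` calls end their string argument with `\ >>`; a backslash-space is an escaped space, so the argument actually written is ` airgap: True ` / ` airgap: False ` with a trailing blank rather than a line continuation. YAML tolerates the trailing space, but it is an accident, and the entries just above use no backslash before the redirect (`" managerip: $MAINIP" > "$global_pillar"`). The same form here, `printf '%s\n' " airgap: True" >> "$global_pillar"` and its `False` twin, is what was meant.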
@@ -462,6 +462,11 @@ fi # Set initial percentage to 0 export percentage=0 + if [[ $is_manager && $is_airgap ]]; then + info "Creating airgap repo" + create_repo >> $setup_log 2>&1 + fi + if [[ $is_minion ]]; then set_progress_str 1 'Configuring firewall' set_initial_firewall_policy >> $setup_log 2>&1 From 9745191f194b31d95e0c703590442e8f8af236d8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 2 Sep 2020 16:17:44 -0400 Subject: [PATCH 04/40] Add Airgap State --- salt/airgap/init.sls | 51 +++++++++++++++++++++++++ salt/nginx/etc/nginx.conf.so-standalone | 16 ++++++++ salt/nginx/init.sls | 4 ++ 3 files changed, 71 insertions(+) create mode 100644 salt/airgap/init.sls diff --git a/salt/airgap/init.sls b/salt/airgap/init.sls new file mode 100644 index 000000000..c5f46e03b --- /dev/null +++ b/salt/airgap/init.sls @@ -0,0 +1,51 @@ +{% set MANAGER = salt['grains.get']('master') %} +{% set IMAGEREPO = salt['pillar.get']('global:airgap') %} +airgap.repo: + pkgrepo.managed: + - humanname: Airgap Repo + - baseurl: https://{{ MANAGER }}/repo + - gpgcheck: 0 + +agbase: + file.absent: + - name: /etc/yum.repos.d/CentOS-Base.repo + +agcr: + file.absent: + - name: /etc/yum.repos.d/CentOS-CR.repo + +agdebug: + file.absent: + - name: /etc/yum.repos.d/CentOS-Debuginfo.repo + +agfasttrack: + file.absent: + - name: /etc/yum.repos.d/CentOS-fasttrack.repo + +agmedia: + file.absent: + - name: /etc/yum.repos.d/CentOS-Media.repo + +agsources: + file.absent: + - name: /etc/yum.repos.d/CentOS-Sources.repo + +agvault: + file.absent: + - name: /etc/yum.repos.d/CentOS-Vault.repo + +agkernel: + file.absent: + - name: /etc/yum.repos.d/CentOS-x86_64-kernel.repo + +agepel: + file.absent: + - name: /etc/yum.repos.d/epel.repo + +agtesting: + file.absent: + - name: /etc/yum.repos.d/epel-testing.repo + +agssrepo: + file.absent: + - name: /etc/yum.repos.d/saltstack.repo \ No newline at end of file 
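Review bot: `create_repo >> $setup_log 2>&1` discards createrepo's exit status, so on an airgap manager a failed repo build is logged and setup proceeds, and minions later pointed at `https://<manager>/repo` have no usable package source. Check it explicitly, e.g. `create_repo >> "$setup_log" 2>&1 || { echo "createrepo failed, see $setup_log" >&2; exit 1; }` (or the script's own error helper if one exists outside this hunk), and quote `$setup_log` while touching the line. Whether `set -e` is active in so-setup is not visible here; even if it is, an explicit check gives the operator a clear message.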
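Review bot: `airgap.repo` sets `gpgcheck: 0`, so every package a minion installs from `https://{{ MANAGER }}/repo` is accepted without an RPM signature check, and integrity then rests only on TLS to the manager and on whatever is in `/nsm/repo`. The mirrored packages are signed upstream, so `- gpgcheck: 1` with a `- gpgkey:` list naming the keys the minion already holds (on CentOS 7 `file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7`, plus the EPEL and SaltStack keys if those packages are mirrored) keeps the airgap path as strict as the online one. Note that a per-repo `gpgcheck: 0` overrides the `[main]` `gpgcheck=1` that a later patch on this page adds to yum.conf. Whether yum on the minion trusts the manager's certificate is not visible here; if it does not, the baseurl fails `sslverify` rather than silently downgrading, which is the right failure mode.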
diff --git a/salt/nginx/etc/nginx.conf.so-standalone b/salt/nginx/etc/nginx.conf.so-standalone index ceae18cb1..220f86af5 100644 --- a/salt/nginx/etc/nginx.conf.so-standalone +++ b/salt/nginx/etc/nginx.conf.so-standalone @@ -2,6 +2,7 @@ {%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager') %} {%- set FLEET_NODE = salt['pillar.get']('global:fleet_node') %} {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', None) %} +{%- set ISAIRGAP = salt['pillar.get']('global:airgap') %} # For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ @@ -182,6 +183,21 @@ http { proxy_set_header X-Forwarded-Proto $scheme; } + {%- if ISAIRGAP is sameas true %} + location /repo/ { + #auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + {%- endif %} + + location /grafana/ { auth_request /auth/sessions/whoami; rewrite /grafana/(.*) /$1 break; diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 2e67a6b2c..2cb7984db 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -3,6 +3,7 @@ {% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} +{% set ISAIRGAP = salt['pillar.get']('global:airgap') %} # Drop the correct nginx config based on role nginxconfdir: 
@@ -72,6 +73,9 @@ so-nginx: - /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro - /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro - /opt/so/conf/fleet/packages:/opt/socore/html/packages + {% if ISAIRGAP is sameas true %} + - /nsm/repo:/opt/socore/html/repo:ro + {% endif %} # ATT&CK Navigator binds - /opt/so/conf/navigator/navigator_config.json:/opt/socore/html/navigator/assets/config.json:ro - /opt/so/conf/navigator/nav_layer_playbook.json:/opt/socore/html/navigator/assets/playbook.json:ro From 8db8dcb71a448dc2a9afb00289071b63c1eba594 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 3 Sep 2020 08:15:14 -0400 Subject: [PATCH 05/40] Change HOME_NET and EXTERNAL_NET defaults --- salt/suricata/defaults.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index a9dccdf46..f95bd5be7 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -2,8 +2,8 @@ suricata: config: vars: address-groups: - HOME_NET: "[192.168.0.0/16]" - EXTERNAL_NET: "!$HOME_NET" + HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" + EXTERNAL_NET: "any" HTTP_SERVERS: "$HOME_NET" SMTP_SERVERS: "$HOME_NET" SQL_SERVERS: "$HOME_NET" @@ -590,4 +590,4 @@ suricata: # threshold-file: /etc/suricata/threshold.config #include: include1.yaml #include: include2.yaml - \ No newline at end of file + From b2ee757db2b397f99b2d1e08495c99ce9cf6cd3d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 3 Sep 2020 10:35:12 -0400 Subject: [PATCH 06/40] Airgap Time --- salt/airgap/files/yum.conf | 12 ++++++++++++ salt/airgap/init.sls | 6 +++++- salt/nginx/etc/nginx.conf.so-standalone | 19 +++++++++---------- salt/top.sls | 9 ++++++++- setup/so-functions | 8 +++++--- 5 files changed, 39 insertions(+), 15 deletions(-) create mode 100644 salt/airgap/files/yum.conf diff --git a/salt/airgap/files/yum.conf b/salt/airgap/files/yum.conf new file mode 100644 index 000000000..cbab7607d --- /dev/null 
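Review bot: Changing `EXTERNAL_NET` from `!$HOME_NET` to `any` changes the meaning of every rule written as `$EXTERNAL_NET -> $HOME_NET`: it now also fires on traffic between two HOME_NET hosts, which adds east-west visibility but also the internal noise those rules were scoped to exclude, and widening HOME_NET to all three RFC1918 ranges at the same time multiplies that effect. A comment above the two lines, e.g. `# EXTERNAL_NET is "any" so rules also match internal-to-internal traffic; narrow HOME_NET to your real ranges`, records the intent where operators tuning alert volume will look. The second hunk only adds a trailing newline.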
+++ b/salt/airgap/files/yum.conf @@ -0,0 +1,12 @@ +[main] +cachedir=/var/cache/yum/$basearch/$releasever +keepcache=0 +debuglevel=2 +logfile=/var/log/yum.log +exactarch=1 +obsoletes=1 +gpgcheck=1 +plugins=1 +installonly_limit=2 +bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum +distroverpkg=centos-release \ No newline at end of file diff --git a/salt/airgap/init.sls b/salt/airgap/init.sls index c5f46e03b..5e972e877 100644 --- a/salt/airgap/init.sls +++ b/salt/airgap/init.sls @@ -1,5 +1,9 @@ {% set MANAGER = salt['grains.get']('master') %} -{% set IMAGEREPO = salt['pillar.get']('global:airgap') %} +airgapyum: + file.managed: + - name: /etc/yum/yum.conf + - source: salt://airgap/files/yum.conf + airgap.repo: pkgrepo.managed: - humanname: Airgap Repo diff --git a/salt/nginx/etc/nginx.conf.so-standalone b/salt/nginx/etc/nginx.conf.so-standalone index 220f86af5..dca073437 100644 --- a/salt/nginx/etc/nginx.conf.so-standalone +++ b/salt/nginx/etc/nginx.conf.so-standalone @@ -184,16 +184,15 @@ http { } {%- if ISAIRGAP is sameas true %} - location /repo/ { - #auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /repo/ { + allow all; + sendfile on; + sendfile_max_chunk 1m; + autoindex on; + autoindex_exact_size off; + autoindex_format html; + autoindex_localtime on; + } {%- endif %} diff --git a/salt/top.sls b/salt/top.sls index 719b367e8..8e0cbad59 100644 --- a/salt/top.sls +++ b/salt/top.sls 
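Review bot: `airgapyum` writes the managed file to `/etc/yum/yum.conf`, but yum reads its configuration from `/etc/yum.conf` — the same path that `set_updates` greps and appends to later in this patch — so the airgap yum.conf lands in `/etc/yum/` and is never read, leaving the stock config (and any `proxy=` line added earlier) in effect. Change the state to `- name: /etc/yum.conf`; a comment such as `# replaces the distro yum.conf so no update proxy is configured on airgap minions` would explain why a whole-file copy is managed. The copied content also lacks a trailing newline.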
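Review bot: The rewritten `location /repo/` is deliberately unauthenticated (`allow all`, no `auth_request`) and turns on `autoindex`, so anyone who can reach the manager on 443 can list and download the mirrored packages; that is what yum clients need, but the reason belongs in the config, e.g. `# served without SOC session auth: yum cannot complete auth_request; package integrity must come from RPM signature checks on the client`. The block declares no `root`/`alias`, so it inherits the server-level root, which is presumably where the `/opt/socore/html/repo` bind mount from nginx/init.sls lands — worth confirming, since the previous version of this block proxied instead of serving files. If the sensor networks are known at render time, an `allow`/`deny` list in place of `allow all` would narrow the exposure.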
@@ -9,17 +9,24 @@ {%- set STRELKA = salt['pillar.get']('strelka:enabled', '0') -%} {% import_yaml 'salt/minion.defaults.yaml' as salt %} {% set saltversion = salt.salt.minion.version %} - +{% set ISAIRGAP = salt['pillar.get']('global:airgap') %} base: 'not G@saltversion:{{saltversion}}': - match: compound + {% if ISAIRGAP is sameas true %} + - airgap + {% endif %} - salt.minion 'G@os:CentOS and G@saltversion:{{saltversion}}': - match: compound + {% if ISAIRGAP is sameas true %} + - airgap + {% else %} - yum + {% endif %} - yum.packages '* and G@saltversion:{{saltversion}}': diff --git a/setup/so-functions b/setup/so-functions index 111f7ce5a..01dc15c78 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1109,7 +1109,7 @@ manager_global() { printf '%s\n'\ " airgap: False"\ >> "$global_pillar" fi - + # Check if TheHive is enabled. If so, add creds and other details if [[ "$THEHIVE" == "1" ]]; then printf '%s\n'\ @@ -1873,8 +1873,10 @@ set_redirect() { set_updates() { if [ "$MANAGERUPDATES" = '1' ]; then if [ "$OS" = 'centos' ]; then - if ! grep -q "$MSRV" /etc/yum.conf; then - echo "proxy=http://$MSRV:3142" >> /etc/yum.conf + if [[ ! $is_airgap ]]; then + if ! grep -q "$MSRV" /etc/yum.conf; then + echo "proxy=http://$MSRV:3142" >> /etc/yum.conf + fi fi else # Set it up so the updates roll through the manager From 05b8b71af261051e7062ef44cf066cceebf398d5 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 3 Sep 2020 15:54:24 -0400 Subject: [PATCH 07/40] add elasticsearch to standalone top --- salt/top.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/top.sls b/salt/top.sls index 75244a615..d5277cafb 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -195,6 +195,7 @@ base: {%- if WAZUH != 0 %} - wazuh {%- endif %} + - elasticsearch - logstash - redis - kibana From 1fc64d3eefb916a840f72ba807848c1937715aa4 Mon Sep 17 00:00:00 2001 
From: Doug Burks Date: Thu, 3 Sep 2020 16:46:14 -0400 Subject: [PATCH 08/40] so-analyst should install gedit --- setup/so-analyst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/setup/so-analyst b/setup/so-analyst index 9f0943523..d2873e693 100644 --- a/setup/so-analyst +++ b/setup/so-analyst @@ -20,6 +20,9 @@ if [ "$(id -u)" -ne 0 ]; then exit 1 fi +# Install a GUI text editor +yum -y install gedit + # Install misc utils yum -y install wget curl unzip epel-release; From a2265fac4f20fced7849666b1f5f5b3eb57a6317 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 4 Sep 2020 06:50:22 -0400 Subject: [PATCH 09/40] NetworkMiner has a compatibility issue with Mono 6 right now --- setup/so-analyst | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/setup/so-analyst b/setup/so-analyst index d2873e693..33bc9c658 100644 --- a/setup/so-analyst +++ b/setup/so-analyst 
@@ -32,6 +32,34 @@ yum -y install gnome-classic-session gnome-terminal nautilus-open-terminal contr unlink /etc/systemd/system/default.target; ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target; +# NetworkMiner has a compatibility issue with Mono 6 right now +if ! grep -q "NetworkMiner has a compatibility issue with Mono 6 right now" /etc/yum/pluginconf.d/versionlock.list; then + +cat << EOF >> /etc/yum/pluginconf.d/versionlock.list + +# NetworkMiner has a compatibility issue with Mono 6 right now +0:libmono-llvm0-5.20.1.34-0.xamarin.2.epel7.* +0:mono-complete-5.20.1.34-0.xamarin.2.epel7.* +0:mono-core-5.20.1.34-0.xamarin.2.epel7.* +0:mono-data-5.20.1.34-0.xamarin.2.epel7.* +0:mono-data-oracle-5.20.1.34-0.xamarin.2.epel7.* +0:mono-data-sqlite-5.20.1.34-0.xamarin.2.epel7.* +0:mono-devel-5.20.1.34-0.xamarin.2.epel7.* +0:mono-extras-5.20.1.34-0.xamarin.2.epel7.* +0:mono-locale-extras-5.20.1.34-0.xamarin.2.epel7.* +0:mono-mvc-5.20.1.34-0.xamarin.2.epel7.* +0:mono-nunit-5.20.1.34-0.xamarin.2.epel7.* +0:mono-reactive-5.20.1.34-0.xamarin.2.epel7.* +0:mono-wcf-5.20.1.34-0.xamarin.2.epel7.* +0:mono-web-5.20.1.34-0.xamarin.2.epel7.* +0:mono-winforms-5.20.1.34-0.xamarin.2.epel7.* +0:mono-winfxcore-5.20.1.34-0.xamarin.2.epel7.* +0:monodoc-core-5.20.1.34-0.xamarin.2.epel7.* +EOF + +fi + + # Install Mono - prereq for NetworkMiner rpmkeys --import "http://pool.sks-keyservers.net/pks/lookup?op=get&search=0x3fa7e0328081bff6a14da29aa6a19b38d3d831ef"; curl https://download.mono-project.com/repo/centos7-stable.repo | tee /etc/yum.repos.d/mono-centos7-stable.repo; From c050003b5a8bdba7c833b7b495268eb55b3249a8 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 4 Sep 2020 07:14:01 -0400 Subject: [PATCH 10/40] Install file-roller for opening zip files --- setup/so-analyst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-analyst b/setup/so-analyst index 33bc9c658..02c72188c 100644 --- a/setup/so-analyst +++ b/setup/so-analyst 
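Review bot: The new guard greps `/etc/yum/pluginconf.d/versionlock.list`, but nothing in this hunk installs `yum-plugin-versionlock`; if it is not installed earlier in so-analyst (outside this hunk), `grep -q` fails on the missing file, the heredoc creates it, and the lock silently has no effect when `yum -y install mono-devel` runs below. Add `yum -y install yum-plugin-versionlock` ahead of the check and a `# requires yum-plugin-versionlock` comment on the marker line. The context line that follows imports the Mono signing key over plain `http://` from a keyserver pool; that predates this change, but a key file shipped with the repository or fetched over TLS would remove the plaintext fetch.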
@@ -31,6 +31,7 @@ yum -y groupinstall "X Window System"; yum -y install gnome-classic-session gnome-terminal nautilus-open-terminal control-center liberation-mono-fonts; unlink /etc/systemd/system/default.target; ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target; +yum -y install file-roller # NetworkMiner has a compatibility issue with Mono 6 right now if ! grep -q "NetworkMiner has a compatibility issue with Mono 6 right now" /etc/yum/pluginconf.d/versionlock.list; then @@ -59,7 +60,6 @@ EOF fi - # Install Mono - prereq for NetworkMiner rpmkeys --import "http://pool.sks-keyservers.net/pks/lookup?op=get&search=0x3fa7e0328081bff6a14da29aa6a19b38d3d831ef"; curl https://download.mono-project.com/repo/centos7-stable.repo | tee /etc/yum.repos.d/mono-centos7-stable.repo; From f8e68c82e40be4554fc877a47ac7633dbf162e83 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 4 Sep 2020 10:12:28 -0400 Subject: [PATCH 11/40] downgrade to Mono 4.2.1.102 and NetworkMiner 2.4 --- setup/so-analyst | 36 +++++++++++++++++------------------- 1 file changed, 17 insertions(+), 19 deletions(-) diff --git a/setup/so-analyst b/setup/so-analyst index 02c72188c..277fb2865 100644 --- a/setup/so-analyst +++ b/setup/so-analyst 
@@ -39,23 +39,21 @@ if ! grep -q "NetworkMiner has a compatibility issue with Mono 6 right now" /etc cat << EOF >> /etc/yum/pluginconf.d/versionlock.list # NetworkMiner has a compatibility issue with Mono 6 right now -0:libmono-llvm0-5.20.1.34-0.xamarin.2.epel7.* -0:mono-complete-5.20.1.34-0.xamarin.2.epel7.* -0:mono-core-5.20.1.34-0.xamarin.2.epel7.* -0:mono-data-5.20.1.34-0.xamarin.2.epel7.* -0:mono-data-oracle-5.20.1.34-0.xamarin.2.epel7.* -0:mono-data-sqlite-5.20.1.34-0.xamarin.2.epel7.* -0:mono-devel-5.20.1.34-0.xamarin.2.epel7.* -0:mono-extras-5.20.1.34-0.xamarin.2.epel7.* -0:mono-locale-extras-5.20.1.34-0.xamarin.2.epel7.* -0:mono-mvc-5.20.1.34-0.xamarin.2.epel7.* -0:mono-nunit-5.20.1.34-0.xamarin.2.epel7.* -0:mono-reactive-5.20.1.34-0.xamarin.2.epel7.* -0:mono-wcf-5.20.1.34-0.xamarin.2.epel7.* -0:mono-web-5.20.1.34-0.xamarin.2.epel7.* -0:mono-winforms-5.20.1.34-0.xamarin.2.epel7.* -0:mono-winfxcore-5.20.1.34-0.xamarin.2.epel7.* -0:monodoc-core-5.20.1.34-0.xamarin.2.epel7.* +0:mono-complete-4.2.1.102-0.xamarin.1.* +0:mono-core-4.2.1.102-0.xamarin.1.* +0:mono-data-4.2.1.102-0.xamarin.1.* +0:mono-data-oracle-4.2.1.102-0.xamarin.1.* +0:mono-data-sqlite-4.2.1.102-0.xamarin.1.* +0:mono-devel-4.2.1.102-0.xamarin.1.* +0:mono-extras-4.2.1.102-0.xamarin.1.* +0:mono-locale-extras-4.2.1.102-0.xamarin.1.* +0:mono-mvc-4.2.1.102-0.xamarin.1.* +0:mono-nunit-4.2.1.102-0.xamarin.1.* +0:mono-reactive-4.2.1.102-0.xamarin.1.* +0:mono-wcf-4.2.1.102-0.xamarin.1.* +0:mono-web-4.2.1.102-0.xamarin.1.* +0:mono-winforms-4.2.1.102-0.xamarin.1.* +0:mono-winfxcore-4.2.1.102-0.xamarin.1.* EOF fi 
@@ -63,11 +61,11 @@ fi # Install Mono - prereq for NetworkMiner rpmkeys --import "http://pool.sks-keyservers.net/pks/lookup?op=get&search=0x3fa7e0328081bff6a14da29aa6a19b38d3d831ef"; curl https://download.mono-project.com/repo/centos7-stable.repo | tee /etc/yum.repos.d/mono-centos7-stable.repo; -yum -y install mono-devel; +yum -y install mono-core mono-basic mono-winforms expect # Install NetworkMiner yum -y install libcanberra-gtk2; -wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip; +wget https://www.netresec.com/?download=NetworkMiner_2-4 -O /tmp/nm.zip; mkdir -p /opt/networkminer/ unzip /tmp/nm.zip -d /opt/networkminer/; rm /tmp/nm.zip; From 39cc7151a5c5373635c45a97cc6c0d161621a407 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 4 Sep 2020 14:14:53 -0400 Subject: [PATCH 12/40] Update SOCtopus.conf --- salt/soctopus/files/SOCtopus.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf index 39e9c276d..74e2274a7 100644 --- a/salt/soctopus/files/SOCtopus.conf +++ b/salt/soctopus/files/SOCtopus.conf @@ -65,6 +65,7 @@ playbook_ext_url = https://{{MANAGER}}/playbook playbook_key = de6639318502476f2fa5aa06f43f51fb389a3d7f playbook_verifycert = no playbook_unit_test_index = playbook-testing +playbook_rulesets = windows [log] logfile = /var/log/SOCtopus/soctopus.log From f27e5164d0549f7eea083d9ce7fd4279c5de6bb9 Mon Sep 17 00:00:00 2001 
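Review bot: `wget https://www.netresec.com/?download=NetworkMiner_2-4 -O /tmp/nm.zip` fetches an archive that is unzipped into `/opt/networkminer/` with no integrity check, so the installed analyst tool is whatever that endpoint returns on the day; pinning a digest before the `unzip`, e.g. `echo '<EXPECTED_SHA256>  /tmp/nm.zip' | sha256sum -c -` (placeholder, record the real value when pinning), makes the downgrade to 2.4 reproducible and detects a changed artifact. The new `yum -y install mono-core mono-basic mono-winforms expect` line drops the trailing `;` its neighbours use and adds `expect` without saying why; a short `# expect: <reason>` comment would help the next maintainer. The mono repo file and key import on the context lines above are unchanged by this commit.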
From: Jason Ertel Date: Fri, 4 Sep 2020 17:01:45 -0400 Subject: [PATCH 13/40] Update to latest kratos; add support for a custom status trait to represent whether a user is locked or not; refactor so-user to use new enable/disable capabilities in SOC; remove 'delete' option from so-user usage to avoid having user lists out of sync across SOC and external apps --- salt/common/tools/sbin/so-cortex-user-add | 1 + salt/common/tools/sbin/so-cortex-user-enable | 1 + salt/common/tools/sbin/so-fleet-user-add | 1 + salt/common/tools/sbin/so-fleet-user-enable | 1 + salt/common/tools/sbin/so-thehive-user-add | 1 + salt/common/tools/sbin/so-user | 78 +++++++++++++++----- salt/soc/files/kratos/kratos.yaml | 60 ++++++--------- salt/soc/files/kratos/schema.json | 71 ++++++++++-------- 8 files changed, 129 insertions(+), 85 deletions(-) diff --git a/salt/common/tools/sbin/so-cortex-user-add b/salt/common/tools/sbin/so-cortex-user-add index 43126f709..dbb5b9716 100755 --- a/salt/common/tools/sbin/so-cortex-user-add +++ b/salt/common/tools/sbin/so-cortex-user-add @@ -48,6 +48,7 @@ if [[ "$resp" =~ \"status\":\"Ok\" ]]; then echo "Successfully added user to Cortex." else echo "Unable to add user to Cortex; user might already exist." + echo $resp exit 2 fi \ No newline at end of file diff --git a/salt/common/tools/sbin/so-cortex-user-enable b/salt/common/tools/sbin/so-cortex-user-enable index 63cd2f089..cbfdceb25 100755 --- a/salt/common/tools/sbin/so-cortex-user-enable +++ b/salt/common/tools/sbin/so-cortex-user-enable @@ -51,6 +51,7 @@ if [[ "$resp" =~ \"status\":\"Locked\" || "$resp" =~ \"status\":\"Ok\" ]]; then echo "Successfully updated user in Cortex." else echo "Failed to update user in Cortex." + echo $resp exit 2 fi \ No newline at end of file diff --git a/salt/common/tools/sbin/so-fleet-user-add b/salt/common/tools/sbin/so-fleet-user-add index 9637aa63c..5560b0522 100755 --- a/salt/common/tools/sbin/so-fleet-user-add +++ b/salt/common/tools/sbin/so-fleet-user-add 
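Review bot: `echo $resp` in the failure branch is unquoted, so the API response is word-split and glob-expanded before printing (a `*` in the body expands against the current directory), and it goes to stdout where a caller capturing output will pick it up; use `printf '%s\n' "$resp" >&2`. The same line is added to so-cortex-user-enable in the next hunk and to so-fleet-user-add, so-fleet-user-enable and so-thehive-user-add in the following sections. Since `resp` is the raw response body, whether it can echo the submitted user record back to a shared terminal is worth checking before logging it; that is not determinable from here.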
@@ -54,5 +54,6 @@ if [[ $? -eq 0 ]]; then echo "Successfully added user to Fleet." else echo "Unable to add user to Fleet; user might already exist." + echo $resp exit 2 fi \ No newline at end of file diff --git a/salt/common/tools/sbin/so-fleet-user-enable b/salt/common/tools/sbin/so-fleet-user-enable index 0ea826391..a632844bb 100755 --- a/salt/common/tools/sbin/so-fleet-user-enable +++ b/salt/common/tools/sbin/so-fleet-user-enable @@ -53,5 +53,6 @@ if [[ $? -eq 0 ]]; then echo "Successfully updated user in Fleet." else echo "Failed to update user in Fleet." + echo $resp exit 2 fi \ No newline at end of file diff --git a/salt/common/tools/sbin/so-thehive-user-add b/salt/common/tools/sbin/so-thehive-user-add index 0c9553abc..fc7a56f63 100755 --- a/salt/common/tools/sbin/so-thehive-user-add +++ b/salt/common/tools/sbin/so-thehive-user-add @@ -47,5 +47,6 @@ if [[ "$resp" =~ \"status\":\"Ok\" ]]; then echo "Successfully added user to TheHive." else echo "Unable to add user to TheHive; user might already exist." + echo $resp exit 2 fi diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 4616be3f5..57f51fe9a 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user 
@@ -11,12 +11,13 @@ . /usr/sbin/so-common if [[ $# < 1 || $# > 2 ]]; then - echo "Usage: $0 [email]" + echo "Usage: $0 [email]" echo "" echo " list: Lists all user email addresses currently defined in the identity system" echo " add: Adds a new user to the identity system; requires 'email' parameter" echo " update: Updates a user's password; requires 'email' parameter" - echo " delete: Deletes an existing user; requires 'email' parameter" + echo " enable: Enables a user; requires 'email' parameter" + echo " disable: Disables a user; requires 'email' parameter" echo " validate: Validates that the given email address and password are acceptable for defining a new user; requires 'email' parameter" echo " valemail: Validates that the given email address is acceptable for defining a new user; requires 'email' parameter" echo " valpass: Validates that a password is acceptable for defining a new user" @@ -63,7 +64,7 @@ function findIdByEmail() { email=$1 response=$(curl -Ss ${kratosUrl}/identities) - identityId=$(echo "${response}" | jq ".[] | select(.addresses[0].value == \"$email\") | .id") + identityId=$(echo "${response}" | jq ".[] | select(.verifiable_addresses[0].value == \"$email\") | .id") echo $identityId } @@ -113,7 +114,7 @@ function listUsers() { response=$(curl -Ss ${kratosUrl}/identities) [[ $? != 0 ]] && fail "Unable to communicate with Kratos" - echo "${response}" | jq -r ".[] | .addresses[0].value" | sort + echo "${response}" | jq -r ".[] | .verifiable_addresses[0].value" | sort } function createUser() { @@ -122,17 +123,8 @@ function createUser() { now=$(date -u +%FT%TZ) addUserJson=$(cat < Date: Sat, 5 Sep 2020 12:15:55 +0000 Subject: [PATCH 14/40] Fix typo --- .../sbin/{so-wazuh-agent-upggrade => so-wazuh-agent-upgrade} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename salt/common/tools/sbin/{so-wazuh-agent-upggrade => so-wazuh-agent-upgrade} (100%) 
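Review bot: In the `findIdByEmail` hunk the changed jq filter still splices `$email` into the jq program text (`select(.verifiable_addresses[0].value == \"$email\")`), so an address containing a double quote or backslash breaks or alters the filter; pass it as a jq variable instead: `identityId=$(echo "${response}" | jq --arg email "$email" '.[] | select(.verifiable_addresses[0].value == $email) | .id')`. The `valemail` operation in the usage text suggests addresses are validated somewhere, but whether every path into this function goes through it is not visible here, and the lookup should not depend on it. The `listUsers` hunk carries only the same field rename and needs no change.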
diff --git a/salt/common/tools/sbin/so-wazuh-agent-upggrade b/salt/common/tools/sbin/so-wazuh-agent-upgrade similarity index 100% rename from salt/common/tools/sbin/so-wazuh-agent-upggrade rename to salt/common/tools/sbin/so-wazuh-agent-upgrade From f5916e26a263014cfd37db5e9ad8263736c33c69 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 7 Sep 2020 04:42:11 -0400 Subject: [PATCH 15/40] read ca.crt from filesystem when possible --- salt/ssl/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 70d4c4b6a..733deed92 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -8,7 +8,7 @@ {% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %} {% if grains.id.split('_')|last in ['manager', 'eval', 'standalone', 'import'] %} - {% set trusttheca_text = salt['mine.get'](grains.id, 'x509.get_pem_entries')[grains.id]['/etc/pki/ca.crt']|replace('\n', '') %} + {% set trusttheca_text = salt['cmd.shell']('cat /etc/pki/ca.crt')|replace('\n','') %} {% set ca_server = grains.id %} {% else %} {% set x509dict = salt['mine.get']('*', 'x509.get_pem_entries') %} From f8ebed43d7a71326edd9d147d63996a80a4ecb16 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Mon, 7 Sep 2020 04:45:26 -0400 Subject: [PATCH 16/40] fix spacing --- salt/ssl/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 733deed92..1d4cb2f37 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls 
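Review bot: `salt['cmd.shell']('cat /etc/pki/ca.crt')` spawns a shell to read one file, and if the file is missing the command's error text rather than a PEM body can end up in `trusttheca_text` and be rendered into the state without any failure. `salt['file.read']('/etc/pki/ca.crt')|replace('\n', '')` reads the file directly and raises when it is absent, which is the better failure mode for CA trust material. Whether `cmd.shell` merges stderr into the returned string here should be confirmed, but either way an empty or error value would propagate silently with the current form.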
@@ -8,10 +8,10 @@ {% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %} {% if grains.id.split('_')|last in ['manager', 'eval', 'standalone', 'import'] %} - {% set trusttheca_text = salt['cmd.shell']('cat /etc/pki/ca.crt')|replace('\n','') %} + {% set trusttheca_text = salt['cmd.shell']('cat /etc/pki/ca.crt')|replace('\n', '') %} {% set ca_server = grains.id %} {% else %} - {% set x509dict = salt['mine.get']('*', 'x509.get_pem_entries') %} + {% set x509dict = salt['mine.get']('*', 'x509.get_pem_entries') %} {% for host in x509dict %} {% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %} {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %} From 7371f9236eca16d6197ba2c06b67f50eabc510e3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 8 Sep 2020 14:18:56 -0400 Subject: [PATCH 17/40] Update top.sls --- salt/top.sls | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/salt/top.sls b/salt/top.sls index d96880c33..eb18c9614 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -9,8 +9,7 @@ {%- set STRELKA = salt['pillar.get']('strelka:enabled', '0') -%} {% import_yaml 'salt/minion.defaults.yaml' as salt %} {% set saltversion = salt.salt.minion.version %} -{% set ISAIRGAP = salt['pillar.get']('global:airgap') %} - +{% set ISAIRGAP = salt['pillar.get']('global:airgap'), '' %} base: 'not G@saltversion:{{saltversion}}': From 7c41c313596207fc1ef69a55dd4fe49df545f9a8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 8 Sep 2020 14:48:37 -0400 Subject: [PATCH 18/40] Fix airgap statement --- salt/top.sls | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/salt/top.sls b/salt/top.sls index eb18c9614..416128ab9 100644 --- a/salt/top.sls +++ b/salt/top.sls 
@@ -1,15 +1,16 @@ -{%- set ZEEKVER = salt['pillar.get']('global:zeekversion', '') -%} -{%- set WAZUH = salt['pillar.get']('global:wazuh', '0') -%} -{%- set THEHIVE = salt['pillar.get']('manager:thehive', '0') -%} -{%- set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') -%} -{%- set FREQSERVER = salt['pillar.get']('manager:freq', '0') -%} -{%- set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') -%} -{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%} -{%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%} -{%- set STRELKA = salt['pillar.get']('strelka:enabled', '0') -%} -{% import_yaml 'salt/minion.defaults.yaml' as salt %} -{% set saltversion = salt.salt.minion.version %} -{% set ISAIRGAP = salt['pillar.get']('global:airgap'), '' %} +{% set ZEEKVER = salt['pillar.get']('global:zeekversion', '') %} +{% set WAZUH = salt['pillar.get']('global:wazuh', '0') %} +{% set THEHIVE = salt['pillar.get']('manager:thehive', '0') %} +{% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %} +{% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %} +{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %} +{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} +{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} +{% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %} +{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} +{% import_yaml 'salt/minion.defaults.yaml' as saltversion %} +{% set saltversion = saltversion.salt.minion.version %} + base: 'not G@saltversion:{{saltversion}}': From 710a2be422535563d814a2617957a91b6344b442 Mon Sep 17 00:00:00 2001 
From: Jason Ertel
Date: Tue, 8 Sep 2020 16:24:11 -0400
Subject: [PATCH 19/40] Add new so-user-enable script and change so-user-disable to call 'so-user disable' instead of deleting the SOC user
---
salt/common/tools/sbin/so-user-disable | 2 +-
salt/common/tools/sbin/so-user-enable | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
create mode 100755 salt/common/tools/sbin/so-user-enable
diff --git a/salt/common/tools/sbin/so-user-disable b/salt/common/tools/sbin/so-user-disable
index 293f57525..77bc4fcd0 100755
--- a/salt/common/tools/sbin/so-user-disable
+++ b/salt/common/tools/sbin/so-user-disable
@@ -1,2 +1,2 @@
#!/bin/bash
-so-user delete $*
\ No newline at end of file
+so-user disable $*
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-user-enable b/salt/common/tools/sbin/so-user-enable
new file mode 100755
index 000000000..1c4a2f774
--- /dev/null
+++ b/salt/common/tools/sbin/so-user-enable
@@ -0,0 +1,2 @@
+#!/bin/bash
+so-user enable $*
\ No newline at end of file
From da3d0948b44e8edcb9e4fec1415d83c0b747ed60 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 8 Sep 2020 16:49:38 -0400
Subject: [PATCH 20/40] creating engine to watch the health of the salt mine
---
salt/salt/engines/checkmine.py | 28 ++++++++++++++++++++++++++++
salt/salt/files/engines.conf | 6 ++++++
salt/salt/master.sls | 23 ++++++++++++++++++++++-
3 files changed, 56 insertions(+), 1 deletion(-)
create mode 100644 salt/salt/engines/checkmine.py
create mode 100644 salt/salt/files/engines.conf
diff --git a/salt/salt/engines/checkmine.py b/salt/salt/engines/checkmine.py
new file mode 100644
index 000000000..5cc0a5ad3
--- /dev/null
+++ b/salt/salt/engines/checkmine.py
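Review bot: The new wrapper forwards its arguments with unquoted `$*`, so an argument containing whitespace is re-split before it reaches `so-user`; the same unquoted `$*` is kept in the rewritten so-user-disable line. Use `exec so-user enable "$@"` (and `exec so-user disable "$@"`), which preserves argument boundaries and lets the wrapper return so-user's exit status without leaving an extra bash process behind. Since the whole script is the two lines in the hunk, there is no enclosing function to worry about.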
@@ -0,0 +1,28 @@ +# -*- coding: utf-8 -*- + +import logging +from time import sleep +from os import remove + +log = logging.getLogger(__name__) + +def start(interval=30): + log.info("checkmine engine started") + minionid = __grains__['id'] + while True: + try: + ca_crt = __salt__['saltutil.runner']('mine.get', tgt=minionid, fun='x509.get_pem_entries')[minionid]['/etc/pki/ca.crt'] + log.info('Successfully queried Salt mine for the CA.') + except: + log.error('Could not pull CA from the Salt mine.') + log.info('Removing /var/cache/salt/master/minions/%s/mine.p to force Salt mine to be repopulated.' % minionid) + try: + remove('/var/cache/salt/master/minions/%s/mine.p' % minionid) + log.info('Removed /var/cache/salt/master/minions/%s/mine.p' % minionid) + except FileNotFoundError: + log.error('/var/cache/salt/master/minions/%s/mine.p does not exist' % minionid) + + __salt__['mine.send'](name='x509.get_pem_entries', glob_path='/etc/pki/ca.crt') + log.warning('Salt mine repopulated with /etc/pki/ca.crt') + + sleep(interval) \ No newline at end of file diff --git a/salt/salt/files/engines.conf b/salt/salt/files/engines.conf new file mode 100644 index 000000000..c9e20adf3 --- /dev/null +++ b/salt/salt/files/engines.conf @@ -0,0 +1,6 @@ +engines_dirs: + - /etc/salt/engines + +engines: + - checkmine: + interval: 30 \ No newline at end of file diff --git a/salt/salt/master.sls b/salt/salt/master.sls index 481be743a..25d3acfca 100644 --- a/salt/salt/master.sls +++ b/salt/salt/master.sls @@ -1,3 +1,6 @@ +include: + - salt.minion + salt_master_package: pkg.installed: - pkgs: 
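Review bot: The bare `except:` around the `mine.get` runner call swallows every exception, including `SystemExit` and `KeyboardInterrupt`, and the real cause of the failure is never logged; change it to `except Exception:` and replace the first `log.error` with `log.exception('Could not pull CA from the Salt mine.')` so the traceback is captured. Every failure path then deletes the master's cache file `/var/cache/salt/master/minions/<id>/mine.p` and re-sends the mine, so a transient error (master briefly unavailable, a slow runner) causes cache churn instead of a retry — consider only removing the file after a second consecutive miss. The engine config in this commit lands in `minion.d/`, which suggests it runs inside the minion; if so, `saltutil.runner` depends on the master permitting `peer_run` for this minion, which is worth confirming and stating in a module docstring at the top of the file.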
@@ -8,4 +11,22 @@ salt_master_package: salt_master_service: service.running: - name: salt-master - - enable: True \ No newline at end of file + - enable: True + +engines: + file.directory: + - name: /etc/salt/engines + +checkmine_engine: + file.managed: + - name: /etc/salt/engines/checkmine.py + - source: salt://salt/engines/checkmine.py + - watch_in: + - service: salt_minion_service + +engines_config: + file.managed: + - name: /etc/salt/minion.d/engines.conf + - source: salt://salt/files/engines.conf + - watch_in: + - service: salt_minion_service \ No newline at end of file From eeb6c3128b591a1faf104a18e8a416758b8a7647 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 8 Sep 2020 17:27:13 -0400 Subject: [PATCH 21/40] add salt.master state to manager nodes --- salt/top.sls | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/salt/top.sls b/salt/top.sls index d5277cafb..fbd48d8d5 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -28,9 +28,10 @@ base: - common - patch.os.schedule - motd - + '*_helix and G@saltversion:{{saltversion}}': - match: compound + - salt.master - ca - ssl - common @@ -72,6 +73,7 @@ base: '*_eval and G@saltversion:{{saltversion}}': - match: compound + - salt.master - ca - ssl - common @@ -129,6 +131,7 @@ base: '*_manager and G@saltversion:{{saltversion}}': - match: compound + - salt.master - ca - ssl - common @@ -175,6 +178,7 @@ base: '*_standalone and G@saltversion:{{saltversion}}': - match: compound + - salt.master - ca - ssl - common @@ -299,6 +303,7 @@ base: '*_managersearch and G@saltversion:{{saltversion}}': - match: compound + - salt.master - ca - ssl - common @@ -389,6 +394,7 @@ base: '*_import and G@saltversion:{{saltversion}}': - match: compound + - salt.master - ca - ssl - common From da34222931d7656375e192ffa762d243f78ac909 Mon Sep 17 00:00:00 2001 
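Review bot: `checkmine_engine` drops a Python module into `/etc/salt/engines/` that salt-minion imports and executes as root, but the state sets no `user`, `group` or `mode`, so ownership and permissions are whatever the minion's umask produces; pin them with `- user: root`, `- group: root` and `- mode: 644` (and the same on `engines_config`) so a writable engine file cannot become a local root code-execution path. Because `engines_dirs` makes the minion load anything placed in that directory, the directory created by `makedirs` should likewise be root-owned and not group- or world-writable, which can be expressed with a `file.directory` state carrying `mode: 755` and `require_in` on this file. The watched ID `salt_minion_service` is defined in the included `salt.minion` state, outside this hunk.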
From: m0duspwnens Date: Tue, 8 Sep 2020 17:36:27 -0400 Subject: [PATCH 22/40] makedirs --- salt/salt/master.sls | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/salt/salt/master.sls b/salt/salt/master.sls index 25d3acfca..ca1bead2d 100644 --- a/salt/salt/master.sls +++ b/salt/salt/master.sls @@ -13,14 +13,11 @@ salt_master_service: - name: salt-master - enable: True -engines: - file.directory: - - name: /etc/salt/engines - checkmine_engine: file.managed: - name: /etc/salt/engines/checkmine.py - source: salt://salt/engines/checkmine.py + - makedirs: True - watch_in: - service: salt_minion_service From 7d524a072378934aa2b545945127309078ea0644 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 8 Sep 2020 18:51:14 -0400 Subject: [PATCH 23/40] Add Firewall Rule for yum and airgap --- salt/firewall/assigned_hostgroups.map.yaml | 5 ++++- salt/firewall/portgroups.yaml | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index f7f87eb5f..0105542ad 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -117,6 +117,7 @@ role: - {{ portgroups.influxdb }} - {{ portgroups.wazuh_api }} - {{ portgroups.fleet_api }} + - {{ portgroups.yum }} sensor: portgroups: - {{ portgroups.sensoroni }} @@ -200,6 +201,7 @@ role: - {{ portgroups.influxdb }} - {{ portgroups.wazuh_api }} - {{ portgroups.fleet_api }} + - {{ portgroups.yum }} sensor: portgroups: - {{ portgroups.sensoroni }} @@ -282,7 +284,8 @@ role: - {{ portgroups.osquery_8080 }} - {{ portgroups.influxdb }} - {{ portgroups.wazuh_api }} - - {{ portgroups.fleet_api }} + - {{ portgroups.fleet_api }} + - {{ portgroups.yum }} sensor: portgroups: - {{ portgroups.sensoroni }} diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml index 8771df8ef..177f35fdd 100644 --- a/salt/firewall/portgroups.yaml +++ b/salt/firewall/portgroups.yaml 
@@ -94,3 +94,6 @@ firewall: wazuh_authd: tcp: - 1515 + yum: + tcp: + - 443 From ad05e75ce77dfe5db71ebb472ecbdcf2e3e8be3c Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 9 Sep 2020 00:46:18 -0400 Subject: [PATCH 24/40] Add new quick actions to SOC config template --- salt/soc/files/soc/soc.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index f4a817ff3..81efcb447 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json @@ -141,6 +141,11 @@ { "name": "x509", "description": "x.509 grouped by issuer", "query": "event.dataset:x509 | groupby x509.certificate.issuer"}, { "name": "x509", "description": "x.509 grouped by subject", "query": "event.dataset:x509 | groupby x509.certificate.subject"}, { "name": "Firewall", "description": "Firewall events grouped by action", "query": "event_type:firewall | groupby action"} + ], + "actions": [ + { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}" }, + { "name": "", "description": "actionAlertHelp", "icon": "fa-bell", "link": "/soctopus/thehive/alert/{eventId}" }, + { "name": "", "description": "actionVirtusTotalHelp", "icon": "fa-globe", "link": "https://www.virustotal.com/gui/ip-address/{value}/detection", "fields": [ "source.ip", "destination.ip" ] } ] } } From 7facff2b7dfd37ed56094c0afad0c7d0ff9883e2 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 9 Sep 2020 10:34:53 -0400 Subject: [PATCH 25/40] change from cmd.run to cp.get_file_str --- salt/ssl/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 1d4cb2f37..416e13af5 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls 
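Review bot: The new `yum` portgroup is plain TCP 443, which on the manager is also the port nginx serves SOC, Kibana and the other authenticated UIs on, so assigning it to the hostgroups in `assigned_hostgroups.map.yaml` (the hostgroup names sit above those hunks) opens the manager's entire HTTPS surface to those hosts, not only `/repo/`. That may be intended for sensors, but the name implies a narrower scope than the rule has; a comment such as `# yum: the repo is served by nginx on 443, so this exposes every HTTPS endpoint, not just /repo/` next to the portgroup would stop a later operator from treating it as repo-only. It is also added unconditionally rather than only when `global:airgap` is set, which deserves a note if non-airgap installs are not meant to reach the manager on 443 from these hostgroups.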
@@ -8,7 +8,7 @@ {% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %} {% if grains.id.split('_')|last in ['manager', 'eval', 'standalone', 'import'] %} - {% set trusttheca_text = salt['cmd.shell']('cat /etc/pki/ca.crt')|replace('\n', '') %} + {% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %} {% set ca_server = grains.id %} {% else %} {% set x509dict = salt['mine.get']('*', 'x509.get_pem_entries') %} From eaf3281ab7ca31d4c28baf067b6350429b123f82 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Wed, 9 Sep 2020 10:43:41 -0400 Subject: [PATCH 26/40] Remove Suricata version numbers from Setup screens #1300 https://github.com/Security-Onion-Solutions/securityonion/issues/1300 --- setup/so-whiptail | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index e590a30d9..d760373af 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -97,8 +97,8 @@ whiptail_zeek_version() { [ -n "$TESTING" ] && return - ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate meta data?" 20 75 4 "ZEEK" "Install Zeek (aka Bro)" ON \ - "SURICATA" "Use Suricata 5" OFF 3>&1 1>&2 2>&3) + ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 "ZEEK" "Zeek (formerly known as Bro)" ON \ + "SURICATA" "Suricata" OFF 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -623,7 +623,7 @@ whiptail_nids() { NIDS=$(whiptail --title "Security Onion Setup" --radiolist \ "Choose which IDS to run. \n Snort 3.0 support will be added once it is out of beta:" 25 75 4 \ - "Suricata" "Suricata 4.X" ON \ + "Suricata" "Suricata" ON \ "Snort" "Placeholder for Snort 3.0 " OFF 3>&1 1>&2 2>&3 ) local exitstatus=$? From 426257443ac135f28e39ae2f6732a2b6e97a2045 Mon Sep 17 00:00:00 2001 
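Review bot: `cp.get_file_str('/etc/pki/ca.crt')` returns `False` when the file is missing or unreadable (older Salt versions may raise instead), and Jinja's `replace` filter stringifies non-strings, so a manager whose CA has not been generated yet would silently carry on with the text `False` as its trusted CA rather than failing the state. Guard the read before the `replace`, e.g. `{% set ca_pem = salt['cp.get_file_str']('/etc/pki/ca.crt') %}` followed by `{% if not ca_pem %}{{ raise('ca.crt missing on ' ~ grains.id) }}{% endif %}`. A one-line comment noting that a bare local path makes `cp.get_file_str` read the minion's own filesystem rather than the fileserver would also help, since the function is more often seen with `salt://` URLs.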
From: Mike Reeves Date: Wed, 9 Sep 2020 10:54:47 -0400 Subject: [PATCH 27/40] Final airgap tweaks --- salt/airgap/init.sls | 7 ++++++- salt/idstools/localrules/local.rules | 2 +- salt/nginx/etc/nginx.conf.so-eval | 17 ++++++++++++++++- salt/nginx/etc/nginx.conf.so-manager | 15 +++++++++++++++ salt/nginx/etc/nginx.conf.so-managersearch | 15 +++++++++++++++ salt/nginx/etc/nginx.conf.so-standalone | 2 +- 6 files changed, 54 insertions(+), 4 deletions(-) diff --git a/salt/airgap/init.sls b/salt/airgap/init.sls index 5e972e877..026598e54 100644 --- a/salt/airgap/init.sls +++ b/salt/airgap/init.sls @@ -9,6 +9,7 @@ airgap.repo: - humanname: Airgap Repo - baseurl: https://{{ MANAGER }}/repo - gpgcheck: 0 + - sslverify: 0 agbase: file.absent: @@ -52,4 +53,8 @@ agtesting: agssrepo: file.absent: - - name: /etc/yum.repos.d/saltstack.repo \ No newline at end of file + - name: /etc/yum.repos.d/saltstack.repo + +agwazrepo: + file.absent: + - name: /etc/yum.repos.d/wazuh.repo \ No newline at end of file diff --git a/salt/idstools/localrules/local.rules b/salt/idstools/localrules/local.rules index 8c8ac2601..1c8b10955 100644 --- a/salt/idstools/localrules/local.rules +++ b/salt/idstools/localrules/local.rules @@ -1 +1 @@ -# Put your own custom Snort/Suricata rules in /opt/so/saltstack/local/salt/idstools/localrules/local.rules \ No newline at end of file +# Put your own custom Snort/Suricata rules in this file! /opt/so/saltstack/local/salt/idstools/localrules/local.rules \ No newline at end of file diff --git a/salt/nginx/etc/nginx.conf.so-eval b/salt/nginx/etc/nginx.conf.so-eval index 79db008c1..1e1c83675 100644 --- a/salt/nginx/etc/nginx.conf.so-eval +++ b/salt/nginx/etc/nginx.conf.so-eval 
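Review bot: With `gpgcheck: 0` already present and the added `sslverify: 0`, every node pulls packages from `https://{{ MANAGER }}/repo` with neither TLS server authentication nor package signature verification, so anyone who can answer for the manager's address on the management network (ARP or DNS spoofing, a rogue host during a reinstall) can hand yum arbitrary RPMs that install as root. The minions already trust the manager's CA through `/etc/pki/ca.crt`, so keep verification on and point the repo at that CA, e.g. `- sslverify: 1` and `- sslcacert: /etc/pki/ca.crt`, and sign the mirrored repo so `gpgcheck` can be re-enabled. If the manager's nginx certificate is not issued for the name or IP used in `MANAGER`, that mismatch is the thing to fix rather than disabling verification, and the reason should be recorded in a comment beside the option either way.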
@@ -2,6 +2,8 @@ {%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager') %} {%- set FLEET_NODE = salt['pillar.get']('global:fleet_node') %} {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', None) %} +{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} + # For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ @@ -180,7 +182,20 @@ http { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Proxy ""; proxy_set_header X-Forwarded-Proto $scheme; - } + } + + {%- if ISAIRGAP is sameas true %} + location /repo/ { + allow all; + sendfile on; + sendfile_max_chunk 1m; + autoindex on; + autoindex_exact_size off; + autoindex_format html; + autoindex_localtime on; + } + + {%- endif %} location /grafana/ { auth_request /auth/sessions/whoami; diff --git a/salt/nginx/etc/nginx.conf.so-manager b/salt/nginx/etc/nginx.conf.so-manager index ceae18cb1..76de6de2d 100644 --- a/salt/nginx/etc/nginx.conf.so-manager +++ b/salt/nginx/etc/nginx.conf.so-manager @@ -2,6 +2,8 @@ {%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager') %} {%- set FLEET_NODE = salt['pillar.get']('global:fleet_node') %} {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', None) %} +{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} + # For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ @@ -232,6 +234,19 @@ http { proxy_set_header X-Forwarded-Proto $scheme; } + {%- if ISAIRGAP is sameas true %} + location /repo/ { + allow all; + sendfile on; + sendfile_max_chunk 1m; + autoindex on; + autoindex_exact_size off; + autoindex_format html; + autoindex_localtime on; + } + + {%- endif %} + {%- if FLEET_NODE %} location /fleet/ { return 301 https://{{ FLEET_IP }}/fleet; 
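Review bot: The new `location /repo/` block combines `allow all` with `autoindex on` and, unlike the neighbouring locations, carries no `auth_request /auth/sessions/whoami`, so the package tree is listable and downloadable by any host that reaches the manager on 443. Anonymous access is presumably needed because yum clients hold no SOC session, but it should be scoped: use `allow` entries for the sensor and search networks followed by `deny all`, and confirm the `root` or `alias` in effect for this path (not in this hunk) cannot serve anything outside the repo directory. Separately, the gate `{%- if ISAIRGAP is sameas true %}` only matches a YAML boolean, while the default set two lines above is the string `'False'`; make the default `False` so the value and the test share a type, and confirm setup writes `airgap: True` as a boolean rather than a quoted string.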
diff --git a/salt/nginx/etc/nginx.conf.so-managersearch b/salt/nginx/etc/nginx.conf.so-managersearch index 01a3afdaa..012a91ba3 100644 --- a/salt/nginx/etc/nginx.conf.so-managersearch +++ b/salt/nginx/etc/nginx.conf.so-managersearch @@ -2,6 +2,8 @@ {%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager') %} {%- set FLEET_NODE = salt['pillar.get']('global:fleet_node') %} {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', None) %} +{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} + # For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ @@ -180,6 +182,19 @@ http { proxy_set_header Proxy ""; proxy_set_header X-Forwarded-Proto $scheme; } + + {%- if ISAIRGAP is sameas true %} + location /repo/ { + allow all; + sendfile on; + sendfile_max_chunk 1m; + autoindex on; + autoindex_exact_size off; + autoindex_format html; + autoindex_localtime on; + } + + {%- endif %} location /grafana/ { auth_request /auth/sessions/whoami; diff --git a/salt/nginx/etc/nginx.conf.so-standalone b/salt/nginx/etc/nginx.conf.so-standalone index dca073437..19a029813 100644 --- a/salt/nginx/etc/nginx.conf.so-standalone +++ b/salt/nginx/etc/nginx.conf.so-standalone @@ -2,7 +2,7 @@ {%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager') %} {%- set FLEET_NODE = salt['pillar.get']('global:fleet_node') %} {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', None) %} -{%- set ISAIRGAP = salt['pillar.get']('global:airgap') %} +{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} # For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ From 9babc445ce111d620049507101c8b1cd96e315d6 Mon Sep 17 00:00:00 2001 
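Review bot: `location /repo/` in the managersearch config is anonymous (`allow all`, no `auth_request`) with `autoindex on`, so the package tree is listable by any host that can reach this node on 443; if yum clients must stay unauthenticated, narrow it with `allow` lines for the sensor and search networks followed by `deny all`, and confirm the `root`/`alias` in effect (outside this hunk) confines it to the repo directory. The `ISAIRGAP` default added above is the string `'False'` while the gate is `is sameas true`, which only matches a YAML boolean, so a string-valued pillar would never render the block; use a boolean default `False` so the value and the test agree.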
From: Jason Ertel Date: Wed, 9 Sep 2020 12:07:18 -0400 Subject: [PATCH 28/40] Add Google search quick action to Hunt; Change VirusTotal quick action to be applicable to all field values --- salt/soc/files/soc/soc.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 81efcb447..181ba7a0c 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json @@ -145,7 +145,8 @@ "actions": [ { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}" }, { "name": "", "description": "actionAlertHelp", "icon": "fa-bell", "link": "/soctopus/thehive/alert/{eventId}" }, - { "name": "", "description": "actionVirtusTotalHelp", "icon": "fa-globe", "link": "https://www.virustotal.com/gui/ip-address/{value}/detection", "fields": [ "source.ip", "destination.ip" ] } + { "name": "", "description": "actionGoogleHelp", "icon": "fa-google", "link": "https://www.google.com/search?q={value}" }, + { "name": "", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}" } ] } } From fc4ad1d556200124b4e989bc825b8f6422f1d88d Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 9 Sep 2020 12:22:38 -0400 Subject: [PATCH 29/40] Add Google search quick action to Hunt; Change VirusTotal quick action to be applicable to all field values --- salt/soc/files/soc/soc.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 181ba7a0c..f3c103dc4 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json 
@@ -145,8 +145,8 @@ "actions": [ { "name": "", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}" }, { "name": "", "description": "actionAlertHelp", "icon": "fa-bell", "link": "/soctopus/thehive/alert/{eventId}" }, - { "name": "", "description": "actionGoogleHelp", "icon": "fa-google", "link": "https://www.google.com/search?q={value}" }, - { "name": "", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}" } + { "name": "", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}" }, + { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "", "link": "https://www.virustotal.com/gui/search/{value}" } ] } } From 9ee9a199b149ffec4a9c909be8ece46770903b7c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 9 Sep 2020 12:50:22 -0400 Subject: [PATCH 30/40] predefine each component as 0 to fix issues with it being unset --- setup/so-whiptail | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/setup/so-whiptail b/setup/so-whiptail index d760373af..52f60501a 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -412,6 +412,13 @@ whiptail_enable_components() { [ -n "$TESTING" ] && return + GRAFANA=0 + OSQUERY=0 + WAZUH=0 + THEHIVE=0 + PLAYBOOK=0 + STRELKA=0 + COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \ "Select Components to install" 20 75 8 \ GRAFANA "Enable Grafana for system monitoring" ON \ From 90ba1be97891f28c1ece1fc5b02f6246bcc3d56e Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Wed, 9 Sep 2020 12:55:14 -0400 Subject: [PATCH 31/40] Improve formatting of NIDS selection screen --- setup/so-whiptail | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index d760373af..94459bb10 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
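Review bot: The Google and VirusTotal actions submit the raw field value to an external site (`https://www.google.com/search?q={value}`, `https://www.virustotal.com/gui/search/{value}`) for every field, so one click sends internal hostnames, usernames or private IPs from the analyst's own environment to a third party, which many SOCs treat as a disclosure; consider shipping these disabled or documenting in the help text keyed by `actionGoogleHelp`/`actionVirusTotalHelp` that they are outbound lookups the operator should review, and note that on an airgapped deployment they simply fail. Whether `{value}` is URL-encoded before substitution is not visible here; if SOC inserts it verbatim, a value containing `&`, `#` or `/` would alter the query or path, so confirm the encoding in the component that renders these links. JSON has no comment syntax, so the caveat belongs in the accompanying documentation rather than this file.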
@@ -621,8 +621,7 @@ whiptail_nids() { [ -n "$TESTING" ] && return NIDS=$(whiptail --title "Security Onion Setup" --radiolist \ - "Choose which IDS to run. \n - Snort 3.0 support will be added once it is out of beta:" 25 75 4 \ + "Choose which IDS to run. \n\n(Snort 3.0 support will be added once it is out of beta)" 25 75 4 \ "Suricata" "Suricata" ON \ "Snort" "Placeholder for Snort 3.0 " OFF 3>&1 1>&2 2>&3 ) From 82b582540ef2b451680614d8347f8a005700fd7c Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Wed, 9 Sep 2020 12:56:19 -0400 Subject: [PATCH 32/40] Add period --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 94459bb10..ce8b22011 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -621,7 +621,7 @@ whiptail_nids() { [ -n "$TESTING" ] && return NIDS=$(whiptail --title "Security Onion Setup" --radiolist \ - "Choose which IDS to run. \n\n(Snort 3.0 support will be added once it is out of beta)" 25 75 4 \ + "Choose which IDS to run. \n\n(Snort 3.0 support will be added once it is out of beta.)" 25 75 4 \ "Suricata" "Suricata" ON \ "Snort" "Placeholder for Snort 3.0 " OFF 3>&1 1>&2 2>&3 ) From 3433b90029c5e5498c85d06d1402a9e6fc628972 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 9 Sep 2020 13:53:10 -0400 Subject: [PATCH 33/40] fix so-status for strelka and wazuh --- salt/common/maps/so-status.map.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/maps/so-status.map.jinja b/salt/common/maps/so-status.map.jinja index 21dd14ec9..448423d83 100644 --- a/salt/common/maps/so-status.map.jinja +++ b/salt/common/maps/so-status.map.jinja 
@@ -21,7 +21,7 @@ {% if role in ['eval', 'managersearch', 'manager', 'standalone'] %} {{ append_containers('manager', 'grafana', 0) }} {{ append_containers('global', 'fleet_manager', 0) }} - {{ append_containers('manager', 'wazuh', 0) }} + {{ append_containers('global', 'wazuh', 0) }} {{ append_containers('manager', 'thehive', 0) }} {{ append_containers('manager', 'playbook', 0) }} {{ append_containers('manager', 'freq', 0) }} @@ -29,7 +29,7 @@ {% endif %} {% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %} - {{ append_containers('global', 'strelka', 0) }} + {{ append_containers('global', 'strelka:enabled', 0) }} {% endif %} {% if role in ['heavynode', 'standalone'] %} From 918d9cf00f0a6e9a7300be7be87218c2ccd6596b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 9 Sep 2020 13:57:53 -0400 Subject: [PATCH 34/40] handle strelka --- salt/common/maps/so-status.map.jinja | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/common/maps/so-status.map.jinja b/salt/common/maps/so-status.map.jinja index 448423d83..560ea2546 100644 --- a/salt/common/maps/so-status.map.jinja +++ b/salt/common/maps/so-status.map.jinja @@ -5,6 +5,9 @@ # to the list predefined by the role / minion id affix {% macro append_containers(pillar_name, k, compare )%} {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %} + {% if ':enabled' in k %} + {% set k = k.split(':') | first %} + {% endif %} {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %} {% for li in d['containers'] %} {{ docker['containers'].append(li) }} From 05d736d2dfafe831c107f32b4909393316b3408e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 9 Sep 2020 14:00:58 -0400 Subject: [PATCH 35/40] handle strelka --- salt/common/maps/so-status.map.jinja | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/salt/common/maps/so-status.map.jinja b/salt/common/maps/so-status.map.jinja index 560ea2546..2aea71c76 100644 --- a/salt/common/maps/so-status.map.jinja 
+++ b/salt/common/maps/so-status.map.jinja @@ -5,9 +5,6 @@ # to the list predefined by the role / minion id affix {% macro append_containers(pillar_name, k, compare )%} {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %} - {% if ':enabled' in k %} - {% set k = k.split(':') | first %} - {% endif %} {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %} {% for li in d['containers'] %} {{ docker['containers'].append(li) }} @@ -32,7 +29,7 @@ {% endif %} {% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %} - {{ append_containers('global', 'strelka:enabled', 0) }} + {{ append_containers('strelka', 'enabled', 0) }} {% endif %} {% if role in ['heavynode', 'standalone'] %} From a5b87850df451306fc10194e0cf92ed87753c283 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 9 Sep 2020 14:07:36 -0400 Subject: [PATCH 36/40] Remove user sync between SOC and Cortex due to the unnecesary complexities involved with this style of integration --- salt/common/tools/sbin/so-user | 4 ---- 1 file changed, 4 deletions(-) diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 57f51fe9a..e354bcce4 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -202,7 +202,6 @@ case "${operation}" in createUser "$email" echo "Successfully added new user to SOC" check_container thehive && echo $password | so-thehive-user-add "$email" - check_container cortex && echo $password | so-cortex-user-add "$email" check_container fleet && echo $password | so-fleet-user-add "$email" ;; @@ -226,7 +225,6 @@ case "${operation}" in updateStatus "$email" 'active' echo "Successfully enabled user" check_container thehive && so-thehive-user-enable "$email" true - check_container cortex && so-cortex-user-enable "$email" true check_container fleet && so-fleet-user-enable "$email" true ;; 
@@ -237,7 +235,6 @@ case "${operation}" in updateStatus "$email" 'locked' echo "Successfully disabled user" check_container thehive && so-thehive-user-enable "$email" false - check_container cortex && so-cortex-user-enable "$email" false check_container fleet && so-fleet-user-enable "$email" false ;; @@ -248,7 +245,6 @@ case "${operation}" in deleteUser "$email" echo "Successfully deleted user" check_container thehive && so-thehive-user-enable "$email" false - check_container cortex && so-cortex-user-enable "$email" false check_container fleet && so-fleet-user-enable "$email" false ;; From 921262b9a5542aed81acd0475fca4c50b303e3d3 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 9 Sep 2020 14:07:38 -0400 Subject: [PATCH 37/40] prevent duplicate containers for so-stauts --- salt/common/tools/sbin/so-status | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status index 7a7d6c783..85709501a 100755 --- a/salt/common/tools/sbin/so-status +++ b/salt/common/tools/sbin/so-status @@ -15,7 +15,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {%- from 'common/maps/so-status.map.jinja' import docker with context %} -{%- set container_list = docker['containers'] | sort %} +{%- set container_list = docker['containers'] | sort | unique %} if ! [ "$(id -u)" = 0 ]; then echo "This command must be run as root" From b0c526364fd6c86734ab70052343ddb55684341f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 9 Sep 2020 14:55:54 -0400 Subject: [PATCH 38/40] handle strelka --- salt/common/maps/so-status.map.jinja | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/common/maps/so-status.map.jinja b/salt/common/maps/so-status.map.jinja index 2aea71c76..fb23e6708 100644 --- a/salt/common/maps/so-status.map.jinja +++ b/salt/common/maps/so-status.map.jinja 
@@ -5,6 +5,9 @@ # to the list predefined by the role / minion id affix {% macro append_containers(pillar_name, k, compare )%} {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %} + {% if k == 'enabled' %} + {% set k = pillar_name %} + {% endif %} {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %} {% for li in d['containers'] %} {{ docker['containers'].append(li) }} From 04f4539385613447e4feac18a27d43d1beb2a009 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 9 Sep 2020 14:57:10 -0400 Subject: [PATCH 39/40] Fix Airgap Repo Name --- salt/airgap/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/airgap/init.sls b/salt/airgap/init.sls index 026598e54..b7ad3da1b 100644 --- a/salt/airgap/init.sls +++ b/salt/airgap/init.sls @@ -4,7 +4,7 @@ airgapyum: - name: /etc/yum/yum.conf - source: salt://airgap/files/yum.conf -airgap.repo: +airgap_repo: pkgrepo.managed: - humanname: Airgap Repo - baseurl: https://{{ MANAGER }}/repo From 39f200f5658b6bd5bb60c377a8071b8faee64b79 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 9 Sep 2020 14:59:21 -0400 Subject: [PATCH 40/40] fix whitespace --- salt/common/tools/sbin/so-status | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status index 85709501a..8658f4757 100755 --- a/salt/common/tools/sbin/so-status +++ b/salt/common/tools/sbin/so-status @@ -71,9 +71,9 @@ compare_lists() { # {% endraw %} create_expected_container_list() { - {% for item in container_list%} + {% for item in container_list -%} expected_container_list+=("{{ item }}") - {% endfor %} + {% endfor -%} } populate_container_lists() {