CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/2.4/dev' into 2.4/zeekbpf

Browse Source
This commit is contained in:
m0duspwnens
2023-03-21 08:45:07 -04:00
parent 0fff3a5a11 1f23e4aafe
commit 02c79463e1
17 changed files with 102 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
salt/allowed_states.map.jinja
View File

@@ -34,7 +34,7 @@
'influxdb', 'influxdb',
'soc', 'soc',
'kratos', 'kratos',
'elastic-fleet', 'elasticfleet',
'firewall', 'firewall',
'idstools', 'idstools',
'suricata.manager', 'suricata.manager',
@@ -105,7 +105,7 @@
'schedule', 'schedule',
'tcpreplay', 'tcpreplay',
'docker_clean', 'docker_clean',
'elastic-fleet' 'elasticfleet'
], ],
'so-manager': [ 'so-manager': [
'salt.master', 'salt.master',
@@ -118,7 +118,7 @@
'influxdb', 'influxdb',
'soc', 'soc',
'kratos', 'kratos',
'elastic-fleet', 'elasticfleet',
'firewall', 'firewall',
'idstools', 'idstools',
'suricata.manager', 'suricata.manager',
@@ -137,7 +137,7 @@
'influxdb', 'influxdb',
'soc', 'soc',
'kratos', 'kratos',
'elastic-fleet', 'elasticfleet',
'firewall', 'firewall',
'manager', 'manager',
'idstools', 'idstools',
@@ -166,7 +166,7 @@
'influxdb', 'influxdb',
'soc', 'soc',
'kratos', 'kratos',
'elastic-fleet', 'elasticfleet',
'firewall', 'firewall',
'idstools', 'idstools',
'suricata.manager', 'suricata.manager',

4
salt/common/tools/sbin/so-elastic-agent-gen-installers
View File

@@ -24,11 +24,11 @@ mkdir -p /tmp/elastic-agent-workspace
for OS in "${CONTAINERGOOS[@]}" for OS in "${CONTAINERGOOS[@]}"
do do
printf "\n\nGenerating $OS Installer..." printf "\n\nGenerating $OS Installer..."
cp /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/so-elastic-agent-*-$OS-x86_64.tar.gz /tmp/elastic-agent-workspace/$OS.tar.gz cp /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/so-elastic-agent-*-$OS-x86_64.tar.gz /tmp/elastic-agent-workspace/$OS.tar.gz
docker run -e CGO_ENABLED=0 -e GOOS=$OS \ docker run -e CGO_ENABLED=0 -e GOOS=$OS \
--mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \ --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \
--mount type=bind,source=/tmp/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \ --mount type=bind,source=/tmp/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \
--mount type=bind,source=/opt/so/saltstack/local/salt/elastic-fleet/files/so_agent-installers/,target=/output/ \ --mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \
{{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHost=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_$OS {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHost=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_$OS
printf "\n $OS Installer Generated..." printf "\n $OS Installer Generated..."
done done

6
salt/common/tools/sbin/so-elastic-fleet-integration-policy-load
View File

@@ -17,7 +17,9 @@ SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http:
# Disable certain Features from showing up in the Kibana UI # Disable certain Features from showing up in the Kibana UI
echo echo
echo "Setting up default Security Onion package policies for Elastic Agent..." echo "Disable certain Features from showing up in the Kibana UI"
so-kibana-space-defaults
echo
# Suricata logs # Suricata logs
echo echo
@@ -71,7 +73,7 @@ echo
# Kratos logs # Kratos logs
echo echo
echo "Setting up Kratos package policy..." echo "Setting up Kratos package policy..."
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "kratos-logs", "name": "kratos-logs", "description": "Kratos logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kratos/kratos.log" ], "data_stream.dataset": "kratos", "tags": [],"processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- rename:\n fields:\n - from: \"audience\"\n to: \"event.dataset\"\n ignore_missing: true\n- add_fields:\n when:\n not: \n has_fields: ['event.dataset']\n target: ''\n fields:\n event.dataset: access", "custom": "pipeline: kratos" }}}}}}' curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "kratos-logs", "name": "kratos-logs", "description": "Kratos logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kratos/kratos.log" ], "data_stream.dataset": "kratos", "tags": [],"processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: iam\n module: kratos" }}}}}}'
echo echo
# RITA Logs # RITA Logs

10
salt/common/tools/sbin/so-elastic-fleet-setup
View File

@@ -91,19 +91,19 @@ printf '%s\n'\
"" >> "$global_pillar_file" "" >> "$global_pillar_file"
# Call Elastic-Fleet Salt State # Call Elastic-Fleet Salt State
salt-call state.apply elastic-fleet queue=True salt-call state.apply elasticfleet queue=True
# Load Elastic Fleet integrations # Load Elastic Fleet integrations
/usr/sbin/so-elastic-fleet-integration-policy-load /usr/sbin/so-elastic-fleet-integration-policy-load
# Temp # Temp
wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-darwin-x86_64.tar.gz wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-darwin-x86_64.tar.gz
wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-linux-x86_64.tar.gz wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-linux-x86_64.tar.gz
wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-windows-x86_64.tar.gz wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-windows-x86_64.tar.gz
#git clone -b 2.4-so-elastic-agent https://github.com/Security-Onion-Solutions/securityonion-image.git #git clone -b 2.4-so-elastic-agent https://github.com/Security-Onion-Solutions/securityonion-image.git
#cd securityonion-image/so-elastic-agent-builder #cd securityonion-image/so-elastic-agent-builder
#docker build -t so-elastic-agent-builder . #docker build -t so-elastic-agent-builder .
so-elastic-agent-gen-installers so-elastic-agent-gen-installers
salt-call state.apply elastic-fleet.install_agent_grid queue=True salt-call state.apply elasticfleet.install_agent_grid queue=True

2
salt/common/tools/sbin/so-kibana-space-defaults
View File

@@ -13,6 +13,6 @@ echo "Setting up default Space:"
{% if HIGHLANDER %} {% if HIGHLANDER %}
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log
{% else %} {% else %}
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet","fleetv2","securitySolutionCases"]} ' >> /opt/so/log/kibana/misc.log curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCases"]} ' >> /opt/so/log/kibana/misc.log
{% endif %} {% endif %}
echo echo

2
salt/common/tools/sbin/so-minion
View File

@@ -23,7 +23,7 @@ if [[ $# -lt 1 ]]; then
echo " accept: Accepts a new key and adds the minion files" echo " accept: Accepts a new key and adds the minion files"
echo " delete: Removes the key and deletes the minion files" echo " delete: Removes the key and deletes the minion files"
echo " reject: Rejects a key" echo " reject: Rejects a key"
echo " test: Ingest test data" echo " test: Perform minion test"
echo "" echo ""
exit 1 exit 1
fi fi

0
salt/elastic-fleet/files/so_agent-installers/readme → salt/elasticfleet/files/so_agent-installers/readme
View File

0
salt/elastic-fleet/init.sls → salt/elasticfleet/init.sls
View File

2
salt/elastic-fleet/install_agent_grid.sls → salt/elasticfleet/install_agent_grid.sls
View File

@@ -9,7 +9,7 @@
run_installer: run_installer:
cmd.script: cmd.script:
- name: salt://elastic-fleet/files/so_agent-installers/so-elastic-agent_linux - name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux
- args: -token={{ GRIDNODETOKEN }} - args: -token={{ GRIDNODETOKEN }}
{% endif %} {% endif %}

18
salt/elasticfleet/soc_elasticfleet.yaml Normal file
View File

@@ -0,0 +1,18 @@
elasticfleet:
server:
endpoints_enrollment:
description: Endpoint enrollment key.
global: True
helpLink: elastic-fleet.html
es_token:
description: Elastic auth token.
global: True
helpLink: elastic-fleet.html
grid_enrollment:
description: Grid enrollment key.
global: True
helpLink: elastic-fleet.html
url:
description: Agent connection URL.
global: True
helpLink: elastic-fleet.html

4
salt/elasticsearch/files/ingest/kratos
View File

@@ -1,7 +1,9 @@
{ {
"description" : "kratos", "description" : "kratos",
"processors" : [ "processors" : [
{ "set": { "field": "event.dataset", "value": "access" } }, {"set":{"field":"audience","value":"access","override":false,"ignore_failure":true}},
{"set":{"field":"event.dataset","ignore_empty_value":true,"ignore_failure":true,"value":"kratos.{{{audience}}}","media_type":"text/plain"}},
{"set":{"field":"event.action","ignore_failure":true,"copy_from":"msg" }},
{ "pipeline": { "name": "common" } } { "pipeline": { "name": "common" } }
] ]
} }

2
salt/idh/init.sls
View File

@@ -74,8 +74,6 @@ so-idh:
- file: opencanary_config - file: opencanary_config
- require: - require:
- file: opencanary_config - file: opencanary_config
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
append_so-idh_so-status.conf: append_so-idh_so-status.conf:
file.append: file.append:

2
salt/nginx/init.sls
View File

@@ -95,7 +95,7 @@ so-nginx:
- /opt/so/log/nginx/:/var/log/nginx:rw - /opt/so/log/nginx/:/var/log/nginx:rw
- /opt/so/tmp/nginx/:/var/lib/nginx:rw - /opt/so/tmp/nginx/:/var/lib/nginx:rw
- /opt/so/tmp/nginx/:/run:rw - /opt/so/tmp/nginx/:/run:rw
- /opt/so/saltstack/local/salt/elastic-fleet/files/so_agent-installers/:/opt/socore/html/packages - /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/:/opt/socore/html/packages
{% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %} {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %}
- /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro - /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro
- /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro - /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro

6
salt/ssl/init.sls
View File

@@ -210,19 +210,19 @@ chownilogstashelasticfleetp8:
# Create Symlinks to the keys so I can distribute it to all the things # Create Symlinks to the keys so I can distribute it to all the things
elasticfleetdircerts: elasticfleetdircerts:
file.directory: file.directory:
- name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs
- makedirs: True - makedirs: True
efkeylink: efkeylink:
file.symlink: file.symlink:
- name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs/elasticfleet.p8 - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs/elasticfleet.p8
- target: /etc/pki/elasticfleet.p8 - target: /etc/pki/elasticfleet.p8
- user: socore - user: socore
- group: socore - group: socore
efcrtlink: efcrtlink:
file.symlink: file.symlink:
- name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs/elasticfleet.crt - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs/elasticfleet.crt
- target: /etc/pki/elasticfleet.crt - target: /etc/pki/elasticfleet.crt
- user: socore - user: socore
- group: socore - group: socore

18
salt/top.sls
View File

@@ -59,7 +59,7 @@ base:
{%- endif %} {%- endif %}
- schedule - schedule
- docker_clean - docker_clean
- elastic-fleet.install_agent_grid - elasticfleet.install_agent_grid
'*_eval and G@saltversion:{{saltversion}}': '*_eval and G@saltversion:{{saltversion}}':
- match: compound - match: compound
@@ -147,7 +147,7 @@ base:
- schedule - schedule
- soctopus - soctopus
- playbook - playbook
- elastic-fleet - elasticfleet
- docker_clean - docker_clean
'*_standalone and G@saltversion:{{saltversion}}': '*_standalone and G@saltversion:{{saltversion}}':
@@ -198,7 +198,7 @@ base:
- schedule - schedule
- soctopus - soctopus
- playbook - playbook
- elastic-fleet - elasticfleet
- docker_clean - docker_clean
'*_searchnode and G@saltversion:{{saltversion}}': '*_searchnode and G@saltversion:{{saltversion}}':
@@ -215,7 +215,7 @@ base:
- logstash - logstash
{%- endif %} {%- endif %}
- schedule - schedule
- elastic-fleet.install_agent_grid - elasticfleet.install_agent_grid
- docker_clean - docker_clean
'*_managersearch and G@saltversion:{{saltversion}}': '*_managersearch and G@saltversion:{{saltversion}}':
@@ -257,7 +257,7 @@ base:
- schedule - schedule
- soctopus - soctopus
- playbook - playbook
- elastic-fleet - elasticfleet
- docker_clean - docker_clean
'*_heavynode and G@saltversion:{{saltversion}}': '*_heavynode and G@saltversion:{{saltversion}}':
@@ -286,7 +286,7 @@ base:
- zeek - zeek
{%- endif %} {%- endif %}
- schedule - schedule
- elastic-fleet.install_agent_grid - elasticfleet.install_agent_grid
- docker_clean - docker_clean
'*_import and G@saltversion:{{saltversion}}': '*_import and G@saltversion:{{saltversion}}':
@@ -317,7 +317,7 @@ base:
- suricata - suricata
- zeek - zeek
- schedule - schedule
- elastic-fleet - elasticfleet
- docker_clean - docker_clean
'*_receiver and G@saltversion:{{saltversion}}': '*_receiver and G@saltversion:{{saltversion}}':
@@ -333,7 +333,7 @@ base:
- redis - redis
{%- endif %} {%- endif %}
- schedule - schedule
- elastic-fleet.install_agent_grid - elasticfleet.install_agent_grid
- docker_clean - docker_clean
'*_idh and G@saltversion:{{saltversion}}': '*_idh and G@saltversion:{{saltversion}}':
@@ -343,7 +343,7 @@ base:
- telegraf - telegraf
- firewall - firewall
- schedule - schedule
- elastic-fleet.install_agent_grid - elasticfleet.install_agent_grid
- docker_clean - docker_clean
- idh - idh

10
setup/so-setup
View File

@@ -58,6 +58,10 @@ while [[ $# -gt 0 ]]; do
esac esac
done done
# Preserve old setup/error logs
[ -f "$error_log" ] && mv "$error_log" "$error_log.$(date +%Y-%m-%dT%H:%M:%S)"
[ -f "$setup_log" ] && mv "$setup_log" "$setup_log.$(date +%Y-%m-%dT%H:%M:%S)"
# Let's see what OS we are dealing with here # Let's see what OS we are dealing with here
detect_os detect_os
@@ -134,9 +138,7 @@ title "Checking to see if install has run before"
if [[ -f /root/accept_changes ]]; then if [[ -f /root/accept_changes ]]; then
is_reinstall=true is_reinstall=true
whiptail_reinstall whiptail_reinstall
info "Old setup detected. Moving the last setup.log to setup.log.bak" info "Old setup detected. Preparing for reinstallation."
mv "$setup_log" "$setup_log.bak"
[ -f "$error_log" ] && mv "$error_log" "$error_log.bak"
reinstall_init reinstall_init
reset_proxy reset_proxy
fi fi
@@ -267,7 +269,7 @@ if ! [[ -f $install_opt_file ]]; then
if (whiptail_you_sure); then if (whiptail_you_sure); then
true true
else else
error "User cancelled setup." info "User cancelled setup."
whiptail_cancel whiptail_cancel
fi fi
# If this is an analyst install lets streamline the process. # If this is an analyst install lets streamline the process.

28
setup/so-whiptail
View File

@@ -976,7 +976,7 @@ whiptail_manager_unreachable() {
Run the following on the manager: Run the following on the manager:
so-firewall-minion --role=$install_type --ip=$MAINIP sudo so-firewall-minion --role=$install_type --ip=$MAINIP
Would you like to retry? Would you like to retry?
EOM EOM
@@ -1271,19 +1271,35 @@ whiptail_setup_complete() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
if [[ -n "$REDIRECTIT" && $is_manager = true ]]; then
if [[ $waitforstate ]]; then
# Manager-type Nodes - Install Summary
if [[ -n $ALLOW_CIDR ]]; then if [[ -n $ALLOW_CIDR ]]; then
local sentence_prefix="Access" local sentence_prefix="Access"
else else
local sentence_prefix="Run so-allow to access" local sentence_prefix="Run so-allow to access"
fi fi
local accessMessage="\n${sentence_prefix} the web interface at: https://${REDIRECTIT}\n"
elif [[ $is_idh ]]; then read -r -d '' message <<- EOM
${install_type} setup is now complete!
${sentence_prefix} the Security Onion Console (SOC) web interface by navigating to:
https://${REDIRECTIT}
Then login with the following username and password.
SOC Username: ${WEBUSER}
SOC Password: Use the password that was entered during setup
Press TAB and then the ENTER key to exit this screen.
EOM
whiptail --title "$whiptail_title" --msgbox "$message" 24 75 --scrolltext
else
if [[ $is_idh ]]; then
local accessMessage="\nSSH for this node has been moved to TCP/2222, accessible only from the Manager node.\n" local accessMessage="\nSSH for this node has been moved to TCP/2222, accessible only from the Manager node.\n"
else else
local accessMessage="" local accessMessage=""
fi fi
MINIONFINGERPRINT=$(salt-call --local key.finger --out=newline_values_only) MINIONFINGERPRINT=$(salt-call --local key.finger --out=newline_values_only)
read -r -d '' message <<- EOM read -r -d '' message <<- EOM
${install_type} initialization is now complete! ${install_type} initialization is now complete!
@@ -1297,12 +1313,12 @@ whiptail_setup_complete() {
Node Hostname: $HOSTNAME Node Hostname: $HOSTNAME
Node Fingerprint: Node Fingerprint:
$MINIONFINGERPRINT $MINIONFINGERPRINT
$accessMessage $accessMessage
Press TAB and then the ENTER key to exit this screen. Press TAB and then the ENTER key to exit this screen.
EOM EOM
whiptail --title "$whiptail_title" --msgbox "$message" 24 75 --scrolltext whiptail --title "$whiptail_title" --msgbox "$message" 24 75 --scrolltext
fi
} }
whiptail_setup_failed() { whiptail_setup_failed() {