From 6cdf1ef857a961210f22cd51944e38469bd3c197 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 11 Dec 2018 19:44:32 +0000 Subject: [PATCH 01/22] Firewall - Add rules for Wazuh Manager --- salt/firewall/init.sls | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 71575e3d6..ef2acd81f 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -1,5 +1,19 @@ # Firewall Magic for the grid +{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %} + +{%- set ip = salt['pillar.get']('static:masterip', '') %} + +{% elif grains['role'] == 'so-node'%} + +{%- set ip = salt['pillar.get']('node:mainip', '') %} + +{% elif grains['role'] == 'so-sensor'%} + +{%- set ip = salt['pillar.get']('node:mainip', '') %} + +{% endif %} + # Keep localhost in the game iptables_allow_localhost: iptables.append: @@ -86,6 +100,29 @@ enable_docker_user_established: - match: conntrack - ctstate: 'RELATED,ESTABLISHED' +# Add rule(s) for Wazuh manager +enable_wazuh_manager_1514_tcp_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: tcp + - source: {{ ip }} + - dport: 1514 + - position: 1 + - save: True + +enable_wazuh_manager_1514_udp_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: udp + - source: {{ ip }} + - dport: 1514 + - position: 1 + - save: True + # Rules if you are a Master {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %} #This should be more granular From 223237f8c25a31f0330a352e68fe9a2fe4aaa750 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 11 Dec 2018 19:45:56 +0000 Subject: [PATCH 02/22] Wazuh - Expose both UDP and TCP ports --- salt/wazuh/init.sls | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index a7f06ab33..622ef20e8 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls 
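Review bot: `- source: {{ ip }}` in the two new enable_wazuh_manager_1514 rules comes from a pillar lookup whose default is `''`, and the role chain added at the top of the file has no else branch, so on a host whose role matches none of the three, or whose pillar key is absent, the rules render with an empty source — depending on how the iptables state treats that, the likely result is an ACCEPT for port 1514 from any address at position 1 of DOCKER-USER. Wrapping the two rules in `{% if ip %}` … `{% endif %}` (or failing the render when `ip` is empty) keeps the chain closed by default. The `so-sensor` branch reads `node:mainip` while patch 21's ossec.conf reads `sensor:mainip` for the same role, so one of the two is probably wrong. Each branch also sets `ip` to the host's own address, which on the master admits agent traffic only from the master itself; if agents on nodes and sensors are meant to reach the manager, the source should be their addresses rather than the local one — worth confirming against the rest of the file.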
@@ -48,7 +48,8 @@ so-wazuh: - name: so-wazuh - detach: True - port_bindings: - - 0.0.0.0:1514:1514 + - 0.0.0.0:1515:1514/udp + - 0.0.0.0:1514:1514/tcp - 0.0.0.0:55000:55000 - binds: - /opt/so/wazuh/:/var/ossec/data/:rw From 9a021164ace4824cfef6976b2caf71d567b2b241 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 01:42:05 +0000 Subject: [PATCH 03/22] Wazuh - Fix port, add agent conf, and agent registration script --- salt/wazuh/files/agent/ossec.conf | 195 ++++++++++++++++++++ salt/wazuh/files/agent/wazuh-register-agent | 131 +++++++++++++ salt/wazuh/init.sls | 11 +- 3 files changed, 336 insertions(+), 1 deletion(-) create mode 100644 salt/wazuh/files/agent/ossec.conf create mode 100755 salt/wazuh/files/agent/wazuh-register-agent diff --git a/salt/wazuh/files/agent/ossec.conf b/salt/wazuh/files/agent/ossec.conf new file mode 100644 index 000000000..c89b9ce06 --- /dev/null +++ b/salt/wazuh/files/agent/ossec.conf @@ -0,0 +1,195 @@ +{%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %} +{%- set ip = salt['pillar.get']('static:masterip', '') %} +{%- endif %} + + + + + +
{{ip}}
+ 1514 + udp +
+ ubuntu, ubuntu16, ubuntu16.04 + 10 + 60 + yes + aes +
+ + + + no + 5000 + 500 + + + + + no + yes + yes + yes + yes + yes + yes + yes + yes + + + 43200 + + /var/ossec/etc/shared/rootkit_files.txt + /var/ossec/etc/shared/rootkit_trojans.txt + + /var/ossec/etc/shared/system_audit_rcl.txt + /var/ossec/etc/shared/system_audit_ssh.txt + + yes + + + + yes + 1800 + 1d + yes + + + + yes + 1800 + 1d + yes + + wodles/java + wodles/ciscat + + + + + yes + yes + /var/log/osquery/osqueryd.results.log + /etc/osquery/osquery.conf + yes + + + + + no + 1h + yes + yes + yes + yes + yes + yes + yes + + + + + no + + + 43200 + + yes + + + /etc,/usr/bin,/usr/sbin + /bin,/sbin,/boot + + + /etc/mtab + /etc/hosts.deny + /etc/mail/statistics + /etc/random-seed + /etc/random.seed + /etc/adjtime + /etc/httpd/logs + /etc/utmpx + /etc/wtmpx + /etc/cups/certs + /etc/dumpdates + /etc/svc/volatile + /sys/kernel/security + /sys/kernel/debug + + + /etc/ssl/private.key + + yes + + + yes + + + yes + + + + + command + df -P + 360 + + + + full_command + netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d + netstat listening ports + 360 + + + + full_command + last -n 20 + 360 + + + + + no + /var/ossec/etc/wpk_root.pem + yes + + + + + plain + + +
+ + + + syslog + /var/ossec/logs/active-responses.log + + + + syslog + /var/log/auth.log + + + + syslog + /var/log/syslog + + + + syslog + /var/log/dpkg.log + + + + syslog + /var/log/kern.log + + + diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent new file mode 100755 index 000000000..e9f9dbeb5 --- /dev/null +++ b/salt/wazuh/files/agent/wazuh-register-agent @@ -0,0 +1,131 @@ +#!/bin/bash + +### +# Shell script for registering agents automatically with the API +# Copyright (C) 2017 Wazuh, Inc. All rights reserved. +# Wazuh.com +# +# This program is a free software; you can redistribute it +# and/or modify it under the terms of the GNU General Public +# License (version 2) as published by the FSF - Free Software +# Foundation. +### +# +# 12/11/2018 +# This script has been modified by Security Onion Solutions +# - Added Agent IP variable and option +### + +# Connection variables +API_IP="localhost" +API_PORT="55000" +PROTOCOL="https" +USER="foo" +PASSWORD="bar" +AGENT_NAME=$(hostname) +AGENT_IP="" + +display_help() { +cat < agent is not registered +# if ! [ "$AGENT_ID" -eq "$AGENT_ID" ] 2> /dev/null ; then +# echo "Starting registration process ..." +# : +# elif [[ "$FORCE" = true && "$SILENT" = "true" ]] ; then +# remove_agent > /dev/null 2>&1 +# else +# if [[ "$FORCE" = true ]] ; then +# remove_agent +# fi +# fi + +# Default action -> try to register the agent +register_agent +#remove_agent diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 622ef20e8..2dace4cac 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -41,6 +41,15 @@ wazuhpkgs: - pkgs: - wazuh-agent +# Add Wazuh agent conf +eslog4jfile: + file.managed: + - name: /var/ossec/etc/ossec.conf + - source: salt://wazuh/files/agent/ossec.conf + - user: 0 + - group: 945 + - template: jinja + so-wazuh: docker_container.running: - image: soshybridhunter/so-wazuh:HH1.0.5 
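Review bot: The manager address in the new agent config, `{{ip}}`, is assigned only inside `{%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}` with no other branch, yet the file is installed on every host that applies the wazuh state, so on a node or sensor the render either fails on the undefined name or emits an empty address — in both cases the agent cannot reach the manager. Patch 21 later adds node and sensor branches; until then an `{%- else %}` that reads the host's pillar, or an explicit render failure, would make the gap visible instead of silent. The remainder of the file is the stock Wazuh agent configuration, and since the XML markup was lost in this copy of the patch I am reviewing the values only.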
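Review bot: The visible part of the new registration script ships the manager API credentials as literals, `USER="foo"` and `PASSWORD="bar"`, and patches 05 and 08 later install it world-readable at `/usr/sbin/wazuh-register-agent` with mode 755, so whatever the real API password ends up being would sit in plain text on every agent host. Since setup already has `generate_passwords` and `auth_pillar` (patch 06), the user and password should be rendered from pillar the way `AGENT_IP` is in patch 09, or read at run time from a root-only file, rather than edited into the script. `API_IP="localhost"` likewise assumes the script runs on the manager host; the node and sensor roles that patch 20 adds the wazuh state to would need the master address here. The heredoc and most of the body were lost in this copy of the patch, so only the variable block at the top is reviewed.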
@@ -48,7 +57,7 @@ so-wazuh: - name: so-wazuh - detach: True - port_bindings: - - 0.0.0.0:1515:1514/udp + - 0.0.0.0:1514:1514/udp - 0.0.0.0:1514:1514/tcp - 0.0.0.0:55000:55000 - binds: From 634c435ad60d4aab737a7fc652834cc25c3bdd79 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 01:51:30 +0000 Subject: [PATCH 04/22] Setup - Configure Wazuh agent --- so-setup-network.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/so-setup-network.sh b/so-setup-network.sh index 0f563a4b3..77d77fbd5 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -220,6 +220,14 @@ configure_minion() { } +configure_wazuh_agent(){ + + # Configure Wazuh agent to talk to manager + echo "Configuring Wazuh agent to talk to manager..." + /usr/sbin/wazuh-register-agent -i $MAINIP + +} + copy_master_config() { # Copy the master config template to the proper directory @@ -1660,6 +1668,7 @@ if (whiptail_you_sure); then salt_checkin_message salt_checkin checkin_at_boot + configure_wazuh_agent whiptail_setup_complete fi From 113f03087333fc5d15565f5fb4c8f7d66c0cf9e8 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 02:26:38 +0000 Subject: [PATCH 05/22] Wazuh - Add agent register script to init.sls --- salt/wazuh/init.sls | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 2dace4cac..335f29bc9 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -42,7 +42,7 @@ wazuhpkgs: - wazuh-agent # Add Wazuh agent conf -eslog4jfile: +wazuhagentconf: file.managed: - name: /var/ossec/etc/ossec.conf - source: salt://wazuh/files/agent/ossec.conf @@ -50,6 +50,14 @@ eslog4jfile: - group: 945 - template: jinja +# Add Wazuh agent conf +wazuhagentregister: + file.managed: + - name: /usr/sbin/wazuh-agent-register + - source: salt://wazuh/files/agent/wazuh-register-agent + - user: 0 + - group: 0 + so-wazuh: docker_container.running: - image: soshybridhunter/so-wazuh:HH1.0.5 
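Review bot: In `configure_wazuh_agent`, `$MAINIP` is passed unquoted and the exit status of `/usr/sbin/wazuh-register-agent` is discarded, so an empty variable silently drops the `-i` argument and a failed registration still lets setup report success; `/usr/sbin/wazuh-register-agent -i "$MAINIP" || echo "Wazuh agent registration failed"` would surface it. The call is also wired in right after `checkin_at_boot`, and unless `salt_checkin` has already applied the wazuh state the script does not exist yet (patch 05 adds the state that deploys it), which is presumably why patch 10 comments the call out again; a `[ -x /usr/sbin/wazuh-register-agent ]` guard would make that ordering dependency explicit.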
From 86a72984c76fe15331bec58caf138a5ab0e9f301 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 02:58:09 +0000 Subject: [PATCH 06/22] Setup - Add auth pillar to eval mode --- so-setup-network.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/so-setup-network.sh b/so-setup-network.sh index 77d77fbd5..065847fac 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -1633,6 +1633,7 @@ if (whiptail_you_sure); then CURCLOSEDAYS=30 whiptail_make_changes generate_passwords + auth_pillar clear_master mkdir -p /nsm get_filesystem_root From 1a4a7382e254257308344a8d3b07332a84ff402e Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 03:18:55 +0000 Subject: [PATCH 07/22] Wazuh - Fix Wazuh agent registration script name --- salt/wazuh/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 335f29bc9..ff6de8b84 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -53,7 +53,7 @@ wazuhagentconf: # Add Wazuh agent conf wazuhagentregister: file.managed: - - name: /usr/sbin/wazuh-agent-register + - name: /usr/sbin/wazuh-register-agent - source: salt://wazuh/files/agent/wazuh-register-agent - user: 0 - group: 0 From 823a589fae2631388d24bdee461d6bc8c10dba40 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 04:01:13 +0000 Subject: [PATCH 08/22] Wazuh - Set mode for agent registration script --- salt/wazuh/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index ff6de8b84..1d0b9a99e 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -57,6 +57,7 @@ wazuhagentregister: - source: salt://wazuh/files/agent/wazuh-register-agent - user: 0 - group: 0 + - mode: 755 so-wazuh: docker_container.running: From 8404897fe3cf7fe9dbd66b15552e8a995bbf3b05 Mon Sep 17 00:00:00 2001 
From: Wes Lambert Date: Wed, 12 Dec 2018 06:05:13 +0000 Subject: [PATCH 09/22] Wazuh - Move agent config to init.sls --- salt/wazuh/files/agent/wazuh-register-agent | 5 +++-- salt/wazuh/init.sls | 13 ++++++++----- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent index e9f9dbeb5..1854f55ff 100755 --- a/salt/wazuh/files/agent/wazuh-register-agent +++ b/salt/wazuh/files/agent/wazuh-register-agent @@ -1,3 +1,4 @@ +{%- set ip = salt['pillar.get']('static:masterip', '') %} #!/bin/bash ### @@ -23,7 +24,7 @@ PROTOCOL="https" USER="foo" PASSWORD="bar" AGENT_NAME=$(hostname) -AGENT_IP="" +AGENT_IP="{{ip}}" display_help() { cat < Date: Wed, 12 Dec 2018 13:10:27 +0000 Subject: [PATCH 10/22] Setup - Remark Wazuh agent config --- so-setup-network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 065847fac..72496657d 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -1669,7 +1669,7 @@ if (whiptail_you_sure); then salt_checkin_message salt_checkin checkin_at_boot - configure_wazuh_agent + #configure_wazuh_agent whiptail_setup_complete fi From 5822842d2e874f5b13b21924e966f7b1523ecfd4 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 13:36:13 +0000 Subject: [PATCH 11/22] Wazuh - Add sleep to wait for API --- salt/wazuh/files/agent/wazuh-register-agent | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent index 1854f55ff..b6199cf9a 100755 --- a/salt/wazuh/files/agent/wazuh-register-agent +++ b/salt/wazuh/files/agent/wazuh-register-agent @@ -128,5 +128,6 @@ shift $(($OPTIND - 1)) # fi # Default action -> try to register the agent +sleep 10s register_agent #remove_agent From e20ab3b4073051febe20d76a843e36b87112434e Mon Sep 17 00:00:00 2001 
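Review bot: The new `{%- set ip = salt['pillar.get']('static:masterip', '') %}` sits above `#!/bin/bash`, and `{%-` strips only the whitespace before the tag, so once rendered the file starts with an empty line and the shebang is no longer on line 1; executed as `/usr/sbin/wazuh-register-agent` it then runs under whatever shell the caller falls back to rather than bash. Swap the two lines, or close the tag with `-%}` so the trailing newline is consumed too. This assumes the state installs the script with `template: jinja`, which `AGENT_IP="{{ip}}"` requires; the init.sls hunk of this patch is not visible in this copy.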
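Review bot: `sleep 10s` before `register_agent` is a fixed delay standing in for a readiness check; on a slow first boot the manager API is not listening after ten seconds and registration fails, while on a fast one the wait is wasted. A bounded poll on the API port costs a few more lines and removes the race; it relies on bash's `/dev/tcp`, so the script must actually run under bash (see the shebang ordering raised on this patch's first hunk). `register_agent` and the connection variables are defined above the hunk.
```bash
# Wait (bounded) for the manager API to accept connections instead of sleeping a fixed time
for _ in $(seq 1 30); do
    if (exec 3<>"/dev/tcp/${API_IP}/${API_PORT}") 2>/dev/null; then
        break
    fi
    sleep 2
done
register_agent
```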
From: Wes Lambert Date: Wed, 12 Dec 2018 14:48:17 +0000 Subject: [PATCH 12/22] Filebeat - Config for Wazuh alerts --- salt/filebeat/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 251274606..7563ad72a 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -61,6 +61,7 @@ so-filebeat: - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro - /nsm/bro:/nsm/bro:ro - /opt/so/log/suricata:/suricata:ro + - /opt/so/wazuh/alerts/alerts.json:/wazuh/alerts/alerts.json:ro - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro From 9d86744e076dd38ff01bd566afa3bf1ec02df29a Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 15:19:51 +0000 Subject: [PATCH 13/22] Filebeat - Fix Wazuh alerts path --- salt/filebeat/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 7563ad72a..8b0ec3f4c 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -61,7 +61,7 @@ so-filebeat: - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro - /nsm/bro:/nsm/bro:ro - /opt/so/log/suricata:/suricata:ro - - /opt/so/wazuh/alerts/alerts.json:/wazuh/alerts/alerts.json:ro + - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro From 8496834f8bc539e3075944fcc09938d1f7c9b768 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 15:48:59 +0000 Subject: [PATCH 14/22] Wazuh - Re-order top.sls so Filebeat does not overrite Wazuh logs --- salt/top.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/salt/top.sls b/salt/top.sls index 413a120f6..03c220047 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -29,11 +29,11 @@ base: - bro - curator - elastalert + - fleet + - wazuh - filebeat - utility - schedule - - fleet - - wazuh 'G@role:so-master': From 54c35cdc0dc1e9fb2ac0d35f65cef5009aed7d34 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 20:51:41 +0000 Subject: [PATCH 15/22] Filebeat - Add Wazuh archive logs --- salt/filebeat/etc/filebeat.yml | 10 ++++++++++ salt/filebeat/init.sls | 1 + 2 files changed, 11 insertions(+) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 342b925a0..4384d124e 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -47,6 +47,16 @@ filebeat.prospectors: fields_under_root: true clean_removed: false close_removed: false + + - type: log + paths: + - /wazuh/archives/archives.json + fields: + type: ossec_archive + fields_under_root: true + clean_removed: false + close_removed: false + {%- endif %} #----------------------------- Logstash output --------------------------------- diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 8b0ec3f4c..da8f0637c 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -62,6 +62,7 @@ so-filebeat: - /nsm/bro:/nsm/bro:ro - /opt/so/log/suricata:/suricata:ro - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro + - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro From 41e9c4c7e0caf0fbe3fe3860d740c8510179cbfe Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 12 Dec 2018 20:52:18 +0000 Subject: [PATCH 16/22] Logstash - Alter input for Wazuh logs --- salt/logstash/files/dynamic/0006_input_beats.conf | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/salt/logstash/files/dynamic/0006_input_beats.conf b/salt/logstash/files/dynamic/0006_input_beats.conf index b263e611b..bd41a3024 100644 --- a/salt/logstash/files/dynamic/0006_input_beats.conf +++ b/salt/logstash/files/dynamic/0006_input_beats.conf @@ -9,7 +9,7 @@ input { } } filter { - if [type] == "ids" { + if [type] == "ids" or [type] =~ "bro" { mutate { rename => { "host" => "beat_host" } remove_tag => ["beat"] @@ -17,11 +17,10 @@ filter { add_field => { "syslog-host_from" => "%{[beat][name]}" } } } - if "bro" in [tags] { + if [type] =~ "ossec" { mutate { rename => { "host" => "beat_host" } remove_tag => ["beat"] - add_field => { "sensor_name" => "%{[beat][name]}" } add_field => { "syslog-host_from" => "%{[beat][name]}" } } } From 5c737e9fda6340572ce3912ab034dba1143c14a0 Mon Sep 17 00:00:00 2001 From: dlee35 Date: Wed, 12 Dec 2018 16:19:35 -0500 Subject: [PATCH 17/22] Updated Fleet init.sls and nginx confs for fleet --- salt/common/nginx/nginx.conf.so-eval | 14 ++++++++++++++ salt/common/nginx/nginx.conf.so-master | 12 ++++++++++++ salt/fleet/init.sls | 12 +++++++++++- 3 files changed, 37 insertions(+), 1 deletion(-) diff --git a/salt/common/nginx/nginx.conf.so-eval b/salt/common/nginx/nginx.conf.so-eval index 4ffb2835f..50f48497d 100644 --- a/salt/common/nginx/nginx.conf.so-eval +++ b/salt/common/nginx/nginx.conf.so-eval @@ -110,6 +110,20 @@ http { proxy_set_header Proxy ""; } + + location /api/ { + proxy_pass https://{{ masterip }}:8080/api/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + + } + location /fleet/ { rewrite /fleet/(.*) /$1 break; proxy_pass https://{{ masterip }}:8080/; 
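Review bot: Replacing `if "bro" in [tags]` with `if [type] =~ "ossec"` also drops `add_field => { "sensor_name" => "%{[beat][name]}" }`, and Bro events now take the first branch, which never sets `sensor_name`; if any downstream filter or dashboard keys on that field for Bro, this hunk removes it without replacement. `[type] =~ "bro"` and `[type] =~ "ossec"` are regex matches, so they also accept any type containing those substrings (`ossec_archive` is presumably intended), which is fine if deliberate — an anchored pattern such as `=~ /^ossec/` would make the intent explicit. The filter block continues outside the hunk.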
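Review bot: The new `location /api/` block (duplicated in nginx.conf.so-master in the next file section) hard-codes `proxy_set_header Connection "Upgrade"` for every request, not only those that carry an `Upgrade` header, so plain HTTPS calls to the Fleet API are forwarded as upgrade requests; nginx's documented pattern is a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the `http` context and `proxy_set_header Connection $connection_upgrade;` here. It also proxies to `https://{{ masterip }}:8080/api/` without `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate`, so the upstream certificate is never checked; if Fleet's certificate is issued by the internal CA the repo already distributes (`/etc/ssl/certs/intca.crt`), pinning it is cheap. Any authentication or allow/deny applied to `/fleet/` is not visible in the hunk, so confirm the API location receives the same treatment now that it is exposed on the public virtual host.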
diff --git a/salt/common/nginx/nginx.conf.so-master b/salt/common/nginx/nginx.conf.so-master index 535009c71..50f48497d 100644 --- a/salt/common/nginx/nginx.conf.so-master +++ b/salt/common/nginx/nginx.conf.so-master @@ -111,6 +111,18 @@ http { } + location /api/ { + proxy_pass https://{{ masterip }}:8080/api/; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + + } location /fleet/ { rewrite /fleet/(.*) /$1 break; diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index a90377b1f..c5d77a7ec 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -10,6 +10,13 @@ fleetcdir: - group: 939 - makedirs: True +fleetlogdir: + file.directory: + - name: /opt/so/log/fleet + - user: 939 + - group: 939 + - makedirs: True + fleetdb: mysql_database.present: - name: fleet @@ -44,8 +51,11 @@ so-fleet: - KOLIDE_SERVER_KEY=/ssl/server.key - KOLIDE_LOGGING_JSON=true - KOLIDE_AUTH_JWT_KEY=thisisatest + - KOLIDE_OSQUERY_STATUS_LOG_FILE=/var/log/osquery/status.log + - KOLIDE_OSQUERY_RESULT_LOG_FILE=/var/log/osquery/result.log - binds: - /etc/pki/fleet.key:/ssl/server.key:ro - - /etc/pki/fleet.crt:/ssl/server.cert + - /etc/pki/fleet.crt:/ssl/server.cert:ro + - /opt/so/log/fleet:/var/log/osquery - watch: - /opt/so/conf/fleet/etc From d13e7559fe9349de27edd15b1fc5b588d2a038f3 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 13 Dec 2018 17:32:03 +0000 Subject: [PATCH 18/22] Filebeat - Enabled for master and only enable Bro/Suri inputs when needed --- salt/filebeat/etc/filebeat.yml | 4 ++-- salt/filebeat/init.sls | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 4384d124e..b7ab91e12 100644 --- a/salt/filebeat/etc/filebeat.yml 
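Review bot: The environment list this hunk extends still carries `KOLIDE_AUTH_JWT_KEY=thisisatest` directly above the new `KOLIDE_OSQUERY_STATUS_LOG_FILE` and `KOLIDE_OSQUERY_RESULT_LOG_FILE` entries; that key signs Fleet's session tokens, so a value committed to the repo means every deployment shares a guessable signing secret. Since setup already generates passwords and writes an auth pillar (patch 06), render it from pillar here instead, e.g. `- KOLIDE_AUTH_JWT_KEY={{ salt['pillar.get']('PILLAR_KEY_FOR_FLEET_JWT') }}` with the placeholder key name aligned to whatever the auth pillar actually defines. The new `/opt/so/log/fleet:/var/log/osquery` bind is correctly left writable and the certificate bind gains `:ro`, both of which look right.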
+++ b/salt/filebeat/etc/filebeat.yml @@ -12,6 +12,7 @@ filebeat.modules: # List of prospectors to fetch data. filebeat.prospectors: #------------------------------ Log prospector -------------------------------- +{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" %} {%- if BROVER != 'SURICATA' %} {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %} - type: log @@ -36,6 +37,7 @@ filebeat.prospectors: fields_under_root: true clean_removed: false close_removed: false +{%- endif %} {%- if WAZUHENABLED == '1' %} @@ -73,7 +75,6 @@ output.logstash: # Set gzip compression level. compression_level: 3 - # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. ssl.enabled: true @@ -97,7 +98,6 @@ output.logstash: # Client Certificate Key ssl.key: "/usr/share/filebeat/filebeat.key" - # Elasticsearch template settings #setup.template.settings: diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index da8f0637c..d3a1dfb14 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -63,8 +63,13 @@ so-filebeat: - /opt/so/log/suricata:/suricata:ro - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro +{%- if grains['role'] == 'so-master' %} + - /etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro + - /etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro +{%- else %} - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro +{%- endif %} - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro - watch: - file: /opt/so/conf/filebeat/etc From 62067f37cfa101f37776cb5cfb6022d89b487663 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 13 Dec 2018 17:33:12 +0000 Subject: [PATCH 19/22] Wazuh - Fix agent ip for storage nodes --- salt/wazuh/files/agent/wazuh-register-agent | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent index b6199cf9a..7e8574613 100755 --- a/salt/wazuh/files/agent/wazuh-register-agent +++ b/salt/wazuh/files/agent/wazuh-register-agent @@ -1,4 +1,8 @@ +{%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %} {%- set ip = salt['pillar.get']('static:masterip', '') %} +{%- elif grains['role'] == 'so-node' } +{% set ip = salt['pillar.get']('node:mainip', '') %} +{%- endif %} #!/bin/bash ### From 5e23859557e1418c6c4ed8c434a9278ef7736aa7 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 13 Dec 2018 17:34:19 +0000 Subject: [PATCH 20/22] Salt - Add Wazuh to other roles --- salt/top.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/top.sls b/salt/top.sls index 03c220047..a319209ca 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -10,6 +10,7 @@ base: {%- if BROVER != 'SURICATA' %} - bro {%- endif %} + - wazuh - filebeat - schedule @@ -49,6 +50,8 @@ base: - logstash - kibana - elastalert + - wazuh + - filebeat - utility - schedule - fleet @@ -87,6 +90,8 @@ base: - logstash - elasticsearch - curator + - wazuh + - filebeat - schedule 'G@role:mastersensor': From 4db52ec8654b115e798db7ca498c32a098f76424 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 13 Dec 2018 17:56:51 +0000 Subject: [PATCH 21/22] Wazuh - Add logic for sensors --- salt/wazuh/files/agent/ossec.conf | 4 ++++ salt/wazuh/files/agent/wazuh-register-agent | 4 +++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/salt/wazuh/files/agent/ossec.conf b/salt/wazuh/files/agent/ossec.conf index c89b9ce06..b4725075b 100644 --- a/salt/wazuh/files/agent/ossec.conf +++ b/salt/wazuh/files/agent/ossec.conf 
@@ -1,5 +1,9 @@ {%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %} {%- set ip = salt['pillar.get']('static:masterip', '') %} +{%- elif grains['role'] == 'so-node' } +{%- set ip = salt['pillar.get']('node:mainip', '') %} +{%- elif grains['role'] == 'so-sensor' } +{%- set ip = salt['pillar.get']('sensor:mainip', '') %} {%- endif %}