Merge branch 'master' of https://github.com/TOoSmOotH/securityonion-saltstack

2025-12-06 09:12:45 +01:00 · 2018-12-13 13:22:04 -05:00
parent eb04bd1bb4 f538eddb5f
commit 07a2b34583
12 changed files with 478 additions and 14 deletions
--- a/salt/common/nginx/nginx.conf.so-eval
+++ b/salt/common/nginx/nginx.conf.so-eval
@@ -110,6 +110,20 @@ http {
          proxy_set_header      Proxy "";

        }
+
+        location /api/ {
+          proxy_pass https://{{ masterip }}:8080/api/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Upgrade $http_upgrade;
+          proxy_set_header      Connection "Upgrade";
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }
+
        location /fleet/ {
 	  rewrite /fleet/(.*) /$1 break;
          proxy_pass https://{{ masterip }}:8080/;
--- a/salt/common/nginx/nginx.conf.so-master
+++ b/salt/common/nginx/nginx.conf.so-master
@@ -111,6 +111,18 @@ http {

        }

+        location /api/ {
+          proxy_pass https://{{ masterip }}:8080/api/;
+          proxy_read_timeout    90;
+          proxy_connect_timeout 90;
+          proxy_set_header      Upgrade $http_upgrade;
+          proxy_set_header      Connection "Upgrade";
+          proxy_set_header      Host $host;
+          proxy_set_header      X-Real-IP $remote_addr;
+          proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header      Proxy "";
+
+        }

        location /fleet/ {
 	  rewrite /fleet/(.*) /$1 break;
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -12,6 +12,7 @@ filebeat.modules:
 # List of prospectors to fetch data.
 filebeat.prospectors:
 #------------------------------ Log prospector --------------------------------
+{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" %}
 {%- if BROVER != 'SURICATA' %}
 {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '')  %}
  - type: log
@@ -36,6 +37,7 @@ filebeat.prospectors:
    fields_under_root: true
    clean_removed: false
    close_removed: false
+{%- endif %}

 {%- if WAZUHENABLED == '1' %}

@@ -47,6 +49,16 @@ filebeat.prospectors:
    fields_under_root: true
    clean_removed: false
    close_removed: false
+
+  - type: log
+    paths:
+      - /wazuh/archives/archives.json
+    fields:
+      type: ossec_archive
+    fields_under_root: true
+    clean_removed: false
+    close_removed: false
+
 {%- endif %}

 #----------------------------- Logstash output ---------------------------------
@@ -63,7 +75,6 @@ output.logstash:
  # Set gzip compression level.
  compression_level: 3

-
  # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
  ssl.enabled: true

@@ -87,7 +98,6 @@ output.logstash:
  # Client Certificate Key
  ssl.key: "/usr/share/filebeat/filebeat.key"

-
 # Elasticsearch template settings
 #setup.template.settings:

--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -61,8 +61,15 @@ so-filebeat:
      - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
      - /nsm/bro:/nsm/bro:ro
      - /opt/so/log/suricata:/suricata:ro
+      - /opt/so/wazuh/logs/alerts/:/wazuh/alerts:ro
+      - /opt/so/wazuh/logs/archives/:/wazuh/archives:ro
+{%- if grains['role'] == 'so-master' %}
+      - /etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
+      - /etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
+{%- else %}
      - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro
      - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro
+{%- endif %} 
      - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
    - watch:
      - file: /opt/so/conf/filebeat/etc
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -1,5 +1,19 @@
 # Firewall Magic for the grid

+{% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
+
+{%- set ip = salt['pillar.get']('static:masterip', '') %}
+
+{% elif grains['role'] == 'so-node'%}
+
+{%- set ip = salt['pillar.get']('node:mainip', '') %}
+
+{% elif grains['role'] == 'so-sensor'%}
+
+{%- set ip = salt['pillar.get']('sensor:mainip', '') %}
+
+{% endif %}
+
 # Keep localhost in the game
 iptables_allow_localhost:
  iptables.append:
@@ -86,6 +100,29 @@ enable_docker_user_established:
    - match: conntrack
    - ctstate: 'RELATED,ESTABLISHED'

+# Add rule(s) for Wazuh manager
+enable_wazuh_manager_1514_tcp_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 1514
+    - position: 1
+    - save: True
+
+enable_wazuh_manager_1514_udp_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: udp
+    - source: {{ ip }}
+    - dport: 1514
+    - position: 1
+    - save: True
+
 # Rules if you are a Master
 {% if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
 #This should be more granular
--- a/salt/fleet/init.sls
+++ b/salt/fleet/init.sls
@@ -10,6 +10,13 @@ fleetcdir:
    - group: 939
    - makedirs: True

+fleetlogdir:
+  file.directory:
+    - name: /opt/so/log/fleet
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 fleetdb:
  mysql_database.present:
    - name: fleet
@@ -44,8 +51,11 @@ so-fleet:
      - KOLIDE_SERVER_KEY=/ssl/server.key
      - KOLIDE_LOGGING_JSON=true
      - KOLIDE_AUTH_JWT_KEY=thisisatest
+      - KOLIDE_OSQUERY_STATUS_LOG_FILE=/var/log/osquery/status.log
+      - KOLIDE_OSQUERY_RESULT_LOG_FILE=/var/log/osquery/result.log
    - binds:
      - /etc/pki/fleet.key:/ssl/server.key:ro
-      - /etc/pki/fleet.crt:/ssl/server.cert
+      - /etc/pki/fleet.crt:/ssl/server.cert:ro
+      - /opt/so/log/fleet:/var/log/osquery
    - watch:
      - /opt/so/conf/fleet/etc
--- a/salt/logstash/files/dynamic/0006_input_beats.conf
+++ b/salt/logstash/files/dynamic/0006_input_beats.conf
@@ -9,7 +9,7 @@ input {
  }
 }
 filter {
-  if [type] == "ids" {
+  if [type] == "ids" or [type] =~ "bro" {
    mutate {
      rename => { "host" => "beat_host" }
      remove_tag => ["beat"]
@@ -17,11 +17,10 @@ filter {
      add_field => { "syslog-host_from" => "%{[beat][name]}" }
    }
  }
-  if "bro" in [tags] {
+  if [type] =~ "ossec" {
    mutate {
      rename => { "host" => "beat_host" }
      remove_tag => ["beat"]
-      add_field => { "sensor_name" => "%{[beat][name]}" }
      add_field => { "syslog-host_from" => "%{[beat][name]}" }
    }
  }
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -10,6 +10,7 @@ base:
    {%- if BROVER != 'SURICATA' %}
    - bro
    {%- endif %}
+    - wazuh
    - filebeat
    - schedule

@@ -29,11 +30,11 @@ base:
    - bro
    - curator
    - elastalert
+    - fleet
+    - wazuh
    - filebeat
    - utility
    - schedule
-    - fleet
-    - wazuh


  'G@role:so-master':
@@ -49,6 +50,8 @@ base:
    - logstash
    - kibana
    - elastalert
+    - wazuh
+    - filebeat
    - utility
    - schedule
    - fleet
@@ -87,6 +90,8 @@ base:
    - logstash
    - elasticsearch
    - curator
+    - wazuh
+    - filebeat
    - schedule

  'G@role:mastersensor':
--- a/salt/wazuh/files/agent/ossec.conf
+++ b/salt/wazuh/files/agent/ossec.conf
@@ -0,0 +1,199 @@
+{%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
+{%- set ip = salt['pillar.get']('static:masterip', '') %}
+{%- elif grains['role'] == 'so-node' }
+{%- set ip = salt['pillar.get']('node:mainip', '') %}
+{%- elif grains['role'] == 'so-sensor' }
+{%- set ip = salt['pillar.get']('sensor:mainip', '') %}
+{%- endif %} 
+<!--
+  Wazuh - Agent - Default configuration for ubuntu 16.04
+  More info at: https://documentation.wazuh.com
+  Mailing list: https://groups.google.com/forum/#!forum/wazuh
+-->
+
+<ossec_config>
+  <client>
+    <server>
+      <address>{{ip}}</address>
+      <port>1514</port>
+      <protocol>udp</protocol>
+    </server>
+    <config-profile>ubuntu, ubuntu16, ubuntu16.04</config-profile>
+    <notify_time>10</notify_time>
+    <time-reconnect>60</time-reconnect>
+    <auto_restart>yes</auto_restart>
+    <crypto_method>aes</crypto_method>
+  </client>
+
+  <client_buffer>
+    <!-- Agent buffer options -->
+    <disabled>no</disabled>
+    <queue_size>5000</queue_size>
+    <events_per_second>500</events_per_second>
+  </client_buffer>
+
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>no</disabled>
+    <check_unixaudit>yes</check_unixaudit>
+    <check_files>yes</check_files>
+    <check_trojans>yes</check_trojans>
+    <check_dev>yes</check_dev>
+    <check_sys>yes</check_sys>
+    <check_pids>yes</check_pids>
+    <check_ports>yes</check_ports>
+    <check_if>yes</check_if>
+
+    <!-- Frequency that rootcheck is executed - every 12 hours -->
+    <frequency>43200</frequency>
+
+    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
+
+    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
+    <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
+
+    <skip_nfs>yes</skip_nfs>
+  </rootcheck>
+
+  <wodle name="open-scap">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+  </wodle>
+
+  <wodle name="cis-cat">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+
+    <java_path>wodles/java</java_path>
+    <ciscat_path>wodles/ciscat</ciscat_path>
+  </wodle>
+
+  <!-- Osquery integration -->
+  <wodle name="osquery">
+    <disabled>yes</disabled>
+    <run_daemon>yes</run_daemon>
+    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
+    <config_path>/etc/osquery/osquery.conf</config_path>
+    <add_labels>yes</add_labels>
+  </wodle>
+
+  <!-- System inventory -->
+  <wodle name="syscollector">
+    <disabled>no</disabled>
+    <interval>1h</interval>
+    <scan_on_start>yes</scan_on_start>
+    <hardware>yes</hardware>
+    <os>yes</os>
+    <network>yes</network>
+    <packages>yes</packages>
+    <ports all="no">yes</ports>
+    <processes>yes</processes>
+  </wodle>
+
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>no</disabled>
+
+    <!-- Frequency that syscheck is executed default every 12 hours -->
+    <frequency>43200</frequency>
+
+    <scan_on_start>yes</scan_on_start>
+
+    <!-- Directories to check  (perform all possible verifications) -->
+    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
+    <directories check_all="yes">/bin,/sbin,/boot</directories>
+
+    <!-- Files/directories to ignore -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/random.seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+    <ignore>/sys/kernel/security</ignore>
+    <ignore>/sys/kernel/debug</ignore>
+
+    <!-- Check the file, but never compute the diff -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+
+    <skip_nfs>yes</skip_nfs>
+
+    <!-- Remove not monitored files -->
+    <remove_old_diff>yes</remove_old_diff>
+
+    <!-- Allow the system to restart Auditd after installing the plugin -->
+    <restart_audit>yes</restart_audit>
+  </syscheck>
+
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>command</log_format>
+    <command>df -P</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+    <alias>netstat listening ports</alias>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>last -n 20</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <!-- Active response -->
+  <active-response>
+    <disabled>no</disabled>
+    <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
+    <ca_verification>yes</ca_verification>
+  </active-response>
+
+  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+  <logging>
+    <log_format>plain</log_format>
+  </logging>
+
+</ossec_config>
+
+<ossec_config>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/auth.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/syslog</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/dpkg.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/kern.log</location>
+  </localfile>
+
+</ossec_config>
--- a/salt/wazuh/files/agent/wazuh-register-agent
+++ b/salt/wazuh/files/agent/wazuh-register-agent
@@ -0,0 +1,139 @@
+{%- if grains['role'] == 'so-master' or grains['role'] == 'so-eval' %}
+{%- set ip = salt['pillar.get']('static:masterip', '') %}
+{%- elif grains['role'] == 'so-node' } 
+{%- set ip = salt['pillar.get']('node:mainip', '') %}
+{%- elif grains['role'] == 'so-sensor' }
+{%- set ip = salt['pillar.get']('sensor:mainip', '') %}
+{%- endif %}
+#!/bin/bash
+
+###
+#  Shell script for registering agents automatically with the API
+#  Copyright (C) 2017 Wazuh, Inc. All rights reserved.
+#  Wazuh.com
+#
+#  This program is a free software; you can redistribute it
+#  and/or modify it under the terms of the GNU General Public
+#  License (version 2) as published by the FSF - Free Software
+#  Foundation.
+###
+#
+#  12/11/2018
+#  This script has been modified by Security Onion Solutions
+#  - Added Agent IP variable and option
+###
+
+# Connection variables
+API_IP="localhost"
+API_PORT="55000"
+PROTOCOL="https"
+USER="foo"
+PASSWORD="bar"
+AGENT_NAME=$(hostname)
+AGENT_IP="{{ip}}"
+
+display_help() {
+cat <<HELP_USAGE
+
+    $0  [-h] [-f|--force] [-q|--quiet] [agent]
+
+   -h             Show this message.
+   -f|--force     Force agent removal (if already registered)
+                  The agent will be re-regitered with a new ID
+   -s|--silent    Surpress the output while removing the agent
+   agent          Agent name (if missing we will use the output
+                  of the hostname command) 
+HELP_USAGE
+}
+
+register_agent() {
+  # Adding agent and getting Id from manager
+  echo ""
+  echo "Adding agent:"
+  echo "curl -s -u $USER:**** -k -X POST -d 'name=$AGENT_NAME&ip=$AGENT_IP' $PROTOCOL://$API_IP:$API_PORT/agents"
+  API_RESULT=$(curl -s -u $USER:"$PASSWORD" -k -X POST -d 'name='$AGENT_NAME'&ip='$AGENT_IP $PROTOCOL://$API_IP:$API_PORT/agents)
+  echo -e $API_RESULT | grep -q "\"error\":0" 2>&1
+
+  if [ "$?" != "0" ]; then
+    echo -e $API_RESULT | sed -rn 's/.*"message":"(.+)".*/\1/p'
+    exit 0
+  fi
+  # Get agent id and agent key 
+  AGENT_ID=$(echo $API_RESULT | cut -d':' -f 4 | cut -d ',' -f 1)
+  AGENT_KEY=$(echo $API_RESULT | cut -d':' -f 5 | cut -d '}' -f 1)
+
+  echo "Agent '$AGENT_NAME' with ID '$AGENT_ID' added."
+  echo "Key for agent '$AGENT_ID' received."
+
+  # Importing key
+  echo ""
+  echo "Importing authentication key:"
+  echo "y" | /var/ossec/bin/manage_agents -i $AGENT_KEY
+
+  # Restarting agent
+  echo ""
+  echo "Restarting:"
+  echo ""
+  /var/ossec/bin/ossec-control restart
+
+  exit 0
+}
+
+remove_agent() {
+  echo "Found: $AGENT_ID"
+  echo "Removing previous registration for '$AGENT_NAME' using ID: $AGENT_ID ..."
+  # curl -u foo:bar -k -X DELETE "https://127.0.0.1:55000/agents/001
+  REMOVE_AGENT=$(curl -s -u $USER:"$PASSWORD" -k -X DELETE $PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID)
+  echo -e $REMOVE_AGENT
+}
+
+get_agent_id() {
+  echo ""
+  echo "Checking for Agent ID..."
+  AGENT_ID=$(curl -s -u $USER:"$PASSWORD" -k -X GET $PROTOCOL://$API_IP:$API_PORT/agents/name/$AGENT_NAME | rev | cut -d: -f1 | rev | grep -o '".*"' | tr -d '"')
+}
+
+# MAIN
+# ENTRY POINT
+
+while getopts ':hfsi:' OPTION; do
+  case "$OPTION" in
+    h)
+      display_help
+      exit 0
+      ;;
+    f|--force)
+      FORCE=true
+      ;;
+    i|--ip)
+      AGENT_IP=${OPTARG}
+      ;;
+    s|--silent)
+      SILENT=true
+      ;;
+  esac
+done
+# reset $1, $2 .... as normal argument after the flag
+shift $(($OPTIND - 1))
+
+# if no arguments are passed in after the flags, we assign the hostname value to the AGENT_NAME 
+#AGENT_NAME=${1:-$(hostname)}
+
+#get_agent_id
+
+# check the return value. If we get an integer back then the agent is already registered. Anything else -> agent is not registered
+#  if ! [ "$AGENT_ID" -eq "$AGENT_ID" ] 2> /dev/null ; then
+#   echo "Starting registration process ..."
+#   :
+#  elif [[ "$FORCE" = true && "$SILENT" = "true" ]] ; then
+#   remove_agent > /dev/null 2>&1
+#  else
+#    if [[ "$FORCE" = true ]] ; then
+#      remove_agent
+#    fi
+#  fi
+
+# Default action -> try to register the agent
+sleep 10s
+register_agent
+#remove_agent
--- a/salt/wazuh/init.sls
+++ b/salt/wazuh/init.sls
@@ -1,10 +1,6 @@
 {%- set HOSTNAME = salt['grains.get']('host', '') %}

-#vm.max_map_count:
-#  sysctl.present:
-#    - value: 262144
-
-# Add ossec Group
+# Add ossec group
 ossecgroup:
  group.present:
    - name: ossec
@@ -41,6 +37,25 @@ wazuhpkgs:
   - pkgs:
     - wazuh-agent

+# Add Wazuh agent conf
+wazuhagentconf:
+  file.managed:
+    - name: /var/ossec/etc/ossec.conf
+    - source: salt://wazuh/files/agent/ossec.conf
+    - user: 0
+    - group: 945
+    - template: jinja
+
+# Add Wazuh agent conf
+wazuhagentregister:
+  file.managed:
+    - name: /usr/sbin/wazuh-register-agent
+    - source: salt://wazuh/files/agent/wazuh-register-agent
+    - user: 0
+    - group: 0
+    - mode: 755
+    - template: jinja
+
 so-wazuh:
  docker_container.running:
    - image: soshybridhunter/so-wazuh:HH1.0.5
@@ -48,8 +63,15 @@ so-wazuh:
    - name: so-wazuh
    - detach: True
    - port_bindings:
-      - 0.0.0.0:1514:1514
+      - 0.0.0.0:1514:1514/udp
+      - 0.0.0.0:1514:1514/tcp
      - 0.0.0.0:55000:55000
    - binds:
      - /opt/so/wazuh/:/var/ossec/data/:rw

+# Register the agent
+registertheagent:
+  cmd.run:
+    - name: /usr/sbin/wazuh-register-agent
+    - cwd: /
+    #- stateful: True
--- a/so-setup-network.sh
+++ b/so-setup-network.sh
@@ -220,6 +220,14 @@ configure_minion() {

 }

+configure_wazuh_agent(){
+
+  # Configure Wazuh agent to talk to manager
+  echo "Configuring Wazuh agent to talk to manager..."
+  /usr/sbin/wazuh-register-agent -i $MAINIP
+
+}
+
 copy_master_config() {

  # Copy the master config template to the proper directory
@@ -1629,6 +1637,7 @@ if (whiptail_you_sure); then
    CURCLOSEDAYS=30
    whiptail_make_changes
    generate_passwords
+    auth_pillar
    clear_master
    mkdir -p /nsm
    get_filesystem_root
@@ -1664,6 +1673,7 @@ if (whiptail_you_sure); then
    salt_checkin_message
    salt_checkin
    checkin_at_boot
+    #configure_wazuh_agent
    whiptail_setup_complete
  fi