From 4f15e14cc2ba15ebfe2a3ae9266f43321ec08bd1 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 28 Mar 2019 14:24:17 +0000
Subject: [PATCH 1/8] TheHive: Add initial user

---
 salt/hive/thehive/files/hive_init.sh | 37 ++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100755 salt/hive/thehive/files/hive_init.sh

diff --git a/salt/hive/thehive/files/hive_init.sh b/salt/hive/thehive/files/hive_init.sh
new file mode 100755
index 000000000..d1893e200
--- /dev/null
+++ b/salt/hive/thehive/files/hive_init.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
+{%- set HIVEUSER = salt['pillar.get']('static:hiveuser', '') %}
+{%- set HIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %}
+{%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %}
+
+hive_init(){
+
+ HIVE_IP="{{MASTERIP}}"
+ HIVE_USER="{{HIVEUSER}}"
+ HIVE_PASSWORD="{{HIVEPASSWORD}}"
+ SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf"
+
+ # Migrate DB
+ curl -v -k -XPOST "https://$HIVE_IP:/thehive/api/maintenance/migrate"
+
+ # Generate unique ID for apikey
+ HIVE_KEY="{{HIVEKEY}}"
+
+ # Create intial TheHive user
+ curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_$USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}"
+
+ # Update SOCtopus config with apikey value
+ sed -i "s/hive_key = .*/hive_key = $HIVE_KEY/" $SOCTOPUS_CONFIG
+
+ # Check for correct authentication
+ #curl -v -k -H "Authorization: Bearer $HIVE_KEY" "https://$HIVE_IP/thehive/api/user/$USER"
+
+ touch /opt/so/state/thehive.txt
+
+}
+
+if [ -f /opt/so/state/thehive.txt ]; then
+ exit 0
+else
+ hive_init
+fi
From fce80236de55ee4577eebc5a0747c0c73f54bfe1 Mon Sep 17 00:00:00 2001
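Review bot: Both curl calls in the new hive_init.sh run with `-v`, and the user-creation call places the admin password and API key in the `-d` argument, so the secrets are visible in `ps` while curl runs and are echoed in the verbose trace that a Salt `cmd.script` run captures into job returns and logs. The marker file `/opt/so/state/thehive.txt` is also written unconditionally, so a failed migrate or user-creation call (note the stray `:` after the host in the migrate URL, whose acceptance depends on curl tolerating an empty port) is never retried on a later highstate, and `-k` disables certificate verification against a master whose certificate is present on the page as `/etc/pki/masterssl.crt`, which could be passed with `--cacert` if it exists on the minion running the script. I would drop `-v`, add `--fail`, feed the JSON body on stdin from the `printf` builtin, and only write the marker once both calls succeed; the login-field typo on the same line is corrected by patch 3 of this series. The rest of the script is unchanged.
```shell
hive_init(){
  # … unchanged: HIVE_IP / HIVE_USER / HIVE_PASSWORD / SOCTOPUS_CONFIG / HIVE_KEY assignments …

  # Migrate DB; a failure returns early so the marker file is not written
  curl -sS -k --fail -XPOST "https://$HIVE_IP/thehive/api/maintenance/migrate" || return 1

  # Create initial TheHive user. printf is a bash builtin and the body goes
  # to curl on stdin, so the password and API key never appear in argv.
  printf '%s' "{\"login\" : \"$HIVE_USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}" \
    | curl -sS -k --fail "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" --data-binary @- || return 1

  # … unchanged: SOCtopus config update …

  # Record completion only after both API calls succeeded
  touch /opt/so/state/thehive.txt
}
```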
From: Mike Reeves Date: Thu, 28 Mar 2019 10:40:29 -0400 Subject: [PATCH 2/8] The Hive - Wes Mods --- salt/hive/thehive/{files => scripts}/hive_init.sh | 8 ++++---- salt/soctopus/files/SOCtopus.conf | 5 +++-- so-setup-network.sh | 4 ++++ 3 files changed, 11 insertions(+), 6 deletions(-) rename salt/hive/thehive/{files => scripts}/hive_init.sh (93%) diff --git a/salt/hive/thehive/files/hive_init.sh b/salt/hive/thehive/scripts/hive_init.sh similarity index 93% rename from salt/hive/thehive/files/hive_init.sh rename to salt/hive/thehive/scripts/hive_init.sh index d1893e200..255bf0502 100755 --- a/salt/hive/thehive/files/hive_init.sh +++ b/salt/hive/thehive/scripts/hive_init.sh @@ -5,7 +5,7 @@ {%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %} hive_init(){ - + sleep 60 HIVE_IP="{{MASTERIP}}" HIVE_USER="{{HIVEUSER}}" HIVE_PASSWORD="{{HIVEPASSWORD}}" @@ -16,16 +16,16 @@ hive_init(){ # Generate unique ID for apikey HIVE_KEY="{{HIVEKEY}}" - + # Create intial TheHive user curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_$USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}" # Update SOCtopus config with apikey value - sed -i "s/hive_key = .*/hive_key = $HIVE_KEY/" $SOCTOPUS_CONFIG + #sed -i "s/hive_key = .*/hive_key = $HIVE_KEY/" $SOCTOPUS_CONFIG # Check for correct authentication #curl -v -k -H "Authorization: Bearer $HIVE_KEY" "https://$HIVE_IP/thehive/api/user/$USER" - + touch /opt/so/state/thehive.txt } diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf index 3ce772082..1a48ad92f 100644 --- a/salt/soctopus/files/SOCtopus.conf +++ b/salt/soctopus/files/SOCtopus.conf @@ -1,4 +1,5 @@ {%- set ip = salt['pillar.get']('static:masterip', '') %} +{%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %} [es] es_url = http://{{ip}}:9200 
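Review bot: The added `sleep 60` at the top of hive_init is a fixed delay rather than a readiness check, so the migrate and user-creation calls that follow still fail silently on a slow start and succeed needlessly late on a fast one. Because `HIVE_IP` is only assigned on the next line, the wait has to move below that assignment; a bounded poll against the base URL that the SOCtopus hunk on this page uses (`hive_url = https://{{ip}}/thehive/`) would return a non-zero status when the service never comes up, assuming the proxy answers the base path once TheHive is running. The second hunk of this file comments out the `sed` call but leaves `SOCTOPUS_CONFIG` assigned and unused; either remove the assignment or note that the key is now rendered into SOCtopus.conf from the pillar. hive_init continues past the end of this hunk.
```shell
hive_init(){
  HIVE_IP="{{MASTERIP}}"
  # Wait for TheHive to answer instead of a fixed 60 s sleep; give up after
  # about five minutes so a container that never comes up is reported.
  tries=0
  until curl -s -k --fail -o /dev/null "https://$HIVE_IP/thehive/"; do
    tries=$((tries + 1))
    if [ "$tries" -ge 60 ]; then
      echo "TheHive at $HIVE_IP did not become reachable" >&2
      return 1
    fi
    sleep 5
  done
  # … unchanged: remaining assignments and API calls …
```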
@@ -20,14 +21,14 @@ grr_pass = YOURGRRPASS [hive] hive_url = https://{{ip}}/thehive/ -hive_key = YOURHIVEKEY +hive_key = {{ HIVEKEY }} hive_tlp = 3 hive_verifycert = False [misp] misp_url = YOURMISPURL misp_key = YOURMISPKEY -misp_verifycert = False +misp_verifycert = False distrib = 0 threat = 4 analysis = 0 diff --git a/so-setup-network.sh b/so-setup-network.sh index 1643d3e42..dde654eb3 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -427,6 +427,7 @@ generate_passwords(){ # Generate Random Passwords for Things MYSQLPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) FLEETPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) + HIVEKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) } get_filesystem_nsm(){ @@ -588,6 +589,9 @@ master_static() { echo " broversion: $BROVERSION" >> /opt/so/saltstack/pillar/static.sls echo " ids: $NIDS" >> /opt/so/saltstack/pillar/static.sls echo " masterip: $MAINIP" >> /opt/so/saltstack/pillar/static.sls + echo " hiveuser: hiveadmin" >> /opt/so/saltstack/pillar/static.sls + echo " hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls + echo " hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls if [[ $MASTERUPDATES == 'MASTER' ]]; then echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls else From fd027cb95465aebd97c90e301b647f1de7b192bd Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 28 Mar 2019 10:55:32 -0400 Subject: [PATCH 3/8] The Hive - Fix the user creation script --- salt/hive/thehive/scripts/hive_init.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/hive/thehive/scripts/hive_init.sh b/salt/hive/thehive/scripts/hive_init.sh index 255bf0502..54c658474 100755 --- a/salt/hive/thehive/scripts/hive_init.sh +++ b/salt/hive/thehive/scripts/hive_init.sh 
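Review bot: The `master_static` hunk in so-setup-network.sh writes a fixed password, `echo " hivepassword: hivechangeme"`, for an account that hive_init.sh creates with the `admin` role, while the API key on the next line is generated at random. Generating the password the same way as the neighbouring values, `HIVEPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)` in `generate_passwords` and `echo " hivepassword: $HIVEPASS" >> /opt/so/saltstack/pillar/static.sls` here, removes the shared default. Since static.sls now carries an admin-capable API key, its file mode matters; that is not visible in this diff and is worth confirming, as is the mode of the rendered SOCtopus.conf that receives `hive_key = {{ HIVEKEY }}` in the first hunk on this line. `master_static` and `generate_passwords` both begin outside their hunks.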
@@ -18,7 +18,7 @@ hive_init(){ HIVE_KEY="{{HIVEKEY}}" # Create intial TheHive user - curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_$USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}" + curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}" # Update SOCtopus config with apikey value #sed -i "s/hive_key = .*/hive_key = $HIVE_KEY/" $SOCTOPUS_CONFIG From 77c90ce752bdbe4168c2304f8d1213216f2d0d84 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 28 Mar 2019 11:23:06 -0400 Subject: [PATCH 4/8] The Hive - Just scripted filed left --- salt/hive/init.sls | 5 +++++ salt/hive/thehive/scripts/hive_init.sh | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/salt/hive/init.sls b/salt/hive/init.sls index d0af62fc3..371e790de 100644 --- a/salt/hive/init.sls +++ b/salt/hive/init.sls @@ -78,3 +78,8 @@ so-thehive: - /opt/so/conf/hive/etc/application.conf:/opt/thehive/conf/application.conf:ro - port_bindings: - 0.0.0.0:9000:9000 + +hivescript: + cmd.script: + - source: salt://hive/thehive/scripts/hive_init.sh + - template: jinja diff --git a/salt/hive/thehive/scripts/hive_init.sh b/salt/hive/thehive/scripts/hive_init.sh index 54c658474..cb901e36b 100755 --- a/salt/hive/thehive/scripts/hive_init.sh +++ b/salt/hive/thehive/scripts/hive_init.sh 
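Review bot: The new `hivescript` state in salt/hive/init.sls has no `require` on the `so-thehive` state it depends on and no `creates`, so Salt may run it before the container is started and will render the pillar password and API key into the script and execute it on every highstate, even after the marker file exists and the script itself exits early. Adding `- creates: /opt/so/state/thehive.txt` and `- require:` with `- docker_container: so-thehive` (so-thehive appears to be a docker_container state from the context lines) makes the state run once, after the container state, and would let the script's own marker check and the fixed sleep go. The `so-thehive` definition begins outside this hunk.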
@@ -18,7 +18,7 @@ hive_init(){ HIVE_KEY="{{HIVEKEY}}" # Create intial TheHive user - curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}" + curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}" # Update SOCtopus config with apikey value #sed -i "s/hive_key = .*/hive_key = $HIVE_KEY/" $SOCTOPUS_CONFIG From 87fde50eb148bdbc557dad411cd5ca22cbf80d47 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 28 Mar 2019 14:46:20 -0400 Subject: [PATCH 5/8] Top.sls - Add SOCtopus as default docker to get loaded --- salt/top.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/top.sls b/salt/top.sls index bd917428e..2a34c7548 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -44,6 +44,7 @@ base: - filebeat - utility - schedule + - soctopus 'G@role:so-master': @@ -64,6 +65,7 @@ base: - utility - schedule - fleet + - soctopus # Storage node logic From 2dd6558826897b526d5aa1e6cf0411539c774146 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 1 Apr 2019 11:10:44 -0400 Subject: [PATCH 6/8] Suricata Module - Suricata 4.1.3 --- salt/suricata/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index ea29c69a0..48106a83a 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -72,7 +72,7 @@ suriconfigsync: so-suricata: docker_container.running: - - image: soshybridhunter/so-suricata:HH1.0.6 + - image: soshybridhunter/so-suricata:HH1.0.7 - privileged: True - environment: - INTERFACE={{ interface }} 
From 139f0cd281f941b87e5edad810d3b024751b67de Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 1 Apr 2019 17:22:22 -0400 Subject: [PATCH 7/8] 1.0.7 Upgrade --- salt/common/init.sls | 8 ++++---- salt/kibana/init.sls | 2 +- salt/master/init.sls | 2 +- salt/mysql/init.sls | 2 +- salt/redis/init.sls | 2 +- salt/wazuh/init.sls | 2 +- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 74735a185..eadf4f142 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -103,7 +103,7 @@ nginxtmp: # Start the core docker so-core: docker_container.running: - - image: soshybridhunter/so-core:HH1.0.5 + - image: soshybridhunter/so-core:HH1.0.7 - hostname: so-core - user: socore - binds: @@ -156,7 +156,7 @@ tgrafconf: so-telegraf: docker_container.running: - - image: soshybridhunter/so-telegraf:HH1.0.4 + - image: soshybridhunter/so-telegraf:HH1.0.7 - environment: - HOST_PROC=/host/proc - HOST_ETC=/host/etc @@ -211,7 +211,7 @@ influxdbconf: so-influxdb: docker_container.running: - - image: soshybridhunter/so-influxdb:HH1.0.4 + - image: soshybridhunter/so-influxdb:HH1.0.7 - hostname: influxdb - environment: - INFLUXDB_HTTP_LOG_ENABLED=false @@ -368,7 +368,7 @@ dashboard-{{ SN }}: # Install the docker. This needs to be behind nginx at some point so-grafana: docker_container.running: - - image: soshybridhunter/so-grafana:HH1.0.4 + - image: soshybridhunter/so-grafana:HH1.0.7 - hostname: grafana - user: socore - binds: diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 3b5037336..050582c82 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -57,7 +57,7 @@ synckibanacustom: # Start the kibana docker so-kibana: docker_container.running: - - image: soshybridhunter/so-kibana:HH1.0.6 + - image: soshybridhunter/so-kibana:HH1.0.7 - hostname: kibana - user: kibana - environment: diff --git a/salt/master/init.sls b/salt/master/init.sls index 35f6c5254..8f20ef69f 100644 --- a/salt/master/init.sls 
+++ b/salt/master/init.sls @@ -49,7 +49,7 @@ acngcopyconf: # Install the apt-cacher-ng container so-aptcacherng: docker_container.running: - - image: soshybridhunter/so-acng:HH1.0.5 + - image: soshybridhunter/so-acng:HH1.0.7 - hostname: so-acng - port_bindings: - 0.0.0.0:3142:3142 diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index af80030ee..b1e875578 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -50,7 +50,7 @@ mysqldatadir: so-mysql: docker_container.running: - - image: soshybridhunter/so-mysql:HH1.0.5 + - image: soshybridhunter/so-mysql:HH1.0.7 - hostname: so-mysql - user: socore - port_bindings: diff --git a/salt/redis/init.sls b/salt/redis/init.sls index cd982a137..6dfbb473d 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -49,7 +49,7 @@ toosmooth/so-redis:test2: so-redis: docker_container.running: - - image: soshybridhunter/so-redis:HH1.0.5 + - image: soshybridhunter/so-redis:HH1.0.7 - hostname: so-redis - user: socore - port_bindings: diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index ac05f1984..4e5c136b5 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -58,7 +58,7 @@ wazuhagentregister: so-wazuh: docker_container.running: - - image: soshybridhunter/so-wazuh:HH1.0.5 + - image: soshybridhunter/so-wazuh:HH1.0.7 - hostname: {{HOSTNAME}}-wazuh-manager - name: so-wazuh - detach: True From 2bbd31c9549101b4aebf02c0b3c774ccd94a343a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 2 Apr 2019 11:21:57 -0400 Subject: [PATCH 8/8] Core Module - Update packages mapping --- salt/common/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/init.sls b/salt/common/init.sls index eadf4f142..22e36d1d2 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls 
@@ -114,6 +114,7 @@ so-core:
 - /opt/so/tmp/nginx/:/run:rw
 - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro
 - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro
+ - /opt/so/conf/fleet/packages:/opt/so/html/packages
 - cap_add: NET_BIND_SERVICE
 - port_bindings:
 - 80:80
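Review bot: The new bind `- /opt/so/conf/fleet/packages:/opt/so/html/packages` is mounted read-write, unlike the two certificate binds above it that carry `:ro`. If so-core only serves these packages over nginx, which the `/opt/so/html` target suggests but the diff does not show, the mount should be `- /opt/so/conf/fleet/packages:/opt/so/html/packages:ro` so that a compromise of the web container cannot alter the packages handed out to Fleet agents. The `so-core` state begins outside this hunk.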