From 52867394142c46721df55f85f1b14ba598b17a0f Mon Sep 17 00:00:00 2001
From: defensivedepth
Date: Tue, 24 Sep 2024 10:51:52 -0400
Subject: [PATCH 1/4] Disable by default
---
 salt/elasticfleet/config.sls | 4 +++-
 salt/elasticfleet/enabled.sls | 11 +++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/salt/elasticfleet/config.sls b/salt/elasticfleet/config.sls
index 43bfb8af9..c5be686a7 100644
--- a/salt/elasticfleet/config.sls
+++ b/salt/elasticfleet/config.sls
@@ -85,7 +85,7 @@ soresourcesrepoclone:
 git.latest:
 - name: https://github.com/Security-Onion-Solutions/securityonion-resources.git
 - target: /nsm/securityonion-resources
- - rev: 'dev/defend_filters'
+ - rev: 'main'
 - depth: 1
 {% endif %}
@@ -112,6 +112,7 @@ elasticdefendcustom:
 - group: 939
 - mode: 600
+{% if ELASTICFLEETMERGED.config.defend_filters.enable_auto_configuration %}
 cronelasticdefendfilters:
 cron.present:
 - name: python3 /sbin/so-elastic-defend-manage-filters.py -c /opt/so/conf/elasticsearch/curl.config -d /opt/so/conf/elastic-fleet/defend-exclusions/disabled-filters.yaml -i /nsm/securityonion-resources/event_filters/ -i /opt/so/conf/elastic-fleet/defend-exclusions/rulesets/custom-filters/ &>> /opt/so/log/elasticfleet/elastic-defend-manage-filters.log
@@ -122,6 +123,7 @@ cronelasticdefendfilters:
 - daymonth: '*'
 - month: '*'
 - dayweek: '*'
+{% endif %}
 eaintegrationsdir:
 file.directory:
diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls
index 26738b688..8cc79bf57 100644
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
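Review bot: `- rev: 'main'` pins the clone to a moving branch head, so each state run pulls whatever is currently on `main` into `/nsm/securityonion-resources`, which the filter cron in the next hunk consumes as `-i /nsm/securityonion-resources/event_filters/`. If those files are Elastic Defend event filters (the `defend-exclusions` naming suggests they suppress endpoint events), anyone who can push to that branch, or interpose on the fetch, can change what endpoints stop reporting on every grid with auto-configuration enabled, with no local review step. Moving off `dev/defend_filters` is the right direction; consider going one step further and pinning `rev` to a release tag or commit that soup bumps deliberately, or at minimum logging the fetched commit so a change is auditable. The `{% if %}` that encloses this state opens outside the hunk.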
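Review bot: Nothing in this four-patch series adds `defend_filters.enable_auto_configuration` to the elasticfleet defaults (the diffstats list only config.sls, enabled.sls, soup and so-functions), so the new `{% if ELASTICFLEETMERGED.config.defend_filters.enable_auto_configuration %}` guard relies on that key already being in defaults.yaml or the pillar merge; if Salt renders with strict undefined handling, as I believe it does by default, a missing key makes this whole SLS fail to render rather than quietly treating the feature as off. Worth confirming the default exists and is `false`, since the commit title promises disabled-by-default. A comment such as `{# defend_filters.enable_auto_configuration defaults to false in defaults.yaml #}` above the guard would make that dependency visible.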
@@ -17,10 +17,12 @@ include:
 - elasticfleet.sostatus
 - ssl
+{% if grains.role not in ['so-fleet'] %}
 # Wait for Elasticsearch to be ready - no reason to try running Elastic Fleet server if ES is not ready
 wait_for_elasticsearch_elasticfleet:
 cmd.run:
 - name: so-elasticsearch-wait
+{% endif %}
 # If enabled, automatically update Fleet Logstash Outputs
 {% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval', 'so-fleet'] %}
@@ -146,6 +148,15 @@ so-elastic-agent-grid-upgrade:
 so-elastic-fleet-integration-upgrade:
 cmd.run:
 - name: /usr/sbin/so-elastic-fleet-integration-upgrade
+
+{% if ELASTICFLEETMERGED.config.defend_filters.enable_auto_configuration %}
+so-elastic-defend-manage-filters-file-watch:
+ cmd.run:
+ - name: python3 /sbin/so-elastic-defend-manage-filters.py -c /opt/so/conf/elasticsearch/curl.config -d /opt/so/conf/elastic-fleet/defend-exclusions/disabled-filters.yaml -i /nsm/securityonion-resources/event_filters/ -i /opt/so/conf/elastic-fleet/defend-exclusions/rulesets/custom-filters/ &>> /opt/so/log/elasticfleet/elastic-defend-manage-filters.log
+ - onchanges:
+ - file: /opt/so/conf/elastic-fleet/defend-exclusions/rulesets/custom-filters-raw
+ - file: /opt/so/conf/elastic-fleet/defend-exclusions/disabled-filters.yaml
+{% endif %}
 {% endif %}
 delete_so-elastic-fleet_so-status.disabled:
From 01f87218de9140d8b59ded233e47b2605af5668d Mon Sep 17 00:00:00 2001
From: defensivedepth
Date: Tue, 24 Sep 2024 12:04:24 -0400
Subject: [PATCH 2/4] Airgap support
---
 salt/manager/tools/sbin/soup | 6 ++++++
 setup/so-functions | 5 +++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup
index 452300bba..2a1f3f2f8 100755
--- a/salt/manager/tools/sbin/soup
+++ b/salt/manager/tools/sbin/soup
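Review bot: The new `so-elastic-defend-manage-filters-file-watch` state appears to sit inside the outer `{% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval', 'so-fleet'] %}` block (the context `{% endif %}` immediately after the added block looks like its close), so on so-eval/so-import, or wherever server auto-configuration is switched off, edits to the custom filters or `disabled-filters.yaml` are not picked up by this watch and wait for the cron in config.sls instead. If that is not intended, move the block after the outer `{% endif %}` so it is gated by `defend_filters.enable_auto_configuration` alone. Separately, the `&>>` redirection in the `cmd.run` name is bash-specific; if the minion's default shell is `/bin/sh` on a dash-based host, the script is backgrounded and its output is lost, so `>> /opt/so/log/elasticfleet/elastic-defend-manage-filters.log 2>&1` is the safer spelling. The outer `{% if %}` opens well before this hunk.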
@@ -888,6 +888,12 @@ update_airgap_rules() {
 rsync -av $UPDATE_DIR/agrules/suricata/* /nsm/rules/suricata/
 rsync -av $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/
 rsync -av $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/
+ # Checkout the stable summaries branch and copy them over for SOC
+ git -C $UPDATE_DIR/agrules/securityonion-resources/ checkout generated-summaries-stable
+ rsync -av $UPDATE_DIR/agrules/securityonion-resources/* /opt/so/conf/soc/ai_summary_repos
+ # Checkout the main branch and copy them over to nsm
+ git -C $UPDATE_DIR/agrules/securityonion-resources/ checkout main
+ rsync -av $UPDATE_DIR/agrules/securityonion-resources/* /nsm/securityonion-resources/
 }
 update_airgap_repo() {
diff --git a/setup/so-functions b/setup/so-functions
index 0c2cbf3e0..5693abcb3 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -42,9 +42,10 @@ logCmd() {
 ### End Logging Section ###
 airgap_rules() {
- # Copy the rules for suricata if using Airgap
+ # Copy the rules for detections if using Airgap
 mkdir -p /nsm/rules
- cp -Rv /root/SecurityOnion/agrules/* /nsm/rules/
+ rsync -av --exclude='securityonion-resources' /root/SecurityOnion/agrules/ /nsm/rules/
+ rsync -av /root/SecurityOnion/agrules/securityonion-resources/ /nsm/
 }
 add_admin_user() {
From 0a74a532549e127044e335d7a48c655275dc6a3f Mon Sep 17 00:00:00 2001
From: defensivedepth
Date: Tue, 24 Sep 2024 12:38:49 -0400
Subject: [PATCH 3/4] Remove cron if disabled
---
 salt/elasticfleet/config.sls | 6 +++++-
 salt/elasticfleet/enabled.sls | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/salt/elasticfleet/config.sls b/salt/elasticfleet/config.sls
index c5be686a7..4ff284ffa 100644
--- a/salt/elasticfleet/config.sls
+++ b/salt/elasticfleet/config.sls
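Review bot: Neither `git -C ... checkout generated-summaries-stable` nor `checkout main` has its exit status checked, so if the bundled repository lacks one of those branches or the checkout refuses (dirty tree, missing objects), the following `rsync` still runs and copies whatever happens to be checked out, which could put summary files under `/nsm/securityonion-resources/` where the filter cron reads event filters, or the reverse. Guard each checkout before copying, e.g. `git -C "$UPDATE_DIR/agrules/securityonion-resources/" checkout generated-summaries-stable || { echo "securityonion-resources: checkout of generated-summaries-stable failed"; return 1; }`, and quote `$UPDATE_DIR` on the rsync lines too. These `rsync -av` calls also have no `--delete`, so a filter removed upstream lingers on disk and would presumably keep being fed to the cron; whether that is acceptable depends on whether anything local is expected under `/nsm/securityonion-resources/`. The rest of `update_airgap_rules` is outside the hunk.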
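Review bot: The trailing slash on the source of the second rsync, `rsync -av /root/SecurityOnion/agrules/securityonion-resources/ /nsm/`, copies the repository's contents into `/nsm/` itself (`/nsm/event_filters/`, `/nsm/.git`, ...) rather than into `/nsm/securityonion-resources/`, which is the path the filter cron reads (`-i /nsm/securityonion-resources/event_filters/`) and the path soup populates in the companion hunk. On a fresh airgap install the upstream filters would therefore never be found, and `/nsm/` picks up stray repository files. Either drop the source's trailing slash or name the destination explicitly: `rsync -av /root/SecurityOnion/agrules/securityonion-resources/ /nsm/securityonion-resources/`.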
@@ -113,7 +113,7 @@ elasticdefendcustom:
 - mode: 600
 {% if ELASTICFLEETMERGED.config.defend_filters.enable_auto_configuration %}
-cronelasticdefendfilters:
+cron-elastic-defend-filters-add:
 cron.present:
 - name: python3 /sbin/so-elastic-defend-manage-filters.py -c /opt/so/conf/elasticsearch/curl.config -d /opt/so/conf/elastic-fleet/defend-exclusions/disabled-filters.yaml -i /nsm/securityonion-resources/event_filters/ -i /opt/so/conf/elastic-fleet/defend-exclusions/rulesets/custom-filters/ &>> /opt/so/log/elasticfleet/elastic-defend-manage-filters.log
 - identifier: elastic-defend-filters
@@ -123,6 +123,10 @@ cronelasticdefendfilters:
 - daymonth: '*'
 - month: '*'
 - dayweek: '*'
+{% else %}
+cron-elastic-defend-filters-remove:
+ cron.absent:
+ - identifier: elastic-defend-filters
 {% endif %}
 eaintegrationsdir:
diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls
index 8cc79bf57..51d2d1430 100644
--- a/salt/elasticfleet/enabled.sls
+++ b/salt/elasticfleet/enabled.sls
@@ -154,8 +154,8 @@ so-elastic-defend-manage-filters-file-watch:
 cmd.run:
 - name: python3 /sbin/so-elastic-defend-manage-filters.py -c /opt/so/conf/elasticsearch/curl.config -d /opt/so/conf/elastic-fleet/defend-exclusions/disabled-filters.yaml -i /nsm/securityonion-resources/event_filters/ -i /opt/so/conf/elastic-fleet/defend-exclusions/rulesets/custom-filters/ &>> /opt/so/log/elasticfleet/elastic-defend-manage-filters.log
 - onchanges:
- - file: /opt/so/conf/elastic-fleet/defend-exclusions/rulesets/custom-filters-raw
- - file: /opt/so/conf/elastic-fleet/defend-exclusions/disabled-filters.yaml
+ - file: elasticdefendcustom
+ - file: elasticdefenddisabled
 {% endif %}
 {% endif %}
From d2397c3c1c1309176ab6dce8915e03a89a7d3653 Mon Sep 17 00:00:00 2001
From: defensivedepth
Date: Tue, 24 Sep 2024 13:03:51 -0400
Subject: [PATCH 4/4] Refactor cron logic
---
 salt/elasticfleet/config.sls | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
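Review bot: Switching `onchanges` from file paths to state IDs is the right requisite form, but it now depends on two IDs defined in another SLS: `elasticdefendcustom` is visible in the config.sls hunks of this series, whereas `elasticdefenddisabled` does not appear anywhere in the series, so confirm it is the exact ID of the `disabled-filters.yaml` file state; a mismatch fails the whole enabled.sls run with a "referenced state does not exist" error rather than skipping just this state. The same failure occurs if `elasticfleet.config` is not in this file's include list (only `elasticfleet.sostatus` and `ssl` are visible in the earlier hunk). A short comment, `# IDs of the custom-filters / disabled-filters file states in elasticfleet.config`, above `- onchanges:` would help keep them in sync.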
diff --git a/salt/elasticfleet/config.sls b/salt/elasticfleet/config.sls
index 4ff284ffa..d29b9ddb2 100644
--- a/salt/elasticfleet/config.sls
+++ b/salt/elasticfleet/config.sls
@@ -113,8 +113,12 @@ elasticdefendcustom:
 - mode: 600
 {% if ELASTICFLEETMERGED.config.defend_filters.enable_auto_configuration %}
-cron-elastic-defend-filters-add:
- cron.present:
+{% set ap = "present" %}
+{% else %}
+{% set ap = "absent" %}
+{% endif %}
+cron-elastic-defend-filters:
+ cron.{{ap}}:
 - name: python3 /sbin/so-elastic-defend-manage-filters.py -c /opt/so/conf/elasticsearch/curl.config -d /opt/so/conf/elastic-fleet/defend-exclusions/disabled-filters.yaml -i /nsm/securityonion-resources/event_filters/ -i /opt/so/conf/elastic-fleet/defend-exclusions/rulesets/custom-filters/ &>> /opt/so/log/elasticfleet/elastic-defend-manage-filters.log
 - identifier: elastic-defend-filters
 - user: root
@@ -123,11 +127,6 @@ cron-elastic-defend-filters-add:
 - daymonth: '*'
 - month: '*'
 - dayweek: '*'
-{% else %}
-cron-elastic-defend-filters-remove:
- cron.absent:
- - identifier: elastic-defend-filters
-{% endif %}
 eaintegrationsdir:
 file.directory:
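Review bot: The cron command still ends in `&>> /opt/so/log/elasticfleet/elastic-defend-manage-filters.log`, a bash-only redirection; root's crontab runs the entry under `/bin/sh` unless a `SHELL=` line is set, and on hosts where `/bin/sh` is dash (Debian/Ubuntu) that parses as "run the script in the background, then open the log for append", so the script's output, including any failure to push filters to Fleet, never reaches the log. The POSIX form works on every supported base OS: `... -i /opt/so/conf/elastic-fleet/defend-exclusions/rulesets/custom-filters/ >> /opt/so/log/elasticfleet/elastic-defend-manage-filters.log 2>&1`. With `cron.{{ap}}` the name and schedule keys are now also handed to `cron.absent`, which as far as I recall accepts and ignores extra keyword arguments; a one-line comment `{# cron.absent matches on identifier only and ignores the schedule keys #}` above the state would save the next reader from checking. The remaining schedule keys of this state continue below the hunk.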