From 504d22de830cb3f4fd54b8f87926a12078843927 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 18 Mar 2020 10:49:51 -0400 Subject: [PATCH 1/6] fix issue lsetcsync if node doesnt have templates defined --- salt/logstash/init.sls | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 93da70bdc..9df9c0ca0 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -145,10 +145,12 @@ lsetcsync: - group: 939 - template: jinja - clean: True +{% if TEMPLATES %} - require: -{% for TEMPLATE in TEMPLATES %} + {% for TEMPLATE in TEMPLATES %} - file: ls_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} -{% endfor %} + {% endfor %} +{% endif %} - exclude_pat: pipelines* # Create the import directory From fcc5c306ea5dd61bf051e3747266a8f6a65c709c Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 18 Mar 2020 16:42:06 +0000 Subject: [PATCH 2/6] fix index names --- salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja | 2 +- .../logstash/pipelines/config/so/9700_output_strelka.conf.jinja | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja index b32cb44df..53dae8825 100644 --- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja +++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja @@ -21,7 +21,7 @@ output { elasticsearch { pipeline => "%{event_type}" hosts => "{{ ES }}" - index => "so-common-%{+YYYY.MM.dd}" + index => "so-ossec-%{+YYYY.MM.dd}" template_name => "so-common" template => "/so-common-template.json" template_overwrite => true diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja index 6c498c2bb..5da6d0b12 100644 --- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja 
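Review bot: The new `{% if TEMPLATES %}` guard only works if TEMPLATES is always assigned earlier in the file (for example defaulted to an empty list); Salt renders .sls Jinja with StrictUndefined unless `allow_undefined` is set, and testing the truthiness of a genuinely undefined name raises an UndefinedError rather than skipping the block. Where TEMPLATES is assigned is outside this hunk, so either confirm it can never be undefined on a node or write the guard as `{% if TEMPLATES is defined and TEMPLATES %}` to cover both cases. Wrapping the whole `- require:` key is the right shape, since an empty `require:` presumably rendered as a null value that Salt rejected, which looks like the failure the subject line describes. The lsetcsync state begins above this hunk.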
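Review bot: Changing `index` to `so-ossec-%{+YYYY.MM.dd}` while keeping `template_name => "so-common"` and `template => "/so-common-template.json"` only gives these indices the intended mapping if that template's `index_patterns` also matches `so-ossec-*`; the patterns list is not visible in this series (the so-common-template.json hunks further down start at line 8), and if it still names only `so-common-*` the new indices get fully dynamic mappings and the `dynamic: false` / `date_detection: false` settings in that template never apply. Confirm the pattern covers `so-ossec-*` (and `so-strelka-*`, since the 9700 output makes the same change) or add both to the template. With `template_overwrite => true` every output that names `so-common` re-PUTs the template at pipeline start, so all of them must keep pointing at the same file or they will overwrite each other.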
+++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja @@ -20,7 +20,7 @@ output { if [event_type] =~ "strelka" { elasticsearch { hosts => "{{ ES }}" - index => "so-common-%{+YYYY.MM.dd}" + index => "so-strelka-%{+YYYY.MM.dd}" template_name => "so-common" template => "/so-common-template.json" template_overwrite => true From 150eaf59fd659aefb8d290a05aabb46f674de290 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 18 Mar 2020 20:05:42 +0000 Subject: [PATCH 3/6] don't load FB template --- salt/filebeat/etc/filebeat.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 5affc2411..3aa8fa565 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -226,7 +226,7 @@ output.elasticsearch: # Client Certificate Key #ssl.key: "/usr/share/filebeat/filebeat.key" - +setup.template.enabled: false # A dictionary of settings to place into the settings.index dictionary # of the Elasticsearch template. For more details, please check # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html From 5072095eeb90b5ca4e3ad211827747d89de60a7c Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 18 Mar 2020 20:15:10 +0000 Subject: [PATCH 4/6] removing mapping types --- .../pipelines/templates/so/so-beats-template.json | 12 +++++------- .../pipelines/templates/so/so-common-template.json | 4 +--- 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/salt/logstash/pipelines/templates/so/so-beats-template.json b/salt/logstash/pipelines/templates/so/so-beats-template.json index f6a9c2d27..a48a6e3eb 100644 --- a/salt/logstash/pipelines/templates/so/so-beats-template.json +++ b/salt/logstash/pipelines/templates/so/so-beats-template.json @@ -2,7 +2,6 @@ "index_patterns": [ "so-beats-*" ], - "mappings": { "doc": { "_meta": { "version": "6.1.3" 
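Review bot: `setup.template.enabled: false` is dropped at column 0 between the commented `#ssl.key` line of the `output.elasticsearch` section and the comment block that introduces the template index settings, with the blank line removed and no explanation, so it reads as if it were part of the output block. It is a top-level Beats key and therefore still valid YAML, but it belongs with the other `setup.template.*` settings and deserves a why-comment such as `# The so-beats index template is installed by Logstash; do not let Filebeat create or overwrite it`. Disabling template management also means these indices only get a mapping if the Logstash-installed template's `index_patterns` matches whatever `index` this output writes to; that setting is outside the hunk, so please confirm it, otherwise Filebeat's indices will be mapped dynamically.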
@@ -1265,12 +1264,11 @@ "ignore_above": 1024, "type": "keyword" } - } - } - } - } - } - } + } + } + } + } + } }, "order": 1, "settings": { diff --git a/salt/logstash/pipelines/templates/so/so-common-template.json b/salt/logstash/pipelines/templates/so/so-common-template.json index 90241924f..295653dfa 100644 --- a/salt/logstash/pipelines/templates/so/so-common-template.json +++ b/salt/logstash/pipelines/templates/so/so-common-template.json @@ -8,7 +8,6 @@ "index.refresh_interval":"30s" }, "mappings":{ - "doc":{ "dynamic": false, "date_detection": false, "properties":{ @@ -349,7 +348,6 @@ "type":"object", "dynamic": true } - } - } + } } } From 7a71a2c4593fbbbe88ee1a85bbff6bd3a67e0588 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 18 Mar 2020 20:17:57 +0000 Subject: [PATCH 5/6] removing mapping types --- salt/logstash/pipelines/templates/so/so-beats-template.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/logstash/pipelines/templates/so/so-beats-template.json b/salt/logstash/pipelines/templates/so/so-beats-template.json index a48a6e3eb..858f1d5e5 100644 --- a/salt/logstash/pipelines/templates/so/so-beats-template.json +++ b/salt/logstash/pipelines/templates/so/so-beats-template.json @@ -2,7 +2,7 @@ "index_patterns": [ "so-beats-*" ], - "doc": { + "mappings": { "_meta": { "version": "6.1.3" }, From c58e6d6cba7d1cd54ee7f5cfa9ecc4a5420993c0 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 19 Mar 2020 10:08:15 -0400 Subject: [PATCH 6/6] [fix] HTML formatting and css changes * Centered osquery packages page * Fixed HTML formatting on main and osquery pages --- salt/common/nginx/index.html | 145 +++++++++++++++++++------------ salt/fleet/osquery-packages.html | 138 ++++++++++++++++------------- 2 files changed, 167 insertions(+), 116 deletions(-) diff --git a/salt/common/nginx/index.html b/salt/common/nginx/index.html index 2f832e2c0..e501e5377 100644 --- a/salt/common/nginx/index.html +++ b/salt/common/nginx/index.html 
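Review bot: Removing the `doc` level turns this into a typeless template, which the Elasticsearch 6.x template API only accepts when the PUT carries `include_type_name=false`; the release notes further down this series still list Elastic 6.8.6, and the Logstash `elasticsearch` output referenced by the 9600/9700 configs installs the file verbatim via `template` / `template_overwrite`. If the target is still 6.8, confirm that the Logstash plugin version in use handles the typeless form for that server, since otherwise the template install is rejected with a mapping-type error (Logstash logs it and, as far as I can tell, keeps indexing) and the `dynamic: false` / `date_detection: false` protection this template provides is silently lost. The same applies to so-beats-template.json, whose `_meta.version` of `6.1.3` is now also stale for a typeless mapping. The `index_patterns` and most of the template body are outside this hunk.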
@@ -8,14 +8,14 @@ -
-
+
+
Create New User Kibana Grafana @@ -89,41 +96,67 @@ a { Blog
-
-
Security Onion
- -

Hybrid Hunter Alpha 1.1.4 - Feature Parity Release


+
+
+ + Security Onion + +
+
+

+

+

Hybrid Hunter Alpha 1.1.4 - Feature Parity Release

+
+

Changes:

-
    -
  • Added new in-house auth method [Security Onion Auth](https://github.com/Security-Onion-Solutions/securityonion-auth).
  • -
  • Web user creation is done via the browser now instead of so-user-add.
  • -
  • New Logstash pipeline setup. Now uses multiple pipelines.
  • -
  • New Master + Search node type and well as a Heavy Node type in the install.
  • -
  • Change all nodes to point to the docker registry on the Master. This cuts down on the calls to dockerhub.
  • -
  • Zeek 3.0.1
  • -
  • Elastic 6.8.6
  • -
  • New SO Start | Stop | Restart scripts for all components (eg. `so-playbook-restart`).
  • -
  • BPF support for Suricata (NIDS), Steno (PCAP) & Zeek ([Docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/BPF)).
  • -
  • Updated Domain Stats & Frequency Server containers to Python3 & created new Salt states for them.
  • -
  • Added so-status script which gives an easy to read look at container status.
  • -
  • Manage threshold.conf for Suricata using the thresholding pillar.
  • -
  • The ISO now includes all the docker containers for faster install speeds.
  • -
  • You now set the password for the onion account during the iso install. This account is temporary and will be removed after so-setup.
  • -
  • Updated Helix parsers for better compatibility.
  • -
  • Updated telegraf docker to include curl and jq.
  • -
  • CVE-2020-0601 Zeek Detection Script.
  • -
  • ISO Install now prompts you to create a password for the onion user during imaging. This account gets disabled during setup.
  • -
  • Check out the Hybrid Hunter Quick Start Guide.
  • -
-

+
    +
  • Added new in-house auth method [Security Onion Auth](https://github.com/Security-Onion-Solutions/securityonion-auth).
  • +
  • Web user creation is done via the browser now instead of so-user-add.
  • +
  • New Logstash pipeline setup. Now uses multiple pipelines.
  • +
  • New Master + Search node type and well as a Heavy Node type in the install.
  • +
  • Change all nodes to point to the docker registry on the Master. This cuts down on the calls to dockerhub.
  • +
  • Zeek 3.0.1
  • +
  • Elastic 6.8.6
  • +
  • New SO Start | Stop | Restart scripts for all components (eg. `so-playbook-restart`).
  • +
  • BPF support for Suricata (NIDS), Steno (PCAP) & Zeek ([Docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/BPF)).
  • +
  • Updated Domain Stats & Frequency Server containers to Python3 & created new Salt states for them.
  • +
  • Added so-status script which gives an easy to read look at container status.
  • +
  • Manage threshold.conf for Suricata using the thresholding pillar.
  • +
  • The ISO now includes all the docker containers for faster install speeds.
  • +
  • You now set the password for the onion account during the iso install. This account is temporary and will be removed after so-setup.
  • +
  • Updated Helix parsers for better compatibility.
  • +
  • Updated telegraf docker to include curl and jq.
  • +
  • CVE-2020-0601 Zeek Detection Script.
  • +
  • ISO Install now prompts you to create a password for the onion user during imaging. This account gets disabled during setup.
  • +
  • Check out the Hybrid Hunter Quick Start Guide.
  • +
+

- diff --git a/salt/fleet/osquery-packages.html b/salt/fleet/osquery-packages.html index c94ba89b9..c1843bf01 100644 --- a/salt/fleet/osquery-packages.html +++ b/salt/fleet/osquery-packages.html @@ -8,14 +8,14 @@ - - - -
- -

Osquery Packages


- -

Notes

-
    -
  • These packages are customized for this specific Fleet install and will only be generated after the Fleet setup script has been run. If you want vanilla osquery packages, you can get them directly from osquery.io
  • -
  • Packages are not signed.
  • -
-

Downloads

- - -

Known Issues

-
    -
  • None
  • -
-

-
- - +
+ + +
+

+

+

Osquery Packages

+
+
+

Notes

+
    +
  • These packages are customized for this specific Fleet install and will only be generated after the Fleet setup script has been run. If you want vanilla osquery packages, you can get them directly from osquery.io
  • +
  • Packages are not signed.
  • +
+
+

Downloads

+
+ Generated: N/A +
+
+ Packages: + +
+
+ Config Files: + +
+
+

Known Issues

+
    +
  • None
  • +
+

+
+