diff --git a/salt/elasticsearch/files/ingest/suricata.common b/salt/elasticsearch/files/ingest/suricata.common
index 4dea07b8b..e12fea0be 100644
--- a/salt/elasticsearch/files/ingest/suricata.common
+++ b/salt/elasticsearch/files/ingest/suricata.common
@@ -1,20 +1,21 @@
 {
 "description" : "suricata.common",
 "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } },
- { "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } },
- { "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } },
- { "rename": { "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } },
- { "rename": { "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } },
- { "rename": { "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } },
- { "rename": { "field": "message2.vlan", "target_field": "network.vlan.id", "ignore_failure": true } },
- { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } },
- { "set": { "field": "event.dataset", "value": "{{ message2.event_type }}" } },
- { "set": { "field": "observer.name", "value": "{{agent.name}}" } },
- { "set": { "field": "event.ingested", "value": "{{@timestamp}}" } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } },
+ { "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } },
+ { "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } },
+ { "rename": { "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } },
+ { "rename": { "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } },
+ { "rename": { "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } },
+ { "rename": { "field": 
"message2.vlan", "target_field": "network.vlan.id", "ignore_failure": true } }, + { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } }, + { "rename": { "field": "message2.xff", "target_field": "xff.ip", "ignore_missing": true } }, + { "set": { "field": "event.dataset", "value": "{{ message2.event_type }}" } }, + { "set": { "field": "observer.name", "value": "{{agent.name}}" } }, + { "set": { "field": "event.ingested", "value": "{{@timestamp}}" } }, { "date": { "field": "message2.timestamp", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "timezone": "UTC", "ignore_failure": true } }, - { "remove":{ "field": "agent", "ignore_failure": true } }, + { "remove":{ "field": "agent", "ignore_failure": true } }, { "pipeline": { "if": "ctx?.event?.dataset != null", "name": "suricata.{{event.dataset}}" } } ] } diff --git a/salt/repo/client/files/rocky/yum.conf.jinja b/salt/repo/client/files/rocky/yum.conf.jinja index bd31ac007..118bffeef 100644 --- a/salt/repo/client/files/rocky/yum.conf.jinja +++ b/salt/repo/client/files/rocky/yum.conf.jinja @@ -12,6 +12,6 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }} bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum distroverpkg=centos-release clean_requirements_on_remove=1 -{% if proxy -%} +{%- if proxy %} proxy={{ proxy }} -{% endif %} +{%- endif %} diff --git a/salt/repo/client/map.jinja b/salt/repo/client/map.jinja index 1e5d9351f..515ec515b 100644 --- a/salt/repo/client/map.jinja +++ b/salt/repo/client/map.jinja @@ -11,6 +11,10 @@ 'Rocky-Sources.repo', 'Rocky-Vault.repo', 'Rocky-x86_64-kernel.repo', + 'rocky-addons.repo', + 'rocky-devel.repo', + 'rocky-extras.repo', + 'rocky.repo', 'docker-ce.repo', 'epel.repo', 'epel-testing.repo', diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index dfc5c3753..156446b7f 100644 
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -580,18 +580,18 @@ soc:
 - event.dataset
 - process.executable
 - user.name
- '::process_terminated':
+ '::process_terminated':
 - soc_timestamp
 - process.executable
 - process.pid
 - winlog.computer_name
- '::file_create':
+ '::file_create':
 - soc_timestamp
 - file.target
 - process.executable
 - process.pid
 - winlog.computer_name
- '::registry_value_set':
+ '::registry_value_set':
 - soc_timestamp
 - winlog.event_data.TargetObject
 - process.executable
@@ -1000,12 +1000,13 @@ soc:
 - destination.port
 - tds.header_type
 - log.id.uid
- - event.dataset
+ - event.dataset
 server:
 bindAddress: 0.0.0.0:9822
 baseUrl: /
 maxPacketCount: 5000
 htmlDir: html
+ importUploadDir: /nsm/soc/uploads
 airgapEnabled: false
 modules:
 cases: soc
@@ -1033,7 +1034,7 @@ soc:
 asyncThreshold: 10
 influxdb:
 hostUrl:
- token:
+ token:
 org: Security Onion
 bucket: telegraf/so_short_term
 verifyCert: false
@@ -1408,7 +1409,7 @@ soc:
 - name: Host Registry Changes
 description: Windows Registry changes
 query: 'event.category: registry | groupby -sankey event.action host.name | groupby event.dataset event.action | groupby host.name | groupby process.executable | groupby registry.path | groupby process.executable registry.path'
- - name: Host DNS & Process Mappings
+ - name: Host DNS & Process Mappings
 description: DNS queries mapped to originating processes
 query: 'event.category: network AND _exists_:process.executable AND (_exists_:dns.question.name OR _exists_:dns.answers.data) | groupby -sankey host.name dns.question.name | groupby event.dataset event.type | groupby host.name | groupby process.executable | groupby dns.question.name | groupby dns.answers.data'
 - name: Host Process Activity
@@ -1685,7 +1686,7 @@ soc:
 - name: Templates
 query: 'so_case.category:template'
 case:
- analyzerNodeId:
+ analyzerNodeId:
 mostRecentlyUsedLimit: 5
 renderAbbreviatedCount: 30
 presets:
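Review bot: `importUploadDir: /nsm/soc/uploads` has to match the container side of the new bind in salt/soc/enabled.sls (`/nsm/soc/uploads:/nsm/soc/uploads:rw`), and nothing ties the two literals together. A trailing comment on the new line, `importUploadDir: /nsm/soc/uploads  # must match the so-soc bind mount in salt/soc/enabled.sls`, or having the bind read this value from the soc config map, would keep them from drifting. The remaining hunks in this section are trailing-whitespace cleanups.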
diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls
index bc55f2d94..4169f90ca 100644
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -1,5 +1,5 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
@@ -23,6 +23,7 @@ so-soc:
 - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
 - binds:
 - /nsm/soc/jobs:/opt/sensoroni/jobs:rw
+ - /nsm/soc/uploads:/nsm/soc/uploads:rw
 - /opt/so/log/soc/:/opt/sensoroni/logs/:rw
 - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro
 - /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro
diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh
index 3e893e64c..a9a37ba3e 100755
--- a/salt/soc/files/bin/salt-relay.sh
+++ b/salt/soc/files/bin/salt-relay.sh
@@ -4,6 +4,8 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
+. /usr/sbin/so-common
+
 PIPE_OWNER=${PIPE_OWNER:-socore}
 PIPE_GROUP=${PIPE_GROUP:-socore}
 SOC_PIPE=${SOC_PIPE:-/opt/so/conf/soc/salt/pipe}
@@ -185,7 +187,9 @@ function send_file() {
 log "Cleanup: $cleanup"
 log "encrypting..."
- gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from"
+ password=$(lookup_pillar_secret import_pass)
+ response=$(gpg --passphrase "$password" --batch --symmetric --cipher-algo AES256 "$from")
+ log Response:$'\n'"$response"
 fromgpg="$from.gpg"
 filename=$(basename "$fromgpg")
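Review bot: The new `/nsm/soc/uploads` bind is read-write, but nothing in this hunk creates the host directory or sets its owner and mode; when a bind source is missing, Docker creates it owned by root with default permissions, which (if the SOC process in the container runs as the socore user that the rest of this change uses as its default owner) means uploads either fail or the directory ends up wider than needed. Unless it is created elsewhere, add a `file.directory` state for `/nsm/soc/uploads` with `user: socore`, `group: socore`, `mode: 750` and make the so-soc container state `require` it, mirroring whatever is done for `/nsm/soc/jobs`. The so-soc state begins before this hunk.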
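Review bot: `gpg --passphrase "$password"` places the import secret on gpg's command line, where every local user can read it from the process table for as long as the encryption runs; with the old fixed value that was harmless, with a generated pillar secret it is a credential leak. Feed it on a descriptor instead: `response=$(gpg --batch --pinentry-mode loopback --passphrase-fd 0 --symmetric --cipher-algo AES256 "$from" <<<"$password")`. The result of `lookup_pillar_secret import_pass` is also used unchecked; an empty lookup should stop here with a logged error rather than hand gpg an empty passphrase, e.g. `[[ -n "$password" ]] || { log "import_pass lookup returned nothing"; return 1; }` (adjusted to how send_file reports failure elsewhere). The same `--passphrase` pattern appears in the import_file hunk of this file. send_file continues outside the hunk.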
@@ -228,18 +232,23 @@ function import_file() {
 filegpg="$file.gpg"
 log "decrypting..."
- $CMD_PREFIX "salt '$node' cmd.run 'gpg --passphrase \"infected\" --batch --decrypt \"$filegpg\" > \"$file\"'"
+ password=$(lookup_pillar_secret import_pass)
+ decrypt_cmd="gpg --passphrase $password -o $file.tmp --batch --decrypt $filegpg"
+ $CMD_PREFIX salt "$node" cmd.run "\"$decrypt_cmd\""
 decrypt_code=$?
 if [[ $decrypt_code -eq 0 ]]; then
+ mv "$file.tmp" "$file"
 log "importing..."
 case $importer in
 pcap)
- response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file --json'")
+ import_cmd="so-import-pcap $file --json"
+ response=$($CMD_PREFIX salt "$node" cmd.run "\"$import_cmd\"")
 exit_code=$?
 ;;
 evtx)
- response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file --json'")
+ import_cmd="so-import-evtx $file --json"
+ response=$($CMD_PREFIX salt "$node" cmd.run "\"$import_cmd\"")
 exit_code=$?
 ;;
 *)
diff --git a/setup/so-functions b/setup/so-functions
index 2a69f0d36..d43469edb 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1296,6 +1296,7 @@ generate_passwords(){
 KRATOSKEY=$(get_random_value)
 REDISPASS=$(get_random_value)
 SOCSRVKEY=$(get_random_value 64)
+ IMPORTPASS=$(get_random_value)
 }
 generate_interface_vars() {
@@ -2102,6 +2103,7 @@ secrets_pillar(){
 " playbook_admin: $PLAYBOOKADMINPASS"\
 " playbook_automation: $PLAYBOOKAUTOMATIONPASS"\
 " playbook_automation_api_key: "\
+ " import_pass: $IMPORTPASS"\
 " influx_pass: $INFLUXPASS" > $local_salt_dir/pillar/secrets.sls
 fi
 }
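Review bot: The import passphrase is embedded in the `cmd.run` command string on the `decrypt_cmd` line, so the secret travels through the salt master and is recorded with the job's arguments (job cache, and the minion's command logging unless the call passes `output_loglevel=quiet`), which exposes a real credential where the old fixed value exposed nothing. Since `so-common` is now sourced on this host for the same lookup, consider resolving it on `$node` inside the remote command instead, e.g. `decrypt_cmd=". /usr/sbin/so-common; gpg --batch --pinentry-mode loopback --passphrase-fd 0 -o $file.tmp --decrypt $filegpg <<<\$(lookup_pillar_secret import_pass)"`, provided the pillar lookup works on the node — confirm. Separately, `mv "$file.tmp" "$file"` runs on the relay host while the decrypt ran on `$node` via salt, so unless `$node` is always the local minion the .tmp file is not where mv looks; appending `&& mv $file.tmp $file` to the remote command keeps both steps on the same host. `$password`, `$file` and `$filegpg` are unquoted inside `decrypt_cmd` and are word-split by the remote shell, so a path with spaces or a secret containing shell metacharacters breaks the command. import_file continues outside the hunk.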
@@ -2402,7 +2404,12 @@ update_sudoers_for_testing() {
 update_packages() {
 if [[ $is_rocky ]]; then
 logCmd "dnf repolist"
- logCmd "dnf -y update --allowerasing --exclude=salt*,wazuh*,docker*,containerd*"
+ logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
+ RMREPOFILES=("rocky-addons.repo" "rocky-devel.repo" "rocky-extras.repo" "rocky.repo")
+ info "Removing repo files added by rocky-repos package update"
+ for FILE in ${RMREPOFILES[@]}; do
+ logCmd "rm -f /etc/yum.repos.d/$FILE"
+ done
 else
 info "Running apt-get update"
 retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup
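Review bot: `for FILE in ${RMREPOFILES[@]}; do` expands the array unquoted, so each element is word-split and glob-expanded; write `for FILE in "${RMREPOFILES[@]}"; do`. With the four fixed names here it happens to work, but the quoted form is the robust idiom and what shellcheck expects. Dropping `wazuh*` from the dnf exclude list means wazuh packages are now upgraded by this step; if that is intentional, a one-line comment above the dnf line saying so would stop the next reader from treating it as an accidental deletion. The same four file names also appear in salt/repo/client/map.jinja in this commit, so keeping the list in one place would avoid the two drifting apart. update_packages continues outside the hunk.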