From 1675b787bfacb2b7301f0769287d6e1eecccc5d8 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 21 Jun 2023 13:27:34 -0400
Subject: [PATCH 1/8] exclude rocky-repos and remove files
---
 salt/repo/client/files/rocky/yum.conf.jinja | 5 +++--
 salt/repo/client/map.jinja | 4 ++++
 setup/so-functions | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/salt/repo/client/files/rocky/yum.conf.jinja b/salt/repo/client/files/rocky/yum.conf.jinja
index bd31ac007..54ae35a41 100644
--- a/salt/repo/client/files/rocky/yum.conf.jinja
+++ b/salt/repo/client/files/rocky/yum.conf.jinja
@@ -12,6 +12,7 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }}
 bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
 distroverpkg=centos-release
 clean_requirements_on_remove=1
-{% if proxy -%}
+exclude=rocky-repos
+{%- if proxy %}
 proxy={{ proxy }}
-{% endif %}
+{%- endif %}
diff --git a/salt/repo/client/map.jinja b/salt/repo/client/map.jinja
index 1e5d9351f..515ec515b 100644
--- a/salt/repo/client/map.jinja
+++ b/salt/repo/client/map.jinja
@@ -11,6 +11,10 @@
 'Rocky-Sources.repo',
 'Rocky-Vault.repo',
 'Rocky-x86_64-kernel.repo',
+ 'rocky-addons.repo',
+ 'rocky-devel.repo',
+ 'rocky-extras.repo',
+ 'rocky.repo',
 'docker-ce.repo',
 'epel.repo',
 'epel-testing.repo',
diff --git a/setup/so-functions b/setup/so-functions
index 2a69f0d36..5ecba8408 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2402,7 +2402,7 @@ update_sudoers_for_testing() {
 update_packages() {
 if [[ $is_rocky ]]; then
 logCmd "dnf repolist"
- logCmd "dnf -y update --allowerasing --exclude=salt*,wazuh*,docker*,containerd*"
+ logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*,rocky-repos"
 else
 info "Running apt-get update"
 retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup
From 7e37cd0f05e2be9092d9faf8e9a4b6ec792e4014 Mon Sep 17 00:00:00 2001
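Review bot: The rewritten `--exclude` list on the `dnf -y update` line silently drops `wazuh*` while adding `rocky-repos`, and nothing in the subject or diffstat explains the Wazuh removal, so on a node that still has Wazuh packages installed this setup step will now upgrade them together with everything else. If that is intended it should be stated in the commit message; if not, keep both patterns: `--exclude=salt*,wazuh*,docker*,containerd*,rocky-repos`. `update_packages` continues past the end of the hunk.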
From: weslambert
Date: Wed, 21 Jun 2023 14:29:54 -0400
Subject: [PATCH 2/8] Parse xff
---
 .../files/ingest/suricata.common | 27 ++++++++++---------
 1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/salt/elasticsearch/files/ingest/suricata.common b/salt/elasticsearch/files/ingest/suricata.common
index 4dea07b8b..e12fea0be 100644
--- a/salt/elasticsearch/files/ingest/suricata.common
+++ b/salt/elasticsearch/files/ingest/suricata.common
@@ -1,20 +1,21 @@
 {
 "description" : "suricata.common",
 "processors" : [
- { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
- { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } },
- { "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } },
- { "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } },
- { "rename": { "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } },
- { "rename": { "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } },
- { "rename": { "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } },
- { "rename": { "field": "message2.vlan", "target_field": "network.vlan.id", "ignore_failure": true } },
- { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } },
- { "set": { "field": "event.dataset", "value": "{{ message2.event_type }}" } },
- { "set": { "field": "observer.name", "value": "{{agent.name}}" } },
- { "set": { "field": "event.ingested", "value": "{{@timestamp}}" } },
+ { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
+ { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } },
+ { "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } },
+ { "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } },
+ { "rename": { "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } },
+ { "rename": { "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } },
+ { "rename": { "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } },
+ { "rename": { "field": 
"message2.vlan", "target_field": "network.vlan.id", "ignore_failure": true } }, + { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } }, + { "rename": { "field": "message2.xff", "target_field": "xff.ip", "ignore_missing": true } }, + { "set": { "field": "event.dataset", "value": "{{ message2.event_type }}" } }, + { "set": { "field": "observer.name", "value": "{{agent.name}}" } }, + { "set": { "field": "event.ingested", "value": "{{@timestamp}}" } }, { "date": { "field": "message2.timestamp", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "timezone": "UTC", "ignore_failure": true } }, - { "remove":{ "field": "agent", "ignore_failure": true } }, + { "remove":{ "field": "agent", "ignore_failure": true } }, { "pipeline": { "if": "ctx?.event?.dataset != null", "name": "suricata.{{event.dataset}}" } } ] } From 4e849ecc908770660540720d3192a9e27255c361 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 21 Jun 2023 15:14:53 -0400 Subject: [PATCH 3/8] issues with exclude rocky-repos --- salt/repo/client/files/rocky/yum.conf.jinja | 1 - setup/so-functions | 7 ++++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/salt/repo/client/files/rocky/yum.conf.jinja b/salt/repo/client/files/rocky/yum.conf.jinja index 54ae35a41..118bffeef 100644 --- a/salt/repo/client/files/rocky/yum.conf.jinja +++ b/salt/repo/client/files/rocky/yum.conf.jinja @@ -12,7 +12,6 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }} bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum distroverpkg=centos-release clean_requirements_on_remove=1 -exclude=rocky-repos {%- if proxy %} proxy={{ proxy }} {%- endif %} diff --git a/setup/so-functions b/setup/so-functions index 5ecba8408..ef4e44eaa 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -2402,7 +2402,12 @@ update_sudoers_for_testing() {
 update_packages() {
 if [[ $is_rocky ]]; then
 logCmd "dnf repolist"
- logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*,rocky-repos"
+ logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
+ RMREPOFILES=("rocky-addons.repo" "rocky-devel.repo" "rocky-extras.repo" "rocky.repo")
+ info "Removing repo files added by rocky-repos package update"
+ for FILE in ${RMREPOFILES[@]}; do
+ logCmd "rm -f /etc/yum.repos.d/$FILE"
+ done
 else
 info "Running apt-get update"
 retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup
From b5e5bd57ad9acb0a807d21da6b87d6b811aaa973 Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Wed, 21 Jun 2023 15:41:16 -0600
Subject: [PATCH 4/8] Fix for Upload Import
Needed to mount /nsm/soc/uploads into soc container. Made the upload route configurable. Added gpg logging to salt-relay.
---
 salt/soc/defaults.yaml | 1 +
 salt/soc/enabled.sls | 3 ++-
 salt/soc/files/bin/salt-relay.sh | 3 ++-
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index dfc5c3753..8eb222e01 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1006,6 +1006,7 @@ soc:
 baseUrl: /
 maxPacketCount: 5000
 htmlDir: html
+ importUploadDir: /opt/sensoroni/uploads
 airgapEnabled: false
 modules:
 cases: soc
diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls
index bc55f2d94..c5e116db2 100644
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -1,5 +1,5 @@
 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
-# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
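Review bot: `for FILE in ${RMREPOFILES[@]}; do` expands the array unquoted; it happens to be safe for these fixed names, but it is the pattern shellcheck flags (SC2068), so write `for FILE in "${RMREPOFILES[@]}"; do`. More importantly, the `rm -f` only cleans up this one setup run: the next time `rocky-repos` is updated the package will write the four `.repo` files back, so keeping them gone afterwards depends on the Salt repo state (presumably why patch 1 added the same names to `salt/repo/client/map.jinja`). A comment on the loop should say so, e.g. `# rocky-repos recreates these on every update; salt/repo/client (map.jinja) keeps them removed after setup`. `update_packages` continues past the end of the hunk.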
@@ -23,6 +23,7 @@ so-soc:
 - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
 - binds:
 - /nsm/soc/jobs:/opt/sensoroni/jobs:rw
+ - /nsm/soc/uploads:/opt/sensoroni/uploads:rw
 - /opt/so/log/soc/:/opt/sensoroni/logs/:rw
 - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro
 - /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro
diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh
index 3e893e64c..22be8d3e4 100755
--- a/salt/soc/files/bin/salt-relay.sh
+++ b/salt/soc/files/bin/salt-relay.sh
@@ -185,7 +185,8 @@ function send_file() {
 log "Cleanup: $cleanup"
 log "encrypting..."
- gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from"
+ response=$(gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from")
+ log Response:$'\n'"$response"
 fromgpg="$from.gpg"
 filename=$(basename "$fromgpg")
From 6769386c86e173678b39cb683ea561e5698340dc Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Thu, 22 Jun 2023 10:59:24 -0600
Subject: [PATCH 5/8] Change upload path
---
 salt/soc/defaults.yaml | 16 ++++++++--------
 salt/soc/enabled.sls | 2 +-
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
index 8eb222e01..156446b7f 100644
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -580,18 +580,18 @@ soc:
 - event.dataset
 - process.executable
 - user.name
- '::process_terminated':
+ '::process_terminated':
 - soc_timestamp
 - process.executable
 - process.pid
 - winlog.computer_name
- '::file_create':
+ '::file_create':
 - soc_timestamp
 - file.target
 - process.executable
 - process.pid
 - winlog.computer_name
- '::registry_value_set':
+ '::registry_value_set':
 - soc_timestamp
 - winlog.event_data.TargetObject
 - process.executable
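Review bot: `response=$(gpg ... "$from")` captures only stdout, but with `--symmetric` and no `-o -` gpg writes the ciphertext to `$from.gpg` and every diagnostic to stderr, so the new `log Response:` line will be empty in exactly the failure cases it was added to debug; append `2>&1` inside the substitution: `response=$(gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from" 2>&1)`. The exit status of the substitution is also never inspected before `fromgpg="$from.gpg"` is used, so a failed encryption goes on to ship a missing or stale `.gpg` file; a `[[ $? -ne 0 ]]` check right after the `log` line would stop that. `send_file` continues on both sides of the hunk.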
@@ -1000,13 +1000,13 @@ soc:
 - destination.port
 - tds.header_type
 - log.id.uid
- - event.dataset
+ - event.dataset
 server:
 bindAddress: 0.0.0.0:9822
 baseUrl: /
 maxPacketCount: 5000
 htmlDir: html
- importUploadDir: /opt/sensoroni/uploads
+ importUploadDir: /nsm/soc/uploads
 airgapEnabled: false
 modules:
 cases: soc
@@ -1034,7 +1034,7 @@ soc:
 asyncThreshold: 10
 influxdb:
 hostUrl:
- token:
+ token:
 org: Security Onion
 bucket: telegraf/so_short_term
 verifyCert: false
@@ -1409,7 +1409,7 @@ soc:
 - name: Host Registry Changes
 description: Windows Registry changes
 query: 'event.category: registry | groupby -sankey event.action host.name | groupby event.dataset event.action | groupby host.name | groupby process.executable | groupby registry.path | groupby process.executable registry.path'
- - name: Host DNS & Process Mappings
+ - name: Host DNS & Process Mappings
 description: DNS queries mapped to originating processes
 query: 'event.category: network AND _exists_:process.executable AND (_exists_:dns.question.name OR _exists_:dns.answers.data) | groupby -sankey host.name dns.question.name | groupby event.dataset event.type | groupby host.name | groupby process.executable | groupby dns.question.name | groupby dns.answers.data'
 - name: Host Process Activity
@@ -1686,7 +1686,7 @@ soc:
 - name: Templates
 query: 'so_case.category:template'
 case:
- analyzerNodeId:
+ analyzerNodeId:
 mostRecentlyUsedLimit: 5
 renderAbbreviatedCount: 30
 presets:
diff --git a/salt/soc/enabled.sls b/salt/soc/enabled.sls
index c5e116db2..4169f90ca 100644
--- a/salt/soc/enabled.sls
+++ b/salt/soc/enabled.sls
@@ -23,7 +23,7 @@ so-soc:
 - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
 - binds:
 - /nsm/soc/jobs:/opt/sensoroni/jobs:rw
- - /nsm/soc/uploads:/opt/sensoroni/uploads:rw
+ - /nsm/soc/uploads:/nsm/soc/uploads:rw
 - /opt/so/log/soc/:/opt/sensoroni/logs/:rw
 - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro
 - /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro
From 0d92a1594a9715c7396a96b116b68a679133053c Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 22 Jun 2023 14:41:39 -0400
Subject: [PATCH 6/8] fix quotations
---
 salt/soc/files/bin/salt-relay.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh
index 22be8d3e4..7f68677ce 100755
--- a/salt/soc/files/bin/salt-relay.sh
+++ b/salt/soc/files/bin/salt-relay.sh
@@ -229,18 +229,19 @@ function import_file() {
 filegpg="$file.gpg"
 log "decrypting..."
- $CMD_PREFIX "salt '$node' cmd.run 'gpg --passphrase \"infected\" --batch --decrypt \"$filegpg\" > \"$file\"'"
+ $CMD_PREFIX salt "$node" cmd.run "gpg --passphrase \"infected\" -o \"$file.tmp\" --batch --decrypt \"$filegpg\""
 decrypt_code=$?
 if [[ $decrypt_code -eq 0 ]]; then
+ mv "$file.tmp" "$file"
 log "importing..."
 case $importer in
 pcap)
- response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file --json'")
+ response=$($CMD_PREFIX salt "$node" cmd.run "so-import-pcap $file --json")
 exit_code=$?
 ;;
 evtx)
- response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file --json'")
+ response=$($CMD_PREFIX salt "$node" cmd.run "so-import-evtx $file --json")
 exit_code=$?
 ;;
 *)
From 2b323ab6613abdb9ecaadb7bf28e256ee95cb68b Mon Sep 17 00:00:00 2001
From: Corey Ogburn
Date: Thu, 22 Jun 2023 17:30:56 -0600
Subject: [PATCH 7/8] Fix `salt cmd.run` commands for importing
Functional and easy to read.
---
 salt/soc/files/bin/salt-relay.sh | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh
index 7f68677ce..832067316 100755
--- a/salt/soc/files/bin/salt-relay.sh
+++ b/salt/soc/files/bin/salt-relay.sh
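Review bot: `mv "$file.tmp" "$file"` runs locally in the relay process, but the `gpg ... -o "$file.tmp"` that creates it is executed on `$node` through `salt ... cmd.run`, so unless the relay always targets its own host (not visible here) the rename acts on a file that does not exist locally and the later `so-import-*` call on the node is handed a `$file` that was never produced. If the decrypt has to stay remote, the move belongs in the same `cmd.run` string, e.g. `"gpg --passphrase \"infected\" -o \"$file.tmp\" --batch --decrypt \"$filegpg\" && mv \"$file.tmp\" \"$file\""`, or decrypt straight to `$file` as the removed line did. `import_file` begins before and continues after the hunk.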
@@ -229,7 +229,8 @@ function import_file() {
 filegpg="$file.gpg"
 log "decrypting..."
- $CMD_PREFIX salt "$node" cmd.run "gpg --passphrase \"infected\" -o \"$file.tmp\" --batch --decrypt \"$filegpg\""
+ decrypt_cmd="gpg --passphrase infected -o $file.tmp --batch --decrypt $filegpg"
+ $CMD_PREFIX salt "$node" cmd.run "\"$decrypt_cmd\""
 decrypt_code=$?
 if [[ $decrypt_code -eq 0 ]]; then
@@ -237,11 +238,13 @@ function import_file() {
 log "importing..."
 case $importer in
 pcap)
- response=$($CMD_PREFIX salt "$node" cmd.run "so-import-pcap $file --json")
+ import_cmd="so-import-pcap $file --json"
+ response=$($CMD_PREFIX salt "$node" cmd.run "\"$import_cmd\"")
 exit_code=$?
 ;;
 evtx)
- response=$($CMD_PREFIX salt "$node" cmd.run "so-import-evtx $file --json")
+ import_cmd="so-import-evtx $file --json"
+ response=$($CMD_PREFIX salt "$node" cmd.run "\"$import_cmd\"")
 exit_code=$?
 ;;
 *)
From b21b545756277fbbccca4fbaf47f0599da765f6a Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 23 Jun 2023 09:37:41 -0400
Subject: [PATCH 8/8] use cluster-unique password for import encryption
---
 salt/soc/files/bin/salt-relay.sh | 8 ++++++--
 setup/so-functions | 2 ++
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh
index 832067316..a9a37ba3e 100755
--- a/salt/soc/files/bin/salt-relay.sh
+++ b/salt/soc/files/bin/salt-relay.sh
@@ -4,6 +4,8 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
+. /usr/sbin/so-common
+
 PIPE_OWNER=${PIPE_OWNER:-socore}
 PIPE_GROUP=${PIPE_GROUP:-socore}
 SOC_PIPE=${SOC_PIPE:-/opt/so/conf/soc/salt/pipe}
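Review bot: Moving the command into `decrypt_cmd` drops the inner quoting around `$file.tmp` and `$filegpg`, so the path is now spliced unquoted into a string that the minion's shell executes via `cmd.run`: a path containing whitespace breaks the command, and one containing `;`, `$(`, backticks or `&&` runs whatever follows it on `$node` as the minion user (typically root). Where `$file` comes from is outside the hunk, but this is the upload-import path, so it should be assumed user-influenced: reject anything outside a strict allowlist before building the string, e.g. `[[ $file =~ ^[A-Za-z0-9._/-]+$ ]] || { log "refusing unsafe path: $file"; return 1; }`, and build the string with `printf %q` for each expansion. The same applies to `import_cmd` in the second hunk. `import_file` starts before the hunk.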
@@ -185,7 +187,8 @@ function send_file() {
 log "Cleanup: $cleanup"
 log "encrypting..."
- response=$(gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from")
+ password=$(lookup_pillar_secret import_pass)
+ response=$(gpg --passphrase "$password" --batch --symmetric --cipher-algo AES256 "$from")
 log Response:$'\n'"$response"
 fromgpg="$from.gpg"
@@ -229,7 +232,8 @@ function import_file() {
 filegpg="$file.gpg"
 log "decrypting..."
- decrypt_cmd="gpg --passphrase infected -o $file.tmp --batch --decrypt $filegpg"
+ password=$(lookup_pillar_secret import_pass)
+ decrypt_cmd="gpg --passphrase $password -o $file.tmp --batch --decrypt $filegpg"
 $CMD_PREFIX salt "$node" cmd.run "\"$decrypt_cmd\""
 decrypt_code=$?
diff --git a/setup/so-functions b/setup/so-functions
index ef4e44eaa..d43469edb 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1296,6 +1296,7 @@ generate_passwords(){
 KRATOSKEY=$(get_random_value)
 REDISPASS=$(get_random_value)
 SOCSRVKEY=$(get_random_value 64)
+ IMPORTPASS=$(get_random_value)
 }
 generate_interface_vars() {
@@ -2102,6 +2103,7 @@ secrets_pillar(){
 " playbook_admin: $PLAYBOOKADMINPASS"\
 " playbook_automation: $PLAYBOOKAUTOMATIONPASS"\
 " playbook_automation_api_key: "\
+ " import_pass: $IMPORTPASS"\
 " influx_pass: $INFLUXPASS" > $local_salt_dir/pillar/secrets.sls
 fi
 }
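Review bot: `decrypt_cmd="gpg --passphrase $password ..."` puts the new cluster-wide `import_pass` secret into the argv of a command shipped through `salt ... cmd.run`, so it is visible in the minion's process list while gpg runs, in the minion log (cmd.run logs the command at INFO unless `output_loglevel=quiet` is passed), and in the master's job cache and any returner; the local `gpg --passphrase "$password"` in `send_file` has the same `ps` exposure on the relay host. Prefer handing the secret over stdin or a root-only file (`--passphrase-fd 0` / `--passphrase-file`) and add `output_loglevel=quiet` to the `cmd.run` call. `$password` is also unquoted inside the string, so if `get_random_value` can ever emit whitespace or shell metacharacters (its alphabet is not visible here) the command breaks or injects; quoting the expansion avoids that. `import_file` continues outside the hunk.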