CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '2.4/dev' into desktop

Browse Source
This commit is contained in:
Mike Reeves
2023-06-26 15:20:43 -04:00
parent 3952c1a9b7 d247c9d704
commit 12d10d7d42
7 changed files with 51 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
salt/elasticsearch/files/ingest/suricata.common
View File

@@ -1,20 +1,21 @@
{ {
"description" : "suricata.common", "description" : "suricata.common",
"processors" : [ "processors" : [
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } }, { "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } }, { "rename": { "field": "message2.proto", "target_field": "network.transport", "ignore_failure": true } },
{ "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } }, { "rename": { "field": "message2.flow_id", "target_field": "log.id.uid", "ignore_failure": true } },
{ "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } }, { "rename": { "field": "message2.src_ip", "target_field": "source.ip", "ignore_failure": true } },
{ "rename": { "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } }, { "rename": { "field": "message2.src_port", "target_field": "source.port", "ignore_failure": true } },
{ "rename": { "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } }, { "rename": { "field": "message2.dest_ip", "target_field": "destination.ip", "ignore_failure": true } },
{ "rename": { "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } }, { "rename": { "field": "message2.dest_port", "target_field": "destination.port", "ignore_failure": true } },
{ "rename": { "field": "message2.vlan", "target_field": "network.vlan.id", "ignore_failure": true } }, { "rename": { "field": "message2.vlan", "target_field": "network.vlan.id", "ignore_failure": true } },
{ "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } }, { "rename": { "field": "message2.community_id", "target_field": "network.community_id", "ignore_missing": true } },
{ "set": { "field": "event.dataset", "value": "{{ message2.event_type }}" } }, { "rename": { "field": "message2.xff", "target_field": "xff.ip", "ignore_missing": true } },
{ "set": { "field": "observer.name", "value": "{{agent.name}}" } }, { "set": { "field": "event.dataset", "value": "{{ message2.event_type }}" } },
{ "set": { "field": "event.ingested", "value": "{{@timestamp}}" } }, { "set": { "field": "observer.name", "value": "{{agent.name}}" } },
{ "set": { "field": "event.ingested", "value": "{{@timestamp}}" } },
{ "date": { "field": "message2.timestamp", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "timezone": "UTC", "ignore_failure": true } }, { "date": { "field": "message2.timestamp", "target_field": "@timestamp", "formats": ["ISO8601", "UNIX"], "timezone": "UTC", "ignore_failure": true } },
{ "remove":{ "field": "agent", "ignore_failure": true } }, { "remove":{ "field": "agent", "ignore_failure": true } },
{ "pipeline": { "if": "ctx?.event?.dataset != null", "name": "suricata.{{event.dataset}}" } } { "pipeline": { "if": "ctx?.event?.dataset != null", "name": "suricata.{{event.dataset}}" } }
] ]
} }

4
salt/repo/client/files/rocky/yum.conf.jinja
View File

@@ -12,6 +12,6 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }}
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release distroverpkg=centos-release
clean_requirements_on_remove=1 clean_requirements_on_remove=1
{% if proxy -%} {%- if proxy %}
proxy={{ proxy }} proxy={{ proxy }}
{% endif %} {%- endif %}

4
salt/repo/client/map.jinja
View File

@@ -11,6 +11,10 @@
'Rocky-Sources.repo', 'Rocky-Sources.repo',
'Rocky-Vault.repo', 'Rocky-Vault.repo',
'Rocky-x86_64-kernel.repo', 'Rocky-x86_64-kernel.repo',
'rocky-addons.repo',
'rocky-devel.repo',
'rocky-extras.repo',
'rocky.repo',
'docker-ce.repo', 'docker-ce.repo',
'epel.repo', 'epel.repo',
'epel-testing.repo', 'epel-testing.repo',

1
salt/soc/defaults.yaml
View File

@@ -1006,6 +1006,7 @@ soc:
baseUrl: / baseUrl: /
maxPacketCount: 5000 maxPacketCount: 5000
htmlDir: html htmlDir: html
importUploadDir: /nsm/soc/uploads
airgapEnabled: false airgapEnabled: false
modules: modules:
cases: soc cases: soc

1
salt/soc/enabled.sls
View File

@@ -23,6 +23,7 @@ so-soc:
- ipv4_address: {{ DOCKER.containers['so-soc'].ip }} - ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
- binds: - binds:
- /nsm/soc/jobs:/opt/sensoroni/jobs:rw - /nsm/soc/jobs:/opt/sensoroni/jobs:rw
- /nsm/soc/uploads:/nsm/soc/uploads:rw
- /opt/so/log/soc/:/opt/sensoroni/logs/:rw - /opt/so/log/soc/:/opt/sensoroni/logs/:rw
- /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro
- /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro - /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro

17
salt/soc/files/bin/salt-relay.sh
View File

@@ -4,6 +4,8 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
. /usr/sbin/so-common
PIPE_OWNER=${PIPE_OWNER:-socore} PIPE_OWNER=${PIPE_OWNER:-socore}
PIPE_GROUP=${PIPE_GROUP:-socore} PIPE_GROUP=${PIPE_GROUP:-socore}
SOC_PIPE=${SOC_PIPE:-/opt/so/conf/soc/salt/pipe} SOC_PIPE=${SOC_PIPE:-/opt/so/conf/soc/salt/pipe}
@@ -185,7 +187,9 @@ function send_file() {
log "Cleanup: $cleanup" log "Cleanup: $cleanup"
log "encrypting..." log "encrypting..."
gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from" password=$(lookup_pillar_secret import_pass)
response=$(gpg --passphrase "$password" --batch --symmetric --cipher-algo AES256 "$from")
log Response:$'\n'"$response"
fromgpg="$from.gpg" fromgpg="$from.gpg"
filename=$(basename "$fromgpg") filename=$(basename "$fromgpg")
@@ -228,18 +232,23 @@ function import_file() {
filegpg="$file.gpg" filegpg="$file.gpg"
log "decrypting..." log "decrypting..."
$CMD_PREFIX "salt '$node' cmd.run 'gpg --passphrase \"infected\" --batch --decrypt \"$filegpg\" > \"$file\"'" password=$(lookup_pillar_secret import_pass)
decrypt_cmd="gpg --passphrase $password -o $file.tmp --batch --decrypt $filegpg"
$CMD_PREFIX salt "$node" cmd.run "\"$decrypt_cmd\""
decrypt_code=$? decrypt_code=$?
if [[ $decrypt_code -eq 0 ]]; then if [[ $decrypt_code -eq 0 ]]; then
mv "$file.tmp" "$file"
log "importing..." log "importing..."
case $importer in case $importer in
pcap) pcap)
response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file --json'") import_cmd="so-import-pcap $file --json"
response=$($CMD_PREFIX salt "$node" cmd.run "\"$import_cmd\"")
exit_code=$? exit_code=$?
;; ;;
evtx) evtx)
response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file --json'") import_cmd="so-import-evtx $file --json"
response=$($CMD_PREFIX salt "$node" cmd.run "\"$import_cmd\"")
exit_code=$? exit_code=$?
;; ;;
*) *)

9
setup/so-functions
View File

@@ -1296,6 +1296,7 @@ generate_passwords(){
KRATOSKEY=$(get_random_value) KRATOSKEY=$(get_random_value)
REDISPASS=$(get_random_value) REDISPASS=$(get_random_value)
SOCSRVKEY=$(get_random_value 64) SOCSRVKEY=$(get_random_value 64)
IMPORTPASS=$(get_random_value)
} }
generate_interface_vars() { generate_interface_vars() {
@@ -2102,6 +2103,7 @@ secrets_pillar(){
" playbook_admin: $PLAYBOOKADMINPASS"\ " playbook_admin: $PLAYBOOKADMINPASS"\
" playbook_automation: $PLAYBOOKAUTOMATIONPASS"\ " playbook_automation: $PLAYBOOKAUTOMATIONPASS"\
" playbook_automation_api_key: "\ " playbook_automation_api_key: "\
" import_pass: $IMPORTPASS"\
" influx_pass: $INFLUXPASS" > $local_salt_dir/pillar/secrets.sls " influx_pass: $INFLUXPASS" > $local_salt_dir/pillar/secrets.sls
fi fi
} }
@@ -2402,7 +2404,12 @@ update_sudoers_for_testing() {
update_packages() { update_packages() {
if [[ $is_rocky ]]; then if [[ $is_rocky ]]; then
logCmd "dnf repolist" logCmd "dnf repolist"
logCmd "dnf -y update --allowerasing --exclude=salt*,wazuh*,docker*,containerd*" logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
RMREPOFILES=("rocky-addons.repo" "rocky-devel.repo" "rocky-extras.repo" "rocky.repo")
info "Removing repo files added by rocky-repos package update"
for FILE in ${RMREPOFILES[@]}; do
logCmd "rm -f /etc/yum.repos.d/$FILE"
done
else else
info "Running apt-get update" info "Running apt-get update"
retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup