Merge pull request #11040 from Security-Onion-Solutions/2.4/dev

2.4.10
This commit is contained in:
Mike Reeves
2023-08-15 07:14:03 -04:00
committed by GitHub
45 changed files with 682 additions and 308 deletions


@@ -1,18 +1,18 @@
### 2.4.5-20230807 ISO image released on 2023/08/07 ### 2.4.10-20230815 ISO image released on 2023/08/15
### Download and Verify ### Download and Verify
2.4.5-20230807 ISO image: 2.4.10-20230815 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.5-20230807.iso https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230815.iso
MD5: F83FD635025A3A65B380EAFCEB61A92E MD5: 97AEC929FB1FC22F106C0C93E3476FAB
SHA1: 5864D4CD520617E3328A3D956CAFCC378A8D2D08 SHA1: 78AF37FD19FDC34BA324C1A661632D19D1F2284A
SHA256: D333BAE0DD198DFD80DF59375456D228A4E18A24EDCDB15852CD4CA3F92B69A7 SHA256: D04BA45D1664FC3CF7EA2188CB7E570642F6390C3959B4AFBB8222A853859394
Signature for ISO image: Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.5-20230807.iso.sig https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230815.iso.sig
Signing key: Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
Download the signature file for the ISO: Download the signature file for the ISO:
``` ```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.5-20230807.iso.sig wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230815.iso.sig
``` ```
Download the ISO image: Download the ISO image:
``` ```
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.5-20230807.iso wget https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230815.iso
``` ```
Verify the downloaded ISO image using the signature file: Verify the downloaded ISO image using the signature file:
``` ```
gpg --verify securityonion-2.4.5-20230807.iso.sig securityonion-2.4.5-20230807.iso gpg --verify securityonion-2.4.10-20230815.iso.sig securityonion-2.4.10-20230815.iso
``` ```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below: The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
``` ```
gpg: Signature made Sat 05 Aug 2023 10:12:46 AM EDT using RSA key ID FE507013 gpg: Signature made Sun 13 Aug 2023 05:30:29 PM EDT using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>" gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature! gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner. gpg: There is no indication that the signature belongs to the owner.


@@ -1,6 +1,6 @@
## Security Onion 2.4 Release Candidate 2 (RC2) ## Security Onion 2.4
Security Onion 2.4 Release Candidate 2 (RC2) is here! Security Onion 2.4 is here!
## Screenshots ## Screenshots


@@ -1 +1 @@
2.4.5 2.4.10


@@ -5,15 +5,15 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
source /usr/sbin/so-common
doc_desktop_url="$DOC_BASE_URL/desktop.html"
{# we only want the script to install the desktop if it is Rocky -#} {# we only want the script to install the desktop if it is OEL -#}
{% if grains.os == 'Rocky' -%} {% if grains.os == 'OEL' -%}
{# if this is a manager -#} {# if this is a manager -#}
{% if grains.master == grains.id.split('_')|first -%} {% if grains.master == grains.id.split('_')|first -%}
source /usr/sbin/so-common pillar_file="/opt/so/saltstack/local/pillar/minions/adv_{{grains.id}}.sls"
doc_desktop_url="$DOC_BASE_URL/desktop.html"
pillar_file="/opt/so/saltstack/local/pillar/minions/{{grains.id}}.sls"
if [ -f "$pillar_file" ]; then if [ -f "$pillar_file" ]; then
if ! grep -q "^desktop:$" "$pillar_file"; then if ! grep -q "^desktop:$" "$pillar_file"; then
@@ -65,7 +65,7 @@ if [ -f "$pillar_file" ]; then
fi fi
else # desktop is already added else # desktop is already added
echo "The desktop pillar already exists in $pillar_file." echo "The desktop pillar already exists in $pillar_file."
echo "To enable/disable the gui, set 'desktop:gui:enabled' to true or false in $pillar_file." echo "To enable/disable the gui, set 'desktop:gui:enabled' to true or false in $pillar_file. Alternatively, this can be set in the SOC UI under advanced."
echo "Additional documentation can be found at $doc_desktop_url." echo "Additional documentation can be found at $doc_desktop_url."
fi fi
else # if the pillar file doesn't exist else # if the pillar file doesn't exist
@@ -75,17 +75,22 @@ fi
{#- if this is not a manager #} {#- if this is not a manager #}
{% else -%} {% else -%}
echo "Since this is not a manager, the pillar values to enable Security Onion Desktop must be set manually. Please view the documentation at $doc_desktop_url." echo "Since this is not a manager, the pillar values to enable Security Onion Desktop must be set manually. This can be enabled in the SOC UI under advanced by adding the following:"
echo "desktop:"
echo " gui:"
echo " enabled: true"
echo ""
echo "Please view the documentation at $doc_desktop_url."
{#- endif if this is a manager #} {#- endif if this is a manager #}
{% endif -%} {% endif -%}
{#- if not Rocky #} {#- if not OEL #}
{%- else %} {%- else %}
echo "The Security Onion Desktop can only be installed on Rocky Linux. Please view the documentation at $doc_desktop_url." echo "The Security Onion Desktop can only be installed on Oracle Linux. Please view the documentation at $doc_desktop_url."
{#- endif grains.os == Rocky #} {#- endif grains.os == OEL #}
{% endif -%} {% endif -%}
exit 0 exit 0


@@ -0,0 +1,8 @@
# Specify the dconf path
[org/gnome/desktop/background]
# Specify the path to the desktop background image file
picture-uri='file:///usr/local/share/backgrounds/so-wallpaper.jpg'
# Specify one of the rendering options for the background image:
picture-options='zoom'


@@ -3,7 +3,6 @@
{# we only want this state to run it is CentOS #} {# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'OEL' %} {% if GLOBALS.os == 'OEL' %}
desktop_packages: desktop_packages:
pkg.installed: pkg.installed:
- pkgs: - pkgs:


@@ -31,6 +31,6 @@ update_ca_certs:
desktop_trusted-ca_os_fail: desktop_trusted-ca_os_fail:
test.fail_without_changes: test.fail_without_changes:
- comment: 'SO Desktop can only be installed on CentOS' - comment: 'SO Desktop can only be installed on Oracle Linux'
{% endif %} {% endif %}
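Review bot: The jinja comment in the desktop packages state one file earlier still reads `{# we only want this state to run it is CentOS #}` while its guard is `GLOBALS.os == 'OEL'`, so the wording this hunk corrects in the failure comment is left stale there. Suggest `{# we only want this state to run if it is OEL #}` in that file for consistency with the `'SO Desktop can only be installed on Oracle Linux'` text introduced here.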


@@ -35,6 +35,23 @@ convert_gnome_classic:
{% endif %} {% endif %}
{% endfor %} {% endfor %}
desktop_wallpaper:
file.managed:
- name: /usr/local/share/backgrounds/so-wallpaper.jpg
- source: salt://desktop/files/so-wallpaper.jpg
- makedirs: True
set_wallpaper:
file.managed:
- name: /etc/dconf/db/local.d/00-background
- source: salt://desktop/files/00-background
run_dconf_update:
cmd.run:
- name: 'dconf update'
- onchanges:
- file: set_wallpaper
{% else %} {% else %}
desktop_xwindows_os_fail: desktop_xwindows_os_fail:
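Review bot: `set_wallpaper` writes `/etc/dconf/db/local.d/00-background` without `- makedirs: True`, unlike the `desktop_wallpaper` state directly above it; if `local.d` is absent on a fresh install the state fails and `run_dconf_update` never fires. Add `- makedirs: True` under `set_wallpaper`. Separately, a keyfile in `local.d` only takes effect when a dconf profile (typically `/etc/dconf/profile/user`) lists `system-db:local`; nothing in this hunk manages such a profile, so unless it is handled elsewhere in the state the database will be compiled but never consulted. The `{% else %}` at the end belongs to a conditional that starts outside the hunk.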


@@ -28,9 +28,17 @@ elasticfleet:
- aws - aws
- azure - azure
- cloudflare - cloudflare
- elasticsearch
- endpoint - endpoint
- fleet_server
- fim - fim
- github - github
- google_workspace - google_workspace
- log - log
- osquery_manager
- redis
- system
- tcp
- udp
- windows
- 1password - 1password


@@ -22,6 +22,7 @@ include:
so-elastic-fleet-auto-configure-logstash-outputs: so-elastic-fleet-auto-configure-logstash-outputs:
cmd.run: cmd.run:
- name: /usr/sbin/so-elastic-fleet-outputs-update - name: /usr/sbin/so-elastic-fleet-outputs-update
- retry: True
{% endif %} {% endif %}
# If enabled, automatically update Fleet Server URLs & ES Connection # If enabled, automatically update Fleet Server URLs & ES Connection
@@ -29,6 +30,7 @@ so-elastic-fleet-auto-configure-logstash-outputs:
so-elastic-fleet-auto-configure-server-urls: so-elastic-fleet-auto-configure-server-urls:
cmd.run: cmd.run:
- name: /usr/sbin/so-elastic-fleet-urls-update - name: /usr/sbin/so-elastic-fleet-urls-update
- retry: True
{% endif %} {% endif %}
# Automatically update Fleet Server Elasticsearch URLs # Automatically update Fleet Server Elasticsearch URLs
@@ -36,6 +38,7 @@ so-elastic-fleet-auto-configure-server-urls:
so-elastic-fleet-auto-configure-elasticsearch-urls: so-elastic-fleet-auto-configure-elasticsearch-urls:
cmd.run: cmd.run:
- name: /usr/sbin/so-elastic-fleet-es-url-update - name: /usr/sbin/so-elastic-fleet-es-url-update
- retry: True
{% endif %} {% endif %}
{% if SERVICETOKEN != '' %} {% if SERVICETOKEN != '' %}
@@ -106,6 +109,11 @@ so-elastic-fleet:
so-elastic-fleet-integrations: so-elastic-fleet-integrations:
cmd.run: cmd.run:
- name: /usr/sbin/so-elastic-fleet-integration-policy-load - name: /usr/sbin/so-elastic-fleet-integration-policy-load
so-elastic-agent-grid-upgrade:
cmd.run:
- name: /usr/sbin/so-elastic-agent-grid-upgrade
- retry: True
{% endif %} {% endif %}
delete_so-elastic-fleet_so-status.disabled: delete_so-elastic-fleet_so-status.disabled:


@@ -56,6 +56,11 @@ elastic_fleet_package_version_check() {
curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.version' curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.version'
} }
elastic_fleet_package_latest_version_check() {
PACKAGE=$1
curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.latestVersion'
}
elastic_fleet_package_install() { elastic_fleet_package_install() {
PKGKEY=$1 PKGKEY=$1
curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PKGKEY" curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PKGKEY"
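Review bot: `elastic_fleet_package_latest_version_check` prints the literal string `null` (or nothing if curl returns no body) when the package lookup fails, because `jq -r '.item.latestVersion'` has no fallback; the new so-elastic-fleet-package-upgrade script then hands `{{ PACKAGE }}-null` straight to `elastic_fleet_package_install`. Use `jq -r '.item.latestVersion // empty'` here and have that caller skip the package when `VERSION` is empty. The same bare extraction exists in `elastic_fleet_package_version_check` above it, which is context in this hunk. `-s` also discards curl's own error output; `-sS` keeps errors on stderr without changing what is captured on stdout.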


@@ -9,6 +9,9 @@
RETURN_CODE=0 RETURN_CODE=0
if [ ! -f /opt/so/state/eaintegrations.txt ]; then if [ ! -f /opt/so/state/eaintegrations.txt ]; then
# First, check for any package upgrades
/usr/sbin/so-elastic-fleet-package-upgrade
# Initial Endpoints # Initial Endpoints
for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json
do do
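Review bot: The call to `/usr/sbin/so-elastic-fleet-package-upgrade` after the `# First, check for any package upgrades` comment ignores its exit status, so the endpoint integrations below are loaded even if the upgrade step failed part-way. Since `RETURN_CODE=0` is tracked at the top of this hunk, `/usr/sbin/so-elastic-fleet-package-upgrade || RETURN_CODE=$?` would surface the failure, assuming RETURN_CODE is what the script finally exits with (its use is outside the hunk). This is only meaningful once the upgrade script itself propagates a non-zero status, which as written it does not, since it has no `set -e` and ends with `echo`. The enclosing `if [ ! -f /opt/so/state/eaintegrations.txt ]` block continues past the hunk.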


@@ -0,0 +1,38 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.
. /usr/sbin/so-common
# Only run on Managers
if ! is_manager_node; then
printf "Not a Manager Node... Exiting"
exit 0
fi
# Get current list of Grid Node Agents that need to be upgraded
RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/agents?perPage=20&page=1&kuery=policy_id%20%3A%20so-grid-nodes_%2A&showInactive=false&showUpgradeable=true&getStatusSummary=true")
# Check to make sure that the server responded with good data - else, bail from script
CHECKSUM=$(jq -r '.page' <<< "$RAW_JSON")
if [ "$CHECKSUM" -ne 1 ]; then
printf "Failed to query for current Grid Agents...\n"
exit 1
fi
# Generate list of Node Agents that need updates
OUTDATED_LIST=$(jq -r '.items | map(.id) | (tojson)' <<< "$RAW_JSON")
if [ "$OUTDATED_LIST" != '[]' ]; then
AGENTNUMBERS=$(jq -r '.total' <<< "$RAW_JSON")
printf "Initiating upgrades for $AGENTNUMBERS Agents to Elastic $ELASTIC_AGENT_TARBALL_VERSION...\n\n"
# Generate updated JSON payload
JSON_STRING=$(jq -n --arg ELASTICVERSION $ELASTIC_AGENT_TARBALL_VERSION --arg UPDATELIST $OUTDATED_LIST '{"version": $ELASTICVERSION,"agents": $UPDATELIST }')
# Update Node Agents
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "http://localhost:5601/api/fleet/agents/bulk_upgrade" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
else
printf "No Agents need updates... Exiting\n\n"
exit 0
fi
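Review bot: The response guard `if [ "$CHECKSUM" -ne 1 ]` fails open: when Kibana is unreachable or returns a non-JSON body, `jq -r '.page'` yields an empty string or `null`, `[` reports an integer-expression error with status 2, the `if` treats that as false, and the script continues toward the `bulk_upgrade` POST. Compare as a string instead, and pass the agent list with `--argjson` and quoted: `--arg UPDATELIST $OUTDATED_LIST` embeds the list as a JSON string rather than an array (unless the bulk_upgrade endpoint accepts that form, which is worth confirming), and the unquoted `[...]` value is also a glob pattern the shell may expand against files in the working directory. The same unquoted `--arg UPDATEDLIST $NEW_LIST_JSON` appears in the so-elastic-fleet-es-url-update hunk. `printf` is also given `$AGENTNUMBERS` inside its format string; `printf '... %s ...\n' "$AGENTNUMBERS"` avoids a stray `%` being parsed as a conversion.
```shell
# … unchanged: license header, so-common sourcing, manager check, curl query into RAW_JSON …
CHECKSUM=$(jq -r '.page' <<< "$RAW_JSON" 2>/dev/null)
if [ "$CHECKSUM" != "1" ]; then
  printf "Failed to query for current Grid Agents...\n"
  exit 1
fi
# … unchanged: OUTDATED_LIST / AGENTNUMBERS …
printf 'Initiating upgrades for %s Agents to Elastic %s...\n\n' "$AGENTNUMBERS" "$ELASTIC_AGENT_TARBALL_VERSION"
JSON_STRING=$(jq -n --arg ELASTICVERSION "$ELASTIC_AGENT_TARBALL_VERSION" --argjson UPDATELIST "$OUTDATED_LIST" '{"version": $ELASTICVERSION,"agents": $UPDATELIST }')
# … unchanged: bulk_upgrade POST and else branch …
```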


@@ -12,9 +12,13 @@ if ! is_manager_node; then
fi fi
function update_es_urls() { function update_es_urls() {
# Generate updated JSON payload
JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"is_default":false,"is_default_monitoring":false,"config_yaml":""}')
# Generate updated JSON payload
{% if grains.role not in ['so-import', 'so-eval'] %}
JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"config_yaml":""}')
{%- else %}
JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":""}')
{%- endif %}
# Update Fleet Elasticsearch URLs # Update Fleet Elasticsearch URLs
curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_elasticsearch" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_elasticsearch" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
} }
@@ -42,6 +46,13 @@ NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "$
NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}') NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
# Compare the current & new list of URLs - if different, update the Fleet Elasticsearch URLs # Compare the current & new list of URLs - if different, update the Fleet Elasticsearch URLs
if [ "$1" = "--force" ]; then
printf "\nUpdating List, since --force was specified.\n"
printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
update_es_urls
exit 0
fi
if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
printf "\nHashes match - no update needed.\n" printf "\nHashes match - no update needed.\n"
printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n" printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
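Review bot: The new `--force` branch calls `update_es_urls` and then `exit 0` regardless of whether the PUT succeeded; `update_es_urls` in the earlier hunk does not check curl's status either, and curl without `--fail` returns 0 on an HTTP 4xx/5xx, so a rejected update reads as success to the `so-elastic-fleet-auto-configure-elasticsearch-urls` state that now runs this script with `- retry: True`. Add `--fail` to that curl and propagate with `update_es_urls || exit 1`, or replace `exit 0` with `exit $?`. `--force` is also only recognised as the first argument, which is fine but worth a comment such as `# --force must be the first argument`. The hash-comparison branch that follows continues outside the hunk.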


@@ -0,0 +1,17 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.
{%- import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %}
{%- set SUPPORTED_PACKAGES = salt['pillar.get']('elasticfleet:packages', default=ELASTICFLEETDEFAULTS.elasticfleet.packages, merge=True) %}
. /usr/sbin/so-elastic-fleet-common
{%- for PACKAGE in SUPPORTED_PACKAGES %}
echo "Upgrading {{ PACKAGE }} package..."
VERSION=$(elastic_fleet_package_latest_version_check "{{ PACKAGE }}")
elastic_fleet_package_install "{{ PACKAGE }}-$VERSION"
echo
{%- endfor %}
echo
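Review bot: The loop reinstalls every package in SUPPORTED_PACKAGES on each run, even when the installed version already equals `latestVersion`; `elastic_fleet_package_version_check` from the sourced so-elastic-fleet-common returns the installed version, so compare the two and skip when they match. The script also has no `set -e` and its last command is `echo`, so its exit status is 0 no matter how many installs failed, which matters now that so-elastic-fleet-integration-policy-load calls it before loading integrations. Note that `elastic_fleet_package_install` runs curl without `--fail`, so even a tracked status only reflects transport errors unless that helper is changed too.
```shell
# … unchanged: license header, jinja imports, sourcing so-elastic-fleet-common …
FAILED=0
{%- for PACKAGE in SUPPORTED_PACKAGES %}
CURRENT=$(elastic_fleet_package_version_check "{{ PACKAGE }}")
LATEST=$(elastic_fleet_package_latest_version_check "{{ PACKAGE }}")
if [ -z "$LATEST" ] || [ "$LATEST" = "null" ]; then
  echo "Could not determine latest version of {{ PACKAGE }}, skipping..."
  FAILED=1
elif [ "$CURRENT" = "$LATEST" ]; then
  echo "{{ PACKAGE }} is already at $LATEST"
else
  echo "Upgrading {{ PACKAGE }} package to $LATEST..."
  elastic_fleet_package_install "{{ PACKAGE }}-$LATEST" || FAILED=1
fi
echo
{%- endfor %}
exit $FAILED
```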


@@ -113,7 +113,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-system.auth: so-logs-system_x_auth:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -132,7 +132,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-system.syslog: so-logs-system_x_syslog:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -151,7 +151,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-system.system: so-logs-system_x_system:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -170,7 +170,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-system.application: so-logs-system_x_application:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -189,7 +189,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-system.security: so-logs-system_x_security:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -208,7 +208,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-windows.forwarded: so-logs-windows_x_forwarded:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -226,7 +226,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-windows.powershell: so-logs-windows_x_powershell:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -244,7 +244,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-windows.powershell_operational: so-logs-windows_x_powershell_operational:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -262,7 +262,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-windows.sysmon_operational: so-logs-windows_x_sysmon_operational:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -280,7 +280,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-aws.cloudtrail: so-logs-aws_x_cloudtrail:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -298,7 +298,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-aws.cloudwatch_logs: so-logs-aws_x_cloudwatch_logs:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -316,7 +316,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-aws.ec2_logs: so-logs-aws_x_ec2_logs:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -334,7 +334,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-aws.elb_logs: so-logs-aws_x_elb_logs:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -352,7 +352,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-aws.firewall_logs: so-logs-aws_x_firewall_logs:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -370,7 +370,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-aws.route53_public_logs: so-logs-aws_x_route53_public_logs:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -388,7 +388,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-aws.route53_resolver_logs: so-logs-aws_x_route53_resolver_logs:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -406,7 +406,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-aws.s3access: so-logs-aws_x_s3access:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -424,7 +424,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-aws.vpcflow: so-logs-aws_x_vpcflow:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -442,7 +442,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-aws.waf: so-logs-aws_x_waf:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -460,7 +460,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-azure.activitylogs: so-logs-azure_x_activitylogs:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -478,7 +478,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-azure.application_gateway: so-logs-azure_x_application_gateway:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -496,7 +496,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-azure.auditlogs: so-logs-azure_x_auditlogs:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -514,7 +514,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-azure.eventhub: so-logs-azure_x_eventhub:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -532,7 +532,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-azure.firewall_logs: so-logs-azure_x_firewall_logs:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -550,7 +550,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-azure.identity_protection: so-logs-azure_x_identity_protection:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -568,7 +568,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-azure.platformlogs: so-logs-azure_x_platformlogs:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -586,7 +586,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-azure.provisioning: so-logs-azure_x_provisioning:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -604,7 +604,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-azure.signinlogs: so-logs-azure_x_signinlogs:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -622,7 +622,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-azure.springcloudlogs: so-logs-azure_x_springcloudlogs:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -640,7 +640,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-cloudflare.audit: so-logs-cloudflare_x_audit:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -658,7 +658,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-cloudflare.logpull: so-logs-cloudflare_x_logpull:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -676,7 +676,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-fim.event: so-logs-fim_x_event:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -694,7 +694,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-github.audit: so-logs-github_x_audit:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -712,7 +712,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-github.code_scanning: so-logs-github_x_code_scanning:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -730,7 +730,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-github.dependabot: so-logs-github_x_dependabot:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -748,7 +748,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-github.issues: so-logs-github_x_issues:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -766,7 +766,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-github.secret_scanning: so-logs-github_x_secret_scanning:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -784,7 +784,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-google_workspace.access_transparency: so-logs-google_workspace_x_access_transparency:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -802,7 +802,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-google_workspace.admin: so-logs-google_workspace_x_admin:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -820,7 +820,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-google_workspace.alert: so-logs-google_workspace_x_alert:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -838,7 +838,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-google_workspace.context_aware_access: so-logs-google_workspace_x_context_aware_access:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -856,7 +856,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-google_workspace.device: so-logs-google_workspace_x_device:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -874,7 +874,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-google_workspace.drive: so-logs-google_workspace_x_drive:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -892,7 +892,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-google_workspace.gcp: so-logs-google_workspace_x_gcp:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -910,7 +910,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-google_workspace.group_enterprise: so-logs-google_workspace_x_group_enterprise:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -928,7 +928,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-google_workspace.groups: so-logs-google_workspace_x_groups:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -946,7 +946,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-google_workspace.login: so-logs-google_workspace_x_login:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -964,7 +964,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-google_workspace.rules: so-logs-google_workspace_x_rules:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -982,7 +982,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-google_workspace.saml: so-logs-google_workspace_x_saml:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1000,7 +1000,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-google_workspace.token: so-logs-google_workspace_x_token:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1018,7 +1018,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-google_workspace.user_accounts: so-logs-google_workspace_x_user_accounts:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1036,7 +1036,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-1password.item_usages: so-logs-1password_x_item_usages:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1054,7 +1054,7 @@ elasticsearch:
data_stream: data_stream:
hidden: false hidden: false
allow_custom_routing: false allow_custom_routing: false
so-logs-1password.signin_attempts: so-logs-1password_x_signin_attempts:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1089,7 +1089,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-osquery-manager-action.responses: so-logs-osquery-manager-action_x_responses:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1106,7 +1106,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-elastic_agent.apm_server: so-logs-elastic_agent_x_apm_server:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1160,7 +1160,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-elastic_agent.auditbeat: so-logs-elastic_agent_x_auditbeat:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1214,7 +1214,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-elastic_agent.cloudbeat: so-logs-elastic_agent_x_cloudbeat:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1265,7 +1265,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-elastic_agent.endpoint_security: so-logs-elastic_agent_x_endpoint_security:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1314,7 +1314,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-endpoint.alerts: so-logs-endpoint_x_alerts:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1363,7 +1363,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-endpoint.events.api: so-logs-endpoint_x_events_x_api:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1412,7 +1412,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-endpoint.events.file: so-logs-endpoint_x_events_x_file:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1461,7 +1461,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-endpoint.events.library: so-logs-endpoint_x_events_x_library:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1510,7 +1510,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-endpoint.events.network: so-logs-endpoint_x_events_x_network:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1559,7 +1559,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-endpoint.events.process: so-logs-endpoint_x_events_x_process:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1608,7 +1608,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-endpoint.events.registry: so-logs-endpoint_x_events_x_registry:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1657,7 +1657,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-endpoint.events.security: so-logs-endpoint_x_events_x_security:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1706,7 +1706,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-elastic_agent.filebeat: so-logs-elastic_agent_x_filebeat:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1755,7 +1755,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-elastic_agent.fleet_server: so-logs-elastic_agent_x_fleet_server:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1801,7 +1801,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-elastic_agent.heartbeat: so-logs-elastic_agent_x_heartbeat:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1907,7 +1907,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-elastic_agent.metricbeat: so-logs-elastic_agent_x_metricbeat:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -1956,7 +1956,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-elastic_agent.osquerybeat: so-logs-elastic_agent_x_osquerybeat:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:
@@ -2005,7 +2005,7 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-elastic_agent.packetbeat: so-logs-elastic_agent_x_packetbeat:
index_sorting: False index_sorting: False
index_template: index_template:
index_patterns: index_patterns:


@@ -47,27 +47,25 @@ elasticsearch:
global: True global: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
index_settings: index_settings:
so-elasticsearch: &indexSettings so-logs: &indexSettings
warm:
description: Age (in days) of this index before it will move to warm storage, if warm nodes are present. Once moved, events on this index can take longer to fetch.
global: True
helpLink: elasticsearch.html
close:
description: Age (in days) of this index before it will be closed. Once closed, events on this index cannot be retrieved without first re-opening the index.
global: True
helpLink: elasticsearch.html
delete:
description: Age (in days) of this index before it will be deleted. Once deleted, events are permanently unrecoverable.
global: True
helpLink: elasticsearch.html
index_sorting: index_sorting:
description: Sorts the index by event time, at the cost of additional processing resource consumption. description: Sorts the index by event time, at the cost of additional processing resource consumption.
global: True global: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
index_template: index_template:
index_patterns:
description: Patterns for matching multiple indices or tables.
forceType: "[]string"
multiline: True
global: True
helpLink: elasticsearch.html
template: template:
settings: settings:
index: index:
number_of_replicas:
description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
global: True
helpLink: elasticsearch.html
mapping: mapping:
total_fields: total_fields:
limit: limit:
@@ -75,17 +73,59 @@ elasticsearch:
global: True global: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
refresh_interval: refresh_interval:
description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation. description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation.
global: True global: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
number_of_shards: number_of_shards:
description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs. description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
global: True
helpLink: elasticsearch.html
sort:
field:
description: The field to sort by. Must set index_sorting to True.
global: True global: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
number_of_replicas: order:
description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs. description: The order to sort by. Must set index_sorting to True.
global: True global: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
mappings:
_meta:
package:
name:
description: Meta settings for the mapping.
global: True
helpLink: elasticsearch.html
managed_by:
description: Meta settings for the mapping.
global: True
helpLink: elasticsearch.html
managed:
description: Meta settings for the mapping.
forcedType: bool
global: True
helpLink: elasticsearch.html
composed_of:
description: The index template is composed of these component templates.
forcedType: "[]string"
global: True
helpLink: elasticsearch.html
priority:
description: The priority of the index template.
forcedType: int
global: True
helpLink: elasticsearch.html
data_stream:
hidden:
description: Hide the data stream.
forcedType: bool
global: True
helpLink: elasticsearch.html
allow_custom_routing:
description: Allow custom routing for the data stream.
forcedType: bool
global: True
helpLink: elasticsearch.html
policy: policy:
phases: phases:
hot: hot:
@@ -97,6 +137,7 @@ elasticsearch:
set_priority: set_priority:
priority: priority:
description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
forcedType: int
global: True global: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
rollover: rollover:
@@ -117,19 +158,111 @@ elasticsearch:
set_priority: set_priority:
priority: priority:
description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities. description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
forcedType: int
global: True global: True
helpLink: elasticsearch.html helpLink: elasticsearch.html
delete: delete:
min_age: min_age:
description: Minimum age of index. This determines when the index should be deleted. description: Minimum age of index. This determines when the index should be deleted.
global: True global: True
helpLink: elastic helpLink: elasticsearch.html
_meta:
package:
name:
description: Meta settings for the mapping.
global: True
helpLink: elasticsearch.html
managed_by:
description: Meta settings for the mapping.
global: True
helpLink: elasticsearch.html
managed:
description: Meta settings for the mapping.
forcedType: bool
global: True
helpLink: elasticsearch.html
so-logs-system_x_auth: *indexSettings
so-logs-system_x_syslog: *indexSettings
so-logs-system_x_system: *indexSettings
so-logs-system_x_application: *indexSettings
so-logs-system_x_security: *indexSettings
so-logs-windows_x_forwarded: *indexSettings
so-logs-windows_x_powershell: *indexSettings
so-logs-windows_x_powershell_operational: *indexSettings
so-logs-windows_x_sysmon_operational: *indexSettings
so-logs-aws_x_cloudtrail: *indexSettings
so-logs-aws_x_cloudwatch_logs: *indexSettings
so-logs-aws_x_ec2_logs: *indexSettings
so-logs-aws_x_elb_logs: *indexSettings
so-logs-aws_x_firewall_logs: *indexSettings
so-logs-aws_x_route53_public_logs: *indexSettings
so-logs-aws_x_route53_resolver_logs: *indexSettings
so-logs-aws_x_s3access: *indexSettings
so-logs-aws_x_vpcflow: *indexSettings
so-logs-aws_x_waf: *indexSettings
so-logs-azure_x_activitylogs: *indexSettings
so-logs-azure_x_application_gateway: *indexSettings
so-logs-azure_x_auditlogs: *indexSettings
so-logs-azure_x_eventhub: *indexSettings
so-logs-azure_x_firewall_logs: *indexSettings
so-logs-azure_x_identity_protection: *indexSettings
so-logs-azure_x_platformlogs: *indexSettings
so-logs-azure_x_provisioning: *indexSettings
so-logs-azure_x_signinlogs: *indexSettings
so-logs-azure_x_springcloudlogs: *indexSettings
so-logs-cloudflare_x_audit: *indexSettings
so-logs-cloudflare_x_logpull: *indexSettings
so-logs-fim_x_event: *indexSettings
so-logs-github_x_audit: *indexSettings
so-logs-github_x_code_scanning: *indexSettings
so-logs-github_x_dependabot: *indexSettings
so-logs-github_x_issues: *indexSettings
so-logs-github_x_secret_scanning: *indexSettings
so-logs-google_workspace_x_access_transparency: *indexSettings
so-logs-google_workspace_x_admin: *indexSettings
so-logs-google_workspace_x_alert: *indexSettings
so-logs-google_workspace_x_context_aware_access: *indexSettings
so-logs-google_workspace_x_device: *indexSettings
so-logs-google_workspace_x_drive: *indexSettings
so-logs-google_workspace_x_gcp: *indexSettings
so-logs-google_workspace_x_group_enterprise: *indexSettings
so-logs-google_workspace_x_groups: *indexSettings
so-logs-google_workspace_x_login: *indexSettings
so-logs-google_workspace_x_rules: *indexSettings
so-logs-google_workspace_x_saml: *indexSettings
so-logs-google_workspace_x_token: *indexSettings
so-logs-google_workspace_x_user_accounts: *indexSettings
so-logs-1password_x_item_usages: *indexSettings
so-logs-1password_x_signin_attempts: *indexSettings
so-logs-osquery-manager-actions: *indexSettings
so-logs-osquery-manager-action_x_responses: *indexSettings
so-logs-elastic_agent_x_apm_server: *indexSettings
so-logs-elastic_agent_x_auditbeat: *indexSettings
so-logs-elastic_agent_x_cloudbeat: *indexSettings
so-logs-elastic_agent_x_endpoint_security: *indexSettings
so-logs-endpoint_x_alerts: *indexSettings
so-logs-endpoint_x_events_x_api: *indexSettings
so-logs-endpoint_x_events_x_file: *indexSettings
so-logs-endpoint_x_events_x_library: *indexSettings
so-logs-endpoint_x_events_x_network: *indexSettings
so-logs-endpoint_x_events_x_process: *indexSettings
so-logs-endpoint_x_events_x_registry: *indexSettings
so-logs-endpoint_x_events_x_security: *indexSettings
so-logs-elastic_agent_x_filebeat: *indexSettings
so-logs-elastic_agent_x_fleet_server: *indexSettings
so-logs-elastic_agent_x_heartbeat: *indexSettings
so-logs-elastic_agent: *indexSettings
so-logs-elastic_agent_x_metricbeat: *indexSettings
so-logs-elastic_agent_x_osquerybeat: *indexSettings
so-logs-elastic_agent_x_packetbeat: *indexSettings
so-case: *indexSettings
so-common: *indexSettings
so-endgame: *indexSettings so-endgame: *indexSettings
so-firewall: *indexSettings so-idh: *indexSettings
so-suricata: *indexSettings
so-import: *indexSettings so-import: *indexSettings
so-kibana: *indexSettings so-kratos: *indexSettings
so-logstash: *indexSettings so-logstash: *indexSettings
so-osquery: *indexSettings
so-redis: *indexSettings so-redis: *indexSettings
so-strelka: *indexSettings so-strelka: *indexSettings
so-syslog: *indexSettings so-syslog: *indexSettings
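Review bot: The `_meta` annotations added twice in this section (under `mappings` and again directly under `index_template`) give `name`, `managed_by` and `managed` the identical description `Meta settings for the mapping.`, which tells a SOC config user neither what each key means nor that the second copy belongs to the template rather than the mapping. The defaults in the earlier section populate them as `name: elastic_agent`, `managed_by: security_onion`, `managed: true`, so distinct wording such as `description: Name of the package this template is associated with.`, `description: Identifies which component manages this template.` and `description: Whether this template is managed automatically; confirm before editing manually.` would be more useful, with the exact semantics checked against how the templates are consumed. The `so-logs: &indexSettings` anchor opens at the top of this section, but the `index_settings` map it sits in begins outside the hunk.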


@@ -1,9 +1,11 @@
{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %} {% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %} {%- set ES_INDEX_SETTINGS_ORIG = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
{% for index, settings in ES_INDEX_SETTINGS.items() %} {% set ES_INDEX_SETTINGS = {} %}
{% for index, settings in ES_INDEX_SETTINGS_ORIG.items() %}
{% if settings.index_template is defined %} {% if settings.index_template is defined %}
{% if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %} {% if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %}
{% do settings.index_template.template.settings.index.pop('sort') %} {% do settings.index_template.template.settings.index.pop('sort') %}
{% endif %} {% endif %}
{% endif %} {% endif %}
{% do ES_INDEX_SETTINGS.update({index | replace("_x_", "."): ES_INDEX_SETTINGS_ORIG[index]}) %}
{% endfor %} {% endfor %}
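Review bot: The added `replace("_x_", ".")` on the final `do` line rewrites every occurrence of `_x_` in a key and nothing in the file says why the defaults use that spelling; a one-line comment such as `{# defaults.yaml spells "." as "_x_" in index names because SOC config keys cannot contain dots; restore the real index name here #}` would save the next reader a hunt (the reason is inferred from the annotation file, so confirm it before committing to that wording). Because `ES_INDEX_SETTINGS_ORIG` comes from `pillar.get(..., merge=True)`, a pre-2.4.10 local pillar override written with the dotted name (for example `so-logs-endpoint.alerts`) would no longer merge with the renamed default `so-logs-endpoint_x_alerts`; both keys survive the merge and collapse onto the same dotted name in the `update()` call, with whichever is iterated last silently winning. If that upgrade path exists, either normalise keys before merging or migrate existing pillar keys in soup, whose `up_to_2.4.10` currently does nothing.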


@@ -6,8 +6,7 @@
. /usr/sbin/so-common . /usr/sbin/so-common
{%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %} {%- from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS %}
{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
{%- for index, settings in ES_INDEX_SETTINGS.items() %} {%- for index, settings in ES_INDEX_SETTINGS.items() %}
{%- if settings.policy is defined %} {%- if settings.policy is defined %}


@@ -20,13 +20,12 @@ firewall:
managersearch: [] managersearch: []
receiver: [] receiver: []
searchnode: [] searchnode: []
securityonion_desktop: []
self: [] self: []
sensor: [] sensor: []
standalone: [] standalone: []
strelka_frontend: [] strelka_frontend: []
syslog: [] syslog: []
workstation: [] desktop: []
customhostgroup0: [] customhostgroup0: []
customhostgroup1: [] customhostgroup1: []
customhostgroup2: [] customhostgroup2: []
@@ -462,7 +461,7 @@ firewall:
endgame: endgame:
portgroups: portgroups:
- endgame - endgame
workstation: desktop:
portgroups: portgroups:
- yum - yum
customhostgroup0: customhostgroup0:
@@ -514,7 +513,7 @@ firewall:
receiver: receiver:
portgroups: portgroups:
- salt_manager - salt_manager
workstation: desktop:
portgroups: portgroups:
- salt_manager - salt_manager
self: self:
@@ -650,7 +649,7 @@ firewall:
endgame: endgame:
portgroups: portgroups:
- endgame - endgame
workstation: desktop:
portgroups: portgroups:
- yum - yum
customhostgroup0: customhostgroup0:
@@ -702,7 +701,7 @@ firewall:
receiver: receiver:
portgroups: portgroups:
- salt_manager - salt_manager
workstation: desktop:
portgroups: portgroups:
- salt_manager - salt_manager
self: self:
@@ -846,7 +845,7 @@ firewall:
strelka_frontend: strelka_frontend:
portgroups: portgroups:
- strelka_frontend - strelka_frontend
workstation: desktop:
portgroups: portgroups:
- yum - yum
customhostgroup0: customhostgroup0:
@@ -901,7 +900,7 @@ firewall:
receiver: receiver:
portgroups: portgroups:
- salt_manager - salt_manager
workstation: desktop:
portgroups: portgroups:
- salt_manager - salt_manager
self: self:
@@ -1200,7 +1199,7 @@ firewall:
analyst: analyst:
portgroups: portgroups:
- nginx - nginx
workstation: desktop:
portgroups: portgroups:
- yum - yum
customhostgroup0: customhostgroup0:
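Review bot: Renaming the `workstation` hostgroup to `desktop` (and dropping `securityonion_desktop`) changes the key under which allowed host IPs are stored, yet the upgrade function `up_to_2.4.10` in soup is a no-op, so any deployment whose local firewall pillar already holds entries under `workstation:` (written by the old `so-firewall includehost workstation` call this commit also renames) would keep them under a key that no longer maps to any portgroups, and those hosts would lose access silently. If the local pillar is keyed this way, the upgrade should migrate `workstation` to `desktop` and decide what happens to `securityonion_desktop`, or the release notes should state that affected hosts must be re-added. The same rename recurs in the soc_firewall annotation section and in the so-firewall case arm; one migration covers all three.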


@@ -39,13 +39,12 @@ firewall:
managersearch: *hostgroupsettings managersearch: *hostgroupsettings
receiver: *hostgroupsettings receiver: *hostgroupsettings
searchnode: *hostgroupsettings searchnode: *hostgroupsettings
securityonion_desktop: *hostgroupsettings
self: *ROhostgroupsettingsadv self: *ROhostgroupsettingsadv
sensor: *hostgroupsettings sensor: *hostgroupsettings
standalone: *hostgroupsettings standalone: *hostgroupsettings
strelka_frontend: *hostgroupsettings strelka_frontend: *hostgroupsettings
syslog: *hostgroupsettings syslog: *hostgroupsettings
workstation: *hostgroupsettings desktop: *hostgroupsettings
customhostgroup0: &customhostgroupsettings customhostgroup0: &customhostgroupsettings
description: List of IP or CIDR blocks to allow to this hostgroup. description: List of IP or CIDR blocks to allow to this hostgroup.
forcedType: "[]string" forcedType: "[]string"
@@ -216,7 +215,7 @@ firewall:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
analyst: analyst:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
workstation: desktop:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
customhostgroup0: customhostgroup0:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
@@ -366,7 +365,7 @@ firewall:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
analyst: analyst:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
workstation: desktop:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
customhostgroup0: customhostgroup0:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
@@ -404,7 +403,7 @@ firewall:
portgroups: *portgroupshost portgroups: *portgroupshost
heavynode: heavynode:
portgroups: *portgroupshost portgroups: *portgroupshost
workstation: desktop:
portgroups: *portgroupshost portgroups: *portgroupshost
customhostgroup0: customhostgroup0:
portgroups: *portgroupshost portgroups: *portgroupshost
@@ -457,7 +456,7 @@ firewall:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
analyst: analyst:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
workstation: desktop:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
customhostgroup0: customhostgroup0:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
@@ -495,7 +494,7 @@ firewall:
portgroups: *portgroupshost portgroups: *portgroupshost
heavynode: heavynode:
portgroups: *portgroupshost portgroups: *portgroupshost
workstation: desktop:
portgroups: *portgroupshost portgroups: *portgroupshost
customhostgroup0: customhostgroup0:
portgroups: *portgroupshost portgroups: *portgroupshost
@@ -554,7 +553,7 @@ firewall:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
analyst: analyst:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
workstation: desktop:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
customhostgroup0: customhostgroup0:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
@@ -596,7 +595,7 @@ firewall:
portgroups: *portgroupshost portgroups: *portgroupshost
heavynode: heavynode:
portgroups: *portgroupshost portgroups: *portgroupshost
workstation: desktop:
portgroups: *portgroupshost portgroups: *portgroupshost
customhostgroup0: customhostgroup0:
portgroups: *portgroupshost portgroups: *portgroupshost
@@ -822,7 +821,7 @@ firewall:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
analyst: analyst:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
workstation: desktop:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
customhostgroup0: customhostgroup0:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker


@@ -63,12 +63,22 @@ delete_so-idstools_so-status.disabled:
so-rule-update: so-rule-update:
cron.present: cron.present:
- name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1 - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download_cron.log 2>&1
- identifier: so-rule-update - identifier: so-rule-update
- user: root - user: root
- minute: '1' - minute: '1'
- hour: '7' - hour: '7'
# order this last to give so-idstools container time to be ready
run_so-rule-update:
cmd.run:
- name: '/usr/sbin/so-rule-update > /opt/so/log/idstools/download_idstools_state.log 2>&1'
- require:
- docker_container: so-idstools
- onchanges:
- file: idstoolsetcsync
- order: last
{% else %} {% else %}
{{sls}}_state_not_allowed: {{sls}}_state_not_allowed:
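Review bot: The comment above `run_so-rule-update` (`# order this last to give so-idstools container time to be ready`) promises something `- order: last` and `- require: docker_container: so-idstools` do not deliver: they sequence this state after the container state but do not wait for the container to be accepting `docker exec`, so on a first highstate the script can still hit a container that is not up yet. Either add a short readiness poll (for example retrying `docker exec so-idstools true` a few times before the rulecat call) or reword the comment to `# run after all other states so the so-idstools container state has already been applied; this does not wait for the container to be ready`. The `{% else %}` arm that follows continues outside the hunk.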


@@ -26,6 +26,13 @@ rulesdir:
- group: 939 - group: 939
- makedirs: True - makedirs: True
SOrulesdir:
file.directory:
- name: /opt/so/rules/nids/sorules
- user: 939
- group: 939
- makedirs: True
# Don't show changes because all.rules can be large # Don't show changes because all.rules can be large
synclocalnidsrules: synclocalnidsrules:
file.recurse: file.recurse:
@@ -35,3 +42,13 @@ synclocalnidsrules:
- group: 939 - group: 939
- show_changes: False - show_changes: False
- include_pat: 'E@.rules' - include_pat: 'E@.rules'
# Don't show changes because all.rules can be large
syncnidsSOrules:
file.recurse:
- name: /opt/so/rules/nids/sorules
- source: salt://idstools/sorules/
- user: 939
- group: 939
- show_changes: False
- include_pat: 'E@.rules'
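Review bot: `syncnidsSOrules` copies `include_pat: 'E@.rules'` from `synclocalnidsrules`, and that pattern is unanchored: `E@` makes it a regex, so `.rules` matches any name containing "rules" preceded by one character, not only files ending in `.rules`; `include_pat: 'E@\.rules$'` expresses the intent. Because neither recurse state sets `clean: True`, a rule file removed from `salt://idstools/sorules/` in a later release stays in `/opt/so/rules/nids/sorules` on every node; if the downstream rule merge reads everything in that directory (not visible here), stale rules would keep being loaded, so consider `- clean: True` for the new SO-managed directory where local edits are not expected.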


@@ -1,5 +1,9 @@
#!/bin/bash #!/bin/bash
. /usr/sbin/so-common
# if this script isn't already running
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
. /usr/sbin/so-common
{%- from 'vars/globals.map.jinja' import GLOBALS %} {%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- from 'idstools/map.jinja' import IDSTOOLSMERGED %} {%- from 'idstools/map.jinja' import IDSTOOLSMERGED %}
@@ -9,28 +13,30 @@
# Download the rules from the internet # Download the rules from the internet
{%- if proxy %} {%- if proxy %}
export http_proxy={{ proxy }} export http_proxy={{ proxy }}
export https_proxy={{ proxy }} export https_proxy={{ proxy }}
export no_proxy="{{ noproxy }}" export no_proxy="{{ noproxy }}"
{%- endif %} {%- endif %}
mkdir -p /nsm/rules/suricata mkdir -p /nsm/rules/suricata
chown -R socore:socore /nsm/rules/suricata chown -R socore:socore /nsm/rules/suricata
# Download the rules from the internet # Download the rules from the internet
{%- if GLOBALS.airgap != 'True' %} {%- if GLOBALS.airgap != 'True' %}
{%- if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %} {%- if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %}
docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force
{%- elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %} {%- elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %}
docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --etpro={{ IDSTOOLSMERGED.config.oinkcode }} docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --etpro={{ IDSTOOLSMERGED.config.oinkcode }}
{%- elif IDSTOOLSMERGED.config.ruleset == 'TALOS' %} {%- elif IDSTOOLSMERGED.config.ruleset == 'TALOS' %}
docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.config.oinkcode }} docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.config.oinkcode }}
{%- endif %} {%- endif %}
{%- endif %} {%- endif %}
argstr="" argstr=""
for arg in "$@"; do for arg in "$@"; do
argstr="${argstr} \"${arg}\"" argstr="${argstr} \"${arg}\""
done done
docker exec so-idstools /bin/bash -c "cd /opt/so/idstools/etc && idstools-rulecat --force ${argstr}" docker exec so-idstools /bin/bash -c "cd /opt/so/idstools/etc && idstools-rulecat --force ${argstr}"
fi
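Review bot: The new `pidof` guard makes a second invocation exit silently with status 0, so both the cron entry (logging to `download_cron.log`) and the new `run_so-rule-update` cmd.run state in the idstools init.sls report success without any rule download having happened; an `else` arm such as `echo "so-rule-update: another instance is already running, skipping" >&2` followed by `exit 1` (or `exit 0` with the message if the state must not fail on overlap) would make the overlap visible. The guard line also uses backticks and an unquoted `$(basename $0)`; `if [[ -z "$(pidof -x "$(basename "$0")" -o %PPID)" ]]; then` is the equivalent quoted form. The `if` opened in the first hunk is closed by the `fi` in the second, but the Jinja imports and proxy/ruleset lines between the two hunks are only partly visible here.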


@@ -79,7 +79,7 @@ fi
'RECEIVER') 'RECEIVER')
so-firewall includehost receiver "$IP" --apply so-firewall includehost receiver "$IP" --apply
;; ;;
'WORKSTATION') 'DESKTOP')
so-firewall includehost workstation "$IP" --apply so-firewall includehost desktop "$IP" --apply
;; ;;
esac esac


@@ -393,6 +393,7 @@ preupgrade_changes() {
[[ "$INSTALLEDVERSION" == 2.4.2 ]] && up_to_2.4.3 [[ "$INSTALLEDVERSION" == 2.4.2 ]] && up_to_2.4.3
[[ "$INSTALLEDVERSION" == 2.4.3 ]] && up_to_2.4.4 [[ "$INSTALLEDVERSION" == 2.4.3 ]] && up_to_2.4.4
[[ "$INSTALLEDVERSION" == 2.4.4 ]] && up_to_2.4.5 [[ "$INSTALLEDVERSION" == 2.4.4 ]] && up_to_2.4.5
[[ "$INSTALLEDVERSION" == 2.4.5 ]] && up_to_2.4.10
true true
} }
@@ -403,6 +404,7 @@ postupgrade_changes() {
[[ "$POSTVERSION" == 2.4.2 ]] && post_to_2.4.3 [[ "$POSTVERSION" == 2.4.2 ]] && post_to_2.4.3
[[ "$POSTVERSION" == 2.4.3 ]] && post_to_2.4.4 [[ "$POSTVERSION" == 2.4.3 ]] && post_to_2.4.4
[[ "$POSTVERSION" == 2.4.4 ]] && post_to_2.4.5 [[ "$POSTVERSION" == 2.4.4 ]] && post_to_2.4.5
[[ "$POSTVERSION" == 2.4.5 ]] && post_to_2.4.10
true true
} }
@@ -422,6 +424,12 @@ post_to_2.4.5() {
POSTVERSION=2.4.5 POSTVERSION=2.4.5
} }
post_to_2.4.10() {
echo "Updating Elastic Fleet ES URLs...."
/sbin/so-elastic-fleet-es-url-update --force
POSTVERSION=2.4.10
}
stop_salt_master() { stop_salt_master() {
# kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts # kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
set +e set +e
@@ -482,6 +490,12 @@ up_to_2.4.5() {
INSTALLEDVERSION=2.4.5 INSTALLEDVERSION=2.4.5
} }
up_to_2.4.10() {
echo "Nothing to do for 2.4.10"
INSTALLEDVERSION=2.4.10
}
determine_elastic_agent_upgrade() { determine_elastic_agent_upgrade() {
if [[ $is_airgap -eq 0 ]]; then if [[ $is_airgap -eq 0 ]]; then
update_elastic_agent_airgap update_elastic_agent_airgap
@@ -492,6 +506,7 @@ determine_elastic_agent_upgrade() {
update_elastic_agent_airgap() { update_elastic_agent_airgap() {
rsync -av /tmp/soagupdate/fleet/* /nsm/elastic-fleet/artifacts/ rsync -av /tmp/soagupdate/fleet/* /nsm/elastic-fleet/artifacts/
tar -xf "$ELASTIC_AGENT_FILE" -C "$ELASTIC_AGENT_EXPANSION_DIR"
} }
verify_upgradespace() { verify_upgradespace() {
@@ -547,7 +562,7 @@ update_version() {
echo "Updating the Security Onion version file." echo "Updating the Security Onion version file."
echo $NEWVERSION > /etc/soversion echo $NEWVERSION > /etc/soversion
echo $HOTFIXVERSION > /etc/sohotfix echo $HOTFIXVERSION > /etc/sohotfix
sed -i "/ soversion:/c\ soversion: $NEWVERSION" /opt/so/saltstack/local/pillar/global/soc_global.sls sed -i "s/soversion:.*/soversion: $NEWVERSION/" /opt/so/saltstack/local/pillar/global/soc_global.sls
} }
upgrade_check() { upgrade_check() {
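Review bot: The added `tar -xf "$ELASTIC_AGENT_FILE" -C "$ELASTIC_AGENT_EXPANSION_DIR"` in `update_elastic_agent_airgap` has no error handling: if either variable is empty or the archive is damaged, tar fails and, unless the caller checks the function's status (not visible here), the upgrade proceeds with a missing or partial agent extraction. `tar -xf "${ELASTIC_AGENT_FILE:?}" -C "${ELASTIC_AGENT_EXPANSION_DIR:?}" || { echo "Failed to extract $ELASTIC_AGENT_FILE" >&2; return 1; }` keeps the failure visible. In `update_version`, the new `sed -i "s/soversion:.*/soversion: $NEWVERSION/"` is no longer anchored to the start of the key, so it would also rewrite any other key whose name ends in `soversion:`; `sed -i "s/^\( *\)soversion:.*/\1soversion: $NEWVERSION/"` keeps the existing indentation while matching only that key. `post_to_2.4.10` runs `/sbin/so-elastic-fleet-es-url-update --force` and sets `POSTVERSION` regardless of its exit status, which matches the earlier post_to functions but means a failed URL update is not reported.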


@@ -69,7 +69,7 @@ soc:
- log.id.uid - log.id.uid
- network.community_id - network.community_id
- event.dataset - event.dataset
':kratos:kratos.audit': ':kratos:audit':
- soc_timestamp - soc_timestamp
- http_request.headers.x-real-ip - http_request.headers.x-real-ip
- identity_id - identity_id
@@ -570,14 +570,13 @@ soc:
- destination.geo.country_iso_code - destination.geo.country_iso_code
- user.name - user.name
- source.ip - source.ip
':windows.sysmon_operational:': '::sysmon_operational':
- soc_timestamp - soc_timestamp
- event.action - event.action
- process.executable - winlog.computer_name
- user.name - user.name
- file.target - process.executable
- dns.question.name - process.pid
- winlog.event_data.TargetObject
'::network_connection': '::network_connection':
- soc_timestamp - soc_timestamp
- source.ip - source.ip


@@ -8,6 +8,10 @@ If you're ready to dive in, take a look at the [Alerts](/#/alerts) interface to
To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/release-notes.html) link. To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/release-notes.html) link.
## Enterprise Appliances
Want the best hardware for your enterprise deployment? Check out our [enterprise appliances](https://securityonionsolutions.com/hardware/)!
## Customize This Space ## Customize This Space
Make this area your own by customizing the content in the [Config](/#/config?s=soc.files.soc.motd__md) interface. Make this area your own by customizing the content in the [Config](/#/config?s=soc.files.soc.motd__md) interface.


@@ -45,9 +45,10 @@ soc:
actions: actions:
description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
global: True global: True
forcedType: "[]{}"
eventFields: eventFields:
default: default:
description: The list of fields to show as columns in the Hunt/Dashboards event table, when no other specific mapping applies. Mappings are defined by the format ":event.module:event.dataset". description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. This 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
global: True global: True
advanced: True advanced: True
server: server:
@@ -139,6 +140,7 @@ soc:
description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL. description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL.
global: True global: True
advanced: True advanced: True
forcedType: "[]{}"
hunt: &appSettings hunt: &appSettings
groupItemsPerPage: groupItemsPerPage:
description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI. description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI.
@@ -164,6 +166,12 @@ soc:
queries: queries:
description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
global: True global: True
forcedType: "[]{}"
queryToggleFilters:
description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query.
global: True
advanced: True
forcedType: "[]{}"
alerts: *appSettings alerts: *appSettings
cases: *appSettings cases: *appSettings
dashboards: *appSettings dashboards: *appSettings


@@ -153,8 +153,8 @@ etc_elasticfleet_crt:
- ca_server: {{ ca_server }} - ca_server: {{ ca_server }}
- signing_policy: elasticfleet - signing_policy: elasticfleet
- private_key: /etc/pki/elasticfleet-server.key - private_key: /etc/pki/elasticfleet-server.key
- CN: {{ GLOBALS.url_base }} - CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %} - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
@@ -210,8 +210,8 @@ etc_elasticfleet_logstash_crt:
- ca_server: {{ ca_server }} - ca_server: {{ ca_server }}
- signing_policy: elasticfleet - signing_policy: elasticfleet
- private_key: /etc/pki/elasticfleet-logstash.key - private_key: /etc/pki/elasticfleet-logstash.key
- CN: {{ GLOBALS.url_base }} - CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %} - subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
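Review bot: The subjectAltName expression is now duplicated verbatim between etc_elasticfleet_crt and etc_elasticfleet_logstash_crt, so the two fleet certificates can drift the next time one is edited; defining it once above both states, e.g. `{% set fleet_san = 'DNS:' ~ GLOBALS.hostname ~ ',DNS:' ~ GLOBALS.url_base ~ ',IP:' ~ GLOBALS.node_ip %}` with the custom_fqdn suffix appended there, and referencing `{{ fleet_san }}` in both hunks keeps them identical. Note also that `GLOBALS.url_base` now lands in a `DNS:` entry; if url_base can be configured as an IP address on some deployments (not visible here), that entry is ignored by SAN matching and only the separate `IP:{{ GLOBALS.node_ip }}` entry covers it, so either assert that the two coincide or emit an `IP:` entry for url_base in that case. Both x509 states start before their hunks.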


@@ -6,6 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'strelka/map.jinja' import STRELKAMERGED %} {% from 'strelka/map.jinja' import STRELKAMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'strelka/map.jinja' import filecheck_runas %} {% from 'strelka/map.jinja' import filecheck_runas %}
include: include:
@@ -78,6 +79,46 @@ filecheck_script:
- group: 939 - group: 939
- mode: 755 - mode: 755
filecheck.log:
file.managed:
- name: /opt/so/log/strelka/filecheck.log
- user: {{ filecheck_runas }}
- group: {{ filecheck_runas }}
filecheck_stdout.log:
file.managed:
- name: /opt/so/log/strelka/filecheck_stdout.log
- user: {{ filecheck_runas }}
- group: {{ filecheck_runas }}
{% if GLOBALS.md_engine == 'ZEEK' %}
filecheck_run_socore:
cron.present:
- name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
- identifier: filecheck_run_socore
- user: socore
remove_filecheck_run_suricata:
cron.absent:
- identifier: filecheck_run_suricata
- user: suricata
{% elif GLOBALS.md_engine == 'SURICATA'%}
filecheck_run_suricata:
cron.present:
- name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
- identifier: filecheck_run_suricata
- user: suricata
remove_filecheck_run_socore:
cron.absent:
- identifier: filecheck_run_socore
- user: socore
{% endif %}
filecheck_restart: filecheck_restart:
cmd.run: cmd.run:
- name: pkill -f "python3 /opt/so/conf/strelka/filecheck" - name: pkill -f "python3 /opt/so/conf/strelka/filecheck"
@@ -85,12 +126,7 @@ filecheck_restart:
- success_retcodes: [0,1] - success_retcodes: [0,1]
- onchanges: - onchanges:
- file: filecheck_script - file: filecheck_script
- file: filecheck_conf
filecheck_run:
cron.present:
- name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
- identifier: filecheck_run
- user: {{ filecheck_runas }}
filcheck_history_clean: filcheck_history_clean:
cron.present: cron.present:
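Review bot: The previous cron entry with identifier `filecheck_run` (user `{{ filecheck_runas }}`) is deleted from the state, but nothing in the new hunk clears it from minions that already have it, so after upgrade it keeps firing next to the new `filecheck_run_socore`/`filecheck_run_suricata` job unless soup removes it elsewhere (not visible here); if the metadata engine was switched, that leftover job may launch filecheck as the other user. Add a `cron.absent` for the old identifier alongside the two new ones. Separately, the `ps -ef | grep filecheck | grep -v grep` guard matches any process whose command line merely contains "filecheck" and will then silently skip the start; `pgrep -f "python3 /opt/so/conf/strelka/filecheck"` matches exactly the command that `filecheck_restart` kills. The two new `file.managed` log files also carry no `mode`, so they keep whatever the creating umask produced.
```yaml
remove_filecheck_run:
  cron.absent:
    - identifier: filecheck_run
    - user: {{ filecheck_runas }}
```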

View File

@@ -416,7 +416,6 @@ suricata:
enabled: "yes" enabled: "yes"
filename: keyword_perf.log filename: keyword_perf.log
append: "yes" append: "yes"
prefilter: prefilter:
enabled: "yes" enabled: "yes"
filename: prefilter_perf.log filename: prefilter_perf.log


@@ -11,7 +11,7 @@
{# suricata.config.af-packet has to be rewritten here since we cant display '- interface' in the ui #} {# suricata.config.af-packet has to be rewritten here since we cant display '- interface' in the ui #}
{# we are limited to only one iterface #} {# we are limited to only one iterface #}
{% load_yaml as afpacket %} {% load_yaml as afpacket %}
- interface: {{ SURICATAMERGED.config['af-packet'].interface }} - interface: {{ GLOBALS.sensor.interface }}
cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }} cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }}
cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }} cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
defrag: {{ SURICATAMERGED.config['af-packet'].defrag }} defrag: {{ SURICATAMERGED.config['af-packet'].defrag }}


@@ -14,7 +14,9 @@ suricata:
config: config:
af-packet: af-packet:
interface: interface:
description: The network interface that Suricata will monitor. description: The network interface that Suricata will monitor. This is set under sensor > interface.
advanced: True
readonly: True
helpLink: suricata.html helpLink: suricata.html
cluster-id: cluster-id:
advanced: True advanced: True


@@ -32,17 +32,16 @@ tgrafetsdir:
- name: /opt/so/conf/telegraf/scripts - name: /opt/so/conf/telegraf/scripts
- makedirs: True - makedirs: True
tgrafsyncscripts: {% for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
file.recurse: tgraf_sync_script_{{script}}:
- name: /opt/so/conf/telegraf/scripts file.managed:
- name: /opt/so/conf/telegraf/scripts/{{script}}
- user: root - user: root
- group: 939 - group: 939
- file_mode: 770 - mode: 770
- template: jinja - template: jinja
- source: salt://telegraf/scripts - source: salt://telegraf/scripts/{{script}}
{% if GLOBALS.md_engine == 'SURICATA' %} {% endfor %}
- exclude_pat: zeekcaptureloss.sh
{% endif %}
telegraf_sbin: telegraf_sbin:
file.recurse: file.recurse:
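Review bot: `script` comes straight from the pillar (the same list is exposed as an editable `[]string` in the SOC config) and is interpolated unvalidated into both the managed path `/opt/so/conf/telegraf/scripts/{{script}}` and the `salt://telegraf/scripts/{{script}}` source, and telegraf later executes the same name from `/scripts/`; a value containing a slash or a leading dot should be rejected at render time rather than reaching the file server, e.g. `{% if '/' in script or script.startswith('.') %}{{ raise('invalid telegraf script name: ' ~ script) }}{% endif %}` as the first line of the loop body. The rendered scripts are also written with `mode: 770`, i.e. group-writable executables owned by root with gid 939; `750` suffices if the group only needs to execute them, and whether 939 needs write access is not visible here.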


@@ -9,3 +9,82 @@ telegraf:
flush_jitter: '0s' flush_jitter: '0s'
debug: 'false' debug: 'false'
quiet: 'false' quiet: 'false'
scripts:
eval:
- beatseps.sh
- checkfiles.sh
- influxdbsize.sh
- oldpcap.sh
- raid.sh
- redis.sh
- sostatus.sh
- stenoloss.sh
- suriloss.sh
- zeekcaptureloss.sh
- zeekloss.sh
standalone:
- beatseps.sh
- checkfiles.sh
- eps.sh
- influxdbsize.sh
- oldpcap.sh
- raid.sh
- redis.sh
- sostatus.sh
- stenoloss.sh
- suriloss.sh
- zeekcaptureloss.sh
- zeekloss.sh
manager:
- beatseps.sh
- influxdbsize.sh
- raid.sh
- redis.sh
- sostatus.sh
managersearch:
- beatseps.sh
- eps.sh
- influxdbsize.sh
- raid.sh
- redis.sh
- sostatus.sh
import:
- sostatus.sh
sensor:
- beatseps.sh
- checkfiles.sh
- oldpcap.sh
- raid.sh
- sostatus.sh
- stenoloss.sh
- suriloss.sh
- zeekcaptureloss.sh
- zeekloss.sh
heavynode:
- beatseps.sh
- checkfiles.sh
- eps.sh
- oldpcap.sh
- raid.sh
- redis.sh
- sostatus.sh
- stenoloss.sh
- suriloss.sh
- zeekcaptureloss.sh
- zeekloss.sh
idh:
- sostatus.sh
searchnode:
- beatseps.sh
- eps.sh
- raid.sh
- sostatus.sh
receiver:
- beatseps.sh
- eps.sh
- raid.sh
- redis.sh
- sostatus.sh
fleet:
- sostatus.sh
desktop: []


@@ -7,6 +7,7 @@
{% if sls.split('.')[0] in allowed_states %} {% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'telegraf/map.jinja' import TELEGRAFMERGED %}
include: include:
@@ -67,8 +68,10 @@ so-telegraf:
{% endif %} {% endif %}
- watch: - watch:
- file: tgrafconf - file: tgrafconf
- file: tgrafsyncscripts
- file: node_config - file: node_config
{% for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
- file: tgraf_sync_script_{{script}}
{% endfor %}
- require: - require:
- file: tgrafconf - file: tgrafconf
- file: node_config - file: node_config


@@ -193,7 +193,7 @@
username = "{{ ES_USER }}" username = "{{ ES_USER }}"
password = "{{ ES_PASS }}" password = "{{ ES_PASS }}"
insecure_skip_verify = true insecure_skip_verify = true
{%- elif grains['role'] in ['so-searchnode', 'so-hotnode', 'so-warmnode'] %} {%- elif grains['role'] in ['so-searchnode'] %}
[[inputs.elasticsearch]] [[inputs.elasticsearch]]
servers = ["https://{{ NODEIP }}:9200"] servers = ["https://{{ NODEIP }}:9200"]
cluster_stats = false cluster_stats = false
@@ -244,6 +244,8 @@
{%- endif %} {%- endif %}
# # Read metrics from one or more commands that can output to stdout # # Read metrics from one or more commands that can output to stdout
{%- if 'sostatus.sh' in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
{%- do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('sostatus.sh') %}
[[inputs.exec]] [[inputs.exec]]
commands = [ commands = [
"/scripts/sostatus.sh" "/scripts/sostatus.sh"
@@ -251,122 +253,26 @@
data_format = "influx" data_format = "influx"
timeout = "15s" timeout = "15s"
interval = "60s" interval = "60s"
{%- endif %}
# ## Commands array {%- if TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] | length > 0 %}
{% if grains['role'] in ['so-manager'] %}
[[inputs.exec]] [[inputs.exec]]
commands = [ commands = [
"/scripts/redis.sh", {%- for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
"/scripts/influxdbsize.sh", "/scripts/{{script}}"{% if not loop.last %},{% endif %}
"/scripts/raid.sh", {%- endfor %}
"/scripts/beatseps.sh"
] ]
data_format = "influx" data_format = "influx"
## Timeout for each command to complete. ## Timeout for each command to complete.
timeout = "15s" timeout = "15s"
{% elif grains['role'] in ['so-managersearch'] %} {%- endif %}
[[inputs.exec]]
commands = [
"/scripts/redis.sh",
"/scripts/influxdbsize.sh",
"/scripts/eps.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
## Timeout for each command to complete.
timeout = "15s"
{% elif grains['role'] in ['so-searchnode', 'so-receiver'] %}
[[inputs.exec]]
commands = [
"/scripts/eps.sh",
"/scripts/raid.sh",
{% if grains.role == 'so-receiver' %}
"/scripts/redis.sh",
{% endif %}
"/scripts/beatseps.sh"
]
data_format = "influx"
## Timeout for each command to complete.
timeout = "15s"
{% elif grains['role'] == 'so-sensor' %}
[[inputs.exec]]
commands = [
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
{%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
"/scripts/oldpcap.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
timeout = "15s"
{% elif grains['role'] == 'so-heavynode' %}
[[inputs.exec]]
commands = [
"/scripts/redis.sh",
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
{%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
"/scripts/oldpcap.sh",
"/scripts/eps.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
timeout = "15s"
{% elif grains['role'] == 'so-standalone' %}
[[inputs.exec]]
commands = [
"/scripts/redis.sh",
"/scripts/influxdbsize.sh",
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
{%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
"/scripts/oldpcap.sh",
"/scripts/eps.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
timeout = "15s"
{% elif grains['role'] == 'so-eval' %}
[[inputs.exec]]
commands = [
"/scripts/redis.sh",
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
{%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
"/scripts/oldpcap.sh",
"/scripts/influxdbsize.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
timeout = "15s"
{% endif %}
{%- if salt['pillar.get']('healthcheck:enabled', False) %} {%- if salt['pillar.get']('healthcheck:enabled', False) %}
[[inputs.file]] [[inputs.file]]
files = ["/host/nsm/zeek/logs/zeek_restart.log"] files = ["/host/nsm/zeek/logs/zeek_restart.log"]
data_format = "influx" data_format = "influx"
{%- endif %} {%- endif %}
[[inputs.file]] [[inputs.file]]
files = ["/etc/telegraf/node_config.json"] files = ["/etc/telegraf/node_config.json"]
name_override = "node_config" name_override = "node_config"
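Review bot: The `{%- do TELEGRAFMERGED.scripts[...].remove('sostatus.sh') %}` ahead of the first `[[inputs.exec]]` mutates the merged pillar structure as a side effect of rendering a config file, so every later reference in the template sees the shortened list and the intent (sostatus.sh gets its own 60s interval, everything else shares one exec input) is only recoverable from block order. Binding the role's list once and deriving the filtered view from it, `{%- set role_scripts = TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}` followed by `{%- set exec_scripts = role_scripts | reject('equalto', 'sostatus.sh') | list %}`, keeps the template mutation-free and makes the split explicit. A one-line comment above the first exec input, `# sostatus.sh runs on its own 60s interval; the remaining role scripts share the input below`, would document the why.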


@@ -3,5 +3,15 @@
https://securityonion.net/license; you may not use this file except in compliance with the https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #} Elastic License 2.0. #}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'telegraf/defaults.yaml' as TELEGRAFDEFAULTS %} {% import_yaml 'telegraf/defaults.yaml' as TELEGRAFDEFAULTS %}
{% set TELEGRAFMERGED = salt['pillar.get']('telegraf', TELEGRAFDEFAULTS.telegraf, merge=True) %} {% set TELEGRAFMERGED = salt['pillar.get']('telegraf', TELEGRAFDEFAULTS.telegraf, merge=True) %}
{% if GLOBALS.role in ['so-eval', 'so-standalone', 'so-sensor', 'so-heavynode'] %}
{% from 'zeek/config.map.jinja' import ZEEKMERGED %}
{# if the md engine isn't zeek or zeek is disabled, dont run the zeek scripts for telegraf #}
{% if GLOBALS.md_engine != 'ZEEK' or not ZEEKMERGED.enabled %}
{% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekloss.sh') %}
{% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekcaptureloss.sh') %}
{% endif %}
{% endif %}
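Review bot: The two `.remove()` calls run unconditionally, so if an operator has already dropped `zeekloss.sh` or `zeekcaptureloss.sh` from the role's script list (the list is pillar-editable per the telegraf annotations), `list.remove` raises ValueError and every state that imports this map fails to render on that node. Check membership before removing, as telegraf.conf already does for sostatus.sh, and bind the role's list once so the subscript is not repeated.
```jinja
{% if GLOBALS.md_engine != 'ZEEK' or not ZEEKMERGED.enabled %}
{% set role_scripts = TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
{% for zeek_script in ['zeekloss.sh', 'zeekcaptureloss.sh'] %}
{% if zeek_script in role_scripts %}
{% do role_scripts.remove(zeek_script) %}
{% endif %}
{% endfor %}
{% endif %}
```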


@@ -5,16 +5,18 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
# This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp # This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp
# if this script isn't already running # if this script isn't already running
{%- from 'zeek/config.map.jinja' import ZEEKMERGED %}
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
if [ -d "/host/nsm/zeek/spool/logger" ]; then if [ -d "/host/nsm/zeek/spool/logger" ]; then
WORKERS={{ salt['pillar.get']('sensor:zeek_lbprocs', salt['pillar.get']('sensor:zeek_pins') | length) }} {%- if ZEEKMERGED.config.node.pins %}
WORKERS={{ ZEEKMERGED.config.node.pins | length }}
{%- else %}
WORKERS={{ ZEEKMERGED.config.node.lb_procs }}
{%- endif %}
ZEEKLOG=/host/nsm/zeek/spool/logger/capture_loss.log ZEEKLOG=/host/nsm/zeek/spool/logger/capture_loss.log
elif [ -d "/host/nsm/zeek/spool/zeeksa" ]; then elif [ -d "/host/nsm/zeek/spool/zeeksa" ]; then
WORKERS=1 WORKERS=1
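Review bot: `WORKERS` is now taken from `ZEEKMERGED.config.node.lb_procs` when no pins are set, but nothing in the hunk guards against that value rendering empty or zero, and the averaging later in the script (outside this hunk) presumably divides by it; a guard after the assignment, `[[ "${WORKERS:-0}" -gt 0 ]] || exit 0`, would stop the script from emitting a malformed influx line in that case. The script body continues past the hunk, and the unchanged surrounding `pidof` check still uses unquoted backticks where `$(…)` with quoting would be the modern form.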


@@ -42,4 +42,21 @@ telegraf:
global: True global: True
advanced: True advanced: True
helpLink: telegraf.html helpLink: telegraf.html
scripts:
eval: &telegrafscripts
description: List of input.exec scripts to run for this node type. The script must be present in salt/telegraf/scripts.
forcedType: "[]string"
multiline: True
advanced: True
helpLink: telegraf.html
standalone: *telegrafscripts
manager: *telegrafscripts
managersearch: *telegrafscripts
import: *telegrafscripts
sensor: *telegrafscripts
heavynode: *telegrafscripts
idh: *telegrafscripts
searchnode: *telegrafscripts
receiver: *telegrafscripts
fleet: *telegrafscripts
desktop: *telegrafscripts
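Review bot: The `scripts` description says the script "must be present in salt/telegraf/scripts" but not that entries are bare file names nor what happens when one is wrong, and since this is an editable list in the SOC UI that is the information an operator needs; suggest `description: List of input.exec scripts telegraf runs for this node type, given as bare file names (no path). Each must exist in salt/telegraf/scripts; an unknown name causes the telegraf state to fail on that node.` That the names are also executed by telegraf is taken from the /scripts/ commands in telegraf.conf in this same commit, not from this file.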


@@ -277,10 +277,10 @@ base:
- schedule - schedule
- docker_clean - docker_clean
'J@desktop:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:Rocky )': 'J@desktop:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:OEL )':
- match: compound - match: compound
- desktop - desktop
'J@desktop:gui:enabled:^[Ff][Aa][Ll][Ss][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:Rocky )': 'J@desktop:gui:enabled:^[Ff][Aa][Ll][Ss][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:OEL )':
- match: compound - match: compound
- desktop.remove_gui - desktop.remove_gui


@@ -117,7 +117,7 @@ desktop_pillar() {
" mainint: '$MNIC'"\ " mainint: '$MNIC'"\
"desktop:"\ "desktop:"\
" gui:"\ " gui:"\
" enabled: true" >> "$pillar_file"\ " enabled: true"\
"sensoroni:"\ "sensoroni:"\
" config:"\ " config:"\
" node_description: '${NODE_DESCRIPTION//\'/''}'" > $pillar_file " node_description: '${NODE_DESCRIPTION//\'/''}'" > $pillar_file
@@ -2302,6 +2302,15 @@ set_default_log_size() {
log_size_limit=$( echo "$disk_size_gb" "$percentage" | awk '{printf("%.0f", $1 * ($2/100))}') log_size_limit=$( echo "$disk_size_gb" "$percentage" | awk '{printf("%.0f", $1 * ($2/100))}')
} }
set_desktop_background() {
logCmd "mkdir /usr/local/share/backgrounds"
logCmd "cp ../salt/desktop/files/so-wallpaper.jpg /usr/local/share/backgrounds/so-wallpaper.jpg"
logCmd "cp ../salt/desktop/files/00-background /etc/dconf/db/local.d/00-background"
logCmd "dconf update"
}
set_hostname() { set_hostname() {
logCmd "hostnamectl set-hostname --static $HOSTNAME" logCmd "hostnamectl set-hostname --static $HOSTNAME"
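Review bot: `set_desktop_background` uses a plain `mkdir`, which fails (and logs an error) when `/usr/local/share/backgrounds` already exists on a re-run, and it copies into `/etc/dconf/db/local.d/` without ensuring that directory exists; `logCmd "mkdir -p /usr/local/share/backgrounds /etc/dconf/db/local.d"` handles both. The `../salt/...` sources are relative to the caller's working directory, so the function silently depends on being invoked from the setup directory; a comment such as `# expects cwd to be the setup directory (sources are relative to ../salt)` or a path derived from the script's own location would make that explicit. The desktop_pillar function in the first hunk starts before the hunk.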


@@ -341,6 +341,8 @@ if [[ $is_desktop ]]; then
securityonion_repo securityonion_repo
info "Enabling graphical interface and setting it to load at boot" info "Enabling graphical interface and setting it to load at boot"
systemctl set-default graphical.target systemctl set-default graphical.target
info "Setting desktop background"
set_desktop_background
echo "Desktop Install Complete!" echo "Desktop Install Complete!"
echo "" echo ""
echo "Please reboot to start graphical interface." echo "Please reboot to start graphical interface."
