CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #11040 from Security-Onion-Solutions/2.4/dev

Browse Source 
2.4.10
This commit is contained in:
Mike Reeves
2023-08-15 07:14:03 -04:00
committed by GitHub
parent a13b3f305a 5c2c2908b8
commit 16da0b469a
45 changed files with 682 additions and 308 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
DOWNLOAD_AND_VERIFY_ISO.md
View File

@@ -1,18 +1,18 @@
### 2.4.5-20230807 ISO image released on 2023/08/07
### 2.4.10-20230815 ISO image released on 2023/08/15
### Download and Verify
2.4.5-20230807 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.5-20230807.iso
2.4.10-20230815 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230815.iso
MD5: F83FD635025A3A65B380EAFCEB61A92E
SHA1: 5864D4CD520617E3328A3D956CAFCC378A8D2D08
SHA256: D333BAE0DD198DFD80DF59375456D228A4E18A24EDCDB15852CD4CA3F92B69A7
MD5: 97AEC929FB1FC22F106C0C93E3476FAB
SHA1: 78AF37FD19FDC34BA324C1A661632D19D1F2284A
SHA256: D04BA45D1664FC3CF7EA2188CB7E570642F6390C3959B4AFBB8222A853859394
Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.5-20230807.iso.sig
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230815.iso.sig
Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
Download the signature file for the ISO:
```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.5-20230807.iso.sig
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.10-20230815.iso.sig
```
Download the ISO image:
```
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.5-20230807.iso
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.10-20230815.iso
```
Verify the downloaded ISO image using the signature file:
```
gpg --verify securityonion-2.4.5-20230807.iso.sig securityonion-2.4.5-20230807.iso
gpg --verify securityonion-2.4.10-20230815.iso.sig securityonion-2.4.10-20230815.iso
```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
```
gpg: Signature made Sat 05 Aug 2023 10:12:46 AM EDT using RSA key ID FE507013
gpg: Signature made Sun 13 Aug 2023 05:30:29 PM EDT using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

4
README.md
View File

@@ -1,6 +1,6 @@
## Security Onion 2.4 Release Candidate 2 (RC2)
## Security Onion 2.4
Security Onion 2.4 Release Candidate 2 (RC2) is here!
Security Onion 2.4 is here!
## Screenshots

2
VERSION
View File

@@ -1 +1 @@
2.4.5
2.4.10

25
salt/common/tools/sbin_jinja/so-desktop-install
View File

@@ -5,15 +5,15 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
source /usr/sbin/so-common
doc_desktop_url="$DOC_BASE_URL/desktop.html"
{# we only want the script to install the desktop if it is Rocky -#}
{% if grains.os == 'Rocky' -%}
{# we only want the script to install the desktop if it is OEL -#}
{% if grains.os == 'OEL' -%}
{# if this is a manager -#}
{% if grains.master == grains.id.split('_')|first -%}
source /usr/sbin/so-common
doc_desktop_url="$DOC_BASE_URL/desktop.html"
pillar_file="/opt/so/saltstack/local/pillar/minions/{{grains.id}}.sls"
pillar_file="/opt/so/saltstack/local/pillar/minions/adv_{{grains.id}}.sls"
if [ -f "$pillar_file" ]; then
if ! grep -q "^desktop:$" "$pillar_file"; then
@@ -65,7 +65,7 @@ if [ -f "$pillar_file" ]; then
fi
else # desktop is already added
echo "The desktop pillar already exists in $pillar_file."
echo "To enable/disable the gui, set 'desktop:gui:enabled' to true or false in $pillar_file."
echo "To enable/disable the gui, set 'desktop:gui:enabled' to true or false in $pillar_file. Alternatively, this can be set in the SOC UI under advanced."
echo "Additional documentation can be found at $doc_desktop_url."
fi
else # if the pillar file doesn't exist
@@ -75,17 +75,22 @@ fi
{#- if this is not a manager #}
{% else -%}
echo "Since this is not a manager, the pillar values to enable Security Onion Desktop must be set manually. Please view the documentation at $doc_desktop_url."
echo "Since this is not a manager, the pillar values to enable Security Onion Desktop must be set manually. This can be enabled in the SOC UI under advanced by adding the following:"
echo "desktop:"
echo " gui:"
echo " enabled: true"
echo ""
echo "Please view the documentation at $doc_desktop_url."
{#- endif if this is a manager #}
{% endif -%}
{#- if not Rocky #}
{#- if not OEL #}
{%- else %}
echo "The Security Onion Desktop can only be installed on Rocky Linux. Please view the documentation at $doc_desktop_url."
echo "The Security Onion Desktop can only be installed on Oracle Linux. Please view the documentation at $doc_desktop_url."
{#- endif grains.os == Rocky #}
{#- endif grains.os == OEL #}
{% endif -%}
exit 0

8
salt/desktop/files/00-background Normal file
View File

@@ -0,0 +1,8 @@
# Specify the dconf path
[org/gnome/desktop/background]
# Specify the path to the desktop background image file
picture-uri='file:///usr/local/share/backgrounds/so-wallpaper.jpg'
# Specify one of the rendering options for the background image:
picture-options='zoom'

1
salt/desktop/packages.sls
View File

@@ -3,7 +3,6 @@
{# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'OEL' %}
desktop_packages:
pkg.installed:
- pkgs:

2
salt/desktop/trusted-ca.sls
View File

@@ -31,6 +31,6 @@ update_ca_certs:
desktop_trusted-ca_os_fail:
test.fail_without_changes:
- comment: 'SO Desktop can only be installed on CentOS'
- comment: 'SO Desktop can only be installed on Oracle Linux'
{% endif %}

17
salt/desktop/xwindows.sls
View File

@@ -35,6 +35,23 @@ convert_gnome_classic:
{% endif %}
{% endfor %}
desktop_wallpaper:
file.managed:
- name: /usr/local/share/backgrounds/so-wallpaper.jpg
- source: salt://desktop/files/so-wallpaper.jpg
- makedirs: True
set_wallpaper:
file.managed:
- name: /etc/dconf/db/local.d/00-background
- source: salt://desktop/files/00-background
run_dconf_update:
cmd.run:
- name: 'dconf update'
- onchanges:
- file: set_wallpaper
{% else %}
desktop_xwindows_os_fail:

8
salt/elasticfleet/defaults.yaml
View File

@@ -28,9 +28,17 @@ elasticfleet:
- aws
- azure
- cloudflare
- elasticsearch
- endpoint
- fleet_server
- fim
- github
- google_workspace
- log
- osquery_manager
- redis
- system
- tcp
- udp
- windows
- 1password

8
salt/elasticfleet/enabled.sls
View File

@@ -22,6 +22,7 @@ include:
so-elastic-fleet-auto-configure-logstash-outputs:
cmd.run:
- name: /usr/sbin/so-elastic-fleet-outputs-update
- retry: True
{% endif %}
# If enabled, automatically update Fleet Server URLs & ES Connection
@@ -29,6 +30,7 @@ so-elastic-fleet-auto-configure-logstash-outputs:
so-elastic-fleet-auto-configure-server-urls:
cmd.run:
- name: /usr/sbin/so-elastic-fleet-urls-update
- retry: True
{% endif %}
# Automatically update Fleet Server Elasticsearch URLs
@@ -36,6 +38,7 @@ so-elastic-fleet-auto-configure-server-urls:
so-elastic-fleet-auto-configure-elasticsearch-urls:
cmd.run:
- name: /usr/sbin/so-elastic-fleet-es-url-update
- retry: True
{% endif %}
{% if SERVICETOKEN != '' %}
@@ -106,6 +109,11 @@ so-elastic-fleet:
so-elastic-fleet-integrations:
cmd.run:
- name: /usr/sbin/so-elastic-fleet-integration-policy-load
so-elastic-agent-grid-upgrade:
cmd.run:
- name: /usr/sbin/so-elastic-agent-grid-upgrade
- retry: True
{% endif %}
delete_so-elastic-fleet_so-status.disabled:

5
salt/elasticfleet/tools/sbin/so-elastic-fleet-common
View File

@@ -56,6 +56,11 @@ elastic_fleet_package_version_check() {
curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.version'
}
elastic_fleet_package_latest_version_check() {
PACKAGE=$1
curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.latestVersion'
}
elastic_fleet_package_install() {
PKGKEY=$1
curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PKGKEY"

3
salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
View File

@@ -9,6 +9,9 @@
RETURN_CODE=0
if [ ! -f /opt/so/state/eaintegrations.txt ]; then
# First, check for any package upgrades
/usr/sbin/so-elastic-fleet-package-upgrade
# Initial Endpoints
for INTEGRATION in /opt/so/conf/elastic-fleet/integrations/endpoints-initial/*.json
do

38
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-grid-upgrade Normal file
View File

@@ -0,0 +1,38 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.
. /usr/sbin/so-common
# Only run on Managers
if ! is_manager_node; then
printf "Not a Manager Node... Exiting"
exit 0
fi
# Get current list of Grid Node Agents that need to be upgraded
RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "http://localhost:5601/api/fleet/agents?perPage=20&page=1&kuery=policy_id%20%3A%20so-grid-nodes_%2A&showInactive=false&showUpgradeable=true&getStatusSummary=true")
# Check to make sure that the server responded with good data - else, bail from script
CHECKSUM=$(jq -r '.page' <<< "$RAW_JSON")
if [ "$CHECKSUM" -ne 1 ]; then
printf "Failed to query for current Grid Agents...\n"
exit 1
fi
# Generate list of Node Agents that need updates
OUTDATED_LIST=$(jq -r '.items | map(.id) | (tojson)' <<< "$RAW_JSON")
if [ "$OUTDATED_LIST" != '[]' ]; then
AGENTNUMBERS=$(jq -r '.total' <<< "$RAW_JSON")
printf "Initiating upgrades for $AGENTNUMBERS Agents to Elastic $ELASTIC_AGENT_TARBALL_VERSION...\n\n"
# Generate updated JSON payload
JSON_STRING=$(jq -n --arg ELASTICVERSION $ELASTIC_AGENT_TARBALL_VERSION --arg UPDATELIST $OUTDATED_LIST '{"version": $ELASTICVERSION,"agents": $UPDATELIST }')
# Update Node Agents
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "http://localhost:5601/api/fleet/agents/bulk_upgrade" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
else
printf "No Agents need updates... Exiting\n\n"
exit 0
fi

15
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update
View File

@@ -12,9 +12,13 @@ if ! is_manager_node; then
fi
function update_es_urls() {
# Generate updated JSON payload
JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"is_default":false,"is_default_monitoring":false,"config_yaml":""}')
# Generate updated JSON payload
{% if grains.role not in ['so-import', 'so-eval'] %}
JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"config_yaml":""}')
{%- else %}
JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":""}')
{%- endif %}
# Update Fleet Elasticsearch URLs
curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_elasticsearch" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
}
@@ -42,6 +46,13 @@ NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "$
NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
# Compare the current & new list of URLs - if different, update the Fleet Elasticsearch URLs
if [ "$1" = "--force" ]; then
printf "\nUpdating List, since --force was specified.\n"
printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
update_es_urls
exit 0
fi
if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
printf "\nHashes match - no update needed.\n"
printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"

17
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-upgrade Normal file
View File

@@ -0,0 +1,17 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.
{%- import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %}
{%- set SUPPORTED_PACKAGES = salt['pillar.get']('elasticfleet:packages', default=ELASTICFLEETDEFAULTS.elasticfleet.packages, merge=True) %}
. /usr/sbin/so-elastic-fleet-common
{%- for PACKAGE in SUPPORTED_PACKAGES %}
echo "Upgrading {{ PACKAGE }} package..."
VERSION=$(elastic_fleet_package_latest_version_check "{{ PACKAGE }}")
elastic_fleet_package_install "{{ PACKAGE }}-$VERSION"
echo
{%- endfor %}
echo

144
salt/elasticsearch/defaults.yaml
View File

@@ -113,7 +113,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-system.auth:
so-logs-system_x_auth:
index_sorting: False
index_template:
index_patterns:
@@ -132,7 +132,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-system.syslog:
so-logs-system_x_syslog:
index_sorting: False
index_template:
index_patterns:
@@ -151,7 +151,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-system.system:
so-logs-system_x_system:
index_sorting: False
index_template:
index_patterns:
@@ -170,7 +170,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-system.application:
so-logs-system_x_application:
index_sorting: False
index_template:
index_patterns:
@@ -189,7 +189,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-system.security:
so-logs-system_x_security:
index_sorting: False
index_template:
index_patterns:
@@ -208,7 +208,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-windows.forwarded:
so-logs-windows_x_forwarded:
index_sorting: False
index_template:
index_patterns:
@@ -226,7 +226,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-windows.powershell:
so-logs-windows_x_powershell:
index_sorting: False
index_template:
index_patterns:
@@ -244,7 +244,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-windows.powershell_operational:
so-logs-windows_x_powershell_operational:
index_sorting: False
index_template:
index_patterns:
@@ -262,7 +262,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-windows.sysmon_operational:
so-logs-windows_x_sysmon_operational:
index_sorting: False
index_template:
index_patterns:
@@ -280,7 +280,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.cloudtrail:
so-logs-aws_x_cloudtrail:
index_sorting: False
index_template:
index_patterns:
@@ -298,7 +298,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.cloudwatch_logs:
so-logs-aws_x_cloudwatch_logs:
index_sorting: False
index_template:
index_patterns:
@@ -316,7 +316,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.ec2_logs:
so-logs-aws_x_ec2_logs:
index_sorting: False
index_template:
index_patterns:
@@ -334,7 +334,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.elb_logs:
so-logs-aws_x_elb_logs:
index_sorting: False
index_template:
index_patterns:
@@ -352,7 +352,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.firewall_logs:
so-logs-aws_x_firewall_logs:
index_sorting: False
index_template:
index_patterns:
@@ -370,7 +370,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.route53_public_logs:
so-logs-aws_x_route53_public_logs:
index_sorting: False
index_template:
index_patterns:
@@ -388,7 +388,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.route53_resolver_logs:
so-logs-aws_x_route53_resolver_logs:
index_sorting: False
index_template:
index_patterns:
@@ -406,7 +406,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.s3access:
so-logs-aws_x_s3access:
index_sorting: False
index_template:
index_patterns:
@@ -424,7 +424,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.vpcflow:
so-logs-aws_x_vpcflow:
index_sorting: False
index_template:
index_patterns:
@@ -442,7 +442,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-aws.waf:
so-logs-aws_x_waf:
index_sorting: False
index_template:
index_patterns:
@@ -460,7 +460,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.activitylogs:
so-logs-azure_x_activitylogs:
index_sorting: False
index_template:
index_patterns:
@@ -478,7 +478,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.application_gateway:
so-logs-azure_x_application_gateway:
index_sorting: False
index_template:
index_patterns:
@@ -496,7 +496,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.auditlogs:
so-logs-azure_x_auditlogs:
index_sorting: False
index_template:
index_patterns:
@@ -514,7 +514,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.eventhub:
so-logs-azure_x_eventhub:
index_sorting: False
index_template:
index_patterns:
@@ -532,7 +532,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.firewall_logs:
so-logs-azure_x_firewall_logs:
index_sorting: False
index_template:
index_patterns:
@@ -550,7 +550,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.identity_protection:
so-logs-azure_x_identity_protection:
index_sorting: False
index_template:
index_patterns:
@@ -568,7 +568,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.platformlogs:
so-logs-azure_x_platformlogs:
index_sorting: False
index_template:
index_patterns:
@@ -586,7 +586,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.provisioning:
so-logs-azure_x_provisioning:
index_sorting: False
index_template:
index_patterns:
@@ -604,7 +604,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.signinlogs:
so-logs-azure_x_signinlogs:
index_sorting: False
index_template:
index_patterns:
@@ -622,7 +622,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-azure.springcloudlogs:
so-logs-azure_x_springcloudlogs:
index_sorting: False
index_template:
index_patterns:
@@ -640,7 +640,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-cloudflare.audit:
so-logs-cloudflare_x_audit:
index_sorting: False
index_template:
index_patterns:
@@ -658,7 +658,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-cloudflare.logpull:
so-logs-cloudflare_x_logpull:
index_sorting: False
index_template:
index_patterns:
@@ -676,7 +676,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-fim.event:
so-logs-fim_x_event:
index_sorting: False
index_template:
index_patterns:
@@ -694,7 +694,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-github.audit:
so-logs-github_x_audit:
index_sorting: False
index_template:
index_patterns:
@@ -712,7 +712,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-github.code_scanning:
so-logs-github_x_code_scanning:
index_sorting: False
index_template:
index_patterns:
@@ -730,7 +730,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-github.dependabot:
so-logs-github_x_dependabot:
index_sorting: False
index_template:
index_patterns:
@@ -748,7 +748,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-github.issues:
so-logs-github_x_issues:
index_sorting: False
index_template:
index_patterns:
@@ -766,7 +766,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-github.secret_scanning:
so-logs-github_x_secret_scanning:
index_sorting: False
index_template:
index_patterns:
@@ -784,7 +784,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.access_transparency:
so-logs-google_workspace_x_access_transparency:
index_sorting: False
index_template:
index_patterns:
@@ -802,7 +802,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.admin:
so-logs-google_workspace_x_admin:
index_sorting: False
index_template:
index_patterns:
@@ -820,7 +820,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.alert:
so-logs-google_workspace_x_alert:
index_sorting: False
index_template:
index_patterns:
@@ -838,7 +838,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.context_aware_access:
so-logs-google_workspace_x_context_aware_access:
index_sorting: False
index_template:
index_patterns:
@@ -856,7 +856,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.device:
so-logs-google_workspace_x_device:
index_sorting: False
index_template:
index_patterns:
@@ -874,7 +874,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.drive:
so-logs-google_workspace_x_drive:
index_sorting: False
index_template:
index_patterns:
@@ -892,7 +892,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.gcp:
so-logs-google_workspace_x_gcp:
index_sorting: False
index_template:
index_patterns:
@@ -910,7 +910,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.group_enterprise:
so-logs-google_workspace_x_group_enterprise:
index_sorting: False
index_template:
index_patterns:
@@ -928,7 +928,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.groups:
so-logs-google_workspace_x_groups:
index_sorting: False
index_template:
index_patterns:
@@ -946,7 +946,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.login:
so-logs-google_workspace_x_login:
index_sorting: False
index_template:
index_patterns:
@@ -964,7 +964,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.rules:
so-logs-google_workspace_x_rules:
index_sorting: False
index_template:
index_patterns:
@@ -982,7 +982,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.saml:
so-logs-google_workspace_x_saml:
index_sorting: False
index_template:
index_patterns:
@@ -1000,7 +1000,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.token:
so-logs-google_workspace_x_token:
index_sorting: False
index_template:
index_patterns:
@@ -1018,7 +1018,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-google_workspace.user_accounts:
so-logs-google_workspace_x_user_accounts:
index_sorting: False
index_template:
index_patterns:
@@ -1036,7 +1036,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-1password.item_usages:
so-logs-1password_x_item_usages:
index_sorting: False
index_template:
index_patterns:
@@ -1054,7 +1054,7 @@ elasticsearch:
data_stream:
hidden: false
allow_custom_routing: false
so-logs-1password.signin_attempts:
so-logs-1password_x_signin_attempts:
index_sorting: False
index_template:
index_patterns:
@@ -1089,7 +1089,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-osquery-manager-action.responses:
so-logs-osquery-manager-action_x_responses:
index_sorting: False
index_template:
index_patterns:
@@ -1106,7 +1106,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.apm_server:
so-logs-elastic_agent_x_apm_server:
index_sorting: False
index_template:
index_patterns:
@@ -1160,7 +1160,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.auditbeat:
so-logs-elastic_agent_x_auditbeat:
index_sorting: False
index_template:
index_patterns:
@@ -1214,7 +1214,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.cloudbeat:
so-logs-elastic_agent_x_cloudbeat:
index_sorting: False
index_template:
index_patterns:
@@ -1265,7 +1265,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.endpoint_security:
so-logs-elastic_agent_x_endpoint_security:
index_sorting: False
index_template:
index_patterns:
@@ -1314,7 +1314,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.alerts:
so-logs-endpoint_x_alerts:
index_sorting: False
index_template:
index_patterns:
@@ -1363,7 +1363,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.api:
so-logs-endpoint_x_events_x_api:
index_sorting: False
index_template:
index_patterns:
@@ -1412,7 +1412,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.file:
so-logs-endpoint_x_events_x_file:
index_sorting: False
index_template:
index_patterns:
@@ -1461,7 +1461,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.library:
so-logs-endpoint_x_events_x_library:
index_sorting: False
index_template:
index_patterns:
@@ -1510,7 +1510,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.network:
so-logs-endpoint_x_events_x_network:
index_sorting: False
index_template:
index_patterns:
@@ -1559,7 +1559,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.process:
so-logs-endpoint_x_events_x_process:
index_sorting: False
index_template:
index_patterns:
@@ -1608,7 +1608,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.registry:
so-logs-endpoint_x_events_x_registry:
index_sorting: False
index_template:
index_patterns:
@@ -1657,7 +1657,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.security:
so-logs-endpoint_x_events_x_security:
index_sorting: False
index_template:
index_patterns:
@@ -1706,7 +1706,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.filebeat:
so-logs-elastic_agent_x_filebeat:
index_sorting: False
index_template:
index_patterns:
@@ -1755,7 +1755,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.fleet_server:
so-logs-elastic_agent_x_fleet_server:
index_sorting: False
index_template:
index_patterns:
@@ -1801,7 +1801,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.heartbeat:
so-logs-elastic_agent_x_heartbeat:
index_sorting: False
index_template:
index_patterns:
@@ -1907,7 +1907,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.metricbeat:
so-logs-elastic_agent_x_metricbeat:
index_sorting: False
index_template:
index_patterns:
@@ -1956,7 +1956,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.osquerybeat:
so-logs-elastic_agent_x_osquerybeat:
index_sorting: False
index_template:
index_patterns:
@@ -2005,7 +2005,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.packetbeat:
so-logs-elastic_agent_x_packetbeat:
index_sorting: False
index_template:
index_patterns:

171
salt/elasticsearch/soc_elasticsearch.yaml
View File

@@ -47,27 +47,25 @@ elasticsearch:
global: True
helpLink: elasticsearch.html
index_settings:
so-elasticsearch: &indexSettings
warm:
description: Age (in days) of this index before it will move to warm storage, if warm nodes are present. Once moved, events on this index can take longer to fetch.
global: True
helpLink: elasticsearch.html
close:
description: Age (in days) of this index before it will be closed. Once closed, events on this index cannot be retrieved without first re-opening the index.
global: True
helpLink: elasticsearch.html
delete:
description: Age (in days) of this index before it will be deleted. Once deleted, events are permanently unrecoverable.
global: True
helpLink: elasticsearch.html
so-logs: &indexSettings
index_sorting:
description: Sorts the index by event time, at the cost of additional processing resource consumption.
global: True
helpLink: elasticsearch.html
index_template:
index_patterns:
description: Patterns for matching multiple indices or tables.
forceType: "[]string"
multiline: True
global: True
helpLink: elasticsearch.html
template:
settings:
index:
number_of_replicas:
description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
global: True
helpLink: elasticsearch.html
mapping:
total_fields:
limit:
@@ -82,8 +80,50 @@ elasticsearch:
description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs.
global: True
helpLink: elasticsearch.html
number_of_replicas:
description: Number of replicas required for this index. Multiple replicas protects against data loss, but also increases storage costs.
sort:
field:
description: The field to sort by. Must set index_sorting to True.
global: True
helpLink: elasticsearch.html
order:
description: The order to sort by. Must set index_sorting to True.
global: True
helpLink: elasticsearch.html
mappings:
_meta:
package:
name:
description: Meta settings for the mapping.
global: True
helpLink: elasticsearch.html
managed_by:
description: Meta settings for the mapping.
global: True
helpLink: elasticsearch.html
managed:
description: Meta settings for the mapping.
forcedType: bool
global: True
helpLink: elasticsearch.html
composed_of:
description: The index template is composed of these component templates.
forcedType: "[]string"
global: True
helpLink: elasticsearch.html
priority:
description: The priority of the index template.
forcedType: int
global: True
helpLink: elasticsearch.html
data_stream:
hidden:
description: Hide the data stream.
forcedType: bool
global: True
helpLink: elasticsearch.html
allow_custom_routing:
description: Allow custom routing for the data stream.
forcedType: bool
global: True
helpLink: elasticsearch.html
policy:
@@ -97,6 +137,7 @@ elasticsearch:
set_priority:
priority:
description: Priority of index. This is used for recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
forcedType: int
global: True
helpLink: elasticsearch.html
rollover:
@@ -117,19 +158,111 @@ elasticsearch:
set_priority:
priority:
description: Used for index recovery after a node restart. Indices with higher priorities are recovered before indices with lower priorities.
forcedType: int
global: True
helpLink: elasticsearch.html
delete:
min_age:
description: Minimum age of index. This determines when the index should be deleted.
global: True
helpLink: elastic
helpLink: elasticsearch.html
_meta:
package:
name:
description: Meta settings for the mapping.
global: True
helpLink: elasticsearch.html
managed_by:
description: Meta settings for the mapping.
global: True
helpLink: elasticsearch.html
managed:
description: Meta settings for the mapping.
forcedType: bool
global: True
helpLink: elasticsearch.html
so-logs-system_x_auth: *indexSettings
so-logs-system_x_syslog: *indexSettings
so-logs-system_x_system: *indexSettings
so-logs-system_x_application: *indexSettings
so-logs-system_x_security: *indexSettings
so-logs-windows_x_forwarded: *indexSettings
so-logs-windows_x_powershell: *indexSettings
so-logs-windows_x_powershell_operational: *indexSettings
so-logs-windows_x_sysmon_operational: *indexSettings
so-logs-aws_x_cloudtrail: *indexSettings
so-logs-aws_x_cloudwatch_logs: *indexSettings
so-logs-aws_x_ec2_logs: *indexSettings
so-logs-aws_x_elb_logs: *indexSettings
so-logs-aws_x_firewall_logs: *indexSettings
so-logs-aws_x_route53_public_logs: *indexSettings
so-logs-aws_x_route53_resolver_logs: *indexSettings
so-logs-aws_x_s3access: *indexSettings
so-logs-aws_x_vpcflow: *indexSettings
so-logs-aws_x_waf: *indexSettings
so-logs-azure_x_activitylogs: *indexSettings
so-logs-azure_x_application_gateway: *indexSettings
so-logs-azure_x_auditlogs: *indexSettings
so-logs-azure_x_eventhub: *indexSettings
so-logs-azure_x_firewall_logs: *indexSettings
so-logs-azure_x_identity_protection: *indexSettings
so-logs-azure_x_platformlogs: *indexSettings
so-logs-azure_x_provisioning: *indexSettings
so-logs-azure_x_signinlogs: *indexSettings
so-logs-azure_x_springcloudlogs: *indexSettings
so-logs-cloudflare_x_audit: *indexSettings
so-logs-cloudflare_x_logpull: *indexSettings
so-logs-fim_x_event: *indexSettings
so-logs-github_x_audit: *indexSettings
so-logs-github_x_code_scanning: *indexSettings
so-logs-github_x_dependabot: *indexSettings
so-logs-github_x_issues: *indexSettings
so-logs-github_x_secret_scanning: *indexSettings
so-logs-google_workspace_x_access_transparency: *indexSettings
so-logs-google_workspace_x_admin: *indexSettings
so-logs-google_workspace_x_alert: *indexSettings
so-logs-google_workspace_x_context_aware_access: *indexSettings
so-logs-google_workspace_x_device: *indexSettings
so-logs-google_workspace_x_drive: *indexSettings
so-logs-google_workspace_x_gcp: *indexSettings
so-logs-google_workspace_x_group_enterprise: *indexSettings
so-logs-google_workspace_x_groups: *indexSettings
so-logs-google_workspace_x_login: *indexSettings
so-logs-google_workspace_x_rules: *indexSettings
so-logs-google_workspace_x_saml: *indexSettings
so-logs-google_workspace_x_token: *indexSettings
so-logs-google_workspace_x_user_accounts: *indexSettings
so-logs-1password_x_item_usages: *indexSettings
so-logs-1password_x_signin_attempts: *indexSettings
so-logs-osquery-manager-actions: *indexSettings
so-logs-osquery-manager-action_x_responses: *indexSettings
so-logs-elastic_agent_x_apm_server: *indexSettings
so-logs-elastic_agent_x_auditbeat: *indexSettings
so-logs-elastic_agent_x_cloudbeat: *indexSettings
so-logs-elastic_agent_x_endpoint_security: *indexSettings
so-logs-endpoint_x_alerts: *indexSettings
so-logs-endpoint_x_events_x_api: *indexSettings
so-logs-endpoint_x_events_x_file: *indexSettings
so-logs-endpoint_x_events_x_library: *indexSettings
so-logs-endpoint_x_events_x_network: *indexSettings
so-logs-endpoint_x_events_x_process: *indexSettings
so-logs-endpoint_x_events_x_registry: *indexSettings
so-logs-endpoint_x_events_x_security: *indexSettings
so-logs-elastic_agent_x_filebeat: *indexSettings
so-logs-elastic_agent_x_fleet_server: *indexSettings
so-logs-elastic_agent_x_heartbeat: *indexSettings
so-logs-elastic_agent: *indexSettings
so-logs-elastic_agent_x_metricbeat: *indexSettings
so-logs-elastic_agent_x_osquerybeat: *indexSettings
so-logs-elastic_agent_x_packetbeat: *indexSettings
so-case: *indexSettings
so-common: *indexSettings
so-endgame: *indexSettings
so-firewall: *indexSettings
so-idh: *indexSettings
so-suricata: *indexSettings
so-import: *indexSettings
so-kibana: *indexSettings
so-kratos: *indexSettings
so-logstash: *indexSettings
so-osquery: *indexSettings
so-redis: *indexSettings
so-strelka: *indexSettings
so-syslog: *indexSettings

6
salt/elasticsearch/template.map.jinja
View File

@@ -1,9 +1,11 @@
{% import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS with context %}
{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
{% for index, settings in ES_INDEX_SETTINGS.items() %}
{%- set ES_INDEX_SETTINGS_ORIG = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
{% set ES_INDEX_SETTINGS = {} %}
{% for index, settings in ES_INDEX_SETTINGS_ORIG.items() %}
{% if settings.index_template is defined %}
{% if not settings.get('index_sorting', False) | to_bool and settings.index_template.template.settings.index.sort is defined %}
{% do settings.index_template.template.settings.index.pop('sort') %}
{% endif %}
{% endif %}
{% do ES_INDEX_SETTINGS.update({index | replace("_x_", "."): ES_INDEX_SETTINGS_ORIG[index]}) %}
{% endfor %}

3
salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-ilm-policy-load
View File

@@ -6,8 +6,7 @@
. /usr/sbin/so-common
{%- import_yaml 'elasticsearch/defaults.yaml' as ELASTICSEARCHDEFAULTS %}
{%- set ES_INDEX_SETTINGS = salt['pillar.get']('elasticsearch:index_settings', default=ELASTICSEARCHDEFAULTS.elasticsearch.index_settings, merge=True) %}
{%- from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS %}
{%- for index, settings in ES_INDEX_SETTINGS.items() %}
{%- if settings.policy is defined %}

17
salt/firewall/defaults.yaml
View File

@@ -20,13 +20,12 @@ firewall:
managersearch: []
receiver: []
searchnode: []
securityonion_desktop: []
self: []
sensor: []
standalone: []
strelka_frontend: []
syslog: []
workstation: []
desktop: []
customhostgroup0: []
customhostgroup1: []
customhostgroup2: []
@@ -462,7 +461,7 @@ firewall:
endgame:
portgroups:
- endgame
workstation:
desktop:
portgroups:
- yum
customhostgroup0:
@@ -514,7 +513,7 @@ firewall:
receiver:
portgroups:
- salt_manager
workstation:
desktop:
portgroups:
- salt_manager
self:
@@ -650,7 +649,7 @@ firewall:
endgame:
portgroups:
- endgame
workstation:
desktop:
portgroups:
- yum
customhostgroup0:
@@ -702,7 +701,7 @@ firewall:
receiver:
portgroups:
- salt_manager
workstation:
desktop:
portgroups:
- salt_manager
self:
@@ -846,7 +845,7 @@ firewall:
strelka_frontend:
portgroups:
- strelka_frontend
workstation:
desktop:
portgroups:
- yum
customhostgroup0:
@@ -901,7 +900,7 @@ firewall:
receiver:
portgroups:
- salt_manager
workstation:
desktop:
portgroups:
- salt_manager
self:
@@ -1200,7 +1199,7 @@ firewall:
analyst:
portgroups:
- nginx
workstation:
desktop:
portgroups:
- yum
customhostgroup0:

19
salt/firewall/soc_firewall.yaml
View File

@@ -39,13 +39,12 @@ firewall:
managersearch: *hostgroupsettings
receiver: *hostgroupsettings
searchnode: *hostgroupsettings
securityonion_desktop: *hostgroupsettings
self: *ROhostgroupsettingsadv
sensor: *hostgroupsettings
standalone: *hostgroupsettings
strelka_frontend: *hostgroupsettings
syslog: *hostgroupsettings
workstation: *hostgroupsettings
desktop: *hostgroupsettings
customhostgroup0: &customhostgroupsettings
description: List of IP or CIDR blocks to allow to this hostgroup.
forcedType: "[]string"
@@ -216,7 +215,7 @@ firewall:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
workstation:
desktop:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
@@ -366,7 +365,7 @@ firewall:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
workstation:
desktop:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
@@ -404,7 +403,7 @@ firewall:
portgroups: *portgroupshost
heavynode:
portgroups: *portgroupshost
workstation:
desktop:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
@@ -457,7 +456,7 @@ firewall:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
workstation:
desktop:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
@@ -495,7 +494,7 @@ firewall:
portgroups: *portgroupshost
heavynode:
portgroups: *portgroupshost
workstation:
desktop:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
@@ -554,7 +553,7 @@ firewall:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
workstation:
desktop:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker
@@ -596,7 +595,7 @@ firewall:
portgroups: *portgroupshost
heavynode:
portgroups: *portgroupshost
workstation:
desktop:
portgroups: *portgroupshost
customhostgroup0:
portgroups: *portgroupshost
@@ -822,7 +821,7 @@ firewall:
portgroups: *portgroupsdocker
analyst:
portgroups: *portgroupsdocker
workstation:
desktop:
portgroups: *portgroupsdocker
customhostgroup0:
portgroups: *portgroupsdocker

12
salt/idstools/enabled.sls
View File

@@ -63,12 +63,22 @@ delete_so-idstools_so-status.disabled:
so-rule-update:
cron.present:
- name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1
- name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download_cron.log 2>&1
- identifier: so-rule-update
- user: root
- minute: '1'
- hour: '7'
# order this last to give so-idstools container time to be ready
run_so-rule-update:
cmd.run:
- name: '/usr/sbin/so-rule-update > /opt/so/log/idstools/download_idstools_state.log 2>&1'
- require:
- docker_container: so-idstools
- onchanges:
- file: idstoolsetcsync
- order: last
{% else %}
{{sls}}_state_not_allowed:

17
salt/idstools/sync_files.sls
View File

@@ -26,6 +26,13 @@ rulesdir:
- group: 939
- makedirs: True
SOrulesdir:
file.directory:
- name: /opt/so/rules/nids/sorules
- user: 939
- group: 939
- makedirs: True
# Don't show changes because all.rules can be large
synclocalnidsrules:
file.recurse:
@@ -35,3 +42,13 @@ synclocalnidsrules:
- group: 939
- show_changes: False
- include_pat: 'E@.rules'
# Don't show changes because all.rules can be large
syncnidsSOrules:
file.recurse:
- name: /opt/so/rules/nids/sorules
- source: salt://idstools/sorules/
- user: 939
- group: 939
- show_changes: False
- include_pat: 'E@.rules'

6
salt/idstools/tools/sbin_jinja/so-rule-update
View File

@@ -1,4 +1,8 @@
#!/bin/bash
# if this script isn't already running
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
. /usr/sbin/so-common
{%- from 'vars/globals.map.jinja' import GLOBALS %}
@@ -34,3 +38,5 @@ for arg in "$@"; do
done
docker exec so-idstools /bin/bash -c "cd /opt/so/idstools/etc && idstools-rulecat --force ${argstr}"
fi

4
salt/manager/tools/sbin/so-firewall-minion
View File

@@ -79,7 +79,7 @@ fi
'RECEIVER')
so-firewall includehost receiver "$IP" --apply
;;
'WORKSTATION')
so-firewall includehost workstation "$IP" --apply
'DESKTOP')
so-firewall includehost desktop "$IP" --apply
;;
esac

17
salt/manager/tools/sbin/soup
View File

@@ -393,6 +393,7 @@ preupgrade_changes() {
[[ "$INSTALLEDVERSION" == 2.4.2 ]] && up_to_2.4.3
[[ "$INSTALLEDVERSION" == 2.4.3 ]] && up_to_2.4.4
[[ "$INSTALLEDVERSION" == 2.4.4 ]] && up_to_2.4.5
[[ "$INSTALLEDVERSION" == 2.4.5 ]] && up_to_2.4.10
true
}
@@ -403,6 +404,7 @@ postupgrade_changes() {
[[ "$POSTVERSION" == 2.4.2 ]] && post_to_2.4.3
[[ "$POSTVERSION" == 2.4.3 ]] && post_to_2.4.4
[[ "$POSTVERSION" == 2.4.4 ]] && post_to_2.4.5
[[ "$POSTVERSION" == 2.4.5 ]] && post_to_2.4.10
true
}
@@ -422,6 +424,12 @@ post_to_2.4.5() {
POSTVERSION=2.4.5
}
post_to_2.4.10() {
echo "Updating Elastic Fleet ES URLs...."
/sbin/so-elastic-fleet-es-url-update --force
POSTVERSION=2.4.10
}
stop_salt_master() {
# kill all salt jobs across the grid because the hang indefinitely if they are queued and salt-master restarts
set +e
@@ -482,6 +490,12 @@ up_to_2.4.5() {
INSTALLEDVERSION=2.4.5
}
up_to_2.4.10() {
echo "Nothing to do for 2.4.10"
INSTALLEDVERSION=2.4.10
}
determine_elastic_agent_upgrade() {
if [[ $is_airgap -eq 0 ]]; then
update_elastic_agent_airgap
@@ -492,6 +506,7 @@ determine_elastic_agent_upgrade() {
update_elastic_agent_airgap() {
rsync -av /tmp/soagupdate/fleet/* /nsm/elastic-fleet/artifacts/
tar -xf "$ELASTIC_AGENT_FILE" -C "$ELASTIC_AGENT_EXPANSION_DIR"
}
verify_upgradespace() {
@@ -547,7 +562,7 @@ update_version() {
echo "Updating the Security Onion version file."
echo $NEWVERSION > /etc/soversion
echo $HOTFIXVERSION > /etc/sohotfix
sed -i "/ soversion:/c\ soversion: $NEWVERSION" /opt/so/saltstack/local/pillar/global/soc_global.sls
sed -i "s/soversion:.*/soversion: $NEWVERSION/" /opt/so/saltstack/local/pillar/global/soc_global.sls
}
upgrade_check() {

11
salt/soc/defaults.yaml
View File

@@ -69,7 +69,7 @@ soc:
- log.id.uid
- network.community_id
- event.dataset
':kratos:kratos.audit':
':kratos:audit':
- soc_timestamp
- http_request.headers.x-real-ip
- identity_id
@@ -570,14 +570,13 @@ soc:
- destination.geo.country_iso_code
- user.name
- source.ip
':windows.sysmon_operational:':
'::sysmon_operational':
- soc_timestamp
- event.action
- process.executable
- winlog.computer_name
- user.name
- file.target
- dns.question.name
- winlog.event_data.TargetObject
- process.executable
- process.pid
'::network_connection':
- soc_timestamp
- source.ip

4
salt/soc/files/soc/motd.md
View File

@@ -8,6 +8,10 @@ If you're ready to dive in, take a look at the [Alerts](/#/alerts) interface to
To see all the latest features and fixes in this version of Security Onion, click the upper-right menu and then click the [What's New](/docs/release-notes.html) link.
## Enterprise Appliances
Want the best hardware for your enterprise deployment? Check out our [enterprise appliances](https://securityonionsolutions.com/hardware/)!
## Customize This Space
Make this area your own by customizing the content in the [Config](/#/config?s=soc.files.soc.motd__md) interface.

10
salt/soc/soc_soc.yaml
View File

@@ -45,9 +45,10 @@ soc:
actions:
description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
global: True
forcedType: "[]{}"
eventFields:
default:
description: The list of fields to show as columns in the Hunt/Dashboards event table, when no other specific mapping applies. Mappings are defined by the format ":event.module:event.dataset".
description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. This 'default' entry is used for all events that do not match an existing mapping defined in the list to the left.
global: True
advanced: True
server:
@@ -139,6 +140,7 @@ soc:
description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL.
global: True
advanced: True
forcedType: "[]{}"
hunt: &appSettings
groupItemsPerPage:
description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI.
@@ -164,6 +166,12 @@ soc:
queries:
description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key.
global: True
forcedType: "[]{}"
queryToggleFilters:
description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query.
global: True
advanced: True
forcedType: "[]{}"
alerts: *appSettings
cases: *appSettings
dashboards: *appSettings

8
salt/ssl/init.sls
View File

@@ -153,8 +153,8 @@ etc_elasticfleet_crt:
- ca_server: {{ ca_server }}
- signing_policy: elasticfleet
- private_key: /etc/pki/elasticfleet-server.key
- CN: {{ GLOBALS.url_base }}
- subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
- days_remaining: 0
- days_valid: 820
- backup: True
@@ -210,8 +210,8 @@ etc_elasticfleet_logstash_crt:
- ca_server: {{ ca_server }}
- signing_policy: elasticfleet
- private_key: /etc/pki/elasticfleet-logstash.key
- CN: {{ GLOBALS.url_base }}
- subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
- days_remaining: 0
- days_valid: 820
- backup: True

48
salt/strelka/filestream/config.sls
View File

@@ -6,6 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'strelka/map.jinja' import STRELKAMERGED %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'strelka/map.jinja' import filecheck_runas %}
include:
@@ -78,6 +79,46 @@ filecheck_script:
- group: 939
- mode: 755
filecheck.log:
file.managed:
- name: /opt/so/log/strelka/filecheck.log
- user: {{ filecheck_runas }}
- group: {{ filecheck_runas }}
filecheck_stdout.log:
file.managed:
- name: /opt/so/log/strelka/filecheck_stdout.log
- user: {{ filecheck_runas }}
- group: {{ filecheck_runas }}
{% if GLOBALS.md_engine == 'ZEEK' %}
filecheck_run_socore:
cron.present:
- name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
- identifier: filecheck_run_socore
- user: socore
remove_filecheck_run_suricata:
cron.absent:
- identifier: filecheck_run_suricata
- user: suricata
{% elif GLOBALS.md_engine == 'SURICATA'%}
filecheck_run_suricata:
cron.present:
- name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
- identifier: filecheck_run_suricata
- user: suricata
remove_filecheck_run_socore:
cron.absent:
- identifier: filecheck_run_socore
- user: socore
{% endif %}
filecheck_restart:
cmd.run:
- name: pkill -f "python3 /opt/so/conf/strelka/filecheck"
@@ -85,12 +126,7 @@ filecheck_restart:
- success_retcodes: [0,1]
- onchanges:
- file: filecheck_script
filecheck_run:
cron.present:
- name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &'
- identifier: filecheck_run
- user: {{ filecheck_runas }}
- file: filecheck_conf
filcheck_history_clean:
cron.present:

1
salt/suricata/defaults.yaml
View File

@@ -416,7 +416,6 @@ suricata:
enabled: "yes"
filename: keyword_perf.log
append: "yes"
prefilter:
enabled: "yes"
filename: prefilter_perf.log

2
salt/suricata/map.jinja
View File

@@ -11,7 +11,7 @@
{# suricata.config.af-packet has to be rewritten here since we cant display '- interface' in the ui #}
{# we are limited to only one iterface #}
{% load_yaml as afpacket %}
- interface: {{ SURICATAMERGED.config['af-packet'].interface }}
- interface: {{ GLOBALS.sensor.interface }}
cluster-id: {{ SURICATAMERGED.config['af-packet']['cluster-id'] }}
cluster-type: {{ SURICATAMERGED.config['af-packet']['cluster-type'] }}
defrag: {{ SURICATAMERGED.config['af-packet'].defrag }}

4
salt/suricata/soc_suricata.yaml
View File

@@ -14,7 +14,9 @@ suricata:
config:
af-packet:
interface:
description: The network interface that Suricata will monitor.
description: The network interface that Suricata will monitor. This is set under sensor > interface.
advanced: True
readonly: True
helpLink: suricata.html
cluster-id:
advanced: True

15
salt/telegraf/config.sls
View File

@@ -32,17 +32,16 @@ tgrafetsdir:
- name: /opt/so/conf/telegraf/scripts
- makedirs: True
tgrafsyncscripts:
file.recurse:
- name: /opt/so/conf/telegraf/scripts
{% for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
tgraf_sync_script_{{script}}:
file.managed:
- name: /opt/so/conf/telegraf/scripts/{{script}}
- user: root
- group: 939
- file_mode: 770
- mode: 770
- template: jinja
- source: salt://telegraf/scripts
{% if GLOBALS.md_engine == 'SURICATA' %}
- exclude_pat: zeekcaptureloss.sh
{% endif %}
- source: salt://telegraf/scripts/{{script}}
{% endfor %}
telegraf_sbin:
file.recurse:

79
salt/telegraf/defaults.yaml
View File

@@ -9,3 +9,82 @@ telegraf:
flush_jitter: '0s'
debug: 'false'
quiet: 'false'
scripts:
eval:
- beatseps.sh
- checkfiles.sh
- influxdbsize.sh
- oldpcap.sh
- raid.sh
- redis.sh
- sostatus.sh
- stenoloss.sh
- suriloss.sh
- zeekcaptureloss.sh
- zeekloss.sh
standalone:
- beatseps.sh
- checkfiles.sh
- eps.sh
- influxdbsize.sh
- oldpcap.sh
- raid.sh
- redis.sh
- sostatus.sh
- stenoloss.sh
- suriloss.sh
- zeekcaptureloss.sh
- zeekloss.sh
manager:
- beatseps.sh
- influxdbsize.sh
- raid.sh
- redis.sh
- sostatus.sh
managersearch:
- beatseps.sh
- eps.sh
- influxdbsize.sh
- raid.sh
- redis.sh
- sostatus.sh
import:
- sostatus.sh
sensor:
- beatseps.sh
- checkfiles.sh
- oldpcap.sh
- raid.sh
- sostatus.sh
- stenoloss.sh
- suriloss.sh
- zeekcaptureloss.sh
- zeekloss.sh
heavynode:
- beatseps.sh
- checkfiles.sh
- eps.sh
- oldpcap.sh
- raid.sh
- redis.sh
- sostatus.sh
- stenoloss.sh
- suriloss.sh
- zeekcaptureloss.sh
- zeekloss.sh
idh:
- sostatus.sh
searchnode:
- beatseps.sh
- eps.sh
- raid.sh
- sostatus.sh
receiver:
- beatseps.sh
- eps.sh
- raid.sh
- redis.sh
- sostatus.sh
fleet:
- sostatus.sh
desktop: []

5
salt/telegraf/enabled.sls
View File

@@ -7,6 +7,7 @@
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'telegraf/map.jinja' import TELEGRAFMERGED %}
include:
@@ -67,8 +68,10 @@ so-telegraf:
{% endif %}
- watch:
- file: tgrafconf
- file: tgrafsyncscripts
- file: node_config
{% for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
- file: tgraf_sync_script_{{script}}
{% endfor %}
- require:
- file: tgrafconf
- file: node_config

112
salt/telegraf/etc/telegraf.conf
View File

@@ -193,7 +193,7 @@
username = "{{ ES_USER }}"
password = "{{ ES_PASS }}"
insecure_skip_verify = true
{%- elif grains['role'] in ['so-searchnode', 'so-hotnode', 'so-warmnode'] %}
{%- elif grains['role'] in ['so-searchnode'] %}
[[inputs.elasticsearch]]
servers = ["https://{{ NODEIP }}:9200"]
cluster_stats = false
@@ -244,6 +244,8 @@
{%- endif %}
# # Read metrics from one or more commands that can output to stdout
{%- if 'sostatus.sh' in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
{%- do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('sostatus.sh') %}
[[inputs.exec]]
commands = [
"/scripts/sostatus.sh"
@@ -251,122 +253,26 @@
data_format = "influx"
timeout = "15s"
interval = "60s"
{%- endif %}
# ## Commands array
{% if grains['role'] in ['so-manager'] %}
{%- if TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] | length > 0 %}
[[inputs.exec]]
commands = [
"/scripts/redis.sh",
"/scripts/influxdbsize.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
{%- for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
"/scripts/{{script}}"{% if not loop.last %},{% endif %}
{%- endfor %}
]
data_format = "influx"
## Timeout for each command to complete.
timeout = "15s"
{% elif grains['role'] in ['so-managersearch'] %}
[[inputs.exec]]
commands = [
"/scripts/redis.sh",
"/scripts/influxdbsize.sh",
"/scripts/eps.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
## Timeout for each command to complete.
timeout = "15s"
{% elif grains['role'] in ['so-searchnode', 'so-receiver'] %}
[[inputs.exec]]
commands = [
"/scripts/eps.sh",
"/scripts/raid.sh",
{% if grains.role == 'so-receiver' %}
"/scripts/redis.sh",
{% endif %}
"/scripts/beatseps.sh"
]
data_format = "influx"
## Timeout for each command to complete.
timeout = "15s"
{% elif grains['role'] == 'so-sensor' %}
[[inputs.exec]]
commands = [
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
{%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
"/scripts/oldpcap.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
timeout = "15s"
{% elif grains['role'] == 'so-heavynode' %}
[[inputs.exec]]
commands = [
"/scripts/redis.sh",
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
{%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
"/scripts/oldpcap.sh",
"/scripts/eps.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
timeout = "15s"
{% elif grains['role'] == 'so-standalone' %}
[[inputs.exec]]
commands = [
"/scripts/redis.sh",
"/scripts/influxdbsize.sh",
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
{%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
"/scripts/oldpcap.sh",
"/scripts/eps.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
timeout = "15s"
{% elif grains['role'] == 'so-eval' %}
[[inputs.exec]]
commands = [
"/scripts/redis.sh",
"/scripts/stenoloss.sh",
"/scripts/suriloss.sh",
"/scripts/checkfiles.sh",
{%- if MDENGINE == 'ZEEK' and ZEEK_ENABLED %}
"/scripts/zeekloss.sh",
"/scripts/zeekcaptureloss.sh",
{%- endif %}
"/scripts/oldpcap.sh",
"/scripts/influxdbsize.sh",
"/scripts/raid.sh",
"/scripts/beatseps.sh"
]
data_format = "influx"
timeout = "15s"
{% endif %}
{%- if salt['pillar.get']('healthcheck:enabled', False) %}
[[inputs.file]]
files = ["/host/nsm/zeek/logs/zeek_restart.log"]
data_format = "influx"
{%- endif %}
[[inputs.file]]
files = ["/etc/telegraf/node_config.json"]
name_override = "node_config"

10
salt/telegraf/map.jinja
View File

@@ -3,5 +3,15 @@
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'telegraf/defaults.yaml' as TELEGRAFDEFAULTS %}
{% set TELEGRAFMERGED = salt['pillar.get']('telegraf', TELEGRAFDEFAULTS.telegraf, merge=True) %}
{% if GLOBALS.role in ['so-eval', 'so-standalone', 'so-sensor', 'so-heavynode'] %}
{% from 'zeek/config.map.jinja' import ZEEKMERGED %}
{# if the md engine isn't zeek or zeek is disabled, dont run the zeek scripts for telegraf #}
{% if GLOBALS.md_engine != 'ZEEK' or not ZEEKMERGED.enabled %}
{% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekloss.sh') %}
{% do TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]].remove('zeekcaptureloss.sh') %}
{% endif %}
{% endif %}

10
salt/telegraf/scripts/zeekcaptureloss.sh
View File

@@ -5,16 +5,18 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
# This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp
# if this script isn't already running
{%- from 'zeek/config.map.jinja' import ZEEKMERGED %}
if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
if [ -d "/host/nsm/zeek/spool/logger" ]; then
WORKERS={{ salt['pillar.get']('sensor:zeek_lbprocs', salt['pillar.get']('sensor:zeek_pins') | length) }}
{%- if ZEEKMERGED.config.node.pins %}
WORKERS={{ ZEEKMERGED.config.node.pins | length }}
{%- else %}
WORKERS={{ ZEEKMERGED.config.node.lb_procs }}
{%- endif %}
ZEEKLOG=/host/nsm/zeek/spool/logger/capture_loss.log
elif [ -d "/host/nsm/zeek/spool/zeeksa" ]; then
WORKERS=1

19
salt/telegraf/soc_telegraf.yaml
View File

@@ -42,4 +42,21 @@ telegraf:
global: True
advanced: True
helpLink: telegraf.html
scripts:
eval: &telegrafscripts
description: List of input.exec scripts to run for this node type. The script must be present in salt/telegraf/scripts.
forcedType: "[]string"
multiline: True
advanced: True
helpLink: telegraf.html
standalone: *telegrafscripts
manager: *telegrafscripts
managersearch: *telegrafscripts
import: *telegrafscripts
sensor: *telegrafscripts
heavynode: *telegrafscripts
idh: *telegrafscripts
searchnode: *telegrafscripts
receiver: *telegrafscripts
fleet: *telegrafscripts
desktop: *telegrafscripts

4
salt/top.sls
View File

@@ -277,10 +277,10 @@ base:
- schedule
- docker_clean
'J@desktop:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:Rocky )':
'J@desktop:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:OEL )':
- match: compound
- desktop
'J@desktop:gui:enabled:^[Ff][Aa][Ll][Ss][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:Rocky )':
'J@desktop:gui:enabled:^[Ff][Aa][Ll][Ss][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:OEL )':
- match: compound
- desktop.remove_gui

11
setup/so-functions
View File

@@ -117,7 +117,7 @@ desktop_pillar() {
" mainint: '$MNIC'"\
"desktop:"\
" gui:"\
" enabled: true" >> "$pillar_file"\
" enabled: true"\
"sensoroni:"\
" config:"\
" node_description: '${NODE_DESCRIPTION//\'/''}'" > $pillar_file
@@ -2302,6 +2302,15 @@ set_default_log_size() {
log_size_limit=$( echo "$disk_size_gb" "$percentage" | awk '{printf("%.0f", $1 * ($2/100))}')
}
set_desktop_background() {
logCmd "mkdir /usr/local/share/backgrounds"
logCmd "cp ../salt/desktop/files/so-wallpaper.jpg /usr/local/share/backgrounds/so-wallpaper.jpg"
logCmd "cp ../salt/desktop/files/00-background /etc/dconf/db/local.d/00-background"
logCmd "dconf update"
}
set_hostname() {
logCmd "hostnamectl set-hostname --static $HOSTNAME"

2
setup/so-setup
View File

@@ -341,6 +341,8 @@ if [[ $is_desktop ]]; then
securityonion_repo
info "Enabling graphical interface and setting it to load at boot"
systemctl set-default graphical.target
info "Setting desktop background"
set_desktop_background
echo "Desktop Install Complete!"
echo ""
echo "Please reboot to start graphical interface."

BIN
sigs/securityonion-2.4.10-20230815.iso.sig Normal file
View File

Binary file not shown.