From 29c5f3212f50792ad534d986517cb861d81d5f7b Mon Sep 17 00:00:00 2001 From: Pete Date: Wed, 17 Feb 2021 16:53:31 +0000 Subject: [PATCH 01/17] make log_size_limit calculation more specific Extend the directory traversal into /nsm/elasticsearch in case that's a separate mountpoint from /nsm/. --- setup/so-functions | 3 +++ 1 file changed, 3 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index c12ae0a8c..5bce16236 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1743,6 +1743,9 @@ set_default_log_size() { if [ -d /nsm ]; then disk_dir="/nsm" fi + if [ -d /nsm/elasticsearch ]; then + disk_dir="/nsm/elasticsearch" + fi local disk_size_1k disk_size_1k=$(df $disk_dir | grep -v "^Filesystem" | awk '{print $2}') From 09c94ddf95742e36c618a89f84f49a45a2a908bb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 24 Feb 2021 08:57:25 -0500 Subject: [PATCH 02/17] Docker Cleanup --- salt/docker_clean/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/docker_clean/init.sls b/salt/docker_clean/init.sls index 21e672c00..0f9e5d26f 100644 --- a/salt/docker_clean/init.sls +++ b/salt/docker_clean/init.sls @@ -3,7 +3,7 @@ {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} -{% set OLDVERSIONS = ['2.0.0-rc.1','2.0.1-rc.1','2.0.2-rc.1','2.0.3-rc.1','2.1.0-rc.2','2.2.0-rc.3','2.3.0','2.3.1','2.3.2']%} +{% set OLDVERSIONS = ['2.0.0-rc.1','2.0.1-rc.1','2.0.2-rc.1','2.0.3-rc.1','2.1.0-rc.2','2.2.0-rc.3','2.3.0','2.3.1','2.3.2','2.3.10','2.3.20']%} {% for VERSION in OLDVERSIONS %} remove_images_{{ VERSION }}: @@ -53,4 +53,4 @@ remove_images_{{ VERSION }}: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} From 1d45472b48f3a8424ff654b55e49065ee6b6e828 Mon Sep 17 00:00:00 2001 
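Review bot: The new branch selects `/nsm/elasticsearch` on a plain `-d` test, so it is taken even when that directory is just a subdirectory of `/nsm`; that is harmless for `df` but does not match the commit message's "separate mountpoint", so a comment such as `# /nsm/elasticsearch may be its own mount; df reports whichever filesystem holds it` would make the intent clear. The `df $disk_dir | grep -v "^Filesystem" | awk '{print $2}'` line it feeds is unquoted and relies on `df` not wrapping a long device name onto a second line; `df -P -- "$disk_dir" | awk 'NR==2 {print $2}'` is the portable form. set_default_log_size starts before the hunk.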
From: Mike Reeves Date: Wed, 24 Feb 2021 11:30:43 -0500 Subject: [PATCH 03/17] Fix Strelka Rule updates, repo fix --- salt/common/tools/sbin/soup | 6 ++++- salt/docker_clean/init.sls | 35 ++++++++++++++++++++++++++++++ salt/registry/bin/so-buildregistry | 12 ---------- salt/registry/init.sls | 11 ---------- setup/so-functions | 14 +++++++++--- 5 files changed, 51 insertions(+), 27 deletions(-) delete mode 100644 salt/registry/bin/so-buildregistry diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index c1b649610..b6df582f1 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -159,7 +159,7 @@ generate_and_clean_tarballs() { local new_version new_version=$(cat $UPDATE_DIR/VERSION) [ -d /opt/so/repo ] || mkdir -p /opt/so/repo - tar -cxf "/opt/so/repo/$new_version.tar.gz" "$UPDATE_DIR" + tar -czf "/opt/so/repo/$new_version.tar.gz" "$UPDATE_DIR" find "/opt/so/repo" -type f -not -name "$new_version.tar.gz" -exec rm -rf {} \; } @@ -340,6 +340,10 @@ up_2.3.2X_to_2.3.30() { for pillar in "${minion_pillars[@]}"; do sed -i -r "s/ (\{\{.*}})$/ '\1'/g" "$pillar" done + + # Change the IMAGEREPO + sed -i "/ imagerepo: 'securityonion'/c\ imagerepo: 'security-onion-solutions'" /opt/so/saltstack/local/pillar/global.sls + sed -i "/ imagerepo: securityonion/c\ imagerepo: 'security-onion-solutions'" /opt/so/saltstack/local/pillar/global.sls } space_check() { diff --git a/salt/docker_clean/init.sls b/salt/docker_clean/init.sls index 21e672c00..57bc47ef6 100644 --- a/salt/docker_clean/init.sls +++ b/salt/docker_clean/init.sls 
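Review bot: The same `-cxf` → `-czf` correction is made again by patch 05/17 (`index b7471c9f8..1a33a7895`) on a different base of soup, so the series applies it twice and one of the two will conflict on rebase; keep only one. The archive is created from the absolute `$UPDATE_DIR`, so tar strips the leading `/` and prints a warning on every run; `tar -czf "/opt/so/repo/$new_version.tar.gz" -C "${UPDATE_DIR%/*}" "${UPDATE_DIR##*/}"` stores a relative tree silently. generate_and_clean_tarballs starts before the hunk.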
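Review bot: Both `c\` commands replace the whole `imagerepo:` line with a literal whose leading whitespace is fixed in the script, so the pillar's YAML indentation becomes whatever follows the backslash rather than what the file had; on this collapsed page it is not possible to confirm the two agree. A substitution keeps the existing indentation and folds the quoted and unquoted variants into one call: `sed -i "s/imagerepo: '\{0,1\}securityonion'\{0,1\}\$/imagerepo: 'security-onion-solutions'/" /opt/so/saltstack/local/pillar/global.sls`. up_2.3.2X_to_2.3.30 starts before the hunk.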
@@ -45,6 +45,41 @@ remove_images_{{ VERSION }}: - '{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-thehive-es:{{ VERSION }}' - '{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-wazuh:{{ VERSION }}' - '{{ MANAGER }}:5000/{{ IMAGEREPO }}/so-zeek:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-acng:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-thehive-cortex:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-curator:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-domainstats:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-elastalert:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-elasticsearch:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-filebeat:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-fleet:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-fleet-launcher:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-freqserver:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-grafana:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-idstools:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-influxdb:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-kibana:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-kratos:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-logstash:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-minio:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-mysql:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-nginx:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-pcaptools:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-playbook:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-redis:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-soc:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-soctopus:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-steno:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-strelka-frontend:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-strelka-manager:{{ VERSION }}' 
+ - '{{ MANAGER }}:5000/securityonion/so-strelka-backend:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-strelka-filestream:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-suricata:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-telegraf:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-thehive:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-thehive-es:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-wazuh:{{ VERSION }}' + - '{{ MANAGER }}:5000/securityonion/so-zeek:{{ VERSION }}' {% endfor %} {% else %} diff --git a/salt/registry/bin/so-buildregistry b/salt/registry/bin/so-buildregistry deleted file mode 100644 index 01756fc67..000000000 --- a/salt/registry/bin/so-buildregistry +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash - -VERSION=HH1.1.4 -TARBALL=/nsm/docker-registry/docker/so-dockers-$VERSION.tar - -# See if the tarball is there. If so do soemthing otherwise peace out. -if [ -f "$TARBALL" ]; then - cd /nsm/docker-registry/docker - tar xvf so-dockers-$VERSION.tar -fi - -exit 0 diff --git a/salt/registry/init.sls b/salt/registry/init.sls index d733b6f54..1cec55fd2 100644 --- a/salt/registry/init.sls +++ b/salt/registry/init.sls @@ -29,17 +29,6 @@ dockerregistryconf: - name: /opt/so/conf/docker-registry/etc/config.yml - source: salt://registry/etc/config.yml -# Copy the registry script -#dockerregistrybuild: -# file.managed: -# - name: /opt/so/conf/docker-registry/so-buildregistry -# - source: salt://registry/bin/so-buildregistry -# - mode: 755 - -#dockerexpandregistry: -# cmd.run: -# - name: /opt/so/conf/docker-registry/so-buildregistry - # Install the registry container so-dockerregistry: docker_container.running: diff --git a/setup/so-functions b/setup/so-functions index 4410e7443..a42da1b52 100755 --- a/setup/so-functions +++ b/setup/so-functions 
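Review bot: The added entries repeat the existing list verbatim with `{{ IMAGEREPO }}` replaced by the literal `securityonion`, so every future image addition has to be made in two places. A Jinja loop over both repository names, `{% for REPO in [IMAGEREPO, 'securityonion'] %}` around a single list that uses `{{ REPO }}`, removes the duplication; if `IMAGEREPO` can still equal `securityonion` on some installs, guard against listing the same image twice. The `remove_images_{{ VERSION }}` state starts before the hunk.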
@@ -1558,9 +1558,17 @@ manager_global() { " node_checkin_interval_ms: $NODE_CHECKIN_INTERVAL_MS"\ "strelka:"\ " enabled: $STRELKA"\ - " rules: 1"\ - " repos:"\ - " - https://github.com/Neo23x0/signature-base"\ + " rules: 1" >> "$global_pillar" + if [[ $is_airgap ]]; then + printf '%s\n'\ + " repos:"\ + " - 'https://$HOSTNAME/repo/rules/strelka'" >> "$global_pillar" + else + printf '%s\n'\ + " repos:"\ + " - 'https://github.com/Neo23x0/signature-base'" >> "$global_pillar" + fi + printf '%s\n'\ "curator:"\ " hot_warm: False"\ "elastic:"\ From 2be7ccac33881255a9164002baf0eef16538e5e2 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 24 Feb 2021 12:24:32 -0500 Subject: [PATCH 04/17] Add function to notify user that log_size_limit may be incorrect --- salt/common/tools/sbin/soup | 54 +++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index c1b649610..b7471c9f8 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
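Review bot: `if [[ $is_airgap ]]; then` is true for any non-empty value, including `0` or `false`, so if `is_airgap` is a 0/1 flag (patch 11/17 tests the same variable with `[ $is_airgap -eq 0 ]`) a non-airgap manager would be pointed at `https://$HOSTNAME/repo/rules/strelka` instead of GitHub. The two patches should test the same representation, e.g. `if [[ $is_airgap == 1 ]]; then` here or the same `[[ ]]` form in soup, whichever matches how the variable is set. manager_global starts before the hunk.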
@@ -120,6 +120,58 @@ check_sudoers() { fi } +check_log_size_limit() { + local num_minion_pillars + num_minion_pillars=$(find /opt/so/saltstack/local/pillar/minions/ -type f | wc -l) + + if [[ $num_minion_pillars -gt 1 ]]; then + echo "[INFO] The value of log_size_limit in the minion pillars may be incorrect." + echo " -> We recommend checking and adjusting the values as necessary." + else + local minion_id + minion_id=$(lookup_salt_value "id" "" "grains") + + local minion_arr + IFS='_' read -ra minion_arr <<< "$minion_id" + + local node_type="${minion_arr[0]}" + + local current_limit + current_limit=$(lookup_pillar "log_size_limit" "elasticsearch") + + local percent + case $node_type in + 'standalone' | 'eval') + percent=50 + ;; + *) + percent=80 + ;; + esac + + local disk_dir="/" + if [ -d /nsm ]; then + disk_dir="/nsm" + fi + + local disk_size_1k + disk_size_1k=$(df $disk_dir | grep -v "^Filesystem" | awk '{print $2}') + + local ratio="1048576" + + local disk_size_gb + disk_size_gb=$( echo "$disk_size_1k" "$ratio" | awk '{print($1/$2)}' ) + + local new_limit + new_limit=$( echo "$disk_size_gb" "$percent" | awk '{printf("%.0f", $1 * ($2/100))}') + + if [[ $current_limit != "$new_limit" ]]; then + echo "[WARNING] The value of log_size_limit (${current_limit}) does not match the recommended value of ${new_limit}." + echo " -> We recommend checking and adjusting the value as necessary." + fi + fi +} + clean_dockers() { # Place Holder for cleaning up old docker images echo "Trying to clean up old dockers." @@ -662,6 +714,8 @@ fi check_sudoers +check_log_size_limit + } main "$@" | tee /dev/fd/3 From 4507a89d9510909cafb7875130f93368d74cba60 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 24 Feb 2021 12:24:54 -0500 Subject: [PATCH 05/17] tar arg fix (-x -> -z) --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index b7471c9f8..1a33a7895 100755 
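Review bot: The percent table in `check_log_size_limit` gives 50 only to `standalone` and `eval`, while setup's `set_default_log_size` (context in patch 08/17) uses 50 for `STANDALONE | EVAL | HEAVYNODE`, and this copy also lacks the `/nsm/elasticsearch` branch that patch 01/17 adds to setup; wherever the two disagree the "recommended" value differs from the one setup wrote and the warning fires on a correct pillar. The single-pillar path may rarely see a heavy node, but the calculation is now duplicated between soup and setup, so at minimum keep the case arms and the `disk_dir` selection identical, with a comment naming the counterpart. `df $disk_dir` should be `df -P -- "$disk_dir"` so a long device name cannot push the size field onto a second line.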
--- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -211,7 +211,7 @@ generate_and_clean_tarballs() { local new_version new_version=$(cat $UPDATE_DIR/VERSION) [ -d /opt/so/repo ] || mkdir -p /opt/so/repo - tar -cxf "/opt/so/repo/$new_version.tar.gz" "$UPDATE_DIR" + tar -czf "/opt/so/repo/$new_version.tar.gz" "$UPDATE_DIR" find "/opt/so/repo" -type f -not -name "$new_version.tar.gz" -exec rm -rf {} \; } From ac6f1df86f30dd2818b6b2d2df2d1eb8915ba8c5 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 24 Feb 2021 12:33:36 -0500 Subject: [PATCH 06/17] [fix] Only check log_size_limit on .2X -> .30 * Since we're showing a message in the middle of soup, wait for keypress if it's shown --- salt/common/tools/sbin/soup | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 1a33a7895..76addeb13 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -121,10 +121,13 @@ check_sudoers() { } check_log_size_limit() { + local wait_for_enter=false + local num_minion_pillars num_minion_pillars=$(find /opt/so/saltstack/local/pillar/minions/ -type f | wc -l) if [[ $num_minion_pillars -gt 1 ]]; then + wait_for_enter=true echo "[INFO] The value of log_size_limit in the minion pillars may be incorrect." echo " -> We recommend checking and adjusting the values as necessary." else @@ -166,9 +169,16 @@ check_log_size_limit() { new_limit=$( echo "$disk_size_gb" "$percent" | awk '{printf("%.0f", $1 * ($2/100))}') if [[ $current_limit != "$new_limit" ]]; then + wait_for_enter=true echo "[WARNING] The value of log_size_limit (${current_limit}) does not match the recommended value of ${new_limit}." echo " -> We recommend checking and adjusting the value as necessary." fi + + if [[ $wait_for_enter == true ]]; then + echo "" + read -n 1 -s -r -p "Press any key to continue..." + echo "" # Since read doesn't print a newline, print one for it + fi fi } 
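Review bot: The `Press any key to continue...` block sits inside the `else` branch of `if [[ $num_minion_pillars -gt 1 ]]`, so the multi-pillar `[INFO]` branch sets `wait_for_enter=true` and then returns without ever pausing; the pause has to come after the outer `fi`. `read -n 1` also assumes a terminal on stdin; when soup is driven non-interactively the read hits EOF and returns non-zero, which would abort the upgrade mid-step if soup runs under `set -e` (not visible here), so guard it with `-t 0`. Suggested tail of the function:

```shell
    # … unchanged: single-pillar comparison and [WARNING] output …
  fi

  # Pause on either branch, and only when a terminal is attached to stdin
  if [[ $wait_for_enter == true && -t 0 ]]; then
    echo ""
    read -n 1 -s -r -p "Press any key to continue..."
    echo "" # Since read doesn't print a newline, print one for it
  fi
}
```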
@@ -392,6 +402,7 @@ up_2.3.2X_to_2.3.30() { for pillar in "${minion_pillars[@]}"; do sed -i -r "s/ (\{\{.*}})$/ '\1'/g" "$pillar" done + check_log_size_limit } space_check() { @@ -714,7 +725,7 @@ fi check_sudoers -check_log_size_limit + } From ece79379a504ef315ed96b3ce40ecb5ce6ab7b68 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 24 Feb 2021 12:54:14 -0500 Subject: [PATCH 07/17] Add file name/path to log_size_limit message --- salt/common/tools/sbin/soup | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 76addeb13..7cdd0dd2c 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -130,6 +130,7 @@ check_log_size_limit() { wait_for_enter=true echo "[INFO] The value of log_size_limit in the minion pillars may be incorrect." echo " -> We recommend checking and adjusting the values as necessary." + echo " -> Minion pillar directory: /opt/so/saltstack/local/pillar/minions/" else local minion_id minion_id=$(lookup_salt_value "id" "" "grains") @@ -172,6 +173,7 @@ check_log_size_limit() { wait_for_enter=true echo "[WARNING] The value of log_size_limit (${current_limit}) does not match the recommended value of ${new_limit}." echo " -> We recommend checking and adjusting the value as necessary." + echo " -> File: /opt/so/saltstack/local/pillar/minions/${minion_id}.sls" fi if [[ $wait_for_enter == true ]]; then From 298f7da90bab838ff8709bb5dc41b526a4b00397 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 24 Feb 2021 13:56:33 -0500 Subject: [PATCH 08/17] Fix indent in set_default_log_size --- setup/so-functions | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 4410e7443..9275199c4 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -2283,28 +2283,29 @@ sensor_pillar() { } set_default_log_size() { - local percentage + local percentage case $install_type in STANDALONE | EVAL | HEAVYNODE) percentage=50 - ;; + ;; *) - percentage=80 - ;; - esac + percentage=80 + ;; + esac local disk_dir="/" if [ -d /nsm ]; then disk_dir="/nsm" fi + local disk_size_1k disk_size_1k=$(df $disk_dir | grep -v "^Filesystem" | awk '{print $2}') - local ratio="1048576" + local ratio="1048576" - local disk_size_gb - disk_size_gb=$( echo "$disk_size_1k" "$ratio" | awk '{print($1/$2)}' ) + local disk_size_gb + disk_size_gb=$( echo "$disk_size_1k" "$ratio" | awk '{print($1/$2)}' ) log_size_limit=$( echo "$disk_size_gb" "$percentage" | awk '{printf("%.0f", $1 * ($2/100))}') } From e500e248020f16603221f9e85154247ebc183d10 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 24 Feb 2021 13:56:59 -0500 Subject: [PATCH 09/17] Only show log_size_limit warning on dist if heavynode pillars exist --- salt/common/tools/sbin/soup | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 7cdd0dd2c..1081ea6aa 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -127,10 +127,12 @@ check_log_size_limit() { num_minion_pillars=$(find /opt/so/saltstack/local/pillar/minions/ -type f | wc -l) if [[ $num_minion_pillars -gt 1 ]]; then - wait_for_enter=true - echo "[INFO] The value of log_size_limit in the minion pillars may be incorrect." - echo " -> We recommend checking and adjusting the values as necessary." - echo " -> Minion pillar directory: /opt/so/saltstack/local/pillar/minions/" + if find /opt/so/saltstack/local/pillar/minions/ -type f | grep -q "_heavynode"; then + wait_for_enter=true + echo "[INFO] The value of log_size_limit in any heavy node minion pillars may be incorrect." + echo " -> We recommend checking and adjusting the values as necessary." + echo " -> Minion pillar directory: /opt/so/saltstack/local/pillar/minions/" + fi else local minion_id minion_id=$(lookup_salt_value "id" "" "grains") From 775f274962d0d3966fa1cfb5c7cc6d8ded95d05e Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 24 Feb 2021 14:36:41 -0500 Subject: [PATCH 10/17] Also check /nsm/elasticsearch in soup log_size_limit check Reflect changes from PR#3079 --- setup/so-functions | 3 +++ 1 file changed, 3 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index 9275199c4..1336406b6 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2298,6 +2298,9 @@ set_default_log_size() { if [ -d /nsm ]; then disk_dir="/nsm" fi + if [ -d /nsm/elasticsearch ]; then + disk_dir="/nsm/elasticsearch" + fi local disk_size_1k disk_size_1k=$(df $disk_dir | grep -v "^Filesystem" | awk '{print $2}') From 6ea8eab9af98f05681e21b677f2f9a0fa8efed79 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 24 Feb 2021 20:32:47 +0000 Subject: [PATCH 11/17] Modify soup to add Strelka rule repo in pillar --- salt/common/tools/sbin/soup | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index c1b649610..12ead2cf2 100755 --- a/salt/common/tools/sbin/soup 
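Review bot: The heavy-node test re-runs `find` and greps the full path, so `_heavynode` anywhere in a directory component would also match; `find /opt/so/saltstack/local/pillar/minions/ -type f -name '*_heavynode*' | grep -q .` restricts it to file names, and listing the directory once into an array at the top of the function would serve both the count and this test. The `else` branch and the rest of check_log_size_limit lie outside the hunk.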
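Review bot: The subject says the `/nsm/elasticsearch` check is added to soup, but the hunk modifies `setup/so-functions`, and patch 01/17 already adds the identical three lines to `set_default_log_size` on a different base (`index c12ae0a8c..5bce16236`); soup's `check_log_size_limit` (patch 04/17) still stops at `/nsm`, so the two calculations diverge wherever `/nsm/elasticsearch` is a separate filesystem and the upgrade warning fires on a correct value. Either apply the same branch in soup or drop this duplicate. set_default_log_size starts before the hunk.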
+++ b/salt/common/tools/sbin/soup @@ -338,8 +338,16 @@ up_2.3.2X_to_2.3.30() { # Replace any curly brace scalars with the same scalar in single quotes readarray -t minion_pillars <<< "$(find /opt/so/saltstack/local/pillar/minions -type f -name '*.sls')" for pillar in "${minion_pillars[@]}"; do - sed -i -r "s/ (\{\{.*}})$/ '\1'/g" "$pillar" + sed -i -r "s/ (\{\{.*}})$/ '\1'/g" "$pillar" done + # Strelka rule repo pillar addition + if [ $is_airgap -eq 0 ]; then + # Add manager as default Strelka YARA rule repo + sed -i "/^strelka:/a \\ repos: \n - https://$HOSTNAME/repo/rules/strelka" /opt/so/saltstack/local/pillar/global.sls; + else + # Add Github repo for Strelka YARA rules + sed -i "/^strelka:/a \\ repos: \n - https://github.com/Neo23x0/signature-base" /opt/so/saltstack/local/pillar/global.sls; + fi } space_check() { From ef7cdf27bfa035fad5fd44518fe6e05c94ad25f5 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 25 Feb 2021 07:43:11 -0500 Subject: [PATCH 12/17] Add automation files for Suricata metadata --- .../distributed-net-ubuntu-manager-suricata | 77 +++++++++++++++++++ setup/automation/standalone-iso-suricata | 77 +++++++++++++++++++ 2 files changed, 154 insertions(+) create mode 100644 setup/automation/distributed-net-ubuntu-manager-suricata create mode 100644 setup/automation/standalone-iso-suricata diff --git a/setup/automation/distributed-net-ubuntu-manager-suricata b/setup/automation/distributed-net-ubuntu-manager-suricata new file mode 100644 index 000000000..d1fdf158d --- /dev/null +++ b/setup/automation/distributed-net-ubuntu-manager-suricata 
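Review bot: `[ $is_airgap -eq 0 ]` disagrees with patch 03/17's `[[ $is_airgap ]]` test of the same variable in setup, and `-eq` errors out if the value is empty or non-numeric; pick one representation and test it the same way in both places. The branch sense also looks inverted relative to patch 03 and to the comments — here `-eq 0` selects the manager-hosted repo while the other arm points an airgapped manager at GitHub — unless `0` means airgap, which the hunk does not show. The `sed … /^strelka:/a` insert also assumes no `repos:` key exists yet; the setup lines removed in patch 03/17 show setup was already writing `repos:` under `strelka:`, so on such pillars this produces a duplicate YAML key. up_2.3.2X_to_2.3.30 starts before the hunk.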
@@ -0,0 +1,77 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +TESTING=true + +address_type=DHCP +ADMINUSER=onionuser +ADMINPASS1=onionuser +ADMINPASS2=onionuser +ALLOW_CIDR=0.0.0.0/0 +ALLOW_ROLE=a +BASICZEEK=7 +BASICSURI=7 +# BLOGS= +#BNICS=eth1 +ZEEKVERSION=SURICATA +# CURCLOSEDAYS= +# EVALADVANCED=BASIC +GRAFANA=1 +# HELIXAPIKEY= +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNSENSOR=inherit +HOSTNAME=distributed-manager +install_type=MANAGER +# LSINPUTBATCHCOUNT= +# LSINPUTTHREADS= +# LSPIPELINEBATCH= +# LSPIPELINEWORKERS= +MANAGERADV=BASIC +MANAGERUPDATES=1 +# MDNS= +# MGATEWAY= +# MIP= +# MMASK= +MNIC=ens18 +# MSEARCH= +# MSRV= +# MTU= +NIDS=Suricata +# NODE_ES_HEAP_SIZE= +# NODE_LS_HEAP_SIZE= +NODESETUP=NODEBASIC +NSMSETUP=BASIC +NODEUPDATES=MANAGER +# OINKCODE= +OSQUERY=1 +# PATCHSCHEDULEDAYS= +# PATCHSCHEDULEHOURS= +PATCHSCHEDULENAME=auto +PLAYBOOK=1 +# REDIRECTHOST= +REDIRECTINFO=IP +RULESETUP=ETOPEN +# SHARDCOUNT= +# SKIP_REBOOT= +SOREMOTEPASS1=onionuser +SOREMOTEPASS2=onionuser +STRELKA=1 +THEHIVE=1 +WAZUH=1 +WEBUSER=onionuser@somewhere.invalid +WEBPASSWD1=0n10nus3r +WEBPASSWD2=0n10nus3r diff --git a/setup/automation/standalone-iso-suricata b/setup/automation/standalone-iso-suricata new file mode 100644 index 000000000..f4697f308 --- /dev/null +++ b/setup/automation/standalone-iso-suricata 
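Review bot: Both new automation files (this one and `setup/automation/standalone-iso-suricata`) carry credentials in the clear (`ADMINPASS1`, `SOREMOTEPASS1`, `WEBPASSWD1`) and `ALLOW_CIDR=0.0.0.0/0`; they are marked `TESTING=true`, but nothing in the file says the values are throwaway. A header comment such as `# Test-only answer file: placeholder credentials and an open ALLOW_CIDR; never use for a real install` would keep them from being copied as a template. The `#!/bin/bash` shebang on a file that only assigns variables suggests it is sourced rather than executed, which the same comment could state.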
@@ -0,0 +1,77 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +TESTING=true + +address_type=DHCP +ADMINUSER=onionuser +ADMINPASS1=onionuser +ADMINPASS2=onionuser +ALLOW_CIDR=0.0.0.0/0 +ALLOW_ROLE=a +BASICZEEK=2 +BASICSURI=2 +# BLOGS= +BNICS=eth1 +ZEEKVERSION=SURICATA +# CURCLOSEDAYS= +# EVALADVANCED=BASIC +GRAFANA=1 +# HELIXAPIKEY= +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNSENSOR=inherit +HOSTNAME=standalone +install_type=STANDALONE +# LSINPUTBATCHCOUNT= +# LSINPUTTHREADS= +# LSPIPELINEBATCH= +# LSPIPELINEWORKERS= +MANAGERADV=BASIC +MANAGERUPDATES=1 +# MDNS= +# MGATEWAY= +# MIP= +# MMASK= +MNIC=eth0 +# MSEARCH= +# MSRV= +# MTU= +NIDS=Suricata +# NODE_ES_HEAP_SIZE= +# NODE_LS_HEAP_SIZE= +NODESETUP=NODEBASIC +NSMSETUP=BASIC +NODEUPDATES=MANAGER +# OINKCODE= +OSQUERY=1 +# PATCHSCHEDULEDAYS= +# PATCHSCHEDULEHOURS= +PATCHSCHEDULENAME=auto +PLAYBOOK=1 +# REDIRECTHOST= +REDIRECTINFO=IP +RULESETUP=ETOPEN +# SHARDCOUNT= +# SKIP_REBOOT= +SOREMOTEPASS1=onionuser +SOREMOTEPASS2=onionuser +STRELKA=1 +THEHIVE=1 +WAZUH=1 +WEBUSER=onionuser@somewhere.invalid +WEBPASSWD1=0n10nus3r +WEBPASSWD2=0n10nus3r From 34dab9009c2f1aa61531b8e2af180055806b0a17 Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Thu, 25 Feb 2021 08:10:13 -0500 Subject: [PATCH 13/17] Ensure Zeek spool dir is owned by Zeek to allow Zeek to start correctly --- salt/zeek/init.sls | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 8cb9f5d21..fe6478464 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -73,6 +73,14 @@ zeekpolicysync: - group: 939 - template: jinja +# Ensure the zeek spool tree (and state.db) ownership is correct +zeekspoolownership: + file.directory: + - name: /nsm/zeek/spool + - user: 937 + - recurse: + - user + # Sync Intel zeekintelloadsync: file.managed: From d52abcbcbdfcd29b0d29ce2bbe39a3bdef26cdaf Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 25 Feb 2021 09:58:07 -0500 Subject: [PATCH 14/17] ensure zeekctl is run as user zeek https://github.com/Security-Onion-Solutions/securityonion/issues/3130 --- salt/common/tools/sbin/so-zeek-stats | 4 ++-- salt/zeek/cron/packetloss.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-zeek-stats b/salt/common/tools/sbin/so-zeek-stats index ff89c6506..9ebef1217 100755 --- a/salt/common/tools/sbin/so-zeek-stats +++ b/salt/common/tools/sbin/so-zeek-stats @@ -24,11 +24,11 @@ show_stats() { echo echo "Average throughput:" echo - docker exec -it so-zeek /opt/zeek/bin/zeekctl capstats + docker exec -it so-zeek "runuser -l zeek '/opt/zeek/bin/zeekctl capstats'" echo echo "Average packet loss:" echo - docker exec -it so-zeek /opt/zeek/bin/zeekctl netstats + docker exec -it so-zeek "runuser -l zeek '/opt/zeek/bin/zeekctl netstats'" echo } diff --git a/salt/zeek/cron/packetloss.sh b/salt/zeek/cron/packetloss.sh index c8750dd92..a083895d7 100755 --- a/salt/zeek/cron/packetloss.sh +++ b/salt/zeek/cron/packetloss.sh 
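Review bot: `zeekspoolownership` sets only `user: 937` and recurses on `user`, while the neighbouring `zeekpolicysync` state also pins `group: 939`; if the spool is expected to be group-readable by the same gid, add `- group: 939` and `- group` under `recurse`. Whether this state is ordered before the so-zeek container starts cannot be seen in the hunk; a `require_in` on the container state would make the "allow Zeek to start correctly" intent explicit.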
@@ -1,2 +1,2 @@ #!/bin/bash -/usr/bin/docker exec so-zeek /opt/zeek/bin/zeekctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1 +/usr/bin/docker exec so-zeek "runuser -l zeek '/opt/zeek/bin/zeekctl netstats'" | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1 From add66e750ec95980bafca9bea078b97f82c8a378 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 25 Feb 2021 10:49:09 -0500 Subject: [PATCH 15/17] forgot to add -c --- salt/common/tools/sbin/so-zeek-stats | 4 ++-- salt/zeek/cron/packetloss.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-zeek-stats b/salt/common/tools/sbin/so-zeek-stats index 9ebef1217..e5eb90b61 100755 --- a/salt/common/tools/sbin/so-zeek-stats +++ b/salt/common/tools/sbin/so-zeek-stats @@ -24,11 +24,11 @@ show_stats() { echo echo "Average throughput:" echo - docker exec -it so-zeek "runuser -l zeek '/opt/zeek/bin/zeekctl capstats'" + docker exec -it so-zeek "runuser -l zeek -c '/opt/zeek/bin/zeekctl capstats'" echo echo "Average packet loss:" echo - docker exec -it so-zeek "runuser -l zeek '/opt/zeek/bin/zeekctl netstats'" + docker exec -it so-zeek "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'" echo } diff --git a/salt/zeek/cron/packetloss.sh b/salt/zeek/cron/packetloss.sh index a083895d7..581246971 100755 --- a/salt/zeek/cron/packetloss.sh +++ b/salt/zeek/cron/packetloss.sh 
@@ -1,2 +1,2 @@ #!/bin/bash -/usr/bin/docker exec so-zeek "runuser -l zeek '/opt/zeek/bin/zeekctl netstats'" | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1 +/usr/bin/docker exec so-zeek "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'" | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1 From c8213fa3d4a2f5c42da1fc1b677514664026b094 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 25 Feb 2021 11:07:54 -0500 Subject: [PATCH 16/17] change docker exec --- salt/common/tools/sbin/so-zeek-stats | 4 ++-- salt/zeek/cron/packetloss.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-zeek-stats b/salt/common/tools/sbin/so-zeek-stats index e5eb90b61..1fdffda48 100755 --- a/salt/common/tools/sbin/so-zeek-stats +++ b/salt/common/tools/sbin/so-zeek-stats @@ -24,11 +24,11 @@ show_stats() { echo echo "Average throughput:" echo - docker exec -it so-zeek "runuser -l zeek -c '/opt/zeek/bin/zeekctl capstats'" + docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin "runuser -l zeek -c '/opt/zeek/bin/zeekctl capstats'" echo echo "Average packet loss:" echo - docker exec -it so-zeek "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'" + docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'" echo } diff --git a/salt/zeek/cron/packetloss.sh b/salt/zeek/cron/packetloss.sh index 581246971..5991c4d23 100755 --- a/salt/zeek/cron/packetloss.sh +++ b/salt/zeek/cron/packetloss.sh 
@@ -1,2 +1,2 @@ #!/bin/bash -/usr/bin/docker exec so-zeek "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'" | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1 +/usr/bin/docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'" | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1 From fcd3f81400b93b87dedf0f6bf3955ef5300f052e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 25 Feb 2021 11:16:53 -0500 Subject: [PATCH 17/17] fix quotes --- salt/common/tools/sbin/so-zeek-stats | 4 ++-- salt/zeek/cron/packetloss.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-zeek-stats b/salt/common/tools/sbin/so-zeek-stats index 1fdffda48..d3e9b40a6 100755 --- a/salt/common/tools/sbin/so-zeek-stats +++ b/salt/common/tools/sbin/so-zeek-stats @@ -24,11 +24,11 @@ show_stats() { echo echo "Average throughput:" echo - docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin "runuser -l zeek -c '/opt/zeek/bin/zeekctl capstats'" + docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin runuser -l zeek -c '/opt/zeek/bin/zeekctl capstats' echo echo "Average packet loss:" echo - docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'" + docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats' echo } 
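Review bot: The two `docker exec so-zeek env -i PATH=… runuser -l zeek -c '…'` lines now differ only in the zeekctl subcommand, and patches 14–17/17 each re-edited both of them; a small helper, `zeekctl_as_zeek() { docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin runuser -l zeek -c "/opt/zeek/bin/zeekctl $1"; }`, called as `zeekctl_as_zeek capstats`, would leave one place to fix quoting. Dropping the original `-it` is right for a non-interactive query but is a behaviour change that the squashed series should mention. show_stats starts before the hunk.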
diff --git a/salt/zeek/cron/packetloss.sh b/salt/zeek/cron/packetloss.sh index 5991c4d23..0a3df7a18 100755 --- a/salt/zeek/cron/packetloss.sh +++ b/salt/zeek/cron/packetloss.sh @@ -1,2 +1,2 @@ #!/bin/bash -/usr/bin/docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'" | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1 +/usr/bin/docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats' | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1
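Review bot: `>> /nsm/zeek/logs/packetloss.log 2>&1` applies only to the last `awk`, so when `docker exec` or `runuser` fails (container stopped, user missing) the error goes to cron's stderr and the pipeline still appends `rcvd: 0 dropped: 0 total: 0`, recording a fake zero-loss sample. Capture the netstats output first, `stats=$(/usr/bin/docker exec so-zeek env -i PATH=… runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats') || exit 1`, and only then pipe `printf '%s\n' "$stats"` through the two awk filters into the log, so a failed collection leaves no misleading line.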