CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'remotes/origin/dev' into issue/3933

Browse Source
This commit is contained in:
m0duspwnens
2021-10-12 10:07:40 -04:00
parent 89d1df8a1d 2561480371
commit 19489f3626
6 changed files with 69 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
salt/common/tools/sbin/so-kibana-space-defaults
View File

@@ -1,5 +1,5 @@
. /usr/sbin/so-common . /usr/sbin/so-common
{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}" wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}"
## This hackery will be removed if using Elastic Auth ## ## This hackery will be removed if using Elastic Auth ##
@@ -9,5 +9,9 @@ SESSIONCOOKIE=$({{ ELASTICCURL }} -c - -X GET http://localhost:5601/ | grep sid
# Disable certain Features from showing up in the Kibana UI # Disable certain Features from showing up in the Kibana UI
echo echo
echo "Setting up default Space:" echo "Setting up default Space:"
{% if HIGHLANDER %}
{{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log
{% else %}
{{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet"]} ' >> /opt/so/log/kibana/misc.log {{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet"]} ' >> /opt/so/log/kibana/misc.log
{% endif %}
echo echo

55
salt/common/tools/sbin/so-user
View File

@@ -101,6 +101,9 @@ function validatePassword() {
if [[ $len -lt 6 ]]; then if [[ $len -lt 6 ]]; then
fail "Password does not meet the minimum requirements" fail "Password does not meet the minimum requirements"
fi fi
if [[ $len -gt 72 ]]; then
fail "Password is too long (max: 72)"
fi
check_password_and_exit "$password" check_password_and_exit "$password"
} }
@@ -237,8 +240,12 @@ function syncElastic() {
if [[ -f "$databasePath" && -f "$socRolesFile" ]]; then if [[ -f "$databasePath" && -f "$socRolesFile" ]]; then
# Append the SOC users # Append the SOC users
echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \ echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \
"from identity_credential_identifiers ici, identity_credentials ic " \ "from identity_credential_identifiers ici, identity_credentials ic, identities i " \
"where ici.identity_credential_id=ic.id and instr(ic.config, 'hashed_password') " \ "where " \
" ici.identity_credential_id=ic.id " \
" and ic.identity_id=i.id " \
" and instr(ic.config, 'hashed_password') " \
" and i.state == 'active' " \
"order by ici.identifier;" | \ "order by ici.identifier;" | \
sqlite3 "$databasePath" | \ sqlite3 "$databasePath" | \
jq -r '.user + ":" + .data.hashed_password' \ jq -r '.user + ":" + .data.hashed_password' \
@@ -381,6 +388,19 @@ EOF
fi fi
} }
function migrateLockedUsers() {
# This is a migration function to convert locked users from prior to 2.3.90
# to inactive users using the newer Kratos functionality. This should only
# find locked users once.
lockedEmails=$(curl -s http://localhost:4434/identities | jq -r '.[] | select(.traits.status == "locked") | .traits.email')
if [[ -n "$lockedEmails" ]]; then
echo "Disabling locked users..."
for email in $lockedEmails; do
updateStatus "$email" locked
done
fi
}
function updateStatus() { function updateStatus() {
email=$1 email=$1
status=$2 status=$2
@@ -391,24 +411,18 @@ function updateStatus() {
response=$(curl -Ss -L "${kratosUrl}/identities/$identityId") response=$(curl -Ss -L "${kratosUrl}/identities/$identityId")
[[ $? != 0 ]] && fail "Unable to communicate with Kratos" [[ $? != 0 ]] && fail "Unable to communicate with Kratos"
oldConfig=$(echo "select config from identity_credentials where identity_id='${identityId}';" | sqlite3 "$databasePath") schemaId=$(echo "$response" | jq -r .schema_id)
# Capture traits and remove obsolete 'status' trait if exists
traitBlock=$(echo "$response" | jq -c .traits | sed -re 's/,?"status":".*?"//')
state="active"
if [[ "$status" == "locked" ]]; then if [[ "$status" == "locked" ]]; then
config=$(echo $oldConfig | sed -e 's/hashed/locked/') state="inactive"
echo "update identity_credentials set config=CAST('${config}' as BLOB) where identity_id='${identityId}';" | sqlite3 "$databasePath"
[[ $? != 0 ]] && fail "Unable to lock credential record"
echo "delete from sessions where identity_id='${identityId}';" | sqlite3 "$databasePath"
[[ $? != 0 ]] && fail "Unable to invalidate sessions"
else
config=$(echo $oldConfig | sed -e 's/locked/hashed/')
echo "update identity_credentials set config=CAST('${config}' as BLOB) where identity_id='${identityId}';" | sqlite3 "$databasePath"
[[ $? != 0 ]] && fail "Unable to unlock credential record"
fi fi
body="{ \"schema_id\": \"$schemaId\", \"state\": \"$state\", \"traits\": $traitBlock }"
updatedJson=$(echo "$response" | jq ".traits.status = \"$status\" | del(.verifiable_addresses) | del(.id) | del(.schema_url) | del(.created_at) | del(.updated_at)") response=$(curl -fSsL -XPUT "${kratosUrl}/identities/$identityId" -d "$body")
response=$(curl -Ss -XPUT -L ${kratosUrl}/identities/$identityId -d "$updatedJson") [[ $? != 0 ]] && fail "Unable to update user"
[[ $? != 0 ]] && fail "Unable to mark user as locked"
} }
function updateUser() { function updateUser() {
@@ -547,6 +561,11 @@ case "${operation}" in
echo "Password is acceptable" echo "Password is acceptable"
;; ;;
"migrate")
migrateLockedUsers
echo "User migration complete"
;;
*) *)
fail "Unsupported operation: $operation" fail "Unsupported operation: $operation"
;; ;;

3
salt/common/tools/sbin/soup
View File

@@ -1037,6 +1037,9 @@ main() {
echo "Checking sudoers file." echo "Checking sudoers file."
check_sudoers check_sudoers
echo "Checking for necessary user migrations."
so-user migrate
if [[ -n $lsl_msg ]]; then if [[ -n $lsl_msg ]]; then
case $lsl_msg in case $lsl_msg in
'distributed') 'distributed')

10
salt/elasticsearch/config.map.jinja
View File

@@ -1,4 +1,5 @@
{% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %} {% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %}
{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
{% if not salt['pillar.get']('elasticsearch:auth:enabled', False) %} {% if not salt['pillar.get']('elasticsearch:auth:enabled', False) %}
{% do ESCONFIG.elasticsearch.config.xpack.security.authc.anonymous.update({'username': 'anonymous_user', 'roles': 'superuser', 'authz_exception': 'true'}) %} {% do ESCONFIG.elasticsearch.config.xpack.security.authc.anonymous.update({'username': 'anonymous_user', 'roles': 'superuser', 'authz_exception': 'true'}) %}
@@ -8,6 +9,9 @@
{% if grains.id.split('_') | last in ['manager','managersearch'] %} {% if grains.id.split('_') | last in ['manager','managersearch'] %}
{% if salt['pillar.get']('nodestab', {}) %} {% if salt['pillar.get']('nodestab', {}) %}
{% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client']}) %} {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client']}) %}
{% if HIGHLANDER %}
{% do ESCONFIG.elasticsearch.config.node.roles.append('ml') %}
{% endif %}
{% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [grains.master]}}) %} {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [grains.master]}}) %}
{% for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} {% for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
{% do ESCONFIG.elasticsearch.config.discovery.seed_hosts.append(SN.split('_')|first) %} {% do ESCONFIG.elasticsearch.config.discovery.seed_hosts.append(SN.split('_')|first) %}
@@ -18,9 +22,15 @@
{% endif %} {% endif %}
{% else %} {% else %}
{% do ESCONFIG.elasticsearch.config.node.update({'roles': ['data', 'ingest']}) %} {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['data', 'ingest']}) %}
{% if HIGHLANDER %}
{% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'master']) %}
{% endif %}
{% do ESCONFIG.elasticsearch.config.node.attr.update({'box_type': 'hot'}) %} {% do ESCONFIG.elasticsearch.config.node.attr.update({'box_type': 'hot'}) %}
{% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [grains.master]}}) %} {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [grains.master]}}) %}
{% endif %} {% endif %}
{% if HIGHLANDER %}
{% do ESCONFIG.elasticsearch.config.xpack.ml.update({'enabled': true}) %}
{% endif %}
{% endif %} {% endif %}
{% set ESCONFIG = salt['pillar.get']('elasticsearch:config', default=ESCONFIG.elasticsearch.config, merge=True) %} {% set ESCONFIG = salt['pillar.get']('elasticsearch:config', default=ESCONFIG.elasticsearch.config, merge=True) %}

12
salt/soc/files/kratos/schema.json
View File

@@ -12,6 +12,7 @@
"format": "email", "format": "email",
"title": "E-Mail", "title": "E-Mail",
"minLength": 6, "minLength": 6,
"maxLength": 100,
"ory.sh/kratos": { "ory.sh/kratos": {
"credentials": { "credentials": {
"password": { "password": {
@@ -25,15 +26,18 @@
}, },
"firstName": { "firstName": {
"type": "string", "type": "string",
"title": "First Name" "title": "First Name",
"maxLength": 100
}, },
"lastName": { "lastName": {
"type": "string", "type": "string",
"title": "Last Name" "title": "Last Name",
"maxLength": 100
}, },
"status": { "note": {
"type": "string", "type": "string",
"title": "Status" "title": "Note",
"maxLength": 100
} }
}, },
"required": [ "required": [

4
setup/so-functions
View File

@@ -1668,6 +1668,10 @@ manager_global() {
" url_base: '$REDIRECTIT'"\ " url_base: '$REDIRECTIT'"\
" managerip: '$MAINIP'" > "$global_pillar" " managerip: '$MAINIP'" > "$global_pillar"
if [[ $HIGHLANDER == 'True' ]]; then
printf '%s\n'\
" highlander: True"\ >> "$global_pillar"
fi
if [[ $is_airgap ]]; then if [[ $is_airgap ]]; then
printf '%s\n'\ printf '%s\n'\
" airgap: True"\ >> "$global_pillar" " airgap: True"\ >> "$global_pillar"