Merge branch 'dev' of https://github.com/Security-Onion-Solutions/securityonion into dev

2025-12-09 18:52:52 +01:00 · 2020-11-23 09:29:18 -05:00
parent d178a7c5f3 426769588a
commit 22ebb5af03
13 changed files with 117 additions and 32 deletions
--- a/salt/common/tools/sbin/so-import-pcap
+++ b/salt/common/tools/sbin/so-import-pcap
@@ -27,8 +27,7 @@ function usage {
  cat << EOF
 Usage: $0 <pcap-file-1> [pcap-file-2] [pcap-file-N]

-Imports one or more PCAP files onto a sensor node. The PCAP traffic will be analyzed and
-made available for review in the Security Onion toolset.
+Imports one or more PCAP files onto a sensor node. The PCAP traffic will be analyzed and made available for review in the Security Onion toolset.
 EOF
 }

--- a/salt/common/tools/sbin/so-ip-update
+++ b/salt/common/tools/sbin/so-ip-update
@@ -39,6 +39,7 @@ fi

 echo "About to change old IP $OLD_IP to new IP $NEW_IP."

+echo
 read -n 1 -p "Would you like to continue? (y/N) " CONTINUE
 echo

@@ -50,9 +51,12 @@ if [ "$CONTINUE" == "y" ]; then

 	echo "The IP has been changed from $OLD_IP to $NEW_IP."

-	if [ -z "$SKIP_STATE_APPLY" ]; then
-		echo "Re-applying salt states."
-		salt-call state.highstate queue=True
+	echo
+	read -n 1 -p "The system must reboot to ensure all services have restarted with the new configuration. Reboot now? (y/N)" CONTINUE
+	echo
+
+	if [ "$CONTINUE" == "y" ]; then
+		reboot
 	fi
 else
 	echo "Exiting without changes."
--- a/salt/common/tools/sbin/so-pcap-import
+++ b/salt/common/tools/sbin/so-pcap-import
@@ -0,0 +1,18 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+$(dirname $0)/so-import-pcap $@
--- a/salt/common/tools/sbin/so-playbook-reset
+++ b/salt/common/tools/sbin/so-playbook-reset
--- a/salt/common/tools/sbin/so-ssh-harden
+++ b/salt/common/tools/sbin/so-ssh-harden
@@ -2,48 +2,92 @@

 . /usr/sbin/so-common

-if [[ $1 =~ ^(q|--quiet) ]]; then
-    quiet=true
+if [[ $1 =~ ^(-q|--quiet) ]]; then
+	quiet=true
 fi

+before=
+after=
+reload_required=false
+
 print_sshd_t() {
-    local string=$1
-    local state=$2
-    echo "${state}:"
-    sshd -T | grep "^${string}"
+	local string=$1
+	local state=$2
+	echo "${state}:"
+
+	local grep_out
+	grep_out=$(sshd -T | grep "^${string}")
+
+	if [[ $state == "Before" ]]; then
+		before=$grep_out
+	else
+		after=$grep_out
+	fi
+
+	echo $grep_out
+}
+
+print_msg() {
+	local msg=$1
+	if ! [[ $quiet ]]; then
+	printf "%s\n" \
+		"----" \
+		"$msg" \
+		"----" \
+		""
+	fi
 }

 if ! [[ $quiet ]]; then print_sshd_t "ciphers" "Before"; fi
 sshd -T | grep "^ciphers" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" >> /etc/ssh/sshd_config
 if ! [[ $quiet ]]; then
-    print_sshd_t "ciphers" "After"
-    echo ""
+	print_sshd_t "ciphers" "After"
+	echo ""
+fi
+
+if [[ $before != $after ]]; then
+	reload_required=true
 fi

 if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "Before"; fi
 sshd -T | grep "^kexalgorithms" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g" >> /etc/ssh/sshd_config
 if ! [[ $quiet ]]; then
-    print_sshd_t "kexalgorithms" "After"
-    echo ""
+	print_sshd_t "kexalgorithms" "After"
+	echo ""
+fi
+
+if [[ $before != $after ]]; then
+	reload_required=true
 fi

 if ! [[ $quiet ]]; then print_sshd_t "macs" "Before"; fi
 sshd -T | grep "^macs" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g" >> /etc/ssh/sshd_config
 if ! [[ $quiet ]]; then
-    print_sshd_t "macs" "After"
-    echo ""
+	print_sshd_t "macs" "After"
+	echo ""
+fi
+
+if [[ $before != $after ]]; then
+	reload_required=true
 fi

 if ! [[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "Before"; fi
 sshd -T | grep "^hostkeyalgorithms" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g" >> /etc/ssh/sshd_config
 if ! [[ $quiet ]]; then
-    print_sshd_t "hostkeyalgorithms" "After"
-    echo ""
+	print_sshd_t "hostkeyalgorithms" "After"
+	echo ""
+fi
+
+if [[ $before != $after ]]; then
+	reload_required=true
+fi
+
+if [[ $reload_required == true ]]; then
+	print_msg "Reloading sshd to load config changes..."
+	systemctl reload sshd
 fi

 {% if grains['os'] != 'CentOS' %}
-echo "----"
-echo "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting."
-echo "----"
+print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting."
 {% endif %}

--- a/salt/common/tools/sbin/so-wazuh-user-add
+++ b/salt/common/tools/sbin/so-wazuh-user-add
--- a/salt/common/tools/sbin/so-wazuh-user-passwd
+++ b/salt/common/tools/sbin/so-wazuh-user-passwd
--- a/salt/common/tools/sbin/so-wazuh-user-remove
+++ b/salt/common/tools/sbin/so-wazuh-user-remove
--- a/salt/elasticsearch/files/ingest/osquery.query_result
+++ b/salt/elasticsearch/files/ingest/osquery.query_result
@@ -6,7 +6,7 @@
    { "gsub":        { "field": "message2.columns.data",                              "pattern": "\\\\xC2\\\\xAE",             "replacement": "", "ignore_missing": true  } },
    { "rename":      { "if": "ctx.message2.columns?.eventid != null", "field": "message2.columns",  "target_field": "winlog",       "ignore_missing": true  } },
    { "json":        { "field": "winlog.data",                              "target_field": "temp",             "ignore_failure": true  } },
-    { "rename":      { "field": "temp.Data",               "target_field": "winlog.event_data",       "ignore_missing": true  } },   
+    { "rename":      { "field": "temp.EventData",               "target_field": "winlog.event_data",       "ignore_missing": true  } },   
    { "rename":      { "field": "winlog.source",               "target_field": "winlog.channel",       "ignore_missing": true  } },    
    { "rename":      { "field": "winlog.eventid",               "target_field": "winlog.event_id",       "ignore_missing": true  } },   
    { "pipeline":      { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'",   "name": "sysmon"  }  },
@@ -22,4 +22,4 @@
    { "set":           { "field": "event.dataset", "value": "{{osquery.result.name}}", "override": false}  },
    { "pipeline":    { "name": "common" } }
  ]
-}
+}
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
@@ -1,6 +1,13 @@
 {% import_yaml 'salt/minion.defaults.yaml' as saltminion %}
 {% set SALTVERSION = saltminion.salt.minion.version %}
-{% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split('-')[0] %}
+
+{% if grains.os == 'Ubuntu' %}
+  {% set SPLITCHAR = '+' %}
+{% else %}
+  {% set SPLITCHAR = '-' %}
+{% endif %}
+
+{% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %}
 {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}

 {% if grains.os|lower == 'ubuntu' %}
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -13,7 +13,7 @@ install_salt_minion:
        exec 1>&- # close stdout
        exec 2>&- # close stderr
        nohup /bin/sh -c '{{ UPGRADECOMMAND }}' &
-    - onlyif: "[[ '{{INSTALLEDSALTVERSION}}' != '{{SALTVERSION}}' ]]"
+    - onlyif: test "{{INSTALLEDSALTVERSION}}" != "{{SALTVERSION}}"

 salt_minion_package:
  pkg.installed:
@@ -21,10 +21,10 @@ salt_minion_package:
      - {{ COMMON }}
      - salt-minion
    - hold: True
-    - onlyif: "[[ '{{INSTALLEDSALTVERSION}}' == '{{SALTVERSION}}' ]]"
+    - onlyif: test "{{INSTALLEDSALTVERSION}}" == "{{SALTVERSION}}"

 salt_minion_service:
  service.running:
    - name: salt-minion
    - enable: True
-    - onlyif: "[[ '{{INSTALLEDSALTVERSION}}' == '{{SALTVERSION}}' ]]"
+    - onlyif: test "{{INSTALLEDSALTVERSION}}" == "{{SALTVERSION}}"
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -639,12 +639,14 @@ fi
 		salt-call state.apply -l info pcap >> $setup_log 2>&1
 	fi

-	if [[ $is_sensor || $is_import ]]; then
+	if [[ $is_sensor || $is_import || $is_helix ]]; then
 		set_progress_str 66 "$(print_salt_state_apply 'suricata')"
 		salt-call state.apply -l info suricata >> $setup_log 2>&1

-		set_progress_str 67 "$(print_salt_state_apply 'zeek')"
-		salt-call state.apply -l info zeek >> $setup_log 2>&1
+		if [[ $ZEEKVERSION == 'ZEEK' ]]; then
+			set_progress_str 67 "$(print_salt_state_apply 'zeek')"
+			salt-call state.apply -l info zeek >> $setup_log 2>&1
+		fi
 	fi

 	if [[ $is_node ]]; then
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -97,7 +97,8 @@ whiptail_zeek_version() {

 	[ -n "$TESTING" ] && return

-	ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 "ZEEK" "Zeek (formerly known as Bro)"  ON \
+	ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 \
+	"ZEEK" "Zeek (formerly known as Bro)"  ON \
 	"SURICATA" "Suricata" OFF 3>&1 1>&2 2>&3)

 	local exitstatus=$?
@@ -697,6 +698,8 @@ whiptail_management_interface_dns() {
 	MDNS=$(whiptail --title "Security Onion Setup" --inputbox \
 	"Enter your DNS servers separated by a space:" 10 60 8.8.8.8 8.8.4.4 3>&1 1>&2 2>&3)

+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
 }

 whiptail_management_interface_dns_search() {
@@ -706,6 +709,8 @@ whiptail_management_interface_dns_search() {
 	MSEARCH=$(whiptail --title "Security Onion Setup" --inputbox \
 	"Enter your DNS search domain:" 10 60 searchdomain.local 3>&1 1>&2 2>&3)

+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
 }

 whiptail_management_interface_gateway() {
@@ -715,6 +720,8 @@ whiptail_management_interface_gateway() {
 	MGATEWAY=$(whiptail --title "Security Onion Setup" --inputbox \
 	"Enter your gateway:" 10 60 X.X.X.X 3>&1 1>&2 2>&3)

+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
 }

 whiptail_management_interface_ip() {
@@ -724,6 +731,8 @@ whiptail_management_interface_ip() {
 	MIP=$(whiptail --title "Security Onion Setup" --inputbox \
 	"Enter your IP address:" 10 60 X.X.X.X 3>&1 1>&2 2>&3)

+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
 }

 whiptail_management_interface_mask() {
@@ -733,6 +742,8 @@ whiptail_management_interface_mask() {
 	MMASK=$(whiptail --title "Security Onion Setup" --inputbox \
 	"Enter the bit mask for your subnet:" 10 60 24 3>&1 1>&2 2>&3)

+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
 }

 whiptail_management_nic() {