diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap index f10f5fad9..2dc5b0504 100755 --- a/salt/common/tools/sbin/so-import-pcap +++ b/salt/common/tools/sbin/so-import-pcap @@ -27,8 +27,7 @@ function usage { cat << EOF Usage: $0 [pcap-file-2] [pcap-file-N] -Imports one or more PCAP files onto a sensor node. The PCAP traffic will be analyzed and -made available for review in the Security Onion toolset. +Imports one or more PCAP files onto a sensor node. The PCAP traffic will be analyzed and made available for review in the Security Onion toolset. EOF } diff --git a/salt/common/tools/sbin/so-ip-update b/salt/common/tools/sbin/so-ip-update old mode 100644 new mode 100755 index 7321a5587..9976a42e8 --- a/salt/common/tools/sbin/so-ip-update +++ b/salt/common/tools/sbin/so-ip-update @@ -39,6 +39,7 @@ fi echo "About to change old IP $OLD_IP to new IP $NEW_IP." +echo read -n 1 -p "Would you like to continue? (y/N) " CONTINUE echo @@ -50,9 +51,12 @@ if [ "$CONTINUE" == "y" ]; then echo "The IP has been changed from $OLD_IP to $NEW_IP." - if [ -z "$SKIP_STATE_APPLY" ]; then - echo "Re-applying salt states." - salt-call state.highstate queue=True + echo + read -n 1 -p "The system must reboot to ensure all services have restarted with the new configuration. Reboot now? (y/N)" CONTINUE + echo + + if [ "$CONTINUE" == "y" ]; then + reboot fi else echo "Exiting without changes." diff --git a/salt/common/tools/sbin/so-pcap-import b/salt/common/tools/sbin/so-pcap-import new file mode 100755 index 000000000..667bf064e --- /dev/null +++ b/salt/common/tools/sbin/so-pcap-import @@ -0,0 +1,18 @@ +#!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +$(dirname $0)/so-import-pcap $@ diff --git a/salt/common/tools/sbin/so-playbook-reset b/salt/common/tools/sbin/so-playbook-reset old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden old mode 100644 new mode 100755 index 2f78a7af8..1fd7d58d9 --- a/salt/common/tools/sbin/so-ssh-harden +++ b/salt/common/tools/sbin/so-ssh-harden @@ -2,48 +2,92 @@ . /usr/sbin/so-common -if [[ $1 =~ ^(q|--quiet) ]]; then - quiet=true +if [[ $1 =~ ^(-q|--quiet) ]]; then + quiet=true fi +before= +after= +reload_required=false + print_sshd_t() { - local string=$1 - local state=$2 - echo "${state}:" - sshd -T | grep "^${string}" + local string=$1 + local state=$2 + echo "${state}:" + + local grep_out + grep_out=$(sshd -T | grep "^${string}") + + if [[ $state == "Before" ]]; then + before=$grep_out + else + after=$grep_out + fi + + echo $grep_out +} + +print_msg() { + local msg=$1 + if ! [[ $quiet ]]; then + printf "%s\n" \ + "----" \ + "$msg" \ + "----" \ + "" + fi } if ! [[ $quiet ]]; then print_sshd_t "ciphers" "Before"; fi sshd -T | grep "^ciphers" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then - print_sshd_t "ciphers" "After" - echo "" + print_sshd_t "ciphers" "After" + echo "" +fi + +if [[ $before != $after ]]; then + reload_required=true fi if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "Before"; fi sshd -T | grep "^kexalgorithms" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then - print_sshd_t "kexalgorithms" "After" - echo "" + print_sshd_t "kexalgorithms" "After" + echo "" +fi + +if [[ $before != $after ]]; then + reload_required=true fi if ! [[ $quiet ]]; then print_sshd_t "macs" "Before"; fi sshd -T | grep "^macs" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then - print_sshd_t "macs" "After" - echo "" + print_sshd_t "macs" "After" + echo "" +fi + +if [[ $before != $after ]]; then + reload_required=true fi if ! [[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "Before"; fi sshd -T | grep "^hostkeyalgorithms" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then - print_sshd_t "hostkeyalgorithms" "After" - echo "" + print_sshd_t "hostkeyalgorithms" "After" + echo "" +fi + +if [[ $before != $after ]]; then + reload_required=true +fi + +if [[ $reload_required == true ]]; then + print_msg "Reloading sshd to load config changes..." + systemctl reload sshd fi {% if grains['os'] != 'CentOS' %} -echo "----" -echo "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." -echo "----" +print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." {% endif %} diff --git a/salt/common/tools/sbin/so-wazuh-user-add b/salt/common/tools/sbin/so-wazuh-user-add old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-wazuh-user-passwd b/salt/common/tools/sbin/so-wazuh-user-passwd old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-wazuh-user-remove b/salt/common/tools/sbin/so-wazuh-user-remove old mode 100644 new mode 100755 diff --git a/salt/elasticsearch/files/ingest/osquery.query_result b/salt/elasticsearch/files/ingest/osquery.query_result index 3a6ed15a3..67a0b39f8 100644 --- a/salt/elasticsearch/files/ingest/osquery.query_result +++ b/salt/elasticsearch/files/ingest/osquery.query_result @@ -6,7 +6,7 @@ { "gsub": { "field": "message2.columns.data", "pattern": "\\\\xC2\\\\xAE", "replacement": "", "ignore_missing": true } }, { "rename": { "if": "ctx.message2.columns?.eventid != null", "field": "message2.columns", "target_field": "winlog", "ignore_missing": true } }, { "json": { "field": "winlog.data", "target_field": "temp", "ignore_failure": true } }, - { "rename": { "field": "temp.Data", "target_field": "winlog.event_data", "ignore_missing": true } }, + { "rename": { "field": "temp.EventData", "target_field": "winlog.event_data", "ignore_missing": true } }, { "rename": { "field": "winlog.source", "target_field": "winlog.channel", "ignore_missing": true } }, { "rename": { "field": "winlog.eventid", "target_field": "winlog.event_id", "ignore_missing": true } }, { "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } }, @@ -22,4 +22,4 @@ { "set": { "field": "event.dataset", "value": "{{osquery.result.name}}", "override": false} }, { "pipeline": { "name": "common" } } ] -} \ No newline at end of file +} diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja index e5fa79a8e..7ef63bd68 100644 --- a/salt/salt/map.jinja +++ b/salt/salt/map.jinja @@ -1,6 +1,13 @@ {% import_yaml 'salt/minion.defaults.yaml' as saltminion %} {% set SALTVERSION = saltminion.salt.minion.version %} -{% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split('-')[0] %} + +{% if grains.os == 'Ubuntu' %} + {% set SPLITCHAR = '+' %} +{% else %} + {% set SPLITCHAR = '-' %} +{% endif %} + +{% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %} {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} {% if grains.os|lower == 'ubuntu' %} diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls index f7d2126c1..de85693c6 100644 --- a/salt/salt/minion.sls +++ b/salt/salt/minion.sls @@ -13,7 +13,7 @@ install_salt_minion: exec 1>&- # close stdout exec 2>&- # close stderr nohup /bin/sh -c '{{ UPGRADECOMMAND }}' & - - onlyif: "[[ '{{INSTALLEDSALTVERSION}}' != '{{SALTVERSION}}' ]]" + - onlyif: test "{{INSTALLEDSALTVERSION}}" != "{{SALTVERSION}}" salt_minion_package: pkg.installed: @@ -21,10 +21,10 @@ salt_minion_package: - {{ COMMON }} - salt-minion - hold: True - - onlyif: "[[ '{{INSTALLEDSALTVERSION}}' == '{{SALTVERSION}}' ]]" + - onlyif: test "{{INSTALLEDSALTVERSION}}" == "{{SALTVERSION}}" salt_minion_service: service.running: - name: salt-minion - enable: True - - onlyif: "[[ '{{INSTALLEDSALTVERSION}}' == '{{SALTVERSION}}' ]]" \ No newline at end of file + - onlyif: test "{{INSTALLEDSALTVERSION}}" == "{{SALTVERSION}}" \ No newline at end of file diff --git a/setup/so-setup b/setup/so-setup index e1550ff03..22e429ad4 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -639,12 +639,14 @@ fi salt-call state.apply -l info pcap >> $setup_log 2>&1 fi - if [[ $is_sensor || $is_import ]]; then + if [[ $is_sensor || $is_import || $is_helix ]]; then set_progress_str 66 "$(print_salt_state_apply 'suricata')" salt-call state.apply -l info suricata >> $setup_log 2>&1 - set_progress_str 67 "$(print_salt_state_apply 'zeek')" - salt-call state.apply -l info zeek >> $setup_log 2>&1 + if [[ $ZEEKVERSION == 'ZEEK' ]]; then + set_progress_str 67 "$(print_salt_state_apply 'zeek')" + salt-call state.apply -l info zeek >> $setup_log 2>&1 + fi fi if [[ $is_node ]]; then diff --git a/setup/so-whiptail b/setup/so-whiptail index 07e534c0f..11d968910 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -97,7 +97,8 @@ whiptail_zeek_version() { [ -n "$TESTING" ] && return - ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 "ZEEK" "Zeek (formerly known as Bro)" ON \ + ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 \ + "ZEEK" "Zeek (formerly known as Bro)" ON \ "SURICATA" "Suricata" OFF 3>&1 1>&2 2>&3) local exitstatus=$? @@ -697,6 +698,8 @@ whiptail_management_interface_dns() { MDNS=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter your DNS servers separated by a space:" 10 60 8.8.8.8 8.8.4.4 3>&1 1>&2 2>&3) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus } whiptail_management_interface_dns_search() { @@ -706,6 +709,8 @@ whiptail_management_interface_dns_search() { MSEARCH=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter your DNS search domain:" 10 60 searchdomain.local 3>&1 1>&2 2>&3) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus } whiptail_management_interface_gateway() { @@ -715,6 +720,8 @@ whiptail_management_interface_gateway() { MGATEWAY=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter your gateway:" 10 60 X.X.X.X 3>&1 1>&2 2>&3) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus } whiptail_management_interface_ip() { @@ -724,6 +731,8 @@ whiptail_management_interface_ip() { MIP=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter your IP address:" 10 60 X.X.X.X 3>&1 1>&2 2>&3) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus } whiptail_management_interface_mask() { @@ -733,6 +742,8 @@ whiptail_management_interface_mask() { MMASK=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter the bit mask for your subnet:" 10 60 24 3>&1 1>&2 2>&3) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus } whiptail_management_nic() {