From 6359e03ba6ee8c1203d718505f664eb410efcc2d Mon Sep 17 00:00:00 2001 From: jtgreen-cse <67059096+jtgreen-cse@users.noreply.github.com> Date: Thu, 29 Oct 2020 15:03:13 -0400 Subject: [PATCH 01/10] fix for Windows events via osquery This change was required to properly let Windows events flow through their specific pipelines. Otherwise, the `temp` field stays around and gets ingested in ES. --- salt/elasticsearch/files/ingest/osquery.query_result | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticsearch/files/ingest/osquery.query_result b/salt/elasticsearch/files/ingest/osquery.query_result index 3a6ed15a3..67a0b39f8 100644 --- a/salt/elasticsearch/files/ingest/osquery.query_result +++ b/salt/elasticsearch/files/ingest/osquery.query_result @@ -6,7 +6,7 @@ { "gsub": { "field": "message2.columns.data", "pattern": "\\\\xC2\\\\xAE", "replacement": "", "ignore_missing": true } }, { "rename": { "if": "ctx.message2.columns?.eventid != null", "field": "message2.columns", "target_field": "winlog", "ignore_missing": true } }, { "json": { "field": "winlog.data", "target_field": "temp", "ignore_failure": true } }, - { "rename": { "field": "temp.Data", "target_field": "winlog.event_data", "ignore_missing": true } }, + { "rename": { "field": "temp.EventData", "target_field": "winlog.event_data", "ignore_missing": true } }, { "rename": { "field": "winlog.source", "target_field": "winlog.channel", "ignore_missing": true } }, { "rename": { "field": "winlog.eventid", "target_field": "winlog.event_id", "ignore_missing": true } }, { "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } }, @@ -22,4 +22,4 @@ { "set": { "field": "event.dataset", "value": "{{osquery.result.name}}", "override": false} }, { "pipeline": { "name": "common" } } ] -} \ No newline at end of file +} From 79ec1de83a8d1b853d5c1293afb7632ec2986e77 Mon Sep 17 00:00:00 2001 
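Review bot: The `temp` object is never removed after `temp.EventData` is renamed to `winlog.event_data`, so any other key the `json` processor produced from `winlog.data` would still be indexed, which is the symptom the commit message describes. Add `{ "remove": { "field": "temp", "ignore_missing": true } }` immediately after the rename so the scratch field cannot leak into the document regardless of its shape. Note also that `"ignore_failure": true` on the `json` step means an unparseable `winlog.data` leaves the raw string in place with no error marker; if that is not intended, an `on_failure` that tags the event would make it visible.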
From: William Wernert Date: Fri, 20 Nov 2020 09:56:48 -0500 Subject: [PATCH 02/10] [fix] Add exit check for static ip whiptail menus Fixes #1992 --- setup/so-whiptail | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/setup/so-whiptail b/setup/so-whiptail index 07e534c0f..bf40a99dd 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -697,6 +697,8 @@ whiptail_management_interface_dns() { MDNS=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter your DNS servers separated by a space:" 10 60 8.8.8.8 8.8.4.4 3>&1 1>&2 2>&3) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus } whiptail_management_interface_dns_search() { @@ -706,6 +708,8 @@ whiptail_management_interface_dns_search() { MSEARCH=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter your DNS search domain:" 10 60 searchdomain.local 3>&1 1>&2 2>&3) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus } whiptail_management_interface_gateway() { @@ -715,6 +719,8 @@ whiptail_management_interface_gateway() { MGATEWAY=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter your gateway:" 10 60 X.X.X.X 3>&1 1>&2 2>&3) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus } whiptail_management_interface_ip() { @@ -724,6 +730,8 @@ whiptail_management_interface_ip() { MIP=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter your IP address:" 10 60 X.X.X.X 3>&1 1>&2 2>&3) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus } whiptail_management_interface_mask() { @@ -733,6 +741,8 @@ whiptail_management_interface_mask() { MMASK=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter the bit mask for your subnet:" 10 60 24 3>&1 1>&2 2>&3) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus } whiptail_management_nic() { From e62b52da1b39c360493703ba4ad19159a766fac0 Mon Sep 17 00:00:00 2001 
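Review bot: The new exit check only catches Cancel/ESC; pressing OK on the pre-filled placeholder leaves `MIP` or `MGATEWAY` set to the literal `X.X.X.X` (or an empty string), and nothing in these functions validates the value before it is presumably written into the network configuration later. After the exit check, re-prompt on a placeholder or empty value, e.g. `if [[ -z "$MIP" || "$MIP" == "X.X.X.X" ]]; then whiptail_management_interface_ip; fi`, and similarly bound `MMASK` to 0–32. Quoting the argument, `whiptail_check_exitstatus "$exitstatus"`, is a small style nit. Each function's body begins before its hunk.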
From: William Wernert Date: Fri, 20 Nov 2020 09:58:07 -0500 Subject: [PATCH 03/10] [fix] Add condition to zeek state during setup for ZEEKVERSION Fixes #1990 --- setup/so-setup | 8 +++++--- setup/so-whiptail | 3 ++- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index e1550ff03..22e429ad4 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -639,12 +639,14 @@ fi salt-call state.apply -l info pcap >> $setup_log 2>&1 fi - if [[ $is_sensor || $is_import ]]; then + if [[ $is_sensor || $is_import || $is_helix ]]; then set_progress_str 66 "$(print_salt_state_apply 'suricata')" salt-call state.apply -l info suricata >> $setup_log 2>&1 - set_progress_str 67 "$(print_salt_state_apply 'zeek')" - salt-call state.apply -l info zeek >> $setup_log 2>&1 + if [[ $ZEEKVERSION == 'ZEEK' ]]; then + set_progress_str 67 "$(print_salt_state_apply 'zeek')" + salt-call state.apply -l info zeek >> $setup_log 2>&1 + fi fi if [[ $is_node ]]; then diff --git a/setup/so-whiptail b/setup/so-whiptail index bf40a99dd..11d968910 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -97,7 +97,8 @@ whiptail_zeek_version() { [ -n "$TESTING" ] && return - ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 "ZEEK" "Zeek (formerly known as Bro)" ON \ + ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 \ + "ZEEK" "Zeek (formerly known as Bro)" ON \ "SURICATA" "Suricata" OFF 3>&1 1>&2 2>&3) local exitstatus=$? From 9d837f7b45f3b2c4561acf5f5c572e1c73531b9f Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 20 Nov 2020 10:09:14 -0500 Subject: [PATCH 04/10] [fix] Reload sshd if config changes are made Fixes #1976 --- salt/common/tools/sbin/so-ssh-harden | 75 ++++++++++++++++++++++------ 1 file changed, 59 insertions(+), 16 deletions(-) 
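Review bot: `if [[ $ZEEKVERSION == 'ZEEK' ]]` silently skips the zeek state whenever the variable is unset, and the second hunk shows whiptail_zeek_version returning early when `TESTING` is set without assigning it, so unless so-setup seeds a default elsewhere a testing or unattended run will never apply zeek. Defaulting the variable before the check, `ZEEKVERSION=${ZEEKVERSION:-ZEEK}`, or logging a line in the skipped case would make the behavior explicit. The surrounding `if` chain in so-setup starts before the hunk.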
diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden
index 2f78a7af8..1cfdc482d 100644
--- a/salt/common/tools/sbin/so-ssh-harden
+++ b/salt/common/tools/sbin/so-ssh-harden
@@ -3,47 +3,90 @@ . /usr/sbin/so-common if [[ $1 =~ ^(q|--quiet) ]]; then - quiet=true + quiet=true fi +before= +after= +reload_required=false + print_sshd_t() { - local string=$1 - local state=$2 - echo "${state}:" - sshd -T | grep "^${string}" + local string=$1 + local state=$2 + echo "${state}:" + + local grep_out + grep_out=$(sshd -T | grep "^${string}") + + if [[ $state == "Before" ]]; then + before=$grep_out + else + after=$grep_out + fi + + echo $grep_out +} + +print_msg() { + local msg=$1 + + printf "%s\n" \ + "----" + "$msg" + "----" + "" } if ! [[ $quiet ]]; then print_sshd_t "ciphers" "Before"; fi sshd -T | grep "^ciphers" | sed -e "s/\(3des-cbc\|aes128-cbc\|aes192-cbc\|aes256-cbc\|arcfour\|arcfour128\|arcfour256\|blowfish-cbc\|cast128-cbc\|rijndael-cbc@lysator.liu.se\)\,\?//g" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then - print_sshd_t "ciphers" "After" - echo "" + print_sshd_t "ciphers" "After" + echo "" +fi + +if [[ $before != $after ]]; then + reload_required=true fi if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "Before"; fi sshd -T | grep "^kexalgorithms" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then - print_sshd_t "kexalgorithms" "After" - echo "" + print_sshd_t "kexalgorithms" "After" + echo "" +fi + +if [[ $before != $after ]]; then + reload_required=true fi if ! [[ $quiet ]]; then print_sshd_t "macs" "Before"; fi sshd -T | grep "^macs" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then - print_sshd_t "macs" "After" - echo "" + print_sshd_t "macs" "After" + echo "" +fi + +if [[ $before != $after ]]; then + reload_required=true fi if ! 
[[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "Before"; fi sshd -T | grep "^hostkeyalgorithms" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g" >> /etc/ssh/sshd_config if ! [[ $quiet ]]; then - print_sshd_t "hostkeyalgorithms" "After" - echo "" + print_sshd_t "hostkeyalgorithms" "After" + echo "" +fi + +if [[ $before != $after ]]; then + reload_required=true +fi + +if [[ $reload_required == true ]]; then + print_msg "Reloading sshd to load config changes..." + systemctl reload sshd fi {% if grains['os'] != 'CentOS' %} -echo "----" -echo "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." -echo "----" +print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting." {% endif %} From 1a11c24f0304ccaf764db921aed0154d977d164a Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 20 Nov 2020 11:13:40 -0500 Subject: [PATCH 05/10] [fix] Add newline escapes to so-ssh-harden --- salt/common/tools/sbin/so-ssh-harden | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden index 1cfdc482d..531c64cfd 100644 --- a/salt/common/tools/sbin/so-ssh-harden +++ b/salt/common/tools/sbin/so-ssh-harden @@ -31,9 +31,9 @@ print_msg() { local msg=$1 printf "%s\n" \ - "----" - "$msg" - "----" + "----" \ + "$msg" \ + "----" \ "" } From 2e6be747d92f303f2f606072f83787647778a545 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 20 Nov 2020 11:18:40 -0500 Subject: [PATCH 06/10] [fix] Fixes for quiet flag in so-ssh-harden --- salt/common/tools/sbin/so-ssh-harden | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden index 531c64cfd..1fd7d58d9 100644 --- a/salt/common/tools/sbin/so-ssh-harden +++ b/salt/common/tools/sbin/so-ssh-harden 
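Review bot: `before` and `after` are assigned only inside print_sshd_t, and every call to it is guarded by `if ! [[ $quiet ]]`, so in quiet mode both stay empty, `[[ $before != $after ]]` never fires and sshd is never reloaded — exactly the path an automated run would take. Capture the `sshd -T` output unconditionally and keep only the printing behind the quiet flag, and quote the comparison (`[[ "$before" != "$after" ]]`) because an unquoted right-hand side in `[[ ]]` is treated as a glob pattern. Since the script appends to /etc/ssh/sshd_config and then reloads, it should also run `sshd -t` first and refuse to reload on failure; otherwise a malformed line can leave sshd unable to re-exec and lock out new sessions. On non-CentOS hosts the service may be named `ssh` rather than `sshd`, which is worth confirming before relying on `systemctl reload sshd` there.
```bash
# … unchanged: so-common sourcing, quiet flag, print_msg …

sshd_t_get() { sshd -T | grep "^$1"; }

harden() {
    local key=$1 filter=$2
    before=$(sshd_t_get "$key")
    if ! [[ $quiet ]]; then echo "Before:"; echo "$before"; fi
    printf '%s\n' "$before" | sed -e "$filter" >> /etc/ssh/sshd_config
    after=$(sshd_t_get "$key")
    if ! [[ $quiet ]]; then echo "After:"; echo "$after"; echo ""; fi
    if [[ "$before" != "$after" ]]; then reload_required=true; fi
}

# … unchanged: one harden call per key with the existing sed expressions …

if [[ $reload_required == true ]]; then
    if sshd -t; then
        print_msg "Reloading sshd to load config changes..."
        systemctl reload sshd
    else
        print_msg "[ ERROR ] sshd -t rejected /etc/ssh/sshd_config; not reloading"
        exit 1
    fi
fi
```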
@@ -2,7 +2,7 @@ . /usr/sbin/so-common -if [[ $1 =~ ^(q|--quiet) ]]; then +if [[ $1 =~ ^(-q|--quiet) ]]; then quiet=true fi @@ -29,12 +29,13 @@ print_sshd_t() { print_msg() { local msg=$1 - + if ! [[ $quiet ]]; then printf "%s\n" \ "----" \ "$msg" \ "----" \ "" + fi } if ! [[ $quiet ]]; then print_sshd_t "ciphers" "Before"; fi From f074179656d6f39eed0f767f687a6de010af2646 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 20 Nov 2020 14:13:44 -0500 Subject: [PATCH 07/10] Correct so-import-pcap wrapping; add so-pcap-import alias for so-import-pcap; prompt to reboot after changing IP address on manager; ensure all tools have exec bit set --- salt/common/tools/sbin/so-import-pcap | 3 +-- salt/common/tools/sbin/so-ip-update | 6 +++--- salt/common/tools/sbin/so-playbook-reset | 0 salt/common/tools/sbin/so-ssh-harden | 0 salt/common/tools/sbin/so-wazuh-user-add | 0 salt/common/tools/sbin/so-wazuh-user-passwd | 0 salt/common/tools/sbin/so-wazuh-user-remove | 0 7 files changed, 4 insertions(+), 5 deletions(-) mode change 100644 => 100755 salt/common/tools/sbin/so-ip-update mode change 100644 => 100755 salt/common/tools/sbin/so-playbook-reset mode change 100644 => 100755 salt/common/tools/sbin/so-ssh-harden mode change 100644 => 100755 salt/common/tools/sbin/so-wazuh-user-add mode change 100644 => 100755 salt/common/tools/sbin/so-wazuh-user-passwd mode change 100644 => 100755 salt/common/tools/sbin/so-wazuh-user-remove diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap index f10f5fad9..2dc5b0504 100755 --- a/salt/common/tools/sbin/so-import-pcap +++ b/salt/common/tools/sbin/so-import-pcap 
@@ -27,8 +27,7 @@ function usage { cat << EOF Usage: $0 [pcap-file-2] [pcap-file-N] -Imports one or more PCAP files onto a sensor node. The PCAP traffic will be analyzed and -made available for review in the Security Onion toolset. +Imports one or more PCAP files onto a sensor node. The PCAP traffic will be analyzed and made available for review in the Security Onion toolset. EOF } diff --git a/salt/common/tools/sbin/so-ip-update b/salt/common/tools/sbin/so-ip-update old mode 100644 new mode 100755 index 7321a5587..8ab012ccf --- a/salt/common/tools/sbin/so-ip-update +++ b/salt/common/tools/sbin/so-ip-update @@ -50,9 +50,9 @@ if [ "$CONTINUE" == "y" ]; then echo "The IP has been changed from $OLD_IP to $NEW_IP." - if [ -z "$SKIP_STATE_APPLY" ]; then - echo "Re-applying salt states." - salt-call state.highstate queue=True + read -n 1 -p "The system must reboot to ensure all services have restarted with the new configuration. Reboot now? (y/N)" CONTINUE + if [ "$CONTINUE" == "y" ]; then + reboot fi else echo "Exiting without changes." diff --git a/salt/common/tools/sbin/so-playbook-reset b/salt/common/tools/sbin/so-playbook-reset old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-ssh-harden b/salt/common/tools/sbin/so-ssh-harden old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-wazuh-user-add b/salt/common/tools/sbin/so-wazuh-user-add old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-wazuh-user-passwd b/salt/common/tools/sbin/so-wazuh-user-passwd old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-wazuh-user-remove b/salt/common/tools/sbin/so-wazuh-user-remove old mode 100644 new mode 100755 From bc40a2bfc5d36e1a3a2dd82fa9fe5cfcfb60776b Mon Sep 17 00:00:00 2001 
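Review bot: In the so-ip-update hunk, declining the reboot ends the script silently while the prompt itself states that services are still running with the old configuration, and the removed `salt-call state.highstate queue=True` fallback (with its `SKIP_STATE_APPLY` escape hatch) has no replacement. Add an else branch such as `echo "Reboot skipped; services keep the old configuration until this system is rebooted."` so the operator is not left with an inconsistent host and no message. `reboot` will presumably only succeed when run as root, which the script does not check. The enclosing `if [ "$CONTINUE" == "y" ]` block begins before the hunk.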
From: Jason Ertel Date: Fri, 20 Nov 2020 14:13:57 -0500 Subject: [PATCH 08/10] Correct so-import-pcap wrapping; add so-pcap-import alias for so-import-pcap; prompt to reboot after changing IP address on manager; ensure all tools have exec bit set --- salt/common/tools/sbin/so-pcap-import | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100755 salt/common/tools/sbin/so-pcap-import diff --git a/salt/common/tools/sbin/so-pcap-import b/salt/common/tools/sbin/so-pcap-import new file mode 100755 index 000000000..667bf064e --- /dev/null +++ b/salt/common/tools/sbin/so-pcap-import @@ -0,0 +1,18 @@ +#!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +$(dirname $0)/so-import-pcap $@ From 0d3754200fd5054a95d1877b261db08be12bc7ee Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 20 Nov 2020 14:27:07 -0500 Subject: [PATCH 09/10] fix issue with proper salt.minion state execution for ubuntu --- salt/salt/map.jinja | 9 ++++++++- salt/salt/minion.sls | 6 +++--- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja index e5fa79a8e..7ef63bd68 100644 --- a/salt/salt/map.jinja +++ b/salt/salt/map.jinja 
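Review bot: `$(dirname $0)/so-import-pcap $@` leaves both `$0` and `$@` unquoted, so a PCAP path containing spaces is split into several arguments before it reaches so-import-pcap. Use `exec "$(dirname "$0")/so-import-pcap" "$@"`, which preserves each argument as given and hands the process over to the real tool so its exit status is returned without an extra shell in between.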
@@ -1,6 +1,13 @@ {% import_yaml 'salt/minion.defaults.yaml' as saltminion %} {% set SALTVERSION = saltminion.salt.minion.version %} -{% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split('-')[0] %} + +{% if grains.os == 'Ubuntu' %} + {% set SPLITCHAR = '+' %} +{% else %} + {% set SPLITCHAR = '-' %} +{% endif %} + +{% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %} {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} {% if grains.os|lower == 'ubuntu' %} diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls index f7d2126c1..de85693c6 100644 --- a/salt/salt/minion.sls +++ b/salt/salt/minion.sls @@ -13,7 +13,7 @@ install_salt_minion: exec 1>&- # close stdout exec 2>&- # close stderr nohup /bin/sh -c '{{ UPGRADECOMMAND }}' & - - onlyif: "[[ '{{INSTALLEDSALTVERSION}}' != '{{SALTVERSION}}' ]]" + - onlyif: test "{{INSTALLEDSALTVERSION}}" != "{{SALTVERSION}}" salt_minion_package: pkg.installed: @@ -21,10 +21,10 @@ salt_minion_package: - {{ COMMON }} - salt-minion - hold: True - - onlyif: "[[ '{{INSTALLEDSALTVERSION}}' == '{{SALTVERSION}}' ]]" + - onlyif: test "{{INSTALLEDSALTVERSION}}" == "{{SALTVERSION}}" salt_minion_service: service.running: - name: salt-minion - enable: True - - onlyif: "[[ '{{INSTALLEDSALTVERSION}}' == '{{SALTVERSION}}' ]]" \ No newline at end of file + - onlyif: test "{{INSTALLEDSALTVERSION}}" == "{{SALTVERSION}}" \ No newline at end of file From 78f5727f6f493511f747ac3601b497e66bab580d Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 20 Nov 2020 15:16:07 -0500 Subject: [PATCH 10/10] Improve so-ip-update prompts --- salt/common/tools/sbin/so-ip-update | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/common/tools/sbin/so-ip-update b/salt/common/tools/sbin/so-ip-update index 8ab012ccf..9976a42e8 100755 --- a/salt/common/tools/sbin/so-ip-update +++ b/salt/common/tools/sbin/so-ip-update 
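Review bot: Splitting only on `+` for Ubuntu means any Debian-style version without a `+` suffix (e.g. `3002.2-1`) keeps its revision, never equals `SALTVERSION`, and would re-trigger the upgrade path in minion.sls on every run. Stripping either separator removes both the fragility and the OS branch: `{% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion') | regex_replace('[+-].*$', '') %}`. If the branch is kept, it duplicates the `{% if grains.os|lower == 'ubuntu' %}` test two lines below with a different comparison; fold `SPLITCHAR` into that existing block for consistency.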
@@ -39,6 +39,7 @@ fi echo "About to change old IP $OLD_IP to new IP $NEW_IP." +echo read -n 1 -p "Would you like to continue? (y/N) " CONTINUE echo @@ -50,7 +51,10 @@ if [ "$CONTINUE" == "y" ]; then echo "The IP has been changed from $OLD_IP to $NEW_IP." + echo read -n 1 -p "The system must reboot to ensure all services have restarted with the new configuration. Reboot now? (y/N)" CONTINUE + echo + if [ "$CONTINUE" == "y" ]; then reboot fi