CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 09:42:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

merge with dev and resolve conflicts

Browse Source
This commit is contained in:
m0duspwnens
2020-04-02 15:24:23 -04:00
parent ec60b7a2d4 1cac115009
commit 290abaf1d7
26 changed files with 123 additions and 377 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pillar/logstash/search.sls
View File

@@ -2,7 +2,7 @@ logstash:
pipelines:
search:
config:
- so/0900_input_redis.conf.jinja
- so/0900_input_redis.conf.jinja
- so/9000_output_zeek.conf.jinja
- so/9002_output_import.conf.jinja
- so/9100_output_osquery.conf.jinja

6
pillar/top.sls
View File

@@ -21,7 +21,7 @@ base:
- static
- firewall.*
- data.*
- auth #Shared secrets
- secrets
- minions.{{ grains.id }}
'*_master':
@@ -33,7 +33,7 @@ base:
- firewall.*
- data.*
- brologs
- auth #Shared secrets
- secrets
- logstash
- logstash.eval
- healthcheck.eval
@@ -63,5 +63,5 @@ base:
- static
- firewall.*
- data.*
- auth #Shared secrets
- secrets
- minions.{{ grains.id }}

30
salt/auth/init.sls
View File

@@ -1,30 +0,0 @@
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
{% set MASTER = salt['grains.get']('master') %}
so-auth-api-dir:
file.directory:
- name: /opt/so/conf/auth/api
- user: 939
- group: 939
- makedirs: True
so-auth-api:
docker_container.running:
- image: {{ MASTER }}:5000/soshybridhunter/so-auth-api:{{ VERSION }}
- hostname: so-auth-api
- name: so-auth-api
- environment:
- BASE_PATH: "/so-auth/api"
- AUTH_TOKEN_TIMEOUT: 32400
- binds:
- /opt/so/conf/auth/api:/data
- port_bindings:
- 0.0.0.0:5656:5656
so-auth-ui:
docker_container.running:
- image: {{ MASTER }}:5000/soshybridhunter/so-auth-ui:{{ VERSION }}
- hostname: so-auth-ui
- name: so-auth-ui
- port_bindings:
- 0.0.0.0:4242:80

163
salt/common/nginx/index.html
View File

@@ -1,163 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<title>Security Onion - Hybrid Hunter</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
<style>
* {
box-sizing: border-box;
font-family: Arial, Helvetica, sans-serif;
padding-left: 30px;
padding-right: 30px;
}
body {
font-family: Arial, Helvetica, sans-serif;
background-color: #2a2a2a;
}
a {
color: #f2f2f2;
text-align: left;
padding: 0px;
}
.center-content {
margin: 0 auto;
}
.center-image {
display: block;
margin-left: auto;
margin-right: auto;
width: 50%;
}
/* Style the top navigation bar */
.topnav {
overflow: hidden;
background-color: #333;
width: 1080px;
display: flex;
align-content: center;
}
/* Style the topnav links */
.topnav a {
margin: auto;
color: #f2f2f2;
text-align: center;
padding: 14px 16px;
text-decoration: none;
}
/* Change color on hover */
.topnav a:hover {
background-color: #ddd;
color: black;
}
/* Style the content */
.content {
background-color: #2a2a2a;
padding: 10px;
padding-top: 20px;
padding-left: 60px;
color: #E3DBCC;
width: 1080px;
}
/* Style the footer */
.footer {
background-color: #2a2a2a;
padding: 60px;
color: #E3DBCC;
width: 1080px;
}
</style>
</head>
<body>
<div class="center-content">
<div class="topnav center-content">
<a href="/so-auth/loginpage/create-user" target="_blank">Create New User</a>
<a href="/kibana/" target="_blank">Kibana</a>
<a href="/grafana/" target="_blank">Grafana</a>
<a href="/sensoroni/" target="_blank">Sensoroni</a>
<a href="/playbook/" target="_blank">Playbook</a>
<a href="/fleet/" target="_blank">Fleet</a>
<a href="/thehive/" target="_blank">TheHive</a>
<a href="/packages/" target="_blank">Osquery Packages</a>
<a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/FAQ" target="_blank">FAQ</a>
<a href="https://www.securityonionsolutions.com" target="_blank">Security Onion Solutions</a>
<a href="https://blog.securityonion.net" target="_blank">Blog</a>
</div>
<div class="content center-content">
<div style="text-align: center;">
<a href="https://securityonion.net">
<img style="border: none;" src="alpha_logo.jpg" alt="Security Onion" class="center-image" target="_blank">
</a>
<br/>
</div>
<p>
<div style="text-align: center;">
<h1>Hybrid Hunter Alpha 1.1.4 - Feature Parity Release</h1>
</div>
<br/>
<h2>Changes:</h2>
<ul>
<li>Added new in-house auth method [Security Onion Auth](https://github.com/Security-Onion-Solutions/securityonion-auth).</li>
<li>Web user creation is done via the browser now instead of so-user-add.</li>
<li>New Logstash pipeline setup. Now uses multiple pipelines.</li>
<li>New Master + Search node type and well as a Heavy Node type in the install.</li>
<li>Change all nodes to point to the docker registry on the Master. This cuts down on the calls to dockerhub.</li>
<li>Zeek 3.0.1</li>
<li>Elastic 6.8.6</li>
<li>New SO Start | Stop | Restart scripts for all components (eg. `so-playbook-restart`).</li>
<li>BPF support for Suricata (NIDS), Steno (PCAP) & Zeek ([Docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/BPF)).</li>
<li>Updated Domain Stats & Frequency Server containers to Python3 & created new Salt states for them.</li>
<li>Added so-status script which gives an easy to read look at container status.</li>
<li>Manage threshold.conf for Suricata using the thresholding pillar.</li>
<li>The ISO now includes all the docker containers for faster install speeds.</li>
<li>You now set the password for the onion account during the iso install. This account is temporary and will be removed after so-setup.</li>
<li>Updated Helix parsers for better compatibility.</li>
<li>Updated telegraf docker to include curl and jq.</li>
<li>CVE-2020-0601 Zeek Detection Script.</li>
<li>ISO Install now prompts you to create a password for the onion user during imaging. This account gets disabled during setup.</li>
<li>Check out the <a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Hybrid-Hunter-Quick-Start-Guide" target="_blank">Hybrid Hunter Quick Start Guide</a>.</li>
</ul>
</p>
</div>
<div class="footer center-content">
<b>Disclaimer of Warranty</b>
<br/>
<small>
THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM
.AS IS. WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE,
YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
</small>
<br/>
<br/>
<b>Limitation of Liability</b>
<br/>
<small>
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER,
OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM
(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES
OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
</small>
<br/>
</div>
</div>
</body>
</html>

1
salt/common/nginx/nginx.conf.so-eval
View File

@@ -27,6 +27,7 @@ http {
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
client_max_body_size 1024M;
include /etc/nginx/mime.types;
default_type application/octet-stream;

8
salt/common/nginx/nginx.conf.so-fleet
View File

@@ -86,14 +86,6 @@ http {
}
error_page 401 = @error401;
location @error401 {
add_header Set-Cookie "NSREDIRECT=http://{{ MAINIP }}$request_uri;Domain={{ MAINIP }};Path=/;Max-Age=60000";
return 302 http://{{ MAINIP }}/so-auth/loginpage/;
}
error_page 404 /404.html;
location = /40x.html {
}

1
salt/common/nginx/nginx.conf.so-master
View File

@@ -27,6 +27,7 @@ http {
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
client_max_body_size 1024M;
include /etc/nginx/mime.types;
default_type application/octet-stream;

1
salt/common/nginx/nginx.conf.so-mastersearch
View File

@@ -27,6 +27,7 @@ http {
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
client_max_body_size 1024M;
include /etc/nginx/mime.types;
default_type application/octet-stream;

21
salt/common/tools/sbin/so-auth-restart
View File

@@ -1,21 +0,0 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart auth $1

20
salt/common/tools/sbin/so-auth-start
View File

@@ -1,20 +0,0 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start auth $1

20
salt/common/tools/sbin/so-auth-stop
View File

@@ -1,20 +0,0 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop auth $1

2
salt/common/tools/sbin/so-elastic-download
View File

@@ -2,8 +2,6 @@
MASTER=MASTER
VERSION="HH1.1.4"
TRUSTED_CONTAINERS=( \
"so-auth-api:$VERSION" \
"so-auth-ui:$VERSION" \
"so-core:$VERSION" \
"so-thehive-cortex:$VERSION" \
"so-curator:$VERSION" \

1
salt/common/tools/sbin/so-restart
View File

@@ -32,6 +32,5 @@ fi
case $1 in
"cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
"steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
"auth") docker stop so-auth-api; docker stop so-auth-ui; salt-call state.apply auth queue=True;;
*) docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
esac

11
salt/common/tools/sbin/so-start
View File

@@ -32,16 +32,5 @@ fi
case $1 in
"all") salt-call state.highstate queue=True;;
"steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;;
"auth")
if docker ps | grep -q so-auth-api; then
if docker ps | grep -q so-auth-ui; then
printf "\n$1 is already running!\n\n"
else
docker rm so-auth-api >/dev/null 2>&1; docker rm so-auth-ui >/dev/null 2>&1; salt-call state.apply $1 queue=True
fi
else
docker rm so-auth-api >/dev/null 2>&1; docker rm so-auth-ui >/dev/null 2>&1; salt-call state.apply $1 queue=True
fi
;;
*) if docker ps | grep -q so-$1; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;;
esac

1
salt/common/tools/sbin/so-stop
View File

@@ -24,7 +24,6 @@ printf "Stopping $1...\n"
echo $banner
case $1 in
"auth") docker stop so-auth-api; docker rm so-auth-api; docker stop so-auth-ui; docker rm so-auth-ui ;;
*) docker stop so-$1 ; docker rm so-$1 ;;
esac

44
salt/common/tools/sbin/so-user
View File

@@ -22,8 +22,13 @@ got_root() {
got_root
if [[ $# < 1 || $# > 2 ]]; then
echo "Usage: $0 <list|add|update|delete|checkpw> [email]"
echo "Note that checkpw only checks that the given password meets the minimum requirements, it does not test that it matches for an existing user."
echo "Usage: $0 <list|add|update|delete|validate> [email]"
echo ""
echo " list: Lists all user email addresses currently defined in the identity system"
echo " add: Adds a new user to the identity system; requires 'email' parameter"
echo " update: Updates a user's password; requires 'email' parameter"
echo " delete: Deletes an existing user; requires 'email' parameter"
echo " validate: Validates that the given email address and password are acceptable for defining a new user; requires 'email' parameter"
exit 1
fi
@@ -50,14 +55,16 @@ function require() {
}
# Verify this environment is capable of running this script
require "argon2"
require "jq"
require "curl"
require "openssl"
require "sqlite3"
[[ ! -f $databasePath ]] && fail "Unable to find database file; specify path via KRATOS_DB_PATH environment variable"
response=$(curl -Ss ${kratosUrl}/)
[[ "$response" != "404 page not found" ]] && fail "Unable to communicate with Kratos; specify URL via KRATOS_URL environment variable"
function verifyEnvironment() {
require "argon2"
require "jq"
require "curl"
require "openssl"
require "sqlite3"
[[ ! -f $databasePath ]] && fail "Unable to find database file; specify path via KRATOS_DB_PATH environment variable"
response=$(curl -Ss ${kratosUrl}/)
[[ "$response" != "404 page not found" ]] && fail "Unable to communicate with Kratos; specify URL via KRATOS_URL environment variable"
}
function findIdByEmail() {
email=$1
@@ -77,6 +84,15 @@ function validatePassword() {
fi
}
function validateEmail() {
email=$1
# (?:[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*|"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\])
if [[ ! "$email" =~ ^[[:alnum:]._%+-]+@[[:alnum:].-]+\.[[:alpha:]]{2,}$ ]]; then
echo "Email address is invalid"
exit 3
fi
}
function updatePassword() {
identityId=$1
@@ -164,17 +180,21 @@ function deleteUser() {
case "${operation}" in
"add")
verifyEnvironment
[[ "$email" == "" ]] && fail "Email address must be provided"
validateEmail "$email"
createUser "$email"
echo "Successfully added new user"
;;
"list")
verifyEnvironment
listUsers
;;
"update")
verifyEnvironment
[[ "$email" == "" ]] && fail "Email address must be provided"
updateUser "$email"
@@ -182,13 +202,15 @@ case "${operation}" in
;;
"delete")
verifyEnvironment
[[ "$email" == "" ]] && fail "Email address must be provided"
deleteUser "$email"
echo "Successfully deleted user"
;;
"checkpw")
"validate")
validateEmail "$email"
updatePassword
echo "Password is acceptable"
;;

6
salt/fleet/init.sls
View File

@@ -1,6 +1,6 @@
{%- set MYSQLPASS = salt['pillar.get']('auth:mysql', None) -%}
{%- set FLEETPASS = salt['pillar.get']('auth:fleet', None) -%}
{%- set FLEETJWT = salt['pillar.get']('auth:fleet_jwt', None) -%}
{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%}
{%- set FLEETPASS = salt['pillar.get']('secrets:fleet', None) -%}
{%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%}
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
{% set MASTER = salt['grains.get']('master') %}
{% set MAINIP = salt['pillar.get']('node:mainip') %}

2
salt/master/files/registry/scripts/so-docker-download
View File

@@ -17,8 +17,6 @@ TRUSTED_CONTAINERS=( \
"so-thehive-es:$VERSION" \
"so-wazuh:$VERSION" \
"so-kibana:$VERSION" \
"so-auth-ui:$VERSION" \
"so-auth-api:$VERSION" \
"so-elastalert:$VERSION" \
"so-navigator:$VERSION" \
"so-filebeat:$VERSION" \

2
salt/mysql/etc/mypass
View File

@@ -1,2 +1,2 @@
{%- set MYSQLPASS = salt['pillar.get']('auth:mysql', None) -%}
{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%}
{{ MYSQLPASS }}

2
salt/mysql/init.sls
View File

@@ -1,4 +1,4 @@
{%- set MYSQLPASS = salt['pillar.get']('auth:mysql', None) %}
{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %}
{%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
{% set MASTER = salt['grains.get']('master') %}

2
salt/pcap/files/sensoroni.json
View File

@@ -1,7 +1,7 @@
{%- set MASTER = grains['master'] -%}
{%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%}
{
"logFilename": "/opt/sensoroni/log/sensoroni.log",
"logFilename": "/opt/sensoroni/logs/sensoroni.log",
"logLevel":"debug",
"agent": {
"pollIntervalMs": 10000,

4
salt/top.sls
View File

@@ -57,7 +57,6 @@ base:
- soc
- firewall
- idstools
- auth #Shared secrets
- healthcheck
{%- if FLEETMASTER or FLEETNODE %}
- mysql
@@ -108,7 +107,6 @@ base:
- master
- idstools
- redis
- auth #Shared secrets
{%- if FLEETMASTER or FLEETNODE %}
- mysql
{%- endif %}
@@ -197,7 +195,6 @@ base:
- firewall
- sensor
- master
- auth #Shared secrets
{%- if FLEETMASTER or FLEETNODE %}
- fleet.install_package
{%- endif %}
@@ -213,7 +210,6 @@ base:
- master
- idstools
- redis
- auth #Shared secrects
{%- if FLEETMASTER or FLEETNODE %}
- mysql
{%- endif %}

97
setup/so-functions
View File

@@ -29,9 +29,9 @@ accept_salt_key_local() {
accept_salt_key_remote() {
echo "Accept the key remotely on the master" >> $SETUPLOG 2>&1
# Delete the key just in case.
ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $MINION_ID -y
ssh -i /root/.ssh/so.key soremote@$MSRV sudo salt-key -d $MINION_ID -y
salt-call state.apply ca
ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -a $MINION_ID -y
ssh -i /root/.ssh/so.key soremote@$MSRV sudo salt-key -a $MINION_ID -y
}
@@ -65,8 +65,23 @@ add_socore_user_master() {
fi
groupadd --gid 939 socore
$ADDUSER --uid 939 --gid 939 --home-dir /opt/so socore
# Set the password for socore that we got during setup
echo socore:$COREPASS1 | chpasswd --crypt-method=SHA512
}
add_soremote_user_master() {
echo "Add soremote on the master" >>~/sosetup.log 2>&1
# Add user "soremote" to the master. This will be for things like accepting keys.
if [ $OS == 'centos' ]; then
local ADDUSER=adduser
else
local ADDUSER=useradd
fi
groupadd --gid 947 soremote
$ADDUSER --uid 947 --gid 947 soremote
# Set the password for soremote that we got during setup
echo soremote:$REMOTEPASS1 | chpasswd --crypt-method=SHA512
}
@@ -101,17 +116,17 @@ add_web_user() {
echo "Add user result: $?"
}
# Create an auth pillar so that passwords survive re-install
auth_pillar(){
# Create an secrets pillar so that passwords survive re-install
secrets_pillar(){
if [ ! -f /opt/so/saltstack/pillar/auth.sls ]; then
echo "Creating Auth Pillar" >> $SETUPLOG 2>&1
if [ ! -f /opt/so/saltstack/pillar/secrets.sls ]; then
echo "Creating Secrets Pillar" >> $SETUPLOG 2>&1
mkdir -p /opt/so/saltstack/pillar
echo "auth:" >> /opt/so/saltstack/pillar/auth.sls
echo " mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/auth.sls
echo " fleet: $FLEETPASS" >> /opt/so/saltstack/pillar/auth.sls
echo " fleet_jwt: $FLEETJWT" >> /opt/so/saltstack/pillar/auth.sls
echo " fleet_enroll-secret: False" >> /opt/so/saltstack/pillar/auth.sls
echo "secrets:" >> /opt/so/saltstack/pillar/secrets.sls
echo " mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/secrets.sls
echo " fleet: $FLEETPASS" >> /opt/so/saltstack/pillar/secrets.sls
echo " fleet_jwt: $FLEETJWT" >> /opt/so/saltstack/pillar/secrets.sls
echo " fleet_enroll-secret: False" >> /opt/so/saltstack/pillar/secrets.sls
fi
}
@@ -232,9 +247,9 @@ check_network_manager_conf() {
fi
}
check_socore_pass() {
check_soremote_pass() {
if [ $COREPASS1 == $COREPASS2 ]; then
if [ $SOREMOTEPASS1 == $SOREMOTEPASS2 ]; then
SCMATCH=yes
else
whiptail_passwords_dont_match
@@ -288,10 +303,10 @@ configure_minion() {
echo "mysql.host: '$MAINIP'" >> /etc/salt/minion
echo "mysql.port: 3306" >> /etc/salt/minion
echo "mysql.user: 'root'" >> /etc/salt/minion
if [ ! -f /opt/so/saltstack/pillar/auth.sls ]; then
if [ ! -f /opt/so/saltstack/pillar/secrets.sls ]; then
echo "mysql.pass: '$MYSQLPASS'" >> /etc/salt/minion
else
OLDPASS=$(cat /opt/so/saltstack/pillar/auth.sls | grep mysql | awk {'print $2'})
OLDPASS=$(cat /opt/so/saltstack/pillar/secrets.sls | grep mysql | awk {'print $2'})
echo "mysql.pass: '$OLDPASS'" >> /etc/salt/minion
fi
elif [ $TYPE == 'helix' ]; then
@@ -337,8 +352,8 @@ copy_minion_tmp_files() {
fi
else
echo "scp pillar and salt files in $TMP to master /opt/so/saltstack"
scp -prv -i /root/.ssh/so.key $TMP/pillar/* socore@$MSRV:/opt/so/saltstack/pillar >> $SETUPLOG 2>&1
scp -prv -i /root/.ssh/so.key $TMP/salt/* socore@$MSRV:/opt/so/saltstack/salt >> $SETUPLOG 2>&1
scp -prv -i /root/.ssh/so.key $TMP/pillar/* soremote@$MSRV:/opt/so/saltstack/pillar >> $SETUPLOG 2>&1
scp -prv -i /root/.ssh/so.key $TMP/salt/* soremote@$MSRV:/opt/so/saltstack/salt >> $SETUPLOG 2>&1
fi
}
@@ -352,7 +367,7 @@ copy_ssh_key() {
chown -R $SUDO_USER:$SUDO_USER /root/.ssh
echo "Copying the SSH key to the master"
#Copy the key over to the master
ssh-copy-id -f -i /root/.ssh/so.key socore@$MSRV
ssh-copy-id -f -i /root/.ssh/so.key soremote@$MSRV
}
@@ -551,8 +566,6 @@ docker_seed_registry() {
if [ $INSTALLTYPE != 'HELIXSENSOR' ]; then
TRUSTED_CONTAINERS=( \
"so-acng:$VERSION" \
"so-auth-api:$VERSION" \
"so-auth-ui:$VERSION" \
"so-core:$VERSION" \
"so-thehive-cortex:$VERSION" \
"so-curator:$VERSION" \
@@ -1018,6 +1031,7 @@ reserve_group_ids() {
groupadd -g 941 stenographer
groupadd -g 945 ossec
groupadd -g 946 cyberchef
groupadd -g 947 soremote
}
@@ -1029,6 +1043,7 @@ saltify() {
if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
reserve_group_ids
yum -y install epel-release
yum -y install wget https://repo.saltstack.com/py3/redhat/salt-py3-repo-latest-2.el7.noarch.rpm
cp /etc/yum.repos.d/salt-py3-latest.repo /etc/yum.repos.d/salt-py3-2019-2.repo
sed -i 's/latest/2019.2/g' /etc/yum.repos.d/salt-py3-2019-2.repo
@@ -1262,7 +1277,7 @@ EOF
# Copy down the gpg keys and install them from the master
mkdir $TMP/gpg
echo "scp the gpg keys and install them from the master"
scp -v -i /root/.ssh/so.key socore@$MSRV:/opt/so/gpg/* $TMP/gpg
scp -v -i /root/.ssh/so.key soremote@$MSRV:/opt/so/gpg/* $TMP/gpg
echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH"
apt-key add $TMP/gpg/SALTSTACK-GPG-KEY.pub
apt-key add $TMP/gpg/GPG-KEY-WAZUH
@@ -1462,27 +1477,27 @@ set_initial_firewall_policy() {
fi
if [ $INSTALLTYPE == 'SENSOR' ]; then
ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP
ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP
ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
fi
if [ $INSTALLTYPE == 'SEARCHNODE' ]; then
ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes $MAINIP
ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes $MAINIP
ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
fi
if [ $INSTALLTYPE == 'HEAVYNODE' ]; then
ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP
ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes $MAINIP
ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP
ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes $MAINIP
ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0
ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM
fi
if [ $INSTALLTYPE == 'FLEET' ]; then
ssh -i /root/.ssh/so.key socore@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP
fi
if [ $INSTALLTYPE == 'PARSINGNODE' ]; then
@@ -1558,13 +1573,13 @@ set_version() {
update_sudoers() {
if ! grep -qE '^socore\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then
# Update Sudoers so that socore can accept keys without a password
echo "socore ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | tee -a /etc/sudoers
echo "socore ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/firewall/addfirewall.sh" | tee -a /etc/sudoers
echo "socore ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/data/addtotab.sh" | tee -a /etc/sudoers
if ! grep -qE '^soremote\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then
# Update Sudoers so that soremote can accept keys without a password
echo "soremote ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | tee -a /etc/sudoers
echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/firewall/addfirewall.sh" | tee -a /etc/sudoers
echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/data/addtotab.sh" | tee -a /etc/sudoers
else
echo "User socore already granted sudo privileges"
echo "User soremote already granted sudo privileges"
fi
}

35
setup/so-setup
View File

@@ -71,14 +71,6 @@ if (whiptail_you_sure) ; then
# Set management nic
whiptail_management_nic
# whiptail_create_socore_user
# SCMATCH=no
# while [ $SCMATCH != yes ]; do
# whiptail_create_socore_user_password1
# whiptail_create_socore_user_password2
# check_socore_pass
# done
else
# Set the hostname
@@ -169,7 +161,7 @@ if (whiptail_you_sure) ; then
add_admin_user
disable_onion_user
fi
#add_socore_user_master
# Install salt and dependencies
{
sleep 0.5
@@ -291,13 +283,13 @@ if (whiptail_you_sure) ; then
fi
fi
# Get a password for the socore user
whiptail_create_socore_user
# Get a password for the soremote user
whiptail_create_soremote_user
SCMATCH=no
while [ $SCMATCH != yes ]; do
whiptail_create_socore_user_password1
whiptail_create_socore_user_password2
check_socore_pass
whiptail_create_soremote_user_password1
whiptail_create_soremote_user_password2
check_soremote_pass
done
# Get a password for the web admin user
@@ -331,10 +323,8 @@ if (whiptail_you_sure) ; then
fi
# Add the user so we can sit back and relax
#echo ""
#echo "**** Please set a password for socore. You will use this password when setting up other Nodes/Sensors"
#echo ""
add_socore_user_master
add_soremote_user_master
# Install salt and dependencies
{
@@ -574,13 +564,13 @@ if (whiptail_you_sure) ; then
if [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
# Find out how to handle updates
whiptail_master_updates
# Get a password for the socore user
whiptail_create_socore_user
# Get a password for the soremote user
whiptail_create_soremote_user
SCMATCH=no
while [ $SCMATCH != yes ]; do
whiptail_create_socore_user_password1
whiptail_create_socore_user_password2
check_socore_pass
whiptail_create_soremote_user_password1
whiptail_create_soremote_user_password2
check_soremote_pass
done
fi
# Get a password for the web admin user
@@ -610,6 +600,7 @@ if (whiptail_you_sure) ; then
# Add the user so we can sit back and relax
add_socore_user_master
add_soremote_user_master
{
sleep 0.5
if [ $INSTALLTYPE == 'EVAL' ]; then

16
setup/so-whiptail
View File

@@ -132,26 +132,26 @@ whiptail_create_admin_user_password2() {
}
whiptail_create_socore_user() {
whiptail_create_soremote_user() {
whiptail --title "Security Onion Setup" --msgbox "Set a password for the socore user. This account is used for adding sensors remotely." 8 75
whiptail --title "Security Onion Setup" --msgbox "Set a password for the soremote user. This account is used for adding sensors remotely." 8 75
}
whiptail_create_socore_user_password1() {
whiptail_create_soremote_user_password1() {
COREPASS1=$(whiptail --title "Security Onion Install" --passwordbox \
"Enter a password for user socore" 10 75 3>&1 1>&2 2>&3)
REMOTEPASS1=$(whiptail --title "Security Onion Install" --passwordbox \
"Enter a password for user soremote" 10 75 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_create_socore_user_password2() {
whiptail_create_soremote_user_password2() {
COREPASS2=$(whiptail --title "Security Onion Install" --passwordbox \
"Re-enter a password for user socore" 10 75 3>&1 1>&2 2>&3)
REMOTEPASS2=$(whiptail --title "Security Onion Install" --passwordbox \
"Re-enter a password for user soremote" 10 75 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus

2
upgrade/so-update-functions
View File

@@ -35,8 +35,6 @@ HOSTNAME=$(hostname)
if [ $MASTERCHECK != 'so-helix' ]; then
TRUSTED_CONTAINERS=( \
"so-acng:$BUILD$UPDATEVERSION" \
"so-auth-api:$BUILD$UPDATEVERSION" \
"so-auth-ui:$BUILD$UPDATEVERSION" \
"so-core:$BUILD$UPDATEVERSION" \
"so-thehive-cortex:$BUILD$UPDATEVERSION" \
"so-curator:$BUILD$UPDATEVERSION" \