From 3286d55ef270bc30f7c5c5ea7bfeb79e11cb064c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 15 Sep 2022 13:46:14 -0400 Subject: [PATCH 01/46] Modify Steno Config --- salt/pcap/files/config | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/salt/pcap/files/config b/salt/pcap/files/config index 24f9a579e..d6046e0bb 100644 --- a/salt/pcap/files/config +++ b/salt/pcap/files/config @@ -1,19 +1,12 @@ -{%- set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %} -{%- set DISKFREEPERCENTAGE = salt['pillar.get']('steno:diskfreepercentage', 10) %} -{%- set MAXFILES = salt['pillar.get']('steno:maxfiles', 30000) %} -{%- set BLOCKS = salt['pillar.get']('steno:blocks', 2048) %} -{%- set FILEMB = salt['pillar.get']('steno:filemb', 4096) %} -{%- set AIOPS = salt['pillar.get']('steno:aiops', 128) %} -{%- set THREADS = salt['pillar.get']('steno:threads', 1) %} +{%- set INTERFACE = salt['pillar.get']('sensor:interface') %} +{%- set DISKFREEPERCENTAGE = salt['pillar.get']('pcap:config:diskfreepercentage') %} +{%- set MAXFILES = salt['pillar.get']('pcap:config:maxdirectoryfiles') %} +{%- set BLOCKS = salt['pillar.get']('pcap:config:blocks') %} +{%- set FILEMB = salt['pillar.get']('pcap:config:preallocate_file_mb') %} +{%- set AIOPS = salt['pillar.get']('pcap:config:aiops') %} { "Threads": [ { "PacketsDirectory": "/nsm/pcap", "IndexDirectory": "/nsm/pcapindex", "MaxDirectoryFiles": {{ MAXFILES }}, "DiskFreePercentage": {{ DISKFREEPERCENTAGE }} } - {%- if THREADS > 1 %} - {%- for i in range(2,THREADS+1) %} - , { "PacketsDirectory": "/nsm/pcap" , "IndexDirectory": "/nsm/pcapindex", "MaxDirectoryFiles": {{ MAXFILES }}, "DiskFreePercentage": {{ DISKFREEPERCENTAGE }} } - {%- endfor %} - {%- endif %} - ] , "StenotypePath": "/usr/bin/stenotype" , "Interface": "{{ INTERFACE }}" , "Port": 1234 From 9a75d939b4ed0581320390091cd1b760c8a3b975 Mon Sep 17 00:00:00 2001 
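Review bot: The rewritten `set` lines drop the defaults the old lookups carried (`'bond0'`, `10`, `30000`, `2048`, `4096`, `128`), so on a minion whose pillar has no `pcap:config:*` keys each `{{ MAXFILES }}` / `{{ DISKFREEPERCENTAGE }}` renders as an empty string and stenographer is handed unparseable JSON (`"MaxDirectoryFiles": ,`). The `- ]` removed together with the THREADS loop also leaves the `Threads` array unclosed; patch 07 later in this series restores it, but this commit on its own produces an invalid config. Either keep a fallback on every lookup, e.g. `{%- set MAXFILES = salt['pillar.get']('pcap:config:maxdirectoryfiles', 30000) %}`, or make the render fail loudly when a value is missing instead of emitting a broken file.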
From: Mike Reeves
Date: Thu, 15 Sep 2022 13:55:39 -0400
Subject: [PATCH 02/46] Modify Steno Config
---
 salt/pcap/config.map.jinja | 3 +++
 salt/pcap/files/{config => config.jinja} | 0
 2 files changed, 3 insertions(+)
 create mode 100644 salt/pcap/config.map.jinja
 rename salt/pcap/files/{config => config.jinja} (100%)
diff --git a/salt/pcap/config.map.jinja b/salt/pcap/config.map.jinja
new file mode 100644
index 000000000..918c400b1
--- /dev/null
+++ b/salt/pcap/config.map.jinja
@@ -0,0 +1,3 @@
+{% import_yaml 'pcap/defaults.yaml' as pcap_defaults with context %}
+{% set pcap_pillar = pillar.pcap %}
+{% set pcapmerge = salt['defaults.merge'](pcap_defaults, pcap_pillar, in_place=False) %}
diff --git a/salt/pcap/files/config b/salt/pcap/files/config.jinja
similarity index 100%
rename from salt/pcap/files/config
rename to salt/pcap/files/config.jinja
From 52b58ad6ae9adf6fe06f46ec7e3298d45499448a Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 15 Sep 2022 15:12:40 -0400
Subject: [PATCH 03/46] jinja for steno/pcap
---
 salt/pcap/config.map.jinja | 2 +-
 salt/pcap/files/config.jinja | 12 +++---------
 salt/pcap/init.sls | 2 ++
 3 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/salt/pcap/config.map.jinja b/salt/pcap/config.map.jinja
index 918c400b1..f335c9380 100644
--- a/salt/pcap/config.map.jinja
+++ b/salt/pcap/config.map.jinja
@@ -1,3 +1,3 @@
 {% import_yaml 'pcap/defaults.yaml' as pcap_defaults with context %}
 {% set pcap_pillar = pillar.pcap %}
-{% set pcapmerge = salt['defaults.merge'](pcap_defaults, pcap_pillar, in_place=False) %}
+{% set PCAPMERGED = salt['defaults.merge'](pcap_defaults, pcap_pillar, in_place=False) %}
diff --git a/salt/pcap/files/config.jinja b/salt/pcap/files/config.jinja
index d6046e0bb..47a18ed8b 100644
--- a/salt/pcap/files/config.jinja
+++ b/salt/pcap/files/config.jinja
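Review bot: `{% set pcap_pillar = pillar.pcap %}` dereferences the `pcap` key directly, so on a minion whose pillar has no `pcap` section the lookup yields an undefined value and the `defaults.merge` call on the next line will most likely abort the render (depending on the renderer's undefined handling), which is exactly the pre-patch-16 state of the minion pillar in this series. `{% set pcap_pillar = salt['pillar.get']('pcap', {}) %}` keeps the merge working and lets `pcap/defaults.yaml` supply every value. The same line is carried unchanged into the second hunk on this map file (patch 03's rename to `PCAPMERGED`), so the fix applies there as well.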
@@ -1,16 +1,10 @@ -{%- set INTERFACE = salt['pillar.get']('sensor:interface') %} -{%- set DISKFREEPERCENTAGE = salt['pillar.get']('pcap:config:diskfreepercentage') %} -{%- set MAXFILES = salt['pillar.get']('pcap:config:maxdirectoryfiles') %} -{%- set BLOCKS = salt['pillar.get']('pcap:config:blocks') %} -{%- set FILEMB = salt['pillar.get']('pcap:config:preallocate_file_mb') %} -{%- set AIOPS = salt['pillar.get']('pcap:config:aiops') %} { "Threads": [ - { "PacketsDirectory": "/nsm/pcap", "IndexDirectory": "/nsm/pcapindex", "MaxDirectoryFiles": {{ MAXFILES }}, "DiskFreePercentage": {{ DISKFREEPERCENTAGE }} } + { "PacketsDirectory": "/nsm/pcap", "IndexDirectory": "/nsm/pcapindex", "MaxDirectoryFiles": {{ PCAPMERGED.pcap.config.maxdirectoryfiles }}, "DiskFreePercentage": {{ PCAPMERGED.pcap.config.DISKFREEPERCENTAGE }} } , "StenotypePath": "/usr/bin/stenotype" - , "Interface": "{{ INTERFACE }}" + , "Interface": "{{ pillar.sensor.interface }}" , "Port": 1234 , "Host": "127.0.0.1" - , "Flags": ["-v", "--blocks={{ BLOCKS }}", "--preallocate_file_mb={{ FILEMB }}", "--aiops={{ AIOPS }}", "--uid=stenographer", "--gid=stenographer"{{ BPF_COMPILED }}] + , "Flags": ["-v", "--blocks={{ PCAPMERGED.pcap.config.blocks }}", "--preallocate_file_mb={{ PCAPMERGED.pcap.config.preallocate_file_mb }}", "--aiops={{ PCAPMERGED.pcap.config.aiops }}", "--uid=stenographer", "--gid=stenographer"{{ BPF_COMPILED }}] , "CertPath": "/etc/stenographer/certs" } diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 2d047e731..75af50ad6 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -7,6 +7,7 @@ {% if sls in allowed_states %} {% from "pcap/map.jinja" import STENOOPTIONS with context %} +{% from "pcap/config.map.jinja" import PCAPMERGED with context %} {% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} 
@@ -58,6 +59,7 @@ stenoconf: - mode: 644 - template: jinja - defaults: + PCAPMERGED: {{ PCAPMERGED }} BPF_COMPILED: "{{ BPF_COMPILED }}" stenoca: From 62f5ee04a4967f461f9a3b83ac3e4518cf1697f8 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 15 Sep 2022 15:13:40 -0400 Subject: [PATCH 04/46] fix source for steno config --- salt/pcap/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 75af50ad6..d355ec445 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -53,7 +53,7 @@ bpfcompilationfailure: stenoconf: file.managed: - name: /opt/so/conf/steno/config - - source: salt://pcap/files/config + - source: salt://pcap/files/config.jinja - user: stenographer - group: stenographer - mode: 644 From 5a9b3f682127ecf13a9f707e66922eb843b40a54 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 15 Sep 2022 15:39:31 -0400 Subject: [PATCH 05/46] fix diskfreepercantage --- salt/pcap/files/config.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/pcap/files/config.jinja b/salt/pcap/files/config.jinja index 47a18ed8b..087ba1a33 100644 --- a/salt/pcap/files/config.jinja +++ b/salt/pcap/files/config.jinja @@ -1,6 +1,6 @@ { "Threads": [ - { "PacketsDirectory": "/nsm/pcap", "IndexDirectory": "/nsm/pcapindex", "MaxDirectoryFiles": {{ PCAPMERGED.pcap.config.maxdirectoryfiles }}, "DiskFreePercentage": {{ PCAPMERGED.pcap.config.DISKFREEPERCENTAGE }} } + { "PacketsDirectory": "/nsm/pcap", "IndexDirectory": "/nsm/pcapindex", "MaxDirectoryFiles": {{ PCAPMERGED.pcap.config.maxdirectoryfiles }}, "DiskFreePercentage": {{ PCAPMERGED.pcap.config.diskfreepercentage }} } , "StenotypePath": "/usr/bin/stenotype" , "Interface": "{{ pillar.sensor.interface }}" , "Port": 1234 From 1a90eeb1b14675049db475be640da62541c608d5 Mon Sep 17 00:00:00 2001 
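Review bot: `PCAPMERGED: {{ PCAPMERGED }}` in the `defaults:` block interpolates the Python repr of the merged dict into YAML; for a plain dict that parses as a flow mapping, but if the merge helper returns an `OrderedDict` (Salt-version dependent, not visible here) the repr is not valid YAML and the state fails to compile. Rendering it as `PCAPMERGED: {{ PCAPMERGED | tojson }}` makes the emitted text unambiguous YAML regardless of the dict type. The `stenoconf` state this hunk belongs to starts before the hunk.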
From: Wes
Date: Thu, 15 Sep 2022 19:45:28 +0000
Subject: [PATCH 06/46] Remove Osquery live query Logstash output configuration
---
 .../9101_output_osquery_livequery.conf.jinja | 37 -------------------
 1 file changed, 37 deletions(-)
 delete mode 100644 salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja
diff --git a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja
deleted file mode 100644
index 8d661b8cc..000000000
--- a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja
+++ /dev/null
@@ -1,37 +0,0 @@
-{%- set ES = salt['grains.get']('master') -%}
-{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
-{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
-
-filter {
- if [type] =~ "live_query" {
-
- mutate {
- rename => {
- "[host][hostname]" => "computer_name"
- }
- }
-
- prune {
- blacklist_names => ["host"]
- }
-
- split {
- field => "rows"
- }
- }
-}
-
-
-output {
- if [type] =~ "live_query" {
- elasticsearch {
- pipeline => "osquery.live_query"
- hosts => "{{ ES }}"
- user => "{{ ES_USER }}"
- password => "{{ ES_PASS }}"
- index => "so-osquery"
- ssl => true
- ssl_certificate_verification => false
- }
- }
-}
From e6c0c2ce199744d86526da66d7db63c5bb8e630c Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 15 Sep 2022 15:46:28 -0400
Subject: [PATCH 07/46] Modify Steno Config
---
 salt/pcap/files/config.jinja | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/pcap/files/config.jinja b/salt/pcap/files/config.jinja
index 087ba1a33..420d12639 100644
--- a/salt/pcap/files/config.jinja
+++ b/salt/pcap/files/config.jinja
@@ -1,6 +1,7 @@ { "Threads": [ { "PacketsDirectory": "/nsm/pcap", "IndexDirectory": "/nsm/pcapindex", "MaxDirectoryFiles": {{ PCAPMERGED.pcap.config.maxdirectoryfiles }}, "DiskFreePercentage": {{ PCAPMERGED.pcap.config.diskfreepercentage }} } + ] , "StenotypePath": "/usr/bin/stenotype" , "Interface": "{{ pillar.sensor.interface }}" , "Port": 1234 From c50a1608af0f40d458074caf2e1ccb8099575095 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 15 Sep 2022 17:01:53 -0400 Subject: [PATCH 08/46] Make test ping retry --- salt/common/tools/sbin/so-minion | 4 +++- setup/so-functions | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-minion b/salt/common/tools/sbin/so-minion index 3bfd626ad..8ef986390 100755 --- a/salt/common/tools/sbin/so-minion +++ b/salt/common/tools/sbin/so-minion @@ -209,10 +209,12 @@ function createIDHNODE() { } function testConnection() { - salt "$MINION_ID" test.ping + retry 5 10 "salt '$MINION_ID' test.ping" 0 local ret=$? if [[ $ret != 0 ]]; then echo "The Minion has been accepted but is not online. Try again later" + echo "Deleting the key" + deleteminion exit 1 fi } diff --git a/setup/so-functions b/setup/so-functions index 7bba91092..20340436e 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1810,7 +1810,7 @@ drop_install_options() { # Drop the install Variable echo "MAINIP=$MAINIP" > /opt/so/install.txt echo "MNIC=$MNIC" >> /opt/so/install.txt - echo "NODE_DESCRIPTION=$NODE_DESCRIPTION" >> /opt/so/install.txt + echo "NODE_DESCRIPTION='$NODE_DESCRIPTION'" >> /opt/so/install.txt echo "ES_HEAP_SIZE=$ES_HEAP_SIZE" >> /opt/so/install.txt echo "PATCHSCHEDULENAME=$PATCHSCHEDULENAME" >> /opt/so/install.txt echo "INTERFACE=$INTERFACE" >> /opt/so/install.txt From 2c0d90bea4662ce960c616312713d24bc64b62f5 Mon Sep 17 00:00:00 2001 
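Review bot: The new `retry 5 10 "salt '$MINION_ID' test.ping" 0` line in testConnection relies on a `retry` helper that nothing in so-minion defines at this commit (patch 09 later sources so-common, where it presumably lives); until then the call fails with `command not found`, `ret` becomes 127, and the new failure branch deletes the key that was just accepted. Because the failure path now destroys state, it should tell "minion not reachable" apart from "helper missing", e.g. `command -v retry >/dev/null || { echo "retry helper unavailable"; exit 1; }` before the call. testConnection is fully inside the hunk; the closing brace above it belongs to createIDHNODE.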
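Review bot: `echo "NODE_DESCRIPTION='$NODE_DESCRIPTION'"` single-quotes a free-text value, so a description containing an apostrophe (e.g. `Bob's sensor`) writes a line that breaks whatever later sources /opt/so/install.txt, and the neighbouring variables in drop_install_options are still written unquoted, so the file now mixes two conventions. `printf 'NODE_DESCRIPTION=%q\n' "$NODE_DESCRIPTION" >> /opt/so/install.txt` escapes the value correctly for shell consumption whatever it contains. drop_install_options starts before this hunk.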
From: Mike Reeves Date: Thu, 15 Sep 2022 17:07:02 -0400 Subject: [PATCH 09/46] Make test ping retry --- salt/common/tools/sbin/so-minion | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/common/tools/sbin/so-minion b/salt/common/tools/sbin/so-minion index 8ef986390..3a6dabbb2 100755 --- a/salt/common/tools/sbin/so-minion +++ b/salt/common/tools/sbin/so-minion @@ -5,6 +5,10 @@ # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +if [ -f /usr/sbin/so-common ]; then + . /usr/sbin/so-common +fi + if [ "$(id -u)" -ne 0 ]; then echo "This script must be run using sudo!" exit 1 From 9a6fe3e8de7fdf773e94e626d6c84763db114d4e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 16 Sep 2022 08:36:44 -0400 Subject: [PATCH 10/46] Add BPF --- salt/bpf/defaults.yaml | 4 ++++ salt/bpf/soc_bpf.yaml | 7 +++++++ salt/pcap/init.sls | 2 +- salt/suricata/init.sls | 2 +- salt/zeek/init.sls | 2 +- setup/so-variables | 2 +- 6 files changed, 15 insertions(+), 4 deletions(-) create mode 100644 salt/bpf/defaults.yaml create mode 100644 salt/bpf/soc_bpf.yaml diff --git a/salt/bpf/defaults.yaml b/salt/bpf/defaults.yaml new file mode 100644 index 000000000..ec990d1de --- /dev/null +++ b/salt/bpf/defaults.yaml @@ -0,0 +1,4 @@ +bpf: + pcap: [] + suricta: [] + zeek: [] \ No newline at end of file diff --git a/salt/bpf/soc_bpf.yaml b/salt/bpf/soc_bpf.yaml new file mode 100644 index 000000000..62395830f --- /dev/null +++ b/salt/bpf/soc_bpf.yaml @@ -0,0 +1,7 @@ +bpf: + pcap: + description: List of BPF filters to apply to PCAP. + suricata: + description: List of BPF filters to apply to Suricata. + zeek: + description: List of BPF filters to apply to Zeek. diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index d355ec445..a5fd5da68 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls 
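Review bot: Sourcing so-common only when `[ -f /usr/sbin/so-common ]` makes a missing file silent, yet functions this script now calls (`retry` in testConnection, added in patch 08) appear to come from it, so the script would continue without them and later fail on a path that deletes the minion key. Since the dependency is hard, fail fast instead: `. /usr/sbin/so-common || { echo "/usr/sbin/so-common not found"; exit 1; }`, kept above the root check so the helpers exist for every path. Whether so-common actually defines `retry` is not visible on this page.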
@@ -13,7 +13,7 @@ {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %} -{% set BPF_STENO = salt['pillar.get']('steno:bpf', None) %} +{% set BPF_STENO = salt['pillar.get']('bpf:pcap', None) %} {% set BPF_COMPILED = "" %} # PCAP Section diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index a46f7425b..5f628cbdd 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -12,7 +12,7 @@ {% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} -{% set BPF_NIDS = salt['pillar.get']('nids:bpf') %} +{% set BPF_NIDS = salt['pillar.get']('bpf:suricata', None) %} {% set BPF_STATUS = 0 %} {# import_yaml 'suricata/files/defaults2.yaml' as suricata #} diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index b6f3231ae..5f904bf7d 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -11,7 +11,7 @@ {% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} -{% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %} +{% set BPF_ZEEK = salt['pillar.get']('bpf:zeek', {}) %} {% set BPF_STATUS = 0 %} {% set INTERFACE = salt['pillar.get']('sensor:interface') %} diff --git a/setup/so-variables b/setup/so-variables index 214fa6b6f..5acbc01bc 100644 --- a/setup/so-variables +++ b/setup/so-variables 
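Review bot: The three lookups disagree on the fallback type: `bpf:pcap` and `bpf:suricata` default to `None` while `bpf:zeek` defaults to `{}`, and `salt/bpf/defaults.yaml` added in this same patch declares all three as lists (`[]`). Any downstream code that iterates or joins the value will behave differently per engine, and unless something outside this patch merges defaults.yaml into the pillar, that file has no effect because these states read the pillar directly. `salt['pillar.get']('bpf:pcap', [])` (and likewise for `bpf:suricata` and `bpf:zeek`) matches the declared defaults; the consuming code is outside these hunks, so whether `None` is handled there cannot be checked here.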
@@ -81,7 +81,7 @@ export whiptail_title mkdir -p $local_salt_dir/pillar/minions -for THEDIR in elasticsearch firewall redis backup strelka sensoroni curator soc soctopus docker zeek suricata nginx filebeat logstash soc manager kratos idstools idh elastalert +for THEDIR in bpf pcap elasticsearch firewall redis backup strelka sensoroni curator soc soctopus docker zeek suricata nginx filebeat logstash soc manager kratos idstools idh elastalert do mkdir -p $local_salt_dir/pillar/$THEDIR touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls From 58ab91ea84777b64abb05756ad1449fe719d3003 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 16 Sep 2022 08:50:17 -0400 Subject: [PATCH 11/46] Add BPF --- salt/bpf/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/bpf/defaults.yaml b/salt/bpf/defaults.yaml index ec990d1de..329537494 100644 --- a/salt/bpf/defaults.yaml +++ b/salt/bpf/defaults.yaml @@ -1,4 +1,4 @@ bpf: pcap: [] - suricta: [] + suricata: [] zeek: [] \ No newline at end of file From f02db7a815950b2bf891b6c6448822eba78d86d8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 16 Sep 2022 09:05:16 -0400 Subject: [PATCH 12/46] Zeek Test --- salt/zeek/policy/custom/filters/conn | 19 +++++++++++++++++++ salt/zeek/soc_zeek.yaml | 5 +++++ 2 files changed, 24 insertions(+) create mode 100644 salt/zeek/policy/custom/filters/conn diff --git a/salt/zeek/policy/custom/filters/conn b/salt/zeek/policy/custom/filters/conn new file mode 100644 index 000000000..e9181cc1e --- /dev/null +++ b/salt/zeek/policy/custom/filters/conn 
@@ -0,0 +1,19 @@
+module Filterconn;
+
+export {
+ global ignore_services: set[string] = {"dns", "krb", "krb_tcp"};
+ }
+
+hook Conn::log_policy(rec: Conn::Info, id: Log::ID, filter: Log::Filter)
+ {
+ # Record only connections not in the ignored services
+ if ( ! rec?$service || rec$service in ignore_services )
+ break;
+ }
+
+event zeek_init()
+{
+ Log::remove_default_filter(Conn::LOG);
+ local filter: Log::Filter = [$name="conn-filter"];
+ Log::add_filter(Conn::LOG, filter);
+}
\ No newline at end of file
diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml
index adb534281..6ae5c22a7 100644
--- a/salt/zeek/soc_zeek.yaml
+++ b/salt/zeek/soc_zeek.yaml
@@ -17,6 +17,11 @@ zeek:
 CompressLogs:
 description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU.
 policy:
+ custom:
+ filters:
+ conn:
+ description: Conn Filter for Zeek
+ file: True
 file_extraction:
 description: This is a list of mime types Zeek will extract from the network streams.
 load:
From d5debd9b6bcb9440272e55f8313b8c0f17a46a40 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Fri, 16 Sep 2022 09:06:09 -0400
Subject: [PATCH 13/46] Change ssl_ecdh_curve
---
 salt/nginx/etc/nginx.conf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf
index 8979535e8..623dae701 100644
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -55,6 +55,7 @@ http {
 ssl_session_cache shared:SSL:1m;
 ssl_session_timeout 10m;
 ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_ecdh_curve secp521r1:secp384r1;
 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1.2;
 }
From 2a51ecb1ac6525954aaebb6e3973acefed11d72f Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 16 Sep 2022 09:10:09 -0400
Subject: [PATCH 14/46] Zeek Test
---
 salt/zeek/soc_zeek.yaml | 2 ++
 1 file changed, 2 insertions(+)
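Review bot: The hook condition `if ( ! rec?$service || rec$service in ignore_services ) break;` drops every connection that has no identified service as well as the listed ones, which contradicts the comment directly above it ("only connections not in the ignored services") and would remove scans, failed connects and unrecognised protocols from conn.log, the records an analyst most needs. If only the listed services are meant to be suppressed, the test should be `if ( rec?$service && rec$service in ignore_services ) break;`. How this file under policy/custom/filters gets loaded by Zeek is not shown in this series, so whether the filter is active at all cannot be confirmed here.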
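Review bot: `ssl_ecdh_curve secp521r1:secp384r1;` narrows the offered curves to two NIST curves and leaves out X25519 and prime256v1, so with `ssl_protocols TLSv1.2` any client that supports neither secp521r1 nor secp384r1 fails the handshake, and listing secp521r1 first makes every key exchange slower than it needs to be. If the intent is to prefer a larger curve while keeping common clients, `ssl_ecdh_curve secp384r1:X25519;` does that; which clients must be supported is not visible on this page. The enclosing `http` block starts before the hunk.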
diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml index 6ae5c22a7..29f24144d 100644 --- a/salt/zeek/soc_zeek.yaml +++ b/salt/zeek/soc_zeek.yaml @@ -22,6 +22,8 @@ zeek: conn: description: Conn Filter for Zeek file: True + global: True + advanced: True file_extraction: description: This is a list of mime types Zeek will extract from the network streams. load: From 958d2494a82edbce79d6e53b1bd8f16306c48a2a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 16 Sep 2022 10:27:42 -0400 Subject: [PATCH 15/46] Zeek Test --- salt/zeek/soc_zeek.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml index 29f24144d..a48ec20dc 100644 --- a/salt/zeek/soc_zeek.yaml +++ b/salt/zeek/soc_zeek.yaml @@ -20,7 +20,7 @@ zeek: custom: filters: conn: - description: Conn Filter for Zeek + description: Conn Filter for Zeek. This is an advanced setting and will take further action to enable. file: True global: True advanced: True From 5e151a9fed5b3cc93fe30e08ada7100cbaae9c74 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 16 Sep 2022 10:43:36 -0400 Subject: [PATCH 16/46] Fix minion pillar for remote sensors --- salt/common/tools/sbin/so-minion | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/common/tools/sbin/so-minion b/salt/common/tools/sbin/so-minion index 3a6dabbb2..3a5fcec71 100755 --- a/salt/common/tools/sbin/so-minion +++ b/salt/common/tools/sbin/so-minion @@ -175,6 +175,8 @@ function add_sensor_to_minion() { echo " config:" >> $PILLARFILE echo " af-packet:" >> $PILLARFILE echo " threads: '$CORECOUNT'" >> $PILLARFILE + echo "pcap:" >> $PILLARFILE + echo " enabled: True" >> $PILLARFILE } function createSTANDALONE() { From ae5eea6e3a67af890ace2e263f1c6b9e1b208666 Mon Sep 17 00:00:00 2001 
From: Mike Reeves
Date: Fri, 16 Sep 2022 11:12:03 -0400
Subject: [PATCH 17/46] IDS Tools rule management
---
 salt/idstools/rules/extraction.rules | 26 ++++++++++++++++++++++++++
 salt/idstools/rules/filters.rules | 11 +++++++++++
 salt/idstools/rules/local.rules | 0
 salt/idstools/soc_idstools.yaml | 18 +++++++++++++++++-
 4 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 salt/idstools/rules/extraction.rules
 create mode 100644 salt/idstools/rules/filters.rules
 create mode 100644 salt/idstools/rules/local.rules
diff --git a/salt/idstools/rules/extraction.rules b/salt/idstools/rules/extraction.rules
new file mode 100644
index 000000000..bccfc69d6
--- /dev/null
+++ b/salt/idstools/rules/extraction.rules
@@ -0,0 +1,26 @@
+# Extract all PDF mime type
+alert http any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100000; rev:1;)
+alert smtp any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100001; rev:1;)
+alert nfs any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100002; rev:1;)
+alert smb any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; sid:1100003; rev:1;)
+# Extract EXE/DLL file types
+alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100004; rev:1;)
+alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100005; rev:1;)
+alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100006; rev:1;)
+alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"PE32 executable"; filestore; sid:1100007; rev:1;)
+alert http any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100008; rev:1;)
+alert smtp any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100009; rev:1;)
+alert nfs any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100010; rev:1;)
+alert smb any any -> any any (msg:"FILE EXE detected"; filemagic:"MS-DOS executable"; filestore; sid:1100011; rev:1;)
+
+# Extract all Zip files
+alert http any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100012; rev:1;)
+alert smtp any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100013; rev:1;)
+alert nfs any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100014; rev:1;)
+alert smb any any -> any any (msg:"FILE ZIP detected"; filemagic:"Zip"; filestore; sid:1100015; rev:1;)
+
+# Extract Word Docs
+alert http any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100016; rev:1;)
+alert smtp any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100017; rev:1;)
+alert nfs any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100018; rev:1;)
+alert smb any any -> any any (msg:"FILE WORDDOC detected"; filemagic:"Composite Document File V2 Document"; filestore; sid:1100019; rev:1;)
\ No newline at end of file
diff --git a/salt/idstools/rules/filters.rules b/salt/idstools/rules/filters.rules
new file mode 100644
index 000000000..051d1913f
--- /dev/null
+++ b/salt/idstools/rules/filters.rules
@@ -0,0 +1,11 @@
+# Start the filters at sid 1200000
+# Example of filtering out *google.com from being in the dns log.
+#config dns any any -> any any (dns.query; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200000;)
+# Example of filtering out *google.com from being in the http log.
+#config http any any -> any any (http.host; content:"google.com"; config: logging disable, type tx, scope tx; sid:1200001;)
+# Example of filtering out someuseragent from being in the http log.
+#config http any any -> any any (http.user_agent; content:"someuseragent"; config: logging disable, type tx, scope tx; sid:1200002;)
+# Example of filtering out Google's certificate from being in the ssl log.
+#config tls any any -> any any (tls.fingerprint; content:"4f:a4:5e:58:7e:d9:db:20:09:d7:b6:c7:ff:58:c4:7b:dc:3f:55:b4"; config: logging disable, type tx, scope tx; sid:1200003;)
+# Example of filtering out a md5 of a file from being in the files log.
+#config fileinfo any any -> any any (fileinfo.filemd5; content:"7a125dc69c82d5caf94d3913eecde4b5"; config: logging disable, type tx, scope tx; sid:1200004;)
diff --git a/salt/idstools/rules/local.rules b/salt/idstools/rules/local.rules
new file mode 100644
index 000000000..e69de29bb
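Review bot: Every rule in extraction.rules uses the `alert` action, so each stored file also raises a "FILE ... detected" alert for every PDF, executable, zip or document crossing HTTP, SMTP, NFS or SMB in either direction, which will bury real alerts under benign downloads; Suricata's `noalert;` keyword stores the file without alerting, e.g. `alert http any any -> any any (msg:"FILE pdf detected"; filemagic:"PDF document"; filestore; noalert; sid:1100000; rev:1;)`. `filemagic` is a substring match against libmagic's description, so a term as short as `"Zip"` can match more file types than the comment implies and deserves a note if that is intended. These rules also need file-store enabled in the Suricata configuration, which is not part of this patch; the hunk begins on the previous page line.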
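Review bot: The commented examples in filters.rules use a bare `content:"google.com"` on `dns.query` and `http.host`, which is a substring match and would also suppress logging for names such as `notgoogle.com` or `google.com.example.net`, and operators will copy these templates verbatim. Anchoring the match, e.g. `dns.query; dotprefix; content:".google.com"; endswith;`, limits the suppression to the intended domain and its subdomains. The file is all comments, so nothing is active until a line is uncommented.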
diff --git a/salt/idstools/soc_idstools.yaml b/salt/idstools/soc_idstools.yaml
index 9b062c300..d4fb3a8d2 100644
--- a/salt/idstools/soc_idstools.yaml
+++ b/salt/idstools/soc_idstools.yaml
@@ -18,4 +18,20 @@ idstools:
 global: True
 modify:
 description: List of SIDS that are modified.
- global: True
\ No newline at end of file
+ global: True
+ rules:
+ local.rules:
+ description: This is where custom Suricata rules are entered.
+ file: True
+ global: True
+ advanced: True
+ filters.rules:
+ description: You can set custom filters for Suricata when using it for meta data creation.
+ file: True
+ global: True
+ advanced: True
+ extraction.rules:
+ description: This is a list of mime types for file extraction when Suricata is used for meta data creation.
+ file: True
+ global: True
+ advanced: True
\ No newline at end of file
From f9e9e4ce1dffa097cd6c15d969abe9f382795f62 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 16 Sep 2022 11:14:09 -0400
Subject: [PATCH 18/46] IDS Tools rule management
---
 salt/idstools/rules/local.rules | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/idstools/rules/local.rules b/salt/idstools/rules/local.rules
index e69de29bb..ac11dfa58 100644
--- a/salt/idstools/rules/local.rules
+++ b/salt/idstools/rules/local.rules
@@ -0,0 +1 @@
+# Add your custom Suricata rules in this file.
\ No newline at end of file
From 943b98f0912e9102f6a4c1a395f98679a352623b Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 16 Sep 2022 11:16:05 -0400
Subject: [PATCH 19/46] IDS Tools rule management
---
 salt/idstools/soc_idstools.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/idstools/soc_idstools.yaml b/salt/idstools/soc_idstools.yaml
index d4fb3a8d2..9c7526c7b 100644
--- a/salt/idstools/soc_idstools.yaml
+++ b/salt/idstools/soc_idstools.yaml
@@ -20,17 +20,17 @@ idstools:
 description: List of SIDS that are modified.
 global: True
 rules:
- local.rules:
+ local__rules:
 description: This is where custom Suricata rules are entered.
 file: True
 global: True
 advanced: True
- filters.rules:
+ filters__rules:
 description: You can set custom filters for Suricata when using it for meta data creation.
 file: True
 global: True
 advanced: True
- extraction.rules:
+ extraction__rules:
 description: This is a list of mime types for file extraction when Suricata is used for meta data creation.
 file: True
 global: True
From f14a8f3d0172d93de5f0563652f6704b1f3212b3 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 16 Sep 2022 12:55:56 -0400
Subject: [PATCH 20/46] Firewall Fun
---
 salt/firewall/defaults.yaml | 89 +++++++++++++++++++++++++++++++++
 salt/idstools/soc_idstools.yaml | 5 +-
 2 files changed, 93 insertions(+), 1 deletion(-)
 create mode 100644 salt/firewall/defaults.yaml
diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml
new file mode 100644
index 000000000..246f8f36f
--- /dev/null
+++ b/salt/firewall/defaults.yaml
@@ -0,0 +1,89 @@
+firewall:
+ hostgroups:
+ anywhere:
+ ips:
+ delete:
+ insert:
+ - 0.0.0.0/0
+ dockernet:
+ ips:
+ delete:
+ insert:
+ - 172.17.0.0/24
+ localhost:
+ ips:
+ delete:
+ insert:
+ - 127.0.0.1
+ self:
+ ips:
+ delete:
+ insert: []
+ analyst:
+ ips:
+ delete: []
+ insert: [127.0.0.1]
+ beats_endpoint:
+ ips:
+ delete: []
+ insert: [127.0.0.1]
+ beats_endpoint_ssl:
+ ips:
+ delete: []
+ insert: []
+ elastic_agent_endpoint:
+ ips:
+ delete: []
+ insert: [127.0.0.1]
+ elasticsearch_rest:
+ ips:
+ delete: []
+ insert: []
+ endgame:
+ ips:
+ delete: []
+ insert: [127.0.0.1]
+ fleet:
+ ips:
+ delete: []
+ insert: []
+ heavy_node:
+ ips:
+ delete: []
+ insert: []
+ idh:
+ ips:
+ delete: []
+ insert: []
+ manager:
+ ips:
+ delete: []
+ insert: [127.0.0.1]
+ minion:
+ ips:
+ delete: []
+ insert: [127.0.0.1]
+ node:
+ ips:
+ delete: []
+ insert: []
+ receiver:
+ ips:
+ delete: []
+ insert: []
+ search_node:
+ ips:
+ delete: []
+ insert: [127.0.0.1]
+ sensor:
+ ips:
+ delete: []
+ insert: [127.0.0.1]
+ strelka_frontend:
+ ips:
+ delete: []
+ insert: []
+ syslog:
+ ips:
+ delete: []
+ insert: []
diff --git a/salt/idstools/soc_idstools.yaml b/salt/idstools/soc_idstools.yaml
index 9c7526c7b..9f1867bb7 100644
--- a/salt/idstools/soc_idstools.yaml
+++ b/salt/idstools/soc_idstools.yaml
@@ -25,13 +25,16 @@ idstools:
 file: True
 global: True
 advanced: True
+ title: Local Rules
 filters__rules:
 description: You can set custom filters for Suricata when using it for meta data creation.
 file: True
 global: True
 advanced: True
+ title: Filter Rules
 extraction__rules:
 description: This is a list of mime types for file extraction when Suricata is used for meta data creation.
 file: True
 global: True
- advanced: True
\ No newline at end of file
+ advanced: True
+ title: Extraction Rules
\ No newline at end of file
From 384478836a1468fd3b5309217525fc939e1392a2 Mon Sep 17 00:00:00 2001
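Review bot: The first four hostgroups (`anywhere`, `dockernet`, `localhost`, `self`) leave `delete:` with no value, which YAML loads as `null`, while every later group spells it `delete: []`; a consumer that iterates `ips.delete` will raise on the first four and the inconsistency invites copy-paste of either form. Use `delete: []` throughout so the shape is uniform. The idstools hunk in the same patch only adds `title:` keys and needs nothing further.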
From: Mike Reeves
Date: Fri, 16 Sep 2022 13:02:11 -0400
Subject: [PATCH 21/46] Firewall Fun
---
 salt/firewall/defaults.yaml | 89 +++++++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)
diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml
index 246f8f36f..eb1e51eb4 100644
--- a/salt/firewall/defaults.yaml
+++ b/salt/firewall/defaults.yaml
@@ -1,4 +1,16 @@
 firewall:
+ rules:
+ analyst_workstations: []
+ standalone:
+ - 1.2.3.4
+ sensor:
+ - 1.2.3.3
+ - 2.3.4.5
+ searchnode:
+ - 3.4.5.6
+ - 7.8.9.10
+ manager:
+ - 1.33.2.11
 hostgroups:
 anywhere:
 ips:
@@ -87,3 +99,80 @@ firewall:
 ips:
 delete: []
 insert: []
+ portgroups:
+ all:
+ tcp:
+ - '0:65535'
+ udp:
+ - '0:65535'
+ agrules:
+ tcp:
+ - 7788
+ beats_5044:
+ tcp:
+ - 5044
+ beats_5644:
+ tcp:
+ - 5644
+ beats_5066:
+ tcp:
+ - 5066
+ docker_registry:
+ tcp:
+ - 5000
+ elasticsearch_node:
+ tcp:
+ - 9300
+ elasticsearch_rest:
+ tcp:
+ - 9200
+ elastic_agent_control:
+ tcp:
+ - 8220
+ elastic_agent_data:
+ tcp:
+ - 5055
+ endgame:
+ tcp:
+ - 3765
+ influxdb:
+ tcp:
+ - 8086
+ kibana:
+ tcp:
+ - 5601
+ mysql:
+ tcp:
+ - 3306
+ nginx:
+ tcp:
+ - 80
+ - 443
+ playbook:
+ tcp:
+ - 3200
+ redis:
+ tcp:
+ - 6379
+ - 9696
+ salt_manager:
+ tcp:
+ - 4505
+ - 4506
+ sensoroni:
+ tcp:
+ - 443
+ ssh:
+ tcp:
+ - 22
+ strelka_frontend:
+ tcp:
+ - 57314
+ syslog:
+ tcp:
+ - 514
+ udp:
+ - 514
+ yum:
+ tcp:
+ - 443
\ No newline at end of file
From bc1921bd0ea0dc011f532d3f5eac9e6801b07fe8 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 16 Sep 2022 13:30:07 -0400
Subject: [PATCH 22/46] Firewall Fun
---
 salt/firewall/soc_firewall.yaml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 salt/firewall/soc_firewall.yaml
diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml
new file mode 100644
index 000000000..d671a0674
--- /dev/null
+++ b/salt/firewall/soc_firewall.yaml
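Review bot: The new `rules:` block ships routable public addresses (`1.2.3.4`, `1.2.3.3`, `2.3.4.5`, `3.4.5.6`, `7.8.9.10`, `1.33.2.11`) as defaults for what is an allow-list, so if these defaults are ever merged into live firewall state, unrelated external hosts are granted the listed roles' access. Defaults for an allow-list should be empty lists, and where illustrative values are wanted they should come from the RFC 5737 documentation ranges, e.g. `standalone: [192.0.2.10]`. Patch 24 later in this series deletes the block, which settles it for this file, but the same caution applies to any future defaults here. In the portgroups hunk, `'0:65535'` is a string while every other port is an integer, so whatever renders these must accept both forms.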
@@ -0,0 +1,21 @@
+firewall:
+ grid:
+ hosts:
+ analyst_workstations:
+ description: List of IP Addresses or CIDR blocks to allow analyst workstations.
+ analyst:
+ description: List of IP Addresses or CIDR blocks to allow analyst connections.
+ standalone:
+ description: List of IP Addresses or CIDR blocks to allow standalone connections.
+ eval:
+ description: List of IP Addresses or CIDR blocks to allow eval connections.
+ idh:
+ description: List of IP Addresses or CIDR blocks to allow idh connections.
+ manager:
+ description: List of IP Addresses or CIDR blocks to allow manager connections.
+ heavynode:
+ description: List of IP Addresses or CIDR blocks to allow heavynode connections.
+ searchnode:
+ description: List of IP Addresses or CIDR blocks to allow searchnode connections.
+ receiver:
+ description: List of IP Addresses or CIDR blocks to allow receiver connections.
\ No newline at end of file
From 70c95c7c7bc9246efcb958fe8ce019274d05b8f1 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 16 Sep 2022 13:31:23 -0400
Subject: [PATCH 23/46] Firewall Fun
---
 salt/firewall/soc_firewall.yaml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml
index d671a0674..eda5c9a5e 100644
--- a/salt/firewall/soc_firewall.yaml
+++ b/salt/firewall/soc_firewall.yaml
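Review bot: The annotation schema here (`firewall:grid:hosts:<role>`) does not match the keys `salt/firewall/defaults.yaml` uses in the preceding patches (`firewall:rules:<role>` and `firewall:hostgroups:<group>`), and the role names diverge as well: `heavynode`/`searchnode` here versus `heavy_node`/`search_node` in hostgroups, `sensor` present in defaults but absent here, and `eval`, `idh`, `heavynode`, `receiver` described here with no defaults entry. Whichever file is authoritative, the other should be aligned so that values edited through SOC land on keys the firewall state actually reads; that state is not on this page, so the intended mapping cannot be confirmed here.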
@@ -3,19 +3,28 @@ firewall: hosts: analyst_workstations: description: List of IP Addresses or CIDR blocks to allow analyst workstations. + global: True analyst: description: List of IP Addresses or CIDR blocks to allow analyst connections. + global: True standalone: description: List of IP Addresses or CIDR blocks to allow standalone connections. + global: True eval: description: List of IP Addresses or CIDR blocks to allow eval connections. + global: True idh: description: List of IP Addresses or CIDR blocks to allow idh connections. + global: True manager: description: List of IP Addresses or CIDR blocks to allow manager connections. + global: True heavynode: description: List of IP Addresses or CIDR blocks to allow heavynode connections. + global: True searchnode: description: List of IP Addresses or CIDR blocks to allow searchnode connections. + global: True receiver: - description: List of IP Addresses or CIDR blocks to allow receiver connections. \ No newline at end of file + description: List of IP Addresses or CIDR blocks to allow receiver connections. + global: True From 6649ffd8b53253778d373e50e9f0f78a78f5233a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 16 Sep 2022 13:33:26 -0400 Subject: [PATCH 24/46] Firewall Fun --- salt/firewall/defaults.yaml | 289 ++++++++++++++---------------------- 1 file changed, 112 insertions(+), 177 deletions(-) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index eb1e51eb4..1261a9131 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml 
@@ -1,178 +1,113 @@ firewall: - rules: - analyst_workstations: [] - standalone: - - 1.2.3.4 - sensor: - - 1.2.3.3 - - 2.3.4.5 - searchnode: - - 3.4.5.6 - - 7.8.9.10 - manager: - - 1.33.2.11 - hostgroups: - anywhere: - ips: - delete: - insert: - - 0.0.0.0/0 - dockernet: - ips: - delete: - insert: - - 172.17.0.0/24 - localhost: - ips: - delete: - insert: - - 127.0.0.1 - self: - ips: - delete: - insert: [] - analyst: - ips: - delete: [] - insert: [127.0.0.1] - beats_endpoint: - ips: - delete: [] - insert: [127.0.0.1] - beats_endpoint_ssl: - ips: - delete: [] - insert: [] - elastic_agent_endpoint: - ips: - delete: [] - insert: [127.0.0.1] - elasticsearch_rest: - ips: - delete: [] - insert: [] - endgame: - ips: - delete: [] - insert: [127.0.0.1] - fleet: - ips: - delete: [] - insert: [] - heavy_node: - ips: - delete: [] - insert: [] - idh: - ips: - delete: [] - insert: [] - manager: - ips: - delete: [] - insert: [127.0.0.1] - minion: - ips: - delete: [] - insert: [127.0.0.1] - node: - ips: - delete: [] - insert: [] - receiver: - ips: - delete: [] - insert: [] - search_node: - ips: - delete: [] - insert: [127.0.0.1] - sensor: - ips: - delete: [] - insert: [127.0.0.1] - strelka_frontend: - ips: - delete: [] - insert: [] - syslog: - ips: - delete: [] - insert: [] - portgroups: - all: - tcp: - - '0:65535' - udp: - - '0:65535' - agrules: - tcp: - - 7788 - beats_5044: - tcp: - - 5044 - beats_5644: - tcp: - - 5644 - beats_5066: - tcp: - - 5066 - docker_registry: - tcp: - - 5000 - elasticsearch_node: - tcp: - - 9300 - elasticsearch_rest: - tcp: - - 9200 - elastic_agent_control: - tcp: - - 8220 - elastic_agent_data: - tcp: - - 5055 - endgame: - tcp: - - 3765 - influxdb: - tcp: - - 8086 - kibana: - tcp: - - 5601 - mysql: - tcp: - - 3306 - nginx: - tcp: - - 80 - - 443 - playbook: - tcp: - - 3200 - redis: - tcp: - - 6379 - - 9696 - salt_manager: - tcp: - - 4505 - - 4506 - sensoroni: - tcp: - - 443 - ssh: - tcp: - - 22 - strelka_frontend: - tcp: - - 57314 - syslog: - tcp: - - 514 - 
udp: - - 514 - yum: - tcp: - - 443 \ No newline at end of file + grid: + hosts: + analyst_workstations: [] + analyst: [] + standalone: [] + eval: [] + idh: [] + manager: [] + heavynode: [] + searchnode: [] + receiver: [] + + portgroups: + standalone: + - playbook + - mysql + - kibana + - redis + - influxdb + - elasticsearch_rest + - elasticsearch_node + - docker_registry + - yum + - sensoroni + - beats_5044 + - beats_5644 + - elastic_agent_control + - elastic_agent_data + - elasticsearch_rest + - endgame + - strelka_frontend + - syslog + - nginx + analyst_workstation: [] + ports: + all: + tcp: + - '0:65535' + udp: + - '0:65535' + agrules: + tcp: + - 7788 + beats_5044: + tcp: + - 5044 + beats_5644: + tcp: + - 5644 + beats_5066: + tcp: + - 5066 + docker_registry: + tcp: + - 5000 + elasticsearch_node: + tcp: + - 9300 + elasticsearch_rest: + tcp: + - 9200 + elastic_agent_control: + tcp: + - 8220 + elastic_agent_data: + tcp: + - 5055 + endgame: + tcp: + - 3765 + influxdb: + tcp: + - 8086 + kibana: + tcp: + - 5601 + mysql: + tcp: + - 3306 + nginx: + tcp: + - 80 + - 443 + playbook: + tcp: + - 3200 + redis: + tcp: + - 6379 + - 9696 + salt_manager: + tcp: + - 4505 + - 4506 + sensoroni: + tcp: + - 443 + ssh: + tcp: + - {{ ssh_port }} + strelka_frontend: + tcp: + - 57314 + syslog: + tcp: + - 514 + udp: + - 514 + yum: + tcp: + - 443 + From 0eb6388ea37a50c58830daf23e3c2ab241bccf70 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 16 Sep 2022 13:34:11 -0400 Subject: [PATCH 25/46] Firewall Fun --- salt/firewall/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index 1261a9131..c31fd7ee5 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -98,7 +98,7 @@ firewall: - 443 ssh: tcp: - - {{ ssh_port }} + - 22 strelka_frontend: tcp: - 57314 From 1c9069690faded815b1ea56d2e3ae1269c5d5265 Mon Sep 17 00:00:00 2001 
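Review bot: `portgroups.standalone` lists `elasticsearch_rest` twice, and the same duplicate is carried into salt/firewall/portgroups/standalone in patch 30 of this series; dropping the second `- elasticsearch_rest` keeps the rendered rule set free of a redundant accept. The sibling key `analyst_workstation: []` is singular while the hostgroup it presumably pairs with is `hosts.analyst_workstations`, so any lookup keyed by hostgroup name would miss it; `analyst_workstations: []` matches. Note also that `hosts` defines nine groups but `portgroups` defines only `standalone` and `analyst_workstation`, so the other seven hostgroups currently have no port list at all, which may be intended for a first pass but is worth stating in the commit.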
From: Mike Reeves Date: Fri, 16 Sep 2022 13:38:07 -0400 Subject: [PATCH 26/46] Firewall Fun --- salt/firewall/defaults.yaml | 6 +++--- salt/firewall/soc_firewall.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index c31fd7ee5..3a6dbf18d 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -7,9 +7,9 @@ firewall: eval: [] idh: [] manager: [] - heavynode: [] - searchnode: [] - receiver: [] + heavynodes: [] + searchnodes: [] + receivers: [] portgroups: standalone: diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index eda5c9a5e..0e9baffa7 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -19,12 +19,12 @@ firewall: manager: description: List of IP Addresses or CIDR blocks to allow manager connections. global: True - heavynode: + heavynodes: description: List of IP Addresses or CIDR blocks to allow heavynode connections. global: True - searchnode: + searchnodes: description: List of IP Addresses or CIDR blocks to allow searchnode connections. global: True - receiver: + receivers: description: List of IP Addresses or CIDR blocks to allow receiver connections. global: True From d02c6808a42d850248275e4c26b25e451a6c220d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 16 Sep 2022 13:44:54 -0400 Subject: [PATCH 27/46] Firewall Fun --- salt/firewall/soc_firewall.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 0e9baffa7..68d96676e 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml 
@@ -4,27 +4,39 @@ firewall: analyst_workstations: description: List of IP Addresses or CIDR blocks to allow analyst workstations. global: True + title: Analyst Workstations analyst: description: List of IP Addresses or CIDR blocks to allow analyst connections. global: True + title: Analysts standalone: description: List of IP Addresses or CIDR blocks to allow standalone connections. global: True + title: Standalone + advanced: True eval: description: List of IP Addresses or CIDR blocks to allow eval connections. global: True + title: Eval + advanced: True idh: description: List of IP Addresses or CIDR blocks to allow idh connections. global: True + title: IDH Nodes manager: description: List of IP Addresses or CIDR blocks to allow manager connections. global: True + title: Manager + advanced: True heavynodes: description: List of IP Addresses or CIDR blocks to allow heavynode connections. global: True + title: Heavy Nodes searchnodes: description: List of IP Addresses or CIDR blocks to allow searchnode connections. global: True + title: Searchnodes receivers: description: List of IP Addresses or CIDR blocks to allow receiver connections. global: True + title: Receivers From 12e940f80984454d69d178f689092181ad58fb74 Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 16 Sep 2022 20:55:49 +0000 Subject: [PATCH 28/46] Change managed_by value from 'fleet' to 'security_onion' for Elastic Agent templates in defaults.yaml --- salt/elasticsearch/defaults.yaml | 44 ++++++++++++++++---------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index bb22849e5..a14c03e2d 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -75,7 +75,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true composed_of: - "so-logs-elastic_agent.apm_server@package" 
@@ -86,7 +86,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true data_stream: hidden: false @@ -109,7 +109,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true composed_of: - "so-logs-elastic_agent.auditbeat@package" @@ -120,7 +120,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true data_stream: hidden: false @@ -143,7 +143,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true composed_of: - "so-logs-elastic_agent.cloudbeat@package" @@ -154,7 +154,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true data_stream: hidden: false @@ -177,7 +177,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true composed_of: - "so-logs-elastic_agent.endpoint_security@package" @@ -188,7 +188,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true data_stream: hidden: false @@ -211,7 +211,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true composed_of: - "so-logs-elastic_agent.filebeat@package" @@ -222,7 +222,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true data_stream: hidden: false @@ -245,7 +245,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true composed_of: - "so-logs-elastic_agent.fleet_server@package" @@ -256,7 +256,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true data_stream: hidden: false 
@@ -279,7 +279,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true composed_of: - "so-logs-elastic_agent.heartbeat@package" @@ -290,7 +290,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true data_stream: hidden: false @@ -313,7 +313,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true composed_of: - "so-logs-elastic_agent@package" @@ -324,7 +324,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true data_stream: hidden: false @@ -347,7 +347,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true composed_of: - "so-logs-elastic_agent.metricbeat@package" @@ -358,7 +358,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true data_stream: hidden: false @@ -381,7 +381,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true composed_of: - "so-logs-elastic_agent.osquerybeat@package" @@ -392,7 +392,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true data_stream: hidden: false @@ -415,7 +415,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true composed_of: - "so-logs-elastic_agent.packetbeat@package" @@ -426,7 +426,7 @@ elasticsearch: _meta: package: name: elastic_agent - managed_by: fleet + managed_by: security_onion managed: true data_stream: hidden: false From 9542a5ada20150f26fb94dd9f9e1ae058d123549 Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Fri, 16 Sep 2022 17:46:52 -0400 Subject: [PATCH 29/46] complete rewrite of so-status --- salt/common/init.sls | 11 +- salt/common/tools/sbin/so-status | 408 ++++++++++-------------------- salt/soc/soc_soc.yaml | 2 + salt/telegraf/scripts/sostatus.sh | 6 +- 4 files changed, 151 insertions(+), 276 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index c391c127e..f8d3c9503 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -192,9 +192,16 @@ sostatus_log: file.managed: - name: /opt/so/log/sostatus/status.log - mode: 644 - + +common_pip_dependencies: + pip.installed: + - user: root + - pkgs: + - rich + - target: /usr/lib64/python3.6/site-packages + # Install sostatus check cron -'/usr/sbin/so-status -q; echo $? > /opt/so/log/sostatus/status.log 2>&1': +'/usr/sbin/so-status -j > /opt/so/log/sostatus/status.log 2>&1': cron.present: - user: root - minute: '*/1' diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status index 596070e4e..5e1487311 100644 --- a/salt/common/tools/sbin/so-status +++ b/salt/common/tools/sbin/so-status 
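Review bot: `common_pip_dependencies` installs `rich` from the package index with no version pin or hash, so every highstate on every node pulls whatever the index serves at that moment into a root-owned `site-packages`; pin it, e.g. `- rich==<PINNED_VERSION>` (placeholder), and consider serving it the way other packages in this repo are served rather than fetching at state-apply time. The `target: /usr/lib64/python3.6/site-packages` path hard-codes the interpreter version, so on a host with a different Python the module lands in a directory the interpreter running `so-status` may not search. The new cron command redirects stderr into the same file that salt/telegraf/scripts/sostatus.sh parses with `jq`, so any traceback or warning corrupts the JSON; use `'/usr/sbin/so-status -j > /opt/so/log/sostatus/status.log 2>/dev/null':` or make the consumer tolerate a non-JSON file.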
@@ -1,301 +1,165 @@ -#!/bin/bash +#!/usr/bin/env python3 # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. -if ! [ "$(id -u)" = 0 ]; then - echo "This command must be run as root" - exit 1 -fi +import json +import os +from rich import box +from rich.console import Console +from rich.table import Table +import subprocess +import sys +import time -display_help() { -cat < 2: + item = json.loads(line) + if item['Names'] == container: + details['Status'] = item['State'] + details['Details'] = item['Status'] + container_list.append(details) + exists = True + if item['State'] != "running": + code = 1 + break - mapfile -t expected_container_list < <(sort -u /opt/so/conf/so-status/so-status.conf | tr -d "#") + if not exists: + container_list.append(details) + code = 1 + return code, container_list -} -populate_container_lists() { - systemctl is-active --quiet docker +def check_status(options, console): + container_list = [] + code = check_system_status(options, console) + if code == 0: + code, container_list = check_container_status(options, console) + output(options, console, code, container_list) + return code - if [[ $? 
= 0 ]]; then - mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/v1.40/containers/json?all=1 \ - | jq -c '.[] | { Name: .Names[0], State: .State }' \ - | tr -d '/{"}') - else - exit 1 - fi - local container_name="" - local container_state="" +def main(): + options = [] + args = sys.argv[1:] + for option in args: + if option.startswith("-"): + options.append(option) + args.remove(option) - for line in "${docker_raw_list[@]}"; do - container_name="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\1/' )" # Get value in the first search group (container names) - container_state="$( echo $line | sed -e 's/Name:\(.*\),State:\(.*\)/\2/' )" # Get value in the second search group (container states) + if len(args) != 0 or "-h" in options: + showUsage(options, None) - temp_container_name_list+=( "${container_name}" ) - temp_container_state_list+=( "${container_state}" ) - done + if os.environ["USER"] != "root": + fail("This program must be run as root") + + console = Console() + sys.exit(check_status(options, console)) - compare_lists -} -parse_status() { - local service_name=${1} - local container_state=${2} +if __name__ == "__main__": + main() - for state in "${GOOD_STATUSES[@]}"; do - [[ $container_state = "$state" ]] && [[ $QUIET = "false" ]] && printf $SUCCESS_STRING && return 0 || [[ $container_state = "$state" ]] && return 0 - done - - for state in "${BAD_STATUSES[@]}"; do - [[ " ${DISABLED_CONTAINERS[@]} " =~ " ${service_name} " ]] && [[ $QUIET = "false" ]] && printf $DISABLED_STRING && return 0 || [[ " ${DISABLED_CONTAINERS[@]} " =~ " ${service_name} " ]] && return 0 - done - - # if a highstate has finished running since the system has started - # then the containers should be running so let's check the status - if [ $LAST_HIGHSTATE_END -ge $SYSTEM_START_TIME ]; then - - [[ $container_state = "missing" ]] && [[ $QUIET = "false" ]] && printf $MISSING_STRING && return 1 || [[ $container_state = "missing" ]] && [[ "$EXITCODE" -lt 2 ]] && 
EXITCODE=1 && return 1 - - for state in "${PENDING_STATUSES[@]}"; do - [[ $container_state = "$state" ]] && [[ $QUIET = "false" ]] && printf $PENDING_STRING && return 0 - done - - # This is technically not needed since the default is error state - for state in "${BAD_STATUSES[@]}"; do - [[ $container_state = "$state" ]] && [[ $QUIET = "false" ]] && printf $ERROR_STRING && return 1 || [[ $container_state = "$state" ]] && [[ "$EXITCODE" -lt 2 ]] && EXITCODE=1 && return 1 - done - - [[ $QUIET = "false" ]] && printf $ERROR_STRING && return 1 || [[ "$EXITCODE" -lt 2 ]] && EXITCODE=1 && return 1 - - # if a highstate has not run since system start time, but a highstate is currently running - # then show that the containers are STARTING - elif [[ "$HIGHSTATE_RUNNING" == 0 ]]; then - [[ $QUIET = "false" ]] && printf $STARTING_STRING && return 2 || EXITCODE=2 && return 2 - - # if a highstate has not finished running since system startup and isn't currently running - # then just show that the containers are WAIT_START; waiting to be started - else - [[ $QUIET = "false" ]] && printf $WAIT_START_STRING && return 2 || EXITCODE=2 && return 2 - - fi -} - -# {% raw %} - -print_line() { - local service_name=${1} - local service_state="$( parse_status ${1} ${2} )" - local columns=$(tput cols) - local state_color="\e[0m" - - local PADDING_CONSTANT=15 - - if [[ $service_state = "$ERROR_STRING" ]] || [[ $service_state = "$MISSING_STRING" ]]; then - state_color="\e[1;31m" - if [[ "$EXITCODE" -eq 0 ]]; then - EXITCODE=1 - fi - elif [[ $service_state = "$SUCCESS_STRING" ]]; then - state_color="\e[1;32m" - elif [[ $service_state = "$PENDING_STRING" ]] || [[ $service_state = "$DISABLED_STRING" ]] || [[ $service_state = "$STARTING_STRING" ]] || [[ $service_state = "$WAIT_START_STRING" ]]; then - state_color="\e[1;33m" - EXITCODE=2 - fi - - printf " $service_name " - for i in $(seq 0 $(( $columns - $PADDING_CONSTANT - ${#service_name} - ${#service_state} ))); do - printf 
"${state_color}%b\e[0m" "-" - done - printf " [ " - printf "${state_color}%b\e[0m" "$service_state" - printf "%s \n" " ]" -} - -non_term_print_line() { - local service_name=${1} - local service_state="$( parse_status ${1} ${2} )" - - if [[ $service_state = "$ERROR_STRING" ]] || [[ $service_state = "$MISSING_STRING" ]]; then - if [[ "$EXITCODE" -eq 0 ]]; then - EXITCODE=1 - fi - elif [[ $service_state = "$PENDING_STRING" ]] || [[ $service_state = "$DISABLED_STRING" ]] || [[ $service_state = "$STARTING_STRING" ]] || [[ $service_state = "$WAIT_START_STRING" ]]; then - EXITCODE=2 - fi - - printf " $service_name " - for i in $(seq 0 $(( 35 - ${#service_name} - ${#service_state} ))); do - printf "-" - done - printf " [ " - printf "$service_state" - printf "%s \n" " ]" -} - -main() { - - # if running from salt - if [ "$CALLER" == 'salt-call' ] || [ "$CALLER" == 'salt-minion' ]; then - printf "\n" - printf "Checking Docker status\n\n" - - systemctl is-active --quiet docker - if [[ $? = 0 ]]; then - non_term_print_line "Docker" "running" - else - non_term_print_line "Docker" "exited" - fi - - populate_container_lists - - printf "\n" - printf "Checking container statuses\n\n" - - local num_containers=${#container_name_list[@]} - - for i in $(seq 0 $(($num_containers - 1 ))); do - non_term_print_line ${container_name_list[$i]} ${container_state_list[$i]} - done - - printf "\n" - - # else if running from a terminal - else - - if [ "$QUIET" = true ]; then - if [ $SYSTEM_START_TIME -lt $LAST_SOSETUP_LOG ]; then - exit 99 - fi - print_or_parse="parse_status" - else - print_or_parse="print_line" - - local focus_color="\e[1;34m" - printf "\n" - printf "${focus_color}%b\e[0m" "Checking Docker status\n\n" - fi - - systemctl is-active --quiet docker - if [[ $? 
= 0 ]]; then - ${print_or_parse} "Docker" "running" - else - ${print_or_parse} "Docker" "exited" - fi - - populate_container_lists - - if [ "$QUIET" = false ]; then - printf "\n" - printf "${focus_color}%b\e[0m" "Checking container statuses\n\n" - fi - - local num_containers=${#container_name_list[@]} - - for i in $(seq 0 $(($num_containers - 1 ))); do - ${print_or_parse} ${container_name_list[$i]} ${container_state_list[$i]} - done - - if [ "$QUIET" = false ]; then - printf "\n" - fi - fi -} - -# {% endraw %} - -while getopts ':hq' OPTION; do - case "$OPTION" in - h) - display_help - exit 0 - ;; - q) - QUIET=true - ;; - \?) - display_help - exit 0 - ;; - esac -done - -main - -exit $EXITCODE \ No newline at end of file diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 57afc11e3..f16f5da87 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -6,11 +6,13 @@ soc: description: Customize the login page with a specific markdown-formatted message. file: True global: True + syntax: md motd__md: title: Overview Page description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the users' browser. file: True global: True + syntax: md custom__js: title: Custom Javascript description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades. diff --git a/salt/telegraf/scripts/sostatus.sh b/salt/telegraf/scripts/sostatus.sh index 567e6b027..d1753eadb 100644 --- a/salt/telegraf/scripts/sostatus.sh +++ b/salt/telegraf/scripts/sostatus.sh 
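Review bot: `main()` decides root by `os.environ["USER"] != "root"`, which raises `KeyError` when `USER` is unset (possible in the cron environment this script is now scheduled from) and trusts an environment variable the caller controls, whereas the old shell script checked the real uid; use `if os.geteuid() != 0:` before calling `fail`. The option-parsing loop calls `args.remove(option)` while iterating over that same list, so of two adjacent flags the second is skipped; build the two lists instead, `options = [a for a in args if a.startswith("-")]` and `args = [a for a in args if not a.startswith("-")]`. Part of the new file is garbled in this view (`cat < 2:`), so `fail` and the container-listing code could not be checked here.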
@@ -11,10 +11,12 @@ if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
 SOSTATUSLOG=/var/log/sostatus/status.log
- SOSTATUSSTATUS=$(cat /var/log/sostatus/status.log)
+ SOSTATUSCODE=$(jq -r .status_code /var/log/sostatus/status.log)
+ SOSTATUSJSON=$(cat /var/log/sostatus/status.log)
 if [ -f "$SOSTATUSLOG" ]; then
- echo "sostatus status=$SOSTATUSSTATUS"
+ echo "sostatus status=$SOSTATUSCODE"
+ echo "sostatus json=$SOSTATUSJSON"
 else
 exit 0
 fi
From 4b1031efa421b1ee227581a2663dc67bcad75b7e Mon Sep 17 00:00:00 2001
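Review bot: `SOSTATUSCODE=$(jq -r .status_code …)` and `SOSTATUSJSON=$(cat …)` run before the `if [ -f "$SOSTATUSLOG" ]` guard, so on a host where the log does not exist yet both commands fail to stderr and the guard only suppresses the echo; move the two assignments inside the `then` branch. `echo "sostatus json=$SOSTATUSJSON"` emits the raw file contents, which contain spaces and double quotes; if telegraf reads this output as influx line protocol, as the existing `status=` field suggests, an unquoted and unescaped string field will not parse and the whole line is dropped. Neither line handles a file that exists but is not valid JSON (for example when stderr from the cron job lands in it), in which case `jq` prints nothing and `status=` is emitted with an empty value.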
From: Mike Reeves Date: Sat, 17 Sep 2022 09:34:35 -0400 Subject: [PATCH 30/46] Firewall Fun --- salt/firewall/defaults.yaml | 113 ---------------- salt/firewall/hostgroups/analyst | 0 salt/firewall/hostgroups/analyst_workstations | 0 salt/firewall/hostgroups/eval | 0 salt/firewall/hostgroups/heavynodes | 0 salt/firewall/hostgroups/idh | 0 salt/firewall/hostgroups/manager | 0 salt/firewall/hostgroups/receivers | 0 salt/firewall/hostgroups/searchnodes | 0 salt/firewall/hostgroups/standalone | 0 salt/firewall/portgroups/analyst | 0 salt/firewall/portgroups/analyst_workstations | 0 salt/firewall/portgroups/eval | 0 salt/firewall/portgroups/heavynodes | 0 salt/firewall/portgroups/idh | 0 salt/firewall/portgroups/manager | 0 salt/firewall/portgroups/receivers | 0 salt/firewall/portgroups/searchnodes | 0 salt/firewall/portgroups/standalone | 19 +++ salt/firewall/ports/ports.yaml | 78 +++++++++++ salt/firewall/soc_firewall.yaml | 126 ++++++++++++------ 21 files changed, 182 insertions(+), 154 deletions(-) delete mode 100644 salt/firewall/defaults.yaml create mode 100644 salt/firewall/hostgroups/analyst create mode 100644 salt/firewall/hostgroups/analyst_workstations create mode 100644 salt/firewall/hostgroups/eval create mode 100644 salt/firewall/hostgroups/heavynodes create mode 100644 salt/firewall/hostgroups/idh create mode 100644 salt/firewall/hostgroups/manager create mode 100644 salt/firewall/hostgroups/receivers create mode 100644 salt/firewall/hostgroups/searchnodes create mode 100644 salt/firewall/hostgroups/standalone create mode 100644 salt/firewall/portgroups/analyst create mode 100644 salt/firewall/portgroups/analyst_workstations create mode 100644 salt/firewall/portgroups/eval create mode 100644 salt/firewall/portgroups/heavynodes create mode 100644 salt/firewall/portgroups/idh create mode 100644 salt/firewall/portgroups/manager create mode 100644 salt/firewall/portgroups/receivers create mode 100644 salt/firewall/portgroups/searchnodes create mode 100644 
salt/firewall/portgroups/standalone create mode 100644 salt/firewall/ports/ports.yaml diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml deleted file mode 100644 index 3a6dbf18d..000000000 --- a/salt/firewall/defaults.yaml +++ /dev/null @@ -1,113 +0,0 @@ -firewall: - grid: - hosts: - analyst_workstations: [] - analyst: [] - standalone: [] - eval: [] - idh: [] - manager: [] - heavynodes: [] - searchnodes: [] - receivers: [] - - portgroups: - standalone: - - playbook - - mysql - - kibana - - redis - - influxdb - - elasticsearch_rest - - elasticsearch_node - - docker_registry - - yum - - sensoroni - - beats_5044 - - beats_5644 - - elastic_agent_control - - elastic_agent_data - - elasticsearch_rest - - endgame - - strelka_frontend - - syslog - - nginx - analyst_workstation: [] - ports: - all: - tcp: - - '0:65535' - udp: - - '0:65535' - agrules: - tcp: - - 7788 - beats_5044: - tcp: - - 5044 - beats_5644: - tcp: - - 5644 - beats_5066: - tcp: - - 5066 - docker_registry: - tcp: - - 5000 - elasticsearch_node: - tcp: - - 9300 - elasticsearch_rest: - tcp: - - 9200 - elastic_agent_control: - tcp: - - 8220 - elastic_agent_data: - tcp: - - 5055 - endgame: - tcp: - - 3765 - influxdb: - tcp: - - 8086 - kibana: - tcp: - - 5601 - mysql: - tcp: - - 3306 - nginx: - tcp: - - 80 - - 443 - playbook: - tcp: - - 3200 - redis: - tcp: - - 6379 - - 9696 - salt_manager: - tcp: - - 4505 - - 4506 - sensoroni: - tcp: - - 443 - ssh: - tcp: - - 22 - strelka_frontend: - tcp: - - 57314 - syslog: - tcp: - - 514 - udp: - - 514 - yum: - tcp: - - 443 - diff --git a/salt/firewall/hostgroups/analyst b/salt/firewall/hostgroups/analyst new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/hostgroups/analyst_workstations b/salt/firewall/hostgroups/analyst_workstations new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/hostgroups/eval b/salt/firewall/hostgroups/eval new file mode 100644 index 000000000..e69de29bb 
diff --git a/salt/firewall/hostgroups/heavynodes b/salt/firewall/hostgroups/heavynodes new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/hostgroups/idh b/salt/firewall/hostgroups/idh new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/hostgroups/manager b/salt/firewall/hostgroups/manager new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/hostgroups/receivers b/salt/firewall/hostgroups/receivers new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/hostgroups/searchnodes b/salt/firewall/hostgroups/searchnodes new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/hostgroups/standalone b/salt/firewall/hostgroups/standalone new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/portgroups/analyst b/salt/firewall/portgroups/analyst new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/portgroups/analyst_workstations b/salt/firewall/portgroups/analyst_workstations new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/portgroups/eval b/salt/firewall/portgroups/eval new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/portgroups/heavynodes b/salt/firewall/portgroups/heavynodes new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/portgroups/idh b/salt/firewall/portgroups/idh new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/portgroups/manager b/salt/firewall/portgroups/manager new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/portgroups/receivers b/salt/firewall/portgroups/receivers new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/portgroups/searchnodes b/salt/firewall/portgroups/searchnodes new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/portgroups/standalone b/salt/firewall/portgroups/standalone new file mode 100644 index 000000000..ea8f495f9 
--- /dev/null +++ b/salt/firewall/portgroups/standalone @@ -0,0 +1,19 @@ +playbook +mysql +kibana +redis +influxdb +elasticsearch_rest +elasticsearch_node +docker_registry +yum +sensoroni +beats_5044 +beats_5644 +elastic_agent_control +elastic_agent_data +elasticsearch_rest +endgame +strelka_frontend +syslog +nginx \ No newline at end of file diff --git a/salt/firewall/ports/ports.yaml b/salt/firewall/ports/ports.yaml new file mode 100644 index 000000000..d26b373cb --- /dev/null +++ b/salt/firewall/ports/ports.yaml @@ -0,0 +1,78 @@ +firewall: + ports: + all: + tcp: + - '0:65535' + udp: + - '0:65535' + agrules: + tcp: + - 7788 + beats_5044: + tcp: + - 5044 + beats_5644: + tcp: + - 5644 + beats_5066: + tcp: + - 5066 + docker_registry: + tcp: + - 5000 + elasticsearch_node: + tcp: + - 9300 + elasticsearch_rest: + tcp: + - 9200 + elastic_agent_control: + tcp: + - 8220 + elastic_agent_data: + tcp: + - 5055 + endgame: + tcp: + - 3765 + influxdb: + tcp: + - 8086 + kibana: + tcp: + - 5601 + mysql: + tcp: + - 3306 + nginx: + tcp: + - 80 + - 443 + playbook: + tcp: + - 3200 + redis: + tcp: + - 6379 + - 9696 + salt_manager: + tcp: + - 4505 + - 4506 + sensoroni: + tcp: + - 443 + ssh: + tcp: + - 22 + strelka_frontend: + tcp: + - 57314 + syslog: + tcp: + - 514 + udp: + - 514 + yum: + tcp: + - 443 diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 68d96676e..7d5c7efbb 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml 
@@ -1,42 +1,86 @@ firewall: - grid: - hosts: - analyst_workstations: - description: List of IP Addresses or CIDR blocks to allow analyst workstations. - global: True - title: Analyst Workstations - analyst: - description: List of IP Addresses or CIDR blocks to allow analyst connections. - global: True - title: Analysts - standalone: - description: List of IP Addresses or CIDR blocks to allow standalone connections. - global: True - title: Standalone - advanced: True - eval: - description: List of IP Addresses or CIDR blocks to allow eval connections. - global: True - title: Eval - advanced: True - idh: - description: List of IP Addresses or CIDR blocks to allow idh connections. - global: True - title: IDH Nodes - manager: - description: List of IP Addresses or CIDR blocks to allow manager connections. - global: True - title: Manager - advanced: True - heavynodes: - description: List of IP Addresses or CIDR blocks to allow heavynode connections. - global: True - title: Heavy Nodes - searchnodes: - description: List of IP Addresses or CIDR blocks to allow searchnode connections. - global: True - title: Searchnodes - receivers: - description: List of IP Addresses or CIDR blocks to allow receiver connections. - global: True - title: Receivers + hostgroups: + analyst_workstations: + description: List of IP Addresses or CIDR blocks to allow analyst workstations. + file: True + title: Analyst Workstations + analyst: + description: List of IP Addresses or CIDR blocks to allow analyst connections. + file: True + title: Analysts + standalone: + description: List of IP Addresses or CIDR blocks to allow standalone connections. + file: True + title: Standalone + advanced: True + eval: + description: List of IP Addresses or CIDR blocks to allow eval connections. + file: True + title: Eval + advanced: True + idh: + description: List of IP Addresses or CIDR blocks to allow idh connections. 
+ file: True + title: IDH Nodes + manager: + description: List of IP Addresses or CIDR blocks to allow manager connections. + file: True + title: Manager + advanced: True + heavynodes: + description: List of IP Addresses or CIDR blocks to allow heavynode connections. + file: True + title: Heavy Nodes + searchnodes: + description: List of IP Addresses or CIDR blocks to allow searchnode connections. + file: True + title: Searchnodes + receivers: + description: List of IP Addresses or CIDR blocks to allow receiver connections. + file: True + title: Receivers + portgroups: + analyst_workstations: + description: List of ports for analyst workstations. + file: True + title: Analyst Workstations + analyst: + description: List of ports for analyst connections. + file: True + title: Analysts + standalone: + description: List of ports for standalone connections. + file: True + title: Standalone + advanced: True + eval: + description: List of ports for eval connections. + file: True + title: Eval + advanced: True + idh: + description: List of ports for idh connections. + file: True + title: IDH Nodes + manager: + description: List of ports for manager connections. + file: True + title: Manager + advanced: True + heavynodes: + description: List of ports for heavynode connections. + file: True + title: Heavy Nodes + searchnodes: + description: List of ports for searchnode connections. + file: True + title: Searchnodes + receivers: + description: List of ports for receiver connections. + file: True + title: Receivers + ports: + ports__yaml: + description: List of ports in YAML used for port groups. + file: True + title: Ports \ No newline at end of file From f3056c70574b315743c80462d2d39cca58d6e862 Mon Sep 17 00:00:00 2001 
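Review bot: The new `ports.ports__yaml` key carries no explanation of the double underscore, which looks like an encoding of the `ports.yaml` file name while every other `file: True` entry in the hunk uses a plain name; a one-line comment stating how this key is mapped to a file would keep the next editor from "fixing" it. Replacing `global: True` with `file: True` on every hostgroup also drops the global flag rather than adding the file flag alongside it; if both flags are meaningful to the consumer, keep both (later patches in this series reinstate `global: True`). The file still ends without a trailing newline.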
From: Mike Reeves Date: Sat, 17 Sep 2022 09:39:49 -0400 Subject: [PATCH 31/46] Firewall Fun --- salt/firewall/{portgroups => portgroups2}/analyst | 0 salt/firewall/{portgroups => portgroups2}/analyst_workstations | 0 salt/firewall/{portgroups => portgroups2}/eval | 0 salt/firewall/{portgroups => portgroups2}/heavynodes | 0 salt/firewall/{portgroups => portgroups2}/idh | 0 salt/firewall/{portgroups => portgroups2}/manager | 0 salt/firewall/{portgroups => portgroups2}/receivers | 0 salt/firewall/{portgroups => portgroups2}/searchnodes | 0 salt/firewall/{portgroups => portgroups2}/standalone | 0 salt/firewall/soc_firewall.yaml | 2 +- 10 files changed, 1 insertion(+), 1 deletion(-) rename salt/firewall/{portgroups => portgroups2}/analyst (100%) rename salt/firewall/{portgroups => portgroups2}/analyst_workstations (100%) rename salt/firewall/{portgroups => portgroups2}/eval (100%) rename salt/firewall/{portgroups => portgroups2}/heavynodes (100%) rename salt/firewall/{portgroups => portgroups2}/idh (100%) rename salt/firewall/{portgroups => portgroups2}/manager (100%) rename salt/firewall/{portgroups => portgroups2}/receivers (100%) rename salt/firewall/{portgroups => portgroups2}/searchnodes (100%) rename salt/firewall/{portgroups => portgroups2}/standalone (100%) diff --git a/salt/firewall/portgroups/analyst b/salt/firewall/portgroups2/analyst similarity index 100% rename from salt/firewall/portgroups/analyst rename to salt/firewall/portgroups2/analyst diff --git a/salt/firewall/portgroups/analyst_workstations b/salt/firewall/portgroups2/analyst_workstations similarity index 100% rename from salt/firewall/portgroups/analyst_workstations rename to salt/firewall/portgroups2/analyst_workstations diff --git a/salt/firewall/portgroups/eval b/salt/firewall/portgroups2/eval similarity index 100% rename from salt/firewall/portgroups/eval rename to salt/firewall/portgroups2/eval 
diff --git a/salt/firewall/portgroups/heavynodes b/salt/firewall/portgroups2/heavynodes similarity index 100% rename from salt/firewall/portgroups/heavynodes rename to salt/firewall/portgroups2/heavynodes diff --git a/salt/firewall/portgroups/idh b/salt/firewall/portgroups2/idh similarity index 100% rename from salt/firewall/portgroups/idh rename to salt/firewall/portgroups2/idh diff --git a/salt/firewall/portgroups/manager b/salt/firewall/portgroups2/manager similarity index 100% rename from salt/firewall/portgroups/manager rename to salt/firewall/portgroups2/manager diff --git a/salt/firewall/portgroups/receivers b/salt/firewall/portgroups2/receivers similarity index 100% rename from salt/firewall/portgroups/receivers rename to salt/firewall/portgroups2/receivers diff --git a/salt/firewall/portgroups/searchnodes b/salt/firewall/portgroups2/searchnodes similarity index 100% rename from salt/firewall/portgroups/searchnodes rename to salt/firewall/portgroups2/searchnodes diff --git a/salt/firewall/portgroups/standalone b/salt/firewall/portgroups2/standalone similarity index 100% rename from salt/firewall/portgroups/standalone rename to salt/firewall/portgroups2/standalone diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 7d5c7efbb..b7e536cef 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -39,7 +39,7 @@ firewall: description: List of IP Addresses or CIDR blocks to allow receiver connections. file: True title: Receivers - portgroups: + portgroups2: analyst_workstations: description: List of ports for analyst workstations. file: True From b6a104009023f47e801e746f32401eec83433255 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Sat, 17 Sep 2022 09:42:35 -0400 Subject: [PATCH 32/46] Firewall Fun --- salt/firewall/{hostgroups => hostgroups2}/analyst | 0 salt/firewall/{hostgroups => hostgroups2}/analyst_workstations | 0 salt/firewall/{hostgroups => hostgroups2}/eval | 0 salt/firewall/{hostgroups => hostgroups2}/heavynodes | 0 salt/firewall/{hostgroups => hostgroups2}/idh | 0 salt/firewall/{hostgroups => hostgroups2}/manager | 0 salt/firewall/{hostgroups => hostgroups2}/receivers | 0 salt/firewall/{hostgroups => hostgroups2}/searchnodes | 0 salt/firewall/{hostgroups => hostgroups2}/standalone | 0 salt/firewall/soc_firewall.yaml | 2 +- 10 files changed, 1 insertion(+), 1 deletion(-) rename salt/firewall/{hostgroups => hostgroups2}/analyst (100%) rename salt/firewall/{hostgroups => hostgroups2}/analyst_workstations (100%) rename salt/firewall/{hostgroups => hostgroups2}/eval (100%) rename salt/firewall/{hostgroups => hostgroups2}/heavynodes (100%) rename salt/firewall/{hostgroups => hostgroups2}/idh (100%) rename salt/firewall/{hostgroups => hostgroups2}/manager (100%) rename salt/firewall/{hostgroups => hostgroups2}/receivers (100%) rename salt/firewall/{hostgroups => hostgroups2}/searchnodes (100%) rename salt/firewall/{hostgroups => hostgroups2}/standalone (100%) diff --git a/salt/firewall/hostgroups/analyst b/salt/firewall/hostgroups2/analyst similarity index 100% rename from salt/firewall/hostgroups/analyst rename to salt/firewall/hostgroups2/analyst diff --git a/salt/firewall/hostgroups/analyst_workstations b/salt/firewall/hostgroups2/analyst_workstations similarity index 100% rename from salt/firewall/hostgroups/analyst_workstations rename to salt/firewall/hostgroups2/analyst_workstations diff --git a/salt/firewall/hostgroups/eval b/salt/firewall/hostgroups2/eval similarity index 100% rename from salt/firewall/hostgroups/eval rename to salt/firewall/hostgroups2/eval 
diff --git a/salt/firewall/hostgroups/heavynodes b/salt/firewall/hostgroups2/heavynodes similarity index 100% rename from salt/firewall/hostgroups/heavynodes rename to salt/firewall/hostgroups2/heavynodes diff --git a/salt/firewall/hostgroups/idh b/salt/firewall/hostgroups2/idh similarity index 100% rename from salt/firewall/hostgroups/idh rename to salt/firewall/hostgroups2/idh diff --git a/salt/firewall/hostgroups/manager b/salt/firewall/hostgroups2/manager similarity index 100% rename from salt/firewall/hostgroups/manager rename to salt/firewall/hostgroups2/manager diff --git a/salt/firewall/hostgroups/receivers b/salt/firewall/hostgroups2/receivers similarity index 100% rename from salt/firewall/hostgroups/receivers rename to salt/firewall/hostgroups2/receivers diff --git a/salt/firewall/hostgroups/searchnodes b/salt/firewall/hostgroups2/searchnodes similarity index 100% rename from salt/firewall/hostgroups/searchnodes rename to salt/firewall/hostgroups2/searchnodes diff --git a/salt/firewall/hostgroups/standalone b/salt/firewall/hostgroups2/standalone similarity index 100% rename from salt/firewall/hostgroups/standalone rename to salt/firewall/hostgroups2/standalone diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index b7e536cef..21a4814ae 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -1,5 +1,5 @@ firewall: - hostgroups: + hostgroups2: analyst_workstations: description: List of IP Addresses or CIDR blocks to allow analyst workstations. file: True From 724d5d952a2484013bcbd1b9337d49a889cb4245 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 17 Sep 2022 09:46:07 -0400 Subject: [PATCH 33/46] Firewall Fun --- salt/firewall/soc_firewall.yaml | 45 --------------------------------- 1 file changed, 45 deletions(-) diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 21a4814ae..8389f2f7e 100644 --- a/salt/firewall/soc_firewall.yaml 
+++ b/salt/firewall/soc_firewall.yaml @@ -39,48 +39,3 @@ firewall: description: List of IP Addresses or CIDR blocks to allow receiver connections. file: True title: Receivers - portgroups2: - analyst_workstations: - description: List of ports for analyst workstations. - file: True - title: Analyst Workstations - analyst: - description: List of ports for analyst connections. - file: True - title: Analysts - standalone: - description: List of ports for standalone connections. - file: True - title: Standalone - advanced: True - eval: - description: List of ports for eval connections. - file: True - title: Eval - advanced: True - idh: - description: List of ports for idh connections. - file: True - title: IDH Nodes - manager: - description: List of ports for manager connections. - file: True - title: Manager - advanced: True - heavynodes: - description: List of ports for heavynode connections. - file: True - title: Heavy Nodes - searchnodes: - description: List of ports for searchnode connections. - file: True - title: Searchnodes - receivers: - description: List of ports for receiver connections. - file: True - title: Receivers - ports: - ports__yaml: - description: List of ports in YAML used for port groups. - file: True - title: Ports \ No newline at end of file From 8a26b3fa04e8b378baa3df0fe591d35a84ae84cc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 17 Sep 2022 09:47:15 -0400 Subject: [PATCH 34/46] Firewall Fun --- salt/firewall/soc_firewall.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 8389f2f7e..2f18406c4 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -1,5 +1,5 @@ firewall: - hostgroups2: + hostgroups: analyst_workstations: description: List of IP Addresses or CIDR blocks to allow analyst workstations. file: True From e717579113a592a5e07572c141cbecf1e2b14071 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Sat, 17 Sep 2022 09:51:26 -0400 Subject: [PATCH 35/46] Firewall Fun --- salt/firewall/{hostgroups2 => hostgroups}/analyst | 0 .../{hostgroups2 => hostgroups}/analyst_workstations | 0 salt/firewall/{hostgroups2 => hostgroups}/eval | 0 salt/firewall/{hostgroups2 => hostgroups}/heavynodes | 0 salt/firewall/{hostgroups2 => hostgroups}/idh | 0 salt/firewall/{hostgroups2 => hostgroups}/manager | 0 salt/firewall/{hostgroups2 => hostgroups}/receivers | 0 salt/firewall/{hostgroups2 => hostgroups}/searchnodes | 0 salt/firewall/{hostgroups2 => hostgroups}/standalone | 0 salt/firewall/{portgroups2 => portgroups}/analyst | 0 .../{portgroups2 => portgroups}/analyst_workstations | 0 salt/firewall/{portgroups2 => portgroups}/eval | 0 salt/firewall/{portgroups2 => portgroups}/heavynodes | 0 salt/firewall/{portgroups2 => portgroups}/idh | 0 salt/firewall/{portgroups2 => portgroups}/manager | 0 salt/firewall/{portgroups2 => portgroups}/receivers | 0 salt/firewall/{portgroups2 => portgroups}/searchnodes | 0 salt/firewall/{portgroups2 => portgroups}/standalone | 0 salt/firewall/soc_firewall.yaml | 10 ++++++++++ 19 files changed, 10 insertions(+) rename salt/firewall/{hostgroups2 => hostgroups}/analyst (100%) rename salt/firewall/{hostgroups2 => hostgroups}/analyst_workstations (100%) rename salt/firewall/{hostgroups2 => hostgroups}/eval (100%) rename salt/firewall/{hostgroups2 => hostgroups}/heavynodes (100%) rename salt/firewall/{hostgroups2 => hostgroups}/idh (100%) rename salt/firewall/{hostgroups2 => hostgroups}/manager (100%) rename salt/firewall/{hostgroups2 => hostgroups}/receivers (100%) rename salt/firewall/{hostgroups2 => hostgroups}/searchnodes (100%) rename salt/firewall/{hostgroups2 => hostgroups}/standalone (100%) rename salt/firewall/{portgroups2 => portgroups}/analyst (100%) rename salt/firewall/{portgroups2 => portgroups}/analyst_workstations (100%) rename salt/firewall/{portgroups2 => portgroups}/eval (100%) rename salt/firewall/{portgroups2 => 
portgroups}/heavynodes (100%) rename salt/firewall/{portgroups2 => portgroups}/idh (100%) rename salt/firewall/{portgroups2 => portgroups}/manager (100%) rename salt/firewall/{portgroups2 => portgroups}/receivers (100%) rename salt/firewall/{portgroups2 => portgroups}/searchnodes (100%) rename salt/firewall/{portgroups2 => portgroups}/standalone (100%) diff --git a/salt/firewall/hostgroups2/analyst b/salt/firewall/hostgroups/analyst similarity index 100% rename from salt/firewall/hostgroups2/analyst rename to salt/firewall/hostgroups/analyst diff --git a/salt/firewall/hostgroups2/analyst_workstations b/salt/firewall/hostgroups/analyst_workstations similarity index 100% rename from salt/firewall/hostgroups2/analyst_workstations rename to salt/firewall/hostgroups/analyst_workstations diff --git a/salt/firewall/hostgroups2/eval b/salt/firewall/hostgroups/eval similarity index 100% rename from salt/firewall/hostgroups2/eval rename to salt/firewall/hostgroups/eval diff --git a/salt/firewall/hostgroups2/heavynodes b/salt/firewall/hostgroups/heavynodes similarity index 100% rename from salt/firewall/hostgroups2/heavynodes rename to salt/firewall/hostgroups/heavynodes diff --git a/salt/firewall/hostgroups2/idh b/salt/firewall/hostgroups/idh similarity index 100% rename from salt/firewall/hostgroups2/idh rename to salt/firewall/hostgroups/idh diff --git a/salt/firewall/hostgroups2/manager b/salt/firewall/hostgroups/manager similarity index 100% rename from salt/firewall/hostgroups2/manager rename to salt/firewall/hostgroups/manager diff --git a/salt/firewall/hostgroups2/receivers b/salt/firewall/hostgroups/receivers similarity index 100% rename from salt/firewall/hostgroups2/receivers rename to salt/firewall/hostgroups/receivers diff --git a/salt/firewall/hostgroups2/searchnodes b/salt/firewall/hostgroups/searchnodes similarity index 100% rename from salt/firewall/hostgroups2/searchnodes rename to salt/firewall/hostgroups/searchnodes 
diff --git a/salt/firewall/hostgroups2/standalone b/salt/firewall/hostgroups/standalone similarity index 100% rename from salt/firewall/hostgroups2/standalone rename to salt/firewall/hostgroups/standalone diff --git a/salt/firewall/portgroups2/analyst b/salt/firewall/portgroups/analyst similarity index 100% rename from salt/firewall/portgroups2/analyst rename to salt/firewall/portgroups/analyst diff --git a/salt/firewall/portgroups2/analyst_workstations b/salt/firewall/portgroups/analyst_workstations similarity index 100% rename from salt/firewall/portgroups2/analyst_workstations rename to salt/firewall/portgroups/analyst_workstations diff --git a/salt/firewall/portgroups2/eval b/salt/firewall/portgroups/eval similarity index 100% rename from salt/firewall/portgroups2/eval rename to salt/firewall/portgroups/eval diff --git a/salt/firewall/portgroups2/heavynodes b/salt/firewall/portgroups/heavynodes similarity index 100% rename from salt/firewall/portgroups2/heavynodes rename to salt/firewall/portgroups/heavynodes diff --git a/salt/firewall/portgroups2/idh b/salt/firewall/portgroups/idh similarity index 100% rename from salt/firewall/portgroups2/idh rename to salt/firewall/portgroups/idh diff --git a/salt/firewall/portgroups2/manager b/salt/firewall/portgroups/manager similarity index 100% rename from salt/firewall/portgroups2/manager rename to salt/firewall/portgroups/manager diff --git a/salt/firewall/portgroups2/receivers b/salt/firewall/portgroups/receivers similarity index 100% rename from salt/firewall/portgroups2/receivers rename to salt/firewall/portgroups/receivers diff --git a/salt/firewall/portgroups2/searchnodes b/salt/firewall/portgroups/searchnodes similarity index 100% rename from salt/firewall/portgroups2/searchnodes rename to salt/firewall/portgroups/searchnodes 
diff --git a/salt/firewall/portgroups2/standalone b/salt/firewall/portgroups/standalone similarity index 100% rename from salt/firewall/portgroups2/standalone rename to salt/firewall/portgroups/standalone diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index 2f18406c4..a0b454349 100644 --- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -3,39 +3,49 @@ firewall: analyst_workstations: description: List of IP Addresses or CIDR blocks to allow analyst workstations. file: True + global: True title: Analyst Workstations analyst: description: List of IP Addresses or CIDR blocks to allow analyst connections. file: True + global: True title: Analysts standalone: description: List of IP Addresses or CIDR blocks to allow standalone connections. file: True + global: True title: Standalone advanced: True eval: description: List of IP Addresses or CIDR blocks to allow eval connections. file: True + global: True title: Eval advanced: True idh: description: List of IP Addresses or CIDR blocks to allow idh connections. file: True + global: True title: IDH Nodes manager: description: List of IP Addresses or CIDR blocks to allow manager connections. file: True + global: True title: Manager advanced: True heavynodes: description: List of IP Addresses or CIDR blocks to allow heavynode connections. file: True + global: True title: Heavy Nodes searchnodes: description: List of IP Addresses or CIDR blocks to allow searchnode connections. file: True + globaal: True title: Searchnodes receivers: description: List of IP Addresses or CIDR blocks to allow receiver connections. file: True + global: True title: Receivers + From 98ae6149dc7f58ffb91af9fc262e906811177500 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sat, 17 Sep 2022 09:54:20 -0400 Subject: [PATCH 36/46] Firewall Fun --- salt/firewall/soc_firewall.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) 
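Review bot: The line added under `searchnodes` reads `globaal: True` instead of `global: True`, so that hostgroup is the only one in the block that does not actually receive the flag; PATCH 36 on this page corrects it, but the fix belongs in this commit. The hunk also appends an empty `+` line at the end of the file, which the same later patch removes.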
diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml
index a0b454349..45474f627 100644
--- a/salt/firewall/soc_firewall.yaml
+++ b/salt/firewall/soc_firewall.yaml
@@ -41,11 +41,16 @@ firewall:
 searchnodes:
 description: List of IP Addresses or CIDR blocks to allow searchnode connections.
 file: True
- globaal: True
+ global: True
 title: Searchnodes
 receivers:
 description: List of IP Addresses or CIDR blocks to allow receiver connections.
 file: True
 global: True
 title: Receivers
-
+ portgroups:
+ analyst:
+ description: List of ports for use with Analyst connections.
+ file: True
+ global: True
+ title: Analyst Ports
From 4a68a5e0542daa8f9382d4772c70ee85b028a9a9 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Sat, 17 Sep 2022 09:57:43 -0400
Subject: [PATCH 37/46] Firewall Fun
---
 salt/firewall/soc_firewall.yaml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml
index 45474f627..ae565751d 100644
--- a/salt/firewall/soc_firewall.yaml
+++ b/salt/firewall/soc_firewall.yaml
@@ -54,3 +54,13 @@ firewall:
 file: True
 global: True
 title: Analyst Ports
+ analyst_workstations:
+ description: List of ports for use with analyst workstations.
+ file: True
+ global: True
+ title: Analyst Workstation Ports
+ standalone:
+ description: List of ports for use with Standalone.
+ file: True
+ global: True
+ title: Standalone
From d7585e1b3d3e1591b428e17028133556e64d551f Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Sat, 17 Sep 2022 10:03:18 -0400
Subject: [PATCH 38/46] Firewall Fun
---
 salt/firewall/soc_firewall.yaml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml
index ae565751d..a33c4731e 100644
--- a/salt/firewall/soc_firewall.yaml
+++ b/salt/firewall/soc_firewall.yaml
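Review bot: `title: Standalone` on the new standalone port group is inconsistent with its siblings (`Analyst Ports`, `Analyst Workstation Ports`) and identical to the title of the standalone hostgroup earlier in the file, so if titles are what operators see, the two groups become indistinguishable; use `title: Standalone Ports`. The descriptions also differ in capitalisation (`analyst workstations` vs `Standalone`); pick one form for the block.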
@@ -42,7 +42,7 @@ firewall: description: List of IP Addresses or CIDR blocks to allow searchnode connections. file: True global: True - title: Searchnodes + title: Search Nodes receivers: description: List of IP Addresses or CIDR blocks to allow receiver connections. file: True @@ -64,3 +64,9 @@ firewall: file: True global: True title: Standalone + ports: + ports__yaml: + description: Ports in YAML. + file: True + global: True + title: Ports \ No newline at end of file From 7d965b5cda8d791433deb2f10456f33a5d0ea0cb Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 19 Sep 2022 09:17:06 -0400 Subject: [PATCH 39/46] Ensure so-status does not get jinjafied --- salt/common/init.sls | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/common/init.sls b/salt/common/init.sls index f8d3c9503..4bf779e2b 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -123,6 +123,13 @@ utilsyncscripts: - so-firewall - so-image-common - soup + - so-status + +so-status_script: + file.managed: + - name: /usr/sbin/so-status + - source: salt://common/tools/sbin/so-status + - mode: 755 {% if role in ['eval', 'standalone', 'sensor', 'heavynode'] %} # Add sensor cleanup From 9bdb3641225f481a9d5262357f0db6ca39451217 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Sep 2022 09:39:42 -0400 Subject: [PATCH 40/46] Firewall Fun --- salt/firewall/hostgroups/sensors | 0 salt/firewall/portgroups/sensors | 0 salt/firewall/soc_firewall.yaml | 5 +++++ 3 files changed, 5 insertions(+) create mode 100644 salt/firewall/hostgroups/sensors create mode 100644 salt/firewall/portgroups/sensors diff --git a/salt/firewall/hostgroups/sensors b/salt/firewall/hostgroups/sensors new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/portgroups/sensors b/salt/firewall/portgroups/sensors new file mode 100644 index 000000000..e69de29bb diff --git a/salt/firewall/soc_firewall.yaml b/salt/firewall/soc_firewall.yaml index a33c4731e..02199bc79 100644 
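Review bot: The new `so-status_script` state sets `mode: 755` but no `user`/`group`; if the sibling file states in init.sls set them explicitly, add `- user: root` and `- group: root` here so ownership of /usr/sbin/so-status does not depend on the minion's effective user. The commit also adds `- so-status` to the `utilsyncscripts` list, but that state's header is outside the hunk, so whether the list is an exclusion from a templated recurse (as the commit title suggests) cannot be confirmed from this page. A comment on the new state, `# managed separately from utilsyncscripts so the script is not rendered as a Jinja template`, would record why it is handled on its own.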
--- a/salt/firewall/soc_firewall.yaml +++ b/salt/firewall/soc_firewall.yaml @@ -43,6 +43,11 @@ firewall: file: True global: True title: Search Nodes + sensors: + description: List of IP Addresses or CIDR blocks to allow Sensor connections. + file: True + global: True + title: Sensors receivers: description: List of IP Addresses or CIDR blocks to allow receiver connections. file: True From f4508aa53432811a7913ccf81759763031d643c6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Sep 2022 10:22:32 -0400 Subject: [PATCH 41/46] Fix sensoroni Agent --- salt/idstools/init.sls | 8 ++------ salt/sensoroni/files/sensoroni.json | 21 +++++++++------------ salt/sensoroni/init.sls | 6 ++---- salt/vars/globals.map.jinja | 3 +++ 4 files changed, 16 insertions(+), 22 deletions(-) diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index fa08125f5..d99ef17c6 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -2,14 +2,10 @@ # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. - +{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% set VERSION = salt['pillar.get']('global:soversion') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -{% set ENGINE = salt['pillar.get']('global:mdengine') %} {% set proxy = salt['pillar.get']('manager:proxy') %} include: @@ -33,7 +29,7 @@ so-ruleupdatecron: so-idstools: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-idstools:{{ VERSION }} + - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-idstools:{{ GLOBALS.so_version }} - hostname: so-idstools - user: socore {% if proxy %} 
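Review bot: `ENGINE` (pillar `global:mdengine`) is removed here together with the variables replaced by `GLOBALS`, but unlike `MANAGER`, `IMAGEREPO` and `VERSION` it gets no `GLOBALS.*` replacement in the second hunk; the rest of init.sls is outside the hunk, so confirm no later line still references `ENGINE`, since an undefined Jinja variable there would render empty or fail the state. The import is also placed on the line where the blank separator after the license header used to be; restoring the blank keeps the header visually distinct from the code.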
diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json
index 2fe385de5..8ca18b535 100644
--- a/salt/sensoroni/files/sensoroni.json
+++ b/salt/sensoroni/files/sensoroni.json
@@ -1,10 +1,7 @@
-{%- set URLBASE = salt['pillar.get']('global:url_base') %}
-{%- set DESCRIPTION = salt['pillar.get']('sensoroni:node_description', '') %}
-{%- set MODEL = salt['grains.get']('sosmodel', '') %}
-{%- set ADDRESS = salt['pillar.get']('sensoroni:node_address') %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
 {%- set ANALYZE_TIMEOUT_MS = salt['pillar.get']('sensoroni:analyze_timeout_ms', 900000) %}
 {%- set ANALYZE_PARALLEL_LIMIT = salt['pillar.get']('sensoroni:analyze_parallel_limit', 5) %}
-{%- set SENSORONIKEY = salt['pillar.get']('sensoroni:sensoronikey', '') %}
 {%- set CHECKININTERVALMS = salt['pillar.get']('sensoroni:node_checkin_interval_ms', 10000) %}
 {%- set ROLE = grains.id.split('_') | last %}
 {%- if ROLE in ['eval', 'standalone', 'sensor', 'heavynode'] %}
@@ -23,13 +20,13 @@
 "logFilename": "/opt/sensoroni/logs/sensoroni.log",
 "logLevel":"info",
 "agent": {
- "nodeId": "{{ grains.host | lower }}",
- "role": "{{ grains.role }}",
- "description": {{ DESCRIPTION | tojson }},
- "address": "{{ ADDRESS }}",
- "model": "{{ MODEL }}",
+ "nodeId": "{{ GLOBALS.hostname | lower }}",
+ "role": "{{ GLOBALS.role }}",
+ "description": {{ GLOBALS.description | tojson }},
+ "address": "{{ GLOBALS.node_ip }}",
+ "model": "{{ GLOBLAS.so_model }}",
 "pollIntervalMs": {{ CHECKININTERVALMS if CHECKININTERVALMS else 10000 }},
- "serverUrl": "https://{{ URLBASE }}/sensoroniagents",
+ "serverUrl": "https://{{ GLOBALS.url_base }}/sensoroniagents",
 "verifyCert": false,
 "modules": {
 {%- if ANALYZEENABLED %}
@@ -40,7 +37,7 @@
 {%- endif %}
 "importer": {},
 "statickeyauth": {
- "apiKey": "{{ SENSORONIKEY }}"
+ "apiKey": "{{ GLOBALS.sensoroni_key }}"
 {%- if STENOENABLED %}
 },
 "stenoquery": {
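Review bot: The removed `pillar.get` calls carried defaults (`''` for `sensoroni:node_description`, the `sosmodel` grain and `sensoroni:sensoronikey`) that the replacement `GLOBALS` attributes, built in globals.map.jinja from direct `INIT.PILLAR.sensoroni.*` and `INIT.GRAINS.*` lookups, do not; if any of those keys is unset on a minion the template presumably now renders an undefined value or fails instead of an empty string. If `INIT.PILLAR` is a plain mapping, `INIT.PILLAR.sensoroni.get('node_description', '')` in the map restores the previous fallback; otherwise document that the keys are mandatory.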
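Review bot: `"model": "{{ GLOBLAS.so_model }}"` misspells `GLOBALS`; `GLOBLAS` is undefined in the template, so the rendered `model` is empty or the render fails depending on the undefined handling, and PATCH 44 on this page corrects it. `"address"` now comes from `GLOBALS.node_ip` where the old code read `sensoroni:node_address`; the globals.map.jinja hunk in this commit does not add `node_ip`, so it must already exist in the map — worth confirming it carries the same value the agent previously reported.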
diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls index 6d49d33ab..7e0aaa9aa 100644 --- a/salt/sensoroni/init.sls +++ b/salt/sensoroni/init.sls @@ -1,6 +1,4 @@ -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} +{% from 'vars/globals.map.jinja' import GLOBALS %} sensoroniconfdir: file.directory: @@ -43,7 +41,7 @@ analyzerscripts: so-sensoroni: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }} + - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-soc:{{ GLOBALS.so_version }} - network_mode: host - binds: - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja index 9a6dd7f33..840ec7584 100644 --- a/salt/vars/globals.map.jinja +++ b/salt/vars/globals.map.jinja @@ -20,7 +20,10 @@ 'pipeline': INIT.PILLAR.global.pipeline, 'so_version': INIT.PILLAR.global.soversion, 'url_base': INIT.PILLAR.global.url_base, + 'so_model': INIT.GRAINS.sosmodel, + 'description': INIT.PILLAR.sensoroni.node_desccription, 'docker_range': INIT.PILLAR.docker.range, + 'sensoroni_key': INIT.PILLAR.sensoroni.sensoronikey, 'application_urls': {}, 'manager_roles': [ 'so-eval', From ae6fbab45d421c4aaf705e694611016b4d602f60 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 19 Sep 2022 10:27:20 -0400 Subject: [PATCH 42/46] refactor sostatus telegraf input script --- salt/telegraf/scripts/sostatus.sh | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/salt/telegraf/scripts/sostatus.sh b/salt/telegraf/scripts/sostatus.sh index d1753eadb..c30220fff 100644 --- a/salt/telegraf/scripts/sostatus.sh +++ b/salt/telegraf/scripts/sostatus.sh 
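Review bot: `sensoroni_key` places an API credential into the `GLOBALS` map that every state importing `vars/globals.map.jinja` now receives, so any state that renders or logs the map wholesale can expose the key; at minimum mark it, `# sensoroni_key is a secret: never render or log GLOBALS as a whole`, and keeping the lookup local to the sensoroni template (as it was before this patch) is the safer layout. `node_desccription` is misspelled, so `description` resolves to a missing pillar key (PATCH 43 fixes it). The old `''` default for the description is also lost with the direct attribute lookup.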
@@ -11,12 +11,11 @@ if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
 SOSTATUSLOG=/var/log/sostatus/status.log
- SOSTATUSCODE=$(jq -r .status_code /var/log/sostatus/status.log)
- SOSTATUSJSON=$(cat /var/log/sostatus/status.log)
+ SOSTATUSCODE=$(jq -r .status_code $SOSTATUSLOG)
+ SOSTATUSJSON=$(cat $SOSTATUSLOG | sed 's/"/\\"/g')
 if [ -f "$SOSTATUSLOG" ]; then
- echo "sostatus status=$SOSTATUSCODE"
- echo "sostatus json=$SOSTATUSJSON"
+ echo "sostatus status=$SOSTATUSCODE,json=\"$SOSTATUSJSON\""
 else
 exit 0
 fi
From e3e6e7b4e88392a8cc142af307a5ee7e0bc18a65 Mon Sep 17 00:00:00 2001
From: Mike Reeves Date: Mon, 19 Sep 2022 10:41:01 -0400 Subject: [PATCH 43/46] Fix sensoroni Agent
---
 salt/sensoroni/files/sensoroni.json | 3 +-- salt/vars/globals.map.jinja | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json
index 8ca18b535..c57737612 100644
--- a/salt/sensoroni/files/sensoroni.json
+++ b/salt/sensoroni/files/sensoroni.json
@@ -1,5 +1,4 @@
-{% from 'vars/globals.map.jinja' import GLOBALS %}
-
+{%- from 'vars/globals.map.jinja' import GLOBALS %}
 {%- set ANALYZE_TIMEOUT_MS = salt['pillar.get']('sensoroni:analyze_timeout_ms', 900000) %}
 {%- set ANALYZE_PARALLEL_LIMIT = salt['pillar.get']('sensoroni:analyze_parallel_limit', 5) %}
 {%- set CHECKININTERVALMS = salt['pillar.get']('sensoroni:node_checkin_interval_ms', 10000) %}
diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja
index 840ec7584..0dbe0f294 100644
--- a/salt/vars/globals.map.jinja
+++ b/salt/vars/globals.map.jinja
@@ -21,7 +21,7 @@
 'so_version': INIT.PILLAR.global.soversion,
 'url_base': INIT.PILLAR.global.url_base,
 'so_model': INIT.GRAINS.sosmodel,
- 'description': INIT.PILLAR.sensoroni.node_desccription,
+ 'description': INIT.PILLAR.sensoroni.node_description,
 'docker_range': INIT.PILLAR.docker.range,
 'sensoroni_key': INIT.PILLAR.sensoroni.sensoronikey,
 'application_urls': {},
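Review bot: The two new assignments run `jq` and `cat` against `$SOSTATUSLOG` before the `-f` test on the following line, so on a host where the file does not exist both commands print an error to stderr on every telegraf poll. Moving the reads inside the branch and quoting the path avoids that: `if [ -f "$SOSTATUSLOG" ]; then` / `SOSTATUSCODE=$(jq -r .status_code "$SOSTATUSLOG")` / `SOSTATUSJSON=$(jq -c . "$SOSTATUSLOG" | sed 's/\\/\\\\/g; s/"/\\"/g')`. The `sed 's/"/\\"/g'` escape covers double quotes only; the output looks like InfluxDB line protocol, where a backslash inside a quoted string field must be escaped as well and an embedded newline ends the record, and `jq -c .` additionally collapses the document to a single line and rejects malformed content instead of forwarding it. The enclosing `if [[ ! ... ]]` block shown in the hunk header closes outside the hunk.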
From aa8ce074f7e6e4176816568d7a86153c7c219d4d Mon Sep 17 00:00:00 2001
From: Mike Reeves Date: Mon, 19 Sep 2022 10:43:05 -0400 Subject: [PATCH 44/46] Fix sensoroni Agent
---
 salt/sensoroni/files/sensoroni.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json
index c57737612..4b545f5e0 100644
--- a/salt/sensoroni/files/sensoroni.json
+++ b/salt/sensoroni/files/sensoroni.json
@@ -1,4 +1,4 @@
-{%- from 'vars/globals.map.jinja' import GLOBALS %}
+{%- from 'vars/globals.map.jinja' import GLOBALS -%}
 {%- set ANALYZE_TIMEOUT_MS = salt['pillar.get']('sensoroni:analyze_timeout_ms', 900000) %}
 {%- set ANALYZE_PARALLEL_LIMIT = salt['pillar.get']('sensoroni:analyze_parallel_limit', 5) %}
 {%- set CHECKININTERVALMS = salt['pillar.get']('sensoroni:node_checkin_interval_ms', 10000) %}
@@ -23,7 +23,7 @@
 "role": "{{ GLOBALS.role }}",
 "description": {{ GLOBALS.description | tojson }},
 "address": "{{ GLOBALS.node_ip }}",
- "model": "{{ GLOBLAS.so_model }}",
+ "model": "{{ GLOBALS.so_model }}",
 "pollIntervalMs": {{ CHECKININTERVALMS if CHECKININTERVALMS else 10000 }},
 "serverUrl": "https://{{ GLOBALS.url_base }}/sensoroniagents",
 "verifyCert": false,
From 32034078fa3bf2ed1d0aac57e0925579ec2e8e89 Mon Sep 17 00:00:00 2001
From: Mike Reeves Date: Mon, 19 Sep 2022 10:48:36 -0400 Subject: [PATCH 45/46] Fix sensoroni Agent
---
 salt/vars/globals.map.jinja | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja
index 0dbe0f294..487cdf781 100644
--- a/salt/vars/globals.map.jinja
+++ b/salt/vars/globals.map.jinja
@@ -20,8 +20,8 @@
 'pipeline': INIT.PILLAR.global.pipeline,
 'so_version': INIT.PILLAR.global.soversion,
 'url_base': INIT.PILLAR.global.url_base,
- 'so_model': INIT.GRAINS.sosmodel,
- 'description': INIT.PILLAR.sensoroni.node_description,
+ 'so_model': INIT.GRAINS.get('sosmodel',''),
+ 'description': INIT.PILLAR.sensoroni.get('node_description',''),
 'docker_range': INIT.PILLAR.docker.range,
 'sensoroni_key': INIT.PILLAR.sensoroni.sensoronikey,
 'application_urls': {},
From 9095bc220561c297e86ae0fd8c006cbc023fb1b5 Mon Sep 17 00:00:00 2001
From: Wes Date: Mon, 19 Sep 2022 15:41:54 +0000 Subject: [PATCH 46/46] Re-establish Elasticsearch cluster (search) settings
---
 salt/elasticsearch/init.sls | 9 +++++ .../sbin/so-elasticsearch-cluster-settings | 36 +++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100755 salt/elasticsearch/tools/sbin/so-elasticsearch-cluster-settings
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index bc33598f3..be28a3712 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -346,6 +346,15 @@ append_so-elasticsearch_so-status.conf:
 - name: /opt/so/conf/so-status/so-status.conf
 - text: so-elasticsearch
+so-es-cluster-settings:
+ cmd.run:
+ - name: /usr/sbin/so-elasticsearch-cluster-settings
+ - cwd: /opt/so
+ - template: jinja
+ - require:
+ - docker_container: so-elasticsearch
+ - file: es_sync_scripts
+
 so-elasticsearch-templates:
 cmd.run:
 - name: /usr/sbin/so-elasticsearch-templates-load
diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-cluster-settings b/salt/elasticsearch/tools/sbin/so-elasticsearch-cluster-settings
new file mode 100755
index 000000000..a72ccaf56
--- /dev/null
+++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-cluster-settings
@@ -0,0 +1,36 @@
+#!/bin/bash
+{% set ES = salt['pillar.get']('manager:mainip', '') %}
+{% set MANAGER = salt['grains.get']('master') %}
+
+ELASTICSEARCH_PORT=9200
+
+# Wait for ElasticSearch to come up, so that we can query for version infromation
+echo -n "Waiting for ElasticSearch..."
+COUNT=0
+ELASTICSEARCH_CONNECTED="no"
+while [[ "$COUNT" -le 30 ]]; do
+ curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://localhost:"$ELASTICSEARCH_PORT"
+ if [ $? -eq 0 ]; then
+ ELASTICSEARCH_CONNECTED="yes"
+ echo "connected!"
+ break
+ else
+ ((COUNT+=1))
+ sleep 1
+ echo -n "."
+ fi
+done
+if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
+ echo
+ echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'docker ps' \n -running 'sudo so-elastic-restart'"
+ echo
+
+ exit
+fi
+
+# Check to see if config already exists
+CLUSTER_SETTINGS=$(so-elasticsearch-query _cluster/settings | jq .persistent.cluster.remote)
+if [[ ! -z "$CLUSTER_SETTINGS" ]]; then
+ echo "Applying cross cluster search config..."
+ so-elasticsearch-query _cluster/settings -d "{\"persistent\": {\"cluster\": {\"remote\": {\"{{ MANAGER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}" -XPUT
+fi
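Review bot: The guard `if [[ ! -z "$CLUSTER_SETTINGS" ]]` at the bottom of the new script is effectively always true, because `jq .persistent.cluster.remote` prints the literal `null` when the key is absent, so `$CLUSTER_SETTINGS` is never empty and the PUT runs on every invocation, which is also the opposite of what the comment `# Check to see if config already exists` suggests. If the intent is to apply the remote only when it is not yet present, test jq's exit status instead: `if ! so-elasticsearch-query _cluster/settings | jq -e .persistent.cluster.remote >/dev/null; then`. In the timeout branch the bare `exit` returns 0, so the `so-es-cluster-settings` cmd.run state that invokes this script reports success when Elasticsearch never answered; `exit 1` would make the failure visible in the highstate. `ES` is set from pillar on the second line but never used, and the comment on the wait loop says "infromation".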