Initial changes to add new auth framework

* Changes to evalmode only at this time
* Cleaned up nginx eval config
This commit is contained in:
William Wernert
2019-12-18 21:55:24 -05:00
parent b97ff72bc2
commit 2b6e2e0465
5 changed files with 94 additions and 32 deletions

salt/auth/init.sls Normal file

@@ -0,0 +1,44 @@
authdir:
file.directory:
- name: /opt/so/conf/auth
- user: 939
- group: 939
- makedirs: True
authfilesync:
file.recurse:
- name: /opt/so/conf/auth
- source: salt://auth/files
- user: 939
- group: 939
- template: jinja
so-auth-api-image:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-api:HH1.1.3
so-auth-ui-image:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-auth-ui:HH1.1.3
so-auth-api:
docker_container.running:
- require:
- so-auth-api-image
- image: docker.io/soshybridhunter/so-auth-api:HH1.1.3
- hostname: so-auth-api
- name: so-auth-api
- environment:
- BASE_PATH: "/so-auth/api"
- port_bindings:
- 0.0.0.0:5656:5656
so-auth-ui:
docker_container.running:
- require:
- so-auth-ui-image
- image: docker.io/soshybridhunter/so-auth-ui:HH1.1.3
- hostname: so-auth-ui
- name: so-auth-ui
- port_bindings:
- 0.0.0.0:4242:80
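Review bot: The `port_bindings` on so-auth-api (`0.0.0.0:5656:5656`) and so-auth-ui (`0.0.0.0:4242:80`) publish the auth API and login UI on every interface, so both are reachable directly over plain HTTP instead of only through the nginx locations that proxy `/so-auth/api/` and `/so-auth/loginpage/` to `{{ masterip }}:5656` and `:4242`. If nginx must reach them on the master's non-loopback address, that exposure should be covered by the `firewall` state and said here, e.g. `# published on all interfaces so nginx can proxy to {{ masterip }}:5656/4242; restricted by the firewall state`. Separately, `authdir`/`authfilesync` create and jinja-render /opt/so/conf/auth with no `dir_mode`/`file_mode`, yet neither container in this state mounts that directory; if the rendered files carry secrets, a `- file_mode: 600` plus a comment naming the state that consumes them would help. The tag HH1.1.3 is repeated four times across pulls and containers; a single `{% set AUTH_TAG = 'HH1.1.3' %}` at the top keeps them in step.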


@@ -58,9 +58,9 @@ http {
# } # }
#} #}
server { server {
listen 80 default_server; listen 80 default_server;
server_name _; server_name _;
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
} }
@@ -88,8 +88,8 @@ http {
# } # }
location /grafana/ { location /grafana/ {
rewrite /grafana/(.*) /$1 break; rewrite /grafana/(.*) /$1 break;
proxy_pass http://{{ masterip }}:3000/; proxy_pass http://{{ masterip }}:3000/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -100,10 +100,9 @@ http {
} }
location /kibana/ { location /kibana/ {
auth_basic "Security Onion"; auth_request /so-auth/api/auth/;
auth_basic_user_file /opt/so/conf/nginx/.htpasswd; rewrite /kibana/(.*) /$1 break;
rewrite /kibana/(.*) /$1 break; proxy_pass http://{{ masterip }}:5601/;
proxy_pass http://{{ masterip }}:5601/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -114,7 +113,7 @@ http {
} }
location /playbook/ { location /playbook/ {
proxy_pass http://{{ masterip }}:3200/playbook/; proxy_pass http://{{ masterip }}:3200/playbook/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -126,9 +125,8 @@ http {
location /navigator/ { location /navigator/ {
auth_basic "Security Onion"; auth_request /so-auth/api/auth/;
auth_basic_user_file /opt/so/conf/nginx/.htpasswd; proxy_pass http://{{ masterip }}:4200/navigator/;
proxy_pass http://{{ masterip }}:4200/navigator/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -139,7 +137,7 @@ http {
} }
location /api/ { location /api/ {
proxy_pass https://{{ masterip }}:8080/api/; proxy_pass https://{{ masterip }}:8080/api/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
@@ -152,7 +150,7 @@ http {
} }
location /fleet/ { location /fleet/ {
proxy_pass https://{{ masterip }}:8080/fleet/; proxy_pass https://{{ masterip }}:8080/fleet/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -163,10 +161,10 @@ http {
} }
location /thehive/ { location /thehive/ {
proxy_pass http://{{ masterip }}:9000/thehive/; proxy_pass http://{{ masterip }}:9000/thehive/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_http_version 1.1; # this is essential for chunked responses to work proxy_http_version 1.1; # this is essential for chunked responses to work
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -175,10 +173,10 @@ http {
} }
location /cortex/ { location /cortex/ {
proxy_pass http://{{ masterip }}:9001/cortex/; proxy_pass http://{{ masterip }}:9001/cortex/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_http_version 1.1; # this is essential for chunked responses to work proxy_http_version 1.1; # this is essential for chunked responses to work
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -187,10 +185,10 @@ http {
} }
location /cyberchef/ { location /cyberchef/ {
proxy_pass http://{{ masterip }}:9080/; proxy_pass http://{{ masterip }}:9080/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_http_version 1.1; # this is essential for chunked responses to work proxy_http_version 1.1; # this is essential for chunked responses to work
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -199,7 +197,7 @@ http {
} }
location /soctopus/ { location /soctopus/ {
proxy_pass http://{{ masterip }}:7000/; proxy_pass http://{{ masterip }}:7000/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
@@ -210,17 +208,16 @@ http {
} }
location /sensoroni/ { location /sensoroni/ {
auth_basic "Security Onion"; auth_request /so-auth/api/auth/;
auth_basic_user_file /opt/so/conf/nginx/.htpasswd; proxy_pass http://{{ masterip }}:9822/;
proxy_pass http://{{ masterip }}:9822/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy ""; proxy_set_header Proxy "";
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade"; proxy_set_header Connection "Upgrade";
} }
@@ -237,15 +234,34 @@ http {
} }
location /sensoroniagents/ { location /sensoroniagents/ {
proxy_pass http://{{ masterip }}:9822/; proxy_pass http://{{ masterip }}:9822/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy ""; proxy_set_header Proxy "";
} }
location /so-auth/loginpage/ {
proxy_pass http://{{ masterip }}:4242/;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /so-auth/api/ {
proxy_pass http://{{ masterip }}:5656/;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
}
error_page 401 = @error401;
location @error401 {
add_header Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/";
return 302 http://{{ masterip }}/so-auth/loginpage/;
}
error_page 404 /404.html; error_page 404 /404.html;
location = /40x.html { location = /40x.html {
} }
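Review bot: The `auth_request /so-auth/api/auth/;` lines added for /kibana/, /navigator/ and /sensoroni/ are resolved through the general `location /so-auth/api/` block in the last hunk, which is also the public proxy for the API and sets neither `proxy_pass_request_body off` nor `proxy_set_header Content-Length ""`; for a POST behind auth_request nginx forwards the original Content-Length with no body, so the auth backend can stall until timeout. A dedicated `internal` location for the check keeps the auth endpoint off the public path and fixes the body handling, as sketched below. The `@error401` handler also writes the NSREDIRECT cookie value and the 302 target as `http://{{ masterip }}...` even though the port-80 server earlier in this file 301s everything to https; if the login UI accepts an https value, using https there and adding `Secure` to the cookie removes the plaintext hop. The enclosing `http {` / `server {` blocks start and end outside these hunks.
```nginx
location = /so-auth/api/auth/ {
    internal;
    proxy_pass http://{{ masterip }}:5656/auth/;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
}
# … unchanged: /so-auth/loginpage/ and /so-auth/api/ locations …
error_page 401 = @error401;
location @error401 {
    add_header Set-Cookie "NSREDIRECT=https://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/;Secure";
    return 302 https://{{ masterip }}/so-auth/loginpage/;
}
```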


@@ -42,13 +42,13 @@ cybercheflog:
so-cyberchefimage: so-cyberchefimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-cyberchef:HH1.1.4 - name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-cyberchef:HH1.1.3
so-cyberchef: so-cyberchef:
docker_container.running: docker_container.running:
- require: - require:
- so-cyberchefimage - so-cyberchefimage
- image: docker.io/soshybridhunter/so-cyberchef:HH1.1.4 - image: docker.io/soshybridhunter/so-cyberchef:HH1.1.3
- interactive: True - interactive: True
- binds: - binds:
- /opt/so/saltstack/salt/cyberchef/build:/prod:rw - /opt/so/saltstack/salt/cyberchef/build:/prod:rw


@@ -48,6 +48,7 @@ base:
- firewall - firewall
- master - master
- idstools - idstools
- auth
{%- if OSQUERY != 0 %} {%- if OSQUERY != 0 %}
- mysql - mysql
{%- endif %} {%- endif %}


@@ -655,6 +655,7 @@ if (whiptail_you_sure) ; then
echo -e "XXX\n95\nSetting checkin to run on boot... \nXXX" echo -e "XXX\n95\nSetting checkin to run on boot... \nXXX"
checkin_at_boot >> $SETUPLOG 2>&1 checkin_at_boot >> $SETUPLOG 2>&1
echo -e "XX\n97\nFinishing touches... \nXXX" echo -e "XX\n97\nFinishing touches... \nXXX"
salt-call state.apply auth >> $SETUPLOG 2>&1
filter_unused_nics >> $SETUPLOG 2>&1 filter_unused_nics >> $SETUPLOG 2>&1
network_setup >> $SETUPLOG 2>&1 network_setup >> $SETUPLOG 2>&1
echo -e "XXX\n98\nVerifying Setup... \nXXX" echo -e "XXX\n98\nVerifying Setup... \nXXX"
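Review bot: The added `salt-call state.apply auth >> $SETUPLOG 2>&1` discards its exit status, so if the auth state fails (for example the `docker pull` in it does not complete) setup proceeds into `filter_unused_nics`, `network_setup` and the "Verifying Setup" step with the auth containers absent and only the log file showing why. The neighboring calls have the same shape, so if that is deliberate a one-line comment saying the failure is surfaced by the verification step would suffice; otherwise `salt-call state.apply auth >> $SETUPLOG 2>&1 || echo "auth state failed; see $SETUPLOG" >> $SETUPLOG` at least records it next to the other output. The enclosing `if (whiptail_you_sure)` block starts and ends outside the hunk.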