diff --git a/README.md b/README.md index d5a8586cf..0662e05be 100644 --- a/README.md +++ b/README.md @@ -1,20 +1,14 @@ -## Security Onion 2.3.140 +## Security Onion 2.3.120 -Security Onion 2.3.140 is here! +Security Onion 2.3.120 is here! ## Screenshots Alerts -![Alerts](./assets/images/screenshots/alerts.png) - -Dashboards -![Dashboards](./assets/images/screenshots/dashboards.png) +![Alerts](./assets/images/screenshots/alerts-1.png) Hunt -![Hunt](./assets/images/screenshots/hunt.png) - -Cases -![Cases](./assets/images/screenshots/cases-comments.png) +![Hunt](./assets/images/screenshots/hunt-1.png) ### Release Notes diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index d48743291..ce56cd48c 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,18 +1,18 @@ -### 2.3.140-20220718 ISO image built on 2022/07/18 +### 2.3.120-20220425 ISO image built on 2022/04/25 ### Download and Verify -2.3.140-20220718 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220718.iso +2.3.120-20220425 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.120-20220425.iso -MD5: 9570065548DBFA6230F28FF623A8B61A -SHA1: D48B2CC81DF459C3EBBC0C54BD9AAFAB4327CB75 -SHA256: 0E31E15EDFD3392B9569FCCAF1E4518432ECB0D7A174CCA745F2F22CDAC4A034 +MD5: C99729E452B064C471BEF04532F28556 +SHA1: 60BF07D5347C24568C7B793BFA9792E98479CFBF +SHA256: CD17D0D7CABE21D45FA45E1CF91C5F24EB9608C79FF88480134E5592AFDD696E Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220718.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.120-20220425.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
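Review bot: The README.md and VERIFY_ISO.md hunks move the documented release back from 2.3.140 to 2.3.120 (ISO URL, the MD5/SHA1/SHA256 values and the `.iso.sig` link all now describe the 2.3.120 image), while the VERSION hunk on the next line moves to 2.3.170, so one side of this commit is stale. If 2.3.170 is the release being cut, VERIFY_ISO.md needs the 2.3.170 ISO name, digests and signature link rather than the 2.3.120 ones; as written, anyone following the "Download and Verify" steps is verifying an older image against a version file that says otherwise. This looks like a merge that resurrected older documentation; worth confirming against the branch being merged before this lands.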
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220718.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.120-20220425.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220718.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.120-20220425.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.140-20220718.iso.sig securityonion-2.3.140-20220718.iso +gpg --verify securityonion-2.3.120-20220425.iso.sig securityonion-2.3.120-20220425.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Mon 18 Jul 2022 10:16:05 AM EDT using RSA key ID FE507013 +gpg: Signature made Mon 25 Apr 2022 08:20:40 AM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/VERSION b/VERSION index 3994a975c..c9583b108 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.3.140 +2.3.170 diff --git a/assets/images/screenshots/alerts-1.png b/assets/images/screenshots/alerts-1.png new file mode 100644 index 000000000..099710f4f Binary files /dev/null and b/assets/images/screenshots/alerts-1.png differ diff --git a/assets/images/screenshots/alerts.png b/assets/images/screenshots/alerts.png deleted file mode 100644 index ac8a1c828..000000000 Binary files a/assets/images/screenshots/alerts.png and /dev/null differ 
diff --git a/assets/images/screenshots/cases-comments.png b/assets/images/screenshots/cases-comments.png deleted file mode 100644 index 23bc00f95..000000000 Binary files a/assets/images/screenshots/cases-comments.png and /dev/null differ diff --git a/assets/images/screenshots/dashboards.png b/assets/images/screenshots/dashboards.png deleted file mode 100644 index 9f07adedc..000000000 Binary files a/assets/images/screenshots/dashboards.png and /dev/null differ diff --git a/assets/images/screenshots/hunt-1.png b/assets/images/screenshots/hunt-1.png new file mode 100644 index 000000000..089713847 Binary files /dev/null and b/assets/images/screenshots/hunt-1.png differ diff --git a/assets/images/screenshots/hunt.png b/assets/images/screenshots/hunt.png deleted file mode 100644 index f4c4347a8..000000000 Binary files a/assets/images/screenshots/hunt.png and /dev/null differ diff --git a/files/firewall/hostgroups.local.yaml b/files/firewall/hostgroups.local.yaml index 9e7babe00..5e16461a4 100644 --- a/files/firewall/hostgroups.local.yaml +++ b/files/firewall/hostgroups.local.yaml @@ -16,6 +16,10 @@ firewall: ips: delete: insert: + elastic_agent_endpoint: + ips: + delete: + insert: endgame: ips: delete: @@ -44,10 +48,6 @@ firewall: ips: delete: insert: - osquery_endpoint: - ips: - delete: - insert: receiver: ips: delete: @@ -67,16 +67,4 @@ firewall: syslog: ips: delete: - insert: - wazuh_agent: - ips: - delete: - insert: - wazuh_api: - ips: - delete: - insert: - wazuh_authd: - ips: - delete: - insert: + insert: \ No newline at end of file diff --git a/files/salt/master/master b/files/salt/master/master index 5db41fb90..070a6f3f3 100644 --- a/files/salt/master/master +++ b/files/salt/master/master @@ -65,8 +65,6 @@ peer: - x509.sign_remote_certificate reactor: - - 'so/fleet': - - salt://reactor/fleet.sls - 'salt/beacon/*/watch_sqlite_db//opt/so/conf/kratos/db/sqlite.db': - salt://reactor/kratos.sls 
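Review bot: The last hostgroups.local.yaml hunk ends with `+    insert:` followed by `\ No newline at end of file`, so the only effective change to that line is a lost trailing newline; the new salt/common/packages.sls later in this commit ends the same way. Restore the newline in both so the files stop churning on every edit and so anything that appends to them produces well-formed YAML. Removing the `osquery_endpoint` and `wazuh_*` groups from this local file presumably goes with the Wazuh/osquery removal elsewhere in the commit, but any `ips:` values an operator had placed under those keys will silently stop being read, which is worth a line in the release notes.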
diff --git a/pillar/logstash/init.sls b/pillar/logstash/init.sls index 4e96b400d..7ad31cf9b 100644 --- a/pillar/logstash/init.sls +++ b/pillar/logstash/init.sls @@ -3,6 +3,7 @@ logstash: port_bindings: - 0.0.0.0:3765:3765 - 0.0.0.0:5044:5044 + - 0.0.0.0:5055:5055 - 0.0.0.0:5644:5644 - 0.0.0.0:6050:6050 - 0.0.0.0:6051:6051 diff --git a/pillar/logstash/manager.sls b/pillar/logstash/manager.sls index 00d82f86a..cfeb0a6ae 100644 --- a/pillar/logstash/manager.sls +++ b/pillar/logstash/manager.sls @@ -5,5 +5,6 @@ logstash: - so/0009_input_beats.conf - so/0010_input_hhbeats.conf - so/0011_input_endgame.conf + - so/0012_input_elastic_agent.conf - so/9999_output_redis.conf.jinja \ No newline at end of file diff --git a/pillar/logstash/nodes.sls b/pillar/logstash/nodes.sls index 935574ff9..18c4b39bf 100644 --- a/pillar/logstash/nodes.sls +++ b/pillar/logstash/nodes.sls @@ -2,7 +2,7 @@ {% set cached_grains = salt.saltutil.runner('cache.grains', tgt='*') %} {% for minionid, ip in salt.saltutil.runner( 'mine.get', - tgt='G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-node or G@role:so-heavynode or G@role:so-receiver or G@role:so-helix', + tgt='G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-node or G@role:so-heavynode or G@role:so-receiver or G@role:so-helix ', fun='network.ip_addrs', tgt_type='compound') | dictsort() %} diff --git a/pillar/logstash/search.sls b/pillar/logstash/search.sls index cd810106d..fb10d18e7 100644 --- a/pillar/logstash/search.sls +++ b/pillar/logstash/search.sls @@ -14,5 +14,5 @@ logstash: - so/9700_output_strelka.conf.jinja - so/9800_output_logscan.conf.jinja - so/9801_output_rita.conf.jinja - - so/9802_output_kratos.conf.jinja + - so/9805_output_elastic_agent.conf.jinja - so/9900_output_endgame.conf.jinja diff --git a/pillar/top.sls b/pillar/top.sls index 1cf3bdc8a..1c3fb9635 100644 --- a/pillar/top.sls +++ b/pillar/top.sls 
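Review bot: The only change to the compound target in pillar/logstash/nodes.sls is a trailing space inside the string (`... or G@role:so-helix '`), which adds nothing and will confuse the next diff; drop it. The same commit renames the `so-node` role to `so-searchnode` in salt/allowed_states.map.jinja (the `'so-searchnode': [` key and the mysql/elasticsearch/curator/logstash role lists), yet this target still lists only `G@role:so-node`, so if the role grain is renamed as well those minions drop out of the logstash node list; confirm whether the grain changes and, if so, add `G@role:so-searchnode` here. The enclosing `for` loop continues outside the hunk.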
@@ -2,6 +2,10 @@ base: '*': - patch.needs_restarting - logrotate + - docker.soc_docker + - docker.adv_docker + - sensoroni.soc_sensoroni + - sensoroni.adv_sensoroni '* and not *_eval and not *_import': - logstash.nodes 
@@ -24,113 +28,124 @@ base: '*_manager or *_managersearch': - match: compound - - data.* -{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} - elasticsearch.auth -{% endif %} -{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} + {% endif %} + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} - kibana.secrets -{% endif %} + {% endif %} - secrets - - global + - soc_global + - adv_global + - manager.soc_manager + - manager.adv_manager + - soc.soc_soc + - soc.adv_soc - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} '*_sensor': - - zeeklogs + - zeek.zeeklogs - healthcheck.sensor - - global + - soc_global + - adv_global - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} '*_eval': - - data.* - - zeeklogs + - zeel.zeeklogs - secrets - healthcheck.eval - elasticsearch.index_templates -{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} - elasticsearch.auth -{% endif %} -{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} + {% endif %} - kibana.secrets -{% endif %} - - global + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} + - soc_global + {% endif %} + - elasticsearch.soc_elasticsearch + - manager.soc_manager + - soc.soc_soc - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} '*_standalone': - logstash - logstash.manager - logstash.search + - logstash.soc_logstash - elasticsearch.index_templates -{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} - elasticsearch.auth -{% endif %} -{% if 
salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} + {% endif %} + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} - kibana.secrets -{% endif %} - - data.* - - zeeklogs + {% endif %} + - zeek.zeeklogs - secrets - healthcheck.standalone - - global - - minions.{{ grains.id }} - - '*_node': - - global + - soc_global + - kratos.soc_kratos + - elasticsearch.soc_elasticsearch + - manager.soc_manager + - soc.soc_soc - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} '*_heavynode': - - zeeklogs + - zeek.zeeklogs - elasticsearch.auth - - global - - minions.{{ grains.id }} - - '*_helixsensor': - - fireeye - - zeeklogs - - logstash - - logstash.helix - - global - - minions.{{ grains.id }} - - '*_fleet': - - data.* - - secrets - - global + - soc_global - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} '*_idh': - - data.* - - global + - soc_global + - adv_global - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} '*_searchnode': - logstash - logstash.search - elasticsearch.index_templates + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} - elasticsearch.auth - - global + {% endif %} + - soc_global + - adv_global - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} - data.nodestab '*_receiver': - logstash - logstash.receiver + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} - elasticsearch.auth - - global + {% endif %} + - soc_global + - adv_global - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} '*_import': - - zeeklogs + - zeek.zeeklogs - secrets - elasticsearch.index_templates -{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} - elasticsearch.auth -{% endif %} -{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} + {% endif 
%} + {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} - kibana.secrets -{% endif %} - - global + {% endif %} + - soc_global + - adv_global + - manager.soc_manager - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} '*_workstation': - minions.{{ grains.id }} + - minions.adv_{{ grains.id }} diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 3dbc6d24a..ed530ac91 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -1,10 +1,11 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %} -{% set WAZUH = salt['pillar.get']('global:wazuh', '0') %} {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %} -{% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %} -{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %} -{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} -{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} {% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %} {% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %} {% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %} @@ -35,6 +36,7 @@ 'grafana', 'soc', 'kratos', + 'elastic-fleet', 'firewall', 'idstools', 'suricata.manager', @@ -77,24 +79,10 @@ 'tcpreplay', 'docker_clean' ], - 'so-fleet': [ - 'ssl', - 'nginx', - 'telegraf', - 'firewall', - 'mysql', - 'redis', - 'fleet', - 'fleet.install_package', - 'filebeat', - 'schedule', - 'docker_clean' - ], 'so-idh': [ 'ssl', 'telegraf', 'firewall', - 'fleet.install_package', 'filebeat', 'idh', 'schedule', 
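Review bot: Under `'*_eval'` the new line `- zeel.zeeklogs` is a typo for `- zeek.zeeklogs` (every other role uses `zeek.zeeklogs`), which will make pillar rendering for eval nodes fail on a missing pillar. In the same block the kibana guard is misplaced: `- kibana.secrets` is now included unconditionally, while the new `{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}` wraps `- soc_global` instead, so eval nodes lose `soc_global` whenever that secrets file is absent; move the `{% if %}` above `- kibana.secrets` and leave `- soc_global` outside the guard, as the manager block does. It also looks like `adv_global` is added for manager, sensor, idh, searchnode, receiver and import but not for eval, standalone or heavynode; confirm that asymmetry is intended.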
@@ -133,6 +121,7 @@ 'grafana', 'soc', 'kratos', + 'elastic-fleet', 'firewall', 'idstools', 'suricata.manager', @@ -153,6 +142,7 @@ 'grafana', 'soc', 'kratos', + 'elastic-fleet', 'firewall', 'manager', 'idstools', @@ -163,7 +153,7 @@ 'docker_clean', 'learn' ], - 'so-node': [ + 'so-searchnode': [ 'ssl', 'nginx', 'telegraf', @@ -183,6 +173,7 @@ 'grafana', 'soc', 'kratos', + 'elastic-fleet', 'firewall', 'idstools', 'suricata.manager', @@ -204,7 +195,6 @@ 'pcap', 'suricata', 'healthcheck', - 'wazuh', 'filebeat', 'schedule', 'tcpreplay', 
@@ -221,26 +211,14 @@ ], }, grain='role') %} - {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import', 'so-receiver'] %} + {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import', 'so-receiver'] %} {% do allowed_states.append('filebeat') %} {% endif %} - {% if ((FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0) and grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %} + {% if (PLAYBOOK != 0) and grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %} {% do allowed_states.append('mysql') %} {% endif %} - {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver'] %} - {% do allowed_states.append('fleet.install_package') %} - {% endif %} - - {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode'] %} - {% do allowed_states.append('fleet') %} - {% endif %} - - {% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-eval'] %} - {% do allowed_states.append('redis') %} - {% endif %} - {%- if ZEEKVER != 'SURICATA' and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %} {% do allowed_states.append('zeek') %} {%- endif %} 
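Review bot: The rewritten mysql condition `{% if (PLAYBOOK != 0) and grains.role in [...] %}` compares against the integer 0, but PLAYBOOK is read in this file's first hunk with the string default `'0'`, and in Jinja `'0' != 0` is true, so on any node where the pillar is unset `mysql` is appended for every eval/manager/managersearch/standalone role. If playbook is meant to be opt-in, normalise before comparing, e.g. `{% if PLAYBOOK|string != '0' and grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %}`. Whether the pillar holds an int or a string when playbook is enabled is not visible here, so check the pillar definition before choosing the form.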
@@ -249,11 +227,7 @@ {% do allowed_states.append('strelka') %} {% endif %} - {% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver','so-idh']%} - {% do allowed_states.append('wazuh') %} - {% endif %} - - {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import'] %} + {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %} {% do allowed_states.append('elasticsearch') %} {% endif %} @@ -266,7 +240,7 @@ {% do allowed_states.append('kibana.secrets') %} {% endif %} - {% if grains.role in ['so-eval', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-manager'] %} + {% if grains.role in ['so-eval', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-manager'] %} {% do allowed_states.append('curator') %} {% endif %} @@ -282,15 +256,7 @@ {% do allowed_states.append('redis') %} {% endif %} - {% if (FREQSERVER !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %} - {% do allowed_states.append('freqserver') %} - {% endif %} - - {% if (DOMAINSTATS !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %} - {% do allowed_states.append('domainstats') %} - {% endif %} - - {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver'] %} + {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %} {% do allowed_states.append('logstash') %} {% endif %} diff --git a/salt/ca/init.sls b/salt/ca/init.sls index 8bddd4798..c857b331e 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls 
@@ -1,10 +1,16 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} + include: - ca.dirs -{% set manager = salt['grains.get']('master') %} /etc/salt/minion.d/signing_policies.conf: file.managed: - source: salt://ca/files/signing_policies.conf @@ -25,7 +31,7 @@ pki_public_ca_crt: x509.certificate_managed: - name: /etc/pki/ca.crt - signing_private_key: /etc/pki/ca.key - - CN: {{ manager }} + - CN: {{ GLOBALS.manager }} - C: US - ST: Utah - L: Salt Lake City diff --git a/salt/common/init.sls b/salt/common/init.sls index 0eaf5e77e..c391c127e 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -2,10 +2,10 @@ {% if sls in allowed_states %} {% set role = grains.id.split('_') | last %} -{% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %} include: - common.soup_scripts + - common.packages {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %} - manager.elasticsearch # needed for elastic_curl_config state {% endif %} @@ -15,11 +15,6 @@ rmvariablesfile: file.absent: - name: /tmp/variables.txt -dockergroup: - group.present: - - name: docker - - gid: 920 - # Add socore Group socoregroup: group.present: 
@@ -88,92 +83,6 @@ vimconfig: - source: salt://common/files/vimrc - replace: False -# Install common packages -{% if grains['os'] != 'CentOS' %} -commonpkgs: - pkg.installed: - - skip_suggestions: True - - pkgs: - - apache2-utils - - wget - - ntpdate - - jq - - python3-docker - - curl - - ca-certificates - - software-properties-common - - apt-transport-https - - openssl - - netcat - - python3-mysqldb - - sqlite3 - - libssl-dev - - python3-dateutil - - python3-m2crypto - - python3-mysqldb - - python3-packaging - - python3-lxml - - git - - vim - -heldpackages: - pkg.installed: - - pkgs: - {% if grains['oscodename'] == 'bionic' %} - - containerd.io: 1.4.4-1 - - docker-ce: 5:20.10.5~3-0~ubuntu-bionic - - docker-ce-cli: 5:20.10.5~3-0~ubuntu-bionic - - docker-ce-rootless-extras: 5:20.10.5~3-0~ubuntu-bionic - {% elif grains['oscodename'] == 'focal' %} - - containerd.io: 1.4.9-1 - - docker-ce: 5:20.10.8~3-0~ubuntu-focal - - docker-ce-cli: 5:20.10.5~3-0~ubuntu-focal - - docker-ce-rootless-extras: 5:20.10.5~3-0~ubuntu-focal - {% endif %} - - hold: True - - update_holds: True - -{% else %} -commonpkgs: - pkg.installed: - - skip_suggestions: True - - pkgs: - - wget - - ntpdate - - bind-utils - - jq - - tcpdump - - httpd-tools - - net-tools - - curl - - sqlite - - mariadb-devel - - nmap-ncat - - python3 - - python36-docker - - python36-dateutil - - python36-m2crypto - - python36-mysql - - python36-packaging - - python36-lxml - - yum-utils - - device-mapper-persistent-data - - lvm2 - - openssl - - git - - vim-enhanced - -heldpackages: - pkg.installed: - - pkgs: - - containerd.io: 1.4.4-3.1.el7 - - docker-ce: 3:20.10.5-3.el7 - - docker-ce-cli: 1:20.10.5-3.el7 - - docker-ce-rootless-extras: 20.10.5-3.el7 - - hold: True - - update_holds: True -{% endif %} - # Always keep these packages up to date alwaysupdated: 
@@ -188,7 +97,6 @@ alwaysupdated: Etc/UTC: timezone.system -{% if salt['pillar.get']('elasticsearch:auth:enabled', False) %} elastic_curl_config: file.managed: - name: /opt/so/conf/elasticsearch/curl.config @@ -200,7 +108,6 @@ elastic_curl_config: - require: - file: elastic_curl_config_distributed {% endif %} -{% endif %} # Sync some Utilities utilsyncscripts: @@ -211,10 +118,6 @@ utilsyncscripts: - file_mode: 755 - template: jinja - source: salt://common/tools/sbin - - defaults: - ELASTICCURL: 'curl' - - context: - ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} - exclude_pat: - so-common - so-firewall @@ -339,32 +242,6 @@ soversionfile: {% endif %} -# Manager daemon.json -docker_daemon: - file.managed: - - source: salt://common/files/daemon.json - - name: /etc/docker/daemon.json - - template: jinja - -# Make sure Docker is always running -docker: - service.running: - - enable: True - - watch: - - file: docker_daemon - -# Reserve OS ports for Docker proxy in case boot settings are not already applied/present -# 55000 = Wazuh, 57314 = Strelka, 47760-47860 = Zeek -dockerapplyports: - cmd.run: - - name: if [ ! -s /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314,47760-47860"; fi - -# Reserve OS ports for Docker proxy -dockerreserveports: - file.managed: - - source: salt://common/files/99-reserved-ports.conf - - name: /etc/sysctl.d/99-reserved-ports.conf - {% if salt['grains.get']('sosmodel', '') %} {% if grains['os'] == 'CentOS' %} # Install Raid tools diff --git a/salt/common/packages.sls b/salt/common/packages.sls new file mode 100644 index 000000000..c6dfe8f7b --- /dev/null +++ b/salt/common/packages.sls 
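Review bot: The `utilsyncscripts` hunk removes the `ELASTICCURL` `defaults:`/`context:` while keeping `- template: jinja`, and the first hunk of this file drops the `ELASTICAUTH` import; any script under salt://common/tools/sbin that still references `{{ ELASTICCURL }}` will now fail to render, which this diff cannot rule out. Grep that directory for the variable (or give the template a default) before merging. Removing the `{% if salt['pillar.get']('elasticsearch:auth:enabled', False) %}` guard also makes `elastic_curl_config` unconditional; if /opt/so/conf/elasticsearch/curl.config carries credentials, confirm the `file.managed` mode set outside this hunk is restrictive, since the file is now written even where auth is disabled.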
@@ -0,0 +1,61 @@ +{% if grains['os'] != 'CentOS' %} +commonpkgs: + pkg.installed: + - skip_suggestions: True + - pkgs: + - wget + - jq + - tcpdump + - httpd-tools + - net-tools + - curl + - sqlite + - mariadb-devel + - python3-dnf-plugin-versionlock + - nmap-ncat + - createrepo + - python3-lxml + - python3-packaging + - yum-utils + - device-mapper-persistent-data + - lvm2 + - openssl + - git + - vim-enhanced + - python3-docker + + +{% else %} +commonpkgs: + pkg.installed: + - skip_suggestions: True + - pkgs: + - wget + - ntpdate + - bind-utils + - jq + - tcpdump + - httpd-tools + - net-tools + - curl + - sqlite + - mariadb-devel + - nmap-ncat + - python3 + - python36-packaging + - python36-lxml + - python36-docker + - python36-dateutil + - python36-m2crypto + - python36-mysql + - python36-packaging + - python36-lxml + - yum-utils + - device-mapper-persistent-data + - lvm2 + - openssl + - git + - vim-enhanced + - yum-plugin-versionlock + +{% endif %} \ No newline at end of file diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index faa546774..6738126df 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow 
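Review bot: The CentOS branch of the new packages.sls lists `python36-packaging` and `python36-lxml` twice; drop the duplicates. The `{% if grains['os'] != 'CentOS' %}` branch installs yum/dnf-named packages (`python3-dnf-plugin-versionlock`, `yum-utils`, `createrepo`, `vim-enhanced`), so it can only serve another EL-family OS rather than the Debian/Ubuntu case the removed block in common/init.sls handled; a comment at the top such as `# non-CentOS branch: dnf-based EL systems only; Debian/Ubuntu package lists were removed` would stop a later reader treating it as a generic fallback — please confirm that is the intent. The pinned `heldpackages` states for docker-ce/containerd.io removed from common/init.sls have no counterpart here, so confirm they moved with the new `docker.*` pillars.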
@@ -1,19 +1,11 @@ #!/usr/bin/env python3 -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + import ipaddress import textwrap @@ -28,17 +20,13 @@ from datetime import timezone as tz LOCAL_SALT_DIR='/opt/so/saltstack/local' -WAZUH_CONF='/nsm/wazuh/etc/ossec.conf' VALID_ROLES = { 'a': { 'role': 'analyst','desc': 'Analyst - 80/tcp, 443/tcp' }, 'b': { 'role': 'beats_endpoint', 'desc': 'Logstash Beat - 5044/tcp' }, 'e': { 'role': 'elasticsearch_rest', 'desc': 'Elasticsearch REST API - 9200/tcp' }, 'f': { 'role': 'strelka_frontend', 'desc': 'Strelka frontend - 57314/tcp' }, - 'o': { 'role': 'osquery_endpoint', 'desc': 'Osquery endpoint - 8090/tcp' }, 's': { 'role': 'syslog', 'desc': 'Syslog device - 514/tcp/udp' }, - 'w': { 'role': 'wazuh_agent', 'desc': 'Wazuh agent - 1514/tcp/udp' }, - 'p': { 'role': 'wazuh_api', 'desc': 'Wazuh API - 55000/tcp' }, - 'r': { 'role': 'wazuh_authd', 'desc': 'Wazuh registration service - 1515/tcp' } + 't': { 'role': 'elastic_agent_endpoint', 'desc': 'Elastic Agent endpoint - 8220/tcp,5055/tcp' } } 
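Review bot: With `wazuh_enabled`, `root_to_str` and `add_wl` removed in the later hunk, the `from datetime import timezone as tz` shown as this hunk's context line, and presumably the `dt` and lxml `ET` imports beside it outside the hunk, are no longer used; remove them so the script stops importing lxml for nothing, if nothing else in the file uses it. The new `'t'` entry `'Elastic Agent endpoint - 8220/tcp,5055/tcp'` lines up with the `elastic_agent_endpoint` hostgroup and the 5055 logstash binding added elsewhere in this commit.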
@@ -77,65 +65,15 @@ def ip_prompt() -> str: sys.exit(1) -def wazuh_enabled() -> bool: - file = f'{LOCAL_SALT_DIR}/pillar/global.sls' - with open(file, 'r') as pillar: - if 'wazuh: 1' in pillar.read(): - return True - return False - - -def root_to_str(root: ET.ElementTree) -> str: - return ET.tostring(root, encoding='unicode', method='xml', xml_declaration=False, pretty_print=True) - - -def add_wl(ip): - parser = ET.XMLParser(remove_blank_text=True) - with open(WAZUH_CONF, 'rb') as wazuh_conf: - tree = ET.parse(wazuh_conf, parser) - root = tree.getroot() - - source_comment = ET.Comment(f'Address {ip} added by /usr/sbin/so-allow on {dt.utcnow().replace(tzinfo=tz.utc).strftime("%a %b %e %H:%M:%S %Z %Y")}') - new_global = ET.Element("global") - new_wl = ET.SubElement(new_global, 'white_list') - new_wl.text = ip - - root.append(source_comment) - root.append(new_global) - - with open(WAZUH_CONF, 'w') as add_out: - add_out.write(root_to_str(root)) - - def apply(role: str, ip: str) -> int: firewall_cmd = ['so-firewall', 'includehost', role, ip] salt_cmd = ['salt-call', 'state.apply', '-l', 'quiet', 'firewall', 'queue=True'] - restart_wazuh_cmd = ['so-wazuh-restart'] print(f'Adding {ip} to the {role} role. 
This can take a few seconds...') cmd = subprocess.run(firewall_cmd) if cmd.returncode == 0: cmd = subprocess.run(salt_cmd, stdout=subprocess.DEVNULL) else: return cmd.returncode - if cmd.returncode == 0: - if wazuh_enabled() and role=='analyst': - try: - add_wl(ip) - print(f'Added whitelist entry for {ip} from {WAZUH_CONF}', file=sys.stderr) - except Exception as e: - print(f'Failed to add whitelist entry for {ip} from {WAZUH_CONF}', file=sys.stderr) - print(e) - return 1 - print('Restarting OSSEC Server...') - cmd = subprocess.run(restart_wazuh_cmd) - else: - return cmd.returncode - else: - print(f'Commmand \'{" ".join(salt_cmd)}\' failed.', file=sys.stderr) - return cmd.returncode - if cmd.returncode != 0: - print('Failed to restart OSSEC server.') - return cmd.returncode def main(): 
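Review bot: After the removals `apply()` has no return on its success path: once `so-firewall includehost` succeeds it runs `salt-call` and then falls off the end, returning `None` despite the `-> int` annotation, so a failing `salt-call state.apply firewall` is never reported to the caller. Add `return cmd.returncode` after the `if`/`else`, and keep the dropped diagnostic before it, e.g. `if cmd.returncode != 0: print(f'Command \'{" ".join(salt_cmd)}\' failed.', file=sys.stderr)`. How main() consumes the return value is outside the hunk.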
@@ -156,11 +94,8 @@ def main(): group.add_argument('-b', dest='roles', action='append_const', const=VALID_ROLES['b']['role'], help="Logstash Beat - 5044/tcp") group.add_argument('-e', dest='roles', action='append_const', const=VALID_ROLES['e']['role'], help="Elasticsearch REST API - 9200/tcp") group.add_argument('-f', dest='roles', action='append_const', const=VALID_ROLES['f']['role'], help="Strelka frontend - 57314/tcp") - group.add_argument('-o', dest='roles', action='append_const', const=VALID_ROLES['o']['role'], help="Osquery endpoint - 8090/tcp") group.add_argument('-s', dest='roles', action='append_const', const=VALID_ROLES['s']['role'], help="Syslog device - 514/tcp/udp") - group.add_argument('-w', dest='roles', action='append_const', const=VALID_ROLES['w']['role'], help="Wazuh agent - 1514/tcp/udp") - group.add_argument('-p', dest='roles', action='append_const', const=VALID_ROLES['p']['role'], help="Wazuh API - 55000/tcp") - group.add_argument('-r', dest='roles', action='append_const', const=VALID_ROLES['r']['role'], help="Wazuh registration service - 1515/tcp") + group.add_argument('-t', dest='roles', action='append_const', const=VALID_ROLES['t']['role'], help="Elastic Agent endpoint - 8220/tcp,5055/tcp") ip_g = main_parser.add_argument_group(title='allow') ip_g.add_argument('-i', help="IP or CIDR block to disallow connections from, requires at least one role argument", metavar='', dest='ip') diff --git a/salt/common/tools/sbin/so-allow-view b/salt/common/tools/sbin/so-allow-view index 37c6ad87a..58b972ee2 100755 --- a/salt/common/tools/sbin/so-allow-view +++ b/salt/common/tools/sbin/so-allow-view 
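Review bot: The new `-t` option repeats the literal `"Elastic Agent endpoint - 8220/tcp,5055/tcp"` that VALID_ROLES['t']['desc'] already holds, as the older options do; `help=VALID_ROLES['t']['role'] and VALID_ROLES['t']['desc']` or simply `help=VALID_ROLES['t']['desc']` keeps the two from drifting. The `-i` help text in this hunk's context, `IP or CIDR block to disallow connections from`, reads like a copy from so-deny; for so-allow it should say `allow connections to`.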
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-analyst-install b/salt/common/tools/sbin/so-analyst-install index 12b940897..656aa5e4c 100755 --- a/salt/common/tools/sbin/so-analyst-install +++ b/salt/common/tools/sbin/so-analyst-install 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . doc_workstation_url="https://docs.securityonion.net/en/2.3/analyst-vm.html" {# we only want the script to install the workstation if it is CentOS -#} diff --git a/salt/common/tools/sbin/so-checkin b/salt/common/tools/sbin/so-checkin index 0858a96e2..db35af410 100755 --- a/salt/common/tools/sbin/so-checkin +++ b/salt/common/tools/sbin/so-checkin 
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 7b5f29c00..c0b028130 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 DEFAULT_SALT_DIR=/opt/so/saltstack/default
@@ -162,15 +154,12 @@ elastic_license() {
 read -r -d '' message <<- EOM
 \n
-Starting in Elastic Stack version 7.11, the Elastic Stack binaries are only available under the Elastic License:
-https://securityonion.net/elastic-license
-
-Please review the Elastic License:
+Elastic Stack binaries and Security Onion components are only available under the Elastic License version 2 (ELv2):
 https://www.elastic.co/licensing/elastic-license
-Do you agree to the terms of the Elastic License?
+Do you agree to the terms of ELv2?
-If so, type AGREE to accept the Elastic License and continue. Otherwise, press Enter to exit this program without making any changes.
+If so, type AGREE to accept ELv2 and continue. Otherwise, press Enter to exit this program without making any changes.
 EOM
 AGREED=$(whiptail --title "$whiptail_title" --inputbox \
@@ -206,7 +195,7 @@ gpg_rpm_import() {
 local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/centos/keys"
 fi
-RPMKEYS=('RPM-GPG-KEY-EPEL-7' 'GPG-KEY-WAZUH' 'docker.pub' 'SALTSTACK-GPG-KEY.pub' 'securityonion.pub')
+RPMKEYS=('RPM-GPG-KEY-EPEL-7' 'docker.pub' 'SALTSTACK-GPG-KEY.pub' 'securityonion.pub')
 for RPMKEY in "${RPMKEYS[@]}"; do
 rpm --import $RPMKEYSLOC/$RPMKEY
diff --git a/salt/common/tools/sbin/so-config-backup b/salt/common/tools/sbin/so-config-backup
index fee7c4ffe..3a84d9ee8 100755
--- a/salt/common/tools/sbin/so-config-backup
+++ b/salt/common/tools/sbin/so-config-backup
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .. /usr/sbin/so-common
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-common
 {% set BACKUPLOCATIONS = salt['pillar.get']('backup:locations', {}) %}
 TODAY=$(date '+%Y_%m_%d')
diff --git a/salt/common/tools/sbin/so-cortex-restart b/salt/common/tools/sbin/so-cortex-restart
index 3ebf42430..fe8193bf7 100755
--- a/salt/common/tools/sbin/so-cortex-restart
+++ b/salt/common/tools/sbin/so-cortex-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-cortex-start b/salt/common/tools/sbin/so-cortex-start
index 787393583..25b2c99c5 100755
--- a/salt/common/tools/sbin/so-cortex-start
+++ b/salt/common/tools/sbin/so-cortex-start
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-cortex-stop b/salt/common/tools/sbin/so-cortex-stop
index 73745a1fc..036ab5689 100755
--- a/salt/common/tools/sbin/so-cortex-stop
+++ b/salt/common/tools/sbin/so-cortex-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-cortex-user-add b/salt/common/tools/sbin/so-cortex-user-add
index 3ebf42430..fe8193bf7 100755
--- a/salt/common/tools/sbin/so-cortex-user-add
+++ b/salt/common/tools/sbin/so-cortex-user-add
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-cortex-user-enable b/salt/common/tools/sbin/so-cortex-user-enable
index 3ebf42430..fe8193bf7 100755
--- a/salt/common/tools/sbin/so-cortex-user-enable
+++ b/salt/common/tools/sbin/so-cortex-user-enable
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-curator-restart b/salt/common/tools/sbin/so-curator-restart
index 2f8a19467..f57e7b22e 100755
--- a/salt/common/tools/sbin/so-curator-restart
+++ b/salt/common/tools/sbin/so-curator-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-curator-start b/salt/common/tools/sbin/so-curator-start
index ce92fcea9..c5f0fc4d1 100755
--- a/salt/common/tools/sbin/so-curator-start
+++ b/salt/common/tools/sbin/so-curator-start
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-curator-stop b/salt/common/tools/sbin/so-curator-stop
index 8daf2bd52..30fb07e4b 100755
--- a/salt/common/tools/sbin/so-curator-stop
+++ b/salt/common/tools/sbin/so-curator-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-deny b/salt/common/tools/sbin/so-deny
index efacbab45..a8814b7ea 100755
--- a/salt/common/tools/sbin/so-deny
+++ b/salt/common/tools/sbin/so-deny
@@ -1,19 +1,11 @@
 #!/usr/bin/env python3
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 import ipaddress
 import textwrap
@@ -27,17 +19,12 @@ from xml.dom import minidom
 LOCAL_SALT_DIR='/opt/so/saltstack/local'
-WAZUH_CONF='/nsm/wazuh/etc/ossec.conf'
 VALID_ROLES = {
 'a': { 'role': 'analyst','desc': 'Analyst - 80/tcp, 443/tcp' },
 'b': { 'role': 'beats_endpoint', 'desc': 'Logstash Beat - 5044/tcp' },
 'e': { 'role': 'elasticsearch_rest', 'desc': 'Elasticsearch REST API - 9200/tcp' },
 'f': { 'role': 'strelka_frontend', 'desc': 'Strelka frontend - 57314/tcp' },
-'o': { 'role': 'osquery_endpoint', 'desc': 'Osquery endpoint - 8090/tcp' },
 's': { 'role': 'syslog', 'desc': 'Syslog device - 514/tcp/udp' },
-'w': { 'role': 'wazuh_agent', 'desc': 'Wazuh agent - 1514/tcp/udp' },
-'p': { 'role': 'wazuh_api', 'desc': 'Wazuh API - 55000/tcp' },
-'r': { 'role': 'wazuh_authd', 'desc': 'Wazuh registration service - 1515/tcp' }
 }
@@ -76,73 +63,15 @@ def ip_prompt() -> str:
 sys.exit(1)
-def wazuh_enabled() -> bool:
- for file in os.listdir(f'{LOCAL_SALT_DIR}/pillar'):
- with open(file, 'r') as pillar:
- if 'wazuh: 1' in pillar.read():
- return True
- return False
-
-
-def root_to_str(root: ET.ElementTree) -> str:
- xml_str = ET.tostring(root, encoding='unicode', method='xml').replace('\n', '')
- xml_str = re.sub(r'(?:(?<=>) *)', '', xml_str)
-
- # Remove specific substrings to better format comments on intial parse/write
- xml_str = re.sub(r' -', '', xml_str)
- xml_str = re.sub(r' -->', ' -->', xml_str)
-
- dom = minidom.parseString(xml_str)
- return dom.toprettyxml(indent=" ")
-
-
-def rem_wl(ip):
- parser = ET.XMLParser(remove_blank_text=True)
- with open(WAZUH_CONF, 'rb') as wazuh_conf:
- tree = ET.parse(wazuh_conf, parser)
- root = tree.getroot()
-
- global_elems = root.findall(f"global/white_list[. = '{ip}']/..")
- if len(global_elems) > 0:
- for g_elem in global_elems:
- ge_index = list(root).index(g_elem)
- if ge_index > 0 and root[list(root).index(g_elem) - 1].tag == ET.Comment:
- root.remove(root[ge_index - 1])
- root.remove(g_elem)
-
- with open(WAZUH_CONF, 'w') as out:
- out.write(root_to_str(root))
-
-
 def apply(role: str, ip: str) -> int:
 firewall_cmd = ['so-firewall', 'excludehost', role, ip]
 salt_cmd = ['salt-call', 'state.apply', '-l', 'quiet', 'firewall', 'queue=True']
- restart_wazuh_cmd = ['so-wazuh-restart']
 print(f'Removing {ip} from the {role} role. 
This can take a few seconds...')
 cmd = subprocess.run(firewall_cmd)
 if cmd.returncode == 0:
 cmd = subprocess.run(salt_cmd, stdout=subprocess.DEVNULL)
 else:
 return cmd.returncode
- if cmd.returncode == 0:
- if wazuh_enabled and role=='analyst':
- try:
- rem_wl(ip)
- print(f'Removed whitelist entry for {ip} from {WAZUH_CONF}', file=sys.stderr)
- except Exception as e:
- print(f'Failed to remove whitelist entry for {ip} from {WAZUH_CONF}', file=sys.stderr)
- print(e)
- return 1
- print('Restarting OSSEC Server...')
- cmd = subprocess.run(restart_wazuh_cmd)
- else:
- return cmd.returncode
- else:
- print(f'Commmand \'{" ".join(salt_cmd)}\' failed.', file=sys.stderr)
- return cmd.returncode
- if cmd.returncode != 0:
- print('Failed to restart OSSEC server.')
- return cmd.returncode
 def main():
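Review bot: After this hunk `apply()` no longer returns a value on its success path: the removed block held the only `return cmd.returncode` that followed the salt-call, so the function now returns only when so-firewall fails and otherwise falls off the end and yields None despite its `-> int` annotation. If `main()` (which begins at the end of this hunk and continues outside it) uses that result as an exit code or compares it with 0, a successful run will be reported as a failure. Append `return cmd.returncode` as the last statement of `apply()`, after the `if/else`, so the salt-call's status is propagated. It is also worth keeping a failure message for the salt-call, since its stdout goes to DEVNULL and `-l quiet` suppresses its own output, leaving the operator with no indication of why the firewall state was not applied.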
@@ -163,11 +92,7 @@ def main():
 group.add_argument('-b', dest='roles', action='append_const', const=VALID_ROLES['b']['role'], help="Logstash Beat - 5044/tcp")
 group.add_argument('-e', dest='roles', action='append_const', const=VALID_ROLES['e']['role'], help="Elasticsearch REST API - 9200/tcp")
 group.add_argument('-f', dest='roles', action='append_const', const=VALID_ROLES['f']['role'], help="Strelka frontend - 57314/tcp")
-group.add_argument('-o', dest='roles', action='append_const', const=VALID_ROLES['o']['role'], help="Osquery endpoint - 8090/tcp")
 group.add_argument('-s', dest='roles', action='append_const', const=VALID_ROLES['s']['role'], help="Syslog device - 514/tcp/udp")
-group.add_argument('-w', dest='roles', action='append_const', const=VALID_ROLES['w']['role'], help="Wazuh agent - 1514/tcp/udp")
-group.add_argument('-p', dest='roles', action='append_const', const=VALID_ROLES['p']['role'], help="Wazuh API - 55000/tcp")
-group.add_argument('-r', dest='roles', action='append_const', const=VALID_ROLES['r']['role'], help="Wazuh registration service - 1515/tcp")
 ip_g = main_parser.add_argument_group(title='allow')
 ip_g.add_argument('-i', help="IP or CIDR block to disallow connections from, requires at least one role argument", metavar='', dest='ip')
diff --git a/salt/common/tools/sbin/so-docker-prune b/salt/common/tools/sbin/so-docker-prune
index adb22cf5f..224cbd222 100755
--- a/salt/common/tools/sbin/so-docker-prune
+++ b/salt/common/tools/sbin/so-docker-prune
@@ -1,19 +1,11 @@
 #!/usr/bin/env python3
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 import sys, argparse, re, docker
 from packaging.version import Version, InvalidVersion
diff --git a/salt/common/tools/sbin/so-docker-refresh b/salt/common/tools/sbin/so-docker-refresh
index 0b72edf89..45d1e2785 100755
--- a/salt/common/tools/sbin/so-docker-refresh
+++ b/salt/common/tools/sbin/so-docker-refresh
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
 . /usr/sbin/so-image-common
diff --git a/salt/common/tools/sbin/so-elastalert-restart b/salt/common/tools/sbin/so-elastalert-restart
index bfd02ce35..4f0c68bf2 100755
--- a/salt/common/tools/sbin/so-elastalert-restart
+++ b/salt/common/tools/sbin/so-elastalert-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-elastalert-start b/salt/common/tools/sbin/so-elastalert-start
index eeb96c16d..6c9f1abf1 100755
--- a/salt/common/tools/sbin/so-elastalert-start
+++ b/salt/common/tools/sbin/so-elastalert-start
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-elastalert-stop b/salt/common/tools/sbin/so-elastalert-stop
index ab175a153..4523ab018 100755
--- a/salt/common/tools/sbin/so-elastalert-stop
+++ b/salt/common/tools/sbin/so-elastalert-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-elastic-agent-gen-installers b/salt/common/tools/sbin/so-elastic-agent-gen-installers
new file mode 100644
index 000000000..837745050
--- /dev/null
+++ b/salt/common/tools/sbin/so-elastic-agent-gen-installers
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# this file except in compliance with the Elastic License 2.0.
+
+#so-elastic-agent-gen-installers $FleetHost $EnrollmentToken
+
+. /usr/sbin/so-common
+
+ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints")) | .api_key')
+
+FLEETHOST=$(lookup_pillar "server:url" "elasticfleet")
+
+#FLEETHOST=$1
+#ENROLLMENTOKEN=$2
+CONTAINERGOOS=( "linux" "darwin" "windows" )
+
+rm -rf /tmp/elastic-agent-workspace
+mkdir -p /tmp/elastic-agent-workspace
+
+for OS in "${CONTAINERGOOS[@]}"
+do
+ printf "\n\nGenerating $OS Installer..."
+ cp /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/so-elastic-agent-*-$OS-x86_64.tar.gz /tmp/elastic-agent-workspace/$OS.tar.gz
+ docker run -e CGO_ENABLED=0 -e GOOS=$OS \
+ --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \
+ --mount type=bind,source=/tmp/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \
+ --mount type=bind,source=/opt/so/conf/elastic-fleet/so_agent-installers/,target=/output/ \
+ so-elastic-agent-builder go build -ldflags "-X main.fleetHost=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_$OS
+ printf "\n $OS Installer Generated..."
+done
diff --git a/salt/common/tools/sbin/so-elastic-auth b/salt/common/tools/sbin/so-elastic-auth
deleted file mode 100755
index fe4d04f49..000000000
--- a/salt/common/tools/sbin/so-elastic-auth
+++ /dev/null
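Review bot: `ENROLLMENTOKEN` is used without any check: if the curl/jq pipeline fails, or matches no policy or more than one, the loop still runs and bakes an empty or multi-line token into every generated installer, because the script has no `set -e` and never inspects the value. The workspace is also a fixed, predictable path under /tmp that is `rm -rf`'d and re-created, which any other local user can pre-create or replace between those two steps; `mktemp -d` with a `trap` cleanup avoids that. Passing the token on the `docker run` command line via `-ldflags` additionally exposes it in the host process list for the duration of each build, which may be acceptable for a manager-only tool but deserves a comment so the trade-off is explicit. The sketch below adds the token check and the private workspace; the loop body is unchanged apart from the workspace path.
```shell
. /usr/sbin/so-common

ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints")) | .api_key')
# Refuse to build installers around a missing or ambiguous token.
if [ -z "$ENROLLMENTOKEN" ] || [ "$(printf '%s\n' "$ENROLLMENTOKEN" | wc -l)" -ne 1 ]; then
  echo "Could not retrieve exactly one Fleet enrollment token from Kibana; aborting." >&2
  exit 1
fi

# … unchanged: FLEETHOST lookup, CONTAINERGOOS …

# Private scratch directory instead of a fixed, predictable path under /tmp.
WORKSPACE=$(mktemp -d)
trap 'rm -rf "$WORKSPACE"' EXIT

# … unchanged: for loop, with /tmp/elastic-agent-workspace replaced by "$WORKSPACE" in the cp and --mount lines …
```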
@@ -1,67 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-if [ -f "/usr/sbin/so-common" ]; then
- . /usr/sbin/so-common
-fi
-
-ES_AUTH_PILLAR=${ELASTIC_AUTH_PILLAR:-/opt/so/saltstack/local/pillar/elasticsearch/auth.sls}
-ES_USERS_FILE=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users}
-
-authEnable=$1
-
-if ! grep -q "enabled: " "$ES_AUTH_PILLAR"; then
- echo "Elastic auth pillar file is invalid. Unable to proceed."
- exit 1
-fi
-
-function restart() {
- if [[ -z "$ELASTIC_AUTH_SKIP_HIGHSTATE" ]]; then
- echo "Elasticsearch on all affected minions will now be stopped and then restarted..."
- salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' cmd.run so-elastic-stop queue=True
- echo "Applying highstate to all affected minions..."
- salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.highstate queue=True
- fi
-}
-
-if [[ "$authEnable" == "true" ]]; then
- if grep -q "enabled: False" "$ES_AUTH_PILLAR"; then
- sed -i 's/enabled: False/enabled: True/g' "$ES_AUTH_PILLAR"
- restart
- echo "Elastic auth is now enabled." 
- if grep -q "argon" "$ES_USERS_FILE"; then
- echo ""
- echo "IMPORTANT: The following users will need to change their password, after logging into SOC, in order to access Kibana:"
- grep argon "$ES_USERS_FILE" | cut -d ":" -f 1
- fi
- else
- echo "Auth is already enabled."
- fi
-elif [[ "$authEnable" == "false" ]]; then
- if grep -q "enabled: True" "$ES_AUTH_PILLAR"; then
- sed -i 's/enabled: True/enabled: False/g' "$ES_AUTH_PILLAR"
- restart
- echo "Elastic auth is now disabled."
- else
- echo "Auth is already disabled."
- fi
-else
- echo "Usage: $0 "
- echo ""
- echo "Toggles Elastic authentication. Elasticsearch will be restarted on each affected minion."
- echo ""
-fi
diff --git a/salt/common/tools/sbin/so-elastic-auth-password-reset b/salt/common/tools/sbin/so-elastic-auth-password-reset
index 0dc66b056..17404e953 100644
--- a/salt/common/tools/sbin/so-elastic-auth-password-reset
+++ b/salt/common/tools/sbin/so-elastic-auth-password-reset
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 source $(dirname $0)/so-common
 require_manager
@@ -98,18 +89,18 @@ function killAllSaltJobs() { function soUserSync() { # apply this state to update /opt/so/saltstack/local/salt/elasticsearch/curl.config on the manager salt-call state.sls_id elastic_curl_config_distributed manager queue=True - salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' saltutil.kill_all_jobs + salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' saltutil.kill_all_jobs # apply this state to get the curl.config - salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.sls_id elastic_curl_config common queue=True + salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' state.sls_id elastic_curl_config common queue=True $(dirname $0)/so-user sync printf "\nApplying logstash state to the appropriate nodes.\n\n" - salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.apply logstash queue=True + salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' state.apply logstash queue=True printf "\nApplying filebeat state to the appropriate nodes.\n\n" - salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode or G@role:so-sensor or G@role:so-fleet' state.apply filebeat queue=True + salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or 
G@role:so-searchnode or G@role:so-heavynode or G@role:so-sensor or G@role:so-fleet' state.apply filebeat queue=True printf "\nApplying kibana state to the appropriate nodes.\n\n" salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch' state.apply kibana queue=True printf "\nApplying curator state to the appropriate nodes.\n\n" - salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.apply curator queue=True + salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' state.apply curator queue=True } function highstateManager() { diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear index ef4c79358..d441e4d65 100755 --- a/salt/common/tools/sbin/so-elastic-clear +++ b/salt/common/tools/sbin/so-elastic-clear 
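Review bot: The compound target `'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode'` is now spelled out five times inside soUserSync, and this very commit had to edit every copy to rename so-node to so-searchnode. Assigning it once at the top of the function, e.g. `ES_NODES='G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode'`, and passing `-C "$ES_NODES"` would make the next role change a one-line edit; the filebeat target differs only by appending `or G@role:so-sensor or G@role:so-fleet` and could build on the same variable. If any minion still reports the old so-node grain while a grid is mid-upgrade, all of these calls silently skip it, so a short comment stating that the rename assumes grains have already been updated would help whoever runs this during a migration.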
@@ -1,20 +1,12 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common SKIP=0 @@ -50,7 +42,7 @@ done if [ $SKIP -ne 1 ]; then # List indices echo - {{ ELASTICCURL }} -k -L https://{{ NODEIP }}:9200/_cat/indices?v + curl -K /opt/so/conf/elasticsearch/curl.config -k -L https://{{ NODEIP }}:9200/_cat/indices?v echo # Inform user we are about to delete all data echo 
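Review bot: Both rewritten calls replace the `{{ ELASTICCURL }}` macro with the literal `curl -K /opt/so/conf/elasticsearch/curl.config`, and the same literal is pasted into so-elasticsearch-component-templates-list, -index-templates-list, -indices-list, -indices-rw, -pipeline-stats, -pipeline-view, -pipelines-list, -query, -shards-list and -template-remove in this commit; defining it once in so-common (e.g. `ELASTICCURL="curl -K /opt/so/conf/elasticsearch/curl.config"`) would keep the credentials path in one place when it next moves. That curl.config file now carries the Elasticsearch credentials for every one of these tools, so a comment here stating its expected owner and mode, and what the script should do if the file is unreadable, would be worth adding. The `-k` on both calls still disables TLS verification of the Elasticsearch endpoint; since the commit already rewrites these lines, replacing `-k` with `--cacert <grid-CA-path>` would be the natural moment to close that gap. The NODEIP lookup also changed from `elasticsearch:mainip` to `host:mainip` with an empty default, so a missing pillar key yields `https://:9200` URLs; guarding with `if [ -z "{{ NODEIP }}" ]` before the first curl would fail loudly instead.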
@@ -89,10 +81,10 @@ fi # Delete data echo "Deleting data..." -INDXS=$({{ ELASTICCURL }} -s -XGET -k -L https://{{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }') +INDXS=$(curl -K /opt/so/conf/elasticsearch/curl.config -s -XGET -k -L https://{{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }') for INDX in ${INDXS} do - {{ ELASTICCURL }} -XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1 + curl -K /opt/so/conf/elasticsearch/curl.config-XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1 done #Start Logstash/Filebeat diff --git a/salt/common/tools/sbin/so-elastic-diagnose b/salt/common/tools/sbin/so-elastic-diagnose index fc3c8923d..a94384fe8 100755 --- a/salt/common/tools/sbin/so-elastic-diagnose +++ b/salt/common/tools/sbin/so-elastic-diagnose @@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # Source common settings . /usr/sbin/so-common 
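Review bot: In the delete loop the added line reads `curl -K /opt/so/conf/elasticsearch/curl.config-XDELETE -k -L ...`; the missing space makes curl look for a config file named `/opt/so/conf/elasticsearch/curl.config-XDELETE`, so whether curl aborts or merely warns, no authenticated DELETE is ever sent, and the `> /dev/null 2>&1` hides that while the script has just printed "Deleting data...". It should be `curl -K /opt/so/conf/elasticsearch/curl.config -XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1`, and dropping the redirect for non-2xx responses (or checking curl's exit status) would stop a silent no-op from looking like a successful wipe. The INDXS extraction on the line above picks the index name with `awk '{ print $3 }'` from `_cat/indices?v`; asking the cat API for the column by name (`h=index`) is less fragile than relying on column position.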
diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup new file mode 100644 index 000000000..a41beb5a6 --- /dev/null +++ b/salt/common/tools/sbin/so-elastic-fleet-setup 
@@ -0,0 +1,81 @@ + +#!/bin/bash + +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use +# this file except in compliance with the Elastic License 2.0. +{% from 'vars/globals.map.jinja' import GLOBALS %} + +. /usr/sbin/so-common + + +# Create ES Token +ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq -r .value) +printf "ESTOKEN = $ESTOKEN \n" + +# Add SO-Manager Fleet URL +## This array replaces whatever URLs are currently configured +printf "\n" +curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/settings" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"fleet_server_hosts":["https://{{ GLOBALS.manager_ip }}:8220"]}' +printf "\n\n" + +# Create Logstash Output payload +cp /etc/ssl/certs/intca.crt /opt/so/conf/filebeat/etc/pki/ +LOGSTASHCRT=$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt) +LOGSTASHKEY=$(openssl rsa -in /opt/so/conf/filebeat/etc/pki/filebeat.key) +LOGSTASHCA=$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/intca.crt) +JSON_STRING=$( jq -n \ + --arg LOGSTASHCRT "$LOGSTASHCRT" \ + --arg LOGSTASHKEY "$LOGSTASHKEY" \ + --arg LOGSTASHCA "$LOGSTASHCA" \ + '{"name":"so-manager_logstash","id":"so-manager_logstash","type":"logstash","hosts":["{{ GLOBALS.manager_ip }}:5055"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate": $LOGSTASHCRT,"key": $LOGSTASHKEY,"certificate_authorities":[ $LOGSTASHCA ]}}' + ) + +# Add SO-Manager Logstash Ouput +curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" +printf "\n\n" + +# Add Elastic Fleet Integrations + +# Add Elastic Fleet Server Agent Policy +#curl 
-vv -K /opt/so/conf/elasticsearch/curl.config -L \ +#-X POST "localhost:5601/api/fleet/agent_policies" \ +#-H 'kbn-xsrf: true' -H 'Content-Type: application/json' \ +#-d '{"name":"SO-Manager","id":"so-manager","description":"SO Manager Fleet Server Policy","namespace":"default","monitoring_enabled":["logs"],"has_fleet_server":true}' + +# Add Agent Policy - SOS Grid Nodes +#curl -vv -K /opt/so/conf/elasticsearch/curl.config -L \ +#-X POST "localhost:5601/api/fleet/agent_policies" \ +#-H 'kbn-xsrf: true' -H 'Content-Type: application/json' \ +#-d '{"name":"SO-Grid","id":"so-grid","description":"SO Grid Endpoint Policy","namespace":"default","monitoring_enabled":["logs"]}' + +# Add Agent Policy - Default endpoints +#curl -vv -K /opt/so/conf/elasticsearch/curl.config -L \ +#-X POST "localhost:5601/api/fleet/agent_policies" \ +#-H 'kbn-xsrf: true' -H 'Content-Type: application/json' \ +#-d '{"name":"Endpoints-Initalization","id":"endpoints","description":"Initial Endpoint Policy","namespace":"default","monitoring_enabled":["logs"]}' + +# Store needed data in minion pillar +pillar_file=/opt/so/saltstack/local/pillar/minions/{{ GLOBALS.minion_id }}.sls +printf '%s\n'\ + "elasticfleet:"\ + " server:"\ + " es_token: '$ESTOKEN'"\ + " url: '{{ GLOBALS.manager_ip }}'"\ + "" >> "$pillar_file" + + +# Call Elastic-Fleet Salt State +salt-call state.apply elastic-fleet + +# Temp +wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-darwin-x86_64.tar.gz +wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-linux-x86_64.tar.gz +wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ 
https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-windows-x86_64.tar.gz + +git clone -b 2.4-so-elastic-agent https://github.com/Security-Onion-Solutions/securityonion-image.git +cd securityonion-image/so-elastic-agent-builder +docker build -t so-elastic-agent-builder . + +so-elastic-agent-gen-installers +/opt/so/conf/elastic-fleet/so_agent-installers/so-elastic-agent_linux \ No newline at end of file diff --git a/salt/common/tools/sbin/so-elastic-restart b/salt/common/tools/sbin/so-elastic-restart index de7a261f8..4fb8ae10b 100755 --- a/salt/common/tools/sbin/so-elastic-restart +++ b/salt/common/tools/sbin/so-elastic-restart 
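Review bot: The Fleet service token is never checked after creation: if the POST to `localhost:5601/api/fleet/service_tokens` fails, `jq -r .value` yields `null` and the script carries on, echoing it via `printf "ESTOKEN = $ESTOKEN \n"` and appending `es_token: 'null'` to the minion pillar. That printf also writes the real token to stdout on success, so it lands in terminal scrollback and any captured setup log, and because the pillar block is added with `>>`, a second run leaves duplicate `elasticfleet:` keys in the file. The `# Temp` block downloads three agent tarballs with wget and `git clone`s a branch without any checksum or signature check, then `cd`s and runs `docker build` even if the clone failed; at minimum `set -e` and a digest check on the downloads are needed before this leaves "temp" status. The first added line is blank, so `#!/bin/bash` sits on line 2 and is not honoured when the file is executed directly; the rewritten opening below drops the token echo and aborts on a missing token.
```shell
. /usr/sbin/so-common
set -e

# Create ES Token; stop here if Kibana did not hand one back
ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -sSf -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq -r '.value // empty')
if [ -z "$ESTOKEN" ]; then
  echo "Failed to create Fleet service token, aborting." >&2
  exit 1
fi
# … unchanged: fleet_server_hosts PUT, logstash output, pillar append, agent download …
```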
@@ -1,24 +1,16 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common -{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-import']%} +{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%} /usr/sbin/so-restart elasticsearch $1 {%- endif %} 
@@ -26,15 +18,15 @@ /usr/sbin/so-restart kibana $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%} /usr/sbin/so-restart logstash $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-sensor']%} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-sensor']%} /usr/sbin/so-restart filebeat $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%} /usr/sbin/so-restart curator $1 {%- endif %} diff --git a/salt/common/tools/sbin/so-elastic-start b/salt/common/tools/sbin/so-elastic-start index f1000311c..04c076662 100755 --- a/salt/common/tools/sbin/so-elastic-start +++ b/salt/common/tools/sbin/so-elastic-start 
@@ -1,24 +1,16 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common -{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-import']%} +{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%} /usr/sbin/so-start elasticsearch $1 {%- endif %} 
@@ -26,15 +18,15 @@ /usr/sbin/so-start kibana $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%} /usr/sbin/so-start logstash $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-sensor']%} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-sensor']%} /usr/sbin/so-start filebeat $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%} /usr/sbin/so-start curator $1 {%- endif %} diff --git a/salt/common/tools/sbin/so-elastic-stop b/salt/common/tools/sbin/so-elastic-stop index f9f4d0d0c..45e8fd18b 100755 --- a/salt/common/tools/sbin/so-elastic-stop +++ b/salt/common/tools/sbin/so-elastic-stop 
@@ -1,24 +1,16 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common -{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-import']%} +{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%} /usr/sbin/so-stop elasticsearch $1 {%- endif %} 
@@ -26,15 +18,15 @@ /usr/sbin/so-stop kibana $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%} /usr/sbin/so-stop logstash $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-sensor']%} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-sensor']%} /usr/sbin/so-stop filebeat $1 {%- endif %} -{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%} /usr/sbin/so-stop curator $1 {%- endif %} diff --git a/salt/common/tools/sbin/so-elasticsearch-component-templates-list b/salt/common/tools/sbin/so-elasticsearch-component-templates-list index 69deb1873..f8eab884e 100755 --- a/salt/common/tools/sbin/so-elasticsearch-component-templates-list +++ b/salt/common/tools/sbin/so-elasticsearch-component-templates-list 
@@ -1,23 +1,15 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common if [ "$1" == "" ]; then - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort else - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template/$1 | jq + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_component_template/$1 | jq fi diff --git a/salt/common/tools/sbin/so-elasticsearch-index-templates-list b/salt/common/tools/sbin/so-elasticsearch-index-templates-list index 84fecc565..35c478f90 100755 --- a/salt/common/tools/sbin/so-elasticsearch-index-templates-list +++ b/salt/common/tools/sbin/so-elasticsearch-index-templates-list 
@@ -1,23 +1,15 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common if [ "$1" == "" ]; then - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort else - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template/$1 | jq + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_index_template/$1 | jq fi diff --git a/salt/common/tools/sbin/so-elasticsearch-indices-list b/salt/common/tools/sbin/so-elasticsearch-indices-list index f7662f4e2..a71f127eb 100755 --- a/salt/common/tools/sbin/so-elasticsearch-indices-list +++ b/salt/common/tools/sbin/so-elasticsearch-indices-list 
@@ -14,8 +14,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common -{{ ELASTICCURL }} -s -k -L "https://{{ NODEIP }}:9200/_cat/indices?pretty&v&s=index" +curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L "https://{{ NODEIP }}:9200/_cat/indices?pretty&v&s=index" diff --git a/salt/common/tools/sbin/so-elasticsearch-indices-rw b/salt/common/tools/sbin/so-elasticsearch-indices-rw index 5aa24f91a..724dd9dcf 100755 --- a/salt/common/tools/sbin/so-elasticsearch-indices-rw +++ b/salt/common/tools/sbin/so-elasticsearch-indices-rw 
@@ -1,23 +1,15 @@ #!/bin/bash # # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + IP={{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }} ESPORT=9200 echo "Removing read only attributes for indices..." echo -{{ ELASTICCURL }} -s -k -XPUT -H "Content-Type: application/json" -L https://$IP:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute. Please ensure Elasticsearch is running.";fi; +curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -H "Content-Type: application/json" -L https://$IP:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute. Please ensure Elasticsearch is running.";fi; 
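Review bot: The rewritten curl line keeps the message `There was any issue updating the read-only attribute.`; while the line is being touched it should read `There was an issue updating the read-only attribute.`. The else branch only echoes, so the script still exits 0 when the settings update failed and a caller cannot tell the two outcomes apart; adding `exit 1` after the failure echo would let so-common wrappers and operators act on it.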
diff --git a/salt/common/tools/sbin/so-elasticsearch-pipeline-stats b/salt/common/tools/sbin/so-elasticsearch-pipeline-stats index da808d743..8f541d2ee 100755 --- a/salt/common/tools/sbin/so-elasticsearch-pipeline-stats +++ b/salt/common/tools/sbin/so-elasticsearch-pipeline-stats @@ -14,12 +14,12 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common if [ "$1" == "" ]; then - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines" + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines" else - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\"" + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\"" fi diff --git a/salt/common/tools/sbin/so-elasticsearch-pipeline-view b/salt/common/tools/sbin/so-elasticsearch-pipeline-view index 0c6648c0b..03e3c2a6a 100755 --- a/salt/common/tools/sbin/so-elasticsearch-pipeline-view +++ b/salt/common/tools/sbin/so-elasticsearch-pipeline-view 
@@ -14,12 +14,12 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common if [ "$1" == "" ]; then - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq . + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq . else - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq .[] + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq .[] fi diff --git a/salt/common/tools/sbin/so-elasticsearch-pipelines-list b/salt/common/tools/sbin/so-elasticsearch-pipelines-list index 4ea3bc752..3e6246e31 100755 --- a/salt/common/tools/sbin/so-elasticsearch-pipelines-list +++ b/salt/common/tools/sbin/so-elasticsearch-pipelines-list 
@@ -1,23 +1,15 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common if [ "$1" == "" ]; then - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys' + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys' else - {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq + curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq fi diff --git a/salt/common/tools/sbin/so-elasticsearch-query b/salt/common/tools/sbin/so-elasticsearch-query index 3cc5f4602..e5d1f58e6 100755 --- a/salt/common/tools/sbin/so-elasticsearch-query +++ b/salt/common/tools/sbin/so-elasticsearch-query 
@@ -34,4 +34,4 @@ fi QUERYPATH=$1 shift -{{ ELASTICCURL }} -s -k -L -H "Content-Type: application/json" "https://localhost:9200/${QUERYPATH}" "$@" +curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -H "Content-Type: application/json" "https://localhost:9200/${QUERYPATH}" "$@" diff --git a/salt/common/tools/sbin/so-elasticsearch-restart b/salt/common/tools/sbin/so-elasticsearch-restart index 0e16b5181..7a770faf1 100755 --- a/salt/common/tools/sbin/so-elasticsearch-restart +++ b/salt/common/tools/sbin/so-elasticsearch-restart @@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-elasticsearch-shards-list b/salt/common/tools/sbin/so-elasticsearch-shards-list index 19d072f65..378888873 100755 --- a/salt/common/tools/sbin/so-elasticsearch-shards-list +++ b/salt/common/tools/sbin/so-elasticsearch-shards-list 
@@ -14,8 +14,8 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} +{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%} . /usr/sbin/so-common -{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_cat/shards?pretty +curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_cat/shards?pretty diff --git a/salt/common/tools/sbin/so-elasticsearch-start b/salt/common/tools/sbin/so-elasticsearch-start index 1822c6837..eba1ec54a 100755 --- a/salt/common/tools/sbin/so-elasticsearch-start +++ b/salt/common/tools/sbin/so-elasticsearch-start @@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-elasticsearch-stop b/salt/common/tools/sbin/so-elasticsearch-stop index 27272701b..3a3c4d5f5 100755 --- a/salt/common/tools/sbin/so-elasticsearch-stop +++ b/salt/common/tools/sbin/so-elasticsearch-stop 
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-elasticsearch-template-remove b/salt/common/tools/sbin/so-elasticsearch-template-remove
index f037fc9c8..d69b82fc4 100755
--- a/salt/common/tools/sbin/so-elasticsearch-template-remove
+++ b/salt/common/tools/sbin/so-elasticsearch-template-remove
@@ -14,8 +14,8 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see
-{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
 . /usr/sbin/so-common
-{{ ELASTICCURL }} -s -k -L -XDELETE https://{{ NODEIP }}:9200/_template/$1
+curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -XDELETE https://{{ NODEIP }}:9200/_template/$1
diff --git a/salt/common/tools/sbin/so-elasticsearch-template-view b/salt/common/tools/sbin/so-elasticsearch-template-view
index 661e390e4..6d549d7c0 100755
--- a/salt/common/tools/sbin/so-elasticsearch-template-view
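Review bot: The new `-XDELETE https://{{ NODEIP }}:9200/_template/$1` line in so-elasticsearch-template-remove still sends the request when `$1` is absent or empty, and because curl runs with `-s` but not `-f`, the script exits 0 whatever Elasticsearch answers, so a mistyped or missing template name is silent. A check before the call, `[ -n "$1" ] || { echo "Usage: $0 <template-name>"; exit 1; }`, plus `--fail` on the curl line and quoting the argument as `"$1"`, would make a destructive command fail loudly instead. The unquoted `$1` also appears on the new lines of the template-view and templates-list hunks, where the `[ "$1" == "" ]` branch already handles the empty case but the quoting is still worth adding.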
+++ b/salt/common/tools/sbin/so-elasticsearch-template-view
@@ -14,12 +14,12 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see
-{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
- {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/* | jq .
+ curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/* | jq .
 else
- {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq .
+ curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq .
 fi
diff --git a/salt/common/tools/sbin/so-elasticsearch-templates-list b/salt/common/tools/sbin/so-elasticsearch-templates-list
index 905abd713..e63c8cf54 100755
--- a/salt/common/tools/sbin/so-elasticsearch-templates-list
+++ b/salt/common/tools/sbin/so-elasticsearch-templates-list
@@ -1,23 +1,15 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+{%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
 . /usr/sbin/so-common
 if [ "$1" == "" ]; then
- {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys'
+ curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys'
 else
- {{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq
+ curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq
 fi
diff --git a/salt/common/tools/sbin/so-elasticsearch-wait b/salt/common/tools/sbin/so-elasticsearch-wait
index f56aafcd3..5bb081a16 100755
--- a/salt/common/tools/sbin/so-elasticsearch-wait
+++ b/salt/common/tools/sbin/so-elasticsearch-wait
@@ -2,4 +2,4 @@
 . /usr/sbin/so-common
-wait_for_web_response "https://localhost:9200/_cat/indices/.kibana*" "green open" 300 "{{ ELASTICCURL }}"
+wait_for_web_response "https://localhost:9200/_cat/indices/.kibana*" "green open" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
diff --git a/salt/common/tools/sbin/so-filebeat-module-setup b/salt/common/tools/sbin/so-filebeat-module-setup
index 945c3c58a..43c816087 100755
--- a/salt/common/tools/sbin/so-filebeat-module-setup
+++ b/salt/common/tools/sbin/so-filebeat-module-setup
@@ -1,18 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set mainint = salt['pillar.get']('host:mainint') %}
 {%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
@@ -31,7 +23,7 @@ echo -n "Waiting for ElasticSearch..."
 COUNT=0
 ELASTICSEARCH_CONNECTED="no"
 while [[ "$COUNT" -le 240 ]]; do
- {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
+ curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
 if [ $? -eq 0 ]; then
 ELASTICSEARCH_CONNECTED="yes"
 echo "connected!"
@@ -48,8 +40,8 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
 echo
 fi
 echo "Testing to see if the pipelines are already applied"
-ESVER=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \")
-PIPELINES=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-elasticsearch-server-pipeline | jq . | wc -c)
+ESVER=$(curl -K /opt/so/conf/elasticsearch/curl.config -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \")
+PIPELINES=$(curl -K /opt/so/conf/elasticsearch/curl.config -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-elasticsearch-server-pipeline | jq . | wc -c)
 if [[ "$PIPELINES" -lt 5 ]] || [ "$2" != "--force" ]; then
 echo "Setting up ingest pipeline(s)"
diff --git a/salt/common/tools/sbin/so-filebeat-restart b/salt/common/tools/sbin/so-filebeat-restart
index 0fe2ccb0a..97ccbb0ee 100755
--- a/salt/common/tools/sbin/so-filebeat-restart
+++ b/salt/common/tools/sbin/so-filebeat-restart
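Review bot: In the second hunk, `ESVER=$(curl -K ... -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \")` has no `--fail` and no check of its result, so a failed or non-JSON response leaves `ESVER` empty or `null` and the next line probes `filebeat-null-elasticsearch-server-pipeline`, which makes `PIPELINES` small and the pipelines look absent. `ESVER=$(curl -K /opt/so/conf/elasticsearch/curl.config -sfk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" | jq -r .version.number)` followed by `[ -n "$ESVER" ] && [ "$ESVER" != null ] || { echo "could not read Elasticsearch version"; exit 1; }` drops the `tr` quote-stripping and stops before the pipeline probe. The connectivity loop in the first hunk already uses `--fail`, so this brings the version fetch in line with it. The condition on the following context line, `|| [ "$2" != "--force" ]`, reads as running the setup whenever `--force` is absent, which looks inverted, but it is pre-existing and outside the lines this commit changes.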
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-filebeat-start b/salt/common/tools/sbin/so-filebeat-start
index ae7b998ad..cf148d49a 100755
--- a/salt/common/tools/sbin/so-filebeat-start
+++ b/salt/common/tools/sbin/so-filebeat-start
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-filebeat-stop b/salt/common/tools/sbin/so-filebeat-stop
index d5b1e5711..d3c50fef0 100755
--- a/salt/common/tools/sbin/so-filebeat-stop
+++ b/salt/common/tools/sbin/so-filebeat-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-firewall b/salt/common/tools/sbin/so-firewall
index 2a394fdff..669d9597b 100755
--- a/salt/common/tools/sbin/so-firewall
+++ b/salt/common/tools/sbin/so-firewall
@@ -1,19 +1,10 @@
 #!/usr/bin/env python3
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 import os
 import re
diff --git a/salt/common/tools/sbin/so-firewall-minion b/salt/common/tools/sbin/so-firewall-minion
new file mode 100644
index 000000000..a732fa8ac
--- /dev/null
+++ b/salt/common/tools/sbin/so-firewall-minion
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+. /usr/sbin/so-common
+
+if [[ $# -lt 1 ]]; then
+ echo "Usage: $0 --role= --ip="
+ echo ""
+ echo " Example: so-firewall-minion --role=manager --ip=192.168.254.100"
+ echo ""
+ exit 1
+fi
+
+for i in "$@"; do
+ case $i in
+ -r=*|--role=*)
+ ROLE="${i#*=}"
+ shift
+ ;;
+ -i=*|--ip=*)
+ IP="${i#*=}"
+ shift
+ ;;
+ -*|--*)
+ echo "Unknown option $i"
+ exit 1
+ ;;
+ *)
+ ;;
+ esac
+done
+
+ROLE=${ROLE^^}
+
+if [ -z "$ROLE" ]; then
+ echo "Please specify a role with --role="
+ exit 1
+fi
+if [ -z "$IP" ]; then
+ echo "Please specify an IP address with --ip="
+ exit 1
+fi
+
+ case "$ROLE" in
+
+ 'MANAGER')
+ so-firewall includehost manager "$IP"
+ so-firewall --apply includehost minion "$IP"
+ ;;
+ 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
+ so-firewall includehost manager "$IP"
+ so-firewall includehost minion "$IP"
+ so-firewall includehost sensor "$IP"
+ so-firewall --apply includehost search_node "$IP"
+ ;;
+ 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'IDH' | 'RECEIVER')
+ so-firewall includehost minion "$IP"
+ case "$ROLE" in
+ 'SENSOR')
+ so-firewall --apply includehost sensor "$IP"
+ ;;
+ 'SEARCHNODE')
+ so-firewall --apply includehost search_node "$IP"
+ ;;
+ 'HEAVYNODE')
+ so-firewall includehost sensor "$IP"
+ so-firewall --apply includehost heavy_node "$IP"
+ ;;
+ 'IDH')
+ so-firewall --apply includehost beats_endpoint_ssl "$IP"
+ ;;
+ 'RECEIVER')
+ so-firewall --apply includehost receiver "$IP"
+ ;;
+ esac
+ ;;
+ esac
diff --git a/salt/common/tools/sbin/so-fleet-restart b/salt/common/tools/sbin/so-fleet-restart
deleted file mode 100755
index 50bfd1200..000000000
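Review bot: The outer `case "$ROLE" in` near the end of the new so-firewall-minion script has no default branch, so a mistyped `--role=` value matches nothing and the script exits 0 having added no firewall entry; a final `*) echo "Unknown role: $ROLE"; exit 1 ;;` before the closing `esac` would surface that. Each `so-firewall includehost` call's exit status is also ignored, so if an early include fails the `--apply` call still runs and the caller cannot tell from the return code; `set -e` after sourcing so-common, or `|| exit 1` on each call, addresses both. `$IP` is handed to so-firewall without any format check, which is fine if so-firewall validates its argument (that script is outside this hunk), otherwise a simple pattern check next to the existing `-z "$IP"` test is worth adding. The `shift` inside `for i in "$@"` does not affect the iteration and can be dropped, and the indentation of the outer `case` block, which differs from the rest of the file, is worth normalising.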
--- a/salt/common/tools/sbin/so-fleet-restart
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-restart fleet $1
diff --git a/salt/common/tools/sbin/so-fleet-setup b/salt/common/tools/sbin/so-fleet-setup
deleted file mode 100755
index d3ea4dca3..000000000
--- a/salt/common/tools/sbin/so-fleet-setup
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/bash
-
-#so-fleet-setup $FleetEmail $FleetPassword
-
-. /usr/sbin/so-common
-
-if [[ $# -ne 2 ]] ; then
- echo "Username or Password was not set - exiting now."
- exit 1
-fi
-
-USER_EMAIL=$1
-USER_PW=$2
-
-# Checking to see if required containers are started...
-if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
- echo "Starting Docker Containers..."
- salt-call state.apply mysql queue=True >> /root/fleet-setup.log
- salt-call state.apply fleet queue=True >> /root/fleet-setup.log
- salt-call state.apply redis queue=True >> /root/fleet-setup.log
-fi
-
-docker exec so-fleet fleetctl config set --address https://127.0.0.1:8080 --tls-skip-verify --url-prefix /fleet
-docker exec so-fleet bash -c 'while [[ "$(curl -s -o /dev/null --insecure -w ''%{http_code}'' https://127.0.0.1:8080/fleet)" != "301" ]]; do sleep 5; done'
-
-# Create Security Onion Fleet Service Account + Setup Fleet
-FLEET_SA_EMAIL=$(lookup_pillar_secret fleet_sa_email)
-FLEET_SA_PW=$(lookup_pillar_secret fleet_sa_password)
-docker exec so-fleet fleetctl setup --email $FLEET_SA_EMAIL --password $FLEET_SA_PW --name SO_ServiceAccount --org-name SO
-
-# Create User Account
-echo "$USER_PW" | so-fleet-user-add "$USER_EMAIL"
-
-# Import Packs & Configs
-docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
-docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
-docker exec so-fleet fleetctl apply -f /packs/so/so-default.yml
-docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
-docker exec so-fleet fleetctl apply -f /packs/osquery-config.conf
-
-
-# Update the Enroll Secret
-echo "Updating the Enroll Secret..."
-salt-call state.apply fleet.event_update-enroll-secret queue=True >> /root/fleet-setup.log
-salt-call state.apply nginx queue=True >> /root/fleet-setup.log
-
-# Generate osquery install packages
-echo "Generating osquery install packages - this will take some time..."
-salt-call state.apply fleet.event_gen-packages queue=True >> /root/fleet-setup.log
-sleep 120
-
-echo "Installing launcher via salt..."
-salt-call state.apply fleet.install_package queue=True >> /root/fleet-setup.log
-salt-call state.apply filebeat queue=True >> /root/fleet-setup.log
-docker stop so-nginx
-salt-call state.apply nginx queue=True >> /root/fleet-setup.log
-
-echo "Fleet Setup Complete - Login with the username and password you ran the script with."
diff --git a/salt/common/tools/sbin/so-fleet-start b/salt/common/tools/sbin/so-fleet-start
deleted file mode 100755
index cf51f51a6..000000000
--- a/salt/common/tools/sbin/so-fleet-start
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-start fleet $1
diff --git a/salt/common/tools/sbin/so-fleet-stop b/salt/common/tools/sbin/so-fleet-stop
deleted file mode 100755
index 6ca6d9750..000000000
--- a/salt/common/tools/sbin/so-fleet-stop
+++ /dev/null
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-. /usr/sbin/so-common
-
-/usr/sbin/so-stop fleet $1
diff --git a/salt/common/tools/sbin/so-fleet-user-add b/salt/common/tools/sbin/so-fleet-user-add
deleted file mode 100755
index 4c0f2105e..000000000
--- a/salt/common/tools/sbin/so-fleet-user-add
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/bin/bash
-#
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-. /usr/sbin/so-common
-
-usage() {
- echo "Usage: $0 "
- echo ""
- echo "Adds a new user to Fleet. The new password will be read from STDIN."
- exit 1
-}
-
-if [ $# -ne 1 ]; then
- usage
-fi
-
-
-USER_EMAIL=$1
-FLEET_SA_EMAIL=$(lookup_pillar_secret fleet_sa_email)
-FLEET_SA_PW=$(lookup_pillar_secret fleet_sa_password)
-MYSQL_PW=$(lookup_pillar_secret mysql)
-
-# Read password for new user from stdin
-test -t 0
-if [[ $? == 0 ]]; then
- echo "Enter new password:"
-fi
-read -rs USER_PASS
-
-check_password_and_exit "$USER_PASS"
-
-# Config fleetctl & login with the SO Service Account
-CONFIG_OUTPUT=$(docker exec so-fleet fleetctl config set --address https://127.0.0.1:8080 --tls-skip-verify --url-prefix /fleet 2>&1 )
-SALOGIN_OUTPUT=$(docker exec so-fleet fleetctl login --email $FLEET_SA_EMAIL --password $FLEET_SA_PW 2>&1)
-
-if [[ $? -ne 0 ]]; then
- echo "Unable to add user to Fleet; Fleet Service account login failed"
- echo "$SALOGIN_OUTPUT"
- exit 2
-fi
-
-# Create New User
-CREATE_OUTPUT=$(docker exec so-fleet fleetctl user create --email $USER_EMAIL --name $USER_EMAIL --password $USER_PASS --global-role admin 2>&1)
-
-if [[ $?
-eq 0 ]]; then
- echo "Successfully added user to Fleet"
-else
- echo "Unable to add user to Fleet; user might already exist"
- echo "$CREATE_OUTPUT"
- exit 2
-fi
-
-# Disable forced password reset
-MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PW fleet -e \
-"UPDATE users SET admin_forced_password_reset = 0 WHERE email = '$USER_EMAIL'" 2>&1)
diff --git a/salt/common/tools/sbin/so-fleet-user-delete b/salt/common/tools/sbin/so-fleet-user-delete
deleted file mode 100644
index d02bc3ab3..000000000
--- a/salt/common/tools/sbin/so-fleet-user-delete
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/bin/bash
-#
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-. /usr/sbin/so-common
-
-usage() {
- echo "Usage: $0 "
- echo ""
- echo "Deletes a user in Fleet"
- exit 1
-}
-
-if [ $# -ne 1 ]; then
- usage
-fi
-
-USER_EMAIL=$1
-FLEET_SA_EMAIL=$(lookup_pillar_secret fleet_sa_email)
-FLEET_SA_PW=$(lookup_pillar_secret fleet_sa_password)
-
-# Config fleetctl & login with the SO Service Account
-CONFIG_OUTPUT=$(docker exec so-fleet fleetctl config set --address https://127.0.0.1:8080 --tls-skip-verify --url-prefix /fleet 2>&1 )
-SALOGIN_OUTPUT=$(docker exec so-fleet fleetctl login --email $FLEET_SA_EMAIL --password $FLEET_SA_PW 2>&1)
-
-if [[ $? -ne 0 ]]; then
- echo "Unable to delete user from Fleet; Fleet Service account login failed"
- echo "$SALOGIN_OUTPUT"
- exit 2
-fi
-
-# Delete User
-DELETE_OUTPUT=$(docker exec so-fleet fleetctl user delete --email $USER_EMAIL 2>&1)
-
-if [[ $? -eq 0 ]]; then
- echo "Successfully deleted user from Fleet"
-else
- echo "Unable to delete user from Fleet"
- echo "$DELETE_OUTPUT"
- exit 2
-fi
-
-
diff --git a/salt/common/tools/sbin/so-fleet-user-update b/salt/common/tools/sbin/so-fleet-user-update
deleted file mode 100755
index 36d4b2250..000000000
--- a/salt/common/tools/sbin/so-fleet-user-update
+++ /dev/null
@@ -1,75 +0,0 @@
-#!/bin/bash
-#
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-. /usr/sbin/so-common
-
-usage() {
- echo "Usage: $0 "
- echo ""
- echo "Update password for an existing Fleet user. The new password will be read from STDIN."
- exit 1
-}
-
-if [ $# -ne 1 ]; then
- usage
-fi
-
-USER=$1
-
-MYSQL_PASS=$(lookup_pillar_secret mysql)
-FLEET_IP=$(lookup_pillar fleet_ip)
-FLEET_USER=$USER
-
-# test existence of user
-MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \
- "SELECT count(1) FROM users WHERE email='$FLEET_USER'" 2>/dev/null | tail -1)
-if [[ $? -ne 0 ]] || [[ $MYSQL_OUTPUT -ne 1 ]] ; then
- echo "Test for email [${FLEET_USER}] failed"
- echo " expect 1 hit in users database, return $MYSQL_OUTPUT hit(s)."
- echo "Unable to update Fleet user password."
- exit 2
-fi
-
-# Read password for new user from stdin
-test -t 0
-if [[ $? == 0 ]]; then
- echo "Enter new password:"
-fi
-read -rs FLEET_PASS
-
-if ! check_password "$FLEET_PASS"; then
- echo "Password is invalid. Please exclude single quotes, double quotes, dollar signs, and backslashes from the password."
- exit 2
-fi
-
-FLEET_HASH=$(docker exec so-soctopus python -c "import bcrypt; print(bcrypt.hashpw('$FLEET_PASS'.encode('utf-8'), bcrypt.gensalt()).decode('utf-8'));" 2>&1)
-if [[ $?
-ne 0 ]]; then
- echo "Failed to generate Fleet password hash"
- exit 2
-fi
-
-
-MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \
- "UPDATE users SET password='$FLEET_HASH', salt='' where email='$FLEET_USER'" 2>&1)
-
-if [[ $? -eq 0 ]]; then
- echo "Successfully updated Fleet user password"
-else
- echo "Unable to update Fleet user password"
- echo "$MYSQL_OUTPUT"
- exit 2
-fi
diff --git a/salt/common/tools/sbin/so-grafana-restart b/salt/common/tools/sbin/so-grafana-restart
index e82d80ba1..f8fbcb9c1 100755
--- a/salt/common/tools/sbin/so-grafana-restart
+++ b/salt/common/tools/sbin/so-grafana-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-grafana-start b/salt/common/tools/sbin/so-grafana-start
index be885aafa..dfea3b8dc 100755
--- a/salt/common/tools/sbin/so-grafana-start
+++ b/salt/common/tools/sbin/so-grafana-start
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-grafana-stop b/salt/common/tools/sbin/so-grafana-stop
index 50028231b..62552f17f 100755
--- a/salt/common/tools/sbin/so-grafana-stop
+++ b/salt/common/tools/sbin/so-grafana-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-idh-restart b/salt/common/tools/sbin/so-idh-restart
index ce6dd9843..78d760897 100644
--- a/salt/common/tools/sbin/so-idh-restart
+++ b/salt/common/tools/sbin/so-idh-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-idh-start b/salt/common/tools/sbin/so-idh-start
index 2f300ba01..6d2fc4eee 100644
--- a/salt/common/tools/sbin/so-idh-start
+++ b/salt/common/tools/sbin/so-idh-start
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-idh-stop b/salt/common/tools/sbin/so-idh-stop index 48e974be2..488c2eb0d 100644 --- a/salt/common/tools/sbin/so-idh-stop +++ b/salt/common/tools/sbin/so-idh-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-idstools-restart b/salt/common/tools/sbin/so-idstools-restart index 5a247a589..f2abbd0a5 100755 --- a/salt/common/tools/sbin/so-idstools-restart +++ b/salt/common/tools/sbin/so-idstools-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-idstools-start b/salt/common/tools/sbin/so-idstools-start index 1ee9f2e9d..e17b5e521 100755 --- a/salt/common/tools/sbin/so-idstools-start +++ b/salt/common/tools/sbin/so-idstools-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-idstools-stop b/salt/common/tools/sbin/so-idstools-stop index 546cd681a..f2d188d06 100755 --- a/salt/common/tools/sbin/so-idstools-stop +++ b/salt/common/tools/sbin/so-idstools-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index 00d4233d0..b29f4bd45 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # NOTE: This script depends on so-common IMAGEREPO=security-onion-solutions @@ -32,7 +24,6 @@ container_list() { if [ $MANAGERCHECK == 'so-import' ]; then TRUSTED_CONTAINERS=( - "so-acng" "so-elasticsearch" "so-filebeat" "so-idstools" @@ -47,13 +38,10 @@ container_list() { ) elif [ $MANAGERCHECK != 'so-helix' ]; then TRUSTED_CONTAINERS=( - "so-acng" "so-curator" "so-elastalert" "so-elasticsearch" "so-filebeat" - "so-fleet" - "so-fleet-launcher" "so-grafana" "so-idh" "so-idstools" @@ -75,7 +63,6 @@ container_list() { "so-strelka-manager" "so-suricata" "so-telegraf" - "so-wazuh" "so-zeek" ) else diff --git a/salt/common/tools/sbin/so-image-pull b/salt/common/tools/sbin/so-image-pull index 9bc87d310..915547c8e 100755 --- a/salt/common/tools/sbin/so-image-pull +++ b/salt/common/tools/sbin/so-image-pull 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common . /usr/sbin/so-image-common diff --git a/salt/common/tools/sbin/so-import-evtx b/salt/common/tools/sbin/so-import-evtx index 4737a2419..522816df7 100755 --- a/salt/common/tools/sbin/so-import-evtx +++ b/salt/common/tools/sbin/so-import-evtx 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {%- set MANAGER = salt['grains.get']('master') %} {%- set VERSION = salt['pillar.get']('global:soversion') %} diff --git a/salt/common/tools/sbin/so-import-pcap b/salt/common/tools/sbin/so-import-pcap index 04a177e0b..4dad845f0 100755 --- a/salt/common/tools/sbin/so-import-pcap +++ b/salt/common/tools/sbin/so-import-pcap 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {%- set MANAGER = salt['grains.get']('master') %} {%- set VERSION = salt['pillar.get']('global:soversion') %} diff --git a/salt/common/tools/sbin/so-index-list b/salt/common/tools/sbin/so-index-list index a71c5f280..1e4595b35 100755 --- a/salt/common/tools/sbin/so-index-list +++ b/salt/common/tools/sbin/so-index-list 
@@ -1,18 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -{{ ELASTICCURL }} -X GET -k -L "https://localhost:9200/_cat/indices?v&s=index" + + +curl -K /opt/so/conf/elasticsearch/curl.config-X GET -k -L "https://localhost:9200/_cat/indices?v&s=index" diff --git a/salt/common/tools/sbin/so-influxdb-clean b/salt/common/tools/sbin/so-influxdb-clean index 0cbaf91d3..1b903bbe5 100755 --- a/salt/common/tools/sbin/so-influxdb-clean +++ b/salt/common/tools/sbin/so-influxdb-clean 
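Review bot: The rewritten curl line appears to be missing a space between the config path and `-X` (`curl -K /opt/so/conf/elasticsearch/curl.config-X GET ...`), so curl would look for a config file named `curl.config-X` and treat `GET` as a URL; unless this is a rendering artifact of the page, it should read `curl -K /opt/so/conf/elasticsearch/curl.config -X GET -k -L "https://localhost:9200/_cat/indices?v&s=index"`. The line also keeps `-k`, which disables certificate verification for the Elasticsearch connection; if curl.config now carries what `{{ ELASTICCURL }}` used to expand to, consider putting the CA reference (`cacert`) in that file as well so `-k` can be dropped from the individual scripts.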
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-influxdb-downsample b/salt/common/tools/sbin/so-influxdb-downsample index 85af5c1b4..ef44cd91d 100755 --- a/salt/common/tools/sbin/so-influxdb-downsample +++ b/salt/common/tools/sbin/so-influxdb-downsample 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {%- set role = grains.id.split('_') | last %} {%- if role in ['manager', 'managersearch', 'eval', 'standalone'] %} {%- import_yaml 'influxdb/defaults.yaml' as default_settings %} diff --git a/salt/common/tools/sbin/so-influxdb-drop-autogen b/salt/common/tools/sbin/so-influxdb-drop-autogen index 788d166b7..5fe7b6e73 100755 --- a/salt/common/tools/sbin/so-influxdb-drop-autogen +++ b/salt/common/tools/sbin/so-influxdb-drop-autogen 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-influxdb-restart b/salt/common/tools/sbin/so-influxdb-restart index f8a2590eb..0d478e58d 100755 --- a/salt/common/tools/sbin/so-influxdb-restart +++ b/salt/common/tools/sbin/so-influxdb-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-influxdb-start b/salt/common/tools/sbin/so-influxdb-start index aba50fab5..a7b4e25e5 100755 --- a/salt/common/tools/sbin/so-influxdb-start +++ b/salt/common/tools/sbin/so-influxdb-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-influxdb-stop b/salt/common/tools/sbin/so-influxdb-stop index fa85f0bfc..53a91d9d7 100755 --- a/salt/common/tools/sbin/so-influxdb-stop +++ b/salt/common/tools/sbin/so-influxdb-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-kibana-config-export b/salt/common/tools/sbin/so-kibana-config-export index 6013dd3b7..1c15fc54c 100755 --- a/salt/common/tools/sbin/so-kibana-config-export +++ b/salt/common/tools/sbin/so-kibana-config-export 
@@ -5,27 +5,19 @@ # {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', '') %} # {%- set MANAGER = salt['pillar.get']('global:url_base', '') %} # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. 
+ + KIBANA_HOST={{ MANAGER }} KSO_PORT=5601 OUTFILE="saved_objects.ndjson" -SESSIONCOOKIE=$({{ ELASTICCURL }} -c - -X GET http://$KIBANA_HOST:$KSO_PORT/ | grep sid | awk '{print $7}') -{{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST -L $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE +SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://$KIBANA_HOST:$KSO_PORT/ | grep sid | awk '{print $7}') +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST -L $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE # Clean up using PLACEHOLDER sed -i "s/$KIBANA_HOST/PLACEHOLDER/g" $OUTFILE diff --git a/salt/common/tools/sbin/so-kibana-restart b/salt/common/tools/sbin/so-kibana-restart index e43bba87f..d7de55b7f 100755 --- a/salt/common/tools/sbin/so-kibana-restart +++ b/salt/common/tools/sbin/so-kibana-restart 
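Review bot: The rewritten SESSIONCOOKIE line still does not check that a cookie was actually obtained: if the curl call to `http://$KIBANA_HOST:$KSO_PORT/` fails, `grep sid | awk '{print $7}'` yields an empty string and the export request on the next line runs anyway, leaving an error body in saved_objects.ndjson. A guard such as `[ -n "$SESSIONCOOKIE" ] || { echo "Failed to obtain Kibana session cookie" >&2; exit 1; }` after that line would make the failure visible; the same applies to the SESSIONCOOKIE line in the so-kibana-space-defaults hunk. Separately, KIBANA_HOST is set from the `global:url_base` pillar and the request is plain http; if /opt/so/conf/elasticsearch/curl.config carries credentials (the file is not shown here), they are sent in clear to that host, so it is worth confirming that url_base resolves locally or that the path is otherwise protected.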
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-kibana-savedobjects-defaults b/salt/common/tools/sbin/so-kibana-savedobjects-defaults index b27830a29..5c218e272 100755 --- a/salt/common/tools/sbin/so-kibana-savedobjects-defaults +++ b/salt/common/tools/sbin/so-kibana-savedobjects-defaults 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-kibana-space-defaults b/salt/common/tools/sbin/so-kibana-space-defaults index b52e609dc..9175a36bc 100755 --- a/salt/common/tools/sbin/so-kibana-space-defaults +++ b/salt/common/tools/sbin/so-kibana-space-defaults 
@@ -1,18 +1,18 @@ #!/bin/bash . /usr/sbin/so-common {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} -wait_for_web_response "http://localhost:5601/api/spaces/space/default" "default" 300 "{{ ELASTICCURL }}" +wait_for_web_response "http://localhost:5601/api/spaces/space/default" "default" 300 "curl -K /opt/so/conf/elasticsearch/curl.config" ## This hackery will be removed if using Elastic Auth ## # Let's snag a cookie from Kibana -SESSIONCOOKIE=$({{ ELASTICCURL }} -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') +SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') # Disable certain Features from showing up in the Kibana UI echo echo "Setting up default Space:" {% if HIGHLANDER %} -{{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log {% else %} -{{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet","fleetv2","securitySolutionCases"]} ' >> /opt/so/log/kibana/misc.log +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' 
{"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet","fleetv2","securitySolutionCases"]} ' >> /opt/so/log/kibana/misc.log {% endif %} echo diff --git a/salt/common/tools/sbin/so-kibana-start b/salt/common/tools/sbin/so-kibana-start index 947d3f61a..d553ca575 100755 --- a/salt/common/tools/sbin/so-kibana-start +++ b/salt/common/tools/sbin/so-kibana-start @@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-kibana-stop b/salt/common/tools/sbin/so-kibana-stop index 2cd20bd43..697ae95b1 100755 --- a/salt/common/tools/sbin/so-kibana-stop +++ b/salt/common/tools/sbin/so-kibana-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-learn b/salt/common/tools/sbin/so-learn index 39e384862..2b766c738 100755 --- a/salt/common/tools/sbin/so-learn +++ b/salt/common/tools/sbin/so-learn 
@@ -1,19 +1,11 @@ #!/usr/bin/env python3 -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + from itertools import chain from typing import List diff --git a/salt/common/tools/sbin/so-logstash-get-parsed b/salt/common/tools/sbin/so-logstash-get-parsed index 394e17007..1575010ac 100755 --- a/salt/common/tools/sbin/so-logstash-get-parsed +++ b/salt/common/tools/sbin/so-logstash-get-parsed 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-logstash-get-unparsed b/salt/common/tools/sbin/so-logstash-get-unparsed index 394e17007..1575010ac 100755 --- a/salt/common/tools/sbin/so-logstash-get-unparsed +++ b/salt/common/tools/sbin/so-logstash-get-unparsed 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-logstash-restart b/salt/common/tools/sbin/so-logstash-restart index 4ecd75471..a0f0d7923 100755 --- a/salt/common/tools/sbin/so-logstash-restart +++ b/salt/common/tools/sbin/so-logstash-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-logstash-start b/salt/common/tools/sbin/so-logstash-start index a89dc1bc7..d36a475ae 100755 --- a/salt/common/tools/sbin/so-logstash-start +++ b/salt/common/tools/sbin/so-logstash-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-logstash-stop b/salt/common/tools/sbin/so-logstash-stop index e21317fe2..efebd22bb 100755 --- a/salt/common/tools/sbin/so-logstash-stop +++ b/salt/common/tools/sbin/so-logstash-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-minion b/salt/common/tools/sbin/so-minion new file mode 100755 index 000000000..858d2706c --- /dev/null +++ b/salt/common/tools/sbin/so-minion 
@@ -0,0 +1,258 @@ +#!/bin/bash + +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + +. /usr/sbin/so-common + +if [[ $# -lt 1 ]]; then + echo "Usage: $0 -o= -m=[id]" + echo "" + echo " where is one of the following:" + echo "" + echo " list: Lists all keys with hashes" + echo " accept: Accepts a new key and adds the minion files" + echo " delete: Removes the key and deletes the minion files" + echo " reject: Rejects a key" + echo "" + exit 1 +fi + +for i in "$@"; do + case $i in + -o=*|--operation=*) + OPERATION="${i#*=}" + shift + ;; + -m=*|--minionid=*) + MINION_ID="${i#*=}" + shift + ;; + -e=*|--esheap=*) + ES_HEAP_SIZE="${i#*=}" + shift + ;; + -n=*|--mgmtnic=*) + MNIC="${i#*=}" + shift + ;; + -d=*|--description=*) + NODE_DESCRIPTION="${i#*=}" + shift + ;; + -a=*|--monitor=*) + INTERFACE="${i#*=}" + shift + ;; + -i=*|--ip=*) + MAINIP="${i#*=}" + shift + ;; + -*|--*) + echo "Unknown option $i" + exit 1 + ;; + *) + ;; + esac +done + +PILLARFILE=/opt/so/saltstack/local/pillar/minions/$MINION_ID.sls +ADVPILLARFILE=/opt/so/saltstack/local/pillar/minions/adv_$MINION_ID.sls + +function getinstallinfo() { + # Pull from file + INSTALLVARS=$(sudo salt "$MINION_ID" cp.get_file_str /opt/so/install.txt --out=newline_values_only) + source <(echo $INSTALLVARS) +} + +function listminions() { + salt-key list -F --out=json + exit $? +} + +function rejectminion() { + salt-key -y -r $MINION_ID + exit $? 
+} + +function acceptminion() { + salt-key -y -a $MINION_ID +} + +function deleteminion() { + salt-key -y -d $MINION_ID +} + +function deleteminionfiles () { + rm -f $PILLARFILE + rm -f $ADVPILLARFILE +} + +# Create the minion file +function create_minion_files() { + mkdir -p /opt/so/saltstack/local/pillar/minions + touch $ADVPILLARFILE + if [ -f "$PILLARFILE" ]; then + rm $PILLARFILE + fi +} + +# Add Elastic settings to the minion file +function add_elastic_to_minion() { + printf '%s\n'\ + "elasticsearch:"\ + " esheap: '$ES_HEAP_SIZE'"\ + " config:"\ + " node:"\ + " attr:"\ + " box_type: hot"\ + " " >> $PILLARFILE +} + +# Analyst Workstation +function add_analyst_to_minion() { + printf '%s\n'\ + "host:"\ + " mainint: '$MNIC'"\ + "workstation:"\ + " gui:"\ + " enabled: true"\ + "sensoroni:"\ + " node_description: '${NODE_DESCRIPTION//\'/''}'" >> $PILLARFILE +} + +# Add basic host info to the minion file +function add_host_to_minion() { + printf '%s\n'\ + "host:"\ + " mainip: '$MAINIP'"\ + " mainint: '$MNIC'" >> $PILLARFILE +} + +# Add sensoroni specific information - Can we pull node_adrees from the host pillar? +function add_sensoroni_to_minion() { + + printf '%s\n'\ + "sensoroni:"\ + " node_description: '${NODE_DESCRIPTION//\'/''}'"\ + " " >> $PILLARFILE +} + +# Patch pillar settings. 
+function add_patch_pillar_to_minion() { + + printf '%s\n'\ + "patch:"\ + " os:"\ + " source: '$source'"\ + " schedule_name: '$PATCHSCHEDULENAME'"\ + " enabled: True"\ + " splay: 300"\ + "" >> $PILLARFILE + +} + +# Sensor settings for the minion pillar +function add_sensor_to_minion() { + echo "sensor:" >> $PILLARFILE + echo " interface: '$INTERFACE'" >> $PILLARFILE + echo " zeekpin: False" >> $PILLARFILE + echo " zeekpins:" >> $PILLARFILE + echo " - 1" >> $PILLARFILE + echo " zeek_lbprocs: $CORECOUNT" >> $PILLARFILE + echo " suripin: False" >> $PILLARFILE + echo " suripins:" >> $PILLARFILE + echo " - 2" >> $PILLARFILE + echo " suriprocs: $CORECOUNT" >> $PILLARFILE + echo " mtu: 9000" >> $PILLARFILE + echo " uniqueid: $(date '+%s')" >> $PILLARFILE + echo "steno:" >> $PILLARFILE + echo " stenopin: False" >> $PILLARFILE + echo " stenopins:" >> $PILLARFILE + echo " - 3" >> $PILLARFILE + echo " enabled: True" >> $PILLARFILE + echo " disks:" >> $PILLARFILE + echo " - '/some/path'" >> $PILLARFILE +} + +function createSTANDALONE() { + add_elastic_to_minion + add_sensor_to_minion +} + +function createMASTER() { + add_elastic_to_minion +} + +function createMASTERSEARCH() { + add_elastic_to_minion +} + +function createHEAVYNODE() { + add_elastic_to_minion + add_sensor_to_minion +} + +function createEVAL() { + add_elastic_to_minion + add_sensor_to_minion +} + +function createSENSOR() { + add_sensor_to_minion +} + +function createSEARCHNODE() { + add_elastic_to_minion +} + +function createIDHNODE() { + echo "Nothing custom needed for IDH nodes" +} + +function testConnection() { + salt "$MINION_ID" test.ping + local ret=$? + if [[ $ret != 0 ]]; then + echo "The Minion has been accepted but is not online. 
Try again later" + exit 1 + fi +} + +if [[ "$OPERATION" = 'list' ]]; then + listminions +fi + +if [[ "$OPERATION" = 'delete' ]]; then + deleteminionfiles + deleteminion +fi + +if [[ "$OPERATION" = 'add' || "$OPERATION" = 'setup' ]]; then + # Skip this if its setup + if [ $OPERATION != 'setup' ]; then + # Accept the salt key + acceptminion + # Let the keys echange + sleep 3 + # Need logic here to try and salt ping.. If it doesn't work need to do something + testConnection + # Pull the info from the file to build what is needed + getinstallinfo + fi + # Check to see if nodetype is set + if [ -z $NODETYPE ]; then + echo "No node type specified" + exit 1 + fi + create_minion_files + add_host_to_minion + add_patch_pillar_to_minion + add_sensoroni_to_minion + create$NODETYPE + echo "Minion file created for $MINION_ID" +fi diff --git a/salt/common/tools/sbin/so-mysql-restart b/salt/common/tools/sbin/so-mysql-restart index aee13c1ef..8c0583232 100755 --- a/salt/common/tools/sbin/so-mysql-restart +++ b/salt/common/tools/sbin/so-mysql-restart 
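Review bot: `getinstallinfo` runs `source <(echo $INSTALLVARS)` on the contents of `/opt/so/install.txt` fetched from the minion via `cp.get_file_str`, which executes whatever the minion placed in that file on the master (apparently as root, given the `salt-key` calls), so a host whose key was just accepted can run commands on the master before any of its pillar data is reviewed. In the `add` path `acceptminion` runs before `getinstallinfo`, so the operator's decision on the key is the only gate, and it is not a review of the file's contents. Parse the file as key=value pairs instead, keep only the names this script actually reads (`NODETYPE`, `CORECOUNT`, `PATCHSCHEDULENAME`, `source`), and reject values outside a safe character set, as in the rewrite below (widen the pattern if a field legitimately needs other characters). `MINION_ID` also reaches `rm -f $PILLARFILE` and `salt-key -y -d $MINION_ID` unquoted and unvalidated, so `-m=../x` or `-m='*'` removes files or keys beyond the intended minion; add `[[ $MINION_ID =~ ^[A-Za-z0-9._-]+$ ]] || { echo "Invalid minion id"; exit 1; }` right after option parsing and quote those expansions. Even with the allowlist, `create$NODETYPE` dispatches on a minion-chosen name, so guard it with `declare -F "create$NODETYPE" >/dev/null || { echo "Unknown node type $NODETYPE"; exit 1; }` before the call.
```shell
function getinstallinfo() {
  # Fetch the minion's install.txt but never execute it: the minion controls its contents.
  INSTALLVARS=$(sudo salt "$MINION_ID" cp.get_file_str /opt/so/install.txt --out=newline_values_only)
  local line key val
  while IFS= read -r line; do
    [[ $line == *=* ]] || continue
    key=${line%%=*}
    val=${line#*=}
    # tolerate KEY="value" / KEY='value' as a sourced file would
    val=${val#\"}; val=${val%\"}; val=${val#\'}; val=${val%\'}
    case $key in
      NODETYPE|CORECOUNT|PATCHSCHEDULENAME|source) ;;
      *) continue ;;   # ignore anything this script does not read
    esac
    if [[ ! $val =~ ^[A-Za-z0-9._:/-]+$ ]]; then
      echo "Rejecting unsafe value for $key in install.txt"
      exit 1
    fi
    printf -v "$key" '%s' "$val"
  done <<< "$INSTALLVARS"
}
```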
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-mysql-start b/salt/common/tools/sbin/so-mysql-start index 67201a606..e68536809 100755 --- a/salt/common/tools/sbin/so-mysql-start +++ b/salt/common/tools/sbin/so-mysql-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-mysql-stop b/salt/common/tools/sbin/so-mysql-stop index c46212048..58f6072f2 100755 --- a/salt/common/tools/sbin/so-mysql-stop +++ b/salt/common/tools/sbin/so-mysql-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-nginx-restart b/salt/common/tools/sbin/so-nginx-restart index 9c830be0a..d17e76bd4 100755 --- a/salt/common/tools/sbin/so-nginx-restart +++ b/salt/common/tools/sbin/so-nginx-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-nginx-start b/salt/common/tools/sbin/so-nginx-start index fafcac307..d8b7c829f 100755 --- a/salt/common/tools/sbin/so-nginx-start +++ b/salt/common/tools/sbin/so-nginx-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-nginx-stop b/salt/common/tools/sbin/so-nginx-stop index 2b13fe3a3..48ca098c8 100755 --- a/salt/common/tools/sbin/so-nginx-stop +++ b/salt/common/tools/sbin/so-nginx-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-nodered-restart b/salt/common/tools/sbin/so-nodered-restart index 1c61b879f..06060b764 100755 --- a/salt/common/tools/sbin/so-nodered-restart +++ b/salt/common/tools/sbin/so-nodered-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-nodered-start b/salt/common/tools/sbin/so-nodered-start index fc7a12dee..f5ab36c80 100755 --- a/salt/common/tools/sbin/so-nodered-start +++ b/salt/common/tools/sbin/so-nodered-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-nodered-stop b/salt/common/tools/sbin/so-nodered-stop index f56559f48..0286a175c 100755 --- a/salt/common/tools/sbin/so-nodered-stop +++ b/salt/common/tools/sbin/so-nodered-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-nsm-clear b/salt/common/tools/sbin/so-nsm-clear index 1a126766a..3d9596238 100755 --- a/salt/common/tools/sbin/so-nsm-clear +++ b/salt/common/tools/sbin/so-nsm-clear 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common SKIP=0 diff --git a/salt/common/tools/sbin/so-pcap-export b/salt/common/tools/sbin/so-pcap-export index 25b89d4b7..6f13f01c5 100755 --- a/salt/common/tools/sbin/so-pcap-export +++ b/salt/common/tools/sbin/so-pcap-export 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + if [ $# -lt 2 ]; then echo "Usage: $0 Output-Filename" diff --git a/salt/common/tools/sbin/so-pcap-import b/salt/common/tools/sbin/so-pcap-import index 4b6f31ada..e69e3657b 100755 --- a/salt/common/tools/sbin/so-pcap-import +++ b/salt/common/tools/sbin/so-pcap-import 
@@ -1,18 +1,10 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + $(dirname $0)/so-import-pcap $@ diff --git a/salt/common/tools/sbin/so-pcap-restart b/salt/common/tools/sbin/so-pcap-restart index d9e0d1d00..a35ed5aa2 100755 --- a/salt/common/tools/sbin/so-pcap-restart +++ b/salt/common/tools/sbin/so-pcap-restart 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-pcap-start b/salt/common/tools/sbin/so-pcap-start index 4f6cc59c5..b65a35087 100755 --- a/salt/common/tools/sbin/so-pcap-start +++ b/salt/common/tools/sbin/so-pcap-start 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-pcap-stop b/salt/common/tools/sbin/so-pcap-stop index 23524e4a9..8f43841be 100755 --- a/salt/common/tools/sbin/so-pcap-stop +++ b/salt/common/tools/sbin/so-pcap-stop 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-playbook-import b/salt/common/tools/sbin/so-playbook-import index 6e4316398..d775656a1 100755 --- a/salt/common/tools/sbin/so-playbook-import +++ b/salt/common/tools/sbin/so-playbook-import 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-playbook-reset b/salt/common/tools/sbin/so-playbook-reset index 927d2ef9c..0ece18b54 100755 --- a/salt/common/tools/sbin/so-playbook-reset +++ b/salt/common/tools/sbin/so-playbook-reset 
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-playbook-restart b/salt/common/tools/sbin/so-playbook-restart
index b4f9aaab8..c59e7f7eb 100755
--- a/salt/common/tools/sbin/so-playbook-restart
+++ b/salt/common/tools/sbin/so-playbook-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-playbook-ruleupdate b/salt/common/tools/sbin/so-playbook-ruleupdate
index 1d8479e8c..cbfe72bce 100755
--- a/salt/common/tools/sbin/so-playbook-ruleupdate
+++ b/salt/common/tools/sbin/so-playbook-ruleupdate
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-playbook-sigma-refresh b/salt/common/tools/sbin/so-playbook-sigma-refresh
index 76873b3d5..fefd4ca68 100755
--- a/salt/common/tools/sbin/so-playbook-sigma-refresh
+++ b/salt/common/tools/sbin/so-playbook-sigma-refresh
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-playbook-start b/salt/common/tools/sbin/so-playbook-start
index 0075e7ae8..070bcc4f7 100755
--- a/salt/common/tools/sbin/so-playbook-start
+++ b/salt/common/tools/sbin/so-playbook-start
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-playbook-stop b/salt/common/tools/sbin/so-playbook-stop
index d1751a2aa..64ce83b2b 100755
--- a/salt/common/tools/sbin/so-playbook-stop
+++ b/salt/common/tools/sbin/so-playbook-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-playbook-sync b/salt/common/tools/sbin/so-playbook-sync
index c2d20766e..7f6ba4e31 100755
--- a/salt/common/tools/sbin/so-playbook-sync
+++ b/salt/common/tools/sbin/so-playbook-sync
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-raid-status b/salt/common/tools/sbin/so-raid-status
index 4729246dd..c5ac5fac6 100755
--- a/salt/common/tools/sbin/so-raid-status
+++ b/salt/common/tools/sbin/so-raid-status
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-redis-count b/salt/common/tools/sbin/so-redis-count
index fda16d95d..e90e0754e 100755
--- a/salt/common/tools/sbin/so-redis-count
+++ b/salt/common/tools/sbin/so-redis-count
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-redis-restart b/salt/common/tools/sbin/so-redis-restart
index 0406b8cbf..05d7d4823 100755
--- a/salt/common/tools/sbin/so-redis-restart
+++ b/salt/common/tools/sbin/so-redis-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-redis-start b/salt/common/tools/sbin/so-redis-start
index 2af62dd3e..249f420ae 100755
--- a/salt/common/tools/sbin/so-redis-start
+++ b/salt/common/tools/sbin/so-redis-start
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-redis-stop b/salt/common/tools/sbin/so-redis-stop
index 3041f2f2f..f355e46d1 100755
--- a/salt/common/tools/sbin/so-redis-stop
+++ b/salt/common/tools/sbin/so-redis-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-restart b/salt/common/tools/sbin/so-restart
index dda4baf57..3790625f7 100755
--- a/salt/common/tools/sbin/so-restart
+++ b/salt/common/tools/sbin/so-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 # Usage: so-restart filebeat | kibana | playbook
diff --git a/salt/common/tools/sbin/so-rule b/salt/common/tools/sbin/so-rule
index 603a6cae9..19618c9f5 100755
--- a/salt/common/tools/sbin/so-rule
+++ b/salt/common/tools/sbin/so-rule
@@ -1,19 +1,11 @@
 #!/usr/bin/env python3
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 """ Local exit codes:
diff --git a/salt/common/tools/sbin/so-salt-minion-check b/salt/common/tools/sbin/so-salt-minion-check
index 95d4a40ae..47d3bb7e1 100755
--- a/salt/common/tools/sbin/so-salt-minion-check
+++ b/salt/common/tools/sbin/so-salt-minion-check
@@ -2,20 +2,12 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 # this script checks the time the file /opt/so/log/salt/state-apply-test was last modified and restarts the salt-minion service if it is outside a threshold date/time
 # the file is modified via file.touch using a scheduled job healthcheck.salt-minion.state-apply-test that runs a state.apply.
diff --git a/salt/common/tools/sbin/so-salt-start b/salt/common/tools/sbin/so-salt-start
index b332eb1c4..4d72ce923 100755
--- a/salt/common/tools/sbin/so-salt-start
+++ b/salt/common/tools/sbin/so-salt-start
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-salt-stop b/salt/common/tools/sbin/so-salt-stop
index 8a7cff146..6b251ecd0 100755
--- a/salt/common/tools/sbin/so-salt-stop
+++ b/salt/common/tools/sbin/so-salt-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-saltstack-update b/salt/common/tools/sbin/so-saltstack-update
index 81b00ace5..b15fce008 100755
--- a/salt/common/tools/sbin/so-saltstack-update
+++ b/salt/common/tools/sbin/so-saltstack-update
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 default_salt_dir=/opt/so/saltstack/default
 clone_to_tmp() {
diff --git a/salt/common/tools/sbin/so-sensor-clean b/salt/common/tools/sbin/so-sensor-clean
index 624ff8106..472663bb1 100755
--- a/salt/common/tools/sbin/so-sensor-clean
+++ b/salt/common/tools/sbin/so-sensor-clean
@@ -2,20 +2,11 @@
 # Delete Zeek Logs based on defined CRIT_DISK_USAGE value
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 SENSOR_DIR='/nsm'
 CRIT_DISK_USAGE=90
@@ -81,23 +72,6 @@ clean() {
 done
 fi
-    # Clean Wazuh archives
-    # Slightly different code since we have 2 files to remove (.json and .log)
-    WAZUH_ARCHIVE='/nsm/wazuh/logs/archives'
-    OLDEST_WAZUH=$(find $WAZUH_ARCHIVE -type f ! -name "archives.json" -printf "%T+\t%p\n" | sort -n | awk '{print $1}' | head -n 1)
-    # Make sure we don't delete the current files
-    find $WAZUH_ARCHIVE -type f ! -name "archives.json" -printf "%T+\t%p\n" | sort -n | awk '{print $2}' | head -n 1 >/tmp/files$$
-    if [[ $(wc -l >$LOG
-    while read -r line; do
-    echo "$(date) - Removing file: $line" >>$LOG
-    rm "$line"
-    done >$LOG
-    fi
-    rm /tmp/files$$
-    ## Clean up extracted pcaps from Steno
 PCAPS='/nsm/pcapout'
 OLDEST_PCAP=$(find $PCAPS -type f -printf '%T+ %p\n' | sort -n | head -n 1)
diff --git a/salt/common/tools/sbin/so-soc-restart b/salt/common/tools/sbin/so-soc-restart
index 4e479c007..9d252e2c1 100755
--- a/salt/common/tools/sbin/so-soc-restart
+++ b/salt/common/tools/sbin/so-soc-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-soc-start b/salt/common/tools/sbin/so-soc-start
index 3dd9f779b..12f3287f8 100755
--- a/salt/common/tools/sbin/so-soc-start
+++ b/salt/common/tools/sbin/so-soc-start
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-soc-stop b/salt/common/tools/sbin/so-soc-stop
index 0b3d2d2c4..d4cc0d508 100755
--- a/salt/common/tools/sbin/so-soc-stop
+++ b/salt/common/tools/sbin/so-soc-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-soctopus-restart b/salt/common/tools/sbin/so-soctopus-restart
index 563d02609..24b3aff85 100755
--- a/salt/common/tools/sbin/so-soctopus-restart
+++ b/salt/common/tools/sbin/so-soctopus-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-soctopus-start b/salt/common/tools/sbin/so-soctopus-start
index b493e6f01..990ece70e 100755
--- a/salt/common/tools/sbin/so-soctopus-start
+++ b/salt/common/tools/sbin/so-soctopus-start
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-soctopus-stop b/salt/common/tools/sbin/so-soctopus-stop
index 28af78459..39efa6435 100755
--- a/salt/common/tools/sbin/so-soctopus-stop
+++ b/salt/common/tools/sbin/so-soctopus-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-start b/salt/common/tools/sbin/so-start
index a592388d4..6e208a6af 100755
--- a/salt/common/tools/sbin/so-start
+++ b/salt/common/tools/sbin/so-start
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 # Usage: so-start all | filebeat | kibana | playbook
diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status
index 61db01ada..bb68bd099 100755
--- a/salt/common/tools/sbin/so-status
+++ b/salt/common/tools/sbin/so-status
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 display_help() {
diff --git a/salt/common/tools/sbin/so-stop b/salt/common/tools/sbin/so-stop
index 544846606..3538b2fd3 100755
--- a/salt/common/tools/sbin/so-stop
+++ b/salt/common/tools/sbin/so-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 # Usage: so-stop filebeat | kibana | playbook | thehive
diff --git a/salt/common/tools/sbin/so-strelka-restart b/salt/common/tools/sbin/so-strelka-restart
index 29da04998..b2d0ef6fa 100755
--- a/salt/common/tools/sbin/so-strelka-restart
+++ b/salt/common/tools/sbin/so-strelka-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-strelka-start b/salt/common/tools/sbin/so-strelka-start
index 42ba8c654..8f0e76365 100755
--- a/salt/common/tools/sbin/so-strelka-start
+++ b/salt/common/tools/sbin/so-strelka-start
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-strelka-stop b/salt/common/tools/sbin/so-strelka-stop
index e700a29d7..3f71298e7 100755
--- a/salt/common/tools/sbin/so-strelka-stop
+++ b/salt/common/tools/sbin/so-strelka-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-suricata-restart b/salt/common/tools/sbin/so-suricata-restart
index 85b435f52..d435b2a86 100755
--- a/salt/common/tools/sbin/so-suricata-restart
+++ b/salt/common/tools/sbin/so-suricata-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-suricata-start b/salt/common/tools/sbin/so-suricata-start
index 98ae4bdd1..41225f75d 100755
--- a/salt/common/tools/sbin/so-suricata-start
+++ b/salt/common/tools/sbin/so-suricata-start
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-suricata-stop b/salt/common/tools/sbin/so-suricata-stop
index 7970c1494..7481fd4ed 100755
--- a/salt/common/tools/sbin/so-suricata-stop
+++ b/salt/common/tools/sbin/so-suricata-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-suricata-testrule b/salt/common/tools/sbin/so-suricata-testrule
index 0e4450f75..e1f355508 100755
--- a/salt/common/tools/sbin/so-suricata-testrule
+++ b/salt/common/tools/sbin/so-suricata-testrule
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set MANAGER = salt['grains.get']('master') %}
 {%- set VERSION = salt['pillar.get']('global:soversion') %}
 {%- set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
diff --git a/salt/common/tools/sbin/so-tcpreplay-restart b/salt/common/tools/sbin/so-tcpreplay-restart
index 2e61dc186..2fadc707c 100755
--- a/salt/common/tools/sbin/so-tcpreplay-restart
+++ b/salt/common/tools/sbin/so-tcpreplay-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-tcpreplay-stop b/salt/common/tools/sbin/so-tcpreplay-stop
index 7395b90f2..269bd374c 100755
--- a/salt/common/tools/sbin/so-tcpreplay-stop
+++ b/salt/common/tools/sbin/so-tcpreplay-stop
@@ -1,19 +1,10 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-telegraf-restart b/salt/common/tools/sbin/so-telegraf-restart
index 25fd087d9..e596bd3c8 100755
--- a/salt/common/tools/sbin/so-telegraf-restart
+++ b/salt/common/tools/sbin/so-telegraf-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-telegraf-start b/salt/common/tools/sbin/so-telegraf-start
index 9bc0e48d2..ada60822a 100755
--- a/salt/common/tools/sbin/so-telegraf-start
+++ b/salt/common/tools/sbin/so-telegraf-start
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-telegraf-stop b/salt/common/tools/sbin/so-telegraf-stop
index 9f6cf807d..a0e0c88ce 100755
--- a/salt/common/tools/sbin/so-telegraf-stop
+++ b/salt/common/tools/sbin/so-telegraf-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-thehive-es-restart b/salt/common/tools/sbin/so-thehive-es-restart
index 73745a1fc..036ab5689 100755
--- a/salt/common/tools/sbin/so-thehive-es-restart
+++ b/salt/common/tools/sbin/so-thehive-es-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-thehive-es-start b/salt/common/tools/sbin/so-thehive-es-start
index 97b575a40..feeb5cafd 100755
--- a/salt/common/tools/sbin/so-thehive-es-start
+++ b/salt/common/tools/sbin/so-thehive-es-start
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-thehive-es-stop b/salt/common/tools/sbin/so-thehive-es-stop
index 3ebf42430..fe8193bf7 100755
--- a/salt/common/tools/sbin/so-thehive-es-stop
+++ b/salt/common/tools/sbin/so-thehive-es-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-thehive-restart b/salt/common/tools/sbin/so-thehive-restart
index 3ebf42430..fe8193bf7 100755
--- a/salt/common/tools/sbin/so-thehive-restart
+++ b/salt/common/tools/sbin/so-thehive-restart
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-thehive-start b/salt/common/tools/sbin/so-thehive-start
index 97b575a40..feeb5cafd 100755
--- a/salt/common/tools/sbin/so-thehive-start
+++ b/salt/common/tools/sbin/so-thehive-start
@@ -1,19 +1,11 @@
 #!/bin/bash
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-thehive-stop b/salt/common/tools/sbin/so-thehive-stop
index 3ebf42430..fe8193bf7 100755
--- a/salt/common/tools/sbin/so-thehive-stop
+++ b/salt/common/tools/sbin/so-thehive-stop
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-thehive-user-add b/salt/common/tools/sbin/so-thehive-user-add
index 3ebf42430..fe8193bf7 100755
--- a/salt/common/tools/sbin/so-thehive-user-add
+++ b/salt/common/tools/sbin/so-thehive-user-add
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-thehive-user-enable b/salt/common/tools/sbin/so-thehive-user-enable
index 3ebf42430..fe8193bf7 100755
--- a/salt/common/tools/sbin/so-thehive-user-enable
+++ b/salt/common/tools/sbin/so-thehive-user-enable
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-thehive-user-update b/salt/common/tools/sbin/so-thehive-user-update
index 3ebf42430..fe8193bf7 100755
--- a/salt/common/tools/sbin/so-thehive-user-update
+++ b/salt/common/tools/sbin/so-thehive-user-update
@@ -1,19 +1,11 @@
 #!/bin/bash
 #
-# Copyright 2014-2022 Security Onion Solutions, LLC
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 . /usr/sbin/so-common
diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index 96059968c..81bfa0d76 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . source $(dirname $0)/so-common @@ -288,7 +279,7 @@ function syncElastic() { if [[ -z "$SKIP_STATE_APPLY" ]]; then echo "Elastic state will be re-applied to affected minions. This may take several minutes..." echo "Applying elastic state to elastic minions at $(date)" >> /opt/so/log/soc/sync.log 2>&1 - salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1 + salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1 fi else echo "Newly generated users/roles files are incomplete; aborting." 
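Review bot: The retargeted `salt -C` compound in syncElastic() now names `G@role:so-searchnode` where it previously named `G@role:so-node`, so any minion still carrying the old `role:so-node` grain is silently dropped from the elasticsearch state apply, and because the command's output only goes to sync.log with no exit-status check, the script goes on to report success either way. If the role was renamed elsewhere in this commit (I cannot see that from this hunk), a short comment on the line, e.g. `# role so-node was renamed so-searchnode; keep this target list in sync with the role grains`, would stop the next reader from re-adding the old name. Consider also checking the salt return code here, `... >> /opt/so/log/soc/sync.log 2>&1 || echo "elasticsearch state apply reported errors; see /opt/so/log/soc/sync.log"`. syncElastic() starts and ends outside the hunk.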
diff --git a/salt/common/tools/sbin/so-wazuh-agent-manage b/salt/common/tools/sbin/so-wazuh-agent-manage deleted file mode 100755 index e754619d9..000000000 --- a/salt/common/tools/sbin/so-wazuh-agent-manage +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash - -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -if docker ps |grep so-wazuh >/dev/null 2>&1; then - docker exec -it so-wazuh /var/ossec/bin/manage_agents "$@" -else - echo "Wazuh manager is not running. Please start it with so-wazuh-start." -fi diff --git a/salt/common/tools/sbin/so-wazuh-agent-upgrade b/salt/common/tools/sbin/so-wazuh-agent-upgrade deleted file mode 100755 index aa0dcf330..000000000 --- a/salt/common/tools/sbin/so-wazuh-agent-upgrade +++ /dev/null 
@@ -1,22 +0,0 @@ -#!/bin/bash - -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -if docker ps |grep so-wazuh >/dev/null 2>&1; then - docker exec -it so-wazuh /var/ossec/bin/agent_upgrade "$@" -else - echo "Wazuh manager is not running. Please start it with so-wazuh-start." -fi diff --git a/salt/common/tools/sbin/so-wazuh-restart b/salt/common/tools/sbin/so-wazuh-restart deleted file mode 100755 index 5eebec045..000000000 --- a/salt/common/tools/sbin/so-wazuh-restart +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash - -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -. /usr/sbin/so-common - -/usr/sbin/so-restart wazuh $1 
diff --git a/salt/common/tools/sbin/so-wazuh-start b/salt/common/tools/sbin/so-wazuh-start deleted file mode 100755 index 4d000fc44..000000000 --- a/salt/common/tools/sbin/so-wazuh-start +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash - -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -. /usr/sbin/so-common - -/usr/sbin/so-start wazuh $1 - diff --git a/salt/common/tools/sbin/so-wazuh-stop b/salt/common/tools/sbin/so-wazuh-stop deleted file mode 100755 index 70be6a1bb..000000000 --- a/salt/common/tools/sbin/so-wazuh-stop +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash - -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -. /usr/sbin/so-common - -/usr/sbin/so-stop wazuh $1 - 
diff --git a/salt/common/tools/sbin/so-wazuh-user-add b/salt/common/tools/sbin/so-wazuh-user-add deleted file mode 100755 index 5a4657878..000000000 --- a/salt/common/tools/sbin/so-wazuh-user-add +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -docker exec -it so-wazuh /usr/bin/node /var/ossec/api/configuration/auth/htpasswd /var/ossec/api/configuration/auth/user $1 diff --git a/salt/common/tools/sbin/so-wazuh-user-passwd b/salt/common/tools/sbin/so-wazuh-user-passwd deleted file mode 100755 index 5a4657878..000000000 --- a/salt/common/tools/sbin/so-wazuh-user-passwd +++ /dev/null 
@@ -1,17 +0,0 @@ -#!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -docker exec -it so-wazuh /usr/bin/node /var/ossec/api/configuration/auth/htpasswd /var/ossec/api/configuration/auth/user $1 diff --git a/salt/common/tools/sbin/so-wazuh-user-remove b/salt/common/tools/sbin/so-wazuh-user-remove deleted file mode 100755 index 75065ea2a..000000000 --- a/salt/common/tools/sbin/so-wazuh-user-remove +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -docker exec -it so-wazuh /usr/bin/node /var/ossec/api/configuration/auth/htpasswd -D /var/ossec/api/configuration/auth/user $1 diff --git a/salt/common/tools/sbin/so-yara-update b/salt/common/tools/sbin/so-yara-update index 2cf893ba5..b4e83a172 100755 
--- a/salt/common/tools/sbin/so-yara-update +++ b/salt/common/tools/sbin/so-yara-update @@ -1,18 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} echo "Starting to check for yara rule updates at $(date)..." diff --git a/salt/common/tools/sbin/so-zeek-restart b/salt/common/tools/sbin/so-zeek-restart index a328da1c8..05c282e93 100755 --- a/salt/common/tools/sbin/so-zeek-restart +++ b/salt/common/tools/sbin/so-zeek-restart 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-zeek-start b/salt/common/tools/sbin/so-zeek-start index fff333b3c..6f6305eaf 100755 --- a/salt/common/tools/sbin/so-zeek-start +++ b/salt/common/tools/sbin/so-zeek-start 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/so-zeek-stats b/salt/common/tools/sbin/so-zeek-stats index 43f39eb2f..1ca6f8a8d 100755 --- a/salt/common/tools/sbin/so-zeek-stats +++ b/salt/common/tools/sbin/so-zeek-stats 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # Show Zeek stats (capstats, netstats) diff --git a/salt/common/tools/sbin/so-zeek-stop b/salt/common/tools/sbin/so-zeek-stop index dfe55a19b..cba54eb65 100755 --- a/salt/common/tools/sbin/so-zeek-stop +++ b/salt/common/tools/sbin/so-zeek-stop 
@@ -1,19 +1,11 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 527bf1fc2..43d35f875 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . . /usr/sbin/so-common 
@@ -371,6 +362,74 @@ clone_to_tmp() {
 fi
 }
 
+elastalert_indices_check() {
+
+ # Stop Elastalert to prevent Elastalert indices from being re-created
+ if grep -q "^so-elastalert$" /opt/so/conf/so-status/so-status.conf ; then
+ so-elastalert-stop || true
+ fi
+
+ # Wait for ElasticSearch to initialize
+ echo -n "Waiting for ElasticSearch..."
+ COUNT=0
+ ELASTICSEARCH_CONNECTED="no"
+ while [[ "$COUNT" -le 240 ]]; do
+ so-elasticsearch-query / -k --output /dev/null
+ if [ $? -eq 0 ]; then
+ ELASTICSEARCH_CONNECTED="yes"
+ echo "connected!"
+ break
+ else
+ ((COUNT+=1))
+ sleep 1
+ echo -n "."
+ fi
+ done
+
+ # Unable to connect to Elasticsearch
+ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
+ echo
+ echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'"
+ echo
+ exit 1
+ fi
+
+ # Check Elastalert indices
+ echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..."
+ CHECK_COUNT=0
+ while [[ "$CHECK_COUNT" -le 2 ]]; do
+ # Delete Elastalert indices
+ for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do
+ so-elasticsearch-query $i -XDELETE;
+ done
+
+ # Check to ensure Elastalert indices are deleted
+ COUNT=0
+ ELASTALERT_INDICES_DELETED="no"
+ while [[ "$COUNT" -le 240 ]]; do
+ RESPONSE=$(so-elasticsearch-query elastalert*)
+ if [[ "$RESPONSE" == "{}" ]]; then
+ ELASTALERT_INDICES_DELETED="yes"
+ echo "Elastalert indices successfully deleted."
+ break
+ else
+ ((COUNT+=1))
+ sleep 1
+ echo -n "."
+ fi
+ done
+ ((CHECK_COUNT+=1))
+ done
+
+ # If we were unable to delete the Elastalert indices, exit the script
+ if [ "$ELASTALERT_INDICES_DELETED" == "no" ]; then
+ echo
+ echo -e "Unable to connect to delete Elastalert indices. Exiting."
+ echo
+ exit 1
+ fi
+}
+
 enable_highstate() {
 echo "Enabling highstate."
 salt-call state.enable highstate -l info --local
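Review bot: `RESPONSE=$(so-elasticsearch-query elastalert*)` leaves the glob unquoted, so if the working directory holds any file whose name starts with `elastalert` bash expands it and the query goes to the wrong path, the `"{}"` comparison can never match, and the function burns the full 3x240 s before exiting 1 with Elastalert already stopped; quote it as `RESPONSE=$(so-elasticsearch-query 'elastalert*')`, and quote the delete target too, `so-elasticsearch-query "$i" -XDELETE`. The outer `CHECK_COUNT` loop also never exits on success, so after the first pass reports "successfully deleted" the remaining two iterations re-run the delete and poll again; add `[[ "$ELASTALERT_INDICES_DELETED" == "yes" ]] && break` after the inner `done`. The `grep elastalert` on `_cat/indices` matches the whole row rather than the index-name column, which is presumably fine for the current naming but is worth a comment. Note that the helper stops Elastalert and neither it nor its `exit 1` paths start it again; I assume a later highstate does, which the header comment should say.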
@@ -825,40 +884,7 @@ up_to_2.3.130() { } up_to_2.3.140() { - ## Deleting Elastalert indices to prevent issues with upgrade to Elastic 8 ## - echo "Deleting Elastalert indices to prevent issues with upgrade to Elastic 8..." - # Wait for ElasticSearch to initialize - echo -n "Waiting for ElasticSearch..." - COUNT=0 - ELASTICSEARCH_CONNECTED="no" - while [[ "$COUNT" -le 240 ]]; do - so-elasticsearch-query / -k --output /dev/null - if [ $? -eq 0 ]; then - ELASTICSEARCH_CONNECTED="yes" - echo "connected!" - break - else - ((COUNT+=1)) - sleep 1 - echo -n "." - fi - done - if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then - echo - echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" - echo - exit 1 - fi - - # Delete Elastalert indices - for i in $(so-elasticsearch-query _cat/indices | grep elastalert | awk '{print $3}'); do so-elasticsearch-query $i -XDELETE; done - # Check to ensure Elastalert indices have been deleted - RESPONSE=$(so-elasticsearch-query elastalert*) - if [[ "$RESPONSE" == "{}" ]]; then - echo "Elastalert indices have been deleted." - else - fail "Something went wrong. Could not delete the Elastalert indices. Exiting." - fi + elastalert_indices_check ## INSTALLEDVERSION=2.3.140 } @@ -1178,6 +1204,7 @@ main() { verify_latest_update_script es_version_check es_indices_check + elastalert_indices_check echo "" set_palette check_elastic_license diff --git a/salt/curator/defaults.yaml b/salt/curator/defaults.yaml new file mode 100644 index 000000000..68c2b07d7 --- /dev/null +++ b/salt/curator/defaults.yaml 
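Review bot: `elastalert_indices_check` is now called both from `up_to_2.3.140()` and unconditionally in `main()` ahead of the version-specific steps, so an upgrade crossing 2.3.140 stops Elastalert and deletes its indices twice, and every later soup run deletes them as well even though the helper's echo text presents this as a one-off "upgrade to Elastic 8" step. If deleting on every run is intended (Elastalert recreating its indices on start would make that harmless, but I cannot confirm that from here), drop the call in `up_to_2.3.140()` and reword the helper's message; otherwise the `main()` call should be gated the way `es_version_check` is. Note also that the old code used `fail "..."`, while the helper uses a bare `exit 1`, so any cleanup `fail` performed no longer runs on this path — confirm that is acceptable. `main()` starts and ends outside the hunk.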
@@ -0,0 +1,179 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +elasticsearch: + index_settings: + so-aws: + warm: 7 + close: 30 + delete: 365 + so-azure: + warm: 7 + close: 30 + delete: 365 + so-barracuda: + warm: 7 + close: 30 + delete: 365 + so-beats: + warm: 7 + close: 30 + delete: 365 + so-bluecoat: + warm: 7 + close: 30 + delete: 365 + so-cef: + warm: 7 + close: 30 + delete: 365 + so-checkpoint: + warm: 7 + close: 30 + delete: 365 + so-cisco: + warm: 7 + close: 30 + delete: 365 + so-cyberark: + warm: 7 + close: 30 + delete: 365 + so-cylance: + warm: 7 + close: 30 + delete: 365 + so-elasticsearch: + warm: 7 + close: 30 + delete: 365 + so-endgame: + warm: 7 + close: 30 + delete: 365 + so-f5: + warm: 7 + close: 30 + delete: 365 + so-firewall: + warm: 7 + close: 30 + delete: 365 + so-fortinet: + warm: 7 + close: 30 + delete: 365 + so-gcp: + warm: 7 + close: 30 + delete: 365 + so-google_workspace: + warm: 7 + close: 30 + delete: 365 + so-ids: + warm: 7 + close: 30 + delete: 365 + so-imperva: + warm: 7 + close: 30 + delete: 365 + so-import: + warm: 7 + close: 30 + delete: 365 + so-infoblox: + warm: 7 + close: 30 + delete: 365 + so-juniper: + warm: 7 + close: 30 + delete: 365 + so-kibana: + warm: 7 + close: 30 + delete: 365 + so-logstash: + warm: 7 + close: 30 + delete: 365 + so-microsoft: + warm: 7 + close: 30 + delete: 365 + so-misp: + warm: 7 + close: 30 + delete: 365 + so-netflow: + warm: 7 + close: 30 + delete: 365 + so-netscout: + warm: 7 + close: 30 + delete: 365 + so-o365: + warm: 7 + close: 30 + delete: 365 + so-okta: + warm: 7 + close: 30 + delete: 365 + so-osquery: + warm: 7 + close: 30 + delete: 365 + so-proofpoint: + warm: 7 + close: 30 + delete: 365 + so-radware: + warm: 7 + close: 30 + 
delete: 365 + so-redis: + warm: 7 + close: 30 + delete: 365 + so-snort: + warm: 7 + close: 30 + delete: 365 + so-snyk: + warm: 7 + close: 30 + delete: 365 + so-sonicwall: + warm: 7 + close: 30 + delete: 365 + so-sophos: + warm: 7 + close: 30 + delete: 365 + so-strelka: + warm: 7 + close: 30 + delete: 365 + so-syslog: + warm: 7 + close: 30 + delete: 365 + so-tomcat: + warm: 7 + close: 30 + delete: 365 + so-zeek: + warm: 7 + close: 30 + delete: 365 + so-zscaler: + warm: 7 + close: 30 + delete: 365 \ No newline at end of file diff --git a/salt/curator/files/action/delete.yml b/salt/curator/files/action/delete.yml index 6e31b03b6..1a4afaabf 100644 --- a/salt/curator/files/action/delete.yml +++ b/salt/curator/files/action/delete.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set log_size_limit = salt['pillar.get']('elasticsearch:log_size_limit', '') -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-aws-close.yml b/salt/curator/files/action/so-aws-close.yml index 44f0bfa97..1bf9bfe81 100644 --- a/salt/curator/files/action/so-aws-close.yml +++ b/salt/curator/files/action/so-aws-close.yml 
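Review bot: Every one of the index entries in the new `salt/curator/defaults.yaml` repeats the same `warm: 7` / `close: 30` / `delete: 365` triple, so there is no single place to change the retention policy and the entries will drift the next time one is edited; if the pillar loader honours YAML anchors (PyYAML-based loaders do, but confirm for this code path) the first entry could be written `so-aws: &retention` and the rest as `so-azure: *retention`. The file also ends without a trailing newline, as the diff marks; add one. A one-line header comment stating that these values are in days and are the fallbacks used by the curator action templates' `pillar.get` defaults would help readers who only see this file.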
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-aws:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-aws-delete.yml b/salt/curator/files/action/so-aws-delete.yml index a67ee88b8..82d29a9f0 100644 --- a/salt/curator/files/action/so-aws-delete.yml +++ b/salt/curator/files/action/so-aws-delete.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-aws-warm.yml b/salt/curator/files/action/so-aws-warm.yml index 5369ed9a9..90d5e11f9 100644 --- a/salt/curator/files/action/so-aws-warm.yml +++ b/salt/curator/files/action/so-aws-warm.yml 
@@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/action/so-azure-close.yml b/salt/curator/files/action/so-azure-close.yml index 901b2c0ba..74d799c55 100644 --- a/salt/curator/files/action/so-azure-close.yml +++ b/salt/curator/files/action/so-azure-close.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-azure:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-azure-delete.yml b/salt/curator/files/action/so-azure-delete.yml index 102a69d3d..a736eadc0 100644 --- a/salt/curator/files/action/so-azure-delete.yml +++ b/salt/curator/files/action/so-azure-delete.yml 
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-azure:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-azure-warm.yml b/salt/curator/files/action/so-azure-warm.yml index d6f606125..63fb42f33 100644 --- a/salt/curator/files/action/so-azure-warm.yml +++ b/salt/curator/files/action/so-azure-warm.yml @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-azure:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/action/so-barracuda-close.yml b/salt/curator/files/action/so-barracuda-close.yml index 496832db7..6249cdde6 100644 --- a/salt/curator/files/action/so-barracuda-close.yml +++ b/salt/curator/files/action/so-barracuda-close.yml 
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-barracuda-delete.yml b/salt/curator/files/action/so-barracuda-delete.yml
index 49d472618..cb7231836 100644
--- a/salt/curator/files/action/so-barracuda-delete.yml
+++ b/salt/curator/files/action/so-barracuda-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-barracuda-warm.yml b/salt/curator/files/action/so-barracuda-warm.yml
index 334a4114a..6cb5f1641 100644
--- a/salt/curator/files/action/so-barracuda-warm.yml
+++ b/salt/curator/files/action/so-barracuda-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-barracuda:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-beats-close.yml b/salt/curator/files/action/so-beats-close.yml
index 4c606d4bc..594767b28 100644
--- a/salt/curator/files/action/so-beats-close.yml
+++ b/salt/curator/files/action/so-beats-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-beats:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-beats-delete.yml b/salt/curator/files/action/so-beats-delete.yml
index 77931d661..88e8b8bd4 100644
--- a/salt/curator/files/action/so-beats-delete.yml
+++ b/salt/curator/files/action/so-beats-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-beats:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-beats-warm.yml b/salt/curator/files/action/so-beats-warm.yml
index da9f76656..9cbd49b15 100644
--- a/salt/curator/files/action/so-beats-warm.yml
+++ b/salt/curator/files/action/so-beats-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-beats:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-bluecoat-close.yml b/salt/curator/files/action/so-bluecoat-close.yml
index 86d9277eb..213ebd8b0 100644
--- a/salt/curator/files/action/so-bluecoat-close.yml
+++ b/salt/curator/files/action/so-bluecoat-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-bluecoat-delete.yml b/salt/curator/files/action/so-bluecoat-delete.yml
index 318624416..23e9724a0 100644
--- a/salt/curator/files/action/so-bluecoat-delete.yml
+++ b/salt/curator/files/action/so-bluecoat-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-bluecoat-warm.yml b/salt/curator/files/action/so-bluecoat-warm.yml
index 47a8d712f..a61009380 100644
--- a/salt/curator/files/action/so-bluecoat-warm.yml
+++ b/salt/curator/files/action/so-bluecoat-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-bluecoat:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-cef-close.yml b/salt/curator/files/action/so-cef-close.yml
index 49e07f764..994f20308 100644
--- a/salt/curator/files/action/so-cef-close.yml
+++ b/salt/curator/files/action/so-cef-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cef:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-cef-delete.yml b/salt/curator/files/action/so-cef-delete.yml
index 0ee7d6501..eb3038514 100644
--- a/salt/curator/files/action/so-cef-delete.yml
+++ b/salt/curator/files/action/so-cef-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cef:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-cef-warm.yml b/salt/curator/files/action/so-cef-warm.yml
index 0a79fd2ba..59d3c1c8d 100644
--- a/salt/curator/files/action/so-cef-warm.yml
+++ b/salt/curator/files/action/so-cef-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cef:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-checkpoint-close.yml b/salt/curator/files/action/so-checkpoint-close.yml
index cffdf6473..12be685f5 100644
--- a/salt/curator/files/action/so-checkpoint-close.yml
+++ b/salt/curator/files/action/so-checkpoint-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-checkpoint-delete.yml b/salt/curator/files/action/so-checkpoint-delete.yml
index d1ac13efe..31ce55f49 100644
--- a/salt/curator/files/action/so-checkpoint-delete.yml
+++ b/salt/curator/files/action/so-checkpoint-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-checkpoint-warm.yml b/salt/curator/files/action/so-checkpoint-warm.yml
index 0aaec1e19..db0754e7a 100644
--- a/salt/curator/files/action/so-checkpoint-warm.yml
+++ b/salt/curator/files/action/so-checkpoint-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-checkpoint:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-cisco-close.yml b/salt/curator/files/action/so-cisco-close.yml
index cd1faade1..f958d9450 100644
--- a/salt/curator/files/action/so-cisco-close.yml
+++ b/salt/curator/files/action/so-cisco-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cisco:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-cisco-delete.yml b/salt/curator/files/action/so-cisco-delete.yml
index bb5e06f7f..4e5697ebe 100644
--- a/salt/curator/files/action/so-cisco-delete.yml
+++ b/salt/curator/files/action/so-cisco-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-cisco-warm.yml b/salt/curator/files/action/so-cisco-warm.yml
index a143a95c2..0f80f0547 100644
--- a/salt/curator/files/action/so-cisco-warm.yml
+++ b/salt/curator/files/action/so-cisco-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cisco:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-cyberark-close.yml b/salt/curator/files/action/so-cyberark-close.yml
index e352e8355..35bda7814 100644
--- a/salt/curator/files/action/so-cyberark-close.yml
+++ b/salt/curator/files/action/so-cyberark-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-cyberark-delete.yml b/salt/curator/files/action/so-cyberark-delete.yml
index 784f6881e..61b157ff6 100644
--- a/salt/curator/files/action/so-cyberark-delete.yml
+++ b/salt/curator/files/action/so-cyberark-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-cyberark-warm.yml b/salt/curator/files/action/so-cyberark-warm.yml
index 8eae0b542..a361a6bd9 100644
--- a/salt/curator/files/action/so-cyberark-warm.yml
+++ b/salt/curator/files/action/so-cyberark-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cyberark:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-cylance-close.yml b/salt/curator/files/action/so-cylance-close.yml
index d808569fb..c031753eb 100644
--- a/salt/curator/files/action/so-cylance-close.yml
+++ b/salt/curator/files/action/so-cylance-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-cylance:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-cylance-delete.yml b/salt/curator/files/action/so-cylance-delete.yml
index 54cf3938b..579ec7f68 100644
--- a/salt/curator/files/action/so-cylance-delete.yml
+++ b/salt/curator/files/action/so-cylance-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-cylance-warm.yml b/salt/curator/files/action/so-cylance-warm.yml
index c9da7e68a..e27185cf0 100644
--- a/salt/curator/files/action/so-cylance-warm.yml
+++ b/salt/curator/files/action/so-cylance-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-cylance:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-elasticsearch-close.yml b/salt/curator/files/action/so-elasticsearch-close.yml
index 3c4ff0dac..3ee9372cc 100644
--- a/salt/curator/files/action/so-elasticsearch-close.yml
+++ b/salt/curator/files/action/so-elasticsearch-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-elasticsearch-delete.yml b/salt/curator/files/action/so-elasticsearch-delete.yml
index 05cc68abe..e2071ff3a 100644
--- a/salt/curator/files/action/so-elasticsearch-delete.yml
+++ b/salt/curator/files/action/so-elasticsearch-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-elasticsearch-warm.yml b/salt/curator/files/action/so-elasticsearch-warm.yml
index 9d82fc27b..05a6a5e85 100644
--- a/salt/curator/files/action/so-elasticsearch-warm.yml
+++ b/salt/curator/files/action/so-elasticsearch-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-elasticsearch:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-endgame-close.yml b/salt/curator/files/action/so-endgame-close.yml
index 4c4d38341..248638e6c 100644
--- a/salt/curator/files/action/so-endgame-close.yml
+++ b/salt/curator/files/action/so-endgame-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-endgame:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-endgame-delete.yml b/salt/curator/files/action/so-endgame-delete.yml
index 53d34b6d6..ce16c4d87 100644
--- a/salt/curator/files/action/so-endgame-delete.yml
+++ b/salt/curator/files/action/so-endgame-delete.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-endgame-warm.yml b/salt/curator/files/action/so-endgame-warm.yml
index 4856a3928..d6b3c6fc2 100644
--- a/salt/curator/files/action/so-endgame-warm.yml
+++ b/salt/curator/files/action/so-endgame-warm.yml
@@ -1,3 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-endgame:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-f5-close.yml b/salt/curator/files/action/so-f5-close.yml
index e1cdb48a1..33d856a4d 100644
--- a/salt/curator/files/action/so-f5-close.yml
+++ b/salt/curator/files/action/so-f5-close.yml
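Review bot: From so-endgame-delete.yml onward the header is followed by two added blank lines (hunk counts `+1,10` and `+1,9`) where every earlier file in this series adds exactly one, so the files are not formatted consistently. The extra line carries no meaning for the renderer, because the `{%-` that follows strips the preceding whitespace either way, but a mixed layout across sixty near-identical templates invites copy-paste drift later. Keeping a single blank line between `# Elastic License 2.0.` and the `{%- set` tag in all of them would make the files uniform.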
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-f5:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-f5-delete.yml b/salt/curator/files/action/so-f5-delete.yml
index 06704010a..566fbfb5f 100644
--- a/salt/curator/files/action/so-f5-delete.yml
+++ b/salt/curator/files/action/so-f5-delete.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-f5:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-f5-warm.yml b/salt/curator/files/action/so-f5-warm.yml
index 12fbbe7ad..92e3a02f9 100644
--- a/salt/curator/files/action/so-f5-warm.yml
+++ b/salt/curator/files/action/so-f5-warm.yml
@@ -1,3 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-f5:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-firewall-close.yml b/salt/curator/files/action/so-firewall-close.yml
index c30daa6bb..4b8dd0121 100644
--- a/salt/curator/files/action/so-firewall-close.yml
+++ b/salt/curator/files/action/so-firewall-close.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-firewall:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-firewall-delete.yml b/salt/curator/files/action/so-firewall-delete.yml
index 7588de437..8b6f6f45f 100644
--- a/salt/curator/files/action/so-firewall-delete.yml
+++ b/salt/curator/files/action/so-firewall-delete.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-firewall-warm.yml b/salt/curator/files/action/so-firewall-warm.yml
index 2e9643dc3..727983618 100644
--- a/salt/curator/files/action/so-firewall-warm.yml
+++ b/salt/curator/files/action/so-firewall-warm.yml
@@ -1,3 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-firewall:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-fortinet-close.yml b/salt/curator/files/action/so-fortinet-close.yml
index e11fb86c6..067a5b412 100644
--- a/salt/curator/files/action/so-fortinet-close.yml
+++ b/salt/curator/files/action/so-fortinet-close.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-fortinet-delete.yml b/salt/curator/files/action/so-fortinet-delete.yml
index 9379e47c2..cf18f7513 100644
--- a/salt/curator/files/action/so-fortinet-delete.yml
+++ b/salt/curator/files/action/so-fortinet-delete.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-fortinet-warm.yml b/salt/curator/files/action/so-fortinet-warm.yml
index db9a6f2db..e65e9cc5b 100644
--- a/salt/curator/files/action/so-fortinet-warm.yml
+++ b/salt/curator/files/action/so-fortinet-warm.yml
@@ -1,3 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-fortinet:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-gcp-close.yml b/salt/curator/files/action/so-gcp-close.yml
index f9dd0af24..9dd783f63 100644
--- a/salt/curator/files/action/so-gcp-close.yml
+++ b/salt/curator/files/action/so-gcp-close.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-gcp:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-gcp-delete.yml b/salt/curator/files/action/so-gcp-delete.yml
index 5c8ab33d8..799d624fb 100644
--- a/salt/curator/files/action/so-gcp-delete.yml
+++ b/salt/curator/files/action/so-gcp-delete.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-gcp-warm.yml b/salt/curator/files/action/so-gcp-warm.yml
index 3bb9eee80..aba256c69 100644
--- a/salt/curator/files/action/so-gcp-warm.yml
+++ b/salt/curator/files/action/so-gcp-warm.yml
@@ -1,3 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-gcp:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-google_workspace-close.yml b/salt/curator/files/action/so-google_workspace-close.yml
index 1ecda5893..6aac7f2e0 100644
--- a/salt/curator/files/action/so-google_workspace-close.yml
+++ b/salt/curator/files/action/so-google_workspace-close.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-google_workspace-delete.yml b/salt/curator/files/action/so-google_workspace-delete.yml
index 923feda8f..5d26648b8 100644
--- a/salt/curator/files/action/so-google_workspace-delete.yml
+++ b/salt/curator/files/action/so-google_workspace-delete.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-google_workspace-warm.yml b/salt/curator/files/action/so-google_workspace-warm.yml
index 7eb2d883f..ddb5cf58c 100644
--- a/salt/curator/files/action/so-google_workspace-warm.yml
+++ b/salt/curator/files/action/so-google_workspace-warm.yml
@@ -1,3 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-google_workspace:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-ids-close.yml b/salt/curator/files/action/so-ids-close.yml
index 05583d853..a38acbf98 100644
--- a/salt/curator/files/action/so-ids-close.yml
+++ b/salt/curator/files/action/so-ids-close.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-ids:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-ids-delete.yml b/salt/curator/files/action/so-ids-delete.yml
index e5bda4e34..fd7b5c79f 100644
--- a/salt/curator/files/action/so-ids-delete.yml
+++ b/salt/curator/files/action/so-ids-delete.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ids:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-ids-warm.yml b/salt/curator/files/action/so-ids-warm.yml
index 0edad5b5b..01271f226 100644
--- a/salt/curator/files/action/so-ids-warm.yml
+++ b/salt/curator/files/action/so-ids-warm.yml
@@ -1,3 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ids:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-imperva-close.yml b/salt/curator/files/action/so-imperva-close.yml
index 55ec2e472..420b03b29 100644
--- a/salt/curator/files/action/so-imperva-close.yml
+++ b/salt/curator/files/action/so-imperva-close.yml
@@ -1,11 +1,10 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-imperva:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-imperva-delete.yml b/salt/curator/files/action/so-imperva-delete.yml
index b5526e2fb..7c7fe40ac 100644
--- a/salt/curator/files/action/so-imperva-delete.yml
+++ b/salt/curator/files/action/so-imperva-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-imperva-warm.yml b/salt/curator/files/action/so-imperva-warm.yml
index 0297d5cd6..3b4130b86 100644
--- a/salt/curator/files/action/so-imperva-warm.yml
+++ b/salt/curator/files/action/so-imperva-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-imperva:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-import-close.yml b/salt/curator/files/action/so-import-close.yml
index d7ae725d1..9debb2928 100644
--- a/salt/curator/files/action/so-import-close.yml
+++ b/salt/curator/files/action/so-import-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-import:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-import-delete.yml b/salt/curator/files/action/so-import-delete.yml
index aa9808c5f..99388e7cb 100644
--- a/salt/curator/files/action/so-import-delete.yml
+++ b/salt/curator/files/action/so-import-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-import:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-import-warm.yml b/salt/curator/files/action/so-import-warm.yml
index 3a6fa3d3d..49e9dae3a 100644
--- a/salt/curator/files/action/so-import-warm.yml
+++ b/salt/curator/files/action/so-import-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-import:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-infoblox-close.yml b/salt/curator/files/action/so-infoblox-close.yml
index 9fd4c5070..cb3d0dce3 100644
--- a/salt/curator/files/action/so-infoblox-close.yml
+++ b/salt/curator/files/action/so-infoblox-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-infoblox-delete.yml b/salt/curator/files/action/so-infoblox-delete.yml
index 0a7fdafbe..1e0958eb1 100644
--- a/salt/curator/files/action/so-infoblox-delete.yml
+++ b/salt/curator/files/action/so-infoblox-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-infoblox-warm.yml b/salt/curator/files/action/so-infoblox-warm.yml
index a2f571b7a..cc757c75b 100644
--- a/salt/curator/files/action/so-infoblox-warm.yml
+++ b/salt/curator/files/action/so-infoblox-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-infoblox:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-juniper-close.yml b/salt/curator/files/action/so-juniper-close.yml
index 466a51eca..0fa8b4f9c 100644
--- a/salt/curator/files/action/so-juniper-close.yml
+++ b/salt/curator/files/action/so-juniper-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-juniper:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-juniper-delete.yml b/salt/curator/files/action/so-juniper-delete.yml
index 18abc86ac..901c014a6 100644
--- a/salt/curator/files/action/so-juniper-delete.yml
+++ b/salt/curator/files/action/so-juniper-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-juniper-warm.yml b/salt/curator/files/action/so-juniper-warm.yml
index 5369ed9a9..90d5e11f9 100644
--- a/salt/curator/files/action/so-juniper-warm.yml
+++ b/salt/curator/files/action/so-juniper-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-aws:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-kibana-close.yml b/salt/curator/files/action/so-kibana-close.yml
index 7347fb01c..7c9908086 100644
--- a/salt/curator/files/action/so-kibana-close.yml
+++ b/salt/curator/files/action/so-kibana-close.yml
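Review bot: In the so-juniper-warm.yml hunk the context line reads the pillar key `elasticsearch:index_settings:so-aws:warm`, while the juniper close and delete files in the neighbouring hunks use `so-juniper:close` and `so-juniper:delete`; this looks like a copy-paste left over from the aws file, so a `so-juniper:warm` setting in the pillar would be ignored and the juniper indices would instead follow the aws warm threshold (or the default of 7). The commit touches this file only for the header and does not correct it, but since the line is visible in the hunk it is worth fixing in the same pass: `{%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-juniper:warm', 7) -%}`. Please also check the rest of the warm files outside this view for the same pattern.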
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-kibana:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-kibana-delete.yml b/salt/curator/files/action/so-kibana-delete.yml
index 5a775b8de..4d227ccb9 100644
--- a/salt/curator/files/action/so-kibana-delete.yml
+++ b/salt/curator/files/action/so-kibana-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-kibana-warm.yml b/salt/curator/files/action/so-kibana-warm.yml
index b5674c8c3..a5a0899ee 100644
--- a/salt/curator/files/action/so-kibana-warm.yml
+++ b/salt/curator/files/action/so-kibana-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kibana:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-kratos-close.yml b/salt/curator/files/action/so-kratos-close.yml
index 9a3b0c5a8..c24cc2b40 100644
--- a/salt/curator/files/action/so-kratos-close.yml
+++ b/salt/curator/files/action/so-kratos-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-kratos:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-kratos-delete.yml b/salt/curator/files/action/so-kratos-delete.yml
index 6b4ae8705..c5bd26651 100644
--- a/salt/curator/files/action/so-kratos-delete.yml
+++ b/salt/curator/files/action/so-kratos-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kratos:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-kratos-warm.yml b/salt/curator/files/action/so-kratos-warm.yml
index ace3c8db1..51b35a8f9 100644
--- a/salt/curator/files/action/so-kratos-warm.yml
+++ b/salt/curator/files/action/so-kratos-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-kratos:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-logstash-close.yml b/salt/curator/files/action/so-logstash-close.yml
index 23787e237..63df86874 100644
--- a/salt/curator/files/action/so-logstash-close.yml
+++ b/salt/curator/files/action/so-logstash-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-logstash:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-logstash-delete.yml b/salt/curator/files/action/so-logstash-delete.yml
index d9ff848da..9132fbbc9 100644
--- a/salt/curator/files/action/so-logstash-delete.yml
+++ b/salt/curator/files/action/so-logstash-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-logstash-warm.yml b/salt/curator/files/action/so-logstash-warm.yml
index 826bf2975..a47ffae2a 100644
--- a/salt/curator/files/action/so-logstash-warm.yml
+++ b/salt/curator/files/action/so-logstash-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-logstash:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-microsoft-close.yml b/salt/curator/files/action/so-microsoft-close.yml
index f4eaf738f..7f8e1f912 100644
--- a/salt/curator/files/action/so-microsoft-close.yml
+++ b/salt/curator/files/action/so-microsoft-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: close
diff --git a/salt/curator/files/action/so-microsoft-delete.yml b/salt/curator/files/action/so-microsoft-delete.yml
index f1a854c83..fcf4a74b7 100644
--- a/salt/curator/files/action/so-microsoft-delete.yml
+++ b/salt/curator/files/action/so-microsoft-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
 1:
 action: delete_indices
diff --git a/salt/curator/files/action/so-microsoft-warm.yml b/salt/curator/files/action/so-microsoft-warm.yml
index 551d0cb56..8b3e4716a 100644
--- a/salt/curator/files/action/so-microsoft-warm.yml
+++ b/salt/curator/files/action/so-microsoft-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-microsoft:warm', 7) -%}
 actions:
 1:
diff --git a/salt/curator/files/action/so-misp-close.yml b/salt/curator/files/action/so-misp-close.yml
index e39781353..14998cdcc 100644
--- a/salt/curator/files/action/so-misp-close.yml
+++ b/salt/curator/files/action/so-misp-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-misp:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: close
diff --git a/salt/curator/files/action/so-misp-delete.yml b/salt/curator/files/action/so-misp-delete.yml
index ceaa9c73d..868441932 100644
--- a/salt/curator/files/action/so-misp-delete.yml
+++ b/salt/curator/files/action/so-misp-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-misp:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: delete_indices
diff --git a/salt/curator/files/action/so-misp-warm.yml b/salt/curator/files/action/so-misp-warm.yml
index af29975b0..d1c7b1591 100644
--- a/salt/curator/files/action/so-misp-warm.yml
+++ b/salt/curator/files/action/so-misp-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-misp:warm', 7) -%}
 actions:
   1:
diff --git a/salt/curator/files/action/so-netflow-close.yml b/salt/curator/files/action/so-netflow-close.yml
index cc9ade28d..d1e39e07e 100644
--- a/salt/curator/files/action/so-netflow-close.yml
+++ b/salt/curator/files/action/so-netflow-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-netflow:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: close
diff --git a/salt/curator/files/action/so-netflow-delete.yml b/salt/curator/files/action/so-netflow-delete.yml
index 5bc76ad15..19d7406de 100644
--- a/salt/curator/files/action/so-netflow-delete.yml
+++ b/salt/curator/files/action/so-netflow-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: delete_indices
diff --git a/salt/curator/files/action/so-netflow-warm.yml b/salt/curator/files/action/so-netflow-warm.yml
index ea57bb72b..60d844efd 100644
--- a/salt/curator/files/action/so-netflow-warm.yml
+++ b/salt/curator/files/action/so-netflow-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netflow:warm', 7) -%}
 actions:
   1:
diff --git a/salt/curator/files/action/so-netscout-close.yml b/salt/curator/files/action/so-netscout-close.yml
index d99374d2f..b15d4c30d 100644
--- a/salt/curator/files/action/so-netscout-close.yml
+++ b/salt/curator/files/action/so-netscout-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-netscout:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: close
diff --git a/salt/curator/files/action/so-netscout-delete.yml b/salt/curator/files/action/so-netscout-delete.yml
index 3c0e249b5..a12bb27b6 100644
--- a/salt/curator/files/action/so-netscout-delete.yml
+++ b/salt/curator/files/action/so-netscout-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: delete_indices
diff --git a/salt/curator/files/action/so-netscout-warm.yml b/salt/curator/files/action/so-netscout-warm.yml
index 1b93c3118..c36846994 100644
--- a/salt/curator/files/action/so-netscout-warm.yml
+++ b/salt/curator/files/action/so-netscout-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-netscout:warm', 7) -%}
 actions:
   1:
diff --git a/salt/curator/files/action/so-o365-close.yml b/salt/curator/files/action/so-o365-close.yml
index 4dece060f..33ee84a20 100644
--- a/salt/curator/files/action/so-o365-close.yml
+++ b/salt/curator/files/action/so-o365-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-o365:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: close
diff --git a/salt/curator/files/action/so-o365-delete.yml b/salt/curator/files/action/so-o365-delete.yml
index 13c7c1344..41cc31e06 100644
--- a/salt/curator/files/action/so-o365-delete.yml
+++ b/salt/curator/files/action/so-o365-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-o365:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: delete_indices
diff --git a/salt/curator/files/action/so-o365-warm.yml b/salt/curator/files/action/so-o365-warm.yml
index cbb7bc24e..0c2788ead 100644
--- a/salt/curator/files/action/so-o365-warm.yml
+++ b/salt/curator/files/action/so-o365-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-o365:warm', 7) -%}
 actions:
   1:
diff --git a/salt/curator/files/action/so-okta-close.yml b/salt/curator/files/action/so-okta-close.yml
index 10f7e4b60..29539551b 100644
--- a/salt/curator/files/action/so-okta-close.yml
+++ b/salt/curator/files/action/so-okta-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-okta:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: close
diff --git a/salt/curator/files/action/so-okta-warm.yml b/salt/curator/files/action/so-okta-warm.yml
index 75764860d..57da23031 100644
--- a/salt/curator/files/action/so-okta-warm.yml
+++ b/salt/curator/files/action/so-okta-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-okta:warm', 7) -%}
 actions:
   1:
diff --git a/salt/curator/files/action/so-okta.delete.yml b/salt/curator/files/action/so-okta.delete.yml
index 1beeb0fc0..a236a9059 100644
--- a/salt/curator/files/action/so-okta.delete.yml
+++ b/salt/curator/files/action/so-okta.delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-okta:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: delete_indices
diff --git a/salt/curator/files/action/so-osquery-close.yml b/salt/curator/files/action/so-osquery-close.yml
index e58643175..9be61456f 100644
--- a/salt/curator/files/action/so-osquery-close.yml
+++ b/salt/curator/files/action/so-osquery-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-osquery:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: close
diff --git a/salt/curator/files/action/so-osquery-delete.yml b/salt/curator/files/action/so-osquery-delete.yml
index d77b1b3d1..190da5783 100644
--- a/salt/curator/files/action/so-osquery-delete.yml
+++ b/salt/curator/files/action/so-osquery-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: delete_indices
diff --git a/salt/curator/files/action/so-osquery-warm.yml b/salt/curator/files/action/so-osquery-warm.yml
index 156a83c7a..477c3bf26 100644
--- a/salt/curator/files/action/so-osquery-warm.yml
+++ b/salt/curator/files/action/so-osquery-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-osquery:warm', 7) -%}
 actions:
   1:
diff --git a/salt/curator/files/action/so-ossec-close.yml b/salt/curator/files/action/so-ossec-close.yml
index 6243fabd6..85ce62967 100644
--- a/salt/curator/files/action/so-ossec-close.yml
+++ b/salt/curator/files/action/so-ossec-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-ossec:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: close
diff --git a/salt/curator/files/action/so-ossec-delete.yml b/salt/curator/files/action/so-ossec-delete.yml
index 7aea13e41..4c86054b3 100644
--- a/salt/curator/files/action/so-ossec-delete.yml
+++ b/salt/curator/files/action/so-ossec-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: delete_indices
diff --git a/salt/curator/files/action/so-ossec-warm.yml b/salt/curator/files/action/so-ossec-warm.yml
index 769d6cbea..c6ef1b95f 100644
--- a/salt/curator/files/action/so-ossec-warm.yml
+++ b/salt/curator/files/action/so-ossec-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-ossec:warm', 7) -%}
 actions:
   1:
diff --git a/salt/curator/files/action/so-proofpoint-close.yml b/salt/curator/files/action/so-proofpoint-close.yml
index 888c9fc64..12386cb19 100644
--- a/salt/curator/files/action/so-proofpoint-close.yml
+++ b/salt/curator/files/action/so-proofpoint-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: close
diff --git a/salt/curator/files/action/so-proofpoint-delete.yml b/salt/curator/files/action/so-proofpoint-delete.yml
index 903dde204..7eec6bef6 100644
--- a/salt/curator/files/action/so-proofpoint-delete.yml
+++ b/salt/curator/files/action/so-proofpoint-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: delete_indices
diff --git a/salt/curator/files/action/so-proofpoint-warm.yml b/salt/curator/files/action/so-proofpoint-warm.yml
index 8304ae41a..78da530c0 100644
--- a/salt/curator/files/action/so-proofpoint-warm.yml
+++ b/salt/curator/files/action/so-proofpoint-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-proofpoint:warm', 7) -%}
 actions:
   1:
diff --git a/salt/curator/files/action/so-radware-close.yml b/salt/curator/files/action/so-radware-close.yml
index 59a7bbafd..d4d2e404b 100644
--- a/salt/curator/files/action/so-radware-close.yml
+++ b/salt/curator/files/action/so-radware-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-radware:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: close
diff --git a/salt/curator/files/action/so-radware-delete.yml b/salt/curator/files/action/so-radware-delete.yml
index 1fe09cded..d482300f6 100644
--- a/salt/curator/files/action/so-radware-delete.yml
+++ b/salt/curator/files/action/so-radware-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-radware:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: delete_indices
diff --git a/salt/curator/files/action/so-radware-warm.yml b/salt/curator/files/action/so-radware-warm.yml
index 8d4337aaf..780a428dc 100644
--- a/salt/curator/files/action/so-radware-warm.yml
+++ b/salt/curator/files/action/so-radware-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-radware:warm', 7) -%}
 actions:
   1:
diff --git a/salt/curator/files/action/so-redis-close.yml b/salt/curator/files/action/so-redis-close.yml
index b69935f21..a427b8a39 100644
--- a/salt/curator/files/action/so-redis-close.yml
+++ b/salt/curator/files/action/so-redis-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-redis:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: close
diff --git a/salt/curator/files/action/so-redis-delete.yml b/salt/curator/files/action/so-redis-delete.yml
index f6e73dce8..009ae9ab0 100644
--- a/salt/curator/files/action/so-redis-delete.yml
+++ b/salt/curator/files/action/so-redis-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-redis:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: delete_indices
diff --git a/salt/curator/files/action/so-redis-warm.yml b/salt/curator/files/action/so-redis-warm.yml
index a5b1055c3..c9ee80602 100644
--- a/salt/curator/files/action/so-redis-warm.yml
+++ b/salt/curator/files/action/so-redis-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-redis:warm', 7) -%}
 actions:
   1:
diff --git a/salt/curator/files/action/so-snort-close.yml b/salt/curator/files/action/so-snort-close.yml
index 8f6209255..0dfe42438 100644
--- a/salt/curator/files/action/so-snort-close.yml
+++ b/salt/curator/files/action/so-snort-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-snort:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: close
diff --git a/salt/curator/files/action/so-snort-delete.yml b/salt/curator/files/action/so-snort-delete.yml
index 50f68988b..ab911c691 100644
--- a/salt/curator/files/action/so-snort-delete.yml
+++ b/salt/curator/files/action/so-snort-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snort:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: delete_indices
diff --git a/salt/curator/files/action/so-snort-warm.yml b/salt/curator/files/action/so-snort-warm.yml
index 3bbc977e2..c3e96c31b 100644
--- a/salt/curator/files/action/so-snort-warm.yml
+++ b/salt/curator/files/action/so-snort-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snort:warm', 7) -%}
 actions:
   1:
diff --git a/salt/curator/files/action/so-snyk-close.yml b/salt/curator/files/action/so-snyk-close.yml
index e13d8f98d..4dfe142e0 100644
--- a/salt/curator/files/action/so-snyk-close.yml
+++ b/salt/curator/files/action/so-snyk-close.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-snyk:close', 30) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: close
diff --git a/salt/curator/files/action/so-snyk-delete.yml b/salt/curator/files/action/so-snyk-delete.yml
index cec0b942f..f6e864149 100644
--- a/salt/curator/files/action/so-snyk-delete.yml
+++ b/salt/curator/files/action/so-snyk-delete.yml
@@ -1,11 +1,9 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:delete', 365) -%}
----
-# Remember, leave a key empty if there is no value. None will be a string,
-# not a Python "NoneType"
-#
-# Also remember that all examples have 'disable_action' set to True. If you
-# want to use this action as a template, be sure to set this to False after
-# copying it.
 actions:
   1:
     action: delete_indices
diff --git a/salt/curator/files/action/so-snyk-warm.yml b/salt/curator/files/action/so-snyk-warm.yml
index f9b10bbdd..6aadc5048 100644
--- a/salt/curator/files/action/so-snyk-warm.yml
+++ b/salt/curator/files/action/so-snyk-warm.yml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
 {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-snyk:warm', 7) -%}
 actions:
   1:
diff --git a/salt/curator/files/action/so-sonicwall-close.yml b/salt/curator/files/action/so-sonicwall-close.yml
index 9cc23d3af..12fe05cd4 100644
--- a/salt/curator/files/action/so-sonicwall-close.yml
+++ b/salt/curator/files/action/so-sonicwall-close.yml
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-sonicwall-delete.yml b/salt/curator/files/action/so-sonicwall-delete.yml index c7d38361f..7033a6459 100644 --- a/salt/curator/files/action/so-sonicwall-delete.yml +++ b/salt/curator/files/action/so-sonicwall-delete.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-sonicwall-warm.yml b/salt/curator/files/action/so-sonicwall-warm.yml index fa8ceb3e4..bf74418f5 100644 --- a/salt/curator/files/action/so-sonicwall-warm.yml 
+++ b/salt/curator/files/action/so-sonicwall-warm.yml @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sonicwall:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/action/so-sophos-close.yml b/salt/curator/files/action/so-sophos-close.yml index b7574b996..ed655f19c 100644 --- a/salt/curator/files/action/so-sophos-close.yml +++ b/salt/curator/files/action/so-sophos-close.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-sophos:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-sophos-delete.yml b/salt/curator/files/action/so-sophos-delete.yml index 433df908a..5684cdada 100644 --- a/salt/curator/files/action/so-sophos-delete.yml +++ b/salt/curator/files/action/so-sophos-delete.yml 
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-sophos-warm.yml b/salt/curator/files/action/so-sophos-warm.yml index 40cc60084..a725ec018 100644 --- a/salt/curator/files/action/so-sophos-warm.yml +++ b/salt/curator/files/action/so-sophos-warm.yml @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-sophos:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/action/so-strelka-close.yml b/salt/curator/files/action/so-strelka-close.yml index da0fafcbb..b7d0e3925 100644 --- a/salt/curator/files/action/so-strelka-close.yml +++ b/salt/curator/files/action/so-strelka-close.yml 
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-strelka:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-strelka-delete.yml b/salt/curator/files/action/so-strelka-delete.yml index 3487aeb6d..293446303 100644 --- a/salt/curator/files/action/so-strelka-delete.yml +++ b/salt/curator/files/action/so-strelka-delete.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-strelka-warm.yml b/salt/curator/files/action/so-strelka-warm.yml index cfa88b0c1..4f2950dcf 100644 --- a/salt/curator/files/action/so-strelka-warm.yml +++ b/salt/curator/files/action/so-strelka-warm.yml 
@@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-strelka:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/action/so-syslog-close.yml b/salt/curator/files/action/so-syslog-close.yml index 225458048..954a2eedb 100644 --- a/salt/curator/files/action/so-syslog-close.yml +++ b/salt/curator/files/action/so-syslog-close.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-syslog:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-syslog-delete.yml b/salt/curator/files/action/so-syslog-delete.yml index 5fe7417ad..0a9500cd2 100644 --- a/salt/curator/files/action/so-syslog-delete.yml +++ b/salt/curator/files/action/so-syslog-delete.yml 
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-syslog-warm.yml b/salt/curator/files/action/so-syslog-warm.yml index e5ebb2fa6..6c04d9a9d 100644 --- a/salt/curator/files/action/so-syslog-warm.yml +++ b/salt/curator/files/action/so-syslog-warm.yml @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-syslog:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/action/so-tomcat-close.yml b/salt/curator/files/action/so-tomcat-close.yml index ea0d95b0a..da9b3d21d 100644 --- a/salt/curator/files/action/so-tomcat-close.yml +++ b/salt/curator/files/action/so-tomcat-close.yml 
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-tomcat-delete.yml b/salt/curator/files/action/so-tomcat-delete.yml index 77035613f..7062d6adb 100644 --- a/salt/curator/files/action/so-tomcat-delete.yml +++ b/salt/curator/files/action/so-tomcat-delete.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-tomcat-warm.yml b/salt/curator/files/action/so-tomcat-warm.yml index 8fb7884c0..0213e7e5f 100644 --- a/salt/curator/files/action/so-tomcat-warm.yml +++ b/salt/curator/files/action/so-tomcat-warm.yml 
@@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-tomcat:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/action/so-zeek-close.yml b/salt/curator/files/action/so-zeek-close.yml index 7692d26eb..82041df5e 100644 --- a/salt/curator/files/action/so-zeek-close.yml +++ b/salt/curator/files/action/so-zeek-close.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-zeek:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-zeek-delete.yml b/salt/curator/files/action/so-zeek-delete.yml index 0694c2aed..2640136a9 100644 --- a/salt/curator/files/action/so-zeek-delete.yml +++ b/salt/curator/files/action/so-zeek-delete.yml 
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-zeek-warm.yml b/salt/curator/files/action/so-zeek-warm.yml index 2b4b6a729..b62bf90e9 100644 --- a/salt/curator/files/action/so-zeek-warm.yml +++ b/salt/curator/files/action/so-zeek-warm.yml @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zeek:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/action/so-zscaler-close.yml b/salt/curator/files/action/so-zscaler-close.yml index 5a008a27d..d7559097f 100644 --- a/salt/curator/files/action/so-zscaler-close.yml +++ b/salt/curator/files/action/so-zscaler-close.yml 
@@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set cur_close_days = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:close', 30) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: close diff --git a/salt/curator/files/action/so-zscaler-delete.yml b/salt/curator/files/action/so-zscaler-delete.yml index 238fea083..8a7cffcdb 100644 --- a/salt/curator/files/action/so-zscaler-delete.yml +++ b/salt/curator/files/action/so-zscaler-delete.yml @@ -1,11 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set DELETE_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:delete', 365) -%} ---- -# Remember, leave a key empty if there is no value. None will be a string, -# not a Python "NoneType" -# -# Also remember that all examples have 'disable_action' set to True. If you -# want to use this action as a template, be sure to set this to False after -# copying it. actions: 1: action: delete_indices diff --git a/salt/curator/files/action/so-zscaler-warm.yml b/salt/curator/files/action/so-zscaler-warm.yml index 8a7d8187a..5e34177d1 100644 --- a/salt/curator/files/action/so-zscaler-warm.yml +++ b/salt/curator/files/action/so-zscaler-warm.yml 
@@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set WARM_DAYS = salt['pillar.get']('elasticsearch:index_settings:so-zscaler:warm', 7) -%} actions: 1: diff --git a/salt/curator/files/bin/so-curator-close b/salt/curator/files/bin/so-curator-close index 5370b1135..4d6fbe602 100644 --- a/salt/curator/files/bin/so-curator-close +++ b/salt/curator/files/bin/so-curator-close @@ -1,19 +1,8 @@ #!/bin/bash -# -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. APP=close lf=/tmp/$APP-pidLockFile diff --git a/salt/curator/files/bin/so-curator-closed-delete b/salt/curator/files/bin/so-curator-closed-delete index fedb520d9..e585df406 100755 --- a/salt/curator/files/bin/so-curator-closed-delete +++ b/salt/curator/files/bin/so-curator-closed-delete 
@@ -1,19 +1,9 @@ #!/bin/bash -# -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + #. /usr/sbin/so-elastic-common #. /etc/nsm/securityonion.conf diff --git a/salt/curator/files/bin/so-curator-closed-delete-delete b/salt/curator/files/bin/so-curator-closed-delete-delete index b872a7aeb..70b032db5 100755 --- a/salt/curator/files/bin/so-curator-closed-delete-delete +++ b/salt/curator/files/bin/so-curator-closed-delete-delete 
@@ -1,29 +1,25 @@ - #!/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -{%- if grains['role'] in ['so-node', 'so-heavynode'] %} - {%- set ELASTICSEARCH_HOST = salt['pillar.get']('elasticsearch:mainip', '') -%} + +{%- if grains['role'] in ['so-searchnode', 'so-heavynode'] %} + {%- set ELASTICSEARCH_HOST = salt['pillar.get']('host:mainip', '') -%} {%- set ELASTICSEARCH_PORT = salt['pillar.get']('elasticsearch:es_port', '') -%} {%- elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %} - {%- set ELASTICSEARCH_HOST = salt['pillar.get']('manager:mainip', '') -%} + {%- set ELASTICSEARCH_HOST = salt['pillar.get']('global:managerip', '') -%} {%- set ELASTICSEARCH_PORT = salt['pillar.get']('manager:es_port', '') -%} {%- endif -%} {%- set LOG_SIZE_LIMIT = salt['pillar.get']('elasticsearch:log_size_limit', '') -%} -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. 
Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + LOG="/opt/so/log/curator/so-curator-closed-delete.log" @@ -35,12 +31,12 @@ overlimit() { closedindices() { # If we can't query Elasticsearch, then immediately return false. - {{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed >/dev/null 2>&1 + curl -K /opt/so/conf/elasticsearch/curl.config -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed >/dev/null 2>&1 [ $? -eq 1 ] && return false # First, get the list of closed indices using _cat/indices?h=index\&expand_wildcards=closed. # Next, filter out any so-case indices. # Finally, use grep's -q option to return true if there are any remaining logstash- or so- indices. - {{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -q -E "(logstash-|so-)" + curl -K /opt/so/conf/elasticsearch/curl.config -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -q -E "(logstash-|so-)" } # Check for 2 conditions: 
@@ -54,10 +50,10 @@ while overlimit && closedindices; do
 # Next, filter out any so-case indices and only select the remaining logstash- or so- indices.
 # Then, sort by date by telling sort to use hyphen as delimiter and sort on the third field.
 # Finally, select the first entry in that sorted list.
-OLDEST_INDEX=$({{ ELASTICCURL }} -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1)
+OLDEST_INDEX=$(curl -K /opt/so/conf/elasticsearch/curl.config -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -v "so-case" | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1)
 
 # Now that we've determined OLDEST_INDEX, ask Elasticsearch to delete it.
-{{ ELASTICCURL }} -XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX}
+curl -K /opt/so/conf/elasticsearch/curl.config-XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX}
 
 # Finally, write a log entry that says we deleted it.
 echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT ({{LOG_SIZE_LIMIT}} GB) - Index ${OLDEST_INDEX} deleted ..." >> ${LOG}
diff --git a/salt/curator/files/bin/so-curator-cluster-close b/salt/curator/files/bin/so-curator-cluster-close
index ed56e965e..95d882619 100644
--- a/salt/curator/files/bin/so-curator-cluster-close
+++ b/salt/curator/files/bin/so-curator-cluster-close
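Review bot: The new delete call is broken: `curl -K /opt/so/conf/elasticsearch/curl.config-XDELETE -k https://...` has no space between the config path and `-XDELETE`, so curl is told to read a config file named `curl.config-XDELETE` and never receives the DELETE method. As far as I recall curl only warns when a `-K` file cannot be read and carries on, which would mean the request leaves as an unauthenticated GET, the index is never removed, and the script still appends `Index ${OLDEST_INDEX} deleted` to the log; since `overlimit && closedindices` then stays true, the loop would keep re-issuing the same request and writing false audit lines. The fix is `curl -K /opt/so/conf/elasticsearch/curl.config -XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX}`, and I would only write the "deleted" log entry after checking curl's exit status (or the HTTP response) rather than unconditionally. The enclosing `while` loop begins before this hunk.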
@@ -1,19 +1,8 @@ #!/bin/bash -# -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. APP=close lf=/tmp/$APP-pidLockFile diff --git a/salt/curator/files/bin/so-curator-cluster-delete b/salt/curator/files/bin/so-curator-cluster-delete index 202ad4997..9ec5129af 100644 --- a/salt/curator/files/bin/so-curator-cluster-delete +++ b/salt/curator/files/bin/so-curator-cluster-delete 
@@ -1,19 +1,8 @@ #!/bin/bash -# -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. APP=delete lf=/tmp/$APP-pidLockFile diff --git a/salt/curator/files/bin/so-curator-cluster-warm b/salt/curator/files/bin/so-curator-cluster-warm index 1a03d273f..7de6dd391 100644 --- a/salt/curator/files/bin/so-curator-cluster-warm +++ b/salt/curator/files/bin/so-curator-cluster-warm 
@@ -1,19 +1,9 @@ #!/bin/bash -# -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + APP=warm lf=/tmp/$APP-pidLockFile diff --git a/salt/curator/files/bin/so-curator-delete b/salt/curator/files/bin/so-curator-delete index dfa5ca763..2d128bfdf 100644 --- a/salt/curator/files/bin/so-curator-delete +++ b/salt/curator/files/bin/so-curator-delete 
@@ -1,19 +1,9 @@ #!/bin/bash -# -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + APP=delete lf=/tmp/$APP-pidLockFile diff --git a/salt/curator/files/curator.yml b/salt/curator/files/curator.yml index 2f9b44dbc..5eaa97c73 100644 --- a/salt/curator/files/curator.yml +++ b/salt/curator/files/curator.yml 
@@ -1,15 +1,15 @@ -{% if grains['role'] in ['so-node', 'so-heavynode'] %} - {%- set elasticsearch = salt['pillar.get']('elasticsearch:mainip', '') -%} +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{% if grains['role'] in ['so-searchnode', 'so-heavynode'] %} + {%- set elasticsearch = salt['pillar.get']('host:mainip', '') -%} {% elif grains['role'] in ['so-eval', 'so-managersearch', 'so-standalone', 'so-manager'] %} - {%- set elasticsearch = salt['pillar.get']('manager:mainip', '') -%} + {%- set elasticsearch = salt['pillar.get']('global:managerip', '') -%} {%- endif %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} --- # Remember, leave a key empty if there is no value. None will be a string, @@ -18,10 +18,8 @@ client: hosts: - {{elasticsearch}} port: 9200 -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} username: "{{ ES_USER }}" password: "{{ ES_PASS }}" -{%- endif %} url_prefix: use_ssl: True certificate: diff --git a/salt/curator/init.sls b/salt/curator/init.sls index a01a8a292..164dece6b 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls 
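Review bot: With the `elasticsearch:auth:enabled` guard removed, `username:`/`password:` are now rendered unconditionally from `elasticsearch:auth:users:so_elastic_user`, but both `pillar.get` calls keep a `''` default, so a missing or mis-keyed pillar silently renders `username: ""` / `password: ""` instead of failing the state. Because Curator then either runs unauthenticated or fails inside a root cron job that nobody watches, I would make the render fail loudly, e.g. `{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass') %}` with no default plus a `{% if not ES_PASS %}` guard that raises. This file also now always carries the plaintext Elasticsearch credential, so it is worth confirming that the `curconf` file.managed state (outside this hunk) sets a root-only mode on it.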
@@ -1,15 +1,16 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} + -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} {% set REMOVECURATORCRON = False %} -{% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} -{% set HOTWARM = salt['pillar.get']('elasticsearch:hot_warm_enabled', False) %} -{% if grains['role'] in ['so-eval', 'so-node', 'so-managersearch', 'so-heavynode', 'so-standalone', 'so-manager'] %} - {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %} +{% if grains['role'] in ['so-eval', 'so-managersearch', 'so-heavynode', 'so-standalone', 'so-manager'] %} {% from "curator/map.jinja" import CURATOROPTIONS with context %} # Curator # Create the group @@ -74,8 +75,6 @@ curcloseddeldel: - group: 939 - mode: 755 - template: jinja - - defaults: - ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} curclose: file.managed: @@ -123,8 +122,7 @@ curclustercwarm: so-curator: docker_container.{{ CURATOROPTIONS.status }}: - {% if CURATOROPTIONS.status == 'running' %} - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-curator:{{ VERSION }} + - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-curator:{{ GLOBALS.so_version }} - start: {{ CURATOROPTIONS.start }} - hostname: curator - name: so-curator 
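Review bot: The `{% if CURATOROPTIONS.status == 'running' %}` / `{% else %} - force: True {% endif %}` pair is deleted (the opening `if` in the `-123,8` hunk here, the `else`/`endif` in the `-139,70` hunk), so `docker_container.{{ CURATOROPTIONS.status }}` now always receives `image`, `start`, `hostname`, `binds` and the rest; if `status` can still render to anything other than `running`, those are invalid arguments for that state function and the state will error instead of stopping the container. Either constrain `status` to `running` in `curator/map.jinja` (not visible here) or keep the conditional around the running-only arguments. `{% set REMOVECURATORCRON = False %}` survives in the `-1,15` hunk but every reader of it is removed in the `-139,70` hunk, so it is now dead and should go. The switch from `minute: '5'`/`hour: '1'` to `minute: '2'`/`hour: '*/1'` in the `-139,70` and `-211,56` hunks makes close/delete/warm run hourly instead of nightly; a one-line comment stating the reason for the hourly cadence would help the next reader.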
@@ -139,70 +137,13 @@ so-curator: - file: actionconfs - file: curconf - file: curlogdir - {% else %} - - force: True - {% endif %} - {% if CURATOROPTIONS.manage_sostatus %} -append_so-curator_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-curator - - unless: grep -q so-curator /opt/so/conf/so-status/so-status.conf - - {% if not CURATOROPTIONS.start %} -so-curator_so-status.disabled: - file.comment: - - name: /opt/so/conf/so-status/so-status.conf - - regex: ^so-curator$ - - # need to remove cronjobs here since curator is disabled - {% set REMOVECURATORCRON = True %} - {% else %} -delete_so-curator_so-status.disabled: - file.uncomment: - - name: /opt/so/conf/so-status/so-status.conf - - regex: ^so-curator$ - - {% endif %} - - {% else %} -delete_so-curator_so-status: - file.line: - - name: /opt/so/conf/so-status/so-status.conf - - match: ^so-curator$ - - mode: delete - - # need to remove cronjobs here since curator is disabled - {% set REMOVECURATORCRON = True %} - - {% endif %} - - {% if REMOVECURATORCRON %} -so-curatorcloseddeletecron: - cron.absent: - - name: /usr/sbin/so-curator-closed-delete > /opt/so/log/curator/cron-closed-delete.log 2>&1 - - user: root - -so-curatorclosecron: - cron.absent: - - name: /usr/sbin/so-curator-close > /opt/so/log/curator/cron-close.log 2>&1 - - user: root - -so-curatordeletecron: - cron.absent: - - name: /usr/sbin/so-curator-delete > /opt/so/log/curator/cron-delete.log 2>&1 - - user: root - - {% else %} - - {% if TRUECLUSTER is sameas true %} so-curatorclusterclose: cron.present: - name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1 - user: root - - minute: '5' - - hour: '1' + - minute: '2' + - hour: '*/1' - daymonth: '*' - month: '*' - dayweek: '*' 
@@ -211,56 +152,22 @@ so-curatorclusterdelete: cron.present: - name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-delete.log 2>&1 - user: root - - minute: '5' - - hour: '1' + - minute: '2' + - hour: '*/1' - daymonth: '*' - month: '*' - dayweek: '*' - {% if HOTWARM is sameas true %} + so-curatorclusterwarm: cron.present: - name: /usr/sbin/so-curator-cluster-warm > /opt/so/log/curator/cron-warm.log 2>&1 - user: root - - minute: '5' - - hour: '1' - - daymonth: '*' - - month: '*' - - dayweek: '*' - {% endif %} - - {% else %} -so-curatorcloseddeletecron: - cron.present: - - name: /usr/sbin/so-curator-closed-delete > /opt/so/log/curator/cron-closed-delete.log 2>&1 - - user: root - - minute: '*/5' - - hour: '*' - - daymonth: '*' - - month: '*' - - dayweek: '*' - -so-curatorclosecron: - cron.present: - - name: /usr/sbin/so-curator-close > /opt/so/log/curator/cron-close.log 2>&1 - - user: root - - minute: '*/5' - - hour: '*' - - daymonth: '*' - - month: '*' - - dayweek: '*' - -so-curatordeletecron: - cron.present: - - name: /usr/sbin/so-curator-delete > /opt/so/log/curator/cron-delete.log 2>&1 - - user: root - - minute: '*/5' - - hour: '*' + - minute: '2' + - hour: '*/1' - daymonth: '*' - month: '*' - dayweek: '*' - {% endif %} - {% endif %} {% endif %} {% else %} diff --git a/salt/deprecated-launcher/init.sls b/salt/deprecated-launcher/init.sls deleted file mode 100644 index 3805be5d7..000000000 --- a/salt/deprecated-launcher/init.sls +++ /dev/null @@ -1,12 +0,0 @@ -{%- set FLEETSETUP = salt['pillar.get']('global:fleetsetup', '0') -%} - -{%- if FLEETSETUP != 0 %} -launcherpkg: - pkg.installed: - - sources: - {% if grains['os'] == 'CentOS' %} - - launcher-final: salt://launcher/packages/launcher.rpm - {% elif grains['os'] == 'Ubuntu' %} - - launcher-final: salt://launcher/packages/launcher.deb - {% endif %} -{%- endif %} 
diff --git a/salt/deprecated-launcher/packages/info.txt b/salt/deprecated-launcher/packages/info.txt deleted file mode 100644 index 5529d123c..000000000 --- a/salt/deprecated-launcher/packages/info.txt +++ /dev/null @@ -1 +0,0 @@ -Fleet Packages will be copied to this folder diff --git a/salt/docker/init.sls b/salt/docker/init.sls index c01bb8e67..8b698c281 100644 --- a/salt/docker/init.sls +++ b/salt/docker/init.sls 
@@ -1,19 +1,52 @@
-{% from 'allowed_states.map.jinja' import allowed_states %}
-{% if sls in allowed_states %}
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-installdocker:
+dockergroup:
+ group.present:
+ - name: docker
+ - gid: 920
+
+dockerheldpackages:
pkg.installed:
- - name: docker-ce
+ - pkgs:
+ - containerd.io: 1.4.4-3.1.el7
+ - docker-ce: 3:20.10.5-3.el7
+ - docker-ce-cli: 1:20.10.5-3.el7
+ - docker-ce-rootless-extras: 20.10.5-3.el7
+ - hold: True
+ - update_holds: True
-# Make sure Docker is running!
-docker:
+# Make sure etc/docker exists
+dockeretc:
+ file.directory:
+ - name: /etc/docker
+
+# Manager daemon.json
+docker_daemon:
+ file.managed:
+ - source: salt://common/files/daemon.json
+ - name: /etc/docker/daemon.json
+ - template: jinja
+
+# Make sure Docker is always running
+docker_running:
service.running:
+ - name: docker
- enable: True
+ - watch:
+ - file: docker_daemon
-{% else %}
+# Reserve OS ports for Docker proxy in case boot settings are not already applied/present
+# 57314 = Strelka, 47760-47860 = Zeek
+dockerapplyports:
+ cmd.run:
+ - name: if [ ! -s /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="57314,47760-47860"; fi
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
+# Reserve OS ports for Docker proxy
+dockerreserveports:
+ file.managed:
+ - source: salt://common/files/99-reserved-ports.conf
+ - name: /etc/sysctl.d/99-reserved-ports.conf
-{% endif %}
\ No newline at end of file
diff --git a/salt/docker_clean/init.sls b/salt/docker_clean/init.sls
index a92d3aedd..c11af4f56 100644
--- a/salt/docker_clean/init.sls
+++ b/salt/docker_clean/init.sls
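Review bot: `dockerapplyports` applies the reserved-port range only while `/etc/sysctl.d/99-reserved-ports.conf` is empty or missing, and `dockerreserveports` then creates that file with nothing watching it, so a later change to the port list in `salt://common/files/99-reserved-ports.conf` never reaches the running kernel until reboot, while the `cmd.run` keeps reporting a change on every run. elasticsearch/init.sls on this page already uses `sysctl.present` for `vm.max_map_count`; the same state can set and persist the reservation in one idempotent step, replacing both `dockerapplyports` and `dockerreserveports`, provided the conf file holds only this key (if it carries other settings, keep the `file.managed` and add a `cmd.run` with `onchanges` on it that runs `sysctl -p` against that file). Two other things deserve a sentence in the commit message: this file drops the `allowed_states` guard that every other state on this page keeps, and it pins el7-specific package versions (`3:20.10.5-3.el7` etc.) directly in the state rather than in pillar.
```yaml
# Reserve OS ports for Docker proxy: applied live and persisted in one idempotent state
# 57314 = Strelka, 47760-47860 = Zeek
dockerreserveports:
  sysctl.present:
    - name: net.ipv4.ip_local_reserved_ports
    - value: "57314,47760-47860"
    - config: /etc/sysctl.d/99-reserved-ports.conf
```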
@@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} diff --git a/salt/domainstats/init.sls b/salt/domainstats/init.sls deleted file mode 100644 index 0aa9a6507..000000000 --- a/salt/domainstats/init.sls +++ /dev/null 
@@ -1,69 +0,0 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} - -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} - -# Create the group -dstatsgroup: - group.present: - - name: domainstats - - gid: 936 - -# Add user -domainstats: - user.present: - - uid: 936 - - gid: 936 - - home: /opt/so/conf/domainstats - - createhome: False - -# Create the log directory -dstatslogdir: - file.directory: - - name: /opt/so/log/domainstats - - user: 936 - - group: 939 - - makedirs: True - -so-domainstatsimage: - cmd.run: - - name: docker pull {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-domainstats:{{ VERSION }} - -so-domainstats: - docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-domainstats:{{ VERSION }} - - hostname: domainstats - - name: so-domainstats - - user: domainstats - - binds: - - /opt/so/log/domainstats:/var/log/domain_stats - - require: - - file: dstatslogdir - - cmd: so-domainstatsimage - -append_so-domainstats_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-domainstats - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} 
diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml
index 819a3cbbd..f21bab4c3 100644
--- a/salt/elastalert/defaults.yaml
+++ b/salt/elastalert/defaults.yaml
@@ -1,3 +1,8 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
elastalert:
@@ -11,8 +16,8 @@ elastalert:
minutes: 10
old_query_limit:
minutes: 5
- es_host: {{salt['pillar.get']('manager:mainip', '')}}
- es_port: {{salt['pillar.get']('manager:es_port', '')}}
+ es_host: {{salt['pillar.get']('global:managerip', '')}}
+ es_port: 9200
es_conn_timeout: 55
max_query_size: 5000
#aws_region: us-east-1
@@ -21,10 +26,8 @@ elastalert:
use_ssl: true
verify_certs: false
#es_send_get_body_as: GET
-{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
es_username: "{{ ES_USER }}"
es_password: "{{ ES_PASS }}"
-{%- endif %}
writeback_index: elastalert_status
alert_time_limit:
days: 2
diff --git a/salt/elastalert/files/modules/so/playbook-es.py b/salt/elastalert/files/modules/so/playbook-es.py
index bae967001..62afab41e 100644
--- a/salt/elastalert/files/modules/so/playbook-es.py
+++ b/salt/elastalert/files/modules/so/playbook-es.py
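Review bot: With the `auth:enabled` guard dropped in the `-21,10` hunk, `es_username`/`es_password` are now sent on every ElastAlert connection while the context line `verify_certs: false` still stands, so the so_elastic_user credentials are presented to whatever answers at `es_host:9200` without the server certificate being validated. The grid has an internal CA (other states on this page mount `/etc/pki/intca.crt` into containers), so set `verify_certs: true` and add `ca_certs: <PATH_OF_INTCA_INSIDE_ELASTALERT_CONTAINER>` instead of leaving verification off now that real credentials ride on the connection. In the `-11,8` hunk `es_port: 9200` replaces a pillar lookup; that is fine if Elasticsearch is fixed on 9200 everywhere, but a short comment noting the port is no longer pillar-driven would save the next reader a grep.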
@@ -1,5 +1,11 @@ # -*- coding: utf-8 -*- +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + from time import gmtime, strftime import requests,json from elastalert.alerts import Alerter diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index ed2549a36..3184c5c5c 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -1,17 +1,6 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use +# this file except in compliance with the Elastic License 2.0. {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} 
@@ -23,16 +12,8 @@ {%- set MANAGER_URL = salt['pillar.get']('global:url_base', '') %} {%- set MANAGER_IP = salt['pillar.get']('global:managerip', '') %} -{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} - {% set esalert = salt['pillar.get']('manager:elastalert', '1') %} - {% set esip = salt['pillar.get']('manager:mainip', '') %} - {% set esport = salt['pillar.get']('manager:es_port', '') %} -{% elif grains['role'] == 'so-node' %} - {% set esalert = salt['pillar.get']('elasticsearch:elastalert', '0') %} -{% endif %} # Elastalert -{% if esalert == 1 %} # Create the group elastagroup: @@ -138,8 +119,6 @@ append_so-elastalert_so-status.conf: - name: /opt/so/conf/so-status/so-status.conf - text: so-elastalert -{% endif %} - {% else %} {{sls}}_state_not_allowed: diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml new file mode 100644 index 000000000..bb7f20300 --- /dev/null +++ b/salt/elastalert/soc_elastalert.yaml @@ -0,0 +1,25 @@ +elastalert: + config: + disable_rules_on_error: false + description: Disable rules on failure. + run_every: + minutes: 3 + description: Amount of time in minutes between searches. + buffer_time: + minutes: 10 + description: Amount of time in minutes to look through. + old_query_limit: + minutes: 5 + description: Amount of time in minutes between queries to start at the most recently run query. + es_conn_timeout: 55 + description: Timeout in seconds for connecting to and reading from Elasticsearch. + max_query_size: 5000 + description: The maximum number of documents that will be downloaded from Elasticsearch in a single query. + alert_time_limit: + days: 2 + description: The retry window for failed alerts. + index_settings: + shards: 1 + description: The amount of shards to use for elastalert. + replicas: 0 + description: The amount of replicas for the Elastalert index. 
diff --git a/salt/elastic-fleet/init.sls b/salt/elastic-fleet/init.sls new file mode 100644 index 000000000..a4b8fbf3d --- /dev/null +++ b/salt/elastic-fleet/init.sls 
@@ -0,0 +1,56 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use +# this file except in compliance with the Elastic License 2.0. +{% from 'allowed_states.map.jinja' import allowed_states %} +{% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} + +# These values are generated during node install and stored in minion pillar +{% set SERVICETOKEN = salt['pillar.get']('elasticfleet:server:es_token','') %} +{% set FLEETSERVERPOLICY = salt['pillar.get']('elasticfleet:server:server_policy','so-manager') %} +{% set FLEETURL = salt['pillar.get']('elasticfleet:server:url') %} + +elasticfleetdir: + file.directory: + - name: /opt/so/conf/elastic-fleet/state + - makedirs: True + +elasticagentinstallersdir: + file.directory: + - name: /opt/so/conf/elastic-fleet/so_agent-installers + - makedirs: True + + {% if SERVICETOKEN != '' %} +so-elastic-fleet: + docker_container.running: + - image: docker.elastic.co/beats/elastic-agent:8.4.1 + - name: so-elastic-fleet + - hostname: elastic-fleet-{{ GLOBALS.hostname }} + - detach: True + - user: root + - extra_hosts: + - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} + - port_bindings: + - 0.0.0.0:8220:8220 + - binds: + - /opt/so/conf/filebeat/etc/pki:/etc/pki:ro + - /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw + - environment: + - FLEET_SERVER_ENABLE=true + - FLEET_URL=https://{{ FLEETURL }}:8220 + - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager_ip }}:9200 + - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }} + - FLEET_SERVER_POLICY_ID={{ FLEETSERVERPOLICY }} + - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/intca.crt + - FLEET_SERVER_CERT=/etc/pki/filebeat.crt + - FLEET_SERVER_CERT_KEY=/etc/pki/filebeat.key + - FLEET_CA=/etc/pki/intca.crt + {% endif %} + +{% else %} + +{{sls}}_state_not_allowed: + test.fail_without_changes: + - name: 
{{sls}}_state_not_allowed
+
+{% endif %}
\ No newline at end of file
diff --git a/salt/elastic-fleet/install_agent_grid.sls b/salt/elastic-fleet/install_agent_grid.sls
new file mode 100644
index 000000000..36249a67f
--- /dev/null
+++ b/salt/elastic-fleet/install_agent_grid.sls
@@ -0,0 +1,13 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# this file except in compliance with the Elastic License 2.0.
+
+
+{% set AGENT_STATUS = salt['service.available']('elastic-agent') %}
+{% if not AGENT_STATUS %}
+
+run_installer:
+ cmd.run:
+ - name: salt://elastic-fleet/files/so_agent-installers/so-elastic-agent_linux
+
+{% endif %}
diff --git a/salt/elasticsearch/auth.map.jinja b/salt/elasticsearch/auth.map.jinja
deleted file mode 100644
index 3c3b42cdc..000000000
--- a/salt/elasticsearch/auth.map.jinja
+++ /dev/null
@@ -1,7 +0,0 @@
-{% set ELASTICAUTH = salt['pillar.filter_by']({
- True: {
- 'user': salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user'),
- 'pass': salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass'),
- 'elasticcurl':'curl -K /opt/so/conf/elasticsearch/curl.config' },
- False: {'elasticcurl': 'curl'},
-}, pillar='elasticsearch:auth:enabled', default=False) %}
diff --git a/salt/elasticsearch/auth.sls b/salt/elasticsearch/auth.sls
index ad9f3df04..f3aefa6b9 100644
--- a/salt/elasticsearch/auth.sls
+++ b/salt/elasticsearch/auth.sls
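Review bot: `FLEETURL` is read with `salt['pillar.get']('elasticfleet:server:url')` with no default and sits outside the `{% if SERVICETOKEN != '' %}` guard, so a minion that has a token but not the url key either fails the render or produces `FLEET_URL=https://None:8220` (which of the two depends on how `pillar.get` behaves without a default on this Salt version); guard both, e.g. `{% if SERVICETOKEN != '' and FLEETURL %}`, or give that `set` a default. Every other container on this page is pulled as `{{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/...`, whereas this one uses `docker.elastic.co/beats/elastic-agent:8.4.1` by mutable tag from an external registry; pin it by digest or mirror it into the grid registry so the fleet server's supply chain matches the rest of the stack. `FLEET_SERVER_SERVICE_TOKEN` is passed as a container environment variable, which is readable through the container metadata by anyone with Docker API access; if the agent supports reading the token from a file mounted read-only (as the certificates already are), prefer that, and otherwise record the exposure in a comment above the `environment:` block. The `so-elastic-fleet` state is complete within this hunk.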
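Review bot: `cmd.run` executes its `name` as a shell command, and `salt://elastic-fleet/files/so_agent-installers/so-elastic-agent_linux` is a fileserver URL rather than a local path, so this state will fail with a command-not-found error and never install the agent. `cmd.script` is the state that fetches a `salt://` source and executes it: `run_installer:` / `  cmd.script:` / `    - source: salt://elastic-fleet/files/so_agent-installers/so-elastic-agent_linux`. The `service.available('elastic-agent')` check is the only idempotency guard, so a partial or failed install re-runs the installer on every highstate; an `unless:` or `creates:` on the agent's install location would make that explicit.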
@@ -11,8 +11,7 @@ {% set so_logstash_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass', salt['random.get_str'](72, chars=CHARS)) %} {% set so_beats_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_beats_user:pass', salt['random.get_str'](72, chars=CHARS)) %} {% set so_monitor_user_pass = salt['pillar.get']('elasticsearch:auth:users:so_monitor_user:pass', salt['random.get_str'](72, chars=CHARS)) %} - {% set auth_enabled = salt['pillar.get']('elasticsearch:auth:enabled', False) %} - + elastic_auth_pillar: file.managed: - name: /opt/so/saltstack/local/pillar/elasticsearch/auth.sls @@ -21,7 +20,6 @@ elastic_auth_pillar: - contents: | elasticsearch: auth: - enabled: {{ auth_enabled }} users: so_elastic_user: user: so_elastic diff --git a/salt/elasticsearch/config.map.jinja b/salt/elasticsearch/config.map.jinja index 9a80ce30f..86b9c47ae 100644 --- a/salt/elasticsearch/config.map.jinja +++ b/salt/elasticsearch/config.map.jinja 
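Review bot: The `-21,7` hunk removes `enabled:` from the pillar file written by `elastic_auth_pillar`, and `salt/elasticsearch/auth.map.jinja`, the consumer of `elasticsearch:auth:enabled`, is deleted in this commit, but any remaining state or script that still reads that key will now silently get its default rather than an error. A grep for `auth:enabled` across the repository before merging would confirm nothing else depends on it; if the toggle is gone for good, a comment above `users:` such as `# authentication is always enabled; there is no enabled: toggle` documents the intent. The `-11,8` hunk also seems to replace a blank line with a whitespace-only one, which is worth cleaning up.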
@@ -1,36 +1,32 @@ {% import_yaml 'elasticsearch/defaults.yaml' as ESCONFIG with context %} +{% from 'logstash/map.jinja' import REDIS_NODES with context %} + {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} -{% if not salt['pillar.get']('elasticsearch:auth:enabled', False) %} - {% do ESCONFIG.elasticsearch.config.xpack.security.authc.anonymous.update({'username': 'anonymous_user', 'roles': 'superuser', 'authz_exception': 'true'}) %} -{% endif %} - -{% if salt['pillar.get']('elasticsearch:true_cluster', False) %} - {% if grains.id.split('_') | last in ['manager','managersearch'] %} - {% if salt['pillar.get']('nodestab', {}) %} - {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client']}) %} - {% if HIGHLANDER %} - {% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'transform']) %} - {% endif %} - {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [grains.master]}}) %} - {% for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} - {% do ESCONFIG.elasticsearch.config.discovery.seed_hosts.append(SN.split('_')|first) %} - {% endfor %} - {% endif %} - {% if grains.id.split('_') | last == 'manager' %} - {% do ESCONFIG.elasticsearch.config.node.attr.update({'box_type': ''}) %} - {% endif %} - {% else %} - {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['data', 'ingest']}) %} +{% if grains.id.split('_') | last in ['manager','managersearch'] %} + {% if REDIS_NODES | length > 1 %} + {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client']}) %} {% if HIGHLANDER %} - {% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %} + {% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'transform']) %} {% endif %} - {% do ESCONFIG.elasticsearch.config.node.attr.update({'box_type': 'hot'}) %} {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [grains.master]}}) %} + {% 
for SN in REDIS_NODES.keys() %} + {% do ESCONFIG.elasticsearch.config.discovery.seed_hosts.append(SN) %} + {% endfor %} {% endif %} - {% if HIGHLANDER %} - {% do ESCONFIG.elasticsearch.config.xpack.ml.update({'enabled': true}) %} - {% endif %} + {% if grains.id.split('_') | last == 'manager' %} + {% do ESCONFIG.elasticsearch.config.node.attr.update({'box_type': ''}) %} + {% endif %} +{% elif grains.id.split('_') | last not in ['eval', 'standalone', 'import'] %} + {% do ESCONFIG.elasticsearch.config.node.update({'roles': ['data', 'ingest']}) %} + {% if HIGHLANDER %} + {% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %} + {% endif %} + {% do ESCONFIG.elasticsearch.config.node.attr.update({'box_type': 'hot'}) %} + {% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [grains.master]}}) %} +{% endif %} +{% if HIGHLANDER %} + {% do ESCONFIG.elasticsearch.config.xpack.ml.update({'enabled': true}) %} {% endif %} {# merge with the elasticsearch pillar #} diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 1d1518b3c..bc33598f3 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls 
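Review bot: `REDIS_NODES`, imported from `logstash/map.jinja`, now decides both whether this node forms a multi-node cluster (`REDIS_NODES | length > 1`) and which hosts go into `discovery.seed_hosts` (`for SN in REDIS_NODES.keys()`), coupling Elasticsearch discovery to the Logstash/Redis node map without a word on why the two sets are expected to coincide. A comment next to the import, e.g. `{# REDIS_NODES doubles as the search-node inventory: every key is assumed to run Elasticsearch and is added to discovery.seed_hosts #}`, would make the assumption explicit and flag it for anyone adding a node type that runs one service without the other. `grains.master` is seeded first and then every key is appended, so if the manager is itself a key of REDIS_NODES it appears twice in `seed_hosts`; harmless for Elasticsearch, but a `{% if SN != grains.master %}` around the append keeps the list clean.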
@@ -1,53 +1,27 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} include: - ssl -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -{% set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} -{% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} -{% set MANAGERIP = salt['pillar.get']('global:managerip') %} - -{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import'] %} - {% set esclustername = salt['pillar.get']('manager:esclustername') %} - {% set esheap = salt['pillar.get']('manager:esheap') %} - {% set ismanager = True %} -{% elif grains['role'] in ['so-node','so-heavynode'] %} - {% set esclustername = salt['pillar.get']('elasticsearch:esclustername') %} - {% set esheap = salt['pillar.get']('elasticsearch:esheap') %} - {% set ismanager = False %} -{% elif 
grains['role'] == 'so-helix' %} - {% set ismanager = True %} {# Solely for the sake of running so-catrust #} -{% endif %} - {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} {% set ROLES = salt['pillar.get']('elasticsearch:roles', {}) %} -{% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %} {% from 'elasticsearch/config.map.jinja' import ESCONFIG with context %} {% from 'elasticsearch/template.map.jinja' import ES_INDEX_SETTINGS without context %} +{% from 'logstash/map.jinja' import REDIS_NODES with context %} + +{% from 'vars/globals.map.jinja' import GLOBALS %} vm.max_map_count: sysctl.present: - value: 262144 -{% if ismanager %} +{% if GLOBALS.is_manager %} # We have to add the Manager CA to the CA list cascriptsync: file.managed: @@ -75,10 +49,6 @@ es_sync_scripts: - file_mode: 755 - template: jinja - source: salt://elasticsearch/tools/sbin - - defaults: - ELASTICCURL: 'curl' - - context: - ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} - exclude_pat: - so-elasticsearch-pipelines # exclude this because we need to watch it for changes, we sync it in another state @@ -90,8 +60,6 @@ so-elasticsearch-pipelines-script: - group: 939 - mode: 754 - template: jinja - - defaults: - ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} # Move our new CA over so Elastic and Logstash can use SSL with the internal CA catrustdir: @@ -115,7 +83,7 @@ capemz: - user: 939 - group: 939 -{% if grains['role'] != 'so-helix' %} + # Add ES Group elasticsearchgroup: 
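Review bot: The `-75,10` and `-90,8` hunks drop the `ELASTICCURL` `defaults:`/`context:` from `es_sync_scripts` and `so-elasticsearch-pipelines-script` while both stay `template: jinja`, so any script under `salt://elasticsearch/tools/sbin` that still references `{{ ELASTICCURL }}` will now fail to render with an undefined-variable error (so-catrust is touched further down this page; the other scripts are not visible here). Since auth is now unconditional, the scripts presumably hardcode the authenticated curl form that the deleted `auth.map.jinja` used to supply; a comment on `es_sync_scripts` such as `# auth is always on: scripts invoke curl with the so_elastic_user curl.config directly, no ELASTICCURL variable` records why the context went away. The `-1,53` hunk spans into the previous line of this page; the `so-elasticsearch` container state it configures starts outside these hunks.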
@@ -315,27 +283,16 @@ auth_users_roles_inode: so-elasticsearch: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-elasticsearch:{{ VERSION }} + - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }} - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch - - extra_hosts: - {% if ismanager %} - - {{ grains.host }}:{{ NODEIP }} - {% if salt['pillar.get']('nodestab', {}) %} - {% for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} - - {{ SN.split('_')|first }}:{{ SNDATA.ip }} - {% endfor %} - {% endif %} - {% else %} - - {{ grains.host }}:{{ NODEIP }} - - {{ MANAGER }}:{{ MANAGERIP }} - {% endif %} + - extra_hosts: {{ REDIS_NODES }} - environment: - {% if TRUECLUSTER is sameas false or (TRUECLUSTER is sameas true and not salt['pillar.get']('nodestab', {})) %} + {% if REDIS_NODES | length == 1 %} - discovery.type=single-node {% endif %} - - ES_JAVA_OPTS=-Xms{{ esheap }} -Xmx{{ esheap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true + - ES_JAVA_OPTS=-Xms{{ GLOBALS.elasticsearch.es_heap }} -Xmx{{ GLOBALS.elasticsearch.es_heap }} -Des.transport.cname_in_publish_address=true -Dlog4j2.formatMsgNoLookups=true ulimits: - memlock=-1:-1 - nofile=65536:65536 @@ -349,7 +306,7 @@ so-elasticsearch: - /nsm/elasticsearch:/usr/share/elasticsearch/data:rw - /opt/so/log/elasticsearch:/var/log/elasticsearch:rw - /opt/so/conf/ca/cacerts:/usr/share/elasticsearch/jdk/lib/security/cacerts:ro - {% if ismanager %} + {% if GLOBALS.is_manager %} - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro {% else %} - /etc/ssl/certs/intca.crt:/usr/share/elasticsearch/config/ca.crt:ro 
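Review bot: `- extra_hosts: {{ REDIS_NODES }}` injects the Python repr of a Jinja dict straight into YAML; it works only because that repr happens to be valid YAML flow syntax and because Salt's docker_container translator accepts a mapping for `extra_hosts`, which is not obvious to a reader used to the `host:ip` list form the removed lines used. Render it explicitly, `{% for SN, SNIP in REDIS_NODES.items() %}` / `- {{ SN }}:{{ SNIP }}` / `{% endfor %}`, if the values are plain IPs (the shape of REDIS_NODES is not visible here), or at least add `# REDIS_NODES is a hostname -> ip mapping; docker_container accepts a dict for extra_hosts`. The enclosing `so-elasticsearch` state begins before this hunk.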
@@ -357,10 +314,8 @@ so-elasticsearch: - /etc/pki/elasticsearch.crt:/usr/share/elasticsearch/config/elasticsearch.crt:ro - /etc/pki/elasticsearch.key:/usr/share/elasticsearch/config/elasticsearch.key:ro - /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro - {% if salt['pillar.get']('elasticsearch:auth:enabled', False) %} - /opt/so/conf/elasticsearch/users_roles:/usr/share/elasticsearch/config/users_roles:ro - /opt/so/conf/elasticsearch/users:/usr/share/elasticsearch/config/users:ro - {% endif %} {% if ESCONFIG.path.get('repo', False) %} {% for repo in ESCONFIG.path.repo %} - {{ repo }}:{{ repo }}:rw @@ -378,15 +333,13 @@ so-elasticsearch: - x509: /etc/pki/elasticsearch.crt - x509: /etc/pki/elasticsearch.key - file: elasticp12perms - {% if ismanager %} + {% if GLOBALS.is_manager %} - x509: pki_public_ca_crt {% else %} - x509: trusttheca {% endif %} - {% if salt['pillar.get']('elasticsearch:auth:enabled', False) %} - cmd: auth_users_roles_inode - cmd: auth_users_inode - {% endif %} append_so-elasticsearch_so-status.conf: file.append: @@ -404,7 +357,7 @@ so-elasticsearch-templates: so-elasticsearch-pipelines: cmd.run: - - name: /usr/sbin/so-elasticsearch-pipelines {{ grains.host }} + - name: /usr/sbin/so-elasticsearch-pipelines {{ GLOBALS.hostname }} - require: - docker_container: so-elasticsearch - file: so-elasticsearch-pipelines-script @@ -418,7 +371,6 @@ so-elasticsearch-roles-load: - docker_container: so-elasticsearch - file: es_sync_scripts -{% endif %} {# if grains['role'] != 'so-helix' #} {% else %} diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml new file mode 100644 index 000000000..0e8faf4a2 --- /dev/null +++ b/salt/elasticsearch/soc_elasticsearch.yaml 
@@ -0,0 +1,104 @@ +elasticsearch: + config: + cluster: + name: + description: The name of the Security Onion Elasticsearch cluster, for identification purposes. + readonly: True + global: True + routing: + allocation: + disk: + threshold_enabled: + description: Specifies whether the Elasticsearch node will monitor the available disk space for low disk space conditions and take action to protect the cluster. + watermark: + low: + description: The lower percentage of used disk space representing a healthy node. + high: + description: The higher percentage of used disk space representing an unhealthy node. + flood_stage: + description: The max percentage of used disk space that will cause the node to take protective actions, such as blocking incoming events. + + script: + max_compilations_rate: + description: Max rate of script compilations permitted in the Elasticsearch cluster. Larger values will consume more resources. + global: True + indices: + query: + bool: + max_clause_count: + description: Max number of boolean clauses per query. + global: True + index_settings: + so-aws: &indexSettings + warm: + description: Age (in days) of this index before it will move to warm storage, if warm nodes are present. Once moved, events on this index can take longer to fetch. + global: True + close: + description: Age (in days) of this index before it will be closed. Once closed, events on this index cannot be retrieved without first re-opening the index. + global: True + delete: + description: Age (in days) of this index before it will be deleted. Once deleted, events are permanently unrecoverable. + global: True + index_sorting: + description: Sorts the index by event time, at the cost of additional processing resource consumption. + global: True + index_template: + template: + settings: + index: + mapping: + total_fields: + limit: + description: Max number of fields that can exist on a single index. Larger values will consume more resources. 
+ global: True + refresh_interval: + description: Seconds between index refreshes. Shorter intervals can cause query performance to suffer since this is a synchronous and resource-intensive operation. + global: True + number_of_shards: + description: Number of shards required for this index. Using multiple shards increases fault tolerance, but also increases storage and network costs. + global: True + number_of_replicas: + description: Number of replicas required for this index. Multiple replicas protects against data loss, while also increasing storage costs. + global: True + so-azure: *indexSettings + so-barracuda: *indexSettings + so-beats: *indexSettings + so-bluecoat: *indexSettings + so-cef: *indexSettings + so-checkpoint: *indexSettings + so-cisco: *indexSettings + so-cyberark: *indexSettings + so-cylance: *indexSettings + so-elasticsearch: *indexSettings + so-endgame: *indexSettings + so-f5: *indexSettings + so-firewall: *indexSettings + so-fortinet: *indexSettings + so-gcp: *indexSettings + so-google_workspace: *indexSettings + so-ids: *indexSettings + so-imperva: *indexSettings + so-import: *indexSettings + so-infoblox: *indexSettings + so-juniper: *indexSettings + so-kibana: *indexSettings + so-logstash: *indexSettings + so-microsoft: *indexSettings + so-misp: *indexSettings + so-netflow: *indexSettings + so-netscout: *indexSettings + so-o365: *indexSettings + so-okta: *indexSettings + so-osquery: *indexSettings + so-proofpoint: *indexSettings + so-radware: *indexSettings + so-redis: *indexSettings + so-snort: *indexSettings + so-snyk: *indexSettings + so-sonicwall: *indexSettings + so-sophos: *indexSettings + so-strelka: *indexSettings + so-syslog: *indexSettings + so-tomcat: *indexSettings + so-zeek: *indexSettings + so-zscaler: *indexSettings \ No newline at end of file diff --git a/salt/elasticsearch/tools/sbin/so-catrust b/salt/elasticsearch/tools/sbin/so-catrust index ac9ef8a82..253208064 100644 --- a/salt/elasticsearch/tools/sbin/so-catrust 
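Review bot: The `refresh_interval` description says "Seconds between index refreshes", but Elasticsearch's `index.refresh_interval` is a time-value string such as `30s`, so an operator reading this description in the configuration UI may enter a bare number; unless the settings layer converts integers for them, I'd word it as `description: Interval between index refreshes, as an Elasticsearch time value (e.g. 30s). Shorter intervals can cause query performance to suffer ...`. The matching default lives in a defaults file outside this hunk, so confirm the type there before changing the wording. The new file also lacks a trailing newline.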
+++ b/salt/elasticsearch/tools/sbin/so-catrust @@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {%- set VERSION = salt['pillar.get']('global:soversion', '') %} {%- set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {%- set MANAGER = salt['grains.get']('master') %} diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines b/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines index 0fbfa8b4d..04cd86c23 100755 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-pipelines 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + RETURN_CODE=0 ELASTICSEARCH_HOST=$1 @@ -30,7 +22,7 @@ if [ ! -f /opt/so/state/espipelines.txt ]; then COUNT=0 ELASTICSEARCH_CONNECTED="no" while [[ "$COUNT" -le 240 ]]; do - {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" + curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" if [ $? -eq 0 ]; then ELASTICSEARCH_CONNECTED="yes" echo "connected!" 
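Review bot: The `@@ -30,7 +22,7 @@` wait loop still passes `-k` even though its credentials now come from `/opt/so/conf/elasticsearch/curl.config`; with verification disabled, whatever that file holds (presumably the so_elastic_user basic-auth credentials, judging by the `ELASTICCURL` macro it replaces) is offered to any endpoint answering on port 9200 with a TLS certificate. The init.sls hunks in this same change already mount a CA for the container (`/etc/pki/ca.crt` on the manager, `/etc/ssl/certs/intca.crt` elsewhere), so the verification path exists: replace `-k` with `--cacert` pointing at that CA, or put `cacert = ...` in curl.config so every caller inherits it. Since curl.config is now referenced from three scripts, its mode and ownership deserve a check as well.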
@@ -50,7 +42,7 @@ if [ ! -f /opt/so/state/espipelines.txt ]; then cd ${ELASTICSEARCH_INGEST_PIPELINES} echo "Loading pipelines..." - for i in *; do echo $i; RESPONSE=$({{ ELASTICCURL }} -k -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done + for i in *; do echo $i; RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -k -XPUT -L https://${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}/_ingest/pipeline/$i -H 'Content-Type: application/json' -d@$i 2>/dev/null); echo $RESPONSE; if [[ "$RESPONSE" == *"error"* ]]; then RETURN_CODE=1; fi; done echo cd - >/dev/null diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load index 7ce907f87..ab8e5b707 100755 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-roles-load 
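Review bot: The pipeline-loading loop decides failure only by searching the response body for the substring `error` and sends curl's own diagnostics to `/dev/null`, so a connection refused, a TLS failure or an empty reply yields an empty `$RESPONSE`, no match, and `RETURN_CODE` stays 0 — the state then records the pipelines as loaded. Check curl's exit status as well, e.g. `RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config ... -d@"$i" 2>&1) || RETURN_CODE=1`, and quote `$i` in `-d@$i` and in the URL path, since the `*` glob admits filenames with spaces. `-k` also remains on this call, so the same CA-pinning fix belongs here.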
@@ -1,18 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {%- set mainint = salt['pillar.get']('host:mainint') %} {%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} @@ -29,7 +21,7 @@ echo -n "Waiting for ElasticSearch..." COUNT=0 ELASTICSEARCH_CONNECTED="no" while [[ "$COUNT" -le 240 ]]; do - {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" + curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" if [ $? -eq 0 ]; then ELASTICSEARCH_CONNECTED="yes" echo "connected!" diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load old mode 100644 new mode 100755 index e776e84a0..e341c3d40 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load +++ b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load 
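Review bot: In the `@@ -29,7 +21,7 @@` wait loop the new `curl -K /opt/so/conf/elasticsearch/curl.config` still carries `-k`, so whatever credentials curl.config supplies are sent before the server certificate has been checked. Pointing `--cacert` at the CA the elasticsearch state already distributes, or setting `cacert` inside curl.config, closes that gap without otherwise touching the loop. The `MYIP` grain lookup above it is unchanged context.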
@@ -1,18 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {%- set mainint = salt['pillar.get']('host:mainint') %} {%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 75b45d4e6..afcfcd27b 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml 
@@ -7,12 +7,9 @@ {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} {%- set HOSTNAME = salt['grains.get']('host', '') %} -{%- set ZEEKVER = salt['pillar.get']('global:mdengine', 'COMMUNITY') %} -{%- set WAZUHENABLED = salt['pillar.get']('global:wazuh', '0') %} +{%- set ZEEKVER = salt['pillar.get']('global:mdengine', '') %} {%- set STRELKAENABLED = salt['pillar.get']('strelka:enabled', '0') %} {%- set RITAENABLED = salt['pillar.get']('rita:enabled', False) -%} -{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%} -{%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%} {%- set FBMEMEVENTS = salt['pillar.get']('filebeat:mem_events', 2048) -%} {%- set FBMEMFLUSHMINEVENTS = salt['pillar.get']('filebeat:mem_flush_min_events', 2048) -%} {%- set FBLSWORKERS = salt['pillar.get']('filebeat:ls_workers', 1) -%} @@ -236,46 +233,6 @@ filebeat.inputs: {%- endif %} {%- endif %} -{%- if WAZUHENABLED == 1 %} - -- type: filestream - id: wazuh - paths: - - /wazuh/archives/archives.json - fields: - module: ossec - category: host - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - pipeline: "ossec" - fields_under_root: true - clean_removed: false - close_removed: false - -{%- endif %} - -{%- if FLEETMANAGER or FLEETNODE %} - -- type: filestream - id: osquery - paths: - - /nsm/osquery/fleet/result.log - fields: - module: osquery - dataset: query_result - category: host - - processors: - - drop_fields: - fields: ["source", "prospector", "input", "offset", "beat"] - - fields_under_root: true - clean_removed: false - close_removed: false - -{%- endif %} - {%- if RITAENABLED %} - type: filestream id: rita-beacon 
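Review bot: Changing the `ZEEKVER` fallback from `'COMMUNITY'` to `''` means a minion whose `global:mdengine` pillar is missing now renders as "no engine" instead of the community Zeek default, and any `{% if ZEEKVER == ... %}` branches later in this template (outside the hunk) will silently omit those inputs rather than fail. If the pillar is now mandatory, failing the render is safer than an empty default, e.g. `{%- set ZEEKVER = salt['pillar.get']('global:mdengine') %}` followed by `{% if not ZEEKVER %}{{ raise('global:mdengine pillar is required') }}{% endif %}` using Salt's Jinja `raise()`; if the empty default is intended, a one-line comment saying so would stop a reader from taking it for an accidental regression.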
@@ -420,10 +377,8 @@ output.{{ type }}: output.elasticsearch: enabled: true hosts: ["https://{{ MANAGER }}:9200"] -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} username: "{{ ES_USER }}" password: "{{ ES_PASS }}" -{%- endif %} ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] pipelines: - pipeline: "%{[module]}.%{[dataset]}" @@ -472,7 +427,7 @@ output.logstash: {% else -%} {% set dmz_nodes = [] -%} {% endif -%} -{%- if grains.role in ['so-sensor', 'so-fleet', 'so-node', 'so-idh'] %} +{%- if grains.role in ['so-sensor', 'so-fleet', 'so-searchnode', 'so-idh'] %} {%- set LOGSTASH = namespace() %} {%- set LOGSTASH.count = 0 %} {%- set LOGSTASH.loadbalance = false %} diff --git a/salt/filebeat/etc/module-setup.yml b/salt/filebeat/etc/module-setup.yml index 6c2f91d18..d0ecd5d22 100644 --- a/salt/filebeat/etc/module-setup.yml +++ b/salt/filebeat/etc/module-setup.yml @@ -1,16 +1,10 @@ -{%- if grains['role'] in ['so-managersearch', 'so-heavynode', 'so-node'] %} -{%- set MANAGER = salt['grains.get']('host' '') %} -{%- else %} -{%- set MANAGER = salt['grains.get']('master') %} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output.elasticsearch: enabled: true - hosts: ["https://{{ MANAGER }}:9200"] -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} + hosts: ["https://{{ ES }}:9200"] username: "{{ ES_USER }}" password: "{{ ES_PASS }}" -{% endif %} ssl.certificate_authorities: ["/usr/share/filebeat/intraca.crt"] diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 24a26bd39..dd30d4205 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls 
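Review bot: With the `elasticsearch:auth:enabled` guard removed, `output.elasticsearch` now always renders `username`/`password`, and `ES_PASS` falls back to `''` at the top of this template when the pillar key is absent, so a misconfigured minion ends up with an empty password in `filebeat.yml` and a Filebeat that fails authentication at runtime rather than at render time. Drop the `''` default on `ES_PASS` (or add `{% if not ES_PASS %}{{ raise('so_elastic_user password pillar is required') }}{% endif %}`) so a missing secret fails the state instead. Because the rendered file now unconditionally contains a credential, the `file.managed` that writes it (outside this hunk) should keep a restrictive mode.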
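Review bot: `module-setup.yml` now always targets `salt['grains.get']('master')`, whereas the removed branch pointed `so-managersearch`, `so-heavynode` and `so-node` at their own host. For a heavynode, which this change still lists among the Elasticsearch-running roles in `filebeat/init.sls`, module setup therefore goes to the manager's Elasticsearch rather than the local one. If that is intended, a comment on the `set ES` line stating that module templates are always installed on the manager would save the next reader the archaeology; if not, the role branch should be reinstated with the old `'host' ''` argument typo fixed to `'host', ''`.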
@@ -21,7 +21,7 @@ {% from 'filebeat/modules.map.jinja' import MODULESMERGED with context %} {% from 'filebeat/modules.map.jinja' import MODULESENABLED with context %} {% from 'filebeat/map.jinja' import FILEBEAT_EXTRA_HOSTS with context %} -{% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %} +{% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-searchnode', 'so-heavynode', 'so-import'] %} include: - ssl diff --git a/salt/filebeat/map.jinja b/salt/filebeat/map.jinja index a93eedce0..47537ca41 100644 --- a/salt/filebeat/map.jinja +++ b/salt/filebeat/map.jinja @@ -2,7 +2,7 @@ {% set FILEBEAT_EXTRA_HOSTS = [] %} {% set mainint = salt['pillar.get']('host:mainint') %} {% set localhostip = salt['grains.get']('ip_interfaces').get(mainint)[0] %} -{% if role in ['so-sensor', 'so-fleet', 'so-node', 'so-idh'] %} +{% if role in ['so-sensor', 'so-fleet', 'so-searchnode', 'so-idh'] %} {% set node_data = salt['pillar.get']('logstash:nodes') %} {% for node_type, node_details in node_data.items() | sort %} {% if node_type in ['manager', 'managersearch', 'standalone', 'receiver' ] %} diff --git a/salt/filebeat/securityoniondefaults.yaml b/salt/filebeat/securityoniondefaults.yaml index be4f81bd1..56b0a386e 100644 --- a/salt/filebeat/securityoniondefaults.yaml +++ b/salt/filebeat/securityoniondefaults.yaml @@ -4,7 +4,7 @@ } %} securityonion_filebeat: modules: - {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone','so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %} + {%- if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone','so-searchnode', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %} elasticsearch: server: enabled: true diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index 257c45808..7f8c01910 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml 
+++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -10,16 +10,12 @@ role: hostgroups: manager: portgroups: - - {{ portgroups.wazuh_agent }} - - {{ portgroups.wazuh_api }} - - {{ portgroups.wazuh_authd }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.minio }} - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} @@ -29,10 +25,7 @@ role: portgroups: - {{ portgroups.acng }} - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - {{ portgroups.influxdb }} - - {{ portgroups.wazuh_api }} - - {{ portgroups.fleet_api }} - {{ portgroups.sensoroni }} sensor: portgroups: @@ -60,24 +53,16 @@ role: elasticsearch_rest: portgroups: - {{ portgroups.elasticsearch_rest }} - osquery_endpoint: + elastic_agent_endpoint: portgroups: - - {{ portgroups.fleet_api }} + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} strelka_frontend: portgroups: - {{ portgroups.strelka_frontend }} syslog: portgroups: - {{ portgroups.syslog }} - wazuh_agent: - portgroups: - - {{ portgroups.wazuh_agent }} - wazuh_api: - portgroups: - - {{ portgroups.wazuh_api }} - wazuh_authd: - portgroups: - - {{ portgroups.wazuh_authd }} analyst: portgroups: - {{ portgroups.nginx }} @@ -101,16 +86,12 @@ role: hostgroups: manager: portgroups: - - {{ portgroups.wazuh_agent }} - - {{ portgroups.wazuh_api }} - - {{ portgroups.wazuh_authd }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.minio }} - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} 
@@ -123,10 +104,7 @@ role: portgroups: - {{ portgroups.acng }} - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - {{ portgroups.influxdb }} - - {{ portgroups.wazuh_api }} - - {{ portgroups.fleet_api }} - {{ portgroups.sensoroni }} {% if ISAIRGAP is sameas true %} - {{ portgroups.yum }} @@ -165,18 +143,6 @@ role: endgame: portgroups: - {{ portgroups.endgame }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api }} - wazuh_agent: - portgroups: - - {{ portgroups.wazuh_agent }} - wazuh_api: - portgroups: - - {{ portgroups.wazuh_api }} - wazuh_authd: - portgroups: - - {{ portgroups.wazuh_authd }} analyst: portgroups: - {{ portgroups.nginx }} @@ -200,16 +166,12 @@ role: hostgroups: manager: portgroups: - - {{ portgroups.wazuh_agent }} - - {{ portgroups.wazuh_api }} - - {{ portgroups.wazuh_authd }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.minio }} - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} @@ -219,10 +181,7 @@ role: portgroups: - {{ portgroups.acng }} - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - {{ portgroups.influxdb }} - - {{ portgroups.wazuh_api }} - - {{ portgroups.fleet_api }} - {{ portgroups.sensoroni }} - {{ portgroups.yum }} sensor: 
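Review bot: The `@@ -165,18 +143,6 @@` hunk removes the `osquery_endpoint` and `wazuh_*` hostgroups from this role but, unlike the equivalent hunks for the other roles in this file, adds no `elastic_agent_endpoint` hostgroup carrying `elastic_agent_control`/`elastic_agent_data`. If agents are expected to reach this role on 8220/5055 the firewall will have no allow rule for them; if they are not, the asymmetry deserves a comment so it is not "fixed" later. The role name for this block sits above the hunk, so I cannot confirm which node type it governs.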
@@ -251,24 +210,16 @@ role: elasticsearch_rest: portgroups: - {{ portgroups.elasticsearch_rest }} + elastic_agent_endpoint: + portgroups: + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} endgame: portgroups: - {{ portgroups.endgame }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api }} syslog: portgroups: - {{ portgroups.syslog }} - wazuh_agent: - portgroups: - - {{ portgroups.wazuh_agent }} - wazuh_api: - portgroups: - - {{ portgroups.wazuh_api }} - wazuh_authd: - portgroups: - - {{ portgroups.wazuh_authd }} analyst: portgroups: - {{ portgroups.nginx }} @@ -292,16 +243,12 @@ role: hostgroups: manager: portgroups: - - {{ portgroups.wazuh_agent }} - - {{ portgroups.wazuh_api }} - - {{ portgroups.wazuh_authd }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.minio }} - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} @@ -311,10 +258,7 @@ role: portgroups: - {{ portgroups.acng }} - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - {{ portgroups.influxdb }} - - {{ portgroups.wazuh_api }} - - {{ portgroups.fleet_api }} - {{ portgroups.sensoroni }} - {{ portgroups.yum }} sensor: 
@@ -343,27 +287,19 @@ role: elasticsearch_rest: portgroups: - {{ portgroups.elasticsearch_rest }} + elastic_agent_endpoint: + portgroups: + - {{ portgroups.elastic_agent_control }} + - {{ portgroups.elastic_agent_data }} endgame: portgroups: - {{ portgroups.endgame }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api }} strelka_frontend: portgroups: - {{ portgroups.strelka_frontend }} syslog: portgroups: - {{ portgroups.syslog }} - wazuh_agent: - portgroups: - - {{ portgroups.wazuh_agent }} - wazuh_api: - portgroups: - - {{ portgroups.wazuh_api }} - wazuh_authd: - portgroups: - - {{ portgroups.wazuh_authd }} analyst: portgroups: - {{ portgroups.nginx }} @@ -387,13 +323,11 @@ role: hostgroups: manager: portgroups: - - {{ portgroups.wazuh_agent }} - {{ portgroups.playbook }} - {{ portgroups.mysql }} - {{ portgroups.kibana }} - {{ portgroups.redis }} - {{ portgroups.influxdb }} - - {{ portgroups.fleet_api }} - {{ portgroups.cortex }} - {{ portgroups.elasticsearch_rest }} - {{ portgroups.elasticsearch_node }} @@ -403,9 +337,7 @@ role: portgroups: - {{ portgroups.acng }} - {{ portgroups.docker_registry }} - - {{ portgroups.osquery_8080 }} - {{ portgroups.influxdb }} - - {{ portgroups.wazuh_api }} - {{ portgroups.sensoroni }} sensor: portgroups: @@ -421,12 +353,6 @@ role: beats_endpoint: portgroups: - {{ portgroups.beats_5044 }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api }} - wazuh_agent: - portgroups: - - {{ portgroups.wazuh_agent }} analyst: portgroups: - {{ portgroups.nginx }} 
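Review bot: In the `@@ -421,12 +353,6 @@` hunk `osquery_endpoint` is removed without a replacement `elastic_agent_endpoint` hostgroup, while the `@@ -343,27 +287,19 @@` hunk at the start of this line adds one for its role. This role block does keep a `beats_endpoint` (5044) hostgroup, so it apparently accepts agent traffic; either add the 8220/5055 hostgroup or note why this role should not receive Elastic Agent connections. The role name is outside the hunk, so treat this as a question rather than a confirmed defect.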
@@ -531,39 +457,6 @@ role: localhost: portgroups: - {{ portgroups.all }} - fleet: - chain: - DOCKER-USER: - hostgroups: - self: - portgroups: - - {{ portgroups.redis }} - - {{ portgroups.mysql }} - - {{ portgroups.osquery_8080 }} - localhost: - portgroups: - - {{ portgroups.mysql }} - - {{ portgroups.osquery_8080 }} - analyst: - portgroups: - - {{ portgroups.fleet_webui }} - minion: - portgroups: - - {{ portgroups.fleet_api }} - osquery_endpoint: - portgroups: - - {{ portgroups.fleet_api}} - INPUT: - hostgroups: - anywhere: - portgroups: - - {{ portgroups.ssh }} - dockernet: - portgroups: - - {{ portgroups.all }} - localhost: - portgroups: - - {{ portgroups.all }} import: chain: DOCKER-USER: @@ -642,15 +535,6 @@ role: endgame: portgroups: - {{ portgroups.endgame }} - wazuh_agent: - portgroups: - - {{ portgroups.wazuh_agent }} - wazuh_api: - portgroups: - - {{ portgroups.wazuh_api }} - wazuh_authd: - portgroups: - - {{ portgroups.wazuh_authd }} INPUT: hostgroups: anywhere: diff --git a/salt/firewall/portgroups.yaml b/salt/firewall/portgroups.yaml index 1a183a178..a2780270d 100644 --- a/salt/firewall/portgroups.yaml +++ b/salt/firewall/portgroups.yaml @@ -48,15 +48,15 @@ firewall: elasticsearch_rest: tcp: - 9200 + elastic_agent_control: + tcp: + - 8220 + elastic_agent_data: + tcp: + - 5055 endgame: tcp: - 3765 - fleet_api: - tcp: - - 8090 - fleet_webui: - tcp: - - 443 influxdb: tcp: - 8086 @@ -73,9 +73,6 @@ firewall: tcp: - 80 - 443 - osquery_8080: - tcp: - - 8080 playbook: tcp: - 3200 @@ -101,17 +98,6 @@ firewall: - 514 udp: - 514 - wazuh_agent: - tcp: - - 1514 - udp: - - 1514 - wazuh_api: - tcp: - - 55000 - wazuh_authd: - tcp: - - 1515 yum: tcp: - 443 diff --git a/salt/fleet/event_enable-fleet.sls b/salt/fleet/event_enable-fleet.sls deleted file mode 100644 index 52a15269c..000000000 --- a/salt/fleet/event_enable-fleet.sls +++ /dev/null 
@@ -1,10 +0,0 @@ -{% set MAININT = salt['pillar.get']('host:mainint') %} -{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} - -so/fleet: - event.send: - - data: - action: 'enablefleet' - hostname: {{ grains.host }} - mainip: {{ MAINIP }} - role: {{ grains.role }} \ No newline at end of file diff --git a/salt/fleet/event_gen-packages.sls b/salt/fleet/event_gen-packages.sls deleted file mode 100644 index 7506763dd..000000000 --- a/salt/fleet/event_gen-packages.sls +++ /dev/null @@ -1,28 +0,0 @@ -{% set MANAGER = salt['grains.get']('master') %} -{% set ENROLLSECRET = salt['pillar.get']('secrets:fleet_enroll-secret') %} -{% set CURRENTPACKAGEVERSION = salt['pillar.get']('global:fleet_packages-version') %} -{% set VERSION = salt['pillar.get']('global:soversion') %} -{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{%- set FLEETNODE = salt['pillar.get']('global:fleet_node') -%} - -{% if CUSTOM_FLEET_HOSTNAME != None and CUSTOM_FLEET_HOSTNAME != '' %} - {% set HOSTNAME = CUSTOM_FLEET_HOSTNAME %} -{% elif FLEETNODE %} - {% set HOSTNAME = grains.host %} -{% else %} - {% set HOSTNAME = salt['pillar.get']('global:url_base') %} -{% endif %} - -so/fleet: - event.send: - - data: - action: 'genpackages' - package-hostname: {{ HOSTNAME }} - role: {{ grains.role }} - mainip: {{ grains.host }} - enroll-secret: {{ ENROLLSECRET }} - current-package-version: {{ CURRENTPACKAGEVERSION }} - manager: {{ MANAGER }} - version: {{ VERSION }} - imagerepo: {{ IMAGEREPO }} \ No newline at end of file diff --git a/salt/fleet/event_update-custom-hostname.sls b/salt/fleet/event_update-custom-hostname.sls deleted file mode 100644 index b404b2828..000000000 --- a/salt/fleet/event_update-custom-hostname.sls +++ /dev/null 
@@ -1,9 +0,0 @@ -{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %} - -so/fleet: - event.send: - - data: - action: 'update_custom_hostname' - custom_hostname: {{ CUSTOM_FLEET_HOSTNAME }} - role: {{ grains.role }} - \ No newline at end of file diff --git a/salt/fleet/event_update-enroll-secret.sls b/salt/fleet/event_update-enroll-secret.sls deleted file mode 100644 index 475c3e968..000000000 --- a/salt/fleet/event_update-enroll-secret.sls +++ /dev/null @@ -1,7 +0,0 @@ -{% set ENROLLSECRET = salt['cmd.shell']('docker exec so-fleet fleetctl get enroll-secret --json | jq -r ".spec.secrets[].secret"') %} - -so/fleet: - event.send: - - data: - action: 'update-enrollsecret' - enroll-secret: {{ ENROLLSECRET }} \ No newline at end of file diff --git a/salt/fleet/files/packs/osquery-config.conf b/salt/fleet/files/packs/osquery-config.conf deleted file mode 100644 index 04659f3de..000000000 --- a/salt/fleet/files/packs/osquery-config.conf +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -apiVersion: v1 -kind: config -spec: - agent_options: - config: - decorators: - always: - - SELECT codename FROM os_version; - - SELECT uuid AS live_query FROM system_info; - - SELECT address AS endpoint_ip1 FROM interface_addresses where address not - like '%:%' and address not like '127%' and address not like '169%' order by - interface desc limit 1; - - SELECT address AS endpoint_ip2 FROM interface_addresses where address not - like '%:%' and address not like '127%' and address not like '169%' order by - interface asc limit 1; - - SELECT hardware_serial FROM system_info; - - SELECT hostname AS hostname FROM system_info; - options: - decorations_top_level: true - disable_distributed: false - distributed_interval: 10 - distributed_plugin: tls - distributed_tls_max_attempts: 3 - distributed_tls_read_endpoint: /api/v1/osquery/distributed/read - distributed_tls_write_endpoint: /api/v1/osquery/distributed/write - enable_windows_events_publisher: true - enable_windows_events_subscriber: true - logger_plugin: tls - logger_tls_endpoint: /api/v1/osquery/log - logger_tls_period: 10 - pack_delimiter: _ - host_settings: - enable_software_inventory: false - server_settings: - enable_analytics: false \ No newline at end of file diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml deleted file mode 100644 index 4f1aa0348..000000000 --- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml +++ /dev/null 
@@ -1,706 +0,0 @@ ---- -apiVersion: v1 -kind: pack -spec: - name: mac-pack - queries: - - description: 'Query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/ - which can be used for persistence: (https://www.xorrior.com/emond-persistence/)' - interval: 3600 - name: emond - platform: darwin - query: emond - - description: 'Snapshot query to monitor files for changes inside of /etc/emon.d/ - or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)' - interval: 28800 - name: emond_snapshot - platform: darwin - query: emond_snapshot - snapshot: true - - description: Track time/action changes to files specified in configuration data. - interval: 300 - name: file_events - platform: darwin - query: file_events - removed: false - - description: The installed homebrew package database. - interval: 28800 - name: homebrew_packages_snapshot - platform: darwin - query: homebrew_packages_snapshot - snapshot: true - - description: List kernel extensions, their signing status, and their hashes (excluding - extensions signed by Apple) - interval: 3600 - name: macosx_kextstat - platform: darwin - query: macosx_kextstat - - description: Checks the MD5 hash of /etc/rc.common and records the results if - the hash differs from the default value. /etc/rc.common can be used for persistence. - interval: 3600 - name: rc.common - platform: darwin - query: rc.common - - description: Returns information about installed event taps. Can be used to detect - keyloggers - interval: 300 - name: event_taps - platform: darwin - query: event_taps - - description: LaunchAgents and LaunchDaemons from default search paths. 
- interval: 3600 - name: launchd - platform: darwin - query: launchd - - description: Snapshot query for launchd - interval: 28800 - name: launchd_snapshot - platform: darwin - query: launchd_snapshot - snapshot: true - - description: Detect the presence of the LD_PRELOAD environment variable - interval: 60 - name: ld_preload - platform: darwin - query: ld_preload - removed: false - - description: USB devices that are actively plugged into the host system. - interval: 300 - name: usb_devices - platform: darwin - query: usb_devices - - description: System mounted devices and filesystems (not process specific). - interval: 3600 - name: mounts - platform: darwin - query: mounts - removed: false - - description: Apple NVRAM variable listing. - interval: 3600 - name: nvram - platform: darwin - query: nvram - removed: false - - description: Line parsed values from system and user cron/tab. - interval: 3600 - name: crontab - platform: darwin - query: crontab - - description: Hardware (PCI/USB/HID) events from UDEV or IOKit. - interval: 300 - name: hardware_events - platform: darwin - query: hardware_events - removed: false - - description: The installed homebrew package database. - interval: 3600 - name: homebrew_packages - platform: darwin - query: homebrew_packages - - description: OS X applications installed in known search paths (e.g., /Applications). - interval: 3600 - name: installed_applications - platform: darwin - query: installed_applications - - description: System logins and logouts. - interval: 3600 - name: last - platform: darwin - query: last - removed: false - - description: Snapshot query for macosx_kextstat - interval: 28800 - name: macosx_kextstat_snapshot - platform: darwin - query: macosx_kextstat_snapshot - snapshot: true - - description: Checks the MD5 hash of /etc/rc.common and records the results if - the hash differs from the default value. /etc/rc.common can be used for persistence. 
- interval: 28800 - name: rc.common_snapshot - platform: darwin - query: rc.common_snapshot - snapshot: true - - description: Safari browser extension details for all users. - interval: 3600 - name: safari_extensions - platform: darwin - query: safari_extensions - - description: suid binaries in common locations. - interval: 28800 - name: suid_bin - platform: darwin - query: suid_bin - removed: false - - description: Local system users. - interval: 28800 - name: users - platform: darwin - query: users - - description: List authorized_keys for each user on the system - interval: 28800 - name: authorized_keys - platform: darwin - query: authorized_keys - - description: Application, System, and Mobile App crash logs. - interval: 3600 - name: crashes - platform: darwin - query: crashes - removed: false - - description: Displays the percentage of free space available on the primary disk - partition - interval: 3600 - name: disk_free_space_pct - platform: darwin - query: disk_free_space_pct - snapshot: true - - description: Retrieve the interface name, IP address, and MAC address for all - interfaces on the host. - interval: 600 - name: network_interfaces_snapshot - platform: darwin - query: network_interfaces_snapshot - snapshot: true - - description: Information about EFI/UEFI/ROM and platform/boot. 
- interval: 28800 - name: platform_info - platform: darwin - query: platform_info - removed: false - - description: System uptime - interval: 1800 - name: uptime - platform: darwin - query: uptime - snapshot: true - - description: MD5 hash of boot.efi - interval: 28800 - name: boot_efi_hash - platform: darwin - query: boot_efi_hash - - description: Snapshot query for Chrome extensions - interval: 28800 - name: chrome_extensions_snapshot - platform: darwin - query: chrome_extensions_snapshot - - description: Snapshot query for installed_applications - interval: 28800 - name: installed_applications_snapshot - platform: darwin - query: installed_applications_snapshot - snapshot: true - - description: NFS shares exported by the host. - interval: 3600 - name: nfs_shares - platform: darwin - query: nfs_shares - removed: false - - description: List the version of the resident operating system - interval: 28800 - name: os_version - platform: darwin - query: os_version - - description: Applications and binaries set as user/login startup items. - interval: 3600 - name: startup_items - platform: darwin - query: startup_items - - description: All C/NPAPI browser plugin details for all users. - interval: 3600 - name: browser_plugins - platform: darwin - query: browser_plugins - - description: List installed Firefox addons for all users - interval: 3600 - name: firefox_addons - platform: darwin - query: firefox_addons - - description: Discover hosts that have IP forwarding enabled - interval: 28800 - name: ip_forwarding_enabled - platform: darwin - query: ip_forwarding_enabled - removed: false - - description: Platform info snapshot query - interval: 28800 - name: platform_info_snapshot - platform: darwin - query: platform_info_snapshot - - description: Python packages installed in a system. 
- interval: 3600 - name: python_packages - platform: darwin - query: python_packages - - description: List installed Chrome Extensions for all users - interval: 3600 - name: chrome_extensions - platform: darwin - query: chrome_extensions - - description: Disk encryption status and information. - interval: 3600 - name: disk_encryption_snapshot - platform: darwin - query: disk_encryption_snapshot - snapshot: true - - description: Local system users. - interval: 28800 - name: users_snapshot - platform: darwin - query: users_snapshot - - description: OS X known/remembered Wi-Fi networks list. - interval: 28800 - name: wireless_networks - platform: darwin - query: wireless_networks - removed: false - - description: Determine if the host is running the expected EFI firmware version - given their Mac hardware and OS build version (https://github.com/duo-labs/EFIgy) - interval: 28800 - name: efigy - platform: darwin - query: efigy - snapshot: true - - description: List the contents of /etc/hosts - interval: 28800 - name: etc_hosts - platform: darwin - query: etc_hosts - - description: Operating system version snapshot query - interval: 28800 - name: os_version_snapshot - platform: darwin - query: os_version_snapshot - snapshot: true - - description: Information about the resident osquery process - interval: 28800 - name: osquery_info - platform: darwin - query: osquery_info - snapshot: true - - description: Apple's System Integrity Protection (rootless) status. - interval: 3600 - name: sip_config - platform: darwin - query: sip_config - - description: Shows information about the wifi network that a host is currently connected to. - interval: 28800 - name: wifi_status_snapshot - platform: darwin - query: wifi_status_snapshot - snapshot: true - - description: Returns the private keys in the users ~/.ssh directory and whether - or not they are encrypted. 
- interval: 3600 - name: user_ssh_keys - platform: darwin - query: user_ssh_keys - removed: false - targets: - labels: - - macOS ---- -apiVersion: v1 -kind: query -spec: - description: 'Query to monitor files for changes inside of /etc/emon.d/ or /private/var/db/emondClients/ - which can be used for persistence: (https://www.xorrior.com/emond-persistence/)' - name: emond - query: SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%' - AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6' - AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5' - AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND - sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND - sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND - sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND - sha256!='') OR (path LIKE '/private/var/db/emondClients/%'); ---- -apiVersion: v1 -kind: query -spec: - description: 'Snapshot query to monitor files for changes inside of /etc/emon.d/ - or /private/var/db/emondClients/ which can be used for persistence: (https://www.xorrior.com/emond-persistence/)' - name: emond_snapshot - query: SELECT * FROM file JOIN hash USING (path) WHERE (path LIKE '/etc/emond.d/%%' - AND sha256!='f19f881084f599fa261243918d922373eab14623e78d23c41fcc031aa21ca7b6' - AND sha256!='20909c75c14c9f5360a48c889d06a0d6cfbfa28080348940fc077761744f2aa5' - AND sha256!='36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068'AND - sha256!='2aafb4238cbdd40c66591c01798da942f62c7f06bb84c9328a40581fc22c4af8'AND - sha256!='590192452963fdddc1990cd42c3bf77b3532b3e4a2c13e14e42c0d6a4c881ac4'AND - sha256!='69f416293592c0a96733498788b79d6516ed1ad5327ac7cafd6d12e8b231519f'AND - sha256!='') OR (path LIKE '/private/var/db/emondClients/%'); ---- -apiVersion: v1 -kind: query -spec: - description: Track time/action changes to files 
specified in configuration data. - name: file_events - query: SELECT * FROM file_events; ---- -apiVersion: v1 -kind: query -spec: - description: The installed homebrew package database. - name: homebrew_packages_snapshot - query: SELECT name, version FROM homebrew_packages; ---- -apiVersion: v1 -kind: query -spec: - description: List kernel extensions, their signing status, and their hashes (excluding - extensions signed by Apple) - name: macosx_kextstat - query: SELECT kernel_extensions.idx, kernel_extensions.refs, kernel_extensions.size, - kernel_extensions.name, kernel_extensions.version, kernel_extensions.linked_against, - kernel_extensions.path, signature.signed, signature.identifier, signature.cdhash, - signature.team_identifier, signature.authority, hash.md5 FROM hash JOIN kernel_extensions - ON hash.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature - ON signature.path LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE - signature.authority!='Software Signing'; ---- -apiVersion: v1 -kind: query -spec: - description: Checks the MD5 hash of /etc/rc.common and records the results if the - hash differs from the default value. /etc/rc.common can be used for persistence. - name: rc.common - query: SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9' - and md5!=''; ---- -apiVersion: v1 -kind: query -spec: - description: Returns information about installed event taps. 
Can be used to detect - keyloggers - name: event_taps - query: SELECT * FROM event_taps INNER JOIN processes ON event_taps.tapping_process = processes.pid - WHERE event_tapped NOT LIKE '%mouse%' AND processes.path NOT IN ('/usr/libexec/airportd', - '/usr/sbin/universalaccessd') AND processes.path NOT LIKE '/System/Library/%' AND processes.path - NOT LIKE '%/steamapps/%' AND processes.path NOT LIKE '%.app%' AND event_taps.enabled=1; ---- -apiVersion: v1 -kind: query -spec: - description: LaunchAgents and LaunchDaemons from default search paths. - name: launchd - query: SELECT * FROM launchd; ---- -apiVersion: v1 -kind: query -spec: - description: Snapshot query for launchd - name: launchd_snapshot - query: SELECT path, name, label, program, run_at_load, program_arguments FROM launchd - WHERE run_at_load=1; ---- -apiVersion: v1 -kind: query -spec: - description: Detect the presence of the LD_PRELOAD environment variable - name: ld_preload - query: SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, - processes.path, processes.cmdline, processes.cwd FROM process_envs join processes - USING (pid) WHERE key = 'LD_PRELOAD'; ---- -apiVersion: v1 -kind: query -spec: - description: USB devices that are actively plugged into the host system. - name: usb_devices - query: SELECT * FROM usb_devices; ---- -apiVersion: v1 -kind: query -spec: - description: System mounted devices and filesystems (not process specific). - name: mounts - query: SELECT device, device_alias, path, type, blocks_size FROM mounts; ---- -apiVersion: v1 -kind: query -spec: - description: Apple NVRAM variable listing. - name: nvram - query: SELECT * FROM nvram; ---- -apiVersion: v1 -kind: query -spec: - description: Line parsed values from system and user cron/tab. - name: crontab - query: SELECT * FROM crontab; ---- -apiVersion: v1 -kind: query -spec: - description: Hardware (PCI/USB/HID) events from UDEV or IOKit. 
- name: hardware_events - query: SELECT * FROM hardware_events; ---- -apiVersion: v1 -kind: query -spec: - description: The installed homebrew package database. - name: homebrew_packages - query: SELECT * FROM homebrew_packages; ---- -apiVersion: v1 -kind: query -spec: - description: OS X applications installed in known search paths (e.g., /Applications). - name: installed_applications - query: SELECT * FROM apps; ---- -apiVersion: v1 -kind: query -spec: - description: System logins and logouts. - name: last - query: SELECT * FROM last; ---- -apiVersion: v1 -kind: query -spec: - description: Shows information about the wifi network that a host is currently connected to. - name: wifi_status_snapshot - query: SELECT * FROM wifi_status; ---- -apiVersion: v1 -kind: query -spec: - description: Snapshot query for macosx_kextstat - name: macosx_kextstat_snapshot - query: SELECT kernel_extensions.name, kernel_extensions.version, kernel_extensions.path, - signature.signed, signature.identifier, signature.cdhash, signature.team_identifier, - signature.authority, hash.md5 FROM hash JOIN kernel_extensions ON hash.path LIKE - printf('%s/Contents/MacOS/%', kernel_extensions.path) JOIN signature ON signature.path - LIKE printf('%s/Contents/MacOS/%', kernel_extensions.path) WHERE signature.authority!='Software - Signing'; ---- -apiVersion: v1 -kind: query -spec: - description: Checks the MD5 hash of /etc/rc.common and records the results if the - hash differs from the default value. /etc/rc.common can be used for persistence. - name: rc.common_snapshot - query: SELECT * FROM hash WHERE path='/etc/rc.common' AND md5!='28ce428faefe6168618867f3ff5527f9' - and md5!=''; ---- -apiVersion: v1 -kind: query -spec: - description: Safari browser extension details for all users. - name: safari_extensions - query: SELECT * FROM users CROSS JOIN safari_extensions USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: suid binaries in common locations. 
- name: suid_bin - query: SELECT * FROM suid_bin; ---- -apiVersion: v1 -kind: query -spec: - description: Local system users. - name: users - query: SELECT * FROM users; ---- -apiVersion: v1 -kind: query -spec: - description: List authorized_keys for each user on the system - name: authorized_keys - query: SELECT * FROM users CROSS JOIN authorized_keys USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: Application, System, and Mobile App crash logs. - name: crashes - query: SELECT uid, datetime, responsible, exception_type, identifier, version, crash_path - FROM users CROSS JOIN crashes USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: Displays the percentage of free space available on the primary disk - partition - name: disk_free_space_pct - query: SELECT (blocks_available * 100 / blocks) AS pct FROM mounts WHERE device='/dev/disk1s1'; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieve the interface name, IP address, and MAC address for all interfaces - on the host. - name: network_interfaces_snapshot - query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details - d USING (interface); ---- -apiVersion: v1 -kind: query -spec: - description: Information about EFI/UEFI/ROM and platform/boot. 
- name: platform_info - query: SELECT * FROM platform_info; ---- -apiVersion: v1 -kind: query -spec: - description: System uptime - name: uptime - query: SELECT * FROM uptime; ---- -apiVersion: v1 -kind: query -spec: - description: MD5 hash of boot.efi - name: boot_efi_hash - query: SELECT path, md5 FROM hash WHERE path='/System/Library/CoreServices/boot.efi'; ---- -apiVersion: v1 -kind: query -spec: - description: Snapshot query for Chrome extensions - name: chrome_extensions_snapshot - query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: Snapshot query for installed_applications - name: installed_applications_snapshot - query: SELECT name, path, bundle_short_version, bundle_version, display_name FROM - apps; ---- -apiVersion: v1 -kind: query -spec: - description: NFS shares exported by the host. - name: nfs_shares - query: SELECT * FROM nfs_shares; ---- -apiVersion: v1 -kind: query -spec: - description: List the version of the resident operating system - name: os_version - query: SELECT * FROM os_version; ---- -apiVersion: v1 -kind: query -spec: - description: Applications and binaries set as user/login startup items. - name: startup_items - query: SELECT * FROM startup_items; ---- -apiVersion: v1 -kind: query -spec: - description: All C/NPAPI browser plugin details for all users. 
- name: browser_plugins - query: SELECT * FROM users CROSS JOIN browser_plugins USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: List installed Firefox addons for all users - name: firefox_addons - query: SELECT * FROM users CROSS JOIN firefox_addons USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: Discover hosts that have IP forwarding enabled - name: ip_forwarding_enabled - query: SELECT * FROM system_controls WHERE name LIKE '%forwarding%' AND name LIKE - '%ip%' AND current_value=1; ---- -apiVersion: v1 -kind: query -spec: - description: Platform info snapshot query - name: platform_info_snapshot - query: SELECT vendor, version, date, revision from platform_info; ---- -apiVersion: v1 -kind: query -spec: - description: Python packages installed in a system. - name: python_packages - query: SELECT * FROM python_packages; ---- -apiVersion: v1 -kind: query -spec: - description: List installed Chrome Extensions for all users - name: chrome_extensions - query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: Disk encryption status and information. - name: disk_encryption_snapshot - query: SELECT * FROM disk_encryption; ---- -apiVersion: v1 -kind: query -spec: - description: Local system users. - name: users_snapshot - query: SELECT * FROM users; ---- -apiVersion: v1 -kind: query -spec: - description: OS X known/remembered Wi-Fi networks list. 
- name: wireless_networks - query: SELECT ssid, network_name, security_type, last_connected, captive_portal, - possibly_hidden, roaming, roaming_profile FROM wifi_networks; ---- -apiVersion: v1 -kind: query -spec: - description: Determine if the host is running the expected EFI firmware version - given their Mac hardware and OS build version (https://github.com/duo-labs/EFIgy) - name: efigy - query: SELECT * FROM efigy; ---- -apiVersion: v1 -kind: query -spec: - description: List the contents of /etc/hosts - name: etc_hosts - query: SELECT * FROM etc_hosts; ---- -apiVersion: v1 -kind: query -spec: - description: Operating system version snapshot query - name: os_version_snapshot - query: SELECT * FROM os_version; ---- -apiVersion: v1 -kind: query -spec: - description: Information about the resident osquery process - name: osquery_info - query: SELECT * FROM osquery_info; ---- -apiVersion: v1 -kind: query -spec: - description: Apple's System Integrity Protection (rootless) status. - name: sip_config - query: SELECT * FROM sip_config; ---- -apiVersion: v1 -kind: query -spec: - description: Returns the private keys in the users ~/.ssh directory and whether - or not they are encrypted. - name: user_ssh_keys - query: SELECT * FROM users CROSS JOIN user_ssh_keys USING (uid); diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/Windows/osquery.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/Windows/osquery.yaml deleted file mode 100644 index 3aa9da280..000000000 --- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/Windows/osquery.yaml +++ /dev/null 
@@ -1,538 +0,0 @@ ---- -apiVersion: v1 -kind: pack -spec: - name: windows-pack - queries: - - description: System info snapshot query - interval: 28800 - name: system_info_snapshot - platform: windows - query: system_info_snapshot - snapshot: true - - description: List in-use Windows drivers - interval: 3600 - name: drivers - platform: windows - query: drivers - - description: Displays shared resources on a computer system running Windows. This - may be a disk drive, printer, interprocess communication, or other sharable - device. - interval: 3600 - name: shared_resources - platform: windows - query: shared_resources - - description: Lists all the patches applied - interval: 3600 - name: patches - platform: windows - query: patches - removed: false - - description: Pipes snapshot query - interval: 28800 - name: pipes_snapshot - platform: windows - query: pipes_snapshot - snapshot: true - - description: Programs snapshot query - interval: 28800 - name: programs_snapshot - platform: windows - query: programs_snapshot - snapshot: true - - description: Services snapshot query - interval: 28800 - name: services_snapshot - platform: windows - query: services_snapshot - snapshot: true - - description: WMI CommandLineEventConsumer, which can be used for persistence on - Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf - for more details. - interval: 3600 - name: wmi_cli_event_consumers - platform: windows - query: wmi_cli_event_consumers - - description: Lists the relationship between event consumers and filters. 
- interval: 3600 - name: wmi_filter_consumer_binding - platform: windows - query: wmi_filter_consumer_binding - - description: Snapshot query for Chrome extensions - interval: 3600 - name: chrome_extensions_snapshot - platform: windows - query: chrome_extensions_snapshot - - description: Retrieve the interface name, IP address, and MAC address for all - interfaces on the host. - interval: 600 - name: network_interfaces_snapshot - platform: windows - query: network_interfaces_snapshot - snapshot: true - - description: Local system users. - interval: 3600 - name: users - platform: windows - query: users - - description: Snapshot query for WMI event consumers. - interval: 28800 - name: wmi_cli_event_consumers_snapshot - platform: windows - query: wmi_cli_event_consumers_snapshot - snapshot: true - - description: List all certificates in the trust store - interval: 3600 - name: certificates - platform: windows - query: certificates - removed: false - - description: Drivers snapshot query - interval: 28800 - name: drivers_snapshot - platform: windows - query: drivers_snapshot - snapshot: true - - description: Lists WMI event filters. - interval: 3600 - name: wmi_event_filters - platform: windows - query: wmi_event_filters - - description: List installed Internet Explorer extensions - interval: 3600 - name: ie_extensions - platform: windows - query: ie_extensions - - description: List the kernel path, version, etc. - interval: 3600 - name: kernel_info - platform: windows - query: kernel_info - - description: List the version of the resident operating system - interval: 3600 - name: os_version - platform: windows - query: os_version - - description: Patches snapshot query - interval: 28800 - name: patches_snapshot - platform: windows - query: patches_snapshot - snapshot: true - - description: Named and Anonymous pipes. 
- interval: 3600 - name: pipes - platform: windows - query: pipes - removed: false - - description: Lists installed programs - interval: 0 - name: programs - platform: windows - query: programs - - description: List all certificates in the trust store (snapshot query) - interval: 0 - name: certificates_snapshot - platform: windows - query: certificates_snapshot - snapshot: true - - description: List the contents of the Windows hosts file - interval: 3600 - name: etc_hosts - platform: windows - query: etc_hosts - - description: Lists all of the tasks in the Windows task scheduler - interval: 3600 - name: scheduled_tasks - platform: windows - query: scheduled_tasks - - description: Extracted information from Windows crash logs (Minidumps). - interval: 3600 - name: windows_crashes - platform: windows - query: windows_crashes - removed: false - - description: System uptime - interval: 3600 - name: uptime - platform: windows - query: uptime - snapshot: true - - description: Snapshot query for WMI script event consumers. 
- interval: 3600 - name: wmi_script_event_consumers - platform: windows - query: wmi_script_event_consumers - snapshot: true - - description: List installed Chocolatey packages - interval: 3600 - name: chocolatey_packages - platform: windows - query: chocolatey_packages - - description: Shared resources snapshot query - interval: 28800 - name: shared_resources_snapshot - platform: windows - query: shared_resources_snapshot - snapshot: true - - description: Lists all installed services configured to start automatically at - boot - interval: 3600 - name: services - platform: windows - query: services - - description: Users snapshot query - interval: 28800 - name: users_snapshot - platform: windows - query: users_snapshot - snapshot: true - - description: List installed Chrome Extensions for all users - interval: 3600 - name: chrome_extensions - platform: windows - query: chrome_extensions - - description: Operating system version snapshot query - interval: 28800 - name: os_version_snapshot - platform: windows - query: os_version_snapshot - snapshot: true - - description: System information for identification. - interval: 3600 - name: system_info - platform: windows - query: system_info - - description: Snapshot query for WMI event filters. - interval: 28800 - name: wmi_event_filters_snapshot - platform: windows - query: wmi_event_filters_snapshot - snapshot: true - - description: Snapshot query for WMI filter consumer bindings. 
- interval: 28800 - name: wmi_filter_consumer_binding_snapshot - platform: windows - query: wmi_filter_consumer_binding_snapshot - snapshot: true - - description: Information about the resident osquery process - interval: 28800 - name: osquery_info - platform: windows - query: osquery_info - snapshot: true - - description: Scheduled Tasks snapshot query - interval: 28800 - name: scheduled_tasks_snapshot - platform: windows - query: scheduled_tasks_snapshot - snapshot: true - - description: Appcompat shims (.sdb files) installed on Windows hosts. - interval: 3600 - name: appcompat_shims - platform: windows - query: appcompat_shims - - description: Disk encryption status and information snapshot query. - interval: 28800 - name: bitlocker_info_snapshot - platform: windows - query: bitlocker_info_snapshot - snapshot: true - targets: - labels: - - MS Windows ---- -apiVersion: v1 -kind: query -spec: - description: Appcompat shims (.sdb files) installed on Windows hosts. - name: appcompat_shims - query: SELECT * FROM appcompat_shims WHERE description!='EMET_Database' AND - executable NOT IN ('setuphost.exe','setupprep.exe','iisexpress.exe'); ---- -apiVersion: v1 -kind: query -spec: - description: Disk encryption status and information snapshot query. - name: bitlocker_info_snapshot - query: SELECT * FROM bitlocker_info; ---- -apiVersion: v1 -kind: query -spec: - description: System info snapshot query - name: system_info_snapshot - query: SELECT * FROM system_info; ---- -apiVersion: v1 -kind: query -spec: - description: List in-use Windows drivers - name: drivers - query: SELECT * FROM drivers; ---- -apiVersion: v1 -kind: query -spec: - description: Displays shared resources on a computer system running Windows. This - may be a disk drive, printer, interprocess communication, or other sharable device. 
- name: shared_resources - query: SELECT * FROM shared_resources; ---- -apiVersion: v1 -kind: query -spec: - description: Lists all the patches applied - name: patches - query: SELECT * FROM patches; ---- -apiVersion: v1 -kind: query -spec: - description: Pipes snapshot query - name: pipes_snapshot - query: SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk, - pipes.name, pid FROM pipes JOIN processes USING (pid); ---- -apiVersion: v1 -kind: query -spec: - description: Programs snapshot query - name: programs_snapshot - query: SELECT * FROM programs; ---- -apiVersion: v1 -kind: query -spec: - description: Services snapshot query - name: services_snapshot - query: SELECT * FROM services; ---- -apiVersion: v1 -kind: query -spec: - description: WMI CommandLineEventConsumer, which can be used for persistence on - Windows. See https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf - for more details. - name: wmi_cli_event_consumers - query: SELECT * FROM wmi_cli_event_consumers; ---- -apiVersion: v1 -kind: query -spec: - description: Lists the relationship between event consumers and filters. - name: wmi_filter_consumer_binding - query: SELECT * FROM wmi_filter_consumer_binding; ---- -apiVersion: v1 -kind: query -spec: - description: Snapshot query for Chrome extensions - name: chrome_extensions_snapshot - query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: Retrieve the interface name, IP address, and MAC address for all interfaces - on the host. - name: network_interfaces_snapshot - query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details - d USING (interface); ---- -apiVersion: v1 -kind: query -spec: - description: Local system users. 
- name: users - query: SELECT * FROM users; ---- -apiVersion: v1 -kind: query -spec: - description: Snapshot query for WMI event consumers. - name: wmi_cli_event_consumers_snapshot - query: SELECT * FROM wmi_cli_event_consumers; ---- -apiVersion: v1 -kind: query -spec: - description: List all certificates in the trust store - name: certificates - query: SELECT * FROM certificates WHERE path != 'Other People'; ---- -apiVersion: v1 -kind: query -spec: - description: Drivers snapshot query - name: drivers_snapshot - query: SELECT * FROM drivers; ---- -apiVersion: v1 -kind: query -spec: - description: Lists WMI event filters. - name: wmi_event_filters - query: SELECT * FROM wmi_event_filters; ---- -apiVersion: v1 -kind: query -spec: - description: List installed Internet Explorer extensions - name: ie_extensions - query: SELECT * FROM ie_extensions; ---- -apiVersion: v1 -kind: query -spec: - description: List the kernel path, version, etc. - name: kernel_info - query: SELECT * FROM kernel_info; ---- -apiVersion: v1 -kind: query -spec: - description: List the version of the resident operating system - name: os_version - query: SELECT * FROM os_version; ---- -apiVersion: v1 -kind: query -spec: - description: Patches snapshot query - name: patches_snapshot - query: SELECT * FROM patches; ---- -apiVersion: v1 -kind: query -spec: - description: Named and Anonymous pipes. 
- name: pipes
- query: SELECT processes.path, processes.cmdline, processes.uid, processes.on_disk,
- pipes.name, pid FROM pipes JOIN processes USING (pid);
----
-apiVersion: v1
-kind: query
-spec:
- description: Lists installed programs
- name: programs
- query: SELECT * FROM programs;
----
-apiVersion: v1
-kind: query
-spec:
- description: List all certificates in the trust store (snapshot query)
- name: certificates_snapshot
- query: SELECT * FROM certificates WHERE path != 'Other People';
----
-apiVersion: v1
-kind: query
-spec:
- description: List the contents of the Windows hosts file
- name: etc_hosts
- query: SELECT * FROM etc_hosts;
----
-apiVersion: v1
-kind: query
-spec:
- description: Lists all of the tasks in the Windows task scheduler
- name: scheduled_tasks
- query: SELECT * FROM scheduled_tasks;
----
-apiVersion: v1
-kind: query
-spec:
- description: Extracted information from Windows crash logs (Minidumps).
- name: windows_crashes
- query: SELECT * FROM windows_crashes;
----
-apiVersion: v1
-kind: query
-spec:
- description: System uptime
- name: uptime
- query: SELECT * FROM uptime;
----
-apiVersion: v1
-kind: query
-spec:
- description: Snapshot query for WMI script event consumers.
- name: wmi_script_event_consumers
- query: SELECT * FROM wmi_script_event_consumers;
----
-apiVersion: v1
-kind: query
-spec:
- description: List installed Chocolatey packages
- name: chocolatey_packages
- query: SELECT * FROM chocolatey_packages;
----
-apiVersion: v1
-kind: query
-spec:
- description: Shared resources snapshot query
- name: shared_resources_snapshot
- query: SELECT * FROM shared_resources;
----
-apiVersion: v1
-kind: query
-spec:
- description: Lists all installed services configured to start automatically at boot
- name: services
- query: SELECT * FROM services WHERE start_type='DEMAND_START' OR start_type='AUTO_START';
----
-apiVersion: v1
-kind: query
-spec:
- description: Users snapshot query
- name: users_snapshot
- query: SELECT * FROM users;
----
-apiVersion: v1
-kind: query
-spec:
- description: List installed Chrome Extensions for all users
- name: chrome_extensions
- query: SELECT * FROM users CROSS JOIN chrome_extensions USING (uid);
----
-apiVersion: v1
-kind: query
-spec:
- description: Operating system version snapshot query
- name: os_version_snapshot
- query: SELECT * FROM os_version;
----
-apiVersion: v1
-kind: query
-spec:
- description: System information for identification.
- name: system_info
- query: SELECT * FROM system_info;
----
-apiVersion: v1
-kind: query
-spec:
- description: Snapshot query for WMI event filters.
- name: wmi_event_filters_snapshot
- query: SELECT * FROM wmi_event_filters;
----
-apiVersion: v1
-kind: query
-spec:
- description: Snapshot query for WMI filter consumer bindings.
- name: wmi_filter_consumer_binding_snapshot
- query: SELECT * FROM wmi_filter_consumer_binding;
----
-apiVersion: v1
-kind: query
-spec:
- description: Information about the resident osquery process
- name: osquery_info
- query: SELECT * FROM osquery_info;
----
-apiVersion: v1
-kind: query
-spec:
- description: Scheduled Tasks snapshot query
- name: scheduled_tasks_snapshot
- query: SELECT * FROM scheduled_tasks;
diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/options.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/options.yaml
deleted file mode 100644
index f2bb85d8c..000000000
--- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/options.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-apiVersion: v1
-kind: options
-spec:
- config:
- decorators:
- load:
- - SELECT uuid AS host_uuid FROM system_info;
- - SELECT hostname AS hostname FROM system_info;
- file_paths:
- binaries:
- - /usr/bin/%%
- - /usr/sbin/%%
- - /bin/%%
- - /sbin/%%
- - /usr/local/bin/%%
- - /usr/local/sbin/%%
- - /opt/bin/%%
- - /opt/sbin/%%
- configuration:
- - /etc/%%
- efi:
- - /System/Library/CoreServices/boot.efi
- options:
- disable_distributed: false
- disable_tables: windows_events
- distributed_interval: 10
- distributed_plugin: tls
- distributed_tls_max_attempts: 3
- distributed_tls_read_endpoint: /api/v1/osquery/distributed/read
- distributed_tls_write_endpoint: /api/v1/osquery/distributed/write
- logger_plugin: tls
- logger_snapshot_event_type: true
- logger_tls_endpoint: /api/v1/osquery/log
- logger_tls_period: 10
- pack_delimiter: /
- schedule_splay_percent: 10
- overrides: {}
diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/performance-metrics.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/performance-metrics.yaml
deleted file mode 100644
index e8116bbb1..000000000
--- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/performance-metrics.yaml
+++ /dev/null
@@ -1,71 +0,0 @@
----
-apiVersion: v1
-kind: pack
-spec:
- name: performance-metrics
- queries:
- - description: Records the CPU time and memory usage for each individual query.
- Helpful for identifying queries that may impact performance.
- interval: 1800
- name: per_query_perf
- query: per_query_perf
- snapshot: true
- - description: Track the amount of CPU time used by osquery.
- interval: 1800
- name: runtime_perf
- query: runtime_perf
- snapshot: true
- - description: Track the percentage of total CPU time utilized by $endpoint_security_tool
- interval: 1800
- name: endpoint_security_tool_perf
- query: endpoint_security_tool_perf
- snapshot: true
- - description: Track the percentage of total CPU time utilized by $backup_tool
- interval: 1800
- name: backup_tool_perf
- query: backup_tool_perf
- snapshot: true
- targets:
- labels:
- - MS Windows
- - macOS
----
-apiVersion: v1
-kind: query
-spec:
- description: Records the CPU time and memory usage for each individual query. Helpful
- for identifying queries that may impact performance.
- name: per_query_perf
- query: SELECT name, interval, executions, output_size, wall_time, (user_time/executions)
- AS avg_user_time, (system_time/executions) AS avg_system_time, average_memory
- FROM osquery_schedule;
----
-apiVersion: v1
-kind: query
-spec:
- description: Track the amount of CPU time used by osquery.
- name: runtime_perf
- query: SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename
- AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes
- AS counter, db.db_size_mb AS database_size FROM osquery_info i, os_version ov,
- processes p, time, (SELECT (sum(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT
- value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE
- path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid;
----
-apiVersion: v1
-kind: query
-spec:
- description: Track the percentage of total CPU time utilized by $endpoint_security_tool
- name: endpoint_security_tool_perf
- query: SELECT ((tool_time*100)/(SUM(system_time) + SUM(user_time))) AS pct FROM
- processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time)) AS tool_time
- FROM processes WHERE name='endpoint_security_tool');
----
-apiVersion: v1
-kind: query
-spec:
- description: Track the percentage of total CPU time utilized by $backup_tool
- name: backup_tool_perf
- query: SELECT ((backuptool_time*100)/(SUM(system_time) + SUM(user_time))) AS pct
- FROM processes, (SELECT (SUM(processes.system_time)+SUM(processes.user_time))
- AS backuptool_time FROM processes WHERE name='backup_tool');
diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/security-tooling-checks.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/security-tooling-checks.yaml
deleted file mode 100644
index 79172d46a..000000000
--- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/security-tooling-checks.yaml
+++ /dev/null
@@ -1,61 +0,0 @@
----
-apiVersion: v1
-kind: pack
-spec:
- name: security-tooling-checks
- queries:
- - description: Returns an event if a EndpointSecurityTool process is not found running
- from /Applications/EndpointSecurityTool' (OSX) or 'c:\endpointsecuritytool.exe'
- (Windows)
- interval: 28800
- name: endpoint_security_tool_not_running
- platform: windows,darwin
- query: endpoint_security_tool_not_running
- snapshot: true
- - description: "Returns an event if a BackupTool process is not found running from
- '/Applications/BackupTool' (OSX) or 'c:\backuptool.exe' (Windows)"
- interval: 28800
- name: backup_tool_not_running
- platform: windows,darwin
- query: backup_tool_not_running
- snapshot: true
- - description: Returns the content of the key if the backend server does not match
- the expected value
- interval: 3600
- name: endpoint_security_tool_backend_server_registry_misconfigured
- platform: windows
- query: endpoint_security_tool_backend_server_registry_misconfigured
- targets:
- labels:
- - MS Windows
- - macOS
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns an event if a EndpointSecurityTool process is not found running
- from /Applications/EndpointSecurityTool' (OSX) or 'c:\endpointsecuritytool.exe'
- (Windows)
- name: endpoint_security_tool_not_running
- query: SELECT IFNULL(process_count,0) as process_exists FROM (SELECT count(*) as
- process_count from processes where path='/Applications/EndpointSecurityTool' OR
- lower(path)='c:\endpointsecuritytool.exe') where process_exists!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: "Returns an event if a BackupTool process is not found running from
- '/Applications/BackupTool' (OSX) or 'c:\backuptool.exe' (Windows)"
- name: backup_tool_not_running
- query: SELECT IFNULL(process_count,0) as process_exists FROM (SELECT count(*) as
- process_count from processes where path='/Applications/BackupTool' OR lower(path)
- LIKE 'c:\backuptool.exe') where process_exists!=1;
----
-apiVersion: v1
-kind: query
-spec:
- description: Returns the content of the key if the backend server does not match
- the expected value
- name: endpoint_security_tool_backend_server_registry_misconfigured
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\EndpointSecurityTool\BackendServerLocation'
- AND data!='https://expected_endpoint.local';
diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-application-security.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-application-security.yaml
deleted file mode 100644
index d1008e3cd..000000000
--- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-application-security.yaml
+++ /dev/null
@@ -1,94 +0,0 @@
----
-apiVersion: v1
-kind: pack
-spec:
- name: windows-application-security
- queries:
- - description: Controls Bitlocker full-disk encryption settings.
- interval: 3600
- name: bitlocker_autoencrypt_settings_registry
- platform: windows
- query: bitlocker_autoencrypt_settings_registry
- - description: Controls Bitlocker full-disk encryption settings.
- interval: 3600
- name: bitlocker_fde_settings_registry
- platform: windows
- query: bitlocker_fde_settings_registry
- - description: Controls Google Chrome plugins that are forcibly installed.
- interval: 3600
- name: chrome_extension_force_list_registry
- platform: windows
- query: chrome_extension_force_list_registry
- - description: Controls EMET-protected applications and system settings.
- interval: 3600
- name: emet_settings_registry
- platform: windows
- query: emet_settings_registry
- - description: Controls Local Administrative Password Solution (LAPS) settings.
- interval: 3600
- name: microsoft_laps_settings_registry
- platform: windows
- query: microsoft_laps_settings_registry
- - description: Controls Windows Passport for Work (Hello) settings.
- interval: 3600
- name: passport_for_work_settings_registry
- platform: windows
- query: passport_for_work_settings_registry
- - description: Controls UAC. A setting of 0 indicates that UAC is disabled.
- interval: 3600
- name: uac_settings_registry
- platform: windows
- query: uac_settings_registry
- targets:
- labels:
- - MS Windows
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls Bitlocker full-disk encryption settings.
- name: bitlocker_autoencrypt_settings_registry
- query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Bitlocker\%%';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls Bitlocker full-disk encryption settings.
- name: bitlocker_fde_settings_registry
- query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\%%';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls Google Chrome plugins that are forcibly installed.
- name: chrome_extension_force_list_registry
- query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls EMET-protected applications and system settings.
- name: emet_settings_registry
- query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\%%';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls Local Administrative Password Solution (LAPS) settings.
- name: microsoft_laps_settings_registry
- query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft
- Services\AdmPwd';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls Windows Passport for Work (Hello) settings.
- name: passport_for_work_settings_registry
- query: SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PassportForWork\%%';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls UAC. A setting of 0 indicates that UAC is disabled.
- name: uac_settings_registry
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA';
diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-compliance.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-compliance.yaml
deleted file mode 100644
index 38ff4857e..000000000
--- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-compliance.yaml
+++ /dev/null
@@ -1,322 +0,0 @@
----
-apiVersion: v1
-kind: pack
-spec:
- name: windows-compliance
- queries:
- - description: 'This key does not exist by default and controls enabling/disabling
- error reporting display. Some malware creates this key and sets the value to
- 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
- interval: 3600
- name: error_display_ui_registry
- platform: windows
- query: error_display_ui_registry
- - description: Entries for the FileRenameOperation support the MoveFileEx delayed-rename
- and delayed-delete capabilities. Sometimes used as a self-deletion technique
- for malware.
- interval: 3600
- name: filerenameoperations_registry
- platform: windows
- query: filerenameoperations_registry
- - description: Controls which security packages store credentials in LSA memory,
- secure boot, etc.
- interval: 3600
- name: local_security_authority_registry
- platform: windows
- query: local_security_authority_registry
- - description: 'This key exists by default and has a default value of 1. Setting
- this key to 0 disables logging errors/crashes to the System event channel. Some
- malware sets this value to 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
- interval: 3600
- name: log_errors_registry
- platform: windows
- query: log_errors_registry
- - description: Controls Windows security provider configurations
- interval: 3600
- name: security_providers_registry
- platform: windows
- query: security_providers_registry
- - description: Controls Windows Update server location and installation behavior.
- interval: 3600
- name: windows_update_settings_registry
- platform: windows
- query: windows_update_settings_registry
- - description: 'Controls enabling/disabling crash dumps. This key has a default
- value of 7, but some malware sets this value to 0.
See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
- interval: 3600
- name: crash_dump_registry
- platform: windows
- query: crash_dump_registry
- - description: 'This registry key specifies the path to a DLL to be loaded by a
- Windows DNS server. This key does not exist by default. Can allow privesc: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83'
- interval: 3600
- name: dns_plugin_dll_registry
- platform: windows
- query: dns_plugin_dll_registry
- - description: The KnownDlls key defines the set of DLLs that are first searched
- during system startup.
- interval: 3600
- name: knowndlls_registry
- platform: windows
- query: knowndlls_registry
- - description: This key exists by default and has a default value of 1. Terminal
- service connections are allowed to the host when the key value is set to 0
- interval: 3600
- name: terminal_service_deny_registry
- platform: windows
- query: terminal_service_deny_registry
- - description: Controls Windows command-line auditing
- interval: 3600
- name: command_line_auditing_registry
- platform: windows
- query: command_line_auditing_registry
- - description: 'This key (and subkeys) exist by default and are required to allow
- post-mortem debuggers like Dr. Watson. Some malware deletes this key. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
- interval: 3600
- name: dr_watson_registry
- platform: windows
- query: dr_watson_registry
- - description: Controls how many simultaneous terminal services sessions can use
- the same account
- interval: 3600
- name: per_user_ts_session_registry
- platform: windows
- query: per_user_ts_session_registry
- - description: Controls Powershell execution policy, script execution, logging,
- and more.
- interval: 3600
- name: powershell_settings_registry
- platform: windows
- query: powershell_settings_registry
- - description: Controls enabling/disabling SMBv1. Setting this key to 0 disables
- the SMBv1 protocol on the host.
- interval: 3600
- name: smbv1_registry
- platform: windows
- query: smbv1_registry
- - description: Lists information about SecureBoot status.
- interval: 3600
- name: secure_boot_registry
- platform: windows
- query: secure_boot_registry
- - description: This key does not exist by default and controls enabling/disabling
- error reporting. Some malware creates this key sets the value to 0 (disables
- error reports). See https://msdn.microsoft.com/en-us/library/aa939342(v=winembedded.5).aspx
- and https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html
- interval: 3600
- name: error_report_registry
- platform: windows
- query: error_report_registry
- - description: Controls behavior, size, and rotation strategy for primary windows
- event log files.
- interval: 3600
- name: event_log_settings_registry
- platform: windows
- query: event_log_settings_registry
- - description: Controls system TPM settings
- interval: 3600
- name: tpm_registry
- platform: windows
- query: tpm_registry
- - description: Controls local WinRM client configuration and security.
- interval: 3600
- name: winrm_settings_registry
- platform: windows
- query: winrm_settings_registry
- - description: 'Controls the suppression of error dialog boxes. The default value
- is 0 (all messages are visible), but some malware sets this value to 2 (all
- messages are invisible). See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
- interval: 3600
- name: error_mode_registry
- platform: windows
- query: error_mode_registry
- - description: Controls sending administrative notifications after a crash.
Some
- malware sets this value to 0
- interval: 3600
- name: send_error_alert_registry
- platform: windows
- query: send_error_alert_registry
- targets:
- labels:
- - MS Windows
----
-apiVersion: v1
-kind: query
-spec:
- description: 'This key does not exist by default and controls enabling/disabling
- error reporting display. Some malware creates this key and sets the value to 0.
- See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
- name: error_display_ui_registry
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\ShowUI';
----
-apiVersion: v1
-kind: query
-spec:
- description: Entries for the FileRenameOperation support the MoveFileEx delayed-rename
- and delayed-delete capabilities. Sometimes used as a self-deletion technique for
- malware.
- name: filerenameoperations_registry
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
- Manager\FileRenameOperations';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls which security packages store credentials in LSA memory, secure
- boot, etc.
- name: local_security_authority_registry
- query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\%%';
----
-apiVersion: v1
-kind: query
-spec:
- description: 'This key exists by default and has a default value of 1. Setting this
- key to 0 disables logging errors/crashes to the System event channel. Some malware
- sets this value to 0.
See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
- name: log_errors_registry
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\LogEvent';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls Windows security provider configurations
- name: security_providers_registry
- query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\%%';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls Windows Update server location and installation behavior.
- name: windows_update_settings_registry
- query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\%%';
----
-apiVersion: v1
-kind: query
-spec:
- description: 'Controls enabling/disabling crash dumps. This key has a default value
- of 7, but some malware sets this value to 0. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
- name: crash_dump_registry
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled';
----
-apiVersion: v1
-kind: query
-spec:
- description: 'This registry key specifies the path to a DLL to be loaded by a Windows
- DNS server. This key does not exist by default. Can allow privesc: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83'
- name: dns_plugin_dll_registry
- query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll';
----
-apiVersion: v1
-kind: query
-spec:
- description: The KnownDlls key defines the set of DLLs that are first searched during
- system startup.
- name: knowndlls_registry
- query: SELECT * FROM registry WHERE path LIKE 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
- Manager\KnownDLLs\%%';
----
-apiVersion: v1
-kind: query
-spec:
- description: This key exists by default and has a default value of 1. Terminal service
- connections are allowed to the host when the key value is set to 0
- name: terminal_service_deny_registry
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
- Server\fDenyTSConnections';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls Windows command-line auditing
- name: command_line_auditing_registry
- query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit';
----
-apiVersion: v1
-kind: query
-spec:
- description: 'This key (and subkeys) exist by default and are required to allow
- post-mortem debuggers like Dr. Watson. Some malware deletes this key. See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
- name: dr_watson_registry
- query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
- NT\CurrentVersion\AeDebug';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls how many simultaneous terminal services sessions can use the
- same account
- name: per_user_ts_session_registry
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
- Server\fSingleSessionPerUser';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls Powershell execution policy, script execution, logging, and
- more.
- name: powershell_settings_registry
- query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\%%';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls enabling/disabling SMBv1.
Setting this key to 0 disables the
- SMBv1 protocol on the host.
- name: smbv1_registry
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1';
----
-apiVersion: v1
-kind: query
-spec:
- description: Lists information about SecureBoot status.
- name: secure_boot_registry
- query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot';
----
-apiVersion: v1
-kind: query
-spec:
- description: This key does not exist by default and controls enabling/disabling
- error reporting. Some malware creates this key sets the value to 0 (disables error
- reports). See https://msdn.microsoft.com/en-us/library/aa939342(v=winembedded.5).aspx
- and https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html
- name: error_report_registry
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\DoReport';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls behavior, size, and rotation strategy for primary windows
- event log files.
- name: event_log_settings_registry
- query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\%%';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls system TPM settings
- name: tpm_registry
- query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\TPM';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls local WinRM client configuration and security.
- name: winrm_settings_registry
- query: SELECT * FROM registry WHERE key LIKE 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\%%';
----
-apiVersion: v1
-kind: query
-spec:
- description: 'Controls the suppression of error dialog boxes. The default value
- is 0 (all messages are visible), but some malware sets this value to 2 (all messages
- are invisible).
See: https://www.documentcloud.org/documents/3477047-Document-07-Neel-Mehta-Billy-Leonard-and-Shane.html'
- name: error_mode_registry
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\ErrorMode';
----
-apiVersion: v1
-kind: query
-spec:
- description: Controls sending administrative notifications after a crash. Some malware
- sets this value to 0
- name: send_error_alert_registry
- query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\SendAlert';
diff --git a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-registry-monitoring.yaml b/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-registry-monitoring.yaml
deleted file mode 100644
index 89f01494b..000000000
--- a/salt/fleet/files/packs/palantir/Fleet/Endpoints/packs/windows-registry-monitoring.yaml
+++ /dev/null
@@ -1,476 +0,0 @@ ---- -apiVersion: v1 -kind: pack -spec: - name: windows-registry-monitoring - queries: - - description: Technique used by attackers to prevent computer accounts from changing - their password, thus extending the life of Kerberos silver tickets (https://adsecurity.org/?p=2011) - interval: 3600 - name: computer_password_change_disabled_registry - platform: windows - query: computer_password_change_disabled_registry - - description: Returns 0 as a result if the registry key does not exist - interval: 3600 - name: error_mode_registry_missing - platform: windows - query: error_mode_registry_missing - - description: Returns 0 as a result if the registry key does not exist - interval: 3600 - name: per_user_ts_session_registry_missing - platform: windows - query: per_user_ts_session_registry_missing - - description: Returns 0 as a result if the registry key does not exist - interval: 3600 - name: powershell_invocationheader_registry_missing - platform: windows - query: powershell_invocationheader_registry_missing - - description: Returns the content of the key if it does not match the expected - value - interval: 3600 - name: bitlocker_encryption_settings_registry_misconfigured - platform: windows - query: bitlocker_encryption_settings_registry_misconfigured - - description: Returns the content of the key if it does not match the expected - value - interval: 3600 - name: bitlocker_mbam_registry_misconfigured - platform: windows - query: bitlocker_mbam_registry_misconfigured - - description: Returns the content of this key if it exists, which it shouldn't - by default - interval: 3600 - name: dns_plugin_dll_registry_exists - platform: windows - query: dns_plugin_dll_registry_exists - - description: Returns the content of this key if it exists, which it shouldn't - by default - interval: 3600 - name: error_display_ui_registry_exists - platform: windows - query: error_display_ui_registry_exists - - description: Returns the content of the key if it does not 
match the expected - value - interval: 3600 - name: log_errors_registry_misconfigured - platform: windows - query: log_errors_registry_misconfigured - - description: Returns the content of the key if it does not match the expected - value - interval: 3600 - name: subscription_manager_registry_misconfigured - platform: windows - query: subscription_manager_registry_misconfigured - - description: Returns 0 as a result if the registry key does not exist - interval: 3600 - name: subscription_manager_registry_missing - platform: windows - query: subscription_manager_registry_missing - - description: Returns the content of the key if it does not match the expected - value - interval: 3600 - name: command_line_auditing_registry_misconfigured - platform: windows - query: command_line_auditing_registry_misconfigured - - description: Returns 0 as a result if the registry key does not exist - interval: 3600 - name: crash_dump_registry_missing - platform: windows - query: crash_dump_registry_missing - - description: Returns the content of the key if it does not match the expected - value - interval: 3600 - name: error_mode_registry_misconfigured - platform: windows - query: error_mode_registry_misconfigured - - description: Returns 0 as a result if the registry key does not exist - interval: 3600 - name: log_errors_registry_missing - platform: windows - query: log_errors_registry_missing - - description: Returns the content of the key if it does not match the expected - value - interval: 3600 - name: winrm_settings_registry_misconfigured - platform: windows - query: winrm_settings_registry_misconfigured - - description: Returns the content of the key if it does not match the expected - value - interval: 3600 - name: crash_dump_registry_misconfigured - platform: windows - query: crash_dump_registry_misconfigured - - description: Detect a registry based persistence mechanism that allows an attacker - to specify a DLL to be loaded when cryptographic libraries are called 
(https://twitter.com/PsiDragon/status/978367732793135105) - interval: 3600 - name: physicalstore_dll_registry_persistence - platform: windows - query: physicalstore_dll_registry_persistence - - description: Returns the content of the key if it does not match the expected - value - interval: 3600 - name: powershell_logging_registry_misconfigured - platform: windows - query: powershell_logging_registry_misconfigured - - description: 'A registry key can be created to disable AMSI on Windows: (https://twitter.com/Moriarty_Meng/status/1011568060883333120)' - interval: 3600 - name: amsi_disabled_registry - platform: windows - query: amsi_disabled_registry - - description: Controls how often to rotate the local computer password (defaults - to 30 days). A modification of this value may be an indicator of attacker activity. - interval: 3600 - name: computer_maximum_password_age_changed_registry - platform: windows - query: computer_maximum_password_age_changed_registry - - description: Returns 0 as a result if the registry key does not exist - interval: 3600 - name: dr_watson_registry_missing - platform: windows - query: dr_watson_registry_missing - - description: Returns the content of the key if it does not match the expected - value - interval: 3600 - name: per_user_ts_session_registry_misconfigured - platform: windows - query: per_user_ts_session_registry_misconfigured - - description: Registry based persistence mechanism to load DLLs at reboot time - and avoids detection by Autoruns (https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/). - Subkeys will be deleted after they run, thus (RunOnce). The RunOnceEx key will - remain. 
- interval: 3600 - name: runonceex_persistence_registry - platform: windows - query: runonceex_persistence_registry - - description: Returns 0 as a result if the registry key does not exist - interval: 3600 - name: smbv1_registry_missing - platform: windows - query: smbv1_registry_missing - - description: Returns 0 as a result if the registry key does not exist - interval: 3600 - name: powershell_transcription_logging_registry_missing - platform: windows - query: powershell_transcription_logging_registry_missing - - description: Returns 0 as a result if the registry key does not exist - interval: 3600 - name: powershell_module_logging_registry_missing - platform: windows - query: powershell_module_logging_registry_missing - - description: Returns 0 as a result if the registry key does not exist - interval: 3600 - name: powershell_scriptblock_logging_registry_missing - platform: windows - query: powershell_scriptblock_logging_registry_missing - - description: Returns the content of the key if it does not match the expected - value - interval: 3600 - name: bitlocker_mbam_endpoint_registry_misconfigured - platform: windows - query: bitlocker_mbam_endpoint_registry_misconfigured - - description: Returns 0 as a result if the registry key does not exist - interval: 3600 - name: command_line_auditing_registry_missing - platform: windows - query: command_line_auditing_registry_missing - - description: "" - interval: 3600 - name: smbv1_registry_misconfigured - platform: windows - query: smbv1_registry_misconfigured - - description: Returns the content of this key if it exists, which it shouldn't - by default - interval: 3600 - name: send_error_alert_registry_exists - platform: windows - query: send_error_alert_registry_exists - targets: - labels: - - MS Windows ---- -apiVersion: v1 -kind: query -spec: - description: Technique used by attackers to prevent computer accounts from changing - their password, thus extending the life of Kerberos silver tickets 
(https://adsecurity.org/?p=2011) - name: computer_password_change_disabled_registry - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange' - AND data!=0; ---- -apiVersion: v1 -kind: query -spec: - description: Returns 0 as a result if the registry key does not exist - name: error_mode_registry_missing - query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count - FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\ErrorMode') - WHERE key_exists!=1; ---- -apiVersion: v1 -kind: query -spec: - description: Returns 0 as a result if the registry key does not exist - name: per_user_ts_session_registry_missing - query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count - FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal - Server\fSingleSessionPerUser') WHERE key_exists!=1; ---- -apiVersion: v1 -kind: query -spec: - description: Returns 0 as a result if the registry key does not exist - name: powershell_invocationheader_registry_missing - query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count - FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableInvocationHeader') - WHERE key_exists!=1; ---- -apiVersion: v1 -kind: query -spec: - description: Returns the content of the key if it does not match the expected value - name: bitlocker_encryption_settings_registry_misconfigured - query: SELECT * FROM registry WHERE (path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\ShouldEncryptOSDrive' - OR path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\OSDriveProtector') - AND data!=1; ---- -apiVersion: v1 -kind: query -spec: - description: Returns the content of the key if it does not match the expected value - name: 
bitlocker_mbam_registry_misconfigured - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\UseMBAMServices' - AND data!=1; ---- -apiVersion: v1 -kind: query -spec: - description: Returns the content of this key if it exists, which it shouldn't by - default - name: dns_plugin_dll_registry_exists - query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll'; ---- -apiVersion: v1 -kind: query -spec: - description: Returns the content of this key if it exists, which it shouldn't by - default - name: error_display_ui_registry_exists - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting\ShowUI'; ---- -apiVersion: v1 -kind: query -spec: - description: Returns the content of the key if it does not match the expected value - name: log_errors_registry_misconfigured - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\LogEvent' - AND data!=1; ---- -apiVersion: v1 -kind: query -spec: - description: Returns the content of the key if it does not match the expected value - name: subscription_manager_registry_misconfigured - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager\1' - AND (data!='Server=http://subdomain.domain.com:5985/wsman/SubscriptionManager/WEC' - AND data!='Server=http://subdomain.domain.com:5985/wsman/SubscriptionManager/WEC'); ---- -apiVersion: v1 -kind: query -spec: - description: Returns 0 as a result if the registry key does not exist - name: subscription_manager_registry_missing - query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count - FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager\1') - WHERE key_exists!=1; ---- 
-apiVersion: v1 -kind: query -spec: - description: Returns the content of the key if it does not match the expected value - name: command_line_auditing_registry_misconfigured - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled' - AND data!=1; ---- -apiVersion: v1 -kind: query -spec: - description: Returns 0 as a result if the registry key does not exist - name: crash_dump_registry_missing - query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count - FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled') - WHERE key_exists!=1; ---- -apiVersion: v1 -kind: query -spec: - description: Returns the content of the key if it does not match the expected value - name: error_mode_registry_misconfigured - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows\ErrorMode' - AND data=2; ---- -apiVersion: v1 -kind: query -spec: - description: Returns 0 as a result if the registry key does not exist - name: log_errors_registry_missing - query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count - FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\LogEvent') - WHERE key_exists!=1; ---- -apiVersion: v1 -kind: query -spec: - description: Returns the content of the key if it does not match the expected value - name: winrm_settings_registry_misconfigured - query: 'SELECT * FROM registry WHERE (path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic'' - OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowCredSSP'' - OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic'' - OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest'' - OR 
path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic'' - OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowCredSSP'' - OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic'' - OR path=''HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS\AllowRemoteShellAccess'') - AND data!=0; ' ---- -apiVersion: v1 -kind: query -spec: - description: Returns the content of the key if it does not match the expected value - name: crash_dump_registry_misconfigured - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\CrashDumpEnabled' - AND data=0; ---- -apiVersion: v1 -kind: query -spec: - description: Detect a registry based persistence mechanism that allows an attacker - to specify a DLL to be loaded when cryptographic libraries are called (https://twitter.com/PsiDragon/status/978367732793135105) - name: physicalstore_dll_registry_persistence - query: SELECT key, path, name, mtime, username FROM registry r, users WHERE path - LIKE 'HKEY_USERS\'||uuid||'\Software\Microsoft\SystemCertificates\CA\PhysicalStores\%%' - OR path LIKE 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType - 0\CertDllOpenStoreProv\%%' AND name!='#16' AND name!='Ldap'; ---- -apiVersion: v1 -kind: query -spec: - description: Returns the content of the key if it does not match the expected value - name: powershell_logging_registry_misconfigured - query: SELECT * FROM registry WHERE (path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ModuleLogging\EnableModuleLogging' - OR path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging\EnableScriptBlockLogging' - OR path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableTranscripting' - OR 
path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableInvocationHeader') - AND data!=1; ---- -apiVersion: v1 -kind: query -spec: - description: 'A registry key can be created to disable AMSI on Windows: (https://twitter.com/Moriarty_Meng/status/1011568060883333120)' - name: amsi_disabled_registry - query: SELECT key, r.path, r.name, r.mtime, r.data, username from registry r, users - WHERE path = 'HKEY_USERS\'||uuid||'\Software\Microsoft\Windows Script\Settings\AmsiEnable' - AND data=0; ---- -apiVersion: v1 -kind: query -spec: - description: Controls how often to rotate the local computer password (defaults - to 30 days). A modification of this value may be an indicator of attacker activity. - name: computer_maximum_password_age_changed_registry - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge' - and data!=30; ---- -apiVersion: v1 -kind: query -spec: - description: Returns 0 as a result if the registry key does not exist - name: dr_watson_registry_missing - query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count - FROM registry where key='HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug') - WHERE key_exists!=2; ---- -apiVersion: v1 -kind: query -spec: - description: Returns the content of the key if it does not match the expected value - name: per_user_ts_session_registry_misconfigured - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal - Server\fSingleSessionPerUser' AND data!=1; ---- -apiVersion: v1 -kind: query -spec: - description: Registry based persistence mechanism to load DLLs at reboot time and - avoids detection by Autoruns (https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/). - Subkeys will be deleted after they run, thus (RunOnce). The RunOnceEx key will - remain. 
- name: runonceex_persistence_registry - query: SELECT * FROM registry WHERE path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'; ---- -apiVersion: v1 -kind: query -spec: - description: Returns 0 as a result if the registry key does not exist - name: smbv1_registry_missing - query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count - FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1') - WHERE key_exists!=1; ---- -apiVersion: v1 -kind: query -spec: - description: Returns 0 as a result if the registry key does not exist - name: powershell_transcription_logging_registry_missing - query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count - FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\Transcription\EnableTranscripting') - WHERE key_exists!=1; ---- -apiVersion: v1 -kind: query -spec: - description: Returns 0 as a result if the registry key does not exist - name: powershell_module_logging_registry_missing - query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count - FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ModuleLogging\EnableModuleLogging') - WHERE key_exists!=1; ---- -apiVersion: v1 -kind: query -spec: - description: Returns 0 as a result if the registry key does not exist - name: powershell_scriptblock_logging_registry_missing - query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count - FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Powershell\ScriptBlockLogging\EnableScriptBlockLogging') - WHERE key_exists!=1; ---- -apiVersion: v1 -kind: query -spec: - description: Returns the content of the key if it does not match the expected value - name: bitlocker_mbam_endpoint_registry_misconfigured - query: SELECT * FROM registry WHERE 
path='HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\KeyRecoveryServiceEndPoint' - AND data!='https://mbam.server.com/MBAMRecoveryAndHardwareService/CoreService.svc'; ---- -apiVersion: v1 -kind: query -spec: - description: Returns 0 as a result if the registry key does not exist - name: command_line_auditing_registry_missing - query: SELECT IFNULL(key_count,0) AS key_exists FROM (SELECT COUNT(*) AS key_count - FROM registry WHERE path='HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled') - WHERE key_exists!=1; ---- -apiVersion: v1 -kind: query -spec: - name: smbv1_registry_misconfigured - query: SELECT * FROM registry WHERE path='HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1' - AND data!=0; ---- -apiVersion: v1 -kind: query -spec: - description: Returns the content of this key if it exists, which it shouldn't by - default - name: send_error_alert_registry_exists - query: SELECT * FROM registry WHERE key='HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl\SendAlert'; diff --git a/salt/fleet/files/packs/palantir/Fleet/Servers/Linux/osquery.yaml b/salt/fleet/files/packs/palantir/Fleet/Servers/Linux/osquery.yaml deleted file mode 100644 index 62ae6d458..000000000 --- a/salt/fleet/files/packs/palantir/Fleet/Servers/Linux/osquery.yaml +++ /dev/null 
@@ -1,580 +0,0 @@ ---- -apiVersion: v1 -kind: pack -spec: - name: LinuxPack - queries: - - description: Retrieves all the jobs scheduled in crontab in the target system. - interval: 86400 - name: crontab_snapshot - platform: linux - query: crontab_snapshot - snapshot: true - - description: Various Linux kernel integrity checked attributes. - interval: 86400 - name: kernel_integrity - platform: linux - query: kernel_integrity - - description: Linux kernel modules both loaded and within the load search path. - interval: 3600 - name: kernel_modules - platform: linux - query: kernel_modules - - description: Retrieves the current list of mounted drives in the target system. - interval: 86400 - name: mounts - platform: linux - query: mounts - - description: Socket events collected from the audit framework - interval: 10 - name: socket_events - platform: linux - query: socket_events - - description: Record the network interfaces and their associated IP and MAC addresses - interval: 600 - name: network_interfaces_snapshot - platform: linux - query: network_interfaces_snapshot - snapshot: true - - description: Information about the running osquery configuration - interval: 86400 - name: osquery_info - platform: linux - query: osquery_info - snapshot: true - - description: Display all installed RPM packages - interval: 86400 - name: rpm_packages - platform: centos - query: rpm_packages - snapshot: true - - description: Record shell history for all users on system (instead of just root) - interval: 3600 - name: shell_history - platform: linux - query: shell_history - - description: File events collected from file integrity monitoring - interval: 10 - name: file_events - platform: linux - query: file_events - removed: false - - description: Retrieve the EC2 metadata for this endpoint - interval: 3600 - name: ec2_instance_metadata - platform: linux - query: ec2_instance_metadata - - description: Retrieve the EC2 tags for this endpoint - interval: 3600 - name: ec2_instance_tags 
- platform: linux - query: ec2_instance_tags - - description: Snapshot query to retrieve the EC2 tags for this instance - interval: 86400 - name: ec2_instance_tags_snapshot - platform: linux - query: ec2_instance_tags_snapshot - snapshot: true - - description: Retrieves the current filters and chains per filter in the target - system. - interval: 86400 - name: iptables - platform: linux - query: iptables - - description: Display any SUID binaries that are owned by root - interval: 86400 - name: suid_bin - platform: linux - query: suid_bin - - description: Display all installed DEB packages - interval: 86400 - name: deb_packages - platform: ubuntu - query: deb_packages - snapshot: true - - description: Find shell processes that have open sockets - interval: 600 - name: behavioral_reverse_shell - platform: linux - query: behavioral_reverse_shell - - description: Retrieves all the jobs scheduled in crontab in the target system. - interval: 3600 - name: crontab - platform: linux - query: crontab - - description: Local system users. - interval: 86400 - name: users - platform: linux - query: users - - description: Process events collected from the audit framework - interval: 10 - name: process_events - platform: linux - query: process_events - - description: Retrieves the list of the latest logins with PID, username and timestamp. - interval: 3600 - name: last - platform: linux - query: last - - description: Any processes that run with an LD_PRELOAD environment variable - interval: 60 - name: ld_preload - platform: linux - query: ld_preload - snapshot: true - - description: Information about the system hardware and name - interval: 86400 - name: system_info - platform: linux - query: system_info - snapshot: true - - description: Returns the private keys in the users ~/.ssh directory and whether - or not they are encrypted - interval: 86400 - name: user_ssh_keys - platform: linux - query: user_ssh_keys - - description: Local system users. 
- interval: 86400 - name: users_snapshot - platform: linux - query: users_snapshot - snapshot: true - - description: DNS resolvers used by the host - interval: 3600 - name: dns_resolvers - platform: linux - query: dns_resolvers - - description: Retrieves information from the current kernel in the target system. - interval: 86400 - name: kernel_info - platform: linux - query: kernel_info - snapshot: true - - description: Linux kernel modules both loaded and within the load search path. - interval: 86400 - name: kernel_modules_snapshot - platform: linux - query: kernel_modules_snapshot - snapshot: true - - description: Generates an event if ld.so.preload is present - used by rootkits - such as Jynx - interval: 3600 - name: ld_so_preload_exists - platform: linux - query: ld_so_preload_exists - snapshot: true - - description: Records system/user time, db size, and many other system metrics - interval: 1800 - name: runtime_perf - platform: linux - query: runtime_perf - - description: Retrieves all the entries in the target system /etc/hosts file. - interval: 86400 - name: etc_hosts_snapshot - platform: linux - query: etc_hosts_snapshot - snapshot: true - - description: Snapshot query to retrieve the EC2 metadata for this endpoint - interval: 86400 - name: ec2_instance_metadata_snapshot - platform: linux - query: ec2_instance_metadata_snapshot - snapshot: true - - description: "" - interval: 10 - name: hardware_events - platform: linux - query: hardware_events - removed: false - - description: Information about memory usage on the system - interval: 3600 - name: memory_info - platform: linux - query: memory_info - - description: Displays information from /proc/stat file about the time the CPU - cores spent in different parts of the system - interval: 3600 - name: cpu_time - platform: linux - query: cpu_time - - description: Retrieves all the entries in the target system /etc/hosts file. 
- interval: 3600 - name: etc_hosts - platform: linux - query: etc_hosts - - description: Retrieves information from the Operating System where osquery is - currently running. - interval: 86400 - name: os_version - platform: linux - query: os_version - snapshot: true - - description: A snapshot of all processes running on the host. Useful for outlier - analysis. - interval: 86400 - name: processes_snapshot - platform: linux - query: processes_snapshot - snapshot: true - - description: Retrieves the current list of USB devices in the target system. - interval: 120 - name: usb_devices - platform: linux - query: usb_devices - - description: A line-delimited authorized_keys table. - interval: 86400 - name: authorized_keys - platform: linux - query: authorized_keys - - description: Display apt package manager sources. - interval: 86400 - name: apt_sources - platform: ubuntu - query: apt_sources - snapshot: true - - description: Gather information about processes that are listening on a socket. - interval: 86400 - name: listening_ports - platform: linux - query: listening_ports - snapshot: true - - description: Display yum package manager sources. - interval: 86400 - name: yum_sources - platform: centos - query: yum_sources - snapshot: true - targets: - labels: - - Ubuntu Linux - - CentOS Linux ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves all the jobs scheduled in crontab in the target system. - name: crontab_snapshot - query: SELECT * FROM crontab; ---- -apiVersion: v1 -kind: query -spec: - description: Various Linux kernel integrity checked attributes. - name: kernel_integrity - query: SELECT * FROM kernel_integrity; ---- -apiVersion: v1 -kind: query -spec: - description: Linux kernel modules both loaded and within the load search path. - name: kernel_modules - query: SELECT * FROM kernel_modules; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves the current list of mounted drives in the target system. 
- name: mounts - query: SELECT device, device_alias, path, type, blocks_size, flags FROM mounts; ---- -apiVersion: v1 -kind: query -spec: - description: Socket events collected from the audit framework - name: socket_events - query: SELECT action, auid, family, local_address, local_port, path, pid, remote_address, - remote_port, success, time FROM socket_events WHERE success=1 AND path NOT IN - ('/usr/bin/hostname') AND remote_address NOT IN ('127.0.0.1', '169.254.169.254', - '', '0000:0000:0000:0000:0000:0000:0000:0001', '::1', '0000:0000:0000:0000:0000:ffff:7f00:0001', - 'unknown', '0.0.0.0', '0000:0000:0000:0000:0000:0000:0000:0000'); ---- -apiVersion: v1 -kind: query -spec: - description: Record the network interfaces and their associated IP and MAC addresses - name: network_interfaces_snapshot - query: SELECT a.interface, a.address, d.mac FROM interface_addresses a JOIN interface_details - d USING (interface); ---- -apiVersion: v1 -kind: query -spec: - description: Information about the running osquery configuration - name: osquery_info - query: SELECT * FROM osquery_info; ---- -apiVersion: v1 -kind: query -spec: - description: Display all installed RPM packages - name: rpm_packages - query: SELECT name, version, release, arch FROM rpm_packages; ---- -apiVersion: v1 -kind: query -spec: - description: Record shell history for all users on system (instead of just root) - name: shell_history - query: SELECT * FROM users CROSS JOIN shell_history USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: File events collected from file integrity monitoring - name: file_events - query: SELECT * FROM file_events; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieve the EC2 metadata for this endpoint - name: ec2_instance_metadata - query: SELECT * FROM ec2_instance_metadata; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieve the EC2 tags for this endpoint - name: ec2_instance_tags - query: SELECT * FROM ec2_instance_tags; ---- 
-apiVersion: v1 -kind: query -spec: - description: Snapshot query to retrieve the EC2 tags for this instance - name: ec2_instance_tags_snapshot - query: SELECT * FROM ec2_instance_tags; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves the current filters and chains per filter in the target system. - name: iptables - query: SELECT * FROM iptables; ---- -apiVersion: v1 -kind: query -spec: - description: Display any SUID binaries that are owned by root - name: suid_bin - query: SELECT * FROM suid_bin; ---- -apiVersion: v1 -kind: query -spec: - description: Display all installed DEB packages - name: deb_packages - query: SELECT * FROM deb_packages; ---- -apiVersion: v1 -kind: query -spec: - description: Find shell processes that have open sockets - name: behavioral_reverse_shell - query: SELECT DISTINCT(processes.pid), processes.parent, processes.name, processes.path, - processes.cmdline, processes.cwd, processes.root, processes.uid, processes.gid, - processes.start_time, process_open_sockets.remote_address, process_open_sockets.remote_port, - (SELECT cmdline FROM processes AS parent_cmdline WHERE pid=processes.parent) AS - parent_cmdline FROM processes JOIN process_open_sockets USING (pid) LEFT OUTER - JOIN process_open_files ON processes.pid = process_open_files.pid WHERE (name='sh' - OR name='bash') AND remote_address NOT IN ('0.0.0.0', '::', '') AND remote_address - NOT LIKE '10.%' AND remote_address NOT LIKE '192.168.%'; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves all the jobs scheduled in crontab in the target system. - name: crontab - query: SELECT * FROM crontab; ---- -apiVersion: v1 -kind: query -spec: - description: Local system users. 
- name: users - query: SELECT * FROM users; ---- -apiVersion: v1 -kind: query -spec: - description: Process events collected from the audit framework - name: process_events - query: SELECT auid, cmdline, ctime, cwd, egid, euid, gid, parent, path, pid, time, - uid FROM process_events WHERE path NOT IN ('/bin/sed', '/usr/bin/tr', '/bin/gawk', - '/bin/date', '/bin/mktemp', '/usr/bin/dirname', '/usr/bin/head', '/usr/bin/jq', - '/bin/cut', '/bin/uname', '/bin/basename') and cmdline NOT LIKE '%_key%' AND cmdline - NOT LIKE '%secret%'; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves the list of the latest logins with PID, username and timestamp. - name: last - query: SELECT * FROM last; ---- -apiVersion: v1 -kind: query -spec: - description: Any processes that run with an LD_PRELOAD environment variable - name: ld_preload - query: SELECT process_envs.pid, process_envs.key, process_envs.value, processes.name, - processes.path, processes.cmdline, processes.cwd FROM process_envs join processes - USING (pid) WHERE key = 'LD_PRELOAD'; ---- -apiVersion: v1 -kind: query -spec: - description: Information about the system hardware and name - name: system_info - query: SELECT * FROM system_info; ---- -apiVersion: v1 -kind: query -spec: - description: Returns the private keys in the users ~/.ssh directory and whether - or not they are encrypted - name: user_ssh_keys - query: SELECT * FROM users CROSS JOIN user_ssh_keys USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: Local system users. - name: users_snapshot - query: SELECT * FROM users; ---- -apiVersion: v1 -kind: query -spec: - description: DNS resolvers used by the host - name: dns_resolvers - query: SELECT * FROM dns_resolvers; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves information from the current kernel in the target system. 
- name: kernel_info - query: SELECT * FROM kernel_info; ---- -apiVersion: v1 -kind: query -spec: - description: Linux kernel modules both loaded and within the load search path. - name: kernel_modules_snapshot - query: SELECT * FROM kernel_modules; ---- -apiVersion: v1 -kind: query -spec: - description: Generates an event if ld.so.preload is present - used by rootkits such - as Jynx - name: ld_so_preload_exists - query: SELECT * FROM file WHERE path='/etc/ld.so.preload' AND path!=''; ---- -apiVersion: v1 -kind: query -spec: - description: Records system/user time, db size, and many other system metrics - name: runtime_perf - query: SELECT ov.version AS os_version, ov.platform AS os_platform, ov.codename - AS os_codename, i.*, p.resident_size, p.user_time, p.system_time, time.minutes - AS counter, db.db_size_mb AS database_size from osquery_info i, os_version ov, - processes p, time, (SELECT (SUM(size) / 1024) / 1024.0 AS db_size_mb FROM (SELECT - value FROM osquery_flags WHERE name = 'database_path' LIMIT 1) flags, file WHERE - path LIKE flags.value || '%%' AND type = 'regular') db WHERE p.pid = i.pid; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves all the entries in the target system /etc/hosts file. 
- name: etc_hosts_snapshot - query: SELECT * FROM etc_hosts; ---- -apiVersion: v1 -kind: query -spec: - description: Snapshot query to retrieve the EC2 metadata for this endpoint - name: ec2_instance_metadata_snapshot - query: SELECT * FROM ec2_instance_metadata; ---- -apiVersion: v1 -kind: query -spec: - name: hardware_events - query: SELECT * FROM hardware_events; ---- -apiVersion: v1 -kind: query -spec: - description: Information about memory usage on the system - name: memory_info - query: SELECT * FROM memory_info; ---- -apiVersion: v1 -kind: query -spec: - description: Displays information from /proc/stat file about the time the CPU cores - spent in different parts of the system - name: cpu_time - query: SELECT * FROM cpu_time; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves all the entries in the target system /etc/hosts file. - name: etc_hosts - query: SELECT * FROM etc_hosts; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves information from the Operating System where osquery is currently - running. - name: os_version - query: SELECT * FROM os_version; ---- -apiVersion: v1 -kind: query -spec: - description: A snapshot of all processes running on the host. Useful for outlier - analysis. - name: processes_snapshot - query: select name, path, cmdline, cwd, on_disk from processes; ---- -apiVersion: v1 -kind: query -spec: - description: Retrieves the current list of USB devices in the target system. - name: usb_devices - query: SELECT * FROM usb_devices; ---- -apiVersion: v1 -kind: query -spec: - description: A line-delimited authorized_keys table. - name: authorized_keys - query: SELECT * FROM users CROSS JOIN authorized_keys USING (uid); ---- -apiVersion: v1 -kind: query -spec: - description: Display apt package manager sources. - name: apt_sources - query: SELECT * FROM apt_sources; ---- -apiVersion: v1 -kind: query -spec: - description: Gather information about processes that are listening on a socket. 
- name: listening_ports - query: SELECT pid, port, processes.path, cmdline, cwd FROM listening_ports JOIN processes USING (pid) WHERE port!=0; ---- -apiVersion: v1 -kind: query -spec: - description: Display yum package manager sources. - name: yum_sources - query: SELECT name, baseurl, enabled, gpgcheck FROM yum_sources; diff --git a/salt/fleet/files/packs/palantir/Fleet/Servers/options.yaml b/salt/fleet/files/packs/palantir/Fleet/Servers/options.yaml deleted file mode 100644 index 2329f085f..000000000 --- a/salt/fleet/files/packs/palantir/Fleet/Servers/options.yaml +++ /dev/null @@ -1,58 +0,0 @@ -apiVersion: v1 -kind: options -spec: - config: - decorators: - load: - - SELECT uuid AS host_uuid FROM system_info; - - SELECT hostname AS hostname FROM system_info; - file_paths: - binaries: - - /usr/bin/%% - - /usr/sbin/%% - - /bin/%% - - /sbin/%% - - /usr/local/bin/%% - - /usr/local/sbin/%% - configuration: - - /etc/passwd - - /etc/shadow - - /etc/ld.so.preload - - /etc/ld.so.conf - - /etc/ld.so.conf.d/%% - - /etc/pam.d/%% - - /etc/resolv.conf - - /etc/rc%/%% - - /etc/my.cnf - - /etc/modules - - /etc/hosts - - /etc/hostname - - /etc/fstab - - /etc/crontab - - /etc/cron%/%% - - /etc/init/%% - - /etc/rsyslog.conf - options: - audit_allow_config: true - audit_allow_sockets: true - audit_persist: true - disable_audit: false - events_expiry: 1 - events_max: 500000 - disable_distributed: false - disable_subscribers: user_events - distributed_interval: 10 - distributed_plugin: tls - distributed_tls_max_attempts: 3 - distributed_tls_read_endpoint: /api/v1/osquery/distributed/read - distributed_tls_write_endpoint: /api/v1/osquery/distributed/write - logger_min_status: 1 - logger_plugin: tls - logger_snapshot_event_type: true - logger_tls_endpoint: /api/v1/osquery/log - logger_tls_period: 10 - pack_delimiter: / - schedule_splay_percent: 10 - watchdog_memory_limit: 350 - watchdog_utilization_limit: 130 - overrides: {} 
diff --git a/salt/fleet/files/packs/palantir/LICENSE.md b/salt/fleet/files/packs/palantir/LICENSE.md deleted file mode 100755 index e9a9bab22..000000000 --- a/salt/fleet/files/packs/palantir/LICENSE.md +++ /dev/null @@ -1,22 +0,0 @@ -# License -MIT License - -Copyright (c) 2017 Palantir Technologies Inc. - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. diff --git a/salt/fleet/files/packs/palantir/README.md b/salt/fleet/files/packs/palantir/README.md deleted file mode 100755 index a7ea61a37..000000000 --- a/salt/fleet/files/packs/palantir/README.md +++ /dev/null 
@@ -1,164 +0,0 @@ -# Palantir osquery Configuration - -## About This Repository -This repository is the companion to the [osquery Across the Enterprise](https://medium.com/@palantir/osquery-across-the-enterprise-3c3c9d13ec55) blog post. - -The goal of this project is to provide a baseline template for any organization considering a deployment of osquery in a production environment. It is -our belief that queries which are likely to have a high level of utility for a large percentage of users should be committed directly to the osquery project, which is -exactly what we have done with our [unwanted-chrome-extensions](https://github.com/facebook/osquery/pull/3889) query pack and [additions](https://github.com/facebook/osquery/pull/3922) to the windows-attacks pack. - -However, we have included additional query packs -that are more tailored to our specific environment that may be useful to some or at least serve as a reference to other organizations. osquery operates best when -operators have carefully considered the datasets to be collected and the potential use-cases for that data. -* [performance-metrics.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/performance-metrics.conf) -* [security-tooling-checks.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/security-tooling-checks.conf) -* [windows-application-security.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/windows-application-security.conf) -* [windows-compliance.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/windows-compliance.conf) -* [windows-registry-monitoring.conf](https://github.com/palantir/osquery-configuration/blob/master/Classic/Endpoints/packs/windows-registry-monitoring.conf) - - -**Note**: We also utilize packs that are maintained in the official osquery project. 
In order to ensure you receive the most up to date version of the pack, please view them using the links below: -* [ossec-rootkit.conf](https://github.com/facebook/osquery/blob/master/packs/ossec-rootkit.conf) -* [osx-attacks.conf](https://github.com/facebook/osquery/blob/master/packs/osx-attacks.conf) -* [unwanted-chrome-extensions.conf](https://github.com/facebook/osquery/blob/master/packs/unwanted-chrome-extensions.conf) -* [windows-attacks.conf](https://github.com/facebook/osquery/blob/master/packs/windows-attacks.conf) - -## Repository Layout -This repository is organized as follows: -* At the top level, there are two directories titled "Classic" and "Fleet" - * The [Classic](./Classic/) directory contains configuration files for a standard osquery deployment - * The [Fleet](./Fleet/) directory contains YAML files to be imported into Kolide's [Fleet](https://github.com/kolide/fleet) osquery management tool - -Within each of those folders, you will find the following subdirectories: -* **Endpoints**: The contents of this folder are tailored towards monitoring MacOS and Windows endpoints that are not expected to be online at all times. You may notice the interval of many queries in this folder set to 28800. We purposely set the interval to this value because the interval timer only moves forward when a host is online and we would only expect an endpoint to be online for about 8 hours, or 28800 seconds, per day. -* **Servers**: The contents of this folder are tailored towards monitoring Linux servers. This configuration has process and network auditing enabled, so expect an exponentially higher volume of logs to be returned from the agent. - - -## Using This Repository -**Note**: We recommend that you spin up a lab environment before deploying any of these configurations to a production -environment. 
- -**Endpoints Configuration Overview** -* The configurations in this folder are meant for MacOS and Windows and the interval timings assume that these hosts are only online for ~8 hours per day -* The flags included in this configuration enable TLS client mode in osquery and assume it will be connected to a TLS server. We have also included non-TLS flagfiles for local testing. -* File integrity monitoring on MacOS is enabled for specific files and directories defined in [osquery.conf](./Classic/Endpoints/MacOS/osquery.conf) -* Events are disabled on Windows via the `--disable_events` flag in [osquery.flags](./Classic/Endpoints/Windows/osquery.flags). We use [Windows Event Forwarding](https://github.com/palantir/windows-event-forwarding) and don't have a need for osquery to process Windows event logs. -* These configuration files utilize packs within the [packs](./Classic/Endpoints/packs) folder and may generate errors if started without them - -**Servers Configuration Overview** -* This configuration assumes the destination operating system is Linux-based and that the hosts are online at all times -* Auditing mode is enabled for processes and network events. Ensure auditd is disabled or removed from the system where this will be running as it may conflict with osqueryd. -* File integrity monitoring is enabled for specific files and directories defined in [osquery.conf](./Classic/Servers/Linux/osquery.conf) -* Requires the [ossec-rootkit.conf](./Classic/Servers/Linux/packs/ossec-rootkit.conf) pack found to be located at `/etc/osquery/packs/ossec-rootkit.conf` -* The subscriber for `user_events` is disabled - -## Quickstart - Classic -1. [Install osquery](https://osquery.io/downloads/) -2. Copy the osquery.conf and osquery.flags files from this repository onto the system and match the directory structure shown below -3. Start osquery via `sudo osqueryctl start` on Linux/MacOS or `Start-Process osqueryd` on Windows -4. 
Logs are located in `/var/log/osquery` (Linux/MacOS) and `c:\ProgramData\osquery\logs` (Windows) - -## Quickstart - Fleet -Install Fleet version 2.0.0 or higher -2. [Enroll hosts to your Fleet server](https://github.com/kolide/fleet/blob/master/docs/infrastructure/adding-hosts-to-fleet.md) by configuring the appropriate [flags] -3. [Configure the fleetctl utility](https://github.com/kolide/fleet/blob/master/docs/cli/setup-guide.md#fleetctl-setup) to communicate with your Fleet server -4. Assuming you'd like to use the endpoint configs, you can use the commands below to apply them: - -``` -git clone https://github.com/palantir/osquery-configuration.git -fleetctl apply -f osquery-configuration/Fleet/Endpoints/options.yaml -fleetctl apply -f osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml -fleetctl apply -f osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml -for pack in osquery-configuration/Fleet/Endpoints/packs/*.yaml; - do fleetctl apply -f "$pack" -done -``` - -The desired osquery directory structure for Linux, MacOS, and Windows is outlined below: - -**Linux** -``` -$ git clone https://github.com/palantir/osquery-configuration.git -$ cp -R osquery-configuration/Fleet/Servers/Linux/* /etc/osquery -$ sudo osqueryctl start - -/etc/osquery -├── osquery.conf -├── osquery.db -├── osquery.flags -└── packs - └── ossec-rootkit.conf - -``` -**MacOS** -``` -$ git clone https://github.com/palantir/osquery-configuration.git -$ cp osquery-configuration/Fleet/Endpoints/MacOS/* /var/osquery -$ cp osquery-configuration/Fleet/Endpoints/packs/* /var/osquery/packs -$ mv /var/osquery/osquery_no_tls.flags /var/osquery/osquery.flags ## Non-TLS server testing -$ sudo osqueryctl start - -/var/osquery -├── certfile.crt [if using TLS endpoint] -├── osquery.conf -├── osquery.db -├── osquery.flags -└── packs - ├── performance-metrics.conf - ├── security-tooling-checks.conf - ├── unwanted-chrome-extensions.conf - └── osx-attacks.conf -``` - -**Windows** -``` -PS> git clone 
https://github.com/palantir/osquery-configuration.git -PS> copy-item osquery-configuration/Fleet/Endpoints/Windows/* c:\ProgramData\osquery -PS> copy-item osquery-configuration/Fleet/Endpoints/packs/* c:\ProgramData\osquery\packs -PS> copy-item c:\ProgramData\osquery\osquery_no_tls.flags c:\ProgramData\osquery\osquery.flags -force ## Non-TLS server testing -PS> start-service osqueryd - -c:\ProgramData\osquery -├── certfile.crt [if using TLS endpoint] -├── log -├── osquery.conf -├── osquery.db -├── osquery.flags -├── osqueryi.exe -├─── osqueryd -| └── osqueryd.exe -└── packs - ├── performance-metrics.conf - ├── security-tooling-checks.conf - ├── unwanted-chrome-extensions.conf - ├── windows-application-security.conf - ├── windows-compliance.conf - ├── windows-registry-monitoring.conf - └── windows-attacks.conf -``` - -## Contributing -Contributions, fixes, and improvements can be submitted directly against this project as a GitHub issue or pull request. - -## License -MIT License - -Copyright (c) 2017 Palantir Technologies Inc. - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. diff --git a/salt/fleet/files/packs/so/so-default.yml b/salt/fleet/files/packs/so/so-default.yml deleted file mode 100644 index b0a9d97b1..000000000 --- a/salt/fleet/files/packs/so/so-default.yml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: v1 -kind: query -spec: - name: users - description: Users on the system - query: select * from users; ---- -apiVersion: v1 -kind: query -spec: - name: chrome-extensions - description: Chrome extensions for all users on the system - query: select users.username,chrome_extensions.*,chrome_extensions.path from users cross join chrome_extensions using (uid) where identifier not in ('aapocclcgogkmnckokdopfmhonfmgoek', 'aohghmighlieiainnegkcijnfilokake', 'apdfllckaahabafndbhieahigkjlhalf','felcaaldnbdncclmgdcncolpebgiejap','pjkljhegncpnkpknbcohdijeoejaedia','pkedcjkdefgpdelpbcmbmeomcjbeemfm','blpcfgokakmgnkcojhhkbfbldkacnbeo','ghbmnnjooekpmoecnnnilnnbdlolhkhi','nmmhkkegccagdldgiimedpiccmgmieda'); ---- -apiVersion: v1 -kind: pack -spec: - name: examples - targets: - labels: - - All Hosts - queries: - - query: users - interval: 180 - removed: false - - query: chrome-extensions - interval: 180 - removed: false diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls deleted file mode 100644 index bfdb42efa..000000000 --- a/salt/fleet/init.sls +++ /dev/null 
@@ -1,149 +0,0 @@ -{# this state can run regardless if in allowed_states or not #} -{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%} -{%- set FLEETPASS = salt['pillar.get']('secrets:fleet', None) -%} -{%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -{% set FLEETARCH = salt['grains.get']('role') %} - -{% if FLEETARCH == "so-fleet" %} - {% set MAININT = salt['pillar.get']('host:mainint') %} - {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} -{% else %} - {% set MAINIP = salt['pillar.get']('global:managerip') %} -{% endif %} -{% set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %} - - -include: - - ssl - - mysql - -# Fleet Setup -fleetcdir: - file.directory: - - name: /opt/so/conf/fleet/etc - - user: 939 - - group: 939 - - makedirs: True - -fleetpackcdir: - file.directory: - - name: /opt/so/conf/fleet/packs - - user: 939 - - group: 939 - - makedirs: True - -fleetnsmdir: - file.directory: - - name: /nsm/osquery/fleet - - user: 939 - - group: 939 - - makedirs: True - -fleetpacksync: - file.recurse: - - name: /opt/so/conf/fleet/packs - - source: salt://fleet/files/packs - - user: 939 - - group: 939 - -fleetpackagessync: - file.recurse: - - name: /opt/so/conf/fleet/packages - - source: salt://fleet/packages/ - - user: 939 - - group: 939 - -fleetlogdir: - file.directory: - - name: /opt/so/log/fleet - - user: 939 - - group: 939 - - makedirs: True - -fleetdb: - mysql_database.present: - - name: fleet - - connection_host: {{ MAINIP }} - - connection_port: 3306 - - connection_user: root - - connection_pass: {{ MYSQLPASS }} - - require: - - sls: mysql - -fleetdbuser: - mysql_user.present: - - host: {{ DNET }}/255.255.255.0 - - password: {{ FLEETPASS }} - - connection_host: {{ MAINIP }} - - connection_port: 3306 - - 
connection_user: root - - connection_pass: {{ MYSQLPASS }} - - require: - - fleetdb - -fleetdbpriv: - mysql_grants.present: - - grant: all privileges - - database: fleet.* - - user: fleetdbuser - - host: {{ DNET }}/255.255.255.0 - - connection_host: {{ MAINIP }} - - connection_port: 3306 - - connection_user: root - - connection_pass: {{ MYSQLPASS }} - - require: - - fleetdb - - -{% if FLEETPASS == None or FLEETJWT == None %} - -fleet_password_none: - test.configurable_test_state: - - changes: False - - result: False - - comment: "Fleet MySQL Password or JWT Key Error - Not Starting Fleet" - -{% else %} - -so-fleet: - docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-fleet:{{ VERSION }} - - hostname: so-fleet - - port_bindings: - - 0.0.0.0:8080:8080 - - environment: - - FLEET_MYSQL_ADDRESS={{ MAINIP }}:3306 - - FLEET_REDIS_ADDRESS={{ MAINIP }}:6379 - - FLEET_MYSQL_DATABASE=fleet - - FLEET_MYSQL_USERNAME=fleetdbuser - - FLEET_MYSQL_PASSWORD={{ FLEETPASS }} - - FLEET_SERVER_CERT=/ssl/server.cert - - FLEET_SERVER_KEY=/ssl/server.key - - FLEET_LOGGING_JSON=true - - FLEET_AUTH_JWT_KEY= {{ FLEETJWT }} - - FLEET_FILESYSTEM_STATUS_LOG_FILE=/var/log/fleet/status.log - - FLEET_FILESYSTEM_RESULT_LOG_FILE=/var/log/osquery/result.log - - FLEET_SERVER_URL_PREFIX=/fleet - - FLEET_FILESYSTEM_ENABLE_LOG_ROTATION=true - - FLEET_FILESYSTEM_ENABLE_LOG_COMPRESSION=true - - binds: - - /etc/pki/fleet.key:/ssl/server.key:ro - - /etc/pki/fleet.crt:/ssl/server.cert:ro - - /opt/so/log/fleet:/var/log/fleet - - /nsm/osquery/fleet:/var/log/osquery - - /opt/so/conf/fleet/packs:/packs - - watch: - - /opt/so/conf/fleet/etc - - require: - - x509: fleet_key - - x509: fleet_crt - -append_so-fleet_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-fleet - -{% endif %} diff --git a/salt/fleet/install_package.sls b/salt/fleet/install_package.sls deleted file mode 100644 index 9063464d8..000000000 
--- a/salt/fleet/install_package.sls +++ /dev/null @@ -1,30 +0,0 @@ -{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) -%} -{%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) -%} -{%- set FLEETHOSTNAME = salt['pillar.get']('global:fleet_hostname', False) -%} -{%- set FLEETIP = salt['pillar.get']('global:fleet_ip', False) -%} -{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %} - -{% if CUSTOM_FLEET_HOSTNAME != (None and '') %} - -{{ CUSTOM_FLEET_HOSTNAME }}: - host.present: - - ip: {{ FLEETIP }} - - clean: True - -{% elif FLEETNODE and grains['role'] != 'so-fleet' %} - -{{ FLEETHOSTNAME }}: - host.present: - - ip: {{ FLEETIP }} - - clean: True - -{% endif %} - -launcherpkg: - pkg.installed: - - sources: - {% if grains['os'] == 'CentOS' %} - - launcher-final: salt://fleet/packages/launcher.rpm - {% elif grains['os'] == 'Ubuntu' %} - - launcher-final: salt://fleet/packages/launcher.deb - {% endif %} diff --git a/salt/fleet/packages/info.txt b/salt/fleet/packages/info.txt deleted file mode 100644 index 726dcf0d7..000000000 --- a/salt/fleet/packages/info.txt +++ /dev/null @@ -1 +0,0 @@ -Osquery Packages will be copied to this folder \ No newline at end of file diff --git a/salt/freqserver/init.sls b/salt/freqserver/init.sls deleted file mode 100644 index c550e7ce6..000000000 --- a/salt/freqserver/init.sls +++ /dev/null 
@@ -1,69 +0,0 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} - -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} - -# Create the user -fservergroup: - group.present: - - name: freqserver - - gid: 935 - -# Add ES user -freqserver: - user.present: - - uid: 935 - - gid: 935 - - home: /opt/so/conf/freqserver - - createhome: False - -# Create the log directory -freqlogdir: - file.directory: - - name: /opt/so/log/freq_server - - user: 935 - - group: 935 - - makedirs: True - -so-freqimage: - cmd.run: - - name: docker pull {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-freqserver:{{ VERSION }} - -so-freq: - docker_container.running: - - require: - - so-freqimage - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-freqserver:{{ VERSION }} - - hostname: freqserver - - name: so-freqserver - - user: freqserver - - binds: - - /opt/so/log/freq_server:/var/log/freq_server:rw - -append_so-freq_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-freq - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} - 
diff --git a/salt/grafana/defaults.yaml b/salt/grafana/grafana_defaults.yaml
similarity index 100%
rename from salt/grafana/defaults.yaml
rename to salt/grafana/grafana_defaults.yaml
diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls
index 667d2052b..f71bc3acb 100644
--- a/salt/grafana/init.sls
+++ b/salt/grafana/init.sls
@@ -7,7 +7,7 @@
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set ADMINPASS = salt['pillar.get']('secrets:grafana_admin') %}
-{% import_yaml 'grafana/defaults.yaml' as default_settings %}
+{% import_yaml 'grafana/grafana_defaults.yaml' as default_settings %}
 {% set GRAFANA_SETTINGS = salt['grains.filter_by'](default_settings, default='grafana', merge=salt['pillar.get']('grafana', {})) %}
 {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %}
diff --git a/salt/idh/init.sls b/salt/idh/init.sls
index 70a5d370d..bcde7212a 100644
--- a/salt/idh/init.sls
+++ b/salt/idh/init.sls
@@ -16,7 +16,7 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
-{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
+{% set VERSION = salt['pillar.get']('global:soversion') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set MAININT = salt['pillar.get']('host:mainint') %}
diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls
index a8d4c622c..fa08125f5 100644
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
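Review bot: Dropping the `'HH1.2.2'` fallback on `global:soversion` means a minion whose pillar lacks that key now renders `VERSION` as `None`; if `VERSION` feeds the container image tag here the way it does in the sibling states (`so-freqserver:{{ VERSION }}` in the deleted freqserver state), the result is a reference like `so-idh:None` and the only symptom is a pull failure. The old placeholder was just as unusable, so removing it is the right direction, but the state would be clearer if it failed on its own terms: guard the rest of the file with `{% if not VERSION %}` and a `test.fail_without_changes` whose `comment` names the missing `global:soversion` pillar. The enclosing `{% if sls in allowed_states %}` block continues outside this hunk.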
@@ -1,24 +1,15 @@
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
-{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
+{% set VERSION = salt['pillar.get']('global:soversion') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
-{% set ENGINE = salt['pillar.get']('global:mdengine', '') %}
+{% set ENGINE = salt['pillar.get']('global:mdengine') %}
 {% set proxy = salt['pillar.get']('manager:proxy') %}
 include:
diff --git a/salt/idstools/soc_idstools.yaml b/salt/idstools/soc_idstools.yaml
new file mode 100644
index 000000000..9b062c300
--- /dev/null
+++ b/salt/idstools/soc_idstools.yaml
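Review bot: `ENGINE` now defaults to `None` rather than `''` when `global:mdengine` is unset, which changes the failure mode for whatever tests it later in this file (outside the hunk): an equality comparison still simply fails to match, but any string operation or concatenation on `ENGINE` will now raise during Jinja rendering instead of producing an empty string. Since this hunk also drops the `'HH1.2.2'` fallback on `global:soversion`, one explicit guard near the top — `{% if not VERSION or not ENGINE %}` around a `test.fail_without_changes` whose comment names the missing pillar key — would make a mis-populated pillar fail with a readable message rather than a mangled image tag or a template error. The `{% if sls in allowed_states %}` block continues past the end of the hunk.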
@@ -0,0 +1,21 @@
+idstools:
+ config:
+ oinkcode:
+ description: Enter your registration code for paid rulesets.
+ global: True
+ ruleset:
+ description: Define the ruleset you want to run. Options are ETOPEN or ETPRO.
+ global: True
+ urls:
+ description: This is a list of additional rule download locations.
+ global: True
+ sids:
+ disabled:
+ description: List of disables SIDS.
+ global: True
+ enabled:
+ description: List of SIDS that are disabled by the rule source that you want to enable.
+ global: True
+ modify:
+ description: List of SIDS that are modified.
+ global: True
\ No newline at end of file
diff --git a/salt/idstools/sync_files.sls b/salt/idstools/sync_files.sls
index c74f5a19b..dee7dd01f 100644
--- a/salt/idstools/sync_files.sls
+++ b/salt/idstools/sync_files.sls
@@ -1,17 +1,8 @@
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 idstoolsdir:
 file.directory:
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
index f2bdc1a1a..637be9054 100644
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
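Review bot: The `sids.disabled` description reads `List of disables SIDS.`; these strings are presumably surfaced to operators in the SOC configuration UI, so fix the typo and use consistent casing: `description: List of SIDs to disable.`. `sids.modify` says only `List of SIDS that are modified.`, which does not tell a user what shape an entry takes — add one sentence giving the expected entry format, and write `SIDs` the same way in all three entries. `oinkcode` is a paid-ruleset credential: if this annotation schema has a way to mark a value as sensitive so the UI masks it and keeps it out of exports, it should be set on that key. The file also ends without a trailing newline.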
@@ -6,7 +6,7 @@ {% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] or (grains.role == 'so-eval' and GRAFANA == 1) %} {% set MANAGER = salt['grains.get']('master') %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% import_yaml 'influxdb/defaults.yaml' as default_settings %} {% set influxdb = salt['grains.filter_by'](default_settings, default='influxdb', merge=salt['pillar.get']('influxdb', {})) %} diff --git a/salt/influxdb/soc_influxdb.yaml b/salt/influxdb/soc_influxdb.yaml new file mode 100644 index 000000000..5dc8ef763 --- /dev/null +++ b/salt/influxdb/soc_influxdb.yaml @@ -0,0 +1,16 @@ +influxdb: + retention_policies: + so_short_term: + duration: 30d + description: Amount of time to keep short term data. + shard_duration: 1d + description: Time range + so_long_term: + duration: 0d + description: Amount of time to keep long term downsampled data. + shard_duration: 7d + description: Amount of the time range covered by the shard group. + downsample: + so_long_term: + resolution: 5m + description: Amount of time to turn into a single data point. \ No newline at end of file diff --git a/salt/kibana/bin/so-kibana-config-load b/salt/kibana/bin/so-kibana-config-load index e19f25439..a642e9e55 100644 --- a/salt/kibana/bin/so-kibana-config-load +++ b/salt/kibana/bin/so-kibana-config-load @@ -1,4 +1,9 @@ #!/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {%- set MANAGER = salt['pillar.get']('global:url_base', '') %} {%- set ENDGAMEHOST = salt['pillar.get']('soc:endgamehost', 'ENDGAMEHOST') %} . /usr/sbin/so-common 
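Review bot: In the new `soc_influxdb.yaml` the `shard_duration` description under `so_short_term` is just `Time range`, while the matching entry under `so_long_term` says `Amount of the time range covered by the shard group.`; use the same wording in both. `so_long_term.duration: 0d` presumably means unbounded retention — if so, say that in the description, because `Amount of time to keep long term downsampled data.` next to `0d` reads as "keep nothing". In the collapsed text each retention policy also appears to carry two `description` keys at the same level; if they really are siblings, YAML keeps only the last one, so confirm the indentation in the actual file.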
@@ -34,13 +39,13 @@ import() { sed -i "s/ENDGAMEHOST/{{ ENDGAMEHOST }}/g" "$ndjson_file" fi - wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}" + wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "curl -K /opt/so/conf/elasticsearch/curl.config" RETURN_CODE=$? - SESSIONCOOKIE=$({{ ELASTICCURL }} -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') + SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') # Load saved objects - RESPONSE=$({{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/saved_objects/_import?overwrite=true" -H "kbn-xsrf: true" --form file=@"$ndjson_file") + RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/saved_objects/_import?overwrite=true" -H "kbn-xsrf: true" --form file=@"$ndjson_file") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi if [[ "$RETURN_CODE" != "1" ]]; then 
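Review bot: The literal `curl -K /opt/so/conf/elasticsearch/curl.config` is now spelled out four times across this hunk and the `update()` hunk that follows, which is exactly how the typo in the `PUT` call below crept in; define it once near the top of the script, `ELASTICCURL="curl -K /opt/so/conf/elasticsearch/curl.config"`, and use `$ELASTICCURL` in all four places (or keep passing it in from the state as before). That config file presumably carries the Elasticsearch credentials, so the state that writes it should keep it owner-readable only; that is outside this diff, but worth checking since the script now hard-wires the path. `import()` starts before this hunk and continues after it.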
@@ -54,12 +59,12 @@ import() { update() { local BASENAME=$(basename $1 | cut -d'.' -f1) if [ ! -f "/opt/so/state/kibana_$BASENAME.txt" ]; then - wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "{{ ELASTICCURL }}" + wait_for_web_response "http://localhost:5601/app/kibana" "Elastic" 300 "curl -K /opt/so/conf/elasticsearch/curl.config" RETURN_CODE=$? IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do - RESPONSE=$({{ ELASTICCURL }} -X PUT "localhost:5601/api/saved_objects/config/8.3.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") + RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config-X PUT "localhost:5601/api/saved_objects/config/8.4.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done diff --git a/salt/kibana/config.map.jinja b/salt/kibana/config.map.jinja index cadfcab4e..32768a5eb 100644 --- a/salt/kibana/config.map.jinja +++ b/salt/kibana/config.map.jinja 
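Review bot: The rewritten `PUT` line is missing the space before `-X`: with `curl -K /opt/so/conf/elasticsearch/curl.config-X PUT ...` curl will most likely look for a config file named `curl.config-X` (a warning, not an error), treat `PUT` as an extra URL and send the request without the credentials and without the intended method, so the saved-object update fails on every node. It should read `RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.4.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")`. The `8.4.1` in the URL must also stay in step with the `id` in `config_saved_objects.ndjson`, which this commit bumps separately; deriving both from one version variable would remove that coupling. `update()` continues outside the hunk.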
@@ -1,11 +1,7 @@ {% import_yaml 'kibana/defaults.yaml' as KIBANACONFIG with context %} {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} -{% if salt['pillar.get']('elasticsearch:auth:enabled', False) %} - {% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %} -{% else %} - {% do KIBANACONFIG.kibana.config.xpack.update({'security': {'authc': {'providers': {'anonymous': {'anonymous1': {'order': 0, 'credentials': 'elasticsearch_anonymous_user'}}}}}}) %} -{% endif %} +{% do KIBANACONFIG.kibana.config.elasticsearch.update({'username': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:user'), 'password': salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass')}) %} {% if salt['pillar.get']('kibana:secrets') %} {% do KIBANACONFIG.kibana.config.xpack.update({'encryptedSavedObjects': {'encryptionKey': pillar['kibana']['secrets']['encryptedSavedObjects']['encryptionKey']}}) %} diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index de78fc12c..6480c9e55 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -8,7 +8,7 @@ kibana: publicBaseUrl: https://{{salt['pillar.get']('global:url_base')}}/kibana elasticsearch: hosts: - - https://{{salt['pillar.get']('manager:mainip')}}:9200 + - https://{{salt['pillar.get']('global:managerip')}}:9200 ssl: verificationMode: none requestTimeout: 90000 
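Review bot: In `config.map.jinja` the Kibana credentials are now applied unconditionally, but both `pillar.get` calls have no default, so a pillar missing `elasticsearch:auth:users:so_kibana_user` renders Kibana with an empty username and password and the failure only shows up as authentication errors at runtime. Dropping the anonymous-provider fallback is the right direction, so rather than shipping empty credentials fail the render: `{% if not salt['pillar.get']('elasticsearch:auth:users:so_kibana_user:pass') %}{{ raise('so_kibana_user credentials missing from pillar') }}{% endif %}` before the `update()` call. The `defaults.yaml` hunk on this line only changes the host source and needs nothing further.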
@@ -33,3 +33,60 @@ kibana: reporting: kibanaServer: hostname: localhost + fleet: + packages: + - name: fleet_server + version: latest + - name: osquery_manager + version: latest + - name: system + version: latest + - name: windows + version: latest + agentPolicies: + - name: SO-Manager + id: so-manager + description: "SO Manager Fleet Server Policy" + namespace: default + is_default_fleet_server: true + monitoring_enabled: ['logs'] + package_policies: + - name: fleet-server_manager + package: + name: fleet_server + - name: SO-Grid-Nodes + id: so-grid-nodes + description: "SO Grid Node Policy" + namespace: default + monitoring_enabled: ['logs'] + package_policies: + - name: osquery-grid-nodes + package: + name: osquery_manager + - name: system-grid-nodes + package: + name: system + inputs: + - type: system/metrics + enabled: false + - name: Endpoints-Initial + id: endpoints + description: "Initial Endpoint Policy" + namespace: default + monitoring_enabled: ['logs'] + package_policies: + - name: system-endpoints + package: + name: system + inputs: + - type: system/metrics + enabled: false + - name: osquery-endpoints + package: + name: osquery_manager + - name: windows-endpoints + package: + name: windows + inputs: + - type: windows/metrics + enabled: false \ No newline at end of file diff --git a/salt/kibana/files/config_saved_objects.ndjson b/salt/kibana/files/config_saved_objects.ndjson index 4ec8f9ca7..68beb2dab 100644 --- a/salt/kibana/files/config_saved_objects.ndjson +++ b/salt/kibana/files/config_saved_objects.ndjson 
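Review bot: Every Fleet package in the new `fleet.packages` list is pinned to `version: latest`, so what gets installed into the agent policies depends on what the package registry serves at install time rather than on this commit; installs are not reproducible and a package update lands on every fresh or re-run deployment without review. Pin `fleet_server`, `osquery_manager`, `system` and `windows` to explicit versions and bump them deliberately, the same way the Kibana saved-object version is pinned elsewhere in this commit. A one-line comment above `fleet:` saying that these defaults are merged with the `kibana` pillar (as `init.sls` does with `grains.filter_by`) would also help readers who only open this file.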
@@ -1 +1 @@ -{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.3.2","id": "8.3.2","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} +{"attributes": {"buildNum": 39457,"defaultIndex": "2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.4.1","id": "8.4.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="} diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index ff88b731a..11361cb5c 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls 
@@ -1,10 +1,12 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -{% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %} {% import_yaml 'kibana/defaults.yaml' as default_settings %} {% set KIBANA_SETTINGS = salt['grains.filter_by'](default_settings, default='kibana', merge=salt['pillar.get']('kibana', {})) %} @@ -73,19 +75,17 @@ kibanabin: - source: salt://kibana/bin/so-kibana-config-load - mode: 755 - template: jinja - - defaults: - ELASTICCURL: {{ ELASTICAUTH.elasticcurl }} # Start the kibana docker so-kibana: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-kibana:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kibana:{{ GLOBALS.so_version }} - hostname: kibana - user: kibana - environment: - - ELASTICSEARCH_HOST={{ MANAGER }} + - ELASTICSEARCH_HOST={{ GLOBALS.manager }} - ELASTICSEARCH_PORT=9200 - - MANAGER={{ MANAGER }} + - MANAGER={{ GLOBALS.manager }} - binds: - /opt/so/conf/kibana/etc:/usr/share/kibana/config:rw - /opt/so/log/kibana:/var/log/kibana:rw diff --git a/salt/kibana/secrets.sls b/salt/kibana/secrets.sls index 16438f528..f97aa4d59 100644 --- a/salt/kibana/secrets.sls +++ b/salt/kibana/secrets.sls 
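Review bot: With the `ELASTICCURL` default no longer passed into `so-kibana-config-load`, the script now depends on `/opt/so/conf/elasticsearch/curl.config` existing on the host when it runs, but nothing in this hunk orders `kibanabin` (or the state that executes the script) after the state that writes that file; unless that ordering is established elsewhere, add a `require` on it so a fresh install cannot run the loader before the credentials file exists. The `kibanabin` state starts before the hunk. The image line uses `GLOBALS.registry_host` while `ELASTICSEARCH_HOST` and `MANAGER` use `GLOBALS.manager`, which matches `kratos/init.sls` in this commit but not `logstash/init.sls`.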
@@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} diff --git a/salt/kibana/so_config_load.sls b/salt/kibana/so_config_load.sls index 9730882fc..ea9655688 100644 --- a/salt/kibana/so_config_load.sls +++ b/salt/kibana/so_config_load.sls @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + include: - kibana diff --git a/salt/kibana/so_dashboard_load.sls b/salt/kibana/so_dashboard_load.sls index 9245ff94d..26cc13f83 100644 --- a/salt/kibana/so_dashboard_load.sls +++ b/salt/kibana/so_dashboard_load.sls @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %} include: - kibana diff --git a/salt/kibana/so_savedobjects_defaults.sls b/salt/kibana/so_savedobjects_defaults.sls index 4cf6cef34..135053c68 100644 --- a/salt/kibana/so_savedobjects_defaults.sls +++ b/salt/kibana/so_savedobjects_defaults.sls 
@@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + include: - kibana - kibana.so_config_load diff --git a/salt/kibana/so_securitySolution_load.sls b/salt/kibana/so_securitySolution_load.sls index 0a92c749b..0f72adcda 100644 --- a/salt/kibana/so_securitySolution_load.sls +++ b/salt/kibana/so_securitySolution_load.sls @@ -1,3 +1,8 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + include: - kibana diff --git a/salt/kibana/soc_kibana.yaml b/salt/kibana/soc_kibana.yaml new file mode 100644 index 000000000..80e15df85 --- /dev/null +++ b/salt/kibana/soc_kibana.yaml @@ -0,0 +1,5 @@ +kibana: + config: + elasticsearch: + requestTimeout: 90000 + description: Request timeout length. diff --git a/salt/kratos/files/kratos.yaml b/salt/kratos/files/kratos.yaml index b300eac48..b9561b4fd 100644 --- a/salt/kratos/files/kratos.yaml +++ b/salt/kratos/files/kratos.yaml @@ -1,7 +1,7 @@ {%- set WEBACCESS = salt['pillar.get']('global:url_base', '') -%} {%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%} -{%- set SESSIONTIMEOUT = salt['pillar.get']('kratos:sessiontimeout', '24h') -%} -{%- set MFA_ISSUER = salt['pillar.get']('kratos:mfa_issuer', 'Security Onion') -%} +{%- set SESSIONTIMEOUT = salt['pillar.get']('kratos:sessiontimeout', '') -%} +{%- set MFA_ISSUER = salt['pillar.get']('kratos:mfa_issuer', '') -%} session: lifespan: {{ SESSIONTIMEOUT }} 
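Review bot: In `kratos/files/kratos.yaml`, dropping the `'24h'` fallback means an unset `kratos:sessiontimeout` now renders `lifespan:` with an empty value; whether Kratos rejects that config or silently falls back to its own default I can't tell from here, but neither is a good way to discover a missing pillar key, and session lifetime is a security control that should always be set explicitly. Either keep the explicit default, `{%- set SESSIONTIMEOUT = salt['pillar.get']('kratos:sessiontimeout', '24h') -%}`, or fail the render when the value is empty. The same applies to `MFA_ISSUER`, where an empty string ends up as a blank issuer label in users' authenticator apps.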
diff --git a/salt/kratos/init.sls b/salt/kratos/init.sls index e44c09b63..40e2d4fdd 100644 --- a/salt/kratos/init.sls +++ b/salt/kratos/init.sls @@ -1,9 +1,11 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} +{% from 'vars/globals.map.jinja' import GLOBALS %} # Add Kratos Group kratosgroup: @@ -51,7 +53,7 @@ kratos_yaml: so-kratos: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-kratos:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-kratos:{{ GLOBALS.so_version }} - hostname: kratos - name: so-kratos - binds: @@ -78,7 +80,7 @@ append_so-kratos_so-status.conf: wait_for_kratos: http.wait_for_successful_query: - - name: 'http://{{ MANAGER }}:4434/' + - name: 'http://{{ GLOBALS.manager }}:4434/' - ssl: True - verify_ssl: False - status: diff --git a/salt/logstash/dmz_nodes.yaml b/salt/logstash/dmz_nodes.yaml index 982f72080..460088a7d 100644 --- a/salt/logstash/dmz_nodes.yaml +++ b/salt/logstash/dmz_nodes.yaml 
@@ -1,3 +1,9 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # Do not edit this file. Copy it to /opt/so/saltstack/local/salt/logstash/ and make changes there. It should be formatted as a list. # logstash: # dmz_nodes: @@ -6,4 +12,4 @@ # - mydmznodehostname3 logstash: - dmz_nodes: + dmz_nodes: \ No newline at end of file diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index fc397938c..cb94d60b2 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls 
@@ -1,48 +1,30 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} - {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} - {% set MANAGER = salt['grains.get']('master') %} - {% set MANAGERIP = salt['pillar.get']('global:managerip') %} + {% from 'logstash/map.jinja' import REDIS_NODES with context %} + {% from 'vars/globals.map.jinja' import GLOBALS %} # Logstash Section - Decide which pillar to use - {% set lsheap = salt['pillar.get']('logstash_settings:lsheap', '') %} - {% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} - {% set freq = salt['pillar.get']('manager:freq', '0') %} - {% set dstats = salt['pillar.get']('manager:domainstats', '0') %} - {% set nodetype = salt['grains.get']('role', '') %} - {% elif grains['role'] == 'so-helix' %} - {% set freq = salt['pillar.get']('manager:freq', '0') %} - {% set dstats = 
salt['pillar.get']('manager:domainstats', '0') %} - {% set nodetype = salt['grains.get']('role', '') %} + {% set lsheap = salt['pillar.get']('logstash_settings:lsheap') %} + {% if GLOBALS.role in ['so-eval','so-managersearch', 'so-manager', 'so-standalone'] %} + {% set nodetype = GLOBALS.role %} {% endif %} {% set PIPELINES = salt['pillar.get']('logstash:pipelines', {}) %} {% set DOCKER_OPTIONS = salt['pillar.get']('logstash:docker_options', {}) %} {% set TEMPLATES = salt['pillar.get']('elasticsearch:templates', {}) %} - {% from 'logstash/map.jinja' import REDIS_NODES with context %} - include: - ssl -{% if grains.role not in ['so-receiver'] %} + {% if GLOBALS.role not in ['so-receiver'] %} - elasticsearch -{% endif %} + {% endif %} # Create the logstash group logstashgroup: @@ -150,7 +132,7 @@ lslogdir: so-logstash: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-logstash:{{ VERSION }} + - image: {{ GLOBALS.manager }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ GLOBALS.so_version }} - hostname: so-logstash - name: so-logstash - user: logstash 
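Review bot: The `so-helix` branch that used to set `nodetype` is gone, so on a helix node `nodetype` is now undefined while the role still appears in the bind-mount role lists further down this file; if `nodetype` is referenced later (not visible from this hunk), add `so-helix` to the `{% if GLOBALS.role in [...] %}` list or remove the role everywhere. `lsheap` also lost its `''` default, which is harmless only because that is the implicit `pillar.get` default. This hunk begins at the top of the file and the `include:` block continues unchanged after it.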
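Review bot: The logstash image now comes from `{{ GLOBALS.manager }}:5000/...`, whereas `kibana/init.sls` and `kratos/init.sls` in this same commit use `{{ GLOBALS.registry_host }}:5000/...`; if the registry host is ever separated from the manager this node pulls from the wrong registry. Use `- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-logstash:{{ GLOBALS.so_version }}` for consistency. The `so-logstash` state continues after the hunk.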
@@ -171,24 +153,22 @@ so-logstash: - /opt/so/log/logstash:/var/log/logstash:rw - /sys/fs/cgroup:/sys/fs/cgroup:ro - /opt/so/conf/logstash/etc/certs:/usr/share/logstash/certs:ro - {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %} + {% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-receiver'] %} - /etc/pki/filebeat.crt:/usr/share/logstash/filebeat.crt:ro - /etc/pki/filebeat.p8:/usr/share/logstash/filebeat.key:ro {% endif %} - {% if grains['role'] in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %} + {% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %} - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro {% else %} - /etc/ssl/certs/intca.crt:/usr/share/filebeat/ca.crt:ro {% endif %} - {% if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-node'] %} + {% if GLOBALS.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-searchnode'] %} - /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro - /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro {% endif %} - {%- if grains['role'] == 'so-eval' %} + {%- if GLOBALS.role == 'so-eval' %} - /nsm/zeek:/nsm/zeek:ro - /nsm/suricata:/suricata:ro - - /nsm/wazuh/logs/alerts:/wazuh/alerts:ro - - /nsm/wazuh/logs/archives:/wazuh/archives:ro - /opt/so/log/fleet/:/osquery/logs:ro - /opt/so/log/strelka:/strelka:ro {%- endif %} diff --git a/salt/logstash/map.jinja b/salt/logstash/map.jinja index 5f27a17e2..d921615c7 100644 --- a/salt/logstash/map.jinja +++ b/salt/logstash/map.jinja 
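Review bot: The three bind-mount conditions each carry their own inline role list and only the third is touched by the `so-node` → `so-searchnode` rename, which makes it easy to miss one on the next rename; moving the lists into named variables in `logstash/map.jinja` (already imported at the top of this file) would keep them in one place. Note that `so-searchnode` is now in the CA-trust list but not in the list that mounts `filebeat.crt`/`filebeat.key`, so a search node cannot serve the new `elastic_agent` input unless that is intended. The `so-logstash` state starts before this hunk.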
@@ -2,7 +2,7 @@ {% set REDIS_NODES = [] %} {% set mainint = salt['pillar.get']('host:mainint') %} {% set localhostip = salt['grains.get']('ip_interfaces').get(mainint)[0] %} -{% if role in ['so-node', 'so-standalone', 'so-managersearch'] %} +{% if role in ['so-searchnode', 'so-standalone', 'so-managersearch'] %} {% set node_data = salt['pillar.get']('logstash:nodes') %} {% for node_type, node_details in node_data.items() | sort %} {% if node_type in ['manager', 'managersearch', 'standalone', 'receiver' ] %} diff --git a/salt/logstash/pipelines/config/so/0008_input_fleet_livequery.conf.jinja b/salt/logstash/pipelines/config/so/0008_input_fleet_livequery.conf.jinja deleted file mode 100644 index 83aa0c02d..000000000 --- a/salt/logstash/pipelines/config/so/0008_input_fleet_livequery.conf.jinja +++ /dev/null @@ -1,19 +0,0 @@ -{%- set MANAGER = salt['grains.get']('master') %} -{%- set THREADS = salt['pillar.get']('logstash_settings:ls_input_threads', '') %} -{% set BATCH = salt['pillar.get']('logstash_settings:ls_pipeline_batch_size', 125) %} - -input { - redis { - host => '{{ MANAGER }}' - port => 6379 - data_type => 'pattern_channel' - key => 'results_*' - type => 'live_query' - add_field => { - "module" => "osquery" - "dataset" => "live_query" - } - threads => {{ THREADS }} - batch_count => {{ BATCH }} - } -} diff --git a/salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf b/salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf new file mode 100644 index 000000000..ba89001b6 --- /dev/null +++ b/salt/logstash/pipelines/config/so/0012_input_elastic_agent.conf @@ -0,0 +1,12 @@ +input { + elastic_agent { + port => 5055 + tags => [ "elastic-agent" ] + ssl => true + ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"] + ssl_certificate => "/usr/share/logstash/filebeat.crt" + ssl_key => "/usr/share/logstash/filebeat.key" + ssl_verify_mode => "force_peer" + ecs_compatibility => v8 + } +} 
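Review bot: The new `elastic_agent` input listens on `5055` with `ssl_verify_mode => "force_peer"`, which is the right choice (agents must present a certificate signed by the mounted CA), but `/usr/share/logstash/filebeat.crt` and `/usr/share/logstash/filebeat.key` are only bind-mounted into the container for the manager/receiver-type roles in `logstash/init.sls`, so assigning this pipeline to any other role would stop Logstash from starting; I can't see the pipeline assignment from here. Nothing in this commit opens port 5055 in the firewall state either, so confirm that is handled and limited to agent sources. A short comment at the top of the file naming where the CA bundle at `/usr/share/filebeat/ca.crt` comes from (`/etc/pki/ca.crt` on manager-type roles, `/etc/ssl/certs/intca.crt` elsewhere, per `init.sls`) would help the next reader.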
diff --git a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja index 772a97e17..f0aa95aeb 100644 --- a/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja +++ b/salt/logstash/pipelines/config/so/9000_output_zeek.conf.jinja @@ -1,8 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { @@ -10,10 +6,8 @@ output { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-zeek" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja index 58a78c08a..3e34648f8 100644 --- a/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja +++ b/salt/logstash/pipelines/config/so/9002_output_import.conf.jinja @@ -1,8 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { 
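Review bot: In `9000_output_zeek.conf.jinja` the `user`/`password` options are now emitted unconditionally, but `ES_USER` and `ES_PASS` still default to `''`, so a pillar lacking the `so_elastic_user` entries renders `user => ""` / `password => ""` and Logstash only fails at connect time with an auth error; drop the `''` defaults or fail the render when they are empty. The same pattern is repeated in `9002_output_import`, `9004_output_flow`, `9033_output_snort`, `9034_output_syslog`, `9050_output_filebeatmodules`, `9100_output_osquery`, `9101_output_osquery_livequery`, `9200_output_firewall`, `9400_output_suricata`, `9500_output_beats` and `9600_output_ossec`. Now that `hosts` is the master hostname rather than an IP, the unchanged `ssl_certificate_verification => false` is no longer forced by the address form and could be revisited. The `output {` block continues past the hunk.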
@@ -10,10 +6,8 @@ output { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-import" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja index 88fe0d2b7..58505e285 100644 --- a/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja +++ b/salt/logstash/pipelines/config/so/9004_output_flow.conf.jinja @@ -1,18 +1,12 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [event_type] == "sflow" { elasticsearch { hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-flow" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja index 5ce7ee343..b5ef19d65 100644 --- a/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja +++ b/salt/logstash/pipelines/config/so/9033_output_snort.conf.jinja 
@@ -1,18 +1,12 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { if [event_type] == "ids" and "import" not in [tags] { elasticsearch { hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-ids" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja index b222ec2e1..cce5cbc7e 100644 --- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja +++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja @@ -1,8 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { @@ -10,10 +6,8 @@ output { elasticsearch { pipeline => "%{module}" hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-syslog" ssl => true ssl_certificate_verification => false 
diff --git a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja index ef460d463..1fa0967f5 100644 --- a/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja +++ b/salt/logstash/pipelines/config/so/9050_output_filebeatmodules.conf.jinja @@ -1,8 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { @@ -11,10 +7,8 @@ output { id => "filebeat_modules_metadata_pipeline" pipeline => "%{[metadata][pipeline]}" hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-%{[event][module]}-%{+YYYY.MM.dd}" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja index 745ebeb19..ef55e2441 100644 --- a/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9100_output_osquery.conf.jinja @@ -1,8 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} output { 
@@ -10,10 +6,8 @@ output { elasticsearch { pipeline => "%{module}.%{dataset}" hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-osquery" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja index aa4af89fd..8d661b8cc 100644 --- a/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja +++ b/salt/logstash/pipelines/config/so/9101_output_osquery_livequery.conf.jinja @@ -1,9 +1,4 @@ -{%- if grains['role'] == 'so-eval' -%} -{%- set ES = salt['pillar.get']('manager:mainip', '') -%} -{%- else %} -{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%} -{%- endif %} -{%- set FEATURES = salt['pillar.get']('elastic:features', False) %} +{%- set ES = salt['grains.get']('master') -%} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} @@ -32,10 +27,8 @@ output { elasticsearch { pipeline => "osquery.live_query" hosts => "{{ ES }}" -{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} user => "{{ ES_USER }}" password => "{{ ES_PASS }}" -{% endif %} index => "so-osquery" ssl => true ssl_certificate_verification => false diff --git a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja index f6b8d4098..8738a81c8 100644 --- a/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja +++ b/salt/logstash/pipelines/config/so/9200_output_firewall.conf.jinja 
@@ -1,18 +1,12 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
-{%- endif %}
+{%- set ES = salt['grains.get']('master') -%}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 output {
 if [dataset] =~ "firewall" {
 elasticsearch {
 hosts => "{{ ES }}"
-{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 user => "{{ ES_USER }}"
 password => "{{ ES_PASS }}"
-{% endif %}
 index => "so-firewall"
 ssl => true
 ssl_certificate_verification => false
diff --git a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
index 598e9c741..b2a9cccc5 100644
--- a/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9400_output_suricata.conf.jinja
@@ -1,8 +1,4 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
-{%- endif %}
+{%- set ES = salt['grains.get']('master') -%}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 output {
@@ -10,10 +6,8 @@ output {
 elasticsearch {
 pipeline => "%{module}.%{dataset}"
 hosts => "{{ ES }}"
-{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 user => "{{ ES_USER }}"
 password => "{{ ES_PASS }}"
-{% endif %}
 index => "so-ids"
 ssl => true
 ssl_certificate_verification => false
diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
index 03326a320..84e9e10e8 100644
--- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
@@ -1,8 +1,4 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
-{%- endif %}
+{%- set ES = salt['grains.get']('master') -%}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 output {
@@ -11,10 +7,8 @@ output {
 elasticsearch {
 pipeline => "beats.common"
 hosts => "{{ ES }}"
- {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 user => "{{ ES_USER }}"
 password => "{{ ES_PASS }}"
- {% endif %}
 index => "so-beats"
 ssl => true
 ssl_certificate_verification => false
@@ -24,10 +18,8 @@ output {
 elasticsearch {
 pipeline => "beats.common"
 hosts => "{{ ES }}"
- {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 user => "{{ ES_USER }}"
 password => "{{ ES_PASS }}"
- {% endif %}
 index => "so-beats"
 ssl => true
 ssl_certificate_verification => false
diff --git a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
index 4555fb8bb..fa9726f1f 100644
--- a/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9600_output_ossec.conf.jinja
@@ -1,8 +1,4 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
-{%- endif %}
+{%- set ES = salt['grains.get']('master') -%}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 output {
@@ -10,10 +6,8 @@ output {
 elasticsearch {
 pipeline => "%{module}"
 hosts => "{{ ES }}"
-{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 user => "{{ ES_USER }}"
 password => "{{ ES_PASS }}"
-{% endif %}
 index => "so-ossec"
 ssl => true
 ssl_certificate_verification => false
diff --git a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
index 09a677d1f..3eb8a164a 100644
--- a/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9700_output_strelka.conf.jinja
@@ -1,8 +1,4 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
-{%- endif %}
+{%- set ES = salt['grains.get']('master') -%}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 output {
@@ -10,10 +6,8 @@ output {
 elasticsearch {
 pipeline => "%{module}.%{dataset}"
 hosts => "{{ ES }}"
-{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 user => "{{ ES_USER }}"
 password => "{{ ES_PASS }}"
-{% endif %}
 index => "so-strelka"
 ssl => true
 ssl_certificate_verification => false
diff --git a/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja b/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja
index 8bfa166c4..0e633a1b8 100644
--- a/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9800_output_logscan.conf.jinja
@@ -1,8 +1,4 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
-{%- endif %}
+{%- set ES = salt['grains.get']('master') -%}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
@@ -12,10 +8,8 @@ output {
 id => "logscan_pipeline"
 pipeline => "logscan.alert"
 hosts => "{{ ES }}"
- {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 user => "{{ ES_USER }}"
 password => "{{ ES_PASS }}"
- {% endif %}
 index => "so-logscan"
 ssl => true
 ssl_certificate_verification => false
diff --git a/salt/logstash/pipelines/config/so/9801_output_rita.conf.jinja b/salt/logstash/pipelines/config/so/9801_output_rita.conf.jinja
index 40c6ad33c..fcbba67e6 100644
--- a/salt/logstash/pipelines/config/so/9801_output_rita.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9801_output_rita.conf.jinja
@@ -1,8 +1,4 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
-{%- endif %}
+{%- set ES = salt['grains.get']('master') -%}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 output {
@@ -10,10 +6,8 @@ output {
 elasticsearch {
 pipeline => "%{module}.%{dataset}"
 hosts => "{{ ES }}"
-{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 user => "{{ ES_USER }}"
 password => "{{ ES_PASS }}"
-{% endif %}
 index => "so-rita"
 ssl => true
 ssl_certificate_verification => false
diff --git a/salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja b/salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja
deleted file mode 100644
index c57b16055..000000000
--- a/salt/logstash/pipelines/config/so/9802_output_kratos.conf.jinja
+++ /dev/null
@@ -1,22 +0,0 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
-{%- endif %}
-{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
-{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
-output {
- if [module] =~ "kratos" and "import" not in [tags] {
- elasticsearch {
- pipeline => "kratos"
- hosts => "{{ ES }}"
-{% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
- user => "{{ ES_USER }}"
- password => "{{ ES_PASS }}"
-{% endif %}
- index => "so-kratos"
- ssl => true
- ssl_certificate_verification => false
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja b/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja
new file mode 100644
index 000000000..ae5de7f54
--- /dev/null
+++ b/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja
@@ -0,0 +1,17 @@
+{%- set ES = salt['grains.get']('master') -%}
+{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
+{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
+output {
+ if "elastic-agent" in [tags] and "import" not in [tags] {
+ elasticsearch {
+ hosts => "{{ ES }}"
+ ecs_compatibility => v8
+ data_stream => true
+ user => "{{ ES_USER }}"
+ password => "{{ ES_PASS }}"
+ ssl => true
+ ssl_certificate_verification => false
+ }
+ }
+}
+
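Review bot: The new elastic-agent output keeps `ssl_certificate_verification => false`, so the `so_elastic_user` credentials are sent to whatever answers for the `master` grain name without the Elasticsearch endpoint being authenticated; that matches the existing outputs, but this file is new code and the natural place to stop propagating the override. Pointing the output at the manager's own CA through the plugin's `cacert` option and dropping the `ssl_certificate_verification` line would authenticate the peer without changing anything else here. A one-line comment above `data_stream => true` noting that the target data stream is derived from the event rather than from an `index` setting would also explain to the next reader why this output, unlike its siblings, sets no `index`.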
diff --git a/salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja b/salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja
index b5920fe40..6f7dc4b34 100644
--- a/salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja
+++ b/salt/logstash/pipelines/config/so/9900_output_endgame.conf.jinja
@@ -1,8 +1,4 @@
-{%- if grains['role'] == 'so-eval' -%}
-{%- set ES = salt['pillar.get']('manager:mainip', '') -%}
-{%- else %}
-{%- set ES = salt['pillar.get']('elasticsearch:mainip', '') -%}
-{%- endif %}
+{%- set ES = salt['grains.get']('master') -%}
 {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %}
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 filter {
@@ -17,10 +13,8 @@ output {
 elasticsearch {
 id => "endgame_es_output"
 hosts => "{{ ES }}"
- {% if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}
 user => "{{ ES_USER }}"
 password => "{{ ES_PASS }}"
- {% endif %}
 index => "endgame-%{+YYYY.MM.dd}"
 ssl => true
 ssl_certificate_verification => false
diff --git a/salt/logstash/pipelines/config/so/9997_output_helix.conf.jinja b/salt/logstash/pipelines/config/so/9997_output_helix.conf.jinja
deleted file mode 100644
index aa586d3b6..000000000
--- a/salt/logstash/pipelines/config/so/9997_output_helix.conf.jinja
+++ /dev/null
@@ -1,160 +0,0 @@
-{% set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %}
-{% set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %}
-{% set CBNAME = grains.host %}
-
-filter {
- if [type] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509|suricata$/ {
- grok {
- match => [
- "source_ip", "^%{IPV4:srcipv4}$",
- "source_ip", "(?^([0-9A-Fa-f]{0,4}:){2,7}([0-9A-Fa-f]{1,4}$|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4})$)"
- ]
- }
- grok {
- match => [
- "destination_ip", "(?^([0-9A-Fa-f]{0,4}:){2,7}([0-9A-Fa-f]{1,4}$|((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4})$)",
- "destination_ip", "^%{IPV4:dstipv4}$"
- ]
- }
-
- #geoip {
- # source => "[source_ip]"
- # target => "source_geo"
- #}
- #geoip {
- # source => "[destination_ip]"
- # target => "destination_geo"
- #}
- mutate {
- rename => { "[beat_host][name]" => "sensor" }
- copy => { "sensor" => "rawmsghostname" }
- rename => { "message" => "rawmsg" }
- copy => { "type" => "class" }
- copy => { "class" => "program"}
- rename => { "source_port" => "srcport" }
- rename => { "destination_port" => "dstport" }
- rename => { "[log][file][path]" => "filepath" }
- add_field => { "meta_cbid" => "{{ UNIQUEID }}" }
- add_field => { "meta_cbname" => "{{ CBNAME }}" }
- remove_field => ["source_ip", "destination_ip", "syslog-host_from"]
- remove_field => ["beat_host", "timestamp", "type", "log", "@version", "@timestamp"]
- remove_field => ["sensorname", "sensor_name", "service", "source", "tags", "syslog-host"]
- remove_field => ["sensor_name", "source_ips", "ips", "destination_ips", "syslog-priority", "syslog-file_name", "syslog-facility"]
- }
- if "bro_conn" in [class] {
- mutate {
- #add_field => { "metaclass" => "connection" }
- rename => { "original_bytes" => "sentbytes" }
- rename => { "respond_bytes" => "rcvdbytes" }
- rename => { "connection_state" => "connstate" }
- rename => { "uid" => "connectionid" }
- rename => { "respond_packets" => "rcvdpackets" }
- rename => { "original_packets" => "sentpackets" }
- rename => { "respond_ip_bytes" => "rcvdipbytes" }
- rename => { "original_ip_bytes" => "sentipbytes" }
- rename => { "local_respond" => "local_resp" }
- rename => { "local_orig" => "localorig" }
- rename => { "missed_bytes" => "missingbytes" }
- rename => { "connection_state_description" => "description" }
- }
- }
- if "bro_dns" in [class] {
- mutate{
- #add_field = { "metaclass" => "dns"}
- rename => { "answers" => "answer" }
- rename => { "query" => "domain" }
- rename => { "query_class" => "queryclass" }
- rename => { "query_class_name" => "queryclassname" }
- rename => { "query_type" => "querytype" }
- rename => { "query_type_name" => "querytypename" }
- rename => { "ra" => "recursionavailable" }
- rename => { "rd" => "recursiondesired" }
- rename => { "uid" => "connectionid" }
- rename => { "ttls" => "ttl" }
- rename => { "transaction_id" => "transactionid" }
- }
- }
- if "bro_dhcp" in [class] {
- mutate{
- #add_field = { "metaclass" => "dhcp"}
- rename => { "message_types" => "direction" }
- rename => { "uid" => "connectionid" }
- rename => { "lease_time" => "duration" }
- }
- }
- if "bro_files" in [class] {
- mutate{
- #add_field = { "metaclass" => "dns"}
- rename => { "missing_bytes" => "missingbytes" }
- rename => { "seen_bytes" => "seenbytes" }
- rename => { "overflow_bytes" => "overflowbytes" }
- rename => { "fuid" => "fileid" }
- rename => { "conn_uids" => "connectionid" }
- rename => { "is_orig" => "isorig" }
- rename => { "timed_out" => "timedout" }
- rename => { "local_orig" => "localorig" }
- rename => { "file_ip" => "tx_host" }
- }
- }
- if "bro_http" in [class] {
- mutate{
- #add_field = { "metaclass" => "dns"}
- rename => { "virtual_host" => "hostname" }
- rename => { "status_code" => "statuscode" }
- rename => { "status_message" => "statusmsg" }
- rename => { "resp_mime_types" => "rcvdmimetype" }
- rename => { "resp_fuids" => "rcvdfileid" }
- rename => { "response_body_len" => "rcvdbodybytes" }
- rename => { "request_body_len" => "sentbodybytes" }
- rename => { "uid" => "connectionid" }
- rename => { "ts"=> "eventtime" }
- rename => { "@timestamp"=> "eventtime" }
- rename => { "trans_depth" => "depth" }
- rename => { "request_body_length" => "sentbodybytes" }
- rename => { "response_body_length" => "rcvdbodybytes" }
- }
- }
- if "bro_ssl" in [class] {
- mutate{
- #add_field = { "metaclass" => "dns"}
- rename => { "status_code" => "statuscode" }
- rename => { "status_message" => "statusmsg" }
- rename => { "resp_mime_types" => "rcvdmimetype" }
- rename => { "resp_fuids" => "rcvdfileid" }
- rename => { "response_body_len" => "rcvdbodybytes" }
- rename => { "request_body_len" => "sentbodybytes" }
- rename => { "uid" => "connectionid" }
- }
- }
- if "bro_weird" in [class] {
- mutate{
- #add_field = { "metaclass" => "dns"}
- rename => { "name" => "eventname" }
- }
- }
- if "bro_x509" in [class] {
- mutate{
- #add_field = { "metaclass" => "dns"}
- rename => { "certificate_common_name" => "certname" }
- rename => { "certificate_subject" => "certsubject" }
- rename => { "issuer_common_name" => "issuer" }
- rename => { "certificate_issuer" => "issuersubject" }
- rename => { "certificate_not_valid_before" => "issuetime" }
- rename => { "certificate_key_type" => "cert_type" }
- }
- }
- }
-}
-
-output {
- if [class] =~ /^bro_conn|bro_dns|bro_http|bro_files|bro_ssl|bro_dhcp|bro_x509|suricata$/ {
- http {
- url => "https://helix-integrations.cloud.aws.apps.fireeye.com/api/upload"
- http_method => post
- http_compression => true
- socket_timeout => 60
- headers => ["Authorization","{{ HELIX_API_KEY }}"]
- format => json_batch
- }
- }
-}
diff --git a/salt/logstash/pipelines/config/so/9998_output_minio.conf.jinja b/salt/logstash/pipelines/config/so/9998_output_minio.conf.jinja
deleted file mode 100644
index a38d2cd44..000000000
--- a/salt/logstash/pipelines/config/so/9998_output_minio.conf.jinja
+++ /dev/null
@@ -1,25 +0,0 @@
-{%- set MANAGER = salt['grains.get']('master') %}
-{%- set access_key = salt['pillar.get']('minio:access_key', '') %}
-{%- set access_secret = salt['pillar.get']('minio:access_secret', '') %}
-{%- set SIZE_FILE = salt['pillar.get']('s3_settings:size_file', 2048) %}
-{%- set TIME_FILE = salt['pillar.get']('s3_settings:time_file', 1) %}
-{%- set UPLOAD_QUEUE_SIZE = salt['pillar.get']('s3_settings:upload_queue_size', 4) %}
-{%- set ENCODING = salt['pillar.get']('s3_settings:encoding', 'gzip') %}
-output {
- s3 {
- access_key_id => "{{ access_key }}"
- secret_access_key => "{{ access_secret}}"
- endpoint => "https://{{ MANAGER }}:9595"
- bucket => "logstash"
- size_file => {{ SIZE_FILE }}
- time_file => {{ TIME_FILE }}
- codec => json
- encoding => {{ ENCODING }}
- upload_queue_size => {{ UPLOAD_QUEUE_SIZE }}
- temporary_directory => "/usr/share/logstash/data/tmp"
- validate_credentials_on_root_bucket => false
- additional_settings => {
- "force_path_style" => true
- }
- }
-}
diff --git a/salt/manager/elasticsearch.sls b/salt/manager/elasticsearch.sls
index 24c509fb4..df93217b8 100644
--- a/salt/manager/elasticsearch.sls
+++ b/salt/manager/elasticsearch.sls
@@ -1,4 +1,3 @@
-{% if salt['pillar.get']('elasticsearch:auth:enabled', False) %}
 elastic_curl_config_distributed:
 file.managed:
 - name: /opt/so/saltstack/local/salt/elasticsearch/curl.config
@@ -6,4 +5,3 @@ elastic_curl_config_distributed:
 - template: jinja
 - mode: 600
 - show_changes: False
-{% endif %}
diff --git a/salt/manager/files/so-api.py b/salt/manager/files/so-api.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/salt/manager/glue.py b/salt/manager/glue.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index e38079b7b..c1062e8ae 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -1,25 +1,10 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} - -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} - include: - salt.minion - kibana.secrets 
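Review bot: The `STRELKA_RULES`, `VERSION`, `IMAGEREPO` and `MANAGER` definitions are removed here, but only the latter three have their visible uses removed in the next hunk; no line in this diff removes a reader of `STRELKA_RULES`, and the `strelka_yara_update` state that follows sits outside both hunks. If anything below still references the variable, the render will either fail or silently substitute an empty value depending on how Salt's Jinja undefined handling is configured, so it is worth a grep before merging. A short comment beside `include:` naming where the strelka rule toggle now lives would also save the next reader the same search.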
@@ -35,74 +20,6 @@ socore_own_saltstack: - user - group -/opt/so/saltstack/default/pillar/data/addtotab.sh: - file.managed: - - mode: 750 - - replace: False - -# Create the directories for apt-cacher-ng -aptcacherconfdir: - file.directory: - - name: /opt/so/conf/aptcacher-ng/etc - - user: 939 - - group: 939 - - makedirs: True - -aptcachercachedir: - file.directory: - - name: /opt/so/conf/aptcacher-ng/cache - - user: 939 - - group: 939 - - makedirs: True - -aptcacherlogdir: - file.directory: - - name: /opt/so/log/aptcacher-ng - - user: 939 - - group: 939 - - makedirs: true - -acngconf: - file.managed: - - name: /opt/so/conf/aptcacher-ng/etc/acng.conf - - source: salt://manager/files/acng/acng.conf - - template: jinja - - show_changes: False - -# Install the apt-cacher-ng container -so-aptcacherng: - docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-acng:{{ VERSION }} - - hostname: so-acng - - restart_policy: always - - port_bindings: - - 0.0.0.0:3142:3142 - - binds: - - /opt/so/conf/aptcacher-ng/cache:/var/cache/apt-cacher-ng:rw - - /opt/so/log/aptcacher-ng:/var/log/apt-cacher-ng:rw - - /opt/so/conf/aptcacher-ng/etc/acng.conf:/etc/apt-cacher-ng/acng.conf:ro - - require: - - file: acngconf - -append_so-aptcacherng_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-aptcacherng - -strelka_yara_update_old_1: - cron.absent: - - user: root - - name: '[ -d /opt/so/saltstack/default/salt/strelka/rules/ ] && /usr/sbin/so-yara-update > /dev/null 2>&1' - - hour: '7' - - minute: '1' - -strelka_yara_update_old_2: - cron.absent: - - user: root - - name: '/usr/sbin/so-yara-update > /dev/null 2>&1' - - hour: '7' - - minute: '1' - strelka_yara_update: cron.present: - user: root diff --git a/salt/minio/init.sls b/salt/minio/init.sls deleted file mode 100644 index d0c135bd9..000000000 --- a/salt/minio/init.sls +++ /dev/null 
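Review bot: Dropping the `strelka_yara_update_old_1` and `strelka_yara_update_old_2` `cron.absent` states means a manager upgraded from a release that still carried those root cron entries will no longer have them cleaned up, leaving a second `so-yara-update` schedule next to the `strelka_yara_update` entry that survives below. If every supported upgrade path has already passed through a release that applied the cleanup this is fine; otherwise keep the two `cron.absent` states, or record in a comment which release made them redundant. The apt-cacher-ng removal is consistent with the `MANAGER`/`IMAGEREPO`/`VERSION` variables dropped in the first hunk.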
@@ -1,80 +0,0 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} - -{% set access_key = salt['pillar.get']('minio:access_key', '') %} -{% set access_secret = salt['pillar.get']('minio:access_secret', '') %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} - -include: - - ssl - -# Minio Setup -minioconfdir: - file.directory: - - name: /opt/so/conf/minio/etc/certs - - user: 939 - - group: 939 - - makedirs: True - -miniodatadir: - file.directory: - - name: /nsm/minio/data/ - - user: 939 - - group: 939 - - makedirs: True - -logstashbucket: - file.directory: - - name: /nsm/minio/data/logstash - - user: 939 - - group: 939 - - makedirs: True - -so-minio: - docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-minio:{{ VERSION }} - - hostname: so-minio - - user: socore - - port_bindings: - - 0.0.0.0:9595:9595 - - environment: - - MINIO_ACCESS_KEY: {{ access_key }} - - MINIO_SECRET_KEY: {{ access_secret }} - - binds: - - /nsm/minio/data:/data:rw - - /opt/so/conf/minio/etc:/.minio:rw - - /etc/pki/minio.key:/.minio/certs/private.key:ro - - /etc/pki/minio.crt:/.minio/certs/public.crt:ro - - entrypoint: 
"/usr/bin/docker-entrypoint.sh server --certs-dir /.minio/certs --address :9595 /data" - - require: - - file: minio_key - - file: minio_crt - -append_so-minio_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-minio - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index cb9586984..04ab5b140 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -1,20 +1,13 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} -{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %} -{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -{% set MAINIP = salt['pillar.get']('elasticsearch:mainip') %} -{% set FLEETARCH = salt['grains.get']('role') %} - -{% if FLEETARCH == "so-fleet" %} - {% set MAININT = salt['pillar.get']('host:mainint') %} - {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} -{% else %} - {% set MAINIP = salt['pillar.get']('global:managerip') %} -{% endif %} +{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql') %} # MySQL Setup mysqlpkgs: 
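Review bot: `{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql') %}` drops the explicit `None` default, and `pillar.get` without a default returns `''` when the key is absent, so a check of the form `MYSQLPASS is none` would stop firing; the `mysql_password_none` state named in the next hunk header is outside this hunk, so confirm how it tests the value. If a missing secret is meant to abort the highstate, keep `None` as the default or test for an empty string explicitly, e.g. `{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %}`. The rest of the hunk (the `GLOBALS` import and the dropped fleet branch) is consistent with the nginx and logstash changes in this commit.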
@@ -88,13 +81,13 @@ mysql_password_none: so-mysql: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-mysql:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-mysql:{{ GLOBALS.so_version }} - hostname: so-mysql - user: socore - port_bindings: - 0.0.0.0:3306:3306 - environment: - - MYSQL_ROOT_HOST={{ MAINIP }} + - MYSQL_ROOT_HOST={{ GLOBALS.manager_ip }} - MYSQL_ROOT_PASSWORD=/etc/mypass - binds: - /opt/so/conf/mysql/etc/my.cnf:/etc/my.cnf:ro @@ -107,7 +100,7 @@ so-mysql: - file: mysqlcnf - file: mysqlpass cmd.run: - - name: until nc -z {{ MAINIP }} 3306; do sleep 1; done + - name: until nc -z {{ GLOBALS.manager_ip }} 3306; do sleep 1; done - timeout: 600 - onchanges: - docker_container: so-mysql diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index f82d63c1a..8979535e8 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -1,15 +1,8 @@ {%- set role = grains.id.split('_') | last %} -{%- if role == 'fleet' %} - {% set mainint = salt['pillar.get']('host:mainint') %} - {% set main_ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} -{%- endif %} -{%- set manager_ip = salt['pillar.get']('manager:mainip', '') %} +{%- set manager_ip = salt['pillar.get']('global:managerip', '') %} {%- set url_base = salt['pillar.get']('global:url_base') %} -{%- set fleet_manager = salt['pillar.get']('global:fleet_manager') %} -{%- set fleet_node = salt['pillar.get']('global:fleet_node') %} -{%- set fleet_ip = salt['pillar.get']('global:fleet_ip', None) %} {%- set airgap = salt['pillar.get']('global:airgap', 'False') %} 
@@ -44,45 +37,7 @@ http {
 include /etc/nginx/conf.d/*.conf;
- {%- if role in ['eval', 'managersearch', 'manager', 'standalone', 'fleet', 'import'] %}
-
- {%- if (fleet_manager or role == 'fleet') and role != 'import' %}
- server {
- listen 8090 ssl http2 default_server;
- server_name {{ url_base }};
- root /opt/socore/html;
- index blank.html;
-
- ssl_certificate "/etc/pki/nginx/server.crt";
- ssl_certificate_key "/etc/pki/nginx/server.key";
- ssl_session_cache shared:SSL:1m;
- ssl_session_timeout 10m;
- ssl_ciphers HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers on;
-
- location ~ ^/kolide.agent.Api/(RequestEnrollment|RequestConfig|RequestQueries|PublishLogs|PublishResults|CheckHealth)$ {
- {%- if role == 'fleet' %}
- grpc_pass grpcs://{{ main_ip }}:8080;
- {%- else %}
- grpc_pass grpcs://{{ manager_ip }}:8080;
- {%- endif %}
- grpc_set_header Host $host;
- grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_buffering off;
- }
-
- location ~ ^/kolide.launcher.QueryTarget/GetTargets$ {
- {%- if role == 'fleet' %}
- grpc_pass grpcs://{{ main_ip }}:8080;
- {%- else %}
- grpc_pass grpcs://{{ manager_ip }}:8080;
- {%- endif %}
- grpc_set_header Host $host;
- grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_buffering off;
- }
- }
- {%- endif %}
+ {%- if role in ['eval', 'managersearch', 'manager', 'standalone', 'import'] %}
 server {
 listen 80 default_server;
@@ -106,40 +61,8 @@ http {
 {%- endif %}
- {%- if role == 'fleet' %}
- server {
- listen 443 ssl http2;
- server_name {{ main_ip }};
- root /opt/socore/html;
- index index.html;
+ {%- if role in ['eval', 'managersearch', 'manager', 'standalone', 'import'] %}
- ssl_certificate "/etc/pki/nginx/server.crt";
- ssl_certificate_key "/etc/pki/nginx/server.key";
- ssl_session_cache shared:SSL:1m;
- ssl_session_timeout 10m;
- ssl_ciphers HIGH:!aNULL:!MD5;
- ssl_prefer_server_ciphers on;
- ssl_protocols TLSv1.2;
-
- location /fleet/ {
- proxy_pass https://{{ main_ip }}:8080;
- proxy_read_timeout 90;
- proxy_connect_timeout 90;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Proxy "";
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
- }
- error_page 500 502 503 504 /50x.html;
- location = /usr/share/nginx/html/50x.html {
- }
- }
- {%- elif role in ['eval', 'managersearch', 'manager', 'standalone', 'import'] %}
-
- {%- if airgap is sameas true %}
 server {
 listen 7788;
 server_name {{ url_base }};
@@ -154,8 +77,7 @@ http {
 autoindex_localtime on;
 }
 }
- {%- endif %}
-
+
 server {
 listen 443 ssl http2;
 server_name {{ url_base }};
@@ -252,7 +174,6 @@ http {
 proxy_set_header X-Forwarded-Proto $scheme;
 }
- {%- if airgap is sameas true %}
 location /repo/ {
 allow all;
 sendfile on;
@@ -262,7 +183,6 @@ http {
 autoindex_format html;
 autoindex_localtime on;
 }
- {%- endif %}
 location /grafana/ {
 auth_request /auth/sessions/whoami;
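Review bot: The `{%- if airgap is sameas true %}` guards around the `listen 7788` server and the `location /repo/` block are removed, so the repository listing (`allow all` with `autoindex`) is now served on every manager role rather than only on air-gapped installs, while `airgap` is still read in this file's first hunk and appears to have no remaining use. If serving the repo unconditionally is intended, the now-dead `{%- set airgap = salt['pillar.get']('global:airgap', 'False') %}` line should go too; if it is not, the two guards should be restored. The `allow all` and the port-7788 `server` block are context lines here, so the access rules themselves are unchanged by this hunk.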
@@ -316,29 +236,7 @@ http {
 proxy_set_header X-Forwarded-Proto $scheme;
 }
- {%- if fleet_node %}
-
- location /fleet/ {
- return 307 https://{{ fleet_ip }}/fleet;
- }
-
- {%- else %}
-
- location /fleet/ {
- proxy_pass https://{{ manager_ip }}:8080;
- proxy_read_timeout 90;
- proxy_connect_timeout 90;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header Proxy "";
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "Upgrade";
- }
-
- {%- endif %}
-
+
 location /soctopus/ {
 auth_request /auth/sessions/whoami;
 proxy_pass http://{{ manager_ip }}:7000/;
@@ -355,10 +253,6 @@ http {
 rewrite ^/kibana/app/soc/(.*) /soc/$1 permanent;
 }
- location /kibana/app/fleet/ {
- rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
- }
-
 location /kibana/app/soctopus/ {
 rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
 }
diff --git a/salt/nginx/files/nav_layer_playbook.json b/salt/nginx/files/nav_layer_playbook.json
index a26f26542..69db796e8 100644
--- a/salt/nginx/files/nav_layer_playbook.json
+++ b/salt/nginx/files/nav_layer_playbook.json
@@ -1,52 +1,27 @@
 {
- "name": "Playbook Coverage",
- "versions": {
- "attack": "11",
- "navigator": "4.6.4",
- "layer": "4.3"
- },
- "domain": "enterprise-attack",
- "description": "",
+ "name": "Playbook",
+ "version": "3.0",
+ "domain": "mitre-enterprise",
+ "description": "Current Coverage of Playbook",
 "filters": {
+ "stages": ["act"],
 "platforms": [
- "Linux",
- "macOS",
- "Windows",
- "Azure AD",
- "Office 365",
- "SaaS",
- "IaaS",
- "Google Workspace",
- "PRE",
- "Network",
- "Containers"
+ "windows",
+ "linux",
+ "mac"
 ]
 },
 "sorting": 0,
- "layout": {
- "layout": "side",
- "aggregateFunction": "average",
- "showID": false,
- "showName": true,
- "showAggregateScores": false,
- "countUnscored": false
- },
+ "viewMode": 0,
 "hideDisabled": false,
 "techniques": [],
 "gradient": {
- "colors": [
- "#ff6666ff",
- "#ffe766ff",
- "#8ec843ff"
- ],
+ "colors": ["#ff6666", "#ffe766", "#8ec843"],
 "minValue": 0,
 "maxValue": 100
 },
- "legendItems": [],
 "metadata": [],
- "links": [],
 "showTacticRowBackground": false,
 "tacticRowBackground": "#dddddd",
- "selectTechniquesAcrossTactics": true,
- "selectSubtechniquesWithParent": false
-}
\ No newline at end of file
+ "selectTechniquesAcrossTactics": true
+}
diff --git a/salt/nginx/files/navigator_config.json b/salt/nginx/files/navigator_config.json
index 2f4672b48..3fd87139b 100644
--- a/salt/nginx/files/navigator_config.json
+++ b/salt/nginx/files/navigator_config.json
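Review bot: The new side writes the layer in the older schema (`"version": "3.0"`, `"domain": "mitre-enterprise"`, `"viewMode": 0`, `"stages": ["act"]`) while the removed side carried `"layer": "4.3"` with `"domain": "enterprise-attack"`; this reads as a rollback of the Navigator layer format, so it is worth confirming that the Navigator build shipped with this release still accepts it. Note also that `navigator_config.json` in the same commit now loads its default layer from `assets/playbook.json`, whereas this file keeps the name `nav_layer_playbook.json` and the removed config pointed at `assets/so/nav_layer_playbook.json`; check how the file is exposed under the new path, or the default layer will fail to load.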
@@ -1,62 +1,58 @@ {%- set URL_BASE = salt['pillar.get']('global:url_base', '') %} { - "versions": [ - { - "name": "ATT&CK v11", - "version": "11", - "domains": [ - { - "name": "Enterprise", - "identifier": "enterprise-attack", - "data": ["assets/so/enterprise-attack.json"] - } - ] + "enterprise_attack_url": "assets/enterprise-attack.json", + "pre_attack_url": "assets/pre-attack.json", + "mobile_data_url": "assets/mobile-attack.json", + "taxii_server": { + "enabled": false, + "url": "https://cti-taxii.mitre.org/", + "collections": { + "enterprise_attack": "95ecc380-afe9-11e4-9b6c-751b66dd541e", + "pre_attack": "062767bd-02d2-4b72-84ba-56caef0f8658", + "mobile_attack": "2f669986-b40b-4423-b720-4396ca6a462b" } - ], - - "custom_context_menu_items": [ {"label": "view related plays","url": " https://{{URL_BASE}}/playbook/projects/detection-playbooks/issues?utf8=%E2%9C%93&set_filter=1&sort=id%3Adesc&f%5B%5D=cf_15&op%5Bcf_15%5D=%3D&f%5B%5D=&c%5B%5D=status&c%5B%5D=cf_10&c%5B%5D=cf_13&c%5B%5D=cf_18&c%5B%5D=cf_19&c%5B%5D=cf_1&c%5B%5D=updated_on&v%5Bcf_15%5D%5B%5D=~Technique_ID~"}], - - "default_layers": { - "enabled": true, - "urls": ["assets/so/nav_layer_playbook.json"] }, + "domain": "mitre-enterprise", + + "custom_context_menu_items": [ {"label": "view related plays","url": " https://{{URL_BASE}}/playbook/projects/detection-playbooks/issues?utf8=%E2%9C%93&set_filter=1&sort=id%3Adesc&f%5B%5D=cf_15&op%5Bcf_15%5D=%3D&f%5B%5D=&c%5B%5D=status&c%5B%5D=cf_10&c%5B%5D=cf_13&c%5B%5D=cf_18&c%5B%5D=cf_19&c%5B%5D=cf_1&c%5B%5D=updated_on&v%5Bcf_15%5D%5B%5D=~Technique_ID~"}], + +"default_layers": { + "enabled": true, + "urls": [ + "assets/playbook.json" + ] + }, + "comment_color": "yellow", - "link_color": "blue", - "banner": "", + "features": [ - {"name": "leave_site_dialog", "enabled": true, "description": "Disable to remove the dialog prompt when leaving site."}, {"name": "tabs", "enabled": true, "description": "Disable to remove the ability to open new tabs."}, {"name": 
"selecting_techniques", "enabled": true, "description": "Disable to remove the ability to select techniques."}, {"name": "header", "enabled": true, "description": "Disable to remove the header containing 'MITRE ATT&CK Navigator' and the link to the help page. The help page can still be accessed from the new tab menu."}, - {"name": "subtechniques", "enabled": true, "description": "Disable to remove all sub-technique features from the interface."}, {"name": "selection_controls", "enabled": true, "description": "Disable to to disable all subfeatures", "subfeatures": [ {"name": "search", "enabled": true, "description": "Disable to remove the technique search panel from the interface."}, {"name": "multiselect", "enabled": true, "description": "Disable to remove the multiselect panel from interface."}, {"name": "deselect_all", "enabled": true, "description": "Disable to remove the deselect all button from the interface."} ]}, - {"name": "layer_controls", "enabled": true, "description": "Disable to disable all subfeatures", "subfeatures": [ - {"name": "layer_info", "enabled": true, "description": "Disable to remove the layer info (name, description and layer metadata) panel from the interface. Note that the layer can still be renamed in the tab."}, + {"name": "layer_controls", "enabled": true, "description": "Disable to to disable all subfeatures", "subfeatures": [ + {"name": "layer_info", "enabled": true, "description": "Disable to remove the layer info (name, description and metadata) panel from the interface. 
Note that the layer can still be renamed in the tab."}, {"name": "download_layer", "enabled": true, "description": "Disable to remove the button to download the layer."}, - {"name": "export_render", "enabled": true, "description": "Disable to remove the button to render the current layer."}, - {"name": "export_excel", "enabled": true, "description": "Disable to remove the button to export the current layer to MS Excel (.xlsx) format."}, - {"name": "filters", "enabled": true, "description": "Disable to remove the filters panel from interface."}, - {"name": "sorting", "enabled": true, "description": "Disable to remove the sorting button from the interface."}, - {"name": "color_setup", "enabled": true, "description": "Disable to remove the color setup panel from interface, containing customization controls for scoring gradient and tactic row color."}, - {"name": "toggle_hide_disabled", "enabled": true, "description": "Disable to remove the hide disabled techniques button from the interface."}, - {"name": "layout_controls", "enabled": true, "description": "Disable to remove the ability to change the current matrix layout."}, - {"name": "legend", "enabled": true, "description": "Disable to remove the legend panel from the interface."} + {"name": "export_render", "enabled": true, "description": "Disable to the remove the button to render the current layer."}, + {"name": "export_excel", "enabled": true, "description": "Disable to the remove the button to export the current layer to MS Excel (.xlsx) format."}, + {"name": "filters", "enabled": true, "description": "Disable to the remove the filters panel from interface."}, + {"name": "sorting", "enabled": true, "description": "Disable to the remove the sorting button from the interface."}, + {"name": "color_setup", "enabled": true, "description": "Disable to the remove the color setup panel from interface, containing customization controls for scoring gradient and tactic row color."}, + {"name": "toggle_hide_disabled", 
"enabled": true, "description": "Disable to the remove the hide disabled techniques button from the interface."}, + {"name": "toggle_view_mode", "enabled": true, "description": "Disable to the remove the toggle view mode button from interface."}, + {"name": "legend", "enabled": true, "description": "Disable to the remove the legend panel from the interface."} ]}, - {"name": "technique_controls", "enabled": true, "description": "Disable to disable all subfeatures", "subfeatures": [ - {"name": "disable_techniques", "enabled": true, "description": "Disable to remove the ability to disable techniques."}, - {"name": "manual_color", "enabled": true, "description": "Disable to remove the ability to assign manual colors to techniques."}, - {"name": "scoring", "enabled": true, "description": "Disable to remove the ability to score techniques."}, - {"name": "comments", "enabled": true, "description": "Disable to remove the ability to add comments to techniques."}, - {"name": "comment_underline", "enabled": true, "description": "Disable to remove the comment underline effect on techniques."}, - {"name": "links", "enabled": true, "description": "Disable to remove the ability to assign hyperlinks to techniques."}, - {"name": "link_underline", "enabled": true, "description": "Disable to remove the hyperlink underline effect on techniques."}, - {"name": "metadata", "enabled": true, "description": "Disable to remove the ability to add metadata to techniques."}, + {"name": "technique_controls", "enabled": true, "description": "Disable to to disable all subfeatures", "subfeatures": [ + {"name": "disable_techniques", "enabled": true, "description": "Disable to the remove the ability to disable techniques."}, + {"name": "manual_color", "enabled": true, "description": "Disable to the remove the ability to assign manual colors to techniques."}, + {"name": "scoring", "enabled": true, "description": "Disable to the remove the ability to score techniques."}, + {"name": "comments", 
"enabled": true, "description": "Disable to the remove the ability to add comments to techniques."},
 {"name": "clear_annotations", "enabled": true, "description": "Disable to remove the button to clear all annotations on the selected techniques."}
 ]}
 ]
diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls
index cad20996e..72386561b 100644
--- a/salt/nginx/init.sls
+++ b/salt/nginx/init.sls
@@ -1,10 +1,8 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
-{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
-{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
 {% set MANAGER = salt['grains.get']('master') %}
-{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
+{% set VERSION = salt['pillar.get']('global:soversion') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set ISAIRGAP = salt['pillar.get']('global:airgap') %}
@@ -50,7 +48,7 @@ nginxtmp:
 navigatorconfig:
 file.managed:
- - name: /opt/so/conf/navigator/config.json
+ - name: /opt/so/conf/navigator/navigator_config.json
 - source: salt://nginx/files/navigator_config.json
 - user: 939
 - group: 939
@@ -59,7 +57,7 @@ navigatorconfig:
 navigatordefaultlayer:
 file.managed:
- - name: /opt/so/conf/navigator/layers/nav_layer_playbook.json
+ - name: /opt/so/conf/navigator/nav_layer_playbook.json
 - source: salt://nginx/files/nav_layer_playbook.json
 - user: 939
 - group: 939
@@ -69,7 +67,7 @@ navigatordefaultlayer:
 navigatorpreattack:
 file.managed:
- - name: /opt/so/conf/navigator/layers/pre-attack.json
+ - name: /opt/so/conf/navigator/pre-attack.json
 - source: salt://nginx/files/pre-attack.json
 - user: 939
 - group: 939
@@ -78,7 +76,7 @@ navigatorpreattack:
 navigatorenterpriseattack:
 file.managed:
- - name: /opt/so/conf/navigator/layers/enterprise-attack.json
+ - name: /opt/so/conf/navigator/enterprise-attack.json
 - source: salt://nginx/files/enterprise-attack.json
 - user: 939
 - group: 939
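Review bot: The added `custom_context_menu_items` URL starts with a space (`" https://{{URL_BASE}}/playbook/...`), and `URL_BASE` defaults to `''`, so with `global:url_base` unset the rendered link becomes ` https:///playbook/...`; drop the leading space and consider failing the render when the pillar value is empty. Most of the new feature descriptions reintroduce typos the removed side had already fixed — `"Disable to to disable all subfeatures"` on `selection_controls`, `layer_controls` and `technique_controls`, and `"Disable to the remove ..."` throughout their subfeatures — which should read `"Disable to disable all subfeatures"` and `"Disable to remove ..."`. The new `taxii_server` block is `"enabled": false` but still carries the external `url` and collection IDs; that is fine as shipped, but flipping it on would make every Navigator page load fetch ATT&CK data from that remote server, so it deserves a note in the managing state.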
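Review bot: Removing the `'HH1.2.2'` fallback from the `VERSION` lookup means a missing `global:soversion` pillar value now renders as empty, so the `so-nginx` image reference later in this state (outside the hunk) would end in a bare `:` tag instead of pulling a stale placeholder; that is the better failure, but it only surfaces when Docker rejects the pull. A guard such as `{% if not VERSION %}` around a `test.fail_without_changes` state, the pattern this repo already uses for disallowed states, makes the misconfiguration explicit at render time. The same change appears in the `salt/pcap/init.sls` hunk.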
@@ -94,16 +92,17 @@ so-nginx:
 - /opt/so/log/nginx/:/var/log/nginx:rw
 - /opt/so/tmp/nginx/:/var/lib/nginx:rw
 - /opt/so/tmp/nginx/:/run:rw
- - /opt/so/conf/fleet/packages:/opt/socore/html/packages
- {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import', 'so-fleet'] %}
+ - /opt/so/conf/elastic-fleet/so_agent-installers:/opt/socore/html/packages
+ {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %}
 - /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro
 - /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro
 # ATT&CK Navigator binds
- - /opt/so/conf/navigator/layers/:/opt/socore/html/navigator/assets/so:ro
- - /opt/so/conf/navigator/config.json:/opt/socore/html/navigator/assets/config.json:ro
- {% endif %}
- {% if ISAIRGAP is sameas true %}
+ - /opt/so/conf/navigator/navigator_config.json:/opt/socore/html/navigator/assets/config.json:ro
+ - /opt/so/conf/navigator/nav_layer_playbook.json:/opt/socore/html/navigator/assets/playbook.json:ro
+ - /opt/so/conf/navigator/enterprise-attack.json:/opt/socore/html/navigator/assets/enterprise-attack.json:ro
+ - /opt/so/conf/navigator/pre-attack.json:/opt/socore/html/navigator/assets/pre-attack.json:ro
 - /nsm/repo:/opt/socore/html/repo:ro
+ {% endif %}
 - cap_add: NET_BIND_SERVICE
 - port_bindings:
@@ -112,15 +111,12 @@ so-nginx:
 {% if ISAIRGAP is sameas true %}
 - 7788:7788
 {% endif %}
- {%- if FLEETMANAGER or FLEETNODE %}
- - 8090:8090
- {%- endif %}
 - watch:
 - file: nginxconf
 - file: nginxconfdir
 - require:
 - file: nginxconf
- {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import', 'so-fleet'] %}
+ {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %}
 - x509: managerssl_key
 - x509: managerssl_crt
 - file: navigatorconfig
diff --git a/salt/nodered/files/nodered_load_flows b/salt/nodered/files/nodered_load_flows
deleted file mode 100644
index 3d6ed2a8c..000000000
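Review bot: The new `so_agent-installers` bind at the top of the hunk is mounted read-write (no `:ro`), unlike every other content bind in the same list (`/nsm/repo`, the four navigator files, the TLS material). The container only needs to serve these installers, and a compromised nginx process able to write to that directory could alter the agent package every endpoint later downloads, so the line should read `- /opt/so/conf/elastic-fleet/so_agent-installers:/opt/socore/html/packages:ro`. Separately, moving `{% endif %}` below `/nsm/repo` means that bind is now applied on every manager-type role rather than only when `ISAIRGAP` is true (the `7788:7788` port binding in the next hunk is still airgap-gated); if `/nsm/repo` is absent on non-airgap managers Docker will presumably create it as an empty root-owned directory, which is likely harmless but worth confirming is intended. The `so-nginx` state starts and ends outside the hunk.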
--- a/salt/nodered/files/nodered_load_flows
+++ /dev/null
@@ -1,12 +0,0 @@
-{%- set ip = salt['pillar.get']('global:managerip', '') -%}
-#!/bin/bash
-default_salt_dir=/opt/so/saltstack/default
-
-echo "Waiting for connection"
-until $(curl --output /dev/null --silent --head -L http://{{ ip }}:1880); do
- echo '.'
- sleep 1
-done
-echo "Loading flows..."
-curl -XPOST -v -H "Content-Type: application/json" -d @$default_salt_dir/salt/nodered/so_flows.json -L {{ ip }}:1880/flows
-echo "Done loading..."
diff --git a/salt/nodered/files/so_flows.json b/salt/nodered/files/so_flows.json
deleted file mode 100644
index 6a0dea7cf..000000000
--- a/salt/nodered/files/so_flows.json
+++ /dev/null
@@ -1,4 +0,0 @@ -{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') -%} -{%- set HIVEKEY = salt['pillar.get']('global:hivekey', '') -%} -{%- set CORTEXKEY = salt['pillar.get']('global:cortexorgusekey', '') -%} -[{"id":"dca608c3.7d8af8","type":"tab","label":"TheHive - Webhook Events","disabled":false,"info":""},{"id":"4db74fa6.2556d","type":"tls-config","z":"","name":"","cert":"","key":"","ca":"","certname":"","keyname":"","caname":"","servername":"","verifyservercert":false},{"id":"aa6cf50d.a02fc8","type":"http in","z":"dca608c3.7d8af8","name":"TheHive Listener","url":"/thehive","method":"post","upload":false,"swaggerDoc":"","x":120,"y":780,"wires":[["2b92aebb.853dc2","2fce29bb.1b1376","82ad0f08.7a53f"]]},{"id":"2b92aebb.853dc2","type":"debug","z":"dca608c3.7d8af8","name":"","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"payload","targetType":"msg","x":470,"y":940,"wires":[]},{"id":"a4ecb84a.805958","type":"switch","z":"dca608c3.7d8af8","name":"Operation","property":"payload.operation","propertyType":"msg","rules":[{"t":"eq","v":"Creation","vt":"str"},{"t":"eq","v":"Update","vt":"str"},{"t":"eq","v":"Delete","vt":"str"}],"checkall":"false","repair":false,"outputs":3,"x":580,"y":780,"wires":[["f1e954fd.3c21d8"],["65928861.c90a48"],["a259a26c.a21"]],"outputLabels":["Creation","Update","Delete"]},{"id":"f1e954fd.3c21d8","type":"switch","z":"dca608c3.7d8af8","name":"Creation","property":"payload.objectType","propertyType":"msg","rules":[{"t":"eq","v":"case","vt":"str"},{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"case_task","vt":"str"},{"t":"eq","v":"case_task_log","vt":"str"},{"t":"eq","v":"case_artifact_job","vt":"str"},{"t":"eq","v":"alert","vt":"str"},{"t":"eq","v":"user","vt":"str"}],"checkall":"false","repair":false,"outputs":7,"x":900,"y":480,"wires":[["e88b4cc2.f6afe"],["8c54e39.a1b4f2"],["64203fe8.e0ad5"],["3511de51.889a02"],["14544a8b.b6b2f5"],["44c595a4.45d45c"],["3eb4bedf.6e20a2"]],"inputLabels":["Operatio
n"],"outputLabels":["case","case_artifact","case_task","case_task_log","action","alert","user"],"info":"No webhook data is received for the following events:\n\n- Creation of Dashboard\n- Creation of Case Templates\n"},{"id":"65928861.c90a48","type":"switch","z":"dca608c3.7d8af8","name":"Update","property":"payload.objectType","propertyType":"msg","rules":[{"t":"eq","v":"case","vt":"str"},{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"case_artifact_job","vt":"str"},{"t":"eq","v":"case_task","vt":"str"},{"t":"eq","v":"case_task_log","vt":"str"},{"t":"eq","v":"alert","vt":"str"},{"t":"eq","v":"user","vt":"str"}],"checkall":"false","repair":false,"outputs":7,"x":900,"y":860,"wires":[["eebe1748.1cd348"],["d703adc0.12fd1"],["2b738415.408d4c"],["6d97371a.406348"],["4ae621e1.9ae6"],["5786cee2.98109"],["54077728.447648"]],"inputLabels":["Operation"],"outputLabels":["case","case_artifact",null,"case_task","case_task_log","alert","user"]},{"id":"a259a26c.a21","type":"switch","z":"dca608c3.7d8af8","name":"Delete","property":"payload.objectType","propertyType":"msg","rules":[{"t":"eq","v":"case","vt":"str"},{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"case_task_log","vt":"str"}],"checkall":"false","repair":false,"outputs":3,"x":890,"y":1200,"wires":[["60c8bcfb.eff1f4"],["df708bab.348308"],["e9a8650c.e20cc8"]],"outputLabels":["case","case_artifact",""],"info":"Deleting a case task doesnt actually trigger a delete event. 
It triggers an `update` event where the status = cancelled"},{"id":"54077728.447648","type":"switch","z":"dca608c3.7d8af8","name":"User","property":"payload.object.status","propertyType":"msg","rules":[{"t":"eq","v":"Locked","vt":"str"},{"t":"eq","v":"Ok","vt":"str"}],"checkall":"false","repair":false,"outputs":2,"x":1130,"y":980,"wires":[["9429d6c5.5ac788"],["4e3e091c.d35388"]]},{"id":"9429d6c5.5ac788","type":"function","z":"dca608c3.7d8af8","name":"status: Locked","func":"msg.topic = \"[The Hive] A user account was locked\";\nmsg.from = \"from@example.com\";\nmsg.to = \"to@example.com\";\nreturn msg;","outputs":1,"noerr":0,"x":1380,"y":972,"wires":[[]],"info":"- User account was locked"},{"id":"4e3e091c.d35388","type":"function","z":"dca608c3.7d8af8","name":"status: Ok","func":"msg.topic = \"[The Hive] A user account was changed\";\nmsg.from = \"from@example.com\";\nmsg.to = \"to@example.com\";\nreturn msg;","outputs":1,"noerr":0,"x":1360,"y":1020,"wires":[[]],"info":"- User account was unlocked\n- User description was changed\n- User role was changed\n- User API key was added\n- User API key was revoked\n"},{"id":"485f3be.1ffcfc4","type":"function","z":"dca608c3.7d8af8","name":"status: Open","func":"// Fires when a Case is updated AND status = open\n// This can include things like TLP/PAP changes\n\nreturn msg;","outputs":1,"noerr":0,"x":1370,"y":660,"wires":[[]]},{"id":"eebe1748.1cd348","type":"switch","z":"dca608c3.7d8af8","name":"case","property":"payload.object.status","propertyType":"msg","rules":[{"t":"eq","v":"Open","vt":"str"}],"checkall":"true","repair":false,"outputs":1,"x":1130,"y":740,"wires":[["485f3be.1ffcfc4","e4b7b4bf.2fb828"]],"info":"- A case was modified"},{"id":"8c54e39.a1b4f2","type":"switch","z":"dca608c3.7d8af8","name":"case_artifact: Run 
Analyzer","property":"payload.object.dataType","propertyType":"msg","rules":[{"t":"eq","v":"ip","vt":"str"},{"t":"eq","v":"domain","vt":"str"}],"checkall":"true","repair":false,"outputs":2,"x":1600,"y":340,"wires":[["eb8cfeb7.a7118","a5dd8a8a.065b88"],["eb8cfeb7.a7118","a5dd8a8a.065b88"]],"info":"# References\n\n\n"},{"id":"2fce29bb.1b1376","type":"function","z":"dca608c3.7d8af8","name":"Add headers","func":"msg.thehive_url = 'https://{{ MANAGERIP }}/thehive';\nmsg.cortex_url = 'https://{{ MANAGERIP }}/cortex';\nmsg.cortex_id = 'CORTEX-SERVER-ID';\nreturn msg;","outputs":1,"noerr":0,"x":350,"y":780,"wires":[["a4ecb84a.805958"]]},{"id":"e4b7b4bf.2fb828","type":"function","z":"dca608c3.7d8af8","name":"status: Resolved","func":"// Fires when a case is closed (resolved)\n\nreturn msg;","outputs":1,"noerr":0,"x":1390,"y":720,"wires":[[]]},{"id":"e88b4cc2.f6afe","type":"function","z":"dca608c3.7d8af8","name":"case","func":"// Fires when a case is created\n// or when a responder is generated against a case\n\nreturn msg;","outputs":1,"noerr":0,"x":1130,"y":320,"wires":[[]]},{"id":"64203fe8.e0ad5","type":"function","z":"dca608c3.7d8af8","name":"case_task","func":"// Fires when a case task is created\nreturn msg;","outputs":1,"noerr":0,"x":1140,"y":400,"wires":[[]]},{"id":"3511de51.889a02","type":"function","z":"dca608c3.7d8af8","name":"case_task_log","func":"// Fires when a case task log is created\n\nreturn msg;","outputs":1,"noerr":0,"x":1163,"y":440,"wires":[[]]},{"id":"14544a8b.b6b2f5","type":"function","z":"dca608c3.7d8af8","name":"case_artifact_job","func":"// Fires when a Responder or Analyzser is Run on an existing observable\n\nreturn msg;","outputs":1,"noerr":0,"x":1173,"y":480,"wires":[[]]},{"id":"2b738415.408d4c","type":"function","z":"dca608c3.7d8af8","name":"case_artifact_job","func":"\nreturn msg;","outputs":1,"noerr":0,"x":1170,"y":820,"wires":[[]]},{"id":"3eb4bedf.6e20a2","type":"function","z":"dca608c3.7d8af8","name":"user","func":"// Fires when a user is 
created\n\nreturn msg;","outputs":1,"noerr":0,"x":1133,"y":560,"wires":[[]]},{"id":"d703adc0.12fd1","type":"function","z":"dca608c3.7d8af8","name":"case_artifact","func":"// Fires when an artifact is updated\nreturn msg;","outputs":1,"noerr":0,"x":1150,"y":780,"wires":[[]]},{"id":"6d97371a.406348","type":"function","z":"dca608c3.7d8af8","name":"case_task","func":"// Fires when a case task is updated\nreturn msg;","outputs":1,"noerr":0,"x":1140,"y":860,"wires":[[]]},{"id":"4ae621e1.9ae6","type":"function","z":"dca608c3.7d8af8","name":"case_task_log","func":"//Fires when a case_task_log is updated\n\nreturn msg;","outputs":1,"noerr":0,"x":1160,"y":900,"wires":[[]]},{"id":"60c8bcfb.eff1f4","type":"function","z":"dca608c3.7d8af8","name":"case","func":"//Fires when a case is deleted\nreturn msg;","outputs":1,"noerr":0,"x":1130,"y":1160,"wires":[[]]},{"id":"df708bab.348308","type":"function","z":"dca608c3.7d8af8","name":"case_artifact","func":"//Fires when a case_artifact is deleted\nreturn msg;","outputs":1,"noerr":0,"x":1150,"y":1200,"wires":[[]]},{"id":"e9a8650c.e20cc8","type":"function","z":"dca608c3.7d8af8","name":"case_task_log","func":"//Fires when a case_task_log is deleted\nreturn msg;","outputs":1,"noerr":0,"x":1160,"y":1240,"wires":[[]]},{"id":"5786cee2.98109","type":"function","z":"dca608c3.7d8af8","name":"alert","func":"//Fires when an alert is updated\nreturn msg;","outputs":1,"noerr":0,"x":1130,"y":940,"wires":[[]]},{"id":"44c595a4.45d45c","type":"change","z":"dca608c3.7d8af8","d":true,"name":"Convert Alert Msg to Artifacts","rules":[{"t":"move","p":"payload.object.artifacts","pt":"msg","to":"payload","tot":"msg"}],"action":"","property":"","from":"","to":"","reg":false,"x":1200,"y":520,"wires":[["6dcca25e.04bd2c"]]},{"id":"6dcca25e.04bd2c","type":"split","z":"dca608c3.7d8af8","name":"Split 
Artifacts","splt":"\\n","spltType":"str","arraySplt":1,"arraySpltType":"len","stream":false,"addname":"","x":1430,"y":520,"wires":[["767c84f2.c9ba2c"]]},{"id":"767c84f2.c9ba2c","type":"switch","z":"dca608c3.7d8af8","name":"alert: Run Analyzer","property":"payload.dataType","propertyType":"msg","rules":[{"t":"eq","v":"ip","vt":"str"},{"t":"eq","v":"domain","vt":"str"}],"checkall":"true","repair":false,"outputs":2,"x":1630,"y":400,"wires":[["eb8cfeb7.a7118","a5dd8a8a.065b88"],["a5dd8a8a.065b88","eb8cfeb7.a7118"]],"info":"# References\n\n\n"},{"id":"82ad0f08.7a53f","type":"http response","z":"dca608c3.7d8af8","name":"Ack Event Receipt","statusCode":"200","headers":{},"x":250,"y":940,"wires":[]},{"id":"a5dd8a8a.065b88","type":"function","z":"dca608c3.7d8af8","name":"Run Analyzer: CERT DNS","func":"msg.analyzer_id = \"4f28afc20d78f98df425e36e561af33f\";\n\nif (msg.payload.objectId) {\n msg.tag = \"case_artifact\"\n msg.artifact_id = msg.payload.objectId\n msg.url = msg.thehive_url + '/api/connector/cortex/job';\n msg.payload = {\n 'cortexId' : msg.cortex_id,\n 'artifactId': msg.artifact_id,\n 'analyzerId': msg.analyzer_id\n };\n}\nelse {\n msg.tag = \"observable\"\n msg.observable = msg.payload.data\n msg.dataType = msg.payload.dataType\n\n msg.url = msg.cortex_url + '/api/analyzer/' + msg.analyzer_id + '/run';\n msg.payload = {\n 'data' : msg.observable,\n 'dataType': msg.dataType \n };\n}\nreturn msg;","outputs":1,"noerr":0,"x":1930,"y":420,"wires":[["f050a09f.b2201"]]},{"id":"eb8cfeb7.a7118","type":"function","z":"dca608c3.7d8af8","name":"Run Analyzer: Urlscan","func":"msg.analyzer_id = \"54e51b62c6c8ddc3cbc3cbdd889a0557\";\n\nif (msg.payload.objectId) {\n msg.tag = \"case_artifact\"\n msg.artifact_id = msg.payload.objectId\n msg.url = msg.thehive_url + '/api/connector/cortex/job';\n msg.payload = {\n 'cortexId' : msg.cortex_id,\n 'artifactId': msg.artifact_id,\n 'analyzerId': msg.analyzer_id\n };\n}\nelse {\n msg.tag = \"observable\"\n msg.observable = 
msg.payload.data\n msg.dataType = msg.payload.dataType\n\n msg.url = msg.cortex_url + '/api/analyzer/' + msg.analyzer_id + '/run';\n msg.payload = {\n 'data' : msg.observable,\n 'dataType': msg.dataType \n };\n}\nreturn msg;","outputs":1,"noerr":0,"x":1920,"y":320,"wires":[["f050a09f.b2201"]]},{"id":"1c448528.3032fb","type":"http request","z":"dca608c3.7d8af8","name":"Submit to Cortex","method":"POST","ret":"obj","paytoqs":false,"url":"","tls":"4db74fa6.2556d","persist":false,"proxy":"","authType":"bearer","credentials": {"user": "", "password": "{{ CORTEXKEY }}"},"x":2450,"y":420,"wires":[["ea6614fb.752a78"]]},{"id":"ea6614fb.752a78","type":"debug","z":"dca608c3.7d8af8","name":"Debug","active":true,"tosidebar":true,"console":false,"tostatus":false,"complete":"true","targetType":"full","x":2670,"y":360,"wires":[]},{"id":"f050a09f.b2201","type":"switch","z":"dca608c3.7d8af8","name":"Cases vs Alerts","property":"tag","propertyType":"msg","rules":[{"t":"eq","v":"case_artifact","vt":"str"},{"t":"eq","v":"observable","vt":"str"}],"checkall":"true","repair":false,"outputs":2,"x":2200,"y":360,"wires":[["f7fca977.a73b28"],["1c448528.3032fb"]],"inputLabels":["Data"],"outputLabels":["Cases","Alerts"]},{"id":"f7fca977.a73b28","type":"http request","z":"dca608c3.7d8af8","name":"Submit to TheHive","method":"POST","ret":"obj","paytoqs":false,"url":"","tls":"4db74fa6.2556d","persist":false,"proxy":"","authType":"bearer","credentials": {"user": "", "password": "{{ HIVEKEY }}"},"x":2450,"y":280,"wires":[["ea6614fb.752a78"]]}] diff --git a/salt/nodered/init.sls b/salt/nodered/init.sls deleted file mode 100644 index 8029dbaf1..000000000 --- a/salt/nodered/init.sls +++ /dev/null 
@@ -1,91 +0,0 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC - -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} - -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} - -# Create the nodered group -noderedgroup: - group.present: - - name: nodered - - gid: 947 - -# Add the nodered user -nodered: - user.present: - - uid: 947 - - gid: 947 - - home: /opt/so/conf/nodered - -#noderedconfdir: -# file.directory: -# - name: /opt/so/conf/nodered -# - user: 947 -# - group: 939 -# - mode: 775 -# - makedirs: True - -noderedflows: - file.recurse: - - name: /opt/so/saltstack/default/salt/nodered/ - - source: salt://nodered/files - - user: 947 - - group: 939 - - template: jinja - -noderedflowsload: - file.managed: - - name: /usr/sbin/so-nodered-load-flows - - source: salt://nodered/files/nodered_load_flows - - user: root - - group: root - - mode: 755 - - template: jinja - -noderedlog: - file.directory: - - name: /opt/so/log/nodered - - user: 947 - - group: 939 - - mode: 755 - - makedirs: True - -so-nodered: - docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-nodered:{{ VERSION }} - - interactive: True - - binds: - - /opt/so/conf/nodered/:/data:rw - - port_bindings: - - 0.0.0.0:1880:1880 - -append_so-nodered_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - 
text: so-nodered
-
-so-nodered-flows:
- cmd.run:
- - name: /usr/sbin/so-nodered-load-flows
- - cwd: /
-
-{% else %}
-
-{{sls}}_state_not_allowed:
- test.fail_without_changes:
- - name: {{sls}}_state_not_allowed
-
-{% endif %}
diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls
index ccaf84f52..2d047e731 100644
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -1,23 +1,14 @@
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
 {% from "pcap/map.jinja" import STENOOPTIONS with context %}
-{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
+{% set VERSION = salt['pillar.get']('global:soversion') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
diff --git a/salt/pcap/soc_pcap.yaml b/salt/pcap/soc_pcap.yaml
new file mode 100644
index 000000000..515dd346b
--- /dev/null
+++ b/salt/pcap/soc_pcap.yaml
@@ -0,0 +1,12 @@
+pcap:
+ config:
+ enabled:
+ description: Enable or Disable Stenographer on all sensors or a single sensor
+ maxfiles:
+ description: The maximum number of packet/index files to create before cleaning old ones up.
+ diskfreepercentage:
+ description: The disk space percent to always keep free for pcap
+ blocks:
+ description: The number of 1MB packet blocks used by AF_PACKET to store packets in memory, per thread. You shouldn't need to change this.
+ preallocate_file_mb:
+ description: File size to pre-allocate for individual pcap files. You shouldn't need to change this.
diff --git a/salt/playbook/OLD_db_init.sls b/salt/playbook/OLD_db_init.sls
deleted file mode 100644
index 02d5310b0..000000000
--- a/salt/playbook/OLD_db_init.sls
+++ /dev/null
@@ -1,14 +0,0 @@
-
-# This state will import the initial default playbook database.
-# If there is an existing playbook database, it will be overwritten - no backups are made.
-
-include:
- - mysql
-
-salt://playbook/files/OLD_playbook_db_init.sh:
- cmd.script:
- - cwd: /root
- - template: jinja
-
-'sleep 5':
- cmd.run
\ No newline at end of file
diff --git a/salt/playbook/automation_user_create.sls b/salt/playbook/automation_user_create.sls
index e333a4a99..61662677f 100644
--- a/salt/playbook/automation_user_create.sls
+++ b/salt/playbook/automation_user_create.sls
@@ -1,4 +1,4 @@
-{% set MAINIP = salt['pillar.get']('global:managerip') %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
 # This state will create the SecOps Automation user within Playbook
@@ -7,7 +7,7 @@ include:
 wait_for_playbook:
 cmd.run:
- - name: until nc -z {{ MAINIP }} 3200; do sleep 1; done
+ - name: until nc -z {{ GLOBALS.manager_ip }} 3200; do sleep 1; done
 - timeout: 300
 create_user:
diff --git a/salt/playbook/files/OLD_playbook_db_init.sh b/salt/playbook/files/OLD_playbook_db_init.sh
deleted file mode 100644
index 22428780c..000000000
--- a/salt/playbook/files/OLD_playbook_db_init.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-# {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) %}
-
-default_salt_dir=/opt/so/saltstack/default
-
-docker cp $default_salt_dir/salt/playbook/files/OLD_playbook_db_init.sql so-mysql:/tmp/playbook_db_init.sql
-docker exec so-mysql /bin/bash -c "/usr/bin/mysql -b -uroot -p{{MYSQLPASS}} < /tmp/playbook_db_init.sql"
\ No newline at end of file
diff --git a/salt/playbook/files/OLD_playbook_db_init.sql b/salt/playbook/files/OLD_playbook_db_init.sql
deleted file mode 100644
index d48f656b9..000000000
--- a/salt/playbook/files/OLD_playbook_db_init.sql
+++ /dev/null
@@ -1,1767 +0,0 @@ --- MySQL dump 10.13 Distrib 5.7.24, for Linux (x86_64) --- --- Host: localhost Database: playbook --- ------------------------------------------------------ --- Server version 5.7.24 - -/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */; -/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */; -/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */; -/*!40101 SET NAMES utf8 */; -/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */; -/*!40103 SET TIME_ZONE='+00:00' */; -/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */; -/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */; -/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */; -/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */; - --- --- Current Database: `playbook` --- - -CREATE DATABASE /*!32312 IF NOT EXISTS*/ `playbook` /*!40100 DEFAULT CHARACTER SET latin1 */; - -USE `playbook`; - --- --- Table structure for table `ar_internal_metadata` --- - -DROP TABLE IF EXISTS `ar_internal_metadata`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `ar_internal_metadata` ( - `key` varchar(255) NOT NULL, - `value` varchar(255) DEFAULT NULL, - `created_at` datetime NOT NULL, - `updated_at` datetime NOT NULL, - PRIMARY KEY (`key`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `ar_internal_metadata` --- - -LOCK TABLES `ar_internal_metadata` WRITE; -/*!40000 ALTER TABLE `ar_internal_metadata` DISABLE KEYS */; -INSERT INTO `ar_internal_metadata` VALUES ('environment','production','2020-04-26 13:08:38','2020-04-26 13:08:38'); -/*!40000 ALTER TABLE `ar_internal_metadata` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `attachments` --- - -DROP TABLE IF EXISTS `attachments`; -/*!40101 SET @saved_cs_client = @@character_set_client */; 
-/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `attachments` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `container_id` int(11) DEFAULT NULL, - `container_type` varchar(30) DEFAULT NULL, - `filename` varchar(255) NOT NULL DEFAULT '', - `disk_filename` varchar(255) NOT NULL DEFAULT '', - `filesize` bigint(20) NOT NULL DEFAULT '0', - `content_type` varchar(255) DEFAULT '', - `digest` varchar(64) NOT NULL DEFAULT '', - `downloads` int(11) NOT NULL DEFAULT '0', - `author_id` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `description` varchar(255) DEFAULT NULL, - `disk_directory` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_attachments_on_author_id` (`author_id`), - KEY `index_attachments_on_created_on` (`created_on`), - KEY `index_attachments_on_container_id_and_container_type` (`container_id`,`container_type`), - KEY `index_attachments_on_disk_filename` (`disk_filename`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `attachments` --- - -LOCK TABLES `attachments` WRITE; -/*!40000 ALTER TABLE `attachments` DISABLE KEYS */; -/*!40000 ALTER TABLE `attachments` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `auth_sources` --- - -DROP TABLE IF EXISTS `auth_sources`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `auth_sources` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `type` varchar(30) NOT NULL DEFAULT '', - `name` varchar(60) NOT NULL DEFAULT '', - `host` varchar(60) DEFAULT NULL, - `port` int(11) DEFAULT NULL, - `account` varchar(255) DEFAULT NULL, - `account_password` varchar(255) DEFAULT '', - `base_dn` varchar(255) DEFAULT NULL, - `attr_login` varchar(30) DEFAULT NULL, - `attr_firstname` varchar(30) DEFAULT NULL, - `attr_lastname` varchar(30) DEFAULT NULL, - `attr_mail` varchar(30) DEFAULT NULL, - `onthefly_register` tinyint(1) 
NOT NULL DEFAULT '0', - `tls` tinyint(1) NOT NULL DEFAULT '0', - `filter` text, - `timeout` int(11) DEFAULT NULL, - `verify_peer` tinyint(1) NOT NULL DEFAULT '1', - PRIMARY KEY (`id`), - KEY `index_auth_sources_on_id_and_type` (`id`,`type`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `auth_sources` --- - -LOCK TABLES `auth_sources` WRITE; -/*!40000 ALTER TABLE `auth_sources` DISABLE KEYS */; -/*!40000 ALTER TABLE `auth_sources` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `boards` --- - -DROP TABLE IF EXISTS `boards`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `boards` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL, - `name` varchar(255) NOT NULL DEFAULT '', - `description` varchar(255) DEFAULT NULL, - `position` int(11) DEFAULT NULL, - `topics_count` int(11) NOT NULL DEFAULT '0', - `messages_count` int(11) NOT NULL DEFAULT '0', - `last_message_id` int(11) DEFAULT NULL, - `parent_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `boards_project_id` (`project_id`), - KEY `index_boards_on_last_message_id` (`last_message_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `boards` --- - -LOCK TABLES `boards` WRITE; -/*!40000 ALTER TABLE `boards` DISABLE KEYS */; -/*!40000 ALTER TABLE `boards` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `changes` --- - -DROP TABLE IF EXISTS `changes`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changes` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `changeset_id` int(11) NOT NULL, - `action` varchar(1) NOT NULL DEFAULT '', - `path` text NOT NULL, - `from_path` text, - `from_revision` varchar(255) DEFAULT NULL, - `revision` varchar(255) 
DEFAULT NULL, - `branch` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `changesets_changeset_id` (`changeset_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `changes` --- - -LOCK TABLES `changes` WRITE; -/*!40000 ALTER TABLE `changes` DISABLE KEYS */; -/*!40000 ALTER TABLE `changes` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `changeset_parents` --- - -DROP TABLE IF EXISTS `changeset_parents`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changeset_parents` ( - `changeset_id` int(11) NOT NULL, - `parent_id` int(11) NOT NULL, - KEY `changeset_parents_changeset_ids` (`changeset_id`), - KEY `changeset_parents_parent_ids` (`parent_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `changeset_parents` --- - -LOCK TABLES `changeset_parents` WRITE; -/*!40000 ALTER TABLE `changeset_parents` DISABLE KEYS */; -/*!40000 ALTER TABLE `changeset_parents` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `changesets` --- - -DROP TABLE IF EXISTS `changesets`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changesets` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `repository_id` int(11) NOT NULL, - `revision` varchar(255) NOT NULL, - `committer` varchar(255) DEFAULT NULL, - `committed_on` datetime NOT NULL, - `comments` longtext, - `commit_date` date DEFAULT NULL, - `scmid` varchar(255) DEFAULT NULL, - `user_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `changesets_repos_rev` (`repository_id`,`revision`), - KEY `index_changesets_on_user_id` (`user_id`), - KEY `index_changesets_on_repository_id` (`repository_id`), - KEY `index_changesets_on_committed_on` (`committed_on`), - KEY `changesets_repos_scmid` 
(`repository_id`,`scmid`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `changesets` --- - -LOCK TABLES `changesets` WRITE; -/*!40000 ALTER TABLE `changesets` DISABLE KEYS */; -/*!40000 ALTER TABLE `changesets` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `changesets_issues` --- - -DROP TABLE IF EXISTS `changesets_issues`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `changesets_issues` ( - `changeset_id` int(11) NOT NULL, - `issue_id` int(11) NOT NULL, - UNIQUE KEY `changesets_issues_ids` (`changeset_id`,`issue_id`), - KEY `index_changesets_issues_on_issue_id` (`issue_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `changesets_issues` --- - -LOCK TABLES `changesets_issues` WRITE; -/*!40000 ALTER TABLE `changesets_issues` DISABLE KEYS */; -/*!40000 ALTER TABLE `changesets_issues` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `comments` --- - -DROP TABLE IF EXISTS `comments`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `comments` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `commented_type` varchar(30) NOT NULL DEFAULT '', - `commented_id` int(11) NOT NULL DEFAULT '0', - `author_id` int(11) NOT NULL DEFAULT '0', - `content` text, - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - PRIMARY KEY (`id`), - KEY `index_comments_on_commented_id_and_commented_type` (`commented_id`,`commented_type`), - KEY `index_comments_on_author_id` (`author_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `comments` --- - -LOCK TABLES `comments` WRITE; -/*!40000 ALTER TABLE `comments` DISABLE KEYS */; -/*!40000 ALTER 
TABLE `comments` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `custom_field_enumerations` --- - -DROP TABLE IF EXISTS `custom_field_enumerations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_field_enumerations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `custom_field_id` int(11) NOT NULL, - `name` varchar(255) NOT NULL, - `active` tinyint(1) NOT NULL DEFAULT '1', - `position` int(11) NOT NULL DEFAULT '1', - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `custom_field_enumerations` --- - -LOCK TABLES `custom_field_enumerations` WRITE; -/*!40000 ALTER TABLE `custom_field_enumerations` DISABLE KEYS */; -/*!40000 ALTER TABLE `custom_field_enumerations` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `custom_fields` --- - -DROP TABLE IF EXISTS `custom_fields`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `type` varchar(30) NOT NULL DEFAULT '', - `name` varchar(30) NOT NULL DEFAULT '', - `field_format` varchar(30) NOT NULL DEFAULT '', - `possible_values` text, - `regexp` varchar(255) DEFAULT '', - `min_length` int(11) DEFAULT NULL, - `max_length` int(11) DEFAULT NULL, - `is_required` tinyint(1) NOT NULL DEFAULT '0', - `is_for_all` tinyint(1) NOT NULL DEFAULT '0', - `is_filter` tinyint(1) NOT NULL DEFAULT '0', - `position` int(11) DEFAULT NULL, - `searchable` tinyint(1) DEFAULT '0', - `default_value` text, - `editable` tinyint(1) DEFAULT '1', - `visible` tinyint(1) NOT NULL DEFAULT '1', - `multiple` tinyint(1) DEFAULT '0', - `format_store` text, - `description` text, - PRIMARY KEY (`id`), - KEY `index_custom_fields_on_id_and_type` (`id`,`type`) -) ENGINE=InnoDB AUTO_INCREMENT=27 DEFAULT CHARSET=latin1; -/*!40101 
SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `custom_fields` --- - -LOCK TABLES `custom_fields` WRITE; -/*!40000 ALTER TABLE `custom_fields` DISABLE KEYS */; -INSERT INTO `custom_fields` VALUES (1,'IssueCustomField','Title','string',NULL,'',NULL,NULL,0,1,1,1,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(2,'IssueCustomField','Author','string',NULL,'',NULL,NULL,0,1,1,2,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(3,'IssueCustomField','Objective','text',NULL,'',NULL,NULL,0,1,1,14,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nfull_width_layout: \'1\'\n',''),(4,'IssueCustomField','Operational Notes','text',NULL,'',NULL,NULL,0,1,0,15,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(5,'IssueCustomField','Result Analysis','text',NULL,'',NULL,NULL,0,1,0,16,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(6,'IssueCustomField','ElastAlert Config','text',NULL,'',NULL,NULL,0,1,0,17,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(7,'IssueCustomField','HiveID','string',NULL,'',NULL,NULL,0,1,1,13,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(8,'IssueCustomField','References','text',NULL,'',NULL,NULL,0,1,0,6,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'0\'\n',''),(9,'IssueCustomField','Sigma','text',NULL,'',NULL,NULL,0,1,0,18,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(10,'IssueCustomField','Level','list','---\n- 
low\n- medium\n- high\n- critical\n','',NULL,NULL,0,1,1,3,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(11,'IssueCustomField','PlayID','string',NULL,'',NULL,NULL,0,1,1,8,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(12,'IssueCustomField','Rule ID','string',NULL,'',NULL,NULL,0,1,1,9,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(13,'IssueCustomField','Playbook','list','---\n- Internal\n- imported\n- community\n','',NULL,NULL,0,1,1,4,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(15,'IssueCustomField','ATT&CK Technique','list','---\n- T1001\n- T1002\n- T1003\n- T1004\n- T1005\n- T1006\n- T1007\n- T1008\n- T1009\n- T1010\n- T1011\n- T1012\n- T1013\n- T1014\n- T1015\n- T1016\n- T1017\n- T1018\n- T1019\n- T1020\n- T1021\n- T1022\n- T1023\n- T1024\n- T1025\n- T1026\n- T1027\n- T1028\n- T1029\n- T1030\n- T1031\n- T1032\n- T1033\n- T1034\n- T1035\n- T1036\n- T1037\n- T1038\n- T1039\n- T1040\n- T1041\n- T1042\n- T1043\n- T1044\n- T1045\n- T1046\n- T1047\n- T1048\n- T1049\n- T1050\n- T1051\n- T1052\n- T1053\n- T1054\n- T1055\n- T1056\n- T1057\n- T1058\n- T1059\n- T1060\n- T1061\n- T1062\n- T1063\n- T1064\n- T1065\n- T1066\n- T1067\n- T1068\n- T1069\n- T1070\n- T1071\n- T1072\n- T1073\n- T1074\n- T1075\n- T1076\n- T1077\n- T1078\n- T1079\n- T1080\n- T1081\n- T1082\n- T1083\n- T1084\n- T1085\n- T1086\n- T1087\n- T1088\n- T1089\n- T1090\n- T1091\n- T1092\n- T1093\n- T1094\n- T1095\n- T1096\n- T1097\n- T1098\n- T1099\n- T1100\n- T1101\n- T1102\n- T1103\n- T1104\n- T1105\n- T1106\n- T1107\n- T1108\n- T1109\n- T1110\n- T1111\n- T1112\n- T1113\n- T1114\n- T1115\n- T1116\n- T1117\n- T1118\n- T1119\n- T1120\n- T1121\n- T1122\n- T1123\n- T1124\n- T1125\n- T1126\n- T1127\n- T1128\n- T1129\n- T1130\n- 
T1131\n- T1132\n- T1133\n- T1134\n- T1135\n- T1136\n- T1137\n- T1138\n- T1139\n- T1140\n- T1141\n- T1142\n- T1143\n- T1144\n- T1145\n- T1146\n- T1147\n- T1148\n- T1149\n- T1150\n- T1151\n- T1152\n- T1153\n- T1154\n- T1155\n- T1156\n- T1157\n- T1158\n- T1159\n- T1160\n- T1161\n- T1162\n- T1163\n- T1164\n- T1165\n- T1166\n- T1167\n- T1168\n- T1169\n- T1170\n- T1171\n- T1172\n- T1173\n- T1174\n- T1175\n- T1176\n- T1177\n- T1178\n- T1179\n- T1180\n- T1181\n- T1182\n- T1183\n- T1184\n- T1185\n- T1186\n- T1187\n- T1188\n- T1189\n- T1190\n- T1191\n- T1192\n- T1193\n- T1194\n- T1195\n- T1196\n- T1197\n- T1198\n- T1199\n- T1200\n- T1201\n- T1202\n- T1203\n- T1204\n- T1205\n- T1206\n- T1207\n- T1208\n- T1209\n- T1210\n- T1211\n- T1212\n- T1213\n- T1214\n- T1215\n- T1216\n- T1217\n- T1218\n- T1219\n- T1220\n- T1221\n- T1222\n- T1223\n- T1480\n- T1482\n- T1483\n- T1484\n- T1485\n- T1486\n- T1487\n- T1488\n- T1489\n- T1490\n- T1491\n- T1492\n- T1493\n- T1494\n- T1495\n- T1496\n- T1497\n- T1498\n- T1499\n- T1500\n- T1501\n- T1502\n- T1503\n- T1504\n- T1505\n- T1506\n- T1514\n- T1518\n- T1519\n- T1522\n- T1525\n- T1526\n- T1527\n- T1528\n- T1529\n- T1530\n- T1531\n- T1534\n- T1535\n- T1536\n- T1537\n- T1538\n- T1539\n- T1540\n- T1541\n- T1542\n- T1543\n- T1544\n- T1545\n- T1546\n- T1547\n- T1548\n- T1549\n- T1550\n- T1551\n- T1552\n- T1553\n- T1554\n- T1555\n- T1556\n- T1557\n- T1558\n- T1559\n- T1560\n- T1561\n- T1562\n- T1563\n- T1564\n- T1565\n- T1566\n- T1567\n- T1568\n- T1569\n- T1570\n- T1571\n- T1572\n- T1573\n- T1574\n- T1575\n- T1576\n- T1577\n- T1578\n- T1579\n- T1580\n- T1581\n- T1582\n- T1583\n- T1584\n- T1585\n- T1586\n- T1587\n- T1588\n- T1589\n- T1590\n- T1591\n- T1592\n- T1593\n- T1594\n- T1595\n- T1596\n- T1597\n- T1598\n- T1599\n- T1600\n- T1601\n- T1602\n- T1603\n- T1604\n- T1605\n- T1606\n- T1607\n- T1608\n- T1609\n- T1610\n- T1611\n- T1612\n- T1613\n- T1614\n- T1615\n- T1616\n- T1617\n- T1618\n- T1619\n- T1620\n- T1621\n- T1622\n- T1623\n- T1624\n- T1625\n- 
T1626\n- T1627\n- T1628\n- T1629\n- T1630\n- T1631\n- T1632\n- T1633\n- T1634\n- T1635\n- T1636\n- T1637\n- T1638\n- T1639\n- T1640\n- T1641\n- T1642\n- T1643\n- T1644\n- T1645\n- T1646\n- T1647\n- T1648\n- T1649\n- T1650\n- T1651\n- T1652\n- T1653\n- T1654\n- T1655\n- T1656\n- T1657\n- T1658\n- T1659\n- T1660\n- T1661\n- T1662\n- T1663\n- T1664\n- T1665\n- T1666\n- T1667\n- T1668\n- T1669\n- T1670\n- T1671\n- T1672\n- T1673\n- T1674\n- T1675\n- T1676\n- T1677\n- T1678\n- T1679\n- T1680\n- T1681\n- T1682\n- T1683\n- T1684\n- T1685\n- T1686\n- T1687\n- T1688\n- T1689\n- T1690\n- T1691\n- T1692\n- T1693\n- T1694\n- T1695\n- T1696\n- T1697\n- T1698\n- T1699\n- T1700\n- T1701\n- T1702\n- T1703\n- T1704\n- T1705\n- T1706\n- T1707\n- T1708\n- T1709\n- T1710\n- T1711\n- T1712\n- T1713\n- T1714\n- T1715\n- T1716\n- T1717\n- T1718\n- T1719\n- T1720\n- T1721\n- T1722\n- T1723\n- T1724\n- T1725\n- T1726\n- T1727\n- T1728\n- T1729\n- T1730\n- T1731\n- T1732\n- T1733\n- T1734\n- T1735\n- T1736\n- T1737\n- T1738\n- T1739\n- T1740\n- T1741\n- T1742\n- T1743\n- T1744\n- T1745\n- T1746\n- T1747\n- T1748\n- T1749\n- T1750\n- T1751\n- T1752\n','',NULL,NULL,0,1,1,7,0,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: https://attack.mitre.org/techniques/%value%\nedit_tag_style: \'\'\n',''),(17,'IssueCustomField','Case Analyzers','list','---\n- Urlscan_io_Search - ip,domain,hash,url\n- CERTatPassiveDNS - domain,fqdn,ip\n','',NULL,NULL,0,1,1,12,1,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(18,'IssueCustomField','Ruleset','string',NULL,'',NULL,NULL,0,1,1,10,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(19,'IssueCustomField','Group','string',NULL,'',NULL,NULL,0,1,1,11,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: 
\'\'\n',''),(20,'IssueCustomField','Product','string',NULL,'',NULL,NULL,0,1,1,5,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: \'\'\nurl_pattern: \'\'\n',''),(21,'IssueCustomField','Target Log','text',NULL,'',NULL,NULL,0,1,0,19,0,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\ntext_formatting: full\nfull_width_layout: \'1\'\n',''),(22,'IssueCustomField','Unit Test','list','---\n- Passed\n- Failed\n','',NULL,NULL,0,1,1,20,1,'',1,1,0,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: \'\'\nedit_tag_style: \'\'\n',''),(26,'IssueCustomField','License','list','---\n- Apache-2.0\n- BSD-2-Clause\n- BSD-3-Clause\n- CC0-1.0\n- CC-PDDC\n- DRL-1.0\n- LGPL-3.0-only\n- MIT License\n- GPL-2.0-only\n- GPL-3.0-only\n','',NULL,NULL,0,1,0,21,0,'',1,1,1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nurl_pattern: https://spdx.org/licenses/%value%.html\nedit_tag_style: \'\'\n',''); -/*!40000 ALTER TABLE `custom_fields` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `custom_fields_projects` --- - -DROP TABLE IF EXISTS `custom_fields_projects`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields_projects` ( - `custom_field_id` int(11) NOT NULL DEFAULT '0', - `project_id` int(11) NOT NULL DEFAULT '0', - UNIQUE KEY `index_custom_fields_projects_on_custom_field_id_and_project_id` (`custom_field_id`,`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `custom_fields_projects` --- - -LOCK TABLES `custom_fields_projects` WRITE; -/*!40000 ALTER TABLE `custom_fields_projects` DISABLE KEYS */; -/*!40000 ALTER TABLE `custom_fields_projects` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `custom_fields_roles` --- - -DROP TABLE IF EXISTS `custom_fields_roles`; -/*!40101 SET @saved_cs_client = 
@@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields_roles` ( - `custom_field_id` int(11) NOT NULL, - `role_id` int(11) NOT NULL, - UNIQUE KEY `custom_fields_roles_ids` (`custom_field_id`,`role_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `custom_fields_roles` --- - -LOCK TABLES `custom_fields_roles` WRITE; -/*!40000 ALTER TABLE `custom_fields_roles` DISABLE KEYS */; -/*!40000 ALTER TABLE `custom_fields_roles` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `custom_fields_trackers` --- - -DROP TABLE IF EXISTS `custom_fields_trackers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_fields_trackers` ( - `custom_field_id` int(11) NOT NULL DEFAULT '0', - `tracker_id` int(11) NOT NULL DEFAULT '0', - UNIQUE KEY `index_custom_fields_trackers_on_custom_field_id_and_tracker_id` (`custom_field_id`,`tracker_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `custom_fields_trackers` --- - -LOCK TABLES `custom_fields_trackers` WRITE; -/*!40000 ALTER TABLE `custom_fields_trackers` DISABLE KEYS */; -INSERT INTO `custom_fields_trackers` VALUES (1,1),(2,1),(3,1),(4,1),(5,1),(6,1),(7,1),(8,1),(9,1),(10,1),(11,1),(12,1),(13,1),(15,1),(17,1),(18,1),(19,1),(20,1),(21,1),(22,1),(26,1); -/*!40000 ALTER TABLE `custom_fields_trackers` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `custom_values` --- - -DROP TABLE IF EXISTS `custom_values`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `custom_values` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `customized_type` varchar(30) NOT NULL DEFAULT '', - `customized_id` int(11) NOT NULL DEFAULT '0', - `custom_field_id` int(11) NOT 
NULL DEFAULT '0', - `value` longtext, - PRIMARY KEY (`id`), - KEY `custom_values_customized` (`customized_type`,`customized_id`), - KEY `index_custom_values_on_custom_field_id` (`custom_field_id`) -) ENGINE=InnoDB AUTO_INCREMENT=145325 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `custom_values` --- - -LOCK TABLES `custom_values` WRITE; -/*!40000 ALTER TABLE `custom_values` DISABLE KEYS */; -/*!40000 ALTER TABLE `custom_values` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `documents` --- - -DROP TABLE IF EXISTS `documents`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `documents` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `category_id` int(11) NOT NULL DEFAULT '0', - `title` varchar(255) NOT NULL DEFAULT '', - `description` text, - `created_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `documents_project_id` (`project_id`), - KEY `index_documents_on_category_id` (`category_id`), - KEY `index_documents_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `documents` --- - -LOCK TABLES `documents` WRITE; -/*!40000 ALTER TABLE `documents` DISABLE KEYS */; -/*!40000 ALTER TABLE `documents` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `email_addresses` --- - -DROP TABLE IF EXISTS `email_addresses`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `email_addresses` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL, - `address` varchar(255) NOT NULL, - `is_default` tinyint(1) NOT NULL DEFAULT '0', - `notify` tinyint(1) NOT NULL DEFAULT '1', - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - PRIMARY KEY 
(`id`), - KEY `index_email_addresses_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `email_addresses` --- - -LOCK TABLES `email_addresses` WRITE; -/*!40000 ALTER TABLE `email_addresses` DISABLE KEYS */; -INSERT INTO `email_addresses` VALUES (1,1,'admin@example.net',1,1,'2020-04-26 13:08:38','2020-04-26 13:08:38'),(3,9,'automation@localhost.local',1,1,'2020-04-26 18:47:46','2020-04-26 18:47:46'); -/*!40000 ALTER TABLE `email_addresses` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `enabled_modules` --- - -DROP TABLE IF EXISTS `enabled_modules`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `enabled_modules` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) DEFAULT NULL, - `name` varchar(255) NOT NULL, - PRIMARY KEY (`id`), - KEY `enabled_modules_project_id` (`project_id`) -) ENGINE=InnoDB AUTO_INCREMENT=3 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `enabled_modules` --- - -LOCK TABLES `enabled_modules` WRITE; -/*!40000 ALTER TABLE `enabled_modules` DISABLE KEYS */; -INSERT INTO `enabled_modules` VALUES (1,1,'sigma_editor'),(2,1,'issue_tracking'); -/*!40000 ALTER TABLE `enabled_modules` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `enumerations` --- - -DROP TABLE IF EXISTS `enumerations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `enumerations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(30) NOT NULL DEFAULT '', - `position` int(11) DEFAULT NULL, - `is_default` tinyint(1) NOT NULL DEFAULT '0', - `type` varchar(255) DEFAULT NULL, - `active` tinyint(1) NOT NULL DEFAULT '1', - `project_id` int(11) DEFAULT NULL, - `parent_id` int(11) DEFAULT NULL, - 
`position_name` varchar(30) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_enumerations_on_project_id` (`project_id`), - KEY `index_enumerations_on_id_and_type` (`id`,`type`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `enumerations` --- - -LOCK TABLES `enumerations` WRITE; -/*!40000 ALTER TABLE `enumerations` DISABLE KEYS */; -INSERT INTO `enumerations` VALUES (1,'Normal',1,1,'IssuePriority',1,NULL,NULL,'default'); -/*!40000 ALTER TABLE `enumerations` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `groups_users` --- - -DROP TABLE IF EXISTS `groups_users`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `groups_users` ( - `group_id` int(11) NOT NULL, - `user_id` int(11) NOT NULL, - UNIQUE KEY `groups_users_ids` (`group_id`,`user_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `groups_users` --- - -LOCK TABLES `groups_users` WRITE; -/*!40000 ALTER TABLE `groups_users` DISABLE KEYS */; -INSERT INTO `groups_users` VALUES (6,9),(7,1); -/*!40000 ALTER TABLE `groups_users` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `import_items` --- - -DROP TABLE IF EXISTS `import_items`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `import_items` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `import_id` int(11) NOT NULL, - `position` int(11) NOT NULL, - `obj_id` int(11) DEFAULT NULL, - `message` text, - `unique_id` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_import_items_on_import_id_and_unique_id` (`import_id`,`unique_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `import_items` --- - -LOCK TABLES 
`import_items` WRITE; -/*!40000 ALTER TABLE `import_items` DISABLE KEYS */; -/*!40000 ALTER TABLE `import_items` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `imports` --- - -DROP TABLE IF EXISTS `imports`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `imports` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `type` varchar(255) DEFAULT NULL, - `user_id` int(11) NOT NULL, - `filename` varchar(255) DEFAULT NULL, - `settings` text, - `total_items` int(11) DEFAULT NULL, - `finished` tinyint(1) NOT NULL DEFAULT '0', - `created_at` datetime NOT NULL, - `updated_at` datetime NOT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `imports` --- - -LOCK TABLES `imports` WRITE; -/*!40000 ALTER TABLE `imports` DISABLE KEYS */; -/*!40000 ALTER TABLE `imports` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `issue_categories` --- - -DROP TABLE IF EXISTS `issue_categories`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issue_categories` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `name` varchar(60) NOT NULL DEFAULT '', - `assigned_to_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `issue_categories_project_id` (`project_id`), - KEY `index_issue_categories_on_assigned_to_id` (`assigned_to_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `issue_categories` --- - -LOCK TABLES `issue_categories` WRITE; -/*!40000 ALTER TABLE `issue_categories` DISABLE KEYS */; -/*!40000 ALTER TABLE `issue_categories` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `issue_relations` --- - -DROP TABLE IF EXISTS `issue_relations`; -/*!40101 SET 
@saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issue_relations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `issue_from_id` int(11) NOT NULL, - `issue_to_id` int(11) NOT NULL, - `relation_type` varchar(255) NOT NULL DEFAULT '', - `delay` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `index_issue_relations_on_issue_from_id_and_issue_to_id` (`issue_from_id`,`issue_to_id`), - KEY `index_issue_relations_on_issue_from_id` (`issue_from_id`), - KEY `index_issue_relations_on_issue_to_id` (`issue_to_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `issue_relations` --- - -LOCK TABLES `issue_relations` WRITE; -/*!40000 ALTER TABLE `issue_relations` DISABLE KEYS */; -/*!40000 ALTER TABLE `issue_relations` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `issue_statuses` --- - -DROP TABLE IF EXISTS `issue_statuses`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issue_statuses` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(30) NOT NULL DEFAULT '', - `is_closed` tinyint(1) NOT NULL DEFAULT '0', - `position` int(11) DEFAULT NULL, - `default_done_ratio` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_issue_statuses_on_position` (`position`), - KEY `index_issue_statuses_on_is_closed` (`is_closed`) -) ENGINE=InnoDB AUTO_INCREMENT=7 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `issue_statuses` --- - -LOCK TABLES `issue_statuses` WRITE; -/*!40000 ALTER TABLE `issue_statuses` DISABLE KEYS */; -INSERT INTO `issue_statuses` VALUES (2,'Draft',0,1,NULL),(3,'Active',0,2,NULL),(4,'Inactive',0,3,NULL),(5,'Archived',0,4,NULL),(6,'Disabled',0,5,NULL); -/*!40000 ALTER TABLE `issue_statuses` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table 
`issues` --- - -DROP TABLE IF EXISTS `issues`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `issues` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `tracker_id` int(11) NOT NULL, - `project_id` int(11) NOT NULL, - `subject` varchar(255) NOT NULL DEFAULT '', - `description` longtext, - `due_date` date DEFAULT NULL, - `category_id` int(11) DEFAULT NULL, - `status_id` int(11) NOT NULL, - `assigned_to_id` int(11) DEFAULT NULL, - `priority_id` int(11) NOT NULL, - `fixed_version_id` int(11) DEFAULT NULL, - `author_id` int(11) NOT NULL, - `lock_version` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - `start_date` date DEFAULT NULL, - `done_ratio` int(11) NOT NULL DEFAULT '0', - `estimated_hours` float DEFAULT NULL, - `parent_id` int(11) DEFAULT NULL, - `root_id` int(11) DEFAULT NULL, - `lft` int(11) DEFAULT NULL, - `rgt` int(11) DEFAULT NULL, - `is_private` tinyint(1) NOT NULL DEFAULT '0', - `closed_on` datetime DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `issues_project_id` (`project_id`), - KEY `index_issues_on_status_id` (`status_id`), - KEY `index_issues_on_category_id` (`category_id`), - KEY `index_issues_on_assigned_to_id` (`assigned_to_id`), - KEY `index_issues_on_fixed_version_id` (`fixed_version_id`), - KEY `index_issues_on_tracker_id` (`tracker_id`), - KEY `index_issues_on_priority_id` (`priority_id`), - KEY `index_issues_on_author_id` (`author_id`), - KEY `index_issues_on_created_on` (`created_on`), - KEY `index_issues_on_root_id_and_lft_and_rgt` (`root_id`,`lft`,`rgt`), - KEY `index_issues_on_parent_id` (`parent_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `issues` --- - -LOCK TABLES `issues` WRITE; -/*!40000 ALTER TABLE `issues` DISABLE KEYS */; -/*!40000 ALTER TABLE `issues` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table 
structure for table `journal_details` --- - -DROP TABLE IF EXISTS `journal_details`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `journal_details` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `journal_id` int(11) NOT NULL DEFAULT '0', - `property` varchar(30) NOT NULL DEFAULT '', - `prop_key` varchar(30) NOT NULL DEFAULT '', - `old_value` longtext, - `value` longtext, - PRIMARY KEY (`id`), - KEY `journal_details_journal_id` (`journal_id`) -) ENGINE=InnoDB AUTO_INCREMENT=792 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `journal_details` --- - -LOCK TABLES `journal_details` WRITE; -/*!40000 ALTER TABLE `journal_details` DISABLE KEYS */; -/*!40000 ALTER TABLE `journal_details` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `journals` --- - -DROP TABLE IF EXISTS `journals`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `journals` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `journalized_id` int(11) NOT NULL DEFAULT '0', - `journalized_type` varchar(30) NOT NULL DEFAULT '', - `user_id` int(11) NOT NULL DEFAULT '0', - `notes` longtext, - `created_on` datetime NOT NULL, - `private_notes` tinyint(1) NOT NULL DEFAULT '0', - PRIMARY KEY (`id`), - KEY `journals_journalized_id` (`journalized_id`,`journalized_type`), - KEY `index_journals_on_user_id` (`user_id`), - KEY `index_journals_on_journalized_id` (`journalized_id`), - KEY `index_journals_on_created_on` (`created_on`) -) ENGINE=InnoDB AUTO_INCREMENT=9502 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `journals` --- - -LOCK TABLES `journals` WRITE; -/*!40000 ALTER TABLE `journals` DISABLE KEYS */; -/*!40000 ALTER TABLE `journals` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `member_roles` --- - 
-DROP TABLE IF EXISTS `member_roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `member_roles` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `member_id` int(11) NOT NULL, - `role_id` int(11) NOT NULL, - `inherited_from` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_member_roles_on_member_id` (`member_id`), - KEY `index_member_roles_on_role_id` (`role_id`), - KEY `index_member_roles_on_inherited_from` (`inherited_from`) -) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `member_roles` --- - -LOCK TABLES `member_roles` WRITE; -/*!40000 ALTER TABLE `member_roles` DISABLE KEYS */; -INSERT INTO `member_roles` VALUES (1,1,5,NULL),(2,2,3,NULL),(3,3,4,NULL),(4,4,5,1),(7,7,4,3); -/*!40000 ALTER TABLE `member_roles` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `members` --- - -DROP TABLE IF EXISTS `members`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `members` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL DEFAULT '0', - `project_id` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `mail_notification` tinyint(1) NOT NULL DEFAULT '0', - PRIMARY KEY (`id`), - UNIQUE KEY `index_members_on_user_id_and_project_id` (`user_id`,`project_id`), - KEY `index_members_on_user_id` (`user_id`), - KEY `index_members_on_project_id` (`project_id`) -) ENGINE=InnoDB AUTO_INCREMENT=8 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `members` --- - -LOCK TABLES `members` WRITE; -/*!40000 ALTER TABLE `members` DISABLE KEYS */; -INSERT INTO `members` VALUES (1,6,1,'2020-04-26 18:44:14',0),(2,5,1,'2020-04-26 18:44:23',0),(3,7,1,'2020-04-26 18:45:27',0),(4,9,1,'2020-04-26 18:47:51',0),(7,1,1,'2020-05-01 
16:42:56',0); -/*!40000 ALTER TABLE `members` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `messages` --- - -DROP TABLE IF EXISTS `messages`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `messages` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `board_id` int(11) NOT NULL, - `parent_id` int(11) DEFAULT NULL, - `subject` varchar(255) NOT NULL DEFAULT '', - `content` text, - `author_id` int(11) DEFAULT NULL, - `replies_count` int(11) NOT NULL DEFAULT '0', - `last_reply_id` int(11) DEFAULT NULL, - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - `locked` tinyint(1) DEFAULT '0', - `sticky` int(11) DEFAULT '0', - PRIMARY KEY (`id`), - KEY `messages_board_id` (`board_id`), - KEY `messages_parent_id` (`parent_id`), - KEY `index_messages_on_last_reply_id` (`last_reply_id`), - KEY `index_messages_on_author_id` (`author_id`), - KEY `index_messages_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `messages` --- - -LOCK TABLES `messages` WRITE; -/*!40000 ALTER TABLE `messages` DISABLE KEYS */; -/*!40000 ALTER TABLE `messages` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `news` --- - -DROP TABLE IF EXISTS `news`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `news` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) DEFAULT NULL, - `title` varchar(60) NOT NULL DEFAULT '', - `summary` varchar(255) DEFAULT '', - `description` text, - `author_id` int(11) NOT NULL DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - `comments_count` int(11) NOT NULL DEFAULT '0', - PRIMARY KEY (`id`), - KEY `news_project_id` (`project_id`), - KEY `index_news_on_author_id` (`author_id`), - KEY `index_news_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT 
CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `news` --- - -LOCK TABLES `news` WRITE; -/*!40000 ALTER TABLE `news` DISABLE KEYS */; -/*!40000 ALTER TABLE `news` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `open_id_authentication_associations` --- - -DROP TABLE IF EXISTS `open_id_authentication_associations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `open_id_authentication_associations` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `issued` int(11) DEFAULT NULL, - `lifetime` int(11) DEFAULT NULL, - `handle` varchar(255) DEFAULT NULL, - `assoc_type` varchar(255) DEFAULT NULL, - `server_url` blob, - `secret` blob, - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `open_id_authentication_associations` --- - -LOCK TABLES `open_id_authentication_associations` WRITE; -/*!40000 ALTER TABLE `open_id_authentication_associations` DISABLE KEYS */; -/*!40000 ALTER TABLE `open_id_authentication_associations` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `open_id_authentication_nonces` --- - -DROP TABLE IF EXISTS `open_id_authentication_nonces`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `open_id_authentication_nonces` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `timestamp` int(11) NOT NULL, - `server_url` varchar(255) DEFAULT NULL, - `salt` varchar(255) NOT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `open_id_authentication_nonces` --- - -LOCK TABLES `open_id_authentication_nonces` WRITE; -/*!40000 ALTER TABLE `open_id_authentication_nonces` DISABLE KEYS */; -/*!40000 ALTER TABLE 
`open_id_authentication_nonces` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `projects` --- - -DROP TABLE IF EXISTS `projects`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `projects` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(255) NOT NULL DEFAULT '', - `description` text, - `homepage` varchar(255) DEFAULT '', - `is_public` tinyint(1) NOT NULL DEFAULT '1', - `parent_id` int(11) DEFAULT NULL, - `created_on` timestamp NULL DEFAULT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - `identifier` varchar(255) DEFAULT NULL, - `status` int(11) NOT NULL DEFAULT '1', - `lft` int(11) DEFAULT NULL, - `rgt` int(11) DEFAULT NULL, - `inherit_members` tinyint(1) NOT NULL DEFAULT '0', - `default_version_id` int(11) DEFAULT NULL, - `default_assigned_to_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_projects_on_lft` (`lft`), - KEY `index_projects_on_rgt` (`rgt`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `projects` --- - -LOCK TABLES `projects` WRITE; -/*!40000 ALTER TABLE `projects` DISABLE KEYS */; -INSERT INTO `projects` VALUES (1,'Detection Playbooks','','',1,NULL,'2020-04-26 13:13:01','2020-07-10 19:33:53','detection-playbooks',1,1,2,0,NULL,NULL); -/*!40000 ALTER TABLE `projects` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `projects_trackers` --- - -DROP TABLE IF EXISTS `projects_trackers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `projects_trackers` ( - `project_id` int(11) NOT NULL DEFAULT '0', - `tracker_id` int(11) NOT NULL DEFAULT '0', - UNIQUE KEY `projects_trackers_unique` (`project_id`,`tracker_id`), - KEY `projects_trackers_project_id` (`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = 
@saved_cs_client */; - --- --- Dumping data for table `projects_trackers` --- - -LOCK TABLES `projects_trackers` WRITE; -/*!40000 ALTER TABLE `projects_trackers` DISABLE KEYS */; -INSERT INTO `projects_trackers` VALUES (1,1); -/*!40000 ALTER TABLE `projects_trackers` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `queries` --- - -DROP TABLE IF EXISTS `queries`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `queries` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) DEFAULT NULL, - `name` varchar(255) NOT NULL DEFAULT '', - `filters` text, - `user_id` int(11) NOT NULL DEFAULT '0', - `column_names` text, - `sort_criteria` text, - `group_by` varchar(255) DEFAULT NULL, - `type` varchar(255) DEFAULT NULL, - `visibility` int(11) DEFAULT '0', - `options` text, - PRIMARY KEY (`id`), - KEY `index_queries_on_project_id` (`project_id`), - KEY `index_queries_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=10 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `queries` --- - -LOCK TABLES `queries` WRITE; -/*!40000 ALTER TABLE `queries` DISABLE KEYS */; -INSERT INTO `queries` VALUES (3,1,'All Plays','---\ntracker_id:\n :operator: \"=\"\n :values:\n - \'1\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(4,NULL,'Inactive Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'4\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(5,NULL,'Draft Plays','---\nstatus_id:\n :operator: \"=\"\n :values:\n - \'2\'\n',1,NULL,'---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: 
\n:draw_selected_columns: \n'),(6,NULL,'Playbook - Community Sigma','---\ncf_13:\n :operator: \"=\"\n :values:\n - community\n',1,'---\n- :status\n- :cf_10\n- :cf_18\n- :cf_19\n- :cf_20\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(8,NULL,'Playbook - Internal','---\ncf_13:\n :operator: \"=\"\n :values:\n - Internal\n',1,'---\n- :status\n- :cf_10\n- :cf_14\n- :cf_16\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'),(9,NULL,'Active Plays','---\ntracker_id:\n :operator: \"=\"\n :values:\n - \'1\'\nstatus_id:\n :operator: \"=\"\n :values:\n - \'3\'\n',1,'---\n- :status\n- :cf_10\n- :cf_13\n- :cf_18\n- :cf_19\n- :cf_1\n- :updated_on\n','---\n- - id\n - desc\n','','IssueQuery',2,'---\n:totalable_names: []\n:display_type: list\n:draw_relations: \n:draw_progress_line: \n:draw_selected_columns: \n'); -/*!40000 ALTER TABLE `queries` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `queries_roles` --- - -DROP TABLE IF EXISTS `queries_roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `queries_roles` ( - `query_id` int(11) NOT NULL, - `role_id` int(11) NOT NULL, - UNIQUE KEY `queries_roles_ids` (`query_id`,`role_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `queries_roles` --- - -LOCK TABLES `queries_roles` WRITE; -/*!40000 ALTER TABLE `queries_roles` DISABLE KEYS */; -/*!40000 ALTER TABLE `queries_roles` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `repositories` --- - -DROP TABLE IF EXISTS `repositories`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET 
character_set_client = utf8 */; -CREATE TABLE `repositories` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `url` varchar(255) NOT NULL DEFAULT '', - `login` varchar(60) DEFAULT '', - `password` varchar(255) DEFAULT '', - `root_url` varchar(255) DEFAULT '', - `type` varchar(255) DEFAULT NULL, - `path_encoding` varchar(64) DEFAULT NULL, - `log_encoding` varchar(64) DEFAULT NULL, - `extra_info` longtext, - `identifier` varchar(255) DEFAULT NULL, - `is_default` tinyint(1) DEFAULT '0', - `created_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_repositories_on_project_id` (`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `repositories` --- - -LOCK TABLES `repositories` WRITE; -/*!40000 ALTER TABLE `repositories` DISABLE KEYS */; -/*!40000 ALTER TABLE `repositories` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `roles` --- - -DROP TABLE IF EXISTS `roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `roles` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(255) NOT NULL DEFAULT '', - `position` int(11) DEFAULT NULL, - `assignable` tinyint(1) DEFAULT '1', - `builtin` int(11) NOT NULL DEFAULT '0', - `permissions` text, - `issues_visibility` varchar(30) NOT NULL DEFAULT 'default', - `users_visibility` varchar(30) NOT NULL DEFAULT 'all', - `time_entries_visibility` varchar(30) NOT NULL DEFAULT 'all', - `all_roles_managed` tinyint(1) NOT NULL DEFAULT '1', - `settings` text, - PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=6 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `roles` --- - -LOCK TABLES `roles` WRITE; -/*!40000 ALTER TABLE `roles` DISABLE KEYS */; -INSERT INTO `roles` VALUES (1,'Non member',0,1,1,NULL,'default','all','all',1,'--- 
!ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'0\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n'),(2,'Anonymous',0,1,2,'---\n- :view_issues\n- :edit_issues\n- :add_issue_notes\n- :sigma_editor\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n'),(3,'Security-Analyst',1,0,0,'---\n- :save_queries\n- :view_issues\n- :edit_issues\n- :add_issue_notes\n- :edit_issue_notes\n- :sigma_editor\n','all','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'),(4,'SuperAdmin',2,0,0,'---\n- :add_project\n- :edit_project\n- :close_project\n- :select_project_modules\n- :manage_members\n- :manage_versions\n- :add_subprojects\n- :manage_public_queries\n- :save_queries\n- :manage_hook\n- :view_messages\n- :add_messages\n- :edit_messages\n- :edit_own_messages\n- :delete_messages\n- :delete_own_messages\n- :manage_boards\n- :view_calendar\n- :view_documents\n- :add_documents\n- :edit_documents\n- :delete_documents\n- :view_files\n- :manage_files\n- :view_gantt\n- :view_issues\n- :edit_issues\n- 
:edit_own_issues\n- :copy_issues\n- :manage_issue_relations\n- :manage_subtasks\n- :set_issues_private\n- :set_own_issues_private\n- :add_issue_notes\n- :edit_issue_notes\n- :edit_own_issue_notes\n- :view_private_notes\n- :set_notes_private\n- :delete_issues\n- :view_issue_watchers\n- :add_issue_watchers\n- :delete_issue_watchers\n- :import_issues\n- :manage_categories\n- :view_news\n- :manage_news\n- :comment_news\n- :view_changesets\n- :browse_repository\n- :commit_access\n- :manage_related_issues\n- :manage_repository\n- :sigma_editor\n- :view_time_entries\n- :log_time\n- :edit_time_entries\n- :edit_own_time_entries\n- :manage_project_activities\n- :log_time_for_other_users\n- :import_time_entries\n- :view_wiki_pages\n- :view_wiki_edits\n- :export_wiki_pages\n- :edit_wiki_pages\n- :rename_wiki_pages\n- :delete_wiki_pages\n- :delete_wiki_pages_attachments\n- :protect_wiki_pages\n- :manage_wiki\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'),(5,'Automation',3,0,0,'---\n- :view_issues\n- :add_issues\n- :edit_issues\n- :add_issue_notes\n- :edit_issue_notes\n- :import_issues\n- :sigma_editor\n','default','all','all',1,'--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\npermissions_all_trackers: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: \'1\'\n add_issues: \'1\'\n edit_issues: \'1\'\n add_issue_notes: \'1\'\n delete_issues: \'1\'\npermissions_tracker_ids: !ruby/hash:ActiveSupport::HashWithIndifferentAccess\n view_issues: []\n add_issues: []\n edit_issues: []\n add_issue_notes: []\n delete_issues: []\n'); -/*!40000 ALTER TABLE `roles` ENABLE 
KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `roles_managed_roles` --- - -DROP TABLE IF EXISTS `roles_managed_roles`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `roles_managed_roles` ( - `role_id` int(11) NOT NULL, - `managed_role_id` int(11) NOT NULL, - UNIQUE KEY `index_roles_managed_roles_on_role_id_and_managed_role_id` (`role_id`,`managed_role_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `roles_managed_roles` --- - -LOCK TABLES `roles_managed_roles` WRITE; -/*!40000 ALTER TABLE `roles_managed_roles` DISABLE KEYS */; -/*!40000 ALTER TABLE `roles_managed_roles` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `schema_migrations` --- - -DROP TABLE IF EXISTS `schema_migrations`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `schema_migrations` ( - `version` varchar(255) NOT NULL, - PRIMARY KEY (`version`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `schema_migrations` --- - -LOCK TABLES `schema_migrations` WRITE; -/*!40000 ALTER TABLE `schema_migrations` DISABLE KEYS */; -INSERT INTO `schema_migrations` VALUES 
('1'),('1-redmine_webhook'),('10'),('100'),('101'),('102'),('103'),('104'),('105'),('106'),('107'),('108'),('11'),('12'),('13'),('14'),('15'),('16'),('17'),('18'),('19'),('2'),('20'),('20090214190337'),('20090312172426'),('20090312194159'),('20090318181151'),('20090323224724'),('20090401221305'),('20090401231134'),('20090403001910'),('20090406161854'),('20090425161243'),('20090503121501'),('20090503121505'),('20090503121510'),('20090614091200'),('20090704172350'),('20090704172355'),('20090704172358'),('20091010093521'),('20091017212227'),('20091017212457'),('20091017212644'),('20091017212938'),('20091017213027'),('20091017213113'),('20091017213151'),('20091017213228'),('20091017213257'),('20091017213332'),('20091017213444'),('20091017213536'),('20091017213642'),('20091017213716'),('20091017213757'),('20091017213835'),('20091017213910'),('20091017214015'),('20091017214107'),('20091017214136'),('20091017214236'),('20091017214308'),('20091017214336'),('20091017214406'),('20091017214440'),('20091017214519'),('20091017214611'),('20091017214644'),('20091017214720'),('20091017214750'),('20091025163651'),('20091108092559'),('20091114105931'),('20091123212029'),('20091205124427'),('20091220183509'),('20091220183727'),('20091220184736'),('20091225164732'),('20091227112908'),('20100129193402'),('20100129193813'),('20100221100219'),('20100313132032'),('20100313171051'),('20100705164950'),('20100819172912'),('20101104182107'),('20101107130441'),('20101114115114'),('20101114115359'),('20110220160626'),('20110223180944'),('20110223180953'),('20110224000000'),('20110226120112'),('20110226120132'),('20110227125750'),('20110228000000'),('20110228000100'),('20110401192910'),('20110408103312'),('20110412065600'),('20110511000000'),('20110902000000'),('20111201201315'),('20120115143024'),('20120115143100'),('20120115143126'),('20120127174243'),('20120205111326'),('20120223110929'),('20120301153455'),('20120422150750'),('20120705074331'),('20120707064544'),('20120714122000'),('2012071412
2100'),('20120714122200'),('20120731164049'),('20120930112914'),('20121026002032'),('20121026003537'),('20121209123234'),('20121209123358'),('20121213084931'),('20130110122628'),('20130201184705'),('20130202090625'),('20130207175206'),('20130207181455'),('20130215073721'),('20130215111127'),('20130215111141'),('20130217094251'),('20130602092539'),('20130710182539'),('20130713104233'),('20130713111657'),('20130729070143'),('20130911193200'),('20131004113137'),('20131005100610'),('20131124175346'),('20131210180802'),('20131214094309'),('20131215104612'),('20131218183023'),('20140228130325'),('20140903143914'),('20140920094058'),('20141029181752'),('20141029181824'),('20141109112308'),('20141122124142'),('20150113194759'),('20150113211532'),('20150113213922'),('20150113213955'),('20150208105930'),('20150510083747'),('20150525103953'),('20150526183158'),('20150528084820'),('20150528092912'),('20150528093249'),('20150725112753'),('20150730122707'),('20150730122735'),('20150921204850'),('20150921210243'),('20151020182334'),('20151020182731'),('20151021184614'),('20151021185456'),('20151021190616'),('20151024082034'),('20151025072118'),('20151031095005'),('20160404080304'),('20160416072926'),('20160529063352'),('20161001122012'),('20161002133421'),('20161010081301'),('20161010081528'),('20161010081600'),('20161126094932'),('20161220091118'),('20170207050700'),('20170302015225'),('20170309214320'),('20170320051650'),('20170418090031'),('20170419144536'),('20170723112801'),('20180501132547'),('20180913072918'),('20180923082945'),('20180923091603'),('20190315094151'),('20190315102101'),('20190510070108'),('20190620135549'),('21'),('22'),('23'),('24'),('25'),('26'),('27'),('28'),('29'),('3'),('30'),('31'),('32'),('33'),('34'),('35'),('36'),('37'),('38'),('39'),('4'),('40'),('41'),('42'),('43'),('44'),('45'),('46'),('47'),('48'),('49'),('5'),('50'),('51'),('52'),('53'),('54'),('55'),('56'),('57'),('58'),('59'),('6'),('60'),('61'),('62'),('63'),('64'),('65'),('66'),('67'),('68')
,('69'),('7'),('70'),('71'),('72'),('73'),('74'),('75'),('76'),('77'),('78'),('79'),('8'),('80'),('81'),('82'),('83'),('84'),('85'),('86'),('87'),('88'),('89'),('9'),('90'),('91'),('92'),('93'),('94'),('95'),('96'),('97'),('98'),('99'); -/*!40000 ALTER TABLE `schema_migrations` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `settings` --- - -DROP TABLE IF EXISTS `settings`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `settings` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(255) NOT NULL DEFAULT '', - `value` text, - `updated_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_settings_on_name` (`name`) -) ENGINE=InnoDB AUTO_INCREMENT=71 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `settings` --- - -LOCK TABLES `settings` WRITE; -/*!40000 ALTER TABLE `settings` DISABLE KEYS */; -INSERT INTO `settings` VALUES (1,'ui_theme','circle','2020-04-26 13:11:26'),(2,'default_language','en','2020-04-26 13:11:26'),(3,'force_default_language_for_anonymous','0','2020-04-26 13:11:26'),(4,'force_default_language_for_loggedin','0','2020-04-26 13:11:26'),(5,'start_of_week','','2020-04-26 13:11:26'),(6,'date_format','','2020-04-26 13:11:26'),(7,'time_format','','2020-04-26 13:11:26'),(8,'timespan_format','decimal','2020-04-26 13:11:26'),(9,'user_format','firstname_lastname','2020-05-02 12:45:00'),(10,'gravatar_enabled','1','2020-05-02 12:41:07'),(11,'thumbnails_enabled','1','2020-04-26 13:11:26'),(12,'thumbnails_size','100','2020-04-26 13:11:26'),(13,'new_item_menu_tab','0','2020-04-26 13:11:30'),(14,'login_required','0','2020-07-10 19:32:45'),(15,'autologin','0','2020-04-26 13:11:54'),(16,'self_registration','0','2020-04-26 13:11:54'),(17,'show_custom_fields_on_registration','0','2020-04-26 13:11:54'),(18,'password_min_length','8','2020-04-26 
13:11:54'),(19,'password_required_char_classes','--- []\n','2020-04-26 13:11:54'),(20,'password_max_age','0','2020-04-26 13:11:54'),(21,'lost_password','1','2020-04-26 13:11:54'),(22,'openid','0','2020-04-26 13:11:55'),(23,'session_lifetime','0','2020-04-26 13:11:55'),(24,'session_timeout','0','2020-04-26 13:11:55'),(25,'rest_api_enabled','1','2020-04-26 13:11:58'),(26,'jsonp_enabled','0','2020-04-26 13:11:58'),(27,'default_projects_public','0','2020-04-26 13:12:21'),(28,'default_projects_modules','---\n- sigma_editor\n','2020-04-26 13:12:21'),(29,'default_projects_tracker_ids','--- []\n','2020-04-26 13:12:21'),(30,'sequential_project_identifiers','0','2020-04-26 13:12:21'),(31,'project_list_defaults','---\n:column_names:\n- name\n- identifier\n- short_description\n','2020-04-26 13:12:21'),(32,'app_title','Playbook','2020-04-26 18:17:51'),(33,'welcome_text','','2020-04-26 18:17:51'),(34,'per_page_options','25,75,150','2020-05-02 12:41:38'),(35,'search_results_per_page','10','2020-04-26 18:17:51'),(36,'activity_days_default','30','2020-04-26 18:17:51'),(37,'host_name','localhost:3000','2020-04-26 18:17:51'),(38,'protocol','http','2020-04-26 18:17:51'),(39,'text_formatting','textile','2020-04-26 18:17:51'),(40,'cache_formatted_text','0','2020-04-26 18:17:51'),(41,'wiki_compression','','2020-04-26 18:17:51'),(42,'feeds_limit','15','2020-04-26 18:17:51'),(43,'plugin_redmine_playbook','--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess\nproject: \'1\'\nconvert_url: http://10.66.166.135:7000/playbook/sigmac\ncreate_url: http://10.66.166.135:7000/playbook/play','2020-05-02 12:39:20'),(44,'cross_project_issue_relations','0','2020-05-01 16:27:33'),(45,'link_copied_issue','no','2020-05-01 16:27:33'),(46,'cross_project_subtasks','','2020-05-01 16:27:33'),(47,'close_duplicate_issues','0','2020-05-01 16:27:33'),(48,'issue_group_assignment','0','2020-05-01 16:27:33'),(49,'default_issue_start_date_to_creation_date','1','2020-05-01 
16:27:33'),(50,'display_subprojects_issues','0','2020-05-01 16:27:33'),(51,'issue_done_ratio','issue_field','2020-05-01 16:27:33'),(52,'non_working_week_days','---\n- \'6\'\n- \'7\'\n','2020-05-01 16:27:33'),(53,'issues_export_limit','500','2020-05-01 16:27:33'),(54,'gantt_items_limit','500','2020-05-01 16:27:33'),(55,'gantt_months_limit','24','2020-05-01 16:27:33'),(56,'parent_issue_dates','derived','2020-05-01 16:27:33'),(57,'parent_issue_priority','derived','2020-05-01 16:27:33'),(58,'parent_issue_done_ratio','derived','2020-05-01 16:27:33'),(59,'issue_list_default_columns','---\n- status\n- cf_10\n- cf_13\n- cf_14\n- cf_1\n- updated_on\n','2020-05-01 19:32:13'),(60,'issue_list_default_totals','--- []\n','2020-05-01 16:27:33'),(61,'enabled_scm','--- []\n','2020-05-01 16:27:47'),(62,'autofetch_changesets','0','2020-05-01 16:27:47'),(63,'sys_api_enabled','0','2020-05-01 16:27:47'),(64,'repository_log_display_limit','100','2020-05-01 16:27:47'),(65,'commit_logs_formatting','1','2020-05-01 16:27:47'),(66,'commit_ref_keywords','refs,references,IssueID','2020-05-01 16:27:47'),(67,'commit_cross_project_ref','0','2020-05-01 16:27:47'),(68,'commit_logtime_enabled','0','2020-05-01 16:27:47'),(69,'commit_update_keywords','--- []\n','2020-05-01 16:27:47'),(70,'gravatar_default','','2020-05-02 12:41:07'); -/*!40000 ALTER TABLE `settings` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `time_entries` --- - -DROP TABLE IF EXISTS `time_entries`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `time_entries` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL, - `author_id` int(11) DEFAULT NULL, - `user_id` int(11) NOT NULL, - `issue_id` int(11) DEFAULT NULL, - `hours` float NOT NULL, - `comments` varchar(1024) DEFAULT NULL, - `activity_id` int(11) NOT NULL, - `spent_on` date NOT NULL, - `tyear` int(11) NOT NULL, - `tmonth` int(11) NOT NULL, - `tweek` int(11) NOT 
NULL, - `created_on` datetime NOT NULL, - `updated_on` datetime NOT NULL, - PRIMARY KEY (`id`), - KEY `time_entries_project_id` (`project_id`), - KEY `time_entries_issue_id` (`issue_id`), - KEY `index_time_entries_on_activity_id` (`activity_id`), - KEY `index_time_entries_on_user_id` (`user_id`), - KEY `index_time_entries_on_created_on` (`created_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `time_entries` --- - -LOCK TABLES `time_entries` WRITE; -/*!40000 ALTER TABLE `time_entries` DISABLE KEYS */; -/*!40000 ALTER TABLE `time_entries` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `tokens` --- - -DROP TABLE IF EXISTS `tokens`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `tokens` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL DEFAULT '0', - `action` varchar(30) NOT NULL DEFAULT '', - `value` varchar(40) NOT NULL DEFAULT '', - `created_on` datetime NOT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - PRIMARY KEY (`id`), - UNIQUE KEY `tokens_value` (`value`), - KEY `index_tokens_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=67 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `tokens` --- - -LOCK TABLES `tokens` WRITE; -/*!40000 ALTER TABLE `tokens` DISABLE KEYS */; -INSERT INTO `tokens` VALUES (3,1,'feeds','6e5575602e1227c188cd85ef6d12608bb8701193','2020-04-26 13:10:46','2020-04-26 13:10:46'),(4,1,'session','999412fa9badda7423c6c654d6364c32c20b3eac','2020-04-26 18:07:03','2020-04-26 18:12:02'),(5,1,'session','124ad4acbf87a942426350e7ad028c1d119c3851','2020-04-26 18:17:11','2020-04-26 18:19:24'),(9,1,'session','2890c663e0552f26ddb92acad6ab3b6d05b92915','2020-04-26 18:51:15','2020-04-26 18:51:15'),(19,1,'session','b7ffb106ea0b34650dd9c1770f74c2b0ffe166b2','2020-05-01 
16:52:33','2020-05-01 18:02:30'),(20,1,'session','f44cfcf918eef59ffda47991c431d9c2b2ac6113','2020-05-01 18:05:56','2020-05-01 18:05:56'),(23,9,'feeds','211918c9d7168979b5dc19bebb14573b928a5067','2020-05-01 18:26:17','2020-05-01 18:26:17'),(25,9,'api','de6639318502476f2fa5aa06f43f51fb389a3d7f','2020-05-01 18:26:31','2020-05-01 18:26:31'),(46,1,'session','2d0c8f8ae641c06d8c2362746846440d465d53c0','2020-05-06 20:48:01','2020-05-06 20:48:07'),(59,1,'session','2afe6590653d59a697d1436729c64f322a2eff82','2020-07-01 18:11:07','2020-07-01 20:30:43'),(61,1,'session','b01f95709ca1ab086a049cf9c5afd81ca9d4526e','2020-07-15 16:30:42','2020-07-15 16:31:40'),(62,1,'session','d29acdcd0b8e4ebf78ef8f696d3e76df7e2ab2ac','2020-08-17 14:51:59','2020-08-17 14:53:22'); -/*!40000 ALTER TABLE `tokens` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `trackers` --- - -DROP TABLE IF EXISTS `trackers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `trackers` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `name` varchar(30) NOT NULL DEFAULT '', - `description` varchar(255) DEFAULT NULL, - `is_in_chlog` tinyint(1) NOT NULL DEFAULT '0', - `position` int(11) DEFAULT NULL, - `is_in_roadmap` tinyint(1) NOT NULL DEFAULT '1', - `fields_bits` int(11) DEFAULT '0', - `default_status_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `trackers` --- - -LOCK TABLES `trackers` WRITE; -/*!40000 ALTER TABLE `trackers` DISABLE KEYS */; -INSERT INTO `trackers` VALUES (1,'Play','',0,1,0,255,2); -/*!40000 ALTER TABLE `trackers` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `user_preferences` --- - -DROP TABLE IF EXISTS `user_preferences`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE 
`user_preferences` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `user_id` int(11) NOT NULL DEFAULT '0', - `others` text, - `hide_mail` tinyint(1) DEFAULT '1', - `time_zone` varchar(255) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_user_preferences_on_user_id` (`user_id`) -) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `user_preferences` --- - -LOCK TABLES `user_preferences` WRITE; -/*!40000 ALTER TABLE `user_preferences` DISABLE KEYS */; -INSERT INTO `user_preferences` VALUES (1,1,'---\n:no_self_notified: \'1\'\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:recently_used_project_ids: \'1\'\n',1,''),(3,9,'---\n:no_self_notified: \'1\'\n:comments_sorting: asc\n:warn_on_leaving_unsaved: \'1\'\n:textarea_font: \'\'\n:recently_used_projects: 3\n:history_default_tab: notes\n:my_page_layout:\n left:\n - issuesassignedtome\n right:\n - issuesreportedbyme\n:my_page_settings: {}\n:recently_used_project_ids: \'1\'\n',1,''); -/*!40000 ALTER TABLE `user_preferences` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `users` --- - -DROP TABLE IF EXISTS `users`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `users` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `login` varchar(255) NOT NULL DEFAULT '', - `hashed_password` varchar(40) NOT NULL DEFAULT '', - `firstname` varchar(30) NOT NULL DEFAULT '', - `lastname` varchar(255) NOT NULL DEFAULT '', - `admin` tinyint(1) NOT NULL DEFAULT '0', - `status` int(11) NOT NULL DEFAULT '1', - `last_login_on` datetime DEFAULT NULL, - `language` varchar(5) DEFAULT '', - `auth_source_id` int(11) DEFAULT NULL, - `created_on` timestamp NULL DEFAULT NULL, - 
`updated_on` timestamp NULL DEFAULT NULL, - `type` varchar(255) DEFAULT NULL, - `identity_url` varchar(255) DEFAULT NULL, - `mail_notification` varchar(255) NOT NULL DEFAULT '', - `salt` varchar(64) DEFAULT NULL, - `must_change_passwd` tinyint(1) NOT NULL DEFAULT '0', - `passwd_changed_on` datetime DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `index_users_on_id_and_type` (`id`,`type`), - KEY `index_users_on_auth_source_id` (`auth_source_id`), - KEY `index_users_on_type` (`type`) -) ENGINE=InnoDB AUTO_INCREMENT=10 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `users` --- - -LOCK TABLES `users` WRITE; -/*!40000 ALTER TABLE `users` DISABLE KEYS */; -INSERT INTO `users` VALUES (1,'admin','95535e9f7a386c412f20134ebb869c00cf346477','Admin','Admin',1,1,'2020-08-17 18:03:20','',NULL,'2020-04-26 13:08:34','2020-04-26 13:10:45','User',NULL,'all','5ceb2c95ce1593d4ba034d385ceefb2f',0,'2020-04-26 13:10:27'),(2,'','','','Anonymous users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupAnonymous',NULL,'',NULL,0,NULL),(3,'','','','Non member users',0,1,NULL,'',NULL,'2020-04-26 13:08:38','2020-04-26 13:08:38','GroupNonMember',NULL,'',NULL,0,NULL),(4,'','','','Anonymous',0,0,NULL,'',NULL,'2020-04-26 13:09:44','2020-04-26 13:09:44','AnonymousUser',NULL,'only_my_events',NULL,0,NULL),(5,'','','','Analysts',0,1,NULL,'',NULL,'2020-04-26 18:43:40','2020-04-26 18:43:40','Group',NULL,'',NULL,0,NULL),(6,'','','','Automation',0,1,NULL,'',NULL,'2020-04-26 18:43:47','2020-04-26 18:43:47','Group',NULL,'',NULL,0,NULL),(7,'','','','Admins',0,1,NULL,'',NULL,'2020-04-26 18:43:58','2020-04-26 18:43:58','Group',NULL,'',NULL,0,NULL),(9,'automation','d2e7d78af1f0c0637765ae8cf1a359c4a30034c9','SecOps','Automation',0,1,'2020-05-01 18:26:17','en',NULL,'2020-04-26 18:47:46','2020-05-01 18:26:10','User',NULL,'none','41043e596f70e327e34fc99c861f5b31',0,'2020-05-01 18:26:10'); -/*!40000 ALTER TABLE `users` ENABLE KEYS */; 
-UNLOCK TABLES; - --- --- Table structure for table `versions` --- - -DROP TABLE IF EXISTS `versions`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `versions` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL DEFAULT '0', - `name` varchar(255) NOT NULL DEFAULT '', - `description` varchar(255) DEFAULT '', - `effective_date` date DEFAULT NULL, - `created_on` timestamp NULL DEFAULT NULL, - `updated_on` timestamp NULL DEFAULT NULL, - `wiki_page_title` varchar(255) DEFAULT NULL, - `status` varchar(255) DEFAULT 'open', - `sharing` varchar(255) NOT NULL DEFAULT 'none', - PRIMARY KEY (`id`), - KEY `versions_project_id` (`project_id`), - KEY `index_versions_on_sharing` (`sharing`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `versions` --- - -LOCK TABLES `versions` WRITE; -/*!40000 ALTER TABLE `versions` DISABLE KEYS */; -/*!40000 ALTER TABLE `versions` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `watchers` --- - -DROP TABLE IF EXISTS `watchers`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `watchers` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `watchable_type` varchar(255) NOT NULL DEFAULT '', - `watchable_id` int(11) NOT NULL DEFAULT '0', - `user_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `watchers_user_id_type` (`user_id`,`watchable_type`), - KEY `index_watchers_on_user_id` (`user_id`), - KEY `index_watchers_on_watchable_id_and_watchable_type` (`watchable_id`,`watchable_type`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `watchers` --- - -LOCK TABLES `watchers` WRITE; -/*!40000 ALTER TABLE `watchers` DISABLE KEYS */; -/*!40000 ALTER TABLE `watchers` ENABLE KEYS */; -UNLOCK TABLES; - --- --- 
Table structure for table `webhooks` --- - -DROP TABLE IF EXISTS `webhooks`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `webhooks` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `url` varchar(255) DEFAULT NULL, - `project_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`) -) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `webhooks` --- - -LOCK TABLES `webhooks` WRITE; -/*!40000 ALTER TABLE `webhooks` DISABLE KEYS */; -INSERT INTO `webhooks` VALUES (1,'http://10.66.166.135:7000/playbook/webhook',1); -/*!40000 ALTER TABLE `webhooks` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `wiki_content_versions` --- - -DROP TABLE IF EXISTS `wiki_content_versions`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wiki_content_versions` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `wiki_content_id` int(11) NOT NULL, - `page_id` int(11) NOT NULL, - `author_id` int(11) DEFAULT NULL, - `data` longblob, - `compression` varchar(6) DEFAULT '', - `comments` varchar(1024) DEFAULT '', - `updated_on` datetime NOT NULL, - `version` int(11) NOT NULL, - PRIMARY KEY (`id`), - KEY `wiki_content_versions_wcid` (`wiki_content_id`), - KEY `index_wiki_content_versions_on_updated_on` (`updated_on`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `wiki_content_versions` --- - -LOCK TABLES `wiki_content_versions` WRITE; -/*!40000 ALTER TABLE `wiki_content_versions` DISABLE KEYS */; -/*!40000 ALTER TABLE `wiki_content_versions` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `wiki_contents` --- - -DROP TABLE IF EXISTS `wiki_contents`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; 
-CREATE TABLE `wiki_contents` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `page_id` int(11) NOT NULL, - `author_id` int(11) DEFAULT NULL, - `text` longtext, - `comments` varchar(1024) DEFAULT '', - `updated_on` datetime NOT NULL, - `version` int(11) NOT NULL, - PRIMARY KEY (`id`), - KEY `wiki_contents_page_id` (`page_id`), - KEY `index_wiki_contents_on_author_id` (`author_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `wiki_contents` --- - -LOCK TABLES `wiki_contents` WRITE; -/*!40000 ALTER TABLE `wiki_contents` DISABLE KEYS */; -/*!40000 ALTER TABLE `wiki_contents` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `wiki_pages` --- - -DROP TABLE IF EXISTS `wiki_pages`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wiki_pages` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `wiki_id` int(11) NOT NULL, - `title` varchar(255) NOT NULL, - `created_on` datetime NOT NULL, - `protected` tinyint(1) NOT NULL DEFAULT '0', - `parent_id` int(11) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `wiki_pages_wiki_id_title` (`wiki_id`,`title`), - KEY `index_wiki_pages_on_wiki_id` (`wiki_id`), - KEY `index_wiki_pages_on_parent_id` (`parent_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `wiki_pages` --- - -LOCK TABLES `wiki_pages` WRITE; -/*!40000 ALTER TABLE `wiki_pages` DISABLE KEYS */; -/*!40000 ALTER TABLE `wiki_pages` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `wiki_redirects` --- - -DROP TABLE IF EXISTS `wiki_redirects`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wiki_redirects` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `wiki_id` int(11) NOT NULL, - `title` varchar(255) DEFAULT NULL, - `redirects_to` varchar(255) 
DEFAULT NULL, - `created_on` datetime NOT NULL, - `redirects_to_wiki_id` int(11) NOT NULL, - PRIMARY KEY (`id`), - KEY `wiki_redirects_wiki_id_title` (`wiki_id`,`title`), - KEY `index_wiki_redirects_on_wiki_id` (`wiki_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `wiki_redirects` --- - -LOCK TABLES `wiki_redirects` WRITE; -/*!40000 ALTER TABLE `wiki_redirects` DISABLE KEYS */; -/*!40000 ALTER TABLE `wiki_redirects` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `wikis` --- - -DROP TABLE IF EXISTS `wikis`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `wikis` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `project_id` int(11) NOT NULL, - `start_page` varchar(255) NOT NULL, - `status` int(11) NOT NULL DEFAULT '1', - PRIMARY KEY (`id`), - KEY `wikis_project_id` (`project_id`) -) ENGINE=InnoDB DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `wikis` --- - -LOCK TABLES `wikis` WRITE; -/*!40000 ALTER TABLE `wikis` DISABLE KEYS */; -/*!40000 ALTER TABLE `wikis` ENABLE KEYS */; -UNLOCK TABLES; - --- --- Table structure for table `workflows` --- - -DROP TABLE IF EXISTS `workflows`; -/*!40101 SET @saved_cs_client = @@character_set_client */; -/*!40101 SET character_set_client = utf8 */; -CREATE TABLE `workflows` ( - `id` int(11) NOT NULL AUTO_INCREMENT, - `tracker_id` int(11) NOT NULL DEFAULT '0', - `old_status_id` int(11) NOT NULL DEFAULT '0', - `new_status_id` int(11) NOT NULL DEFAULT '0', - `role_id` int(11) NOT NULL DEFAULT '0', - `assignee` tinyint(1) NOT NULL DEFAULT '0', - `author` tinyint(1) NOT NULL DEFAULT '0', - `type` varchar(30) DEFAULT NULL, - `field_name` varchar(30) DEFAULT NULL, - `rule` varchar(30) DEFAULT NULL, - PRIMARY KEY (`id`), - KEY `wkfs_role_tracker_old_status` (`role_id`,`tracker_id`,`old_status_id`), - 
KEY `index_workflows_on_old_status_id` (`old_status_id`), - KEY `index_workflows_on_role_id` (`role_id`), - KEY `index_workflows_on_new_status_id` (`new_status_id`), - KEY `index_workflows_on_tracker_id` (`tracker_id`) -) ENGINE=InnoDB AUTO_INCREMENT=652 DEFAULT CHARSET=latin1; -/*!40101 SET character_set_client = @saved_cs_client */; - --- --- Dumping data for table `workflows` --- - -LOCK TABLES `workflows` WRITE; -/*!40000 ALTER TABLE `workflows` DISABLE KEYS */; -INSERT INTO `workflows` VALUES (132,1,2,0,3,0,0,'WorkflowPermission','14','readonly'),(134,1,2,0,3,0,0,'WorkflowPermission','16','readonly'),(151,1,3,0,3,0,0,'WorkflowPermission','14','readonly'),(153,1,3,0,3,0,0,'WorkflowPermission','16','readonly'),(170,1,4,0,3,0,0,'WorkflowPermission','14','readonly'),(172,1,4,0,3,0,0,'WorkflowPermission','16','readonly'),(189,1,5,0,3,0,0,'WorkflowPermission','14','readonly'),(191,1,5,0,3,0,0,'WorkflowPermission','16','readonly'),(208,1,6,0,3,0,0,'WorkflowPermission','14','readonly'),(210,1,6,0,3,0,0,'WorkflowPermission','16','readonly'),(220,1,2,3,3,0,0,'WorkflowTransition',NULL,NULL),(221,1,2,3,4,0,0,'WorkflowTransition',NULL,NULL),(222,1,2,3,5,0,0,'WorkflowTransition',NULL,NULL),(226,1,3,4,3,0,0,'WorkflowTransition',NULL,NULL),(227,1,3,4,4,0,0,'WorkflowTransition',NULL,NULL),(228,1,3,4,5,0,0,'WorkflowTransition',NULL,NULL),(229,1,4,5,3,0,0,'WorkflowTransition',NULL,NULL),(230,1,4,5,4,0,0,'WorkflowTransition',NULL,NULL),(231,1,4,5,5,0,0,'WorkflowTransition',NULL,NULL),(232,1,4,6,3,0,0,'WorkflowTransition',NULL,NULL),(233,1,4,6,4,0,0,'WorkflowTransition',NULL,NULL),(234,1,4,6,5,0,0,'WorkflowTransition',NULL,NULL),(239,1,2,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(240,1,3,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(241,1,4,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(242,1,5,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(243,1,6,0,4,0,0,'WorkflowPermission','priority_id','readonly'),(244,1,0,2,5,0,0,'WorkflowTransition',N
ULL,NULL),(245,1,0,2,4,0,0,'WorkflowTransition',NULL,NULL),(246,1,0,6,5,0,0,'WorkflowTransition',NULL,NULL),(352,1,2,0,3,0,0,'WorkflowPermission','project_id','readonly'),(353,1,2,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(354,1,2,0,3,0,0,'WorkflowPermission','subject','readonly'),(355,1,2,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(356,1,2,0,3,0,0,'WorkflowPermission','is_private','readonly'),(357,1,2,0,3,0,0,'WorkflowPermission','description','readonly'),(358,1,2,0,3,0,0,'WorkflowPermission','1','readonly'),(359,1,2,0,3,0,0,'WorkflowPermission','2','readonly'),(360,1,2,0,3,0,0,'WorkflowPermission','10','readonly'),(361,1,2,0,3,0,0,'WorkflowPermission','20','readonly'),(362,1,2,0,3,0,0,'WorkflowPermission','8','readonly'),(363,1,2,0,3,0,0,'WorkflowPermission','15','readonly'),(364,1,2,0,3,0,0,'WorkflowPermission','11','readonly'),(365,1,2,0,3,0,0,'WorkflowPermission','12','readonly'),(366,1,2,0,3,0,0,'WorkflowPermission','19','readonly'),(367,1,2,0,3,0,0,'WorkflowPermission','7','readonly'),(368,1,2,0,3,0,0,'WorkflowPermission','3','readonly'),(369,1,2,0,3,0,0,'WorkflowPermission','5','readonly'),(370,1,2,0,3,0,0,'WorkflowPermission','6','readonly'),(371,1,2,0,3,0,0,'WorkflowPermission','22','readonly'),(372,1,3,0,3,0,0,'WorkflowPermission','project_id','readonly'),(373,1,3,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(374,1,3,0,3,0,0,'WorkflowPermission','subject','readonly'),(375,1,3,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(376,1,3,0,3,0,0,'WorkflowPermission','is_private','readonly'),(377,1,3,0,3,0,0,'WorkflowPermission','description','readonly'),(378,1,3,0,3,0,0,'WorkflowPermission','1','readonly'),(379,1,3,0,3,0,0,'WorkflowPermission','2','readonly'),(380,1,3,0,3,0,0,'WorkflowPermission','10','readonly'),(381,1,3,0,3,0,0,'WorkflowPermission','20','readonly'),(382,1,3,0,3,0,0,'WorkflowPermission','8','readonly'),(383,1,3,0,3,0,0,'WorkflowPermission','15','readonly'),(384,1,3,0,3,0,0,'WorkflowPermission','11','read
only'),(385,1,3,0,3,0,0,'WorkflowPermission','12','readonly'),(386,1,3,0,3,0,0,'WorkflowPermission','19','readonly'),(387,1,3,0,3,0,0,'WorkflowPermission','7','readonly'),(388,1,3,0,3,0,0,'WorkflowPermission','3','readonly'),(389,1,3,0,3,0,0,'WorkflowPermission','5','readonly'),(390,1,3,0,3,0,0,'WorkflowPermission','6','readonly'),(391,1,3,0,3,0,0,'WorkflowPermission','22','readonly'),(392,1,4,0,3,0,0,'WorkflowPermission','project_id','readonly'),(393,1,4,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(394,1,4,0,3,0,0,'WorkflowPermission','subject','readonly'),(395,1,4,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(396,1,4,0,3,0,0,'WorkflowPermission','is_private','readonly'),(397,1,4,0,3,0,0,'WorkflowPermission','description','readonly'),(398,1,4,0,3,0,0,'WorkflowPermission','1','readonly'),(399,1,4,0,3,0,0,'WorkflowPermission','2','readonly'),(400,1,4,0,3,0,0,'WorkflowPermission','10','readonly'),(401,1,4,0,3,0,0,'WorkflowPermission','20','readonly'),(402,1,4,0,3,0,0,'WorkflowPermission','8','readonly'),(403,1,4,0,3,0,0,'WorkflowPermission','15','readonly'),(404,1,4,0,3,0,0,'WorkflowPermission','11','readonly'),(405,1,4,0,3,0,0,'WorkflowPermission','12','readonly'),(406,1,4,0,3,0,0,'WorkflowPermission','19','readonly'),(407,1,4,0,3,0,0,'WorkflowPermission','7','readonly'),(408,1,4,0,3,0,0,'WorkflowPermission','3','readonly'),(409,1,4,0,3,0,0,'WorkflowPermission','5','readonly'),(410,1,4,0,3,0,0,'WorkflowPermission','6','readonly'),(411,1,4,0,3,0,0,'WorkflowPermission','22','readonly'),(412,1,5,0,3,0,0,'WorkflowPermission','project_id','readonly'),(413,1,5,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(414,1,5,0,3,0,0,'WorkflowPermission','subject','readonly'),(415,1,5,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(416,1,5,0,3,0,0,'WorkflowPermission','is_private','readonly'),(417,1,5,0,3,0,0,'WorkflowPermission','description','readonly'),(418,1,5,0,3,0,0,'WorkflowPermission','1','readonly'),(419,1,5,0,3,0,0,'WorkflowPermission','2'
,'readonly'),(420,1,5,0,3,0,0,'WorkflowPermission','10','readonly'),(421,1,5,0,3,0,0,'WorkflowPermission','20','readonly'),(422,1,5,0,3,0,0,'WorkflowPermission','8','readonly'),(423,1,5,0,3,0,0,'WorkflowPermission','15','readonly'),(424,1,5,0,3,0,0,'WorkflowPermission','11','readonly'),(425,1,5,0,3,0,0,'WorkflowPermission','12','readonly'),(426,1,5,0,3,0,0,'WorkflowPermission','19','readonly'),(427,1,5,0,3,0,0,'WorkflowPermission','7','readonly'),(428,1,5,0,3,0,0,'WorkflowPermission','3','readonly'),(429,1,5,0,3,0,0,'WorkflowPermission','5','readonly'),(430,1,5,0,3,0,0,'WorkflowPermission','6','readonly'),(431,1,5,0,3,0,0,'WorkflowPermission','22','readonly'),(432,1,6,0,3,0,0,'WorkflowPermission','project_id','readonly'),(433,1,6,0,3,0,0,'WorkflowPermission','tracker_id','readonly'),(434,1,6,0,3,0,0,'WorkflowPermission','subject','readonly'),(435,1,6,0,3,0,0,'WorkflowPermission','priority_id','readonly'),(436,1,6,0,3,0,0,'WorkflowPermission','is_private','readonly'),(437,1,6,0,3,0,0,'WorkflowPermission','description','readonly'),(438,1,6,0,3,0,0,'WorkflowPermission','1','readonly'),(439,1,6,0,3,0,0,'WorkflowPermission','2','readonly'),(440,1,6,0,3,0,0,'WorkflowPermission','10','readonly'),(441,1,6,0,3,0,0,'WorkflowPermission','20','readonly'),(442,1,6,0,3,0,0,'WorkflowPermission','8','readonly'),(443,1,6,0,3,0,0,'WorkflowPermission','15','readonly'),(444,1,6,0,3,0,0,'WorkflowPermission','11','readonly'),(445,1,6,0,3,0,0,'WorkflowPermission','12','readonly'),(446,1,6,0,3,0,0,'WorkflowPermission','19','readonly'),(447,1,6,0,3,0,0,'WorkflowPermission','7','readonly'),(448,1,6,0,3,0,0,'WorkflowPermission','3','readonly'),(449,1,6,0,3,0,0,'WorkflowPermission','5','readonly'),(450,1,6,0,3,0,0,'WorkflowPermission','6','readonly'),(451,1,6,0,3,0,0,'WorkflowPermission','22','readonly'),(537,1,2,0,2,0,0,'WorkflowPermission','project_id','readonly'),(538,1,2,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(539,1,2,0,2,0,0,'WorkflowPermission','subject','readonly'),(540,1
,2,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(541,1,2,0,2,0,0,'WorkflowPermission','is_private','readonly'),(542,1,2,0,2,0,0,'WorkflowPermission','description','readonly'),(543,1,2,0,2,0,0,'WorkflowPermission','1','readonly'),(544,1,2,0,2,0,0,'WorkflowPermission','2','readonly'),(545,1,2,0,2,0,0,'WorkflowPermission','10','readonly'),(546,1,2,0,2,0,0,'WorkflowPermission','20','readonly'),(547,1,2,0,2,0,0,'WorkflowPermission','8','readonly'),(548,1,2,0,2,0,0,'WorkflowPermission','15','readonly'),(549,1,2,0,2,0,0,'WorkflowPermission','11','readonly'),(550,1,2,0,2,0,0,'WorkflowPermission','12','readonly'),(551,1,2,0,2,0,0,'WorkflowPermission','19','readonly'),(552,1,2,0,2,0,0,'WorkflowPermission','17','readonly'),(553,1,2,0,2,0,0,'WorkflowPermission','7','readonly'),(554,1,2,0,2,0,0,'WorkflowPermission','3','readonly'),(555,1,2,0,2,0,0,'WorkflowPermission','5','readonly'),(556,1,2,0,2,0,0,'WorkflowPermission','6','readonly'),(557,1,2,0,2,0,0,'WorkflowPermission','22','readonly'),(558,1,3,0,2,0,0,'WorkflowPermission','project_id','readonly'),(559,1,3,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(560,1,3,0,2,0,0,'WorkflowPermission','subject','readonly'),(561,1,3,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(562,1,3,0,2,0,0,'WorkflowPermission','is_private','readonly'),(563,1,3,0,2,0,0,'WorkflowPermission','description','readonly'),(564,1,3,0,2,0,0,'WorkflowPermission','1','readonly'),(565,1,3,0,2,0,0,'WorkflowPermission','2','readonly'),(566,1,3,0,2,0,0,'WorkflowPermission','10','readonly'),(567,1,3,0,2,0,0,'WorkflowPermission','20','readonly'),(568,1,3,0,2,0,0,'WorkflowPermission','8','readonly'),(569,1,3,0,2,0,0,'WorkflowPermission','15','readonly'),(570,1,3,0,2,0,0,'WorkflowPermission','11','readonly'),(571,1,3,0,2,0,0,'WorkflowPermission','12','readonly'),(572,1,3,0,2,0,0,'WorkflowPermission','19','readonly'),(573,1,3,0,2,0,0,'WorkflowPermission','17','readonly'),(574,1,3,0,2,0,0,'WorkflowPermission','7','readonly'),(575,1,3,0,2,0,0,'W
orkflowPermission','3','readonly'),(576,1,3,0,2,0,0,'WorkflowPermission','5','readonly'),(577,1,3,0,2,0,0,'WorkflowPermission','6','readonly'),(578,1,3,0,2,0,0,'WorkflowPermission','22','readonly'),(579,1,4,0,2,0,0,'WorkflowPermission','project_id','readonly'),(580,1,4,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(581,1,4,0,2,0,0,'WorkflowPermission','subject','readonly'),(582,1,4,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(583,1,4,0,2,0,0,'WorkflowPermission','is_private','readonly'),(584,1,4,0,2,0,0,'WorkflowPermission','description','readonly'),(585,1,4,0,2,0,0,'WorkflowPermission','1','readonly'),(586,1,4,0,2,0,0,'WorkflowPermission','2','readonly'),(587,1,4,0,2,0,0,'WorkflowPermission','10','readonly'),(588,1,4,0,2,0,0,'WorkflowPermission','20','readonly'),(589,1,4,0,2,0,0,'WorkflowPermission','8','readonly'),(590,1,4,0,2,0,0,'WorkflowPermission','15','readonly'),(591,1,4,0,2,0,0,'WorkflowPermission','11','readonly'),(592,1,4,0,2,0,0,'WorkflowPermission','12','readonly'),(593,1,4,0,2,0,0,'WorkflowPermission','19','readonly'),(594,1,4,0,2,0,0,'WorkflowPermission','17','readonly'),(595,1,4,0,2,0,0,'WorkflowPermission','7','readonly'),(596,1,4,0,2,0,0,'WorkflowPermission','3','readonly'),(597,1,4,0,2,0,0,'WorkflowPermission','5','readonly'),(598,1,4,0,2,0,0,'WorkflowPermission','6','readonly'),(599,1,4,0,2,0,0,'WorkflowPermission','22','readonly'),(600,1,5,0,2,0,0,'WorkflowPermission','project_id','readonly'),(601,1,5,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(602,1,5,0,2,0,0,'WorkflowPermission','subject','readonly'),(603,1,5,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(604,1,5,0,2,0,0,'WorkflowPermission','is_private','readonly'),(605,1,5,0,2,0,0,'WorkflowPermission','description','readonly'),(606,1,5,0,2,0,0,'WorkflowPermission','1','readonly'),(607,1,5,0,2,0,0,'WorkflowPermission','2','readonly'),(608,1,5,0,2,0,0,'WorkflowPermission','10','readonly'),(609,1,5,0,2,0,0,'WorkflowPermission','20','readonly'),(610,1,5,0,2
,0,0,'WorkflowPermission','8','readonly'),(611,1,5,0,2,0,0,'WorkflowPermission','15','readonly'),(612,1,5,0,2,0,0,'WorkflowPermission','11','readonly'),(613,1,5,0,2,0,0,'WorkflowPermission','12','readonly'),(614,1,5,0,2,0,0,'WorkflowPermission','19','readonly'),(615,1,5,0,2,0,0,'WorkflowPermission','17','readonly'),(616,1,5,0,2,0,0,'WorkflowPermission','7','readonly'),(617,1,5,0,2,0,0,'WorkflowPermission','3','readonly'),(618,1,5,0,2,0,0,'WorkflowPermission','5','readonly'),(619,1,5,0,2,0,0,'WorkflowPermission','6','readonly'),(620,1,5,0,2,0,0,'WorkflowPermission','22','readonly'),(621,1,6,0,2,0,0,'WorkflowPermission','project_id','readonly'),(622,1,6,0,2,0,0,'WorkflowPermission','tracker_id','readonly'),(623,1,6,0,2,0,0,'WorkflowPermission','subject','readonly'),(624,1,6,0,2,0,0,'WorkflowPermission','priority_id','readonly'),(625,1,6,0,2,0,0,'WorkflowPermission','is_private','readonly'),(626,1,6,0,2,0,0,'WorkflowPermission','description','readonly'),(627,1,6,0,2,0,0,'WorkflowPermission','1','readonly'),(628,1,6,0,2,0,0,'WorkflowPermission','2','readonly'),(629,1,6,0,2,0,0,'WorkflowPermission','10','readonly'),(630,1,6,0,2,0,0,'WorkflowPermission','20','readonly'),(631,1,6,0,2,0,0,'WorkflowPermission','8','readonly'),(632,1,6,0,2,0,0,'WorkflowPermission','15','readonly'),(633,1,6,0,2,0,0,'WorkflowPermission','11','readonly'),(634,1,6,0,2,0,0,'WorkflowPermission','12','readonly'),(635,1,6,0,2,0,0,'WorkflowPermission','19','readonly'),(636,1,6,0,2,0,0,'WorkflowPermission','17','readonly'),(637,1,6,0,2,0,0,'WorkflowPermission','7','readonly'),(638,1,6,0,2,0,0,'WorkflowPermission','3','readonly'),(639,1,6,0,2,0,0,'WorkflowPermission','5','readonly'),(640,1,6,0,2,0,0,'WorkflowPermission','6','readonly'),(641,1,6,0,2,0,0,'WorkflowPermission','22','readonly'),(642,1,2,3,2,0,0,'WorkflowTransition',NULL,NULL),(644,1,3,4,2,0,0,'WorkflowTransition',NULL,NULL),(645,1,4,5,2,0,0,'WorkflowTransition',NULL,NULL),(646,1,4,6,2,0,0,'WorkflowTransition',NULL,NULL),(648,1,4,3,2,0,0,'Wor
kflowTransition',NULL,NULL),(649,1,4,3,3,0,0,'WorkflowTransition',NULL,NULL),(650,1,4,3,4,0,0,'WorkflowTransition',NULL,NULL),(651,1,4,3,5,0,0,'WorkflowTransition',NULL,NULL); -/*!40000 ALTER TABLE `workflows` ENABLE KEYS */; -UNLOCK TABLES; -/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */; - -/*!40101 SET SQL_MODE=@OLD_SQL_MODE */; -/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */; -/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */; -/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */; -/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */; -/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */; -/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */; - --- Dump completed on 2020-08-17 18:06:56 \ No newline at end of file diff --git a/salt/playbook/files/automation_user_create.sh b/salt/playbook/files/automation_user_create.sh index 86f279378..bc827fda6 100644 --- a/salt/playbook/files/automation_user_create.sh +++ b/salt/playbook/files/automation_user_create.sh @@ -37,15 +37,8 @@ while [[ $try_count -le 6 ]]; do \"user_id\" : ${automation_user_id} }" - # Search for the needed keys in the global pillar file, if missing then add them - if (grep -Pzq 'playbook:\n api_key:.*' $local_salt_dir/pillar/global.sls); then - sed -e '1h;2,$H;$!d;g' -e "s/playbook:\n api_key:.*/playbook:\n api_key: ${automation_api_key}/m" -i $local_salt_dir/pillar/global.sls - else - { - echo "playbook:" - echo " api_key: ${automation_api_key}" - } >> $local_salt_dir/pillar/global.sls - fi + # Update the Automation API key in the secrets pillar + sed "s/playbook_automation_api_key:/playbook_automation_api_key: ${automation_api_key}/g" -i $local_salt_dir/pillar/secrets.sls exit 0 fi ((try_count++)) diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 57195c21c..75b6b5b2e 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls 
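Review bot: The new `sed` in the `if` branch matches only the key name, so if `secrets.sls` already holds `playbook_automation_api_key: <old>` the fresh key is inserted in front of the old value instead of replacing it, and if the line is absent the command is a silent no-op followed by `exit 0` (the removed `global.sls` branch appended the key in that case). Anchoring on the whole line fixes the first problem: `sed -i "s|^playbook_automation_api_key:.*|playbook_automation_api_key: ${automation_api_key}|" "$local_salt_dir/pillar/secrets.sls"`; for the second, either append the line when `grep -q '^playbook_automation_api_key:' "$local_salt_dir/pillar/secrets.sls"` finds nothing, or exit non-zero so the caller does not treat an unwritten secret as success. The `/g` flag adds nothing for a key that occurs once per file. The enclosing `if` and the `while [[ $try_count -le 6 ]]` loop both begin before the hunk.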
@@ -1,14 +1,14 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} -{% set MANAGERIP = salt['pillar.get']('manager:mainip', '') %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -{% set MAINIP = salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] %} -{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%} -{%- set PLAYBOOKPASS = salt['pillar.get']('secrets:playbook_db', None) -%} -{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %} +{%- set MYSQLPASS = salt['pillar.get']('secrets:mysql') -%} +{%- set PLAYBOOKPASS = salt['pillar.get']('secrets:playbook_db') -%} include: @@ -18,8 +18,8 @@ create_playbookdbuser: mysql_user.present: - name: playbookdbuser - password: {{ PLAYBOOKPASS }} - - host: {{ DNET }}/255.255.255.0 - - connection_host: {{ MAINIP }} + - host: "{{ GLOBALS.docker_range.split('/')[0] }}/255.255.255.0" + - connection_host: {{ GLOBALS.manager_ip }} - connection_port: 3306 - connection_user: root - connection_pass: {{ MYSQLPASS }} 
@@ -27,8 +27,8 @@ create_playbookdbuser: query_playbookdbuser_grants: mysql_query.run: - database: playbook - - query: "GRANT ALL ON playbook.* TO 'playbookdbuser'@'{{ DNET }}/255.255.255.0';" - - connection_host: {{ MAINIP }} + - query: "GRANT ALL ON playbook.* TO 'playbookdbuser'@'{{ GLOBALS.docker_range.split('/')[0] }}/255.255.255.0';" + - connection_host: {{ GLOBALS.manager_ip }} - connection_port: 3306 - connection_user: root - connection_pass: {{ MYSQLPASS }} @@ -36,21 +36,12 @@ query_playbookdbuser_grants: query_updatwebhooks: mysql_query.run: - database: playbook - - query: "update webhooks set url = 'http://{{MANAGERIP}}:7000/playbook/webhook' where project_id = 1" - - connection_host: {{ MAINIP }} + - query: "update webhooks set url = 'http://{{ GLOBALS.manager_ip }}:7000/playbook/webhook' where project_id = 1" + - connection_host: {{ GLOBALS.manager_ip }} - connection_port: 3306 - connection_user: root - connection_pass: {{ MYSQLPASS }} -query_updatename: - mysql_query.run: - - database: playbook - - query: "update custom_fields set name = 'Custom Filter' where id = 21;" - - connection_host: {{ MAINIP }} - - connection_port: 3306 - - connection_user: root - - connection_pass: {{ MYSQLPASS }} - query_updatepluginurls: mysql_query.run: - database: playbook @@ -58,10 +49,10 @@ query_updatepluginurls: update settings set value = "--- !ruby/hash:ActiveSupport::HashWithIndifferentAccess project: '1' - convert_url: http://{{MANAGERIP}}:7000/playbook/sigmac - create_url: http://{{MANAGERIP}}:7000/playbook/play" + convert_url: http://{{ GLOBALS.manager_ip }}:7000/playbook/sigmac + create_url: http://{{ GLOBALS.manager_ip }}:7000/playbook/play" where id = 43 - - connection_host: {{ MAINIP }} + - connection_host: {{ GLOBALS.manager_ip }} - connection_port: 3306 - connection_user: root - connection_pass: {{ MYSQLPASS }} 
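Review bot: `GLOBALS.docker_range.split('/')[0]` keeps only the network address and then hard-codes `/255.255.255.0`, so the `host` of `create_playbookdbuser` (and the GRANT in the `query_playbookdbuser_grants` hunk that follows) only matches the pillar's range when it is a /24; any other prefix makes the MySQL host scope — the boundary that decides which source addresses may authenticate as `playbookdbuser` — wider or narrower than the Docker network. Deriving the mask from the CIDR keeps the two in step, e.g. `{%- set DOCKER_NET = salt['network.convert_cidr'](GLOBALS.docker_range) %}` next to the other `set` lines and `- host: "{{ DOCKER_NET.network }}/{{ DOCKER_NET.netmask }}"` here, with the same substitution in the GRANT string. The `create_playbookdbuser` state starts before this hunk.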
@@ -86,13 +77,13 @@ playbook_password_none: so-playbook: docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-playbook:{{ VERSION }} + - image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-playbook:{{ GLOBALS.so_version }} - hostname: playbook - name: so-playbook - binds: - /opt/so/log/playbook:/playbook/log:rw - environment: - - REDMINE_DB_MYSQL={{ MANAGERIP }} + - REDMINE_DB_MYSQL={{ GLOBALS.manager_ip }} - REDMINE_DB_DATABASE=playbook - REDMINE_DB_USERNAME=playbookdbuser - REDMINE_DB_PASSWORD={{ PLAYBOOKPASS }} diff --git a/salt/reactor/fleet.sls b/salt/reactor/fleet.sls deleted file mode 100644 index cd548e689..000000000 --- a/salt/reactor/fleet.sls +++ /dev/null 
@@ -1,95 +0,0 @@ -#!py - -from time import gmtime, strftime -import fileinput -import logging -import re -import subprocess - -def run(): - MINIONID = data['id'] - ACTION = data['data']['action'] - LOCAL_SALT_DIR = "/opt/so/saltstack/local" - STATICFILE = f"{LOCAL_SALT_DIR}/pillar/global.sls" - SECRETSFILE = f"{LOCAL_SALT_DIR}/pillar/secrets.sls" - - if MINIONID.split('_')[-1] in ['manager','eval','fleet','managersearch','standalone']: - if ACTION == 'enablefleet': - logging.info('so/fleet enablefleet reactor') - - MAINIP = data['data']['mainip'] - ROLE = data['data']['role'] - HOSTNAME = data['data']['hostname'] - - # Enable Fleet - for line in fileinput.input(STATICFILE, inplace=True): - if ROLE == 'so-fleet': - line = re.sub(r'fleet_node: \S*', f"fleet_node: True", line.rstrip()) - else: - line = re.sub(r'fleet_manager: \S*', f"fleet_manager: True", line.rstrip()) - print(line) - - # Update the Fleet host in the static pillar - for line in fileinput.input(STATICFILE, inplace=True): - line = re.sub(r'fleet_hostname: \S*', f"fleet_hostname: '{HOSTNAME}'", line.rstrip()) - print(line) - - # Update the Fleet IP in the static pillar - for line in fileinput.input(STATICFILE, inplace=True): - line = re.sub(r'fleet_ip: \S*', f"fleet_ip: '{MAINIP}'", line.rstrip()) - print(line) - - if ACTION == 'update-enrollsecret': - logging.info('so/fleet update-enrollsecret reactor') - - ESECRET = data['data']['enroll-secret'] - - # Update the enroll secret in the secrets pillar - if ESECRET != "": - for line in fileinput.input(SECRETSFILE, inplace=True): - line = re.sub(r'fleet_enroll-secret: \S*', f"fleet_enroll-secret: {ESECRET}", line.rstrip()) - print(line) - - - if ACTION == 'genpackages': - logging.info('so/fleet genpackages reactor') - - PACKAGEVERSION = data['data']['current-package-version'] - PACKAGEHOSTNAME = data['data']['package-hostname'] - MANAGER = data['data']['manager'] - VERSION = data['data']['version'] - ESECRET = data['data']['enroll-secret'] - IMAGEREPO = 
data['data']['imagerepo'] - - # Increment the package version by 1 - PACKAGEVERSION += 1 - - # Run Docker container that will build the packages - gen_packages = subprocess.run(["docker", "run","--rm", "--mount", f"type=bind,source={LOCAL_SALT_DIR}/salt/fleet/packages,target=/output", \ - "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MANAGER }:5000/{ IMAGEREPO }/so-fleet-launcher:{ VERSION }", \ - f"{ESECRET}", f"{PACKAGEHOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii') - - # Update the 'packages-built' timestamp on the webpage (stored in the static pillar) - for line in fileinput.input(STATICFILE, inplace=True): - line = re.sub(r'fleet_packages-timestamp: \S*', f"fleet_packages-timestamp: '{strftime('%Y-%m-%d-%H:%M', gmtime())}'", line.rstrip()) - print(line) - - # Update the Fleet Osquery package version in the static pillar - for line in fileinput.input(STATICFILE, inplace=True): - line = re.sub(r'fleet_packages-version: \S*', f"fleet_packages-version: {PACKAGEVERSION}", line.rstrip()) - print(line) - - # Copy over newly-built packages - copy_packages = subprocess.run(["salt-call", "state.apply","fleet"], stdout=subprocess.PIPE, encoding='ascii') - - if ACTION == 'update_custom_hostname': - logging.info('so/fleet update_custom_hostname reactor') - - CUSTOMHOSTNAME = data['data']['custom_hostname'] - - # Update the Fleet host in the static pillar - for line in fileinput.input(STATICFILE, inplace=True): - line = re.sub(r'fleet_custom_hostname:.*$', f"fleet_custom_hostname: {CUSTOMHOSTNAME}", line.rstrip()) - print(line) - - return {} diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 20cf49da2..e80ee1218 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls 
@@ -1,21 +1,12 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} diff --git a/salt/repo/client/centos.sls b/salt/repo/client/centos.sls index 160782267..39ced9ea8 100644 --- a/salt/repo/client/centos.sls +++ b/salt/repo/client/centos.sls 
@@ -1,27 +1,15 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {% from 'repo/client/map.jinja' import ABSENTFILES with context %} {% from 'repo/client/map.jinja' import REPOPATH with context %} -{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %} -{% set managerupdates = salt['pillar.get']('global:managerupdate', 0) %} {% set role = grains.id.split('_') | last %} - -# from airgap state -{% if ISAIRGAP and grains.os == 'CentOS' %} {% set MANAGER = salt['grains.get']('master') %} -airgapyum: - file.managed: - - name: /etc/yum/yum.conf - - source: salt://repo/client/files/centos/airgap/yum.conf +{% if grains['os'] == 'CentOS' %} -airgap_repo: - pkgrepo.managed: - - humanname: Airgap Repo - - baseurl: https://{{ MANAGER }}/repo - - gpgcheck: 0 - - sslverify: 0 - -{% endif %} - -# from airgap and common {% if ABSENTFILES|length > 0%} {% for file in ABSENTFILES %} {{ file }}: @@ -32,9 +20,20 @@ airgap_repo: {% endfor %} {% endif %} -# from common state -# Remove default Repos -{% if grains['os'] == 'CentOS' %} +cleanyum: + cmd.run: + - name: 'yum clean all' + - onchanges: + - so_repo + +yumconf: + file.managed: + - name: /etc/yum.conf + - source: salt://repo/client/files/centos/yum.conf.jinja + - mode: 644 + - template: jinja + - show_changes: False + repair_yumdb: cmd.run: - name: 'mv -f /var/lib/rpm/__db* /tmp && yum clean all' 
@@ -46,53 +45,35 @@ crsynckeys: - name: /etc/pki/rpm_gpg - source: salt://repo/client/files/centos/keys/ -{% if not ISAIRGAP %} - {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} -remove_securityonionrepocache: - file.absent: - - name: /etc/yum.repos.d/securityonioncache.repo - {% endif %} - {% if role not in ['eval', 'standalone', 'import', 'manager', 'managersearch'] and managerupdates == 1 %} -remove_securityonionrepo: - file.absent: - - name: /etc/yum.repos.d/securityonion.repo - {% endif %} + {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] %} +so_repo: + pkgrepo.managed: + - name: securityonion + - humanname: Security Onion Repo + - baseurl: file:///nsm/repo/ + - enabled: 1 + - gpgcheck: 1 -crsecurityonionrepo: - file.managed: - {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} - - name: /etc/yum.repos.d/securityonion.repo - - source: salt://repo/client/files/centos/securityonion.repo - {% else %} - - name: /etc/yum.repos.d/securityonioncache.repo - - source: salt://repo/client/files/centos/securityonioncache.repo - {% endif %} - - mode: 644 + {% else %} +so_repo: + pkgrepo.managed: + - name: securityonion + - humanname: Security Onion Repo + - baseurl: https://{{ MANAGER }}/repo + - enabled: 1 + - gpgcheck: 1 -yumconf: - file.managed: - - name: /etc/yum.conf - - source: salt://repo/client/files/centos/yum.conf.jinja - - mode: 644 - - template: jinja - - show_changes: False - -cleanairgap: - file.absent: - - name: /etc/yum.repos.d/airgap_repo.repo -{% endif %} - -cleanyum: - cmd.run: - - name: 'yum clean metadata' - - onchanges: -{% if ISAIRGAP %} - - file: airgapyum - - pkgrepo: airgap_repo -{% else %} - - file: crsecurityonionrepo - - file: yumconf -{% endif %} + {% endif %} {% endif %} + +# TODO: Add a pillar entry for custom repos + + + + + + + + 
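Review bot: Both `so_repo` definitions set `gpgcheck: 1` but give no `gpgkey`, so package verification depends on whichever keys already happen to be in the rpm database; the keys that `crsynckeys` (in the hunk header context) copies to `/etc/pki/rpm_gpg` are never referenced by the repo entry. Adding `- gpgkey: file:///etc/pki/rpm_gpg/<signing-key-file>` to each branch makes the trust anchor explicit. Note that `crsynckeys` targets `/etc/pki/rpm_gpg` while the new `securityonionlocal.repo` points at `/etc/pki/rpm-gpg/` — worth confirming which directory is intended. The run of empty `+` lines after the `TODO` comment is noise and can be dropped.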
diff --git a/salt/repo/client/files/centos/airgap/yum.conf b/salt/repo/client/files/centos/airgap/yum.conf
deleted file mode 100644
index cbab7607d..000000000
--- a/salt/repo/client/files/centos/airgap/yum.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-[main]
-cachedir=/var/cache/yum/$basearch/$releasever
-keepcache=0
-debuglevel=2
-logfile=/var/log/yum.log
-exactarch=1
-obsoletes=1
-gpgcheck=1
-plugins=1
-installonly_limit=2
-bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
-distroverpkg=centos-release
\ No newline at end of file
diff --git a/salt/repo/client/files/centos/keys/GPG-KEY-WAZUH b/salt/repo/client/files/centos/keys/GPG-KEY-WAZUH
deleted file mode 100644
index b424ccfae..000000000
--- a/salt/repo/client/files/centos/keys/GPG-KEY-WAZUH
+++ /dev/null
@@ -1,52 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v2.0.22 (GNU/Linux) - -mQINBFeeyYwBEACyf4VwV8c2++J5BmCl6ofLCtSIW3UoVrF4F+P19k/0ngnSfjWb -8pSWB11HjZ3Mr4YQeiD7yY06UZkrCXk+KXDlUjMK3VOY7oNPkqzNaP6+8bDwj4UA -hADMkaXBvWooGizhCoBtDb1bSbHKcAnQ3PTdiuaqF5bcyKk8hv939CHulL2xH+BP -mmTBi+PM83pwvR+VRTOT7QSzf29lW1jD79v4rtXHJs4KCz/amT/nUm/tBpv3q0sT -9M9rH7MTQPdqvzMl122JcZST75GzFJFl0XdSHd5PAh2mV8qYak5NYNnwA41UQVIa -+xqhSu44liSeZWUfRdhrQ/Nb01KV8lLAs11Sz787xkdF4ad25V/Rtg/s4UXt35K3 -klGOBwDnzPgHK/OK2PescI5Ve1z4x1C2bkGze+gk/3IcfGJwKZDfKzTtqkZ0MgpN -7RGghjkH4wpFmuswFFZRyV+s7jXYpxAesElDSmPJ0O07O4lQXQMROE+a2OCcm0eF -3+Cr6qxGtOp1oYMOVH0vOLYTpwOkAM12/qm7/fYuVPBQtVpTojjV5GDl2uGq7p0o -h9hyWnLeNRbAha0px6rXcF9wLwU5n7mH75mq5clps3sP1q1/VtP/Fr84Lm7OGke4 -9eD+tPNCdRx78RNWzhkdQxHk/b22LCn1v6p1Q0qBco9vw6eawEkz1qwAjQARAQAB -tDFXYXp1aC5jb20gKFdhenVoIFNpZ25pbmcgS2V5KSA8c3VwcG9ydEB3YXp1aC5j -b20+iQI9BBMBCAAnAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheABQJZHNOBBQkU -SgzvAAoJEJaz7l8pERFF6xUP/3SbcmrI/u7a2EqZ0GxwQ/LRkPzWkJRnozCtNYHD -ZjiZgSB/+77hkPS0tsBK/GXFLKfJAuf13XFrCvEuI4Q/pLOCCKIGumKXItUIwJBD -HiEmVt/XxIijmlF7O1jcWqE/5CQXofjr03WMx+qzNabIwU/6dTKZN4FrR1jDk7yS -6FYBsbhVcSoqSpGYx7EcuK3c3sKKtnbacK2Sw3K9n8Wdj+EK83cbpMg8D/efVRqv -xypeCeojtY10y4bmugEwMYPgFkrSbicuiZc8NA8qhvFp6JFRq/uL0PGACyg05wB3 -S9U4wvSkmlo2/G74awna22UlaoYmSSz3UZdpWd2zBxflx17948QfTqyhO6bM8qLz -dSyR6/6olAcR1N+PBup8PoMdBte4ul/hJp8WIviW0AxJUTZSbVj5v/t43QAKEpCE -IMHvkK8PRHz/9kMd/2xN7LgMtihCrGZOnzErkjhlZvmiJ6kcJoD7ywzFnfJrntOU -DjNb3eqUFSEwmhD60Hd2OCkfmiV7NEE/YTd9B72NSwzj4Za/JUdlF64LMeIiHbYp -Lh7P+mR+lMJf/SWsQmlyuiQ2u8SY2aDFvzBS9WtpwiznuUdrbRN87+TYLSVqDifj -Ea3zOnzLaLYbOr6LHz1xbhAvInv7KLobgiw1E4WnBNWN8xVwVJLKNE7wV88k43XV -3L/RuQINBFeeyYwBEADD1Y3zW5OrnYZ6ghTd5PXDAMB8Z1ienmnb2IUzLM+i0yE2 -TpKSP/XYCTBhFa390rYgFO2lbLDVsiz7Txd94nHrdWXGEQfwrbxsvdlLLWk7iN8l -Fb4B60OfRi3yoR96a/kIPNa0x26+n79LtDuWZ/DTq5JSHztdd9F1sr3h8i5zYmtv -luj99ZorpwYejbBVUm0+gP0ioaXM37uO56UFVQk3po9GaS+GtLnlgoE5volgNYyO 
-rkeIua4uZVsifREkHCKoLJip6P7S3kTyfrpiSLhouEZ7kV1lbMbFgvHXyjm+/AIx -HIBy+H+e+HNt5gZzTKUJsuBjx44+4jYsOR67EjOdtPOpgiuJXhedzShEO6rbu/O4 -wM1rX45ZXDYa2FGblHCQ/VaS0ttFtztk91xwlWvjTR8vGvp5tIfCi+1GixPRQpbN -Y/oq8Kv4A7vB3JlJscJCljvRgaX0gTBzlaF6Gq0FdcWEl5F1zvsWCSc/Fv5WrUPY -5mG0m69YUTeVO6cZS1aiu9Qh3QAT/7NbUuGXIaAxKnu+kkjLSz+nTTlOyvbG7BVF -a6sDmv48Wqicebkc/rCtO4g8lO7KoA2xC/K/6PAxDrLkVyw8WPsAendmezNfHU+V -32pvWoQoQqu8ysoaEYc/j9fN4H3mEBCN3QUJYCugmHP0pu7VtpWwwMUqcGeUVwAR -AQABiQIlBBgBCAAPAhsMBQJZHNOaBQkUSg0HAAoJEJaz7l8pERFFhpkQAJ09mjjp -n9f18JGSMzP41fVucPuLBZ5XJL/hy2boII1FvgfmOETzNxLPblHdkJVjZS5iMrhL -EJ1jv+GQDtf68/0jO+HXuQIBmUJ53YwbuuQlLWH7CI2AxlSAKAn2kOApWMKsjnAv -JwS3eNGukOKWRfEKTqz2Vwi1H7M7ppypZ9keoyAoSIWb61gm7rXbfT+tVBetHfrU -EM5vz3AS3pJk6Yfqn10IZfiexXmsBD+SpJBNzMBsznCcWO2y4qZNLjFferBoizvV -34UnZyd1bkSN0T/MKp8sgJwqDJBS72tH6ZIM8NNoy29aPDkeaa8XlhkWiBdRizqL -BcxrV/1n3xdzfY9FX6s4KGudo+gYsVpY0mrpZU8jG8YUNLDXQTXnRo4CQOtRJJbA -RFDoZfsDqToZftuEhIsk+MaKlyXoA0eIYqGe6lXa/jEwvViqLYubCNLu0+kgNQ3v -hKF8Pf7eXFDAePw7guuvDvBOMQqBCaKCxsz1HoKRNYBEdUYrEQBJnX235Q4IsdI/ -GcQ/dvERJXaDCG8EPhnwc517EMUJDiJ1CxT4+VMHphmFbiVqmctz0upIj+D037Xk -CcgxNte6LZorGRZ/l1MYINliGJKtCCFK7XGVPKiJ8zyGSyPj1FfwtBy5hUX3aQtm -bvP0H2BRCKoelsbRENu58BkU6YhiUry7pVul -=SJij ------END PGP PUBLIC KEY BLOCK----- diff --git a/salt/repo/client/files/centos/securityonion.repo b/salt/repo/client/files/centos/securityonion.repo deleted file mode 100644 index 397cb7530..000000000 --- a/salt/repo/client/files/centos/securityonion.repo +++ /dev/null 
@@ -1,71 +0,0 @@ -[base] -name=CentOS-$releasever - Base -baseurl=https://repo.securityonion.net/file/securityonion-repo/base/ -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 - -#released updates -[updates] -name=CentOS-$releasever - Updates -baseurl=https://repo.securityonion.net/file/securityonion-repo/updates/ -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 - -#additional packages that may be useful -[extras] -name=CentOS-$releasever - Extras -baseurl=https://repo.securityonion.net/file/securityonion-repo/extras/ -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 - -#additional packages that extend functionality of existing packages -[centosplus] -name=CentOS-$releasever - Plus -baseurl=https://repo.securityonion.net/file/securityonion-repo/centosplus/ -gpgcheck=1 -enabled=0 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 - -[epel] -name=Extra Packages for Enterprise Linux 7 - $basearch -baseurl=https://repo.securityonion.net/file/securityonion-repo/epel/ -enabled=1 -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 - -[docker-ce-stable] -name=Docker CE Stable - $basearch -baseurl=https://repo.securityonion.net/file/securityonion-repo/docker-ce-stable -enabled=1 -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/docker.pub - -[saltstack] -name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=https://repo.securityonion.net/file/securityonion-repo/salt/ -enabled=1 -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/SALTSTACK-GPG-KEY.pub - -[wazuh_repo] -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-WAZUH -enabled=1 -name=Wazuh repository -baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh_repo/ -protect=1 - -[wazuh4_repo] -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-WAZUH -enabled=1 -name=Wazuh repository -baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh4_repo/ -protect=1 - -[securityonion] -name=Security Onion Repo repo 
-baseurl=https://repo.securityonion.net/file/securityonion-repo/securityonion/ -enabled=1 -gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub diff --git a/salt/repo/client/files/centos/securityonioncache.repo b/salt/repo/client/files/centos/securityonioncache.repo deleted file mode 100644 index 5064fb598..000000000 --- a/salt/repo/client/files/centos/securityonioncache.repo +++ /dev/null 
@@ -1,71 +0,0 @@ -[base] -name=CentOS-$releasever - Base -baseurl=http://repocache.securityonion.net/file/securityonion-repo/base/ -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 - -#released updates -[updates] -name=CentOS-$releasever - Updates -baseurl=http://repocache.securityonion.net/file/securityonion-repo/updates/ -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 - -#additional packages that may be useful -[extras] -name=CentOS-$releasever - Extras -baseurl=http://repocache.securityonion.net/file/securityonion-repo/extras/ -gpgcheck=1 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 - -#additional packages that extend functionality of existing packages -[centosplus] -name=CentOS-$releasever - Plus -baseurl=http://repocache.securityonion.net/file/securityonion-repo/centosplus/ -gpgcheck=1 -enabled=0 -gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 - -[epel] -name=Extra Packages for Enterprise Linux 7 - $basearch -baseurl=http://repocache.securityonion.net/file/securityonion-repo/epel/ -enabled=1 -gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/RPM-GPG-KEY-EPEL-7 - -[docker-ce-stable] -name=Docker CE Stable - $basearch -baseurl=http://repocache.securityonion.net/file/securityonion-repo/docker-ce-stable -enabled=1 -gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/docker.pub - -[saltstack] -name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=http://repocache.securityonion.net/file/securityonion-repo/salt/ -enabled=1 -gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub - -[wazuh_repo] -gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH -enabled=1 -name=Wazuh repository -baseurl=http://repocache.securityonion.net/file/securityonion-repo/wazuh_repo/ -protect=1 - -[wazuh4_repo] -gpgcheck=1 
-gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH -enabled=1 -name=Wazuh repository -baseurl=http://repocache.securityonion.net/file/securityonion-repo/wazuh4_repo/ -protect=1 - -[securityonion] -name=Security Onion Repo -baseurl=http://repocache.securityonion.net/file/securityonion-repo/securityonion/ -enabled=1 -gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub diff --git a/salt/repo/client/files/centos/securityonionlocal.repo b/salt/repo/client/files/centos/securityonionlocal.repo new file mode 100644 index 000000000..cd928eb79 --- /dev/null +++ b/salt/repo/client/files/centos/securityonionlocal.repo @@ -0,0 +1,8 @@ +[solocal] +name=Security Onion Repo +baseurl=file:///nsm/repo/ +enabled=1 +gpgcheck=1 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 + + diff --git a/salt/repo/client/files/centos/yum.conf.jinja b/salt/repo/client/files/centos/yum.conf.jinja index 8af48e99d..bd31ac007 100644 --- a/salt/repo/client/files/centos/yum.conf.jinja +++ b/salt/repo/client/files/centos/yum.conf.jinja @@ -12,8 +12,6 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }} bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum distroverpkg=centos-release clean_requirements_on_remove=1 -{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import']) and ( salt['pillar.get']('global:managerupdate', '0') or salt['pillar.get']('patch:os:source', 'direct') == 'manager' ) -%} -proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142 -{% elif proxy -%} +{% if proxy -%} proxy={{ proxy }} {% endif %} diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls deleted file mode 100644 index 345c9e2dc..000000000 --- a/salt/repo/client/ubuntu.sls +++ /dev/null 
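Review bot: The new `[solocal]` entry enables `gpgcheck=1` but names only `RPM-GPG-KEY-CentOS-7` as `gpgkey`, whereas the `[securityonion]` section removed from `securityonion.repo` verified Security Onion's own packages against `securityonion.pub`. If `/nsm/repo` carries packages signed with that key, yum will reject them unless the key is already in the rpm database; listing both keys, `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 file:///etc/pki/rpm-gpg/<securityonion-signing-key>`, removes that dependency. Nothing visible in this diff references `securityonionlocal.repo`, and `so_repo` in `centos.sls` already builds the same `file:///nsm/repo/` repo via `pkgrepo.managed`, so this may be a dead file or a duplicate repo definition. The two trailing blank lines can go.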
@@ -1,20 +0,0 @@ -# this removes the repo file left by bootstrap-salt.sh without -r -remove_salt.list: - file.absent: - - name: /etc/apt/sources.list.d/salt.list - -saltstack.list: - file.managed: - - name: /etc/apt/sources.list.d/saltstack.list - - contents: - - deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt3004.2/ {{grains.oscodename}} main - -apt_update: - cmd.run: - - name: apt-get update - - onchanges: - - file: saltstack.list - - timeout: 30 - - retry: - attempts: 5 - interval: 30 diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja index eb9f5ae89..389a95607 100644 --- a/salt/salt/map.jinja +++ b/salt/salt/map.jinja @@ -11,6 +11,7 @@ {% set PYTHON3INFLUX= 'influxdb == ' ~ PYTHONINFLUXVERSION %} {% set PYTHON3INFLUXDEPS= ['certifi', 'chardet', 'python-dateutil', 'pytz', 'requests'] %} {% set PYTHONINSTALLER = 'pip' %} + {% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %} {% else %} {% set SPLITCHAR = '-' %} {% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep -q salt ; echo $?', python_shell=True) %} @@ -21,6 +22,7 @@ {% set PYTHON3INFLUX= 'securityonion-python3-influxdb' %} {% set PYTHON3INFLUXDEPS= ['python36-certifi', 'python36-chardet', 'python36-dateutil', 'python36-pytz', 'python36-requests'] %} {% set PYTHONINSTALLER = 'pkg' %} + {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %} {% endif %} {% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %} diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls index fafb6f0f3..15e203d82 100644 --- a/salt/salt/minion.sls +++ b/salt/salt/minion.sls 
@@ -81,10 +81,10 @@ set_log_levels:
 - "log_level: error"
 - "log_level_logfile: error"
 
-salt_minion_service_start_delay:
+salt_minion_service_unit_file:
 file.managed:
- - name: /etc/systemd/system/salt-minion.service.d/start-delay.conf
- - source: salt://salt/service/start-delay.conf.jinja
+ - name: {{ SYSTEMD_UNIT_FILE }}
+ - source: salt://salt/service/salt-minion.service.jinja
 - template: jinja
 - defaults:
 service_start_delay: {{ service_start_delay }}
diff --git a/salt/salt/service/salt-minion.service.jinja b/salt/salt/service/salt-minion.service.jinja
new file mode 100644
index 000000000..c7bae0bc2
--- /dev/null
+++ b/salt/salt/service/salt-minion.service.jinja
@@ -0,0 +1,15 @@
+[Unit]
+Description=The Salt Minion
+Documentation=man:salt-minion(1) file:///usr/share/doc/salt/html/contents.html https://docs.saltstack.com/en/latest/contents.html
+After=network.target salt-master.service
+
+[Service]
+KillMode=process
+Type=notify
+NotifyAccess=all
+LimitNOFILE=8192
+ExecStart=/usr/bin/salt-minion
+ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) }}
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/salt/salt/service/start-delay.conf.jinja b/salt/salt/service/start-delay.conf.jinja
deleted file mode 100644
index 33917b174..000000000
--- a/salt/salt/service/start-delay.conf.jinja
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-ExecStartPre=/bin/sleep {{ salt['pillar.get']('salt:minion:service_start_delay', service_start_delay) }}
diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json
index 04f2abf93..2fe385de5 100644
--- a/salt/sensoroni/files/sensoroni.json
+++ b/salt/sensoroni/files/sensoroni.json
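Review bot: `salt_minion_service_unit_file` now manages the package-owned unit at `{{ SYSTEMD_UNIT_FILE }}` (`/lib/systemd/system/...` or `/usr/lib/systemd/system/...` per `map.jinja`) instead of the drop-in it replaces, so the next `salt-minion` package upgrade will overwrite the file and silently drop the start delay until the state runs again; a drop-in under `/etc/systemd/system/salt-minion.service.d/` only needs to carry the `ExecStartPre` line and survives upgrades. If overwriting the whole unit is intentional, a comment above the state recording why (and which package version the copied unit was taken from) would stop a later maintainer from reverting it. No `daemon-reload` trigger is visible in this hunk; if one exists outside it, it needs to watch the state's new ID. The `set_log_levels` state in the header context starts before this hunk.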
@@ -4,7 +4,7 @@
 {%- set ADDRESS = salt['pillar.get']('sensoroni:node_address') %}
 {%- set ANALYZE_TIMEOUT_MS = salt['pillar.get']('sensoroni:analyze_timeout_ms', 900000) %}
 {%- set ANALYZE_PARALLEL_LIMIT = salt['pillar.get']('sensoroni:analyze_parallel_limit', 5) %}
-{%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') %}
+{%- set SENSORONIKEY = salt['pillar.get']('sensoroni:sensoronikey', '') %}
 {%- set CHECKININTERVALMS = salt['pillar.get']('sensoroni:node_checkin_interval_ms', 10000) %}
 {%- set ROLE = grains.id.split('_') | last %}
 {%- if ROLE in ['eval', 'standalone', 'sensor', 'heavynode'] %}
diff --git a/salt/soc/defaults.map.jinja b/salt/soc/defaults.map.jinja
new file mode 100644
index 000000000..cc9f57db8
--- /dev/null
+++ b/salt/soc/defaults.map.jinja
@@ -0,0 +1,23 @@
+{% import_yaml 'soc/defaults.yaml' as SOCDEFAULTS %}
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+{% for module, application_url in GLOBALS.application_urls.items() %}
+{% do SOCDEFAULTS.soc.server.modules[module].update({'hostUrl': application_url}) %}
+{% endfor %}
+
+{# add nodes from the logstash:nodes pillar to soc.server.modules.elastic.remoteHostUrls #}
+{% for node_type, minions in salt['pillar.get']('logstash:nodes', {}).items() %}
+{% for m in minions.keys() %}
+{% do SOCDEFAULTS.soc.server.modules.elastic.remoteHostUrls.append(m) %}
+{% endfor %}
+{% endfor %}
+
+{% do SOCDEFAULTS.soc.server.modules.elastic.update({'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user, 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass}) %}
+
+{% if GLOBALS.role != 'so-import' %}
+{% do SOCDEFAULTS.soc.server.modules.influxdb.update({'hostUrl': 'https://' ~ GLOBALS.manager_ip ~ ':8086'}) %}
+{% endif %}
+
+{% do SOCDEFAULTS.soc.server.modules.statickeyauth.update({'anonymousCidr': GLOBALS.docker_range, 'apiKey': pillar.sensoroni.sensoronikey}) %}
+
+{% set SOCDEFAULTS = SOCDEFAULTS.soc %}
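Review bot: The same secret is resolved two different ways: `sensoroni.json` keeps a `''` default for `sensoroni:sensoronikey`, so a node whose pillar lacks the key is silently configured with an empty API key, while the new `defaults.map.jinja` reads `pillar.sensoroni.sensoronikey` directly (and uses `GLOBALS.*` for every other value). For an authentication key the safer failure is a render error on both sides: `{%- set SENSORONIKEY = salt['pillar.get']('sensoroni:sensoronikey') %}` followed by `{%- if not SENSORONIKEY %}{{ raise('sensoroni:sensoronikey is not set') }}{%- endif %}` here, and the same lookup in `defaults.map.jinja` so the two cannot drift again. What `statickeyauth` does with an empty `apiKey` is not visible in this diff, so the empty-key behaviour is something to confirm rather than assume.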
diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml
new file mode 100644
index 000000000..9dce3fd8e
--- /dev/null
+++ b/salt/soc/defaults.yaml
@@ -0,0 +1,1153 @@ +soc: + logFilename: /opt/sensoroni/logs/sensoroni-server.log + server: + bindAddress: 0.0.0.0:9822 + baseUrl: / + maxPacketCount: 5000 + htmlDir: html + airgapEnabled: false + modules: + cases: soc + filedatastore: + jobDir: jobs + kratos: + hostUrl: + elastic: + hostUrl: + remoteHostUrls: [] + username: + password: + index: '*:so-*' + cacheMs: 300000 + verifyCert: false + casesEnabled: true + timeoutMs: 0 + influxdb: + hostUrl: + token: '' + org: '' + bucket: telegraf + verifyCert: false + sostatus: + refreshIntervalMs: 30000 + offlineThresholdMs: 900000 + + statickeyauth: + anonymousCidr: + apiKey: + staticrbac: + roleFiles: + - rbac/permissions + - rbac/roles + - rbac/custom_roles + userFiles: + - rbac/users_roles + client: + docsUrl: https://docs.securityonion.net/en/2.3/ + cheatsheetUrl: https://github.com/Security-Onion-Solutions/securityonion-docs/raw/2.3/images/cheat-sheet/Security-Onion-Cheat-Sheet.pdf + releaseNotesUrl: https://docs.securityonion.net/en/2.3/release-notes + apiTimeoutMs: 0 + webSocketTimeoutMs: 0 + tipTimeoutMs: 0 + cacheExpirationMs: 0 + casesEnabled: true + inactiveTools: ['toolUnused'] + tools: + - name: toolKibana + description: toolKibanaHelp + icon: fa-external-link-alt + target: so-kibana + link: /kibana/ + - name: toolGrafana + description: toolGrafanaHelp + icon: fa-external-link-alt + target: so-grafana + link: /grafana/d/so_overview + - name: toolCyberchef + description: toolCyberchefHelp + icon: fa-external-link-alt + target: so-cyberchef + link: /cyberchef/ + - name: toolPlaybook + description: toolPlaybookHelp + icon: fa-external-link-alt + target: so-playbook + link: /playbook/projects/detection-playbooks/issues/ + - name: toolFleet + description: toolFleetHelp + icon: fa-external-link-alt + target: so-fleet + link: /fleet/ + - name: toolNavigator + description: toolNavigatorHelp + icon: fa-external-link-alt + target: so-navigator + link: /navigator/ + hunt: + advanced: true + groupItemsPerPage: 10 + 
groupFetchLimit: 10 + eventItemsPerPage: 10 + eventFetchLimit: 100 + relativeTimeValue: 24 + relativeTimeUnit: 30 + mostRecentlyUsedLimit: 5 + ackEnabled: false + escalateEnabled: true + escalateRelatedEventsEnabled: true + eventFields: + default: + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + - network.community_id + - event.dataset + ':kratos:audit': + - soc_timestamp + - http_request.headers.x-real-ip + - identity_id + - http_request.headers.user-agent + '::conn': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - network.protocol + - log.id.uid + - network.community_id + '::dce_rpc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dce_rpc.endpoint + - dce_rpc.named_pipe + - dce_rpc.operation + - log.id.uid + '::dhcp': + - soc_timestamp + - client.address + - server.address + - host.domain + - host.hostname + - dhcp.message_types + - log.id.uid + '::dnp3': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - dnp3.fc_reply + - log.id.uid + '::dns': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - dns.query.name + - dns.query.type_name + - dns.response.code_name + - log.id.uid + - network.community_id + '::dpd': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.protocol + - observer.analyser + - error.reason + - log.id.uid + '::file': + - soc_timestamp + - source.ip + - destination.ip + - file.name + - file.mime_type + - file.source + - file.bytes.total + - log.id.fuid + - log.id.uid + '::ftp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ftp.user + - ftp.command + - ftp.argument + - ftp.reply_code + - file.size + - log.id.uid + '::http': + - soc_timestamp + - source.ip + - source.port + - destination.ip 
+ - destination.port + - http.method + - http.virtual_host + - http.status_code + - http.status_message + - http.request.body.length + - http.response.body.length + - log.id.uid + - network.community_id + '::intel': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - intel.indicator + - intel.indicator_type + - intel.seen_where + - log.id.uid + '::irc': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - irc.username + - irc.nickname + - irc.command.type + - irc.command.value + - irc.command.info + - log.id.uid + '::kerberos': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - kerberos.client + - kerberos.service + - kerberos.request_type + - log.id.uid + '::modbus': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - modbus.function + - log.id.uid + '::mysql': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - mysql.command + - mysql.argument + - mysql.success + - mysql.response + - log.id.uid + '::notice': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - notice.note + - notice.message + - log.id.fuid + - log.id.uid + - network.community_id + '::ntlm': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ntlm.name + - ntlm.success + - ntlm.server.dns.name + - ntlm.server.nb.name + - ntlm.server.tree.name + - log.id.uid + '::pe': + - soc_timestamp + - file.is_64bit + - file.is_exe + - file.machine + - file.os + - file.subsystem + - log.id.fuid + '::radius': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.uid + - username + - radius.framed_address + - radius.reply_message + - radius.result + '::rdp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rdp.client_build + - client_name + - rdp.cookie 
+ - rdp.encryption_level + - rdp.encryption_method + - rdp.keyboard_layout + - rdp.result + - rdp.security_protocol + - log.id.uid + '::rfb': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rfb.authentication.method + - rfb.authentication.success + - rfb.share_flag + - rfb.desktop.name + - log.id.uid + '::signatures': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - note + - signature_id + - event_message + - sub_message + - signature_count + - host.count + - log.id.uid + '::sip': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - sip.method + - sip.uri + - sip.request.from + - sip.request.to + - sip.response.from + - sip.response.to + - sip.call_id + - sip.subject + - sip.user_agent + - sip.status_code + - log.id.uid + '::smb_files': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - log.id.fuid + - file.action + - file.path + - file.name + - file.size + - file.prev_name + - log.id.uid + '::smb_mapping': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - smb.path + - smb.service + - smb.share_type + - log.id.uid + '::smtp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - smtp.from + - smtp.recipient_to + - smtp.subject + - smtp.useragent + - log.id.uid + - network.community_id + '::snmp': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - snmp.community + - snmp.version + - log.id.uid + '::socks': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - socks.name + - socks.request.host + - socks.request.port + - socks.status + - log.id.uid + '::software': + - soc_timestamp + - source.ip + - software.name + - software.type + '::ssh': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssh.version + - 
ssh.hassh_version + - ssh.direction + - ssh.client + - ssh.server + - log.id.uid + '::ssl': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - ssl.server_name + - ssl.certificate.subject + - ssl.validation_status + - ssl.version + - log.id.uid + ':zeek:syslog': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - syslog.facility + - network.protocol + - syslog.severity + - log.id.uid + '::tunnels': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - tunnel_type + - action + - log.id.uid + '::weird': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - weird.name + - log.id.uid + '::x509': + - soc_timestamp + - x509.certificate.subject + - x509.certificate.key.type + - x509.certificate.key.length + - x509.certificate.issuer + - log.id.fuid + '::firewall': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - network.transport + - network.direction + - interface.name + - rule.action + - rule.reason + - network.community_id + ':osquery:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - source.hostname + - event.dataset + - process.executable + - user.name + ':ossec:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rule.name + - rule.level + - rule.category + - process.name + - user.name + - user.escalated + - location + ':strelka:file': + - soc_timestamp + - file.name + - file.size + - hash.md5 + - file.source + - file.mime_type + - log.id.fuid + ':suricata:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - rule.name + - rule.category + - event.severity_label + - log.id.uid + - network.community_id + ':sysmon:': + - soc_timestamp + - source.ip + - source.port + - destination.ip + - destination.port + - source.hostname + - event.dataset + - 
process.executable + - user.name + ':windows_eventlog:': + - soc_timestamp + - user.name + ':elasticsearch:': + - soc_timestamp + - agent.name + - message + - log.level + - metadata.version + - metadata.pipeline + - event.dataset + ':kibana:': + - soc_timestamp + - host.name + - message + - kibana.log.meta.req.headers.x-real-ip + - event.dataset + '::rootcheck': + - soc_timestamp + - host.name + - metadata.ip_address + - log.full + - event.dataset + - event.module + '::ossec': + - soc_timestamp + - host.name + - metadata.ip_address + - log.full + - event.dataset + - event.module + '::syscollector': + - soc_timestamp + - host.name + - metadata.ip_address + - wazuh.data.type + - log.full + - event.dataset + - event.module + ':syslog:syslog': + - soc_timestamp + - host.name + - metadata.ip_address + - real_message + - syslog.priority + - syslog.application + ':aws:': + - soc_timestamp + - aws.cloudtrail.event_category + - aws.cloudtrail.event_type + - event.provider + - event.action + - event.outcome + - cloud.region + - user.name + - source.ip + - source.geo.region_iso_code + ':squid:': + - soc_timestamp + - url.original + - destination.ip + - destination.geo.country_iso_code + - user.name + - source.ip + queryBaseFilter: + queryToggleFilters: + - name: caseExcludeToggle + filter: NOT _index:\"*:so-case*\" + enabled: true + queries: + - name: Default Query + description: Show all events grouped by the origin host + query: '* | groupby observer.name' + - name: Log Type + description: Show all events grouped by module and dataset + query: '* | groupby event.module event.dataset' + - name: SOC Auth + description: Users authenticated to SOC grouped by IP address and identity + query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id' + - name: Elastalerts + description: '' + query: '_type:elastalert | groupby rule.name' + - name: Alerts + description: Show all alerts grouped by alert source + query: 
'event.dataset: alert | groupby event.module' + - name: NIDS Alerts + description: Show all NIDS alerts grouped by alert + query: 'event.category: network AND event.dataset: alert | groupby rule.category rule.gid rule.uuid rule.name' + - name: Wazuh/OSSEC Alerts + description: Show all Wazuh alerts at Level 5 or higher grouped by category + query: 'event.module:ossec AND event.dataset:alert AND rule.level:>4 | groupby rule.category rule.name' + - name: Wazuh/OSSEC Alerts + description: Show all Wazuh alerts at Level 4 or lower grouped by category + query: 'event.module:ossec AND event.dataset:alert AND rule.level:<5 | groupby rule.category rule.name' + - name: Wazuh/OSSEC Users and Commands + description: Show all Wazuh alerts grouped by username and command line + query: 'event.module:ossec AND event.dataset:alert | groupby user.escalated.keyword process.command_line' + - name: Wazuh/OSSEC Processes + description: Show all Wazuh alerts grouped by process name + query: 'event.module:ossec AND event.dataset:alert | groupby process.name' + - name: Sysmon Events + description: Show all Sysmon logs grouped by event type + query: 'event.module:sysmon | groupby event.dataset' + - name: Sysmon Usernames + description: Show all Sysmon logs grouped by username + query: 'event.module:sysmon | groupby event.dataset, user.name.keyword' + - name: Strelka + description: Show all Strelka logs grouped by file type + query: 'event.module:strelka | groupby file.mime_type' + - name: Zeek Notice + description: Show notices from Zeek + query: 'event.dataset:notice | groupby notice.note notice.message' + - name: Connections + description: Connections grouped by IP and Port + query: 'event.dataset:conn | groupby source.ip destination.ip network.protocol destination.port' + - name: Connections + description: Connections grouped by Service + query: 'event.dataset:conn | groupby network.protocol destination.port' + - name: Connections + description: Connections grouped by destination 
country + query: 'event.dataset:conn | groupby destination.geo.country_name' + - name: Connections + description: Connections grouped by source country + query: 'event.dataset:conn | groupby source.geo.country_name' + - name: DCE_RPC + description: DCE_RPC grouped by operation + query: 'event.dataset:dce_rpc | groupby dce_rpc.operation' + - name: DHCP + description: DHCP leases + query: 'event.dataset:dhcp | groupby host.hostname client.address' + - name: DHCP + description: DHCP grouped by message type + query: 'event.dataset:dhcp | groupby dhcp.message_types' + - name: DNP3 + description: DNP3 grouped by reply + query: 'event.dataset:dnp3 | groupby dnp3.fc_reply' + - name: DNS + description: DNS queries grouped by port + query: 'event.dataset:dns | groupby dns.query.name destination.port' + - name: DNS + description: DNS queries grouped by type + query: 'event.dataset:dns | groupby dns.query.type_name destination.port' + - name: DNS + description: DNS queries grouped by response code + query: 'event.dataset:dns | groupby dns.response.code_name destination.port' + - name: DNS + description: DNS highest registered domain + query: 'event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port' + - name: DNS + description: DNS grouped by parent domain + query: 'event.dataset:dns | groupby dns.parent_domain.keyword destination.port' + - name: DPD + description: Dynamic Protocol Detection errors + query: 'event.dataset:dpd | groupby error.reason' + - name: Files + description: Files grouped by mimetype + query: 'event.dataset:file | groupby file.mime_type source.ip' + - name: Files + description: Files grouped by source + query: 'event.dataset:file | groupby file.source source.ip' + - name: FTP + description: FTP grouped by command and argument + query: 'event.dataset:ftp | groupby ftp.command ftp.argument' + - name: FTP + description: FTP grouped by username and argument + query: 'event.dataset:ftp | groupby ftp.user ftp.argument' + - name: HTTP + 
description: HTTP grouped by destination port + query: 'event.dataset:http | groupby destination.port' + - name: HTTP + description: HTTP grouped by status code and message + query: 'event.dataset:http | groupby http.status_code http.status_message' + - name: HTTP + description: HTTP grouped by method and user agent + query: 'event.dataset:http | groupby http.method http.useragent' + - name: HTTP + description: HTTP grouped by virtual host + query: 'event.dataset:http | groupby http.virtual_host' + - name: HTTP + description: HTTP with exe downloads + query: 'event.dataset:http AND (file.resp_mime_types:dosexec OR file.resp_mime_types:executable) | groupby http.virtual_host' + - name: Intel + description: Intel framework hits grouped by indicator + query: 'event.dataset:intel | groupby intel.indicator.keyword' + - name: IRC + description: IRC grouped by command + query: 'event.dataset:irc | groupby irc.command.type' + - name: KERBEROS + description: KERBEROS grouped by service + query: 'event.dataset:kerberos | groupby kerberos.service' + - name: MODBUS + description: MODBUS grouped by function + query: 'event.dataset:modbus | groupby modbus.function' + - name: MYSQL + description: MYSQL grouped by command + query: 'event.dataset:mysql | groupby mysql.command' + - name: NOTICE + description: Zeek notice logs grouped by note and message + query: 'event.dataset:notice | groupby notice.note notice.message' + - name: NTLM + description: NTLM grouped by computer name + query: 'event.dataset:ntlm | groupby ntlm.server.dns.name' + - name: Osquery Live Queries + description: Osquery Live Query results grouped by computer name + query: 'event.dataset:live_query | groupby host.hostname' + - name: PE + description: PE files list + query: 'event.dataset:pe | groupby file.machine file.os file.subsystem' + - name: RADIUS + description: RADIUS grouped by username + query: 'event.dataset:radius | groupby user.name.keyword' + - name: RDP + description: RDP grouped by client name + 
query: 'event.dataset:rdp | groupby client.name' + - name: RFB + description: RFB grouped by desktop name + query: 'event.dataset:rfb | groupby rfb.desktop.name.keyword' + - name: Signatures + description: Zeek signatures grouped by signature id + query: 'event.dataset:signatures | groupby signature_id' + - name: SIP + description: SIP grouped by user agent + query: 'event.dataset:sip | groupby client.user_agent' + - name: SMB_Files + description: SMB files grouped by action + query: 'event.dataset:smb_files | groupby file.action' + - name: SMB_Mapping + description: SMB mapping grouped by path + query: 'event.dataset:smb_mapping | groupby smb.path' + - name: SMTP + description: SMTP grouped by subject + query: 'event.dataset:smtp | groupby smtp.subject' + - name: SNMP + description: SNMP grouped by version and string + query: 'event.dataset:snmp | groupby snmp.community snmp.version' + - name: Software + description: List of software seen on the network + query: 'event.dataset:software | groupby software.type software.name' + - name: SSH + description: SSH grouped by version and client + query: 'event.dataset:ssh | groupby ssh.version ssh.client' + - name: SSL + description: SSL grouped by version and server name + query: 'event.dataset:ssl | groupby ssl.version ssl.server_name' + - name: SYSLOG + description: 'SYSLOG grouped by severity and facility ' + query: 'event.dataset:syslog | groupby syslog.severity_label syslog.facility_label' + - name: Tunnel + description: Tunnels grouped by type and action + query: 'event.dataset:tunnel | groupby tunnel.type event.action' + - name: Weird + description: Zeek weird log grouped by name + query: 'event.dataset:weird | groupby weird.name' + - name: x509 + description: x.509 grouped by key length and name + query: 'event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns' + - name: x509 + description: x.509 grouped by name and issuer + query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer' + 
- name: x509 + description: x.509 grouped by name and subject + query: 'event.dataset:x509 | groupby x509.san_dns x509.certificate.subject' + - name: Firewall + description: Firewall events grouped by action + query: 'event.dataset:firewall | groupby rule.action' + actions: + - name: actionHunt + description: actionHuntHelp + icon: fa-crosshairs + target: + links: + - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' + - name: actionCorrelate + description: actionCorrelateHelp + icon: fab fa-searchengin + target: + links: + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' + - name: actionPcap + description: actionPcapHelp + icon: fa-stream + target: + links: + - '/joblookup?esid={:soc_id}&time={:@timestamp}' + - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' + categories: + - hunt + - alerts + - name: actionCyberChef + description: actionCyberChefHelp + icon: fas fa-bread-slice + target: _blank + links: + - '/cyberchef/#input={value|base64}' + - name: actionGoogle + description: actionGoogleHelp + icon: fab fa-google + target: _blank + links: + - 'https://www.google.com/search?q={value}' + - name: actionVirusTotal + description: actionVirusTotalHelp + icon: fa-external-link-alt + target: _blank + links: + - 'https://www.virustotal.com/gui/search/{value}' + job: + actions: + - name: actionHunt + description: actionHuntHelp + icon: fa-crosshairs + target: + links: + - 
'/#/hunt?q="{value|escape}" | groupby event.module event.dataset' + - name: actionCorrelate + description: actionCorrelateHelp + icon: fab fa-searchengin + target: + links: + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' + - name: actionPcap + description: actionPcapHelp + icon: fa-stream + target: + links: + - '/joblookup?esid={:soc_id}&time={:@timestamp}' + - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' + categories: + - hunt + - alerts + - name: actionCyberChef + description: actionCyberChefHelp + icon: fas fa-bread-slice + target: _blank + links: + - '/cyberchef/#input={value|base64}' + - name: actionGoogle + description: actionGoogleHelp + icon: fab fa-google + target: _blank + links: + - 'https://www.google.com/search?q={value}' + - name: actionVirusTotal + description: actionVirusTotalHelp + icon: fa-external-link-alt + target: _blank + links: + - 'https://www.virustotal.com/gui/search/{value}' + alerts: + advanced: false + groupItemsPerPage: 50 + groupFetchLimit: 500 + eventItemsPerPage: 50 + eventFetchLimit: 500 + relativeTimeValue: 24 + relativeTimeUnit: 30 + mostRecentlyUsedLimit: 5 + ackEnabled: true + escalateEnabled: true + escalateRelatedEventsEnabled: true + eventfields: + default: + - soc_timestamp + - rule.name + - event.severity_label + - source.ip + - source.port + - destination.ip + - destination.port + - rule.gid + - rule.uuid + - rule.category + - rule.rev 
+ ':ossec:': + - soc_timestamp + - rule.name + - event.severity_label + - source.ip + - source.port + - destination.ip + - destination.port + - rule.level + - rule.category + - process.name + - user.name + - user.escalated + - location + - process.name + queryBaseFilter: event.dataset:alert + queryToggleFilters: + - name: acknowledged + filter: event.acknowledged:true + enabled: false + exclusive: true + - name: escalated + filter: event.escalated:true + enabled: false + exclusive: true + enablesToggles: + - acknowledged + queries: + - name: 'Group By Name, Module' + query: '* | groupby rule.name event.module event.severity_label' + - name: 'Group By Sensor, Source IP/Port, Destination IP/Port, Name' + query: '* | groupby observer.name source.ip source.port destination.ip destination.port rule.name network.community_id event.severity_label' + - name: 'Group By Source IP, Name' + query: '* | groupby source.ip rule.name event.severity_label' + - name: 'Group By Source Port, Name' + query: '* | groupby source.port rule.name event.severity_label' + - name: 'Group By Destination IP, Name' + query: '* | groupby destination.ip rule.name event.severity_label' + - name: 'Group By Destination Port, Name' + query: '* | groupby destination.port rule.name event.severity_label' + - name: Ungroup + query: '*' + actions: + - name: actionHunt + description: actionHuntHelp + icon: fa-crosshairs + target: + links: + - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' + - name: actionCorrelate + description: actionCorrelateHelp + icon: fab fa-searchengin + target: + links: + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module 
event.dataset' + - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' + - name: actionPcap + description: actionPcapHelp + icon: fa-stream + target: + links: + - '/joblookup?esid={:soc_id}&time={:@timestamp}' + - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' + categories: + - hunt + - alerts + - name: actionCyberChef + description: actionCyberChefHelp + icon: fas fa-bread-slice + target: _blank + links: + - '/cyberchef/#input={value|base64}' + - name: actionGoogle + description: actionGoogleHelp + icon: fab fa-google + target: _blank + links: + - 'https://www.google.com/search?q={value}' + - name: actionVirusTotal + description: actionVirusTotalHelp + icon: fa-external-link-alt + target: _blank + links: + - 'https://www.virustotal.com/gui/search/{value}' + + cases: + advanced: false + groupItemsPerPage: 50 + groupFetchLimit: 100 + eventItemsPerPage: 50 + eventFetchLimit: 500 + relativeTimeValue: 12 + relativeTimeUnit: 60 + mostRecentlyUsedLimit: 5 + ackEnabled: false + escalateEnabled: false + escalateRelatedEventsEnabled: false + viewEnabled: true + createLink: /case/create + eventFields: + default: + - soc_timestamp + - so_case.title + - so_case.status + - so_case.severity + - so_case.assigneeId + - so_case.createTime + queryBaseFilter: '_index:\"*:so-case\" AND so_kind:case' + queryToggleFilters: [] + queries: + - name: Open Cases + query: 'NOT so_case.status:closed AND NOT so_case.category:template' + - name: Closed Cases + query: 'so_case.status:closed AND NOT so_case.category:template' + - name: My Open Cases + query: 'NOT so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}' + - name: My Closed Cases + query: 'so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}' + - name: Templates + query: 'so_case.category:template' 
+ actions: + - name: actionHunt + description: actionHuntHelp + icon: fa-crosshairs + target: + links: + - '/#/hunt?q="{value|escape}" | groupby event.module event.dataset' + - name: actionCorrelate + description: actionCorrelateHelp + icon: fab fa-searchengin + target: + links: + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:log.id.uid}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.fuid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q=("{:log.id.uid}" OR "{:network.community_id}") | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.fuid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:log.id.uid}" | groupby event.module event.dataset' + - '/#/hunt?q="{:network.community_id}" | groupby event.module event.dataset' + - name: actionPcap + description: actionPcapHelp + icon: fa-stream + target: + links: + - '/joblookup?esid={:soc_id}&time={:@timestamp}' + - '/joblookup?ncid={:network.community_id}&time={:@timestamp}' + categories: + - hunt + - alerts + - name: actionCyberChef + description: actionCyberChefHelp + icon: fas fa-bread-slice + target: _blank + links: + - '/cyberchef/#input={value|base64}' + - name: actionGoogle + description: actionGoogleHelp + icon: fab fa-google + target: _blank + links: + - 'https://www.google.com/search?q={value}' + - name: actionVirusTotal + description: actionVirusTotalHelp + icon: fa-external-link-alt + target: _blank + links: + - 'https://www.virustotal.com/gui/search/{value}' + case: + mostRecentlyUsedLimit: 5 + renderAbbreviatedCount: 30 + presets: + artifactType: + labels: + - autonomous-system + - domain + - file + - filename + - fqdn + - hash + - ip + - mail + - mail_subject + - other + - regexp + - registry + - uri_path + - url + - user-agent + customEnabled: true + category: + labels: + - general + - template + customEnabled: true + pap: + 
labels: + - white + - green + - amber + - red + customEnabled: false + severity: + labels: + - low + - medium + - high + - critical + customEnabled: false + status: + labels: + - new + - in progress + - closed + customEnabled: false + tags: + labels: + - false-positive + - confirmed + - pending + customEnabled: true + tlp: + labels: + - white + - green + - amber + - red + customEnabled: false diff --git a/salt/soc/files/soc/default.annotation.yaml b/salt/soc/files/soc/default.annotation.yaml new file mode 100644 index 000000000..f78488035 --- /dev/null +++ b/salt/soc/files/soc/default.annotation.yaml 
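Review bot: The `alerts` section spells its field-list key `eventfields:` while the `hunt` and `cases` sections use `eventFields:`; if the SOC server reads this key case-sensitively, the alerts field lists (including the `':ossec:'` variant) are never applied and the built-in defaults are shown instead, so the key should be `eventFields:` unless the consumer is known to accept both. In the same `':ossec:'` list, `process.name` appears twice, which will render a duplicate column. Both the `elastic` and `influxdb` modules ship with `verifyCert: false`, disabling TLS certificate checks for server-side connections by default; that is a deliberate trade-off that deserves a comment on each line, e.g. `# backend services use locally issued certificates; set true when a trusted CA is in place`, so operators know it can and should be tightened. `bindAddress: 0.0.0.0:9822` likewise merits a one-line comment noting that the listener is expected to sit behind the reverse proxy and firewall rules rather than be exposed directly.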
@@ -0,0 +1,712 @@ +### Elasticsearch Nodes ### +elasticsearch.esheap: + default: 4192 + global: false + type: int + nodes: + - manager + - searchnode + +elasticsearch.config.node.attr.box_type: + default: hot + global: false + type: bool + options: + - hot + - warm + nodes: + - manager + - searchnode + +## Elasticsearch Global ## +elasticsearch.config.cluster.name: + default: securityonion + global: true + type: string + +elasticsearch.config.cluster.routing.allocation.disk.threshold_enabled: + default: true + global: true + type: bool + options: + - true + - false + +elasticsearch.config.cluster.routing.allocation.disk.watermark.low: +elasticsearch.config.cluster.routing.allocation.disk.watermark.high: +elasticsearch.config.cluster.routing.allocation.disk.watermark.flood_stage: + + + + + + + + + +elasticsearch:"\ + config:"\ + cluster:"\ + name: $ESCLUSTERNAME"\ + routing:"\ + allocation:"\ + " disk:"\ + " threshold_enabled: true"\ + " watermark:"\ + " low: 80%"\ + " high: 85%"\ + " flood_stage: 90%"\ + " script:"\ + " max_compilations_rate: 20000/1m"\ + " indices:"\ + " query:"\ + " bool:"\ + " max_clause_count: 3500"\ + " index_settings:"\ + " so-aws:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-azure:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-barracuda:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " 
number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-beats:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-bluecoat:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-cef:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-checkpoint:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-cisco:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-cyberark:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-cylance:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " 
total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-elasticsearch:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-endgame:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-f5:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-firewall:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-fortinet:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-gcp:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-google_workspace:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " 
index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-ids:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-imperva:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-import:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-infoblox:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-juniper:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-kibana:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-logstash:"\ + " warm: 7"\ + " 
close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-microsoft:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-misp:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + + " so-netflow:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-netscout:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-o365:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-okta:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " 
number_of_replicas: 0"\ + " so-osquery:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-proofpoint:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-radware:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-redis:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-snort:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-snyk:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-sonicwall:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + 
" refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-sophos:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-strelka:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-syslog:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-tomcat:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-zeek:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ + " so-zscaler:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365" + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0"\ \ No newline at end of file diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json deleted file mode 100644 index e6ee71b51..000000000 
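Review bot: `elasticsearch.config.node.attr.box_type` is annotated `type: bool` while its `options` are the strings `hot` and `warm` and its default is `hot`, so anything that validates or renders a field from this annotation will mis-handle the value; `type: string` is what the listed options describe. The three `...disk.watermark.low/high/flood_stage` keys are declared with no body at all (no `default`, `global` or `type`), unlike `threshold_enabled` just above them. Everything from `elasticsearch:"\` to the end of the hunk reads like a shell-quoted copy of the elasticsearch defaults pasted into this file rather than annotation entries: a key whose value is an unterminated double-quoted scalar is unlikely to load as the same YAML document, and the `" delete: 365"` line under `so-zscaler` has also lost its trailing backslash, which supports reading the block as leftover paste. I would delete that block, give the watermark keys the same `default/global/type` shape as `threshold_enabled`, and end the file with a newline (the hunk currently ends with `\ No newline at end of file`).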
--- a/salt/soc/files/soc/soc.json +++ /dev/null 
@@ -1,258 +0,0 @@ -{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} -{%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') %} -{%- set THEHIVEKEY = salt['pillar.get']('global:hivekey', '') %} -{%- set THEHIVEURL = salt['pillar.get']('global:hiveurl', '') %} -{%- set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %} -{%- set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} -{%- set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} -{%- set GRAFANA = salt['pillar.get']('manager:grafana', '0') %} -{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} -{%- set API_TIMEOUT = salt['pillar.get']('sensoroni:api_timeout_ms', 0) %} -{%- set WEBSOCKET_TIMEOUT = salt['pillar.get']('sensoroni:websocket_timeout_ms', 0) %} -{%- set TIP_TIMEOUT = salt['pillar.get']('sensoroni:tip_timeout_ms', 0) %} -{%- set CACHE_EXPIRATION = salt['pillar.get']('sensoroni:cache_expiration_ms', 0) %} -{%- set ES_FIELDCAPS_CACHE = salt['pillar.get']('sensoroni:es_fieldcaps_cache_ms', '300000') %} -{%- import_json "soc/files/soc/alerts.queries.json" as alerts_queries %} -{%- import_json "soc/files/soc/alerts.eventfields.json" as alerts_eventfields %} -{%- import_json "soc/files/soc/hunt.queries.json" as hunt_queries %} -{%- import_json "soc/files/soc/hunt.eventfields.json" as hunt_eventfields %} -{%- import_json "soc/files/soc/dashboards.queries.json" as dashboards_queries %} -{%- import_json "soc/files/soc/cases.queries.json" as cases_queries %} -{%- import_json "soc/files/soc/cases.eventfields.json" as cases_eventfields %} -{%- import_json "soc/files/soc/menu.actions.json" as menu_actions %} -{%- import_json "soc/files/soc/tools.json" as tools %} -{%- import_json "soc/files/soc/presets.artifacttype.json" as presets_artifacttype %} -{%- import_json "soc/files/soc/presets.category.json" as presets_category %} -{%- import_json "soc/files/soc/presets.pap.json" as presets_pap %} -{%- import_json 
"soc/files/soc/presets.severity.json" as presets_severity %} -{%- import_json "soc/files/soc/presets.status.json" as presets_status %} -{%- import_json "soc/files/soc/presets.tag.json" as presets_tag %} -{%- import_json "soc/files/soc/presets.tlp.json" as presets_tlp %} -{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} -{%- set ES_INDEX_PATTERNS = salt['pillar.get']('soc:es_index_patterns', '*:so-*') %} -{%- set CASE_MODULE = salt['pillar.get']('soc:case_module', 'soc') %} -{%- set HTTPCASE_CONFIG = salt['pillar.get']('soc:httpcase_config', '') %} -{ - "logFilename": "/opt/sensoroni/logs/sensoroni-server.log", - "server": { - "bindAddress": "0.0.0.0:9822", - "baseUrl": "/", - "maxPacketCount": 5000, - "htmlDir": "html", - {%- if ISAIRGAP is sameas true %} - "airgapEnabled": true, - {%- else %} - "airgapEnabled": false, - {%- endif %} - "modules": { - "filedatastore": { - "jobDir": "jobs" - }, - "kratos": { - "hostUrl": "http://{{ MANAGERIP }}:4434/" - }, - "elastic": { - "hostUrl": "https://{{ MANAGERIP }}:9200", - {%- if salt['pillar.get']('nodestab', {}) %} - "remoteHostUrls": [ - {%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %} - "https://{{ SN.split('_')|first }}:9200"{{ "," if not loop.last else ""}} - {%- endfor %} - ], - {%- endif %} - "username": "{{ ES_USER }}", - "password": "{{ ES_PASS }}", - "index": "{{ ES_INDEX_PATTERNS }}", - "cacheMs": {{ ES_FIELDCAPS_CACHE }}, - "verifyCert": false, - "casesEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }}, - "timeoutMs": {{ API_TIMEOUT }} - }, - "influxdb": { -{%- if grains['role'] in ['so-import'] or (grains['role'] == 'so-eval' 
and GRAFANA == 0) %} - "hostUrl": "", -{%- else %} - "hostUrl": "https://{{ MANAGERIP }}:8086", -{%- endif %} - "token": "", - "org": "", - "bucket": "telegraf", - "verifyCert": false - }, - "sostatus": { - "refreshIntervalMs": 30000, - "offlineThresholdMs": 900000 - }, -{%- if CASE_MODULE == 'thehive' and THEHIVEKEY != '' %} - "thehive": { - "hostUrl": "http://{{ HIVEURL }}:9000/thehive", - "key": "{{ THEHIVEKEY }}", - "verifyCert": false - }, -{%- elif CASE_MODULE == 'elasticcases' %} - "elasticcases": { - "hostUrl": "https://{{ MANAGERIP }}:5601", - "username": "{{ ES_USER }}", - "password": "{{ ES_PASS }}", - }, -{%- elif CASE_MODULE == 'httpcase' %} - "httpcase": { - {{ HTTPCASE_CONFIG }} - }, -{%- endif %} - "statickeyauth": { - "anonymousCidr": "{{ DNET }}/24", - "apiKey": "{{ SENSORONIKEY }}" - }, - "staticrbac": { - "roleFiles": [ - "rbac/permissions", - "rbac/roles", - "rbac/custom_roles" - ], - "userFiles": [ - "rbac/users_roles" - ] - } - }, - "client": { - {%- if ISAIRGAP is sameas true %} - "docsUrl": "/docs/", - "cheatsheetUrl": "/docs/cheatsheet.pdf", - "releaseNotesUrl": "/docs/#release-notes", - {%- else %} - "docsUrl": "https://docs.securityonion.net/en/2.3/", - "cheatsheetUrl": "https://github.com/Security-Onion-Solutions/securityonion-docs/raw/2.3/images/cheat-sheet/Security-Onion-Cheat-Sheet.pdf", - "releaseNotesUrl": "https://docs.securityonion.net/en/2.3/release-notes", - {%- endif %} - "apiTimeoutMs": {{ API_TIMEOUT }}, - "webSocketTimeoutMs": {{ WEBSOCKET_TIMEOUT }}, - "tipTimeoutMs": {{ TIP_TIMEOUT }}, - "cacheExpirationMs": {{ CACHE_EXPIRATION }}, - "casesEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }}, - "inactiveTools": [ - {%- if PLAYBOOK == 0 %} - "toolPlaybook", - {%- endif %} - {%- if not FLEETMANAGER and not FLEETNODE %} - "toolFleet", - {%- endif %} - {%- if GRAFANA == 0 %} - "toolGrafana", - {%- endif %} - "toolUnused" - ], - "tools": {{ tools | json }}, - "hunt": { - "advanced": true, - "groupItemsPerPage": 10, - 
"groupFetchLimit": 10, - "eventItemsPerPage": 10, - "eventFetchLimit": 100, - "relativeTimeValue": 24, - "relativeTimeUnit": 30, - "mostRecentlyUsedLimit": 5, - "ackEnabled": false, - "escalateEnabled": true, - "escalateRelatedEventsEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }}, - "aggregationActionsEnabled": true, - "eventFields": {{ hunt_eventfields | json }}, - "queryBaseFilter": "", - "queryToggleFilters": [ - { "name": "caseExcludeToggle", "filter": "NOT _index:\"*:so-case*\"", "enabled": true } - ], - "queries": {{ hunt_queries | json }}, - "actions": {{ menu_actions | json }} - }, - "dashboards": { - "advanced": true, - "groupItemsPerPage": 10, - "groupFetchLimit": 10, - "eventItemsPerPage": 10, - "eventFetchLimit": 100, - "relativeTimeValue": 24, - "relativeTimeUnit": 30, - "mostRecentlyUsedLimit": 0, - "ackEnabled": false, - "escalateEnabled": true, - "escalateRelatedEventsEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }}, - "aggregationActionsEnabled": false, - "eventFields": {{ hunt_eventfields | json }}, - "queryBaseFilter": "", - "queryToggleFilters": [ - { "name": "caseExcludeToggle", "filter": "NOT _index:\"*:so-case*\"", "enabled": true } - ], - "queries": {{ dashboards_queries | json }}, - "actions": {{ menu_actions | json }} - }, - "job": { - "actions": {{ menu_actions | json }} - }, - "alerts": { - "advanced": false, - "groupItemsPerPage": 50, - "groupFetchLimit": 500, - "eventItemsPerPage": 50, - "eventFetchLimit": 500, - "relativeTimeValue": 24, - "relativeTimeUnit": 30, - "mostRecentlyUsedLimit": 5, - "ackEnabled": true, - "escalateEnabled": true, - "escalateRelatedEventsEnabled": {{ 'true' if CASE_MODULE == 'soc' else 'false' }}, - "aggregationActionsEnabled": true, - "eventFields": {{ alerts_eventfields | json }}, - "queryBaseFilter": "event.dataset:alert", - "queryToggleFilters": [ - { "name": "acknowledged", "filter": "event.acknowledged:true", "enabled": false, "exclusive": true }, - { "name": "escalated", 
"filter": "event.escalated:true", "enabled": false, "exclusive": true, "enablesToggles":["acknowledged"] } - ], - "queries": {{ alerts_queries | json }}, - "actions": {{ menu_actions | json }} - }, - "cases": { - "advanced": false, - "groupItemsPerPage": 50, - "groupFetchLimit": 100, - "eventItemsPerPage": 50, - "eventFetchLimit": 500, - "relativeTimeValue": 12, - "relativeTimeUnit": 60, - "mostRecentlyUsedLimit": 5, - "ackEnabled": false, - "escalateEnabled": false, - "escalateRelatedEventsEnabled": false, - "aggregationActionsEnabled": false, - "viewEnabled": true, - "createLink": "/case/create", - "eventFields": {{ cases_eventfields | json }}, - "queryBaseFilter": "_index:\"*:so-case\" AND so_kind:case", - "queryToggleFilters": [ - ], - "queries": {{ cases_queries | json }}, - "actions": {{ menu_actions | json }} - }, - "case": { - "mostRecentlyUsedLimit": 5, - "renderAbbreviatedCount": 30, - "analyzerNodeId": "{{ grains.host | lower }}", - "presets": { - "artifactType": {{ presets_artifacttype | json }}, - "category": {{ presets_category | json }}, - "pap": {{ presets_pap | json }}, - "severity": {{ presets_severity | json }}, - "status": {{ presets_status | json }}, - "tags": {{ presets_tag | json }}, - "tlp": {{ presets_tlp | json }} - } - } - } - } -} diff --git a/salt/soc/files/soc/soc.json.jinja b/salt/soc/files/soc/soc.json.jinja new file mode 100644 index 000000000..101959758 --- /dev/null +++ b/salt/soc/files/soc/soc.json.jinja @@ -0,0 +1,2 @@ +{% from 'soc/merged.map.jinja' import SOCMERGED -%} +{{ SOCMERGED | json(sort_keys=True, indent=4 * ' ') }} diff --git a/salt/soc/init.sls b/salt/soc/init.sls index bfb6ea4d9..151a817f6 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -29,6 +29,7 @@ soclogdir: - group: 939 - makedirs: True + socactions: file.managed: - name: /opt/so/conf/soc/menu.actions.json 
@@ -38,10 +39,11 @@ socactions: - mode: 600 - template: jinja + socconfig: file.managed: - name: /opt/so/conf/soc/soc.json - - source: salt://soc/files/soc/soc.json + - source: salt://soc/files/soc/soc.json.jinja - user: 939 - group: 939 - mode: 600 diff --git a/salt/soc/merged.map.jinja b/salt/soc/merged.map.jinja new file mode 100644 index 000000000..7a6754f11 --- /dev/null +++ b/salt/soc/merged.map.jinja 
@@ -0,0 +1,42 @@
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'soc/defaults.map.jinja' import SOCDEFAULTS with context %}
+{% set SOCMERGED = salt['pillar.get']('soc', SOCDEFAULTS, merge=true) %}
+
+{# if SOCMERGED.server.modules.cases == httpcase details come from the soc pillar #}
+{% if SOCMERGED.server.modules.cases != 'soc' %}
+{% do SOCMERGED.server.modules.elastic.update({'casesEnabled': false}) %}
+{% do SOCMERGED.client.update({'casesEnabled': false}) %}
+{% do SOCMERGED.client.hunt.update({'escalateRelatedEventsEnabled': false}) %}
+{% do SOCMERGED.client.alerts.update({'escalateRelatedEventsEnabled': false}) %}
+{% if SOCMERGED.server.modules.cases == 'elasticcases' %}
+{% do SOCMERGED.server.modules.update({
+ 'elasticcases': {
+ 'hostUrl': 'https://' ~ GLOBALS.manager_ip ~ ':5601',
+ 'username': GLOBALS.elasticsearch.auth.users.so_elastic_user.user,
+ 'password': GLOBALS.elasticsearch.auth.users.so_elastic_user.pass,
+ }
+ }) %}
+{% endif %}
+{% endif %}
+{# since cases is not a valid soc config item and only used for the map files, remove it from being placed in the config #}
+{% do SOCMERGED.server.modules.pop('cases') %}
+
+{# change some options if this is airgap #}
+{% if GLOBALS.airgap %}
+{% do SOCMERGED.client.update({
+ 'docsUrl': '/docs/',
+ 'cheatsheetUrl': '/docs/cheatsheet.pdf',
+ 'releaseNotesUrl': '/docs/#release-notes'
+ })
+%}
+{% endif %}
+
+{% if pillar.manager.playbook == 0 %}
+{% do SOCMERGED.client.inactiveTools.append('toolPlaybook') %}
+{% endif %}
+
+{% do SOCMERGED.client.inactiveTools.append('toolFleet') %}
+
+{% if pillar.manager.grafana == 0 %}
+{% do SOCMERGED.client.inactiveTools.append('toolGrafana') %}
+{% endif %}
diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf
index b6b6825eb..b91b696f8 100644
--- a/salt/soctopus/files/SOCtopus.conf
+++ b/salt/soctopus/files/SOCtopus.conf
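Review bot: `{% if pillar.manager.playbook == 0 %}` and `{% if pillar.manager.grafana == 0 %}` use direct attribute access with no default, so rendering fails with an undefined-variable error on any minion whose pillar has no `manager` key, and they compare against the integer 0 where the soc.json this replaces read the same keys through `salt['pillar.get']` with string defaults. I would read them the way the `soc` pillar is read on line 3 and normalise the type, e.g. `{% if salt['pillar.get']('manager:playbook', 0) | int == 0 %}`, and the same for grafana. `{% if GLOBALS.airgap %}` is a plain truthiness test, while soctopus/init.sls in this same commit still reads `global:airgap` with the string default `'False'` and tests it with `is sameas true`; if GLOBALS.airgap can carry a string value the airgap branch here would be taken unconditionally, so its type in `vars/globals.map.jinja` is worth confirming. The elasticcases block writes `so_elastic_user.pass` into the rendered soc.json, which is only acceptable because soc/init.sls manages that file with `mode: 600`; a short comment here noting that dependency would keep the two from drifting apart.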
@@ -1,16 +1,11 @@ -{%- set MANAGER = salt['pillar.get']('manager:mainip', '') %} +{%- set MANAGER = salt['pillar.get']('global:managerip', '') %} {%- set URLBASE = salt['pillar.get']('global:url_base', '') %} {%- set HIVEKEY = salt['pillar.get']('global:hivekey', '') %} {%- set THEHIVEURL = salt['pillar.get']('global:hiveurl', '') %} {%- set CORTEXKEY = salt['pillar.get']('global:cortexorguserkey', '') %} -{%- set PLAYBOOK_KEY = salt['pillar.get']('playbook:api_key', '') %} -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} -{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} -{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- else %} -{%- set ES_USER = '' %} -{%- set ES_PASS = '' %} -{%- endif %} +{%- set PLAYBOOK_KEY = salt['pillar.get']('secrets:playbook_automation_api_key', '') %} +{%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} +{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} [es] es_url = https://{{MANAGER}}:9200 diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 7ad2640ea..e2a505d2c 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -1,11 +1,11 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} -{% set MANAGER_URL = salt['pillar.get']('global:url_base', '') %} -{% set MANAGER_IP = salt['pillar.get']('global:managerip', '') %} +{% set MANAGER_URL = salt['pillar.get']('global:url_base') %} +{% set MANAGER_IP = salt['pillar.get']('global:managerip') %} {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} include: 
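Review bot: The `elasticsearch:auth:enabled` guard around ES_USER/ES_PASS is gone, so whatever the pillar holds for `so_elastic_user` is now written into SOCtopus.conf unconditionally; if that is because authentication is now always on, a one-line comment such as `{# ES auth is always enabled; credentials come from the elasticsearch pillar #}` would record the assumption. The rendered file now carries the ES password, the Hive and Cortex keys and `secrets:playbook_automation_api_key` together; this hunk does not show the file.managed that writes it, so confirm it is given a restrictive mode like soc.json's `mode: 600` rather than relying only on the read-only container mount.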
@@ -66,7 +66,7 @@ so-soctopus: - /opt/so/conf/soctopus/SOCtopus.conf:/SOCtopus/SOCtopus.conf:ro - /opt/so/log/soctopus/:/var/log/SOCtopus/:rw - /opt/so/rules/elastalert/playbook:/etc/playbook-rules:rw - - /opt/so/conf/navigator/layers/:/etc/playbook/:rw + - /opt/so/conf/navigator/nav_layer_playbook.json:/etc/playbook/nav_layer_playbook.json:rw - /opt/so/conf/soctopus/sigma-import/:/SOCtopus/sigma-import/:rw {% if ISAIRGAP is sameas true %} - /nsm/repo/rules/sigma:/soctopus/sigma diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 533f347d8..1ef4a08ea 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -1,18 +1,19 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'vars/globals.map.jinja' import GLOBALS %} + -{% set manager = salt['grains.get']('master') %} -{% set managerip = salt['pillar.get']('global:managerip', '') %} -{% set HOSTNAME = salt['grains.get']('host') %} {% set global_ca_text = [] %} {% set global_ca_server = [] %} -{% set MAININT = salt['pillar.get']('host:mainint') %} -{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} -{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('global:fleet_custom_hostname', None) %} {% if grains.role in ['so-heavynode'] %} - {% set COMMONNAME = salt['grains.get']('host') %} + {% set COMMONNAME = GLOBALS.hostname %} {% else %} - {% set COMMONNAME = manager %} + {% set COMMONNAME = GLOBALS.manager %} {% endif %} {% if grains.id.split('_')|last in ['manager', 'managersearch', 'eval', 'standalone', 'import', 'helixsensor'] %} 
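Review bot: The new mount `- /opt/so/conf/navigator/nav_layer_playbook.json:/etc/playbook/nav_layer_playbook.json:rw` binds a single file, and Docker creates an empty directory at a missing host path for a file bind mount, after which any state that later tries to manage that path as a file fails; this hunk does not show the file being created before the container starts, so the container state should `require` whatever manages `nav_layer_playbook.json`, as the `SOCtopus.conf` mount above presumably does. A single-file bind mount also follows the inode, so if SOCtopus or navigator rewrites the layer by writing a temp file and renaming it, the other side keeps seeing the old content; mounting the parent directory, as the removed line did, avoided both issues. The `removefbcertdir`-style cleanup states deleted from salt/ssl/init.sls in this same commit existed for exactly the directory-in-place-of-file case, so the failure mode is a known one in this repo.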
@@ -23,7 +24,7 @@ include: {% else %} include: - ca.dirs - {% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %} + {% set x509dict = salt['mine.get'](GLOBALS.manager | lower~'*', 'x509.get_pem_entries') %} {% for host in x509dict %} {% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %} {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %} @@ -53,25 +54,10 @@ m2cryptopkgs: {% endif %} {% endif %} -removefbcertdir: - file.absent: - - name: /etc/pki/filebeat.crt - - onlyif: "test -d /etc/pki/filebeat.crt" - -removefbp8dir: - file.absent: - - name: /etc/pki/filebeat.p8 - - onlyif: "test -d /etc/pki/filebeat.p8" - -removeesp12dir: - file.absent: - - name: /etc/pki/elasticsearch.p12 - - onlyif: "test -d /etc/pki/elasticsearch.p12" - influxdb_key: x509.private_key_managed: - name: /etc/pki/influxdb.key - - CN: {{ HOSTNAME }} + - CN: {{ GLOBALS.hostname }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -93,8 +79,8 @@ influxdb_crt: - ca_server: {{ ca_server }} - signing_policy: influxdb - public_key: /etc/pki/influxdb.key - - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -121,7 +107,7 @@ influxkeyperms: redis_key: x509.private_key_managed: - name: /etc/pki/redis.key - - CN: {{ HOSTNAME }} + - CN: {{ GLOBALS.hostname }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -140,10 +126,10 @@ redis_crt: x509.certificate_managed: - name: /etc/pki/redis.crt - ca_server: {{ ca_server }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - signing_policy: registry - public_key: /etc/pki/redis.key - - CN: {{ HOSTNAME }} + - CN: {{ GLOBALS.hostname }} - days_remaining: 0 - days_valid: 820 - backup: True 
@@ -192,8 +178,8 @@ etc_filebeat_crt: - ca_server: {{ ca_server }} - signing_policy: filebeat - public_key: /etc/pki/filebeat.key - - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -251,7 +237,7 @@ fbcrtlink: registry_key: x509.private_key_managed: - name: /etc/pki/registry.key - - CN: {{ manager }} + - CN: {{ GLOBALS.manager }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -271,10 +257,10 @@ registry_crt: x509.certificate_managed: - name: /etc/pki/registry.crt - ca_server: {{ ca_server }} - - subjectAltName: DNS:{{ manager }}, IP:{{ managerip }} + - subjectAltName: DNS:{{ GLOBALS.manager }}, IP:{{ GLOBALS.manager_ip }} - signing_policy: registry - public_key: /etc/pki/registry.key - - CN: {{ manager }} + - CN: {{ GLOBALS.manager }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -319,8 +305,8 @@ regkeyperms: - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/elasticsearch.key - - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - days_remaining: 0 - days_valid: 820 - backup: True @@ -356,7 +342,7 @@ elasticp12perms: managerssl_key: x509.private_key_managed: - name: /etc/pki/managerssl.key - - CN: {{ manager }} + - CN: {{ GLOBALS.manager }} - bits: 4096 - days_remaining: 0 - days_valid: 820 
@@ -378,8 +364,8 @@ managerssl_crt: - ca_server: {{ ca_server }} - signing_policy: managerssl - public_key: /etc/pki/managerssl.key - - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %} + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - days_remaining: 0 - days_valid: 820 - backup: True 
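Review bot: The new `subjectAltName` for `managerssl_crt` no longer appends `DNS:{{ CUSTOM_FLEET_HOSTNAME }}`, so any deployment that reaches the manager's reverse proxy through that custom name will get a certificate name mismatch once the certificate is regenerated; this is consistent with the fleet states being deleted later in this file, but it is a visible TLS behaviour change that deserves a comment on the state, e.g. `# custom fleet hostname SAN removed with the fleet role; clients must use the manager hostname or IP`. Because this state is guarded by an `unless` expiry check (not in this hunk; the same pattern is visible on the `so-fleet` copy of `managerssl_crt` further down), existing nodes will presumably keep the old SAN list until the cert is within five days of expiry, so the change surfaces at an unpredictable time rather than at upgrade. The `managerssl_crt` state begins and ends outside this hunk.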
@@ -401,53 +387,10 @@ msslkeyperms: {% endif %} -# Create a private key and cert for OSQuery -fleet_key: - x509.private_key_managed: - - name: /etc/pki/fleet.key - - CN: {{ HOSTNAME }} - - bits: 4096 - - days_remaining: 0 - - days_valid: 820 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/fleet.key') -%} - - prereq: - - x509: /etc/pki/fleet.crt - {%- endif %} - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -fleet_crt: - x509.certificate_managed: - - name: /etc/pki/fleet.crt - - signing_private_key: /etc/pki/fleet.key - - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }},IP:{{ MAINIP }}{% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }}{% endif %} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -fleetkeyperms: - file.managed: - - replace: False - - name: /etc/pki/fleet.key - - mode: 640 - - group: 939 {% endif %} -{% if grains['role'] in ['so-sensor', 'so-manager', 'so-node', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-idh', 'so-import', 'so-receiver'] %} +{% if grains['role'] in ['so-sensor', 'so-manager', 'so-searchnode', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-fleet', 'so-standalone', 'so-idh', 'so-import', 'so-receiver'] %} fbcertdir: file.directory: 
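Review bot: The new role list on the last changed line still contains `'so-fleet'` even though this hunk deletes the `fleet_key`, `fleet_crt` and `fleetkeyperms` states and the `@@ -519,105 +462,11 @@` hunk removes the entire `{% if grains['role'] == 'so-fleet' %}` block, so a minion with that role would now receive filebeat certificates but none of the fleet or managerssl material it previously got. If the role no longer exists, drop it here as well: `{% if grains['role'] in ['so-sensor', 'so-manager', 'so-searchnode', 'so-eval', 'so-helix', 'so-managersearch', 'so-heavynode', 'so-standalone', 'so-idh', 'so-import', 'so-receiver'] %}`; if it is still supported, the deleted states need a replacement. The `{% if %}` block opened on that line continues past the end of the hunk.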
@@ -479,8 +422,8 @@ conf_filebeat_crt: - ca_server: {{ ca_server }} - signing_policy: filebeat - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key - - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - days_remaining: 0 - days_valid: 820 - backup: True 
@@ -519,105 +462,11 @@ chownfilebeatp8: {% endif %} -{% if grains['role'] == 'so-fleet' %} - -managerssl_key: - x509.private_key_managed: - - name: /etc/pki/managerssl.key - - CN: {{ manager }} - - bits: 4096 - - days_remaining: 0 - - days_valid: 820 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%} - - prereq: - - x509: /etc/pki/managerssl.crt - {%- endif %} - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -# Create a cert for the reverse proxy -managerssl_crt: - x509.certificate_managed: - - name: /etc/pki/managerssl.crt - - ca_server: {{ ca_server }} - - signing_policy: managerssl - - public_key: /etc/pki/managerssl.key - - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -msslkeyperms: - file.managed: - - replace: False - - name: /etc/pki/managerssl.key - - mode: 640 - - group: 939 - -# Create a private key and cert for Fleet -fleet_key: - x509.private_key_managed: - - name: /etc/pki/fleet.key - - CN: {{ manager }} - - bits: 4096 - - days_remaining: 0 - - days_valid: 820 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/fleet.key') -%} - - prereq: - - x509: /etc/pki/fleet.crt - {%- endif %} - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -fleet_crt: - x509.certificate_managed: - - name: /etc/pki/fleet.crt - - signing_private_key: /etc/pki/fleet.key - - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if 
CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - unless: - # https://github.com/saltstack/salt/issues/52167 - # Will trigger 5 days (432000 sec) from cert expiration - - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - -fleetkeyperms: - file.managed: - - replace: False - - name: /etc/pki/fleet.key - - mode: 640 - - group: 939 - -{% endif %} - -{% if grains['role'] == 'so-node' %} +{% if grains['role'] == 'so-searchnode' %} # Create a cert for elasticsearch /etc/pki/elasticsearch.key: x509.private_key_managed: - - CN: {{ manager }} + - CN: {{ GLOBALS.manager }} - bits: 4096 - days_remaining: 0 - days_valid: 820 @@ -637,8 +486,8 @@ fleetkeyperms: - ca_server: {{ ca_server }} - signing_policy: registry - public_key: /etc/pki/elasticsearch.key - - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} + - CN: {{ GLOBALS.hostname }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - days_remaining: 0 - days_valid: 820 - backup: True diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 56a5b9dcc..6bdd1b1d1 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -16,8 +16,8 @@ {% if sls in allowed_states %} {% set MANAGER = salt['grains.get']('master') %} -{% set MANAGERIP = salt['pillar.get']('global:managerip', '') %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set MANAGERIP = salt['pillar.get']('global:managerip') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} {% set ENGINE = salt['pillar.get']('global:mdengine', '') %} 
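Review bot: Dropping the defaults from `salt['pillar.get']('global:managerip')` and `salt['pillar.get']('global:soversion')` means a missing pillar key now renders as an empty string, so `VERSION` silently produces an image reference with an empty tag and `MANAGERIP` an empty address instead of a visible error; the old `'HH1.2.2'` placeholder was wrong too, but it was at least greppable in a rendered state. The same change is made in `salt/suricata/init.sls`, `salt/tcpreplay/init.sls` and `salt/telegraf/init.sls` later in this diff. Consider failing the render when the value is absent, e.g. `{% set VERSION = salt['pillar.get']('global:soversion') %}` followed by `{% if not VERSION %}{{ raise('global:soversion pillar is not set') }}{% endif %}`, so a misconfigured node stops before it tries to pull an unknown image.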
diff --git a/salt/suricata/cron/so-suricata-eve-clean b/salt/suricata/cron/so-suricata-eve-clean index 1e58eeeac..57d44e705 100644 --- a/salt/suricata/cron/so-suricata-eve-clean +++ b/salt/suricata/cron/so-suricata-eve-clean @@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see .. /usr/sbin/so-common +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +. /usr/sbin/so-common APP=so-suricata-eve-clean lf=/tmp/$APP-pidLockFile diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 84b45b369..3d87eca9f 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml 
@@ -20,21 +20,18 @@ suricata: port-groups: HTTP_PORTS: "80" SHELLCODE_PORTS: "!80" - ORACLE_PORTS: 1521 - SSH_PORTS: 22 - DNP3_PORTS: 20000 - MODBUS_PORTS: 502 + ORACLE_PORTS: "1521" + SSH_PORTS: "22" + DNP3_PORTS: "20000" + MODBUS_PORTS: "502" FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" - FTP_PORTS: 21 - VXLAN_PORTS: 4789 - TEREDO_PORTS: 3544 + FTP_PORTS: "21" + VXLAN_PORTS: "4789" + TEREDO_PORTS: "3544" default-log-dir: /var/log/suricata/ stats: enabled: "yes" interval: 30 - #decoder-events: true - #decoder-events-prefix: "decoder.event" - #stream-events: false outputs: - fast: enabled: "no" @@ -45,20 +42,6 @@ suricata: filetype: regular filename: /nsm/eve-%Y-%m-%d-%H:%M.json rotate-interval: hour - #prefix: "@cee: " - #identity: "suricata" - #facility: local5 - #level: Info - #redis: - # server: 127.0.0.1 - # port: 6379 - # async: true - # mode: list - # key: suricata - # pipelining: - # enabled: "yes" - # batch-size: 10 - #metadata: "no" pcap-file: false community-id: true community-id-seed: 0 @@ -79,8 +62,6 @@ suricata: rule: metadata: true raw: true - # http-body: "yes" - # http-body-printable: "yes" tagged-packets: "no" - unified2-alert: enabled: "no" @@ -88,41 +69,26 @@ suricata: enabled: "no" filename: http.log append: "yes" - #extended: "yes" - #custom: "yes" - #customformat: "" - #filetype: regular - tls-log: enabled: "no" filename: tls.log append: "yes" - #extended: "yes" - #custom: "yes" - #customformat: "" - #filetype: regular - #session-resumption: "no" - tls-store: enabled: "no" - #certs-log-dir: certs - pcap-log: enabled: "no" filename: log.pcap limit: 1000mb max-files: 2000 compression: none - #lz4-checksum: "no" - #lz4-level: 0 - + mode: normal - #dir: /nsm_data/ - #ts-format: usec use-stream-depth: "no" honor-pass-rules: "no" - alert-debug: enabled: "no" filename: alert-debug.log append: "yes" - #filetype: regular - alert-prelude: enabled: "no" profile: suricata 
@@ -137,20 +103,12 @@ suricata: null-values: "yes" - syslog: enabled: "no" - #identity: "suricata" facility: local5 - #level: Info - drop: enabled: "no" - file-store: version: 2 enabled: "no" - #dir: filestore - #write-fileinfo: "yes" - #force-filestore: "yes" - #stream-depth: 0 - #max-open-files: 1000 - #force-hash: [sha1, md5] xff: enabled: "no" mode: extra-data @@ -166,36 +124,23 @@ suricata: filename: http-data.log - lua: enabled: "no" - #scripts-dir: /etc/suricata/lua-output/ scripts: - # - script1.lua logging: default-log-level: notice - #default-log-format: "[%i] %t - (%f:%l) <%d> (%n) -- " outputs: - console: enabled: "yes" - # type: json - file: enabled: "yes" level: info filename: suricata.log - # type: json - syslog: enabled: "no" facility: local5 format: "[%i] <%d> -- " - # type: json pcap: - interface: eth0 - #buffer-size: 16777216 - #bpf-filter: "tcp and port 25" - #checksum-checks: auto - #threads: 16 - #promisc: "no" - #snaplen: 1518 - interface: default - #checksum-checks: auto pcap-file: checksum-checks: auto app-layer: @@ -210,13 +155,10 @@ suricata: enabled: "yes" detection-ports: dp: 443 - #ja3-fingerprints: auto - #encryption-handling: default dcerpc: enabled: "yes" ftp: enabled: "yes" - # memcap: 64mb rdp: enabled: "yes" ssh: @@ -241,16 +183,14 @@ suricata: enabled: "yes" detection-ports: dp: 139, 445 - #stream-depth: 0 - nfs: enabled: "yes" tftp: enabled: "yes" dns: - #global-memcap: 16mb - #state-memcap: 512kb - #request-flood: 500 + global-memcap: 16mb + state-memcap: 512kb + request-flood: 500 tcp: enabled: "yes" detection-ports: @@ -261,14 +201,6 @@ suricata: dp: 53 http: enabled: "yes" - # memcap: - # default-config: - # personality: - # request-body-limit: - # response-body-limit: - # server-config: - # address: - # personalitiy: libhtp: default-config: personality: IDS 
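Review bot: Uncommenting `global-memcap: 16mb`, `state-memcap: 512kb` and `request-flood: 500` under `dns` turns three previously inert lines into live settings, and as far as I recall the DNS memcap keys stopped having any effect when Suricata moved DNS to its Rust parser, so depending on the Suricata version in the shipped image they may be ignored or produce startup warnings. Confirm against the version actually deployed, and if they are still honoured add a comment such as `# DNS memcaps apply only to Suricata versions that still implement them; verify on upgrade` so the next bump re-checks them.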
@@ -280,49 +212,25 @@ suricata: response-body-inspect-window: 16kb response-body-decompress-layer-limit: 2 http-body-inline: auto - # compress-depth: - # decompress-depth: swf-decompression: enabled: "yes" type: both compress-depth: 0 decompress-depth: 0 - #randomize-inspection-sizes: "yes" - #randomize-inspection-range: 10 double-decode-path: "no" double-decode-query: "no" - #lzma-enabled: "yes" - #lzma-memlimit: 1mb - #compression-bomb-limit: 1mb server-config: - #- apache: - # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] - # personality: Apache_2 - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: "no" - # double-decode-query: "no" - #- iis7: - # address: - # - 192.168.0.0/24 - # - 192.168.10.0/24 - # personality: IIS_7_0 - # request-body-limit: 4096 - # response-body-limit: 4096 - # double-decode-path: "no" - # double-decode-query: "no" modbus: - #request-flood: 500 - enabled: "no" + enabled: "yes" detection-ports: dp: 502 stream-depth: 0 dnp3: - enabled: "no" + enabled: "yes" detection-ports: dp: 20000 enip: - enabled: "no" + enabled: "yes" detection-ports: dp: 44818 sp: 44818 
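Review bot: `modbus`, `dnp3` and `enip` are flipped from `enabled: "no"` to `enabled: "yes"` in `defaults.yaml`, so every sensor now runs these ICS protocol parsers by default, and the `#request-flood: 500` guard for modbus is deleted rather than enabled; on networks with no ICS traffic this adds parser surface on the sensor with no detection benefit. Since this file is the base layer pillar values merge into, the change is invisible to an operator who never set these keys, so either keep `"no"` and document the opt-in, or add a comment above `modbus:` such as `# ICS parsers (modbus/dnp3/enip) are on by default; override in pillar to disable on sensors that see no ICS traffic`. If the flood guard was dropped deliberately, say so in the same comment.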
@@ -332,42 +240,20 @@ suricata: enabled: "yes" sip: enabled: "yes" - rfb: - enabled: "yes" - detection-ports: - dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909 - mqtt: - enabled: "no" - http2: - enabled: "no" - asn1-max-frames: 256 run-as: user: suricata group: suricata - #sensor-name: suricata - #pid-file: /var/run/suricata.pid - #daemon-directory: "/" - #umask: 022 coredump: max-dump: unlimited host-mode: auto max-pending-packets: 5000 runmode: workers - #autofp-scheduler: hash - default-packet-size: 1500 + default-packet-size: 9014 unix-command: enabled: auto - #filename: custom.socket - #magic-file: /usr/share/file/magic - #magic-file: - #geoip-database: /usr/local/share/GeoLite2/GeoLite2-Country.mmdb legacy: uricontent: enabled - #reputation-categories-file: /etc/suricata/iprep/categories.txt - #default-reputation-path: /etc/suricata/iprep - #reputation-files: - # - reputation.list engine-analysis: rules-fast-pattern: "yes" rules: "yes" @@ -400,8 +286,6 @@ suricata: hash-size: 65536 prealloc: 10000 emergency-recovery: 30 - #managers: 1 - #recyclers: 1 vlan: use-for-tracking: true flow-timeouts: @@ -447,18 +331,10 @@ suricata: toserver-chunk-size: 2560 toclient-chunk-size: 2560 randomize-chunk-size: "yes" - #randomize-chunk-range: 10 - #raw: "yes" - #segment-prealloc: 2048 - #check-overlap-different-data: true host: hash-size: 4096 prealloc: 1000 memcap: 32mb - #ippair: - # hash-size: 4096 - # prealloc: 1000 - # memcap: 32mb decoder: teredo: enabled: true @@ -467,6 +343,7 @@ suricata: enabled: true ports: $VXLAN_PORTS erspan: + enabled: true detect: profile: medium custom-values: @@ -474,15 +351,10 @@ suricata: toserver-groups: 25 sgh-mpm-context: auto inspection-recursion-limit: 3000 - #delayed-detect: "yes" prefilter: default: mpm grouping: - #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080 - #udp-whitelist: 53, 135, 5060 - profiling: - #inspect-logging-threshold: 200 grouping: dump-to-disk: false include-rules: false 
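Review bot: `default-packet-size` jumps from 1500 to 9014 while `max-pending-packets: 5000` is unchanged, so per-packet preallocation grows roughly six-fold per worker thread; that is what jumbo-frame capture needs, but it is a silent memory-footprint change for sensors that only ever see 1500-byte frames and deserves a comment, e.g. `# 9014 = 9000-byte MTU plus Ethernet header (presumably); lower to 1500 on links without jumbo frames`. The `rfb`, `mqtt` and `http2` app-layer entries are deleted rather than set, so those parsers now follow the built-in default of whatever Suricata version is shipped (rfb was explicitly on, mqtt and http2 explicitly off), which can change what is parsed without any pillar override being visible — confirm that is intended and note the shipped version's defaults next to the `app-layer:` key.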
@@ -496,12 +368,10 @@ suricata: states: 128 profiling: - #sample-rate: 1000 rules: enabled: "yes" filename: rule_perf.log append: "yes" - #sort: avgticks limit: 10 json: "yes" keywords: @@ -534,14 +404,6 @@ suricata: filename: pcaplog_stats.log append: "yes" nfq: - # mode: accept - # repeat-mark: 1 - # repeat-mask: 1 - # bypass-mark: 1 - # bypass-mask: 1 - # route-queue: 2 - # batchcount: 20 - # fail-open: "yes" nflog: - group: 2 buffer-size: 18432 
@@ -550,178 +412,13 @@ suricata: qtimeout: 100 max-size: 20000 capture: - #checksum-validation: none netmap: - interface: eth2 - #threads: auto - #copy-mode: tap - #copy-iface: eth3 - # disable-promisc: "no" - #checksum-checks: auto - #bpf-filter: port 80 or udp - #- interface: eth3 - #threads: auto - #copy-mode: tap - #copy-iface: eth2 - interface: default - pfring: - - interface: eth0 - threads: auto - cluster-id: 99 - cluster-type: cluster_flow - #bpf-filter: tcp - #bypass: "yes" - #checksum-checks: auto - #- interface: eth1 - # threads: 3 - # cluster-id: 93 - # cluster-type: cluster_flow - - interface: default - #threads: 2 ipfw: - # ipfw-reinjection-rule-number: 5500 - napatech: - #hba: -1 - #use-all-streams: "no" - streams: ["0-3"] - auto-config: "yes" - ports: [all] - hashmode: hash5tuplesorted default-rule-path: /etc/suricata/rules rule-files: - all.rules classification-file: /etc/suricata/classification.config reference-config-file: /etc/suricata/reference.config - threshold-file: /etc/suricata/threshold.conf - #include: include1.yaml - #include: include2.yaml - classification: - attempted-admin: - description: Attempted Administrator Privilege Gain - priority: 1 - attempted-dos: - description: Attempted Denial of Service - priority: 2 - attempted-recon: - description: Attempted Information Leak - priority: 2 - attempted-user: - description: Attempted User Privilege Gain - priority: 1 - bad-unknown: - description: Potentially Bad Traffic - priority: 2 - coin-mining: - description: Crypto Currency Mining Activity Detected - priority: 2 - command-and-control: - description: Malware Command and Control Activity Detected - priority: 1 - credential-theft: - description: Successful Credential Theft Detected - priority: 1 - default-login-attempt: - description: Attempt to login by a default username and password - priority: 2 - denial-of-service: - description: Detection of a Denial of Service Attack - priority: 2 - domain-c2: - description: Domain Observed Used 
for C2 Detected - priority: 1 - exploit-kit: - description: Exploit Kit Activity Detected - priority: 1 - external-ip-check: - description: Device Retrieving External IP Address Detected - priority: 2 - icmp-event: - description: Generic ICMP event - priority: 3 - inappropriate-content: - description: Inappropriate Content was Detected - priority: 1 - misc-activity: - description: Misc activity - priority: 3 - misc-attack: - description: Misc Attack - priority: 2 - network-scan: - description: Detection of a Network Scan - priority: 3 - non-standard-protocol: - description: Detection of a non-standard protocol or event - priority: 2 - not-suspicious: - description: Not Suspicious Traffic - priority: 3 - policy-violation: - description: Potential Corporate Privacy Violation - priority: 1 - protocol-command-decode: - description: Generic Protocol Command Decode - priority: 3 - pup-activity: - description: Possibly Unwanted Program Detected - priority: 2 - rpc-portmap-decode: - description: Decode of an RPC Query - priority: 2 - shellcode-detect: - description: Executable code was detected - priority: 1 - social-engineering: - description: Possible Social Engineering Attempted - priority: 2 - string-detect: - description: A suspicious string was detected - priority: 3 - successful-admin: - description: Successful Administrator Privilege Gain - priority: 1 - successful-dos: - description: Denial of Service - priority: 2 - successful-recon-largescale: - description: Large Scale Information Leak - priority: 2 - successful-recon-limited: - description: Information Leak - priority: 2 - successful-user: - description: Successful User Privilege Gain - priority: 1 - suspicious-filename-detect: - description: A suspicious filename was detected - priority: 2 - suspicious-login: - description: An attempted login using a suspicious username was detected - priority: 2 - system-call-detect: - description: A system call was detected - priority: 2 - targeted-activity: - description: 
Targeted Malicious Activity was Detected - priority: 1 - tcp-connection: - description: A TCP connection was detected - priority: 4 - trojan-activity: - description: A Network Trojan was detected - priority: 1 - unknown: - description: Unknown Traffic - priority: 3 - unsuccessful-user: - description: Unsuccessful User Privilege Gain - priority: 1 - unusual-client-port-connection: - description: A client was using an unusual port - priority: 2 - web-application-activity: - description: access to a potentially vulnerable web application - priority: 2 - web-application-attack: - description: Web Application Attack - priority: 1 + threshold-file: /etc/suricata/threshold.conf \ No newline at end of file diff --git a/salt/suricata/files/classification.config.jinja b/salt/suricata/files/classification.config.jinja deleted file mode 100644 index 122cf4baf..000000000 --- a/salt/suricata/files/classification.config.jinja +++ /dev/null @@ -1,11 +0,0 @@ -{% import_yaml 'suricata/defaults.yaml' as suricata_defaults with context -%} -{% do salt['defaults.merge'](suricata_defaults.suricata.classification, salt['pillar.get']('suricata:classification', {}), in_place=True) -%} -# -# config classification:shortname,short description,priority -# -{% for sn, details in suricata_defaults.suricata.classification.items() -%} -{% if not details -%} -{% set details = {'description': 'The description is not set', 'priority': '1'} -%} -{% endif -%} -config classification: {{sn}}, {{details.get('description', 'The description is not set')}}, {{details.get('priority', '1')}} -{% endfor -%} diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index db09e310b..a46f7425b 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls 
@@ -1,24 +1,15 @@ -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states and grains.role not in ['so-manager', 'so-managersearch'] %} {% from "suricata/map.jinja" import SURICATAOPTIONS with context %} {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} {% set BPF_NIDS = salt['pillar.get']('nids:bpf') %} 
@@ -111,14 +102,6 @@ surithresholding: - group: 940 - template: jinja -classification_config: - file.managed: - - name: /opt/so/conf/suricata/classification.config - - source: salt://suricata/files/classification.config.jinja - - user: 940 - - group: 940 - - template: jinja - # BPF compilation and configuration {% if BPF_NIDS %} {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" "),cwd='/root') %} @@ -156,7 +139,6 @@ so-suricata: - binds: - /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro - - /opt/so/conf/suricata/classification.config:/etc/suricata/classification.config:ro - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro - /opt/so/log/suricata/:/var/log/suricata/:rw - /nsm/suricata/:/nsm/:rw @@ -168,12 +150,10 @@ so-suricata: - file: surithresholding - file: /opt/so/conf/suricata/rules/ - file: /opt/so/conf/suricata/bpf - - file: classification_config - require: - file: suriconfig - file: surithresholding - file: suribpf - - file: classification_config {% else %} {# if Suricata isn't enabled, then stop and remove the container #} - force: True diff --git a/salt/suricata/soc_suricata.yaml b/salt/suricata/soc_suricata.yaml new file mode 100644 index 000000000..65cb69a35 --- /dev/null +++ b/salt/suricata/soc_suricata.yaml 
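Review bot: The `classification_config` state and the `/opt/so/conf/suricata/classification.config:/etc/suricata/classification.config:ro` bind are removed, and `salt/suricata/files/classification.config.jinja` is deleted, yet `defaults.yaml` still emits `classification-file: /etc/suricata/classification.config` (context line in the `@@ -550,178 +412,13 @@` hunk); the container therefore depends on whatever classification.config the image itself ships, and if it ships none, rules carrying a `classtype` will fail to load or lose their priorities. If the image does provide the file, a comment on the `binds` list such as `# classification.config comes from the image; the salt-managed copy was removed` would save the next reader the search; if it does not, the state and bind should stay. The `so-suricata` state starts before this hunk.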
@@ -0,0 +1,123 @@ +suricata: + config: + vars: + address-groups: + HOME_NET: + description: List of hosts or netowrks. + EXTERNAL_NET: + description: List of hosts or netowrks. + HTTP_SERVERS: + description: List of hosts or netowrks. + SMTP_SERVERS: + description: List of hosts or netowrks. + SQL_SERVERS: + description: List of hosts or netowrks. + DNS_SERVERS: + description: List of hosts or netowrks. + TELNET_SERVERS: + description: List of hosts or netowrks. + AIM_SERVERS: + description: List of hosts or netowrks. + DC_SERVERS: + description: List of hosts or netowrks. + DNP3_SERVER: + description: List of hosts or netowrks. + DNP3_CLIENT: + description: List of hosts or netowrks. + MODBUS_CLIENT: + description: List of hosts or netowrks. + MODBUS_SERVER: + description: List of hosts or netowrks. + ENIP_CLIENT: + description: List of hosts or netowrks. + ENIP_SERVER: + description: List of hosts or netowrks. + port-groups: + HTTP_PORTS: + description: List of HTTP ports to look for HTTP traffic on. + SHELLCODE_PORTS: + description: List of SHELLCODE ports to look for SHELLCODE traffic on. + ORACLE_PORTS: + description: List of ORACLE ports to look for ORACLE traffic on. + SSH_PORTS: + description: List of SSH ports to look for SSH traffic on. + DNP3_PORTS: + description: List of DNP3 ports to look for DNP3 traffic on. + MODBUS_PORTS: + description: List of MODBUS ports to look for MODBUS traffic on. + FILE_DATA_PORTS: + description: List of FILE_DATA ports to look for FILE_DATA traffic on. + FTP_PORTS: + description: List of FTP ports to look for FTP traffic on. + VXLAN_PORTS: + description: List of VXLAN ports to look for VXLAN traffic on. + TEREDO_PORTS: + description: List of TEREDO ports to look for TEREDO traffic on. + outputs: + eve-log: + xff: + enabled: + description: Enable X-Forward-For support. + mode: + description: Operation mode. This should always be extra-data if you use PCAP. 
+ deployment: + description: forward would use the first IP address and reverse would use the last. + header: + description: Header name where the actual IP address will be reported. + asn1-max-frames: + description: Maximum nuber of asn1 frames to decode. + max-pending-packets: + description: Number of packets preallocated per thread. + default-packet-size: + description: Preallocated size for each packet. + pcre: + match-limit: + description: Match limit for PCRE. + match-limit-recursion: + description: Recursion limit for PCRE. + defrag: + memcap: + description: Max memory to use for defrag. You should only change this if you know what you are doing. + hash-size: + description: Hash size + trackers: + description: Number of defragmented flows to follow. + max-frags: + description: Max number of fragments to keep + prealloc: + description: Preallocate memory. + timeout: + description: Timeout value. + flow: + memcap: + description: Reserverd memory for flows. + hash-size: + description: Determines the size of the hash used to identify flows inside the engine. + prealloc: + description: Number of preallocated flows. + stream: + memcap: + description: Can be specified in kb,mb,gb. + checksum-validation: + description: Validate checksum of packets. + reassembly: + memcap: + description: Can be specified in kb,mb,gb. + host: + hash-size: + description: Hash size in bytes. + prealloc: + description: How many streams to preallocate. + memcap: + description: Memory settings for host. + decoder: + teredo: + enabled: + description: Enable TEREDO capabilities + ports: + description: Ports to listen for. This should be a variable. + vxlan: + enabled: + description: Enable VXLAN capabilities. + ports: + description: Ports to listen for. This should be a variable. \ No newline at end of file diff --git a/salt/tcpreplay/init.sls b/salt/tcpreplay/init.sls index 0fa853d22..c638b98fc 100644 --- a/salt/tcpreplay/init.sls +++ b/salt/tcpreplay/init.sls 
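Review bot: The `description` strings in this new file are user-facing text (they read as the help text SOC shows for each setting) and several contain typos: `List of hosts or netowrks.` on all fifteen address-group entries should be `List of hosts or networks.`, `Maximum nuber of asn1 frames to decode.` should be `Maximum number of asn1 frames to decode.`, and `Reserverd memory for flows.` should be `Reserved memory for flows.`. `Hash size` and `Max number of fragments to keep` also lack the trailing period every other description uses. Since these strings are shown to operators deciding on IDS tuning, a spell-check pass before merge is cheap.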
@@ -1,7 +1,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index cc494f252..de9bf6120 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf @@ -16,7 +16,7 @@ {%- set MANAGER = salt['grains.get']('master') %} {%- set ES_USER = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:user', '') %} {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %} -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') %} +{%- set NODEIP = salt['pillar.get']('host:mainip', '') %} {%- set HELIX_API_KEY = salt['pillar.get']('fireeye:helix:api_key', '') %} {%- set UNIQUEID = salt['pillar.get']('sensor:uniqueid', '') %} {%- set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} @@ -628,19 +628,15 @@ [[inputs.elasticsearch]] servers = ["https://{{ MANAGER }}:9200"] cluster_stats = true -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} username = "{{ ES_USER }}" password = "{{ ES_PASS }}" -{%- endif %} insecure_skip_verify = true -{%- elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %} +{%- elif grains['role'] in ['so-searchnode', 'so-hotnode', 'so-warmnode', 'so-heavynode'] %} [[inputs.elasticsearch]] servers = ["https://{{ NODEIP }}:9200"] cluster_stats = true -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} username = "{{ ES_USER }}" password = "{{ ES_PASS }}" -{%- endif %} insecure_skip_verify = true {%- endif %} 
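Review bot: Removing the `{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %}` guard makes both `[[inputs.elasticsearch]]` blocks emit `username` and `password` unconditionally, which is only correct if authentication is now always on; otherwise `ES_USER` and `ES_PASS` fall back to the `''` default set at the top of the hunk and telegraf sends empty credentials. The same guard is dropped around the logstash and beat inputs in the next three hunks. Separately, `NODEIP` now comes from `host:mainip` with an `''` default, so a node missing that pillar key renders `servers = ["https://:9200"]` silently; dropping the default or raising an explicit render error would surface the misconfiguration. As the rendered `telegraf.conf` now always carries three sets of service credentials, the file mode applied to it (set outside this diff) is worth confirming.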
@@ -677,14 +673,12 @@ # ## Use TLS but skip chain & host verification # # insecure_skip_verify = false -{% if grains.role in ['so-node','so-standalone','so-manager', 'so-managersearch', 'so-heavynode', 'so-receiver'] -%} +{% if grains.role in ['so-searchnode','so-standalone','so-manager', 'so-managersearch', 'so-heavynode', 'so-receiver'] -%} [[inputs.logstash]] url = "http://localhost:9600" collect = ["pipelines"] -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} username = "{{ salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:user') }}" password = "{{ salt['pillar.get']('elasticsearch:auth:users:so_logstash_user:pass') }}" -{%- endif %} {%- endif %} {# if grains.role in ['so-eval','so-standalone','so-manager', 'so-managersearch', 'so-heavynode', 'so-receiver'] -%} @@ -692,14 +686,12 @@ servers = ["tcp://localhost:6379"] {%- endif #} -{%- if grains.role in ['so-node', 'so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode'] %} +{%- if grains.role in ['so-searchnode', 'so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode'] %} [[inputs.beat]] url = "http://127.0.0.1:5066" include = ["filebeat", "libbeat"] -{%- if salt['pillar.get']('elasticsearch:auth:enabled') is sameas true %} username = "{{ salt['pillar.get']('elasticsearch:auth:users:so_beats_user:user') }}" password = "{{ salt['pillar.get']('elasticsearch:auth:users:so_beats_user:pass') }}" -{%- endif %} {%- endif %} # # Read metrics from one or more commands that can output to stdout @@ -735,7 +727,7 @@ data_format = "influx" ## Timeout for each command to complete. timeout = "15s" -{% elif grains['role'] in ['so-node', 'so-receiver'] %} +{% elif grains['role'] in ['so-searchnode', 'so-receiver'] %} [[inputs.exec]] commands = [ "/scripts/eps.sh", diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index 3c46b4956..a95690455 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls 
@@ -2,7 +2,7 @@ {% if sls in allowed_states %} {% set MANAGER = salt['grains.get']('master') %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} +{% set VERSION = salt['pillar.get']('global:soversion') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} include: diff --git a/salt/telegraf/scripts/beatseps.sh b/salt/telegraf/scripts/beatseps.sh index aea1cc2f2..5f3db53f8 100644 --- a/salt/telegraf/scripts/beatseps.sh +++ b/salt/telegraf/scripts/beatseps.sh @@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/checkfiles.sh b/salt/telegraf/scripts/checkfiles.sh index 3696c6b5b..6b2f1333d 100644 --- a/salt/telegraf/scripts/checkfiles.sh +++ b/salt/telegraf/scripts/checkfiles.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/eps.sh b/salt/telegraf/scripts/eps.sh index 903e11646..10193cc38 100644 --- a/salt/telegraf/scripts/eps.sh +++ b/salt/telegraf/scripts/eps.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/helixeps.sh b/salt/telegraf/scripts/helixeps.sh index 47f1121d9..b85db2a8c 100644 --- a/salt/telegraf/scripts/helixeps.sh +++ b/salt/telegraf/scripts/helixeps.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/influxdbsize.sh b/salt/telegraf/scripts/influxdbsize.sh index bf4431a10..b41f73485 100644 --- a/salt/telegraf/scripts/influxdbsize.sh +++ b/salt/telegraf/scripts/influxdbsize.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/oldpcap.sh b/salt/telegraf/scripts/oldpcap.sh index 4c90dd986..bb1be457f 100644 --- a/salt/telegraf/scripts/oldpcap.sh +++ b/salt/telegraf/scripts/oldpcap.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/raid.sh b/salt/telegraf/scripts/raid.sh index a483151a2..89c35ae05 100644 --- a/salt/telegraf/scripts/raid.sh +++ b/salt/telegraf/scripts/raid.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/redis.sh b/salt/telegraf/scripts/redis.sh index f98a36045..f0c361037 100644 --- a/salt/telegraf/scripts/redis.sh +++ b/salt/telegraf/scripts/redis.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/sostatus.sh b/salt/telegraf/scripts/sostatus.sh index 0d49d9b7e..567e6b027 100644 --- a/salt/telegraf/scripts/sostatus.sh +++ b/salt/telegraf/scripts/sostatus.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/stenoloss.sh b/salt/telegraf/scripts/stenoloss.sh index 298272bb4..5c27ee7a5 100644 --- a/salt/telegraf/scripts/stenoloss.sh +++ b/salt/telegraf/scripts/stenoloss.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then diff --git a/salt/telegraf/scripts/suriloss.sh b/salt/telegraf/scripts/suriloss.sh index 4e43cd00c..78b2aee08 100644 --- a/salt/telegraf/scripts/suriloss.sh +++ b/salt/telegraf/scripts/suriloss.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # if this script isn't already running diff --git a/salt/telegraf/scripts/zeekcaptureloss.sh b/salt/telegraf/scripts/zeekcaptureloss.sh index 03dd243e1..e0c8758f2 100644 --- a/salt/telegraf/scripts/zeekcaptureloss.sh +++ b/salt/telegraf/scripts/zeekcaptureloss.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp diff --git a/salt/telegraf/scripts/zeekloss.sh b/salt/telegraf/scripts/zeekloss.sh index 2a59096e9..72f6a7c7d 100644 --- a/salt/telegraf/scripts/zeekloss.sh +++ b/salt/telegraf/scripts/zeekloss.sh 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + # This script returns the packets dropped by Zeek, but it isn't a percentage. $LOSS * 100 would be the percentage diff --git a/salt/top.sls b/salt/top.sls index 87f96143f..6dc1f7dc2 100644 --- a/salt/top.sls +++ b/salt/top.sls 
@@ -1,10 +1,11 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + {% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %} -{% set WAZUH = salt['pillar.get']('global:wazuh', '0') %} {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %} -{% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %} -{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %} -{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} -{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} {% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %} {% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %} {% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %} @@ -38,33 +39,12 @@ base: - motd - salt.minion-check - salt.lasthighstate + - docker 'not *_workstation and G@saltversion:{{saltversion}}': - match: compound - common - '*_helixsensor and G@saltversion:{{saltversion}}': - - match: compound - - salt.master - - ca - - ssl - - registry - - sensoroni - - telegraf - - firewall - - idstools - - suricata.manager - - pcap - - suricata - - zeek - - redis - - elasticsearch - - logstash - {%- if FILEBEAT %} - - filebeat - {%- endif %} - - schedule - '*_sensor and G@saltversion:{{saltversion}}': - match: compound - ssl @@ -78,16 +58,10 @@ base: {%- if ZEEKVER != 'SURICATA' %} - zeek {%- endif %} - {%- if WAZUH != 0 %} - - wazuh - {%- endif %} {%- if STRELKA %} - strelka {%- endif %} - filebeat - {%- if FLEETMANAGER or FLEETNODE %} - - fleet.install_package - {%- endif %} - schedule - docker_clean 
@@ -109,12 +83,7 @@ base: - idstools - suricata.manager - healthcheck - {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql - {%- endif %} - {%- if WAZUH != 0 %} - - wazuh - {%- endif %} {%- if ELASTICSEARCH %} - elasticsearch {%- endif %} @@ -136,11 +105,6 @@ base: {%- if ELASTALERT %} - elastalert {%- endif %} - {%- if FLEETMANAGER or FLEETNODE %} - - redis - - fleet - - fleet.install_package - {%- endif %} - utility - schedule - soctopus @@ -148,12 +112,6 @@ base: - playbook - redis {%- endif %} - {%- if FREQSERVER != 0 %} - - freqserver - {%- endif %} - {%- if DOMAINSTATS != 0 %} - - domainstats - {%- endif %} - docker_clean - pipeline.load - learn @@ -175,12 +133,7 @@ base: - manager - idstools - suricata.manager - {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql - {%- endif %} - {%- if WAZUH != 0 %} - - wazuh - {%- endif %} {%- if ELASTICSEARCH %} - elasticsearch {%- endif %} @@ -203,20 +156,8 @@ base: - curator - utility - schedule - {%- if FLEETMANAGER or FLEETNODE %} - - fleet - - fleet.install_package - {%- endif %} - soctopus - {%- if PLAYBOOK != 0 %} - playbook - {%- endif %} - {%- if FREQSERVER != 0 %} - - freqserver - {%- endif %} - {%- if DOMAINSTATS != 0 %} - - domainstats - {%- endif %} - docker_clean - pipeline.load - learn @@ -239,12 +180,7 @@ base: - idstools - suricata.manager - healthcheck - {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql - {%- endif %} - {%- if WAZUH != 0 %} - - wazuh - {%- endif %} {%- if ELASTICSEARCH %} - elasticsearch {%- endif %} @@ -272,23 +208,12 @@ base: {%- if ELASTALERT %} - elastalert {%- endif %} - {%- if FLEETMANAGER or FLEETNODE %} - - fleet - - fleet.install_package - {%- endif %} - utility - schedule - soctopus - {%- if PLAYBOOK != 0 %} - playbook - {%- endif %} - {%- if FREQSERVER != 0 %} - - freqserver - {%- endif %} - {%- if DOMAINSTATS != 0 %} - - domainstats - {%- endif %} - docker_clean + - elastic-fleet - pipeline.load - learn 
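Review bot: `- mysql` becomes unconditional in the `@@ -109,12 +83,7 @@` hunk (and likewise in `@@ -175,12 +133,7 @@` and `@@ -239,12 +180,7 @@`), where it was gated on Fleet or Playbook being enabled, and `- playbook` loses its `{%- if PLAYBOOK != 0 %}` gate in `@@ -203,20 +156,8 @@` and `@@ -272,23 +208,12 @@`. As a result a database container is started on every manager-class node whether or not anything uses it, and the `{% set PLAYBOOK ... %}` lookup kept in the file's first hunk no longer appears to influence anything in the visible hunks. If the intent is that Playbook and its MySQL backend are always deployed now, remove the dead `PLAYBOOK` assignment as well; otherwise keep the gate on both states, e.g. `{%- if PLAYBOOK != 0 %}` / `- mysql` / `{%- endif %}`, so a disabled Playbook does not leave an unused database listening.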
@@ -299,9 +224,6 @@ base: - nginx - telegraf - firewall - {%- if WAZUH != 0 %} - - wazuh - {%- endif %} {%- if ELASTICSEARCH %} - elasticsearch {%- endif %} @@ -312,9 +234,6 @@ base: {%- if FILEBEAT %} - filebeat {%- endif %} - {%- if FLEETMANAGER or FLEETNODE %} - - fleet.install_package - {%- endif %} - schedule - docker_clean - pipeline.load @@ -336,12 +255,7 @@ base: - manager - idstools - suricata.manager - {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql - {%- endif %} - {%- if WAZUH != 0 %} - - wazuh - {%- endif %} {%- if ELASTICSEARCH %} - elasticsearch {%- endif %} @@ -363,20 +277,8 @@ base: {%- endif %} - utility - schedule - {%- if FLEETMANAGER or FLEETNODE %} - - fleet - - fleet.install_package - {%- endif %} - soctopus - {%- if PLAYBOOK != 0 %} - playbook - {%- endif %} - {%- if FREQSERVER != 0 %} - - freqserver - {%- endif %} - {%- if DOMAINSTATS != 0 %} - - domainstats - {%- endif %} - docker_clean - pipeline.load - learn @@ -388,9 +290,6 @@ base: - nginx - telegraf - firewall - {%- if WAZUH != 0 %} - - wazuh - {%- endif %} {%- if ELASTICSEARCH %} - elasticsearch {%- endif %} @@ -407,9 +306,6 @@ base: {%- if STRELKA %} - strelka {%- endif %} - {%- if FLEETMANAGER or FLEETNODE %} - - fleet.install_package - {%- endif %} - pcap - suricata {%- if ZEEKVER != 'SURICATA' %} @@ -422,21 +318,6 @@ base: - docker_clean - pipeline.load - '*_fleet and G@saltversion:{{saltversion}}': - - match: compound - - ssl - - sensoroni - - nginx - - telegraf - - firewall - - mysql - - redis - - fleet - - fleet.install_package - - filebeat - - schedule - - docker_clean - '*_import and G@saltversion:{{saltversion}}': - match: compound - salt.master @@ -475,9 +356,6 @@ base: - sensoroni - telegraf - firewall - {%- if WAZUH != 0 %} - - wazuh - {%- endif %} {%- if LOGSTASH %} - logstash {%- endif %} 
@@ -487,9 +365,6 @@ base:
{%- if FILEBEAT %}
- filebeat
{%- endif %}
- {%- if FLEETMANAGER or FLEETNODE %}
- - fleet.install_package
- {%- endif %}
- schedule
- docker_clean
@@ -499,12 +374,6 @@ base:
- sensoroni
- telegraf
- firewall
- {%- if WAZUH != 0 %}
- - wazuh
- {%- endif %}
- {%- if FLEETMANAGER or FLEETNODE %}
- - fleet.install_package
- {%- endif %}
- schedule
- docker_clean
- filebeat
diff --git a/salt/utility/bin/crossthestreams b/salt/utility/bin/crossthestreams
index 38222bbec..38b7ab09c 100644
--- a/salt/utility/bin/crossthestreams
+++ b/salt/utility/bin/crossthestreams
@@ -1,5 +1,5 @@
#!/bin/bash
-{% set ES = salt['pillar.get']('manager:mainip', '') %}
+{% set ES = salt['pillar.get']('global:managerip', '') %}
{% set MANAGER = salt['grains.get']('master') %}
{% set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %}
@@ -8,7 +8,7 @@ echo -n "Waiting for ElasticSearch..."
COUNT=0
ELASTICSEARCH_CONNECTED="no"
while [[ "$COUNT" -le 30 ]]; do
- {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://{{ ES }}:9200
+ curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://{{ ES }}:9200
if [ $? -eq 0 ]; then
ELASTICSEARCH_CONNECTED="yes"
echo "connected!"
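Review bot: The new `curl -K /opt/so/conf/elasticsearch/curl.config` call in the `@@ -8,7 +8,7 @@` hunk hard-codes a config file path but nothing checks that the file exists or is readable, so when it is missing curl fails on every iteration and the loop simply exhausts its 30 tries behind "Waiting for ElasticSearch...", pointing the operator at the wrong cause; the `eval` script in the next file section has the same pattern. A guard before the loop, e.g. `[ -r /opt/so/conf/elasticsearch/curl.config ] || { echo "missing /opt/so/conf/elasticsearch/curl.config"; exit 1; }`, would make that failure explicit. Replacing the rendered `{{ ELASTICCURL }}` macro with a curl config file is otherwise a good change, since, assuming the macro expanded to a command carrying the credentials inline as its name suggests, they no longer appear in the process arguments. The while loop continues beyond the end of the hunk.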
@@ -28,15 +28,15 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
fi
echo "Applying cross cluster search config..."
- {{ ELASTICCURL }} -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings \
+ curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings \
-H 'Content-Type: application/json' \
- -d "{\"persistent\": {\"cluster\": {\"remote\": {\"{{ MANAGER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}"
+ -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ MANAGER }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}"
# Add all the search nodes to cross cluster searching.
{%- if TRUECLUSTER is sameas false %}
{%- if salt['pillar.get']('nodestab', {}) %}
{%- for SN, SNDATA in salt['pillar.get']('nodestab', {}).items() %}
-{{ ELASTICCURL }} -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"cluster": {"remote": {"{{ SN }}": {"skip_unavailable": "true", "seeds": ["{{ SN.split('_')|first }}:9300"]}}}}}'
+curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"{{ SN }}": {"skip_unavailable": "true", "seeds": ["{{ SN.split('_')|first }}:9300"]}}}}}'
{%- endfor %}
{%- endif %}
{%- endif %}
diff --git a/salt/utility/bin/eval b/salt/utility/bin/eval
index e96fc9a78..4b595fc0f 100644
--- a/salt/utility/bin/eval
+++ b/salt/utility/bin/eval
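Review bot: The persistent settings body now uses the `search.remote` key instead of `cluster.remote`, both for the manager entry and for the per-search-node PUT inside the `nodestab` loop, and the same edit is made in `eval` (`@@ -26,6 +26,6 @@`). As far as I recall, `search.remote.*` is the older name that was deprecated in favour of `cluster.remote.*` in Elasticsearch 6.5 and later removed, so on a current cluster the PUT would be rejected while the script prints "Applying cross cluster search config..." and carries on, because neither curl call checks its exit status or the response body. Please confirm the key against the Elasticsearch version shipped here, and consider adding `--fail` to these PUTs (or testing `$?` after them) so a rejected settings update is visible instead of silently leaving cross-cluster search unconfigured.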
@@ -1,12 +1,12 @@
#!/bin/bash
-{% set ES = salt['pillar.get']('manager:mainip', '') %}
+{% set ES = salt['pillar.get']('global:managerip', '') %}
# Wait for ElasticSearch to come up, so that we can query for version infromation
echo -n "Waiting for ElasticSearch..."
COUNT=0
ELASTICSEARCH_CONNECTED="no"
while [[ "$COUNT" -le 30 ]]; do
- {{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://{{ ES }}:9200
+ curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://{{ ES }}:9200
if [ $? -eq 0 ]; then
ELASTICSEARCH_CONNECTED="yes"
echo "connected!"
@@ -26,6 +26,6 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
fi
echo "Applying cross cluster search config..."
- {{ ELASTICCURL }} -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings \
+ curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -L https://{{ ES }}:9200/_cluster/settings \
-H 'Content-Type: application/json' \
- -d "{\"persistent\": {\"cluster\": {\"remote\": {\"{{ grains.host }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}"
+ -d "{\"persistent\": {\"search\": {\"remote\": {\"{{ grains.host }}\": {\"seeds\": [\"127.0.0.1:9300\"]}}}}}"
diff --git a/salt/utility/init.sls b/salt/utility/init.sls
index 1ff69ae71..a131f0f54 100644
--- a/salt/utility/init.sls
+++ b/salt/utility/init.sls
@@ -1,8 +1,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
- {% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %}
-
+
# This state is for checking things
{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] %}
# Make sure Cross Cluster is good. Will need some logic once we have hot/warm
@@ -12,9 +11,7 @@ crossclusterson:
- cwd: /opt/so
- source: salt://utility/bin/crossthestreams
- template: jinja
- - defaults:
- ELASTICCURL: {{ ELASTICAUTH.elasticcurl }}
-
+
{% endif %}
{% if grains['role'] in ['so-eval', 'so-import'] %}
fixsearch:
@@ -23,8 +20,6 @@ fixsearch:
- cwd: /opt/so
- source: salt://utility/bin/eval
- template: jinja
- - defaults:
- ELASTICCURL: {{ ELASTICAUTH.elasticcurl }}
{% endif %}
{% else %}
diff --git a/salt/vars/elasticsearch.map.jinja b/salt/vars/elasticsearch.map.jinja
new file mode 100644
index 000000000..f7a39ee61
--- /dev/null
+++ b/salt/vars/elasticsearch.map.jinja
@@ -0,0 +1,14 @@
+{% import 'vars/init.map.jinja' as INIT %}
+
+{%
+
+ set ELASTICSEARCH_GLOBALS = {
+ 'elasticsearch': {
+ 'auth': INIT.PILLAR.elasticsearch.auth,
+ 'es_cluster_name': INIT.PILLAR.elasticsearch.config.cluster.name,
+ 'es_heap': INIT.PILLAR.elasticsearch.esheap
+ }
+ }
+
+
+%}
diff --git a/salt/vars/globals.map.jinja b/salt/vars/globals.map.jinja
new file mode 100644
index 000000000..9a6dd7f33
--- /dev/null
+++ b/salt/vars/globals.map.jinja
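Review bot: `ELASTICSEARCH_GLOBALS` reads the pillar through bare attribute chains (`INIT.PILLAR.elasticsearch.auth`, `INIT.PILLAR.elasticsearch.config.cluster.name`, `INIT.PILLAR.elasticsearch.esheap`) with no defaults, whereas the sibling `logstash.map.jinja` added in the same commit uses `INIT.PILLAR.logstash.get('nodes', {})`; a missing key here aborts the render of every state that imports the role globals. If these keys are meant to be mandatory, say so at the top, e.g. `{# elasticsearch.auth, .config.cluster.name and .esheap are required pillar keys; a missing one fails the render on purpose #}`, otherwise bring the file in line with the `.get(..., default)` style. Note also that `auth` copies the whole auth subtree, which elsewhere in this diff holds per-user passwords, into a map every importing template can see, which is worth stating in that same comment.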
@@ -0,0 +1,50 @@
+{% import 'vars/init.map.jinja' as INIT %}
+
+{% from 'vars/' ~ INIT.GRAINS.role.split('-')[1] ~ '.map.jinja' import ROLE_GLOBALS %} {# role is so-role so we have to split off the 'so' #}
+
+{%
+ set GLOBALS = {
+ 'hostname': INIT.GRAINS.nodename,
+ 'is_manager': false,
+ 'manager': INIT.GRAINS.master,
+ 'minion_id': INIT.GRAINS.id,
+ 'node_ip': INIT.GRAINS.ip_interfaces.get(INIT.PILLAR.host.mainint)[0],
+ 'role': INIT.GRAINS.role,
+ 'airgap': INIT.PILLAR.global.airgap,
+ 'ids': INIT.PILLAR.global.ids,
+ 'image_repo': INIT.PILLAR.global.imagerepo,
+ 'repo_host': INIT.PILLAR.global.repo_host,
+ 'registry_host': INIT.PILLAR.global.registry_host,
+ 'manager_ip': INIT.PILLAR.global.managerip,
+ 'md_engine': INIT.PILLAR.global.mdengine,
+ 'pipeline': INIT.PILLAR.global.pipeline,
+ 'so_version': INIT.PILLAR.global.soversion,
+ 'url_base': INIT.PILLAR.global.url_base,
+ 'docker_range': INIT.PILLAR.docker.range,
+ 'application_urls': {},
+ 'manager_roles': [
+ 'so-eval',
+ 'so-import',
+ 'so-manager',
+ 'so-managersearch',
+ 'so-standalone'
+ ]
+ }
+%}
+
+{%
+ do GLOBALS.update({
+ 'application_urls': {
+ 'kratos': 'http://' ~ GLOBALS.manager_ip ~ ':4434/',
+ 'elastic': 'https://' ~ GLOBALS.manager_ip ~ ':9200/',
+ 'influxdb': 'https://' ~ GLOBALS.manager_ip ~ ':8086/'
+ }
+ })
+%}
+
+{% if GLOBALS.role in GLOBALS.manager_roles %}
+{% do GLOBALS.update({'is_manager': true}) %}
+{% endif %}
+
+
+{% do salt['defaults.merge'](GLOBALS, ROLE_GLOBALS, merge_lists=False, in_place=True) %}
diff --git a/salt/vars/init.map.jinja b/salt/vars/init.map.jinja
new file mode 100644
index 000000000..2540b7916
--- /dev/null
+++ b/salt/vars/init.map.jinja
@@ -0,0 +1,2 @@
+{% set PILLAR = pillar %} {# store the in-memory pillar data #}
+{% set GRAINS = grains %} {# store the in-memory grain data #}
diff --git a/salt/vars/logstash.map.jinja b/salt/vars/logstash.map.jinja
new file mode 100644
index 000000000..5a6f2df35
--- /dev/null
+++ b/salt/vars/logstash.map.jinja
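Review bot: `'node_ip': INIT.GRAINS.ip_interfaces.get(INIT.PILLAR.host.mainint)[0]` subscripts the result of `.get()` without a default, so an interface name that is not present in the grains fails with an opaque subscript error in every state that imports `GLOBALS`. Either fail with a message that names the interface, or fall back explicitly, e.g. `'node_ip': (INIT.GRAINS.ip_interfaces.get(INIT.PILLAR.host.mainint) or [''])[0],`, and document which behaviour is intended. Separately, `application_urls` builds `kratos` over plain `http://` while `elastic` and `influxdb` use `https://`; if that is deliberate, a comment such as `{# kratos admin API is plain HTTP; reachability is expected to be limited by the firewall state #}` would keep a reader from "fixing" it — that reasoning is inferred from the other two URLs, so confirm it before writing it down.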
@@ -0,0 +1,11 @@
+{% import 'vars/init.map.jinja' as INIT %}
+
+{%
+
+ set LOGSTASH_GLOBALS = {
+ 'logstash': {
+ 'nodes': INIT.PILLAR.logstash.get('nodes', {})
+ }
+ }
+
+%}
diff --git a/salt/vars/sensor.map.jinja b/salt/vars/sensor.map.jinja
new file mode 100644
index 000000000..477761d7c
--- /dev/null
+++ b/salt/vars/sensor.map.jinja
@@ -0,0 +1,8 @@
+{% set ROLE_GLOBALS = {} %}
+
+{% set SENSOR_GLOBALS = []
+%}
+
+{% for sg in SENSOR_GLOBALS %}
+{% do salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True) %}
+{% endfor %}
diff --git a/salt/vars/standalone.map.jinja b/salt/vars/standalone.map.jinja
new file mode 100644
index 000000000..2efabefed
--- /dev/null
+++ b/salt/vars/standalone.map.jinja
@@ -0,0 +1,15 @@
+{% from 'vars/elasticsearch.map.jinja' import ELASTICSEARCH_GLOBALS %}
+{% from 'vars/logstash.map.jinja' import LOGSTASH_GLOBALS %}
+
+{% set ROLE_GLOBALS = {} %}
+
+{% set STANDALONE_GLOBALS =
+ [
+ ELASTICSEARCH_GLOBALS,
+ LOGSTASH_GLOBALS
+ ]
+%}
+
+{% for sg in STANDALONE_GLOBALS %}
+{% do salt['defaults.merge'](ROLE_GLOBALS, sg, merge_lists=False, in_place=True) %}
+{% endfor %}
diff --git a/salt/wazuh/files/agent/ossec.conf b/salt/wazuh/files/agent/ossec.conf
deleted file mode 100644
index 136b998b1..000000000
--- a/salt/wazuh/files/agent/ossec.conf
+++ /dev/null
@@ -1,204 +0,0 @@
-{% set mainint = salt['pillar.get']('host:mainint') -%}
-{% set ip = salt['grains.get']('ip_interfaces').get(mainint)[0] -%}
- - - - - -
{{ip}}
- 1514 - udp -
-{%- if grains['os'] == 'Ubuntu' %} - ubuntu, ubuntu16, ubuntu16.04 -{%- else %} - centos, centos7 -{%- endif %} - 10 - 60 - yes - aes -
- - - - no - 5000 - 500 - - - - - no - yes - yes - yes - yes - yes - yes - yes - yes - - - 43200 - - /var/ossec/etc/shared/rootkit_files.txt - /var/ossec/etc/shared/rootkit_trojans.txt - - /var/ossec/etc/shared/system_audit_rcl.txt - /var/ossec/etc/shared/system_audit_ssh.txt - - yes - - - - yes - 1800 - 1d - yes - - - - yes - 1800 - 1d - yes - - wodles/java - wodles/ciscat - - - - - yes - yes - /var/log/osquery/osqueryd.results.log - /etc/osquery/osquery.conf - yes - - - - - no - 1h - yes - yes - yes - yes - yes - yes - yes - - - - - no - - - 43200 - - yes - - - /etc,/usr/bin,/usr/sbin - /bin,/sbin,/boot - - - /etc/mtab - /etc/hosts.deny - /etc/mail/statistics - /etc/random-seed - /etc/random.seed - /etc/adjtime - /etc/httpd/logs - /etc/utmpx - /etc/wtmpx - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - /sys/kernel/security - /sys/kernel/debug - - - /etc/ssl/private.key - - yes - - - yes - - - yes - - - - - command - df -P - 360 - - - - full_command - netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d - netstat listening ports - 360 - - - - full_command - last -n 20 - 360 - - - - - no - /var/ossec/etc/wpk_root.pem - yes - - - - - plain - - -
- - - - syslog - /var/ossec/logs/active-responses.log - -{%- if grains['os'] == 'Ubuntu' %} - - syslog - /var/log/auth.log - -{%- else %} - - syslog - /var/log/secure - -{%- endif %} - - syslog - /var/log/syslog - - - - syslog - /var/log/dpkg.log - - - - syslog - /var/log/kern.log - - - diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent deleted file mode 100755 index 21c3c2f05..000000000 --- a/salt/wazuh/files/agent/wazuh-register-agent +++ /dev/null 
@@ -1,184 +0,0 @@ -{% set mainint = salt['pillar.get']('host:mainint') -%} -{% set ip = salt['grains.get']('ip_interfaces').get(mainint)[0] -%} - -#!/bin/bash - -### -# Shell script for registering agents automatically with the API -# Copyright (C) 2017 Wazuh, Inc. All rights reserved. -# Wazuh.com -# -# This program is a free software; you can redistribute it -# and/or modify it under the terms of the GNU General Public -# License (version 2) as published by the FSF - Free Software -# Foundation. -### -# -# 12/11/2018 -# This script has been modified by Security Onion Solutions -# - Added Agent IP variable and option -### - -# Connection variables -API_IP="{{ ip }}" -API_PORT="55000" -PROTOCOL="https" -USER="foo" -PASSWORD="bar" -AGENT_NAME=$(hostname) -AGENT_IP="{{ip}}" -AGENT_ID=001 - -display_help() { -cat < agent is not registered -# if ! [ "$AGENT_ID" -eq "$AGENT_ID" ] 2> /dev/null ; then -# echo "Starting registration process ..." -# : -# elif [[ "$FORCE" = true && "$SILENT" = "true" ]] ; then -# remove_agent > /dev/null 2>&1 -# else -# if [[ "$FORCE" = true ]] ; then -# remove_agent -# fi -# fi - -if [ -f /opt/so/conf/wazuh/initial_agent_registration.log ]; then - echo "Agent $AGENT_ID already registered!" - exit 0 -else - retries=20 - if wait_for_manager $retries; then - if register_agent; then - cleanup_creds - echo "Initial agent $AGENT_ID with IP $AGENT_IP registered on $DATE." > /opt/so/conf/wazuh/initial_agent_registration.log - exit 0 - else - echo "ERROR: Failed to register agent" - fi - else - echo "ERROR: Wazuh manager did not become ready after $retries attempts; unable to proceed with registration" - fi -fi - -exit 1 diff --git a/salt/wazuh/files/server/ossec.conf b/salt/wazuh/files/server/ossec.conf deleted file mode 100644 index 7077f48ce..000000000 --- a/salt/wazuh/files/server/ossec.conf +++ /dev/null 
@@ -1,220 +0,0 @@ - - - - - yes - no - no - yes - no - smtp.example.wazuh.com - ossecm@example.wazuh.com - recipient@example.wazuh.com - 12 - - - - 1 - 7 - - - - secure - 1514 - udp - - - - - no - yes - yes - yes - yes - yes - yes - yes - yes - - - 43200 - - /var/ossec/etc/shared/rootkit_files.txt - /var/ossec/etc/shared/rootkit_trojans.txt - - /var/ossec/etc/shared/system_audit_rcl.txt - /var/ossec/etc/shared/system_audit_ssh.txt - /var/ossec/etc/shared/cis_rhel7_linux_rcl.txt - - yes - - - - yes - 1800 - 1d - yes - - - xccdf_org.ssgproject.content_profile_pci-dss - xccdf_org.ssgproject.content_profile_common - - - - - - no - - - 43200 - - yes - - - yes - - - no - - - /etc,/usr/bin,/usr/sbin - /bin,/sbin,/boot - - - /etc/mtab - /etc/hosts.deny - /etc/mail/statistics - /etc/random-seed - /etc/random.seed - /etc/adjtime - /etc/httpd/logs - /etc/utmpx - /etc/wtmpx - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - - - ^/proc - .log$|.swp$ - - - /etc/ssl/private.key - - yes - - - - - 127.0.0.1 - ^localhost.localdomain$ - 10.0.0.2 - - - - disable-account - disable-account.sh - user - yes - - - - restart-ossec - restart-ossec.sh - - - - - firewall-drop - firewall-drop.sh - srcip - yes - - - - host-deny - host-deny.sh - srcip - yes - - - - route-null - route-null.sh - srcip - yes - - - - win_route-null - route-null.cmd - srcip - yes - - - - - - host-deny - local - 6 - 600 - - - - - firewall-drop - local - 6 - 600 - - - - - command - df -P - 360 - - - - full_command - netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d - netstat listening ports - 360 - - - - full_command - last -n 20 - 360 - - - - syslog - /var/ossec/logs/active-responses.log - - - - - ruleset/decoders - ruleset/rules - 0215-policy_rules.xml - etc/lists/audit-keys - - - etc/decoders - etc/rules - - - 
diff --git a/salt/wazuh/files/wazuh-manager-whitelist b/salt/wazuh/files/wazuh-manager-whitelist deleted file mode 100755 index 73cb00da7..000000000 --- a/salt/wazuh/files/wazuh-manager-whitelist +++ /dev/null @@ -1,32 +0,0 @@ -{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} -{%- set WAZUH_ENABLED = salt['pillar.get']('global:wazuh', '0') %} -#!/bin/bash -local_salt_dir=/opt/so/saltstack/local - -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -# Check if Wazuh enabled -if [ {{ WAZUH_ENABLED }} ]; then - WAZUH_MGR_CFG="/nsm/wazuh/etc/ossec.conf" - if ! grep -q "{{ MANAGERIP }}" $WAZUH_MGR_CFG ; then - DATE=`date` - sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG - sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG - echo -e "\n \n {{ MANAGERIP }}\n \n" >> $WAZUH_MGR_CFG - echo "Added whitelist entry for {{ MANAGERIP }} in $WAZUH_MGR_CFG." - echo - fi -fi diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls deleted file mode 100644 index 66250b9cb..000000000 --- a/salt/wazuh/init.sls +++ /dev/null 
@@ -1,164 +0,0 @@ -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} - -{%- set HOSTNAME = salt['grains.get']('host', '') %} -{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} -{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} -{% set MANAGER = salt['grains.get']('master') %} -# Add ossec group -ossecgroup: - group.present: - - name: ossec - - gid: 945 - -# Add ossecm user -ossecm: - user.present: - - uid: 943 - - gid: 945 - - home: /nsm/wazuh - - createhome: False - - allow_uid_change: True - - allow_gid_change: True - -# Add ossecr user -ossecr: - user.present: - - uid: 944 - - gid: 945 - - home: /nsm/wazuh - - createhome: False - - allow_uid_change: True - - allow_gid_change: True - -# Add ossec user -ossec: - user.present: - - uid: 945 - - gid: 945 - - home: /nsm/wazuh - - createhome: False - - allow_uid_change: True - - allow_gid_change: True - -wazuhpkgs: - pkg.installed: - - skip_suggestions: False - - pkgs: - - wazuh-agent: 3.13.1-1 - - hold: True - - update_holds: True - -wazuhvarossecdir: - file.directory: - - name: /var/ossec - - user: ossec - - group: ossec - - recurse: - - user - - group - -# Add Wazuh agent conf -wazuhagentconf: - file.managed: - - name: /var/ossec/etc/ossec.conf - - source: salt://wazuh/files/agent/ossec.conf - - user: root - - group: 945 - - template: jinja - -wazuhdir: - file.directory: - - name: /nsm/wazuh - - user: 945 - - group: 945 - - makedirs: True - -# Wazuh agent registration script -wazuhagentregister: - file.managed: - - name: /usr/sbin/wazuh-register-agent - - source: salt://wazuh/files/agent/wazuh-register-agent - - user: root - - group: root - - mode: 755 - - template: jinja - -# Whitelist script -wazuhmgrwhitelist: - file.managed: - - name: /usr/sbin/wazuh-manager-whitelist - - source: salt://wazuh/files/wazuh-manager-whitelist - - user: root - - group: root - - mode: 755 - - template: jinja - -# Check to see if Wazuh API port is available 
-wazuhportavailable: - cmd.run: - - name: netstat -utanp | grep ":55000" | grep "LISTEN" | grep -qv docker && PROCESS=$(netstat -utanp | grep ":55000" | uniq) && echo "Another process ($PROCESS) appears to be using port 55000. Please terminate this process, or reboot to ensure a clean state so that the Wazuh API can start properly." && exit 1 || exit 0 - -so-wazuh: - docker_container.running: - - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-wazuh:{{ VERSION }} - - hostname: {{HOSTNAME}}-wazuh-manager - - name: so-wazuh - - detach: True - - port_bindings: - - 0.0.0.0:1514:1514/udp - - 0.0.0.0:1514:1514/tcp - - 0.0.0.0:1515:1515/tcp - - 0.0.0.0:55000:55000 - - binds: - - /nsm/wazuh:/var/ossec/data:rw - -append_so-wazuh_so-status.conf: - file.append: - - name: /opt/so/conf/so-status/so-status.conf - - text: so-wazuh - -/opt/so/conf/wazuh: - file.symlink: - - target: /nsm/wazuh/etc - -# Register the agent -registertheagent: - cmd.run: - - name: /usr/sbin/wazuh-register-agent - - cwd: / - - unless: ls /opt/so/conf/wazuh/initial_agent_registration.log - -# Whitelist manager IP -whitelistmanager: - cmd.run: - - name: /usr/sbin/wazuh-manager-whitelist - - cwd: / - -wazuhagentservice: - service.running: - - name: wazuh-agent - - enable: True - -hidsruledir: - file.directory: - - name: /opt/so/rules/hids - - user: 939 - - group: 939 - - makedirs: True - -/opt/so/rules/hids/local_rules.xml: - file.symlink: - - target: /nsm/wazuh/etc/rules/local_rules.xml - -/opt/so/rules/hids/ruleset: - file.symlink: - - target: /nsm/wazuh/ruleset - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} diff --git a/salt/zeek/cron/zeek_clean b/salt/zeek/cron/zeek_clean index adeaa8740..90304e24f 100644 --- a/salt/zeek/cron/zeek_clean +++ b/salt/zeek/cron/zeek_clean 
@@ -2,20 +2,11 @@ # Delete Zeek Logs based on defined CRIT_DISK_USAGE value -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . clean () { diff --git a/salt/zeek/defaults.yaml b/salt/zeek/defaults.yaml new file mode 100644 index 000000000..f9c606645 --- /dev/null +++ b/salt/zeek/defaults.yaml 
@@ -0,0 +1,120 @@
+zeek:
+ logging:
+ enabled:
+ - conn
+ - dce_rpc
+ - dhcp
+ - dnp3
+ - dns
+ - dpd
+ - files
+ - ftp
+ - http
+ - intel
+ - irc
+ - kerberos
+ - modbus
+ - notice
+ - ntlm
+ - pe
+ - radius
+ - rfb
+ - rdp
+ - sip
+ - smb_files
+ - smb_mapping
+ - smtp
+ - snmp
+ - ssh
+ - ssl
+ - tunnel
+ - weird
+ - mysql
+ - socks
+ - x509
+ config:
+ node:
+ lb_procs: 1
+ zeek_pins_enabled: False
+ zeek_pins: []
+ zeekctl:
+ MailTo: root@localhost
+ MailConnectionSummary: 1
+ MinDiskSpace: 5
+ MailHostUpDown: 1
+ LogRotationInterval: 3600
+ LogExpireInterval: 0
+ StatsLogEnable: 1
+ StatsLogExpireInterval: 0
+ StatusCmdShowAll: 0
+ CrashExpireInterval: 0
+ SitePolicyScripts: local.zeek
+ LogDir: /nsm/zeek/logs
+ SpoolDir: /nsm/zeek/spool
+ CfgDir: /opt/zeek/etc
+ CompressLogs: 1
+ policy:
+ file_extraction:
+ - application/x-dosexec: exe
+ - application/pdf: pdf
+ - application/msword: doc
+ - application/vnd.ms-powerpoint: doc
+ - application/rtf: doc
+ - application/vnd.ms-word.document.macroenabled.12: doc
+ - application/vnd.ms-word.template.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.template.macroenabled.12: doc
+ - application/vnd.ms-excel: doc
+ - application/vnd.ms-excel.addin.macroenabled.12: doc
+ - application/vnd.ms-excel.sheet.binary.macroenabled.12: doc
+ - application/vnd.ms-excel.template.macroenabled.12: doc
+ - application/vnd.ms-excel.sheet.macroenabled.12: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.presentation: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.slide: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.slideshow: doc
+ - application/vnd.openxmlformats-officedocument.presentationml.template: doc
+ - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet: doc
+ - application/vnd.openxmlformats-officedocument.spreadsheetml.template: doc
+ - application/vnd.openxmlformats-officedocument.wordprocessingml.document: doc
+ - application/vnd.openxmlformats-officedocument.wordprocessingml.template: doc
+ - application/vnd.ms-powerpoint.addin.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.slide.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
+ - application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
+ - application/vnd.openxmlformats-officedocument: doc
+ load:
+ - misc/loaded-scripts
+ - tuning/defaults
+ - misc/capture-loss
+ - misc/stats
+ - frameworks/software/vulnerable
+ - frameworks/software/version-changes
+ - protocols/ftp/software
+ - protocols/smtp/software
+ - protocols/ssh/software
+ - protocols/http/software
+ - protocols/dns/detect-external-names
+ - protocols/ftp/detect
+ - protocols/conn/known-hosts
+ - protocols/conn/known-services
+ - protocols/ssl/known-certs
+ - protocols/ssl/validate-certs
+ - protocols/ssl/log-hostcerts-only
+ - protocols/ssh/geo-data
+ - protocols/ssh/detect-bruteforcing
+ - protocols/ssh/interesting-hostnames
+ - protocols/http/detect-sqli
+ - frameworks/files/hash-all-files
+ - frameworks/files/detect-MHR
+ - policy/frameworks/notice/extend-email/hostnames
+ - ja3
+ - hassh
+ - intel
+ - cve-2020-0601
+ - securityonion/bpfconf
+ - securityonion/communityid
+ - securityonion/file-extraction
+ load-sigs:
+ - frameworks/signatures/detect-windows-shells
+ redef:
+ - LogAscii::use_json = T;
+ - CaptureLoss::watch_interval = 5 mins;
\ No newline at end of file
diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index ff91762f5..6185308ac 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
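Review bot: The three `*ExpireInterval: 0` settings under `zeekctl` (`LogExpireInterval`, `StatsLogExpireInterval`, `CrashExpireInterval`) turn off zeekctl's own expiry, so nothing in this file bounds how long logs, stats and crash reports stay on disk, and a reader should not have to know that pruning is delegated to the `zeek_clean` cron touched earlier in this commit. A one-line comment next to them would make that explicit: `# expiry disabled here on purpose; /nsm/zeek/logs is pruned by salt/zeek/cron/zeek_clean on disk pressure`. As a style point, the `logging.enabled` list is alphabetical up to `weird` and then appends `mysql`, `socks` and `x509` out of order, which makes a missing log type harder to spot; the file also ends without a trailing newline.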
@@ -1,28 +1,19 @@
-# Copyright 2014-2022 Security Onion Solutions, LLC
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
 {% from "zeek/map.jinja" import ZEEKOPTIONS with context %}
-{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
+{% set VERSION = salt['pillar.get']('global:soversion') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
 {% set BPF_ZEEK = salt['pillar.get']('zeek:bpf', {}) %}
 {% set BPF_STATUS = 0 %}
-{% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
+{% set INTERFACE = salt['pillar.get']('sensor:interface') %}
 {% set ZEEK = salt['pillar.get']('zeek', {}) %}
diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml
new file mode 100644
index 000000000..bcb3af346
--- /dev/null
+++ b/salt/zeek/soc_zeek.yaml
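Review bot: Dropping the `'bond0'` and `'HH1.2.2'` fallbacks from the two `pillar.get` calls means a missing `sensor:interface` or `global:soversion` pillar now renders as an empty value rather than a placeholder, and nothing in the hunk fails the state when that happens (if I recall the module correctly, `pillar.get` returns an empty string when the key is absent and no default is given). Removing the bogus defaults is the right call, but the render should fail loudly instead of producing an empty capture interface or image tag, e.g. `{% if not INTERFACE %}{{ raise('sensor:interface pillar is not set') }}{% endif %}` right after the `INTERFACE` assignment, and the same guard for `VERSION`. The `{% if sls in allowed_states %}` block and the uses of these variables continue past the hunk.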
@@ -0,0 +1,26 @@
+zeek:
+ logging:
+ enabled:
+ description: This is a list of zeek logs that will be shipped through the pipeline. If you remove a log from this list it will still persist on the sensor.
+ config:
+ node:
+ lb_procs:
+ description: This is the amount of CPUs to use for Zeek. This setting is ignored if you are using pins.
+ node: True
+ zeek_pins_enabled:
+ description:
+ node: True
+ zeeek_pins:
+ description: List of CPUs you want to
+ node: True
+ zeekctl:
+ CompressLogs:
+ description: Enable compression of zeek logs. If you are seeing packet loss at the top of the hour in zeek or pcap you might need to set this to 0. This will use more disk space but save IO and CPU.
+ policy:
+ file_extraction:
+ description: This is a list of mime types Zeek will extract from the network streams.
+ load:
+ description: List of Zeek policies to load
+ load-sigs:
+ description: List of Zeek signatures to load
+ 
\ No newline at end of file
diff --git a/setup/automation/distributed-airgap-manager b/setup/automation/distributed-airgap-manager
index b5d30ae33..ee55c5317 100644
--- a/setup/automation/distributed-airgap-manager
+++ b/setup/automation/distributed-airgap-manager
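Review bot: The key `zeeek_pins` under `config.node` is misspelled and does not match `zeek_pins` in `salt/zeek/defaults.yaml` from the same commit, so whatever consumes these annotations will not attach the description or `node: True` to the real setting; it should read `zeek_pins:`. Its description is also truncated (`List of CPUs you want to`) and the one under `zeek_pins_enabled` is empty; something like `description: List of CPU cores to pin Zeek workers to; only used when zeek_pins_enabled is true` and `description: Pin Zeek workers to the CPUs listed in zeek_pins instead of spreading them over lb_procs` would complete them, going by the lb_procs text above. The file also ends with a whitespace-only line and no trailing newline.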
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-airgap-search b/setup/automation/distributed-airgap-search index 3afc48d3b..a3b7ffc3b 100644 --- a/setup/automation/distributed-airgap-search +++ b/setup/automation/distributed-airgap-search 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-airgap-sensor b/setup/automation/distributed-airgap-sensor index a96cbeb7d..3e6e46c6d 100644 --- a/setup/automation/distributed-airgap-sensor +++ b/setup/automation/distributed-airgap-sensor 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-cloud-manager b/setup/automation/distributed-cloud-manager index 8e298e4c2..721fb7e13 100644 --- a/setup/automation/distributed-cloud-manager +++ b/setup/automation/distributed-cloud-manager 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-cloud-search b/setup/automation/distributed-cloud-search index aabf24a7f..dc6c2f97f 100644 --- a/setup/automation/distributed-cloud-search +++ b/setup/automation/distributed-cloud-search 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-cloud-sensor b/setup/automation/distributed-cloud-sensor index 0ba42769c..56156e516 100644 --- a/setup/automation/distributed-cloud-sensor +++ b/setup/automation/distributed-cloud-sensor 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-iso-manager b/setup/automation/distributed-iso-manager index bd1aec7b4..32de661e7 100644 --- a/setup/automation/distributed-iso-manager +++ b/setup/automation/distributed-iso-manager 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-iso-search b/setup/automation/distributed-iso-search index 9bdeaaa34..095436788 100644 --- a/setup/automation/distributed-iso-search +++ b/setup/automation/distributed-iso-search 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-iso-sensor b/setup/automation/distributed-iso-sensor index 90f17ffb5..11a78b9c8 100644 --- a/setup/automation/distributed-iso-sensor +++ b/setup/automation/distributed-iso-sensor 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-net-centos-manager b/setup/automation/distributed-net-centos-manager index bd1aec7b4..32de661e7 100644 --- a/setup/automation/distributed-net-centos-manager +++ b/setup/automation/distributed-net-centos-manager 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-net-centos-search b/setup/automation/distributed-net-centos-search index 98c0af7c8..ab67e11d8 100644 --- a/setup/automation/distributed-net-centos-search +++ b/setup/automation/distributed-net-centos-search 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-net-centos-sensor b/setup/automation/distributed-net-centos-sensor index f8230152e..b3f0d01d4 100644 --- a/setup/automation/distributed-net-centos-sensor +++ b/setup/automation/distributed-net-centos-sensor 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-net-ubuntu-manager b/setup/automation/distributed-net-ubuntu-manager index c7ffd9ebe..339f651ae 100644 --- a/setup/automation/distributed-net-ubuntu-manager +++ b/setup/automation/distributed-net-ubuntu-manager 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-net-ubuntu-search b/setup/automation/distributed-net-ubuntu-search index 5285f97e3..398432647 100644 --- a/setup/automation/distributed-net-ubuntu-search +++ b/setup/automation/distributed-net-ubuntu-search 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-net-ubuntu-sensor b/setup/automation/distributed-net-ubuntu-sensor index 294b68480..d25bf0080 100644 --- a/setup/automation/distributed-net-ubuntu-sensor +++ b/setup/automation/distributed-net-ubuntu-sensor 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-net-ubuntu-suricata-manager b/setup/automation/distributed-net-ubuntu-suricata-manager index e5c0c137f..614d12c6f 100644 --- a/setup/automation/distributed-net-ubuntu-suricata-manager +++ b/setup/automation/distributed-net-ubuntu-suricata-manager 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-net-ubuntu-suricata-search b/setup/automation/distributed-net-ubuntu-suricata-search index 585de54af..138b273c4 100644 --- a/setup/automation/distributed-net-ubuntu-suricata-search +++ b/setup/automation/distributed-net-ubuntu-suricata-search 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/distributed-net-ubuntu-suricata-sensor b/setup/automation/distributed-net-ubuntu-suricata-sensor index ee8eba5e0..58fb922a3 100644 --- a/setup/automation/distributed-net-ubuntu-suricata-sensor +++ b/setup/automation/distributed-net-ubuntu-suricata-sensor 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/eval-airgap b/setup/automation/eval-airgap index 7e1df4dfc..595d21a32 100644 --- a/setup/automation/eval-airgap +++ b/setup/automation/eval-airgap 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/eval-cloud b/setup/automation/eval-cloud index cb8b0b1ae..997d7e53b 100644 --- a/setup/automation/eval-cloud +++ b/setup/automation/eval-cloud 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/eval-cloud-logscan b/setup/automation/eval-cloud-logscan deleted file mode 100644 index 564df40f0..000000000 --- a/setup/automation/eval-cloud-logscan +++ /dev/null 
@@ -1,77 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014-2022 Security Onion Solutions, LLC
-
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-BNICS=eth1
-ZEEKVERSION=ZEEK
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-GRAFANA=1
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=eval
-install_type=EVAL
-LEARN_LOGSCAN_ENABLE=true
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-PLAYBOOK=1
-REDIRECTHOST=$(cat /root/public_ip)
-REDIRECTINFO=OTHER
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-STRELKA=1
-THEHIVE=0
-WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/eval-iso b/setup/automation/eval-iso
index e1461d95f..5c41e1b12 100644
--- a/setup/automation/eval-iso
+++ b/setup/automation/eval-iso
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/eval-net-centos b/setup/automation/eval-net-centos index c86357a21..b56b45a52 100644 --- a/setup/automation/eval-net-centos +++ b/setup/automation/eval-net-centos 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/eval-net-ubuntu b/setup/automation/eval-net-ubuntu index 5d1cfb500..24c68896a 100644 --- a/setup/automation/eval-net-ubuntu +++ b/setup/automation/eval-net-ubuntu 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/import-airgap b/setup/automation/import-airgap index 78cd42096..d1d153177 100644 --- a/setup/automation/import-airgap +++ b/setup/automation/import-airgap 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/import-cloud b/setup/automation/import-cloud index eb8b23905..684e487fd 100644 --- a/setup/automation/import-cloud +++ b/setup/automation/import-cloud 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/import-iso b/setup/automation/import-iso index 8c8357f0f..7ad671b37 100644 --- a/setup/automation/import-iso +++ b/setup/automation/import-iso 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/import-net-centos b/setup/automation/import-net-centos index e565b22e2..cfeef5cb4 100644 --- a/setup/automation/import-net-centos +++ b/setup/automation/import-net-centos 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/import-net-ubuntu b/setup/automation/import-net-ubuntu index e115232aa..e6fcc2b6b 100644 --- a/setup/automation/import-net-ubuntu +++ b/setup/automation/import-net-ubuntu 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/standalone-airgap b/setup/automation/standalone-airgap index a17d006c7..44be7b270 100644 --- a/setup/automation/standalone-airgap +++ b/setup/automation/standalone-airgap 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/standalone-cloud b/setup/automation/standalone-cloud index 77686b862..66c123362 100644 --- a/setup/automation/standalone-cloud +++ b/setup/automation/standalone-cloud 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/standalone-cloud-suricata b/setup/automation/standalone-cloud-suricata deleted file mode 100644 index e3e21f756..000000000 --- a/setup/automation/standalone-cloud-suricata +++ /dev/null 
@@ -1,76 +0,0 @@
-#!/bin/bash
-
-# Copyright 2014-2022 Security Onion Solutions, LLC
-
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-TESTING=true
-
-address_type=DHCP
-ADMINUSER=onionuser
-ADMINPASS1=onionuser
-ADMINPASS2=onionuser
-ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
-BASICZEEK=2
-BASICSURI=2
-# BLOGS=
-BNICS=eth1
-ZEEKVERSION=SURICATA
-# CURCLOSEDAYS=
-# EVALADVANCED=BASIC
-GRAFANA=1
-# HELIXAPIKEY=
-HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
-HNSENSOR=inherit
-HOSTNAME=standalone
-install_type=STANDALONE
-# LSINPUTBATCHCOUNT=
-# LSINPUTTHREADS=
-# LSPIPELINEBATCH=
-# LSPIPELINEWORKERS=
-MANAGERADV=BASIC
-# MDNS=
-# MGATEWAY=
-# MIP=
-# MMASK=
-MNIC=eth0
-# MSEARCH=
-# MSRV=
-# MTU=
-NIDS=Suricata
-# NODE_ES_HEAP_SIZE=
-# NODE_LS_HEAP_SIZE=
-NODESETUP=NODEBASIC
-NSMSETUP=BASIC
-NODEUPDATES=MANAGER
-# OINKCODE=
-OSQUERY=1
-# PATCHSCHEDULEDAYS=
-# PATCHSCHEDULEHOURS=
-PATCHSCHEDULENAME=auto
-PLAYBOOK=1
-REDIRECTHOST=$(cat /root/public_ip)
-REDIRECTINFO=OTHER
-RULESETUP=ETOPEN
-# SHARDCOUNT=
-# SKIP_REBOOT=
-SOREMOTEPASS1=onionuser
-SOREMOTEPASS2=onionuser
-STRELKA=1
-THEHIVE=0
-WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/standalone-iso b/setup/automation/standalone-iso
index fa47dd66d..11eac77b9 100644
--- a/setup/automation/standalone-iso
+++ b/setup/automation/standalone-iso
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/standalone-iso-logscan b/setup/automation/standalone-iso-logscan index 4038735d0..9249fa4ed 100644 --- a/setup/automation/standalone-iso-logscan +++ b/setup/automation/standalone-iso-logscan 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/standalone-iso-suricata b/setup/automation/standalone-iso-suricata index 078190043..e14049a34 100644 --- a/setup/automation/standalone-iso-suricata +++ b/setup/automation/standalone-iso-suricata 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/standalone-net-centos b/setup/automation/standalone-net-centos index 050bdde51..0b36e600a 100644 --- a/setup/automation/standalone-net-centos +++ b/setup/automation/standalone-net-centos 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/standalone-net-centos-proxy b/setup/automation/standalone-net-centos-proxy index 9f8e1b6b6..b22fc4b74 100644 --- a/setup/automation/standalone-net-centos-proxy +++ b/setup/automation/standalone-net-centos-proxy 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/automation/standalone-net-ubuntu b/setup/automation/standalone-net-ubuntu index 2aad4ea0e..9c62dda04 100644 --- a/setup/automation/standalone-net-ubuntu +++ b/setup/automation/standalone-net-ubuntu 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . TESTING=true diff --git a/setup/install_scripts/99-so-checksum-offload-disable b/setup/install_scripts/99-so-checksum-offload-disable index b2d8ffc3b..fdce54f5e 100755 --- a/setup/install_scripts/99-so-checksum-offload-disable +++ b/setup/install_scripts/99-so-checksum-offload-disable 
@@ -1,19 +1,11 @@ #!/bin/bash # -# Copyright 2014-2022 Security Onion Solutions, LLC -# -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + . /usr/sbin/so-common diff --git a/setup/so-functions b/setup/so-functions index c92b643cc..7b1ae477f 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . # README - DO NOT DEFINE GLOBAL VARIABLES IN THIS FILE. Instead use so-variables. @@ -44,21 +35,6 @@ logCmd() { } ### End Logging Section ### -airgap_repo() { - # Remove all the repo files - rm -rf /etc/yum.repos.d/* - echo "[airgap_repo]" > /etc/yum.repos.d/airgap_repo.repo - if $is_manager; then - echo "baseurl=https://$HOSTNAME/repo" >> /etc/yum.repos.d/airgap_repo.repo - else - echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/airgap_repo.repo - fi - echo "gpgcheck=1" >> /etc/yum.repos.d/airgap_repo.repo - echo "sslverify=0" >> /etc/yum.repos.d/airgap_repo.repo - echo "name=Airgap Repo" >> /etc/yum.repos.d/airgap_repo.repo - echo "enabled=1" >> /etc/yum.repos.d/airgap_repo.repo -} - airgap_rules() { # Copy the rules for suricata if using Airgap mkdir -p /nsm/repo/rules 
@@ -71,16 +47,6 @@ airgap_rules() { cp -Rv /root/SecurityOnion/agrules/strelka /nsm/repo/rules/ } -accept_salt_key_remote() { - systemctl restart salt-minion - - echo "Accept the key remotely on the manager" >> "$setup_log" 2>&1 - # Delete the key just in case. - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-key -d "$MINION_ID" -y - salt-call state.show_top >> /dev/null 2>&1 - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-key -a "$MINION_ID" -y -} - add_admin_user() { # Add an admin user with full sudo rights if this is an ISO install. { @@ -113,10 +79,6 @@ add_socore_user_manager() { so_add_user "socore" "939" "939" "/opt/so" >> "$setup_log" 2>&1 } -add_soremote_user_manager() { - so_add_user "soremote" "947" "947" "/home/soremote" "$SOREMOTEPASS1" >> "$setup_log" 2>&1 -} - add_web_user() { wait_for_file /opt/so/conf/kratos/db/db.sqlite 30 5 { @@ -145,7 +107,7 @@ analyst_salt_local() { securityonion_repo gpg_rpm_import # Install salt - logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" salt-call state.apply workstation --local --file-root=../salt/ -l info 2>&1 | tee -a outfile @@ -161,10 +123,9 @@ analyst_salt_local() { } - analyst_workstation_pillar() { - local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls + local pillar_file=$local_salt_dir/pillar/minions/$MINION_ID.sls # Create the analyst workstation pillar printf '%s\n'\ 
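Review bot: The `analyst_salt_local` install line now pins `salt-minion-3004.1` where the old side pinned `salt-minion-3004.2`, so the new code installs the older point release of the minion; confirm this is intentional, since Salt point releases carry security fixes and the analyst workstation should track the same version as the rest of the deployment. If the older pin is required (for example to match the package set the ISO ships), a comment above the `logCmd` such as `# salt-minion pinned to 3004.1 to match the manager/ISO package set` would stop the next maintainer "fixing" it back. `analyst_salt_local` starts and ends outside the hunk.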
@@ -197,6 +158,19 @@ check_manager_state() { retry 2 15 "__check_so_status" >> $setup_log 2>&1 && retry 2 15 "__check_salt_master" >> $setup_log 2>&1 && return 0 || return 1 } +check_manager_connection() { + # See if you can curl the manager. If not you can either try again or continue + echo "Checking manager connectivity" + man_test_err=$(curl -k -L -sS https://$MSRVIP/repo --connect-timeout 5 2>&1) + + local ret=$? + + if [[ $ret != 0 ]]; then + error "Could not reach $MSRV" + whiptail_manager_unreachable + fi +} + __check_so_status() { local so_status_output so_status_output=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /opt/so/log/sostatus/status.log) @@ -256,14 +230,6 @@ check_service_status() { } -check_soremote_pass() { - check_pass_match "$SOREMOTEPASS1" "$SOREMOTEPASS2" "SCMATCH" -} - -check_fleet_node_pass() { - check_pass_match "$FLEETNODEPASSWD1" "$FLEETNODEPASSWD2" "FPMATCH" -} - check_web_pass() { check_pass_match "$WEBPASSWD1" "$WEBPASSWD2" "WPMATCH" } @@ -328,17 +294,6 @@ collect_dockernet() { fi } -collect_es_cluster_name() { - if whiptail_manager_adv_escluster; then - whiptail_manager_adv_escluster_name "securityonion" - - while ! valid_string "$ESCLUSTERNAME"; do - whiptail_invalid_string "ES cluster name" - whiptail_manager_adv_escluster_name "$ESCLUSTERNAME" - done - fi -} - collect_es_space_limit() { whiptail_log_size_limit "$log_size_limit" 
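Review bot: `check_manager_connection` captures curl's stderr into `man_test_err` but never uses it, so the operator only sees `Could not reach $MSRV` and loses the actual failure reason (resolution, timeout, TLS handshake); pass it through with `error "Could not reach $MSRV: $man_test_err"`. The probe runs with `-k`, which is acceptable for a reachability test but means a passing check establishes nothing about the manager's certificate — a one-line comment `# -k: reachability only; certificate trust is not checked here` keeps it from being read as a trust check. `$MSRVIP` should be quoted in the URL (`"https://$MSRVIP/repo"`) for consistency with the rest of the file, and because the last statement in the failure path is `whiptail_manager_unreachable`, the function's own exit status on failure is whatever that helper returns; if callers test it, add an explicit `return 1` after the dialog.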
@@ -348,36 +303,6 @@ collect_es_space_limit() { done } -collect_fleet_custom_hostname_inputs() { - whiptail_fleet_custom_hostname - - while [[ -n $FLEETCUSTOMHOSTNAME ]] && ! valid_fqdn "$FLEETCUSTOMHOSTNAME"; do - whiptail_invalid_input - whiptail_fleet_custom_hostname "$FLEETCUSTOMHOSTNAME" - done -} - -# Get a username & password for the Fleet admin user -collect_fleetuser_inputs() { - whiptail_create_fleet_node_user - - while ! so-user valemail "$FLEETNODEUSER" >> "$setup_log" 2>&1; do - whiptail_invalid_user_warning - whiptail_create_fleet_node_user "$FLEETNODEUSER" - done - - FPMATCH=no - while [[ $FPMATCH != yes ]]; do - whiptail_create_fleet_node_user_password1 - while ! check_password "$FLEETNODEPASSWD1"; do - whiptail_invalid_pass_characters_warning - whiptail_create_fleet_node_user_password1 - done - whiptail_create_fleet_node_user_password2 - check_fleet_node_pass - done -} - collect_gateway() { whiptail_management_interface_gateway @@ -444,32 +369,6 @@ collect_hostname_validate() { done } -collect_idh_preferences() { - IDHMGTRESTRICT='False' - whiptail_idh_preferences - - if [[ "$idh_preferences" != "" ]]; then IDHMGTRESTRICT='True'; fi -} - -collect_idh_services() { - whiptail_idh_services - - case "$idh_services" in - 'Linux Webserver (NAS Skin)') - idh_services=("HTTP" "FTP" "SSH") - ;; - 'MySQL Server') - idh_services=("MYSQL" "SSH") - ;; - 'MSSQL Server') - idh_services=("MSSQL" "VNC") - ;; - 'Custom') - whiptail_idh_services_custom - ;; - esac -} - collect_int_ip_mask() { whiptail_management_interface_ip_mask @@ -514,15 +413,6 @@ collect_mngr_hostname() { fi } -collect_mtu() { - whiptail_bond_nics_mtu "1500" - - while ! valid_int "$MTU" "68" "10000"; do - whiptail_invalid_input - whiptail_bond_nics_mtu "$MTU" - done -} - collect_net_method() { whiptail_net_method 
@@ -536,41 +426,6 @@ collect_net_method() { fi } -collect_node_es_heap() { - whiptail_node_es_heap "$ES_HEAP_SIZE" -} - -collect_node_ls_heap() { - whiptail_node_ls_heap "$LS_HEAP_SIZE" -} - -collect_node_ls_input() { - whiptail_node_ls_input_threads "1" - - while ! valid_int "$LSINPUTTHREADS"; do - whiptail_invalid_input - whiptail_node_ls_input_threads "$LSINPUTTHREADS" - done -} - -collect_node_ls_pipeline_batch_size() { - whiptail_node_ls_pipline_batchsize "125" - - while ! valid_int "$LSPIPELINEBATCH"; do - whiptail_invalid_input - whiptail_node_ls_pipline_batchsize "$LSPIPELINEBATCH" - done -} - -collect_node_ls_pipeline_worker_count() { - whiptail_node_ls_pipeline_worker "$num_cpu_cores" - - while ! valid_int "$LSPIPELINEWORKERS"; do - whiptail_invalid_input - whiptail_node_ls_pipeline_worker "$LSPIPELINEWORKERS" - done -} - collect_ntp_servers() { if whiptail_ntp_ask; then [[ $is_airgap ]] && ntp_string="" @@ -726,26 +581,6 @@ collect_so_allow() { fi } -collect_soremote_inputs() { - whiptail_create_soremote_user - SCMATCH=no - - while [[ $SCMATCH != yes ]]; do - whiptail_create_soremote_user_password1 - whiptail_create_soremote_user_password2 - check_soremote_pass - done -} - -collect_suri() { - whiptail_basic_suri "$PROCS" - - while ! valid_int "$BASICSURI"; do - whiptail_invalid_input - whiptail_basic_suri "$BASICSURI" - done -} - # Get an email & password for the web admin user collect_webuser_inputs() { whiptail_create_web_user @@ -771,15 +606,6 @@ collect_webuser_inputs() { done } -collect_zeek() { - whiptail_basic_zeek "$PROCS" - - while ! valid_int "$BASICZEEK"; do - whiptail_invalid_input - whiptail_basic_zeek "$BASICZEEK" - done -} - configure_minion() { local minion_type=$1 if [[ $is_analyst ]]; then @@ -787,7 +613,7 @@ configure_minion() { fi echo "Configuring minion type as $minion_type" >> "$setup_log" 2>&1 echo "role: so-$minion_type" > /etc/salt/grains - + local minion_config=/etc/salt/minion echo "id: '$MINION_ID'" > "$minion_config" 
@@ -796,10 +622,6 @@ configure_minion() { 'workstation') echo "master: '$MSRV'" >> "$minion_config" ;; - 'helix') - cp -f ../salt/ca/files/signing_policies.conf /etc/salt/minion.d/signing_policies.conf - echo "master: '$HOSTNAME'" >> "$minion_config" - ;; 'manager' | 'eval' | 'managersearch' | 'standalone' | 'import') cp -f ../salt/ca/files/signing_policies.conf /etc/salt/minion.d/signing_policies.conf printf '%s\n'\ @@ -826,6 +648,9 @@ configure_minion() { "log_level_logfile: info"\ "log_file: /opt/so/log/salt/minion" >> "$minion_config" + cp -f ../salt/salt/etc/minion.d/mine_functions.conf /etc/salt/minion.d/mine_functions.conf + sed -i "s/{{ pillar.host.mainint }}/$MAININT/" /etc/salt/minion.d/mine_functions.conf + { systemctl restart salt-minion; } >> "$setup_log" 2>&1 @@ -1079,22 +904,6 @@ copy_minion_tmp_files() { salt-call saltutil.sync_modules >> "$setup_log" 2>&1 } -copy_ssh_key() { - - echo "Generating SSH key" - # Generate SSH key - mkdir -p /root/.ssh - ssh-keygen -f /root/.ssh/so.key -t rsa -q -N "" < /dev/zero - chown -R "$SUDO_USER":"$SUDO_USER" /root/.ssh - - echo "Removing old entry for manager from known_hosts if it exists" - grep -q "$MSRV" /root/.ssh/known_hosts && sed -i "/${MSRV}/d" /root/.ssh/known_hosts - - echo "Copying the SSH key to the manager" - #Copy the key over to the manager - $sshcopyidcmd -f -i /root/.ssh/so.key soremote@"$MSRV" -} - create_local_directories() { echo "Creating local pillar and salt directories" PILLARSALTDIR=${SCRIPTDIR::-5} @@ -1117,6 +926,24 @@ create_local_nids_rules() { salt-run fileserver.clear_file_list_cache } +create_manager_pillars() { + elasticsearch_pillar + logstash_pillar + manager_pillar + create_global + create_sensoroni_pillar + #create_strelka_pillar + backup_pillar + soctopus_pillar + docker_pillar + redis_pillar + idstools_pillar + kratos_pillar + soc_pillar + idh_pillar + +} + create_repo() { # Create the repo for airgap createrepo /nsm/repo 
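Review bot: `create_manager_pillars` leaves `#create_strelka_pillar` commented out although `create_strelka_pillar` is added by this same diff and the strelka settings (`enabled`, `rules`, `repos`) were previously emitted into global.sls by the removed `manager_global`; unless another caller writes `$strelka_pillar_file`, which I cannot see from here, those settings are silently dropped — either enable the call or add a comment stating where strelka is now configured. In the `configure_minion` hunk, `$MAININT` is substituted unescaped into the sed replacement (`sed -i "s/{{ pillar.host.mainint }}/$MAININT/"`); interface names rarely contain sed metacharacters, but switching the delimiter, `sed -i "s|{{ pillar.host.mainint }}|$MAININT|"`, is a cheap guard, and a comment `# Render the mine_functions template for the management interface` would explain why a Jinja placeholder is being rewritten at setup time. `configure_minion` starts and ends outside the hunk.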
@@ -1133,14 +960,17 @@ detect_os() { # Detect Base OS echo "Detecting Base OS" >> "$log" 2>&1 if [ -f /etc/redhat-release ]; then - OS=centos - is_centos=true if grep -q "CentOS Linux release 7" /etc/redhat-release; then + OS=centos OSVER=7 - elif grep -q "CentOS Linux release 8" /etc/redhat-release; then + is_centos=true + pkgman="yum" + elif grep -q "Rocky Linux release 8" /etc/redhat-release; then + OS=rocky OSVER=8 - echo "We currently do not support CentOS $OSVER but we are working on it!" - exit 1 + is_rocky=true + pkgman="dnf" + echo "We currently do not support Rocky Linux $OSVER but we are working on it!" else echo "We do not support the version of CentOS you are trying to use." exit 1 
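Review bot: The new Rocky Linux 8 branch in `detect_os` prints `We currently do not support Rocky Linux 8 but we are working on it!` but, unlike the CentOS 8 branch it replaces, no longer calls `exit 1`, so setup continues with `is_rocky=true` and `pkgman="dnf"` while telling the operator the platform is unsupported; either drop the message or restore `exit 1` so the message and the behaviour agree. The `else` branch still says `We do not support the version of CentOS you are trying to use.` although the file is now also reached on Rocky; `We do not support this version of CentOS/Rocky Linux.` would be accurate. `detect_os` continues outside the hunk.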
@@ -1232,49 +1062,6 @@ disable_ipv6() { } >> /etc/sysctl.conf } -docker_install() { - - if [[ $is_centos ]]; then - logCmd "yum clean expire-cache" - if [[ ! $is_iso ]]; then - logCmd "yum -y install docker-ce-20.10.5-3.el7 docker-ce-cli-20.10.5-3.el7 docker-ce-rootless-extras-20.10.5-3.el7 containerd.io-1.4.4-3.1.el7" - fi - logCmd "yum versionlock docker-ce-20.10.5-3.el7" - logCmd "yum versionlock docker-ce-cli-20.10.5-3.el7" - logCmd "yum versionlock docker-ce-rootless-extras-20.10.5-3.el7" - logCmd "yum versionlock containerd.io-1.4.4-3.1.el7" - - else - case "$install_type" in - 'MANAGER' | 'EVAL' | 'STANDALONE' | 'MANAGERSEARCH' | 'IMPORT') - retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 - ;; - *) - retry 50 10 "apt-key add $temp_install_dir/gpg/docker.pub" >> "$setup_log" 2>&1 || exit 1 - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >> "$setup_log" 2>&1 - retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 - ;; - esac - if [ $OSVER == "bionic" ]; then - service docker stop - apt -y purge docker-ce docker-ce-cli docker-ce-rootless-extras - retry 50 10 "apt-get -y install --allow-downgrades docker-ce=5:20.10.5~3-0~ubuntu-bionic docker-ce-cli=5:20.10.5~3-0~ubuntu-bionic docker-ce-rootless-extras=5:20.10.5~3-0~ubuntu-bionic python3-docker" >> "$setup_log" 2>&1 || exit 1 - apt-mark hold docker-ce docker-ce-cli docker-ce-rootless-extras - elif [ $OSVER == "focal" ]; then - service docker stop - apt -y purge docker-ce docker-ce-cli docker-ce-rootless-extras - retry 50 10 "apt-get -y install --allow-downgrades docker-ce=5:20.10.8~3-0~ubuntu-focal docker-ce-cli=5:20.10.8~3-0~ubuntu-focal docker-ce-rootless-extras=5:20.10.8~3-0~ubuntu-focal python3-docker" >> "$setup_log" 2>&1 || exit 1 - apt-mark hold docker-ce docker-ce-cli docker-ce-rootless-extras - fi - fi - docker_registry - { - echo "Restarting Docker"; - systemctl restart docker; - systemctl enable docker; - } 
>> "$setup_log" 2>&1 -} - docker_registry() { echo "Setting up Docker Registry" >> "$setup_log" 2>&1 @@ -1358,28 +1145,48 @@ download_repo_tarball() { } elasticsearch_pillar() { - - local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls - - # Create the node pillar + # Create Advanced File + touch $adv_elasticsearch_pillar_file + # Create the Elasticsearch pillar printf '%s\n'\ "elasticsearch:"\ - " mainip: '$MAINIP'"\ - " mainint: '$MNIC'"\ - " esheap: '$NODE_ES_HEAP_SIZE'" >> "$pillar_file" - if [ -n "$ESCLUSTERNAME" ]; then - printf '%s\n'\ - " esclustername: $ESCLUSTERNAME" >> "$pillar_file" - else - printf '%s\n'\ - " esclustername: '{{ grains.host }}'" >> "$pillar_file" - fi - printf '%s\n'\ - " node_type: '$NODETYPE'"\ - " es_port: $node_es_port"\ - " log_size_limit: $log_size_limit"\ - " node_route_type: 'hot'"\ - "" >> "$pillar_file" + " config:"\ + " cluster:"\ + " name: securityonion"\ + " routing:"\ + " allocation:"\ + " disk:"\ + " threshold_enabled: true"\ + " watermark:"\ + " low: 80%"\ + " high: 85%"\ + " flood_stage: 90%"\ + " script:"\ + " max_compilations_rate: 20000/1m"\ + " indices:"\ + " query:"\ + " bool:"\ + " max_clause_count: 3500"\ + " index_settings:"\ > $elasticsearch_pillar_file + for INDEX in aws azure barracuda beats bluecoat cef checkpoint cisco cyberark cylance elasticsearch endgame f5 firewall fortinet gcp google_workspace ids imperva import infoblox juniper kibana logstash microsoft misp netflow netscout o365 okta osquery proofpoint radware redis snort snyk sonicwall sophos strelka syslog tomcat zeek zscaler + do + printf '%s\n'\ + " so-$INDEX:"\ + " warm: 7"\ + " close: 30"\ + " delete: 365"\ + " index_sorting: True"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " mapping:"\ + " total_fields:"\ + " limit: 5000"\ + " refresh_interval: 30s"\ + " number_of_shards: 1"\ + " number_of_replicas: 0" >> $elasticsearch_pillar_file + done } es_heapsize() { 
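Review bot: The per-index loop in `elasticsearch_pillar` applies the same `warm: 7` / `close: 30` / `delete: 365` to every index including `so-import`, whereas the removed global.sls block later in this diff kept import data effectively forever (`close: 73000`, `delete: 73001`); if imported evidence is still meant to be retained, `import` needs its own entry outside the loop or a case inside it. The redirections `> $elasticsearch_pillar_file` and `>> $elasticsearch_pillar_file` are unquoted while the sibling pillar functions quote theirs; `> "$elasticsearch_pillar_file"` keeps the style consistent. A comment on the first printf such as `# Cluster-wide settings first; per-index retention is generated by the loop below` would help readers of the long printf.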
@@ -1464,24 +1271,12 @@ firewall_generate_templates() { cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/ >> "$setup_log" 2>&1 - for i in analyst beats_endpoint endgame sensor manager minion osquery_endpoint search_node wazuh_endpoint; do + for i in analyst beats_endpoint endgame sensor manager minion elastic_agent_endpoint search_node; do $default_salt_dir/salt/common/tools/sbin/so-firewall includehost "$i" 127.0.0.1 done } -fleet_pillar() { - - local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls - - # Create the fleet pillar - printf '%s\n'\ - "fleet:"\ - " mainip: '$MAINIP'"\ - " manager: '$MSRV'"\ - "" > "$pillar_file" -} - generate_ca() { { echo "Building Certificate Authority"; @@ -1510,23 +1305,15 @@ generate_passwords(){ PLAYBOOKDBPASS=$(get_random_value) PLAYBOOKADMINPASS=$(get_random_value) PLAYBOOKAUTOMATIONPASS=$(get_random_value) - FLEETPASS=$(get_random_value) - FLEETSAPASS=$(get_random_value) - FLEETJWT=$(get_random_value) GRAFANAPASS=$(get_random_value) SENSORONIKEY=$(get_random_value) KRATOSKEY=$(get_random_value) } -generate_repo_tarball() { - mkdir -p /opt/so/repo - tar -czf /opt/so/repo/"$SOVERSION".tar.gz -C "$(pwd)/.." . -} - -generate_sensor_vars() { +generate_interface_vars() { # Set the MTU if [[ $NSMSETUP != 'ADVANCED' ]]; then - if [[ $is_cloud ]]; then MTU=1575; else MTU=1500; fi + if [[ $is_cloud ]]; then MTU=1575; else MTU=9000; fi fi export MTU 
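Review bot: `generate_interface_vars` now defaults the non-cloud sniffing MTU to 9000 instead of 1500, which assumes every supported NIC and driver accepts jumbo frames; where one does not, whatever later applies `$MTU` (not visible in this hunk) will fail and the interface keeps its previous MTU without this code noticing. If 9000 is the intended default, record the reason and the escape hatch in a comment, e.g. `# Jumbo default so encapsulated/oversized frames are captured intact; ADVANCED setup lets the operator override`, and consider having the code that applies it check the result. `generate_interface_vars` continues outside the hunk.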
@@ -1549,33 +1336,13 @@ get_redirect() { get_minion_type() { local minion_type case "$install_type" in - 'EVAL' | 'MANAGERSEARCH' | 'MANAGER' | 'SENSOR' | 'HEAVYNODE' | 'FLEET' | 'IDH' | 'STANDALONE' | 'IMPORT' | 'RECEIVER') + 'EVAL' | 'MANAGERSEARCH' | 'MANAGER' | 'SENSOR' | 'HEAVYNODE' | 'SEARCHNODE' | 'FLEET' | 'IDH' | 'STANDALONE' | 'IMPORT' | 'RECEIVER') minion_type=$(echo "$install_type" | tr '[:upper:]' '[:lower:]') ;; - 'HELIXSENSOR') - minion_type='helix' - ;; - *'NODE') - minion_type='node' - ;; esac echo "$minion_type" } -host_pillar() { - - local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls - - # Create the host pillar - printf '%s\n'\ - "host:"\ - " mainint: '$MNIC'"\ - "sensoroni:"\ - " node_address: '$MAINIP'"\ - " node_description: '${NODE_DESCRIPTION//\'/''}'"\ - "" > "$pillar_file" -} - install_cleanup() { if [ -f "$temp_install_dir" ]; then echo "Installer removing the following files:" @@ -1613,18 +1380,34 @@ import_registry_docker() { fi } +idh_pillar() { + touch $adv_idh_pillar_file + # Create the IDH Pillar + printf '%s\n'\ + "idh:"\ + " listen_on_mgnt_int: True"\ + " services:"\ + " - HTTP"\ + " - FTP"\ + " - MYSQL"\ + " - MSSQL"\ + " - VNC"\ + " - SSH" > "$idh_pillar_file" + +} + logstash_pillar() { - - local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls - + # Create the logstash advanced pillar + touch $adv_logstash_pillar_file # Create the logstash pillar printf '%s\n'\ "logstash_settings:"\ - " ls_pipeline_batch_size: $LSPIPELINEBATCH"\ - " ls_input_threads: $LSINPUTTHREADS"\ + " ls_host: '$HOSTNAME'"\ + " ls_pipeline_batch_size: 125"\ + " ls_input_threads: 1"\ " lsheap: $NODE_LS_HEAP_SIZE"\ " ls_pipeline_workers: $num_cpu_cores"\ - "" >> "$pillar_file" + "" > "$logstash_pillar_file" } # Set Logstash heap size based on total memory 
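Review bot: `idh_pillar` hard-codes `listen_on_mgnt_int: True` together with all six honeypot services, replacing the removed `collect_idh_preferences`/`collect_idh_services` prompts that let the operator restrict an IDH node; if the key means what its name suggests, decoy HTTP/FTP/MySQL/MSSQL/VNC/SSH listeners are now bound on the management interface by default. If that is deliberate, a comment above the printf such as `# Defaults: all decoy services, management interface included; operators tune these in the advanced pillar` would document it, otherwise `listen_on_mgnt_int: False` is the safer default. `idh_pillar` also runs `touch $adv_idh_pillar_file` unquoted while the data file is written quoted; quote both.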
@@ -1654,81 +1437,60 @@ ls_heapsize() { fi } -manager_pillar() { - - local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls - - # Create the manager pillar +idstools_pillar() { + touch $adv_idstools_pillar_file printf '%s\n'\ - "manager:"\ - " mainip: '$MAINIP'"\ - " mainint: '$MNIC'"\ - " proxy: '$so_proxy'"\ - " no_proxy: '$no_proxy_string'"\ - " esheap: '$ES_HEAP_SIZE'"\ - " esclustername: '{{ grains.host }}'"\ - " freq: 0"\ - " domainstats: 0" >> "$pillar_file" - - - if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'HELIXSENSOR' ] || [ "$install_type" = 'MANAGERSEARCH' ] || [ "$install_type" = 'STANDALONE' ]; then - printf '%s\n'\ - " mtu: $MTU" >> "$pillar_file" - fi - - printf '%s\n'\ - " elastalert: 1"\ - " es_port: $node_es_port"\ - " grafana: $GRAFANA"\ - " osquery: $OSQUERY"\ - " playbook: $PLAYBOOK"\ - ""\ - "elasticsearch:"\ - " mainip: '$MAINIP'"\ - " mainint: '$MNIC'"\ - " esheap: '$NODE_ES_HEAP_SIZE'"\ - " esclustername: '{{ grains.host }}'"\ - " node_type: '$NODETYPE'"\ - " es_port: $node_es_port"\ - " log_size_limit: $log_size_limit"\ - " node_route_type: 'hot'"\ - ""\ - "logstash_settings:"\ - " ls_pipeline_batch_size: 125"\ - " ls_input_threads: 1"\ - " lsheap: $LS_HEAP_SIZE"\ - " ls_pipeline_workers: $num_cpu_cores"\ - ""\ "idstools:"\ " config:"\ " ruleset: '$RULESETUP'"\ " oinkcode: '$OINKCODE'"\ - " urls:"\ + " urls: []"\ " sids:"\ - " enabled:"\ - " disabled:"\ - " modify:"\ - ""\ - "kratos:" >> "$pillar_file" - + " enabled: []"\ + " disabled: []"\ + " modify: []"\ + "" > "$idstools_pillar_file" - printf '%s\n'\ - " kratoskey: '$KRATOSKEY'"\ - "" >> "$pillar_file" +} + +soc_pillar() { + touch $adv_soc_pillar_file printf '%s\n'\ "soc:"\ " es_index_patterns: '*:so-*,*:endgame-*'"\ - "" >> "$pillar_file" + "" > "$soc_pillar_file" if [[ -n $ENDGAMEHOST ]]; then printf '%s\n'\ " endgamehost: '$ENDGAMEHOST'"\ - "" >> "$pillar_file" + "" >> "$soc_pillar_file" fi } -manager_global() { - local 
global_pillar="$local_salt_dir/pillar/global.sls" +manager_pillar() { + touch $adv_manager_pillar_file + # Create the manager pillar + printf '%s\n'\ + "manager:"\ + " proxy: '$so_proxy'"\ + " no_proxy: '$no_proxy_string'"\ + " elastalert: 1"\ + " grafana: $GRAFANA"\ + " playbook: $PLAYBOOK"\ + "" > "$manager_pillar_file" +} +kratos_pillar() { + touch $adv_kratos_pillar_file + printf '%s\n'\ + "kratos:"\ + " kratoskey: '$KRATOSKEY'"\ + " sessiontimeout: '24h'"\ + " mfa_issuer: 'Security Onion'"\ + "" > "$kratos_pillar_file" +} + +create_global() { + touch $adv_global_pillar_file if [ -z "$NODE_CHECKIN_INTERVAL_MS" ]; then NODE_CHECKIN_INTERVAL_MS=10000 if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'STANDALONE' ] || [ "$install_type" = 'IMPORT' ]; then 
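Review bot: `kratos_pillar` writes `kratoskey: '$KRATOSKEY'` into `$kratos_pillar_file` through a plain `>` redirect, so the file's mode is whatever the installer's umask yields; `create_sensoroni_pillar` does the same with `sensoronikey` in the next hunk. If these pillar files are not already created with restrictive permissions elsewhere (not visible here), creating them with `install -m 600 /dev/null "$kratos_pillar_file"` before the printf, or setting `umask 077` at the top of the secret-bearing pillar functions, keeps the keys readable by root only. The `soc_pillar` and `idstools_pillar` bodies in this hunk are fully visible; `create_global` begins here and continues in the following hunk.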
@@ -1743,205 +1505,91 @@ manager_global() { DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 fi + if [ -f "$global_pillar_file" ]; then + rm $global_pillar_file + fi + # Create a global file for global values - printf '%s\n'\ - "global:"\ - " soversion: '$SOVERSION'"\ - " hnmanager: '$HNMANAGER'"\ - " dockernet: '$DOCKERNET'"\ - " mdengine: '$ZEEKVERSION'"\ - " ids: '$NIDS'"\ - " url_base: '$REDIRECTIT'"\ - " managerip: '$MAINIP'" > "$global_pillar" - + echo "global:" >> $global_pillar_file + echo " soversion: '$SOVERSION'" >> $global_pillar_file + echo " managerip: '$MAINIP'" >> $global_pillar_file + echo " mdengine: 'ZEEK'" >> $global_pillar_file + echo " ids: 'Suricata'" >> $global_pillar_file + echo " url_base: '$REDIRECTIT'" >> $global_pillar_file if [[ $HIGHLANDER == 'True' ]]; then - printf '%s\n'\ - " highlander: True"\ >> "$global_pillar" + echo " highlander: True" >> $global_pillar_file fi if [[ $is_airgap ]]; then - printf '%s\n'\ - " airgap: True"\ >> "$global_pillar" + echo " airgap: True" >> $global_pillar_file else - printf '%s\n'\ - " airgap: False"\ >> "$global_pillar" + echo " airgap: False" >> $global_pillar_file fi # Continue adding other details + echo " imagerepo: '$IMAGEREPO'" >> $global_pillar_file + echo " pipeline: 'redis'" >> $global_pillar_file + echo " repo_host: '$MAINIP'" >> $global_pillar_file + echo " registry_host: '$MAINIP'" >> $global_pillar_file +} + +create_sensoroni_pillar() { + touch $adv_sensoroni_pillar_file + printf '%s\n'\ - " fleet_custom_hostname: "\ - " fleet_manager: False"\ - " fleet_node: False"\ - " fleet_packages-timestamp: 'N/A'"\ - " fleet_packages-version: 1"\ - " fleet_hostname: 'N/A'"\ - " fleet_ip: 'N/A'"\ - " sensoronikey: '$SENSORONIKEY'"\ - " wazuh: $WAZUH"\ - " imagerepo: '$IMAGEREPO'"\ - " pipeline: 'redis'"\ "sensoroni:"\ " node_checkin_interval_ms: $NODE_CHECKIN_INTERVAL_MS"\ + " sensoronikey: '$SENSORONIKEY'"\ + " soc_host: '$REDIRECTIT'" > $sensoroni_pillar_file + +} + 
+create_strelka_pillar() { + touch $adv_strelka_pillar_file + printf '%s\n'\ "strelka:"\ " enabled: $STRELKA"\ - " rules: 1" >> "$global_pillar" + " rules: 1" > "$strelka_pillar_file" if [[ $is_airgap ]]; then printf '%s\n'\ " repos:"\ - " - 'https://$HOSTNAME/repo/rules/strelka'" >> "$global_pillar" + " - 'https://$HOSTNAME/repo/rules/strelka'" >> "$strelka_pillar_file" else printf '%s\n'\ " repos:"\ - " - 'https://github.com/Neo23x0/signature-base'" >> "$global_pillar" + " - 'https://github.com/Neo23x0/signature-base'" >> "$strelka_pillar_file" fi +} +backup_pillar() { + touch $adv_backup_pillar_file printf '%s\n'\ - "curator:"\ - " hot_warm: False"\ - "elastic:"\ - " features: False"\ - "elasticsearch:"\ >> "$global_pillar" - if [ -n "$ESCLUSTERNAME" ]; then - printf '%s\n'\ - " true_cluster: True"\ - " config:"\ - " cluster:"\ - " name: '$ESCLUSTERNAME'" >> "$global_pillar" - else - printf '%s\n'\ - " true_cluster: False" >> "$global_pillar" - fi - - printf '%s\n'\ - " replicas: 0"\ - " discovery_nodes: 1"\ - " hot_warm_enabled: False"\ - " cluster_routing_allocation_disk.threshold_enabled: true"\ - " cluster_routing_allocation_disk_watermark_low: '95%'"\ - " cluster_routing_allocation_disk_watermark_high: '98%'"\ - " cluster_routing_allocation_disk_watermark_flood_stage: '98%'"\ - " index_settings:"\ - " so-beats:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " so-endgame:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " so-firewall:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " so-flow:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " so-ids:"\ - " index_template:"\ - " 
template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " so-import:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 73000"\ - " delete: 73001"\ - " so-osquery:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " so-ossec:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " so-strelka:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " so-syslog:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " so-zeek:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 2"\ - " warm: 7"\ - " close: 45"\ - " delete: 365"\ - "minio:"\ - " access_key: '$ACCESS_KEY'"\ - " access_secret: '$ACCESS_SECRET'"\ - "s3_settings:"\ - " size_file: 2048"\ - " time_file: 1"\ - " upload_queue_size: 4"\ - " encoding: 'gzip'"\ - " interval: 5"\ "backup:"\ " locations:"\ - " - /opt/so/saltstack/local"\ + " - /opt/so/saltstack/local" > "$backup_pillar_file" +} + +soctopus_pillar() { + touch $adv_soctopus_pillar_file + printf '%s\n'\ "soctopus:"\ " playbook:"\ " rulesets:"\ - " - windows"\ + " - windows" > "$soctopus_pillar_file" +} + +docker_pillar() { + touch $adv_docker_pillar_file + printf '%s\n'\ "docker:"\ " range: '$DOCKERNET/24'"\ - " bip: '$DOCKERBIP'"\ + " bip: '$DOCKERBIP'" > $docker_pillar_file +} + +redis_pillar() { + touch $adv_redis_pillar_file + printf '%s\n'\ "redis_settings:"\ - " redis_maxmemory: 812" >> "$global_pillar" - - printf '%s\n' '----' >> "$setup_log" 2>&1 + " redis_maxmemory: 812" > "$redis_pillar_file" } mark_version() { 
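Review bot: `create_global` removes and rewrites `$global_pillar_file` with an unquoted `rm $global_pillar_file` followed by a dozen unquoted `echo ... >> $global_pillar_file` appends, while the sibling functions added alongside it (`backup_pillar`, `soctopus_pillar`, `redis_pillar`) quote their paths and emit one `printf '%s\n'`; a single quoted printf with `>` makes the `rm` unnecessary and matches the file's style, as sketched below. `docker_pillar` likewise redirects to an unquoted `$docker_pillar_file`. `create_strelka_pillar` is defined here but the only call site added in this diff (`create_manager_pillars`) has it commented out, so `$strelka_pillar_file` appears never to be written; either enable the call or document why. `create_global`'s head is in the previous hunk; the rewrite below covers only the part of its body that this hunk changes.

```shell
  # … unchanged: NODE_CHECKIN_INTERVAL_MS / DOCKERBIP defaults …
  local airgap_value=False
  [[ $is_airgap ]] && airgap_value=True
  # One quoted printf replaces the rm plus per-line echo appends.
  printf '%s\n'\
    "global:"\
    "  soversion: '$SOVERSION'"\
    "  managerip: '$MAINIP'"\
    "  mdengine: 'ZEEK'"\
    "  ids: 'Suricata'"\
    "  url_base: '$REDIRECTIT'" > "$global_pillar_file"
  if [[ $HIGHLANDER == 'True' ]]; then
    printf '%s\n' "  highlander: True" >> "$global_pillar_file"
  fi
  printf '%s\n'\
    "  airgap: $airgap_value"\
    "  imagerepo: '$IMAGEREPO'"\
    "  pipeline: 'redis'"\
    "  repo_host: '$MAINIP'"\
    "  registry_host: '$MAINIP'" >> "$global_pillar_file"
}
```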
@@ -1949,15 +1597,6 @@ mark_version() { echo "$SOVERSION" > /etc/soversion } -minio_generate_keys() { - - local charSet="[:graph:]" - - ACCESS_KEY=$(get_random_value) - ACCESS_SECRET=$(get_random_value 40) - -} - network_init() { disable_ipv6 set_hostname @@ -1987,6 +1626,26 @@ network_init_whiptail() { esac } +networking_needful() { + [[ -f $net_init_file ]] && whiptail_net_reinit && reinit_networking=true + + if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then + collect_hostname + fi + [[ ! ( $is_eval || $is_import ) ]] && whiptail_node_description + if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then + network_init_whiptail + else + source "$net_init_file" + fi + if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then + whiptail_network_init_notice + network_init + fi + set_main_ip + compare_main_nic_ip +} + network_setup() { { echo "Finishing up network setup"; @@ -1999,13 +1658,15 @@ network_setup() { } >> "$setup_log" 2>&1 } -ntp_pillar() { - local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls +ntp_pillar_entries() { + local pillar_file=$local_salt_dir/pillar/minions/$MINION_ID.sls + + if [[ ${#ntp_servers[@]} -gt 0 ]]; then printf '%s\n'\ "ntp:"\ - " servers:" >> "$pillar_file" + " servers:" > "$pillar_file" for addr in "${ntp_servers[@]}"; do printf '%s\n' " - '$addr'" >> "$pillar_file" done @@ -2019,7 +1680,8 @@ parse_install_username() { patch_pillar() { - local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls + local pillar_file=$local_salt_dir/pillar/minions/$MINION_ID.sls + if [[ $MANAGERUPDATES == 1 ]]; then local source="manager" @@ -2034,7 +1696,7 @@ patch_pillar() { " schedule_name: '$PATCHSCHEDULENAME'"\ " enabled: True"\ " splay: 300"\ - "" >> "$pillar_file" + "" > "$pillar_file" } 
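Review bot: `ntp_pillar_entries` and `patch_pillar` both set `pillar_file` to `$local_salt_dir/pillar/minions/$MINION_ID.sls` and both now truncate it (`" servers:" > "$pillar_file"` and `"" > "$pillar_file"`) where the old code appended, so whichever runs second discards the other's section — and `analyst_workstation_pillar`, changed earlier in this diff, targets the same path. Unless the call order guarantees exactly one writer per host, which I cannot see from here, the later writers should return to `>>`, or one function should own creating the file and the others append to it. The `patch_pillar` body is split across two hunks; the truncating redirect is in the second, and `ntp_pillar_entries` continues outside its hunk.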
@@ -2066,6 +1728,38 @@ print_salt_state_apply() { echo "Applying $state Salt state" } +process_installtype() { + if [ "$install_type" = 'EVAL' ]; then + is_eval=true + STRELKARULES=1 + elif [ "$install_type" = 'STANDALONE' ]; then + is_standalone=true + elif [ "$install_type" = 'MANAGERSEARCH' ]; then + is_managersearch=true + elif [ "$install_type" = 'MANAGER' ]; then + is_manager=true + elif [ "$install_type" = 'SENSOR' ]; then + is_sensor=true + elif [ "$install_type" = 'SEARCHNODE' ]; then + is_searchnode=true + elif [ "$install_type" = 'HEAVYNODE' ]; then + is_heavy=true + elif [ "$install_type" = 'FLEET' ]; then + is_fleet=true + elif [ "$install_type" = 'IDH' ]; then + is_idh=true + elif [ "$install_type" = 'IMPORT' ]; then + is_import=true + elif [ "$install_type" = 'RECEIVER' ]; then + is_receiver=true + elif [ "$install_type" = 'ANALYST' ]; then + if [ "$setup_type" != 'analyst' ]; then + exec bash so-setup analyst + fi + fi + +} + proxy_validate() { echo "Testing proxy..." local test_url="https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS" @@ -2180,7 +1874,6 @@ reinstall_init() { # Backup directories in /nsm to prevent app errors backup_dir /nsm/mysql "$date_string" - backup_dir /nsm/wazuh "$date_string" # Remove the old launcher package in case the config changes remove_package launcher-final @@ -2232,6 +1925,19 @@ backup_dir() { fi } +drop_install_options() { + # Drop the install Variable + echo "MAINIP=$MAINIP" > /opt/so/install.txt + echo "MNIC=$MNIC" >> /opt/so/install.txt + echo "NODE_DESCRIPTION=$NODE_DESCRIPTION" >> /opt/so/install.txt + echo "ES_HEAP_SIZE=$ES_HEAP_SIZE" >> /opt/so/install.txt + echo "PATCHSCHEDULENAME=$PATCHSCHEDULENAME" >> /opt/so/install.txt + echo "INTERFACE=$INTERFACE" >> /opt/so/install.txt + NODETYPE=${install_type^^} + echo "NODETYPE=$NODETYPE" >> /opt/so/install.txt + echo "CORECOUNT=$lb_procs" >> /opt/so/install.txt +} + remove_package() { local package_name=$1 if [[ $is_centos ]]; then 
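Review bot: `drop_install_options` writes raw `KEY=$VALUE` lines to `/opt/so/install.txt` without quoting, so a `NODE_DESCRIPTION` containing spaces, quotes or shell metacharacters (free text typed by the operator; the removed `host_pillar` in this diff used to escape its quotes) produces a file that cannot be safely `source`d back, and `PATCHSCHEDULENAME` has the same exposure; emitting each value with `printf '%s=%q\n' NODE_DESCRIPTION "$NODE_DESCRIPTION"` (or `declare -p`) makes the file round-trip. The function also assigns the global `NODETYPE` as a side effect, which the name does not suggest; a comment `# NODETYPE is derived here and reused by later setup steps` or moving that assignment to the caller would make it explicit. Whether install.txt is later sourced is not visible in this hunk.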
@@ -2252,129 +1958,108 @@ remove_package() { # - securityonion-builds/iso-resources/packages.lst # - securityonion/salt/salt/master.defaults.yaml # - securityonion/salt/salt/minion.defaults.yaml -saltify() { - # Install updates and Salt +securityonion_repo() { + # Remove all the current repos if [[ $is_centos ]]; then - set_progress_str 6 'Installing various dependencies' - if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then - logCmd "yum -y install wget nmap-ncat" + if [[ $waitforstate ]]; then + # Build the repo locally so we can use it + echo "Syncing Repo" + repo_sync_local + fi + logCmd "yum -v clean all" + logCmd "mkdir -vp /root/oldrepos" + logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/" + logCmd "ls -la /etc/yum.repos.d/" + if [[ ! $waitforstate ]]; then + echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo + echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo + echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/securityonion.repo + echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo + echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo + echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo + else + echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo + echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo + echo "baseurl=file:///nsm/repo/" >> /etc/yum.repos.d/securityonion.repo + echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo + echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo fi - if [[ ! $is_analyst ]]; then - case "$install_type" in - 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT') - reserve_group_ids - if [[ ! $is_iso ]]; then - logCmd "yum -y install sqlite curl mariadb-devel" - fi - # Download Ubuntu Keys in case manager updates = 1 - logCmd "mkdir -vp /opt/so/gpg" - if [[ ! 
$is_airgap ]]; then - logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/SALTSTACK-GPG-KEY.pub" - logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" - logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" - fi - set_progress_str 7 'Installing salt-master' - if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3004.2" - fi - logCmd "systemctl enable salt-master" - ;; - *) - ;; - esac - fi - if [[ ! $is_airgap ]]; then - logCmd "yum clean expire-cache" - fi - set_progress_str 8 'Installing salt-minion & python modules' - if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then - logCmd "yum -y install salt-minion-3004.2 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" - logCmd "yum -y update --exclude=salt*" - fi - logCmd "systemctl enable salt-minion" - logCmd "yum versionlock salt*" - else - DEBIAN_FRONTEND=noninteractive retry 50 10 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || exit 1 - - if [ $OSVER == "bionic" ]; then - # Switch to Python 3 as default for bionic - update-alternatives --install /usr/bin/python python /usr/bin/python3.6 10 >> "$setup_log" 2>&1 - elif [ $OSVER == "focal" ]; then - # Switch to Python 3 as default for focal - update-alternatives --install /usr/bin/python python /usr/bin/python3.8 10 >> "$setup_log" 2>&1 - fi - - local pkg_arr=( - 'apache2-utils' - 'ca-certificates' - 'curl' - 'software-properties-common' - 'apt-transport-https' - 'openssl' - 'netcat' - 'jq' - ) - retry 50 10 "apt-get -y install ${pkg_arr[*]}" >> "$setup_log" 2>&1 || exit 1 - - # Grab the version from the os-release file - local ubuntu_version - ubuntu_version=$(grep 
VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}') - - case "$install_type" in - 'FLEET') - retry 50 10 "apt-get -y install python3-mysqldb" >> "$setup_log" 2>&1 || exit 1 - ;; - 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT' | 'HELIXSENSOR') - - # Add saltstack repo(s) - wget -q --inet4-only -O - https://repo.securityonion.net/file/securityonion-repo/ubuntu/"$ubuntu_version"/amd64/salt/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt3004.2/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" - - # Add Docker repo - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >> "$setup_log" 2>&1 - - # Get gpg keys - mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/"$ubuntu_version"/amd64/salt/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - - # Get key and install wazuh - curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - >> "$setup_log" 2>&1 - # Add repo - echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" - - retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 - set_progress_str 6 'Installing various dependencies' - retry 50 10 "apt-get -y install sqlite3 libssl-dev" >> "$setup_log" 2>&1 || exit 1 - set_progress_str 7 'Installing salt-master' - retry 50 10 "apt-get -y install salt-master=3004.2+ds-1" >> "$setup_log" 2>&1 || exit 1 - retry 50 
10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1 - ;; - *) - # Copy down the gpg keys and install them from the manager - mkdir "$temp_install_dir"/gpg >> "$setup_log" 2>&1 - echo "scp the gpg keys and install them from the manager" >> "$setup_log" 2>&1 - $scpcmd -v -i /root/.ssh/so.key soremote@"$MSRV":/opt/so/gpg/* "$temp_install_dir"/gpg >> "$setup_log" 2>&1 - echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 - apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 - apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt3004.2/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" - echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" - ;; - esac - - retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 - set_progress_str 8 'Installing salt-minion & python modules' - retry 50 10 "apt-get -y install salt-minion=3004.2+ds-1 salt-common=3004.2+ds-1" >> "$setup_log" 2>&1 || exit 1 - retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1 - retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" >> "$setup_log" 2>&1 || exit 1 + # need to yum clean all before repo conf files are removed or clean,cleans nothing + logCmd "yum repolist all" + # update this package because the repo config files get added back + # if the package is updated when the update_packages function is called + logCmd "yum -v -y update centos-release" + echo "Backing up the .repo files that were added by the centos-release package." 
+ logCmd "find /etc/yum.repos.d/ -type f -not -name 'securityonion*repo' -print0 | xargs -0 -I {} mv -bvf {} /root/oldrepos/" + logCmd "yum repolist all" fi } +repo_sync_local() { + # Sync the repo from the the SO repo locally. + # Check for reposync + REPOSYNC=$(rpm -qa | grep createrepo | wc -l) + if [[ ! "$REPOSYNC" -gt 0 ]]; then + # Install reposync + echo "Installing createrepo" + logCmd "yum -y install yum-utils createrepo" + else + echo "We have what we need to sync" + fi + echo "Backing up old repos" + mkdir -p /nsm/repo + mkdir -p /root/reposync_cache + echo "[main]" > /root/repodownload.conf + echo "cachedir=/root/reposync_cache" >> /root/repodownload.conf + echo "keepcache=0" >> /root/repodownload.conf + echo "debuglevel=2" >> /root/repodownload.conf + echo "logfile=/var/log/yum.log" >> /root/repodownload.conf + echo "exactarch=1" >> /root/repodownload.conf + echo "obsoletes=1" >> /root/repodownload.conf + echo "gpgcheck=1" >> /root/repodownload.conf + echo "plugins=1" >> /root/repodownload.conf + echo "installonly_limit=2" >> /root/repodownload.conf + echo "bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum" >> /root/repodownload.conf + echo "distroverpkg=centos-release" >> /root/repodownload.conf + echo "clean_requirements_on_remove=1" >> /root/repodownload.conf + echo "[securityonionsync]" >> /root/repodownload.conf + echo "name=Security Onion Repo repo" >> /root/repodownload.conf + echo "baseurl=https://repo.securityonion.net/file/securityonion-repo/c7so/" >> /root/repodownload.conf + echo "enabled=1" >> /root/repodownload.conf + echo "gpgcheck=1" >> /root/repodownload.conf + echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf + + reposync --norepopath -n -g -l -d -m -c /root/repodownload.conf -r securityonionsync --download-metadata -p /nsm/repo/ + + + # After the download is complete run createrepo + 
create_repo + +} + +saltify() { + if [[ $is_centos ]]; then + RUSALTY=$(rpm -qa | grep salt-minion | wc -l) + if [[ "$RUSALTY" -gt 0 ]]; then + # Salt is already installed. + echo "salt is installed" + else + # Install salt + if [[ $waitforstate ]]; then + # Since this is a salt master so let's install it + logCmd "yum -y install salt-minion salt-master" + else + # We just need the minion + logCmd "yum -y install salt-minion" + fi + fi + fi + +} + + # Run a salt command to generate the minion key salt_firstcheckin() { salt-call state.show_top >> /dev/null 2>&1 # send output to /dev/null because we don't actually care about the ouput 
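Review bot: The minion-side stanza written in `securityonion_repo` sets `sslverify=0` for `https://$MSRV/repo`, which strips all authentication from the TLS connection to the manager; `gpgcheck=1` still protects RPM contents, but repository metadata is unsigned unless `repo_gpgcheck=1` is also set, so an on-path attacker could serve stale or filtered package lists and freeze or roll back what the minion installs. Either distribute the manager's CA and set `sslcacert=` in the stanza, or at minimum add `echo "repo_gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo` (the manager must then publish a signed repomd.xml). Neither stanza sets `gpgkey=`, so `gpgcheck=1` relies on the Security Onion signing key already being in the rpmdb — confirm that import happens before the first `yum install`. In `repo_sync_local` the bare `reposync ...` call is neither logged nor checked, so a partial mirror still reaches `create_repo`; `reposync ... || exit 1` (matching the `|| exit 1` idiom used elsewhere in this file) would abort instead of producing a broken local repo. `saltify` also drops the explicit 3004.2 pin and `yum versionlock salt*` that the removed code enforced, so the installed Salt version is now whatever the mirror carries — acceptable if the repo is curated, but the new assumption deserves a comment.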
@@ -2391,45 +2076,11 @@ secrets_pillar(){
 " playbook_db: $PLAYBOOKDBPASS"\
 " playbook_admin: $PLAYBOOKADMINPASS"\
 " playbook_automation: $PLAYBOOKAUTOMATIONPASS"\
- " grafana_admin: $GRAFANAPASS"\
- " fleet: $FLEETPASS"\
- " fleet_sa_email: service.account@securityonion.invalid"\
- " fleet_sa_password: $FLEETSAPASS"\
- " fleet_jwt: $FLEETJWT"\
- " fleet_enroll-secret: False" > $local_salt_dir/pillar/secrets.sls
+ " playbook_automation_api_key: "\
+ " grafana_admin: $GRAFANAPASS" > $local_salt_dir/pillar/secrets.sls
 fi
 }
-securityonion_repo() {
- # Remove all the current repos
- if [[ $is_centos ]]; then
- if [[ "$INTERWEBS" == "AIRGAP" ]]; then
- echo "This is airgap I don't need to add this repo"
- else
- if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then
- local repo_conf_file="../salt/repo/client/files/centos/securityonioncache.repo"
- else
- local repo_conf_file="../salt/repo/client/files/centos/securityonion.repo"
- fi
- # need to yum clean all before repo conf files are removed or clean,cleans nothing
- logCmd "yum -v clean all"
- logCmd "mkdir -vp /root/oldrepos"
- logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/"
- logCmd "ls -la /etc/yum.repos.d/"
- logCmd "cp -f $repo_conf_file /etc/yum.repos.d/"
- logCmd "yum repolist all"
- # update this package because the repo config files get added back
- # if the package is updated when the update_packages function is called
- logCmd "yum -v -y update centos-release"
- echo "Backing up the .repo files that were added by the centos-release package."
- logCmd "find /etc/yum.repos.d/ -type f -not -name 'securityonion*repo' -print0 | xargs -0 -I {} mv -bvf {} /root/oldrepos/"
- logCmd "yum repolist all"
- fi
- else
- echo "This is Ubuntu"
- fi
-}
-
 set_network_dev_status_list() {
 readarray -t nmcli_dev_status_list <<< "$(nmcli -t -f DEVICE,STATE -c no dev status)"
 export nmcli_dev_status_list
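Review bot: The new `playbook_automation_api_key: ` line is written with an empty value, which YAML loads as null rather than an empty string, so whatever later reads `secrets:playbook_automation_api_key` must cope with `None` or the line should carry an explicit `''`. Presumably a post-setup step fills it in once Playbook is initialised — confirm, and record it with a comment such as `# playbook_automation_api_key is populated after Playbook initialises`. This pillar holds every service password, and the redirect `> $local_salt_dir/pillar/secrets.sls` creates the file under the default umask; unless permissions are tightened elsewhere, wrapping the write in `(umask 077; printf ... > "$local_salt_dir/pillar/secrets.sls")` or following it with `chmod 600` would be appropriate. `secrets_pillar` begins before this hunk.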
@@ -2465,6 +2116,22 @@ set_path() {
 echo "complete -cf sudo" >> /etc/profile.d/securityonion.sh
 }
+set_minion_info() {
+ short_name=$(echo "$HOSTNAME" | awk -F. '{print $1}')
+
+ if [[ $is_analyst ]]; then
+ MINION_ID=$(echo "${short_name}_workstation" | tr '[:upper:]' '[:lower:]')
+ fi
+ if [[ ! $is_analyst ]]; then
+ MINION_ID=$(echo "${short_name}_${install_type}" | tr '[:upper:]' '[:lower:]')
+ fi
+ export MINION_ID
+
+ echo "MINION_ID = $MINION_ID" >> $setup_log 2>&1
+
+ minion_type=$(get_minion_type)
+}
+
 set_proxy() {
 # Don't proxy localhost, local ip, and management ip
@@ -2590,45 +2257,6 @@ set_ssh_cmds() {
 fi
 }
-sensor_pillar() {
-
- local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls
-
- # Create the sensor pillar
- printf '%s\n'\
- "sensor:"\
- " interface: '$INTERFACE'"\
- " mainip: '$MAINIP'"\
- " mainint: '$MNIC'" >> "$pillar_file"
-
- if [ "$NSMSETUP" = 'ADVANCED' ]; then
- echo " zeek_pins:" >> "$pillar_file"
- for PIN in "${ZEEKPINS[@]}"; do
- PIN=$(echo "$PIN" | cut -d\" -f2)
- echo " - $PIN" >> "$pillar_file"
- done
- echo " suripins:" >> "$pillar_file"
- for SPIN in "${SURIPINS[@]}"; do
- SPIN=$(echo "$SPIN" | cut -d\" -f2)
- echo " - $SPIN" >> "$pillar_file"
- done
- elif [ "$install_type" = 'HELIXSENSOR' ]; then
- echo " zeek_lbprocs: $lb_procs" >> "$pillar_file"
- echo " suriprocs: $lb_procs" >> "$pillar_file"
- else
- echo " zeek_lbprocs: $BASICZEEK" >> "$pillar_file"
- echo " suriprocs: $BASICSURI" >> "$pillar_file"
- fi
- printf '%s\n'\
- " manager: '$MSRV'"\
- " mtu: $MTU"\
- " uniqueid: $(date '+%s')" >> "$pillar_file"
- if [ "$HNSENSOR" != 'inherit' ]; then
- echo " hnsensor: $HNSENSOR" >> "$pillar_file"
- fi
-
-}
-
 set_default_log_size() {
 local percentage
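Review bot: `set_minion_info` builds `MINION_ID` from the bash `$HOSTNAME` variable, which is fixed when the shell starts; if `set_hostname` (defined later in this file) has changed the system hostname earlier in the same run, the minion id is derived from the stale pre-change name. Reading the live value with `short_name=$(hostname -s)` avoids that. The id is also not validated, so a hostname with characters Salt does not accept in a minion id only fails at first check-in rather than here. `MINION_ID` is exported but `minion_type=$(get_minion_type)` is not; if any later step runs in a subshell and expects `minion_type`, that asymmetry is worth a comment or an `export` — `get_minion_type` is outside this hunk, so confirm.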
@@ -2672,31 +2300,18 @@ set_hostname() { set_initial_firewall_policy() { - if [ -f $default_salt_dir/pillar/data/addtotab.sh ]; then chmod +x $default_salt_dir/pillar/data/addtotab.sh; fi if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi case "$install_type" in 'MANAGER') $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost minion "$MAINIP" - $default_salt_dir/pillar/data/addtotab.sh managertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" - case "$install_type" in - 'EVAL') - $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" "$INTERFACE" True - ;; - 'MANAGERSEARCH') - $default_salt_dir/pillar/data/addtotab.sh managersearchtab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" - ;; - 'STANDALONE') - $default_salt_dir/pillar/data/addtotab.sh standalonetab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" "$INTERFACE" - ;; - esac ;; 'HELIXSENSOR') $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" 
@@ -2708,17 +2323,13 @@ set_initial_firewall_policy() { case "$install_type" in 'SENSOR') $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP" - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" "$INTERFACE" ;; 'SEARCHNODE') $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'HEAVYNODE') $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost heavy_node "$MAINIP" - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" "$INTERFACE" - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'FLEET') $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP" 
@@ -2728,7 +2339,6 @@ set_initial_firewall_policy() {
 ;;
 'RECEIVER')
 $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost receiver "$MAINIP"
- $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh receiverstab "$MINION_ID" "$MAINIP"
 esac
 ;;
 'PARSINGNODE')
@@ -2768,21 +2378,6 @@ set_management_interface() {
 fi
 }
-set_node_type() {
-
- case "$install_type" in
- 'SEARCHNODE' | 'EVAL' | 'MANAGERSEARCH' | 'HEAVYNODE' | 'STANDALONE')
- NODETYPE='search'
- ;;
- 'HOTNODE')
- NODETYPE='hot'
- ;;
- 'WARMNODE')
- NODETYPE='warm'
- ;;
- esac
-}
-
 set_redirect() {
 case $REDIRECTINFO in
 'IP')
@@ -2834,17 +2429,6 @@ so_add_user() {
 fi
 }
-steno_pillar() {
-
- local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls
-
- # Create the stenographer pillar
- printf '%s\n'\
- "steno:"\
- " enabled: True" >> "$pillar_file"
-
-}
-
 update_sudoers_for_testing() {
 if [ -n "$TESTING" ]; then
 info "Ensuring $INSTALLUSERNAME has password-less sudo access for automated testing purposes."
@@ -2869,6 +2453,7 @@ update_packages() {
 if [[ $is_centos ]]; then
 logCmd "yum repolist"
 logCmd "yum -y update --exclude=salt*,wazuh*,docker*,containerd*"
+ logCmd "yum -y install yum-utils"
 else
 retry 50 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1
 retry 50 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1
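Review bot: The `--exclude=salt*,wazuh*,docker*,containerd*` list in `update_packages` still excludes `wazuh*`, while other hunks of this commit delete the Wazuh backup in `reinstall_init` and the Wazuh key and repo URLs from so-preflight; if Wazuh is indeed gone, the pattern is harmless but misleading and `--exclude=salt*,docker*,containerd*` would reflect the new state. The added `logCmd "yum -y install yum-utils"` also duplicates the conditional `yum -y install yum-utils createrepo` in `repo_sync_local`; a comment such as `# yum-utils is needed unconditionally (yum-config-manager/reposync used later in setup)` would explain why it is installed here regardless of role. `update_packages` begins before this hunk.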
@@ -2920,23 +2505,11 @@ wait_for_salt_minion() { retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$setup_log" 2>&1 || exit 1 } -write_out_idh_services() { - local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls - - printf '%s\n'\ - "idh:"\ - " restrict_management_ip: $IDHMGTRESTRICT"\ - " services:" >> "$pillar_file" - for service in ${idh_services[@]}; do - echo " - $service" | tr '[:upper:]' '[:lower:]' >> "$pillar_file" - done -} - # Enable Zeek Logs zeek_logs_enabled() { echo "Enabling Zeek Logs" >> "$setup_log" 2>&1 - local zeeklogs_pillar=$local_salt_dir/pillar/zeeklogs.sls + local zeeklogs_pillar=$local_salt_dir/pillar/zeek/zeeklogs.sls printf '%s\n'\ "zeeklogs:"\ diff --git a/setup/so-preflight b/setup/so-preflight index d1fd89b6e..59c78c70b 100755 --- a/setup/so-preflight +++ b/setup/so-preflight @@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . cd "$(dirname "$0")" || exit 255 
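Review bot: `zeek_logs_enabled` now targets `$local_salt_dir/pillar/zeek/zeeklogs.sls`, a subdirectory the previous flat path did not require, and nothing in the hunk creates it; unless another step makes the directory first, the redirect fails with "No such file or directory" and the Zeek log pillar is silently absent. Adding `mkdir -p "$local_salt_dir/pillar/zeek"` immediately before the `printf` makes the function self-contained. The remainder of the function, including the redirect itself, runs past the end of this hunk.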
@@ -87,8 +78,6 @@ check_new_repos() { "https://download.docker.com/linux/centos/docker-ce.repo" "https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub" "https://download.docker.com/linux/ubuntu/gpg" - "https://packages.wazuh.com/key/GPG-KEY-WAZUH" - "https://packages.wazuh.com/3.x/yum/" ) else local ubuntu_version @@ -97,8 +86,6 @@ check_new_repos() { "https://download.docker.com/linux/ubuntu/gpg" "https://download.docker.com/linux/ubuntu" "https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/SALTSTACK-GPG-KEY.pub" - "https://packages.wazuh.com/key/GPG-KEY-WAZUH" - "https://packages.wazuh.com" ) fi diff --git a/setup/so-setup b/setup/so-setup index 12209f2ad..84d22c0fa 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . # Make sure you are root before doing anything uid="$(id -u)" 
@@ -49,6 +40,7 @@ setup_type=$1 automation=$2 WHATWOULDYOUSAYYAHDOHERE=setup +# This is for automation while [[ $# -gt 0 ]]; do arg="$1" shift @@ -70,32 +62,35 @@ while [[ $# -gt 0 ]]; do esac done +# Let's see what OS we are dealing with here detect_os + +# Check to see if this is the setup type of "analyst". is_analyst= if [ "$setup_type" = 'analyst' ]; then - is_analyst=true - # Check to see if this is an ISO - if [ -d /root/SecurityOnion ]; then - is_analyst_iso=true - fi + is_analyst=true + # Check to see if this is an ISO. Usually this dir on exists on ISO installs. + if [ -d /root/SecurityOnion ]; then + is_analyst_iso=true + fi fi +# Make sure if ISO is specified that we are dealing with CentOS or Rocky if [[ "$setup_type" == 'iso' ]]; then - if [[ $is_centos ]]; then + if [[ $is_centos || $is_rocky ]]; then is_iso=true else - echo "Only use 'so-setup iso' for an ISO install on CentOS. Please run 'so-setup network' instead." + echo "Only use 'so-setup iso' for an ISO install on Security Onion ISO images. Please run 'so-setup network' instead." exit 1 fi fi # Check to see if this is an analyst install. If it is let's run things differently - if [[ $is_analyst ]]; then - # Make sure it's CentOS + # Make sure it's CentOS or Rocky Linux if [[ ! $is_centos ]]; then - echo "Analyst Workstation is only supported on CentOS 7" + echo "Analyst Workstation is only supported on CentOS 7 or Rocky Linux 8" exit 1 fi @@ -132,8 +127,6 @@ if [[ $is_analyst ]]; then is_minion=true fi - - if ! [ -f $install_opt_file ] && [ -d /root/manager_setup/securityonion ] && [[ $(pwd) != /root/manager_setup/securityonion/setup ]]; then exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" @@ -147,6 +140,7 @@ if [[ -f /root/accept_changes ]]; then [ -f "$error_log" ] && mv "$error_log" "$error_log.bak" fi +# Figure out the user id that is running the install parse_install_username if ! [ -f $install_opt_file ]; then 
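Review bot: The analyst platform check is now inconsistent: the message reads "Analyst Workstation is only supported on CentOS 7 or Rocky Linux 8", but the guard is still `if [[ ! $is_centos ]]`, so a Rocky host is rejected with a message claiming it is supported. The ISO branch a few lines above already tests `$is_centos || $is_rocky`; mirror it with `if [[ ! ( $is_centos || $is_rocky ) ]]; then`. This assumes `detect_os` sets `is_rocky` — it is read in this hunk but defined outside it.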
@@ -166,7 +160,10 @@ catch() { whiptail_setup_failed exit 1 } + automated=no + +# Add the progress function for manager node type installs progress() { local msg=${1:-'Please wait while installing...'} @@ -177,6 +174,7 @@ progress() { fi } +# If using automation let's do automation things. if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then echo "Preselecting variable values based on automated setup: $automation" >> $setup_log 2>&1 source automation/$automation @@ -208,6 +206,7 @@ if [[ -f automation/$automation && $(basename $automation) == $automation ]]; th fi fi +# Make sure the setup type is suppoted. case "$setup_type" in iso | network | analyst) # Accepted values echo "Beginning Security Onion $setup_type install" >> $setup_log 2>&1 @@ -218,13 +217,11 @@ case "$setup_type" in ;; esac -#set ssh commands that will be used based on if this is an automated test install or not -set_ssh_cmds $automated - # Allow execution of SO tools during setup local_sbin="$(pwd)/../salt/common/tools/sbin" export PATH=$PATH:$local_sbin +# Ubuntu whiptail pallete to make it look the same as CentOS and Rocky. set_palette >> $setup_log 2>&1 # Kernel messages can overwrite whiptail screen #812 @@ -248,6 +245,7 @@ if [ "$automated" == no ]; then fi fi +# Begin prompting the user with whiptail. if ! [[ -f $install_opt_file ]]; then if (whiptail_you_sure); then true @@ -255,7 +253,9 @@ if ! [[ -f $install_opt_file ]]; then echo "User cancelled setup." | tee -a "$setup_log" whiptail_cancel fi + # If this is an analyst install lets streamline the process. if [[ $is_analyst ]]; then + # Prompt for hostname collect_hostname if [[ $is_analyst_iso ]]; then # Prompt Network Setup 
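Review bot: Removing `set_ssh_cmds $automated` here leaves `$sshcmd` and `$scpcmd` unset unless something else now calls `set_ssh_cmds`; `set_initial_firewall_policy` still runs `$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo ...` for every distributed role, and with an empty `sshcmd` the shell would try to execute `-i` locally instead of reaching the manager. If the call moved into the new per-role prompt flow, a comment at the removal point (`# ssh/scp commands are set in set_minion_info / per-role setup`) would make that clear; otherwise the call should be restored. `set_ssh_cmds` itself is still defined in so-functions (its tail appears as context in an earlier hunk), so only the invocation is in question.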
@@ -273,10 +273,12 @@ if ! [[ -f $install_opt_file ]]; then if [[ ! $is_analyst_iso ]]; then # This should be a network install whiptail_network_notice + # Warn about the dangers of DHCP whiptail_dhcp_warn whiptail_management_nic fi whiptail_network_init_notice + # Initializing the network based on the previous information network_init printf '%s\n' \ "MNIC=$MNIC" \ @@ -285,8 +287,7 @@ if ! [[ -f $install_opt_file ]]; then compare_main_nic_ip fi - - if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then + if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then whiptail_first_menu_iso if [[ $option == "CONFIGURENETWORK" ]]; then collect_hostname 
@@ -310,846 +311,291 @@ else source $install_opt_file fi -if [ "$install_type" = 'EVAL' ]; then - is_node=true - is_manager=true - is_sensor=true - is_eval=true - STRELKARULES=1 -elif [ "$install_type" = 'STANDALONE' ]; then - is_manager=true - is_distmanager=true - is_node=true - is_sensor=true -elif [ "$install_type" = 'MANAGERSEARCH' ]; then - is_manager=true - is_distmanager=true - is_node=true -elif [ "$install_type" = 'MANAGER' ]; then - is_manager=true - is_distmanager=true -elif [ "$install_type" = 'SENSOR' ]; then - is_sensor=true - is_minion=true -elif [[ "$install_type" =~ ^('SEARCHNODE'|'HOTNODE'|'WARMNODE')$ ]]; then - is_node=true - is_minion=true -elif [ "$install_type" = 'HEAVYNODE' ]; then - is_node=true - is_minion=true - is_sensor=true -elif [ "$install_type" = 'FLEET' ]; then - is_minion=true - is_fleet_standalone=true - OSQUERY=1 -elif [ "$install_type" = 'IDH' ]; then - is_minion=true - is_idh=true - IDH=1 -elif [ "$install_type" = 'HELIXSENSOR' ]; then - is_helix=true -elif [ "$install_type" = 'IMPORT' ]; then - is_import=true -elif [ "$install_type" = 'RECEIVER' ]; then - is_minion=true - is_receiver=true -elif [ "$install_type" = 'ANALYST' ]; then - if [ "$setup_type" != 'analyst' ]; then - exec bash so-setup analyst - fi -fi - -if [[ $is_manager || $is_import ]]; then - check_elastic_license -fi +# Process the install type +process_installtype +# If this is not an automated install prompt if ! [[ -f $install_opt_file ]]; then - if [[ $is_manager && $is_sensor ]]; then - check_requirements "standalone" - elif [[ $is_fleet_standalone ]]; then - check_requirements "dist" "fleet" - elif [[ $is_idh ]]; then - check_requirements "dist" "idh" - elif [[ $is_sensor && ! $is_eval ]]; then - check_requirements "dist" "sensor" - elif [[ $is_distmanager || $is_minion ]] && [[ ! 
( $is_import || $is_analyst ) ]]; then - check_requirements "dist" - elif [[ $is_import ]]; then - check_requirements "import" - fi - [[ -f $net_init_file ]] && whiptail_net_reinit && reinit_networking=true - - if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then - collect_hostname - fi - - [[ ! ( $is_eval || $is_import ) ]] && whiptail_node_description - - if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then - network_init_whiptail - else - source "$net_init_file" - fi - - if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then - whiptail_network_init_notice - network_init - fi - - set_main_ip - compare_main_nic_ip - - if [[ $is_minion ]]; then + # If you are a manager ask ALL the manager things here. I know there is code re-use but this makes it easier to add new roles. + if [[ $is_eval ]]; then + waitforstate=true + monints=true + check_elastic_license + check_requirements "manager" + networking_needful + whiptail_airgap + detect_cloud + set_minion_info + set_default_log_size >> $setup_log 2>&1 + echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 + check_network_manager_conf + set_network_dev_status_list + whiptail_sensor_nics + calculate_useable_cores + collect_webuser_inputs + get_redirect + collect_ntp_servers + collect_so_allow + whiptail_end_settings + # Start the install + elif [[ $is_standalone ]]; then + waitforstate=true + monints=true + check_elastic_license + check_requirements "manager" + networking_needful + whiptail_airgap + detect_cloud + set_minion_info + set_default_log_size >> $setup_log 2>&1 + echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 + check_network_manager_conf + set_network_dev_status_list + whiptail_sensor_nics + calculate_useable_cores + collect_webuser_inputs + get_redirect + collect_ntp_servers + collect_so_allow + whiptail_end_settings + elif [[ $is_manager ]]; then + check_elastic_license + 
waitforstate=true + check_requirements "manager" + networking_needful + whiptail_airgap + detect_cloud + set_default_log_size >> $setup_log 2>&1 + echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 + check_network_manager_conf + set_network_dev_status_list + calculate_useable_cores + collect_webuser_inputs + get_redirect + collect_ntp_servers + collect_so_allow + whiptail_end_settings + elif [[ $is_managersearch ]]; then + check_elastic_license + waitforstate=true + check_requirements "manager" + networking_needful + whiptail_airgap + detect_cloud + set_default_log_size >> $setup_log 2>&1 + echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 + check_network_manager_conf + set_network_dev_status_list + calculate_useable_cores + collect_webuser_inputs + get_redirect + collect_ntp_servers + collect_so_allow + whiptail_end_settings + elif [[ $is_sensor ]]; then + monints=true + check_requirements "sensor" + calculate_useable_cores + networking_needful + check_network_manager_conf + set_network_dev_status_list collect_mngr_hostname add_mngr_ip_to_hosts - whiptail_ssh_key_copy_notice - copy_ssh_key >> $setup_log 2>&1 - fi - - if [[ $is_idh ]]; then - collect_idh_services - collect_idh_preferences - fi - - # Check if this is an airgap install - if [[ ( $is_manager || $is_import) && $is_iso ]]; then - whiptail_airgap - if [[ "$INTERWEBS" == 'AIRGAP' ]]; then - is_airgap=true - fi - elif [[ $is_minion && ( $is_iso || $is_analyst ) ]]; then - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" [[ -f /etc/yum.repos.d/airgap_repo.repo ]] >> $setup_log 2>&1 - airgap_check=$? - [[ $airgap_check == 0 ]] && is_airgap=true >> $setup_log 2>&1 - fi - - reset_proxy - if [[ -z $is_airgap ]]; then - collect_net_method - [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 - fi - - if [[ $is_minion ]] && ! 
(compare_versions); then - info "Installer version mismatch, downloading correct version from manager" - printf '%s\n' \ - "install_type=$install_type" \ - "MNIC=$MNIC" \ - "HOSTNAME=$HOSTNAME" \ - "MSRV=$MSRV" \ - "MSRVIP=$MSRVIP" \ - "is_airgap=$is_airgap" \ - "NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file" - [[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file" - download_repo_tarball - exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" - fi -else - rm -rf $install_opt_file >> "$setup_log" 2>&1 -fi - -if [[ -z $is_airgap ]]; then - percentage=0 - { - installer_progress_loop 'Running preflight checks...' & - progress_bg_proc=$! - ./so-preflight true "$setup_log" >> $setup_log 2>&1 - preflight_ret=$? - echo "$preflight_ret" > /tmp/preflight_ret - kill -9 "$progress_bg_proc" - wait "$progress_bg_proc" &> /dev/null - } | progress '...' - [[ -f /tmp/preflight_ret ]] && preflight_ret=$(cat /tmp/preflight_ret) - rm /tmp/preflight_ret - if [[ -n $preflight_ret && $preflight_ret -gt 0 ]] && ! ( whiptail_preflight_err ); then - whiptail_cancel - fi -fi - -percentage=0 -{ - installer_progress_loop 'Checking that all required packages are installed and enabled...' & # Run progress bar to 98 in ~8 minutes while waiting for package installs - progress_bg_proc=$! - installer_prereq_packages - install_success=$? - kill -9 "$progress_bg_proc" - wait "$progress_bg_proc" &> /dev/null # Kill just sends signal, redirect output of wait to catch stdout - if [[ $install_success -gt 0 ]]; then - echo "Could not install packages required for setup, exiting now." >> "$setup_log" 2>&1 - kill -SIGUSR1 "$setup_proc"; exit 1 - fi -} | progress '...' - -detect_cloud - -short_name=$(echo "$HOSTNAME" | awk -F. '{print $1}') - -if [[ $is_analyst ]]; then - MINION_ID=$(echo "${short_name}_workstation" | tr '[:upper:]' '[:lower:]') -fi -if [[ ! 
$is_analyst ]]; then - MINION_ID=$(echo "${short_name}_${install_type}" | tr '[:upper:]' '[:lower:]') -fi -export MINION_ID - -echo "MINION_ID = $MINION_ID" >> $setup_log 2>&1 - -minion_type=$(get_minion_type) - -# Set any variables needed -set_default_log_size >> $setup_log 2>&1 - -if [[ $is_helix ]]; then - RULESETUP=${RULESETUP:-ETOPEN} - NSMSETUP=${NSMSETUP:-BASIC} - HNSENSOR=${HNSENSOR:-inherit} - MANAGERUPDATES=${MANAGERUPDATES:-0} -fi - -if [[ $is_helix || ( $is_manager && $is_node ) ]]; then - RULESETUP=${RULESETUP:-ETOPEN} - NSMSETUP=${NSMSETUP:-BASIC} -fi - -if [[ $is_manager && $is_node ]]; then - LSPIPELINEWORKERS=${LSPIPELINEWORKERS:-1} - LSPIPELINEBATCH=${LSPIPELINEBATCH:-125} - LSINPUTTHREADS=${LSINPUTTHREADS:-1} - LSPIPELINEWORKERS=${LSPIPELINEBATCH:-125} - NIDS=${NIDS:-Suricata} - ZEEKVERSION=${ZEEKVERSION:-ZEEK} -fi - -if [[ $is_import ]]; then - PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-auto} - MTU=${MTU:-1500} - RULESETUP=${RULESETUP:-ETOPEN} - NSMSETUP=${NSMSETUP:-BASIC} - HNSENSOR=${HNSENSOR:-inherit} - MANAGERUPDATES=${MANAGERUPDATES:-0} - MANAGERADV=${MANAGERADV:-BASIC} - INTERFACE=${INTERFACE:-bond0} - ZEEKVERSION=${ZEEKVERSION:-ZEEK} - NIDS=${NIDS:-Suricata} - RULESETUP=${RULESETUP:-ETOPEN} - GRAFANA=${GRAFANA:-0} - OSQUERY=${OSQUERY:-0} - WAZUH=${WAZUH:-0} - PLAYBOOK=${PLAYBOOK:-0} -fi - -if [[ $is_airgap ]]; then - PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-manual} - [[ ! $is_minion ]] && MANAGERUPDATES=${MANAGERUPDATES:-0} || MANAGERUPDATES=${MANAGERUPDATES:-1} -fi - -# Start user prompts - -if [[ $is_helix ]]; then - collect_helix_key -fi - -if [[ $is_helix || $is_sensor ]]; then - echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 - check_network_manager_conf - set_network_dev_status_list - whiptail_sensor_nics -fi - -if [[ $is_helix || $is_sensor || $is_import ]]; then - calculate_useable_cores -fi - -if [[ ! $is_airgap && ! 
$is_import ]]; then - collect_patch_schedule -fi - -if [[ $is_helix || $is_manager || $is_import ]]; then - collect_homenet_mngr -fi - -#set base elasticsearch heap size -if [[ $is_helix || $is_manager || $is_node || $is_import ]]; then - es_heapsize -fi - -#set base logstash heap size -if [[ $is_helix || $is_manager || $is_node || $is_import || $is_receiver ]]; then - ls_heapsize -fi - -if [[ $is_manager && ! $is_eval ]]; then - whiptail_manager_adv - if [ "$MANAGERADV" = 'ADVANCED' ]; then - if [ "$install_type" = 'MANAGER' ] || [ "$install_type" = 'MANAGERSEARCH' ]; then - collect_es_cluster_name - fi - fi - - whiptail_metadata_tool - - [[ $MANAGERADV == "ADVANCED" ]] && [[ $ZEEKVERSION == "ZEEK" ]] && whiptail_manager_adv_service_zeeklogs - - # Don't run this function for now since Snort is not yet supported - # whiptail_nids - NIDS=Suricata - whiptail_rule_setup - - if [ "$RULESETUP" != 'ETOPEN' ]; then - collect_oinkcode - fi -fi - -if [[ $is_manager ]]; then - whiptail_enable_components - - if [[ "$STRELKA" = 1 ]]; then - info "Enabling Strelka rules" - STRELKARULES=1 - else - info "Disabling Strelka rules: STRELKA='$STRELKA'" - fi - - collect_dockernet -fi - -if [[ $is_manager || $is_import ]]; then - collect_webuser_inputs - get_redirect -fi - -if [[ $is_distmanager ]]; then - collect_soremote_inputs -fi - -if [[ $is_sensor && ! $is_eval ]]; then - [[ $is_manager ]] || collect_homenet_snsr - whiptail_sensor_config - if [ $NSMSETUP == 'ADVANCED' ]; then - if [[ $is_manager ]]; then - [[ $ZEEKVERSION == "ZEEK" ]] && whiptail_zeek_pins - else - whiptail_zeek_pins - fi + check_manager_connection + detect_cloud + whiptail_sensor_nics + set_minion_info + whiptail_end_settings - whiptail_suricata_pins - collect_mtu - else - if [[ $is_node && $is_sensor && ! 
$is_eval ]]; then - PROCS=$(( lb_procs / 2 )) - if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi - else - PROCS=$lb_procs + elif [[ $is_searchnode ]]; then + check_requirements "elasticsearch" + networking_needful + check_network_manager_conf + set_network_dev_status_list + collect_mngr_hostname + add_mngr_ip_to_hosts + check_manager_connection + detect_cloud + set_minion_info + whiptail_end_settings + + elif [[ $is_heavynode ]]; then + monints=true + check_requirements "heavynode" + calculate_useable_cores + networking_needful + collect_mngr_hostname + add_mngr_ip_to_hosts + check_manager_connection + whiptail_end_settings + + elif [[ $is_idh ]]; then + check_requirements "idh" + networking_needful + collect_mngr_hostname + add_mngr_ip_to_hosts + check_manager_connection + whiptail_end_settings + + elif [[ $is_import ]]; then + check_requirements "import" + networking_needful + collect_mngr_hostname + add_mngr_ip_to_hosts + check_manager_connection + whiptail_end_settings + + elif [[ $is_receiver ]]; then + check_requirements "receiver" + networking_needful + collect_mngr_hostname + add_mngr_ip_to_hosts + check_manager_connection + whiptail_end_settings + fi + + if [[ $waitforstate ]]; then + percentage=0 + es_heapsize + ls_heapsize + set_redirect + # Generate Interface Vars + generate_interface_vars + if [[ $monints ]]; then + configure_network_sensor fi - - if [[ $is_manager ]]; then - [[ $ZEEKVERSION == "ZEEK" ]] && collect_zeek - else - collect_zeek + # Configure NTP + echo "Configuring NTP" + [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 + # Reserve the ports that SO needs + echo "Reserving ports" + reserve_ports + echo "Setting Paths" + # Set the paths + set_path + echo "Checking if this is a re-install" + # Check to see if its a reinstall. 
THIS NEEDS REVIEW + if [[ $is_reinstall ]]; then + reinstall_init fi - - collect_suri - fi -fi - -[[ ( $is_iso || $is_analyst ) ]] && collect_ntp_servers - -if [[ ($is_node || $is_receiver) && ! $is_eval ]]; then - whiptail_node_advanced - if [ "$NODESETUP" == 'NODEADVANCED' ]; then - if [[ ! $is_receiver ]]; then - collect_node_es_heap - collect_es_space_limit - fi - collect_node_ls_heap - collect_node_ls_pipeline_worker_count - collect_node_ls_pipeline_batch_size - collect_node_ls_input - else - if [[ ! $is_receiver ]]; then - NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE - fi - NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE - LSPIPELINEWORKERS=$num_cpu_cores - LSPIPELINEBATCH=125 - LSINPUTTHREADS=1 - fi -fi - -if [ "$install_type" == 'FLEET' ]; then - collect_fleetuser_inputs - collect_fleet_custom_hostname_inputs -else - FLEETNODEUSER=$WEBUSER - FLEETNODEPASSWD1=$WEBPASSWD1 -fi - -if [[ $is_manager || $is_import ]]; then collect_so_allow; fi - -# This block sets REDIRECTIT which is used by a function outside the below subshell -set_redirect >> $setup_log 2>&1 - -if [[ $is_minion ]] && ! check_manager_state; then - echo "Manager was not in a good state" >> "$setup_log" 2>&1 - whiptail_manager_error -fi - -whiptail_end_settings - -# From here on changes will be made. -echo "1" > /root/accept_changes - - -# Begin install -{ - # Set initial percentage to 0 - export percentage=0 - - # Show initial progress message - set_progress_str 0 'Running initial configuration steps' - - [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 - - if [[ ! $is_analyst ]]; then - reserve_ports - fi - - set_path - - if [[ $is_reinstall ]]; then - reinstall_init - fi - - disable_auto_start - - { - mark_version; - clear_manager; - } >> $setup_log 2>&1 - - - if [[ $is_manager || $is_import ]]; then - { - generate_passwords; - secrets_pillar; - } >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_import || $is_helix ]]; then - add_socore_user_manager >> $setup_log 2>&1 - fi - - if [[ $is_manager && ! 
$is_eval ]]; then - add_soremote_user_manager >> $setup_log 2>&1 - fi - if [[ ! $is_analyst ]]; then - host_pillar >> $setup_log 2>&1 - fi - if [[ $is_analyst ]]; then - analyst_workstation_pillar - fi - ntp_pillar >> $setup_log 2>&1 - - - if [[ $is_minion || $is_import ]]; then - set_updates >> $setup_log 2>&1 - fi - - if [[ ( $is_manager || $is_import ) && $is_airgap ]]; then - info "Creating airgap repo" - create_repo >> $setup_log 2>&1 - airgap_rules >> $setup_log 2>&1 - fi - - if [[ $is_minion ]]; then - set_progress_str 1 'Configuring firewall' - set_initial_firewall_policy >> $setup_log 2>&1 - fi - - set_progress_str 2 'Updating packages' - # Import the gpg keys - gpg_rpm_import >> $setup_log 2>&1 - info "Disabling fastestmirror" - [[ $is_centos ]] && disable_fastestmirror - if [[ ! $is_airgap ]]; then - securityonion_repo >> $setup_log 2>&1 - update_packages >> $setup_log 2>&1 - else - airgap_repo >> $setup_log 2>&1 - fi - - if [[ $is_sensor || $is_helix || $is_import ]]; then - set_progress_str 3 'Generating sensor pillar' - generate_sensor_vars - sensor_pillar >> $setup_log 2>&1 - if [[ $is_sensor || $is_helix ]]; then - steno_pillar >> $setup_log - fi - fi - - if [[ $is_sensor || $is_helix ]]; then - set_progress_str 4 'Configuring sensor interface' - configure_network_sensor >> $setup_log 2>&1 - fi - - set_progress_str 5 'Installing Salt and dependencies' - saltify 2>> $setup_log - - if [[ ! $is_analyst ]]; then - set_progress_str 6 'Installing Docker and dependencies' - docker_install >> $setup_log 2>&1 - fi - - set_progress_str 7 'Generating patch pillar' - patch_pillar >> $setup_log 2>&1 - - set_progress_str 8 'Initializing Salt minion' - configure_minion "$minion_type" >> $setup_log 2>&1 - - if [[ ! 
$is_analyst ]]; then - check_sos_appliance >> $setup_log 2>&1 - fi - - update_sudoers_for_testing >> $setup_log 2>&1 - - if [[ $is_manager || $is_helix || $is_import ]]; then - set_progress_str 9 'Configuring Salt master' - { - create_local_directories; - addtotab_generate_templates; - copy_salt_master_config; - setup_salt_master_dirs; - firewall_generate_templates; - } >> $setup_log 2>&1 + echo "Disable auto start of setup" + # Disable the setup from prompting at login + disable_auto_start + echo "Setting the version" + # Set the version + mark_version + echo "Clearing the old manager" + # Remove old manager if re-install + clear_manager + echo "Generating Secrets" + # Generate passwords + generate_passwords + echo "Populating the secrets pillar" + # Create the secrets pillar + secrets_pillar + echo "Add socore user" + # Add the socore user + add_socore_user_manager - set_progress_str 10 'Updating sudoers file for soremote user' - update_sudoers >> $setup_log 2>&1 - - set_progress_str 11 'Generating manager global pillar' - #minio_generate_keys - manager_global >> $setup_log 2>&1 - - set_progress_str 12 'Generating manager pillar' - manager_pillar >> $setup_log 2>&1 - zeek_logs_enabled >> $setup_log 2>&1 - fi - - set_progress_str 16 'Running first Salt checkin' - salt_firstcheckin >> $setup_log 2>&1 + create_local_directories + setup_salt_master_dirs + create_manager_pillars - if [[ $is_helix ]]; then - set_progress_str 17 'Generating the FireEye pillar' - fireeye_pillar >> $setup_log 2>&1 - fi - - if [[ $is_node ]]; then - set_progress_str 18 'Setting node type' - set_node_type >> $setup_log 2>&1 + echo "Generating the minion pillar" + # Create the minion defaults - if ! 
[[ $is_manager || $is_helix ]]; then - set_progress_str 19 'Generating search node pillar' - elasticsearch_pillar >> $setup_log 2>&1 + export NODETYPE=$install_type + export MINION_ID=$MINION_ID + export ES_HEAP_SIZE=$ES_HEAP_SIZE + export IDHMGTRESTRICT=$IDHMGTRESTRICT + export idh_services=$idh_services + export MNIC=$MNIC + export NODE_DESCRIPTION=$NODE_DESCRIPTION + export MAINIP=$MAINIP + export PATCHSCHEDULENAME=$PATCHSCHEDULENAME + export INTERFACE="bond0" + so-minion -o=setup + echo "Creating Global SLS" + + if [[ $is_airgap ]]; then + # Airgap Rules + airgap_rules fi - fi - if [[ ($is_node || $is_receiver) && !($is_manager || $is_helix) ]]; then - set_progress_str 19 'Generating logstash pillar' - logstash_pillar >> $setup_log 2>&1 - fi + manager_pillar - if [[ $is_idh ]]; then - # Write out services to minion pillar file - set_progress_str 19 'Generating IDH services pillar' - write_out_idh_services - fi + zeek_logs_enabled + # Set up the repo to point to local file https://access.redhat.com/solutions/1355683 + # reposync down the files is network and createrepo if CentOS + # Import the GPG keys + gpg_rpm_import + # Create the local repo and point the box to use the local repo + securityonion_repo + # Update existing packages + update_packages + # Install salt + saltify + # Start the master service + copy_salt_master_config + configure_minion "$minion_type" + salt-key -yd "$MINION_ID" #delete the minion key if it already exists + salt-call state.show_top >> /dev/null 2>&1 #talk to the salt-master so the minion key is created on the salt-master + salt-key -ya "$MINION_ID" #accept the key - if [[ $is_minion ]]; then - set_progress_str 20 'Accepting Salt key on manager' - retry 20 10 accept_salt_key_remote "going to be accepted" >> $setup_log 2>&1 - fi + salt-call state.apply salt.helper-packages + salt-call state.apply common.packages + salt-call state.apply common + salt-call state.apply docker + # Set the initial firewall policy + 
firewall_generate_templates; + set_initial_firewall_policy - if [[ $is_manager || $is_import || $is_helix ]]; then - set_progress_str 20 'Accepting Salt key' - retry 20 10 "salt-key -ya $MINION_ID" "going to be accepted" >> $setup_log 2>&1 - fi + generate_ca + generate_ssl - set_progress_str 21 'Copying minion pillars to manager' - copy_minion_tmp_files >> $setup_log 2>&1 - - if [[ $is_minion ]]; then - set_progress_str 22 'Checking if the Salt Minion needs to be updated' - salt-call state.apply -l info salt.minion >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_helix || $is_import ]]; then - set_progress_str 23 'Generating CA' - generate_ca >> $setup_log 2>&1 - fi - - if [[ ! $is_analyst ]]; then - set_progress_str 24 'Generating SSL' - generate_ssl >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_helix || $is_import ]]; then - set_progress_str 25 'Configuring firewall' - set_initial_firewall_policy >> $setup_log 2>&1 - # create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf - mkdir -p /opt/so/conf/so-status/ >> $setup_log 2>&1 - touch /opt/so/conf/so-status/so-status.conf >> $setup_log 2>&1 - - if [[ "$setup_type" == 'iso' ]]; then - set_progress_str 26 'Copying containers from iso' - else - set_progress_str 26 'Downloading containers from the internet' + mkdir -p /opt/so/conf/so-status/ + touch /opt/so/conf/so-status/so-status.conf + echo "Importing Registry Docker" + import_registry_docker + echo "Applying the registry state" + salt-call state.apply -l info registry + echo "Seeding the docker registry" + docker_seed_registry + echo "Applying the manager state" + salt-call state.apply -l info manager + salt-call state.apply -l info firewall + salt-call state.highstate -l info + add_web_user + so-elastic-fleet-setup + echo "Setting up Playbook" + so-playbook-reset + whiptail_setup_complete + else + es_heapsize + ls_heapsize + generate_interface_vars + if [[ $monints ]]; then + configure_network_sensor fi - 
import_registry_docker >> $setup_log 2>&1 - salt-call state.apply -l info registry >> $setup_log 2>&1 - docker_seed_registry # ~ 60% when finished - - set_progress_str 60 "$(print_salt_state_apply 'manager')" - salt-call state.apply -l info manager >> $setup_log 2>&1 - - echo "Executing so-elastic-auth..." >> $setup_log 2>&1 - ELASTIC_AUTH_SKIP_HIGHSTATE=true bash /opt/so/saltstack/default/salt/common/tools/sbin/so-elastic-auth true >> $setup_log 2>&1 - echo "Finished so-elastic-auth..." >> $setup_log 2>&1 + reserve_ports + # Set the version + mark_version + echo "Clearing the old manager" + # Remove old manager if re-install + clear_manager + gpg_rpm_import + securityonion_repo + update_packages + saltify + configure_minion "$minion_type" + drop_install_options + whiptail_setup_complete fi - if [[ ! $is_analyst ]]; then - set_progress_str 61 "$(print_salt_state_apply 'firewall')" - salt-call state.apply -l info firewall >> $setup_log 2>&1 - fi + # Need to make sure the latest install is located on the web server of the manager to check the versions and donwload the code if required - if [[ $is_centos ]]; then - set_progress_str 61 'Installing Yum utilities' - salt-call state.apply -l info yum.packages >> $setup_log 2>&1 - fi - if [[ ! $is_analyst ]]; then - set_progress_str 62 "$(print_salt_state_apply 'common')" - salt-call state.apply -l info common >> $setup_log 2>&1 - fi - - if [[ ! $is_helix && ! $is_receiver && ! $is_idh && ! 
$is_analyst ]]; then - set_progress_str 62 "$(print_salt_state_apply 'nginx')" - salt-call state.apply -l info nginx >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_helix || $is_import ]]; then - set_progress_str 63 "$(print_salt_state_apply 'idstools')" - create_local_nids_rules >> $setup_log 2>&1 - salt-call state.apply -l info idstools >> $setup_log 2>&1 - - set_progress_str 63 "$(print_salt_state_apply 'suricata.manager')" - salt-call state.apply -l info suricata.manager >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_node || $is_import || $is_helix ]]; then - set_progress_str 64 "$(print_salt_state_apply 'elasticsearch')" - salt-call state.apply -l info elasticsearch >> $setup_log 2>&1 - fi - - if [[ $is_sensor || $is_import ]]; then - set_progress_str 65 "$(print_salt_state_apply 'pcap')" - salt-call state.apply -l info pcap >> $setup_log 2>&1 - fi - - if [[ $is_sensor || $is_import || $is_helix ]]; then - set_progress_str 66 "$(print_salt_state_apply 'suricata')" - salt-call state.apply -l info suricata >> $setup_log 2>&1 - - if [[ $(lookup_pillar "mdengine") == 'ZEEK' ]]; then - set_progress_str 67 "$(print_salt_state_apply 'zeek')" - salt-call state.apply -l info zeek >> $setup_log 2>&1 - fi - fi - - if [[ $is_node ]]; then - set_progress_str 68 "$(print_salt_state_apply 'curator')" - salt-call state.apply -l info curator >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_import ]]; then - set_progress_str 69 "$(print_salt_state_apply 'soc')" - salt-call state.apply -l info soc >> $setup_log 2>&1 - - set_progress_str 70 "$(print_salt_state_apply 'kibana')" - salt-call state.apply -l info kibana.so_config_load >> $setup_log 2>&1 - salt-call state.apply -l info kibana.so_securitySolution_load >> $setup_log 2>&1 - salt-call state.apply -l info kibana.so_dashboard_load >> $setup_log 2>&1 - - set_progress_str 70 "Setting up default Space in Kibana" - so-kibana-space-defaults >> $setup_log 2>&1 - fi - - if [[ "$PLAYBOOK" = 1 ]]; then - 
set_progress_str 71 "$(print_salt_state_apply 'playbook.db_init')" - salt-call state.apply -l info playbook.db_init >> $setup_log 2>&1 - - set_progress_str 71 "$(print_salt_state_apply 'playbook')" - salt-call state.apply -l info playbook >> $setup_log 2>&1 - - set_progress_str 71 "$(print_salt_state_apply 'playbook.automation_user_create')" - salt-call state.apply -l info playbook.automation_user_create >> $setup_log 2>&1 - fi - - if [[ $is_manager ]]; then - set_progress_str 72 "$(print_salt_state_apply 'elastalert')" - salt-call state.apply -l info elastalert >> $setup_log 2>&1 - - set_progress_str 73 "$(print_salt_state_apply 'soctopus')" - salt-call state.apply -l info soctopus >> $setup_log 2>&1 - - if [[ "$PLAYBOOK" = 1 ]]; then - set_progress_str 73 "Update playbook rules" - so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 & - fi - - if [[ "$GRAFANA" = 1 ]]; then - set_progress_str 74 "Installing InfluxDB and Grafana" - salt-call state.apply -l info influxdb >> $setup_log 2>&1 - salt-call state.apply -l info grafana >> $setup_log 2>&1 - fi - - fi - - if [[ "$OSQUERY" = 1 ]]; then - - set_progress_str 75 "$(print_salt_state_apply 'fleet.event_enable-fleet')" - salt-call state.apply -l info fleet.event_enable-fleet >> $setup_log 2>&1 - - set_progress_str 75 "$(print_salt_state_apply 'fleet')" - salt-call state.apply -l info fleet >> $setup_log 2>&1 - - set_progress_str 76 "$(print_salt_state_apply 'redis')" - salt-call state.apply -l info redis >> $setup_log 2>&1 - - if [[ $is_fleet_standalone && $FLEETCUSTOMHOSTNAME != '' ]]; then - set_progress_str 77 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')" - pillar_override="{\"global\":{\"fleet_custom_hostname\": \"$FLEETCUSTOMHOSTNAME\"}}" - salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1 - rm -f /etc/pki/managerssl.crt - salt-call state.apply -l info ssl >> $setup_log 2>&1 - fi - - set_progress_str 78 
"$(print_salt_state_apply 'so-fleet-setup')" - so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1" >> $setup_log 2>&1 - - fi - - if [[ $is_idh ]]; then - set_progress_str 79 "$(print_salt_state_apply 'idh')" - salt-call state.apply -l info idh >> $setup_log 2>&1 - - fi - - if [[ "$WAZUH" = 1 ]]; then - set_progress_str 79 "$(print_salt_state_apply 'wazuh')" - salt-call state.apply -l info wazuh >> $setup_log 2>&1 - fi - - if [[ "$STRELKA" = 1 ]]; then - if [[ $is_sensor ]]; then - set_progress_str 81 "$(print_salt_state_apply 'strelka')" - salt-call state.apply -l info strelka >> $setup_log 2>&1 - fi - if [[ "$STRELKARULES" = 1 ]]; then - logCmd /usr/sbin/so-yara-update - else - info "Skipping running yara update: STRELKARULES='$STRELKARULES'" - fi - fi - - if [[ $is_manager || $is_import ]]; then - set_progress_str 82 "$(print_salt_state_apply 'utility')" - salt-call state.apply -l info utility >> $setup_log 2>&1 - fi - - if [[ ( $is_helix || $is_manager || $is_node ) && ! $is_eval ]]; then - set_progress_str 83 "$(print_salt_state_apply 'logstash')" - salt-call state.apply -l info logstash >> $setup_log 2>&1 - - set_progress_str 84 "$(print_salt_state_apply 'filebeat')" - salt-call state.apply -l info filebeat >> $setup_log 2>&1 - fi - - if [[ ! 
$is_analyst ]]; then - set_progress_str 85 'Applying finishing touches' - filter_unused_nics >> $setup_log 2>&1 - network_setup >> $setup_log 2>&1 - so-ssh-harden >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_import ]]; then - set_progress_str 87 'Adding user to SOC' - add_web_user >> $setup_log 2>&1 - fi - - if [[ $is_analyst ]]; then - # Remove access to the manager from the analyst workstation - rm -rf /root/.ssh/so.key* - fi - - set_progress_str 90 'Enabling checkin at boot' - checkin_at_boot >> $setup_log 2>&1 - - set_progress_str 95 'Verifying setup' - salt-call -l info state.highstate queue=True >> $setup_log 2>&1 - -} | progress - -success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}') -if [[ $success != 0 ]]; then SO_ERROR=1; fi - -# Check entire setup log for errors or unexpected salt states and ensure cron jobs are not reporting errors to root's mailbox -# Ignore "Status .* was not found" due to output from salt http.query or http.wait_for_successful_query states used with retry -# Uncaught exception, closing connection|Exception in callback None - this is seen during influxdb / http.wait_for_successful_query state for ubuntu reinstall -if grep -E "ERROR|Result: False" $setup_log | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR|code: 100|Running scope as unit" || [[ -s /var/spool/mail/root && "$setup_type" == "iso" ]]; then - SO_ERROR=1 - grep --color=never "ERROR" "$setup_log" | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR|code: 100|Running scope as unit" > "$error_log" fi - -if [[ -n $SO_ERROR ]]; then - echo "Errors detected during setup; skipping post-setup steps to allow for analysis of failures." >> $setup_log 2>&1 - - SKIP_REBOOT=1 - whiptail_setup_failed -else - echo "Successfully completed setup! 
Continuing with post-installation steps" >> $setup_log 2>&1 - { - export percentage=95 # set to last percentage used in previous subshell - if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then - set_progress_str 96 "Stopping SOC prior to adjusting firewall rules" - so-soc-stop # Stop SOC so it doesn't accept external requests prior to the reboot - - set_progress_str 97 "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" - IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 - fi - - if [[ $is_manager ]]; then - set_progress_str 98 "Generating archive for setup directory" - generate_repo_tarball >> "$setup_log" 2>&1 - fi - - if [[ -n $LEARN_LOGSCAN_ENABLE ]]; then - set_progress_str 99 'Enabling logscan' - so-learn enable logscan --apply >> $setup_log 2>&1 - fi - - if [[ -n $ENDGAMEHOST ]]; then - set_progress_str 99 'Configuring firewall for Endgame SMP' - so-firewall --apply includehost endgame $ENDGAMEHOST >> $setup_log 2>&1 - fi - - } | whiptail_gauge_post_setup "Running post-installation steps..." - - echo "Post-installation steps have completed. Awaiting user input to clean up installer." >> $setup_log 2>&1 - whiptail_setup_complete - [[ $setup_type != 'iso' && ! $is_idh ]] && whiptail_ssh_warning -fi - -install_cleanup >> "$setup_log" 2>&1 - -if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit; fi diff --git a/setup/so-setup.old b/setup/so-setup.old new file mode 100755 index 000000000..d916777fd --- /dev/null +++ b/setup/so-setup.old 
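Review bot: Every step in the new `if [[ $waitforstate ]]` path — `saltify`, `salt-key -ya "$MINION_ID"`, the `salt-call state.apply` runs for `firewall` and `manager`, `salt-call state.highstate -l info` — runs without its exit status being checked, and the old `grep -E "ERROR|Result: False" $setup_log` scan with its `SO_ERROR`/`whiptail_setup_failed` handling at the end of the script is removed, so a failed firewall or manager state still ends in `whiptail_setup_complete`; most of these calls also lost their `>> $setup_log 2>&1` redirection, so there is no log left to inspect afterwards. Re-add the redirection and a failure check on at least the security-relevant states, e.g. `salt-call state.apply -l info firewall >> "$setup_log" 2>&1 || { echo "firewall state failed" >> "$setup_log"; whiptail_setup_failed; }`. The key acceptance sequence `salt-key -yd "$MINION_ID"` / `salt-call state.show_top` / `salt-key -ya "$MINION_ID"` has no retry, unlike the removed `retry 20 10 "salt-key -ya $MINION_ID" "going to be accepted"`, so if the minion has not yet registered its key when `salt-key -ya` runs, the following state applies proceed against an unaccepted minion. The non-manager `else` branch ends after `configure_minion "$minion_type"` and `drop_install_options` with none of the `set_initial_firewall_policy`, `so-ssh-harden` or `checkin_at_boot` steps the removed flow ran for minions; if those now live in `so-minion` or `configure_minion`, a comment saying so at `drop_install_options` would help, and the `# Check to see if its a reinstall. THIS NEEDS REVIEW` marker should be resolved or turned into a tracked TODO before merge.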
@@ -0,0 +1,1146 @@ +#!/bin/bash + +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + + +# Make sure you are root before doing anything +uid="$(id -u)" +if [ "$uid" -ne 0 ]; then + echo "This script must be run using sudo!" + exit 1 +fi + +# Save the original argument array since we modify it +original_args=("$@") + +cd "$(dirname "$0")" || exit 255 + +echo "Getting started..." + +# Source the generic function libraries that are also used by the product after +# setup. These functions are intended to be reusable outside of the setup process. +source ../salt/common/tools/sbin/so-common +source ../salt/common/tools/sbin/so-image-common + +# Setup bash functionality is divided into functions and user-facing prompts. +# Do not attempt to re-use any of this functionality outside of setup. Instead, +# if needed, migrated generic functions into so-common. +source ./so-functions +source ./so-whiptail + +# Finally, source the default variable definitions, which require availability of +# functions sourced above. 
+source ./so-variables + +# Parse command line arguments +setup_type=$1 +automation=$2 +WHATWOULDYOUSAYYAHDOHERE=setup + +while [[ $# -gt 0 ]]; do + arg="$1" + shift + case "$arg" in + "--turbo="* ) + export TURBO="http://${arg#*=}";; + "--proxy="* ) + export {http,https,ftp,rsync,all}_proxy="${arg#*=}";; + "--allow-role="* ) + export ALLOW_ROLE="${arg#*=}";; + "--allow-cidr="* ) + export ALLOW_CIDR="${arg#*=}";; + "--skip-reboot" ) + export SKIP_REBOOT=1;; + * ) + if [[ "$arg" == "--"* ]]; then + echo "Invalid option" + fi + esac +done + +detect_os +is_analyst= +if [ "$setup_type" = 'analyst' ]; then + is_analyst=true + # Check to see if this is an ISO + if [ -d /root/SecurityOnion ]; then + is_analyst_iso=true + fi +fi + +if [[ "$setup_type" == 'iso' ]]; then + if [[ $is_centos ]]; then + is_iso=true + else + echo "Only use 'so-setup iso' for an ISO install on CentOS. Please run 'so-setup network' instead." + exit 1 + fi +fi + +# Check to see if this is an analyst install. If it is let's run things differently + +if [[ $is_analyst ]]; then + + # Make sure it's CentOS + if [[ ! $is_centos ]]; then + echo "Analyst Workstation is only supported on CentOS 7" + exit 1 + fi + + if ! whiptail_analyst_install; then + if [[ $is_analyst_iso ]]; then + if whiptail_analyst_nongrid_iso; then + # Remove setup from auto launching + parse_install_username + sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1 + echo "Enabling graphical interface and setting it to load at boot" + systemctl set-default graphical.target + startx + exit 0 + else + # Abort! + exit 0 + fi + else + if whiptail_analyst_nongrid_network; then + echo "" + echo "" + echo "Kicking off the automated setup of the analyst workstation. This can take a while depending on your network connection." + echo "" + echo "" + analyst_salt_local + else + # Abort! + exit 0 + fi + fi + fi + + # If you got this far then you want to join the grid + is_minion=true + +fi + + + +if ! 
[ -f $install_opt_file ] && [ -d /root/manager_setup/securityonion ] && [[ $(pwd) != /root/manager_setup/securityonion/setup ]]; then + exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" +fi + +if [[ -f /root/accept_changes ]]; then + is_reinstall=true + + # Move last setup log to backup + mv "$setup_log" "$setup_log.bak" + [ -f "$error_log" ] && mv "$error_log" "$error_log.bak" +fi + +parse_install_username + +if ! [ -f $install_opt_file ]; then + # Begin Installation pre-processing + title "Initializing Setup" + info "Installing as the $INSTALLUSERNAME user" + + analyze_system +fi + +# Set up handler for setup to exit early (use `kill -SIGUSR1 "$setup_proc"; exit 1` in child scripts) +trap 'catch $LINENO' SIGUSR1 +setup_proc="$$" +catch() { + info "Fatal error occurred at $1 in so-setup, failing setup." + grep --color=never "ERROR" "$setup_log" > "$error_log" + whiptail_setup_failed + exit 1 +} +automated=no +progress() { + local msg=${1:-'Please wait while installing...'} + + if [ $automated == no ]; then + whiptail --title "$whiptail_title" --gauge "$msg" 6 70 0 # append to text + else + cat >> $setup_log 2>&1 + fi +} + +if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then + echo "Preselecting variable values based on automated setup: $automation" >> $setup_log 2>&1 + source automation/$automation + automated=yes + + attempt=1 + attempts=60 + ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1 + while [ $? -ne 0 ]; do + ip a >> $setup_log 2>&1 + if [ $attempt -gt $attempts ]; then + echo "Network unavailable - setup cannot continue" >> $setup_log 2>&1 + exit 1 + fi + echo "Waiting for network to come up (attempt $attempt of $attempts)" >> $setup_log 2>&1 + attempt=$((attempt + 1)) + sleep 10; + ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1 + done + echo "Network is up on $MNIC" >> $setup_log 2>&1 + + if [[ ! $is_iso ]]; then + echo "Installing sshpass for automated testing." 
>> $setup_log 2>&1 + if [ "$OS" == ubuntu ]; then + retry 50 10 "apt-get -y install sshpass" >> $setup_log 2>&1 || exit 1 + else + yum -y install sshpass >> $setup_log 2>&1 + fi + fi +fi + +case "$setup_type" in + iso | network | analyst) # Accepted values + echo "Beginning Security Onion $setup_type install" >> $setup_log 2>&1 + ;; + *) + echo "Invalid install type, must be 'iso', 'network' or 'analyst'." | tee -a $setup_log + exit 1 + ;; +esac + +#set ssh commands that will be used based on if this is an automated test install or not +set_ssh_cmds $automated + +# Allow execution of SO tools during setup +local_sbin="$(pwd)/../salt/common/tools/sbin" +export PATH=$PATH:$local_sbin + +set_palette >> $setup_log 2>&1 + +# Kernel messages can overwrite whiptail screen #812 +# https://github.com/Security-Onion-Solutions/securityonion/issues/812 +dmesg -D + +# Kernel consoleblank is causing whiptail progress screen to appear to hang #1084 +# https://github.com/Security-Onion-Solutions/securityonion/issues/1084 +if [ "$automated" == no ]; then + TTY=$(tty) + echo "Setup is running on TTY $TTY" >> $setup_log 2>&1 + if echo $TTY | grep -q "/dev/tty"; then + CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank) + echo "Kernel consoleblank value before: $CONSOLEBLANK" >> $setup_log 2>&1 + if [ $CONSOLEBLANK -gt 0 ]; then + echo "Running 'setterm -blank 0' for TTY $TTY" >> $setup_log 2>&1 + TERM=linux setterm -blank 0 >$TTY <$TTY + CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank) + echo "Kernel consoleblank value after: $CONSOLEBLANK" >> $setup_log 2>&1 + fi + fi +fi + +if ! [[ -f $install_opt_file ]]; then + if (whiptail_you_sure); then + true + else + echo "User cancelled setup." 
| tee -a "$setup_log" + whiptail_cancel + fi + if [[ $is_analyst ]]; then + collect_hostname + if [[ $is_analyst_iso ]]; then + # Prompt Network Setup + whiptail_management_nic + whiptail_dhcp_or_static + + if [ "$address_type" != 'DHCP' ]; then + collect_int_ip_mask + collect_gateway + collect_dns + collect_dns_domain + fi + + fi + if [[ ! $is_analyst_iso ]]; then + # This should be a network install + whiptail_network_notice + whiptail_dhcp_warn + whiptail_management_nic + fi + whiptail_network_init_notice + network_init + printf '%s\n' \ + "MNIC=$MNIC" \ + "HOSTNAME=$HOSTNAME" > "$net_init_file" + set_main_ip + compare_main_nic_ip + + fi + + if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then + whiptail_first_menu_iso + if [[ $option == "CONFIGURENETWORK" ]]; then + collect_hostname + network_init_whiptail + whiptail_network_init_notice + network_init + printf '%s\n' \ + "MNIC=$MNIC" \ + "HOSTNAME=$HOSTNAME" > "$net_init_file" + set_main_ip + compare_main_nic_ip + whiptail_net_setup_complete + else + true + fi + fi + if [[ ! 
$is_analyst ]]; then + whiptail_install_type + fi +else + source $install_opt_file +fi + +if [ "$install_type" = 'EVAL' ]; then + is_node=true + is_manager=true + is_sensor=true + is_eval=true + STRELKARULES=1 +elif [ "$install_type" = 'STANDALONE' ]; then + is_manager=true + is_distmanager=true + is_node=true + is_sensor=true +elif [ "$install_type" = 'MANAGERSEARCH' ]; then + is_manager=true + is_distmanager=true + is_node=true +elif [ "$install_type" = 'MANAGER' ]; then + is_manager=true + is_distmanager=true +elif [ "$install_type" = 'SENSOR' ]; then + is_sensor=true + is_minion=true +elif [[ "$install_type" =~ ^('SEARCHNODE'|'HOTNODE'|'WARMNODE')$ ]]; then + is_node=true + is_minion=true +elif [ "$install_type" = 'HEAVYNODE' ]; then + is_node=true + is_minion=true + is_sensor=true +elif [ "$install_type" = 'FLEET' ]; then + is_minion=true + is_fleet_standalone=true + OSQUERY=1 +elif [ "$install_type" = 'IDH' ]; then + is_minion=true + is_idh=true + IDH=1 +elif [ "$install_type" = 'HELIXSENSOR' ]; then + is_helix=true +elif [ "$install_type" = 'IMPORT' ]; then + is_import=true +elif [ "$install_type" = 'RECEIVER' ]; then + is_minion=true + is_receiver=true +elif [ "$install_type" = 'ANALYST' ]; then + if [ "$setup_type" != 'analyst' ]; then + exec bash so-setup analyst + fi +fi + +if [[ $is_manager || $is_import ]]; then + check_elastic_license +fi + +if ! [[ -f $install_opt_file ]]; then + if [[ $is_manager && $is_sensor ]]; then + check_requirements "standalone" + elif [[ $is_fleet_standalone ]]; then + check_requirements "dist" "fleet" + elif [[ $is_idh ]]; then + check_requirements "dist" "idh" + elif [[ $is_sensor && ! $is_eval ]]; then + check_requirements "dist" "sensor" + elif [[ $is_distmanager || $is_minion ]] && [[ ! 
( $is_import || $is_analyst ) ]]; then + check_requirements "dist" + elif [[ $is_import ]]; then + check_requirements "import" + fi + + [[ -f $net_init_file ]] && whiptail_net_reinit && reinit_networking=true + + if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then + collect_hostname + fi + + [[ ! ( $is_eval || $is_import ) ]] && whiptail_node_description + + if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then + network_init_whiptail + else + source "$net_init_file" + fi + + if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then + whiptail_network_init_notice + network_init + fi + + set_main_ip + compare_main_nic_ip + + if [[ $is_minion ]]; then + collect_mngr_hostname + add_mngr_ip_to_hosts + whiptail_ssh_key_copy_notice + copy_ssh_key >> $setup_log 2>&1 + fi + + if [[ $is_idh ]]; then + collect_idh_services + collect_idh_preferences + fi + + # Check if this is an airgap install + if [[ ( $is_manager || $is_import) && $is_iso ]]; then + whiptail_airgap + if [[ "$INTERWEBS" == 'AIRGAP' ]]; then + is_airgap=true + fi + elif [[ $is_minion && ( $is_iso || $is_analyst ) ]]; then + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" [[ -f /etc/yum.repos.d/airgap_repo.repo ]] >> $setup_log 2>&1 + airgap_check=$? + [[ $airgap_check == 0 ]] && is_airgap=true >> $setup_log 2>&1 + fi + + reset_proxy + if [[ -z $is_airgap ]]; then + collect_net_method + [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 + fi + + if [[ $is_minion ]] && ! 
(compare_versions); then + info "Installer version mismatch, downloading correct version from manager" + printf '%s\n' \ + "install_type=$install_type" \ + "MNIC=$MNIC" \ + "HOSTNAME=$HOSTNAME" \ + "MSRV=$MSRV" \ + "MSRVIP=$MSRVIP" \ + "is_airgap=$is_airgap" \ + "NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file" + [[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file" + download_repo_tarball + exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" + fi +else + rm -rf $install_opt_file >> "$setup_log" 2>&1 +fi + +if [[ -z $is_airgap ]]; then + percentage=0 + { + installer_progress_loop 'Running preflight checks...' & + progress_bg_proc=$! + ./so-preflight true "$setup_log" >> $setup_log 2>&1 + preflight_ret=$? + echo "$preflight_ret" > /tmp/preflight_ret + kill -9 "$progress_bg_proc" + wait "$progress_bg_proc" &> /dev/null + } | progress '...' + [[ -f /tmp/preflight_ret ]] && preflight_ret=$(cat /tmp/preflight_ret) + rm /tmp/preflight_ret + if [[ -n $preflight_ret && $preflight_ret -gt 0 ]] && ! ( whiptail_preflight_err ); then + whiptail_cancel + fi +fi + +percentage=0 +{ + installer_progress_loop 'Checking that all required packages are installed and enabled...' & # Run progress bar to 98 in ~8 minutes while waiting for package installs + progress_bg_proc=$! + installer_prereq_packages + install_success=$? + kill -9 "$progress_bg_proc" + wait "$progress_bg_proc" &> /dev/null # Kill just sends signal, redirect output of wait to catch stdout + if [[ $install_success -gt 0 ]]; then + echo "Could not install packages required for setup, exiting now." >> "$setup_log" 2>&1 + kill -SIGUSR1 "$setup_proc"; exit 1 + fi +} | progress '...' + +detect_cloud + +short_name=$(echo "$HOSTNAME" | awk -F. '{print $1}') + +if [[ $is_analyst ]]; then + MINION_ID=$(echo "${short_name}_workstation" | tr '[:upper:]' '[:lower:]') +fi +if [[ ! 
$is_analyst ]]; then + MINION_ID=$(echo "${short_name}_${install_type}" | tr '[:upper:]' '[:lower:]') +fi +export MINION_ID + +echo "MINION_ID = $MINION_ID" >> $setup_log 2>&1 + +minion_type=$(get_minion_type) + +# Set any variables needed +set_default_log_size >> $setup_log 2>&1 + +if [[ $is_helix ]]; then + RULESETUP=${RULESETUP:-ETOPEN} + NSMSETUP=${NSMSETUP:-BASIC} + HNSENSOR=${HNSENSOR:-inherit} + MANAGERUPDATES=${MANAGERUPDATES:-0} +fi + +if [[ $is_helix || ( $is_manager && $is_node ) ]]; then + RULESETUP=${RULESETUP:-ETOPEN} + NSMSETUP=${NSMSETUP:-BASIC} +fi + +if [[ $is_manager && $is_node ]]; then + LSPIPELINEWORKERS=${LSPIPELINEWORKERS:-1} + LSPIPELINEBATCH=${LSPIPELINEBATCH:-125} + LSINPUTTHREADS=${LSINPUTTHREADS:-1} + LSPIPELINEWORKERS=${LSPIPELINEBATCH:-125} + NIDS=${NIDS:-Suricata} + ZEEKVERSION=${ZEEKVERSION:-ZEEK} +fi + +if [[ $is_import ]]; then + PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-auto} + MTU=${MTU:-1500} + RULESETUP=${RULESETUP:-ETOPEN} + NSMSETUP=${NSMSETUP:-BASIC} + HNSENSOR=${HNSENSOR:-inherit} + MANAGERUPDATES=${MANAGERUPDATES:-0} + MANAGERADV=${MANAGERADV:-BASIC} + INTERFACE=${INTERFACE:-bond0} + ZEEKVERSION=${ZEEKVERSION:-ZEEK} + NIDS=${NIDS:-Suricata} + RULESETUP=${RULESETUP:-ETOPEN} + GRAFANA=${GRAFANA:-0} + OSQUERY=${OSQUERY:-0} + WAZUH=${WAZUH:-0} + PLAYBOOK=${PLAYBOOK:-0} +fi + +if [[ $is_airgap ]]; then + PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-manual} + [[ ! $is_minion ]] && MANAGERUPDATES=${MANAGERUPDATES:-0} || MANAGERUPDATES=${MANAGERUPDATES:-1} +fi + +# Start user prompts + +if [[ $is_helix ]]; then + collect_helix_key +fi + +if [[ $is_helix || $is_sensor ]]; then + echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 + check_network_manager_conf + set_network_dev_status_list + whiptail_sensor_nics +fi + +if [[ $is_helix || $is_sensor || $is_import ]]; then + calculate_useable_cores +fi + +if [[ ! $is_airgap && ! 
$is_import ]]; then + collect_patch_schedule +fi + +if [[ $is_helix || $is_manager || $is_import ]]; then + collect_homenet_mngr +fi + +#set base elasticsearch heap size +if [[ $is_helix || $is_manager || $is_node || $is_import ]]; then + es_heapsize +fi + +#set base logstash heap size +if [[ $is_helix || $is_manager || $is_node || $is_import || $is_receiver ]]; then + ls_heapsize +fi + +if [[ $is_manager && ! $is_eval ]]; then + whiptail_manager_adv + if [ "$MANAGERADV" = 'ADVANCED' ]; then + if [ "$install_type" = 'MANAGER' ] || [ "$install_type" = 'MANAGERSEARCH' ]; then + collect_es_cluster_name + fi + fi + + whiptail_metadata_tool + + [[ $MANAGERADV == "ADVANCED" ]] && [[ $ZEEKVERSION == "ZEEK" ]] && whiptail_manager_adv_service_zeeklogs + + # Don't run this function for now since Snort is not yet supported + # whiptail_nids + NIDS=Suricata + whiptail_rule_setup + + if [ "$RULESETUP" != 'ETOPEN' ]; then + collect_oinkcode + fi +fi + +if [[ $is_manager ]]; then + whiptail_enable_components + + if [[ "$STRELKA" = 1 ]]; then + info "Enabling Strelka rules" + STRELKARULES=1 + else + info "Disabling Strelka rules: STRELKA='$STRELKA'" + fi + + collect_dockernet +fi + +if [[ $is_manager || $is_import ]]; then + collect_webuser_inputs + get_redirect +fi + +if [[ $is_distmanager ]]; then + collect_soremote_inputs +fi + +if [[ $is_sensor && ! $is_eval ]]; then + [[ $is_manager ]] || collect_homenet_snsr + whiptail_sensor_config + if [ $NSMSETUP == 'ADVANCED' ]; then + if [[ $is_manager ]]; then + [[ $ZEEKVERSION == "ZEEK" ]] && whiptail_zeek_pins + else + whiptail_zeek_pins + fi + + whiptail_suricata_pins + collect_mtu + else + if [[ $is_node && $is_sensor && ! 
$is_eval ]]; then + PROCS=$(( lb_procs / 2 )) + if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi + else + PROCS=$lb_procs + fi + + if [[ $is_manager ]]; then + [[ $ZEEKVERSION == "ZEEK" ]] && collect_zeek + else + collect_zeek + fi + + collect_suri + fi +fi + +[[ ( $is_iso || $is_analyst ) ]] && collect_ntp_servers + +if [[ ($is_node || $is_receiver) && ! $is_eval ]]; then + whiptail_node_advanced + if [ "$NODESETUP" == 'NODEADVANCED' ]; then + if [[ ! $is_receiver ]]; then + collect_node_es_heap + collect_es_space_limit + fi + collect_node_ls_heap + collect_node_ls_pipeline_worker_count + collect_node_ls_pipeline_batch_size + collect_node_ls_input + else + if [[ ! $is_receiver ]]; then + NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE + fi + NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE + LSPIPELINEWORKERS=$num_cpu_cores + LSPIPELINEBATCH=125 + LSINPUTTHREADS=1 + fi +fi + +if [ "$install_type" == 'FLEET' ]; then + collect_fleetuser_inputs + collect_fleet_custom_hostname_inputs +else + FLEETNODEUSER=$WEBUSER + FLEETNODEPASSWD1=$WEBPASSWD1 +fi + +if [[ $is_manager || $is_import ]]; then collect_so_allow; fi + +# This block sets REDIRECTIT which is used by a function outside the below subshell +set_redirect >> $setup_log 2>&1 + +if [[ $is_minion ]] && ! check_manager_state; then + echo "Manager was not in a good state" >> "$setup_log" 2>&1 + whiptail_manager_error +fi + +whiptail_end_settings + +# From here on changes will be made. +echo "1" > /root/accept_changes + + +# Begin install +{ + # Set initial percentage to 0 + export percentage=0 + + # Show initial progress message + set_progress_str 0 'Running initial configuration steps' + + [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 + + if [[ ! 
$is_analyst ]]; then + reserve_ports + fi + + set_path + + if [[ $is_reinstall ]]; then + reinstall_init + fi + + disable_auto_start + + { + mark_version; + clear_manager; + } >> $setup_log 2>&1 + + + if [[ $is_manager || $is_import ]]; then + { + generate_passwords; + secrets_pillar; + } >> $setup_log 2>&1 + fi + + if [[ $is_manager || $is_import || $is_helix ]]; then + add_socore_user_manager >> $setup_log 2>&1 + fi + + if [[ $is_manager && ! $is_eval ]]; then + add_soremote_user_manager >> $setup_log 2>&1 + fi + if [[ ! $is_analyst ]]; then + host_pillar >> $setup_log 2>&1 + fi + if [[ $is_analyst ]]; then + analyst_workstation_pillar + fi + ntp_pillar >> $setup_log 2>&1 + + + if [[ $is_minion || $is_import ]]; then + set_updates >> $setup_log 2>&1 + fi + + if [[ ( $is_manager || $is_import ) && $is_airgap ]]; then + info "Creating airgap repo" + create_repo >> $setup_log 2>&1 + airgap_rules >> $setup_log 2>&1 + fi + + if [[ $is_minion ]]; then + set_progress_str 1 'Configuring firewall' + set_initial_firewall_policy >> $setup_log 2>&1 + fi + + set_progress_str 2 'Updating packages' + # Import the gpg keys + gpg_rpm_import >> $setup_log 2>&1 + info "Disabling fastestmirror" + [[ $is_centos ]] && disable_fastestmirror + if [[ ! $is_airgap ]]; then + securityonion_repo >> $setup_log 2>&1 + update_packages >> $setup_log 2>&1 + else + airgap_repo >> $setup_log 2>&1 + fi + + if [[ $is_sensor || $is_helix || $is_import ]]; then + set_progress_str 3 'Generating sensor pillar' + generate_sensor_vars + sensor_pillar >> $setup_log 2>&1 + if [[ $is_sensor || $is_helix ]]; then + steno_pillar >> $setup_log + fi + fi + + if [[ $is_sensor || $is_helix ]]; then + set_progress_str 4 'Configuring sensor interface' + configure_network_sensor >> $setup_log 2>&1 + fi + + set_progress_str 5 'Installing Salt and dependencies' + saltify 2>> $setup_log + + if [[ ! 
$is_analyst ]]; then + set_progress_str 6 'Installing Docker and dependencies' + docker_install >> $setup_log 2>&1 + fi + + set_progress_str 7 'Generating patch pillar' + patch_pillar >> $setup_log 2>&1 + + set_progress_str 8 'Initializing Salt minion' + configure_minion "$minion_type" >> $setup_log 2>&1 + + if [[ ! $is_analyst ]]; then + check_sos_appliance >> $setup_log 2>&1 + fi + + update_sudoers_for_testing >> $setup_log 2>&1 + + if [[ $is_manager || $is_helix || $is_import ]]; then + set_progress_str 9 'Configuring Salt master' + { + create_local_directories; + addtotab_generate_templates; + copy_salt_master_config; + setup_salt_master_dirs; + firewall_generate_templates; + } >> $setup_log 2>&1 + + set_progress_str 10 'Updating sudoers file for soremote user' + update_sudoers >> $setup_log 2>&1 + + set_progress_str 11 'Generating manager global pillar' + #minio_generate_keys + manager_global >> $setup_log 2>&1 + + set_progress_str 12 'Generating manager pillar' + manager_pillar >> $setup_log 2>&1 + zeek_logs_enabled >> $setup_log 2>&1 + fi + + set_progress_str 16 'Running first Salt checkin' + salt_firstcheckin >> $setup_log 2>&1 + + if [[ $is_helix ]]; then + set_progress_str 17 'Generating the FireEye pillar' + fireeye_pillar >> $setup_log 2>&1 + fi + + if [[ $is_node ]]; then + set_progress_str 18 'Setting node type' + set_node_type >> $setup_log 2>&1 + + if ! 
[[ $is_manager || $is_helix ]]; then + set_progress_str 19 'Generating search node pillar' + elasticsearch_pillar >> $setup_log 2>&1 + fi + fi + + if [[ ($is_node || $is_receiver) && !($is_manager || $is_helix) ]]; then + set_progress_str 19 'Generating logstash pillar' + logstash_pillar >> $setup_log 2>&1 + fi + + if [[ $is_idh ]]; then + # Write out services to minion pillar file + set_progress_str 19 'Generating IDH services pillar' + write_out_idh_services + fi + + + if [[ $is_minion ]]; then + set_progress_str 20 'Accepting Salt key on manager' + retry 20 10 accept_salt_key_remote "going to be accepted" >> $setup_log 2>&1 + fi + + if [[ $is_manager || $is_import || $is_helix ]]; then + set_progress_str 20 'Accepting Salt key' + retry 20 10 "salt-key -ya $MINION_ID" "going to be accepted" >> $setup_log 2>&1 + fi + + set_progress_str 21 'Copying minion pillars to manager' + copy_minion_tmp_files >> $setup_log 2>&1 + + if [[ $is_minion ]]; then + set_progress_str 22 'Checking if the Salt Minion needs to be updated' + salt-call state.apply -l info salt.minion >> $setup_log 2>&1 + fi + + if [[ $is_manager || $is_helix || $is_import ]]; then + set_progress_str 23 'Generating CA' + generate_ca >> $setup_log 2>&1 + fi + + if [[ ! 
$is_analyst ]]; then + set_progress_str 24 'Generating SSL' + generate_ssl >> $setup_log 2>&1 + fi + + if [[ $is_manager || $is_helix || $is_import ]]; then + set_progress_str 25 'Configuring firewall' + set_initial_firewall_policy >> $setup_log 2>&1 + + # create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf + mkdir -p /opt/so/conf/so-status/ >> $setup_log 2>&1 + touch /opt/so/conf/so-status/so-status.conf >> $setup_log 2>&1 + + if [[ "$setup_type" == 'iso' ]]; then + set_progress_str 26 'Copying containers from iso' + else + set_progress_str 26 'Downloading containers from the internet' + fi + import_registry_docker >> $setup_log 2>&1 + salt-call state.apply -l info registry >> $setup_log 2>&1 + docker_seed_registry # ~ 60% when finished + + set_progress_str 60 "$(print_salt_state_apply 'manager')" + salt-call state.apply -l info manager >> $setup_log 2>&1 + + echo "Executing so-elastic-auth..." >> $setup_log 2>&1 + ELASTIC_AUTH_SKIP_HIGHSTATE=true bash /opt/so/saltstack/default/salt/common/tools/sbin/so-elastic-auth true >> $setup_log 2>&1 + echo "Finished so-elastic-auth..." >> $setup_log 2>&1 + fi + + if [[ ! $is_analyst ]]; then + set_progress_str 61 "$(print_salt_state_apply 'firewall')" + salt-call state.apply -l info firewall >> $setup_log 2>&1 + fi + + if [[ $is_centos ]]; then + set_progress_str 61 'Installing Yum utilities' + salt-call state.apply -l info yum.packages >> $setup_log 2>&1 + fi + + if [[ ! $is_analyst ]]; then + set_progress_str 62 "$(print_salt_state_apply 'common')" + salt-call state.apply -l info common >> $setup_log 2>&1 + fi + + if [[ ! $is_helix && ! $is_receiver && ! $is_idh && ! 
$is_analyst ]]; then + set_progress_str 62 "$(print_salt_state_apply 'nginx')" + salt-call state.apply -l info nginx >> $setup_log 2>&1 + fi + + if [[ $is_manager || $is_helix || $is_import ]]; then + set_progress_str 63 "$(print_salt_state_apply 'idstools')" + create_local_nids_rules >> $setup_log 2>&1 + salt-call state.apply -l info idstools >> $setup_log 2>&1 + + set_progress_str 63 "$(print_salt_state_apply 'suricata.manager')" + salt-call state.apply -l info suricata.manager >> $setup_log 2>&1 + fi + + if [[ $is_manager || $is_node || $is_import || $is_helix ]]; then + set_progress_str 64 "$(print_salt_state_apply 'elasticsearch')" + salt-call state.apply -l info elasticsearch >> $setup_log 2>&1 + fi + + if [[ $is_sensor || $is_import ]]; then + set_progress_str 65 "$(print_salt_state_apply 'pcap')" + salt-call state.apply -l info pcap >> $setup_log 2>&1 + fi + + if [[ $is_sensor || $is_import || $is_helix ]]; then + set_progress_str 66 "$(print_salt_state_apply 'suricata')" + salt-call state.apply -l info suricata >> $setup_log 2>&1 + + if [[ $(lookup_pillar "mdengine") == 'ZEEK' ]]; then + set_progress_str 67 "$(print_salt_state_apply 'zeek')" + salt-call state.apply -l info zeek >> $setup_log 2>&1 + fi + fi + + if [[ $is_node ]]; then + set_progress_str 68 "$(print_salt_state_apply 'curator')" + salt-call state.apply -l info curator >> $setup_log 2>&1 + fi + + if [[ $is_manager || $is_import ]]; then + set_progress_str 69 "$(print_salt_state_apply 'soc')" + salt-call state.apply -l info soc >> $setup_log 2>&1 + + set_progress_str 70 "$(print_salt_state_apply 'kibana')" + salt-call state.apply -l info kibana.so_config_load >> $setup_log 2>&1 + salt-call state.apply -l info kibana.so_securitySolution_load >> $setup_log 2>&1 + salt-call state.apply -l info kibana.so_dashboard_load >> $setup_log 2>&1 + + set_progress_str 70 "Setting up default Space in Kibana" + so-kibana-space-defaults >> $setup_log 2>&1 + fi + + if [[ "$PLAYBOOK" = 1 ]]; then + 
set_progress_str 71 "$(print_salt_state_apply 'playbook.db_init')" + salt-call state.apply -l info playbook.db_init >> $setup_log 2>&1 + + set_progress_str 71 "$(print_salt_state_apply 'playbook')" + salt-call state.apply -l info playbook >> $setup_log 2>&1 + + set_progress_str 71 "$(print_salt_state_apply 'playbook.automation_user_create')" + salt-call state.apply -l info playbook.automation_user_create >> $setup_log 2>&1 + fi + + if [[ $is_manager ]]; then + set_progress_str 72 "$(print_salt_state_apply 'elastalert')" + salt-call state.apply -l info elastalert >> $setup_log 2>&1 + + set_progress_str 73 "$(print_salt_state_apply 'soctopus')" + salt-call state.apply -l info soctopus >> $setup_log 2>&1 + + if [[ "$PLAYBOOK" = 1 ]]; then + set_progress_str 73 "Update playbook rules" + so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 & + fi + + if [[ "$GRAFANA" = 1 ]]; then + set_progress_str 74 "Installing InfluxDB and Grafana" + salt-call state.apply -l info influxdb >> $setup_log 2>&1 + salt-call state.apply -l info grafana >> $setup_log 2>&1 + fi + + fi + + if [[ "$OSQUERY" = 1 ]]; then + + set_progress_str 75 "$(print_salt_state_apply 'fleet.event_enable-fleet')" + salt-call state.apply -l info fleet.event_enable-fleet >> $setup_log 2>&1 + + set_progress_str 75 "$(print_salt_state_apply 'fleet')" + salt-call state.apply -l info fleet >> $setup_log 2>&1 + + set_progress_str 76 "$(print_salt_state_apply 'redis')" + salt-call state.apply -l info redis >> $setup_log 2>&1 + + if [[ $is_fleet_standalone && $FLEETCUSTOMHOSTNAME != '' ]]; then + set_progress_str 77 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')" + pillar_override="{\"global\":{\"fleet_custom_hostname\": \"$FLEETCUSTOMHOSTNAME\"}}" + salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1 + rm -f /etc/pki/managerssl.crt + salt-call state.apply -l info ssl >> $setup_log 2>&1 + fi + + set_progress_str 78 
"$(print_salt_state_apply 'so-fleet-setup')" + so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1" >> $setup_log 2>&1 + + fi + + if [[ $is_idh ]]; then + set_progress_str 79 "$(print_salt_state_apply 'idh')" + salt-call state.apply -l info idh >> $setup_log 2>&1 + + fi + + if [[ "$WAZUH" = 1 ]]; then + set_progress_str 79 "$(print_salt_state_apply 'wazuh')" + salt-call state.apply -l info wazuh >> $setup_log 2>&1 + fi + + if [[ "$STRELKA" = 1 ]]; then + if [[ $is_sensor ]]; then + set_progress_str 81 "$(print_salt_state_apply 'strelka')" + salt-call state.apply -l info strelka >> $setup_log 2>&1 + fi + if [[ "$STRELKARULES" = 1 ]]; then + logCmd /usr/sbin/so-yara-update + else + info "Skipping running yara update: STRELKARULES='$STRELKARULES'" + fi + fi + + if [[ $is_manager || $is_import ]]; then + set_progress_str 82 "$(print_salt_state_apply 'utility')" + salt-call state.apply -l info utility >> $setup_log 2>&1 + fi + + if [[ ( $is_helix || $is_manager || $is_node ) && ! $is_eval ]]; then + set_progress_str 83 "$(print_salt_state_apply 'logstash')" + salt-call state.apply -l info logstash >> $setup_log 2>&1 + + set_progress_str 84 "$(print_salt_state_apply 'filebeat')" + salt-call state.apply -l info filebeat >> $setup_log 2>&1 + fi + + if [[ ! 
$is_analyst ]]; then + set_progress_str 85 'Applying finishing touches' + filter_unused_nics >> $setup_log 2>&1 + network_setup >> $setup_log 2>&1 + so-ssh-harden >> $setup_log 2>&1 + fi + + if [[ $is_manager || $is_import ]]; then + set_progress_str 87 'Adding user to SOC' + add_web_user >> $setup_log 2>&1 + fi + + if [[ $is_analyst ]]; then + # Remove access to the manager from the analyst workstation + rm -rf /root/.ssh/so.key* + fi + + set_progress_str 90 'Enabling checkin at boot' + checkin_at_boot >> $setup_log 2>&1 + + set_progress_str 95 'Verifying setup' + salt-call -l info state.highstate queue=True >> $setup_log 2>&1 + +} | progress + +success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}') +if [[ $success != 0 ]]; then SO_ERROR=1; fi + +# Check entire setup log for errors or unexpected salt states and ensure cron jobs are not reporting errors to root's mailbox +# Ignore "Status .* was not found" due to output from salt http.query or http.wait_for_successful_query states used with retry +# Uncaught exception, closing connection|Exception in callback None - this is seen during influxdb / http.wait_for_successful_query state for ubuntu reinstall +if grep -E "ERROR|Result: False" $setup_log | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR" || [[ -s /var/spool/mail/root && "$setup_type" == "iso" ]]; then + SO_ERROR=1 + grep --color=never "ERROR" "$setup_log" | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None" > "$error_log" +fi + +if [[ -n $SO_ERROR ]]; then + echo "Errors detected during setup; skipping post-setup steps to allow for analysis of failures." >> $setup_log 2>&1 + + SKIP_REBOOT=1 + whiptail_setup_failed +else + echo "Successfully completed setup! 
Continuing with post-installation steps" >> $setup_log 2>&1 + { + export percentage=95 # set to last percentage used in previous subshell + if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then + set_progress_str 96 "Stopping SOC prior to adjusting firewall rules" + so-soc-stop # Stop SOC so it doesn't accept external requests prior to the reboot + + set_progress_str 97 "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" + IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 + fi + + if [[ $is_manager ]]; then + set_progress_str 98 "Generating archive for setup directory" + generate_repo_tarball >> "$setup_log" 2>&1 + fi + + if [[ -n $LEARN_LOGSCAN_ENABLE ]]; then + set_progress_str 99 'Enabling logscan' + so-learn enable logscan --apply >> $setup_log 2>&1 + fi + + if [[ -n $ENDGAMEHOST ]]; then + set_progress_str 99 'Configuring firewall for Endgame SMP' + so-firewall --apply includehost endgame $ENDGAMEHOST >> $setup_log 2>&1 + fi + + } | whiptail_gauge_post_setup "Running post-installation steps..." + + echo "Post-installation steps have completed. Awaiting user input to clean up installer." >> $setup_log 2>&1 + whiptail_setup_complete + [[ $setup_type != 'iso' && ! $is_idh ]] && whiptail_ssh_warning +fi + +install_cleanup >> "$setup_log" 2>&1 + +if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit; fi diff --git a/setup/so-variables b/setup/so-variables index a69ef9e1b..a24f70e3c 100644 --- a/setup/so-variables +++ b/setup/so-variables 
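Review bot: The failure branch near the end of this hunk always leaves `$error_log` empty: `grep --color=never "ERROR" "$setup_log" | grep -qvE "Status .* was not found|…" > "$error_log"` passes `-q` to the second grep, so it exits silently on the first surviving line and the redirection only truncates the file, leaving `whiptail_setup_failed` with no excerpt of what went wrong (the `-q` on the preceding `if grep … | grep -qvE …` test is correct, since only its exit status is used there). Dropping `-q` and matching the same pattern the test used fixes it: `grep --color=never -E "ERROR|Result: False" "$setup_log" | grep -vE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR" > "$error_log"`. Earlier in the same file the manager-plus-node defaults block sets `LSPIPELINEWORKERS=${LSPIPELINEBATCH:-125}` two lines after `LSPIPELINEWORKERS=${LSPIPELINEWORKERS:-1}`, which looks like a copy-paste slip that replaces the worker count with the batch-size default. Because this is committed as an executable `so-setup.old` snapshot of the root-run installer, it is unclear whether it is meant to be run; if it is kept, these fixes need to land in `so-setup` as well, and if not, carrying a stale copy of the installer next to the live one is worth avoiding.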
@@ -78,3 +78,125 @@ export ntp_string whiptail_title="Security Onion Setup - $SOVERSION" export whiptail_title + +mkdir -p $local_salt_dir/pillar/minions + +for THEDIR in elasticsearch redis backup strelka sensoroni curator soctopus docker zeek suricata nginx filebeat logstash soc manager kratos idstools idh +do + mkdir -p $local_salt_dir/pillar/$THEDIR + touch $local_salt_dir/pillar/$THEDIR adv.$THEDIR.sls +done + +global_pillar_file="$local_salt_dir/pillar/soc_global.sls" +export global_pillar_file + +adv_global_pillar_file="$local_salt_dir/pillar/adv_global.sls" +export adv_global_pillar_file + +elasticsearch_pillar_file="$local_salt_dir/pillar/elasticsearch/soc_elasticsearch.sls" +export elasticsearch_pillar_file + +adv_elasticsearch_pillar_file="$local_salt_dir/pillar/elasticsearch/adv_elasticsearch.sls" +export adv_elasticsearch_pillar_file + +backup_pillar_file="$local_salt_dir/pillar/backup/soc_backup.sls" +export backup_pillar_file + +adv_backup_pillar_file="$local_salt_dir/pillar/backup/adv_backup.sls" +export adv_backup_pillar_file + +strelka_pillar_file="$local_salt_dir/pillar/strelka/soc_strelka.sls" +export strelka_pillar_file + +adv_strelka_pillar_file="$local_salt_dir/pillar/strelka/adv_strelka.sls" +export adv_strelka_pillar_file + +sensoroni_pillar_file="$local_salt_dir/pillar/sensoroni/soc_sensoroni.sls" +export sensoroni_pillar_file + +adv_sensoroni_pillar_file="$local_salt_dir/pillar/sensoroni/adv_sensoroni.sls" +export adv_sensoroni_pillar_file + +curator_pillar_file="$local_salt_dir/pillar/curator/soc_curator.sls" +export curator_pillar_file + +adv_curator_pillar_file="$local_salt_dir/pillar/curator/adv_curator.sls" +export adv_curator_pillar_file + +soctopus_pillar_file="$local_salt_dir/pillar/soctopus/soc_soctopus.sls" +export soctopus_pillar_file + +adv_soctopus_pillar_file="$local_salt_dir/pillar/soctopus/adv_soctopus.sls" +export adv_soctopus_pillar_file + +docker_pillar_file="$local_salt_dir/pillar/docker/soc_docker.sls" +export 
docker_pillar + +adv_docker_pillar_file="$local_salt_dir/pillar/docker/adv_docker.sls" +export adv_docker_pillar + +zeek_pillar_file="$local_salt_dir/pillar/zeek/soc_zeek.sls" +export zeek_pillar_file + +adv_zeek_pillar_file="$local_salt_dir/pillar/zeek/adv_zeek.sls" +export adv_zeek_pillar_file + +suricata_pillar_file="$local_salt_dir/pillar/suricata/soc_suricata.sls" +export suricata_pillar_file + +adv_suricata_pillar_file="$local_salt_dir/pillar/suricata/adv_suricata.sls" +export adv_suricata_pillar_file + +filebeat_pillar_file="$local_salt_dir/pillar/filebeat/soc_filebeat.sls" +export filebeat_pillar_file + +adv_filebeat_pillar_file="$local_salt_dir/pillar/filebeat/adv_filebeat.sls" +export adv_filebeat_pillar_file + +logstash_pillar_file="$local_salt_dir/pillar/logstash/soc_logstash.sls" +export logstash_pillar_file + +adv_logstash_pillar_file="$local_salt_dir/pillar/logstash/adv_logstash.sls" +export adv_logstash_pillar_file + +soc_pillar_file="$local_salt_dir/pillar/soc/soc_soc.sls" +export soc_pillar_file + +adv_soc_pillar_file="$local_salt_dir/pillar/soc/adv_soc.sls" +export adv_soc_pillar_file + +manager_pillar_file="$local_salt_dir/pillar/manager/soc_manager.sls" +export manager_pillar_file + +adv_manager_pillar_file="$local_salt_dir/pillar/manager/adv_manager.sls" +export adv_manager_pillar_file + +kratos_pillar_file="$local_salt_dir/pillar/kratos/soc_kratos.sls" +export kratos_pillar_file + +adv_kratos_pillar_file="$local_salt_dir/pillar/kratos/adv_kratos.sls" +export adv_kratos_pillar_file + +idstools_pillar_file="$local_salt_dir/pillar/idstools/soc_idstools.sls" +export idstools_pillar_file + +adv_idstools_pillar_file="$local_salt_dir/pillar/idstools/adv_idstools.sls" +export adv_idstools_pillar_file + +nginx_pillar_file="$local_salt_dir/pillar/nginx/soc_nginx.sls" +export nginx_pillar_file + +adv_nginx_pillar_file="$local_salt_dir/pillar/nginx/adv_nginx.sls" +export adv_nginx_pillar_file + 
+redis_pillar_file="$local_salt_dir/pillar/redis/soc_redis.sls" +export redis_pillar_file + +adv_redis_pillar_file="$local_salt_dir/pillar/redis/adv_redis.sls" +export adv_redis_pillar_file + +idh_pillar_file="$local_salt_dir/pillar/idh/soc_idh.sls" +export idh_pillar_file + +adv_idh_pillar_file="$local_salt_dir/pillar/idh/adv_idh.sls" +export adv_idh_pillar_file \ No newline at end of file diff --git a/setup/so-whiptail b/setup/so-whiptail index 2c60b7e3e..55059e5f0 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . whiptail_airgap() { @@ -31,6 +22,9 @@ whiptail_airgap() { whiptail_check_exitstatus $exitstatus INTERWEBS=$(echo "${INTERWEBS^^}" | tr -d ' ') + if [[ "$INTERWEBS" == 'AIRGAP' ]]; then + is_airgap=true + fi } whiptail_analyst_install() { 
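Review bot: The docker entries export the wrong names: `docker_pillar_file` and `adv_docker_pillar_file` are assigned, but the lines that follow are `export docker_pillar` and `export adv_docker_pillar`, so the two variables that are actually set never reach child processes while every other service exports `<service>_pillar_file`. Change them to `export docker_pillar_file` and `export adv_docker_pillar_file`. Separately, the loop's touch line reads here as `touch $local_salt_dir/pillar/$THEDIR adv.$THEDIR.sls`, two arguments with the second a file in the current directory; if that is not a rendering artifact it should be a single path, presumably `touch "$local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls"` to match the `adv_<service>.sls` paths the variables below point at. Quoting `$local_salt_dir` in the `mkdir` and `touch` calls would also keep the loop correct if that path ever contains whitespace.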
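Review bot: `is_airgap=true` in whiptail_airgap is only ever set, never cleared, so if the prompt is shown a second time and the user picks the non-airgap option the stale value survives and still satisfies the `[[ $is_airgap ]]` tests used elsewhere in this file. Whether the function can be re-entered is not visible in this hunk, but resetting the flag is cheap: `is_airgap=` before the `if`, or an `else is_airgap=` branch. The start of whiptail_airgap is outside the hunk.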
@@ -99,29 +93,6 @@ whiptail_avoid_default_hostname() { --yes-button "Use Anyway" --no-button "Change" --defaultno } -whiptail_basic_suri() { - - [ -n "$TESTING" ] && return - - BASICSURI=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter the number of Suricata processes:" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_basic_zeek() { - - [ -n "$TESTING" ] && return - - BASICZEEK=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter the number of Zeek processes:" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - whiptail_bond_nics_mtu() { [ -n "$TESTING" ] && return 
@@ -196,70 +167,6 @@ whiptail_create_admin_user_password2() { } -whiptail_create_fleet_node_user() { - - [ -n "$TESTING" ] && return - - FLEETNODEUSER=$(whiptail --title "$whiptail_title" --inputbox \ - "Please enter an email for use as the username for the Fleet admin user:" 10 60 "$1" 3>&1 1>&2 2>&3) - -} - -whiptail_create_fleet_node_user_password1() { - - [ -n "$TESTING" ] && return - - FLEETNODEPASSWD1=$(whiptail --title "$whiptail_title" --passwordbox \ - "Enter a password for $FLEETNODEUSER:" 10 60 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - -whiptail_create_fleet_node_user_password2() { - - [ -n "$TESTING" ] && return - - FLEETNODEPASSWD2=$(whiptail --title "$whiptail_title" --passwordbox \ - "Re-enter a password for $FLEETNODEUSER:" 10 60 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_create_soremote_user() { - - [ -n "$TESTING" ] && return - - whiptail --title "$whiptail_title" --msgbox "Set a password for the soremote user. This account is used for adding sensors remotely." 8 75 - -} - -whiptail_create_soremote_user_password1() { - - [ -n "$TESTING" ] && return - - SOREMOTEPASS1=$(whiptail --title "$whiptail_title" --passwordbox \ - "Enter a password for user soremote:" 10 75 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_create_soremote_user_password2() { - - [ -n "$TESTING" ] && return - - SOREMOTEPASS2=$(whiptail --title "$whiptail_title" --passwordbox \ - "Re-enter a password for user soremote:" 10 75 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - whiptail_create_web_user() { [ -n "$TESTING" ] && return 
@@ -430,49 +337,6 @@ whiptail_dockernet_net() { } -whiptail_enable_components() { - - [ -n "$TESTING" ] && return - - GRAFANA=0 - OSQUERY=0 - WAZUH=0 - THEHIVE=0 - PLAYBOOK=0 - STRELKA=0 - -description="Choose optional services to be enabled for this installation. Be aware that the more services you enable the more RAM that is required." -if [[ $is_eval ]]; then - COMPONENTS=$(whiptail --title "$whiptail_title" --checklist \ - "$description" 20 75 8 \ - GRAFANA "Enable Grafana for system monitoring" ON \ - OSQUERY "Enable Fleet with osquery" ON \ - WAZUH "Enable Wazuh" ON \ - PLAYBOOK "Enable Playbook" ON \ - STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3) -else - COMPONENTS=$(whiptail --title "$whiptail_title" --checklist \ - "$description" 20 75 7 \ - OSQUERY "Enable Fleet with osquery" ON \ - WAZUH "Enable Wazuh" ON \ - PLAYBOOK "Enable Playbook" ON \ - STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3) - export "GRAFANA=1" -fi - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - COMPONENTS=$(echo "$COMPONENTS" | tr -d '"') - - IFS=' ' read -ra COMPONENTS <<< "$COMPONENTS" - - # Set any variables to 1 if they exist in COMPONENTS - for component in "${COMPONENTS[@]}"; do - export "$component=1" - done -} - whiptail_end_settings() { [ -n "$TESTING" ] && return @@ -483,15 +347,6 @@ whiptail_end_settings() { Node Type: $install_type Hostname: $HOSTNAME EOM - - if [[ $is_idh ]]; then - __append_end_msg "IDH Services Enabled:" - for service in ${idh_services[@]}; do - __append_end_msg "- $service" - done - - fi - [[ -n $NODE_DESCRIPTION ]] && __append_end_msg "Description: $NODE_DESCRIPTION" [[ $is_airgap ]] && __append_end_msg "Airgap: True" @@ -501,7 +356,6 @@ whiptail_end_settings() { __append_end_msg "Manager IP: $MSRVIP" fi - [[ $is_iso ]] && __append_end_msg "Network: $address_type" __append_end_msg "Management NIC: $MNIC" 
@@ -536,12 +390,6 @@ whiptail_end_settings() { for net in "${homenet_arr[@]}"; do __append_end_msg " - $net" done - elif [[ -n $HNSENSOR ]]; then - __append_end_msg "Home Network(s):" - IFS="," read -r -a homenet_arr <<< "$HNSENSOR" - for net in "${homenet_arr[@]}"; do - __append_end_msg " - $net" - done fi [[ -n $REDIRECTIT ]] && __append_end_msg "Access URL: https://${REDIRECTIT}" 
@@ -550,61 +398,7 @@ whiptail_end_settings() { [[ -n $WEBUSER ]] && __append_end_msg "Web User: $WEBUSER" - [[ -n $FLEETNODEUSER ]] && __append_end_msg "Fleet User: $FLEETNODEUSER" - - [[ -n $FLEETCUSTOMHOSTNAME ]] && __append_end_msg "Fleet Custom Hostname: $FLEETCUSTOMHOSTNAME" - - if [[ $is_manager ]]; then - __append_end_msg "Enabled Optional Components:" - for component in "${COMPONENTS[@]}"; do - __append_end_msg " - $component" - done - fi - - # METADATA / IDS - - if [[ -n $ZEEKVERSION ]]; then - local md_tool_string=${ZEEKVERSION,;} - md_tool_string=${md_tool_string^} - - __append_end_msg "Metadata Tool: $md_tool_string" - fi - - [[ -n $RULESETUP ]] && __append_end_msg "IDS Ruleset: $RULESETUP" - [[ -n $OINKCODE ]] && __append_end_msg "Oinkcode: $OINKCODE" - - # PATCH SCHEDULE - - if [[ -n $PATCHSCHEDULENAME ]]; then - __append_end_msg "Patch Schedule:" - if [[ $PATCHSCHEDULENAME == 'auto'|| $PATCHSCHEDULENAME == 'manual' ]]; then - __append_end_msg " Type: $PATCHSCHEDULENAME" - else - __append_end_msg " Name: $PATCHSCHEDULENAME" - fi - if [[ ${#PATCHSCHEDULEDAYS[@]} -gt 0 ]]; then - __append_end_msg " Day(s):" - for day in "${PATCHSCHEDULEDAYS[@]}"; do - __append_end_msg " - $day" - done - fi - if [[ ${#PATCHSCHEDULEHOURS[@]} -gt 0 ]]; then - __append_end_msg " Hours(s):" - for hour in "${PATCHSCHEDULEHOURS[@]}"; do - __append_end_msg " - $hour" - done - fi - fi - - # MISC - - [[ $is_helix ]] && __append_end_msg "Helix API key: $HELIXAPIKEY" [[ -n $DOCKERNET ]] && __append_end_msg "Docker network: $DOCKERNET" - if [[ -n $MANAGERUPDATES ]]; then - __append_end_msg "OS Package Updates: Manager" - else - __append_end_msg "OS Package Updates: Open" - fi if [[ ${#ntp_servers[@]} -gt 0 ]]; then __append_end_msg "NTP Servers:" for server in "${ntp_servers[@]}"; do 
@@ -612,37 +406,6 @@ whiptail_end_settings() { done fi - if [[ $NSMSETUP != 'ADVANCED' ]]; then - [[ -n $BASICZEEK ]] && __append_end_msg "Zeek Processes: $BASICZEEK" - [[ -n $BASICSURI ]] && __append_end_msg "Suricata Processes: $BASICSURI" - fi - - # ADVANCED OR REGULAR - - if [[ $NODESETUP == 'NODEADVANCED' ]]; then - __append_end_msg "Advanced Node Settings:" - if [[ ! $is_receiver ]]; then - __append_end_msg " Elasticsearch Heap Size: $NODE_ES_HEAP_SIZE" - __append_end_msg " Elasticsearch Storage Space: ${log_size_limit}GB" - fi - __append_end_msg " Logstash Heap Size: $NODE_LS_HEAP_SIZE" - __append_end_msg " Logstash Worker Count: $LSPIPELINEWORKERS" - __append_end_msg " Logstash Batch Size: $LSPIPELINEBATCH" - __append_end_msg " Logstash Input Threads: $LSINPUTTHREADS" - else - if [[ ! $is_analyst ]]; then - if [[ ! $is_receiver ]]; then - __append_end_msg "Elasticsearch Heap Size: $NODE_ES_HEAP_SIZE" - __append_end_msg "Elasticsearch Storage Space: ${log_size_limit}GB" - fi - __append_end_msg "Logstash Heap Size: $NODE_LS_HEAP_SIZE" - __append_end_msg "Logstash Worker Count: $LSPIPELINEWORKERS" - __append_end_msg "Logstash Batch Size: $LSPIPELINEBATCH" - __append_end_msg "Logstash Input Threads: $LSINPUTTHREADS" - fi - fi - - # ADVANCED if [[ $MANAGERADV == 'ADVANCED' ]]; then __append_end_msg "Advanced Manager Settings:" 
@@ -655,26 +418,6 @@ whiptail_end_settings() { fi fi - if [[ $NSMSETUP == 'ADVANCED' ]]; then - __append_end_msg "Advanced NSM Settings:" - if [[ ${#ZEEKPINS[@]} -gt 0 ]]; then - local zeek_pin_str - for core in "${ZEEKPINS[@]}"; do - zeek_pin_str="${zeek_pin_str}${core}," - done - zeek_pin_str=${zeek_pin_str%,} - __append_end_msg " Zeek Pinned Cores: ${zeek_pin_str}" - fi - if [[ ${#SURIPINS[@]} -gt 0 ]]; then - local suri_pin_str - for core in "${SURIPINS[@]}"; do - suri_pin_str="${suri_pin_str}${core}," - done - suri_pin_str=${suri_pin_str%,} - __append_end_msg " Suricata Pinned Cores: ${suri_pin_str}" - fi - fi - local msg read -r -d '' msg <<-EOM $end_msg @@ -700,30 +443,6 @@ __append_end_msg() { EOM } -whiptail_eval_adv() { - - [ -n "$TESTING" ] && return - - EVALADVANCED=$(whiptail --title "$whiptail_title" --radiolist \ - "Choose your eval install:" 20 75 4 \ - "BASIC" "Install basic components for evaluation" ON \ - "ADVANCED" "Choose additional components to be installed" OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - -whiptail_fleet_custom_hostname() { - - [ -n "$TESTING" ] && return - - FLEETCUSTOMHOSTNAME=$(whiptail --title "$whiptail_title" --inputbox \ - "What FQDN should osquery clients use for connections to this Fleet node? Leave blank if the local system hostname will be used." 10 60 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - whiptail_gauge_post_setup() { if [ -n "$TESTING" ]; then 
@@ -735,102 +454,6 @@ whiptail_gauge_post_setup() { fi } -whiptail_helix_apikey() { - - [ -n "$TESTING" ] && return - - HELIXAPIKEY=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter your Helix API Key: \n \nThis can be set later using so-helix-apikey" 10 75 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus - -} - -#TODO: Combine these two functions - -whiptail_homenet_manager() { - - [ -n "$TESTING" ] && return - - HNMANAGER=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter your home network(s), separating CIDR blocks with a comma (,):" 10 75 "$1" 3>&1 1>&2 2>&3) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - export HNMANAGER -} - -whiptail_homenet_sensor_inherit() { - [ -n "$TESTING" ] && return - - # Ask to inherit from manager - whiptail --title "$whiptail_title" --yesno "Do you want to inherit the HOME_NET from the Manager?" 8 75 -} - -whiptail_homenet_sensor() { - [ -n "$TESTING" ] && return - - HNSENSOR=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter your home network(s), separating CIDR blocks with a comma (,):" 10 75 "$1" 3>&1 1>&2 2>&3) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - export HNSENSOR -} - - whiptail_idh_preferences() { - - [ -n "$TESTING" ] && return - - idh_preferences=$(whiptail --title "$whiptail_title" --radiolist \ - "\nBy default, the IDH services selected in the previous screen will be bound to all interfaces and IP addresses on this system.\n\nIf you would like to prevent IDH services from being published on this system's management IP, you can select the option below." 20 75 5 \ - "$MAINIP" "Disable IDH services on this management IP " OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? 
- whiptail_check_exitstatus $exitstatus -} - -whiptail_idh_services() { - - [ -n "$TESTING" ] && return - - idh_services=$(whiptail --title "$whiptail_title" --radiolist \ - "\nThe IDH node can mimic many different services.\n\nChoose one of the common options along with their default ports (TCP) or select the Custom option to build a customized set of services." 20 75 5 \ - "Linux Webserver (NAS Skin)" "Apache (80), FTP (21), SSH (22)" ON \ - "MySQL Server" "MySQL (3306), SSH (22)" OFF \ - "MSSQL Server" "Microsoft SQL (1433), VNC (5900)" OFF \ - "Custom" "Select a custom set of services" OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - - -whiptail_idh_services_custom() { - - [ -n "$TESTING" ] && return - - idh_services=$(whiptail --title "$whiptail_title" --checklist \ - "\nThe IDH node can mimic many different services.\n\nChoose one or more of the following services along with their default ports. Some services have additional configuration options, please consult the documentation for further information." 25 75 8 \ - "FTP" " TCP/21, Additional Configuration Available " OFF \ - "Git" " TCP/9418 " OFF \ - "HTTP" " TCP/80, Additional Configuration Available " OFF \ - "HTTPPROXY" " TCP/8080, Additional Configuration Available " OFF \ - "MSSQL" " TCP/1433 " OFF \ - "MySQL" " TCP/3306, Additional Configuration Available " OFF \ - "NTP" " UDP/123 " OFF \ - "REDIS" " TCP/6379 " OFF \ - "SNMP" " UDP/161 " OFF \ - "SSH" " TCP/22, Additional Configuration Available " OFF \ - "TELNET" " TCP/23, Additional Configuration Available " OFF \ - "TFTP" " UDP/69 " OFF \ - "VNC" " TCP/5900 " OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - whiptail_install_type() { [ -n "$TESTING" ] && return 
@@ -868,8 +491,8 @@ whiptail_install_type_dist() { [ -n "$TESTING" ] && return dist_option=$(whiptail --title "$whiptail_title" --menu "Do you want to start a new deployment or join this box to \nan existing deployment?" 11 75 2 \ - "New Deployment " "Create a new Security Onion deployment" \ "Existing Deployment " "Join to an existing Security Onion deployment " \ + "New Deployment " "Create a new Security Onion deployment" \ 3>&1 1>&2 2>&3 ) local exitstatus=$? @@ -923,11 +546,41 @@ whiptail_install_type_dist_existing() { # "WAZUH" "Stand Alone Wazuh Server" OFF \ # TODO # "STRELKA" "Stand Alone Strelka Node" OFF \ # TODO ) + if [ "$install_type" = 'EVAL' ]; then + is_eval=true + STRELKARULES=1 + elif [ "$install_type" = 'STANDALONE' ]; then + is_sensor=true + elif [ "$install_type" = 'MANAGERSEARCH' ]; then + is_standalone=true + is_elasticsearch=true + elif [ "$install_type" = 'MANAGER' ]; then + is_manager=true + elif [ "$install_type" = 'SENSOR' ]; then + is_sensor=true + elif [[ "$install_type" =~ ^('SEARCHNODE'|'HOTNODE'|'WARMNODE')$ ]]; then + is_elasticsearch=true + elif [ "$install_type" = 'HEAVYNODE' ]; then + is_heavy=true + elif [ "$install_type" = 'FLEET' ]; then + is_fleet=true + elif [ "$install_type" = 'IDH' ]; then + is_idh=true + elif [ "$install_type" = 'IMPORT' ]; then + is_import=true + elif [ "$install_type" = 'RECEIVER' ]; then + is_receiver=true + elif [ "$install_type" = 'ANALYST' ]; then + if [ "$setup_type" != 'analyst' ]; then + exec bash so-setup analyst + fi + fi local exitstatus=$? whiptail_check_exitstatus $exitstatus } + whiptail_install_type_other() { [ -n "$TESTING" ] && return 
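Review bot: In whiptail_install_type_dist_existing the new `if`/`elif` chain now sits between the whiptail call and `local exitstatus=$?`, so `$?` no longer reflects whiptail's result: a chain with no matching branch yields 0 and a matching branch yields the status of its last assignment, which means a cancelled dialog (empty `install_type`) passes `whiptail_check_exitstatus` and setup continues with no node type. Move `local exitstatus=$?` and `whiptail_check_exitstatus $exitstatus` to directly after the closing `)` of the whiptail command, before the chain. The `STANDALONE` branch also sets `is_sensor=true` while `MANAGERSEARCH` sets `is_standalone=true`; that looks like the two flags are crossed and is worth confirming against how so-setup consumes them. The whiptail command this function wraps starts outside the hunk.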
@@ -1256,73 +909,6 @@ whiptail_manager_adv() { } -# Ask if you want to do true clustering -whiptail_manager_adv_escluster(){ - - [ -n "$TESTING" ] && return - - whiptail --title "$whiptail_title" --yesno \ - "Do you want to set up a traditional ES cluster for using replicas and/or Hot-Warm indices? Recommended only for those who have experience with ES clustering! " 12 75 - -} - -# Get a cluster name -whiptail_manager_adv_escluster_name(){ - - [ -n "$TESTING" ] && return - - ESCLUSTERNAME=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter a name for your ES cluster!" 10 75 "$1" 3>&1 1>&2 2>&3) -} - -# Ask which additional components to install -whiptail_manager_adv_service_zeeklogs() { - - [ -n "$TESTING" ] && return - - BLOGS=$(whiptail --title "$whiptail_title" --checklist "Please select logs to send:" 24 75 12 \ - "conn" "Connection Logging" ON \ - "dce_rpc" "RPC Logs" ON \ - "dhcp" "DHCP Logs" ON \ - "dnp3" "DNP3 Logs" ON \ - "dns" "DNS Logs" ON \ - "dpd" "DPD Logs" ON \ - "files" "Files Logs" ON \ - "ftp" "FTP Logs" ON \ - "http" "HTTP Logs" ON \ - "intel" "Intel Hits Logs" ON \ - "irc" "IRC Chat Logs" ON \ - "kerberos" "Kerberos Logs" ON \ - "modbus" "MODBUS Logs" ON \ - "notice" "Zeek Notice Logs" ON \ - "ntlm" "NTLM Logs" ON \ - "pe" "PE Logs" ON \ - "radius" "Radius Logs" ON \ - "rfb" "RFB Logs" ON \ - "rdp" "RDP Logs" ON \ - "sip" "SIP Logs" ON \ - "smb_files" "SMB Files Logs" ON \ - "smb_mapping" "SMB Mapping Logs" ON \ - "smtp" "SMTP Logs" ON \ - "snmp" "SNMP Logs" ON \ - "ssh" "SSH Logs" ON \ - "ssl" "SSL Logs" ON \ - "syslog" "Syslog Logs" ON \ - "tunnel" "Tunnel Logs" ON \ - "weird" "Zeek Weird Logs" ON \ - "mysql" "MySQL Logs" ON \ - "socks" "SOCKS Logs" ON \ - "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - BLOGS=$(echo "$BLOGS" | tr -d '"') - - IFS=' ' read -ra BLOGS <<< "$BLOGS" - -} - whiptail_manager_error() { [ -n "$TESTING" ] && return 
@@ -1352,8 +938,23 @@ whiptail_manager_updates_warning() { whiptail_manager_unreachable() { [ -n "$TESTING" ] && return + + local msg + read -r -d '' msg <<- EOM + Setup is unable to access the manager at this time. + + Run the following on the manger: - whiptail --title "$whiptail_title" --msgbox "Setup cannot determine if $1 is listening on port 22. Please check the address entered and try again." 7 75 + so-firewall-minion --role=$install_type --ip=$MAINIP + Would you like to retry? + EOM + whiptail --title "$whiptail_title" --yesno "$msg" 20 75 + local status=$? + if [[ "$status" == 1 ]]; then + whiptail_cancel + else + check_manager_connection + fi } whiptail_metadata_tool() { @@ -1381,20 +982,6 @@ whiptail_metadata_tool() { ZEEKVERSION=$(echo "${ZEEKVERSION^^}" | tr -d ' ') } -whiptail_nids() { - - [ -n "$TESTING" ] && return - - NIDS=$(whiptail --title "$whiptail_title" --radiolist \ - "Choose which IDS to run: \n\n(Snort 3.0 support will be added once it is out of beta.)" 25 75 4 \ - "Suricata" "Suricata" ON \ - "Snort" "Placeholder for Snort 3.0 " OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - whiptail_network_notice() { [ -n "$TESTING" ] && return @@ -1412,20 +999,6 @@ whiptail_net_reinit() { whiptail --title "$whiptail_title" --yesno "The management interface has already been configured. Do you want to reconfigure it?" 8 75 } -whiptail_node_advanced() { - - [ -n "$TESTING" ] && return - - NODESETUP=$(whiptail --title "$whiptail_title" --radiolist \ - "What type of config would you like to use?:" 20 75 4 \ - "NODEBASIC" "Install Search Node with recommended settings" ON \ - "NODEADVANCED" "Advanced Node Setup" OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - whiptail_node_description() { [ -n "$TESTING" ] && return 
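Review bot: In whiptail_manager_unreachable the retry decision `if [[ "$status" == 1 ]]` treats only an explicit "No" as cancel; whiptail returns 255 when the dialog is dismissed with ESC, and that value falls into the `else` branch and retries the connection the user was trying to abandon, so `if [[ "$status" != 0 ]]; then whiptail_cancel` is the safer test. The retry path calls `check_manager_connection` from inside the dialog function; if that helper in turn calls whiptail_manager_unreachable on failure (not visible here), every retry nests another call rather than looping, and a loop in the caller would be the cleaner shape. The `$1` argument the old message displayed is no longer used, and the heredoc text has a typo, `manger` for `manager`.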
@@ -1436,67 +1009,6 @@ whiptail_node_description() { whiptail_check_exitstatus $exitstatus } -whiptail_node_es_heap() { - - [ -n "$TESTING" ] && return - - NODE_ES_HEAP_SIZE=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter ES heap size:" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_node_ls_heap() { - - [ -n "$TESTING" ] && return - - NODE_LS_HEAP_SIZE=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter Logstash heap size:" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_node_ls_input_threads() { - - [ -n "$TESTING" ] && return - - LSINPUTTHREADS=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter number of Logstash input threads:" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - - -whiptail_node_ls_pipline_batchsize() { - - [ -n "$TESTING" ] && return - - LSPIPELINEBATCH=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter Logstash pipeline batch size:" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_node_ls_pipeline_worker() { - - [ -n "$TESTING" ] && return - - LSPIPELINEWORKERS=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter number of Logstash pipeline workers:" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - whiptail_ntp_ask() { [ -n "$TESTING" ] && return @@ -1513,18 +1025,6 @@ whiptail_ntp_servers() { whiptail_check_exitstatus $exitstatus } -whiptail_oinkcode() { - - [ -n "$TESTING" ] && return - - OINKCODE=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter your ET Pro or oinkcode:" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - #TODO: helper function to display error message or exit if batch mode # exit_if_batch <"Error string"> 
@@ -1542,106 +1042,6 @@ whiptail_passwords_dont_match() { } -whiptail_patch_name_new_schedule() { - - [ -n "$TESTING" ] && return - - PATCHSCHEDULENAME=$(whiptail --title "$whiptail_title" --inputbox \ - "What name do you want to give this OS patch schedule? This schedule needs to be named uniquely. Available schedules can be found on the manager under /opt/so/salt/patch/os/schedules/.yml" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - -whiptail_patch_schedule() { - - [ -n "$TESTING" ] && return - - patch_schedule=$(whiptail --title "$whiptail_title" --radiolist \ - "Choose OS patch schedule.\n\nThis schedule will update the operating system packages but will NOT update Security Onion related tools such as Zeek, Elasticsearch, Kibana, SaltStack, etc." 20 75 5 \ - "Automatic" "Updates installed every 8 hours if available" ON \ - "Manual" "Updates will be installed manually" OFF \ - "Import Schedule" "Import named schedule on following screen" OFF \ - "New Schedule" "Configure and name new schedule on next screen" OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - -whiptail_patch_schedule_import() { - - [ -n "$TESTING" ] && return - - unset PATCHSCHEDULENAME - PATCHSCHEDULENAME=$(whiptail --title "$whiptail_title" --inputbox \ - "Enter the name of the OS patch schedule you want to inherit. \nAvailable schedules can be found on the manager under /opt/so/salt/patch/os/schedules/.yml" 10 75 "$1" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - -whiptail_patch_schedule_select_days() { - - [ -n "$TESTING" ] && return - - # Select the days to patch - PATCHSCHEDULEDAYS=$(whiptail --title "$whiptail_title" --checklist \ - "Which days do you want to apply OS patches?" 15 75 8 \ - Monday "" OFF \ - Tuesday "" ON \ - Wednesday "" OFF \ - Thursday "" OFF \ - Friday "" OFF \ - Saturday "" OFF \ - Sunday "" OFF 3>&1 1>&2 2>&3) - - local exitstatus=$? 
- whiptail_check_exitstatus $exitstatus - - PATCHSCHEDULEDAYS=$(echo "$PATCHSCHEDULEDAYS" | tr -d '"') - - IFS=' ' read -ra PATCHSCHEDULEDAYS <<< "$PATCHSCHEDULEDAYS" - -} - -whiptail_patch_schedule_select_hours() { - - [ -n "$TESTING" ] && return - - # Select the hours to patch - PATCHSCHEDULEHOURS=$(whiptail --title "$whiptail_title" --checklist \ - "At which time, UTC, do you want to apply OS patches on the selected days?" 22 75 13 \ - 00:00 "" OFF \ - 01:00 "" OFF \ - 02:00 "" ON \ - 03:00 "" OFF \ - 04:00 "" OFF \ - 05:00 "" OFF \ - 06:00 "" OFF \ - 07:00 "" OFF \ - 08:00 "" OFF \ - 09:00 "" OFF \ - 10:00 "" OFF \ - 11:00 "" OFF \ - 12:00 "" OFF \ - 13:00 "" OFF \ - 14:00 "" OFF \ - 15:00 "" OFF \ - 16:00 "" OFF \ - 17:00 "" OFF \ - 18:00 "" OFF \ - 19:00 "" OFF \ - 20:00 "" OFF \ - 21:00 "" OFF \ - 22:00 "" OFF \ - 23:00 "" OFF 3>&1 1>&2 2>&3) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - PATCHSCHEDULEHOURS=$(echo "$PATCHSCHEDULEHOURS" | tr -d '"') - IFS=' ' read -ra PATCHSCHEDULEHOURS <<< "$PATCHSCHEDULEHOURS" - -} - whiptail_preflight_err() { [ -n "$TESTING" ] && return 1 
@@ -1721,23 +1121,6 @@ whiptail_requirements_error() { whiptail_check_exitstatus $exitstatus } -whiptail_rule_setup() { - - [ -n "$TESTING" ] && return - - # Get pulled pork info - RULESETUP=$(whiptail --title "$whiptail_title" --radiolist \ - "Which IDS ruleset would you like to use?\n\nThis manager server is responsible for downloading the IDS ruleset from the Internet.\n\nSensors then pull a copy of this ruleset from the manager server.\n\nIf you select a commercial ruleset, it is your responsibility to purchase enough licenses for all of your sensors in compliance with your vendor's policies." 20 75 4 \ - "ETOPEN" "Emerging Threats Open" ON \ - "ETPRO" "Emerging Threats PRO" OFF \ - "TALOS" "Snort Subscriber ruleset - Experimental" OFF \ - 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - whiptail_sensor_config() { [ -n "$TESTING" ] && return @@ -1903,36 +1286,6 @@ whiptail_so_allow() { whiptail_check_exitstatus $exitstatus } -whiptail_ssh_key_copy_notice() { - [ -n "$TESTING" ] && return - - read -r -d '' message <<- EOM - Setup will now copy the ssh key for soremote to the manager. This will bring you to the command line temporarily to accept the manager's ED25519 certificate and enter the password for soremote. - - Select OK to continue. - EOM - - whiptail --title "$whiptail_title" --msgbox "$message" 11 75 - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - -whiptail_ssh_warning() { - [ -n "$TESTING" ] && return - - local msg - - read -r -d '' msg <<- EOM - NOTE: You will receive a warning upon SSH reconnect that the host key has changed. - - This is expected due to hardening of the OpenSSH server config. - - The host key algorithm will now be ED25519, follow the instructions given by your SSH client to remove the old key fingerprint then retry the connection. - EOM - - whiptail --msgbox "$msg" 14 75 -} - whiptail_storage_requirements() { local mount=$1 local current_val=$2 
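Review bot: This hunk deletes `whiptail_ssh_warning`, but the so-setup change in the same commit still adds `[[ $setup_type != 'iso' && ! $is_idh ]] && whiptail_ssh_warning` on its post-install path, so unless the function is defined elsewhere that non-ISO, non-IDH path will end with a "command not found" after setup has otherwise succeeded. Either keep the function here or drop the call in so-setup; the notice it carried (the host key changing to ED25519 after `so-ssh-harden`) is the kind of expected-behaviour message that stops an analyst from treating the changed fingerprint as an incident, so keeping it seems preferable. The removals of `whiptail_ssh_key_copy_notice` here and `whiptail_rule_setup` in the preceding hunk look consistent with the soremote and ruleset prompts being dropped elsewhere in this commit.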
@@ -1959,47 +1312,6 @@ whiptail_storage_requirements() { whiptail_check_exitstatus $exitstatus } -whiptail_strelka_rules() { - - [ -n "$TESTING" ] && return - - whiptail --title "$whiptail_title" --yesno "Do you want to enable the default YARA rules for Strelka?" 8 75 - - local exitstatus=$? - - if [[ $exitstatus == 0 ]]; then export STRELKARULES=1; fi -} - -whiptail_suricata_pins() { - - [ -n "$TESTING" ] && return - - local filtered_core_list - readarray -t filtered_core_list <<< "$(echo "${cpu_core_list[@]}" "${ZEEKPINS[@]}" | xargs -n1 | sort | uniq -u | awk '{print $1}')" - - local filtered_core_str=() - for item in "${filtered_core_list[@]}"; do - filtered_core_str+=("$item" "") - done - - if [[ $is_node && $is_sensor && ! $is_eval ]]; then - local PROCS=$(expr $lb_procs / 2) - if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi - else - local PROCS=$lb_procs - fi - - SURIPINS=$(whiptail --noitem --title "$whiptail_title" --checklist "Please select $PROCS cores to pin Suricata to:" 20 75 12 "${filtered_core_str[@]}" 3>&1 1>&2 2>&3 ) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - SURIPINS=$(echo "$SURIPINS" | tr -d '"') - - IFS=' ' read -ra SURIPINS <<< "$SURIPINS" - -} - -# shellcheck disable=2120 whiptail_uppercase_warning() { [ -n "$TESTING" ] && return 
@@ -2055,28 +1367,3 @@ whiptail_you_sure() { return $exitstatus } - -whiptail_zeek_pins() { - - [ -n "$TESTING" ] && return - - local cpu_core_list_whiptail=() - for item in "${cpu_core_list[@]}"; do - cpu_core_list_whiptail+=("$item" "OFF") - done - - if [[ $is_smooshed ]]; then - local PROCS=$(expr $lb_procs / 2) - if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi - else - local PROCS=$lb_procs - fi - - ZEEKPINS=$(whiptail --noitem --title "$whiptail_title" --checklist "Please select $PROCS cores to pin Zeek to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 ) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - ZEEKPINS=$(echo "$ZEEKPINS" | tr -d '"') - - IFS=' ' read -ra ZEEKPINS <<< "$ZEEKPINS" -} diff --git a/sigs/securityonion-2.0.2-rc1.iso.sig b/sigs/securityonion-2.0.2-rc1.iso.sig deleted file mode 100644 index c51d7e1e4..000000000 Binary files a/sigs/securityonion-2.0.2-rc1.iso.sig and /dev/null differ diff --git a/sigs/securityonion-2.0.3-rc1.iso.sig b/sigs/securityonion-2.0.3-rc1.iso.sig deleted file mode 100644 index 65a45c7d7..000000000 Binary files a/sigs/securityonion-2.0.3-rc1.iso.sig and /dev/null differ diff --git a/sigs/securityonion-2.1.0-rc2.iso.sig b/sigs/securityonion-2.1.0-rc2.iso.sig deleted file mode 100644 index cc03c894d..000000000 Binary files a/sigs/securityonion-2.1.0-rc2.iso.sig and /dev/null differ diff --git a/sigs/securityonion-2.2.0-rc3.iso.sig b/sigs/securityonion-2.2.0-rc3.iso.sig deleted file mode 100644 index 283f56c49..000000000 Binary files a/sigs/securityonion-2.2.0-rc3.iso.sig and /dev/null differ diff --git a/sigs/securityonion-2.3.0.iso.sig b/sigs/securityonion-2.3.0.iso.sig deleted file mode 100644 index 0a6c3a7d6..000000000 Binary files a/sigs/securityonion-2.3.0.iso.sig and /dev/null differ 
diff --git a/sigs/securityonion-2.3.1.iso.sig b/sigs/securityonion-2.3.1.iso.sig
deleted file mode 100644
index 751cb380a..000000000
Binary files a/sigs/securityonion-2.3.1.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.10.iso.sig b/sigs/securityonion-2.3.10.iso.sig
deleted file mode 100644
index f1c9093fd..000000000
Binary files a/sigs/securityonion-2.3.10.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.100-20220131.iso.sig b/sigs/securityonion-2.3.100-20220131.iso.sig
deleted file mode 100644
index cd13420e4..000000000
Binary files a/sigs/securityonion-2.3.100-20220131.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.100-20220202.iso.sig b/sigs/securityonion-2.3.100-20220202.iso.sig
deleted file mode 100644
index 228dafb16..000000000
Binary files a/sigs/securityonion-2.3.100-20220202.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.100-20220203.iso.sig b/sigs/securityonion-2.3.100-20220203.iso.sig
deleted file mode 100644
index 296efd987..000000000
Binary files a/sigs/securityonion-2.3.100-20220203.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.100-20220301.iso.sig b/sigs/securityonion-2.3.100-20220301.iso.sig
deleted file mode 100644
index d4f6b021c..000000000
Binary files a/sigs/securityonion-2.3.100-20220301.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.110-20220309.iso.sig b/sigs/securityonion-2.3.110-20220309.iso.sig
deleted file mode 100644
index 0750f4b4b..000000000
Binary files a/sigs/securityonion-2.3.110-20220309.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.110-20220404.iso.sig b/sigs/securityonion-2.3.110-20220404.iso.sig
deleted file mode 100644
index bd8215953..000000000
Binary files a/sigs/securityonion-2.3.110-20220404.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.110-20220405.iso.sig b/sigs/securityonion-2.3.110-20220405.iso.sig
deleted file mode 100644
index bc4648f17..000000000
Binary files a/sigs/securityonion-2.3.110-20220405.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.110-20220407.iso.sig b/sigs/securityonion-2.3.110-20220407.iso.sig
deleted file mode 100644
index 2ea694428..000000000
Binary files a/sigs/securityonion-2.3.110-20220407.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.120-20220425.iso.sig b/sigs/securityonion-2.3.120-20220425.iso.sig
deleted file mode 100644
index ba8743ad3..000000000
Binary files a/sigs/securityonion-2.3.120-20220425.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.130-20220607.iso.sig b/sigs/securityonion-2.3.130-20220607.iso.sig
deleted file mode 100644
index e3f97a43a..000000000
Binary files a/sigs/securityonion-2.3.130-20220607.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.140-20220718.iso.sig b/sigs/securityonion-2.3.140-20220718.iso.sig
deleted file mode 100644
index 5628c323f..000000000
Binary files a/sigs/securityonion-2.3.140-20220718.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.2.iso.sig b/sigs/securityonion-2.3.2.iso.sig
deleted file mode 100644
index 53bfe4569..000000000
Binary files a/sigs/securityonion-2.3.2.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.20.iso.sig b/sigs/securityonion-2.3.20.iso.sig
deleted file mode 100644
index 4f24d5839..000000000
Binary files a/sigs/securityonion-2.3.20.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.21.iso.sig b/sigs/securityonion-2.3.21.iso.sig
deleted file mode 100644
index 6c49a9391..000000000
Binary files a/sigs/securityonion-2.3.21.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.30.iso.sig b/sigs/securityonion-2.3.30.iso.sig
deleted file mode 100644
index b89b2364a..000000000
Binary files a/sigs/securityonion-2.3.30.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.40.iso.sig b/sigs/securityonion-2.3.40.iso.sig
deleted file mode 100644
index ea7c04fb2..000000000
Binary files a/sigs/securityonion-2.3.40.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.50.iso.sig b/sigs/securityonion-2.3.50.iso.sig
deleted file mode 100644
index d8405a042..000000000
Binary files a/sigs/securityonion-2.3.50.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.51.iso.sig b/sigs/securityonion-2.3.51.iso.sig
deleted file mode 100644
index 80137a352..000000000
Binary files a/sigs/securityonion-2.3.51.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.52.iso.sig b/sigs/securityonion-2.3.52.iso.sig
deleted file mode 100644
index bd18b5eea..000000000
Binary files a/sigs/securityonion-2.3.52.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.60-CURATORAUTH.iso.sig b/sigs/securityonion-2.3.60-CURATORAUTH.iso.sig
deleted file mode 100644
index b6213a63d..000000000
Binary files a/sigs/securityonion-2.3.60-CURATORAUTH.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.60-ECSFIX.iso.sig b/sigs/securityonion-2.3.60-ECSFIX.iso.sig
deleted file mode 100644
index cc55927fa..000000000
Binary files a/sigs/securityonion-2.3.60-ECSFIX.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig b/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig
deleted file mode 100644
index 56418a152..000000000
Binary files a/sigs/securityonion-2.3.60-FBPIPELINE.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.60.iso.sig b/sigs/securityonion-2.3.60.iso.sig
deleted file mode 100644
index c00a5c664..000000000
Binary files a/sigs/securityonion-2.3.60.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.61-MSEARCH.iso.sig b/sigs/securityonion-2.3.61-MSEARCH.iso.sig
deleted file mode 100644
index 52b3b7645..000000000
Binary files a/sigs/securityonion-2.3.61-MSEARCH.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.61-STENODOCKER.iso.sig b/sigs/securityonion-2.3.61-STENODOCKER.iso.sig
deleted file mode 100644
index aad56a116..000000000
Binary files a/sigs/securityonion-2.3.61-STENODOCKER.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.61.iso.sig b/sigs/securityonion-2.3.61.iso.sig
deleted file mode 100644
index 4e191e92e..000000000
Binary files a/sigs/securityonion-2.3.61.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.70-CURATOR.iso.sig b/sigs/securityonion-2.3.70-CURATOR.iso.sig
deleted file mode 100644
index a9dfc3d1d..000000000
Binary files a/sigs/securityonion-2.3.70-CURATOR.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.70-GRAFANA.iso.sig b/sigs/securityonion-2.3.70-GRAFANA.iso.sig
deleted file mode 100644
index 8abec2097..000000000
Binary files a/sigs/securityonion-2.3.70-GRAFANA.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.70-WAZUH.iso.sig b/sigs/securityonion-2.3.70-WAZUH.iso.sig
deleted file mode 100644
index 43ce74d15..000000000
Binary files a/sigs/securityonion-2.3.70-WAZUH.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.70.iso.sig b/sigs/securityonion-2.3.70.iso.sig
deleted file mode 100644
index 68cedd6be..000000000
Binary files a/sigs/securityonion-2.3.70.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.80.iso.sig b/sigs/securityonion-2.3.80.iso.sig
deleted file mode 100644
index 4fa76de2e..000000000
Binary files a/sigs/securityonion-2.3.80.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.90-20211206.iso.sig b/sigs/securityonion-2.3.90-20211206.iso.sig
deleted file mode 100644
index 5afc243dd..000000000
Binary files a/sigs/securityonion-2.3.90-20211206.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.90-20211210.iso.sig b/sigs/securityonion-2.3.90-20211210.iso.sig
deleted file mode 100644
index 4fb061626..000000000
Binary files a/sigs/securityonion-2.3.90-20211210.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.90-20211213.iso.sig b/sigs/securityonion-2.3.90-20211213.iso.sig
deleted file mode 100644
index cbf5489f2..000000000
Binary files a/sigs/securityonion-2.3.90-20211213.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.90-AIRGAPFIX.iso.sig b/sigs/securityonion-2.3.90-AIRGAPFIX.iso.sig
deleted file mode 100644
index 05b411eac..000000000
Binary files a/sigs/securityonion-2.3.90-AIRGAPFIX.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.90-WAZUH.iso.sig b/sigs/securityonion-2.3.90-WAZUH.iso.sig
deleted file mode 100644
index aa9539e05..000000000
Binary files a/sigs/securityonion-2.3.90-WAZUH.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.90.iso.sig b/sigs/securityonion-2.3.90.iso.sig
deleted file mode 100644
index 00f11ea5b..000000000
Binary files a/sigs/securityonion-2.3.90.iso.sig and /dev/null differ
diff --git a/sigs/securityonion-2.3.91.iso.sig b/sigs/securityonion-2.3.91.iso.sig
deleted file mode 100644
index de428774a..000000000
Binary files a/sigs/securityonion-2.3.91.iso.sig and /dev/null differ
diff --git a/so-analyst-install b/so-analyst-install
index ac92afd77..2e0e4fb34 100755
--- a/so-analyst-install
+++ b/so-analyst-install
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . cd "$(dirname "$0")/setup" || exit 255 diff --git a/so-setup-network b/so-setup-network index c78756c98..ca86d249e 100755 --- a/so-setup-network +++ b/so-setup-network 
@@ -1,19 +1,10 @@ #!/bin/bash -# Copyright 2014-2022 Security Onion Solutions, LLC +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. -# This program is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . cd "$(dirname "$0")/setup" || exit 255