Move In Day

This commit is contained in:
Mike Reeves
2022-09-07 09:06:25 -04:00
parent dcb7b49dbe
commit 2bd9dd80e2
611 changed files with 8015 additions and 16211 deletions

View File

@@ -1,20 +1,14 @@
## Security Onion 2.3.140 ## Security Onion 2.3.120
Security Onion 2.3.140 is here! Security Onion 2.3.120 is here!
## Screenshots ## Screenshots
Alerts Alerts
![Alerts](./assets/images/screenshots/alerts.png) ![Alerts](./assets/images/screenshots/alerts-1.png)
Dashboards
![Dashboards](./assets/images/screenshots/dashboards.png)
Hunt Hunt
![Hunt](./assets/images/screenshots/hunt.png) ![Hunt](./assets/images/screenshots/hunt-1.png)
Cases
![Cases](./assets/images/screenshots/cases-comments.png)
### Release Notes ### Release Notes
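Review bot: the heading and intro sentence move from 2.3.140 back to 2.3.120 while the VERSION hunk in this same commit moves to 2.3.170, so README.md will advertise a release two versions behind what the tree ships; this reads like a merge that pulled in an older branch. Suggest regenerating these lines from VERSION, and confirming that dropping the Dashboards and Cases screenshot sections (and switching alerts.png to alerts-1.png) is intended rather than a side effect of the same merge.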

View File

@@ -1,18 +1,18 @@
### 2.3.140-20220718 ISO image built on 2022/07/18 ### 2.3.120-20220425 ISO image built on 2022/04/25
### Download and Verify ### Download and Verify
2.3.140-20220718 ISO image: 2.3.120-20220425 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220718.iso https://download.securityonion.net/file/securityonion/securityonion-2.3.120-20220425.iso
MD5: 9570065548DBFA6230F28FF623A8B61A MD5: C99729E452B064C471BEF04532F28556
SHA1: D48B2CC81DF459C3EBBC0C54BD9AAFAB4327CB75 SHA1: 60BF07D5347C24568C7B793BFA9792E98479CFBF
SHA256: 0E31E15EDFD3392B9569FCCAF1E4518432ECB0D7A174CCA745F2F22CDAC4A034 SHA256: CD17D0D7CABE21D45FA45E1CF91C5F24EB9608C79FF88480134E5592AFDD696E
Signature for ISO image: Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220718.iso.sig https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.120-20220425.iso.sig
Signing key: Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS
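Review bot: the ISO URL, MD5/SHA1/SHA256 and signature link all revert to the 2.3.120-20220425 image even though VERSION becomes 2.3.170. DOWNLOAD_AND_VERIFY.md is what users follow to check the artifact they were just told to download, so it has to track the image actually published for this release; otherwise the hash step fails, or verifies an older ISO than the one README announces. Please update the three digests and the .sig path together with the ISO name, since a partial edit here is the easiest way to ship a guide whose hashes match nothing.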
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma
Download the signature file for the ISO: Download the signature file for the ISO:
``` ```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.140-20220718.iso.sig wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.120-20220425.iso.sig
``` ```
Download the ISO image: Download the ISO image:
``` ```
wget https://download.securityonion.net/file/securityonion/securityonion-2.3.140-20220718.iso wget https://download.securityonion.net/file/securityonion/securityonion-2.3.120-20220425.iso
``` ```
Verify the downloaded ISO image using the signature file: Verify the downloaded ISO image using the signature file:
``` ```
gpg --verify securityonion-2.3.140-20220718.iso.sig securityonion-2.3.140-20220718.iso gpg --verify securityonion-2.3.120-20220425.iso.sig securityonion-2.3.120-20220425.iso
``` ```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below: The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
``` ```
gpg: Signature made Mon 18 Jul 2022 10:16:05 AM EDT using RSA key ID FE507013 gpg: Signature made Mon 25 Apr 2022 08:20:40 AM EDT using RSA key ID FE507013
gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>" gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
gpg: WARNING: This key is not certified with a trusted signature! gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner. gpg: There is no indication that the signature belongs to the owner.
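Review bot: the sentence above still tells the reader to compare the Primary key fingerprint with "what's shown below", but the example output in this hunk ends at the two gpg WARNING lines; please make sure the fingerprint line that follows (outside this context) still matches the key published in KEYS, because "Good signature" alone is not sufficient when gpg itself reports that the key is not certified. A short note that the "Signature made" timestamp differs per build would also stop readers treating that line as a mismatch.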

View File

@@ -1 +1 @@
2.3.140 2.3.170


View File

@@ -16,6 +16,10 @@ firewall:
ips: ips:
delete: delete:
insert: insert:
elastic_agent_endpoint:
ips:
delete:
insert:
endgame: endgame:
ips: ips:
delete: delete:
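Review bot: elastic_agent_endpoint is introduced with empty ips/delete/insert lists, which is the right default (nothing allowed until an operator runs so-allow -t), but this hunk only adds the pillar keys; the role and its ports also need to exist in the firewall state's port map. The so-allow hunk in this commit describes the role as 8220/tcp,5055/tcp and the logstash port_bindings hunk publishes 5055 on 0.0.0.0, so please confirm that those two ports, and only those, are tied to this role in the firewall state.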
@@ -44,10 +48,6 @@ firewall:
ips: ips:
delete: delete:
insert: insert:
osquery_endpoint:
ips:
delete:
insert:
receiver: receiver:
ips: ips:
delete: delete:
@@ -67,16 +67,4 @@ firewall:
syslog: syslog:
ips: ips:
delete: delete:
insert: insert:
wazuh_agent:
ips:
delete:
insert:
wazuh_api:
ips:
delete:
insert:
wazuh_authd:
ips:
delete:
insert:
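Review bot: removing osquery_endpoint, wazuh_agent, wazuh_api and wazuh_authd from the default pillar drops the roles, but a local pillar on an upgraded install that already holds IPs under those keys will keep them; confirm the upgrade path strips them, otherwise the firewall state either errors on an unknown role or silently keeps allow rules for 8090, 1514, 1515 and 55000 (the ports the old so-allow descriptions list) that no longer have a listener behind them. Ports that lose their service should be closed deliberately rather than left to stale pillar data.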

View File

@@ -65,8 +65,6 @@ peer:
- x509.sign_remote_certificate - x509.sign_remote_certificate
reactor: reactor:
- 'so/fleet':
- salt://reactor/fleet.sls
- 'salt/beacon/*/watch_sqlite_db//opt/so/conf/kratos/db/sqlite.db': - 'salt/beacon/*/watch_sqlite_db//opt/so/conf/kratos/db/sqlite.db':
- salt://reactor/kratos.sls - salt://reactor/kratos.sls
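Review bot: the 'so/fleet' reactor mapping is removed, but nothing in this hunk removes whatever emits the so/fleet event; if a script or beacon still fires that tag, the master will now drop it silently. Please check for remaining emitters in the same change, and make sure salt://reactor/fleet.sls is deleted alongside this mapping rather than left orphaned.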

View File

@@ -3,6 +3,7 @@ logstash:
port_bindings: port_bindings:
- 0.0.0.0:3765:3765 - 0.0.0.0:3765:3765
- 0.0.0.0:5044:5044 - 0.0.0.0:5044:5044
- 0.0.0.0:5055:5055
- 0.0.0.0:5644:5644 - 0.0.0.0:5644:5644
- 0.0.0.0:6050:6050 - 0.0.0.0:6050:6050
- 0.0.0.0:6051:6051 - 0.0.0.0:6051:6051
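Review bot: 0.0.0.0:5055:5055 publishes a new Logstash listener on every interface of the host, and the matching elastic_agent_endpoint firewall role in this commit starts with an empty allow list, so reachability of 5055 depends entirely on the firewall state default-denying it. Please confirm that is the case and that 5055 is not also opened through any other role; a bind on all interfaces with no allow-list entry is only safe while the host firewall stays in front of it.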

View File

@@ -5,5 +5,6 @@ logstash:
- so/0009_input_beats.conf - so/0009_input_beats.conf
- so/0010_input_hhbeats.conf - so/0010_input_hhbeats.conf
- so/0011_input_endgame.conf - so/0011_input_endgame.conf
- so/0012_input_elastic_agent.conf
- so/9999_output_redis.conf.jinja - so/9999_output_redis.conf.jinja
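Review bot: so/0012_input_elastic_agent.conf is added to the pipeline list, but the file itself is not in the visible part of this commit; please confirm it exists (Logstash will fail to start otherwise), that it listens on 5055 to match the port_bindings hunk, and what client authentication it requires, since this input becomes reachable from every IP an operator adds with so-allow -t.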

View File

@@ -2,7 +2,7 @@
{% set cached_grains = salt.saltutil.runner('cache.grains', tgt='*') %} {% set cached_grains = salt.saltutil.runner('cache.grains', tgt='*') %}
{% for minionid, ip in salt.saltutil.runner( {% for minionid, ip in salt.saltutil.runner(
'mine.get', 'mine.get',
tgt='G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-node or G@role:so-heavynode or G@role:so-receiver or G@role:so-helix', tgt='G@role:so-manager or G@role:so-managersearch or G@role:so-standalone or G@role:so-node or G@role:so-heavynode or G@role:so-receiver or G@role:so-helix ',
fun='network.ip_addrs', fun='network.ip_addrs',
tgt_type='compound') | dictsort() tgt_type='compound') | dictsort()
%} %}
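Review bot: the new compound target string ends with a trailing space inside the quotes ('... or G@role:so-helix '), so the last alternative becomes a grain match against "so-helix " with a trailing space and will never match a minion. Drop the space, or drop the whole so-helix alternative, since this commit removes the helixsensor pillar targets from top.sls. Whitespace-only changes inside a tgt string are easy to miss in side-by-side view, which is likely how this one got in.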

View File

@@ -14,5 +14,5 @@ logstash:
- so/9700_output_strelka.conf.jinja - so/9700_output_strelka.conf.jinja
- so/9800_output_logscan.conf.jinja - so/9800_output_logscan.conf.jinja
- so/9801_output_rita.conf.jinja - so/9801_output_rita.conf.jinja
- so/9802_output_kratos.conf.jinja - so/9805_output_elastic_agent.conf.jinja
- so/9900_output_endgame.conf.jinja - so/9900_output_endgame.conf.jinja
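Review bot: so/9802_output_kratos.conf.jinja is replaced by so/9805_output_elastic_agent.conf.jinja rather than kept alongside it, so the pipeline no longer has a Kratos output. If Kratos (login and identity) logs are still expected to reach the search nodes they need another path, and dropping authentication logs is a decision that belongs in the commit message. The numbering jump from 9802 to 9805 is fine, but a word on why would help the next reader.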

View File

@@ -2,6 +2,10 @@ base:
'*': '*':
- patch.needs_restarting - patch.needs_restarting
- logrotate - logrotate
- docker.soc_docker
- docker.adv_docker
- sensoroni.soc_sensoroni
- sensoroni.adv_sensoroni
'* and not *_eval and not *_import': '* and not *_eval and not *_import':
- logstash.nodes - logstash.nodes
@@ -24,113 +28,124 @@ base:
'*_manager or *_managersearch': '*_manager or *_managersearch':
- match: compound - match: compound
- data.* {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
- elasticsearch.auth - elasticsearch.auth
{% endif %} {% endif %}
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}
- kibana.secrets - kibana.secrets
{% endif %} {% endif %}
- secrets - secrets
- global - soc_global
- adv_global
- manager.soc_manager
- manager.adv_manager
- soc.soc_soc
- soc.adv_soc
- minions.{{ grains.id }} - minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
'*_sensor': '*_sensor':
- zeeklogs - zeek.zeeklogs
- healthcheck.sensor - healthcheck.sensor
- global - soc_global
- adv_global
- minions.{{ grains.id }} - minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
'*_eval': '*_eval':
- data.* - zeel.zeeklogs
- zeeklogs
- secrets - secrets
- healthcheck.eval - healthcheck.eval
- elasticsearch.index_templates - elasticsearch.index_templates
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
- elasticsearch.auth - elasticsearch.auth
{% endif %} {% endif %}
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}
- kibana.secrets - kibana.secrets
{% endif %} {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}
- global - soc_global
{% endif %}
- elasticsearch.soc_elasticsearch
- manager.soc_manager
- soc.soc_soc
- minions.{{ grains.id }} - minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
'*_standalone': '*_standalone':
- logstash - logstash
- logstash.manager - logstash.manager
- logstash.search - logstash.search
- logstash.soc_logstash
- elasticsearch.index_templates - elasticsearch.index_templates
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
- elasticsearch.auth - elasticsearch.auth
{% endif %} {% endif %}
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}
- kibana.secrets - kibana.secrets
{% endif %} {% endif %}
- data.* - zeek.zeeklogs
- zeeklogs
- secrets - secrets
- healthcheck.standalone - healthcheck.standalone
- global - soc_global
- minions.{{ grains.id }} - kratos.soc_kratos
- elasticsearch.soc_elasticsearch
'*_node': - manager.soc_manager
- global - soc.soc_soc
- minions.{{ grains.id }} - minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
'*_heavynode': '*_heavynode':
- zeeklogs - zeek.zeeklogs
- elasticsearch.auth - elasticsearch.auth
- global - soc_global
- minions.{{ grains.id }}
'*_helixsensor':
- fireeye
- zeeklogs
- logstash
- logstash.helix
- global
- minions.{{ grains.id }}
'*_fleet':
- data.*
- secrets
- global
- minions.{{ grains.id }} - minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
'*_idh': '*_idh':
- data.* - soc_global
- global - adv_global
- minions.{{ grains.id }} - minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
'*_searchnode': '*_searchnode':
- logstash - logstash
- logstash.search - logstash.search
- elasticsearch.index_templates - elasticsearch.index_templates
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
- elasticsearch.auth - elasticsearch.auth
- global {% endif %}
- soc_global
- adv_global
- minions.{{ grains.id }} - minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
- data.nodestab - data.nodestab
'*_receiver': '*_receiver':
- logstash - logstash
- logstash.receiver - logstash.receiver
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
- elasticsearch.auth - elasticsearch.auth
- global {% endif %}
- soc_global
- adv_global
- minions.{{ grains.id }} - minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
'*_import': '*_import':
- zeeklogs - zeek.zeeklogs
- secrets - secrets
- elasticsearch.index_templates - elasticsearch.index_templates
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}
- elasticsearch.auth - elasticsearch.auth
{% endif %} {% endif %}
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}
- kibana.secrets - kibana.secrets
{% endif %} {% endif %}
- global - soc_global
- adv_global
- manager.soc_manager
- minions.{{ grains.id }} - minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
'*_workstation': '*_workstation':
- minions.{{ grains.id }} - minions.{{ grains.id }}
- minions.adv_{{ grains.id }}
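Review bot: three problems in the new pillar targets. First, '*_eval' lists `- zeel.zeeklogs`, a typo for the `zeek.zeeklogs` every other target uses, so eval nodes will hit a pillar render error. Second, in the same '*_eval' block the kibana guard is misplaced: `- kibana.secrets` now sits outside the `{% if salt['file.file_exists'](...kibana/secrets.sls) %}` block and `- soc_global` sits inside it, so a fresh eval install with no secrets.sls yet loses soc_global and includes a non-existent kibana.secrets pillar; the if should wrap kibana.secrets and soc_global should be unconditional, as in the other targets. Third, '*_eval', '*_standalone' and '*_heavynode' receive soc_global but not adv_global, while manager, sensor, idh, searchnode, receiver and import receive both; if the adv_* pillars are the operator override layer, those three roles silently lose it.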

View File

@@ -1,10 +1,11 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %} {% set ZEEKVER = salt['pillar.get']('global:mdengine', '') %}
{% set WAZUH = salt['pillar.get']('global:wazuh', '0') %}
{% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %} {% set PLAYBOOK = salt['pillar.get']('manager:playbook', '0') %}
{% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %}
{% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
{% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %} {% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %}
{% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %} {% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %}
{% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %} {% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %}
@@ -35,6 +36,7 @@
'grafana', 'grafana',
'soc', 'soc',
'kratos', 'kratos',
'elastic-fleet',
'firewall', 'firewall',
'idstools', 'idstools',
'suricata.manager', 'suricata.manager',
@@ -77,24 +79,10 @@
'tcpreplay', 'tcpreplay',
'docker_clean' 'docker_clean'
], ],
'so-fleet': [
'ssl',
'nginx',
'telegraf',
'firewall',
'mysql',
'redis',
'fleet',
'fleet.install_package',
'filebeat',
'schedule',
'docker_clean'
],
'so-idh': [ 'so-idh': [
'ssl', 'ssl',
'telegraf', 'telegraf',
'firewall', 'firewall',
'fleet.install_package',
'filebeat', 'filebeat',
'idh', 'idh',
'schedule', 'schedule',
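Review bot: the entire 'so-fleet' role entry is removed, so a minion whose role grain still reads so-fleet falls through this map with no allowed states; please pair this with an upgrade step that retires or re-roles existing fleet nodes. so-idh keeps 'filebeat' but loses 'fleet.install_package', which is consistent with the Fleet removal, but confirm the IDH logs still have a shipper path now that the osquery and Wazuh agents are gone from this commit.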
@@ -133,6 +121,7 @@
'grafana', 'grafana',
'soc', 'soc',
'kratos', 'kratos',
'elastic-fleet',
'firewall', 'firewall',
'idstools', 'idstools',
'suricata.manager', 'suricata.manager',
@@ -153,6 +142,7 @@
'grafana', 'grafana',
'soc', 'soc',
'kratos', 'kratos',
'elastic-fleet',
'firewall', 'firewall',
'manager', 'manager',
'idstools', 'idstools',
@@ -163,7 +153,7 @@
'docker_clean', 'docker_clean',
'learn' 'learn'
], ],
'so-node': [ 'so-searchnode': [
'ssl', 'ssl',
'nginx', 'nginx',
'telegraf', 'telegraf',
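Review bot: renaming the key from 'so-node' to 'so-searchnode' changes which role grain value is matched, so every existing search node whose grain still reads so-node gets no allowed states after this change. Please confirm the upgrade rewrites the grain (and the minion id suffix, since the top.sls hunk in this commit matches on '*_searchnode') before this map is applied, and that nothing else still compares against 'so-node'.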
@@ -183,6 +173,7 @@
'grafana', 'grafana',
'soc', 'soc',
'kratos', 'kratos',
'elastic-fleet',
'firewall', 'firewall',
'idstools', 'idstools',
'suricata.manager', 'suricata.manager',
@@ -204,7 +195,6 @@
'pcap', 'pcap',
'suricata', 'suricata',
'healthcheck', 'healthcheck',
'wazuh',
'filebeat', 'filebeat',
'schedule', 'schedule',
'tcpreplay', 'tcpreplay',
@@ -221,26 +211,14 @@
], ],
}, grain='role') %} }, grain='role') %}
{% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import', 'so-receiver'] %} {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import', 'so-receiver'] %}
{% do allowed_states.append('filebeat') %} {% do allowed_states.append('filebeat') %}
{% endif %} {% endif %}
{% if ((FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0) and grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %} {% if (PLAYBOOK != 0) and grains.role in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone'] %}
{% do allowed_states.append('mysql') %} {% do allowed_states.append('mysql') %}
{% endif %} {% endif %}
{% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-sensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
{% do allowed_states.append('fleet.install_package') %}
{% endif %}
{% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-heavynode'] %}
{% do allowed_states.append('fleet') %}
{% endif %}
{% if (FLEETMANAGER or FLEETNODE) and grains.role in ['so-eval'] %}
{% do allowed_states.append('redis') %}
{% endif %}
{%- if ZEEKVER != 'SURICATA' and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %} {%- if ZEEKVER != 'SURICATA' and grains.role in ['so-sensor', 'so-eval', 'so-standalone', 'so-heavynode'] %}
{% do allowed_states.append('zeek') %} {% do allowed_states.append('zeek') %}
{%- endif %} {%- endif %}
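Review bot: 'so-helixsensor' remains in the FILEBEAT role list here (and in the LOGSTASH list further down), yet the top.sls hunk in this commit deletes the '*_helixsensor' pillar target with its fireeye and logstash.helix entries; either the role is gone and should leave these lists too, or it still exists and has just lost its pillar. Separately, the mysql gate is now only `(PLAYBOOK != 0)`, and PLAYBOOK defaults to the string '0' at the top of this file; in Jinja '0' != 0 is True, so mysql is appended for every listed role regardless of the pillar value. That was already true before this change, but now that it is the sole condition it should be fixed, for example by comparing against '0' or casting with |int.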
@@ -249,11 +227,7 @@
{% do allowed_states.append('strelka') %} {% do allowed_states.append('strelka') %}
{% endif %} {% endif %}
{% if WAZUH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver','so-idh']%} {% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-import'] %}
{% do allowed_states.append('wazuh') %}
{% endif %}
{% if ELASTICSEARCH and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import'] %}
{% do allowed_states.append('elasticsearch') %} {% do allowed_states.append('elasticsearch') %}
{% endif %} {% endif %}
@@ -266,7 +240,7 @@
{% do allowed_states.append('kibana.secrets') %} {% do allowed_states.append('kibana.secrets') %}
{% endif %} {% endif %}
{% if grains.role in ['so-eval', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-manager'] %} {% if grains.role in ['so-eval', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-manager'] %}
{% do allowed_states.append('curator') %} {% do allowed_states.append('curator') %}
{% endif %} {% endif %}
@@ -282,15 +256,7 @@
{% do allowed_states.append('redis') %} {% do allowed_states.append('redis') %}
{% endif %} {% endif %}
{% if (FREQSERVER !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %} {% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-searchnode', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
{% do allowed_states.append('freqserver') %}
{% endif %}
{% if (DOMAINSTATS !=0) and grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch'] %}
{% do allowed_states.append('domainstats') %}
{% endif %}
{% if LOGSTASH and grains.role in ['so-helixsensor', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-receiver'] %}
{% do allowed_states.append('logstash') %} {% do allowed_states.append('logstash') %}
{% endif %} {% endif %}

View File

@@ -1,10 +1,16 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %} {% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
- ca.dirs - ca.dirs
{% set manager = salt['grains.get']('master') %}
/etc/salt/minion.d/signing_policies.conf: /etc/salt/minion.d/signing_policies.conf:
file.managed: file.managed:
- source: salt://ca/files/signing_policies.conf - source: salt://ca/files/signing_policies.conf
@@ -25,7 +31,7 @@ pki_public_ca_crt:
x509.certificate_managed: x509.certificate_managed:
- name: /etc/pki/ca.crt - name: /etc/pki/ca.crt
- signing_private_key: /etc/pki/ca.key - signing_private_key: /etc/pki/ca.key
- CN: {{ manager }} - CN: {{ GLOBALS.manager }}
- C: US - C: US
- ST: Utah - ST: Utah
- L: Salt Lake City - L: Salt Lake City
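Review bot: the CA certificate CN now comes from GLOBALS.manager instead of the minion's master grain. x509.certificate_managed re-issues a certificate when its properties no longer match what is on disk, so if GLOBALS.manager resolves to a different string than the old grain on an upgraded node (short hostname versus FQDN versus IP), /etc/pki/ca.crt would be regenerated and every certificate it previously signed would stop validating. Please confirm the two values are identical for existing installs, or gate the change on that.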

View File

@@ -2,10 +2,10 @@
{% if sls in allowed_states %} {% if sls in allowed_states %}
{% set role = grains.id.split('_') | last %} {% set role = grains.id.split('_') | last %}
{% from 'elasticsearch/auth.map.jinja' import ELASTICAUTH with context %}
include: include:
- common.soup_scripts - common.soup_scripts
- common.packages
{% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %} {% if grains.role in ['so-eval', 'so-manager', 'so-standalone', 'so-managersearch', 'so-import'] %}
- manager.elasticsearch # needed for elastic_curl_config state - manager.elasticsearch # needed for elastic_curl_config state
{% endif %} {% endif %}
@@ -15,11 +15,6 @@ rmvariablesfile:
file.absent: file.absent:
- name: /tmp/variables.txt - name: /tmp/variables.txt
dockergroup:
group.present:
- name: docker
- gid: 920
# Add socore Group # Add socore Group
socoregroup: socoregroup:
group.present: group.present:
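Review bot: the docker group with the fixed gid 920 is no longer managed here. If it moved into the docker state that top.sls now references via docker.soc_docker, fine, but if not, the gid becomes whatever the package creates, and any bind mount ownership or socore group membership that assumed 920 will break on fresh installs. Please point to where it went.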
@@ -88,92 +83,6 @@ vimconfig:
- source: salt://common/files/vimrc - source: salt://common/files/vimrc
- replace: False - replace: False
# Install common packages
{% if grains['os'] != 'CentOS' %}
commonpkgs:
pkg.installed:
- skip_suggestions: True
- pkgs:
- apache2-utils
- wget
- ntpdate
- jq
- python3-docker
- curl
- ca-certificates
- software-properties-common
- apt-transport-https
- openssl
- netcat
- python3-mysqldb
- sqlite3
- libssl-dev
- python3-dateutil
- python3-m2crypto
- python3-mysqldb
- python3-packaging
- python3-lxml
- git
- vim
heldpackages:
pkg.installed:
- pkgs:
{% if grains['oscodename'] == 'bionic' %}
- containerd.io: 1.4.4-1
- docker-ce: 5:20.10.5~3-0~ubuntu-bionic
- docker-ce-cli: 5:20.10.5~3-0~ubuntu-bionic
- docker-ce-rootless-extras: 5:20.10.5~3-0~ubuntu-bionic
{% elif grains['oscodename'] == 'focal' %}
- containerd.io: 1.4.9-1
- docker-ce: 5:20.10.8~3-0~ubuntu-focal
- docker-ce-cli: 5:20.10.5~3-0~ubuntu-focal
- docker-ce-rootless-extras: 5:20.10.5~3-0~ubuntu-focal
{% endif %}
- hold: True
- update_holds: True
{% else %}
commonpkgs:
pkg.installed:
- skip_suggestions: True
- pkgs:
- wget
- ntpdate
- bind-utils
- jq
- tcpdump
- httpd-tools
- net-tools
- curl
- sqlite
- mariadb-devel
- nmap-ncat
- python3
- python36-docker
- python36-dateutil
- python36-m2crypto
- python36-mysql
- python36-packaging
- python36-lxml
- yum-utils
- device-mapper-persistent-data
- lvm2
- openssl
- git
- vim-enhanced
heldpackages:
pkg.installed:
- pkgs:
- containerd.io: 1.4.4-3.1.el7
- docker-ce: 3:20.10.5-3.el7
- docker-ce-cli: 1:20.10.5-3.el7
- docker-ce-rootless-extras: 20.10.5-3.el7
- hold: True
- update_holds: True
{% endif %}
# Always keep these packages up to date # Always keep these packages up to date
alwaysupdated: alwaysupdated:
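Review bot: the pinned and held Docker packages (containerd.io, docker-ce, docker-ce-cli and docker-ce-rootless-extras with `hold: True` and `update_holds: True`) are removed here, and the new salt/common/packages.sls in this commit does not reinstate them (it only adds the versionlock plugins), so Docker will float to whatever the distro repo serves on the next update. If that is intended it should be stated; otherwise the version pin belongs in the docker state. The same question applies to the apt-side names (apache2-utils, apt-transport-https, python3-mysqldb): they are gone and the new file has no apt branch.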
@@ -188,7 +97,6 @@ alwaysupdated:
Etc/UTC: Etc/UTC:
timezone.system timezone.system
{% if salt['pillar.get']('elasticsearch:auth:enabled', False) %}
elastic_curl_config: elastic_curl_config:
file.managed: file.managed:
- name: /opt/so/conf/elasticsearch/curl.config - name: /opt/so/conf/elasticsearch/curl.config
@@ -200,7 +108,6 @@ elastic_curl_config:
- require: - require:
- file: elastic_curl_config_distributed - file: elastic_curl_config_distributed
{% endif %} {% endif %}
{% endif %}
# Sync some Utilities # Sync some Utilities
utilsyncscripts: utilsyncscripts:
@@ -211,10 +118,6 @@ utilsyncscripts:
- file_mode: 755 - file_mode: 755
- template: jinja - template: jinja
- source: salt://common/tools/sbin - source: salt://common/tools/sbin
- defaults:
ELASTICCURL: 'curl'
- context:
ELASTICCURL: {{ ELASTICAUTH.elasticcurl }}
- exclude_pat: - exclude_pat:
- so-common - so-common
- so-firewall - so-firewall
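Review bot: the `defaults`/`context` ELASTICCURL plumbing is removed from utilsyncscripts, and the ELASTICAUTH import is removed from the include block at the top of this file, but the scripts under salt://common/tools/sbin are still rendered with `template: jinja`; any script that still references ELASTICCURL will no longer render correctly. Please check the sbin tree for remaining ELASTICCURL references in this commit.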
@@ -339,32 +242,6 @@ soversionfile:
{% endif %} {% endif %}
# Manager daemon.json
docker_daemon:
file.managed:
- source: salt://common/files/daemon.json
- name: /etc/docker/daemon.json
- template: jinja
# Make sure Docker is always running
docker:
service.running:
- enable: True
- watch:
- file: docker_daemon
# Reserve OS ports for Docker proxy in case boot settings are not already applied/present
# 55000 = Wazuh, 57314 = Strelka, 47760-47860 = Zeek
dockerapplyports:
cmd.run:
- name: if [ ! -s /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314,47760-47860"; fi
# Reserve OS ports for Docker proxy
dockerreserveports:
file.managed:
- source: salt://common/files/99-reserved-ports.conf
- name: /etc/sysctl.d/99-reserved-ports.conf
{% if salt['grains.get']('sosmodel', '') %} {% if salt['grains.get']('sosmodel', '') %}
{% if grains['os'] == 'CentOS' %} {% if grains['os'] == 'CentOS' %}
# Install Raid tools # Install Raid tools
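Review bot: the docker_daemon file, the docker service.running watch, and the ip_local_reserved_ports reservation (55000, 57314, 47760-47860) are all removed from common. If they moved into the docker state now referenced from top.sls, fine, but the port reservation is what stops the kernel from handing Strelka's 57314 or the Zeek range to an ephemeral Docker proxy socket; if that protection is simply gone it should return somewhere, with 55000 dropped now that Wazuh is removed.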

salt/common/packages.sls (new file, 61 additions)
View File

@@ -0,0 +1,61 @@
{% if grains['os'] != 'CentOS' %}
commonpkgs:
pkg.installed:
- skip_suggestions: True
- pkgs:
- wget
- jq
- tcpdump
- httpd-tools
- net-tools
- curl
- sqlite
- mariadb-devel
- python3-dnf-plugin-versionlock
- nmap-ncat
- createrepo
- python3-lxml
- python3-packaging
- yum-utils
- device-mapper-persistent-data
- lvm2
- openssl
- git
- vim-enhanced
- python3-docker
{% else %}
commonpkgs:
pkg.installed:
- skip_suggestions: True
- pkgs:
- wget
- ntpdate
- bind-utils
- jq
- tcpdump
- httpd-tools
- net-tools
- curl
- sqlite
- mariadb-devel
- nmap-ncat
- python3
- python36-packaging
- python36-lxml
- python36-docker
- python36-dateutil
- python36-m2crypto
- python36-mysql
- python36-packaging
- python36-lxml
- yum-utils
- device-mapper-persistent-data
- lvm2
- openssl
- git
- vim-enhanced
- yum-plugin-versionlock
{% endif %}
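Review bot: the `{% if grains['os'] != 'CentOS' %}` branch now holds yum/dnf package names (httpd-tools, yum-utils, python3-dnf-plugin-versionlock, vim-enhanced), whereas the block this file replaces in common/init.sls used that same branch for Ubuntu apt names (apache2-utils, apt-transport-https). Either Ubuntu support is intentionally dropped, which should be stated, or pkg.installed will fail on every non-CentOS host. Also python36-packaging and python36-lxml appear twice in the CentOS list, ntpdate is present only in the CentOS branch, and since the two lists are nearly identical a single shared list plus a small per-OS delta would be easier to audit.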

View File

@@ -1,19 +1,11 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import ipaddress import ipaddress
import textwrap import textwrap
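Review bot: this hunk relicenses the file from GPLv3 to the Elastic License 2.0, and the same header change appears in the other sbin scripts below. A license change is a notable event for a commit titled "Move In Day"; it should be named in the commit message and accompanied by the corresponding LICENSE file update so the headers and the repository license agree.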
@@ -28,17 +20,13 @@ from datetime import timezone as tz
LOCAL_SALT_DIR='/opt/so/saltstack/local' LOCAL_SALT_DIR='/opt/so/saltstack/local'
WAZUH_CONF='/nsm/wazuh/etc/ossec.conf'
VALID_ROLES = { VALID_ROLES = {
'a': { 'role': 'analyst','desc': 'Analyst - 80/tcp, 443/tcp' }, 'a': { 'role': 'analyst','desc': 'Analyst - 80/tcp, 443/tcp' },
'b': { 'role': 'beats_endpoint', 'desc': 'Logstash Beat - 5044/tcp' }, 'b': { 'role': 'beats_endpoint', 'desc': 'Logstash Beat - 5044/tcp' },
'e': { 'role': 'elasticsearch_rest', 'desc': 'Elasticsearch REST API - 9200/tcp' }, 'e': { 'role': 'elasticsearch_rest', 'desc': 'Elasticsearch REST API - 9200/tcp' },
'f': { 'role': 'strelka_frontend', 'desc': 'Strelka frontend - 57314/tcp' }, 'f': { 'role': 'strelka_frontend', 'desc': 'Strelka frontend - 57314/tcp' },
'o': { 'role': 'osquery_endpoint', 'desc': 'Osquery endpoint - 8090/tcp' },
's': { 'role': 'syslog', 'desc': 'Syslog device - 514/tcp/udp' }, 's': { 'role': 'syslog', 'desc': 'Syslog device - 514/tcp/udp' },
'w': { 'role': 'wazuh_agent', 'desc': 'Wazuh agent - 1514/tcp/udp' }, 't': { 'role': 'elastic_agent_endpoint', 'desc': 'Elastic Agent endpoint - 8220/tcp,5055/tcp' }
'p': { 'role': 'wazuh_api', 'desc': 'Wazuh API - 55000/tcp' },
'r': { 'role': 'wazuh_authd', 'desc': 'Wazuh registration service - 1515/tcp' }
} }
@@ -77,65 +65,15 @@ def ip_prompt() -> str:
sys.exit(1) sys.exit(1)
def wazuh_enabled() -> bool:
file = f'{LOCAL_SALT_DIR}/pillar/global.sls'
with open(file, 'r') as pillar:
if 'wazuh: 1' in pillar.read():
return True
return False
def root_to_str(root: ET.ElementTree) -> str:
return ET.tostring(root, encoding='unicode', method='xml', xml_declaration=False, pretty_print=True)
def add_wl(ip):
parser = ET.XMLParser(remove_blank_text=True)
with open(WAZUH_CONF, 'rb') as wazuh_conf:
tree = ET.parse(wazuh_conf, parser)
root = tree.getroot()
source_comment = ET.Comment(f'Address {ip} added by /usr/sbin/so-allow on {dt.utcnow().replace(tzinfo=tz.utc).strftime("%a %b %e %H:%M:%S %Z %Y")}')
new_global = ET.Element("global")
new_wl = ET.SubElement(new_global, 'white_list')
new_wl.text = ip
root.append(source_comment)
root.append(new_global)
with open(WAZUH_CONF, 'w') as add_out:
add_out.write(root_to_str(root))
def apply(role: str, ip: str) -> int: def apply(role: str, ip: str) -> int:
firewall_cmd = ['so-firewall', 'includehost', role, ip] firewall_cmd = ['so-firewall', 'includehost', role, ip]
salt_cmd = ['salt-call', 'state.apply', '-l', 'quiet', 'firewall', 'queue=True'] salt_cmd = ['salt-call', 'state.apply', '-l', 'quiet', 'firewall', 'queue=True']
restart_wazuh_cmd = ['so-wazuh-restart']
print(f'Adding {ip} to the {role} role. This can take a few seconds...') print(f'Adding {ip} to the {role} role. This can take a few seconds...')
cmd = subprocess.run(firewall_cmd) cmd = subprocess.run(firewall_cmd)
if cmd.returncode == 0: if cmd.returncode == 0:
cmd = subprocess.run(salt_cmd, stdout=subprocess.DEVNULL) cmd = subprocess.run(salt_cmd, stdout=subprocess.DEVNULL)
else: else:
return cmd.returncode return cmd.returncode
if cmd.returncode == 0:
if wazuh_enabled() and role=='analyst':
try:
add_wl(ip)
print(f'Added whitelist entry for {ip} from {WAZUH_CONF}', file=sys.stderr)
except Exception as e:
print(f'Failed to add whitelist entry for {ip} from {WAZUH_CONF}', file=sys.stderr)
print(e)
return 1
print('Restarting OSSEC Server...')
cmd = subprocess.run(restart_wazuh_cmd)
else:
return cmd.returncode
else:
print(f'Commmand \'{" ".join(salt_cmd)}\' failed.', file=sys.stderr)
return cmd.returncode
if cmd.returncode != 0:
print('Failed to restart OSSEC server.')
return cmd.returncode
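Review bot: with the Wazuh branch cut, the new `apply()` ends at the `else: return cmd.returncode` that handles a so-firewall failure; the salt-call result stored in `cmd` on the success path is never returned (unless a return follows outside the shown context), so a function typed `-> int` returns None when salt-call fails, and the previous "Command ... failed" message goes with it. Please add `return cmd.returncode` after the if/else and keep the error print, so a failed firewall apply is not reported to the caller as success.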
def main(): def main():
@@ -156,11 +94,8 @@ def main():
group.add_argument('-b', dest='roles', action='append_const', const=VALID_ROLES['b']['role'], help="Logstash Beat - 5044/tcp") group.add_argument('-b', dest='roles', action='append_const', const=VALID_ROLES['b']['role'], help="Logstash Beat - 5044/tcp")
group.add_argument('-e', dest='roles', action='append_const', const=VALID_ROLES['e']['role'], help="Elasticsearch REST API - 9200/tcp") group.add_argument('-e', dest='roles', action='append_const', const=VALID_ROLES['e']['role'], help="Elasticsearch REST API - 9200/tcp")
group.add_argument('-f', dest='roles', action='append_const', const=VALID_ROLES['f']['role'], help="Strelka frontend - 57314/tcp") group.add_argument('-f', dest='roles', action='append_const', const=VALID_ROLES['f']['role'], help="Strelka frontend - 57314/tcp")
group.add_argument('-o', dest='roles', action='append_const', const=VALID_ROLES['o']['role'], help="Osquery endpoint - 8090/tcp")
group.add_argument('-s', dest='roles', action='append_const', const=VALID_ROLES['s']['role'], help="Syslog device - 514/tcp/udp") group.add_argument('-s', dest='roles', action='append_const', const=VALID_ROLES['s']['role'], help="Syslog device - 514/tcp/udp")
group.add_argument('-w', dest='roles', action='append_const', const=VALID_ROLES['w']['role'], help="Wazuh agent - 1514/tcp/udp") group.add_argument('-t', dest='roles', action='append_const', const=VALID_ROLES['t']['role'], help="Elastic Agent endpoint - 8220/tcp,5055/tcp")
group.add_argument('-p', dest='roles', action='append_const', const=VALID_ROLES['p']['role'], help="Wazuh API - 55000/tcp")
group.add_argument('-r', dest='roles', action='append_const', const=VALID_ROLES['r']['role'], help="Wazuh registration service - 1515/tcp")
ip_g = main_parser.add_argument_group(title='allow') ip_g = main_parser.add_argument_group(title='allow')
ip_g.add_argument('-i', help="IP or CIDR block to disallow connections from, requires at least one role argument", metavar='', dest='ip') ip_g.add_argument('-i', help="IP or CIDR block to disallow connections from, requires at least one role argument", metavar='', dest='ip')
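Review bot: the new option `group.add_argument('-t', dest='roles', action='append_const', const=VALID_ROLES['t']['role'], help="Elastic Agent endpoint - 8220/tcp,5055/tcp")` indexes `VALID_ROLES['t']`, but no `'t'` entry is defined in this hunk. If the dictionary was not extended elsewhere in this file, argparse setup raises a KeyError at startup for every invocation, not only when `-t` is passed. Confirm the `'t'` entry exists, and consider deriving the help text from the dictionary's description field so the two do not drift apart. Minor: the unchanged `ip_g` line keeps a group titled 'allow' with help text reading "disallow connections from"; one of the two is misleading and worth fixing while this block is being touched.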

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,10 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
doc_workstation_url="https://docs.securityonion.net/en/2.3/analyst-vm.html" doc_workstation_url="https://docs.securityonion.net/en/2.3/analyst-vm.html"
{# we only want the script to install the workstation if it is CentOS -#} {# we only want the script to install the workstation if it is CentOS -#}

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
DEFAULT_SALT_DIR=/opt/so/saltstack/default DEFAULT_SALT_DIR=/opt/so/saltstack/default
@@ -162,15 +154,12 @@ elastic_license() {
read -r -d '' message <<- EOM read -r -d '' message <<- EOM
\n \n
Starting in Elastic Stack version 7.11, the Elastic Stack binaries are only available under the Elastic License: Elastic Stack binaries and Security Onion components are only available under the Elastic License version 2 (ELv2):
https://securityonion.net/elastic-license
Please review the Elastic License:
https://www.elastic.co/licensing/elastic-license https://www.elastic.co/licensing/elastic-license
Do you agree to the terms of the Elastic License? Do you agree to the terms of ELv2?
If so, type AGREE to accept the Elastic License and continue. Otherwise, press Enter to exit this program without making any changes. If so, type AGREE to accept ELv2 and continue. Otherwise, press Enter to exit this program without making any changes.
EOM EOM
AGREED=$(whiptail --title "$whiptail_title" --inputbox \ AGREED=$(whiptail --title "$whiptail_title" --inputbox \
@@ -206,7 +195,7 @@ gpg_rpm_import() {
local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/centos/keys" local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/centos/keys"
fi fi
RPMKEYS=('RPM-GPG-KEY-EPEL-7' 'GPG-KEY-WAZUH' 'docker.pub' 'SALTSTACK-GPG-KEY.pub' 'securityonion.pub') RPMKEYS=('RPM-GPG-KEY-EPEL-7' 'docker.pub' 'SALTSTACK-GPG-KEY.pub' 'securityonion.pub')
for RPMKEY in "${RPMKEYS[@]}"; do for RPMKEY in "${RPMKEYS[@]}"; do
rpm --import $RPMKEYSLOC/$RPMKEY rpm --import $RPMKEYSLOC/$RPMKEY
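Review bot: dropping 'GPG-KEY-WAZUH' from RPMKEYS stops importing the key on fresh installs, but `rpm --import` only adds keys, so deployments upgraded through this code path keep the previously imported Wazuh key trusted in the rpm database. If the intent is to stop trusting that signer, the upgrade path needs an explicit `rpm -e` of the corresponding gpg-pubkey package, and the key file should be removed from `$RPMKEYSLOC` so it cannot be re-imported by an older copy of this loop. Minor: `$RPMKEYSLOC/$RPMKEY` in the unchanged `rpm --import` line is unquoted.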

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version. . /usr/sbin/so-common
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.. /usr/sbin/so-common
{% set BACKUPLOCATIONS = salt['pillar.get']('backup:locations', {}) %} {% set BACKUPLOCATIONS = salt['pillar.get']('backup:locations', {}) %}
TODAY=$(date '+%Y_%m_%d') TODAY=$(date '+%Y_%m_%d')

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import ipaddress import ipaddress
import textwrap import textwrap
@@ -27,17 +19,12 @@ from xml.dom import minidom
LOCAL_SALT_DIR='/opt/so/saltstack/local' LOCAL_SALT_DIR='/opt/so/saltstack/local'
WAZUH_CONF='/nsm/wazuh/etc/ossec.conf'
VALID_ROLES = { VALID_ROLES = {
'a': { 'role': 'analyst','desc': 'Analyst - 80/tcp, 443/tcp' }, 'a': { 'role': 'analyst','desc': 'Analyst - 80/tcp, 443/tcp' },
'b': { 'role': 'beats_endpoint', 'desc': 'Logstash Beat - 5044/tcp' }, 'b': { 'role': 'beats_endpoint', 'desc': 'Logstash Beat - 5044/tcp' },
'e': { 'role': 'elasticsearch_rest', 'desc': 'Elasticsearch REST API - 9200/tcp' }, 'e': { 'role': 'elasticsearch_rest', 'desc': 'Elasticsearch REST API - 9200/tcp' },
'f': { 'role': 'strelka_frontend', 'desc': 'Strelka frontend - 57314/tcp' }, 'f': { 'role': 'strelka_frontend', 'desc': 'Strelka frontend - 57314/tcp' },
'o': { 'role': 'osquery_endpoint', 'desc': 'Osquery endpoint - 8090/tcp' },
's': { 'role': 'syslog', 'desc': 'Syslog device - 514/tcp/udp' }, 's': { 'role': 'syslog', 'desc': 'Syslog device - 514/tcp/udp' },
'w': { 'role': 'wazuh_agent', 'desc': 'Wazuh agent - 1514/tcp/udp' },
'p': { 'role': 'wazuh_api', 'desc': 'Wazuh API - 55000/tcp' },
'r': { 'role': 'wazuh_authd', 'desc': 'Wazuh registration service - 1515/tcp' }
} }
@@ -76,73 +63,15 @@ def ip_prompt() -> str:
sys.exit(1) sys.exit(1)
def wazuh_enabled() -> bool:
for file in os.listdir(f'{LOCAL_SALT_DIR}/pillar'):
with open(file, 'r') as pillar:
if 'wazuh: 1' in pillar.read():
return True
return False
def root_to_str(root: ET.ElementTree) -> str:
xml_str = ET.tostring(root, encoding='unicode', method='xml').replace('\n', '')
xml_str = re.sub(r'(?:(?<=>) *)', '', xml_str)
# Remove specific substrings to better format comments on intial parse/write
xml_str = re.sub(r' -', '', xml_str)
xml_str = re.sub(r' -->', ' -->', xml_str)
dom = minidom.parseString(xml_str)
return dom.toprettyxml(indent=" ")
def rem_wl(ip):
parser = ET.XMLParser(remove_blank_text=True)
with open(WAZUH_CONF, 'rb') as wazuh_conf:
tree = ET.parse(wazuh_conf, parser)
root = tree.getroot()
global_elems = root.findall(f"global/white_list[. = '{ip}']/..")
if len(global_elems) > 0:
for g_elem in global_elems:
ge_index = list(root).index(g_elem)
if ge_index > 0 and root[list(root).index(g_elem) - 1].tag == ET.Comment:
root.remove(root[ge_index - 1])
root.remove(g_elem)
with open(WAZUH_CONF, 'w') as out:
out.write(root_to_str(root))
def apply(role: str, ip: str) -> int: def apply(role: str, ip: str) -> int:
firewall_cmd = ['so-firewall', 'excludehost', role, ip] firewall_cmd = ['so-firewall', 'excludehost', role, ip]
salt_cmd = ['salt-call', 'state.apply', '-l', 'quiet', 'firewall', 'queue=True'] salt_cmd = ['salt-call', 'state.apply', '-l', 'quiet', 'firewall', 'queue=True']
restart_wazuh_cmd = ['so-wazuh-restart']
print(f'Removing {ip} from the {role} role. This can take a few seconds...') print(f'Removing {ip} from the {role} role. This can take a few seconds...')
cmd = subprocess.run(firewall_cmd) cmd = subprocess.run(firewall_cmd)
if cmd.returncode == 0: if cmd.returncode == 0:
cmd = subprocess.run(salt_cmd, stdout=subprocess.DEVNULL) cmd = subprocess.run(salt_cmd, stdout=subprocess.DEVNULL)
else: else:
return cmd.returncode return cmd.returncode
if cmd.returncode == 0:
if wazuh_enabled and role=='analyst':
try:
rem_wl(ip)
print(f'Removed whitelist entry for {ip} from {WAZUH_CONF}', file=sys.stderr)
except Exception as e:
print(f'Failed to remove whitelist entry for {ip} from {WAZUH_CONF}', file=sys.stderr)
print(e)
return 1
print('Restarting OSSEC Server...')
cmd = subprocess.run(restart_wazuh_cmd)
else:
return cmd.returncode
else:
print(f'Commmand \'{" ".join(salt_cmd)}\' failed.', file=sys.stderr)
return cmd.returncode
if cmd.returncode != 0:
print('Failed to restart OSSEC server.')
return cmd.returncode
def main(): def main():
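Review bot: with `wazuh_enabled()`, `root_to_str()` and `rem_wl()` removed, `from xml.dom import minidom` (still present as context in the `@@ -27,17 +19,12 @@` header) has no remaining caller in this file, and the same is true of the `os`, `re` and `xml.etree.ElementTree` imports if they were only used by those three functions; drop the unused imports so the tool no longer loads XML parsing it does not need. Worth a line in the commit message: the removed branch `if wazuh_enabled and role=='analyst':` tested the function object rather than calling it, so the Wazuh path ran even when Wazuh was disabled; this removal fixes that incidentally.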
@@ -163,11 +92,7 @@ def main():
group.add_argument('-b', dest='roles', action='append_const', const=VALID_ROLES['b']['role'], help="Logstash Beat - 5044/tcp") group.add_argument('-b', dest='roles', action='append_const', const=VALID_ROLES['b']['role'], help="Logstash Beat - 5044/tcp")
group.add_argument('-e', dest='roles', action='append_const', const=VALID_ROLES['e']['role'], help="Elasticsearch REST API - 9200/tcp") group.add_argument('-e', dest='roles', action='append_const', const=VALID_ROLES['e']['role'], help="Elasticsearch REST API - 9200/tcp")
group.add_argument('-f', dest='roles', action='append_const', const=VALID_ROLES['f']['role'], help="Strelka frontend - 57314/tcp") group.add_argument('-f', dest='roles', action='append_const', const=VALID_ROLES['f']['role'], help="Strelka frontend - 57314/tcp")
group.add_argument('-o', dest='roles', action='append_const', const=VALID_ROLES['o']['role'], help="Osquery endpoint - 8090/tcp")
group.add_argument('-s', dest='roles', action='append_const', const=VALID_ROLES['s']['role'], help="Syslog device - 514/tcp/udp") group.add_argument('-s', dest='roles', action='append_const', const=VALID_ROLES['s']['role'], help="Syslog device - 514/tcp/udp")
group.add_argument('-w', dest='roles', action='append_const', const=VALID_ROLES['w']['role'], help="Wazuh agent - 1514/tcp/udp")
group.add_argument('-p', dest='roles', action='append_const', const=VALID_ROLES['p']['role'], help="Wazuh API - 55000/tcp")
group.add_argument('-r', dest='roles', action='append_const', const=VALID_ROLES['r']['role'], help="Wazuh registration service - 1515/tcp")
ip_g = main_parser.add_argument_group(title='allow') ip_g = main_parser.add_argument_group(title='allow')
ip_g.add_argument('-i', help="IP or CIDR block to disallow connections from, requires at least one role argument", metavar='', dest='ip') ip_g.add_argument('-i', help="IP or CIDR block to disallow connections from, requires at least one role argument", metavar='', dest='ip')
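Review bot: this hunk removes the `-o`, `-w`, `-p` and `-r` role flags but, unlike the matching `main()` hunk in the sibling script earlier in this commit, adds no `-t` option for the new Elastic Agent endpoint role (8220/tcp, 5055/tcp), and the `VALID_ROLES` hunk in this file adds no `'t'` entry either. If the allow-side tool can add a host to that role, this tool should be able to remove it; otherwise an analyst has no CLI path to revoke an Elastic Agent firewall exception once granted. Mirror the `-t` addition and the corresponding `VALID_ROLES` entry here.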

View File

@@ -1,19 +1,11 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import sys, argparse, re, docker import sys, argparse, re, docker
from packaging.version import Version, InvalidVersion from packaging.version import Version, InvalidVersion

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common
. /usr/sbin/so-image-common . /usr/sbin/so-image-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -0,0 +1,32 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.
#so-elastic-agent-gen-installers $FleetHost $EnrollmentToken
. /usr/sbin/so-common
ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints")) | .api_key')
FLEETHOST=$(lookup_pillar "server:url" "elasticfleet")
#FLEETHOST=$1
#ENROLLMENTOKEN=$2
CONTAINERGOOS=( "linux" "darwin" "windows" )
rm -rf /tmp/elastic-agent-workspace
mkdir -p /tmp/elastic-agent-workspace
for OS in "${CONTAINERGOOS[@]}"
do
printf "\n\nGenerating $OS Installer..."
cp /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/so-elastic-agent-*-$OS-x86_64.tar.gz /tmp/elastic-agent-workspace/$OS.tar.gz
docker run -e CGO_ENABLED=0 -e GOOS=$OS \
--mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \
--mount type=bind,source=/tmp/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \
--mount type=bind,source=/opt/so/conf/elastic-fleet/so_agent-installers/,target=/output/ \
so-elastic-agent-builder go build -ldflags "-X main.fleetHost=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_$OS
printf "\n $OS Installer Generated..."
done
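Review bot: ENROLLMENTOKEN is taken from `curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" ... | jq -r -c '.[] | select(.policy_id | contains("endpoints")) | .api_key'` with no check on the result. If Kibana is unreachable, curl fails, or no policy matches, the variable is empty and all three installers are built with an empty enrollment token; if more than one policy id contains the substring "endpoints", the variable holds several newline-separated keys that are then spliced into the `-ldflags` string. Exit early when `[ -z "$ENROLLMENTOKEN" ]` or when it spans more than one line, and match the policy id exactly rather than by substring. The token is a credential baked into the output binaries, so the permissions on /opt/so/conf/elastic-fleet/so_agent-installers/ should be reviewed accordingly. Smaller points: use `mktemp -d` instead of a fixed /tmp/elastic-agent-workspace path that is `rm -rf`'d on every run; the usage comment `#so-elastic-agent-gen-installers $FleetHost $EnrollmentToken` and the commented-out `#FLEETHOST=$1` / `#ENROLLMENTOKEN=$2` describe arguments the script no longer accepts; `printf "\n\nGenerating $OS Installer..."` puts a variable in the format string; and this file's license header omits the `https://securityonion.net/license` reference that every other header in this commit carries.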

View File

@@ -1,67 +0,0 @@
#!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
if [ -f "/usr/sbin/so-common" ]; then
. /usr/sbin/so-common
fi
ES_AUTH_PILLAR=${ELASTIC_AUTH_PILLAR:-/opt/so/saltstack/local/pillar/elasticsearch/auth.sls}
ES_USERS_FILE=${ELASTIC_USERS_FILE:-/opt/so/saltstack/local/salt/elasticsearch/files/users}
authEnable=$1
if ! grep -q "enabled: " "$ES_AUTH_PILLAR"; then
echo "Elastic auth pillar file is invalid. Unable to proceed."
exit 1
fi
function restart() {
if [[ -z "$ELASTIC_AUTH_SKIP_HIGHSTATE" ]]; then
echo "Elasticsearch on all affected minions will now be stopped and then restarted..."
salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' cmd.run so-elastic-stop queue=True
echo "Applying highstate to all affected minions..."
salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.highstate queue=True
fi
}
if [[ "$authEnable" == "true" ]]; then
if grep -q "enabled: False" "$ES_AUTH_PILLAR"; then
sed -i 's/enabled: False/enabled: True/g' "$ES_AUTH_PILLAR"
restart
echo "Elastic auth is now enabled."
if grep -q "argon" "$ES_USERS_FILE"; then
echo ""
echo "IMPORTANT: The following users will need to change their password, after logging into SOC, in order to access Kibana:"
grep argon "$ES_USERS_FILE" | cut -d ":" -f 1
fi
else
echo "Auth is already enabled."
fi
elif [[ "$authEnable" == "false" ]]; then
if grep -q "enabled: True" "$ES_AUTH_PILLAR"; then
sed -i 's/enabled: True/enabled: False/g' "$ES_AUTH_PILLAR"
restart
echo "Elastic auth is now disabled."
else
echo "Auth is already disabled."
fi
else
echo "Usage: $0 <true|false>"
echo ""
echo "Toggles Elastic authentication. Elasticsearch will be restarted on each affected minion."
echo ""
fi
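Review bot: deleting `so-elastic-auth` removes the only switch in this tree that flips `enabled: True/False` in `/opt/so/saltstack/local/pillar/elasticsearch/auth.sls` and then stops and highstates the Elastic minions, and nothing in the diff replaces it. Confirm that no other script or documentation still calls `so-elastic-auth`, and say in the commit message (currently just "Move In Day") whether Elastic authentication is now always enabled or toggled elsewhere.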

View File

@@ -1,19 +1,10 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
source $(dirname $0)/so-common source $(dirname $0)/so-common
require_manager require_manager
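Review bot: this hunk, like the matching header hunks in the other scripts, swaps the GPLv3 header for the Elastic License 2.0 header, which is a relicensing of the file rather than a cosmetic edit, and the commit message "Move In Day" does not mention it; state the relicensing explicitly in the commit message. Style point on the unchanged context: `source $(dirname $0)/so-common` should quote the expansion, `source "$(dirname "$0")/so-common"`.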
@@ -98,18 +89,18 @@ function killAllSaltJobs() {
function soUserSync() { function soUserSync() {
# apply this state to update /opt/so/saltstack/local/salt/elasticsearch/curl.config on the manager # apply this state to update /opt/so/saltstack/local/salt/elasticsearch/curl.config on the manager
salt-call state.sls_id elastic_curl_config_distributed manager queue=True salt-call state.sls_id elastic_curl_config_distributed manager queue=True
salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' saltutil.kill_all_jobs salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' saltutil.kill_all_jobs
# apply this state to get the curl.config # apply this state to get the curl.config
salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.sls_id elastic_curl_config common queue=True salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' state.sls_id elastic_curl_config common queue=True
$(dirname $0)/so-user sync $(dirname $0)/so-user sync
printf "\nApplying logstash state to the appropriate nodes.\n\n" printf "\nApplying logstash state to the appropriate nodes.\n\n"
salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.apply logstash queue=True salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' state.apply logstash queue=True
printf "\nApplying filebeat state to the appropriate nodes.\n\n" printf "\nApplying filebeat state to the appropriate nodes.\n\n"
salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode or G@role:so-sensor or G@role:so-fleet' state.apply filebeat queue=True salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode or G@role:so-sensor or G@role:so-fleet' state.apply filebeat queue=True
printf "\nApplying kibana state to the appropriate nodes.\n\n" printf "\nApplying kibana state to the appropriate nodes.\n\n"
salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch' state.apply kibana queue=True salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch' state.apply kibana queue=True
printf "\nApplying curator state to the appropriate nodes.\n\n" printf "\nApplying curator state to the appropriate nodes.\n\n"
salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.apply curator queue=True salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-searchnode or G@role:so-heavynode' state.apply curator queue=True
} }
function highstateManager() { function highstateManager() {
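Review bot: the `-C` compound targets in `soUserSync` now match `G@role:so-searchnode` instead of `G@role:so-node`, so any minion that still reports the old `so-node` grain after an upgrade silently drops out of the `elastic_curl_config`, `logstash`, `filebeat` and `curator` state applies here. Either make sure the grain rename is applied before this function can run, or match both values for one release (`... or G@role:so-node or G@role:so-searchnode ...`).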

View File

@@ -1,20 +1,12 @@
#!/bin/bash #!/bin/bash
# #
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# {%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
. /usr/sbin/so-common . /usr/sbin/so-common
SKIP=0 SKIP=0
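Review bot: `NODEIP` now reads `host:mainip` with an empty-string default, so on a minion that lacks that pillar key the rendered script targets `https://:9200/...` and the index-deletion loop further down finds nothing and reports nothing. Fail early when the value is empty, for example `[ -n "{{ NODEIP }}" ] || { echo "host:mainip pillar not set"; exit 1; }` right after `. /usr/sbin/so-common`; the same empty default applies to every other script in this commit that switches to `host:mainip`.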
@@ -50,7 +42,7 @@ done
if [ $SKIP -ne 1 ]; then if [ $SKIP -ne 1 ]; then
# List indices # List indices
echo echo
{{ ELASTICCURL }} -k -L https://{{ NODEIP }}:9200/_cat/indices?v curl -K /opt/so/conf/elasticsearch/curl.config -k -L https://{{ NODEIP }}:9200/_cat/indices?v
echo echo
# Inform user we are about to delete all data # Inform user we are about to delete all data
echo echo
@@ -89,10 +81,10 @@ fi
# Delete data # Delete data
echo "Deleting data..." echo "Deleting data..."
INDXS=$({{ ELASTICCURL }} -s -XGET -k -L https://{{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }') INDXS=$(curl -K /opt/so/conf/elasticsearch/curl.config -s -XGET -k -L https://{{ NODEIP }}:9200/_cat/indices?v | egrep 'logstash|elastalert|so-' | awk '{ print $3 }')
for INDX in ${INDXS} for INDX in ${INDXS}
do do
{{ ELASTICCURL }} -XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1 curl -K /opt/so/conf/elasticsearch/curl.config-XDELETE -k -L https://"{{ NODEIP }}:9200/${INDX}" > /dev/null 2>&1
done done
#Start Logstash/Filebeat #Start Logstash/Filebeat
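Review bot: the delete loop's `curl -K /opt/so/conf/elasticsearch/curl.config-XDELETE -k -L ...` is missing the space between the config path and `-XDELETE`. curl reads `-K` as the nonexistent file `curl.config-XDELETE`, so the credentials are never loaded and `-XDELETE` is never applied; either the call errors out or it goes out as an unauthenticated GET, and in both cases no index is removed while `> /dev/null 2>&1` hides the failure. Change it to `curl -K /opt/so/conf/elasticsearch/curl.config -XDELETE -k -L ...` and check the exit status (or keep stderr) so a failed delete is visible, since "Deleting data..." is printed either way.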

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Source common settings # Source common settings
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -0,0 +1,81 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
. /usr/sbin/so-common
# Create ES Token
ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/service_tokens" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq -r .value)
printf "ESTOKEN = $ESTOKEN \n"
# Add SO-Manager Fleet URL
## This array replaces whatever URLs are currently configured
printf "\n"
curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/settings" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"fleet_server_hosts":["https://{{ GLOBALS.manager_ip }}:8220"]}'
printf "\n\n"
# Create Logstash Output payload
cp /etc/ssl/certs/intca.crt /opt/so/conf/filebeat/etc/pki/
LOGSTASHCRT=$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt)
LOGSTASHKEY=$(openssl rsa -in /opt/so/conf/filebeat/etc/pki/filebeat.key)
LOGSTASHCA=$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/intca.crt)
JSON_STRING=$( jq -n \
--arg LOGSTASHCRT "$LOGSTASHCRT" \
--arg LOGSTASHKEY "$LOGSTASHKEY" \
--arg LOGSTASHCA "$LOGSTASHCA" \
'{"name":"so-manager_logstash","id":"so-manager_logstash","type":"logstash","hosts":["{{ GLOBALS.manager_ip }}:5055"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate": $LOGSTASHCRT,"key": $LOGSTASHKEY,"certificate_authorities":[ $LOGSTASHCA ]}}'
)
# Add SO-Manager Logstash Ouput
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/outputs" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
printf "\n\n"
# Add Elastic Fleet Integrations
# Add Elastic Fleet Server Agent Policy
#curl -vv -K /opt/so/conf/elasticsearch/curl.config -L \
#-X POST "localhost:5601/api/fleet/agent_policies" \
#-H 'kbn-xsrf: true' -H 'Content-Type: application/json' \
#-d '{"name":"SO-Manager","id":"so-manager","description":"SO Manager Fleet Server Policy","namespace":"default","monitoring_enabled":["logs"],"has_fleet_server":true}'
# Add Agent Policy - SOS Grid Nodes
#curl -vv -K /opt/so/conf/elasticsearch/curl.config -L \
#-X POST "localhost:5601/api/fleet/agent_policies" \
#-H 'kbn-xsrf: true' -H 'Content-Type: application/json' \
#-d '{"name":"SO-Grid","id":"so-grid","description":"SO Grid Endpoint Policy","namespace":"default","monitoring_enabled":["logs"]}'
# Add Agent Policy - Default endpoints
#curl -vv -K /opt/so/conf/elasticsearch/curl.config -L \
#-X POST "localhost:5601/api/fleet/agent_policies" \
#-H 'kbn-xsrf: true' -H 'Content-Type: application/json' \
#-d '{"name":"Endpoints-Initalization","id":"endpoints","description":"Initial Endpoint Policy","namespace":"default","monitoring_enabled":["logs"]}'
# Store needed data in minion pillar
pillar_file=/opt/so/saltstack/local/pillar/minions/{{ GLOBALS.minion_id }}.sls
printf '%s\n'\
"elasticfleet:"\
" server:"\
" es_token: '$ESTOKEN'"\
" url: '{{ GLOBALS.manager_ip }}'"\
"" >> "$pillar_file"
# Call Elastic-Fleet Salt State
salt-call state.apply elastic-fleet
# Temp
wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-darwin-x86_64.tar.gz
wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-linux-x86_64.tar.gz
wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-windows-x86_64.tar.gz
git clone -b 2.4-so-elastic-agent https://github.com/Security-Onion-Solutions/securityonion-image.git
cd securityonion-image/so-elastic-agent-builder
docker build -t so-elastic-agent-builder .
so-elastic-agent-gen-installers
/opt/so/conf/elastic-fleet/so_agent-installers/so-elastic-agent_linux
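Review bot: `printf "ESTOKEN = $ESTOKEN \n"` echoes the Fleet service token to stdout, where it ends up in the setup output and in any log that captures it; print a success/failure line instead. The token request itself has no check that `jq -r .value` returned anything, so a failed call writes `es_token: ''` into the pillar, and the `printf ... >> "$pillar_file"` block appends a fresh `elasticfleet:` section on every run, leaving duplicate keys in the minion pillar after a re-run (test for the key first, or write the section to its own file with `>`). The `# Temp` tail `wget`s three agent tarballs and `git clone`s a branch with no checksum or tag pin, builds a container and then executes the generated Linux installer; if this outlives the temporary phase, pin the release assets and verify them before they are placed under `/opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/`, and guard the directory change (`cd securityonion-image/so-elastic-agent-builder || exit 1`). Minor: this file's header omits the `as shown at https://securityonion.net/license` wording used in the other headers in this commit, and `# Add SO-Manager Logstash Ouput` misspells Output.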

View File

@@ -1,24 +1,16 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common
{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-import']%} {%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%}
/usr/sbin/so-restart elasticsearch $1 /usr/sbin/so-restart elasticsearch $1
{%- endif %} {%- endif %}
@@ -26,15 +18,15 @@
/usr/sbin/so-restart kibana $1 /usr/sbin/so-restart kibana $1
{%- endif %} {%- endif %}
{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} {%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
/usr/sbin/so-restart logstash $1 /usr/sbin/so-restart logstash $1
{%- endif %} {%- endif %}
{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-sensor']%} {%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-sensor']%}
/usr/sbin/so-restart filebeat $1 /usr/sbin/so-restart filebeat $1
{%- endif %} {%- endif %}
{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} {%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
/usr/sbin/so-restart curator $1 /usr/sbin/so-restart curator $1
{%- endif %} {%- endif %}

View File

@@ -1,24 +1,16 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common
{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-import']%} {%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%}
/usr/sbin/so-start elasticsearch $1 /usr/sbin/so-start elasticsearch $1
{%- endif %} {%- endif %}
@@ -26,15 +18,15 @@
/usr/sbin/so-start kibana $1 /usr/sbin/so-start kibana $1
{%- endif %} {%- endif %}
{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} {%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
/usr/sbin/so-start logstash $1 /usr/sbin/so-start logstash $1
{%- endif %} {%- endif %}
{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-sensor']%} {%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-sensor']%}
/usr/sbin/so-start filebeat $1 /usr/sbin/so-start filebeat $1
{%- endif %} {%- endif %}
{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} {%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
/usr/sbin/so-start curator $1 /usr/sbin/so-start curator $1
{%- endif %} {%- endif %}

View File

@@ -1,24 +1,16 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common
{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-import']%} {%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-import']%}
/usr/sbin/so-stop elasticsearch $1 /usr/sbin/so-stop elasticsearch $1
{%- endif %} {%- endif %}
@@ -26,15 +18,15 @@
/usr/sbin/so-stop kibana $1 /usr/sbin/so-stop kibana $1
{%- endif %} {%- endif %}
{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} {%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
/usr/sbin/so-stop logstash $1 /usr/sbin/so-stop logstash $1
{%- endif %} {%- endif %}
{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-sensor']%} {%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode', 'so-sensor']%}
/usr/sbin/so-stop filebeat $1 /usr/sbin/so-stop filebeat $1
{%- endif %} {%- endif %}
{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} {%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-searchnode']%}
/usr/sbin/so-stop curator $1 /usr/sbin/so-stop curator $1
{%- endif %} {%- endif %}

View File

@@ -1,23 +1,15 @@
#!/bin/bash #!/bin/bash
# #
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# {%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
. /usr/sbin/so-common . /usr/sbin/so-common
if [ "$1" == "" ]; then if [ "$1" == "" ]; then
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort
else else
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template/$1 | jq curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_component_template/$1 | jq
fi fi
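Review bot: `$1` is interpolated unquoted into the request URL in `https://{{ NODEIP }}:9200/_component_template/$1`; quote it (`".../_component_template/$1"`) so a name containing spaces or glob characters cannot split the argument or expand against the filesystem. The index-template script in the next file has the same pattern.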

View File

@@ -1,23 +1,15 @@
#!/bin/bash #!/bin/bash
# #
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# {%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
. /usr/sbin/so-common . /usr/sbin/so-common
if [ "$1" == "" ]; then if [ "$1" == "" ]; then
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort
else else
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template/$1 | jq curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_index_template/$1 | jq
fi fi

View File

@@ -14,8 +14,8 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/> # along with this program. If not, see <http://www.gnu.org/licenses/>
{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
. /usr/sbin/so-common . /usr/sbin/so-common
{{ ELASTICCURL }} -s -k -L "https://{{ NODEIP }}:9200/_cat/indices?pretty&v&s=index" curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L "https://{{ NODEIP }}:9200/_cat/indices?pretty&v&s=index"
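Review bot: this hunk starts at line 14 and leaves lines 14 to 16 of the GPL header in place (`# You should have received a copy of the GNU General Public License ...`) while the other scripts in this commit are switched to the Elastic License 2.0 header; the `@@ -14,12 +14,12 @@` hunks for the two ingest-pipeline scripts and the `@@ -14,8 +14,8 @@` hunk for the shard listing script below have the same gap. Either relicense these files consistently or note in the commit message why they stay under the GPL.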

View File

@@ -1,23 +1,15 @@
#!/bin/bash #!/bin/bash
# #
# #
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
IP={{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }} IP={{ salt['grains.get']('ip_interfaces').get(salt['pillar.get']('sensor:mainint', salt['pillar.get']('manager:mainint', salt['pillar.get']('elasticsearch:mainint', salt['pillar.get']('host:mainint')))))[0] }}
ESPORT=9200 ESPORT=9200
echo "Removing read only attributes for indices..." echo "Removing read only attributes for indices..."
echo echo
{{ ELASTICCURL }} -s -k -XPUT -H "Content-Type: application/json" -L https://$IP:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute. Please ensure Elasticsearch is running.";fi; curl -K /opt/so/conf/elasticsearch/curl.config -s -k -XPUT -H "Content-Type: application/json" -L https://$IP:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}' 2>&1 | if grep -q ack; then echo "Index settings updated..."; else echo "There was any issue updating the read-only attribute. Please ensure Elasticsearch is running.";fi;
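Review bot: `ESPORT=9200` is set but the request still hardcodes the port in `https://$IP:9200/_all/_settings`; use `$ESPORT` or drop the variable. The success test `grep -q ack` matches any response that contains `ack`, including `"acknowledged":false`, so a rejected settings update still prints `Index settings updated...`; pipe the response through `jq -e '.acknowledged == true'` instead. The failure message `There was any issue updating the read-only attribute` should read `There was an issue ...`.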

View File

@@ -14,12 +14,12 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/> # along with this program. If not, see <http://www.gnu.org/licenses/>
{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
. /usr/sbin/so-common . /usr/sbin/so-common
if [ "$1" == "" ]; then if [ "$1" == "" ]; then
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines" curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines"
else else
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\"" curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_nodes/stats | jq .nodes | jq ".[] | .ingest.pipelines.\"$1\""
fi fi

View File

@@ -14,12 +14,12 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/> # along with this program. If not, see <http://www.gnu.org/licenses/>
{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
. /usr/sbin/so-common . /usr/sbin/so-common
if [ "$1" == "" ]; then if [ "$1" == "" ]; then
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq . curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq .
else else
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq .[] curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq .[]
fi fi

View File

@@ -1,23 +1,15 @@
#!/bin/bash #!/bin/bash
# #
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# {%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
. /usr/sbin/so-common . /usr/sbin/so-common
if [ "$1" == "" ]; then if [ "$1" == "" ]; then
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys' curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq 'keys'
else else
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq
fi fi

View File

@@ -34,4 +34,4 @@ fi
QUERYPATH=$1 QUERYPATH=$1
shift shift
{{ ELASTICCURL }} -s -k -L -H "Content-Type: application/json" "https://localhost:9200/${QUERYPATH}" "$@" curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -H "Content-Type: application/json" "https://localhost:9200/${QUERYPATH}" "$@"

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common
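Review bot: the `@@ -1,19 +1,11 @@` header swap from the GPLv3 text to the Elastic License 2.0 text is repeated verbatim across most files in this commit, but not all of them: the three Elasticsearch helper hunks that start at line 14 (`@@ -14,8 +14,8 @@` and `@@ -14,12 +14,12 @@`) keep their GPL header and change only the NODEIP and curl lines. If the relicensing is meant to cover the whole tree, those files need the same header change in this commit; if some files are intentionally left under GPLv3, the commit message should say which, since "Move In Day" gives a downstream reader no hint that the license terms change here.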

View File

@@ -14,8 +14,8 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/> # along with this program. If not, see <http://www.gnu.org/licenses/>
{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
. /usr/sbin/so-common . /usr/sbin/so-common
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_cat/shards?pretty curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_cat/shards?pretty
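Review bot: `salt['pillar.get']('host:mainip', '')` defaults to an empty string, so if the renamed pillar key is missing on a minion the rendered script silently targets `https://:9200/_cat/shards`, which curl rejects with an unhelpful URL error. Since the key was just renamed from `elasticsearch:mainip`, a render-time failure (no default, or a Jinja check that NODEIP is non-empty) would catch any pillar file that still uses the old key. This file also keeps its GPL header while the surrounding files switch to Elastic License 2.0; see the note on the header-swap hunk above.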

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -14,8 +14,8 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/> # along with this program. If not, see <http://www.gnu.org/licenses/>
{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
. /usr/sbin/so-common . /usr/sbin/so-common
{{ ELASTICCURL }} -s -k -L -XDELETE https://{{ NODEIP }}:9200/_template/$1 curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L -XDELETE https://{{ NODEIP }}:9200/_template/$1
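Review bot: the `-XDELETE https://{{ NODEIP }}:9200/_template/$1` line has no guard for a missing argument, so running the script with no template name sends a DELETE against `/_template/` rather than printing usage; add a `[ -z "$1" ]` check with an explanatory message before the request, and quote `$1` in the URL as with the other scripts. Also worth a comment in the script: `_template` is the legacy index-template endpoint (deprecated since Elasticsearch 7.8 in favour of `_index_template`), so this tool only covers templates created through the old API.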

View File

@@ -14,12 +14,12 @@
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/> # along with this program. If not, see <http://www.gnu.org/licenses/>
{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
. /usr/sbin/so-common . /usr/sbin/so-common
if [ "$1" == "" ]; then if [ "$1" == "" ]; then
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/* | jq . curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/* | jq .
else else
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq . curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq .
fi fi

View File

@@ -1,23 +1,15 @@
#!/bin/bash #!/bin/bash
# #
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# {%- set NODEIP = salt['pillar.get']('host:mainip', '') -%}
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
. /usr/sbin/so-common . /usr/sbin/so-common
if [ "$1" == "" ]; then if [ "$1" == "" ]; then
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys' curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/* | jq 'keys'
else else
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq curl -K /opt/so/conf/elasticsearch/curl.config -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq
fi fi

View File

@@ -2,4 +2,4 @@
. /usr/sbin/so-common . /usr/sbin/so-common
wait_for_web_response "https://localhost:9200/_cat/indices/.kibana*" "green open" 300 "{{ ELASTICCURL }}" wait_for_web_response "https://localhost:9200/_cat/indices/.kibana*" "green open" 300 "curl -K /opt/so/conf/elasticsearch/curl.config"
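Review bot: the curl invocation handed to `wait_for_web_response` as a single string, `"curl -K /opt/so/conf/elasticsearch/curl.config"`, is the only call site in this commit that does not pass `-k`; either `wait_for_web_response` adds its own certificate option or the CA that signed the Elasticsearch certificate is trusted through the curl config, otherwise every probe fails on verification and the loop simply runs out its 300 seconds. Confirm which it is and, if the former, say so in a comment here, since the string is executed by the helper after word splitting and a reader cannot tell from this line what options the request really carries.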

View File

@@ -1,18 +1,10 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set mainint = salt['pillar.get']('host:mainint') %} {%- set mainint = salt['pillar.get']('host:mainint') %}
{%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} {%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
@@ -31,7 +23,7 @@ echo -n "Waiting for ElasticSearch..."
COUNT=0 COUNT=0
ELASTICSEARCH_CONNECTED="no" ELASTICSEARCH_CONNECTED="no"
while [[ "$COUNT" -le 240 ]]; do while [[ "$COUNT" -le 240 ]]; do
{{ ELASTICCURL }} -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" curl -K /opt/so/conf/elasticsearch/curl.config -k --output /dev/null --silent --head --fail -L https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
ELASTICSEARCH_CONNECTED="yes" ELASTICSEARCH_CONNECTED="yes"
echo "connected!" echo "connected!"
@@ -48,8 +40,8 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
echo echo
fi fi
echo "Testing to see if the pipelines are already applied" echo "Testing to see if the pipelines are already applied"
ESVER=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \") ESVER=$(curl -K /opt/so/conf/elasticsearch/curl.config -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT" |jq .version.number |tr -d \")
PIPELINES=$({{ ELASTICCURL }} -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-elasticsearch-server-pipeline | jq . | wc -c) PIPELINES=$(curl -K /opt/so/conf/elasticsearch/curl.config -sk https://"$ELASTICSEARCH_HOST":"$ELASTICSEARCH_PORT"/_ingest/pipeline/filebeat-$ESVER-elasticsearch-server-pipeline | jq . | wc -c)
if [[ "$PIPELINES" -lt 5 ]] || [ "$2" != "--force" ]; then if [[ "$PIPELINES" -lt 5 ]] || [ "$2" != "--force" ]; then
echo "Setting up ingest pipeline(s)" echo "Setting up ingest pipeline(s)"
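Review bot: the condition `if [[ "$PIPELINES" -lt 5 ]] || [ "$2" != "--force" ]` looks inverted: `"$2" != "--force"` is true whenever the flag is absent, so the pipelines are (re)applied on every ordinary run and the "already applied" test only short-circuits when `--force` is given. If the intent is "apply when missing, or when forced", the second operand should be `[ "$2" == "--force" ]`. Smaller points in the same hunk: `jq .version.number | tr -d \"` can be `jq -r .version.number`, and `$ESVER` is interpolated unquoted into the pipeline URL while `$ELASTICSEARCH_HOST` and `$ELASTICSEARCH_PORT` are quoted.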

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,10 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os import os
import re import re

View File

@@ -0,0 +1,82 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
if [[ $# -lt 1 ]]; then
echo "Usage: $0 --role=<ROLE> --ip=<IP ADDRESS>"
echo ""
echo " Example: so-firewall-minion --role=manager --ip=192.168.254.100"
echo ""
exit 1
fi
for i in "$@"; do
case $i in
-r=*|--role=*)
ROLE="${i#*=}"
shift
;;
-i=*|--ip=*)
IP="${i#*=}"
shift
;;
-*|--*)
echo "Unknown option $i"
exit 1
;;
*)
;;
esac
done
ROLE=${ROLE^^}
if [ -z "$ROLE" ]; then
echo "Please specify a role with --role="
exit 1
fi
if [ -z "$IP" ]; then
echo "Please specify an IP address with --ip="
exit 1
fi
case "$ROLE" in
'MANAGER')
so-firewall includehost manager "$IP"
so-firewall --apply includehost minion "$IP"
;;
'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
so-firewall includehost manager "$IP"
so-firewall includehost minion "$IP"
so-firewall includehost sensor "$IP"
so-firewall --apply includehost search_node "$IP"
;;
'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'IDH' | 'RECEIVER')
so-firewall includehost minion "$IP"
case "$ROLE" in
'SENSOR')
so-firewall --apply includehost sensor "$IP"
;;
'SEARCHNODE')
so-firewall --apply includehost search_node "$IP"
;;
'HEAVYNODE')
so-firewall includehost sensor "$IP"
so-firewall --apply includehost heavy_node "$IP"
;;
'IDH')
so-firewall --apply includehost beats_endpoint_ssl "$IP"
;;
'RECEIVER')
so-firewall --apply includehost receiver "$IP"
;;
esac
;;
esac
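Review bot: the outer `case "$ROLE"` has no default arm, so an unrecognised role (a typo such as `--role=sensr`) matches nothing, changes no firewall rule and still exits 0; add `*) echo "Unknown role: $ROLE"; exit 1 ;;` so automation calling this script notices. The `--ip=` value is also handed to `so-firewall includehost` with no check that it is an address or CIDR, and none of the `so-firewall` calls have their exit status checked; validating the value here (or at least propagating a non-zero status from `so-firewall`) would stop bad input from landing in a firewall rule set. Minor: `shift` inside `for i in "$@"` does not affect the loop and can be removed, and the `-*|--*)` pattern is redundant because `-*` already matches `--*`.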

View File

@@ -1,20 +0,0 @@
#!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart fleet $1

View File

@@ -1,58 +0,0 @@
#!/bin/bash
#so-fleet-setup $FleetEmail $FleetPassword
. /usr/sbin/so-common
if [[ $# -ne 2 ]] ; then
echo "Username or Password was not set - exiting now."
exit 1
fi
USER_EMAIL=$1
USER_PW=$2
# Checking to see if required containers are started...
if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
echo "Starting Docker Containers..."
salt-call state.apply mysql queue=True >> /root/fleet-setup.log
salt-call state.apply fleet queue=True >> /root/fleet-setup.log
salt-call state.apply redis queue=True >> /root/fleet-setup.log
fi
docker exec so-fleet fleetctl config set --address https://127.0.0.1:8080 --tls-skip-verify --url-prefix /fleet
docker exec so-fleet bash -c 'while [[ "$(curl -s -o /dev/null --insecure -w ''%{http_code}'' https://127.0.0.1:8080/fleet)" != "301" ]]; do sleep 5; done'
# Create Security Onion Fleet Service Account + Setup Fleet
FLEET_SA_EMAIL=$(lookup_pillar_secret fleet_sa_email)
FLEET_SA_PW=$(lookup_pillar_secret fleet_sa_password)
docker exec so-fleet fleetctl setup --email $FLEET_SA_EMAIL --password $FLEET_SA_PW --name SO_ServiceAccount --org-name SO
# Create User Account
echo "$USER_PW" | so-fleet-user-add "$USER_EMAIL"
# Import Packs & Configs
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
docker exec so-fleet fleetctl apply -f /packs/so/so-default.yml
docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
docker exec so-fleet fleetctl apply -f /packs/osquery-config.conf
# Update the Enroll Secret
echo "Updating the Enroll Secret..."
salt-call state.apply fleet.event_update-enroll-secret queue=True >> /root/fleet-setup.log
salt-call state.apply nginx queue=True >> /root/fleet-setup.log
# Generate osquery install packages
echo "Generating osquery install packages - this will take some time..."
salt-call state.apply fleet.event_gen-packages queue=True >> /root/fleet-setup.log
sleep 120
echo "Installing launcher via salt..."
salt-call state.apply fleet.install_package queue=True >> /root/fleet-setup.log
salt-call state.apply filebeat queue=True >> /root/fleet-setup.log
docker stop so-nginx
salt-call state.apply nginx queue=True >> /root/fleet-setup.log
echo "Fleet Setup Complete - Login with the username and password you ran the script with."
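Review bot: deleting so-fleet-setup removes the only caller shown in this commit for the `mysql`, `fleet`, `redis`, `fleet.event_update-enroll-secret`, `fleet.event_gen-packages` and `fleet.install_package` salt states, for the `fleet_sa_email`/`fleet_sa_password` pillar secrets, and for the `so-fleet` and `so-mysql` containers; confirm those states, images and secrets are dropped in the same commit (together with any documentation that tells users to run so-fleet-setup), otherwise they linger as unmaintained surface nobody exercises. For the record, the deleted script also passed the service-account password to `fleetctl setup --password` on the command line, where it was visible in the process table; whatever replaces Fleet should read secrets from stdin or the environment instead.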

View File

@@ -1,20 +0,0 @@
#!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start fleet $1

View File

@@ -1,20 +0,0 @@
#!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop fleet $1

View File

@@ -1,69 +0,0 @@
#!/bin/bash
#
# Copyright 2014-2022 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
usage() {
echo "Usage: $0 <new-user-email>"
echo ""
echo "Adds a new user to Fleet. The new password will be read from STDIN."
exit 1
}
if [ $# -ne 1 ]; then
usage
fi
USER_EMAIL=$1
FLEET_SA_EMAIL=$(lookup_pillar_secret fleet_sa_email)
FLEET_SA_PW=$(lookup_pillar_secret fleet_sa_password)
MYSQL_PW=$(lookup_pillar_secret mysql)
# Read password for new user from stdin
test -t 0
if [[ $? == 0 ]]; then
echo "Enter new password:"
fi
read -rs USER_PASS
check_password_and_exit "$USER_PASS"
# Config fleetctl & login with the SO Service Account
CONFIG_OUTPUT=$(docker exec so-fleet fleetctl config set --address https://127.0.0.1:8080 --tls-skip-verify --url-prefix /fleet 2>&1 )
SALOGIN_OUTPUT=$(docker exec so-fleet fleetctl login --email $FLEET_SA_EMAIL --password $FLEET_SA_PW 2>&1)
if [[ $? -ne 0 ]]; then
echo "Unable to add user to Fleet; Fleet Service account login failed"
echo "$SALOGIN_OUTPUT"
exit 2
fi
# Create New User
CREATE_OUTPUT=$(docker exec so-fleet fleetctl user create --email $USER_EMAIL --name $USER_EMAIL --password $USER_PASS --global-role admin 2>&1)
if [[ $? -eq 0 ]]; then
echo "Successfully added user to Fleet"
else
echo "Unable to add user to Fleet; user might already exist"
echo "$CREATE_OUTPUT"
exit 2
fi
# Disable forced password reset
MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PW fleet -e \
"UPDATE users SET admin_forced_password_reset = 0 WHERE email = '$USER_EMAIL'" 2>&1)
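Review bot: no objection to removing so-fleet-user-add, but note what goes with it: `$USER_EMAIL` was interpolated straight into the SQL statement `UPDATE users SET admin_forced_password_reset = 0 WHERE email = '$USER_EMAIL'` with no validation of the email (only the password went through `check_password_and_exit`), the result of that `mysql` call was never checked, and both `fleetctl login` and `fleetctl user create` received passwords on the command line. If user management is re-implemented for whatever replaces Fleet, parameterised queries and stdin-fed secrets should be the baseline.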

View File

@@ -1,56 +0,0 @@
#!/bin/bash
#
# Copyright 2014-2022 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
usage() {
echo "Usage: $0 <user-email>"
echo ""
echo "Deletes a user in Fleet"
exit 1
}
if [ $# -ne 1 ]; then
usage
fi
USER_EMAIL=$1
FLEET_SA_EMAIL=$(lookup_pillar_secret fleet_sa_email)
FLEET_SA_PW=$(lookup_pillar_secret fleet_sa_password)
# Config fleetctl & login with the SO Service Account
CONFIG_OUTPUT=$(docker exec so-fleet fleetctl config set --address https://127.0.0.1:8080 --tls-skip-verify --url-prefix /fleet 2>&1 )
SALOGIN_OUTPUT=$(docker exec so-fleet fleetctl login --email $FLEET_SA_EMAIL --password $FLEET_SA_PW 2>&1)
if [[ $? -ne 0 ]]; then
echo "Unable to delete user from Fleet; Fleet Service account login failed"
echo "$SALOGIN_OUTPUT"
exit 2
fi
# Delete User
DELETE_OUTPUT=$(docker exec so-fleet fleetctl user delete --email $USER_EMAIL 2>&1)
if [[ $? -eq 0 ]]; then
echo "Successfully deleted user from Fleet"
else
echo "Unable to delete user from Fleet"
echo "$DELETE_OUTPUT"
exit 2
fi

View File

@@ -1,75 +0,0 @@
#!/bin/bash
#
# Copyright 2014-2022 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
usage() {
echo "Usage: $0 <user-name>"
echo ""
echo "Update password for an existing Fleet user. The new password will be read from STDIN."
exit 1
}
if [ $# -ne 1 ]; then
usage
fi
USER=$1
MYSQL_PASS=$(lookup_pillar_secret mysql)
FLEET_IP=$(lookup_pillar fleet_ip)
FLEET_USER=$USER
# test existence of user
MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \
"SELECT count(1) FROM users WHERE email='$FLEET_USER'" 2>/dev/null | tail -1)
if [[ $? -ne 0 ]] || [[ $MYSQL_OUTPUT -ne 1 ]] ; then
echo "Test for email [${FLEET_USER}] failed"
echo " expect 1 hit in users database, return $MYSQL_OUTPUT hit(s)."
echo "Unable to update Fleet user password."
exit 2
fi
# Read password for new user from stdin
test -t 0
if [[ $? == 0 ]]; then
echo "Enter new password:"
fi
read -rs FLEET_PASS
if ! check_password "$FLEET_PASS"; then
echo "Password is invalid. Please exclude single quotes, double quotes, dollar signs, and backslashes from the password."
exit 2
fi
FLEET_HASH=$(docker exec so-soctopus python -c "import bcrypt; print(bcrypt.hashpw('$FLEET_PASS'.encode('utf-8'), bcrypt.gensalt()).decode('utf-8'));" 2>&1)
if [[ $? -ne 0 ]]; then
echo "Failed to generate Fleet password hash"
exit 2
fi
MYSQL_OUTPUT=$(docker exec so-mysql mysql -u root --password=$MYSQL_PASS fleet -e \
"UPDATE users SET password='$FLEET_HASH', salt='' where email='$FLEET_USER'" 2>&1)
if [[ $? -eq 0 ]]; then
echo "Successfully updated Fleet user password"
else
echo "Unable to update Fleet user password"
echo "$MYSQL_OUTPUT"
exit 2
fi
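Review bot: same pattern as the deleted so-fleet-user-add: `$FLEET_PASS` is embedded in a `python -c` string executed in the so-soctopus container, and `$FLEET_HASH` and `$FLEET_USER` are spliced into the `UPDATE users SET password=...` statement, with the `check_password` filter (rejecting quotes, `$` and backslashes) as the only thing keeping those interpolations well-formed. The removal is welcome; if a password-reset path returns in a later commit, hash inside the process that owns the secret and use a parameterised update rather than string-building the SQL in bash.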

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# NOTE: This script depends on so-common # NOTE: This script depends on so-common
IMAGEREPO=security-onion-solutions IMAGEREPO=security-onion-solutions
@@ -32,7 +24,6 @@ container_list() {
if [ $MANAGERCHECK == 'so-import' ]; then if [ $MANAGERCHECK == 'so-import' ]; then
TRUSTED_CONTAINERS=( TRUSTED_CONTAINERS=(
"so-acng"
"so-elasticsearch" "so-elasticsearch"
"so-filebeat" "so-filebeat"
"so-idstools" "so-idstools"
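Review bot: removing `"so-acng"` from the so-import TRUSTED_CONTAINERS list means container_list() stops returning it, so whatever pulls and verifies images from this list will no longer fetch that container on an import node; check that no Salt state or so-* script still starts or checks so-acng for that role, otherwise it fails at run time against an image that was never pulled.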
@@ -47,13 +38,10 @@ container_list() {
) )
elif [ $MANAGERCHECK != 'so-helix' ]; then elif [ $MANAGERCHECK != 'so-helix' ]; then
TRUSTED_CONTAINERS=( TRUSTED_CONTAINERS=(
"so-acng"
"so-curator" "so-curator"
"so-elastalert" "so-elastalert"
"so-elasticsearch" "so-elasticsearch"
"so-filebeat" "so-filebeat"
"so-fleet"
"so-fleet-launcher"
"so-grafana" "so-grafana"
"so-idh" "so-idh"
"so-idstools" "so-idstools"
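Review bot: `"so-acng"`, `"so-fleet"` and `"so-fleet-launcher"` leave the default TRUSTED_CONTAINERS list here, but the Fleet removal is incomplete within this change set: the Kibana saved-objects export script later in the diff still carries a commented-out `{%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', '') %}` lookup. Drop the `global:fleet_ip` pillar reference alongside the container entries so upgraded nodes do not keep a dangling reference to a container that is no longer trusted or pulled.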
@@ -75,7 +63,6 @@ container_list() {
"so-strelka-manager" "so-strelka-manager"
"so-suricata" "so-suricata"
"so-telegraf" "so-telegraf"
"so-wazuh"
"so-zeek" "so-zeek"
) )
else else
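Review bot: `"so-wazuh"` is removed from the default list while the `else` branch (the `so-helix` case) is left untouched in this hunk; confirm that branch's list was updated as well, or that Helix deployments intentionally keep Wazuh, since a mismatch between the two lists means the image is pulled on one deployment type and not the other. Anything that still runs docker against so-wazuh (start, status, firewall rules) needs the same cleanup as the fleet entries above.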

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common
. /usr/sbin/so-image-common . /usr/sbin/so-image-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set MANAGER = salt['grains.get']('master') %} {%- set MANAGER = salt['grains.get']('master') %}
{%- set VERSION = salt['pillar.get']('global:soversion') %} {%- set VERSION = salt['pillar.get']('global:soversion') %}

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# #
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set MANAGER = salt['grains.get']('master') %} {%- set MANAGER = salt['grains.get']('master') %}
{%- set VERSION = salt['pillar.get']('global:soversion') %} {%- set VERSION = salt['pillar.get']('global:soversion') %}

View File

@@ -1,18 +1,10 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{{ ELASTICCURL }} -X GET -k -L "https://localhost:9200/_cat/indices?v&s=index"
curl -K /opt/so/conf/elasticsearch/curl.config-X GET -k -L "https://localhost:9200/_cat/indices?v&s=index"
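Review bot: the replacement line is missing a space between the config path and `-X`: `curl -K /opt/so/conf/elasticsearch/curl.config-X GET -k -L "https://localhost:9200/_cat/indices?v&s=index"` makes curl try to read a config file named `curl.config-X`, so the settings in the real config are never applied and `GET` is parsed as a second URL rather than the request method. It should read `curl -K /opt/so/conf/elasticsearch/curl.config -X GET -k -L "https://localhost:9200/_cat/indices?v&s=index"`. While here, `-k` disables TLS certificate verification; since the connection settings are now centralized in curl.config, a `cacert` entry there would let `-k` be dropped.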

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set role = grains.id.split('_') | last %} {%- set role = grains.id.split('_') | last %}
{%- if role in ['manager', 'managersearch', 'eval', 'standalone'] %} {%- if role in ['manager', 'managersearch', 'eval', 'standalone'] %}
{%- import_yaml 'influxdb/defaults.yaml' as default_settings %} {%- import_yaml 'influxdb/defaults.yaml' as default_settings %}

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

View File

@@ -5,27 +5,19 @@
# {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', '') %} # {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', '') %}
# {%- set MANAGER = salt['pillar.get']('global:url_base', '') %} # {%- set MANAGER = salt['pillar.get']('global:url_base', '') %}
# #
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
KIBANA_HOST={{ MANAGER }} KIBANA_HOST={{ MANAGER }}
KSO_PORT=5601 KSO_PORT=5601
OUTFILE="saved_objects.ndjson" OUTFILE="saved_objects.ndjson"
SESSIONCOOKIE=$({{ ELASTICCURL }} -c - -X GET http://$KIBANA_HOST:$KSO_PORT/ | grep sid | awk '{print $7}') SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://$KIBANA_HOST:$KSO_PORT/ | grep sid | awk '{print $7}')
{{ ELASTICCURL }} -b "sid=$SESSIONCOOKIE" -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST -L $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -s -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -XPOST -L $KIBANA_HOST:$KSO_PORT/api/saved_objects/_export -d '{ "type": [ "index-pattern", "config", "visualization", "dashboard", "search" ], "excludeExportDetails": false }' > $OUTFILE
# Clean up using PLACEHOLDER # Clean up using PLACEHOLDER
sed -i "s/$KIBANA_HOST/PLACEHOLDER/g" $OUTFILE sed -i "s/$KIBANA_HOST/PLACEHOLDER/g" $OUTFILE
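Review bot: both curl calls in this hunk now read `-K /opt/so/conf/elasticsearch/curl.config` but still target `http://$KIBANA_HOST:$KSO_PORT/` over plaintext, with `KIBANA_HOST` taken from `global:url_base` rather than localhost; if that config file carries the Elasticsearch credentials it replaces the `ELASTICCURL` macro for, they and the returned `sid` session cookie cross the network unencrypted. Switch these URLs to https with the same config, or bind the script to a local address. Two smaller points: the commented-out `FLEET_IP` pillar lookup at the top of the hunk is dead now that the Fleet containers are removed elsewhere in this diff, and `grep sid | awk '{print $7}'` matches any cookie-jar line containing "sid", so anchoring the grep on the exact cookie name would make the session extraction less fragile.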

View File

@@ -1,19 +1,11 @@
#!/bin/bash #!/bin/bash
# Copyright 2014-2022 Security Onion Solutions, LLC # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# This program is free software: you can redistribute it and/or modify # https://securityonion.net/license; you may not use this file except in compliance with the
# it under the terms of the GNU General Public License as published by # Elastic License 2.0.
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common . /usr/sbin/so-common

Some files were not shown because too many files have changed in this diff.