Raid refactor + yara and rule proxy

Mike Reeves
2023-08-03 17:11:43 -04:00
parent 13c3e7f5ff
commit 2caca92082
3 changed files with 62 additions and 73 deletions


@@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
@@ -9,25 +9,26 @@
. /usr/sbin/so-common . /usr/sbin/so-common
appliance_check() { {%- if salt['grains.get']('sosmodel', '') %}
{%- if salt['grains.get']('sosmodel', '') %} {%- set model = salt['grains.get']('sosmodel') %}
APPLIANCE=1 model={{ model }}
{%- if grains['sosmodel'] in ['SO2AMI01', 'SO2GCI01', 'SO2AZI01'] %} # Don't need cloud images to use this
exit 0 if [[ $model =~ ^(SO2AMI01|SO2AZI01|SO2GCI01)$ ]]; then
{%- endif %} exit 0
DUDEYOUGOTADELL=$(dmidecode |grep Dell) fi
if [[ -n $DUDEYOUGOTADELL ]]; then {%- else %}
APPTYPE=dell echo "This is not an appliance"
else exit 0
APPTYPE=sm {%- endif %}
fi if [[ $model =~ ^(SOS10K|SOS500|SOS1000|SOS1000F|SOS4000|SOSSN7200|SOSSNNV|SOSMN)$ ]]; then
mkdir -p /opt/so/log/raid is_bossraid=true
fi
{%- else %} if [[ $model =~ ^(SOSSNNV|SOSMN)$ ]]; then
echo "This is not an appliance" is_swraid=true
exit 0 fi
{%- endif %} if [[ $model =~ ^(SOS10K|SOS500|SOS1000|SOS1000F|SOS4000|SOSSN7200)$ ]]; then
} is_hwraid=true
fi
check_nsm_raid() { check_nsm_raid() {
PERCCLI=$(/opt/raidtools/perccli/perccli64 /c0/v0 show|grep RAID|grep Optl) PERCCLI=$(/opt/raidtools/perccli/perccli64 /c0/v0 show|grep RAID|grep Optl)
@@ -49,61 +50,44 @@ check_nsm_raid() {
check_boss_raid() { check_boss_raid() {
MVCLI=$(/usr/local/bin/mvcli info -o vd |grep status |grep functional) MVCLI=$(/usr/local/bin/mvcli info -o vd |grep status |grep functional)
if [[ -n $DUDEYOUGOTADELL ]]; then if [[ -n $MVCLI ]]; then
if [[ -n $MVCLI ]]; then BOSSRAID=0
BOSSRAID=0 else
else BOSSRAID=1
BOSSRAID=1
fi
fi fi
} }
check_software_raid() { check_software_raid() {
if [[ -n $DUDEYOUGOTADELL ]]; then SWRC=$(grep "_" /proc/mdstat)
SWRC=$(grep "_" /proc/mdstat) if [[ -n $SWRC ]]; then
# RAID is failed in some way
if [[ -n $SWRC ]]; then SWRAID=1
# RAID is failed in some way else
SWRAID=1 SWRAID=0
else
SWRAID=0
fi
fi fi
} }
# This script checks raid status if you use SO appliances # Set everything to 0
SWRAID=0
BOSSRAID=0
HWRAID=0
# See if this is an appliance if [[ $is_hwraid ]]; then
check_nsm_raid
appliance_check fi
check_nsm_raid if [[ $is_bossraid ]]; then
check_boss_raid check_boss_raid
{%- if salt['grains.get']('sosmodel', '') %} fi
{%- if grains['sosmodel'] in ['SOSMN', 'SOSSNNV'] %} if [[ $is_swraid ]]; then
check_software_raid check_software_raid
{%- endif %}
{%- endif %}
if [[ -n $SWRAID ]]; then
if [[ $SWRAID == '0' && $BOSSRAID == '0' ]]; then
RAIDSTATUS=0
else
RAIDSTATUS=1
fi
elif [[ -n $DUDEYOUGOTADELL ]]; then
if [[ $BOSSRAID == '0' && $HWRAID == '0' ]]; then
RAIDSTATUS=0
else
RAIDSTATUS=1
fi
elif [[ "$APPTYPE" == 'sm' ]]; then
if [[ -n "$HWRAID" ]]; then
RAIDSTATUS=0
else
RAIDSTATUS=1
fi
fi fi
echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log sum=$(($SWRAID + $BOSSRAID + $HWRAID))
if [[ $sum == "0" ]]; then
RAIDSTATUS=0
else
RAIDSTATUS=1
fi
echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log
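Review bot: The final `echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log` now runs with nothing creating its directory — the removed appliance_check did `mkdir -p /opt/so/log/raid`, and that line has no counterpart on the new side, so on a fresh appliance the redirect fails and no status is written; add `mkdir -p /opt/so/log/raid` immediately before the echo. Separately, check_software_raid reports healthy (SWRAID=0) whenever `grep "_" /proc/mdstat` prints nothing, which includes the file being missing or unreadable, so a check that cannot run reads as "RAID OK"; a health check should fail closed, e.g. `if [[ ! -r /proc/mdstat ]] || grep -q "_" /proc/mdstat; then SWRAID=1; else SWRAID=0; fi`. The same fail-open shape applies to check_boss_raid only in the opposite direction (a missing mvcli yields BOSSRAID=1), which is the safer default but worth a comment saying so. check_nsm_raid's body starts outside this hunk, so I cannot confirm it sets HWRAID, which the new `sum=$(($SWRAID + $BOSSRAID + $HWRAID))` relies on.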


@@ -3,17 +3,21 @@
{%- from 'vars/globals.map.jinja' import GLOBALS %} {%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- from 'idstools/map.jinja' import IDSTOOLSMERGED %} {%- from 'idstools/map.jinja' import IDSTOOLSMERGED %}
{%- set proxy = salt['pillar.get']('manager:proxy') %}
{%- set proxy = salt['pillar.get']('manager:proxy') %}
{%- set noproxy = salt['pillar.get']('manager:no_proxy', '') %}
# Download the rules from the internet
{%- if proxy %}
export http_proxy={{ proxy }}
export https_proxy={{ proxy }}
export no_proxy="{{ noproxy }}"
{%- endif %}
mkdir -p /nsm/rules/suricata mkdir -p /nsm/rules/suricata
chown -R socore:socore /nsm/rules/suricata chown -R socore:socore /nsm/rules/suricata
# Download the rules from the internet # Download the rules from the internet
{%- if GLOBALS.airgap != 'True' %} {%- if GLOBALS.airgap != 'True' %}
{%- if proxy %}
export http_proxy={{ proxy }}
export https_proxy={{ proxy }}
export no_proxy=salt['pillar.get']('manager:no_proxy')
{%- endif %}
{%- if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %} {%- if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %}
docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force
{%- elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %} {%- elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %}
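Review bot: The proxy exports added at the top of this hunk are set in the host shell, but the download itself runs through `docker exec so-idstools idstools-rulecat ...`, and `docker exec` does not pass the caller's environment into the container, so unless so-idstools was started with these variables already set the proxy will not be used for the rule fetch. Pass them through explicitly on each ruleset branch, e.g. `docker exec -e http_proxy -e https_proxy -e no_proxy so-idstools idstools-rulecat ...`, or add a comment on the export lines stating where the container picks them up. The rendered values are also unquoted (`export http_proxy={{ proxy }}`), so a pillar value containing spaces or shell metacharacters renders into a broken or misparsed script; quoting them as `export http_proxy="{{ proxy }}"` matches the new no_proxy line. The proxy block was also moved ahead of the airgap check on the new side, which is harmless but means the variables are exported even when no download is attempted.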


@@ -3,12 +3,13 @@ NOROOT=1
. /usr/sbin/so-common . /usr/sbin/so-common
{%- set proxy = salt['pillar.get']('manager:proxy') %} {%- set proxy = salt['pillar.get']('manager:proxy') %}
{%- set noproxy = salt['pillar.get']('manager:no_proxy', '') %}
# Download the rules from the internet # Download the rules from the internet
{%- if proxy %} {%- if proxy %}
export http_proxy={{ proxy }} export http_proxy={{ proxy }}
export https_proxy={{ proxy }} export https_proxy={{ proxy }}
export no_proxy=salt['pillar.get']('manager:no_proxy') export no_proxy="{{ noproxy }}"
{%- endif %} {%- endif %}
repos="/opt/so/conf/strelka/repos.txt" repos="/opt/so/conf/strelka/repos.txt"
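Review bot: The new `export no_proxy="{{ noproxy }}"` is quoted, but the two lines above it, `export http_proxy={{ proxy }}` and `export https_proxy={{ proxy }}`, still are not, so a proxy URL with embedded credentials containing spaces or shell metacharacters renders into a broken or misparsed script; quote all three the same way. Both values come from pillar, so this is operator-controlled input rather than external, but consistent quoting costs nothing and removes the surprise. If the repo fetch that follows runs inside a container rather than on the host, these host-side exports will not reach it either — worth confirming, since the rest of the script is outside this hunk.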