Merge remote-tracking branch 'remotes/origin/2.4/dev' into 2.4/heavynode

2026-01-03 14:53:34 +01:00 · 2023-06-23 15:50:14 -04:00
parent bb0cfc5253 106aaa9c3e
commit 336a40d646
3 changed files with 20 additions and 4 deletions
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1117,6 +1117,9 @@ soc:
            - name: caseExcludeToggle
              filter: 'NOT _index:"*:so-case*"'
              enabled: true
+            - name: socExcludeToggle
+              filter: 'NOT event.module:"soc"'
+              enabled: true
          queries:
            - name: Default Query
              description: Show all events grouped by the observer host
@@ -1384,6 +1387,9 @@ soc:
            - name: caseExcludeToggle
              filter: 'NOT _index:"*:so-case*"'
              enabled: true
+            - name: socExcludeToggle
+              filter: 'NOT event.module:"soc"'
+              enabled: true
          queries:
            - name: Overview
              description: Overview of all events
--- a/salt/soc/files/bin/salt-relay.sh
+++ b/salt/soc/files/bin/salt-relay.sh
@@ -4,6 +4,8 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.

+. /usr/sbin/so-common
+
 PIPE_OWNER=${PIPE_OWNER:-socore}
 PIPE_GROUP=${PIPE_GROUP:-socore}
 SOC_PIPE=${SOC_PIPE:-/opt/so/conf/soc/salt/pipe}
@@ -185,7 +187,8 @@ function send_file() {
  log "Cleanup: $cleanup"

  log "encrypting..."
-  response=$(gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from")
+  password=$(lookup_pillar_secret import_pass)
+  response=$(gpg --passphrase "$password" --batch --symmetric --cipher-algo AES256 "$from")
  log Response:$'\n'"$response"

  fromgpg="$from.gpg"
@@ -229,18 +232,23 @@ function import_file() {
  filegpg="$file.gpg"

  log "decrypting..."
-  $CMD_PREFIX "salt '$node' cmd.run 'gpg --passphrase \"infected\" --batch --decrypt \"$filegpg\" > \"$file\"'"
+  password=$(lookup_pillar_secret import_pass)
+  decrypt_cmd="gpg --passphrase $password -o $file.tmp --batch --decrypt $filegpg"
+  $CMD_PREFIX salt "$node" cmd.run "\"$decrypt_cmd\""
  decrypt_code=$?

  if [[ $decrypt_code -eq 0 ]]; then
+    mv "$file.tmp" "$file"
    log "importing..."
    case $importer in
      pcap)
-        response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file --json'")
+        import_cmd="so-import-pcap $file --json"
+        response=$($CMD_PREFIX salt "$node" cmd.run "\"$import_cmd\"")
        exit_code=$?
        ;;
      evtx)
-        response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file --json'")
+        import_cmd="so-import-evtx $file --json"
+        response=$($CMD_PREFIX salt "$node" cmd.run "\"$import_cmd\"")
        exit_code=$?
        ;;
      *)
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1296,6 +1296,7 @@ generate_passwords(){
  KRATOSKEY=$(get_random_value)
  REDISPASS=$(get_random_value)
  SOCSRVKEY=$(get_random_value 64)
+  IMPORTPASS=$(get_random_value)
 }

 generate_interface_vars() {
@@ -2102,6 +2103,7 @@ secrets_pillar(){
 		"  playbook_admin: $PLAYBOOKADMINPASS"\
 		"  playbook_automation: $PLAYBOOKAUTOMATIONPASS"\
 		"  playbook_automation_api_key: "\
+		"  import_pass: $IMPORTPASS"\
 		"  influx_pass: $INFLUXPASS" > $local_salt_dir/pillar/secrets.sls
  fi
 }