CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-01-13 19:51:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

merge in dev

Browse Source
This commit is contained in:
Josh Brower
2022-02-21 16:52:53 -05:00
parent eea2b9ccfd 5b46d19b13
commit 3610b0cd30
102 changed files with 18699 additions and 5104 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
salt/common/tools/sbin/so-elasticsearch-component-templates-list Executable file
View File

@@ -0,0 +1,23 @@
#!/bin/bash
#
# Copyright 2014-2022 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
. /usr/sbin/so-common
if [ "$1" == "" ]; then
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template | jq '.component_templates[] |.name'| sort
else
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_component_template/$1 | jq
fi

23
salt/common/tools/sbin/so-elasticsearch-index-templates-list Executable file
View File

@@ -0,0 +1,23 @@
#!/bin/bash
#
# Copyright 2014-2022 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
. /usr/sbin/so-common
if [ "$1" == "" ]; then
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template | jq '.index_templates[] |.name'| sort
else
{{ ELASTICCURL }} -s -k -L https://{{ NODEIP }}:9200/_index_template/$1 | jq
fi

4
salt/common/tools/sbin/so-ip-update
View File

@@ -53,7 +53,9 @@ if [ "$CONTINUE" == "y" ]; then
docker exec -i so-mysql mysql --user=root --password=$(lookup_pillar_secret 'mysql') -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'$NEW_IP' IDENTIFIED BY '$(lookup_pillar_secret 'mysql')' WITH GRANT OPTION;" &> /dev/null
echo "Removing MySQL root user from $OLD_IP"
docker exec -i so-mysql mysql --user=root --password=$(lookup_pillar_secret 'mysql') -e "DROP USER 'root'@'$OLD_IP';" &> /dev/null
echo "Updating Kibana dashboards"
salt-call state.apply kibana.so_savedobjects_defaults -l info queue=True
echo "The IP has been changed from $OLD_IP to $NEW_IP."
echo

131
salt/common/tools/sbin/so-status
View File

@@ -15,10 +15,6 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
if ! [ "$(id -u)" = 0 ]; then
echo "This command must be run as root"
exit 1
fi
display_help() {
cat <<HELP_USAGE
@@ -100,10 +96,15 @@ create_expected_container_list() {
}
# {% raw %}
populate_container_lists() {
# TODO: check exit code directly, not with $?
systemctl is-active --quiet docker
if [[ $? = 0 ]]; then
# TODO: look into using docker templates instead of curl and jq
# Ex docker ps --format "{{.Names}}\t{{.State}}"
# TODO: convert the output to an associtive array
mapfile -t docker_raw_list < <(curl -s --unix-socket /var/run/docker.sock http:/v1.40/containers/json?all=1 \
| jq -c '.[] | { Name: .Names[0], State: .State }' \
| tr -d '/{"}')
@@ -167,60 +168,55 @@ parse_status() {
fi
}
# {% raw %}
print_line() {
local service_name=${1}
local service_state="$( parse_status ${1} ${2} )"
local columns=$(tput cols)
local state_color="\e[0m"
local service_name="${1}"
local service_state="" ; service_state="$( parse_status "${1}" "${2}" )"
# XXX: What will we do if tput isn't avalable?
local line=""
local PADDING_CONSTANT=""
local columns=35 # value used if not printing to a tty
local PADDING_CONSTANT=15
if (( __tty == 1 )); then
local reset_attr; reset_attr="$(tput sgr0)" # reset all attributes
local bold; bold="$(tput bold)"
local red; red="$(tput setaf 1)"
local green; green="$(tput setaf 2)"
local yellow; yellow="$(tput setaf 3)"
PADDING_CONSTANT=15 # whitespace + brackets + 1
if [[ $service_state = "$ERROR_STRING" ]] || [[ $service_state = "$MISSING_STRING" ]]; then
state_color="\e[1;31m"
if [[ "$EXITCODE" -eq 0 ]]; then
EXITCODE=1
fi
columns=$(tput cols)
fi
# construct a line of '------' so that the names and states are all aligned
linewidth=$(( columns - PADDING_CONSTANT - ${#service_name} - ${#service_state} ))
for i in $(seq 0 "${linewidth}"); do
line="${line}-"
done
if [[ $service_state = "$ERROR_STRING" ]] \
|| [[ $service_state = "$MISSING_STRING" ]]; then
state_color="${red:-}"
if [[ "$EXITCODE" -eq 0 ]]; then
EXITCODE=1
fi
elif [[ $service_state = "$SUCCESS_STRING" ]]; then
state_color="\e[1;32m"
elif [[ $service_state = "$PENDING_STRING" ]] || [[ $service_state = "$DISABLED_STRING" ]] || [[ $service_state = "$STARTING_STRING" ]] || [[ $service_state = "$WAIT_START_STRING" ]]; then
state_color="\e[1;33m"
EXITCODE=2
state_color="${green:-}"
elif [[ $service_state = "$PENDING_STRING" ]] \
|| [[ $service_state = "$DISABLED_STRING" ]] \
|| [[ $service_state = "$STARTING_STRING" ]] \
|| [[ $service_state = "$WAIT_START_STRING" ]]; then
state_color="${yellow:-}"
EXITCODE=2
fi
printf " $service_name "
for i in $(seq 0 $(( $columns - $PADDING_CONSTANT - ${#service_name} - ${#service_state} ))); do
printf "${state_color}%b\e[0m" "-"
done
printf " [ "
printf "${state_color}%b\e[0m" "$service_state"
printf "%s \n" " ]"
}
non_term_print_line() {
local service_name=${1}
local service_state="$( parse_status ${1} ${2} )"
if [[ $service_state = "$ERROR_STRING" ]] || [[ $service_state = "$MISSING_STRING" ]]; then
if [[ "$EXITCODE" -eq 0 ]]; then
EXITCODE=1
fi
elif [[ $service_state = "$PENDING_STRING" ]] || [[ $service_state = "$DISABLED_STRING" ]] || [[ $service_state = "$STARTING_STRING" ]] || [[ $service_state = "$WAIT_START_STRING" ]]; then
EXITCODE=2
fi
printf " $service_name "
for i in $(seq 0 $(( 35 - ${#service_name} - ${#service_state} ))); do
printf "-"
done
printf " [ "
printf "$service_state"
printf "%s \n" " ]"
service_state="${bold:-}${state_color:-}${service_state}${reset_attr:-}"
line="${bold:-}${state_color:-}${line:-}${reset_attr:-}"
printf " %s %s [ %s ] \n" "${service_name}" "${line:-}" "${service_state}"
}
main() {
is_tty
# if running from salt
if [ "$CALLER" == 'salt-call' ] || [ "$CALLER" == 'salt-minion' ]; then
printf "\n"
@@ -228,20 +224,19 @@ main() {
systemctl is-active --quiet docker
if [[ $? = 0 ]]; then
non_term_print_line "Docker" "running"
print_line "Docker" "running"
else
non_term_print_line "Docker" "exited"
print_line "Docker" "exited"
fi
populate_container_lists
printf "\n"
printf "Checking container statuses\n\n"
printf "\nChecking container statuses\n\n"
local num_containers=${#container_name_list[@]}
for i in $(seq 0 $(($num_containers - 1 ))); do
non_term_print_line ${container_name_list[$i]} ${container_state_list[$i]}
print_line ${container_name_list[$i]} ${container_state_list[$i]}
done
printf "\n"
@@ -257,9 +252,12 @@ main() {
else
print_or_parse="print_line"
local focus_color="\e[1;34m"
printf "\n"
printf "${focus_color}%b\e[0m" "Checking Docker status\n\n"
if (( __tty == 1 )) ; then
local bold; bold="$(tput bold)"
local focus_color; focus_color="$(tput setaf 4)"
local reset_attr; reset_attr="$(tput sgr0)" # reset all attributes
fi
printf "\n${bold}${focus_color:-}%s${reset_attr:-}\n\n" "Checking Docker status"
fi
systemctl is-active --quiet docker
@@ -272,8 +270,7 @@ main() {
populate_container_lists
if [ "$QUIET" = false ]; then
printf "\n"
printf "${focus_color}%b\e[0m" "Checking container statuses\n\n"
printf "\n${bold}${focus_color:-}%s${reset_attr:-}\n\n" "Checking container statuses"
fi
local num_containers=${#container_name_list[@]}
@@ -288,20 +285,30 @@ main() {
fi
}
is_tty() {
__tty=0
[ -t 1 ] && __tty=1
# don't print colors if NO_COLOR is set to anything
[ "${#NO_COLOR}" -ne 0 ] && __tty=0
}
# {% endraw %}
if ! [ "$(id -u)" = 0 ]; then
echo "${0}: This command must be run as root"
exit 1
fi
while getopts ':hq' OPTION; do
case "$OPTION" in
h)
display_help
exit 0
;;
q)
QUIET=true
;;
q) QUIET=true ;;
\?)
display_help
exit 0
exit 1
;;
esac
done

20
salt/common/tools/sbin/so-user
View File

@@ -29,7 +29,7 @@ if [[ $# -lt 1 || $# -gt 3 ]]; then
echo " add: Adds a new user to the identity system; requires 'email' parameter, while 'role' parameter is optional and defaults to $DEFAULT_ROLE"
echo " addrole: Grants a role to an existing user; requires 'email' and 'role' parameters"
echo " delrole: Removes a role from an existing user; requires 'email' and 'role' parameters"
echo " update: Updates a user's password; requires 'email' parameter"
echo " update: Updates a user's password and disables MFA; requires 'email' parameter"
echo " enable: Enables a user; requires 'email' parameter"
echo " disable: Disables a user; requires 'email' parameter"
echo " validate: Validates that the given email address and password are acceptable; requires 'email' parameter"
@@ -98,7 +98,7 @@ function validatePassword() {
password=$1
len=$(expr length "$password")
if [[ $len -lt 6 ]]; then
if [[ $len -lt 8 ]]; then
fail "Password does not meet the minimum requirements"
fi
if [[ $len -gt 72 ]]; then
@@ -147,7 +147,10 @@ function updatePassword() {
# Generate password hash
passwordHash=$(hashPassword "$password")
# Update DB with new hash
echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), updated_at=datetime('now') where identity_id='${identityId}';" | sqlite3 "$databasePath"
echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 "$databasePath"
# Deactivate MFA
echo "delete from identity_credential_identifiers where identity_credential_id=(select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp'));" | sqlite3 "$databasePath"
echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='totp');" | sqlite3 "$databasePath"
[[ $? != 0 ]] && fail "Unable to update password"
fi
}
@@ -244,10 +247,12 @@ function syncElastic() {
if [[ -f "$databasePath" && -f "$socRolesFile" ]]; then
# Append the SOC users
echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \
"from identity_credential_identifiers ici, identity_credentials ic, identities i " \
"from identity_credential_identifiers ici, identity_credentials ic, identities i, identity_credential_types ict " \
"where " \
" ici.identity_credential_id=ic.id " \
" and ic.identity_id=i.id " \
" and ict.id=ic.identity_credential_type_id " \
" and ict.name='password' " \
" and instr(ic.config, 'hashed_password') " \
" and i.state == 'active' " \
"order by ici.identifier;" | \
@@ -261,8 +266,11 @@ function syncElastic() {
userId=$(echo "$rolePair" | cut -d: -f2)
role=$(echo "$rolePair" | cut -d: -f1)
echo "select '$role:' || ici.identifier " \
"from identity_credential_identifiers ici, identity_credentials ic " \
"where ici.identity_credential_id=ic.id and ic.identity_id = '$userId';" | \
"from identity_credential_identifiers ici, identity_credentials ic, identity_credential_types ict " \
"where ici.identity_credential_id=ic.id " \
" and ict.id=ic.identity_credential_type_id " \
" and ict.name='password' " \
" and ic.identity_id = '$userId';" | \
sqlite3 "$databasePath" >> "$rolesTmpFile"
done < "$socRolesFile"

8
salt/common/tools/sbin/soup
View File

@@ -403,6 +403,7 @@ preupgrade_changes() {
[[ "$INSTALLEDVERSION" == 2.3.50 || "$INSTALLEDVERSION" == 2.3.51 || "$INSTALLEDVERSION" == 2.3.52 || "$INSTALLEDVERSION" == 2.3.60 || "$INSTALLEDVERSION" == 2.3.61 || "$INSTALLEDVERSION" == 2.3.70 ]] && up_to_2.3.80
[[ "$INSTALLEDVERSION" == 2.3.80 ]] && up_to_2.3.90
[[ "$INSTALLEDVERSION" == 2.3.90 || "$INSTALLEDVERSION" == 2.3.91 ]] && up_to_2.3.100
[[ "$INSTALLEDVERSION" == 2.3.100 ]] && up_to_2.3.110
true
}
@@ -704,7 +705,6 @@ up_to_2.3.90() {
}
up_to_2.3.100() {
echo "Updating to Security Onion 2.3.100"
fix_wazuh
echo "Removing /opt/so/state files for patched Salt InfluxDB module and state. This is due to Salt being upgraded and needing to patch the files again."
@@ -721,6 +721,12 @@ up_to_2.3.100() {
grep -qxF " receiver:" /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml || sed -i -e '$a\ receiver:' /opt/so/saltstack/local/salt/firewall/assigned_hostgroups.local.map.yaml
}
up_to_2.3.110() {
echo "Updating to Security Onion 2.3.110"
echo "Updating shard settings for Elasticsearch index templates"
sed -i 's|shards|index_template:\n template:\n settings:\n index:\n number_of_shards|g' /opt/so/saltstack/local/pillar/global.sls
}
verify_upgradespace() {
CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
if [ "$CURRENTSPACE" -lt "10" ]; then