Merge remote-tracking branch 'origin/2.4/dev' into 2.4/FleetEnhancments

This commit is contained in:
Josh Brower
2023-08-02 17:58:48 -04:00
17 changed files with 119 additions and 57 deletions


@@ -17,6 +17,7 @@ commonpkgs:
- netcat-openbsd - netcat-openbsd
- sqlite3 - sqlite3
- libssl-dev - libssl-dev
- procps
- python3-dateutil - python3-dateutil
- python3-docker - python3-docker
- python3-packaging - python3-packaging
@@ -70,6 +71,7 @@ commonpkgs:
- net-tools - net-tools
- nmap-ncat - nmap-ncat
- openssl - openssl
- procps-ng
- python3-dnf-plugin-versionlock - python3-dnf-plugin-versionlock
- python3-docker - python3-docker
- python3-m2crypto - python3-m2crypto


@@ -103,7 +103,7 @@ def output(options, console, code, data):
def check_container_status(options, console): def check_container_status(options, console):
code = 0 code = 0
cli = "docker" cli = "docker"
proc = subprocess.run([cli, 'ps', '--format', '{{json .}}'], stdout=subprocess.PIPE, encoding="utf-8") proc = subprocess.run([cli, 'ps', '--format', 'json'], stdout=subprocess.PIPE, encoding="utf-8")
if proc.returncode != 0: if proc.returncode != 0:
fail("Container system error; unable to obtain container process statuses") fail("Container system error; unable to obtain container process statuses")
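Review bot: The new `--format json` shorthand is only understood by newer Docker CLIs; on an older CLI it is parsed as a Go template whose literal output is the word `json`, the exit status stays 0, and the `returncode` check on the following line does not catch it, so whatever parses `proc.stdout` afterwards (outside the hunk) fails with a less helpful error. Either keep the portable `'{{json .}}'` form, or wrap the later parse so that a decode failure reports the raw stdout as a container-system error, e.g. `except json.JSONDecodeError: fail("Container system error; unexpected output from docker ps")`. `check_container_status` continues past the hunk.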


@@ -181,6 +181,7 @@ desktop_packages:
- gstreamer1-plugins-good-gtk - gstreamer1-plugins-good-gtk
- gstreamer1-plugins-ugly-free - gstreamer1-plugins-ugly-free
- gtk-update-icon-cache - gtk-update-icon-cache
- gtk2
- gtk3 - gtk3
- gtk4 - gtk4
- gtkmm30 - gtkmm30
@@ -295,6 +296,7 @@ desktop_packages:
- mesa-vulkan-drivers - mesa-vulkan-drivers
- microcode_ctl - microcode_ctl
- mobile-broadband-provider-info - mobile-broadband-provider-info
- mono-devel
- mpfr - mpfr
- mpg123-libs - mpg123-libs
- mtdev - mtdev


@@ -28,6 +28,13 @@ elasticagentconfdir:
- group: 939 - group: 939
- makedirs: True - makedirs: True
elasticagentlogdir:
file.directory:
- name: /opt/so/log/elasticagent
- user: 949
- group: 939
- makedirs: True
elasticagent_sbin_jinja: elasticagent_sbin_jinja:
file.recurse: file.recurse:
- name: /usr/sbin - name: /usr/sbin
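Review bot: `elasticagentlogdir` sets owner `949` and group `939` but no `mode`, so a freshly created `/opt/so/log/elasticagent` gets the umask default, which is typically readable by every local user. The sibling `elasticagentconfdir` above omits `mode` too, so this may be the project's convention rather than an oversight. If the agent logs are not meant to be world-readable, add `- mode: 750` to the new state, or a comment stating that the default is intended.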


@@ -33,6 +33,7 @@ so-elastic-agent:
{% endif %} {% endif %}
- binds: - binds:
- /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro - /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro
- /opt/so/log/elasticagent:/usr/share/elastic-agent/logs
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
- /nsm:/nsm:ro - /nsm:/nsm:ro
- /opt/so/log:/opt/so/log:ro - /opt/so/log:/opt/so/log:ro
@@ -43,6 +44,7 @@ so-elastic-agent:
{% endif %} {% endif %}
- environment: - environment:
- FLEET_CA=/etc/pki/tls/certs/intca.crt - FLEET_CA=/etc/pki/tls/certs/intca.crt
- LOGS_PATH=logs
{% if DOCKER.containers['so-elastic-agent'].extra_env %} {% if DOCKER.containers['so-elastic-agent'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %} {% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}


@@ -5,7 +5,7 @@
"package": { "package": {
"name": "endpoint", "name": "endpoint",
"title": "Elastic Defend", "title": "Elastic Defend",
"version": "" "version": "8.8.0"
}, },
"enabled": true, "enabled": true,
"policy_id": "endpoints-initial", "policy_id": "endpoints-initial",


@@ -15,10 +15,8 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n" printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n"
elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION" elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION"
if [ -n "$INTEGRATION_ID" ]; then if [ -n "$INTEGRATION_ID" ]; then
if [ "$NAME" != "elastic-defend-endpoints" ]; then
printf "\n\nIntegration $NAME exists - Updating integration\n" printf "\n\nIntegration $NAME exists - Updating integration\n"
elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION" elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
fi
else else
printf "\n\nIntegration does not exist - Creating integration\n" printf "\n\nIntegration does not exist - Creating integration\n"
elastic_fleet_integration_create "@$INTEGRATION" elastic_fleet_integration_create "@$INTEGRATION"
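Review bot: The new guard skips the update of an existing `elastic-defend-endpoints` integration silently: when `$NAME` matches, nothing is printed, so the run log shows the "Loading" line with no outcome. Add an `else` branch, e.g. `else printf "\n\nIntegration $NAME exists - Skipping update\n"`, so the skip is visible. It also means the Elastic Defend package version pinned in this commit (`"8.8.0"` in the endpoints JSON) only applies on first creation, and existing policies stay on whatever version they were installed with; if that is intended, a one-line comment above the guard would save the next reader the question. `$NAME` and `$INTEGRATION_ID` are set outside the hunk, and the enclosing loop starts before it.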


@@ -0,0 +1,15 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-elastic-fleet-common
# Let's snag a cookie from Kibana
SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
# List configured package policies
curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages" -H 'kbn-xsrf: true' | jq
echo
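Review bot: `SESSIONCOOKIE` is used unconditionally: if the first curl fails or Kibana returns no `sid` cookie, the variable is empty, the second request is sent without a session and the script prints an authorization error instead of failing clearly. Add a guard after the assignment, e.g. `[ -n "$SESSIONCOOKIE" ] || { echo "Could not obtain Kibana session cookie" >&2; exit 1; }`. The comment above the second curl says "List configured package policies", but `/api/fleet/epm/packages` returns installed packages; package policies are served by `/api/fleet/package_policies`, so either the comment or the endpoint should change.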


@@ -49,11 +49,10 @@
"on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}] "on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}]
} }
}, },
{ "set": { "field": "_index", "value": "so-firewall", "override": true } },
{ "set": { "if": "ctx.network?.transport_id == '0'", "field": "network.transport", "value": "icmp", "override": true } }, { "set": { "if": "ctx.network?.transport_id == '0'", "field": "network.transport", "value": "icmp", "override": true } },
{ "community_id": {} }, { "community_id": {} },
{ "set": { "field": "module", "value": "pfsense", "override": true } }, { "set": { "field": "event.module", "value": "pfsense", "override": true } },
{ "set": { "field": "dataset", "value": "firewall", "override": true } }, { "set": { "field": "event.dataset", "value": "firewall", "override": true } },
{ "set": { "field": "category", "value": "network", "override": true } }, { "set": { "field": "category", "value": "network", "override": true } },
{ "remove": { "field": ["real_message", "ip_sub_msg", "firewall.sub_message"], "ignore_failure": true } } { "remove": { "field": ["real_message", "ip_sub_msg", "firewall.sub_message"], "ignore_failure": true } }
] ]
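Review bot: `module` and `dataset` are moved under ECS `event.*`, but the `category` set processor on the next line still writes a top-level `category` field; if the intent is ECS alignment this should presumably be `"field": "event.category"` (`network` is a valid ECS category value), otherwise a short comment in the commit or pipeline description explaining why `category` stays top-level would help. Dropping the `_index` set also means routing of these events now depends on something outside this pipeline, which is worth confirming before merge.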


@@ -198,9 +198,6 @@ firewall:
portgroups: portgroups:
- redis - redis
- elasticsearch_node - elasticsearch_node
self:
portgroups:
- syslog
beats_endpoint: beats_endpoint:
portgroups: portgroups:
- beats_5044 - beats_5044
@@ -218,9 +215,6 @@ firewall:
strelka_frontend: strelka_frontend:
portgroups: portgroups:
- strelka_frontend - strelka_frontend
syslog:
portgroups:
- syslog
analyst: analyst:
portgroups: portgroups:
- nginx - nginx
@@ -255,6 +249,12 @@ firewall:
localhost: localhost:
portgroups: portgroups:
- all - all
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
customhostgroup0: customhostgroup0:
portgroups: [] portgroups: []
customhostgroup1: customhostgroup1:
@@ -425,12 +425,6 @@ firewall:
- elastic_agent_control - elastic_agent_control
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
beats_endpoint: beats_endpoint:
portgroups: portgroups:
- beats_5044 - beats_5044
@@ -497,6 +491,12 @@ firewall:
receiver: receiver:
portgroups: portgroups:
- salt_manager - salt_manager
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
customhostgroup0: customhostgroup0:
portgroups: [] portgroups: []
customhostgroup1: customhostgroup1:
@@ -588,9 +588,6 @@ firewall:
- elastic_agent_control - elastic_agent_control
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
self:
portgroups:
- syslog
beats_endpoint: beats_endpoint:
portgroups: portgroups:
- beats_5044 - beats_5044
@@ -608,9 +605,6 @@ firewall:
endgame: endgame:
portgroups: portgroups:
- endgame - endgame
syslog:
portgroups:
- syslog
analyst: analyst:
portgroups: portgroups:
- nginx - nginx
@@ -660,6 +654,12 @@ firewall:
receiver: receiver:
portgroups: portgroups:
- salt_manager - salt_manager
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
customhostgroup0: customhostgroup0:
portgroups: [] portgroups: []
customhostgroup1: customhostgroup1:
@@ -760,9 +760,6 @@ firewall:
- elastic_agent_control - elastic_agent_control
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
self:
portgroups:
- syslog
beats_endpoint: beats_endpoint:
portgroups: portgroups:
- beats_5044 - beats_5044
@@ -783,9 +780,6 @@ firewall:
strelka_frontend: strelka_frontend:
portgroups: portgroups:
- strelka_frontend - strelka_frontend
syslog:
portgroups:
- syslog
analyst: analyst:
portgroups: portgroups:
- nginx - nginx
@@ -838,6 +832,12 @@ firewall:
receiver: receiver:
portgroups: portgroups:
- salt_manager - salt_manager
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
customhostgroup0: customhostgroup0:
portgroups: [] portgroups: []
customhostgroup1: customhostgroup1:
@@ -884,9 +884,6 @@ firewall:
searchnode: searchnode:
portgroups: portgroups:
- elasticsearch_node - elasticsearch_node
self:
portgroups:
- syslog
customhostgroup0: customhostgroup0:
portgroups: [] portgroups: []
customhostgroup1: customhostgroup1:
@@ -918,6 +915,12 @@ firewall:
localhost: localhost:
portgroups: portgroups:
- all - all
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
customhostgroup0: customhostgroup0:
portgroups: [] portgroups: []
customhostgroup1: customhostgroup1:
@@ -942,9 +945,6 @@ firewall:
chain: chain:
DOCKER-USER: DOCKER-USER:
hostgroups: hostgroups:
self:
portgroups:
- syslog
strelka_frontend: strelka_frontend:
portgroups: portgroups:
- strelka_frontend - strelka_frontend
@@ -979,6 +979,12 @@ firewall:
localhost: localhost:
portgroups: portgroups:
- all - all
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
customhostgroup0: customhostgroup0:
portgroups: [] portgroups: []
customhostgroup1: customhostgroup1:
@@ -1030,6 +1036,9 @@ firewall:
strelka_frontend: strelka_frontend:
portgroups: portgroups:
- strelka_frontend - strelka_frontend
syslog:
portgroups:
- syslog
customhostgroup0: customhostgroup0:
portgroups: [] portgroups: []
customhostgroup1: customhostgroup1:
@@ -1189,11 +1198,7 @@ firewall:
self: self:
portgroups: portgroups:
- redis - redis
- syslog
- beats_5644 - beats_5644
syslog:
portgroups:
- syslog
beats_endpoint: beats_endpoint:
portgroups: portgroups:
- beats_5044 - beats_5044
@@ -1234,6 +1239,12 @@ firewall:
localhost: localhost:
portgroups: portgroups:
- all - all
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
customhostgroup0: customhostgroup0:
portgroups: [] portgroups: []
customhostgroup1: customhostgroup1:
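Review bot: In the hunk at `@@ -1189,11 +1198,7 @@` the existing `self:` hostgroup is kept with `redis` and `beats_5644` (only `syslog` is dropped from its list), while the hunk at `@@ -1234,6 +1239,12 @@` adds a second `self:` entry with `- syslog` after `localhost`. If both sit under the same role's `hostgroups` mapping, which the spacing suggests by analogy with the other role blocks where `self` is removed before being re-added, that is a duplicate YAML key: a loader will either reject the file or keep only the last definition, silently dropping `redis` and `beats_5644` from `self`. The intended result is probably a single `self:` entry listing `redis`, `beats_5644` and `syslog`. The remaining hunks in this file move `self`/`syslog` consistently and look fine.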


@@ -191,6 +191,7 @@ firewall:
description: Portgroups to add access to the docker containers for this role. description: Portgroups to add access to the docker containers for this role.
advanced: True advanced: True
multiline: True multiline: True
forcedType: "[]string"
helpLink: firewall.html helpLink: firewall.html
sensor: sensor:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
@@ -241,6 +242,7 @@ firewall:
description: Portgroups to add access to the host. description: Portgroups to add access to the host.
advanced: True advanced: True
multiline: True multiline: True
forcedType: "[]string"
helpLink: firewall.html helpLink: firewall.html
dockernet: dockernet:
portgroups: *portgroupshost portgroups: *portgroupshost


@@ -90,6 +90,26 @@ logrotate:
- extension .log - extension .log
- dateext - dateext
- dateyesterday - dateyesterday
/opt/so/log/elasticagent/*_x_log:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .log
- dateext
- dateyesterday
/opt/so/log/elasticagent/*_x_ndjson:
- daily
- rotate 14
- missingok
- copytruncate
- compress
- create
- extension .ndjson
- dateext
- dateyesterday
/opt/so/log/elasticfleet/*_x_log: /opt/so/log/elasticfleet/*_x_log:
- daily - daily
- rotate 14 - rotate 14
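Review bot: The two new elasticagent stanzas combine `copytruncate` with `create`; with `copytruncate` the original file is truncated in place and never recreated, so `create` has no effect and no ownership or mode is applied to anything. The existing elasticfleet stanza below follows the same pattern, so this may be a deliberate convention, but dropping `create` (or adding a comment) would avoid the impression that ownership of the rotated logs is being managed here.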


@@ -419,7 +419,8 @@ post_to_2.4.4() {
} }
post_to_2.4.5() { post_to_2.4.5() {
echo "Nothing to apply" echo "Regenerating Elastic Agent Installers"
/sbin/so-elastic-agent-gen-installers
POSTVERSION=2.4.5 POSTVERSION=2.4.5
} }
@@ -436,7 +437,7 @@ stop_salt_master() {
echo "" echo ""
echo "Storing salt-master pid." echo "Storing salt-master pid."
MASTERPID=$(pgrep salt-master | head -1) MASTERPID=$(pgrep -f '/opt/saltstack/salt/bin/python3.10 /usr/bin/salt-master MainProcess')
echo "Found salt-master PID $MASTERPID" echo "Found salt-master PID $MASTERPID"
systemctl_func "stop" "salt-master" systemctl_func "stop" "salt-master"
timeout 30 tail --pid=$MASTERPID -f /dev/null || echo "salt-master still running at $(date +"%T.%6N") after waiting 30s. We cannot kill due to systemd restart option." timeout 30 tail --pid=$MASTERPID -f /dev/null || echo "salt-master still running at $(date +"%T.%6N") after waiting 30s. We cannot kill due to systemd restart option."
@@ -455,7 +456,7 @@ stop_salt_minion() {
set -e set -e
echo "Storing salt-minion pid." echo "Storing salt-minion pid."
MINIONPID=$(pgrep salt-minion | head -1) MINIONPID=$(pgrep -f '/opt/saltstack/salt/bin/python3.10 /usr/bin/salt-minion' | head -1)
echo "Found salt-minion PID $MINIONPID" echo "Found salt-minion PID $MINIONPID"
systemctl_func "stop" "salt-minion" systemctl_func "stop" "salt-minion"
@@ -859,7 +860,7 @@ main() {
set +e set +e
echo "Checking the number of minions." echo "Checking the number of minions."
NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l) NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | grep -v adv_ | wc -l)
if [[ $UPGRADESALT -eq 1 ]] && [[ $NUM_MINIONS -gt 1 ]]; then if [[ $UPGRADESALT -eq 1 ]] && [[ $NUM_MINIONS -gt 1 ]]; then
if [[ $is_airgap -eq 0 ]]; then if [[ $is_airgap -eq 0 ]]; then
echo "" echo ""
@@ -875,9 +876,6 @@ main() {
echo "Checking sudoers file." echo "Checking sudoers file."
check_sudoers check_sudoers
echo "Checking for necessary user migrations."
so-user migrate
systemctl_func "start" "$cron_service_name" systemctl_func "start" "$cron_service_name"
if [[ -n $lsl_msg ]]; then if [[ -n $lsl_msg ]]; then
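Review bot: The new pgrep patterns at `@@ -436,7 +437,7 @@` and `@@ -455,7 +456,7 @@` hard-code `/opt/saltstack/salt/bin/python3.10`; when the bundled interpreter changes in a later Salt release, `MASTERPID`/`MINIONPID` become empty, `tail --pid=` is called with no PID and the 30-second wait is skipped silently. Match on the stable part only, e.g. `MASTERPID=$(pgrep -f '/usr/bin/salt-master MainProcess')`, and guard the empty case with `[[ -n $MASTERPID ]] || echo "salt-master PID not found"`. Separately, `post_to_2.4.5` runs `/sbin/so-elastic-agent-gen-installers` without checking its exit status, so a failed regeneration still records `POSTVERSION=2.4.5`. The `main` function and both stop functions extend outside the hunks.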


@@ -296,7 +296,9 @@ http {
error_page 429 = @error429; error_page 429 = @error429;
location @error401 { location @error401 {
if ($request_uri ~* ^/(?!(^/api/.*))) {
add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
}
return 302 /auth/self-service/login/browser; return 302 /auth/self-service/login/browser;
} }
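Review bot: The added condition `^/(?!(^/api/.*))` never excludes API requests: by the time the lookahead runs the leading `/` has already been consumed, so the inner `^` cannot match, the negative lookahead always succeeds and the `AUTH_REDIRECT` cookie is still set for `/api/...` URIs. Use `if ($request_uri !~* ^/api/) {` (or the pattern `^/(?!api/)`) instead. The enclosing `http`/server block starts outside the hunk.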


@@ -1,9 +1,9 @@
sensor: sensor:
interface: interface:
description: Main sensor monitoring interface. description: Main sensor monitoring interface.
helpLink: sensor.html helpLink: network.html
readonly: True readonly: True
mtu: mtu:
description: Main IP address of the grid host. description: Maximum Transmission Unit (MTU) of the sensor monitoring interface.
helpLink: host.html helpLink: network.html
readonly: True readonly: True


@@ -661,6 +661,7 @@ if ! [[ -f $install_opt_file ]]; then
logCmd "salt-call state.show_top" logCmd "salt-call state.show_top"
sleep 2 # Debug RSA Key format errors sleep 2 # Debug RSA Key format errors
logCmd "salt-key -ya $MINION_ID" logCmd "salt-key -ya $MINION_ID"
logCmd "salt-call saltutil.sync_all"
logCmd "salt-call state.apply common.packages" logCmd "salt-call state.apply common.packages"
logCmd "salt-call state.apply common" logCmd "salt-call state.apply common"
@@ -694,9 +695,11 @@ if ! [[ -f $install_opt_file ]]; then
logCmd "so-rule-update" logCmd "so-rule-update"
title "Downloading YARA rules" title "Downloading YARA rules"
logCmd "su socore -c '/usr/sbin/so-yara-download'" logCmd "su socore -c '/usr/sbin/so-yara-download'"
if [[ $monints ]]; then if [[ $monints || $is_import ]]; then
title "Restarting Suricata to pick up the new rules" title "Restarting Suricata to pick up the new rules"
logCmd "so-suricata-restart" logCmd "so-suricata-restart"
fi
if [[ $monints ]]; then
title "Restarting Strelka to use new rules" title "Restarting Strelka to use new rules"
logCmd "so-strelka-restart" logCmd "so-strelka-restart"
fi fi
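Review bot: `[[ $monints || $is_import ]]` is a non-empty-string test, so it only behaves as intended if `is_import` is left unset or empty when false; if it follows the 0/1 convention that `is_airgap` uses elsewhere in this commit's diff (`[[ $is_airgap -eq 0 ]]`), the literal `0` is non-empty and Suricata is restarted on every install. If `is_import` is numeric, `if [[ $monints || $is_import -eq 1 ]]; then` is the safer form. The enclosing `if ! [[ -f $install_opt_file ]]` block starts outside the hunk.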


@@ -51,6 +51,7 @@ log_has_errors() {
grep -vE "/nsm/rules/sigma*" | \ grep -vE "/nsm/rules/sigma*" | \
grep -vE "/nsm/rules/yara*" | \ grep -vE "/nsm/rules/yara*" | \
grep -vE "Failed to restart snapd" | \ grep -vE "Failed to restart snapd" | \
grep -vE "Login Failed Details" | \
grep -vE "Running scope as unit" &> "$error_log" grep -vE "Running scope as unit" &> "$error_log"
if [[ $? -eq 0 ]]; then if [[ $? -eq 0 ]]; then
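Review bot: The new `grep -vE "Login Failed Details"` drops every log line containing that phrase from the error check, so a genuine authentication failure during setup would no longer mark the log as having errors. If this is meant to suppress one known benign message, anchor the filter to that message's full text or its emitting component, and add a comment above the line naming what produces it. `log_has_errors` starts outside the hunk.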