diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index a89f93eea..61469a26b 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -303,6 +303,7 @@ retry() {
cmd=$3
expectedOutput=$4
attempt=0
+ local exitcode=0
while [[ $attempt -lt $maxAttempts ]]; do
attempt=$((attempt+1))
echo "Executing command with retry support: $cmd"
@@ -322,7 +323,29 @@ retry() {
sleep $sleepDelay
done
echo "Command continues to fail; giving up."
- return 1
+ return $exitcode
+}
+
+run_check_net_err() {
+ local cmd=$1
+ local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable
+ local no_retry=$3
+
+ local exit_code
+ if [[ -z $no_retry ]]; then
+ retry 5 60 "$cmd"
+ exit_code=$?
+ else
+ eval "$cmd"
+ exit_code=$?
+ fi
+
+ if [[ $exit_code -ne 0 ]]; then
+ ERR_HANDLED=true
+ [[ -z $no_retry ]] || echo "Command failed with error $exit_code"
+ echo "$err_msg"
+ exit $exit_code
+ fi
}
set_os() {
diff --git a/salt/common/tools/sbin/so-docker-prune b/salt/common/tools/sbin/so-docker-prune
index f6c043ef3..b1c359b58 100755
--- a/salt/common/tools/sbin/so-docker-prune
+++ b/salt/common/tools/sbin/so-docker-prune
@@ -32,13 +32,15 @@ def get_image_version(string) -> str:
ver = string.split(':')[-1]
if ver == 'latest':
# Version doesn't like "latest", so use a high semver
- return '999999.9.9'
+ return '99999.9.9'
else:
try:
Version(ver)
except InvalidVersion:
- # Strip the last substring following a hyphen for automated branches
- ver = '-'.join(ver.split('-')[:-1])
+ # Also return a very high semver for any version
+ # with a dash in it since it will likely be a dev version of some kind
+ if '-' in ver:
+ return '999999.9.9'
return ver
@@ -73,8 +75,12 @@ def main(quiet):
for tag in group:
if not quiet: print(f'Removing image {tag}')
client.images.remove(tag)
- except InvalidVersion as e:
- print(f'so-{get_so_image_basename(t_list[0])}: {e.args[0]}', file=sys.stderr)
+ except (docker.errors.APIError, InvalidVersion) as e:
+ print(f'so-{get_so_image_basename(t_list[0])}: {e}', file=sys.stderr)
+ exit(1)
+ except Exception as e:
+ print('Unhandled exception occurred:')
+ print(f'so-{get_so_image_basename(t_list[0])}: {e}', file=sys.stderr)
exit(1)
if no_prunable and not quiet:
@@ -86,4 +92,4 @@ if __name__ == "__main__":
main_parser.add_argument('-q', '--quiet', action='store_const', const=True, required=False)
args = main_parser.parse_args(sys.argv[1:])
- main(args.quiet)
\ No newline at end of file
+ main(args.quiet)
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
index 47b04f241..9b6e2174a 100755
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -18,6 +18,7 @@
# NOTE: This script depends on so-common
IMAGEREPO=security-onion-solutions
+# shellcheck disable=SC2120
container_list() {
MANAGERCHECK=$1
@@ -128,13 +129,13 @@ update_docker_containers() {
mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1
# Let's make sure we have the public key
- retry 50 10 "curl -f -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" >> "$LOG_FILE" 2>&1
+ run_check_net_err \
+ "curl --retry 5 --retry-delay 60 -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" \
+ "Could not pull signature key file, please ensure connectivity to https://raw.gihubusercontent.com" \
+ noretry >> "$LOG_FILE" 2>&1
result=$?
if [[ $result -eq 0 ]]; then
cat $SIGNPATH/KEYS | gpg --import - >> "$LOG_FILE" 2>&1
- else
- echo "Failed to pull signature key file: $result"
- exit 1
fi
# Download the containers from the interwebs
@@ -148,14 +149,15 @@ update_docker_containers() {
# Pull down the trusted docker image
local image=$i:$VERSION$IMAGE_TAG_SUFFIX
- retry 50 10 "docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$image" >> "$LOG_FILE" 2>&1
+ run_check_net_err \
+ "docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$image" \
+ "Could not pull $image, please ensure connectivity to $CONTAINER_REGISTRY" >> "$LOG_FILE" 2>&1
# Get signature
- retry 50 10 "curl -f -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" >> "$LOG_FILE" 2>&1
- if [[ $? -ne 0 ]]; then
- echo "Unable to pull signature file for $image" >> "$LOG_FILE" 2>&1
- exit 1
- fi
+ run_check_net_err \
+ "curl --retry 5 --retry-delay 60 -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" \
+ "Could not pull signature file for $image, please ensure connectivity to https://sigs.securityonion.net " \
+ noretry >> "$LOG_FILE" 2>&1
# Dump our hash values
DOCKERINSPECT=$(docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$image)
diff --git a/salt/common/tools/sbin/so-pcap-export b/salt/common/tools/sbin/so-pcap-export
new file mode 100644
index 000000000..076b4eae6
--- /dev/null
+++ b/salt/common/tools/sbin/so-pcap-export
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+if [ $# -lt 2 ]; then
+ echo "Usage: $0 Output-Filename"
+ exit 1
+fi
+
+docker exec -it so-sensoroni scripts/stenoquery.sh "$1" -w /nsm/pcapout/$2.pcap
+
+echo ""
+echo "If successful, the output was written to: /nsm/pcapout/$2.pcap"
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-suricata-testrule b/salt/common/tools/sbin/so-suricata-testrule
index ac4b81d3c..f9f23e70f 100755
--- a/salt/common/tools/sbin/so-suricata-testrule
+++ b/salt/common/tools/sbin/so-suricata-testrule
@@ -23,6 +23,11 @@ TESTPCAP=$2
. /usr/sbin/so-common
+if [ $# -lt 2 ]; then
+ echo "Usage: $0 "
+ exit 1
+fi
+
echo ""
echo "==============="
echo "Running all.rules and $TESTRULE against the following pcap: $TESTPCAP"
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 14e2148d0..229e24d72 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -20,12 +20,79 @@
UPDATE_DIR=/tmp/sogh/securityonion
INSTALLEDVERSION=$(cat /etc/soversion)
POSTVERSION=$INSTALLEDVERSION
-INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk {'print $2'})
+INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk '{print $2}')
BATCHSIZE=5
SOUP_LOG=/root/soup.log
INFLUXDB_MIGRATION_LOG=/opt/so/log/influxdb/soup_migration.log
WHATWOULDYOUSAYYAHDOHERE=soup
+check_err() {
+ local exit_code=$1
+ local err_msg="Unhandled error occured, please check $SOUP_LOG for details."
+
+ [[ $ERR_HANDLED == true ]] && exit $exit_code
+ if [[ $exit_code -ne 0 ]]; then
+ printf '%s' "Soup failed with error $exit_code: "
+ case $exit_code in
+ 2)
+ echo 'No such file or directory'
+ ;;
+ 5)
+ echo 'Interrupted system call'
+ ;;
+ 12)
+ echo 'Out of memory'
+ ;;
+ 28)
+ echo 'No space left on device'
+ echo 'Likely ran out of space on disk, please review hardware requirements for Security Onion: https://docs.securityonion.net/en/2.3/hardware.html'
+ ;;
+ 30)
+ echo 'Read-only file system'
+ ;;
+ 35)
+ echo 'Resource temporarily unavailable'
+ ;;
+ 64)
+ echo 'Machine is not on the network'
+ ;;
+ 67)
+ echo 'Link has been severed'
+ ;;
+ 100)
+ echo 'Network is down'
+ ;;
+ 101)
+ echo 'Network is unreachable'
+ ;;
+ 102)
+ echo 'Network reset'
+ ;;
+ 110)
+ echo 'Connection timed out'
+ ;;
+ 111)
+ echo 'Connection refused'
+ ;;
+ 112)
+ echo 'Host is down'
+ ;;
+ 113)
+ echo 'No route to host'
+ ;;
+ *)
+ echo 'Unhandled error'
+ echo "$err_msg"
+ ;;
+ esac
+ if [[ $exit_code -ge 64 && $exit_code -le 113 ]]; then
+ echo "$err_msg"
+ fi
+ exit $exit_code
+ fi
+
+}
+
add_common() {
cp $UPDATE_DIR/salt/common/tools/sbin/so-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/
cp $UPDATE_DIR/salt/common/tools/sbin/so-image-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/
@@ -47,8 +114,8 @@ airgap_mounted() {
echo "Example: /home/user/securityonion-2.X.0.iso"
echo "Example: /dev/sdx1"
echo ""
- read -p 'Enter the location of the iso: ' ISOLOC
- if [ -f $ISOLOC ]; then
+ read -rp 'Enter the location of the iso: ' ISOLOC
+ if [[ -f $ISOLOC ]]; then
# Mounting the ISO image
mkdir -p /tmp/soagupdate
mount -t iso9660 -o loop $ISOLOC /tmp/soagupdate
@@ -60,7 +127,7 @@ airgap_mounted() {
else
echo "ISO has been mounted!"
fi
- elif [ -f $ISOLOC/SecurityOnion/VERSION ]; then
+ elif [[ -f $ISOLOC/SecurityOnion/VERSION ]]; then
ln -s $ISOLOC /tmp/soagupdate
echo "Found the update content"
else
@@ -78,9 +145,9 @@ airgap_mounted() {
}
airgap_update_dockers() {
- if [ $is_airgap -eq 0 ]; then
+ if [[ $is_airgap -eq 0 ]]; then
# Let's copy the tarball
- if [ ! -f $AGDOCKER/registry.tar ]; then
+ if [[ ! -f $AGDOCKER/registry.tar ]]; then
echo "Unable to locate registry. Exiting"
exit 1
else
@@ -88,9 +155,9 @@ airgap_update_dockers() {
docker stop so-dockerregistry
docker rm so-dockerregistry
echo "Copying the new dockers over"
- tar xvf $AGDOCKER/registry.tar -C /nsm/docker-registry/docker
+ tar xvf "$AGDOCKER/registry.tar" -C /nsm/docker-registry/docker
echo "Add Registry back"
- docker load -i $AGDOCKER/registry_image.tar
+ docker load -i "$AGDOCKER/registry_image.tar"
fi
fi
}
@@ -102,9 +169,9 @@ update_registry() {
}
check_sudoers() {
- if grep -q "so-setup" /etc/sudoers; then
- echo "There is an entry for so-setup in the sudoers file, this can be safely deleted using \"visudo\"."
- fi
+ if grep -q "so-setup" /etc/sudoers; then
+ echo "There is an entry for so-setup in the sudoers file, this can be safely deleted using \"visudo\"."
+ fi
}
check_log_size_limit() {
@@ -178,7 +245,9 @@ check_os_updates() {
echo "Continuing without updating packages"
elif [[ "$confirm" == [uU] ]]; then
echo "Applying Grid Updates"
- salt \* -b 5 state.apply patch.os queue=True
+ set +e
+ run_check_net_err "salt '*' -b 5 state.apply patch.os queue=True" 'Could not apply OS updates, please check your network connection.'
+ set -e
else
echo "Exiting soup"
exit 0
@@ -206,7 +275,9 @@ clone_to_tmp() {
if [ -n "$BRANCH" ]; then
SOUP_BRANCH="-b $BRANCH"
fi
- git clone $SOUP_BRANCH https://github.com/Security-Onion-Solutions/securityonion.git
+ set +e
+ run_check_net_err "git clone $SOUP_BRANCH https://github.com/Security-Onion-Solutions/securityonion.git" "Could not clone repo, please ensure network access to https://github.com"
+ set -e
cd /tmp
if [ ! -f $UPDATE_DIR/VERSION ]; then
echo "Update was unable to pull from github. Please check your internet."
@@ -253,6 +324,7 @@ preupgrade_changes_2.3.50_repo() {
echo "Checking to see if 2.3.50 repo changes are needed."
[[ "$INSTALLEDVERSION" == 2.3.30 || "$INSTALLEDVERSION" == 2.3.40 ]] && up_2.3.3X_to_2.3.50_repo
+ true
}
preupgrade_changes() {
@@ -265,6 +337,7 @@ preupgrade_changes() {
[[ "$INSTALLEDVERSION" == 2.3.0 || "$INSTALLEDVERSION" == 2.3.1 || "$INSTALLEDVERSION" == 2.3.2 || "$INSTALLEDVERSION" == 2.3.10 ]] && up_2.3.0_to_2.3.20
[[ "$INSTALLEDVERSION" == 2.3.20 || "$INSTALLEDVERSION" == 2.3.21 ]] && up_2.3.2X_to_2.3.30
[[ "$INSTALLEDVERSION" == 2.3.30 || "$INSTALLEDVERSION" == 2.3.40 ]] && up_2.3.3X_to_2.3.50
+ true
}
postupgrade_changes() {
@@ -275,6 +348,7 @@ postupgrade_changes() {
[[ "$POSTVERSION" == 2.3.20 || "$POSTVERSION" == 2.3.21 ]] && post_2.3.2X_to_2.3.30
[[ "$POSTVERSION" == 2.3.30 ]] && post_2.3.30_to_2.3.40
[[ "$POSTVERSION" == 2.3.50 ]] && post_2.3.5X_to_2.3.60
+ true
}
post_rc1_to_2.3.21() {
@@ -432,7 +506,7 @@ up_2.3.2X_to_2.3.30() {
sed -i "/ imagerepo: securityonion/c\ imagerepo: 'security-onion-solutions'" /opt/so/saltstack/local/pillar/global.sls
# Strelka rule repo pillar addition
- if [ $is_airgap -eq 0 ]; then
+ if [[ $is_airgap -eq 0 ]]; then
# Add manager as default Strelka YARA rule repo
sed -i "/^strelka:/a \\ repos: \n - https://$HOSTNAME/repo/rules/strelka" /opt/so/saltstack/local/pillar/global.sls;
else
@@ -459,7 +533,7 @@ up_2.3.3X_to_2.3.50_repo() {
rm -f "/etc/yum.repos.d/$DELREPO.repo"
fi
done
- if [ $is_airgap -eq 1 ]; then
+ if [[ $is_airgap -eq 1 ]]; then
# Copy the new repo file if not airgap
cp $UPDATE_DIR/salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/
yum clean all
@@ -575,7 +649,7 @@ upgrade_check() {
# Let's make sure we actually need to update.
NEWVERSION=$(cat $UPDATE_DIR/VERSION)
HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX)
- CURRENTHOTFIX=$(cat /etc/sohotfix 2>/dev/null)
+ [[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix)
if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then
echo "Checking to see if there are hotfixes needed"
if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then
@@ -592,13 +666,14 @@ upgrade_check() {
}
upgrade_check_salt() {
- NEWSALTVERSION=$(grep version: $UPDATE_DIR/salt/salt/master.defaults.yaml | awk {'print $2'})
+ NEWSALTVERSION=$(grep version: $UPDATE_DIR/salt/salt/master.defaults.yaml | awk '{print $2}')
if [ "$INSTALLEDSALTVERSION" == "$NEWSALTVERSION" ]; then
echo "You are already running the correct version of Salt for Security Onion."
else
UPGRADESALT=1
fi
}
+
upgrade_salt() {
SALTUPGRADED=True
echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
@@ -610,7 +685,11 @@ upgrade_salt() {
yum versionlock delete "salt-*"
echo "Updating Salt packages and restarting services."
echo ""
- sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable "$NEWSALTVERSION"
+ set +e
+ run_check_net_err \
+ "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable \"$NEWSALTVERSION\"" \
+ "Could not update salt, please check $SOUP_LOG for details."
+ set -e
echo "Applying yum versionlock for Salt."
echo ""
yum versionlock add "salt-*"
@@ -623,7 +702,11 @@ upgrade_salt() {
apt-mark unhold "salt-minion"
echo "Updating Salt packages and restarting services."
echo ""
- sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION"
+ set +e
+ run_check_net_err \
+ "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable \"$NEWSALTVERSION\"" \
+ "Could not update salt, please check $SOUP_LOG for details."
+ set -e
echo "Applying apt hold for Salt."
echo ""
apt-mark hold "salt-common"
@@ -648,234 +731,244 @@ verify_latest_update_script() {
cp $UPDATE_DIR/salt/common/tools/sbin/soup $DEFAULT_SALT_DIR/salt/common/tools/sbin/
cp $UPDATE_DIR/salt/common/tools/sbin/so-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/
cp $UPDATE_DIR/salt/common/tools/sbin/so-image-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/
- salt-call state.apply common queue=True
+ salt-call state.apply -l info common queue=True
echo ""
echo "soup has been updated. Please run soup again."
exit 0
fi
}
-main () {
-echo "### Preparing soup at `date` ###"
-while getopts ":b" opt; do
- case "$opt" in
- b ) # process option b
- shift
- BATCHSIZE=$1
- if ! [[ "$BATCHSIZE" =~ ^[0-9]+$ ]]; then
- echo "Batch size must be a number greater than 0."
- exit 1
- fi
- ;;
- \? )
- echo "Usage: cmd [-b]"
- ;;
- esac
-done
-
-echo "Checking to see if this is a manager."
-echo ""
-require_manager
-set_minionid
-echo "Checking to see if this is an airgap install"
-echo ""
-check_airgap
-echo "Found that Security Onion $INSTALLEDVERSION is currently installed."
-echo ""
-set_os
-set_palette
-check_elastic_license
-echo ""
-if [ $is_airgap -eq 0 ]; then
- # Let's mount the ISO since this is airgap
- airgap_mounted
-else
- echo "Cloning Security Onion github repo into $UPDATE_DIR."
- echo "Removing previous upgrade sources."
- rm -rf $UPDATE_DIR
- clone_to_tmp
-fi
-check_os_updates
-echo ""
-echo "Verifying we have the latest soup script."
-verify_latest_update_script
-echo ""
-
-echo "Generating new repo archive"
-generate_and_clean_tarballs
-if [ -f /usr/sbin/so-image-common ]; then
- . /usr/sbin/so-image-common
-else
-add_common
-fi
-
-echo "Let's see if we need to update Security Onion."
-upgrade_check
-upgrade_space
-
-echo "Checking for Salt Master and Minion updates."
-upgrade_check_salt
-
-
-if [ "$is_hotfix" == "true" ]; then
- echo "Applying $HOTFIXVERSION"
- copy_new_files
- echo ""
- update_version
- salt-call state.highstate -l info queue=True
+main() {
+ set -e
+ trap 'check_err $?' EXIT
-else
- echo ""
- echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
- echo ""
-
- echo "Updating dockers to $NEWVERSION."
- if [ $is_airgap -eq 0 ]; then
- airgap_update_dockers
- update_centos_repo
- yum clean all
- check_os_updates
- else
- update_registry
- update_docker_containers "soup"
- fi
-
- echo ""
- echo "Stopping Salt Minion service."
- systemctl stop salt-minion
- echo "Killing any remaining Salt Minion processes."
- pkill -9 -ef /usr/bin/salt-minion
- echo ""
- echo "Stopping Salt Master service."
- systemctl stop salt-master
- echo ""
-
- preupgrade_changes_2.3.50_repo
-
- # Does salt need upgraded. If so update it.
- if [ "$UPGRADESALT" == "1" ]; then
- echo "Upgrading Salt"
- # Update the repo files so it can actually upgrade
- upgrade_salt
- fi
-
- echo "Checking if Salt was upgraded."
- echo ""
- # Check that Salt was upgraded
- SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk {'print $2'})
- if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then
- echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG."
- echo "Once the issue is resolved, run soup again."
- echo "Exiting."
- echo ""
- exit 1
- else
- echo "Salt upgrade success."
- echo ""
- fi
-
- preupgrade_changes
- echo ""
-
- if [ $is_airgap -eq 0 ]; then
- echo "Updating Rule Files to the Latest."
- update_airgap_rules
- fi
-
- # Only update the repo if its airgap
- if [[ $is_airgap -eq 0 ]] && [[ "$UPGRADESALT" != "1" ]]; then
- update_centos_repo
- fi
-
- echo ""
- echo "Copying new Security Onion code from $UPDATE_DIR to $DEFAULT_SALT_DIR."
- copy_new_files
- echo ""
- update_version
-
- echo ""
- echo "Locking down Salt Master for upgrade"
- masterlock
-
- echo ""
- echo "Starting Salt Master service."
- systemctl start salt-master
-
- # Testing that that salt-master is up by checking that is it connected to itself
- retry 50 10 "salt-call state.show_top -l error" || exit 1
-
- echo ""
- echo "Ensuring python modules for Salt are installed and patched."
- salt-call state.apply salt.python3-influxdb -l info queue=True
- echo ""
-
- # Only regenerate osquery packages if Fleet is enabled
- FLEET_MANAGER=$(lookup_pillar fleet_manager)
- FLEET_NODE=$(lookup_pillar fleet_node)
- if [[ "$FLEET_MANAGER" == "True" || "$FLEET_NODE" == "True" ]]; then
- echo ""
- echo "Regenerating Osquery Packages.... This will take several minutes."
- salt-call state.apply fleet.event_gen-packages -l info queue=True
- echo ""
- fi
-
- echo ""
- echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes."
- salt-call state.highstate -l info queue=True
- echo ""
- echo "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete."
-
- echo ""
- echo "Stopping Salt Master to remove ACL"
- systemctl stop salt-master
-
- masterunlock
-
- echo ""
- echo "Starting Salt Master service."
- systemctl start salt-master
-
- # Testing that that salt-master is up by checking that is it connected to itself
- retry 50 10 "salt-call state.show_top -l error" || exit 1
-
- echo "Running a highstate. This could take several minutes."
- salt-call state.highstate -l info queue=True
- postupgrade_changes
- unmount_update
- thehive_maint
-
- if [ "$UPGRADESALT" == "1" ]; then
- if [ $is_airgap -eq 0 ]; then
- echo ""
- echo "Cleaning repos on remote Security Onion nodes."
- salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all"
- echo ""
- fi
- fi
-
- check_sudoers
-
- if [[ -n $lsl_msg ]]; then
- case $lsl_msg in
- 'distributed')
- echo "[INFO] The value of log_size_limit in any heavy node minion pillars may be incorrect."
- echo " -> We recommend checking and adjusting the values as necessary."
- echo " -> Minion pillar directory: /opt/so/saltstack/local/pillar/minions/"
+ echo "### Preparing soup at $(date) ###"
+ while getopts ":b" opt; do
+ case "$opt" in
+ b ) # process option b
+ shift
+ BATCHSIZE=$1
+ if ! [[ "$BATCHSIZE" =~ ^[0-9]+$ ]]; then
+ echo "Batch size must be a number greater than 0."
+ exit 1
+ fi
;;
- 'single-node')
- # We can assume the lsl_details array has been set if lsl_msg has this value
- echo "[WARNING] The value of log_size_limit (${lsl_details[0]}) does not match the recommended value of ${lsl_details[1]}."
- echo " -> We recommend checking and adjusting the value as necessary."
- echo " -> File: /opt/so/saltstack/local/pillar/minions/${lsl_details[2]}.sls"
+ \? )
+ echo "Usage: cmd [-b]"
;;
esac
+ done
+
+ echo "Checking to see if this is a manager."
+ echo ""
+ require_manager
+ set_minionid
+ echo "Checking to see if this is an airgap install"
+ echo ""
+ check_airgap
+ echo "Found that Security Onion $INSTALLEDVERSION is currently installed."
+ echo ""
+ set_os
+ set_palette
+ check_elastic_license
+ echo ""
+ if [[ $is_airgap -eq 0 ]]; then
+ # Let's mount the ISO since this is airgap
+ airgap_mounted
+ else
+ echo "Cloning Security Onion github repo into $UPDATE_DIR."
+ echo "Removing previous upgrade sources."
+ rm -rf $UPDATE_DIR
+ clone_to_tmp
+ fi
+ check_os_updates
+ echo ""
+ echo "Verifying we have the latest soup script."
+ verify_latest_update_script
+ echo ""
+
+ echo "Generating new repo archive"
+ generate_and_clean_tarballs
+ if [ -f /usr/sbin/so-image-common ]; then
+ . /usr/sbin/so-image-common
+ else
+ add_common
fi
- NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l)
+ echo "Let's see if we need to update Security Onion."
+ upgrade_check
+ upgrade_space
- if [ $NUM_MINIONS -gt 1 ]; then
+ echo "Checking for Salt Master and Minion updates."
+ upgrade_check_salt
- cat << EOF
+
+ if [ "$is_hotfix" == "true" ]; then
+ echo "Applying $HOTFIXVERSION"
+ copy_new_files
+ echo ""
+ update_version
+ salt-call state.highstate -l info queue=True
+ else
+ echo ""
+ echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION."
+ echo ""
+
+ echo "Updating dockers to $NEWVERSION."
+ if [[ $is_airgap -eq 0 ]]; then
+ airgap_update_dockers
+ update_centos_repo
+ yum clean all
+ check_os_updates
+ else
+ update_registry
+ set +e
+ update_docker_containers "soup"
+ set -e
+ fi
+
+ echo ""
+ echo "Stopping Salt Minion service."
+ systemctl stop salt-minion
+ echo "Killing any remaining Salt Minion processes."
+ set +e
+ pkill -9 -ef /usr/bin/salt-minion
+ set -e
+ echo ""
+ echo "Stopping Salt Master service."
+ systemctl stop salt-master
+ echo ""
+
+ preupgrade_changes_2.3.50_repo
+
+ # Does salt need upgraded. If so update it.
+ if [[ $UPGRADESALT -eq 1 ]]; then
+ echo "Upgrading Salt"
+ # Update the repo files so it can actually upgrade
+ upgrade_salt
+ fi
+
+ echo "Checking if Salt was upgraded."
+ echo ""
+ # Check that Salt was upgraded
+ SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk '{print $2}')
+ if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then
+ echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG."
+ echo "Once the issue is resolved, run soup again."
+ echo "Exiting."
+ echo ""
+ exit 1
+ else
+ echo "Salt upgrade success."
+ echo ""
+ fi
+
+ preupgrade_changes
+ echo ""
+
+ if [[ $is_airgap -eq 0 ]]; then
+ echo "Updating Rule Files to the Latest."
+ update_airgap_rules
+ fi
+
+ # Only update the repo if its airgap
+ if [[ $is_airgap -eq 0 && $UPGRADESALT -ne 1 ]]; then
+ update_centos_repo
+ fi
+
+ echo ""
+ echo "Copying new Security Onion code from $UPDATE_DIR to $DEFAULT_SALT_DIR."
+ copy_new_files
+ echo ""
+ update_version
+
+ echo ""
+ echo "Locking down Salt Master for upgrade"
+ masterlock
+
+ echo ""
+ echo "Starting Salt Master service."
+ systemctl start salt-master
+
+ # Testing that salt-master is up by checking that is it connected to itself
+ set +e
+ retry 50 10 "salt-call state.show_top -l error" || fail "salt-master could not be reached. Check $SOUP_LOG for details."
+ set -e
+
+ echo ""
+ echo "Ensuring python modules for Salt are installed and patched."
+ salt-call state.apply salt.python3-influxdb -l info queue=True
+ echo ""
+
+ # Only regenerate osquery packages if Fleet is enabled
+ FLEET_MANAGER=$(lookup_pillar fleet_manager)
+ FLEET_NODE=$(lookup_pillar fleet_node)
+ if [[ "$FLEET_MANAGER" == "True" || "$FLEET_NODE" == "True" ]]; then
+ echo ""
+ echo "Regenerating Osquery Packages.... This will take several minutes."
+ salt-call state.apply fleet.event_gen-packages -l info queue=True
+ echo ""
+ fi
+
+ echo ""
+ echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes."
+ salt-call state.highstate -l info queue=True
+ echo ""
+ echo "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete."
+
+ echo ""
+ echo "Stopping Salt Master to remove ACL"
+ systemctl stop salt-master
+
+ masterunlock
+
+ echo ""
+ echo "Starting Salt Master service."
+ systemctl start salt-master
+
+ # Testing that salt-master is up by checking that is it connected to itself
+ set +e
+ retry 50 10 "salt-call state.show_top -l error" || fail "salt-master could not be reached. Check $SOUP_LOG for details."
+ set -e
+
+ echo "Running a highstate. This could take several minutes."
+ salt-call state.highstate -l info queue=True
+ postupgrade_changes
+ [[ $is_airgap -eq 0 ]] && unmount_update
+ thehive_maint
+
+ if [[ $UPGRADESALT -eq 1 ]]; then
+ if [[ $is_airgap -eq 0 ]]; then
+ echo ""
+ echo "Cleaning repos on remote Security Onion nodes."
+ salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all"
+ echo ""
+ fi
+ fi
+
+ check_sudoers
+
+ if [[ -n $lsl_msg ]]; then
+ case $lsl_msg in
+ 'distributed')
+ echo "[INFO] The value of log_size_limit in any heavy node minion pillars may be incorrect."
+ echo " -> We recommend checking and adjusting the values as necessary."
+ echo " -> Minion pillar directory: /opt/so/saltstack/local/pillar/minions/"
+ ;;
+ 'single-node')
+ # We can assume the lsl_details array has been set if lsl_msg has this value
+ echo "[WARNING] The value of log_size_limit (${lsl_details[0]}) does not match the recommended value of ${lsl_details[1]}."
+ echo " -> We recommend checking and adjusting the value as necessary."
+ echo " -> File: /opt/so/saltstack/local/pillar/minions/${lsl_details[2]}.sls"
+ ;;
+ esac
+ fi
+
+ NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l)
+
+ if [[ $NUM_MINIONS -gt 1 ]]; then
+
+ cat << EOF
@@ -889,10 +982,10 @@ For more information, please see https://docs.securityonion.net/en/2.3/soup.html
EOF
+ fi
fi
-fi
-echo "### soup has been served at `date` ###"
+ echo "### soup has been served at $(date) ###"
}
cat << EOF
@@ -907,6 +1000,7 @@ Press Enter to continue or Ctrl-C to cancel.
EOF
-read input
+read -r input
main "$@" | tee -a $SOUP_LOG
+
\ No newline at end of file
diff --git a/salt/kibana/files/saved_objects.ndjson b/salt/kibana/files/saved_objects.ndjson
index 863209d48..21ef5a94a 100644
--- a/salt/kibana/files/saved_objects.ndjson
+++ b/salt/kibana/files/saved_objects.ndjson
@@ -460,7 +460,7 @@
{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":28,\"x\":8,\"y\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":28,\"x\":28,\"y\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":120,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"columns\":[\"event_type\",\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"z16.04 - Sysmon - Logs","version":1},"id":"6d189680-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.11.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"8cfdeff0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"0eb1fd80-6d70-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"3072c750-6d71-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"7bc74b40-6d71-11e7-b09b-f57b22df6524","name":"panel_4","type":"visualization"},{"id":"13ed0810-6d72-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"3b6c92c0-6d72-11e7-b09b-f57b22df6524","name":"panel_6","type":"visualization"},{"id":"e09f6010-6d72-11e7-b09b-f57b22df6524","name":"panel_7","type":"visualization"},{"id":"29611940-6d75-11e7-b09b-f57b22df6524","name":"panel_8","type":"visualization"},{"id":"6b70b840-6d75-11e7-b09b-f57b22df6524","name":"panel_9","type":"visualization"},{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"panel_10","type":"search"},{"id":"AWDHHk1sxQT5EBNmq43Y","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQyLDRd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMB - Action (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMB - Action (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"6f883480-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQzLDRd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.subject.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"6fccb600-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQ0LDRd"}
-{"attributes":{"buildNum":39457,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":100,"theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion":"7.12.1","id":"7.12.1","migrationVersion":{"config":"7.12.0"},"references":[],"type":"config","updated_at":"2021-04-29T21:42:52.430Z","version":"WzY3NTUsM10="}
+{"attributes":{"buildNum":39457,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":100,"theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion":"7.13.0","id":"7.13.0","migrationVersion":{"config":"7.12.0"},"references":[],"type":"config","updated_at":"2021-04-29T21:42:52.430Z","version":"WzY3NTUsM10="}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - MIME Flavors","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - File - MIME Flavors\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.flavors.mime.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQ2LDRd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Modbus - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_9KpxQT5EBNmq4Oo","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQ3LDRd"}
{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"z16.04 - Bro - Modbus","version":1},"id":"70c005f0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.11.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"0d168a30-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"20eabd60-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"3c65f500-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"178209e0-6e1b-11e7-b553-7f80727663c1","name":"panel_5","type":"visualization"},{"id":"AWDG_9KpxQT5EBNmq4Oo","name":"panel_6","type":"visualization"},{"id":"453f8b90-4a58-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQ4LDRd"}
@@ -730,4 +730,4 @@
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Syslog - Severity (Donut)","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog.severity.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"syslog.severity.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - Syslog - Severity (Donut)\"}"},"id":"fc8d41a0-777b-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwNDExLDRd"}
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Top Source IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Top Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"source.ip: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"fd8b4640-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwNDEyLDRd"}
{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:strelka\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":7,\"i\":\"a2e0a619-a5c5-40d9-8593-e60f13ae22bf\"},\"panelIndex\":\"a2e0a619-a5c5-40d9-8593-e60f13ae22bf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":21,\"h\":7,\"i\":\"566a9d04-f2dc-4868-9625-97a19d985703\"},\"panelIndex\":\"566a9d04-f2dc-4868-9625-97a19d985703\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":7,\"i\":\"f247ec64-c278-4e05-ac4d-983bea9dfb7d\"},\"panelIndex\":\"f247ec64-c278-4e05-ac4d-983bea9dfb7d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":12,\"h\":20,\"i\":\"6e80a142-ab0e-4fd3-891c-e495b78a1625\"},\"panelIndex\":\"6e80a142-ab0e-4fd3-891c-e495b78a1625\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":12,\"y\":7,\"w\":11,\"h\":20,\"i\":\"292cc879-6bc0-4541-ba92-3b3c5f4e3368\"},\"panelIndex\":\"292cc879-6bc0-4541-ba92-3b3c5f4e3368\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":7,\"w\":14,\"h\":20,\"i\":\"66979b2c-e7c1-4291-91ac-16537b7f9ec3\"},\"panelIndex\":\"66979b2c-e7c1-4291-91ac-16537b7f9ec3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":37,\"y\":7,\"w\":11,\"h\":20,\"i\":\"8bb1cf98-0401-4a2d-9dd8-deca08205a22\"},\"panelIndex\":\"8bb1cf98-0401-4a2d-9dd8-deca08205a22\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":8,\"h\":20,\"i\":\"393f3cec-3ee0-4275-b319-f307e7a260c6\"},\"panelIndex\":\"393f3cec-3ee0-4275-b319-f307e7a260c6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":27,\"w\":15,\"h\":20,\"i\":\"0e8800a9-a6f5-4a79-8370-61713f584886\"},\"panelIndex\":\"0e8800a9-a6f5-4a79-8370-61713f584886\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":27,\"w\":25,\"h\":20,\"i\":\"be9a0a2a-d8c6-4d15-b5d7-d5599d0482a3\"},\"panelIndex\":\"be9a0a2a-d8c6-4d15-b5d7-d5599d0482a3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":27,\"i\":\"40296d2b-cb6f-423f-989c-3fdaa82d2aad\"},\"panelIndex\":\"40296d2b-cb6f-423f-989c-3fdaa82d2aad\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - Strelka","version":1},"id":"ff689c50-75f3-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.11.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"7a88adc0-75f0-11ea-9565-7315f4ee5cac","name":"panel_3","type":"visualization"},{"id":"49cfe850-772c-11ea-bee5-af7f7c7b8e05","name":"panel_4","type":"visualization"},{"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","name":"panel_5","type":"visualization"},{"id":"ce9e03f0-772c-11ea-bee5-af7f7c7b8e05","name":"panel_6","type":"visualization"},{"id":"a7ebb450-772c-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"},{"id":"08c0b770-772e-11ea-bee5-af7f7c7b8e05","name":"panel_8","type":"visualization"},{"id":"e087c7d0-772d-11ea-bee5-af7f7c7b8e05","name":"panel_9","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_10","type":"search"}],"type":"dashboard","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwNDEzLDRd"}
-{"exportedCount":732,"missingRefCount":0,"missingReferences":[]}
\ No newline at end of file
+{"exportedCount":732,"missingRefCount":0,"missingReferences":[]}
diff --git a/salt/soc/files/soc/alerts.actions.json b/salt/soc/files/soc/alerts.actions.json
index 558d10a36..1addf23c6 100644
--- a/salt/soc/files/soc/alerts.actions.json
+++ b/salt/soc/files/soc/alerts.actions.json
@@ -1,33 +1 @@
-[
- { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "",
- "links": [
- "/#/hunt?q=\"{value|escape}\" | groupby event.module event.dataset"
- ]},
- { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "",
- "links": [
- "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
- "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\") | groupby event.module event.dataset",
- "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
- "/#/hunt?q=(\"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
- "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset",
- "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset",
- "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset"
- ]},
- { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "target": "",
- "links": [
- "/joblookup?esid={:soc_id}",
- "/joblookup?ncid={:network.community_id}"
- ]},
- { "name": "actionCyberChef", "description": "actionCyberChefHelp", "icon": "fas fa-bread-slice", "target": "_blank",
- "links": [
- "/cyberchef/#input={value|base64}"
- ]},
- { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "target": "_blank",
- "links": [
- "https://www.google.com/search?q={value}"
- ]},
- { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "target": "_blank",
- "links": [
- "https://www.virustotal.com/gui/search/{value}"
- ]}
-]
+This file is no longer used. Please use menu.actions.json instead.
diff --git a/salt/soc/files/soc/hunt.actions.json b/salt/soc/files/soc/hunt.actions.json
index 558d10a36..1addf23c6 100644
--- a/salt/soc/files/soc/hunt.actions.json
+++ b/salt/soc/files/soc/hunt.actions.json
@@ -1,33 +1 @@
-[
- { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "",
- "links": [
- "/#/hunt?q=\"{value|escape}\" | groupby event.module event.dataset"
- ]},
- { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "",
- "links": [
- "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
- "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\") | groupby event.module event.dataset",
- "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
- "/#/hunt?q=(\"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
- "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset",
- "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset",
- "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset"
- ]},
- { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "target": "",
- "links": [
- "/joblookup?esid={:soc_id}",
- "/joblookup?ncid={:network.community_id}"
- ]},
- { "name": "actionCyberChef", "description": "actionCyberChefHelp", "icon": "fas fa-bread-slice", "target": "_blank",
- "links": [
- "/cyberchef/#input={value|base64}"
- ]},
- { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "target": "_blank",
- "links": [
- "https://www.google.com/search?q={value}"
- ]},
- { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "target": "_blank",
- "links": [
- "https://www.virustotal.com/gui/search/{value}"
- ]}
-]
+This file is no longer used. Please use menu.actions.json instead.
diff --git a/salt/soc/files/soc/menu.actions.json b/salt/soc/files/soc/menu.actions.json
new file mode 100644
index 000000000..558d10a36
--- /dev/null
+++ b/salt/soc/files/soc/menu.actions.json
@@ -0,0 +1,33 @@
+[
+ { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "",
+ "links": [
+ "/#/hunt?q=\"{value|escape}\" | groupby event.module event.dataset"
+ ]},
+ { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "",
+ "links": [
+ "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
+ "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\") | groupby event.module event.dataset",
+ "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
+ "/#/hunt?q=(\"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset"
+ ]},
+ { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "target": "",
+ "links": [
+ "/joblookup?esid={:soc_id}",
+ "/joblookup?ncid={:network.community_id}"
+ ]},
+ { "name": "actionCyberChef", "description": "actionCyberChefHelp", "icon": "fas fa-bread-slice", "target": "_blank",
+ "links": [
+ "/cyberchef/#input={value|base64}"
+ ]},
+ { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "target": "_blank",
+ "links": [
+ "https://www.google.com/search?q={value}"
+ ]},
+ { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "target": "_blank",
+ "links": [
+ "https://www.virustotal.com/gui/search/{value}"
+ ]}
+]
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 5dfd364d2..8048970f3 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -12,11 +12,10 @@
{%- set CACHE_EXPIRATION = salt['pillar.get']('sensoroni:cache_expiration_ms', 0) %}
{%- set ES_FIELDCAPS_CACHE = salt['pillar.get']('sensoroni:es_fieldcaps_cache_ms', '300000') %}
{%- import_json "soc/files/soc/alerts.queries.json" as alerts_queries %}
-{%- import_json "soc/files/soc/alerts.actions.json" as alerts_actions %}
{%- import_json "soc/files/soc/alerts.eventfields.json" as alerts_eventfields %}
{%- import_json "soc/files/soc/hunt.queries.json" as hunt_queries %}
-{%- import_json "soc/files/soc/hunt.actions.json" as hunt_actions %}
{%- import_json "soc/files/soc/hunt.eventfields.json" as hunt_eventfields %}
+{%- import_json "soc/files/soc/menu.actions.json" as menu_actions %}
{%- import_json "soc/files/soc/tools.json" as tools %}
{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %}
@@ -123,8 +122,11 @@
"queryBaseFilter": "",
"queryToggleFilters": [],
"queries": {{ hunt_queries | json }},
- "actions": {{ hunt_actions | json }}
+ "actions": {{ menu_actions | json }}
},
+ "job": {
+ "actions": {{ menu_actions | json }}
+ },
"alerts": {
"advanced": false,
"groupItemsPerPage": 50,
@@ -143,7 +145,7 @@
{ "name": "escalated", "filter": "event.escalated:true", "enabled": false, "exclusive": true, "enablesToggles":["acknowledged"] }
],
"queries": {{ alerts_queries | json }},
- "actions": {{ alerts_actions | json }}
+ "actions": {{ menu_actions | json }}
}
}
}
diff --git a/salt/top.sls b/salt/top.sls
index 8a12aaa26..f3ccc9dda 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -38,7 +38,6 @@ base:
- patch.os.schedule
- motd
- salt.minion-check
- - sensoroni
- salt.lasthighstate
'*_helixsensor and G@saltversion:{{saltversion}}':
@@ -47,6 +46,7 @@ base:
- ca
- ssl
- registry
+ - sensoroni
- telegraf
- firewall
- idstools
@@ -66,6 +66,7 @@ base:
- match: compound
- ca
- ssl
+ - sensoroni
- telegraf
- firewall
- nginx
@@ -92,6 +93,7 @@ base:
- ca
- ssl
- registry
+ - sensoroni
- manager
- nginx
- telegraf
@@ -160,6 +162,7 @@ base:
- ca
- ssl
- registry
+ - sensoroni
- nginx
- telegraf
- influxdb
@@ -220,6 +223,7 @@ base:
- ca
- ssl
- registry
+ - sensoroni
- manager
- nginx
- telegraf
@@ -290,6 +294,7 @@ base:
- match: compound
- ca
- ssl
+ - sensoroni
- nginx
- telegraf
- firewall
@@ -320,6 +325,7 @@ base:
- ca
- ssl
- registry
+ - sensoroni
- nginx
- telegraf
- influxdb
@@ -382,6 +388,7 @@ base:
- match: compound
- ca
- ssl
+ - sensoroni
- nginx
- telegraf
- firewall
@@ -424,6 +431,7 @@ base:
- match: compound
- ca
- ssl
+ - sensoroni
- nginx
- telegraf
- firewall
@@ -441,6 +449,7 @@ base:
- ca
- ssl
- registry
+ - sensoroni
- manager
- nginx
- soc
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 5eca2d39a..09792459d 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -22,7 +22,7 @@ whiptail_airgap() {
local node_str='node'
[[ $is_manager || $is_import ]] && node_str='manager'
- INTERWEBS=$(whiptail --title "Security Onion Setup" --menu \
+ INTERWEBS=$(whiptail --title "Security Onion Setup - $SOVERSION" --menu \
"How should this $node_str be installed?" 10 60 2 \
"Standard " "This $node_str has internet accesss" \
"Airgap " "This $node_str does not have internet access" 3>&1 1>&2 2>&3 )
@@ -42,7 +42,7 @@ whiptail_avoid_default_hostname() {
You can choose to use this default hostname anyway, or change it to a new hostname.
EOM
- whiptail --title "Security Onion Setup" \
+ whiptail --title "Security Onion Setup - $SOVERSION" \
--yesno "$message" 11 75 \
--yes-button "Use Anyway" --no-button "Change" --defaultno
}
@@ -51,7 +51,7 @@ whiptail_basic_suri() {
[ -n "$TESTING" ] && return
- BASICSURI=$(whiptail --title "Security Onion Setup" --inputbox \
+ BASICSURI=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter the number of Suricata processes:" 10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -63,8 +63,8 @@ whiptail_basic_zeek() {
[ -n "$TESTING" ] && return
- BASICZEEK=$(whiptail --title "Security Onion Setup" --inputbox \
- "Enter the number of zeek processes:" 10 75 "$1" 3>&1 1>&2 2>&3)
+ BASICZEEK=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
+ "Enter the number of Zeek processes:" 10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
@@ -75,7 +75,7 @@ whiptail_bond_nics_mtu() {
[ -n "$TESTING" ] && return
# Set the MTU on the monitor interface
- MTU=$(whiptail --title "Security Onion Setup" --inputbox \
+ MTU=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter the MTU for the monitor NICs:" 10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -84,7 +84,7 @@ whiptail_bond_nics_mtu() {
whiptail_cancel() {
- whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup." 8 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Cancelling Setup." 8 75
if [ -d "/root/installtmp" ]; then
{
echo "/root/installtmp exists";
@@ -104,7 +104,7 @@ whiptail_check_exitstatus() {
whiptail_cancel
;;
255)
- whiptail --title "Security Onion Setup" --msgbox "Whiptail error occured, exiting. Check log for details." 8 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Whiptail error occured, exiting. Check log for details." 8 75
exit
;;
esac
@@ -114,7 +114,7 @@ whiptail_components_adv_warning() {
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --msgbox "Please keep in mind the more services that you enable the more RAM that is required." 8 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Please keep in mind the more services that you enable the more RAM that is required." 8 75
}
whiptail_create_admin_user() {
@@ -187,7 +187,7 @@ whiptail_create_soremote_user() {
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --msgbox "Set a password for the soremote user. This account is used for adding sensors remotely." 8 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Set a password for the soremote user. This account is used for adding sensors remotely." 8 75
}
@@ -258,11 +258,11 @@ whiptail_requirements_error() {
[ -n "$TESTING" ] && return
if [[ $(echo "$requirement_needed" | tr '[:upper:]' '[:lower:]') == 'nics' ]]; then
- whiptail --title "Security Onion Setup" \
+ whiptail --title "Security Onion Setup - $SOVERSION" \
--msgbox "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Select OK to exit setup and reconfigure the machine." 10 75
# Same as whiptail_cancel, but changed the wording to exit instead of cancel.
- whiptail --title "Security Onion Setup" --msgbox "Exiting Setup. No changes have been made." 8 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Exiting Setup. No changes have been made." 8 75
if [ -d "/root/installtmp" ]; then
{
echo "/root/installtmp exists";
@@ -272,7 +272,7 @@ whiptail_requirements_error() {
fi
exit
else
- whiptail --title "Security Onion Setup" \
+ whiptail --title "Security Onion Setup - $SOVERSION" \
--yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Select YES to continue anyway, or select NO to cancel." 10 75
local exitstatus=$?
@@ -298,7 +298,7 @@ whiptail_storage_requirements() {
EOM
whiptail \
- --title "Security Onion Setup" \
+ --title "Security Onion Setup - $SOVERSION" \
--yesno "$message" \
14 75
@@ -310,7 +310,7 @@ whiptail_cur_close_days() {
[ -n "$TESTING" ] && return
- CURCLOSEDAYS=$(whiptail --title "Security Onion Setup" --inputbox \
+ CURCLOSEDAYS=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Please specify the threshold (in days) at which Elasticsearch indices will be closed:" 10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -322,7 +322,7 @@ whiptail_dhcp_or_static() {
[ -n "$TESTING" ] && return
- address_type=$(whiptail --title "Security Onion Setup" --radiolist \
+ address_type=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
"Choose how to set up your management interface:" 20 78 4 \
"STATIC" "Set a static IPv4 address" ON \
"DHCP" "Use DHCP to configure the Management Interface" OFF 3>&1 1>&2 2>&3 )
@@ -355,7 +355,7 @@ whiptail_dhcp_warn() {
EOM
whiptail \
- --title "Security Onion Setup" \
+ --title "Security Onion Setup - $SOVERSION" \
--"$window_type" "$dhcp_message" \
14 75
@@ -366,7 +366,7 @@ whiptail_dhcp_warn() {
whiptail_dhcp_or_static
;;
255)
- whiptail --title "Security Onion Setup" --msgbox "Whiptail error occured, exiting. Check log for details." 8 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Whiptail error occured, exiting. Check log for details." 8 75
exit
;;
esac
@@ -380,7 +380,7 @@ whiptail_dockernet_check(){
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --yesno \
+ whiptail --title "Security Onion Setup - $SOVERSION" --yesno \
"Do you want to keep the default Docker IP range?\n\nIf you are unsure, please accept the default option of Yes." 10 75
}
@@ -389,7 +389,7 @@ whiptail_dockernet_net() {
[ -n "$TESTING" ] && return
- DOCKERNET=$(whiptail --title "Security Onion Setup" --inputbox \
+ DOCKERNET=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"\nEnter a /24 size network range for docker to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -409,7 +409,7 @@ whiptail_enable_components() {
STRELKA=0
if [[ $is_eval ]]; then
- COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \
+ COMPONENTS=$(whiptail --title "Security Onion Setup - $SOVERSION" --checklist \
"Select Components to install:" 20 75 8 \
GRAFANA "Enable Grafana for system monitoring" ON \
OSQUERY "Enable Fleet with osquery" ON \
@@ -418,7 +418,7 @@ if [[ $is_eval ]]; then
PLAYBOOK "Enable Playbook" ON \
STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3)
else
- COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \
+ COMPONENTS=$(whiptail --title "Security Onion Setup - $SOVERSION" --checklist \
"Select Components to install:" 20 75 7 \
OSQUERY "Enable Fleet with osquery" ON \
WAZUH "Enable Wazuh" ON \
@@ -447,6 +447,7 @@ whiptail_end_settings() {
# BASIC INFO (NETWORK, HOSTNAME, DESCRIPTION, ETC)
read -r -d '' end_msg <<- EOM
+ Security Onion Version: $SOVERSION
Node Type: $install_type
Hostname: $HOSTNAME
EOM
@@ -657,7 +658,7 @@ whiptail_eval_adv() {
[ -n "$TESTING" ] && return
- EVALADVANCED=$(whiptail --title "Security Onion Setup" --radiolist \
+ EVALADVANCED=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
"Choose your eval install:" 20 75 4 \
"BASIC" "Install basic components for evaluation" ON \
"ADVANCED" "Choose additional components to be installed" OFF 3>&1 1>&2 2>&3 )
@@ -684,7 +685,7 @@ whiptail_gauge_post_setup() {
else
local msg=$1
- whiptail --title "Security Onion Setup" --gauge "$msg" 6 60 96
+ whiptail --title "Security Onion Setup - $SOVERSION" --gauge "$msg" 6 60 96
fi
}
@@ -692,7 +693,7 @@ whiptail_helix_apikey() {
[ -n "$TESTING" ] && return
- HELIXAPIKEY=$(whiptail --title "Security Onion Setup" --inputbox \
+ HELIXAPIKEY=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter your Helix API Key: \n \nThis can be set later using so-helix-apikey" 10 75 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -706,7 +707,7 @@ whiptail_homenet_manager() {
[ -n "$TESTING" ] && return
- HNMANAGER=$(whiptail --title "Security Onion Setup" --inputbox \
+ HNMANAGER=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter your home network(s), separating CIDR blocks with a comma (,):" 10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
@@ -718,13 +719,13 @@ whiptail_homenet_sensor_inherit() {
[ -n "$TESTING" ] && return
# Ask to inherit from manager
- whiptail --title "Security Onion Setup" --yesno "Do you want to inherit the HOME_NET from the Manager?" 8 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --yesno "Do you want to inherit the HOME_NET from the Manager?" 8 75
}
whiptail_homenet_sensor() {
[ -n "$TESTING" ] && return
- HNSENSOR=$(whiptail --title "Security Onion Setup" --inputbox \
+ HNSENSOR=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter your home network(s), separating CIDR blocks with a comma (,):" 10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
@@ -737,7 +738,7 @@ whiptail_install_type() {
[ -n "$TESTING" ] && return
# What kind of install are we doing?
- install_type=$(whiptail --title "Security Onion Setup" --radiolist \
+ install_type=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
"Choose install type:" 12 65 5 \
"EVAL" "Evaluation mode (not for production) " ON \
"STANDALONE" "Standalone production install " OFF \
@@ -763,7 +764,7 @@ whiptail_install_type_dist() {
[ -n "$TESTING" ] && return
- install_type=$(whiptail --title "Security Onion Setup" --radiolist \
+ install_type=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
"Choose distributed node type:" 13 60 6 \
"MANAGER" "Start a new grid " ON \
"SENSOR" "Create a forward only sensor " OFF \
@@ -791,14 +792,14 @@ whiptail_install_type_other() {
# so-analyst-install will only work with a working network connection
# so only show it on network installs for now
if [[ $setup_type == 'network' ]]; then
- install_type=$(whiptail --title "Security Onion Setup" --radiolist \
+ install_type=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
"Choose distributed node type:" 9 65 2 \
"ANALYST" "Quit setup and run so-analyst-install " ON \
"HELIXSENSOR" "Create a Helix sensor " OFF \
3>&1 1>&2 2>&3
)
else
- install_type=$(whiptail --title "Security Onion Setup" --radiolist \
+ install_type=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
"Choose distributed node type:" 8 65 1 \
"HELIXSENSOR" "Create a Helix sensor " ON \
3>&1 1>&2 2>&3
@@ -814,7 +815,7 @@ whiptail_install_type_other() {
whiptail_invalid_input() { # TODO: This should accept a list of arguments to specify what general pattern the input should follow
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --msgbox " Invalid input, please try again." 7 40
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox " Invalid input, please try again." 7 40
}
@@ -828,13 +829,13 @@ whiptail_invalid_proxy() {
Error was: ${proxy_test_err}
EOM
- whiptail --title "Security Onion Setup" --yesno "$message" --yes-button "Enter Again" --no-button "Skip" 11 60
+ whiptail --title "Security Onion Setup - $SOVERSION" --yesno "$message" --yes-button "Enter Again" --no-button "Skip" 11 60
}
whiptail_invalid_string() {
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --msgbox "Invalid input, please try again.\n\nThe $1 cannot contain spaces." 9 45
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Invalid input, please try again.\n\nThe $1 cannot contain spaces." 9 45
}
@@ -842,21 +843,21 @@ whiptail_invalid_pass_characters_warning() {
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --msgbox "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password." 8 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password." 8 75
}
whiptail_invalid_pass_warning() {
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --msgbox "Please choose a more secure password." 8 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Please choose a more secure password." 8 75
}
whiptail_invalid_user_warning() {
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --msgbox "Please enter a valid email address." 8 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Please enter a valid email address." 8 75
}
whiptail_invalid_hostname() {
@@ -867,7 +868,7 @@ whiptail_invalid_hostname() {
the ASCII letters 'A-Z' and 'a-z' (case-sensitive), the digits '0' through '9', \
and hyphen ('-')" | tr -d '\t')
- whiptail --title "Security Onion Setup" \
+ whiptail --title "Security Onion Setup - $SOVERSION" \
--msgbox "$error_message" 10 75
}
@@ -890,7 +891,7 @@ whiptail_log_size_limit() {
By default, this is set to ${percentage}% of the disk space allotted for /nsm.
EOM
- log_size_limit=$(whiptail --title "Security Onion Setup" --inputbox "$message" 11 75 "$1" 3>&1 1>&2 2>&3)
+ log_size_limit=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox "$message" 11 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
@@ -900,7 +901,7 @@ whiptail_log_size_limit() {
whiptail_first_menu_iso() {
[ -n "$TESTING" ] && return
- option=$(whiptail --title "Security Onion Setup" --menu "Select an option" 10 75 2 \
+ option=$(whiptail --title "Security Onion Setup - $SOVERSION" --menu "Select an option" 10 75 2 \
"Install " "Run the standard Security Onion installation " \
"Configure Network " "Configure networking only " \
3>&1 1>&2 2>&3
@@ -914,7 +915,7 @@ whiptail_make_changes() {
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --yesno "We are going to set this machine up as a $install_type. Please press YES to make changes or NO to cancel." 8 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --yesno "We are going to set this machine up as a $install_type. Please press YES to make changes or NO to cancel." 8 75
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
@@ -925,7 +926,7 @@ whiptail_management_interface_dns() {
[ -n "$TESTING" ] && return
- MDNS=$(whiptail --title "Security Onion Setup" --inputbox \
+ MDNS=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter your DNS servers separated by commas:" 10 60 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -937,7 +938,7 @@ whiptail_management_interface_dns_search() {
[ -n "$TESTING" ] && return
- MSEARCH=$(whiptail --title "Security Onion Setup" --inputbox \
+ MSEARCH=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter your DNS search domain:" 10 60 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -948,7 +949,7 @@ whiptail_management_interface_gateway() {
[ -n "$TESTING" ] && return
- MGATEWAY=$(whiptail --title "Security Onion Setup" --inputbox \
+ MGATEWAY=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter your gateway's IPv4 address:" 10 60 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -958,7 +959,7 @@ whiptail_management_interface_gateway() {
whiptail_management_interface_ip_mask() {
[ -n "$TESTING" ] && return
- manager_ip_mask=$(whiptail --title "Security Onion Setup" --inputbox \
+ manager_ip_mask=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter your IPv4 address with CIDR mask (e.g. 192.168.1.2/24):" 10 60 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -969,7 +970,7 @@ whiptail_management_interface_ip() {
[ -n "$TESTING" ] && return
- MIP=$(whiptail --title "Security Onion Setup" --inputbox \
+ MIP=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter your IP address:" 10 60 X.X.X.X 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -980,7 +981,7 @@ whiptail_management_interface_mask() {
[ -n "$TESTING" ] && return
- MMASK=$(whiptail --title "Security Onion Setup" --inputbox \
+ MMASK=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter the bit mask for your subnet:" 10 60 24 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -1059,7 +1060,7 @@ whiptail_net_method() {
local option_count=$(( ${#options[@]} / 2 ))
- network_traffic=$(whiptail --title "Security Onion Setup" --menu "$msg" $height 75 $option_count "${options[@]}" 3>&1 1>&2 2>&3)
+ network_traffic=$(whiptail --title "Security Onion Setup - $SOVERSION" --menu "$msg" $height 75 $option_count "${options[@]}" 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
@@ -1070,7 +1071,7 @@ whiptail_net_method() {
whiptail_net_setup_complete() {
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" \
+ whiptail --title "Security Onion Setup - $SOVERSION" \
--msgbox "Successfully set up networking, setup will now exit." 7 75
exit 0
}
@@ -1084,7 +1085,7 @@ whiptail_network_init_notice() {
Select OK to continue.
EOM
- whiptail --title "Security Onion Setup" --msgbox "$message" 9 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "$message" 9 75
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
@@ -1093,7 +1094,7 @@ whiptail_management_server() {
[ -n "$TESTING" ] && return
- MSRV=$(whiptail --title "Security Onion Setup" --inputbox \
+ MSRV=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter your Manager Server hostname: \nIt is CASE SENSITIVE!" 10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -1104,7 +1105,7 @@ whiptail_management_server() {
whiptail_manager_ip() {
[ -n "$TESTING" ] && return
- MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \
+ MSRVIP=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter your Manager Server IP Address:" 10 60 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -1116,7 +1117,7 @@ whiptail_manager_adv() {
[ -n "$TESTING" ] && return
- MANAGERADV=$(whiptail --title "Security Onion Setup" --radiolist \
+ MANAGERADV=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
"Choose which type of manager to install:" 20 75 4 \
"BASIC" "Install manager with recommended settings" ON \
"ADVANCED" "Do additional configuration to the manager" OFF 3>&1 1>&2 2>&3 )
@@ -1131,7 +1132,7 @@ whiptail_manager_adv_escluster(){
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --yesno \
+ whiptail --title "Security Onion Setup - $SOVERSION" --yesno \
"Do you want to set up a traditional ES cluster for using replicas and/or Hot-Warm indices? Recommended only for those who have experience with ES clustering! " 12 75
}
@@ -1141,7 +1142,7 @@ whiptail_manager_adv_escluster_name(){
[ -n "$TESTING" ] && return
- ESCLUSTERNAME=$(whiptail --title "Security Onion Setup" --inputbox \
+ ESCLUSTERNAME=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter a name for your ES cluster!" 10 75 "$1" 3>&1 1>&2 2>&3)
}
@@ -1150,7 +1151,7 @@ whiptail_manager_adv_service_zeeklogs() {
[ -n "$TESTING" ] && return
- BLOGS=$(whiptail --title "Security Onion Setup" --checklist "Please select logs to send:" 24 75 12 \
+ BLOGS=$(whiptail --title "Security Onion Setup - $SOVERSION" --checklist "Please select logs to send:" 24 75 12 \
"conn" "Connection Logging" ON \
"dce_rpc" "RPC Logs" ON \
"dhcp" "DHCP Logs" ON \
@@ -1212,13 +1213,13 @@ whiptail_manager_error() {
Would you like to continue anyway?
EOM
- whiptail --title "Security Onion Setup" --yesno "$msg" 13 75 || whiptail_check_exitstatus 1
+ whiptail --title "Security Onion Setup - $SOVERSION" --yesno "$msg" 13 75 || whiptail_check_exitstatus 1
}
whiptail_manager_updates_warning() {
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup"\
+ whiptail --title "Security Onion Setup - $SOVERSION"\
--msgbox "Updating through the manager node requires the manager to have internet access, press ENTER to continue."\
8 75
@@ -1229,7 +1230,7 @@ whiptail_manager_updates_warning() {
whiptail_manager_unreachable() {
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --msgbox "Setup cannot determine if $1 is listening on port 22. Please check the address entered and try again." 7 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Setup cannot determine if $1 is listening on port 22. Please check the address entered and try again." 7 75
}
whiptail_metadata_tool() {
@@ -1247,7 +1248,7 @@ whiptail_metadata_tool() {
EOM
# Legacy variable naming
- ZEEKVERSION=$(whiptail --title "Security Onion Setup" --menu "$message" 20 75 2 \
+ ZEEKVERSION=$(whiptail --title "Security Onion Setup - $SOVERSION" --menu "$message" 20 75 2 \
"Zeek " "Use Zeek (Bro) for metadata and Suricata for NIDS alerts" \
"Suricata " "Use Suricata for both metadata and NIDS alerts" 3>&1 1>&2 2>&3)
@@ -1261,7 +1262,7 @@ whiptail_nids() {
[ -n "$TESTING" ] && return
- NIDS=$(whiptail --title "Security Onion Setup" --radiolist \
+ NIDS=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
"Choose which IDS to run: \n\n(Snort 3.0 support will be added once it is out of beta.)" 25 75 4 \
"Suricata" "Suricata" ON \
"Snort" "Placeholder for Snort 3.0 " OFF 3>&1 1>&2 2>&3 )
@@ -1275,7 +1276,7 @@ whiptail_network_notice() {
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --yesno "Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. Select YES to continue." 8 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --yesno "Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. Select YES to continue." 8 75
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
@@ -1285,14 +1286,14 @@ whiptail_network_notice() {
whiptail_net_reinit() {
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --yesno "The management interface has already been configured. Do you want to reconfigure it?" 8 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --yesno "The management interface has already been configured. Do you want to reconfigure it?" 8 75
}
whiptail_node_advanced() {
[ -n "$TESTING" ] && return
- NODESETUP=$(whiptail --title "Security Onion Setup" --radiolist \
+ NODESETUP=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
"What type of config would you like to use?:" 20 75 4 \
"NODEBASIC" "Install Search Node with recommended settings" ON \
"NODEADVANCED" "Advanced Node Setup" OFF 3>&1 1>&2 2>&3 )
@@ -1305,7 +1306,7 @@ whiptail_node_advanced() {
whiptail_node_description() {
[ -n "$TESTING" ] && return
- NODE_DESCRIPTION=$(whiptail --title "Security Onion Setup" \
+ NODE_DESCRIPTION=$(whiptail --title "Security Onion Setup - $SOVERSION" \
--inputbox "Enter a short description for the node or press ENTER to leave blank:" 10 75 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -1316,7 +1317,7 @@ whiptail_node_es_heap() {
[ -n "$TESTING" ] && return
- NODE_ES_HEAP_SIZE=$(whiptail --title "Security Onion Setup" --inputbox \
+ NODE_ES_HEAP_SIZE=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter ES heap size:" 10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -1328,7 +1329,7 @@ whiptail_node_ls_heap() {
[ -n "$TESTING" ] && return
- NODE_LS_HEAP_SIZE=$(whiptail --title "Security Onion Setup" --inputbox \
+ NODE_LS_HEAP_SIZE=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter Logstash heap size:" 10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -1340,7 +1341,7 @@ whiptail_node_ls_input_threads() {
[ -n "$TESTING" ] && return
- LSINPUTTHREADS=$(whiptail --title "Security Onion Setup" --inputbox \
+ LSINPUTTHREADS=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter number of Logstash input threads:" 10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -1353,7 +1354,7 @@ whiptail_node_ls_pipline_batchsize() {
[ -n "$TESTING" ] && return
- LSPIPELINEBATCH=$(whiptail --title "Security Onion Setup" --inputbox \
+ LSPIPELINEBATCH=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter Logstash pipeline batch size:" 10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -1365,7 +1366,7 @@ whiptail_node_ls_pipeline_worker() {
[ -n "$TESTING" ] && return
- LSPIPELINEWORKERS=$(whiptail --title "Security Onion Setup" --inputbox \
+ LSPIPELINEWORKERS=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter number of Logstash pipeline workers:" 10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -1376,13 +1377,13 @@ whiptail_node_ls_pipeline_worker() {
whiptail_ntp_ask() {
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --yesno "Would you like to configure ntp servers?" 7 44
+ whiptail --title "Security Onion Setup - $SOVERSION" --yesno "Would you like to configure ntp servers?" 7 44
}
whiptail_ntp_servers() {
[ -n "$TESTING" ] && return
- ntp_string=$(whiptail --title "Security Onion Setup" \
+ ntp_string=$(whiptail --title "Security Onion Setup - $SOVERSION" \
--inputbox "Input the NTP server(s) you would like to use, separated by commas:" 8 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -1393,7 +1394,7 @@ whiptail_oinkcode() {
[ -n "$TESTING" ] && return
- OINKCODE=$(whiptail --title "Security Onion Setup" --inputbox \
+ OINKCODE=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter your ET Pro or oinkcode:" 10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -1406,7 +1407,7 @@ whiptail_oinkcode() {
whiptail_passwords_dont_match() {
- whiptail --title "Security Onion Setup" --msgbox "Passwords don't match. Please re-enter." 8 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Passwords don't match. Please re-enter." 8 75
}
@@ -1414,7 +1415,7 @@ whiptail_patch_name_new_schedule() {
[ -n "$TESTING" ] && return
- PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \
+ PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"What name do you want to give this OS patch schedule? This schedule needs to be named uniquely. Available schedules can be found on the manager under /opt/so/salt/patch/os/schedules/.yml" 10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -1425,7 +1426,7 @@ whiptail_patch_schedule() {
[ -n "$TESTING" ] && return
- patch_schedule=$(whiptail --title "Security Onion Setup" --radiolist \
+ patch_schedule=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
"Choose OS patch schedule.\n\nThis schedule will update the operating system packages but will NOT update Security Onion related tools such as Zeek, Elasticsearch, Kibana, SaltStack, etc." 20 75 5 \
"Automatic" "Updates installed every 8 hours if available" ON \
"Manual" "Updates will be installed manually" OFF \
@@ -1441,7 +1442,7 @@ whiptail_patch_schedule_import() {
[ -n "$TESTING" ] && return
unset PATCHSCHEDULENAME
- PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \
+ PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter the name of the OS patch schedule you want to inherit. \nAvailable schedules can be found on the manager under /opt/so/salt/patch/os/schedules/.yml" 10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -1453,7 +1454,7 @@ whiptail_patch_schedule_select_days() {
[ -n "$TESTING" ] && return
# Select the days to patch
- PATCHSCHEDULEDAYS=$(whiptail --title "Security Onion Setup" --checklist \
+ PATCHSCHEDULEDAYS=$(whiptail --title "Security Onion Setup - $SOVERSION" --checklist \
"Which days do you want to apply OS patches?" 15 75 8 \
Monday "" OFF \
Tuesday "" ON \
@@ -1477,7 +1478,7 @@ whiptail_patch_schedule_select_hours() {
[ -n "$TESTING" ] && return
# Select the hours to patch
- PATCHSCHEDULEHOURS=$(whiptail --title "Security Onion Setup" --checklist \
+ PATCHSCHEDULEHOURS=$(whiptail --title "Security Onion Setup - $SOVERSION" --checklist \
"At which time, UTC, do you want to apply OS patches on the selected days?" 22 75 13 \
00:00 "" OFF \
01:00 "" OFF \
@@ -1518,7 +1519,7 @@ whiptail_proxy_ask() {
local pkg_mngr
if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
- whiptail --title "Security Onion Setup" --yesno "Do you want to proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment?" 9 65 --defaultno
+ whiptail --title "Security Onion Setup - $SOVERSION" --yesno "Do you want to proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment?" 9 65 --defaultno
}
whiptail_proxy_addr() {
@@ -1531,7 +1532,7 @@ whiptail_proxy_addr() {
If your proxy requires a username and password do not include them in your input. Setup will ask for those values next.
EOM
- proxy_addr=$(whiptail --title "Security Onion Setup" --inputbox "$message" 13 60 "$1" 3>&1 1>&2 2>&3)
+ proxy_addr=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox "$message" 13 60 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
@@ -1540,13 +1541,13 @@ whiptail_proxy_addr() {
whiptail_proxy_auth_ask() {
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --yesno "Does your proxy require authentication?" 7 60
+ whiptail --title "Security Onion Setup - $SOVERSION" --yesno "Does your proxy require authentication?" 7 60
}
whiptail_proxy_auth_user() {
[ -n "$TESTING" ] && return
- proxy_user=$(whiptail --title "Security Onion Setup" --inputbox "Please input the proxy user:" 8 60 "$1" 3>&1 1>&2 2>&3)
+ proxy_user=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox "Please input the proxy user:" 8 60 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
@@ -1557,7 +1558,7 @@ whiptail_proxy_auth_pass() {
[ -n "$TESTING" ] && return
- proxy_pass=$(whiptail --title "Security Onion Setup" --passwordbox "Please input the proxy password:" 8 60 3>&1 1>&2 2>&3)
+ proxy_pass=$(whiptail --title "Security Onion Setup - $SOVERSION" --passwordbox "Please input the proxy password:" 8 60 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
@@ -1571,7 +1572,7 @@ whiptail_requirements_error() {
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" \
+ whiptail --title "Security Onion Setup - $SOVERSION" \
--yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Press YES to continue anyway, or press NO to cancel." 10 75
local exitstatus=$?
@@ -1583,7 +1584,7 @@ whiptail_rule_setup() {
[ -n "$TESTING" ] && return
# Get pulled pork info
- RULESETUP=$(whiptail --title "Security Onion Setup" --radiolist \
+ RULESETUP=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
"Which IDS ruleset would you like to use?\n\nThis manager server is responsible for downloading the IDS ruleset from the Internet.\n\nSensors then pull a copy of this ruleset from the manager server.\n\nIf you select a commercial ruleset, it is your responsibility to purchase enough licenses for all of your sensors in compliance with your vendor's policies." 20 75 4 \
"ETOPEN" "Emerging Threats Open" ON \
"ETPRO" "Emerging Threats PRO" OFF \
@@ -1599,7 +1600,7 @@ whiptail_sensor_config() {
[ -n "$TESTING" ] && return
- NSMSETUP=$(whiptail --title "Security Onion Setup" --radiolist \
+ NSMSETUP=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
"What type of configuration would you like to use?" 20 75 4 \
"BASIC" "Install NSM components with recommended settings" ON \
"ADVANCED" "Configure each component individually" OFF 3>&1 1>&2 2>&3 )
@@ -1641,7 +1642,7 @@ whiptail_sensor_nics() {
for bond_nic in "${BNICS[@]}"; do
if [[ "${nmcli_dev_status_list}" =~ $bond_nic\:unmanaged ]]; then
whiptail \
- --title "Security Onion Setup" \
+ --title "Security Onion Setup - $SOVERSION" \
--msgbox "$bond_nic is unmanaged by Network Manager. Please remove it from other network management tools then re-run setup." \
8 75
exit
@@ -1653,7 +1654,7 @@ whiptail_set_hostname() {
[ -n "$TESTING" ] && return
- HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \
+ HOSTNAME=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter the hostname (not FQDN) you would like to set:" 10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -1664,7 +1665,7 @@ whiptail_set_redirect() {
[ -n "$TESTING" ] && return
- REDIRECTINFO=$(whiptail --title "Security Onion Setup" --radiolist \
+ REDIRECTINFO=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
"How would you like to access the web interface?\n\nSecurity Onion uses strict cookie enforcement, so whatever you choose here will be the only way that you can access the web interface.\n\nIf you choose something other than IP address, then you'll need to ensure that you can resolve the name via DNS or hosts entry. If you are unsure, please select IP." 20 75 4 \
"IP" "Use IP address to access the web interface" ON \
"HOSTNAME" "Use hostname to access the web interface" OFF \
@@ -1677,7 +1678,7 @@ whiptail_set_redirect_host() {
[ -n "$TESTING" ] && return
- REDIRECTHOST=$(whiptail --title "Security Onion Setup" --inputbox \
+ REDIRECTHOST=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
"Enter the Hostname, IP, or FQDN you would like to use for the web interface:" 10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
@@ -1705,7 +1706,7 @@ whiptail_setup_complete() {
Press ENTER to reboot.
EOM
- whiptail --title "Security Onion Setup" --msgbox "$message" 12 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "$message" 12 75
}
whiptail_setup_failed() {
@@ -1725,13 +1726,13 @@ whiptail_setup_failed() {
Press Ok to exit.
EOM
- whiptail --title "Security Onion Setup" --msgbox "$message" $height 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "$message" $height 75
}
whiptail_so_allow_yesno() {
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" \
+ whiptail --title "Security Onion Setup - $SOVERSION" \
--yesno "Do you want to run so-allow to allow access to the web tools?" \
8 75
}
@@ -1740,7 +1741,7 @@ whiptail_so_allow() {
[ -n "$TESTING" ] && return
- ALLOW_CIDR=$(whiptail --title "Security Onion Setup" \
+ ALLOW_CIDR=$(whiptail --title "Security Onion Setup - $SOVERSION" \
--inputbox "Enter a single IP address or an IP range, in CIDR notation, to allow:" \
10 75 "$1" 3>&1 1>&2 2>&3)
local exitstatus=$?
@@ -1760,7 +1761,7 @@ whiptail_ssh_key_copy_notice() {
Select OK to continue.
EOM
- whiptail --title "Security Onion Setup" --msgbox "$message" 11 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "$message" 11 75
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
@@ -1799,7 +1800,7 @@ whiptail_storage_requirements() {
EOM
whiptail \
- --title "Security Onion Setup" \
+ --title "Security Onion Setup - $SOVERSION" \
--yesno "$message" \
14 75
@@ -1811,7 +1812,7 @@ whiptail_strelka_rules() {
[ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --yesno "Do you want to enable the default YARA rules for Strelka?" 8 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --yesno "Do you want to enable the default YARA rules for Strelka?" 8 75
local exitstatus=$?
@@ -1851,7 +1852,7 @@ whiptail_node_updates() {
[ -n "$TESTING" ] && return
- NODEUPDATES=$(whiptail --title "Security Onion Setup" --radiolist \
+ NODEUPDATES=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
"How would you like to download OS package updates for your grid?" 20 75 4 \
"MANAGER" "Manager node is proxy for updates." ON \
"OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 )
@@ -1876,7 +1877,7 @@ whiptail_you_sure() {
EOM
whiptail \
- --title "Security Onion Setup" \
+ --title "Security Onion Setup - $SOVERSION" \
--yesno "$you_sure_text" \
20 75