Merge branch 'dev' into feature/setup-idempotency

2026-01-03 06:43:20 +01:00 · 2020-11-04 12:44:14 -05:00
parent b643363e82 8d5c29340e
commit 3ac9c43b7b
13 changed files with 86 additions and 43 deletions
--- a/salt/elasticsearch/files/ingest/strelka.file
+++ b/salt/elasticsearch/files/ingest/strelka.file
@@ -6,16 +6,16 @@
    { "rename":         { "field": "message2.scan",        "target_field": "scan",          "ignore_missing": true  } },
    { "rename":         { "field": "message2.request",        "target_field": "request",          "ignore_missing": true  } },
    { "rename":         { "field": "scan.hash",        "target_field": "hash",          "ignore_missing": true  } },
-
+    { "rename":         { "field": "scan.exiftool",        "target_field": "exiftool",          "ignore_missing": true  } },
    { "grok":           { "if": "ctx.request?.attributes?.filename != null",   "field": "request.attributes.filename",       "patterns": ["-%{WORD:log.id.fuid}-"], "ignore_failure": true } },
    { "foreach":
      {
-        "if": "ctx.scan?.exiftool?.keys !=null",
-          "field": "scan.exiftool.keys",
+        "if": "ctx.exiftool?.keys !=null",
+          "field": "exiftool.keys",
          "processor":{
-            "set": {
-              "field": "scan.exiftool.{{_ingest._value.key}}",
-              "value": "{{_ingest._value.value}}"
+            "append": {
+              "field": "scan.exiftool",
+              "value": "{{_ingest._value.key}}={{_ingest._value.value}}"
            }
          }
      }
@@ -42,7 +42,8 @@
    { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89",   "field": "event.severity", "value": 3, "override": true }  },
    { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90",   "field": "event.severity", "value": 4, "override": true }  },
    { "set":         { "field": "observer.name",        "value": "{{agent.name}}" }},
-    { "remove":         { "field": ["host", "path", "message", "scan.exiftool.keys", "scan.yara.meta"],                                         "ignore_missing": true  } },
+    { "convert" :    { "field" : "scan.exiftool","type": "string", "ignore_missing":true }},
+    { "remove":         { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"],                                         "ignore_missing": true  } },
    { "pipeline":       { "name": "common"                                                                                   } }
  ]
 }
--- a/salt/elasticsearch/templates/so/so-common-template.json
+++ b/salt/elasticsearch/templates/so/so-common-template.json
@@ -379,9 +379,14 @@
            }
          }
        },
-	      "scan":{
+	"scan":{
          "type":"object",
-          "dynamic": true
+          "dynamic": true,
+	  "properties":{
+            "exiftool":{
+              "type":"text"
+             }
+          }
        },
        "server":{
          "type":"object",
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -58,11 +58,12 @@ rulesdir:
    - makedirs: True

 synclocalnidsrules:
-  file.managed:
-    - name: /opt/so/rules/nids/local.rules
-    - source: salt://idstools/local.rules
+  file.recurse:
+    - name: /opt/so/rules/nids/
+    - source: salt://idstools/
    - user: 939
    - group: 939
+    - include_pat: 'E@.rules'

 so-idstools:
  docker_container.running:
@@ -81,4 +82,4 @@ idstools_state_not_allowed:
  test.fail_without_changes:
    - name: idstools_state_not_allowed

-{% endif%}
+{% endif%}
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -379,7 +379,7 @@ http {

 		location @error401 {
 			add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
-			return        302 /auth/self-service/browser/flows/login;
+			return        302 /auth/self-service/login/browser;
 		}

 		error_page 500 502 503 504 /50x.html;
--- a/salt/soc/files/kratos/kratos.yaml
+++ b/salt/soc/files/kratos/kratos.yaml
@@ -2,7 +2,7 @@
 {%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%}

 selfservice:
-  strategies:
+  methods:
    password:
      enabled: true

--- a/salt/thehive/etc/cortex-application.conf
+++ b/salt/thehive/etc/cortex-application.conf
@@ -6,6 +6,7 @@
 # WARNING: If you deploy your application on several servers, make sure to use the same key.
 play.http.secret.key="{{ CORTEXPLAYSECRET }}"
 play.http.context=/cortex/
+pidfile.path = "/dev/null"
 search.uri = "http://{{ MANAGERIP }}:9400"

 # Elasticsearch
--- a/salt/wazuh/files/agent/wazuh-register-agent
+++ b/salt/wazuh/files/agent/wazuh-register-agent
@@ -47,6 +47,10 @@ cat <<HELP_USAGE
 HELP_USAGE
 }

+cleanup_creds() {
+  /usr/sbin/so-wazuh-user-remove $USER
+}
+
 register_agent() {
  # Adding agent and getting Id from manager
  echo ""
@@ -57,27 +61,25 @@ register_agent() {

  if [ "$?" != "0" ]; then
    echo -e $API_RESULT | sed -rn 's/.*"message":"(.+)".*/\1/p'
-    exit 0
+  else
+    # Get agent id and agent key
+    AGENT_ID=$(echo $API_RESULT | cut -d':' -f 4 | cut -d ',' -f 1)
+    AGENT_KEY=$(echo $API_RESULT | cut -d':' -f 5 | cut -d '}' -f 1)
+
+    echo "Agent '$AGENT_NAME' with ID '$AGENT_ID' added."
+    echo "Key for agent '$AGENT_ID' received."
+
+    # Importing key
+    echo ""
+    echo "Importing authentication key:"
+    echo "y" | /var/ossec/bin/manage_agents -i $AGENT_KEY
+
+    # Restarting agent
+    echo ""
+    echo "Restarting:"
+    echo ""
+    /var/ossec/bin/ossec-control restart
  fi
-  # Get agent id and agent key
-  AGENT_ID=$(echo $API_RESULT | cut -d':' -f 4 | cut -d ',' -f 1)
-  AGENT_KEY=$(echo $API_RESULT | cut -d':' -f 5 | cut -d '}' -f 1)
-
-  echo "Agent '$AGENT_NAME' with ID '$AGENT_ID' added."
-  echo "Key for agent '$AGENT_ID' received."
-
-  # Importing key
-  echo ""
-  echo "Importing authentication key:"
-  echo "y" | /var/ossec/bin/manage_agents -i $AGENT_KEY
-
-  # Restarting agent
-  echo ""
-  echo "Restarting:"
-  echo ""
-  /var/ossec/bin/ossec-control restart
-
-  exit 0
 }

 remove_agent() {
@@ -135,11 +137,15 @@ shift $(($OPTIND - 1))
 #  fi

 # Default action -> try to register the agent
+echo "Waiting before registering agent..."
 sleep 30s
-STATUS=$(curl -s -k -u $USER:$PASSWORD -L $PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID | jq .data.status | sed s'/"//g')
-if [[ $STATUS == "Active" ]]; then
+if [ -f /opt/so/conf/wazuh/initial_agent_registration.log ]; then
  echo "Agent $AGENT_ID already registered!"
+  exit 0
 else
  register_agent
+  cleanup_creds
+  echo "Initial agent $AGENT_ID with IP $AGENT_IP registered on $DATE." > /opt/so/conf/wazuh/initial_agent_registration.log
+  exit 0
 fi
 #remove_agent
--- a/salt/zeek/policy/intel/intel.dat
+++ b/salt/zeek/policy/intel/intel.dat
@@ -0,0 +1,5 @@
+#fields	indicator	indicator_type	meta.source	meta.do_notice
+# EXAMPLES:
+#66.32.119.38	Intel::ADDR	Test Address	T
+#www.honeynet.org	Intel::DOMAIN	Test Domain	T
+#4285358dd748ef74cb8161108e11cb73	Intel::FILE_HASH	Test MD5	T