Merge branch 'dev' into feature/setup-idempotency

This commit is contained in:
William Wernert
2020-11-04 12:44:14 -05:00
13 changed files with 86 additions and 43 deletions

12
.github/ISSUE_TEMPLATE vendored Normal file

@@ -0,0 +1,12 @@
PLEASE STOP AND READ THIS INFORMATION!
If you are creating an issue just to ask a question, you will likely get faster and better responses by posting to our discussions forum instead:
https://securityonion.net/discuss
If you think you have found a possible bug or are observing a behavior that you weren't expecting, use the discussion forum to start a conversation about it instead of creating an issue.
If you are very familiar with the latest version of the product and are confident you have found a bug in Security Onion, you can continue with creating an issue here, but please make sure you have done the following:
- duplicated the issue on a fresh installation of the latest version
- provide information about your system and how you installed Security Onion
- include relevant log files
- include reproduction steps


@@ -2,6 +2,13 @@
Security Onion 2.3.2 is here! Security Onion 2.3.2 is here!
## Screenshots
Alerts
![Alerts](https://raw.githubusercontent.com/security-onion-solutions/securityonion/master/screenshots/alerts-1.png)
Hunt
![Hunt](https://raw.githubusercontent.com/security-onion-solutions/securityonion/master/screenshots/hunt-1.png)
### Release Notes ### Release Notes


@@ -6,16 +6,16 @@
{ "rename": { "field": "message2.scan", "target_field": "scan", "ignore_missing": true } }, { "rename": { "field": "message2.scan", "target_field": "scan", "ignore_missing": true } },
{ "rename": { "field": "message2.request", "target_field": "request", "ignore_missing": true } }, { "rename": { "field": "message2.request", "target_field": "request", "ignore_missing": true } },
{ "rename": { "field": "scan.hash", "target_field": "hash", "ignore_missing": true } }, { "rename": { "field": "scan.hash", "target_field": "hash", "ignore_missing": true } },
{ "rename": { "field": "scan.exiftool", "target_field": "exiftool", "ignore_missing": true } },
{ "grok": { "if": "ctx.request?.attributes?.filename != null", "field": "request.attributes.filename", "patterns": ["-%{WORD:log.id.fuid}-"], "ignore_failure": true } }, { "grok": { "if": "ctx.request?.attributes?.filename != null", "field": "request.attributes.filename", "patterns": ["-%{WORD:log.id.fuid}-"], "ignore_failure": true } },
{ "foreach": { "foreach":
{ {
"if": "ctx.scan?.exiftool?.keys !=null", "if": "ctx.exiftool?.keys !=null",
"field": "scan.exiftool.keys", "field": "exiftool.keys",
"processor":{ "processor":{
"set": { "append": {
"field": "scan.exiftool.{{_ingest._value.key}}", "field": "scan.exiftool",
"value": "{{_ingest._value.value}}" "value": "{{_ingest._value.key}}={{_ingest._value.value}}"
} }
} }
} }
@@ -42,7 +42,8 @@
{ "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89", "field": "event.severity", "value": 3, "override": true } }, { "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89", "field": "event.severity", "value": 3, "override": true } },
{ "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90", "field": "event.severity", "value": 4, "override": true } }, { "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90", "field": "event.severity", "value": 4, "override": true } },
{ "set": { "field": "observer.name", "value": "{{agent.name}}" }}, { "set": { "field": "observer.name", "value": "{{agent.name}}" }},
{ "remove": { "field": ["host", "path", "message", "scan.exiftool.keys", "scan.yara.meta"], "ignore_missing": true } }, { "convert" : { "field" : "scan.exiftool","type": "string", "ignore_missing":true }},
{ "remove": { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"], "ignore_missing": true } },
{ "pipeline": { "name": "common" } } { "pipeline": { "name": "common" } }
] ]
} }
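Review bot: The new `append` processor at `"field": "scan.exiftool"` flattens every exiftool entry into a single `key=value` string, replacing the per-key sub-fields the old `set` processor wrote; any saved search or visualization built on `scan.exiftool.<key>` stops matching, and a value that itself contains `=` can no longer be split back unambiguously. If the intent is to stop arbitrary exiftool keys from growing the dynamic mapping (inferred from the change), that reason belongs in the pipeline's `description` so the next maintainer does not revert it. The `foreach` still has no `ignore_failure`, so a single malformed entry aborts the whole document; adding `"ignore_failure": true` next to the `"if"` would match the grok processor above it.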


@@ -381,7 +381,12 @@
}, },
"scan":{ "scan":{
"type":"object", "type":"object",
"dynamic": true "dynamic": true,
"properties":{
"exiftool":{
"type":"text"
}
}
}, },
"server":{ "server":{
"type":"object", "type":"object",
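Review bot: `exiftool` is mapped as `"type":"text"` with no `keyword` sub-field, so the new `key=value` strings are only analyzed: exact-match filters, sorting and aggregations on `scan.exiftool` will not work, which matters if the field is meant to be grouped in the UI (inferred, not visible here). If exact values are needed, map it as `"type":"keyword"` or add a sub-field such as `"fields": { "keyword": { "type": "keyword", "ignore_above": 1024 } }`, whichever matches how other string fields in this template are mapped. The enclosing `scan` object's `"dynamic": true` is unchanged, so sibling keys still map dynamically.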


@@ -58,11 +58,12 @@ rulesdir:
- makedirs: True - makedirs: True
synclocalnidsrules: synclocalnidsrules:
file.managed: file.recurse:
- name: /opt/so/rules/nids/local.rules - name: /opt/so/rules/nids/
- source: salt://idstools/local.rules - source: salt://idstools/
- user: 939 - user: 939
- group: 939 - group: 939
- include_pat: 'E@.rules'
so-idstools: so-idstools:
docker_container.running: docker_container.running:
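Review bot: `include_pat: 'E@.rules'` is a regular expression, where `.` matches any character and nothing anchors the end, so names such as `myrules` or `local.rules.bak` would also be copied into `/opt/so/rules/nids/`; anchor it, `- include_pat: 'E@\.rules$'`, or use the glob form `- include_pat: '*.rules'`. Switching from `file.managed` to `file.recurse` also means files later removed from `salt://idstools/` stay on the minion unless `clean: True` is set, which may be deliberate if that directory holds generated rules too (cannot tell from here). The new state sets `user`/`group` but no `file_mode`/`dir_mode`, so permissions fall back to Salt's defaults; worth stating explicitly if the rules are read by the container as a non-root user.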


@@ -379,7 +379,7 @@ http {
location @error401 { location @error401 {
add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400"; add_header Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
return 302 /auth/self-service/browser/flows/login; return 302 /auth/self-service/login/browser;
} }
error_page 500 502 503 504 /50x.html; error_page 500 502 503 504 /50x.html;


@@ -2,7 +2,7 @@
{%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%} {%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%}
selfservice: selfservice:
strategies: methods:
password: password:
enabled: true enabled: true


@@ -6,6 +6,7 @@
# WARNING: If you deploy your application on several servers, make sure to use the same key. # WARNING: If you deploy your application on several servers, make sure to use the same key.
play.http.secret.key="{{ CORTEXPLAYSECRET }}" play.http.secret.key="{{ CORTEXPLAYSECRET }}"
play.http.context=/cortex/ play.http.context=/cortex/
pidfile.path = "/dev/null"
search.uri = "http://{{ MANAGERIP }}:9400" search.uri = "http://{{ MANAGERIP }}:9400"
# Elasticsearch # Elasticsearch


@@ -47,6 +47,10 @@ cat <<HELP_USAGE
HELP_USAGE HELP_USAGE
} }
cleanup_creds() {
/usr/sbin/so-wazuh-user-remove $USER
}
register_agent() { register_agent() {
# Adding agent and getting Id from manager # Adding agent and getting Id from manager
echo "" echo ""
@@ -57,8 +61,7 @@ register_agent() {
if [ "$?" != "0" ]; then if [ "$?" != "0" ]; then
echo -e $API_RESULT | sed -rn 's/.*"message":"(.+)".*/\1/p' echo -e $API_RESULT | sed -rn 's/.*"message":"(.+)".*/\1/p'
exit 0 else
fi
# Get agent id and agent key # Get agent id and agent key
AGENT_ID=$(echo $API_RESULT | cut -d':' -f 4 | cut -d ',' -f 1) AGENT_ID=$(echo $API_RESULT | cut -d':' -f 4 | cut -d ',' -f 1)
AGENT_KEY=$(echo $API_RESULT | cut -d':' -f 5 | cut -d '}' -f 1) AGENT_KEY=$(echo $API_RESULT | cut -d':' -f 5 | cut -d '}' -f 1)
@@ -76,8 +79,7 @@ register_agent() {
echo "Restarting:" echo "Restarting:"
echo "" echo ""
/var/ossec/bin/ossec-control restart /var/ossec/bin/ossec-control restart
fi
exit 0
} }
remove_agent() { remove_agent() {
@@ -135,11 +137,15 @@ shift $(($OPTIND - 1))
# fi # fi
# Default action -> try to register the agent # Default action -> try to register the agent
echo "Waiting before registering agent..."
sleep 30s sleep 30s
STATUS=$(curl -s -k -u $USER:$PASSWORD -L $PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID | jq .data.status | sed s'/"//g') if [ -f /opt/so/conf/wazuh/initial_agent_registration.log ]; then
if [[ $STATUS == "Active" ]]; then
echo "Agent $AGENT_ID already registered!" echo "Agent $AGENT_ID already registered!"
exit 0
else else
register_agent register_agent
cleanup_creds
echo "Initial agent $AGENT_ID with IP $AGENT_IP registered on $DATE." > /opt/so/conf/wazuh/initial_agent_registration.log
exit 0
fi fi
#remove_agent #remove_agent
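Review bot: A failed registration is now recorded as a success: in the `register_agent` hunk the failure branch after `if [ "$?" != "0" ]; then` only prints the API message and falls through, and the main flow at the end of the section then runs `cleanup_creds` and writes `initial_agent_registration.log` unconditionally, so every later run takes the "already registered" path and never retries. Return a status from the function (`return 1` in the failure branch) and guard the bookkeeping, e.g. `register_agent || exit 1` before `cleanup_creds` and the log write. The API status check was replaced by a marker-file check, so a stale or hand-created marker now suppresses registration without any confirmation from the manager; a comment on the `if [ -f /opt/so/conf/wazuh/initial_agent_registration.log ]` line stating that trade-off would help. `cleanup_creds` also passes `$USER` unquoted; `"$USER"` keeps it a single argument. register_agent's body continues outside the hunks.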


@@ -0,0 +1,5 @@
#fields indicator indicator_type meta.source meta.do_notice
# EXAMPLES:
#66.32.119.38 Intel::ADDR Test Address T
#www.honeynet.org Intel::DOMAIN Test Domain T
#4285358dd748ef74cb8161108e11cb73 Intel::FILE_HASH Test MD5 T

screenshots/alerts-1.png Normal file




screenshots/hunt-1.png Normal file





@@ -431,8 +431,6 @@ configure_minion() {
{ {
systemctl restart salt-minion; systemctl restart salt-minion;
printf '%s\n' '----';
cat "$minion_config";
} >> "$setup_log" 2>&1 } >> "$setup_log" 2>&1
} }
@@ -748,7 +746,7 @@ detect_os() {
disable_auto_start() { disable_auto_start() {
if crontab -l 2>&1 | grep so-setup > /dev/null 2>&1; then if crontab -l -u $INSTALLUSERNAME 2>&1 | grep so-setup > /dev/null 2>&1; then
# Remove the automated setup script from crontab, if it exists # Remove the automated setup script from crontab, if it exists
logCmd "crontab -u $INSTALLUSERNAME -r" logCmd "crontab -u $INSTALLUSERNAME -r"
fi fi
@@ -1664,12 +1662,17 @@ salt_checkin() {
done done
echo " Confirming existence of the CA certificate" echo " Confirming existence of the CA certificate"
cat /etc/pki/ca.crt openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates
echo " Applyng a mine hack"; echo " Applyng a mine hack";
salt "$MINION_ID" mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt; salt "$MINION_ID" mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt;
salt "$MINION_ID" mine.update; salt "$MINION_ID" mine.update;
echo " Confirming salt mine now contain the certificate"; echo "Confirming salt mine now contains the certificate";
salt "$MINION_ID" mine.get '*' x509.get_pem_entries; salt "$MINION_ID" mine.get '*' x509.get_pem_entries | grep -E 'BEGIN CERTIFICATE|END CERTIFICATE';
if [ $? -eq 0 ]; then
echo "CA in mine"
else
echo "CA not in mine"
fi
echo " Applying SSL state"; echo " Applying SSL state";
salt-call state.apply ssl; salt-call state.apply ssl;
} >> "$setup_log" 2>&1 } >> "$setup_log" 2>&1
@@ -1722,10 +1725,12 @@ setup_salt_master_dirs() {
if [ "$setup_type" = 'iso' ]; then if [ "$setup_type" = 'iso' ]; then
rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1 rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1 rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
mkdir -p $local_salt_dir/salt/zeek/policy/intel >> "$setup_log" 2>&1
cp -Rv /home/$INSTALLUSERNAME/SecurityOnion/files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1 cp -Rv /home/$INSTALLUSERNAME/SecurityOnion/files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
else else
cp -Rv ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1 cp -Rv ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
cp -Rv ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1 cp -Rv ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
mkdir -p $local_salt_dir/salt/zeek/policy/intel >> "$setup_log" 2>&1
cp -Rv files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1 cp -Rv files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
fi fi
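Review bot: The salt-mine check in the `salt_checkin` hunk only logs: when the `grep -E 'BEGIN CERTIFICATE|END CERTIFICATE'` finds nothing, the branch echoes `CA not in mine` and the function still proceeds to `salt-call state.apply ssl`, so the new diagnostic never changes the outcome; if the SSL state depends on the mined CA (cannot tell from here), the else branch should set a failure the caller can act on. Style: testing `$?` on the following line is fragile; `if salt "$MINION_ID" mine.get '*' x509.get_pem_entries | grep -qE 'BEGIN CERTIFICATE|END CERTIFICATE'; then` keeps the test attached to the command. In the `disable_auto_start` hunk `crontab -l -u $INSTALLUSERNAME` leaves the variable unquoted, unlike the quoted `logCmd` call below it; `"$INSTALLUSERNAME"` would be consistent. The bodies of salt_checkin and setup_salt_master_dirs start outside the hunks.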