Merge branch 'dev' into feature/setup-idempotency

2025-12-06 17:22:49 +01:00 · 2020-11-04 12:44:14 -05:00
parent b643363e82 8d5c29340e
commit 3ac9c43b7b
13 changed files with 86 additions and 43 deletions
--- a/.github/ISSUE_TEMPLATE
+++ b/.github/ISSUE_TEMPLATE
@@ -0,0 +1,12 @@
+PLEASE STOP AND READ THIS INFORMATION!
+
+If you are creating an issue just to ask a question, you will likely get faster and better responses by posting to our discussions forum instead:
+https://securityonion.net/discuss
+
+If you think you have found a possible bug or are observing a behavior that you weren't expecting, use the discussion forum to start a conversation about it instead of creating an issue.
+
+If you are very familiar with the latest version of the product and are confident you have found a bug in Security Onion, you can continue with creating an issue here, but please make sure you have done the following:
+- duplicated the issue on a fresh installation of the latest version
+- provide information about your system and how you installed Security Onion
+- include relevant log files
+- include reproduction steps
--- a/README.md
+++ b/README.md
@@ -2,6 +2,13 @@

 Security Onion 2.3.2 is here!

+## Screenshots
+
+Alerts
+![Alerts](https://raw.githubusercontent.com/security-onion-solutions/securityonion/master/screenshots/alerts-1.png)
+
+Hunt
+![Hunt](https://raw.githubusercontent.com/security-onion-solutions/securityonion/master/screenshots/hunt-1.png)

 ### Release Notes

--- a/salt/elasticsearch/files/ingest/strelka.file
+++ b/salt/elasticsearch/files/ingest/strelka.file
@@ -6,16 +6,16 @@
    { "rename":         { "field": "message2.scan",        "target_field": "scan",          "ignore_missing": true  } },
    { "rename":         { "field": "message2.request",        "target_field": "request",          "ignore_missing": true  } },
    { "rename":         { "field": "scan.hash",        "target_field": "hash",          "ignore_missing": true  } },
-
+    { "rename":         { "field": "scan.exiftool",        "target_field": "exiftool",          "ignore_missing": true  } },
    { "grok":           { "if": "ctx.request?.attributes?.filename != null",   "field": "request.attributes.filename",       "patterns": ["-%{WORD:log.id.fuid}-"], "ignore_failure": true } },
    { "foreach":
      {
-        "if": "ctx.scan?.exiftool?.keys !=null",
-          "field": "scan.exiftool.keys",
+        "if": "ctx.exiftool?.keys !=null",
+          "field": "exiftool.keys",
          "processor":{
-            "set": {
-              "field": "scan.exiftool.{{_ingest._value.key}}",
-              "value": "{{_ingest._value.value}}"
+            "append": {
+              "field": "scan.exiftool",
+              "value": "{{_ingest._value.key}}={{_ingest._value.value}}"
            }
          }
      }
@@ -42,7 +42,8 @@
    { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89",   "field": "event.severity", "value": 3, "override": true }  },
    { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90",   "field": "event.severity", "value": 4, "override": true }  },
    { "set":         { "field": "observer.name",        "value": "{{agent.name}}" }},
-    { "remove":         { "field": ["host", "path", "message", "scan.exiftool.keys", "scan.yara.meta"],                                         "ignore_missing": true  } },
+    { "convert" :    { "field" : "scan.exiftool","type": "string", "ignore_missing":true }},
+    { "remove":         { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"],                                         "ignore_missing": true  } },
    { "pipeline":       { "name": "common"                                                                                   } }
  ]
 }
--- a/salt/elasticsearch/templates/so/so-common-template.json
+++ b/salt/elasticsearch/templates/so/so-common-template.json
@@ -381,7 +381,12 @@
        },
 	"scan":{
          "type":"object",
-          "dynamic": true
+          "dynamic": true,
+	  "properties":{
+            "exiftool":{
+              "type":"text"
+             }
+          }
        },
        "server":{
          "type":"object",
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -58,11 +58,12 @@ rulesdir:
    - makedirs: True

 synclocalnidsrules:
-  file.managed:
-    - name: /opt/so/rules/nids/local.rules
-    - source: salt://idstools/local.rules
+  file.recurse:
+    - name: /opt/so/rules/nids/
+    - source: salt://idstools/
    - user: 939
    - group: 939
+    - include_pat: 'E@.rules'

 so-idstools:
  docker_container.running:
--- a/salt/nginx/etc/nginx.conf
+++ b/salt/nginx/etc/nginx.conf
@@ -379,7 +379,7 @@ http {

 		location @error401 {
 			add_header    Set-Cookie "AUTH_REDIRECT=$request_uri;Path=/;Max-Age=14400";
-			return        302 /auth/self-service/browser/flows/login;
+			return        302 /auth/self-service/login/browser;
 		}

 		error_page 500 502 503 504 /50x.html;
--- a/salt/soc/files/kratos/kratos.yaml
+++ b/salt/soc/files/kratos/kratos.yaml
@@ -2,7 +2,7 @@
 {%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%}

 selfservice:
-  strategies:
+  methods:
    password:
      enabled: true

--- a/salt/thehive/etc/cortex-application.conf
+++ b/salt/thehive/etc/cortex-application.conf
@@ -6,6 +6,7 @@
 # WARNING: If you deploy your application on several servers, make sure to use the same key.
 play.http.secret.key="{{ CORTEXPLAYSECRET }}"
 play.http.context=/cortex/
+pidfile.path = "/dev/null"
 search.uri = "http://{{ MANAGERIP }}:9400"

 # Elasticsearch
--- a/salt/wazuh/files/agent/wazuh-register-agent
+++ b/salt/wazuh/files/agent/wazuh-register-agent
@@ -47,6 +47,10 @@ cat <<HELP_USAGE
 HELP_USAGE
 }

+cleanup_creds() {
+  /usr/sbin/so-wazuh-user-remove $USER
+}
+
 register_agent() {
  # Adding agent and getting Id from manager
  echo ""
@@ -57,8 +61,7 @@ register_agent() {

  if [ "$?" != "0" ]; then
    echo -e $API_RESULT | sed -rn 's/.*"message":"(.+)".*/\1/p'
-    exit 0
-  fi
+  else
    # Get agent id and agent key
    AGENT_ID=$(echo $API_RESULT | cut -d':' -f 4 | cut -d ',' -f 1)
    AGENT_KEY=$(echo $API_RESULT | cut -d':' -f 5 | cut -d '}' -f 1)
@@ -76,8 +79,7 @@ register_agent() {
    echo "Restarting:"
    echo ""
    /var/ossec/bin/ossec-control restart
-
-  exit 0
+  fi
 }

 remove_agent() {
@@ -135,11 +137,15 @@ shift $(($OPTIND - 1))
 #  fi

 # Default action -> try to register the agent
+echo "Waiting before registering agent..."
 sleep 30s
-STATUS=$(curl -s -k -u $USER:$PASSWORD -L $PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID | jq .data.status | sed s'/"//g')
-if [[ $STATUS == "Active" ]]; then
+if [ -f /opt/so/conf/wazuh/initial_agent_registration.log ]; then
  echo "Agent $AGENT_ID already registered!"
+  exit 0
 else
  register_agent
+  cleanup_creds
+  echo "Initial agent $AGENT_ID with IP $AGENT_IP registered on $DATE." > /opt/so/conf/wazuh/initial_agent_registration.log
+  exit 0
 fi
 #remove_agent
--- a/salt/zeek/policy/intel/intel.dat
+++ b/salt/zeek/policy/intel/intel.dat
@@ -0,0 +1,5 @@
+#fields	indicator	indicator_type	meta.source	meta.do_notice
+# EXAMPLES:
+#66.32.119.38	Intel::ADDR	Test Address	T
+#www.honeynet.org	Intel::DOMAIN	Test Domain	T
+#4285358dd748ef74cb8161108e11cb73	Intel::FILE_HASH	Test MD5	T
--- a/screenshots/alerts-1.png
+++ b/screenshots/alerts-1.png
--- a/screenshots/hunt-1.png
+++ b/screenshots/hunt-1.png
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -431,8 +431,6 @@ configure_minion() {

 	{
 		systemctl restart salt-minion;
-		printf '%s\n'  '----';
-		cat "$minion_config";
 	} >> "$setup_log" 2>&1
 }

@@ -748,7 +746,7 @@ detect_os() {

 disable_auto_start() {
 	
-	if crontab -l 2>&1 | grep so-setup > /dev/null 2>&1; then
+	if crontab -l -u $INSTALLUSERNAME 2>&1 | grep so-setup > /dev/null 2>&1; then
 		# Remove the automated setup script from crontab, if it exists
 		logCmd "crontab -u $INSTALLUSERNAME -r"
 	fi
@@ -1664,12 +1662,17 @@ salt_checkin() {
 				done

 				echo " Confirming existence of the CA certificate"
-				cat /etc/pki/ca.crt
+				openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates
 				echo " Applyng a mine hack";
 				salt "$MINION_ID" mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt;
 				salt "$MINION_ID" mine.update;
-				echo " Confirming salt mine now contain the certificate";
-				salt "$MINION_ID" mine.get '*' x509.get_pem_entries;
+				echo "Confirming salt mine now contains the certificate";
+				salt "$MINION_ID" mine.get '*' x509.get_pem_entries | grep -E 'BEGIN CERTIFICATE|END CERTIFICATE';
+				if [ $? -eq 0 ]; then
+					echo "CA in mine"
+				else
+					echo "CA not in mine"
+				fi
 				echo " Applying SSL state";
 				salt-call state.apply ssl;
 			} >> "$setup_log" 2>&1
@@ -1722,10 +1725,12 @@ setup_salt_master_dirs() {
 	if [ "$setup_type" = 'iso' ]; then
 		rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
 		rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
+		mkdir -p $local_salt_dir/salt/zeek/policy/intel >> "$setup_log" 2>&1
 		cp -Rv /home/$INSTALLUSERNAME/SecurityOnion/files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
 	else
 		cp -Rv ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
 		cp -Rv ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
+		mkdir -p $local_salt_dir/salt/zeek/policy/intel >> "$setup_log" 2>&1
 		cp -Rv files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
 	fi