Fix annotations and file locations

Mike Reeves
2023-04-27 13:23:53 -04:00
parent e799edaf49
commit 3d7f2bc691
48 changed files with 491 additions and 31 deletions


@@ -49,12 +49,11 @@ so-status.conf:
- name: /opt/so/conf/so-status/so-status.conf
- unless: ls /opt/so/conf/so-status/so-status.conf
sosaltstackperms:
socore_opso_perms:
file.directory:
- name: /opt/so/saltstack
- name: /opt/so
- user: 939
- group: 939
- dir_mode: 770
so_log_perms:
file.directory:
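Review bot: The renamed `socore_opso_perms` state pins ownership of `/opt/so` to numeric ids (`- user: 939` / `- group: 939`), while the new clone-and-copy script added in this same commit sets ownership by name with `chown -R socore:socore`; if the socore account is ever created with a different uid the two will disagree and the salt tree ends up with mixed owners. If the account is guaranteed to exist when this state runs, prefer `- user: socore` and `- group: socore`; if the numeric id is deliberate (account not yet present), add a one-line comment saying so. With no `recurse` visible, `dir_mode: 770` presumably applies only to `/opt/so` itself rather than its contents — worth stating in a comment as well. The following `so_log_perms` state continues outside the hunk.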


@@ -1,27 +0,0 @@
#!/bin/bash
local_salt_dir=/opt/so/saltstack/local
got_root() {
# Make sure you are root
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!"
exit 1
fi
}
got_root
if [ ! -f $local_salt_dir/pillar/fireeye/init.sls ]; then
echo "This is nto configured for Helix Mode. Please re-install."
exit
else
echo "Enter your Helix API Key: "
read APIKEY
sed -i "s/^ api_key.*/ api_key: $APIKEY/g" $local_salt_dir/pillar/fireeye/init.sls
docker stop so-logstash
docker rm so-logstash
echo "Restarting Logstash for updated key"
salt-call state.apply logstash queue=True
fi


@@ -0,0 +1,413 @@
firewall:
hostgroups:
analyst: &hostgroupsettings
description: List of IP or CIDR blocks to allow access to for this hostgroup.
helplink: firewall.html
multiline: True
regex: ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$
regexFailureMessage: You must enter a properly formatted IP address or CIDR.
anywhere: *hostgroupsettings
beats_endpoint: *hostgroupsettings
beats_endpoint_ssl: *hostgroupsettings
dockernet: *hostgroupsettings
elastic_agent_endpoint: *hostgroupsettings
elasticsearch_rest: *hostgroupsettings
endgame: *hostgroupsettings
eval: *hostgroupsettings
fleet: *hostgroupsettings
heavynodes: *hostgroupsettings
idh: *hostgroupsettings
localhost: *hostgroupsettings
manager: *hostgroupsettings
receivers: *hostgroupsettings
searchnodes: *hostgroupsettings
securityonion_desktops: *hostgroupsettings
self: *hostgroupsettings
sensors: *hostgroupsettings
standalone: *hostgroupsettings
strelka_frontend: *hostgroupsettings
syslog: *hostgroupsettings
portgroups:
all:
tcp:
udp:
agrules:
tcp:
udp:
beats_5044:
tcp:
udp:
beats_5644:
tcp:
udp:
beats_5066:
tcp:
udp:
beats_5056:
tcp:
udp:
docker_registry:
tcp:
udp:
elasticsearch_node:
tcp:
udp:
elasticsearch_rest:
tcp:
udp:
elastic_agent_control:
tcp:
udp:
elastic_agent_data:
tcp:
udp:
endgame:
tcp:
udp:
influxdb:
tcp:
udp:
kibana:
tcp:
udp:
mysql:
tcp:
udp:
nginx:
tcp:
udp:
playbook:
tcp:
udp:
redis:
tcp:
udp:
salt_manager:
tcp:
udp:
sensoroni:
tcp:
udp:
ssh:
tcp:
udp:
strelka_frontend:
tcp:
udp:
syslog:
tcp:
udp:
yum:
tcp:
udp:
role:
eval:
chain:
DOCKER-USER:
hostgroups:
eval:
portgroups:
sensors:
portgroups:
searchnodes:
portgroups:
heavynodes:
portgroups:
self:
portgroups:
beats_endpoint:
portgroups:
beats_endpoint_ssl:
portgroups:
elasticsearch_rest:
portgroups:
elastic_agent_endpoint:
portgroups:
strelka_frontend:
portgroups:
syslog:
portgroups:
analyst:
portgroups:
INPUT:
hostgroups:
anywhere:
portgroups:
dockernet:
portgroups:
localhost:
portgroups:
fleet:
chain:
DOCKER-USER:
hostgroups:
sensors:
portgroups:
elastic_agent_endpoint:
portgroups:
INPUT:
hostgroups:
anywhere:
portgroups:
dockernet:
portgroups:
localhost:
portgroups:
standalone:
portgroups:
sensors:
portgroups:
searchnodes:
portgroups:
heavynodes:
portgroups:
manager:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
sensors:
portgroups:
searchnodes:
portgroups:
heavynodes:
portgroups:
self:
portgroups:
syslog:
portgroups:
beats_endpoint:
portgroups:
beats_endpoint_ssl:
portgroups:
elasticsearch_rest:
portgroups:
elastic_agent_endpoint:
portgroups:
endgame:
portgroups:
analyst:
portgroups:
INPUT:
hostgroups:
anywhere:
portgroups:
dockernet:
portgroups:
localhost:
portgroups:
sensors:
portgroups:
searchnodes:
portgroups:
heavynodes:
portgroups:
managersearch:
chain:
DOCKER-USER:
hostgroups:
managersearch:
portgroups:
sensors:
portgroups:
searchnodes:
portgroups:
heavynodes:
portgroups:
self:
portgroups:
beats_endpoint:
portgroups:
beats_endpoint_ssl:
portgroups:
elasticsearch_rest:
portgroups:
elastic_agent_endpoint:
portgroups:
endgame:
portgroups:
syslog:
portgroups:
analyst:
portgroups:
INPUT:
hostgroups:
anywhere:
portgroups:
dockernet:
portgroups:
localhost:
portgroups:
sensors:
portgroups:
searchnodes:
portgroups:
heavynodes:
portgroups:
standalone:
chain:
DOCKER-USER:
hostgroups:
localhost:
portgroups:
standalone:
portgroups:
fleet:
portgroups:
sensors:
portgroups:
searchnodes:
portgroups:
heavynodes:
portgroups:
self:
portgroups:
beats_endpoint:
portgroups:
beats_endpoint_ssl:
portgroups:
elasticsearch_rest:
portgroups:
elastic_agent_endpoint:
portgroups:
endgame:
portgroups:
strelka_frontend:
portgroups:
syslog:
portgroups:
analyst:
portgroups:
INPUT:
hostgroups:
anywhere:
portgroups:
dockernet:
portgroups:
fleet:
portgroups:
localhost:
portgroups:
standalone:
portgroups:
sensors:
portgroups:
searchnodes:
portgroups:
heavynodes:
portgroups:
searchnode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
dockernet:
portgroups:
elasticsearch_rest:
portgroups:
searchnodes:
portgroups:
self:
portgroups:
INPUT:
hostgroups:
anywhere:
portgroups:
dockernet:
portgroups:
localhost:
portgroups:
sensor:
chain:
DOCKER-USER:
hostgroups:
self:
portgroups:
strelka_frontend:
portgroups:
INPUT:
hostgroups:
anywhere:
portgroups:
dockernet:
portgroups:
localhost:
portgroups:
heavynode:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
dockernet:
portgroups:
elasticsearch_rest:
portgroups:
self:
portgroups:
strelka_frontend:
portgroups:
INPUT:
hostgroups:
anywhere:
portgroups:
dockernet:
portgroups:
localhost:
portgroups:
import:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
sensors:
portgroups:
searchnodes:
portgroups:
beats_endpoint:
portgroups:
beats_endpoint_ssl:
portgroups:
elasticsearch_rest:
portgroups:
elastic_agent_endpoint:
portgroups:
analyst:
portgroups:
INPUT:
hostgroups:
anywhere:
portgroups:
dockernet:
portgroups:
localhost:
portgroups:
receiver:
chain:
DOCKER-USER:
hostgroups:
sensors:
portgroups:
searchnodes:
portgroups:
self:
portgroups:
syslog:
portgroups:
beats_endpoint:
portgroups:
beats_endpoint_ssl:
portgroups:
endgame:
portgroups:
INPUT:
hostgroups:
anywhere:
portgroups:
dockernet:
portgroups:
localhost:
portgroups:
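Review bot: The `regex` on the `hostgroupsettings` anchor accepts octets above 255 (for example `999.999.999.999/8` matches), so a mistyped allow-list entry passes the UI check and is only rejected, or misread, when the firewall rules are rendered. A tighter octet pattern keeps the same shape: `regex: ^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\/([0-9]|[1-2][0-9]|3[0-2]))?$`. The pattern also rejects IPv6 entirely; if that is intended, say so in `description` so users are not left guessing why a valid address is refused. Since this file only drives UI annotation, the Salt side that turns these lists into rules presumably still needs its own validation — confirm that it does not rely on this regex alone.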


@@ -0,0 +1,53 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
default_salt_dir=/opt/so/saltstack/default
clone_to_tmp() {
# Make a temp location for the files
mkdir /tmp/sogh
cd /tmp/sogh
git clone https://github.com/Security-Onion-Solutions/securityonion.git
cd /tmp
}
copy_new_files() {
# Copy new files over to the salt dir
cd /tmp/sogh/securityonion
git checkout $BRANCH
VERSION=$(cat VERSION)
# We need to overwrite if there is a repo file
if [ -d /opt/so/repo ]; then
tar -czf /opt/so/repo/"$VERSION".tar.gz -C "$(pwd)/.." .
fi
rsync -a salt $default_salt_dir/
rsync -a pillar $default_salt_dir/
chown -R socore:socore $default_salt_dir/salt
chown -R socore:socore $default_salt_dir/pillar
chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh
rm -rf /tmp/sogh
}
got_root(){
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!"
exit 1
fi
}
got_root
if [ $# -ne 1 ] ; then
BRANCH=2.4/main
else
BRANCH=$1
fi
clone_to_tmp
copy_new_files
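Review bot: `clone_to_tmp` runs as root (after `got_root`) in the fixed, world-writable path `/tmp/sogh`, and neither `mkdir`, `cd` nor `git clone` is checked (there is no `set -e`), so if that directory already exists — left over from an earlier run or pre-created by another local account — the clone fails quietly and `copy_new_files` goes on to `rsync` whatever is there into `$default_salt_dir` and `chown` it to socore. Use `mktemp -d` for the working directory, fail on the first error, and clean up through a `trap` instead of the unconditional `rm -rf /tmp/sogh` at the end. `$BRANCH` and `$default_salt_dir` should also be quoted, and `VERSION=$(cat VERSION)` can be `VERSION=$(<VERSION)`. The rewritten lines:
```shell
set -euo pipefail
default_salt_dir=/opt/so/saltstack/default

clone_to_tmp() {
  # Private, unpredictable working directory (global: copy_new_files needs it);
  # removed on any exit path by the trap.
  sogh_tmp=$(mktemp -d) || exit 1
  trap 'rm -rf -- "$sogh_tmp"' EXIT
  cd "$sogh_tmp" || exit 1
  git clone https://github.com/Security-Onion-Solutions/securityonion.git
}

copy_new_files() {
  cd "$sogh_tmp/securityonion" || exit 1
  git checkout "$BRANCH"
  VERSION=$(<VERSION)
  # … unchanged: repo tarball, rsync of salt/pillar, chown, chmod (quote "$default_salt_dir") …
}
# … unchanged: got_root, BRANCH selection, calls …
```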


@@ -1341,6 +1341,16 @@ kibana_pillar() {
touch $kibana_pillar_file
}
logrotate_pillar() {
touch $adv_logrotate_pillar_file
touch $logrotate_pillar_file
}
patch_pillar() {
touch $adv_patch_pillar_file
touch $patch_pillar_file
}
logstash_pillar() {
# Create the logstash advanced pillar
touch $adv_logstash_pillar_file
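Review bot: The new `logrotate_pillar` and `patch_pillar` functions `touch` files under `pillar/logrotate/` and `pillar/patch/` (the paths are defined in the variables hunk later in this commit), but `touch` does not create a missing parent directory, so both fail unless those two directories are created elsewhere — presumably that is handled for the existing pillars, but confirm it is for the two new subdirectories. While here, quote the expansions so a path containing spaces or an unset variable does not turn into a stray `touch` of the wrong file: `touch "$adv_logrotate_pillar_file" "$logrotate_pillar_file"` and `touch "$adv_patch_pillar_file" "$patch_pillar_file"`. `kibana_pillar` and `logstash_pillar` are cut at the hunk edges.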


@@ -201,3 +201,15 @@ export influxdb_pillar_file
adv_influxdb_pillar_file="$local_salt_dir/pillar/influxdb/adv_influxdb.sls"
export adv_influxdb_pillar_file
logrotate_pillar_file="$local_salt_dir/pillar/logrotate/soc_logrotate.sls"
export logrotate_pillar_file
adv_logrotate_pillar_file="$local_salt_dir/pillar/logrotate/adv_logrotate.sls"
export adv_logrotate_pillar_file
patch_pillar_file="$local_salt_dir/pillar/patch/soc_patch.sls"
export patch_pillar_file
adv_patch_pillar_file="$local_salt_dir/pillar/patch/adv_patch.sls"
export adv_patch_pillar_file