Merge remote-tracking branch 'origin/2.4/dev' into desktopyummv

This commit is contained in:
m0duspwnens
2023-08-04 11:25:06 -04:00
19 changed files with 264 additions and 113 deletions


@@ -27,6 +27,8 @@ Imports one or more evtx files into Security Onion. The evtx files will be analy
Options: Options:
--json Outputs summary in JSON format. Implies --quiet. --json Outputs summary in JSON format. Implies --quiet.
--quiet Silences progress information to stdout. --quiet Silences progress information to stdout.
--shift Adds a time shift. Accepts a single argument that is intended to be the date of the last record, and shifts the dates of the previous records accordingly.
Ex. sudo so-import-evtx --shift "2023-08-01 01:01:01" example.evtx
EOF EOF
} }
@@ -44,6 +46,10 @@ while [[ $# -gt 0 ]]; do
--quiet) --quiet)
quiet=1 quiet=1
;; ;;
--shift)
SHIFTDATE=$1
shift
;;
-*) -*)
echo "Encountered unexpected parameter: $param" echo "Encountered unexpected parameter: $param"
usage usage
@@ -68,8 +74,10 @@ function status {
function evtx2es() { function evtx2es() {
EVTX=$1 EVTX=$1
HASH=$2 HASH=$2
SHIFTDATE=$3
docker run --rm \ docker run --rm \
-e "SHIFTTS=$SHIFTDATE" \
-v "$EVTX:/tmp/data.evtx" \ -v "$EVTX:/tmp/data.evtx" \
-v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \ -v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \
-v "/nsm/import/evtx-end_newest:/tmp/newest" \ -v "/nsm/import/evtx-end_newest:/tmp/newest" \
@@ -113,7 +121,9 @@ echo $END_NEWEST > /nsm/import/evtx-end_newest
for EVTX in $INPUT_FILES; do for EVTX in $INPUT_FILES; do
EVTX=$(/usr/bin/realpath "$EVTX") EVTX=$(/usr/bin/realpath "$EVTX")
status "Processing Import: ${EVTX}" status "Processing Import: ${EVTX}"
if ! [ -z "$SHIFTDATE" ]; then
status "- timeshifting logs to end date of $SHIFTDATE"
fi
# generate a unique hash to assist with dedupe checks # generate a unique hash to assist with dedupe checks
HASH=$(md5sum "${EVTX}" | awk '{ print $1 }') HASH=$(md5sum "${EVTX}" | awk '{ print $1 }')
HASH_DIR=/nsm/import/${HASH} HASH_DIR=/nsm/import/${HASH}
@@ -136,7 +146,7 @@ for EVTX in $INPUT_FILES; do
# import evtx and write them to import ingest pipeline # import evtx and write them to import ingest pipeline
status "- importing logs to Elasticsearch..." status "- importing logs to Elasticsearch..."
evtx2es "${EVTX}" $HASH evtx2es "${EVTX}" $HASH "$SHIFTDATE"
if [[ $? -ne 0 ]]; then if [[ $? -ne 0 ]]; then
INVALID_EVTXS_COUNT=$((INVALID_EVTXS_COUNT + 1)) INVALID_EVTXS_COUNT=$((INVALID_EVTXS_COUNT + 1))
status "- WARNING: This evtx file may not have fully imported successfully" status "- WARNING: This evtx file may not have fully imported successfully"
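Review bot: The new `--shift)` arm stores whatever follows the flag without validating it, and the value is only consumed inside the container through `-e "SHIFTTS=$SHIFTDATE"`, so a malformed date such as `--shift 2023-13-40` is presumably discovered per-file after the evtx has already been hashed and staged rather than at option parsing. Reject it up front: `SHIFTDATE=$1; date -d "$SHIFTDATE" >/dev/null 2>&1 || { echo "Invalid --shift date: $SHIFTDATE"; usage; }`, mirroring how the `-*` arm already falls through to `usage`. The same arm should also fail when `--shift` is the last argument, because `shift` on an empty list only prints a warning and the script then silently imports with no time shift at all. Minor: `if ! [ -z "$SHIFTDATE" ]` reads more naturally as `if [[ -n "$SHIFTDATE" ]]`. The option-parsing `while` loop and the `for EVTX` loop both begin outside the hunks shown.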


@@ -9,25 +9,26 @@
. /usr/sbin/so-common . /usr/sbin/so-common
appliance_check() {
{%- if salt['grains.get']('sosmodel', '') %} {%- if salt['grains.get']('sosmodel', '') %}
APPLIANCE=1 {%- set model = salt['grains.get']('sosmodel') %}
{%- if grains['sosmodel'] in ['SO2AMI01', 'SO2GCI01', 'SO2AZI01'] %} model={{ model }}
# Don't need cloud images to use this
if [[ $model =~ ^(SO2AMI01|SO2AZI01|SO2GCI01)$ ]]; then
exit 0 exit 0
{%- endif %}
DUDEYOUGOTADELL=$(dmidecode |grep Dell)
if [[ -n $DUDEYOUGOTADELL ]]; then
APPTYPE=dell
else
APPTYPE=sm
fi fi
mkdir -p /opt/so/log/raid
{%- else %} {%- else %}
echo "This is not an appliance" echo "This is not an appliance"
exit 0 exit 0
{%- endif %} {%- endif %}
} if [[ $model =~ ^(SOS10K|SOS500|SOS1000|SOS1000F|SOS4000|SOSSN7200|SOSSNNV|SOSMN)$ ]]; then
is_bossraid=true
fi
if [[ $model =~ ^(SOSSNNV|SOSMN)$ ]]; then
is_swraid=true
fi
if [[ $model =~ ^(SOS10K|SOS500|SOS1000|SOS1000F|SOS4000|SOSSN7200)$ ]]; then
is_hwraid=true
fi
check_nsm_raid() { check_nsm_raid() {
PERCCLI=$(/opt/raidtools/perccli/perccli64 /c0/v0 show|grep RAID|grep Optl) PERCCLI=$(/opt/raidtools/perccli/perccli64 /c0/v0 show|grep RAID|grep Optl)
@@ -49,61 +50,44 @@ check_nsm_raid() {
check_boss_raid() { check_boss_raid() {
MVCLI=$(/usr/local/bin/mvcli info -o vd |grep status |grep functional) MVCLI=$(/usr/local/bin/mvcli info -o vd |grep status |grep functional)
if [[ -n $DUDEYOUGOTADELL ]]; then
if [[ -n $MVCLI ]]; then if [[ -n $MVCLI ]]; then
BOSSRAID=0 BOSSRAID=0
else else
BOSSRAID=1 BOSSRAID=1
fi fi
fi
} }
check_software_raid() { check_software_raid() {
if [[ -n $DUDEYOUGOTADELL ]]; then
SWRC=$(grep "_" /proc/mdstat) SWRC=$(grep "_" /proc/mdstat)
if [[ -n $SWRC ]]; then if [[ -n $SWRC ]]; then
# RAID is failed in some way # RAID is failed in some way
SWRAID=1 SWRAID=1
else else
SWRAID=0 SWRAID=0
fi fi
fi
} }
# This script checks raid status if you use SO appliances # Set everything to 0
SWRAID=0
BOSSRAID=0
HWRAID=0
# See if this is an appliance if [[ $is_hwraid ]]; then
appliance_check
check_nsm_raid check_nsm_raid
fi
if [[ $is_bossraid ]]; then
check_boss_raid check_boss_raid
{%- if salt['grains.get']('sosmodel', '') %} fi
{%- if grains['sosmodel'] in ['SOSMN', 'SOSSNNV'] %} if [[ $is_swraid ]]; then
check_software_raid check_software_raid
{%- endif %} fi
{%- endif %}
if [[ -n $SWRAID ]]; then sum=$(($SWRAID + $BOSSRAID + $HWRAID))
if [[ $SWRAID == '0' && $BOSSRAID == '0' ]]; then
if [[ $sum == "0" ]]; then
RAIDSTATUS=0 RAIDSTATUS=0
else else
RAIDSTATUS=1 RAIDSTATUS=1
fi fi
elif [[ -n $DUDEYOUGOTADELL ]]; then
if [[ $BOSSRAID == '0' && $HWRAID == '0' ]]; then
RAIDSTATUS=0
else
RAIDSTATUS=1
fi
elif [[ "$APPTYPE" == 'sm' ]]; then
if [[ -n "$HWRAID" ]]; then
RAIDSTATUS=0
else
RAIDSTATUS=1
fi
fi
echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log
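Review bot: The rewrite removes `mkdir -p /opt/so/log/raid` together with the old `appliance_check` function, but the final `echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log` still needs that directory, so unless a Salt state now creates it (not visible here) the script fails on a fresh appliance at the one line that reports status. Re-add `mkdir -p /opt/so/log/raid` before the echo. Two smaller points: `model={{ model }}` renders a grain value unquoted into a root-run script, so `model="{{ model }}"` is safer and keeps the `=~` tests intact if the value ever contains whitespace; and `if [[ $is_hwraid ]]` depends on the variable being unset versus the literal `true`, which works but would be clearer as `[[ "${is_hwraid:-false}" == true ]]`. `HWRAID` is initialised to 0 yet nothing in the visible lines sets it to 1, so the `sum` arithmetic relies on `check_nsm_raid` (whose body begins outside the hunk) writing that exact name.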


@@ -2,7 +2,7 @@ elasticfleet:
enabled: False enabled: False
config: config:
server: server:
custom_fqdn: '' custom_fqdn: []
enable_auto_configuration: True enable_auto_configuration: True
endpoints_enrollment: '' endpoints_enrollment: ''
es_token: '' es_token: ''


@@ -15,6 +15,7 @@
include: include:
- elasticfleet.config - elasticfleet.config
- elasticfleet.sostatus - elasticfleet.sostatus
- ssl
# If enabled, automatically update Fleet Logstash Outputs # If enabled, automatically update Fleet Logstash Outputs
{% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval', 'so-fleet'] %} {% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval', 'so-fleet'] %}
@@ -61,11 +62,14 @@ so-elastic-fleet:
- {{ BINDING }} - {{ BINDING }}
{% endfor %} {% endfor %}
- binds: - binds:
- /etc/pki:/etc/pki:ro - /etc/pki/elasticfleet-server.crt:/etc/pki/elasticfleet-server.crt:ro
- /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
{% if GLOBALS.os_family == 'Debian' %} {% if GLOBALS.os_family == 'Debian' %}
- /etc/ssl:/etc/ssl:ro - /etc/ssl/elasticfleet-server.crt:/etc/ssl/elasticfleet-server.crt:ro
- /etc/ssl/elasticfleet-server.key:/etc/ssl/elasticfleet-server.key:ro
- /etc/ssl/tls/certs/intca.crt:/etc/ssl/tls/certs/intca.crt:ro
{% endif %} {% endif %}
#- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw
- /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs
{% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
@@ -93,6 +97,9 @@ so-elastic-fleet:
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- watch:
- x509: etc_elasticfleet_key
- x509: etc_elasticfleet_crt
{% endif %} {% endif %}
{% if GLOBALS.role != "so-fleet" %} {% if GLOBALS.role != "so-fleet" %}
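Review bot: Narrowing the whole `/etc/pki` and `/etc/ssl` mounts down to the three files the container needs is a good least-privilege change, but single-file bind mounts pin the inode that existed at container start, and the new `watch` only covers `etc_elasticfleet_key`/`etc_elasticfleet_crt`, not whatever state writes `intca.crt`. If the intermediate CA is re-issued the container would keep the old CA file until something else restarts it; adding that state to the watch (e.g. `- x509: <the intca state id>`, or a `file:` watch on `/etc/pki/tls/certs/intca.crt`) closes the gap. It is also worth confirming the Debian host path `/etc/ssl/tls/certs/intca.crt` actually exists, since the RHEL side uses `/etc/pki/tls/certs/intca.crt` and Docker typically creates a missing bind source as an empty directory rather than failing. The `so-elastic-fleet` state begins and ends outside the hunks shown.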


@@ -9,13 +9,12 @@
}, },
"enabled": true, "enabled": true,
"policy_id": "endpoints-initial", "policy_id": "endpoints-initial",
"vars": {},
"inputs": [{ "inputs": [{
"type": "endpoint", "type": "ENDPOINT_INTEGRATION_CONFIG",
"enabled": true, "enabled": true,
"streams": [], "streams": [],
"config": { "config": {
"integration_config": { "_config": {
"value": { "value": {
"type": "endpoint", "type": "endpoint",
"endpointConfig": { "endpointConfig": {


@@ -12,10 +12,11 @@ elasticfleet:
config: config:
server: server:
custom_fqdn: custom_fqdn:
description: Custom FQDN for Agents to connect to. description: Custom FQDN for Agents to connect to. One per line.
global: True global: True
helpLink: elastic-fleet.html helpLink: elastic-fleet.html
advanced: True advanced: True
forcedType: "[]string"
enable_auto_configuration: enable_auto_configuration:
description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs. description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs.
global: True global: True


@@ -11,6 +11,12 @@
. /usr/sbin/so-common . /usr/sbin/so-common
. /usr/sbin/so-elastic-fleet-common . /usr/sbin/so-elastic-fleet-common
LOG="/opt/so/log/elasticfleet/so-elastic-agent-gen-installers.log"
# Check to see if we are already running
NUM_RUNNING=$(pgrep -cf "/bin/bash /sbin/so-elastic-agent-gen-installers")
[ "$NUM_RUNNING" -gt 1 ] && echo "$(date) - $NUM_RUNNING gen installers script processes running...exiting." >>$LOG && exit 0
for i in {1..30} for i in {1..30}
do do
ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key') ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key')
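Review bot: The `pgrep -cf "/bin/bash /sbin/so-elastic-agent-gen-installers"` guard is both fragile and racy: it only matches one exact command line (running the script through PATH, via `bash so-elastic-agent-gen-installers`, or with a different interpreter path yields 0 and bypasses it), and if two copies start at the same moment — which the new background launch from the auto-configure script makes plausible — both count 2 and both exit, so no installer is regenerated at all. A kernel lock avoids both problems: `exec 9>/var/lock/so-elastic-agent-gen-installers.lock` followed by `flock -n 9 || { echo "$(date) - gen installers already running...exiting." >>"$LOG"; exit 0; }`. Quote `"$LOG"` in the existing append as well.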


@@ -2,7 +2,7 @@
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0. # this file except in compliance with the Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %} {% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
. /usr/sbin/so-common . /usr/sbin/so-common
@@ -41,9 +41,16 @@ else
NEW_LIST=("{{ GLOBALS.url_base }}:5055" "{{ GLOBALS.hostname }}:5055") NEW_LIST=("{{ GLOBALS.url_base }}:5055" "{{ GLOBALS.hostname }}:5055")
fi fi
{% if CUSTOMFQDN != "" %} # Query for FQDN entries & add them to the list
# Add Custom Hostname to list {% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %}
NEW_LIST+=("{{ CUSTOMFQDN }}:5055") CUSTOMFQDNLIST=({{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(' ') }})
if [ -n "$CUSTOMFQDNLIST" ]; then
readarray -t CUSTOMFQDN <<< $CUSTOMFQDNLIST
for CUSTOMNAME in "${CUSTOMFQDN[@]}"
do
NEW_LIST+=("https://$CUSTOMNAME:8220")
done
fi
{% endif %} {% endif %}
# Query for the current Grid Nodes that are running Logstash # Query for the current Grid Nodes that are running Logstash
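Review bot: The custom-FQDN loop appends `https://$CUSTOMNAME:8220` to a list whose other entries are Logstash `host:5055` pairs (see `NEW_LIST=(... :5055 ...)` above), so every custom FQDN is registered as a Logstash output with the Fleet server's scheme and port — this looks copied from the sibling Fleet-URL script. Independently, `readarray -t CUSTOMFQDN <<< $CUSTOMFQDNLIST` expands only element 0 of the array, so at most one custom FQDN is ever added no matter how many are configured, and `[ -n "$CUSTOMFQDNLIST" ]` tests that same single element. Both go away by letting Jinja emit one line per entry: `{% for CUSTOMNAME in ELASTICFLEETMERGED.config.server.custom_fqdn %}` / `NEW_LIST+=("{{ CUSTOMNAME }}:5055")` / `{% endfor %}`, which also stops rendering unquoted pillar strings into a bash array literal.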


@@ -2,7 +2,7 @@
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0. # this file except in compliance with the Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %} {% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
. /usr/sbin/so-common . /usr/sbin/so-common
@@ -41,9 +41,16 @@ else
NEW_LIST=("https://{{ GLOBALS.url_base }}:8220" "https://{{ GLOBALS.hostname }}:8220") NEW_LIST=("https://{{ GLOBALS.url_base }}:8220" "https://{{ GLOBALS.hostname }}:8220")
fi fi
{% if CUSTOMFQDN != "" %} # Query for FQDN entries & add them to the list
# Add Custom Hostname to list {% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %}
NEW_LIST+=("https://{{ CUSTOMFQDN }}:8220") CUSTOMFQDNLIST=({{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(' ') }})
if [ -n "$CUSTOMFQDNLIST" ]; then
readarray -t CUSTOMFQDN <<< $CUSTOMFQDNLIST
for CUSTOMNAME in "${CUSTOMFQDN[@]}"
do
NEW_LIST+=("https://$CUSTOMNAME:8220")
done
fi
{% endif %} {% endif %}
# Query for the current Grid Nodes that are running Logstash (which includes Fleet Nodes) # Query for the current Grid Nodes that are running Logstash (which includes Fleet Nodes)
@@ -62,7 +69,7 @@ fi
NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}") NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}")
NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}') NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
# Compare the current & new list of URLs - if different, update the Fleet Server URLs # Compare the current & new list of URLs - if different, update the Fleet Server URLs & regenerate the agent installer
if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
printf "\nHashes match - no update needed.\n" printf "\nHashes match - no update needed.\n"
printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n" printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
@@ -71,4 +78,5 @@ else
printf "\nHashes don't match - update needed.\n" printf "\nHashes don't match - update needed.\n"
printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n" printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
update_fleet_urls update_fleet_urls
/sbin/so-elastic-agent-gen-installers >> /opt/so/log/elasticfleet/so-elastic-agent-gen-installers.log &
fi fi
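Review bot: `readarray -t CUSTOMFQDN <<< $CUSTOMFQDNLIST` reads only the first element of the array (an unquoted array name expands to element 0), so the loop adds at most one custom FQDN to the Fleet host list even when several are configured, and `[ -n "$CUSTOMFQDNLIST" ]` tests that same single element. Either iterate the array itself, `for CUSTOMNAME in "${CUSTOMFQDNLIST[@]}"`, or drop the bash array and let Jinja emit `NEW_LIST+=("https://{{ CUSTOMNAME }}:8220")` inside a `{% for %}` loop, which also avoids rendering unquoted pillar strings into a bash array literal. Separately, the detached `so-elastic-agent-gen-installers ... &` is never waited on, so a failure there is visible only in its own log; that is probably acceptable for a scheduled script but deserves a one-line comment saying so.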


@@ -78,6 +78,7 @@
{ "set": { "if": "ctx.network?.direction == 'ingress'", "override": true, "field": "network.initiated", "value": "false" } }, { "set": { "if": "ctx.network?.direction == 'ingress'", "override": true, "field": "network.initiated", "value": "false" } },
{ "set": { "if": "ctx.network?.type == 'ipv4'", "override": true, "field": "destination.ipv6", "value": "false" } }, { "set": { "if": "ctx.network?.type == 'ipv4'", "override": true, "field": "destination.ipv6", "value": "false" } },
{ "set": { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } }, { "set": { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } },
{"community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true } },
{ "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } }
], ],
"on_failure": [ "on_failure": [


@@ -26,6 +26,7 @@ firewall:
standalone: [] standalone: []
strelka_frontend: [] strelka_frontend: []
syslog: [] syslog: []
workstation: []
customhostgroup0: [] customhostgroup0: []
customhostgroup1: [] customhostgroup1: []
customhostgroup2: [] customhostgroup2: []
@@ -370,6 +371,7 @@ firewall:
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
- localrules - localrules
- sensoroni
fleet: fleet:
portgroups: portgroups:
- elasticsearch_rest - elasticsearch_rest
@@ -383,6 +385,17 @@ firewall:
- elastic_agent_control - elastic_agent_control
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
idh:
portgroups:
- docker_registry
- influxdb
- sensoroni
- yum
- beats_5044
- beats_5644
- elastic_agent_control
- elastic_agent_data
- elastic_agent_update
sensor: sensor:
portgroups: portgroups:
- beats_5044 - beats_5044
@@ -393,6 +406,7 @@ firewall:
- yum - yum
- docker_registry - docker_registry
- influxdb - influxdb
- sensoroni
searchnode: searchnode:
portgroups: portgroups:
- redis - redis
@@ -405,6 +419,7 @@ firewall:
- elastic_agent_control - elastic_agent_control
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
- sensoroni
heavynode: heavynode:
portgroups: portgroups:
- redis - redis
@@ -417,6 +432,7 @@ firewall:
- elastic_agent_control - elastic_agent_control
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
- sensoroni
receiver: receiver:
portgroups: portgroups:
- yum - yum
@@ -425,6 +441,10 @@ firewall:
- elastic_agent_control - elastic_agent_control
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
- sensoroni
analyst:
portgroups:
- nginx
beats_endpoint: beats_endpoint:
portgroups: portgroups:
- beats_5044 - beats_5044
@@ -442,9 +462,9 @@ firewall:
endgame: endgame:
portgroups: portgroups:
- endgame - endgame
analyst: workstation:
portgroups: portgroups:
- nginx - yum
customhostgroup0: customhostgroup0:
portgroups: [] portgroups: []
customhostgroup1: customhostgroup1:
@@ -476,6 +496,9 @@ firewall:
fleet: fleet:
portgroups: portgroups:
- salt_manager - salt_manager
idh:
portgroups:
- salt_manager
localhost: localhost:
portgroups: portgroups:
- all - all
@@ -491,6 +514,9 @@ firewall:
receiver: receiver:
portgroups: portgroups:
- salt_manager - salt_manager
workstation:
portgroups:
- salt_manager
self: self:
portgroups: portgroups:
- syslog - syslog
@@ -535,6 +561,7 @@ firewall:
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
- localrules - localrules
- sensoroni
fleet: fleet:
portgroups: portgroups:
- elasticsearch_rest - elasticsearch_rest
@@ -548,6 +575,17 @@ firewall:
- elastic_agent_control - elastic_agent_control
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
idh:
portgroups:
- docker_registry
- influxdb
- sensoroni
- yum
- beats_5044
- beats_5644
- elastic_agent_control
- elastic_agent_data
- elastic_agent_update
sensor: sensor:
portgroups: portgroups:
- beats_5044 - beats_5044
@@ -558,6 +596,7 @@ firewall:
- yum - yum
- docker_registry - docker_registry
- influxdb - influxdb
- sensoroni
searchnode: searchnode:
portgroups: portgroups:
- redis - redis
@@ -569,6 +608,7 @@ firewall:
- elastic_agent_control - elastic_agent_control
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
- sensoroni
heavynode: heavynode:
portgroups: portgroups:
- redis - redis
@@ -580,6 +620,7 @@ firewall:
- elastic_agent_control - elastic_agent_control
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
- sensoroni
receiver: receiver:
portgroups: portgroups:
- yum - yum
@@ -588,6 +629,10 @@ firewall:
- elastic_agent_control - elastic_agent_control
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
- sensoroni
analyst:
portgroups:
- nginx
beats_endpoint: beats_endpoint:
portgroups: portgroups:
- beats_5044 - beats_5044
@@ -605,9 +650,9 @@ firewall:
endgame: endgame:
portgroups: portgroups:
- endgame - endgame
analyst: workstation:
portgroups: portgroups:
- nginx - yum
customhostgroup0: customhostgroup0:
portgroups: [] portgroups: []
customhostgroup1: customhostgroup1:
@@ -639,6 +684,9 @@ firewall:
fleet: fleet:
portgroups: portgroups:
- salt_manager - salt_manager
idh:
portgroups:
- salt_manager
localhost: localhost:
portgroups: portgroups:
- all - all
@@ -654,6 +702,9 @@ firewall:
receiver: receiver:
portgroups: portgroups:
- salt_manager - salt_manager
workstation:
portgroups:
- salt_manager
self: self:
portgroups: portgroups:
- syslog - syslog
@@ -723,6 +774,17 @@ firewall:
- elastic_agent_control - elastic_agent_control
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
idh:
portgroups:
- docker_registry
- influxdb
- sensoroni
- yum
- beats_5044
- beats_5644
- elastic_agent_control
- elastic_agent_data
- elastic_agent_update
sensor: sensor:
portgroups: portgroups:
- docker_registry - docker_registry
@@ -760,6 +822,10 @@ firewall:
- elastic_agent_control - elastic_agent_control
- elastic_agent_data - elastic_agent_data
- elastic_agent_update - elastic_agent_update
- sensoroni
analyst:
portgroups:
- nginx
beats_endpoint: beats_endpoint:
portgroups: portgroups:
- beats_5044 - beats_5044
@@ -780,9 +846,9 @@ firewall:
strelka_frontend: strelka_frontend:
portgroups: portgroups:
- strelka_frontend - strelka_frontend
analyst: workstation:
portgroups: portgroups:
- nginx - yum
customhostgroup0: customhostgroup0:
portgroups: [] portgroups: []
customhostgroup1: customhostgroup1:
@@ -814,6 +880,9 @@ firewall:
fleet: fleet:
portgroups: portgroups:
- salt_manager - salt_manager
idh:
portgroups:
- salt_manager
localhost: localhost:
portgroups: portgroups:
- all - all
@@ -832,6 +901,9 @@ firewall:
receiver: receiver:
portgroups: portgroups:
- salt_manager - salt_manager
workstation:
portgroups:
- salt_manager
self: self:
portgroups: portgroups:
- syslog - syslog
@@ -1128,6 +1200,9 @@ firewall:
analyst: analyst:
portgroups: portgroups:
- nginx - nginx
workstation:
portgroups:
- yum
customhostgroup0: customhostgroup0:
portgroups: [] portgroups: []
customhostgroup1: customhostgroup1:
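Review bot: The new `idh` hostgroup receives exactly the same inbound port groups as `sensor` (`docker_registry`, `influxdb`, `sensoroni`, `yum`, `beats_5044`, `beats_5644` and the three `elastic_agent_*` groups), but an IDH node is deliberately attacker-facing, so splitting it out of `sensor` is the right moment to trim what a compromised honeypot can reach on the manager rather than inheriting the full sensor set. At minimum it is worth confirming whether the IDH role still ships anything through `beats_5044`/`beats_5644` now that it runs Elastic Agent, and dropping whichever path is unused; a comment above each `idh:` entry recording why the remaining groups are required would keep future edits from widening it by analogy with `sensor`. This is inferred from the role name rather than from anything in the hunk, so verify against the IDH state before changing the list.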


@@ -45,6 +45,7 @@ firewall:
standalone: *hostgroupsettings standalone: *hostgroupsettings
strelka_frontend: *hostgroupsettings strelka_frontend: *hostgroupsettings
syslog: *hostgroupsettings syslog: *hostgroupsettings
workstation: *hostgroupsettings
customhostgroup0: &customhostgroupsettings customhostgroup0: &customhostgroupsettings
description: List of IP or CIDR blocks to allow to this hostgroup. description: List of IP or CIDR blocks to allow to this hostgroup.
forcedType: "[]string" forcedType: "[]string"
@@ -215,6 +216,8 @@ firewall:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
analyst: analyst:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
workstation:
portgroups: *portgroupsdocker
customhostgroup0: customhostgroup0:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
customhostgroup1: customhostgroup1:
@@ -339,6 +342,8 @@ firewall:
hostgroups: hostgroups:
manager: manager:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
idh:
portgroups: *portgroupsdocker
sensor: sensor:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
searchnode: searchnode:
@@ -361,6 +366,8 @@ firewall:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
analyst: analyst:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
workstation:
portgroups: *portgroupsdocker
customhostgroup0: customhostgroup0:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
customhostgroup1: customhostgroup1:
@@ -389,12 +396,16 @@ firewall:
portgroups: *portgroupshost portgroups: *portgroupshost
localhost: localhost:
portgroups: *portgroupshost portgroups: *portgroupshost
idh:
portgroups: *portgroupshost
sensor: sensor:
portgroups: *portgroupshost portgroups: *portgroupshost
searchnode: searchnode:
portgroups: *portgroupshost portgroups: *portgroupshost
heavynode: heavynode:
portgroups: *portgroupshost portgroups: *portgroupshost
workstation:
portgroups: *portgroupshost
customhostgroup0: customhostgroup0:
portgroups: *portgroupshost portgroups: *portgroupshost
customhostgroup1: customhostgroup1:
@@ -422,6 +433,8 @@ firewall:
hostgroups: hostgroups:
managersearch: managersearch:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
idh:
portgroups: *portgroupsdocker
sensor: sensor:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
searchnode: searchnode:
@@ -444,6 +457,8 @@ firewall:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
analyst: analyst:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
workstation:
portgroups: *portgroupsdocker
customhostgroup0: customhostgroup0:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
customhostgroup1: customhostgroup1:
@@ -472,12 +487,16 @@ firewall:
portgroups: *portgroupshost portgroups: *portgroupshost
localhost: localhost:
portgroups: *portgroupshost portgroups: *portgroupshost
idh:
portgroups: *portgroupshost
sensor: sensor:
portgroups: *portgroupshost portgroups: *portgroupshost
searchnode: searchnode:
portgroups: *portgroupshost portgroups: *portgroupshost
heavynode: heavynode:
portgroups: *portgroupshost portgroups: *portgroupshost
workstation:
portgroups: *portgroupshost
customhostgroup0: customhostgroup0:
portgroups: *portgroupshost portgroups: *portgroupshost
customhostgroup1: customhostgroup1:
@@ -509,6 +528,8 @@ firewall:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
fleet: fleet:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
idh:
portgroups: *portgroupsdocker
sensor: sensor:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
searchnode: searchnode:
@@ -533,6 +554,8 @@ firewall:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
analyst: analyst:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
workstation:
portgroups: *portgroupsdocker
customhostgroup0: customhostgroup0:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
customhostgroup1: customhostgroup1:
@@ -565,12 +588,16 @@ firewall:
portgroups: *portgroupshost portgroups: *portgroupshost
standalone: standalone:
portgroups: *portgroupshost portgroups: *portgroupshost
idh:
portgroups: *portgroupshost
sensor: sensor:
portgroups: *portgroupshost portgroups: *portgroupshost
searchnode: searchnode:
portgroups: *portgroupshost portgroups: *portgroupshost
heavynode: heavynode:
portgroups: *portgroupshost portgroups: *portgroupshost
workstation:
portgroups: *portgroupshost
customhostgroup0: customhostgroup0:
portgroups: *portgroupshost portgroups: *portgroupshost
customhostgroup1: customhostgroup1:
@@ -795,6 +822,8 @@ firewall:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
analyst: analyst:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
workstation:
portgroups: *portgroupsdocker
customhostgroup0: customhostgroup0:
portgroups: *portgroupsdocker portgroups: *portgroupsdocker
customhostgroup1: customhostgroup1:


@@ -3,17 +3,21 @@
{%- from 'vars/globals.map.jinja' import GLOBALS %} {%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- from 'idstools/map.jinja' import IDSTOOLSMERGED %} {%- from 'idstools/map.jinja' import IDSTOOLSMERGED %}
{%- set proxy = salt['pillar.get']('manager:proxy') %} {%- set proxy = salt['pillar.get']('manager:proxy') %}
{%- set noproxy = salt['pillar.get']('manager:no_proxy', '') %}
# Download the rules from the internet
{%- if proxy %}
export http_proxy={{ proxy }}
export https_proxy={{ proxy }}
export no_proxy="{{ noproxy }}"
{%- endif %}
mkdir -p /nsm/rules/suricata mkdir -p /nsm/rules/suricata
chown -R socore:socore /nsm/rules/suricata chown -R socore:socore /nsm/rules/suricata
# Download the rules from the internet # Download the rules from the internet
{%- if GLOBALS.airgap != 'True' %} {%- if GLOBALS.airgap != 'True' %}
{%- if proxy %}
export http_proxy={{ proxy }}
export https_proxy={{ proxy }}
export no_proxy=salt['pillar.get']('manager:no_proxy')
{%- endif %}
{%- if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %} {%- if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %}
docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force docker exec so-idstools idstools-rulecat -v --suricata-version 6.0 -o /nsm/rules/suricata/ --merged=/nsm/rules/suricata/emerging-all.rules --force
{%- elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %} {%- elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %}
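Review bot: The proxy exports render pillar values unquoted (`export http_proxy={{ proxy }}`), so a proxy URL containing whitespace or shell metacharacters would be word-split or interpreted instead of exported verbatim; write them as `export http_proxy="{{ proxy }}"` and `export https_proxy="{{ proxy }}"` to match the quoting the commit already applies to `no_proxy`. Moving the exports above the airgap check is harmless, but they are now set even when nothing is downloaded, so a short comment such as `# Exported unconditionally; only the non-airgap branch below makes outbound requests` would make that intentional rather than accidental.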


@@ -22,6 +22,7 @@ include:
{% endif %} {% endif %}
- logstash.config - logstash.config
- logstash.sostatus - logstash.sostatus
- ssl
so-logstash: so-logstash:
docker_container.running: docker_container.running:
@@ -90,6 +91,10 @@ so-logstash:
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- watch: - watch:
{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-import', 'so-fleet', 'so-receiver'] %}
- x509: etc_elasticfleet_logstash_key
- x509: etc_elasticfleet_logstash_crt
{% endif %}
- file: lsetcsync - file: lsetcsync
{% for assigned_pipeline in LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %} {% for assigned_pipeline in LOGSTASH_MERGED.assigned_pipelines.roles[GLOBALS.role.split('-')[1]] %}
- file: ls_pipeline_{{assigned_pipeline}} - file: ls_pipeline_{{assigned_pipeline}}
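Review bot: The new `watch` on `x509: etc_elasticfleet_logstash_key` / `etc_elasticfleet_logstash_crt` is gated on a hard-coded role list (`so-manager`, `so-eval`, `so-managersearch`, `so-standalone`, `so-import`, `so-fleet`, `so-receiver`) that has to stay in lockstep with the conditions under which `ssl.sls` declares those state IDs; if a role lands on one list but not the other, `so-logstash` fails with an unresolved requisite instead of merely skipping the restart. I cannot see the `ssl.sls` condition from this page, so please confirm the two agree and consider deriving both from one map variable, or at least add `# keep in sync with the role condition on etc_elasticfleet_logstash_* in ssl/init.sls` above the `{% if %}`. Heavy nodes also run Logstash but are absent here, which is correct only if they never terminate Fleet agent traffic directly. The `so-logstash` state begins outside the hunk shown.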


@@ -74,9 +74,12 @@ fi
so-firewall includehost heavynode "$IP" --apply so-firewall includehost heavynode "$IP" --apply
;; ;;
'IDH') 'IDH')
so-firewall includehost sensor "$IP" --apply so-firewall includehost idh "$IP" --apply
;; ;;
'RECEIVER') 'RECEIVER')
so-firewall includehost receiver "$IP" --apply so-firewall includehost receiver "$IP" --apply
;; ;;
'WORKSTATION')
so-firewall includehost workstation "$IP" --apply
;;
esac esac


@@ -184,7 +184,7 @@ check_airgap() {
is_airgap=0 is_airgap=0
UPDATE_DIR=/tmp/soagupdate/SecurityOnion UPDATE_DIR=/tmp/soagupdate/SecurityOnion
AGDOCKER=/tmp/soagupdate/docker AGDOCKER=/tmp/soagupdate/docker
AGREPO=/tmp/soagupdate/Packages AGREPO=/tmp/soagupdate/minimal/Packages
else else
is_airgap=1 is_airgap=1
fi fi
@@ -403,8 +403,6 @@ postupgrade_changes() {
[[ "$POSTVERSION" == 2.4.2 ]] && post_to_2.4.3 [[ "$POSTVERSION" == 2.4.2 ]] && post_to_2.4.3
[[ "$POSTVERSION" == 2.4.3 ]] && post_to_2.4.4 [[ "$POSTVERSION" == 2.4.3 ]] && post_to_2.4.4
[[ "$POSTVERSION" == 2.4.4 ]] && post_to_2.4.5 [[ "$POSTVERSION" == 2.4.4 ]] && post_to_2.4.5
true true
} }
@@ -479,11 +477,23 @@ up_to_2.4.4() {
} }
up_to_2.4.5() { up_to_2.4.5() {
update_elastic_agent determine_elastic_agent_upgrade
INSTALLEDVERSION=2.4.5 INSTALLEDVERSION=2.4.5
} }
determine_elastic_agent_upgrade() {
if [[ $is_airgap -eq 0 ]]; then
update_elastic_agent_airgap
else
update_elastic_agent
fi
}
update_elastic_agent_airgap() {
rsync -av /tmp/soagupdate/fleet/* /nsm/elastic-fleet/artifacts/
}
verify_upgradespace() { verify_upgradespace() {
CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//') CURRENTSPACE=$(df -BG / | grep -v Avail | awk '{print $4}' | sed 's/.$//')
if [ "$CURRENTSPACE" -lt "10" ]; then if [ "$CURRENTSPACE" -lt "10" ]; then
@@ -521,6 +531,7 @@ update_centos_repo() {
echo "Syncing new updates to /nsm/repo" echo "Syncing new updates to /nsm/repo"
rsync -av $AGREPO/* /nsm/repo/ rsync -av $AGREPO/* /nsm/repo/
echo "Creating repo" echo "Creating repo"
dnf -y install yum-utils createrepo
createrepo /nsm/repo createrepo /nsm/repo
} }
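Review bot: `update_elastic_agent_airgap` copies `/tmp/soagupdate/fleet/*` into `/nsm/elastic-fleet/artifacts/` with no check that the source exists and no error propagation, so an upgrade medium without a `fleet/` directory produces one rsync error (or, with an unmatched glob, an attempt to copy the literal pattern) while `up_to_2.4.5` still advances `INSTALLEDVERSION`, leaving agents on the old release with nothing in the log explaining why. Those artifacts are served to every enrolled endpoint as its next agent binary, so the copy should fail loudly, and if the medium carries checksums or signatures for them this is the place to verify before copying — I see no such check here. Separately, the new `dnf -y install yum-utils createrepo` in `update_centos_repo` runs on an airgapped box before `createrepo` regenerates `/nsm/repo`, which only works if usable repo metadata already exists, so it seems worth confirming on a first airgap upgrade. `up_to_2.4.5` and `update_centos_repo` both begin outside the hunks shown.
```shell
update_elastic_agent_airgap() {
  # These files are served to endpoints as their next Elastic Agent binary,
  # so a missing or empty source must abort the step rather than pass silently.
  if [[ ! -d /tmp/soagupdate/fleet ]]; then
    echo "ERROR: /tmp/soagupdate/fleet not found on the upgrade media; Elastic Agent artifacts not updated."
    return 1
  fi
  rsync -av /tmp/soagupdate/fleet/ /nsm/elastic-fleet/artifacts/ || return 1
}
```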


@@ -3,12 +3,13 @@ NOROOT=1
. /usr/sbin/so-common . /usr/sbin/so-common
{%- set proxy = salt['pillar.get']('manager:proxy') %} {%- set proxy = salt['pillar.get']('manager:proxy') %}
{%- set noproxy = salt['pillar.get']('manager:no_proxy', '') %}
# Download the rules from the internet # Download the rules from the internet
{%- if proxy %} {%- if proxy %}
export http_proxy={{ proxy }} export http_proxy={{ proxy }}
export https_proxy={{ proxy }} export https_proxy={{ proxy }}
export no_proxy=salt['pillar.get']('manager:no_proxy') export no_proxy="{{ noproxy }}"
{%- endif %} {%- endif %}
repos="/opt/so/conf/strelka/repos.txt" repos="/opt/so/conf/strelka/repos.txt"


@@ -7,7 +7,7 @@
{% if sls in allowed_states %} {% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %} {% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
{% set global_ca_text = [] %} {% set global_ca_text = [] %}
{% set global_ca_server = [] %} {% set global_ca_server = [] %}
@@ -154,7 +154,7 @@ etc_elasticfleet_crt:
- signing_policy: elasticfleet - signing_policy: elasticfleet
- private_key: /etc/pki/elasticfleet-server.key - private_key: /etc/pki/elasticfleet-server.key
- CN: {{ GLOBALS.url_base }} - CN: {{ GLOBALS.url_base }}
- subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }} {% if CUSTOMFQDN != "" %},DNS:{{ CUSTOMFQDN }}{% endif %} - subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
@@ -211,7 +211,7 @@ etc_elasticfleet_logstash_crt:
- signing_policy: elasticfleet - signing_policy: elasticfleet
- private_key: /etc/pki/elasticfleet-logstash.key - private_key: /etc/pki/elasticfleet-logstash.key
- CN: {{ GLOBALS.url_base }} - CN: {{ GLOBALS.url_base }}
- subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }} {% if CUSTOMFQDN != "" %},DNS:{{ CUSTOMFQDN }}{% endif %} - subjectAltName: DNS:{{ GLOBALS.hostname }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
- days_remaining: 0 - days_remaining: 0
- days_valid: 820 - days_valid: 820
- backup: True - backup: True
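Review bot: Each `custom_fqdn` entry is spliced into `subjectAltName` via `join(',DNS:')` with no validation, so an entry that is not a bare hostname — `https://fleet.example.com`, `fleet.example.com:8220`, a trailing space, or a value containing a comma — yields a malformed SAN and fails the `etc_elasticfleet_crt` state, and since the auto-configure scripts later prefix the same list with `https://` and `:8220` the two consumers would disagree about the name anyway. The values come from the SOC configuration UI (the annotation only forces `[]string`), so validate once at the edge: either a regex constraint on the setting, or a Jinja guard here before the certificate states such as `{% for fqdn in ELASTICFLEETMERGED.config.server.custom_fqdn if not fqdn | regex_match('^[A-Za-z0-9.-]+$') %}{{ raise('custom_fqdn entries must be bare hostnames: ' ~ fqdn) }}{% endfor %}`. Both certificate states (`etc_elasticfleet_crt`, `etc_elasticfleet_logstash_crt`) begin above their hunks.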


@@ -1012,9 +1012,9 @@ whiptail_manager_unreachable() {
local msg local msg
read -r -d '' msg <<- EOM read -r -d '' msg <<- EOM
Setup is unable to access the manager at this time. Setup is unable to access the manager. This most likely means that you need to allow this machine to connect through the manager's firewall.
Run the following on the manager: You can either go to SOC --> Administration --> Configuration and choose the correct firewall option from the list OR you can run the following command on the manager:
sudo so-firewall-minion --role=$install_type --ip=$MAINIP sudo so-firewall-minion --role=$install_type --ip=$MAINIP