Merge branch 'dev' of github.com:Security-Onion-Solutions/securityonion-saltstack into dev

2025-12-06 09:12:45 +01:00 · 2020-06-23 17:57:19 -04:00
parent 0a0fe5914a c3651f1b45
commit 4404a4f312
8 changed files with 60 additions and 19 deletions
--- a/files/firewall/hostgroups.local.yaml
+++ b/files/firewall/hostgroups.local.yaml
@@ -44,6 +44,10 @@ firewall:
      ips:
        delete:
        insert:
+    strelka_frontend:
+      ips:
+        delete:
+        insert:
    syslog:
      ips:
        delete:
@@ -59,4 +63,4 @@ firewall:
    wazuh_authd:
      ips:
        delete:
-        insert:
+        insert:
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -38,6 +38,11 @@ do
            FULLROLE="beats_endpoint"
            SKIP=1
            ;;
+	f)
+	    FULLROLE="strelka_frontend"
+            SKIP=1
+            ;;
+
        i)  IP=$OPTARG
            ;;
        o)
@@ -72,6 +77,7 @@ if [ "$SKIP" -eq 0 ]; then
    echo ""
    echo "[a] - Analyst - ports 80/tcp and 443/tcp"
    echo "[b] - Logstash Beat - port 5044/tcp"
+    echo "[f] - Strelka frontend - port 57314/tcp"
    echo "[o] - Osquery endpoint - port 8090/tcp"
    echo "[s] - Syslog device - 514/tcp/udp"
    echo "[w] - Wazuh agent - port 1514/tcp/udp"
@@ -86,6 +92,8 @@ if [ "$SKIP" -eq 0 ]; then
        FULLROLE=analyst
    elif [ "$ROLE" == "b" ]; then
        FULLROLE=beats_endpoint
+    elif [ "$ROLE" == "f" ]; then
+        FULLROLE=strelka_frontend
    elif [ "$ROLE" == "o" ]; then
        FULLROLE=osquery_endpoint
    elif [ "$ROLE" == "w" ]; then
--- a/salt/elasticsearch/files/ingest/zeek.files
+++ b/salt/elasticsearch/files/ingest/zeek.files
@@ -30,6 +30,7 @@
    { "rename": 	{ "field": "message2.extracted",	"target_field": "file.extracted.filename",		"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.extracted_cutoff",	"target_field": "file.extracted.cutoff",	"ignore_missing": true 	} },
    { "rename": 	{ "field": "message2.extracted_size",	"target_field": "file.extracted.size",	"ignore_missing": true 	} },
+    { "set":            { "field": "dataset",                   "value": "file"                                                 } },
    { "pipeline":       { "name": "zeek.common"                                                                                   } }
  ]
 }
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -52,6 +52,9 @@ role:
          osquery_endpoint:
            portgroups:
              - {{ portgroups.fleet_api }}
+          strelka_frontend:
+            portgroups:
+              - {{ portgroups.strelka_frontend }}
          syslog:
            portgroups:
              - {{ portgroups.syslog }}
@@ -466,4 +469,4 @@ role:
              - {{ portgroups.all }}
          localhost:
            portgroups:
-              - {{ portgroups.all }}
+              - {{ portgroups.all }}
--- a/salt/firewall/portgroups.yaml
+++ b/salt/firewall/portgroups.yaml
@@ -74,6 +74,9 @@ firewall:
      ssh:
        tcp:
          - 22
+      strelka_frontend:
+        tcp:
+          - 57314
      syslog:
        tcp:
          - 514
@@ -89,4 +92,4 @@ firewall:
          - 55000
      wazuh_authd:
        tcp:
-          - 1515
+          - 1515
--- a/salt/pcap/files/sensoroni.json
+++ b/salt/pcap/files/sensoroni.json
@@ -12,6 +12,7 @@
        "apiKey": "{{ SENSORONIKEY }}"
      },
      "stenoquery": {
+        "executablePath": "/opt/sensoroni/scripts/stenoquery.sh",
        "pcapInputPath": "/nsm/pcap",
        "pcapOutputPath": "/nsm/pcapout"
      }
--- a/salt/pcap/init.sls
+++ b/salt/pcap/init.sls
@@ -20,13 +20,11 @@

 # PCAP Section

-# Create the logstash group
 stenographergroup:
  group.present:
    - name: stenographer
    - gid: 941

-# Add the logstash user for the jog4j settings
 stenographer:
  user.present:
    - uid: 941
@@ -40,6 +38,13 @@ stenoconfdir:
    - group: 939
    - makedirs: True

+sensoroniconfdir:
+  file.directory:
+    - name: /opt/so/conf/sensoroni
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 {% if BPF_STENO %}
   {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_STENO|join(" "),cwd='/root') %}
   {% if BPF_CALC['stderr'] == "" %}
@@ -58,8 +63,8 @@ stenoconf:
  file.managed:
    - name: /opt/so/conf/steno/config
    - source: salt://pcap/files/config
-    - user: root
-    - group: root
+    - user: stenographer
+    - group: stenographer
    - mode: 644
    - template: jinja
    - defaults:
@@ -67,10 +72,10 @@ stenoconf:

 sensoroniagentconf:
  file.managed:
-    - name: /opt/so/conf/steno/sensoroni.json
+    - name: /opt/so/conf/sensoroni/sensoroni.json
    - source: salt://pcap/files/sensoroni.json
-    - user: stenographer
-    - group: stenographer
+    - user: 939
+    - group: 939
    - mode: 600
    - template: jinja

@@ -78,7 +83,7 @@ stenoca:
  file.directory:
    - name: /opt/so/conf/steno/certs
    - user: 941
-    - group: 941
+    - group: 939

 pcapdir:
  file.directory:
@@ -97,8 +102,8 @@ pcaptmpdir:
 pcapoutdir:
  file.directory:
    - name: /nsm/pcapout
-    - user: 941
-    - group: 941
+    - user: 939
+    - group: 939
    - makedirs: True

 pcapindexdir:
@@ -115,6 +120,13 @@ stenolog:
    - group: 941
    - makedirs: True

+sensoronilog:
+  file.directory:
+    - name: /opt/so/log/sensoroni
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 so-steno:
  docker_container.running:
    - image: {{ MASTER }}:5000/soshybridhunter/so-steno:{{ VERSION }}
@@ -128,10 +140,19 @@ so-steno:
      - /nsm/pcap:/nsm/pcap:rw
      - /nsm/pcapindex:/nsm/pcapindex:rw
      - /nsm/pcaptmp:/tmp:rw
-      - /nsm/pcapout:/nsm/pcapout:rw
      - /opt/so/log/stenographer:/var/log/stenographer:rw
-      - /opt/so/conf/steno/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
-      - /opt/so/log/stenographer:/opt/sensoroni/logs:rw
    - watch:
      - file: /opt/so/conf/steno/config
-      - file: /opt/so/conf/steno/sensoroni.json
+
+so-sensoroni:
+  docker_container.running:
+    - image: {{ MASTER }}:5000/soshybridhunter/so-soc:{{ VERSION }}
+    - network_mode: host
+    - binds:
+      - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
+      - /nsm/pcap:/nsm/pcap:rw
+      - /nsm/pcapout:/nsm/pcapout:rw
+      - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
+      - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
+    - watch:
+      - file: /opt/so/conf/sensoroni/sensoroni.json
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -107,8 +107,8 @@
          { "name": "DNS", "description": "DNS queries grouped by response code", "query": "event.dataset:dns | groupby dns.response.code_name destination.port"},
          { "name": "DNS", "description": "DNS highest registered domain", "query": "event.dataset:dns | groupby dns.highest_registered_domain.keyword destination.port"},
          { "name": "DNS", "description": "DNS grouped by parent domain", "query": "event.dataset:dns | groupby dns.parent_domain.keyword destination.port"},
-          { "name": "Files", "description": "Files grouped by mimetype", "query": "event.dataset:files | groupby file.mime_type source.ip"},
-          { "name": "Files", "description": "Files grouped by source", "query": "event.dataset:files | groupby file.source source.ip"},
+          { "name": "Files", "description": "Files grouped by mimetype", "query": "event.dataset:file | groupby file.mime_type source.ip"},
+          { "name": "Files", "description": "Files grouped by source", "query": "event.dataset:file | groupby file.source source.ip"},
          { "name": "FTP", "description": "FTP grouped by argument", "query": "event.dataset:ftp | groupby ftp.argument"},
          { "name": "FTP", "description": "FTP grouped by command", "query": "event.dataset:ftp | groupby ftp.command"},
          { "name": "FTP", "description": "FTP grouped by username", "query": "event.dataset:ftp | groupby ftp.user"},