CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #8722 from Security-Onion-Solutions/funstuff

Browse Source 
Add More Logging
This commit is contained in:
Mike Reeves
2022-09-12 16:50:28 -04:00
committed by GitHub
parent 94f47a847d a01fadd067
commit 440861998c
7 changed files with 278 additions and 558 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
pillar/top.sls
View File

@@ -45,7 +45,6 @@ base:
- minions.adv_{{ grains.id }} - minions.adv_{{ grains.id }}
'*_sensor': '*_sensor':
- zeek.zeeklogs
- healthcheck.sensor - healthcheck.sensor
- soc_global - soc_global
- adv_global - adv_global
@@ -53,7 +52,6 @@ base:
- minions.adv_{{ grains.id }} - minions.adv_{{ grains.id }}
'*_eval': '*_eval':
- zeel.zeeklogs
- secrets - secrets
- healthcheck.eval - healthcheck.eval
- elasticsearch.index_templates - elasticsearch.index_templates
@@ -82,7 +80,6 @@ base:
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %} {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/kibana/secrets.sls') %}
- kibana.secrets - kibana.secrets
{% endif %} {% endif %}
- zeek.zeeklogs
- secrets - secrets
- healthcheck.standalone - healthcheck.standalone
- soc_global - soc_global
@@ -94,7 +91,6 @@ base:
- minions.adv_{{ grains.id }} - minions.adv_{{ grains.id }}
'*_heavynode': '*_heavynode':
- zeek.zeeklogs
- elasticsearch.auth - elasticsearch.auth
- soc_global - soc_global
- minions.{{ grains.id }} - minions.{{ grains.id }}
@@ -131,7 +127,6 @@ base:
- minions.adv_{{ grains.id }} - minions.adv_{{ grains.id }}
'*_import': '*_import':
- zeek.zeeklogs
- secrets - secrets
- elasticsearch.index_templates - elasticsearch.index_templates
{% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %}

36
salt/filebeat/defaults.yaml Normal file
View File

@@ -0,0 +1,36 @@
filebeat:
config:
zeek_logs_enabled:
- conn
- dce_rpc
- dhcp
- dnp3
- dns
- dpd
- files
- ftp
- http
- intel
- irc
- kerberos
- modbus
- notice
- ntlm
- pe
- radius
- rfb
- rdp
- sip
- smb_files
- smb_mapping
- smtp
- snmp
- ssh
- ssl
- tunnel
- weird
- mysql
- socks
- x509

33
salt/zeek/defaults.yaml
View File

@@ -1,37 +1,4 @@
zeek: zeek:
logging:
enabled:
- conn
- dce_rpc
- dhcp
- dnp3
- dns
- dpd
- files
- ftp
- http
- intel
- irc
- kerberos
- modbus
- notice
- ntlm
- pe
- radius
- rfb
- rdp
- sip
- smb_files
- smb_mapping
- smtp
- snmp
- ssh
- ssl
- tunnel
- weird
- mysql
- socks
- x509
config: config:
node: node:
lb_procs: 1 lb_procs: 1

2
salt/zeek/soc_zeek.yaml
View File

@@ -10,7 +10,7 @@ zeek:
zeek_pins_enabled: zeek_pins_enabled:
description: description:
node: True node: True
zeeek_pins: zeek_pins:
description: List of CPUs you want to description: List of CPUs you want to
node: True node: True
zeekctl: zeekctl:

619
setup/so-functions
View File

File diff suppressed because it is too large Load Diff

137
setup/so-setup
View File

@@ -76,6 +76,7 @@ if [ "$setup_type" = 'analyst' ]; then
fi fi
# Make sure if ISO is specified that we are dealing with CentOS or Rocky # Make sure if ISO is specified that we are dealing with CentOS or Rocky
title "Detecting if this is an ISO install"
if [[ "$setup_type" == 'iso' ]]; then if [[ "$setup_type" == 'iso' ]]; then
if [[ $is_centos || $is_rocky ]]; then if [[ $is_centos || $is_rocky ]]; then
is_iso=true is_iso=true
@@ -87,10 +88,11 @@ fi
# Check to see if this is an analyst install. If it is let's run things differently # Check to see if this is an analyst install. If it is let's run things differently
if [[ $is_analyst ]]; then if [[ $is_analyst ]]; then
title "This is an analyst workstation install"
# Make sure it's CentOS or Rocky Linux # Make sure it's CentOS or Rocky Linux
if [[ ! $is_centos ]]; then if [[ ! $is_centos ]]; then
echo "Analyst Workstation is only supported on CentOS 7 or Rocky Linux 8" info "Analyst Workstation is only supported on CentOS 7 or Rocky Linux 8"
exit 1 exit 1
fi fi
@@ -100,7 +102,7 @@ if [[ $is_analyst ]]; then
# Remove setup from auto launching # Remove setup from auto launching
parse_install_username parse_install_username
sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1 sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1
echo "Enabling graphical interface and setting it to load at boot" info "Enabling graphical interface and setting it to load at boot"
systemctl set-default graphical.target systemctl set-default graphical.target
startx startx
exit 0 exit 0
@@ -110,11 +112,11 @@ if [[ $is_analyst ]]; then
fi fi
else else
if whiptail_analyst_nongrid_network; then if whiptail_analyst_nongrid_network; then
echo "" info ""
echo "" info ""
echo "Kicking off the automated setup of the analyst workstation. This can take a while depending on your network connection." info "Kicking off the automated setup of the analyst workstation. This can take a while depending on your network connection."
echo "" info ""
echo "" info ""
analyst_salt_local analyst_salt_local
else else
# Abort! # Abort!
@@ -132,15 +134,16 @@ if ! [ -f $install_opt_file ] && [ -d /root/manager_setup/securityonion ] && [[
exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}"
fi fi
title "Checking to see if install has run before"
if [[ -f /root/accept_changes ]]; then if [[ -f /root/accept_changes ]]; then
is_reinstall=true is_reinstall=true
# Move last setup log to backup info "Old setup detected. Moving the last setup.log to setup.log.bak"
mv "$setup_log" "$setup_log.bak" mv "$setup_log" "$setup_log.bak"
[ -f "$error_log" ] && mv "$error_log" "$error_log.bak" [ -f "$error_log" ] && mv "$error_log" "$error_log.bak"
fi fi
# Figure out the user id that is running the install title "Parsing Username for Install"
parse_install_username parse_install_username
if ! [ -f $install_opt_file ]; then if ! [ -f $install_opt_file ]; then
@@ -176,7 +179,7 @@ progress() {
# If using automation let's do automation things. # If using automation let's do automation things.
if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then
echo "Preselecting variable values based on automated setup: $automation" >> $setup_log 2>&1 info "Preselecting variable values based on automated setup: $automation"
source automation/$automation source automation/$automation
automated=yes automated=yes
@@ -184,35 +187,27 @@ if [[ -f automation/$automation && $(basename $automation) == $automation ]]; th
attempts=60 attempts=60
ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1 ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1
while [ $? -ne 0 ]; do while [ $? -ne 0 ]; do
ip a >> $setup_log 2>&1 logCmd "ip a"
if [ $attempt -gt $attempts ]; then if [ $attempt -gt $attempts ]; then
echo "Network unavailable - setup cannot continue" >> $setup_log 2>&1 error "Network unavailable - setup cannot continue"
exit 1 exit 1
fi fi
echo "Waiting for network to come up (attempt $attempt of $attempts)" >> $setup_log 2>&1 info "Waiting for network to come up (attempt $attempt of $attempts)"
attempt=$((attempt + 1)) attempt=$((attempt + 1))
info "Sleeping 10s to try again"
sleep 10; sleep 10;
ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1 logCmd "ip a | grep '$MNIC:' | grep 'state UP'"
done done
echo "Network is up on $MNIC" >> $setup_log 2>&1 info "Network is up on $MNIC"
if [[ ! $is_iso ]]; then
echo "Installing sshpass for automated testing." >> $setup_log 2>&1
if [ "$OS" == ubuntu ]; then
retry 50 10 "apt-get -y install sshpass" >> $setup_log 2>&1 || exit 1
else
yum -y install sshpass >> $setup_log 2>&1
fi
fi
fi fi
# Make sure the setup type is suppoted. # Make sure the setup type is suppoted.
case "$setup_type" in case "$setup_type" in
iso | network | analyst) # Accepted values iso | network | analyst) # Accepted values
echo "Beginning Security Onion $setup_type install" >> $setup_log 2>&1 info "Beginning Security Onion $setup_type install"
;; ;;
*) *)
echo "Invalid install type, must be 'iso', 'network' or 'analyst'." | tee -a $setup_log error "Invalid install type, must be 'iso', 'network' or 'analyst'."
exit 1 exit 1
;; ;;
esac esac
@@ -232,15 +227,15 @@ dmesg -D
# https://github.com/Security-Onion-Solutions/securityonion/issues/1084 # https://github.com/Security-Onion-Solutions/securityonion/issues/1084
if [ "$automated" == no ]; then if [ "$automated" == no ]; then
TTY=$(tty) TTY=$(tty)
echo "Setup is running on TTY $TTY" >> $setup_log 2>&1 info "Setup is running on TTY $TTY"
if echo $TTY | grep -q "/dev/tty"; then if echo $TTY | grep -q "/dev/tty"; then
CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank) CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank)
echo "Kernel consoleblank value before: $CONSOLEBLANK" >> $setup_log 2>&1 info "Kernel consoleblank value before: $CONSOLEBLANK"
if [ $CONSOLEBLANK -gt 0 ]; then if [ $CONSOLEBLANK -gt 0 ]; then
echo "Running 'setterm -blank 0' for TTY $TTY" >> $setup_log 2>&1 info "Running 'setterm -blank 0' for TTY $TTY"
TERM=linux setterm -blank 0 >$TTY <$TTY TERM=linux setterm -blank 0 >$TTY <$TTY
CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank) CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank)
echo "Kernel consoleblank value after: $CONSOLEBLANK" >> $setup_log 2>&1 info "Kernel consoleblank value after: $CONSOLEBLANK"
fi fi
fi fi
fi fi
@@ -250,7 +245,7 @@ if ! [[ -f $install_opt_file ]]; then
if (whiptail_you_sure); then if (whiptail_you_sure); then
true true
else else
echo "User cancelled setup." | tee -a "$setup_log" error "User cancelled setup."
whiptail_cancel whiptail_cancel
fi fi
# If this is an analyst install lets streamline the process. # If this is an analyst install lets streamline the process.
@@ -328,7 +323,7 @@ if ! [[ -f $install_opt_file ]]; then
detect_cloud detect_cloud
set_minion_info set_minion_info
set_default_log_size >> $setup_log 2>&1 set_default_log_size >> $setup_log 2>&1
echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 info "Verifying all network devices are managed by Network Manager that should be"
check_network_manager_conf check_network_manager_conf
set_network_dev_status_list set_network_dev_status_list
whiptail_sensor_nics whiptail_sensor_nics
@@ -349,7 +344,7 @@ if ! [[ -f $install_opt_file ]]; then
detect_cloud detect_cloud
set_minion_info set_minion_info
set_default_log_size >> $setup_log 2>&1 set_default_log_size >> $setup_log 2>&1
echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 info "Verifying all network devices are managed by Network Manager that should be"
check_network_manager_conf check_network_manager_conf
set_network_dev_status_list set_network_dev_status_list
whiptail_sensor_nics whiptail_sensor_nics
@@ -367,7 +362,7 @@ if ! [[ -f $install_opt_file ]]; then
whiptail_airgap whiptail_airgap
detect_cloud detect_cloud
set_default_log_size >> $setup_log 2>&1 set_default_log_size >> $setup_log 2>&1
echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 info "Verifying all network devices are managed by Network Manager that should be"
check_network_manager_conf check_network_manager_conf
set_network_dev_status_list set_network_dev_status_list
calculate_useable_cores calculate_useable_cores
@@ -384,7 +379,7 @@ if ! [[ -f $install_opt_file ]]; then
whiptail_airgap whiptail_airgap
detect_cloud detect_cloud
set_default_log_size >> $setup_log 2>&1 set_default_log_size >> $setup_log 2>&1
echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 info "Verifying all network devices are managed by Network Manager that should be"
check_network_manager_conf check_network_manager_conf
set_network_dev_status_list set_network_dev_status_list
calculate_useable_cores calculate_useable_cores
@@ -466,15 +461,15 @@ if ! [[ -f $install_opt_file ]]; then
configure_network_sensor configure_network_sensor
fi fi
# Configure NTP # Configure NTP
echo "Configuring NTP" info "Configuring NTP"
[[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1
# Reserve the ports that SO needs # Reserve the ports that SO needs
echo "Reserving ports" info "Reserving ports"
reserve_ports reserve_ports
echo "Setting Paths" info "Setting Paths"
# Set the paths # Set the paths
set_path set_path
echo "Checking if this is a re-install" info "Checking if this is a re-install"
# Check to see if its a reinstall. THIS NEEDS REVIEW # Check to see if its a reinstall. THIS NEEDS REVIEW
if [[ $is_reinstall ]]; then if [[ $is_reinstall ]]; then
reinstall_init reinstall_init
@@ -482,19 +477,19 @@ if ! [[ -f $install_opt_file ]]; then
echo "Disable auto start of setup" echo "Disable auto start of setup"
# Disable the setup from prompting at login # Disable the setup from prompting at login
disable_auto_start disable_auto_start
echo "Setting the version" info "Setting the version"
# Set the version # Set the version
mark_version mark_version
echo "Clearing the old manager" info "Clearing the old manager"
# Remove old manager if re-install # Remove old manager if re-install
clear_manager clear_manager
echo "Generating Secrets" info "Generating Secrets"
# Generate passwords # Generate passwords
generate_passwords generate_passwords
echo "Populating the secrets pillar" info "Populating the secrets pillar"
# Create the secrets pillar # Create the secrets pillar
secrets_pillar secrets_pillar
echo "Add socore user" info "Add socore user"
# Add the socore user # Add the socore user
add_socore_user_manager add_socore_user_manager
@@ -502,7 +497,7 @@ if ! [[ -f $install_opt_file ]]; then
setup_salt_master_dirs setup_salt_master_dirs
create_manager_pillars create_manager_pillars
echo "Generating the minion pillar" info "Generating the minion pillar"
# Create the minion defaults # Create the minion defaults
export NODETYPE=$install_type export NODETYPE=$install_type
@@ -516,7 +511,7 @@ if ! [[ -f $install_opt_file ]]; then
export PATCHSCHEDULENAME=$PATCHSCHEDULENAME export PATCHSCHEDULENAME=$PATCHSCHEDULENAME
export INTERFACE="bond0" export INTERFACE="bond0"
so-minion -o=setup so-minion -o=setup
echo "Creating Global SLS" title "Creating Global SLS"
if [[ $is_airgap ]]; then if [[ $is_airgap ]]; then
# Airgap Rules # Airgap Rules
@@ -525,7 +520,6 @@ if ! [[ -f $install_opt_file ]]; then
manager_pillar manager_pillar
zeek_logs_enabled
# Set up the repo to point to local file https://access.redhat.com/solutions/1355683 # Set up the repo to point to local file https://access.redhat.com/solutions/1355683
# reposync down the files is network and createrepo if CentOS # reposync down the files is network and createrepo if CentOS
# Import the GPG keys # Import the GPG keys
@@ -540,38 +534,40 @@ if ! [[ -f $install_opt_file ]]; then
copy_salt_master_config copy_salt_master_config
configure_minion "$minion_type" configure_minion "$minion_type"
salt-key -yd "$MINION_ID" #delete the minion key if it already exists logCmd "salt-key -yd $MINION_ID"
salt-call state.show_top >> /dev/null 2>&1 #talk to the salt-master so the minion key is created on the salt-master logCmd "salt-call state.show_top"
salt-key -ya "$MINION_ID" #accept the key logCmd "salt-key -ya $MINION_ID"
salt-call state.apply salt.helper-packages logCmd "salt-call state.apply salt.helper-packages"
salt-call state.apply common.packages logCmd "salt-call state.apply common.packages"
salt-call state.apply common logCmd "salt-call state.apply common"
salt-call state.apply docker logCmd "salt-call state.apply docker"
# Set the initial firewall policy firewall_generate_templates
firewall_generate_templates;
set_initial_firewall_policy set_initial_firewall_policy
generate_ca generate_ca
generate_ssl generate_ssl
# create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf # create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf
mkdir -p /opt/so/conf/so-status/ logCmd "mkdir -p /opt/so/conf/so-status/ "
touch /opt/so/conf/so-status/so-status.conf logCmd "touch /opt/so/conf/so-status/so-status.conf"
echo "Importing Registry Docker" title "Importing Registry Docker"
import_registry_docker import_registry_docker
echo "Applying the registry state" title "Applying the registry state"
salt-call state.apply -l info registry logCmd "salt-call state.apply -l info registry"
echo "Seeding the docker registry" title "Seeding the docker registry"
docker_seed_registry docker_seed_registry
echo "Applying the manager state" title "Applying the manager state"
salt-call state.apply -l info manager logCmd "salt-call state.apply -l info manager"
salt-call state.apply -l info firewall logCmd "salt-call state.apply -l info firewall"
salt-call state.highstate -l info logCmd "salt-call state.highstate -l info"
add_web_user add_web_user
so-elastic-fleet-setup info "Restarting SOC to pick up initial user"
echo "Setting up Playbook" logCmd "so-soc-restart"
so-playbook-reset logCmd "so-elastic-fleet-setup"
title "Setting up Playbook"
logCmd "so-playbook-reset"
checkin_at_boot
whiptail_setup_complete whiptail_setup_complete
else else
es_heapsize es_heapsize
@@ -583,7 +579,7 @@ if ! [[ -f $install_opt_file ]]; then
reserve_ports reserve_ports
# Set the version # Set the version
mark_version mark_version
echo "Clearing the old manager" info "Clearing the old manager"
# Remove old manager if re-install # Remove old manager if re-install
clear_manager clear_manager
gpg_rpm_import gpg_rpm_import
@@ -592,6 +588,7 @@ if ! [[ -f $install_opt_file ]]; then
saltify saltify
configure_minion "$minion_type" configure_minion "$minion_type"
drop_install_options drop_install_options
checkin_at_boot
whiptail_setup_complete whiptail_setup_complete
fi fi

4
setup/so-whiptail
View File

@@ -1224,7 +1224,7 @@ whiptail_setup_complete() {
if [[ -n $ALLOW_CIDR ]]; then if [[ -n $ALLOW_CIDR ]]; then
local sentence_prefix="Access" local sentence_prefix="Access"
else else
local sentence_prefix="Run so-allow after reboot to access" local sentence_prefix="Run so-allow to access"
fi fi
local accessMessage="\n${sentence_prefix} the web interface at: https://${REDIRECTIT}\n" local accessMessage="\n${sentence_prefix} the web interface at: https://${REDIRECTIT}\n"
elif [[ $is_idh ]]; then elif [[ $is_idh ]]; then
@@ -1237,7 +1237,7 @@ whiptail_setup_complete() {
read -r -d '' message <<- EOM read -r -d '' message <<- EOM
Finished ${install_type} installation. Finished ${install_type} installation.
$accessMessage $accessMessage
Press ENTER to reboot. Press ENTER to exit setup.
EOM EOM
whiptail --title "$whiptail_title" --msgbox "$message" 12 75 whiptail --title "$whiptail_title" --msgbox "$message" 12 75