CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #14966 from Security-Onion-Solutions/vlb2

Browse Source 
managerhype
This commit is contained in:
Josh Patterson
2025-08-26 15:07:36 -04:00
committed by GitHub
parent 97100cdfdd a8a01b8191
commit 45f25ca62d
23 changed files with 181833 additions and 161882 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
salt/elasticfleet/artifact_registry.sls
View File

@@ -9,3 +9,6 @@ fleetartifactdir:
- user: 947 - user: 947
- group: 939 - group: 939
- makedirs: True - makedirs: True
- recurse:
- user
- group

3
salt/elasticfleet/config.sls
View File

@@ -9,6 +9,9 @@
{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %} {% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
{% set node_data = salt['pillar.get']('node_data') %} {% set node_data = salt['pillar.get']('node_data') %}
include:
- elasticfleet.artifact_registry
# Add EA Group # Add EA Group
elasticfleetgroup: elasticfleetgroup:
group.present: group.present:

2
salt/elasticfleet/enabled.sls
View File

@@ -67,6 +67,8 @@ so-elastic-fleet-auto-configure-artifact-urls:
elasticagent_syncartifacts: elasticagent_syncartifacts:
file.recurse: file.recurse:
- name: /nsm/elastic-fleet/artifacts/beats - name: /nsm/elastic-fleet/artifacts/beats
- user: 947
- group: 947
- source: salt://beats - source: salt://beats
{% endif %} {% endif %}

11
salt/libvirt/bridge.sls
View File

@@ -3,8 +3,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{% from 'libvirt/map.jinja' import LIBVIRTMERGED %} # We do not import GLOBALS in this state because it is called during setup
{% from 'salt/map.jinja' import SYSTEMD_UNIT_FILE %}
down_original_mgmt_interface: down_original_mgmt_interface:
cmd.run: cmd.run:
@@ -30,6 +29,8 @@ wait_for_br0_ip:
- onchanges: - onchanges:
- cmd: down_original_mgmt_interface - cmd: down_original_mgmt_interface
{% if grains.role == 'so-hypervisor' %}
update_mine_functions: update_mine_functions:
file.managed: file.managed:
- name: /etc/salt/minion.d/mine_functions.conf - name: /etc/salt/minion.d/mine_functions.conf
@@ -38,6 +39,10 @@ update_mine_functions:
mine_functions: mine_functions:
network.ip_addrs: network.ip_addrs:
- interface: br0 - interface: br0
{%- if role in ['so-eval','so-import','so-manager','so-managerhype','so-managersearch','so-standalone'] %}
x509.get_pem_entries:
- glob_path: '/etc/pki/ca.crt'
{% endif %}
- onchanges: - onchanges:
- cmd: wait_for_br0_ip - cmd: wait_for_br0_ip
@@ -47,3 +52,5 @@ restart_salt_minion_service:
- enable: True - enable: True
- listen: - listen:
- file: update_mine_functions - file: update_mine_functions
{% endif %}

13
salt/manager/tools/sbin/soup
View File

@@ -419,6 +419,7 @@ preupgrade_changes() {
[[ "$INSTALLEDVERSION" == 2.4.141 ]] && up_to_2.4.150 [[ "$INSTALLEDVERSION" == 2.4.141 ]] && up_to_2.4.150
[[ "$INSTALLEDVERSION" == 2.4.150 ]] && up_to_2.4.160 [[ "$INSTALLEDVERSION" == 2.4.150 ]] && up_to_2.4.160
[[ "$INSTALLEDVERSION" == 2.4.160 ]] && up_to_2.4.170 [[ "$INSTALLEDVERSION" == 2.4.160 ]] && up_to_2.4.170
[[ "$INSTALLEDVERSION" == 2.4.170 ]] && up_to_2.4.180
true true
} }
@@ -448,6 +449,7 @@ postupgrade_changes() {
[[ "$POSTVERSION" == 2.4.141 ]] && post_to_2.4.150 [[ "$POSTVERSION" == 2.4.141 ]] && post_to_2.4.150
[[ "$POSTVERSION" == 2.4.150 ]] && post_to_2.4.160 [[ "$POSTVERSION" == 2.4.150 ]] && post_to_2.4.160
[[ "$POSTVERSION" == 2.4.160 ]] && post_to_2.4.170 [[ "$POSTVERSION" == 2.4.160 ]] && post_to_2.4.170
[[ "$POSTVERSION" == 2.4.170 ]] && post_to_2.4.180
true true
} }
@@ -599,6 +601,11 @@ post_to_2.4.170() {
POSTVERSION=2.4.170 POSTVERSION=2.4.170
} }
post_to_2.4.180() {
echo "Nothing to apply"
POSTVERSION=2.4.180
}
repo_sync() { repo_sync() {
echo "Sync the local repo." echo "Sync the local repo."
su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync." su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync."
@@ -856,6 +863,12 @@ up_to_2.4.170() {
INSTALLEDVERSION=2.4.170 INSTALLEDVERSION=2.4.170
} }
up_to_2.4.180() {
echo "Nothing to do for 2.4.180"
INSTALLEDVERSION=2.4.180
}
add_hydra_pillars() { add_hydra_pillars() {
mkdir -p /opt/so/saltstack/local/pillar/hydra mkdir -p /opt/so/saltstack/local/pillar/hydra
touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls

4
salt/ntp/chrony.conf
View File

@@ -1,7 +1,7 @@
# NTP server list # NTP server list
{%- for SERVER in NTPCONFIG.servers %} {%- for SERVER in NTPCONFIG.servers %}
server {{ SERVER }} iburst server {{ SERVER }} iburst maxpoll 10
{%- endfor %} {%- endfor %}
# Config options # Config options
@@ -9,3 +9,5 @@ driftfile /var/lib/chrony/drift
makestep 1.0 3 makestep 1.0 3
rtcsync rtcsync
logdir /var/log/chrony logdir /var/log/chrony
port 0
cmdport 0

12
salt/pcap/init.sls
View File

@@ -18,11 +18,19 @@ include:
# This directory needs to exist regardless of whether STENO is enabled or not, in order for # This directory needs to exist regardless of whether STENO is enabled or not, in order for
# Sensoroni to be able to look at old steno PCAP data # Sensoroni to be able to look at old steno PCAP data
# if stenographer has never run as the pcap engine no 941 user is created, so we use socore as a placeholder.
# /nsm/pcap is empty until stenographer is used as pcap engine
{% set pcap_id = 941 %}
{% set user_list = salt['user.list_users']() %}
{% if GLOBALS.pcap_engine == "SURICATA" and 'stenographer' not in user_list %}
{% set pcap_id = 939 %}
{% endif %}
pcapdir: pcapdir:
file.directory: file.directory:
- name: /nsm/pcap - name: /nsm/pcap
- user: 941 - user: {{ pcap_id }}
- group: 941 - group: {{ pcap_id }}
- makedirs: True - makedirs: True
pcapoutdir: pcapoutdir:

2
salt/salt/minion.sls
View File

@@ -95,7 +95,7 @@ enable_startup_states:
- unless: pgrep so-setup - unless: pgrep so-setup
# prior to 2.4.30 this managed file would restart the salt-minion service when updated # prior to 2.4.30 this managed file would restart the salt-minion service when updated
# since this file is currently only adding a sleep timer on service start # since this file is currently only adding a delay service start
# it is not required to restart the service # it is not required to restart the service
salt_minion_service_unit_file: salt_minion_service_unit_file:
file.managed: file.managed:

16
salt/sensoroni/config.sls
View File

@@ -43,6 +43,22 @@ analyzerscripts:
- source: salt://sensoroni/files/analyzers - source: salt://sensoroni/files/analyzers
- show_changes: False - show_changes: False
templatesdir:
file.directory:
- name: /opt/so/conf/sensoroni/templates
- user: 939
- group: 939
- makedirs: True
sensoronitemplates:
file.recurse:
- name: /opt/so/conf/sensoroni/templates
- source: salt://sensoroni/files/templates
- user: 939
- group: 939
- file_mode: 664
- show_changes: False
sensoroni_sbin: sensoroni_sbin:
file.recurse: file.recurse:
- name: /usr/sbin - name: /usr/sbin

1
salt/sensoroni/enabled.sls
View File

@@ -22,6 +22,7 @@ so-sensoroni:
- /nsm/pcapout:/nsm/pcapout:rw - /nsm/pcapout:/nsm/pcapout:rw
- /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
- /opt/so/conf/sensoroni/analyzers:/opt/sensoroni/analyzers:rw - /opt/so/conf/sensoroni/analyzers:/opt/sensoroni/analyzers:rw
- /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro
- /opt/so/log/sensoroni:/opt/sensoroni/logs:rw - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
- /nsm/suripcap/:/nsm/suripcap:rw - /nsm/suripcap/:/nsm/suripcap:rw
{% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %} {% if DOCKER.containers['so-sensoroni'].custom_bind_mounts %}

1
salt/sensoroni/files/sensoroni.json
View File

@@ -21,6 +21,7 @@
}, },
{%- endif %} {%- endif %}
"importer": {}, "importer": {},
"export": {},
"statickeyauth": { "statickeyauth": {
"apiKey": "{{ GLOBALS.sensoroni_key }}" "apiKey": "{{ GLOBALS.sensoroni_key }}"
{% if GLOBALS.is_sensor %} {% if GLOBALS.is_sensor %}

39
salt/sensoroni/files/templates/reports/custom/generic_report1.md Normal file
View File

@@ -0,0 +1,39 @@
{{- /* query.myDocEvents.Oql = metadata.type: _doc | groupby event.module, event.dataset | sortby @timestamp desc */ -}}
{{- /* query.myDocEvents.MetricLimit = 10 */ -}}
{{- /* query.myDocEvents.EventLimit = 100 */ -}}
Security Onion Custom Report
============================
{{ if .Error }}
**NOTE: This report encountered a problem extracting the relevant data and may not be complete.**
**Error:** {{.Error}}
{{ end }}
Records must have been created or updated during the following time frame in order to be reflected in this report.
**Report Start Date:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .BeginDate}}
**Report End Date:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .EndDate}}
## Sample Doc Events
**Total Events:** {{ formatNumber "%d" "en" .Results.myDocEvents.TotalEvents}}
### Event Counts By Module and Dataset
| Count | Proportion | Module | Dataset |
| ----- | ---------- | ------ | ------- |
{{ range sortMetrics "Value" "desc" .Results.myDocEvents.Metrics.groupby_0_event_module_event_dataset -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} | {{index .Keys 1}} |
{{end}}
### Individual Events (Limited to first {{.Results.myDocEvents.Criteria.EventLimit}})
| Event Time | Module | Dataset | Category |
| ---------- | ------ | ------- | -------- |
{{ range .Results.myDocEvents.Events -}}
| {{.Timestamp}} | {{.Payload.event_module}} | {{.Payload.event_dataset}} | {{.Payload.event_category}} |
{{end}}

133
salt/sensoroni/files/templates/reports/standard/case_report.md Normal file
View File

@@ -0,0 +1,133 @@
Security Onion Case Report
==========================
## Case Details
**Case ID:** {{.Case.Id}}
**Title:** {{.Case.Title}}
## Description
{{.Case.Description}}
## Details
**Created:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .Case.CreateTime}}
**Updated:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .Case.UpdateTime}}
**Author:** {{getUserDetail "email" .Case.UserId}}
**Status:** {{.Case.Status}}
**TLP:** {{.Case.Tlp}}
**PAP:** {{.Case.Pap}}
**Severity:** {{.Case.Severity}}
**Priority:** {{.Case.Priority}}
**Category:** {{.Case.Category}}
**Tags:** {{join .Case.Tags ", " }}
**Assignee:** {{getUserDetail "email" .Case.AssigneeId}}
**Hours Logged:** {{ formatNumber "%.2f" "en" .TotalHours}}
## Comments
{{ range sortComments "CreateTime" "asc" .Comments }}
**Created:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .CreateTime}}
**Updated:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .UpdateTime}}
**Author:** {{getUserDetail "email" .UserId}}
**Hours Logged:** {{ formatNumber "%.2f" "en" .Hours}}
{{.Description}}
---
{{end}}
## Detections
{{ range sortDetections "Title" "asc" .Detections }}
**Title:** {{.Title}}
**Description:** {{.Description}}
**Severity:** {{.Severity}}
**Rule Engine:** {{.Engine}}
**Rule Set:** {{.Ruleset}}
**Community Rule:** {{.IsCommunity}}
**Tags:** {{.Tags}}
{{.Content}}
---
{{end}}
## Attachments
{{ range sortArtifacts "CreateTime" "asc" .Attachments }}
**Added:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .CreateTime}}
**Updated:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .UpdateTime}}
**Added By:** {{getUserDetail "email" .UserId}}
**TLP:** {{.Tlp}}
**Filename:** {{.Value}}
**Size:** {{ formatNumber "%.0d" "en" .StreamLen}} bytes
**SHA256:** {{.Sha256}}
**SHA1:** {{.Sha1}}
**MD5:** {{.Md5}}
**Tags:** {{.Tags}}
**Protected (Zipped):** {{.Protected}}
{{.Description}}
---
{{end}}
## Observables
| Date Added | Tlp | Type | IOC | Value | Description |
| ---------- | --- | ---- | --- | ----- | ----------- |
{{ range sortArtifacts "CreateTime" "asc" .Observables -}}
| {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .CreateTime}} | {{.Tlp}} | {{.ArtifactType}} | {{.Ioc}} | {{.Value}} | {{.Description}} |
{{end}}
## Related Events
| Event Time | Log ID | Source IP | Destination IP |
| ---------- | ------ | --------- | -------------- |
{{ range sortRelatedEvents "fields:soc_timestamp" "asc" .RelatedEvents -}}
| {{.Fields.soc_timestamp}} | {{.Fields.log_id_uid}} | {{.Fields.source_ip}} | {{.Fields.destination_ip}} |
{{end}}
## Case History
| Date | User | Object | Operation |
| ---- | ---- | ------ | --------- |
{{ range sortHistory "CreateTime" "asc" .History -}}
| {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .CreateTime}} | {{getUserDetail "email" .UserId}} | {{.Kind}} | {{.Operation}} |
{{end}}

189
salt/sensoroni/files/templates/reports/standard/productivity_report.md Normal file
View File

@@ -0,0 +1,189 @@
Security Onion Productivity Report
==================================
{{ if .Error }}
**NOTE: This report encountered a problem extracting the relevant data and may not be complete.**
**Error:** {{.Error}}
{{ end }}
Records must have been created or updated during the following time frame in order to be reflected in this report.
**Report Start Date:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .BeginDate}}
**Report End Date:** {{formatDateTime "Mon Jan 02 15:04:05 -0700 2006" .EndDate}}
## Ingested Events
**Total Events:** {{ formatNumber "%d" "en" .TotalEvents}}
### Events By Module
| Count | Proportion | Module |
| ----- | ---------- | ------ |
{{ range sortMetrics "Value" "desc" .TotalEventsByModule -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Events By Module and Severity Label
| Count | Proportion | Module | Severity |
| ----- | ---------- | ------ | -------- |
{{ range sortMetrics "Value" "desc" .TotalEventsByModuleDataset -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} | {{index .Keys 1}} |
{{end}}
## Alerts
**Total Alerts:** {{ formatNumber "%d" "en" .TotalAlerts}}
{{ range sortMetrics "Value" "desc" .TotalAlertsByAcknowledged -}}
{{ if index .Keys 0 | eq "true" }}
**Acknowledged Alerts:** {{ formatNumber "%.0f" "en" .Value}} ({{ formatNumber "%.1f" "en" .Percentage}}%)
{{ end }}
{{end}}
{{ range sortMetrics "Value" "desc" .TotalAlertsByEscalated -}}
{{ if index .Keys 0 | eq "true" }}
**Escalated Alerts:** {{ formatNumber "%.0f" "en" .Value}} ({{ formatNumber "%.1f" "en" .Percentage}}%)
{{ end }}
{{end}}
### Alerts By Severity
| Count | Proportion | Severity |
| ----- | ---------- | -------- |
{{ range sortMetrics "Value" "desc" .TotalAlertsBySeverityLabel -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Alerts By Module
| Count | Proportion | Module |
| ----- | ---------- | ------ |
{{ range sortMetrics "Value" "desc" .TotalAlertsByModule -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Alerts By Module and Severity Label
| Count | Proportion | Module | Severity |
| ----- | ---------- | ------ | -------- |
{{ range sortMetrics "Value" "desc" .TotalAlertsByModuleSeverityLabel -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} | {{index .Keys 1}} |
{{end}}
### Alerts By Ruleset
| Count | Proportion | Ruleset |
| ----- | ---------- | ------- |
{{ range sortMetrics "Value" "desc" .TotalAlertsByRuleset -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Alerts By Rule Category
| Count | Proportion | Category |
| ----- | ---------- | -------- |
{{ range sortMetrics "Value" "desc" .TotalAlertsByCategory -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
## Cases
**Total Cases:** {{ formatNumber "%d" "en" .TotalCases}}
**Average Elapsed Time To Complete:** {{ formatNumber "%.1f" "en" .AverageHoursToComplete }} hours
### Cases By Status
| Count | Proportion | Status |
| ----- | ---------- | ------ |
{{ range sortMetrics "Value" "desc" .TotalCasesByStatus -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Cases By Assignee
| Count | Proportion | Assignee |
| ----- | ---------- | -------- |
{{ range sortMetrics "Value" "desc" .TotalCasesByAssignee -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0 | getUserDetail "email"}} |
{{end}}
### Cases By Status and Assignee
| Count | Proportion | Status | Assignee |
| ----- | ---------- | ------ | -------- |
{{ range sortMetrics "Value" "desc" .TotalCasesByStatusAssignee -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} | {{index .Keys 1 | getUserDetail "email"}} |
{{end}}
### Cases By Severity
| Count | Proportion | Severity |
| ----- | ---------- | -------- |
{{ range sortMetrics "Value" "desc" .TotalCasesBySeverity -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Cases By Priority
| Count | Proportion | Priority |
| ----- | ---------- | -------- |
{{ range sortMetrics "Value" "desc" .TotalCasesByPriority -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Cases By Traffic Light Protocol (TLP)
| Count | Proportion | TLP |
| ----- | ---------- | ----|
{{ range sortMetrics "Value" "desc" .TotalCasesByTlp -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Cases By Permissible Actions Protocol (PAP)
| Count | Proportion | PAP |
| ----- | ---------- | --- |
{{ range sortMetrics "Value" "desc" .TotalCasesByPap -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Cases By Category
| Count | Proportion | Category |
| ----- | ---------- | -------- |
{{ range sortMetrics "Value" "desc" .TotalCasesByCategory -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Cases By Tags
| Count | Proportion | Tags |
| ----- | ---------- | ---- |
{{ range sortMetrics "Value" "desc" .TotalCasesByTags -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0}} |
{{end}}
### Comments By User
| Count | Proportion | User |
| ----- | ---------- | ---- |
{{ range sortMetrics "Value" "desc" .TotalCommentsByUserId -}}
| {{ formatNumber "%.0f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0 | getUserDetail "email"}} |
{{end}}
## Time Tracking
**Total Hours:** {{ formatNumber "%.2f" "en" .TotalHours}}
### Hours By User
| Hours | Proportion | User |
| ----- | ---------- | ---- |
{{ range sortMetrics "Value" "desc" .TotalHoursByUserId -}}
| {{ formatNumber "%.2f" "en" .Value}} | {{ formatNumber "%.1f" "en" .Percentage}}% | {{index .Keys 0 | getUserDetail "email"}} |
{{end}}

91
salt/sensoroni/soc_sensoroni.yaml
View File

@@ -306,3 +306,94 @@ sensoroni:
sensitive: False sensitive: False
advanced: True advanced: True
forcedType: string forcedType: string
files:
templates:
reports:
standard:
case_report__md:
title: Case report Template
description: The template used when generating a case report. Supports markdown format.
file: True
global: True
syntax: md
helpLink: reports.html
productivity_report__md:
title: Productivity Report Template
description: The template used when generating a comprehensive productivity report. Supports markdown format.
file: True
global: True
syntax: md
helpLink: reports.html
custom:
generic_report1__md:
title: Custom Report 1
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
generic_report2__md:
title: Custom Report 2
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
generic_report3__md:
title: Custom Report 3
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
generic_report4__md:
title: Custom Report 4
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
generic_report5__md:
title: Custom Report 5
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
generic_report6__md:
title: Custom Report 6
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
generic_report7__md:
title: Custom Report 7
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
generic_report8__md:
title: Custom Report 8
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
generic_report9__md:
title: Custom Report 9
description: A custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI.
file: True
global: True
syntax: md
helpLink: reports.html
addl_generic_report__md:
title: Additional Custom Report
description: A duplicatable custom, user-defined report. Supports markdown format. The report title inside the file, typically near the top, will be shown in the SOC reporting UI. This is an unsupported feature due to the inability to edit duplicated reports via the SOC app.
advanced: True
file: True
global: True
syntax: md
duplicates: True
helpLink: reports.html

1
salt/soc/defaults.map.jinja
View File

@@ -35,5 +35,6 @@
{% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %} {% do SOCDEFAULTS.soc.config.server.modules.statickeyauth.update({'anonymousCidr': DOCKER.range, 'apiKey': pillar.sensoroni.config.sensoronikey}) %}
{% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %} {% do SOCDEFAULTS.soc.config.server.client.case.update({'analyzerNodeId': GLOBALS.hostname}) %}
{% do SOCDEFAULTS.soc.config.server.client.update({'exportNodeId': GLOBALS.hostname}) %}
{% set SOCDEFAULTS = SOCDEFAULTS.soc %} {% set SOCDEFAULTS = SOCDEFAULTS.soc %}

2
salt/soc/defaults.yaml
View File

@@ -1358,6 +1358,7 @@ soc:
htmlDir: html htmlDir: html
importUploadDir: /nsm/soc/uploads importUploadDir: /nsm/soc/uploads
forceUserOtp: false forceUserOtp: false
customReportsPath: /opt/sensoroni/templates/reports/custom
modules: modules:
cases: soc cases: soc
filedatastore: filedatastore:
@@ -1576,6 +1577,7 @@ soc:
casesEnabled: true casesEnabled: true
detectionsEnabled: true detectionsEnabled: true
inactiveTools: ['toolUnused'] inactiveTools: ['toolUnused']
exportNodeId:
tools: tools:
- name: toolKibana - name: toolKibana
description: toolKibanaHelp description: toolKibanaHelp

1
salt/soc/enabled.sls
View File

@@ -48,6 +48,7 @@ so-soc:
- /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro - /opt/so/conf/soc/custom_roles:/opt/sensoroni/rbac/custom_roles:ro
- /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw - /opt/so/conf/soc/soc_users_roles:/opt/sensoroni/rbac/users_roles:rw
- /opt/so/conf/soc/soc_clients_roles:/opt/sensoroni/rbac/clients_roles:rw - /opt/so/conf/soc/soc_clients_roles:/opt/sensoroni/rbac/clients_roles:rw
- /opt/so/conf/sensoroni/templates:/opt/sensoroni/templates:ro
- /opt/so/conf/soc/queue:/opt/sensoroni/queue:rw - /opt/so/conf/soc/queue:/opt/sensoroni/queue:rw
- /opt/so/saltstack:/opt/so/saltstack:rw - /opt/so/saltstack:/opt/so/saltstack:rw
- /opt/so/conf/soc/migrations:/opt/so/conf/soc/migrations:rw - /opt/so/conf/soc/migrations:/opt/so/conf/soc/migrations:rw

11
salt/soc/soc_soc.yaml
View File

@@ -138,6 +138,11 @@ soc:
title: Require TOTP title: Require TOTP
description: Require all users to enable Time-based One Time Passwords (MFA) upon login to SOC. description: Require all users to enable Time-based One Time Passwords (MFA) upon login to SOC.
global: True global: True
customReportsPath:
title: Custom Reports Path
description: Path to custom markdown templates for PDF report generation. All markdown files in this directory will be available as custom reports in the SOC Reports interface.
global: True
advanced: True
subgrids: subgrids:
title: Subordinate Grids title: Subordinate Grids
description: | description: |
@@ -561,6 +566,8 @@ soc:
forcedType: "[]{}" forcedType: "[]{}"
syntax: json syntax: json
uiElements: uiElements:
- field: rulesetName
label: Playbook Source Name
- field: repo - field: repo
label: Repo URL label: Repo URL
required: True required: True
@@ -606,6 +613,10 @@ soc:
global: True global: True
advanced: True advanced: True
forcedType: "[]{}" forcedType: "[]{}"
exportNodeId:
description: The node ID on which export jobs will be executed.
global: True
advanced: True
hunt: &appSettings hunt: &appSettings
groupItemsPerPage: groupItemsPerPage:
description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI. description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI.

8
salt/stig/enabled.sls
View File

@@ -13,7 +13,11 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states and GLOBALS.os == 'OEL' %} {% if sls.split('.')[0] in allowed_states and GLOBALS.os == 'OEL' %}
{% if 'stg' in salt['pillar.get']('features', []) %} {% if 'stg' in salt['pillar.get']('features', []) %}
{% set OSCAP_PROFILE_NAME = 'xccdf_org.ssgproject.content_profile_stig' %} {% if GLOBALS.role != 'so-desktop' %}
{% set OSCAP_PROFILE_NAME = 'xccdf_org.ssgproject.content_profile_stig' %}
{% else %}
{% set OSCAP_PROFILE_NAME = 'xccdf_org.ssgproject.content_profile_stig_gui' %}
{% endif %}
{% set OSCAP_PROFILE_LOCATION = '/opt/so/conf/stig/sos-oscap.xml' %} {% set OSCAP_PROFILE_LOCATION = '/opt/so/conf/stig/sos-oscap.xml' %}
{% set OSCAP_OUTPUT_DIR = '/opt/so/log/stig' %} {% set OSCAP_OUTPUT_DIR = '/opt/so/log/stig' %}
oscap_packages: oscap_packages:
@@ -49,7 +53,7 @@ update_stig_profile:
{% if not salt['file.file_exists'](OSCAP_OUTPUT_DIR ~ '/pre-oscap-report.html') %} {% if not salt['file.file_exists'](OSCAP_OUTPUT_DIR ~ '/pre-oscap-report.html') %}
run_initial_scan: run_initial_scan:
cmd.run: cmd.run:
- name: 'oscap xccdf eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/pre-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/pre-oscap-report.html {{ OSCAP_PROFILE_LOCATION }}' - name: 'oscap xccdf eval --profile {{ OSCAP_PROFILE_NAME }} --results {{ OSCAP_OUTPUT_DIR }}/pre-oscap-results.xml --report {{ OSCAP_OUTPUT_DIR }}/pre-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml'
- success_retcodes: - success_retcodes:
- 2 - 2
{% endif %} {% endif %}

343146
salt/stig/files/sos-oscap.xml
View File

File diff suppressed because one or more lines are too long

3
salt/zeek/config.sls
View File

@@ -22,7 +22,8 @@ zeek:
user.present: user.present:
- uid: 937 - uid: 937
- gid: 937 - gid: 937
- home: /home/zeek - home: /opt/so/conf/zeek
- createhome: False
# Create some directories # Create some directories
zeekpolicydir: zeekpolicydir:

23
setup/so-functions
View File

@@ -1225,15 +1225,18 @@ get_minion_type() {
} }
hypervisor_local_states() { hypervisor_local_states() {
# these states need to run before the first highstate so that we dont deal with the salt-minion restarting # these states need to run before the first highstate so that we dont deal with the salt-minion restarting
# and we need these setup prior to the highstate # and we need these setup prior to the highstate
info "Check if hypervisor or managerhype" info "Check if hypervisor or managerhype"
if [ $is_hypervisor ] || [ $is_managerhype ]; then if [ $is_hypervisor ] || [ $is_managerhype ]; then
info "Running libvirt states for hypervisor" info "Running libvirt states for hypervisor"
logCmd "salt-call state.apply libvirt.64962 --local --file-root=../salt/ -l info" logCmd "salt-call state.apply libvirt.64962 --local --file-root=../salt/ -l info queue=True"
info "Setting up bridge for $MNIC" info "Setting up bridge for $MNIC"
salt-call state.apply libvirt.bridge --local --file-root=../salt/ -l info pillar="{\"host\": {\"mainint\": \"$MNIC\"}}" salt-call state.apply libvirt.bridge --local --file-root=../salt/ -l info pillar="{\"host\": {\"mainint\": \"$MNIC\"}} queue=True"
fi if [ $is_managerhype ]; then
logCmd "salt-call state.apply salt.minion queue=True"
fi
fi
} }
install_cleanup() { install_cleanup() {
@@ -1680,7 +1683,7 @@ reserve_ports() {
reinstall_init() { reinstall_init() {
info "Putting system in state to run setup again" info "Putting system in state to run setup again"
if [[ $install_type =~ ^(MANAGER|EVAL|MANAGERSEARCH|STANDALONE|FLEET|IMPORT)$ ]]; then if [[ $install_type =~ ^(MANAGER|EVAL|MANAGERSEARCH|MANAGERHYPE|STANDALONE|FLEET|IMPORT)$ ]]; then
local salt_services=( "salt-master" "salt-minion" ) local salt_services=( "salt-master" "salt-minion" )
else else
local salt_services=( "salt-minion" ) local salt_services=( "salt-minion" )