From 6ea1a83afe9199c9337c508fff10b54d797d3063 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 11 Jan 2021 14:10:08 -0500 Subject: [PATCH 1/6] resolve some issues with the zeekloss script https://github.com/Security-Onion-Solutions/securityonion/issues/2590 --- salt/telegraf/scripts/zeekloss.sh | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/salt/telegraf/scripts/zeekloss.sh b/salt/telegraf/scripts/zeekloss.sh index 9a64ef4dd..0cdef896c 100644 --- a/salt/telegraf/scripts/zeekloss.sh +++ b/salt/telegraf/scripts/zeekloss.sh @@ -29,15 +29,22 @@ echo $$ > $lf ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2) declare RESULT=($ZEEKLOG) CURRENTDROP=${RESULT[3]} -PASTDROP=${RESULT[9]} -DROPPED=$((CURRENTDROP - PASTDROP)) -if [ $DROPPED == 0 ]; then +# zeek likely not running if this is true +if [[ $CURRENTDROP == "rcvd:" ]]; then + CURRENTDROP=0 + PASTDROP=0 + DROPPED=0 +else + PASTDROP=${RESULT[9]} + DROPPED=$((CURRENTDROP - PASTDROP)) +fi +if [[ "$DROPPED" -le 0 ]]; then LOSS=0 echo "zeekdrop drop=0" else CURRENTPACKETS=${RESULT[5]} PASTPACKETS=${RESULT[11]} TOTAL=$((CURRENTPACKETS - PASTPACKETS)) - LOSS=$(echo $DROPPED $TOTAL / p | dc) + LOSS=$(echo 4k $DROPPED $TOTAL / p | dc) echo "zeekdrop drop=$LOSS" -fi +fi \ No newline at end of file From dbb9f90f0060592c44cffc86a30e88aaca7a349a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 12 Jan 2021 14:07:04 -0500 Subject: [PATCH 2/6] fix quotes --- setup/so-functions | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 94f6b394d..e731da3b9 100755 --- a/setup/so-functions +++ b/setup/so-functions 
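Review bot: The new `[[ "$DROPPED" -le 0 ]]` guard protects only the numerator; in the `else` branch `TOTAL=$((CURRENTPACKETS - PASTPACKETS))` can still be zero or negative (for example when packetloss.log holds a single line so `RESULT[11]` is empty, or if the counters go backwards), and `dc` then reports a divide-by-zero and leaves `LOSS` empty, so the script prints `zeekdrop drop=` with no value at all. Guard the division the same way: `if (( TOTAL > 0 )); then LOSS=$(echo 4k "$DROPPED" "$TOTAL" / p | dc); else LOSS=0; fi`. The `"rcvd:"` sentinel and the index constants `3`, `5`, `9`, `11` all depend on the exact field layout of packetloss.log, so a one-line comment next to `declare RESULT=($ZEEKLOG)` giving the expected line format (e.g. `# two newest lines, each: <ts> rcvd: N dropped: M ... ; field offsets below assume this`) would make them maintainable. The start of the script, including the lock file written to `$lf`, is outside this hunk.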
@@ -1982,9 +1982,9 @@ set_ssh_cmds() { local automated=$1 if [ $automated == yes ]; then - sshcmd='sshpass -p "$SOREMOTEPASS1" ssh -o StrictHostKeyChecking=no' - sshcopyidcmd='sshpass -p "$SOREMOTEPASS1" ssh-copy-id -o StrictHostKeyChecking=no' - scpcmd='sshpass -p "$SOREMOTEPASS1" scp -o StrictHostKeyChecking=no' + sshcmd="sshpass -p $SOREMOTEPASS1 ssh -o StrictHostKeyChecking=no" + sshcopyidcmd="sshpass -p $SOREMOTEPASS1 ssh-copy-id -o StrictHostKeyChecking=no" + scpcmd="sshpass -p $SOREMOTEPASS1 scp -o StrictHostKeyChecking=no" else sshcmd='ssh' sshcopyidcmd='ssh-copy-id' From 225ed1c14a739325cb3754886d04007d86e0a54c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 12 Jan 2021 16:39:19 -0500 Subject: [PATCH 3/6] change suriloss and zeekloss to be more similar code style --- salt/telegraf/scripts/suriloss.sh | 10 +++++----- salt/telegraf/scripts/zeekloss.sh | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/telegraf/scripts/suriloss.sh b/salt/telegraf/scripts/suriloss.sh index 7ef8de2ee..9f8ad8cc6 100644 --- a/salt/telegraf/scripts/suriloss.sh +++ b/salt/telegraf/scripts/suriloss.sh @@ -33,20 +33,20 @@ if [ $CHECKIT == 2 ]; then CURRENTDROP=${RESULT[4]} PASTDROP=${RESULT[14]} - DROPPED=$(($CURRENTDROP - $PASTDROP)) + DROPPED=$((CURRENTDROP - PASTDROP)) if [ $DROPPED == 0 ]; then LOSS=0 echo "suridrop drop=0" else CURRENTPACKETS=${RESULT[9]} PASTPACKETS=${RESULT[19]} - TOTALCURRENT=$(($CURRENTPACKETS + $CURRENTDROP)) - TOTALPAST=$(($PASTPACKETS + $PASTDROP)) - TOTAL=$(($TOTALCURRENT - $TOTALPAST)) + TOTALCURRENT=$((CURRENTPACKETS + CURRENTDROP)) + TOTALPAST=$((PASTPACKETS + PASTDROP)) + TOTAL=$((TOTALCURRENT - TOTALPAST)) LOSS=$(echo 4 k $DROPPED $TOTAL / p | dc) echo "suridrop drop=$LOSS" fi else echo "suridrop drop=0" -fi +fi \ No newline at end of file diff --git a/salt/telegraf/scripts/zeekloss.sh b/salt/telegraf/scripts/zeekloss.sh index 0cdef896c..966de8e4d 100644 --- a/salt/telegraf/scripts/zeekloss.sh 
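Review bot: The three rewritten assignments place the soremote password on the command line (`sshpass -p $SOREMOTEPASS1`), where it is visible to every local user via `ps` and `/proc/*/cmdline` at least until sshpass scrubs its argv, and because the value is now expanded at assignment time and the command string is presumably used unquoted later (`$sshcmd …`), a password containing whitespace or glob characters will be split into separate arguments. sshpass's environment mode avoids both problems: `export SSHPASS="$SOREMOTEPASS1"` once in this branch, then `sshcmd="sshpass -e ssh -o StrictHostKeyChecking=no"` and the same `-e` form for `sshcopyidcmd` and `scpcmd` (and `unset SSHPASS` once the remote steps are done, since exported variables are inherited by every child). `StrictHostKeyChecking=no` is pre-existing, but note that with it the password is handed to whatever host answers at that address; if the test harness can pre-seed known_hosts, it should. set_ssh_cmds continues past the end of this hunk.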
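Review bot: The context line `if [ $DROPPED == 0 ]; then` in the suriloss.sh hunk still differs from the `[[ "$DROPPED" -le 0 ]]` form the first commit in this series gave zeekloss.sh, even though this commit exists to align the two scripts: a negative `DROPPED` (e.g. if the counters reset) falls into the `else` branch and reports a negative loss, and `TOTAL` can be zero there, in which case `dc` fails and the script emits `suridrop drop=` with no value. Suggest `if [[ "$DROPPED" -le 0 ]]; then` and wrapping the division as `if (( TOTAL > 0 )); then LOSS=$(echo 4 k "$DROPPED" "$TOTAL" / p | dc); else LOSS=0; fi`. The enclosing `if [ $CHECKIT == 2 ]` begins before this hunk.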
+++ b/salt/telegraf/scripts/zeekloss.sh @@ -45,6 +45,6 @@ else CURRENTPACKETS=${RESULT[5]} PASTPACKETS=${RESULT[11]} TOTAL=$((CURRENTPACKETS - PASTPACKETS)) - LOSS=$(echo 4k $DROPPED $TOTAL / p | dc) + LOSS=$(echo 4 k $DROPPED $TOTAL / p | dc) echo "zeekdrop drop=$LOSS" fi \ No newline at end of file From 2950779d9159c39412ed7fc83fceca68402df406 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 13 Jan 2021 09:57:12 -0500 Subject: [PATCH 4/6] Fix stralka rule update --- salt/strelka/init.sls | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index c4b5346ae..1bd9e3aad 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -1,4 +1,4 @@ -# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -17,8 +17,8 @@ {% if 'strelka' in top_states %} -{%- set MANAGER = salt['grains.get']('master') %} -{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} +{% set MANAGER = salt['grains.get']('master') %} +{% set MANAGERIP = salt['pillar.get']('global:managerip', '') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} @@ -47,7 +47,7 @@ strelkasync: - group: 939 - template: jinja -{%- if STRELKA_RULES == 1 %} +{% if STRELKA_RULES == 1 %} strelkarules: file.recurse: 
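Review bot: In the `@@ -47,7 +47,7 @@` hunk of salt/strelka/init.sls the rewritten `{% if STRELKA_RULES == 1 %}` compares against the integer 1, but the earlier hunk in the same file defaults the variable with `salt['pillar.get']('strelka:rules', '1')`, a string, and in Jinja `'1' == 1` is false; unless the pillar always supplies an integer, the `strelkarules` state (and the `strelkarepos` state nested under it) is skipped whenever the pillar key is absent. Normalise the type in one place, either `{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', 1) %}` or `{% if STRELKA_RULES|int == 1 %}`. The commit only drops the `{%-` whitespace control here, so this is pre-existing, but it is worth fixing while the line is being touched.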
@@ -56,13 +56,15 @@ strelkarules: - user: 939 - group: 939 +{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import'] %} strelkarepos: file.managed: - name: /opt/so/saltstack/default/salt/strelka/rules/repos.txt - source: salt://strelka/rules/repos.txt.jinja - template: jinja - -{%- endif %} + +{% endif %} +{% endif %} strelkadatadir: file.directory: From bb386f9935a6a946be43085c023319a6b57b5442 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 12 Jan 2021 17:04:49 -0500 Subject: [PATCH 5/6] Allow passwordless sudo during tests for all nodes, not just manager; Only run so-test on sensor nodes during test runs --- setup/so-setup | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index e62dc434f..b4b0fd6ed 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -594,6 +594,8 @@ set_redirect >> $setup_log 2>&1 set_progress_str 8 'Initializing Salt minion' configure_minion "$minion_type" >> $setup_log 2>&1 + update_sudoers_for_testing >> $setup_log 2>&1 + if [[ $is_manager || $is_helix || $is_import ]]; then set_progress_str 9 'Configuring Salt master' { @@ -606,7 +608,6 @@ set_redirect >> $setup_log 2>&1 set_progress_str 10 'Updating sudoers file for soremote user' update_sudoers >> $setup_log 2>&1 - update_sudoers_for_testing >> $setup_log 2>&1 set_progress_str 11 'Generating manager global pillar' #minio_generate_keys @@ -851,7 +852,7 @@ if [[ -n $SO_ERROR ]]; then else echo "Successfully completed setup! Continuing with post-installation steps" >> $setup_log 2>&1 { - [ -n "$TESTING" ] && logCmd so-test + [[ -n "$TESTING" && $is_sensor ]] && logCmd so-test export percentage=95 # set to last percentage used in previous subshell if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then From 9b060fb2d118798a1b70aa62feaf68feb5a19006 Mon Sep 17 00:00:00 2001 
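Review bot: In the `@@ -594,6 +594,8 @@` hunk of setup/so-setup the relocated `update_sudoers_for_testing >> $setup_log 2>&1` now runs unconditionally on every node type, with no `$TESTING` check at the call site, whereas the `so-test` call added later in the same commit is gated with `[[ -n "$TESTING" && $is_sensor ]]`. If the function does not itself return early when `TESTING` is unset (its body is not in this diff), every production install would receive the passwordless-sudo change, so the guard should be explicit here: `if [[ -n "$TESTING" ]]; then update_sudoers_for_testing >> "$setup_log" 2>&1; fi`. It is also the only step in this stretch without a preceding `set_progress_str`, which makes a failure in it harder to locate in the setup log.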
From: Jason Ertel Date: Wed, 13 Jan 2021 10:21:12 -0500 Subject: [PATCH 6/6] Adjust automation defaults for sensors and search nodes --- setup/automation/distributed-ami-forwardnode | 14 +++++++------- setup/automation/distributed-ami-manager | 4 ++-- setup/automation/distributed-ami-searchnode | 10 +++++----- setup/automation/distributed-iso-search | 8 ++++---- setup/automation/distributed-iso-sensor | 14 +++++++------- 5 files changed, 25 insertions(+), 25 deletions(-) diff --git a/setup/automation/distributed-ami-forwardnode b/setup/automation/distributed-ami-forwardnode index 99d8f21be..a3cd2cccb 100644 --- a/setup/automation/distributed-ami-forwardnode +++ b/setup/automation/distributed-ami-forwardnode @@ -23,8 +23,8 @@ ADMINPASS1=onionuser ADMINPASS2=onionuser #ALLOW_CIDR=0.0.0.0/0 #ALLOW_ROLE=a -BASICZEEK=1 -BASICSURI=1 +BASICZEEK=2 +BASICSURI=2 # BLOGS= BNICS=ens6 ZEEKVERSION=ZEEK @@ -70,9 +70,9 @@ PATCHSCHEDULENAME=auto SKIP_REBOOT=0 SOREMOTEPASS1=onionuser SOREMOTEPASS2=onionuser -STRELKA=1 +#STRELKA=1 #THEHIVE=1 -WAZUH=1 -WEBUSER=onionuser@somewhere.invalid -WEBPASSWD1=0n10nus3r -WEBPASSWD2=0n10nus3r +#WAZUH=1 +# WEBUSER=onionuser@somewhere.invalid +# WEBPASSWD1=0n10nus3r +# WEBPASSWD2=0n10nus3r diff --git a/setup/automation/distributed-ami-manager b/setup/automation/distributed-ami-manager index 2ca5c2a04..b1effcf7a 100644 --- a/setup/automation/distributed-ami-manager +++ b/setup/automation/distributed-ami-manager @@ -23,8 +23,8 @@ ADMINPASS1=onionuser ADMINPASS2=onionuser ALLOW_CIDR=0.0.0.0/0 ALLOW_ROLE=a -BASICZEEK=7 -BASICSURI=7 +BASICZEEK=2 +BASICSURI=2 # BLOGS= BNICS=ens6 ZEEKVERSION=ZEEK diff --git a/setup/automation/distributed-ami-searchnode b/setup/automation/distributed-ami-searchnode index 3c2ff4df5..e50e18475 100644 --- a/setup/automation/distributed-ami-searchnode +++ b/setup/automation/distributed-ami-searchnode 
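Review bot: The `@@ -70,9 +70,9 @@` hunk of distributed-ami-forwardnode comments out the web credentials rather than removing them, so `# WEBPASSWD1=0n10nus3r` and `# WEBPASSWD2=0n10nus3r` still carry a literal password in a file that is presumably no longer meant to set it on this node type. If the forward node does not consume these values, delete the four lines instead of commenting them; a commented credential is still discoverable and tends to get uncommented verbatim on real deployments. The same applies to the searchnode, iso-search and iso-sensor hunks later in this patch.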
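Review bot: The distributed-ami-manager hunk keeps `ALLOW_CIDR=0.0.0.0/0` and `ALLOW_ROLE=a` (presumably the analyst role) as unchanged context alongside `ADMINPASS2=onionuser`, while only `BASICZEEK`/`BASICSURI` change; on an AWS image this means the analyst interface of each automated test manager is reachable from any address with a publicly known password for as long as the instance exists. If the harness knows the runner's egress address, set `ALLOW_CIDR=<runner-ip>/32` here, or leave `ALLOW_CIDR` commented as the sensor and search files do and open it from the test driver. This is pre-existing and the hunk does not touch it, but it is the most consequential line in the file.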
@@ -22,7 +22,7 @@ ADMINUSER=onionuser
 ADMINPASS1=onionuser
 ADMINPASS2=onionuser
 #ALLOW_CIDR=0.0.0.0/0
-ALLOW_ROLE=a
+#ALLOW_ROLE=a
 #BASICZEEK=7
 #BASICSURI=7
 # BLOGS=
@@ -72,7 +72,7 @@ SOREMOTEPASS1=onionuser
 SOREMOTEPASS2=onionuser
 #STRELKA=1
 #THEHIVE=1
-WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
+#WAZUH=1
+# WEBUSER=onionuser@somewhere.invalid
+# WEBPASSWD1=0n10nus3r
+# WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/distributed-iso-search b/setup/automation/distributed-iso-search
index d37a7d935..aec7afd31 100644
--- a/setup/automation/distributed-iso-search
+++ b/setup/automation/distributed-iso-search
@@ -72,7 +72,7 @@ SOREMOTEPASS1=onionuser
 SOREMOTEPASS2=onionuser
 # STRELKA=1
 # THEHIVE=1
-WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
+# WAZUH=1
+# WEBUSER=onionuser@somewhere.invalid
+# WEBPASSWD1=0n10nus3r
+# WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/distributed-iso-sensor b/setup/automation/distributed-iso-sensor
index 402049be9..4cc3f6a75 100644
--- a/setup/automation/distributed-iso-sensor
+++ b/setup/automation/distributed-iso-sensor
@@ -23,8 +23,8 @@ ADMINPASS1=onionuser
 ADMINPASS2=onionuser
 # ALLOW_CIDR=0.0.0.0/0
 # ALLOW_ROLE=a
-BASICZEEK=7
-BASICSURI=7
+BASICZEEK=2
+BASICSURI=2
 # BLOGS=
 BNICS=eth1
 ZEEKVERSION=ZEEK
@@ -70,9 +70,9 @@ PATCHSCHEDULENAME=auto
 # SKIP_REBOOT=
 SOREMOTEPASS1=onionuser
 SOREMOTEPASS2=onionuser
-STRELKA=1
+# STRELKA=1
 # THEHIVE=1
-WAZUH=1
-WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=0n10nus3r
-WEBPASSWD2=0n10nus3r
+# WAZUH=1
+# WEBUSER=onionuser@somewhere.invalid
+# WEBPASSWD1=0n10nus3r
+# WEBPASSWD2=0n10nus3r