From 352e30f9e1509a23a0f64b8ae6ee0608085c9d38 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 22 Oct 2021 11:16:29 -0400 Subject: [PATCH 01/42] Add CUSTOM_FLEET_HOSTNAME to subjectAltName of fleet.key Resolves #4319 --- salt/ssl/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 5690691fc..9d4026b56 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -445,7 +445,7 @@ msslkeyperms: x509.certificate_managed: - signing_private_key: /etc/pki/fleet.key - CN: {{ manager }} - - subjectAltName: DNS:{{ manager }},IP:{{ managerip }} + - subjectAltName: DNS:{{ manager }},IP:{{ managerip }}{% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }}{% endif %} - days_remaining: 0 - days_valid: 820 - backup: True From 62971d8c15ea29e58794d0c153e0d6fef2ced20c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 22 Oct 2021 11:57:47 -0400 Subject: [PATCH 02/42] Add Fleet custom hostname to end summary --- setup/so-whiptail | 2 ++ 1 file changed, 2 insertions(+) diff --git a/setup/so-whiptail b/setup/so-whiptail index ed4067da1..3e4bf6151 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -505,6 +505,8 @@ whiptail_end_settings() { [[ -n $WEBUSER ]] && __append_end_msg "Web User: $WEBUSER" [[ -n $FLEETNODEUSER ]] && __append_end_msg "Fleet User: $FLEETNODEUSER" + + [[ -n $FLEETCUSTOMHOSTNAME ]] && __append_end_msg "Fleet Custom Hostname: $FLEETCUSTOMHOSTNAME" if [[ $is_manager ]]; then __append_end_msg "Enabled Optional Components:" From 17af513692e8cf39e4206b485b67341c5ea96e85 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 22 Oct 2021 15:28:37 -0400 Subject: [PATCH 03/42] Escape single quotes and allow for any character in node description --- salt/sensoroni/files/sensoroni.json | 2 +- setup/so-functions | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
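Review bot: The guard `{% if CUSTOM_FLEET_HOSTNAME != None %}` on the new subjectAltName line only skips the extra entry for a literal None, so an empty-string value would render a dangling `,DNS:` and hand x509.certificate_managed a malformed SAN. A truthiness test covers both cases: `{% if CUSTOM_FLEET_HOSTNAME %},DNS:{{ CUSTOM_FLEET_HOSTNAME }}{% endif %}`. Where CUSTOM_FLEET_HOSTNAME is set is outside this hunk, so whether it can be empty rather than None is worth confirming. Changing the SAN of an already-issued fleet certificate will presumably cause the state to reissue it, which deployed agents then need to pick up.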
diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json index 1a6e6fc8c..743021a7d 100644 --- a/salt/sensoroni/files/sensoroni.json +++ b/salt/sensoroni/files/sensoroni.json @@ -17,7 +17,7 @@ "agent": { "nodeId": "{{ grains.host | lower }}", "role": "{{ grains.role }}", - "description": "{{ DESCRIPTION }}", + "description": {{ DESCRIPTION | tojson }}, "address": "{{ ADDRESS }}", "model": "{{ MODEL }}", "pollIntervalMs": {{ CHECKININTERVALMS if CHECKININTERVALMS else 10000 }}, diff --git a/setup/so-functions b/setup/so-functions index 58fbca562..62d458911 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1509,7 +1509,7 @@ host_pillar() { " mainint: '$MNIC'"\ "sensoroni:"\ " node_address: '$MAINIP'"\ - " node_description: '$NODE_DESCRIPTION'"\ + " node_description: '${NODE_DESCRIPTION//\'/''}'"\ "" > "$pillar_file" } From 38b16a507baa3c8cd2d00e16de768d7162c38471 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 22 Oct 2021 15:29:32 -0400 Subject: [PATCH 04/42] Update ip for root user in mysql when running so-ip-update --- salt/common/tools/sbin/so-ip-update | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/salt/common/tools/sbin/so-ip-update b/salt/common/tools/sbin/so-ip-update index 9976a42e8..8ef99fadc 100755 --- a/salt/common/tools/sbin/so-ip-update +++ b/salt/common/tools/sbin/so-ip-update @@ -8,9 +8,9 @@ fi echo "This tool will update a manager's IP address to the new IP assigned to the management network interface." -echo +echo "" echo "WARNING: This tool is still undergoing testing, use at your own risk!" -echo +echo "" if [ -z "$OLD_IP" ]; then OLD_IP=$(lookup_pillar "managerip") 
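Review bot: Only `description` gets `| tojson` on the new line, while `nodeId`, `role`, `address` and `model` on the surrounding lines are still interpolated raw inside JSON quotes, so a quote or backslash in any of those values would still produce invalid JSON. For consistency the same filter fits them, e.g. `"address": {{ ADDRESS | tojson }},` and `"model": {{ MODEL | tojson }},`. Those values may already be constrained upstream (an IP and a fixed model string), which is outside this hunk, so this may be hardening only.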
@@ -27,7 +27,7 @@ if [ -z "$NEW_IP" ]; then NEW_IP=$(ip -4 addr list $iface | grep inet | cut -d' ' -f6 | cut -d/ -f1) if [ -z "$NEW_IP" ]; then - fail "Unable to detect new IP on interface $iface. " + fail "Unable to detect new IP on interface $iface." fi echo "Detected new IP $NEW_IP on interface $iface." @@ -39,15 +39,20 @@ fi echo "About to change old IP $OLD_IP to new IP $NEW_IP." -echo +echo "" read -n 1 -p "Would you like to continue? (y/N) " CONTINUE -echo +echo "" if [ "$CONTINUE" == "y" ]; then - for file in $(grep -rlI $OLD_IP /opt/so/saltstack /etc); do - echo "Updating file: $file" - sed -i "s|$OLD_IP|$NEW_IP|g" $file - done + for file in $(grep -rlI $OLD_IP /opt/so/saltstack /etc); do + echo "Updating file: $file" + sed -i "s|$OLD_IP|$NEW_IP|g" $file + done + + echo "Granting MySQL root user permissions on $NEW_IP" + docker exec -i so-mysql mysql --user=root --password=$(lookup_pillar_secret 'mysql') -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'$NEW_IP' IDENTIFIED BY '$(lookup_pillar_secret 'mysql')' WITH GRANT OPTION;" &> /dev/null + echo "Removing MySQL root user from $OLD_IP" + docker exec -i so-mysql mysql --user=root --password=$(lookup_pillar_secret 'mysql') -e "DROP USER 'root'@'$OLD_IP';" &> /dev/null echo "The IP has been changed from $OLD_IP to $NEW_IP." @@ -60,4 +65,4 @@ if [ "$CONTINUE" == "y" ]; then fi else echo "Exiting without changes." -fi \ No newline at end of file +fi From 9e9079f9cb76144658e15bf357488a8a248735c8 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 27 Oct 2021 11:03:00 -0400 Subject: [PATCH 05/42] Reorder airgap prompt and add additional logic Setup should now only ask the user whether to setup as airgap on manager-type installs. For all distributed minions setup will now inherit the airgap boolean from the manager. --- setup/so-setup | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 119a0d2ff..982ce5f05 100755 
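Review bot: The two new `docker exec ... mysql --user=root --password=$(lookup_pillar_secret 'mysql')` lines put the MySQL root password on the command line, where it is visible in process listings on the host and inside the container while the command runs, and the trailing `&> /dev/null` discards any GRANT/DROP error so the script still reports success when the user change failed. Passing the password through the client's environment and checking the status avoids both, e.g. `docker exec -i -e MYSQL_PWD="$(lookup_pillar_secret 'mysql')" so-mysql mysql --user=root -e "GRANT ...;" > /dev/null || fail "Unable to grant MySQL root access from $NEW_IP"`. The password is still interpolated into the GRANT statement itself, so a quote in the secret breaks the SQL, and `IDENTIFIED BY` inside GRANT is no longer accepted by MySQL 8, which matters if the so-mysql image is ever upgraded. The enclosing `if [ "$CONTINUE" == "y" ]` block closes in the following hunk.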
--- a/setup/so-setup +++ b/setup/so-setup @@ -265,14 +265,6 @@ if [[ $is_manager || $is_import ]]; then fi if ! [[ -f $install_opt_file ]]; then - # Check if this is an airgap install - if [[ ( $is_manager || $is_import || $is_minion ) && $is_iso ]]; then - whiptail_airgap - if [[ "$INTERWEBS" == 'AIRGAP' ]]; then - is_airgap=true - fi - fi - if [[ $is_manager && $is_sensor ]]; then check_requirements "standalone" elif [[ $is_fleet_standalone ]]; then @@ -312,17 +304,6 @@ if ! [[ -f $install_opt_file ]]; then add_mngr_ip_to_hosts fi - reset_proxy - if [[ -z $is_airgap ]]; then - collect_net_method - [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 - fi - - if [[ $is_minion ]]; then - whiptail_ssh_key_copy_notice - copy_ssh_key >> $setup_log 2>&1 - fi - if [[ $is_minion ]] && ! (compare_versions); then info "Installer version mismatch, downloading correct version from manager" printf '%s\n' \ 
@@ -331,17 +312,36 @@ if ! [[ -f $install_opt_file ]]; then "HOSTNAME=$HOSTNAME" \ "MSRV=$MSRV" \ "MSRVIP=$MSRVIP" \ - "is_airgap=$is_airgap" \ "NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file" - [[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file" download_repo_tarball exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" fi - else rm -rf $install_opt_file >> "$setup_log" 2>&1 fi +# Check if this is an airgap install +if [[ ( $is_manager || $is_import) && $is_iso ]]; then + whiptail_airgap + if [[ "$INTERWEBS" == 'AIRGAP' ]]; then + is_airgap=true + fi +el [[ $is_minion ]] + airgap_mngr_str=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /opt/so/saltstack/local/pillar/global.sls | grep airgap: | awk '{print $2}') >> $setup_log 2>&1 + [[ $airgap_mngr_str == "True" ]] && is_airgap=true >> $setup_log 2>&1 +fi + +reset_proxy +if [[ -z $is_airgap ]]; then + collect_net_method + [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 +fi + +if [[ $is_minion ]]; then + whiptail_ssh_key_copy_notice + copy_ssh_key >> $setup_log 2>&1 +fi + percentage=0 { installer_progress_loop & # Run progress bar to 98 in ~8 minutes while waiting for package installs From eee612e73da33b9028a0e34e21cc7323c3970fca Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 27 Oct 2021 11:43:09 -0400 Subject: [PATCH 06/42] Make folder/file states explicit Rather than using /nsm/zeek (max_depth: 1) create explicit states for /nsm/zeek/spool and /nsm/zeek/spool/state.db that set correct ownership --- salt/zeek/init.sls | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 5f5adfaa6..f83293742 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls 
@@ -90,11 +90,14 @@ zeekpolicysync: # Ensure the zeek spool tree (and state.db) ownership is correct zeekspoolownership: file.directory: - - name: /nsm/zeek + - name: /nsm/zeek/spool - user: 937 - - max_depth: 1 - - recurse: - - user +zeekstatedbownership: + file.managed: + - name: /nsm/zeek/spool/state.db + - user: 937 + - replace: False + - create: False # Sync Intel zeekintelloadsync: @@ -247,4 +250,4 @@ delete_so-zeek_so-status.disabled: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} From 75490a253639c9685dc8cc85f67a3e7e94ce4d2f Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 27 Oct 2021 14:59:24 -0400 Subject: [PATCH 07/42] Fix typo --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 982ce5f05..58059567c 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -326,7 +326,7 @@ if [[ ( $is_manager || $is_import) && $is_iso ]]; then if [[ "$INTERWEBS" == 'AIRGAP' ]]; then is_airgap=true fi -el [[ $is_minion ]] +elif [[ $is_minion ]]; then airgap_mngr_str=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /opt/so/saltstack/local/pillar/global.sls | grep airgap: | awk '{print $2}') >> $setup_log 2>&1 [[ $airgap_mngr_str == "True" ]] && is_airgap=true >> $setup_log 2>&1 fi From d6eeb0b735aae8ef6c642e107893e038d65d2b34 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 28 Oct 2021 10:04:03 -0400 Subject: [PATCH 08/42] Gen ssh key sooner --- setup/so-setup | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 58059567c..e9d510270 100755 --- a/setup/so-setup +++ b/setup/so-setup 
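Review bot: `zeekstatedbownership` deserves a comment on what `replace: False` / `create: False` buy here, because a `file.managed` state without a `source` otherwise reads as though it manages content: `# Only correct the owner of an existing state.db; never create it or touch its contents`. Neither the directory state nor the new file state sets `group`, so if the goal is that uid 937 can write spool/state.db after the container recreated it, the group remains whatever the creator left, which is worth confirming against how the zeek container runs.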
@@ -304,6 +304,11 @@ if ! [[ -f $install_opt_file ]]; then add_mngr_ip_to_hosts fi + if [[ $is_minion ]]; then + whiptail_ssh_key_copy_notice + copy_ssh_key >> $setup_log 2>&1 + fi + if [[ $is_minion ]] && ! (compare_versions); then info "Installer version mismatch, downloading correct version from manager" printf '%s\n' \ @@ -337,11 +342,6 @@ if [[ -z $is_airgap ]]; then [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 fi -if [[ $is_minion ]]; then - whiptail_ssh_key_copy_notice - copy_ssh_key >> $setup_log 2>&1 -fi - percentage=0 { installer_progress_loop & # Run progress bar to 98 in ~8 minutes while waiting for package installs From 6b480a5ba448569c7a024dbbb18afd13dab16441 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 28 Oct 2021 11:51:50 -0400 Subject: [PATCH 09/42] Change airgap check to something that doesn't require root --- setup/so-setup | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index e9d510270..b423160c8 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -332,8 +332,9 @@ if [[ ( $is_manager || $is_import) && $is_iso ]]; then is_airgap=true fi elif [[ $is_minion ]]; then - airgap_mngr_str=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /opt/so/saltstack/local/pillar/global.sls | grep airgap: | awk '{print $2}') >> $setup_log 2>&1 - [[ $airgap_mngr_str == "True" ]] && is_airgap=true >> $setup_log 2>&1 + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" [[ -f /etc/yum.repos.d/airgap_repo.repo ]] >> $setup_log 2>&1 + airgap_check=$? + [[ $airgap_check ]] && is_airgap=true >> $setup_log 2>&1 fi reset_proxy From c2b18efdbbd1658b3a3ec1a1da77eafc32444cf6 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 28 Oct 2021 11:59:42 -0400 Subject: [PATCH 10/42] Minions still need to be ISO installs to be airgap --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index b423160c8..a2ffdf339 100755 --- a/setup/so-setup 
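Review bot: `[[ $airgap_check ]]` on the new line tests whether the string is non-empty, and `$?` is always a non-empty number, so `is_airgap=true` is set for every minion regardless of whether the remote `[[ -f /etc/yum.repos.d/airgap_repo.repo ]]` succeeded; an ssh failure (exit 255) is treated as airgap too. The same three lines are carried into the hunk of the next patch and into patch 13's `elif [[ $is_minion && $is_iso ]]` block. A numeric test fixes it: `[[ $airgap_check -eq 0 ]] && is_airgap=true`, and the `>> $setup_log 2>&1` appended to that assignment does nothing beyond creating the log file and can go. The remote test also assumes a yum-based manager and that soremote's login shell understands `[[`, neither of which is visible here.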
+++ b/setup/so-setup @@ -331,7 +331,7 @@ if [[ ( $is_manager || $is_import) && $is_iso ]]; then if [[ "$INTERWEBS" == 'AIRGAP' ]]; then is_airgap=true fi -elif [[ $is_minion ]]; then +elif [[ $is_minion && $is_iso ]]; then $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" [[ -f /etc/yum.repos.d/airgap_repo.repo ]] >> $setup_log 2>&1 airgap_check=$? [[ $airgap_check ]] && is_airgap=true >> $setup_log 2>&1 From f081938be5195c741f577e42eaa68e59ffadf5e6 Mon Sep 17 00:00:00 2001 From: Burak-PLT <55863083+Burak-PLT@users.noreply.github.com> Date: Thu, 28 Oct 2021 16:00:58 -0400 Subject: [PATCH 11/42] Update auth.sls Change default password lengths to 72 characters from 20. --- salt/elasticsearch/auth.sls | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/salt/elasticsearch/auth.sls b/salt/elasticsearch/auth.sls index 373f2fbed..35d669892 100644 --- a/salt/elasticsearch/auth.sls +++ b/salt/elasticsearch/auth.sls @@ -1,8 +1,8 @@ -{% set so_elastic_user_pass = salt['random.get_str'](20) %} -{% set so_kibana_user_pass = salt['random.get_str'](20) %} -{% set so_logstash_user_pass = salt['random.get_str'](20) %} -{% set so_beats_user_pass = salt['random.get_str'](20) %} -{% set so_monitor_user_pass = salt['random.get_str'](20) %} +{% set so_elastic_user_pass = salt['random.get_str'](72) %} +{% set so_kibana_user_pass = salt['random.get_str'](72) %} +{% set so_logstash_user_pass = salt['random.get_str'](72) %} +{% set so_beats_user_pass = salt['random.get_str'](72) %} +{% set so_monitor_user_pass = salt['random.get_str'](72) %} elastic_auth_pillar: file.managed: From d08149f728b27dcff5b1833465922ab9667b6629 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 29 Oct 2021 10:11:47 -0400 Subject: [PATCH 12/42] Don't set `INTERWEBS` variable on automated minions --- setup/automation/distributed-airgap-search | 1 - setup/automation/distributed-airgap-sensor | 1 - 2 files changed, 2 deletions(-) 
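Review bot: The new length of 72 in all five `salt['random.get_str'](72)` calls matches bcrypt's 72-byte input limit, which is presumably why it was chosen, but the file does not say so and a later maintainer could round it up and get silently truncated passwords; a one-line comment keeps the reason: `{# 72 = bcrypt input limit; anything longer is truncated by the hash #}`. Whether these accounts are bcrypt-hashed, and whether the default character set of random.get_str includes characters that other scripts pass unquoted on a command line, are both outside this hunk and worth confirming.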
diff --git a/setup/automation/distributed-airgap-search b/setup/automation/distributed-airgap-search index 1acee9b1a..7a0888fee 100644 --- a/setup/automation/distributed-airgap-search +++ b/setup/automation/distributed-airgap-search @@ -35,7 +35,6 @@ ADMINPASS2=onionuser HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit HOSTNAME=distributed-search -INTERWEBS=AIRGAP install_type=SEARCHNODE # LSINPUTBATCHCOUNT= # LSINPUTTHREADS= diff --git a/setup/automation/distributed-airgap-sensor b/setup/automation/distributed-airgap-sensor index c8186bf8a..91b9c24a9 100644 --- a/setup/automation/distributed-airgap-sensor +++ b/setup/automation/distributed-airgap-sensor @@ -35,7 +35,6 @@ ZEEKVERSION=ZEEK HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit HOSTNAME=distributed-sensor -INTERWEBS=AIRGAP install_type=SENSOR # LSINPUTBATCHCOUNT= # LSINPUTTHREADS= From b1c67f696e9a261e85e4c079cd4af3330931c0a1 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 29 Oct 2021 10:47:05 -0400 Subject: [PATCH 13/42] Re-order logic to maintain backwards compatibility --- setup/so-setup | 38 ++++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index a2ffdf339..2cef6d876 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -309,6 +309,24 @@ if ! [[ -f $install_opt_file ]]; then copy_ssh_key >> $setup_log 2>&1 fi + # Check if this is an airgap install + if [[ ( $is_manager || $is_import) && $is_iso ]]; then + whiptail_airgap + if [[ "$INTERWEBS" == 'AIRGAP' ]]; then + is_airgap=true + fi + elif [[ $is_minion && $is_iso ]]; then + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" [[ -f /etc/yum.repos.d/airgap_repo.repo ]] >> $setup_log 2>&1 + airgap_check=$? + [[ $airgap_check ]] && is_airgap=true >> $setup_log 2>&1 + fi + + reset_proxy + if [[ -z $is_airgap ]]; then + collect_net_method + [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 + fi + if [[ $is_minion ]] && ! (compare_versions); then info "Installer version mismatch, downloading correct version from manager" printf '%s\n' \ @@ -317,7 +335,9 @@ if ! [[ -f $install_opt_file ]]; then "HOSTNAME=$HOSTNAME" \ "MSRV=$MSRV" \ "MSRVIP=$MSRVIP" \ + "is_airgap=$is_airgap" \ "NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file" + [[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file" download_repo_tarball exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" fi @@ -325,24 +345,6 @@ else rm -rf $install_opt_file >> "$setup_log" 2>&1 fi -# Check if this is an airgap install -if [[ ( $is_manager || $is_import) && $is_iso ]]; then - whiptail_airgap - if [[ "$INTERWEBS" == 'AIRGAP' ]]; then - is_airgap=true - fi -elif [[ $is_minion && $is_iso ]]; then - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" [[ -f /etc/yum.repos.d/airgap_repo.repo ]] >> $setup_log 2>&1 - airgap_check=$? - [[ $airgap_check ]] && is_airgap=true >> $setup_log 2>&1 -fi - -reset_proxy -if [[ -z $is_airgap ]]; then - collect_net_method - [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 -fi - percentage=0 { installer_progress_loop & # Run progress bar to 98 in ~8 minutes while waiting for package installs From f76a52b2ee1dc0cb26bed76b6564372abe70ed6b Mon Sep 17 00:00:00 2001 
From: William Wernert Date: Fri, 29 Oct 2021 13:34:23 -0400 Subject: [PATCH 14/42] Fix NIC string values for VLAN tagged interfaces --- setup/so-functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 62d458911..37e9b5ba9 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -846,7 +846,7 @@ check_requirements() { local req_cores local req_storage local nic_list - readarray -t nic_list <<< "$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "bond0" | sed 's/ //g')" + readarray -t nic_list <<< "$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "bond0" | sed 's/ //g' | sed -r 's/(.*)(\.[0-9]+)@\1/\1\2/g')" local num_nics=${#nic_list[@]} if [[ "$standalone_or_dist" == 'standalone' ]]; then @@ -1374,7 +1374,7 @@ filter_unused_nics() { fi # Finally, set filtered_nics to any NICs we aren't using (and ignore interfaces that aren't of use) - filtered_nics=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string" | sed 's/ //g') + filtered_nics=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string" | sed 's/ //g' | sed -r 's/(.*)(\.[0-9]+)@\1/\1\2/g') readarray -t filtered_nics <<< "$filtered_nics" nic_list=() From 2ba619144cc6a87a15a3d17e87e68337e0206748 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 2 Nov 2021 08:23:29 -0400 Subject: [PATCH 15/42] Support non-WEL Beats --- salt/elasticsearch/files/ingest/beats.common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/beats.common b/salt/elasticsearch/files/ingest/beats.common index 4e358582e..3cfa33521 100644 --- a/salt/elasticsearch/files/ingest/beats.common +++ b/salt/elasticsearch/files/ingest/beats.common 
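Review bot: The added `sed -r 's/(.*)(\.[0-9]+)@\1/\1\2/g'` is identical in `check_requirements` and `filter_unused_nics` and dense enough to deserve a comment and one shared helper rather than two copies. Until then a comment on each line would do: `# ip link prints VLAN sub-interfaces as eth0.100@eth0; keep only eth0.100`. Other `name@parent` forms (a non-numeric suffix, or a parent that is not the name's prefix) are not matched by the back-reference and keep their `@...` part, which may or may not be intended. Both functions start before their hunks.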
@@ -2,7 +2,7 @@ "description" : "beats.common", "processors" : [ { "pipeline": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'", "name": "sysmon" } }, - { "pipeline": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'", "name":"win.eventlogs" } }, + { "pipeline": { "if": "ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational' && ctx.containsKey('winlog')", "name":"win.eventlogs" } }, { "pipeline": { "name": "common" } } ] } \ No newline at end of file From b756c0cd38244f3eda728658710504eb6f54650c Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 2 Nov 2021 08:57:11 -0400 Subject: [PATCH 16/42] Pull ES Creds at Runtime --- salt/common/tools/sbin/so-import-evtx | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-import-evtx b/salt/common/tools/sbin/so-import-evtx index 9e640beaa..274a2835d 100755 --- a/salt/common/tools/sbin/so-import-evtx +++ b/salt/common/tools/sbin/so-import-evtx @@ -41,13 +41,16 @@ function evtx2es() { EVTX=$1 HASH=$2 + ES_PW=$(lookup_pillar "auth:users:so_elastic_user:pass" "elasticsearch") + ES_USER=$(lookup_pillar "auth:users:so_elastic_user:user" "elasticsearch") + docker run --rm \ -v "$EVTX:/tmp/$RUNID.evtx" \ --entrypoint evtx2es \ {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} \ --host {{ MANAGERIP }} --scheme https \ --index so-beats-$INDEX_DATE --pipeline import.wel \ - --login {{ES_USER}} --pwd {{ES_PW}} \ + --login $ES_USER --pwd $ES_PW \ "/tmp/$RUNID.evtx" 1>/dev/null 2>/dev/null docker run --rm \ From 35342565170b756e74e449c856b3061dea6f6174 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 2 Nov 2021 09:03:52 -0400 Subject: [PATCH 17/42] Add evtx import logging --- salt/common/tools/sbin/so-import-evtx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-import-evtx b/salt/common/tools/sbin/so-import-evtx index 274a2835d..d00e4b13d 100755 
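Review bot: The new condition `ctx.winlog?.channel != '...' && ctx.containsKey('winlog')` works because `?.` yields null for events without winlog, but it reads backwards; putting the existence test first states the intent and short-circuits the field access: `"if": "ctx.containsKey('winlog') && ctx.winlog?.channel != 'Microsoft-Windows-Sysmon/Operational'"`. Events without winlog now reach only the `common` pipeline, which appears to be the goal of the commit.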
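Review bot: `--login $ES_USER --pwd $ES_PW` on the new line is unquoted, so a password containing glob or whitespace characters is split or expanded before docker sees it, and if `lookup_pillar` returns nothing the `--pwd` option silently consumes the next argument. Quote both, `--login "$ES_USER" --pwd "$ES_PW" \`, and stop when a lookup is empty, e.g. `[[ -n $ES_PW ]] || { echo "Unable to read elastic credentials from pillar"; exit 1; }`. The password also ends up on the `docker run` command line, visible to local process listings while evtx2es runs; an environment variable or mounted config would avoid that if evtx2es supports one, which is not visible here. `evtx2es` starts before this hunk.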
--- a/salt/common/tools/sbin/so-import-evtx +++ b/salt/common/tools/sbin/so-import-evtx @@ -25,6 +25,7 @@ INDEX_DATE=$(date +'%Y.%m.%d') RUNID=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1) +LOG_FILE=/nsm/import/evtx-import.log . /usr/sbin/so-common @@ -51,7 +52,7 @@ function evtx2es() { --host {{ MANAGERIP }} --scheme https \ --index so-beats-$INDEX_DATE --pipeline import.wel \ --login $ES_USER --pwd $ES_PW \ - "/tmp/$RUNID.evtx" 1>/dev/null 2>/dev/null + "/tmp/$RUNID.evtx" 1>/dev/null > $LOG_FILE 2>&1 docker run --rm \ -v "$EVTX:/tmp/import.evtx" \ From a6f399acf45f5706bf4e147057846ede4e1a0374 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 2 Nov 2021 09:19:32 -0400 Subject: [PATCH 18/42] Fix evtx import logging --- salt/common/tools/sbin/so-import-evtx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-import-evtx b/salt/common/tools/sbin/so-import-evtx index d00e4b13d..83815eecd 100755 --- a/salt/common/tools/sbin/so-import-evtx +++ b/salt/common/tools/sbin/so-import-evtx @@ -52,7 +52,7 @@ function evtx2es() { --host {{ MANAGERIP }} --scheme https \ --index so-beats-$INDEX_DATE --pipeline import.wel \ --login $ES_USER --pwd $ES_PW \ - "/tmp/$RUNID.evtx" 1>/dev/null > $LOG_FILE 2>&1 + "/tmp/$RUNID.evtx" >> $LOG_FILE 2>&1 docker run --rm \ -v "$EVTX:/tmp/import.evtx" \ From 9a9d1480de89eab71cd2ba2f9a21073955dd6741 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 2 Nov 2021 10:41:36 -0400 Subject: [PATCH 19/42] Manage docker group's gid to prevent gid overlap --- salt/common/init.sls | 5 +++++ salt/salt/minion.sls | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 05dd7023f..17cea3480 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -9,6 +9,11 @@ rmvariablesfile: file.absent: - name: /tmp/variables.txt +dockergroup: + group.present: + - name: docker + - gid: 920 + # Add socore Group socoregroup: group.present: 
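Review bot: `>> $LOG_FILE 2>&1` now keeps evtx2es output under `/nsm/import/evtx-import.log`, but nothing creates that directory or sets the log's mode; if the directory is missing the redirect fails and the output is lost, and if evtx2es echoes its arguments on error the `--pwd` value would land in a file created under the default umask. A `mkdir -p "$(dirname "$LOG_FILE")"` next to the `LOG_FILE=` assignment plus an explicit restrictive mode covers both; whether evtx2es prints its options is worth confirming. The function continues outside the hunk.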
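Review bot: `dockergroup` pins the docker group to gid 920, which addresses the overlap the commit describes, but on a host where `docker` already exists with another gid the state renumbers it, and where 920 is already taken it fails; neither case is explained in the state. A comment naming the constraint helps the next reader: `# Fixed gid so docker is never assigned a gid later claimed by an SO service group`. If the docker package creates the group itself, ordering this state before that package install is what actually prevents the collision, which is not visible here.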
diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls index 3db257d1b..04fc1769c 100644 --- a/salt/salt/minion.sls +++ b/salt/salt/minion.sls @@ -87,4 +87,4 @@ salt_minion_service: patch_pkg: pkg.installed: - - name: patch \ No newline at end of file + - name: patch From e6adb46364db153c66b51a4bde00bb172e8a5de1 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 2 Nov 2021 11:18:23 -0400 Subject: [PATCH 20/42] Run so-preflight during setup --- setup/so-functions | 3 ++- setup/so-preflight | 40 +++++++++++++++++++++++++++++++++------- setup/so-setup | 17 ++++++++++++++++- setup/so-whiptail | 16 +++++++++++++++- 4 files changed, 66 insertions(+), 10 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 37e9b5ba9..6d46b4bb4 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1124,9 +1124,10 @@ detect_os() { installer_progress_loop() { local i=0 + local msg="${1:-Performing background actions...}" while true; do [[ $i -lt 98 ]] && ((i++)) - set_progress_str "$i" 'Checking that all required packages are installed and enabled...' nolog + set_progress_str "$i" "$msg" nolog [[ $i -gt 0 ]] && sleep 5s done } diff --git a/setup/so-preflight b/setup/so-preflight index 2943191eb..e30b7872d 100644 --- a/setup/so-preflight +++ b/setup/so-preflight @@ -18,7 +18,13 @@ source ../salt/common/tools/sbin/so-common source ./so-functions -preflight_log='/root/preflight.log' +script_run="$1" + +if [[ $script_run == true ]]; then + preflight_log="${2:-'/root/preflight.log'}" +else + preflight_log='/root/preflight.log' +fi check_default_repos() { local ret_code=0 @@ -72,7 +78,8 @@ check_new_repos() { check_misc_urls() { printf ' Checking various other URLs used by setup.' | tee -a "$preflight_log" - local so_version=$(cat ../VERSION) + local so_version + so_version=$(cat ../VERSION) local url_arr=( "https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS" "https://github.com/Neo23x0/signature-base" 
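Review bot: `preflight_log="${2:-'/root/preflight.log'}"` keeps the single quotes in the default, because quotes inside `${…:-…}` within a double-quoted string are literal, so running so-preflight with `true` and no second argument logs to a file literally named `'/root/preflight.log'`, quotes included. Drop the inner quotes, `preflight_log="${2:-/root/preflight.log}"`, which also makes the `else` branch redundant. Since `$1` is compared against the literal word `true`, a comment on what `script_run` means (invoked from so-setup, log to the given file, no tee) would help.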
@@ -112,10 +119,18 @@ __check_url_arr() { } main() { + local intro_str="Beginning pre-flight checks." + local success_str="Pre-flight checks completed successfully!" + local fail_str="Pre-flight checks could not complete." + detect_os "$preflight_log" [[ -f $preflight_log ]] || touch "$preflight_log" - echo "Beginning pre-flight checks." | tee "$preflight_log" + if [[ $script_run == true ]]; then + echo "$intro_str" + else + echo "$intro_str" | tee "$preflight_log" + fi check_default_repos &&\ check_new_repos &&\ check_misc_urls @@ -124,12 +139,23 @@ main() { echo "" if [[ $success == 0 ]]; then - echo -e "Pre-flight checks completed successfully!\n" | tee -a "$preflight_log" + if [[ $script_run == true ]]; then + echo "$success_str" + else + echo "$success_str" | tee -a "$preflight_log" + echo "" + fi else - echo -e "Pre-flight checks could not complete." | tee -a "$preflight_log" - echo -e " Check $preflight_log for details.\n" - exit 1 + if [[ $script_run == true ]]; then + echo "$fail_str" + else + echo "$fail_str" | tee -a "$preflight_log" + echo "Check $preflight_log for details." + echo "" + fi fi + + exit $success } main diff --git a/setup/so-setup b/setup/so-setup index 2cef6d876..2dbf9935e 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -345,9 +345,24 @@ else rm -rf $install_opt_file >> "$setup_log" 2>&1 fi +if [[ -z $is_airgap ]]; then + percentage=0 + { + installer_progress_loop 'Running preflight checks...' & + progress_bg_proc=$! + ./so-preflight true "$setup_log" >> $setup_log 2>&1 + preflight_ret=$? + kill -9 "$progress_bg_proc" + wait "$progress_bg_proc" &> /dev/null + if [[ $preflight_ret -gt 0 ]] && ! ( whiptail_preflight_err ); then + whiptail_cancel + fi + } | progress '...' +fi + percentage=0 { - installer_progress_loop & # Run progress bar to 98 in ~8 minutes while waiting for package installs + installer_progress_loop 'Checking that all required packages are installed and enabled...' & # Run progress bar to 98 in ~8 minutes while waiting for package installs progress_bg_proc=$! installer_prereq_packages install_success=$? diff --git a/setup/so-whiptail b/setup/so-whiptail index 130ae96bb..371897eb8 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -95,7 +95,7 @@ whiptail_cancel() { title "User cancelled setup." - exit + exit 1 } whiptail_check_exitstatus() { @@ -1489,6 +1489,20 @@ whiptail_patch_schedule_select_hours() { } +whiptail_preflight_err() { + [ -n "$TESTING" ] && return + + read -r -d '' message <<- EOM + The so-preflight script failed checking one or more URLs required by setup. Check $setup_log for more details. + + Would you like to exit setup? + EOM + + whiptail --title "$whiptail_title" \ + --yesno "$message" 11 75 \ + --yes-button "Continue" --no-button "Exit" --defaultno +} + whiptail_proxy_ask() { [ -n "$TESTING" ] && return From 9671dab2a3a5d9bf7ba21ed7b9d2efd90772c16e Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 2 Nov 2021 11:48:24 -0400 Subject: [PATCH 21/42] Make so-preflight executable --- setup/so-preflight | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 setup/so-preflight diff --git a/setup/so-preflight b/setup/so-preflight old mode 100644 new mode 100755 
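Review bot: `./so-preflight true "$setup_log" >> $setup_log 2>&1` passes setup_log as the preflight log and also redirects stdout into it, yet the check functions in so-preflight still `tee -a "$preflight_log"` their progress strings (see `check_misc_urls` in the earlier hunk), so each of those lines is written to setup_log twice. Either pass a separate preflight log and let the redirect carry stdout, or make the script_run branch skip tee throughout. `preflight_ret` is also assigned inside `{ … } | progress`, i.e. in a subshell, so the value does not survive the block.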
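Review bot: `whiptail_preflight_err` returns 0 when the user picks the yes-button, which is labelled "Continue", so callers must negate it to detect Exit; that inversion deserves a comment above the whiptail call: `# Yes ("Continue") -> 0, No ("Exit", the default) -> 1; callers treat non-zero as cancel`. The heredoc uses `<<-`, which strips leading tabs only, so the message lines must be tab-indented or they render with their indentation.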
From e4a77acfe6b490ef43c0d0924b7b1199e7db7914 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 2 Nov 2021 12:03:42 -0400 Subject: [PATCH 22/42] Move whiptail menus outside of progress func --- setup/so-setup | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 2dbf9935e..b4e469ced 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -352,12 +352,15 @@ if [[ -z $is_airgap ]]; then progress_bg_proc=$! ./so-preflight true "$setup_log" >> $setup_log 2>&1 preflight_ret=$? + echo "$preflight_ret" > /tmp/preflight_ret kill -9 "$progress_bg_proc" wait "$progress_bg_proc" &> /dev/null - if [[ $preflight_ret -gt 0 ]] && ! ( whiptail_preflight_err ); then - whiptail_cancel - fi } | progress '...' + [[ -f /tmp/setup_tmp_var ]] && preflight_ret=$(cat /tmp/preflight_ret) + rm /tmp/preflight_ret + if [[ -n $preflight_ret && $preflight_ret -gt 0 ]] && ! ( whiptail_preflight_err ); then + whiptail_cancel + fi fi percentage=0 From 7c7c225a415695fd854643e674e369c43e61f673 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 2 Nov 2021 14:01:21 -0400 Subject: [PATCH 23/42] Fix tmp file check --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index b4e469ced..d71511971 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -356,7 +356,7 @@ if [[ -z $is_airgap ]]; then kill -9 "$progress_bg_proc" wait "$progress_bg_proc" &> /dev/null } | progress '...' - [[ -f /tmp/setup_tmp_var ]] && preflight_ret=$(cat /tmp/preflight_ret) + [[ -f /tmp/preflight_ret ]] && preflight_ret=$(cat /tmp/preflight_ret) rm /tmp/preflight_ret if [[ -n $preflight_ret && $preflight_ret -gt 0 ]] && ! ( whiptail_preflight_err ); then whiptail_cancel From 8670aa6cd84e4b8d5ab8118567228d289eb6a492 Mon Sep 17 00:00:00 2001 
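Review bot: `/tmp/preflight_ret` is a fixed, predictable path written as root from inside the progress pipeline and read back with `cat`; a pre-existing file or symlink of that name would be followed or overwritten, and the unconditional `rm /tmp/preflight_ret` prints an error if the write never happened. A `mktemp` path created before the block avoids both: `preflight_ret_file=$(mktemp)` up front, `echo "$preflight_ret" > "$preflight_ret_file"` inside, and `rm -f "$preflight_ret_file"` afterwards. The file exists only to carry the status out of the `{ … } | progress` subshell, which a comment on the `echo` line should say.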
From: William Wernert Date: Tue, 2 Nov 2021 14:29:58 -0400 Subject: [PATCH 24/42] Run check-update in preflight instead of update --- setup/so-preflight | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-preflight b/setup/so-preflight index e30b7872d..fd6b5f736 100755 --- a/setup/so-preflight +++ b/setup/so-preflight @@ -33,7 +33,7 @@ check_default_repos() { if [[ $OS == 'centos' ]]; then printf '%s' 'yum update.' | tee -a "$preflight_log" echo "" >> "$preflight_log" - yum -y update >> $preflight_log 2>&1 + yum -y check-update >> $preflight_log 2>&1 ret_code=$? else printf '%s' 'apt update.' | tee -a "$preflight_log" From d927e79154ce318cad8513385d56077ff1c5b7b2 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 2 Nov 2021 16:17:08 -0400 Subject: [PATCH 25/42] Exit on failed preflight check during testing --- setup/so-whiptail | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 371897eb8..cbfa5a886 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -84,6 +84,8 @@ whiptail_bond_nics_mtu() { whiptail_cancel() { + [ -n "$TESTING" ] && exit 1 + whiptail --title "$whiptail_title" --msgbox "Cancelling Setup." 8 75 if [ -d "/root/installtmp" ]; then { @@ -1490,7 +1492,7 @@ whiptail_patch_schedule_select_hours() { } whiptail_preflight_err() { - [ -n "$TESTING" ] && return + [ -n "$TESTING" ] && return 1 read -r -d '' message <<- EOM The so-preflight script failed checking one or more URLs required by setup. Check $setup_log for more details. From fb35ff40b49451b1ce3e27cd296b2e4f2e3eb971 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 3 Nov 2021 09:19:41 -0400 Subject: [PATCH 26/42] Just hide whiptail cancel message on test installs --- setup/so-whiptail | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index cbfa5a886..95650415c 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
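Review bot: `yum -y check-update` exits 100 when updates are available, 1 on error and 0 only when nothing is pending, so with `ret_code=$?` unchanged every CentOS host that has pending updates now fails the repo check. Map the "updates available" code to success: `yum -y check-update >> $preflight_log 2>&1; ret_code=$?; [[ $ret_code -eq 100 ]] && ret_code=0`. How ret_code becomes the function's return value is outside this hunk, and the `printf '%s' 'yum update.'` label above is now slightly misleading.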
@@ -83,10 +83,8 @@ whiptail_bond_nics_mtu() {
 }
 
 whiptail_cancel() {
-
- [ -n "$TESTING" ] && exit 1
-
- whiptail --title "$whiptail_title" --msgbox "Cancelling Setup." 8 75
+ [ -z "$TESTING" ] && whiptail --title "$whiptail_title" --msgbox "Cancelling Setup." 8 75
+
 if [ -d "/root/installtmp" ]; then
 {
 echo "/root/installtmp exists";
From 747f14d60e558059468665b01126fcc20d996e18 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 3 Nov 2021 13:11:38 -0400
Subject: [PATCH 27/42] Make common template honor replicas
---
 .../templates/so/so-common-template.json.jinja | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/salt/elasticsearch/templates/so/so-common-template.json.jinja b/salt/elasticsearch/templates/so/so-common-template.json.jinja
index 4394ebb65..3ffae5c84 100644
--- a/salt/elasticsearch/templates/so/so-common-template.json.jinja
+++ b/salt/elasticsearch/templates/so/so-common-template.json.jinja
@@ -1,12 +1,14 @@
 {%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', True) %}
+{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cisco:refresh', '30s') %}
 {
 "index_patterns": ["so-*"],
 "version":50001,
 "order":10,
 "settings":{
- "number_of_replicas":0,
+ "number_of_replicas":{{ REPLICAS }},
 "number_of_shards":1,
- "index.refresh_interval":"30s",
+ "index.refresh_interval":"{{ REFRESH }}",
 "index.routing.allocation.require.box_type":"hot",
 "index.mapping.total_fields.limit": "1500",
 {%- if INDEX_SORTING is sameas true %}
From dc07aba63dd3c73f91740aacc07257f0a75a97d2 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 3 Nov 2021 13:50:31 -0400
Subject: [PATCH 28/42] Update so-common-template.json.jinja
---
 salt/elasticsearch/templates/so/so-common-template.json.jinja | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
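Review bot: `{{ REPLICAS }}` and `{{ REFRESH }}` are spliced into the JSON template unfiltered, so a pillar value that is not an integer (for replicas) or that contains a quote or backslash (for the refresh interval) yields an unparseable template that only fails when the state is applied, rather than a clear rendering error. Render them through Jinja's type-aware filters: `"number_of_replicas":{{ REPLICAS | int }},` and `"index.refresh_interval":{{ REFRESH | tojson }},` (dropping the hand-written quotes on the second, since `tojson` emits them). A one-line comment above the two `set` lines naming the pillar paths operators are expected to override would also help whoever tunes these.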
diff --git a/salt/elasticsearch/templates/so/so-common-template.json.jinja b/salt/elasticsearch/templates/so/so-common-template.json.jinja
index 3ffae5c84..4a41cba8a 100644
--- a/salt/elasticsearch/templates/so/so-common-template.json.jinja
+++ b/salt/elasticsearch/templates/so/so-common-template.json.jinja
@@ -1,6 +1,6 @@
 {%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', True) %}
 {%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
-{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-cisco:refresh', '30s') %}
+{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-common:refresh', '30s') %}
 {
 "index_patterns": ["so-*"],
 "version":50001,
From 988932293f41f5cad5571b1dfd3f70be6d187cee Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Fri, 5 Nov 2021 15:54:17 -0400
Subject: [PATCH 29/42] Whiptail changes
* Ask whether to join to or create new dist install
* Also add links to architecture on install type prompts
---
 setup/so-whiptail | 42 ++++++++++++++++++++++++++++++++++++------
 1 file changed, 36 insertions(+), 6 deletions(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 95650415c..8e137b8f5 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -735,7 +735,7 @@ whiptail_install_type() {
 
 # What kind of install are we doing?
 install_type=$(whiptail --title "$whiptail_title" --radiolist \
- "Choose install type:" 12 65 5 \
+ "Choose install type. See https://docs.securityonion.net/architecture for details." 12 65 5 \
 "EVAL" "Evaluation mode (not for production) " ON \
 "STANDALONE" "Standalone production install " OFF \
 "DISTRIBUTED" "Distributed install submenu " OFF \
@@ -749,6 +749,11 @@ whiptail_install_type() {
 
 if [[ $install_type == "DISTRIBUTED" ]]; then
 whiptail_install_type_dist
+ if [[ $dist_option == "NEWDEPLOYMENT" ]]; then
+ whiptail_install_type_dist_new
+ else
+ whiptail_install_type_dist_existing
+ fi
 elif [[ $install_type == "OTHER" ]]; then
 whiptail_install_type_other
 fi
@@ -759,13 +764,39 @@ whiptail_install_type() {
 whiptail_install_type_dist() {
 
 [ -n "$TESTING" ] && return
+
+ dist_option=$(whiptail --title "$whiptail_title" --menu "Do you want to start a new deployment or join this box to an existing deployment?" 10 75 2 \
+ "New Deployment " "Create a new Security Onion deployment" \
+ "Existing Deployment " "Join to an exisiting Security Onion deployment " \
+ 3>&1 1>&2 2>&3
+ )
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
+ dist_option=$(echo "${option^^}" | tr -d ' ')
+}
+
+whiptail_install_type_dist_new() {
+ [ -n "$TESTING" ] && return
 
 install_type=$(whiptail --title "$whiptail_title" --radiolist \
- "Choose distributed node type:" 13 60 6 \
- "MANAGER" "Start a new grid " ON \
+ "Choose distributed manager type. See https://docs.securityonion.net/architecture for details." 24 60 6 \
+ "MANAGER" "Start a new grid - requires separate search node(s) " ON \
+ "MANAGERSEARCH" "Start a new grid - separate search node(s) are optional " OFF \
+ 3>&1 1>&2 2>&3
+ )
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+}
+
+whiptail_install_type_dist_existing() {
+ [ -n "$TESTING" ] && return
+
+ install_type=$(whiptail --title "$whiptail_title" --radiolist \
+ "Choose distributed node type. See https://docs.securityonion.net/architecture for details." 13 60 6 \
 "SENSOR" "Create a forward only sensor " OFF \
 "SEARCHNODE" "Add a search node with parsing " OFF \
- "MANAGERSEARCH" "Manager + search node " OFF \
 "FLEET" "Dedicated Fleet Osquery Node " OFF \
 "HEAVYNODE" "Sensor + Search Node " OFF \
 3>&1 1>&2 2>&3
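Review bot: The `--menu` label `"Join to an exisiting Security Onion deployment "` in whiptail_install_type_dist is user-visible text and misspells "existing": `"Existing Deployment " "Join to an existing Security Onion deployment " \`. None of the three new functions states what it leaves behind for the caller, which matters because whiptail_install_type reads `dist_option` immediately after calling the first one; a header comment on each would do, e.g. `# Sets dist_option to NEWDEPLOYMENT or EXISTINGDEPLOYMENT; left unset under TESTING` above whiptail_install_type_dist and `# Sets install_type from the user's choice; left untouched under TESTING` above the two node-type functions. The hunk ends inside whiptail_install_type_dist_existing.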
@@ -777,8 +808,6 @@ whiptail_install_type_dist() {
 
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
-
- export install_type
 }
 
 whiptail_install_type_other() {
@@ -907,6 +936,7 @@ whiptail_first_menu_iso() {
 option=$(echo "${option^^}" | tr -d ' ')
 }
 
+
 whiptail_make_changes() {
 [ -n "$TESTING" ] && return
 
From 246d41c55270292454f7121914cbcbdeb6f904d1 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Fri, 5 Nov 2021 15:56:08 -0400
Subject: [PATCH 30/42] Add additional checks for manager hostname + ip
Check for current hostname, ip, and localhost (ip + string) when setting the manager ip and hostname
---
 setup/so-functions | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index 6d46b4bb4..410cc5970 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -470,7 +470,7 @@ collect_int_ip_mask() {
 
 collect_mngr_hostname() {
 whiptail_management_server
- while ! valid_hostname "$MSRV"; do
+ while ! valid_hostname "$MSRV" || [[ $MSRV == "$HOSTNAME" || $MSRVIP == "localhost" ]]; do
 whiptail_invalid_hostname
 whiptail_management_server "$MSRV"
 done
@@ -478,7 +478,7 @@ collect_mngr_hostname() {
 if ! getent hosts "$MSRV"; then
 
 whiptail_manager_ip
- while ! valid_ip4 "$MSRVIP"; do
+ while ! valid_ip4 "$MSRVIP" || [[ $MSRVIP == "$MAINIP" || $MSRVIP == "127.0.0.1" ]]; do
 whiptail_invalid_input
 whiptail_manager_ip "$MSRVIP"
 done
From dcf6dfb676f7572c176983b517072b9d3a69860b Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Mon, 8 Nov 2021 06:38:16 -0500
Subject: [PATCH 31/42] Improve clarity
---
 CONTRIBUTING.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 02ab437fb..aeb33ad8f 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
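Review bot: Removing `export install_type` here turns install_type back into a shell-local variable, and the new whiptail_install_type_dist_new never exports it either, so anything that runs as a child process rather than being sourced would no longer see the chosen type; I cannot tell from this hunk whether such a consumer exists. If the export was vestigial, a comment at the remaining assignment saying so would stop the next reader re-adding it; if not, restore `export install_type` after `whiptail_check_exitstatus $exitstatus` in both node-type functions.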
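Review bot: The new manager-IP guard rejects only the literal `127.0.0.1`, so any other loopback address (`127.0.0.2`, `127.1.1.1`, …) and `0.0.0.0` still pass `valid_ip4` and are accepted as the manager address. A glob inside the same `[[ ]]` covers the whole block: `while ! valid_ip4 "$MSRVIP" || [[ $MSRVIP == "$MAINIP" || $MSRVIP == 127.* || $MSRVIP == "0.0.0.0" ]]; do`. The rejection also reuses the generic whiptail_invalid_input message, so the user is not told that the address was well-formed but not allowed; a message naming the reason (this host's own address, loopback) would make the loop less confusing.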
@@ -15,7 +15,7 @@ ### Contributing code
-* **All commits must be signed** with a valid key that has been added to your GitHub account. The commits should have all the "**Verified**" tag when viewed on GitHub as shown below:
+* **All commits must be signed** with a valid key that has been added to your GitHub account. Each commit should have the "**Verified**" tag when viewed on GitHub as shown below:
From 9c4bba9ac95a0d039967eae4568fd5248a32ccfb Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 8 Nov 2021 10:08:23 -0500
Subject: [PATCH 32/42] Fix variable reference
---
 setup/so-whiptail | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 8e137b8f5..08a1d369e 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -773,7 +773,7 @@ whiptail_install_type_dist() {
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
 
- dist_option=$(echo "${option^^}" | tr -d ' ')
+ dist_option=$(echo "${dist_option^^}" | tr -d ' ')
 }
 
 whiptail_install_type_dist_new() {
From dbe4a7de6342ccce451454446808c0e82449d542 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 8 Nov 2021 10:19:38 -0500
Subject: [PATCH 33/42] Fix new whiptail layouts
---
 setup/so-whiptail | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 08a1d369e..8d7782272 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -780,9 +780,9 @@ whiptail_install_type_dist_new() {
 [ -n "$TESTING" ] && return
 
 install_type=$(whiptail --title "$whiptail_title" --radiolist \
- "Choose distributed manager type. See https://docs.securityonion.net/architecture for details." 24 60 6 \
- "MANAGER" "Start a new grid - requires separate search node(s) " ON \
- "MANAGERSEARCH" "Start a new grid - separate search node(s) are optional " OFF \
+ "Choose distributed manager type to start a new grid. See https://docs.securityonion.net/architecture for details." 10 75 2 \
+ "MANAGER" "New grid, requires separate search node(s) " ON \
+ "MANAGERSEARCH" "New grid, separate search node(s) are optional " OFF \
 3>&1 1>&2 2>&3
 )
 
@@ -794,8 +794,8 @@ whiptail_install_type_dist_existing() {
 [ -n "$TESTING" ] && return
 
 install_type=$(whiptail --title "$whiptail_title" --radiolist \
- "Choose distributed node type. See https://docs.securityonion.net/architecture for details." 13 60 6 \
- "SENSOR" "Create a forward only sensor " OFF \
+ "Choose distributed node type to join to an existing grid. See https://docs.securityonion.net/architecture for details." 14 57 4 \
+ "SENSOR" "Create a forward only sensor " ON \
 "SEARCHNODE" "Add a search node with parsing " OFF \
 "FLEET" "Dedicated Fleet Osquery Node " OFF \
 "HEAVYNODE" "Sensor + Search Node " OFF \
From 8b2cccdf4ab367319010e29fa1b70c8e2e4e13ac Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 8 Nov 2021 10:21:17 -0500
Subject: [PATCH 34/42] More whiptail formatting
---
 setup/so-whiptail | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 8d7782272..2f3b54215 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -765,7 +765,7 @@ whiptail_install_type_dist() {
 
 [ -n "$TESTING" ] && return
 
- dist_option=$(whiptail --title "$whiptail_title" --menu "Do you want to start a new deployment or join this box to an existing deployment?" 10 75 2 \
+ dist_option=$(whiptail --title "$whiptail_title" --menu "Do you want to start a new deployment or join this box to \nan existing deployment?" 10 75 2 \
 "New Deployment " "Create a new Security Onion deployment" \
 "Existing Deployment " "Join to an exisiting Security Onion deployment " \
 3>&1 1>&2 2>&3
From ad71485361d13accc6fd70fc70756ed685a0e740 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 8 Nov 2021 10:21:55 -0500
Subject: [PATCH 35/42] Fix whiptail height
---
 setup/so-whiptail | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 2f3b54215..877daf966 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -765,7 +765,7 @@ whiptail_install_type_dist() {
 
 [ -n "$TESTING" ] && return
 
- dist_option=$(whiptail --title "$whiptail_title" --menu "Do you want to start a new deployment or join this box to \nan existing deployment?" 10 75 2 \
+ dist_option=$(whiptail --title "$whiptail_title" --menu "Do you want to start a new deployment or join this box to \nan existing deployment?" 11 75 2 \
 "New Deployment " "Create a new Security Onion deployment" \
 "Existing Deployment " "Join to an exisiting Security Onion deployment " \
 3>&1 1>&2 2>&3
From 50b7779d6e15d1608dafc665f2cb7a691031086e Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 8 Nov 2021 10:35:28 -0500
Subject: [PATCH 36/42] Make manager hostname error more specific
---
 setup/so-functions | 7 ++++++-
 setup/so-whiptail | 18 ++++++++++++++----
 2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index 410cc5970..0ac5df697 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -470,11 +470,16 @@ collect_int_ip_mask() {
 
 collect_mngr_hostname() {
 whiptail_management_server
- while ! valid_hostname "$MSRV" || [[ $MSRV == "$HOSTNAME" || $MSRVIP == "localhost" ]]; do
+ while ! valid_hostname "$MSRV"; do
 whiptail_invalid_hostname
 whiptail_management_server "$MSRV"
 done
 
+ while [[ $MSRV == "$HOSTNAME" || $MSRVIP == "localhost" ]]; do
+ whiptail_invalid_hostname 0
+ whiptail_management_server "$MSRV"
+ done
+
 if ! getent hosts "$MSRV"; then
 
 whiptail_manager_ip
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 877daf966..db5e36516 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -841,7 +841,6 @@ whiptail_invalid_input() { # TODO: This should accept a list of arguments to spe
 [ -n "$TESTING" ] && return
 
 whiptail --title "$whiptail_title" --msgbox " Invalid input, please try again." 7 40
-
 }
 
 whiptail_invalid_proxy() {
@@ -888,10 +887,21 @@ whiptail_invalid_user_warning() {
 
 whiptail_invalid_hostname() {
 [ -n "$TESTING" ] && return
+ local is_manager_hostname
+ is_manager_hostname="$1"
+
 local error_message
- error_message=$(echo "Please choose a valid hostname. It cannot be localhost; and must contain only \
- the ASCII letters 'A-Z' and 'a-z' (case-sensitive), the digits '0' through '9', \
- and hyphen ('-')" | tr -d '\t')
+ read -r -d '' error_message <<- EOM
+ Please choose a valid hostname. It cannot be localhost; and must contain only the ASCII letters 'A-Z' and 'a-z' (case-sensitive), the digits '0' through '9', and hyphen ('-')
+ EOM
+
+ if [[ $is_manager_hostname = 0 ]]; then
+ local error_message
+ read -r -d '' error_message <<- EOM
+ Please enter a valid hostname. The manager hostname cannot be localhost or the chosen hostname for this machine.
+ EOM
+
+ fi
 
 whiptail --title "$whiptail_title" \
 --msgbox "$error_message" 10 75
From ee2dd75dfd7c7394e3f9b5255e001b38d9bc3864 Mon Sep 17 00:00:00 2001
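Review bot: The new second loop only runs after the first has accepted a syntactically valid name, and the value it re-prompts for is never passed back through `valid_hostname`, so entering this machine's own hostname and then an invalid name at the follow-up prompt is accepted. Fold both tests into one loop and choose the message by which test failed; the fence below uses the condition as it stands after PATCH 37/42 and 38/42, which only correct the variable name and keep the sequential structure. collect_mngr_hostname continues past the hunk.
```shell
collect_mngr_hostname() {
  whiptail_management_server
  while ! valid_hostname "$MSRV" || [[ $MSRV == "$HOSTNAME" ]]; do
    if valid_hostname "$MSRV"; then
      whiptail_invalid_hostname 0   # well-formed, but it is this machine's own hostname
    else
      whiptail_invalid_hostname
    fi
    whiptail_management_server "$MSRV"
  done
  # … unchanged: manager IP prompt …
```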
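Review bot: The `local error_message` inside the `if [[ $is_manager_hostname = 0 ]]` branch re-declares a name that is already local a few lines up and is overwritten by the `read` on the next line, so it can be deleted. The flag is positional and `0` reads as "false" even though it selects the manager-specific text, so document it at the top of the function: `# $1: pass 0 when the rejected name is the manager hostname that matched this machine's own hostname (see collect_mngr_hostname); anything else shows the generic hostname rules`. `<<- EOM` strips leading tabs only, so if these heredoc bodies are indented with spaces the indentation is shown verbatim in the dialog — worth confirming in the editor, also for the two heredocs PATCH 39/42 adds. The function's closing brace is below the hunk.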
From: William Wernert
Date: Mon, 8 Nov 2021 10:36:36 -0500
Subject: [PATCH 37/42] Fix variable ref
---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index 0ac5df697..2a8a6ff88 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -475,7 +475,7 @@ collect_mngr_hostname() {
 whiptail_management_server "$MSRV"
 done
 
- while [[ $MSRV == "$HOSTNAME" || $MSRVIP == "localhost" ]]; do
+ while [[ $MSRV == "$HOSTNAME" || $MSRV == "localhost" ]]; do
 whiptail_invalid_hostname 0
 whiptail_management_server "$MSRV"
 done
From f66d915f5df06dc82976b971b14a9728bf1a6435 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 8 Nov 2021 10:38:30 -0500
Subject: [PATCH 38/42] Normal hostname check already checks for localhost
---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index 2a8a6ff88..a9925c80d 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -475,7 +475,7 @@ collect_mngr_hostname() {
 whiptail_management_server "$MSRV"
 done
 
- while [[ $MSRV == "$HOSTNAME" || $MSRV == "localhost" ]]; do
+ while [[ $MSRV == "$HOSTNAME" ]]; do
 whiptail_invalid_hostname 0
 whiptail_management_server "$MSRV"
 done
From acba82d1948b298f3a9721abede8b7575440b90a Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 8 Nov 2021 11:04:51 -0500
Subject: [PATCH 39/42] Update dist install menus' top text
---
 setup/so-whiptail | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index db5e36516..3f8628a30 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -778,9 +778,17 @@ whiptail_install_type_dist() {
 
 whiptail_install_type_dist_new() {
 [ -n "$TESTING" ] && return
+
+ local mngr_msg
+ read -r -d '' mngr_msg <<- EOM
+ Choose a distributed manager type to start a new grid.
 
- install_type=$(whiptail --title "$whiptail_title" --radiolist \
- "Choose distributed manager type to start a new grid. See https://docs.securityonion.net/architecture for details." 10 75 2 \
+ See https://docs.securityonion.net/architecture for details.
+
+ Note: MANAGER is the recommended option for most users. MANAGERSEARCH should only be used in very specific situations.
+ EOM
+
+ install_type=$(whiptail --title "$whiptail_title" --radiolist "$mngr_msg" 15 75 2 \
 "MANAGER" "New grid, requires separate search node(s) " ON \
 "MANAGERSEARCH" "New grid, separate search node(s) are optional " OFF \
 3>&1 1>&2 2>&3
@@ -792,9 +800,17 @@ whiptail_install_type_dist_new() {
 
 whiptail_install_type_dist_existing() {
 [ -n "$TESTING" ] && return
+
+ local node_msg
+ read -r -d '' node_msg <<- EOM
+ Choose a distributed node type to join to an existing grid.
 
- install_type=$(whiptail --title "$whiptail_title" --radiolist \
- "Choose distributed node type to join to an existing grid. See https://docs.securityonion.net/architecture for details." 14 57 4 \
+ See https://docs.securityonion.net/architecture for details.
+
+ Note: Heavy nodes (HEAVYNODE) are NOT recommended for most users.
+ EOM
+
+ install_type=$(whiptail --title "$whiptail_title" --radiolist "$node_msg" 17 57 4 \
 "SENSOR" "Create a forward only sensor " ON \
 "SEARCHNODE" "Add a search node with parsing " OFF \
 "FLEET" "Dedicated Fleet Osquery Node " OFF \
From 6c16d6d2223578a171f4309a809c91d810db91c1 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 8 Nov 2021 11:15:28 -0500
Subject: [PATCH 40/42] Update invalid hostname message
---
 setup/so-whiptail | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 3f8628a30..13bfa82b4 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -908,7 +908,7 @@ whiptail_invalid_hostname() {
 
 local error_message
 read -r -d '' error_message <<- EOM
- Please choose a valid hostname. It cannot be localhost; and must contain only the ASCII letters 'A-Z' and 'a-z' (case-sensitive), the digits '0' through '9', and hyphen ('-')
+ Please choose a valid hostname. It cannot be localhost. It must contain only the ASCII letters 'A-Z' and 'a-z' (case-sensitive), the digits '0' through '9', and hyphen ('-').
 EOM
 
 if [[ $is_manager_hostname = 0 ]]; then
From 46d3eb452d8026866a97155c7efdd3f1a9f82e9b Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Mon, 8 Nov 2021 20:08:56 +0000
Subject: [PATCH 41/42] Add ECS testing pipeline
---
 salt/elasticsearch/files/ingest/ecs | 155 ++++++++++++++++++++++++++++
 1 file changed, 155 insertions(+)
 create mode 100644 salt/elasticsearch/files/ingest/ecs
diff --git a/salt/elasticsearch/files/ingest/ecs b/salt/elasticsearch/files/ingest/ecs
new file mode 100644
index 000000000..e52ab6e71
--- /dev/null
+++ b/salt/elasticsearch/files/ingest/ecs
@@ -0,0 +1,155 @@
+{
+ "description" : "ECS Testing Pipeline",
+ "processors": [
+ {
+ "append": {
+ "field": "event.category",
+ "value": [
+ "process"
+ ],
+ "if": "ctx?.wazuh?.data?.type == 'process'",
+ "tag": "test",
+ "ignore_failure": true
+ }
+ },
+ {
+ "set": {
+ "field": "event.type",
+ "value": [
+ "start"
+ ],
+ "if": "ctx?.wazuh?.data?.type == 'process'",
+ "tag": "test",
+ "ignore_failure": true
+ }
+ },
+ {
+ "set": {
+ "field": "event.type",
+ "value": "end",
+ "if": "ctx?.wazuh?.data?.type == 'process_end'",
+ "tag": "test",
+ "ignore_failure": true
+ }
+ },
+ {
+ "set": {
+ "field": "user.name",
+ "copy_from": "process.user",
+ "ignore_empty_value": true,
+ "tag": "test",
+ "ignore_failure": true
+ }
+ },
+ {
+ "set": {
+ "field": "host.os.type",
+ "copy_from": "wazuh.data.os.sysname",
+ "ignore_empty_value": true,
+ "tag": "test",
+ "ignore_failure": true
+ }
+ },
+ {
+ "set": {
+ "field": "host.os.platform",
+ "copy_from": "wazuh.data.os.platform",
+ "ignore_empty_value": true,
+ "tag": "test",
+ "ignore_failure": true
+ }
+ },
+ {
+ "set": {
+ "field": "host.os.name",
+ "copy_from": "wazuh.data.os.name",
+ "ignore_empty_value": true,
+ "tag": "test",
+ "ignore_failure": true
+ }
+ },
+ {
+ "set": {
+ "field": "host.os.version",
+ "copy_from": "wazuh.data.os.version",
+ "ignore_empty_value": true,
+ "tag": "test",
+ "ignore_failure": true
+ }
+ },
+ {
+ "set": {
+ "field": "signal.rule.name",
+ "copy_from": "rule.name",
+ "ignore_empty_value": true,
+ "tag": "test",
+ "ignore_failure": true
+ }
+ },
+ {
+ "set": {
+ "field": "signal.rule.type",
+ "copy_from": "rule.category",
+ "ignore_empty_value": true,
+ "ignore_failure": true
+ }
+ },
+ {
+ "set": {
+ "field": "signal.rule.threat.tactic.name",
+ "copy_from": "rule.mitre.tactic",
+ "ignore_empty_value": true,
+ "tag": "test",
+ "ignore_failure": true
+ }
+ },
+ {
+ "append": {
+ "field": "event.category",
+ "value": [
+ "authentication"
+ ],
+ "if": "if(ctx?.rule?.groups != null) {\n 
if(ctx?.rule?.groups?.contains('authentication_success')) {\n return true\n }\n if(ctx?.rule?.groups?.contains('authentication_failed')) {\n return true\n }\n return false\n}",
+ "ignore_failure": true
+ }
+ },
+ {
+ "set": {
+ "field": "event.outcome",
+ "value": "success",
+ "ignore_empty_value": true,
+ "if": "ctx?.rule?.groups != null && ctx?.rule?.groups.contains('authentication_success')",
+ "tag": "test",
+ "ignore_failure": true
+ }
+ },
+ {
+ "set": {
+ "field": "event.outcome",
+ "value": "failure",
+ "ignore_empty_value": true,
+ "if": "ctx?.rule?.groups != null && ctx?.rule?.groups.contains('authentication_failed')",
+ "tag": "test",
+ "ignore_failure": true
+ }
+ },
+ {
+ "set": {
+ "field": "url.path",
+ "ignore_empty_value": true,
+ "tag": "test",
+ "ignore_failure": true,
+ "copy_from": "url.original"
+ }
+ },
+ {
+ "set": {
+ "field": "url.domain",
+ "ignore_empty_value": true,
+ "tag": "test",
+ "ignore_failure": true,
+ "copy_from": "kibana.log.meta.req.headers.origin"
+ }
+ }
+ ]
+}
From a8c02252dce77203458d6d882e1c20b04e6126e7 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 8 Nov 2021 15:16:05 -0500
Subject: [PATCH 42/42] Update acng.conf
---
 salt/manager/files/acng/acng.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/manager/files/acng/acng.conf b/salt/manager/files/acng/acng.conf
index 993452b57..1b7f05e04 100644
--- a/salt/manager/files/acng/acng.conf
+++ b/salt/manager/files/acng/acng.conf
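Review bot: `event.type` is set to the array `["start"]` by the second processor but to the bare string `"end"` by the third, so process-start and process-end documents carry different value shapes for the same field; use `"value": ["end"]` (or a plain string in both) so queries and the mapping see one form. `url.domain` is filled from `kibana.log.meta.req.headers.origin`, which is an HTTP Origin header — `scheme://host[:port]` rather than a bare hostname — so the value will not match what `url.domain` holds for other sources; a `uri_parts` step over that field, or leaving it in `url.original`, would be closer to ECS. The `signal.rule.type` processor is the only one without `"tag": "test"`, and since every processor also carries `"ignore_failure": true`, a silently skipped step cannot be attributed when the pipeline is simulated; distinct tags per processor would make that output readable.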
@@ -77,7 +77,7 @@ FreshIndexMaxAge: 300
 # AllowUserPorts: 80
 RedirMax: 6
 # VfileUseRangeOps is set for fedora volatile files on mirrors that dont to range
-VfileUseRangeOps: 0
+VfileUseRangeOps: -1
 # PassThroughPattern: private-ppa\.launchpad\.net:443$
 # PassThroughPattern: .* # this would allow CONNECT to everything
 PassThroughPattern: (repo\.securityonion\.net:443|download\.docker\.com:443|mirrors\.fedoraproject\.org:443|packages\.wazuh\.com:443|repo\.saltstack\.com:443|yum\.dockerproject\.org:443|download\.docker\.com:443|registry\.npmjs\.org:443|registry\.yarnpkg\.com:443)$ # yarn/npm pkg, cant to http :/
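Review bot: The comment above `VfileUseRangeOps: -1` still describes the previous setting and the commit message ("Update acng.conf") records no reason, so the next person tuning the cache has nothing to go on; replace the comment with one that states the motivation, e.g. `# VfileUseRangeOps: -1 — <reason this was changed from 0; placeholder to fill in>`. The `PassThroughPattern` context line below also lists `download\.docker\.com:443` twice; harmless, but worth dropping the duplicate when this file is next touched.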