Merge branch '2.4/dev' into kilo

Jason Ertel
2023-03-15 16:39:26 -04:00
54 changed files with 1685 additions and 676 deletions


@@ -97,6 +97,8 @@ echo "$IP" >> $local_salt_dir/hostgroups/$ROLE
if [ "$APPLY" = "true" ]; then if [ "$APPLY" = "true" ]; then
echo "Applying the firewall rules" echo "Applying the firewall rules"
salt-call state.apply firewall queue=True salt-call state.apply firewall queue=True
echo "Firewall rules have been applied... Review logs further if there were errors."
echo ""
else else
echo "Firewall rules will be applied next salt run" echo "Firewall rules will be applied next salt run"
fi fi
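Review bot: The new "Firewall rules have been applied..." message is printed whatever `salt-call state.apply firewall queue=True` did, so a failed firewall state still reports success and the operator is told to go look at logs instead of being told it failed. By default `salt-call` exits 0 even when states fail, so the status is not even available to check unless `--retcode-passthrough` is passed; I would run `salt-call --retcode-passthrough state.apply firewall queue=True || { echo "Firewall state failed; rules may not be in effect" >&2; exit 1; }` and drop the "Review logs further if there were errors" hedge. A node that believes its allow list is in place when it is not is exactly the case this message should not paper over. The script this `if` belongs to continues outside the hunk.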


@@ -54,25 +54,25 @@ fi
'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
so-firewall --role=manager --ip="$IP" so-firewall --role=manager --ip="$IP"
so-firewall --role=sensors --ip="$IP" so-firewall --role=sensors --ip="$IP"
so-firewall --apply --role=searchnodes --ip="$IP" so-firewall --apply=true --role=searchnodes --ip="$IP"
;; ;;
'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'IDH' | 'RECEIVER') 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'IDH' | 'RECEIVER')
case "$ROLE" in case "$ROLE" in
'SENSOR') 'SENSOR')
so-firewall --apply --role=sensors --ip="$IP" so-firewall --apply=true --role=sensors --ip="$IP"
;; ;;
'SEARCHNODE') 'SEARCHNODE')
so-firewall --apply --role=searchnodes --ip="$IP" so-firewall --apply=true --role=searchnodes --ip="$IP"
;; ;;
'HEAVYNODE') 'HEAVYNODE')
so-firewall --role=sensors --ip="$IP" so-firewall --role=sensors --ip="$IP"
so-firewall --apply --role=heavynodes --ip="$IP" so-firewall --apply=true --role=heavynodes --ip="$IP"
;; ;;
'IDH') 'IDH')
so-firewall --apply --role=sensors --ip="$IP" so-firewall --apply=true --role=sensors --ip="$IP"
;; ;;
'RECEIVER') 'RECEIVER')
so-firewall --apply --role=receivers --ip="$IP" so-firewall --apply=true --role=receivers --ip="$IP"
;; ;;
esac esac
;; ;;
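Review bot: None of the `so-firewall` invocations check their exit status, so if an intermediate call such as `so-firewall --role=manager --ip="$IP"` fails, the branch carries on and the final `--apply=true` call publishes a ruleset that is missing that hostgroup entry, with nothing in the output to say so. Unless so-firewall never returns non-zero on failure (its source is not in this page), I would chain the calls with `&&` or append `|| exit 1` so a partially registered node fails loudly rather than running with an incomplete allow list. Only the last call in each branch carries `--apply=true`; a comment such as `# earlier calls only stage hostgroup entries; the final --apply=true call applies them all` would make the batching intent explicit and stop someone "fixing" it by adding `--apply=true` to every call. The enclosing `case` statement starts outside the hunk.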


@@ -15,6 +15,42 @@ elasticsearch:
logs-zeek-so: logs-zeek-so:
close: 30 close: 30
delete: 365 delete: 365
logs-elastic_agent-metricbeat-default:
close: 30
delete: 365
logs-elastic_agent-osquerybeat-default:
close: 30
delete: 365
logs-elastic_agent-fleet_server-default:
close: 30
delete: 365
logs-elastic_agent-filebeat-default:
close: 30
delete: 365
logs-elastic_agent-default:
close: 30
delete: 365
logs-system-auth-default:
close: 30
delete: 365
logs-system-application-default:
close: 30
delete: 365
logs-system-security-default:
close: 30
delete: 365
logs-system-system-default:
close: 30
delete: 365
logs-system-syslog-default:
close: 30
delete: 365
logs-windows-powershell-default:
close: 30
delete: 365
logs-windows-sysmon_operational-default:
close: 30
delete: 365
so-beats: so-beats:
close: 30 close: 30
delete: 365 delete: 365


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent default indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:
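Review bot: The age filter keys off the date embedded in the backing-index name (`source: name` with `timestring: '%Y.%m.%d'`), but for a `.ds-*` backing index that date is when the index was created, not when its newest documents were written. With the 30d `max_age` rollover this commit adds to the elastic_agent ILM policies, the index that rolls over on day 30 holds the previous 30 days of agent logs and becomes eligible for `close` as soon as its name is 30 days old, leaving only the fresh, nearly empty backing index searchable (unless the 50gb size trigger happened to roll it earlier). If the intent is "keep 30 days searchable", either age on the data — `source: field_stats` with `stats_result: max_value` over `@timestamp` — or set `close` to rollover age plus the window you actually want, and say so in a comment above the action. The sibling close actions added in this commit have the same skew.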


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent default indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:
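Review bot: Retention is enforced twice for these indices: this action deletes `.ds-logs-elastic_agent-default*` at `{{ DELETE_DAYS }}` days by index-name date, and the ILM policy added to the elasticsearch defaults in the same commit deletes the same backing indices at `min_age: 365d`. Whichever fires first wins, and because the name date is the creation date a name-based 365-day delete can remove an index whose newest data is only about 335 days old, so effective retention is shorter than the configured value. I would pick one mechanism, or at least add a header comment stating which of the two is authoritative so an operator tuning `CURATORMERGED` is not surprised by ILM removing data on its own schedule.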


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-filebeat-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent Filebeat indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent.filebeat-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-filebeat-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent Filebeat indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent.filebeat-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-fleet_server-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent Fleet Server indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent.fleet_server-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-fleet_server-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete import indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent.fleet_server-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:
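Review bot: The description on this delete action reads `Delete import indices when older than {{ DELETE_DAYS }} days.` although the pattern targets `.ds-logs-elastic_agent.fleet_server-default*`; the text was evidently copied from the import action and will mislabel this run in the curator log. It should read `Delete Elastic Agent Fleet Server indices when older than {{ DELETE_DAYS }} days.` to match the fleet_server close action and the other new delete actions.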


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-metricbeat-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent Metricbeat indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent.metricbeat-default-.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:
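Review bot: The pattern `^(.ds-logs-elastic_agent.metricbeat-default-.*)$` carries a trailing `-` that none of the sibling close actions nor this stream's own delete action use (`...metricbeat-default.*`), so the two actions for the same stream match slightly different name sets. Both forms should still match the usual `-YYYY.MM.DD-NNNNNN` backing-index suffix, so this is a consistency nit, but aligning it to `'^(.ds-logs-elastic_agent.metricbeat-default.*)$'` keeps a future edit to one from silently diverging from the other. The unescaped `.` in `.ds-` and `elastic_agent.metricbeat` is harmless here but could be written `\.` if precision is wanted.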


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-metricbeat-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent Metricbeat indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent.metricbeat-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent Osquerybeat indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-elastic_agent-osquerybeat-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent Osquerybeat indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-elastic_agent.osquerybeat-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-import-so'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete import indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-import-so.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:
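Review bot: This action reads `CURATORMERGED['logs-import-so'].delete`, but the curator defaults hunk in this commit adds entries only for the elastic_agent, system and windows streams; no `logs-import-so` key is visible anywhere on the page. If that key is not defined elsewhere in the defaults (the hunk starts at line 15, so it may well be above it), accessing `.delete` on the missing key raises an undefined-variable error at render time, as far as I can tell taking the whole curator action set down rather than skipping this one action. Please confirm the key exists, or add a default alongside the new ones, e.g. `logs-import-so:` / `delete: 365`, so the template renders on a fresh install.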


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-system-application-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent system application indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.application-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-system-application-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent system application indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.application-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-system-auth-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent system auth indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.auth-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-system-auth-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent system auth indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.auth-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-system-security-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent system security indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.security-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-system-security-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent system security indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.security-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-system-syslog-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent system syslog indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.syslog-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-system-syslog-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent system syslog indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.syslog-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-system-system-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent system system indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.system-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-system-system-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent system system indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-system.system-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-windows-powershell-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent Windows Powershell indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-windows.powershell-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-windows-powershell-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent Windows Powershell indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-windows.powershell-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set cur_close_days = CURATORMERGED['logs-windows-sysmon_operational-default'].close %}
actions:
1:
action: close
description: >-
Close Elastic Agent Windows Sysmon operational indices older than {{cur_close_days}} days.
options:
delete_aliases: False
timeout_override:
continue_if_exception: False
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-windows.sysmon_operational-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{cur_close_days}}
exclude:


@@ -0,0 +1,27 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{%- set DELETE_DAYS = CURATORMERGED['logs-windows-sysmon_operational-default'].delete %}
actions:
1:
action: delete_indices
description: >-
Delete Elastic Agent Windows Sysmon operational indices when older than {{ DELETE_DAYS }} days.
options:
ignore_empty_list: True
disable_action: False
filters:
- filtertype: pattern
kind: regex
value: '^(.ds-logs-windows.sysmon_operational-default.*)$'
- filtertype: age
source: name
direction: older
timestring: '%Y.%m.%d'
unit: days
unit_count: {{ DELETE_DAYS }}
exclude:


@@ -84,14 +84,33 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.auditbeat: so-logs-elastic_agent.auditbeat:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -119,14 +138,33 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.cloudbeat: so-logs-elastic_agent.cloudbeat:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -154,14 +192,30 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.endpoint_security: so-logs-elastic_agent.endpoint_security:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -189,14 +243,33 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.filebeat: so-logs-elastic_agent.filebeat:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -224,14 +297,30 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.fleet_server: so-logs-elastic_agent.fleet_server:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -259,14 +348,33 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.heartbeat: so-logs-elastic_agent.heartbeat:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -294,14 +402,30 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent: so-logs-elastic_agent:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -329,14 +453,33 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.metricbeat: so-logs-elastic_agent.metricbeat:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -364,14 +507,33 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.osquerybeat: so-logs-elastic_agent.osquerybeat:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -399,14 +561,33 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-logs-elastic_agent.packetbeat: so-logs-elastic_agent.packetbeat:
index_sorting: False index_sorting: False
index_template: index_template:
@@ -434,14 +615,33 @@ elasticsearch:
- "so-fleet_globals-1" - "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1" - "so-fleet_agent_id_verification-1"
priority: 200 priority: 200
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta: _meta:
package: package:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
data_stream:
hidden: false
allow_custom_routing: false
so-aws: so-aws:
warm: 7 warm: 7
close: 30 close: 30


@@ -11,7 +11,7 @@
{ "set": { "if": "ctx.rule.severity == 3", "field": "event.severity", "value": 1, "override": true } }, { "set": { "if": "ctx.rule.severity == 3", "field": "event.severity", "value": 1, "override": true } },
{ "set": { "if": "ctx.rule.severity == 2", "field": "event.severity", "value": 2, "override": true } }, { "set": { "if": "ctx.rule.severity == 2", "field": "event.severity", "value": 2, "override": true } },
{ "set": { "if": "ctx.rule.severity == 1", "field": "event.severity", "value": 3, "override": true } }, { "set": { "if": "ctx.rule.severity == 1", "field": "event.severity", "value": 3, "override": true } },
{ "remove": { "field": ["rule_type", "rest_of_rulename"], "ignore_failure": true } }, { "remove": { "field": ["rule_type", "rest_of_rulename", "host"], "ignore_failure": true } },
{ "pipeline": { "name": "common" } } { "pipeline": { "name": "common" } }
] ]
} }
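Review bot: The new `"host"` entry in the remove processor on the fourth line of the hunk discards whatever value the shipper placed in `host`, and with `"ignore_failure": true` nothing records that it happened; the hunk gives no reason for the drop. If the intent is to avoid a mapping clash between a scalar `host` and the ECS `host.*` object (my guess, not stated here), record that in the pipeline's `description` field, which is outside this hunk if present, or keep the value by using a `rename` processor into a documented field rather than removing it.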


@@ -5,14 +5,15 @@
# Elastic License 2.0. # Elastic License 2.0.
{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
echo "Starting to check for yara rule updates at $(date)..." echo "Starting to check for yara rule updates at $(date)..."
output_dir="/opt/so/saltstack/default/salt/strelka/rules" output_dir="/opt/so/saltstack/local/salt/strelka/rules"
mkdir -p $output_dir mkdir -p $output_dir
repos="$output_dir/repos.txt" repos="/opt/so/conf/strelka/repos.txt"
newcounter=0 newcounter=0
excludedcounter=0
excluded_rules=({{ EXCLUDEDRULES | join(' ') }})
{% if ISAIRGAP is sameas true %} {% if ISAIRGAP is sameas true %}
@@ -20,22 +21,29 @@ echo "Airgap mode enabled."
clone_dir="/nsm/repo/rules/strelka" clone_dir="/nsm/repo/rules/strelka"
repo_name="signature-base" repo_name="signature-base"
mkdir -p /opt/so/saltstack/default/salt/strelka/rules/signature-base [ -d $output_dir/$repo_name ] && rm -rf $output_dir/$repo_name
mkdir -p mkdir -p $output_dir/$repo_name
# Ensure a copy of the license is available for the rules # Ensure a copy of the license is available for the rules
[ -f $clone_dir/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name [ -f $clone_dir/LICENSE ] && cp $clone_dir/$repo_name/LICENSE $output_dir/$repo_name
# Copy over rules # Copy over rules
for i in $(find $clone_dir/yara -name "*.yar*"); do for i in $(find $clone_dir/yara -name "*.yar*"); do
rule_name=$(echo $i | awk -F '/' '{print $NF}') rule_name=$(echo $i | awk -F '/' '{print $NF}')
echo "Adding rule: $rule_name..." if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then
cp $i $output_dir/$repo_name echo "Adding rule: $rule_name..."
((newcounter++)) cp $i $output_dir/$repo_name
((newcounter++))
else
echo "Excluding rule: $rule_name..."
((excludedcounter++))
fi
done done
echo "Done!" echo "Done!"
if [ "$newcounter" -gt 0 ];then if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then
echo "$newcounter rules added." echo "$newcounter rules added."
echo "$excludedcounter rule(s) excluded."
fi fi
{% else %} {% else %}
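Review bot: The exclusion test `if [[ ! "${excluded_rules}" =~ ${rule_name} ]]` only ever consults the first entry of the array, because `"${excluded_rules}"` expands to `${excluded_rules[0]}`; every other name in `EXCLUDEDRULES` is still copied and counted as added. The unquoted right-hand side is also treated as an extended regex, so `.` in `gen_webshells.yar` matches any character and the match is a substring match, meaning a rule whose name is contained in an excluded name would be dropped too. An exact whole-token comparison that avoids regex fixes both: `if [[ ! " ${excluded_rules[*]} " == *" ${rule_name} "* ]]; then`. The same test appears in the non-airgap hunk below (`@@ -60,9 +68,15 @@`) and needs the same change; the enclosing `if` branches begin outside this hunk.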
@@ -60,9 +68,15 @@ if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then
# Copy over rules # Copy over rules
for i in $(find $clone_dir/$repo_name -name "*.yar*"); do for i in $(find $clone_dir/$repo_name -name "*.yar*"); do
rule_name=$(echo $i | awk -F '/' '{print $NF}') rule_name=$(echo $i | awk -F '/' '{print $NF}')
echo "Adding rule: $rule_name..."
cp $i $output_dir/$repo_name if [[ ! "${excluded_rules}" =~ ${rule_name} ]]; then
((newcounter++)) echo "Adding rule: $rule_name..."
cp $i $output_dir/$repo_name
((newcounter++))
else
echo "Excluding rule: $rule_name..."
((excludedcounter++))
fi
done done
rm -rf $clone_dir/$repo_name rm -rf $clone_dir/$repo_name
fi fi
@@ -70,8 +84,9 @@ if [ "$gh_status" == "200" ] || [ "$gh_status" == "301" ]; then
echo "Done!" echo "Done!"
if [ "$newcounter" -gt 0 ];then if [ "$newcounter" -gt 0 ] || [ "$excludedcounter" -gt 0 ];then
echo "$newcounter rules added." echo "$newcounter rule(s) added."
echo "$excludedcounter rule(s) excluded."
fi fi
else else


@@ -5,6 +5,9 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %} {% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'strelka/map.jinja' import STRELKAMERGED %}
include: include:
- salt.minion - salt.minion
- kibana.secrets - kibana.secrets
@@ -20,6 +23,18 @@ socore_own_saltstack:
- user - user
- group - group
yara_update_script:
file.managed:
- name: /usr/sbin/so-yara-update
- source: salt://manager/files/so-yara-update.jinja
- user: root
- group: root
- mode: 755
- template: jinja
- defaults:
ISAIRGAP: {{ GLOBALS.airgap }}
EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}
strelka_yara_update: strelka_yara_update:
cron.present: cron.present:
- user: root - user: root


@@ -1,19 +1,559 @@
strelka: strelka:
ignore: config:
- apt_flame2_orchestrator.yar backend:
- apt_tetris.yar backend:
- gen_susp_js_obfuscatorio.yar logging_cfg: '/etc/strelka/logging.yaml'
- gen_webshells.yar limits:
- generic_anomalies.yar max_files: 0
- general_cloaking.yar time_to_live: 0
- thor_inverse_matches.yar max_depth: 15
- yara_mixed_ext_vars.yar distribution: 600
- apt_apt27_hyperbro.yar scanner: 150
- apt_turla_gazer.yar coordinator:
- gen_google_anomaly.yar addr: 'HOST:6380'
- gen_icon_anomalies.yar db: 0
- gen_nvidia_leaked_cert.yar tasting:
- gen_sign_anomalies.yar mime_db: '/usr/lib/file/magic.mgc'
- gen_susp_xor.yar yara_rules: '/etc/strelka/taste/'
- gen_webshells_ext_vars.yar scanners:
- configured_vulns_ext_vars.yar 'ScanBase64':
- positive:
filename: '^base64_'
priority: 5
'ScanBatch':
- positive:
flavors:
- 'text/x-msdos-batch'
- 'batch_file'
priority: 5
'ScanBzip2':
- positive:
flavors:
- 'application/x-bzip2'
- 'bzip2_file'
priority: 5
'ScanDocx':
- positive:
flavors:
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
priority: 5
options:
extract_text: False
'ScanElf':
- positive:
flavors:
- 'application/x-object'
- 'application/x-executable'
- 'application/x-sharedlib'
- 'application/x-coredump'
- 'elf_file'
priority: 5
'ScanEmail':
- positive:
flavors:
- 'application/vnd.ms-outlook'
- 'message/rfc822'
- 'email_file'
priority: 5
'ScanEntropy':
- positive:
flavors:
- '*'
priority: 5
'ScanExiftool':
- positive:
flavors:
- 'application/msword'
- 'application/vnd.openxmlformats-officedocument'
- 'application/vnd.openxmlformats-officedocument.presentationml.presentation'
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
- 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
- 'olecf_file'
- 'ooxml_file'
- 'audio/mpeg'
- 'mp3_file'
- 'mhtml_file'
- 'application/pdf'
- 'pdf_file'
- 'text/rtf'
- 'rtf_file'
- 'wordml_file'
- 'application/x-dosexec'
- 'mz_file'
- 'application/x-object'
- 'application/x-executable'
- 'application/x-sharedlib'
- 'application/x-coredump'
- 'elf_file'
- 'lnk_file'
- 'application/x-mach-binary'
- 'macho_file'
- 'image/gif'
- 'gif_file'
- 'image/jpeg'
- 'jpeg_file'
- 'image/png'
- 'png_file'
- 'image/tiff'
- 'type_is_tiff'
- 'image/x-ms-bmp'
- 'bmp_file'
- 'application/x-shockwave-flash'
- 'fws_file'
- 'psd_file'
- 'video/mp4'
- 'video/quicktime'
- 'video/x-msvideo'
- 'avi_file'
- 'video/x-ms-wmv'
- 'wmv_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanGif':
- positive:
flavors:
- 'image/gif'
- 'gif_file'
priority: 5
'ScanGzip':
- positive:
flavors:
- 'application/gzip'
- 'application/x-gzip'
- 'gzip_file'
priority: 5
'ScanHash':
- positive:
flavors:
- '*'
priority: 5
'ScanHeader':
- positive:
flavors:
- '*'
priority: 5
options:
length: 50
'ScanHtml':
- positive:
flavors:
- 'hta_file'
- 'text/html'
- 'html_file'
priority: 5
options:
parser: "html5lib"
'ScanIni':
- positive:
filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$'
flavors:
- 'ini_file'
priority: 5
'ScanJarManifest':
- positive:
flavors:
- 'jar_manifest_file'
priority: 5
'ScanJavascript':
- negative:
flavors:
- 'text/html'
- 'html_file'
positive:
flavors:
- 'javascript_file'
- 'text/javascript'
priority: 5
options:
beautify: True
'ScanJpeg':
- positive:
flavors:
- 'image/jpeg'
- 'jpeg_file'
priority: 5
'ScanJson':
- positive:
flavors:
- 'application/json'
- 'json_file'
priority: 5
'ScanLibarchive':
- positive:
flavors:
- 'application/vnd.ms-cab-compressed'
- 'cab_file'
- 'application/x-7z-compressed'
- '_7zip_file'
- 'application/x-cpio'
- 'cpio_file'
- 'application/x-xar'
- 'xar_file'
- 'arj_file'
- 'iso_file'
- 'application/x-debian-package'
- 'debian_package_file'
priority: 5
options:
limit: 1000
'ScanLzma':
- positive:
flavors:
- 'application/x-lzma'
- 'lzma_file'
- 'application/x-xz'
- 'xz_file'
priority: 5
'ScanMacho':
- positive:
flavors:
- 'application/x-mach-binary'
- 'macho_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanOcr':
- positive:
flavors:
- 'image/jpeg'
- 'jpeg_file'
- 'image/png'
- 'png_file'
- 'image/tiff'
- 'type_is_tiff'
- 'image/x-ms-bmp'
- 'bmp_file'
priority: 5
options:
extract_text: False
tmp_directory: '/dev/shm/'
'ScanOle':
- positive:
flavors:
- 'application/CDFV2'
- 'application/msword'
- 'olecf_file'
priority: 5
'ScanPdf':
- positive:
flavors:
- 'application/pdf'
- 'pdf_file'
priority: 5
options:
extract_text: False
limit: 2000
'ScanPe':
- positive:
flavors:
- 'application/x-dosexec'
- 'mz_file'
priority: 5
'ScanPgp':
- positive:
flavors:
- 'application/pgp-keys'
- 'pgp_file'
priority: 5
'ScanPhp':
- positive:
flavors:
- 'text/x-php'
- 'php_file'
priority: 5
'ScanPkcs7':
- positive:
flavors:
- 'pkcs7_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanPlist':
- positive:
flavors:
- 'bplist_file'
- 'plist_file'
priority: 5
options:
keys:
- 'KeepAlive'
- 'Label'
- 'NetworkState'
- 'Program'
- 'ProgramArguments'
- 'RunAtLoad'
- 'StartInterval'
'ScanRar':
- positive:
flavors:
- 'application/x-rar'
- 'rar_file'
priority: 5
options:
limit: 1000
'ScanRpm':
- positive:
flavors:
- 'application/x-rpm'
- 'rpm_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanRtf':
- positive:
flavors:
- 'text/rtf'
- 'rtf_file'
priority: 5
options:
limit: 1000
'ScanRuby':
- positive:
flavors:
- 'text/x-ruby'
priority: 5
'ScanSwf':
- positive:
flavors:
- 'application/x-shockwave-flash'
- 'fws_file'
- 'cws_file'
- 'zws_file'
priority: 5
'ScanTar':
- positive:
flavors:
- 'application/x-tar'
- 'tar_file'
priority: 5
options:
limit: 1000
'ScanTnef':
- positive:
flavors:
- 'application/vnd.ms-tnef'
- 'tnef_file'
priority: 5
'ScanUpx':
- positive:
flavors:
- 'upx_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanUrl':
- negative:
flavors:
- 'javascript_file'
positive:
flavors:
- 'text/plain'
priority: 5
'ScanVb':
- positive:
flavors:
- 'vb_file'
- 'vbscript'
priority: 5
'ScanVba':
- positive:
flavors:
- 'mhtml_file'
- 'application/msword'
- 'olecf_file'
- 'wordml_file'
priority: 5
options:
analyze_macros: True
'ScanX509':
- positive:
flavors:
- 'x509_der_file'
priority: 5
options:
type: 'der'
- positive:
flavors:
- 'x509_pem_file'
priority: 5
options:
type: 'pem'
'ScanXml':
- positive:
flavors:
- 'application/xml'
- 'text/xml'
- 'xml_file'
- 'mso_file'
- 'soap_file'
priority: 5
'ScanYara':
- positive:
flavors:
- '*'
priority: 5
options:
location: '/etc/yara/'
'ScanZip':
- positive:
flavors:
- 'application/java-archive'
- 'application/zip'
- 'zip_file'
- 'application/vnd.openxmlformats-officedocument'
- 'application/vnd.openxmlformats-officedocument.presentationml.presentation'
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
- 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
- 'ooxml_file'
priority: 5
options:
limit: 1000
password_file: '/etc/strelka/passwords.dat'
'ScanZlib':
- positive:
flavors:
- 'application/zlib'
- 'zlib_file'
priority: 5
logging:
version: 1
formatters:
simple:
format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s'
datefmt: '%Y-%m-%d %H:%M:%S'
handlers:
console:
class: logging.StreamHandler
formatter: simple
stream: ext://sys.stdout
root:
level: DEBUG
handlers: [console]
loggers:
OpenSSL:
propagate: 0
bs4:
propagate: 0
bz2:
propagate: 0
chardet:
propagate: 0
docx:
propagate: 0
elftools:
propagate: 0
email:
propagate: 0
entropy:
propagate: 0
esprima:
propagate: 0
gzip:
propagate: 0
hashlib:
propagate: 0
json:
propagate: 0
libarchive:
propagate: 0
lxml:
propagate: 0
lzma:
propagate: 0
macholibre:
propagate: 0
olefile:
propagate: 0
oletools:
propagate: 0
pdfminer:
propagate: 0
pefile:
propagate: 0
pgpdump:
propagate: 0
pygments:
propagate: 0
pylzma:
propagate: 0
rarfile:
propagate: 0
requests:
propagate: 0
rpmfile:
propagate: 0
ssdeep:
propagate: 0
tarfile:
propagate: 0
tnefparse:
propagate: 0
yara:
propagate: 0
zipfile:
propagate: 0
zlib:
propagate: 0
passwords:
- infected
- password
filestream:
conn:
server: 'HOST:57314'
cert: ''
timeout:
dial: 5s
file: 1m
throughput:
concurrency: 8
chunk: 32768
delay: 0s
files:
patterns:
- '/nsm/strelka/unprocessed/*'
delete: false
gatekeeper: true
processed: '/nsm/strelka/processed'
response:
report: 5s
delta: 5s
staging: '/nsm/strelka/staging'
frontend:
server: ":57314"
coordinator:
addr: 'HOST:6380'
db: 0
gatekeeper:
addr: 'HOST:6381'
db: 0
ttl: 1h
response:
log: "/var/log/strelka/strelka.log"
manager:
coordinator:
addr: 'HOST:6380'
db: 0
rules:
enabled: True
repos:
- https://github.com/Neo23x0/signature-base
excluded:
- apt_flame2_orchestrator.yar
- apt_tetris.yar
- gen_susp_js_obfuscatorio.yar
- gen_webshells.yar
- generic_anomalies.yar
- general_cloaking.yar
- thor_inverse_matches.yar
- yara_mixed_ext_vars.yar
- apt_apt27_hyperbro.yar
- apt_turla_gazer.yar
- gen_google_anomaly.yar
- gen_icon_anomalies.yar
- gen_nvidia_leaked_cert.yar
- gen_sign_anomalies.yar
- gen_susp_xor.yar
- gen_webshells_ext_vars.yar
- configured_vulns_ext_vars.yar
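Review bot: The new `rules.repos` and `rules.excluded` keys at the end of the file are now pillar-mergeable inputs to `so-yara-update`, but nothing in this file tells an operator what the script does with them. The repositories are cloned over HTTPS and every `*.yar*` file found is installed for `ScanYara`, with no pin to a tag or commit and no signature check visible in this commit, so each added repository is trusted wholesale; a comment such as `# repos: git repositories cloned by so-yara-update; all *.yar* files found are installed unverified, so only list sources you trust` above `repos:` would make that explicit. Likewise `excluded:` entries are matched by file name only, so a one-line comment `# excluded: YARA file names skipped by so-yara-update (matched by basename)` would spare readers a trip to the script.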


@@ -0,0 +1,4 @@
filecheck:
historypath: '/nsm/strelka/history/'
strelkapath: '/nsm/strelka/unprocessed/'
logfile: '/opt/so/log/strelka/filecheck.log'


@@ -1,10 +0,0 @@
{%- set ENGINE = salt['pillar.get']('global:mdengine', '') %}
filecheck:
{%- if ENGINE == "SURICATA" %}
extract_path: '/nsm/suricata/extracted'
{%- else %}
extract_path: '/nsm/zeek/extracted/complete'
{%- endif %}
historypath: '/nsm/strelka/history/'
strelkapath: '/nsm/strelka/unprocessed/'
logfile: '/opt/so/log/strelka/filecheck.log'


@@ -0,0 +1 @@
{{ FILECHECKCONFIG | yaml(false) }}


@@ -0,0 +1,12 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'strelka/filecheck/defaults.yaml' as FILECHECKDEFAULTS %}
{% if GLOBALS.md_engine == "SURICATA" %}
{% set extract_path = '/nsm/suricata/extracted' %}
{% set filecheck_runas = 'suricata' %}
{% else %}
{% set extract_path = '/nsm/zeek/extracted/complete' %}
{% set filecheck_runas = 'socore' %}
{% endif %}
{% do FILECHECKDEFAULTS.filecheck.update({'extract_path': extract_path}) %}


@@ -1,420 +0,0 @@
{%- if grains.role in ['so-sensor', 'so-heavynode'] -%}
{%- set mainint = salt['pillar.get']('host:mainint') %}
{%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
{%- else %}
{%- set ip = salt['pillar.get']('global:managerip') %}
{%- endif -%}
logging_cfg: '/etc/strelka/logging.yaml'
limits:
max_files: 0
time_to_live: 0
max_depth: 15
distribution: 600
scanner: 150
coordinator:
addr: '{{ ip }}:6380'
db: 0
tasting:
mime_db: null
yara_rules: '/etc/strelka/taste/'
scanners:
'ScanBase64':
- positive:
filename: '^base64_'
priority: 5
'ScanBatch':
- positive:
flavors:
- 'text/x-msdos-batch'
- 'batch_file'
priority: 5
'ScanBzip2':
- positive:
flavors:
- 'application/x-bzip2'
- 'bzip2_file'
priority: 5
'ScanDocx':
- positive:
flavors:
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
priority: 5
options:
extract_text: False
'ScanElf':
- positive:
flavors:
- 'application/x-object'
- 'application/x-executable'
- 'application/x-sharedlib'
- 'application/x-coredump'
- 'elf_file'
priority: 5
'ScanEmail':
- positive:
flavors:
- 'application/vnd.ms-outlook'
- 'message/rfc822'
- 'email_file'
priority: 5
'ScanEntropy':
- positive:
flavors:
- '*'
priority: 5
'ScanExiftool':
- positive:
flavors:
- 'application/msword'
- 'application/vnd.openxmlformats-officedocument'
- 'application/vnd.openxmlformats-officedocument.presentationml.presentation'
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
- 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
- 'olecf_file'
- 'ooxml_file'
- 'audio/mpeg'
- 'mp3_file'
- 'mhtml_file'
- 'application/pdf'
- 'pdf_file'
- 'text/rtf'
- 'rtf_file'
- 'wordml_file'
- 'application/x-dosexec'
- 'mz_file'
- 'application/x-object'
- 'application/x-executable'
- 'application/x-sharedlib'
- 'application/x-coredump'
- 'elf_file'
- 'lnk_file'
- 'application/x-mach-binary'
- 'macho_file'
- 'image/gif'
- 'gif_file'
- 'image/jpeg'
- 'jpeg_file'
- 'image/png'
- 'png_file'
- 'image/tiff'
- 'type_is_tiff'
- 'image/x-ms-bmp'
- 'bmp_file'
- 'application/x-shockwave-flash'
- 'fws_file'
- 'psd_file'
- 'video/mp4'
- 'video/quicktime'
- 'video/x-msvideo'
- 'avi_file'
- 'video/x-ms-wmv'
- 'wmv_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanGif':
- positive:
flavors:
- 'image/gif'
- 'gif_file'
priority: 5
'ScanGzip':
- positive:
flavors:
- 'application/gzip'
- 'application/x-gzip'
- 'gzip_file'
priority: 5
'ScanHash':
- positive:
flavors:
- '*'
priority: 5
'ScanHeader':
- positive:
flavors:
- '*'
priority: 5
options:
length: 50
'ScanHtml':
- positive:
flavors:
- 'hta_file'
- 'text/html'
- 'html_file'
priority: 5
options:
parser: "html5lib"
'ScanIni':
- positive:
filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$'
flavors:
- 'ini_file'
priority: 5
'ScanJarManifest':
- positive:
flavors:
- 'jar_manifest_file'
priority: 5
'ScanJavascript':
- negative:
flavors:
- 'text/html'
- 'html_file'
positive:
flavors:
- 'javascript_file'
- 'text/javascript'
priority: 5
options:
beautify: True
'ScanJpeg':
- positive:
flavors:
- 'image/jpeg'
- 'jpeg_file'
priority: 5
'ScanJson':
- positive:
flavors:
- 'application/json'
- 'json_file'
priority: 5
'ScanLibarchive':
- positive:
flavors:
- 'application/vnd.ms-cab-compressed'
- 'cab_file'
- 'application/x-7z-compressed'
- '_7zip_file'
- 'application/x-cpio'
- 'cpio_file'
- 'application/x-xar'
- 'xar_file'
- 'arj_file'
- 'iso_file'
- 'application/x-debian-package'
- 'debian_package_file'
priority: 5
options:
limit: 1000
'ScanLzma':
- positive:
flavors:
- 'application/x-lzma'
- 'lzma_file'
- 'application/x-xz'
- 'xz_file'
priority: 5
'ScanMacho':
- positive:
flavors:
- 'application/x-mach-binary'
- 'macho_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanOcr':
- positive:
flavors:
- 'image/jpeg'
- 'jpeg_file'
- 'image/png'
- 'png_file'
- 'image/tiff'
- 'type_is_tiff'
- 'image/x-ms-bmp'
- 'bmp_file'
priority: 5
options:
extract_text: False
tmp_directory: '/dev/shm/'
'ScanOle':
- positive:
flavors:
- 'application/CDFV2'
- 'application/msword'
- 'olecf_file'
priority: 5
'ScanPdf':
- positive:
flavors:
- 'application/pdf'
- 'pdf_file'
priority: 5
options:
extract_text: False
limit: 2000
'ScanPe':
- positive:
flavors:
- 'application/x-dosexec'
- 'mz_file'
priority: 5
'ScanPgp':
- positive:
flavors:
- 'application/pgp-keys'
- 'pgp_file'
priority: 5
'ScanPhp':
- positive:
flavors:
- 'text/x-php'
- 'php_file'
priority: 5
'ScanPkcs7':
- positive:
flavors:
- 'pkcs7_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanPlist':
- positive:
flavors:
- 'bplist_file'
- 'plist_file'
priority: 5
options:
keys:
- 'KeepAlive'
- 'Label'
- 'NetworkState'
- 'Program'
- 'ProgramArguments'
- 'RunAtLoad'
- 'StartInterval'
'ScanRar':
- positive:
flavors:
- 'application/x-rar'
- 'rar_file'
priority: 5
options:
limit: 1000
'ScanRpm':
- positive:
flavors:
- 'application/x-rpm'
- 'rpm_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanRtf':
- positive:
flavors:
- 'text/rtf'
- 'rtf_file'
priority: 5
options:
limit: 1000
'ScanRuby':
- positive:
flavors:
- 'text/x-ruby'
priority: 5
'ScanSwf':
- positive:
flavors:
- 'application/x-shockwave-flash'
- 'fws_file'
- 'cws_file'
- 'zws_file'
priority: 5
'ScanTar':
- positive:
flavors:
- 'application/x-tar'
- 'tar_file'
priority: 5
options:
limit: 1000
'ScanTnef':
- positive:
flavors:
- 'application/vnd.ms-tnef'
- 'tnef_file'
priority: 5
'ScanUpx':
- positive:
flavors:
- 'upx_file'
priority: 5
options:
tmp_directory: '/dev/shm/'
'ScanUrl':
- negative:
flavors:
- 'javascript_file'
positive:
flavors:
- 'text/plain'
priority: 5
'ScanVb':
- positive:
flavors:
- 'vb_file'
- 'vbscript'
priority: 5
'ScanVba':
- positive:
flavors:
- 'mhtml_file'
- 'application/msword'
- 'olecf_file'
- 'wordml_file'
priority: 5
options:
analyze_macros: True
'ScanX509':
- positive:
flavors:
- 'x509_der_file'
priority: 5
options:
type: 'der'
- positive:
flavors:
- 'x509_pem_file'
priority: 5
options:
type: 'pem'
'ScanXml':
- positive:
flavors:
- 'application/xml'
- 'text/xml'
- 'xml_file'
- 'mso_file'
- 'soap_file'
priority: 5
'ScanYara':
- positive:
flavors:
- '*'
priority: 5
options:
location: '/etc/yara/'
'ScanZip':
- positive:
flavors:
- 'application/java-archive'
- 'application/zip'
- 'zip_file'
- 'application/vnd.openxmlformats-officedocument'
- 'application/vnd.openxmlformats-officedocument.presentationml.presentation'
- 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
- 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'
- 'ooxml_file'
priority: 5
options:
limit: 1000
password_file: '/etc/strelka/passwords.dat'
'ScanZlib':
- positive:
flavors:
- 'application/zlib'
- 'zlib_file'
priority: 5


@@ -0,0 +1 @@
{{ BACKENDCONFIG | yaml(false) }}


@@ -1,78 +0,0 @@
version: 1
formatters:
simple:
format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s'
datefmt: '%Y-%m-%d %H:%M:%S'
handlers:
console:
class: logging.StreamHandler
formatter: simple
stream: ext://sys.stdout
root:
level: DEBUG
handlers: [console]
loggers:
OpenSSL:
propagate: 0
bs4:
propagate: 0
bz2:
propagate: 0
chardet:
propagate: 0
docx:
propagate: 0
elftools:
propagate: 0
email:
propagate: 0
entropy:
propagate: 0
esprima:
propagate: 0
gzip:
propagate: 0
hashlib:
propagate: 0
json:
propagate: 0
libarchive:
propagate: 0
lxml:
propagate: 0
lzma:
propagate: 0
macholibre:
propagate: 0
olefile:
propagate: 0
oletools:
propagate: 0
pdfminer:
propagate: 0
pefile:
propagate: 0
pgpdump:
propagate: 0
pygments:
propagate: 0
pylzma:
propagate: 0
rarfile:
propagate: 0
requests:
propagate: 0
rpmfile:
propagate: 0
ssdeep:
propagate: 0
tarfile:
propagate: 0
tnefparse:
propagate: 0
yara:
propagate: 0
zipfile:
propagate: 0
zlib:
propagate: 0


@@ -0,0 +1 @@
{{ LOGGINGCONFIG | yaml(false) }}


@@ -1,2 +0,0 @@
infected
password


@@ -0,0 +1 @@
{{ PASSWORDS | join('\n') }}


@@ -1,26 +0,0 @@
{%- if grains.role in ['so-sensor', 'so-heavynode'] -%}
{%- set mainint = salt['pillar.get']('host:mainint') %}
{%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
{%- else %}
{%- set ip = salt['pillar.get']('global:managerip') %}
{%- endif -%}
conn:
server: '{{ ip }}:57314'
cert: ''
timeout:
dial: 5s
file: 1m
throughput:
concurrency: 8
chunk: 32768
delay: 0s
files:
patterns:
- '/nsm/strelka/unprocessed/*'
delete: false
gatekeeper: true
processed: '/nsm/strelka/processed'
response:
report: 5s
delta: 5s
staging: '/nsm/strelka/staging'


@@ -0,0 +1 @@
{{ FILESTREAMCONFIG | yaml(false) }}


@@ -1,16 +0,0 @@
{%- if grains.role in ['so-sensor', 'so-heavynode'] -%}
{%- set mainint = salt['pillar.get']('host:mainint') %}
{%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
{%- else %}
{%- set ip = salt['pillar.get']('global:managerip') %}
{%- endif -%}
server: ":57314"
coordinator:
addr: '{{ ip }}:6380'
db: 0
gatekeeper:
addr: '{{ ip }}:6381'
db: 0
ttl: 1h
response:
log: "/var/log/strelka/strelka.log"


@@ -0,0 +1 @@
{{ FRONTENDCONFIG | yaml(false) }}


@@ -1,9 +0,0 @@
{%- if grains.role in ['so-sensor', 'so-heavynode'] -%}
{%- set mainint = salt['pillar.get']('host:mainint') %}
{%- set ip = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %}
{%- else %}
{%- set ip = salt['pillar.get']('global:managerip') %}
{%- endif -%}
coordinator:
addr: '{{ ip }}:6380'
db: 0


@@ -0,0 +1 @@
{{ MANAGERCONFIG | yaml(false) }}


@@ -7,16 +7,10 @@
{% if sls in allowed_states %} {% if sls in allowed_states %}
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}
{% import_yaml 'strelka/defaults.yaml' as strelka_config with context %}
{% set IGNORELIST = salt['pillar.get']('strelka:ignore', strelka_config.strelka.ignore, merge=True, merge_nested_lists=True) %}
{% set ENGINE = salt['pillar.get']('global:mdengine', '') %}
{% if ENGINE == "SURICATA" %} {% from 'strelka/map.jinja' import STRELKAMERGED %}
{% set filecheck_runas = 'suricata' %} {% from 'strelka/filecheck/map.jinja' import FILECHECKDEFAULTS %}
{% else %} {% from 'strelka/filecheck/map.jinja' import filecheck_runas %}
{% set filecheck_runas = 'socore' %}
{% endif %}
# Strelka config # Strelka config
strelkaconfdir: strelkaconfdir:
@@ -33,16 +27,79 @@ strelkarulesdir:
- group: 939 - group: 939
- makedirs: True - makedirs: True
# Sync dynamic config to conf dir backend_backend_config:
strelkasync: file.managed:
file.recurse: - name: /opt/so/conf/strelka/backend/backend.yaml
- name: /opt/so/conf/strelka/ - source: salt://strelka/files/backend/backend.yaml.jinja
- source: salt://strelka/files - template: jinja
- user: 939 - user: 939
- group: 939 - group: 939
- template: jinja - makedirs: True
- defaults:
BACKENDCONFIG: {{ STRELKAMERGED.config.backend.backend }}
{% if STRELKA_RULES == 1 %} backend_logging_config:
file.managed:
- name: /opt/so/conf/strelka/backend/logging.yaml
- source: salt://strelka/files/backend/logging.yaml.jinja
- template: jinja
- user: 939
- group: 939
- defaults:
LOGGINGCONFIG: {{ STRELKAMERGED.config.backend.logging }}
backend_passwords:
file.managed:
- name: /opt/so/conf/strelka/backend/passwords.dat
- source: salt://strelka/files/backend/passwords.dat.jinja
- template: jinja
- user: 939
- group: 939
- defaults:
PASSWORDS: {{ STRELKAMERGED.config.backend.passwords }}
backend_taste:
file.managed:
- name: /opt/so/conf/strelka/backend/taste/taste.yara
- source: salt://strelka/files/backend/taste/taste.yara
- makedirs: True
- user: 939
- group: 939
filestream_config:
file.managed:
- name: /opt/so/conf/strelka/filestream/filestream.yaml
- source: salt://strelka/files/filestream/filestream.yaml.jinja
- template: jinja
- user: 939
- group: 939
- makedirs: True
- defaults:
FILESTREAMCONFIG: {{ STRELKAMERGED.config.filestream }}
frontend_config:
file.managed:
- name: /opt/so/conf/strelka/frontend/frontend.yaml
- source: salt://strelka/files/frontend/frontend.yaml.jinja
- template: jinja
- user: 939
- group: 939
- makedirs: True
- defaults:
FRONTENDCONFIG: {{ STRELKAMERGED.config.frontend }}
manager_config:
file.managed:
- name: /opt/so/conf/strelka/manager/manager.yaml
- source: salt://strelka/files/manager/manager.yaml.jinja
- template: jinja
- user: 939
- group: 939
- makedirs: True
- defaults:
MANAGERCONFIG: {{ STRELKAMERGED.config.manager }}
{% if STRELKAMERGED.rules.enabled %}
strelkarules: strelkarules:
file.recurse: file.recurse:
@@ -51,23 +108,15 @@ strelkarules:
- user: 939 - user: 939
- group: 939 - group: 939
- clean: True - clean: True
- exclude_pat:
{% for IGNOREDRULE in IGNORELIST %}
- {{ IGNOREDRULE }}
{% endfor %}
{% for IGNOREDRULE in IGNORELIST %}
remove_rule_{{ IGNOREDRULE }}:
file.absent:
- name: /opt/so/conf/strelka/rules/signature-base/{{ IGNOREDRULE }}
{% endfor %}
{% if grains['role'] in GLOBALS.manager_roles %} {% if grains['role'] in GLOBALS.manager_roles %}
strelkarepos: strelkarepos:
file.managed: file.managed:
- name: /opt/so/saltstack/default/salt/strelka/rules/repos.txt - name: /opt/so/conf/strelka/repos.txt
- source: salt://strelka/rules/repos.txt.jinja - source: salt://strelka/rules/repos.txt.jinja
- template: jinja - template: jinja
- defaults:
STRELKAREPOS: {{ STRELKAMERGED.rules.repos }}
{% endif %} {% endif %}
{% endif %} {% endif %}
@@ -133,8 +182,10 @@ filecheck_history:
filecheck_conf: filecheck_conf:
file.managed: file.managed:
- name: /opt/so/conf/strelka/filecheck.yaml - name: /opt/so/conf/strelka/filecheck.yaml
- source: salt://strelka/filecheck/filecheck.yaml - source: salt://strelka/filecheck/filecheck.yaml.jinja
- template: jinja - template: jinja
- defaults:
FILECHECKCONFIG: {{ FILECHECKDEFAULTS }}
filecheck_script: filecheck_script:
file.managed: file.managed:
@@ -173,7 +224,7 @@ strelka_coordinator:
- ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }} - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
- entrypoint: redis-server --save "" --appendonly no - entrypoint: redis-server --save "" --appendonly no
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %} {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
@@ -193,7 +244,7 @@ strelka_gatekeeper:
- ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }} - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
- entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %} {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
@@ -217,7 +268,7 @@ strelka_frontend:
- ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }} - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
- command: strelka-frontend - command: strelka-frontend
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- port_bindings: - port_bindings:
{% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %} {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %}
- {{ BINDING }} - {{ BINDING }}
@@ -240,7 +291,7 @@ strelka_backend:
- ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }} - ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }}
- command: strelka-backend - command: strelka-backend
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
- restart_policy: on-failure - restart_policy: on-failure
append_so-strelka-backend_so-status.conf: append_so-strelka-backend_so-status.conf:
@@ -259,7 +310,7 @@ strelka_manager:
- ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }} - ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
- command: strelka-manager - command: strelka-manager
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
append_so-strelka-manager_so-status.conf: append_so-strelka-manager_so-status.conf:
file.append: file.append:
@@ -278,7 +329,7 @@ strelka_filestream:
- ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }} - ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }}
- command: strelka-filestream - command: strelka-filestream
- extra_hosts: - extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
append_so-strelka-filestream_so-status.conf: append_so-strelka-filestream_so-status.conf:
file.append: file.append:

20
salt/strelka/map.jinja Normal file

@@ -0,0 +1,20 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'strelka/defaults.yaml' as STRELKADEFAULTS %}
{% set HOST = GLOBALS.hostname %}
{% set backend_coordinator_port = STRELKADEFAULTS.strelka.config.backend.backend.coordinator.addr.split(':')[1] %}
{% do STRELKADEFAULTS.strelka.config.backend.backend.coordinator.update({'addr': HOST ~ ':' ~ backend_coordinator_port}) %}
{% set filestream_conn_port = STRELKADEFAULTS.strelka.config.filestream.conn.server.split(':')[1] %}
{% do STRELKADEFAULTS.strelka.config.filestream.conn.update({'server': HOST ~ ':' ~ filestream_conn_port}) %}
{% set frontend_coordinator_port = STRELKADEFAULTS.strelka.config.frontend.coordinator.addr.split(':')[1] %}
{% do STRELKADEFAULTS.strelka.config.frontend.coordinator.update({'addr': HOST ~ ':' ~ frontend_coordinator_port}) %}
{% set frontend_gatekeeper_port = STRELKADEFAULTS.strelka.config.frontend.gatekeeper.addr.split(':')[1] %}
{% do STRELKADEFAULTS.strelka.config.frontend.gatekeeper.update({'addr': HOST ~ ':' ~ frontend_gatekeeper_port}) %}
{% set manager_coordinator_port = STRELKADEFAULTS.strelka.config.manager.coordinator.addr.split(':')[1] %}
{% do STRELKADEFAULTS.strelka.config.manager.coordinator.update({'addr': HOST ~ ':' ~ manager_coordinator_port}) %}
{% set STRELKAMERGED = salt['pillar.get']('strelka', STRELKADEFAULTS.strelka, merge=True) %}
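Review bot: Each of the five port extractions (`backend_coordinator_port` through `manager_coordinator_port`) uses `.split(':')[1]`, which returns the wrong field for an IPv6 default such as `[::1]:6379` and yields an undefined value (an error under Salt's strict Jinja undefined handling, as far as I recall) if a default ever omits the port; changing each to `.rsplit(':', 1)[-1]` takes the last colon-delimited field in both cases and is a one-token edit per line. The file also lacks a header comment explaining why the imported defaults are rewritten; the parallel change in the Strelka state swaps `extra_hosts` from the manager to `GLOBALS.hostname:GLOBALS.node_ip`, so a comment such as `{# Re-point every Strelka component at this node's own coordinator/gatekeeper/filestream instead of the manager; pillar values under strelka: still override these defaults in the merge below #}` would make the intent visible to the next maintainer. Note that `pillar.get(..., merge=True)` merges over the already-mutated defaults, so an operator-supplied `addr` is taken as-is and is not host-normalised here — presumably intended, but worth stating in that comment.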


@@ -1,4 +0,0 @@
generic_anomalies.yar
general_cloaking.yar
thor_inverse_matches.yar
yara_mixed_ext_vars.yar


@@ -1 +0,0 @@
https://github.com/Neo23x0/signature-base


@@ -1,4 +1,2 @@
# DO NOT EDIT THIS FILE! Strelka YARA rule repos are stored here from the strelka.repos pillar section # DO NOT EDIT THIS FILE! Strelka YARA rule repos are stored here from the strelka:rules:repos pillar section
{%- for repo in salt['pillar.get']('strelka:repos', {}) %} {{ STRELKAREPOS | join('\n') }}
{{ repo }}
{%- endfor %}
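Review bot: The new one-line body `{{ STRELKAREPOS | join('\n') }}` depends on `STRELKAREPOS` being injected into the template context by the state that renders this file, whereas the removed loop resolved the pillar itself with a `{}` fallback; if that context variable is not supplied the render presumably fails (Salt's Jinja defaults to strict undefined) instead of producing an empty repo list. A defensive guard here would be `{{ (STRELKAREPOS | default([])) | join('\n') }}`, or alternatively the managing state must always pass the variable, even when `strelka:rules:repos` is unset. The header comment should also say where the value now comes from, e.g. `# DO NOT EDIT THIS FILE! Rendered from the STRELKAREPOS list passed in by the strelka state (sourced from the strelka:rules:repos pillar section)`. The state that supplies the variable is not in this hunk, so the above is inferred from the template alone.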