From 100601c4520a53b073e041bd01f158f6dfef892c Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 12 Feb 2021 16:03:45 -0500
Subject: [PATCH 01/14] only laod templates if they change
https://github.com/Security-Onion-Solutions/securityonion/issues/1237
---
 salt/elasticsearch/init.sls | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index 82fc7c77d..9791d8b94 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -168,6 +168,8 @@ es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
 {% endif %}
 - user: 930
 - group: 939
+ - onchanges_in:
+ - cmd: so-elasticsearch-templates
 {% endfor %}
 nsmesdir:
From 0bef8b66620918bc01f5843b8c2211d1f0f9ee0b Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 18 Feb 2021 09:26:11 -0500
Subject: [PATCH 02/14] limit number of eve.json files for suricata
https://github.com/Security-Onion-Solutions/securityonion/issues/2989
---
 salt/suricata/cron/so-suricata-eve-clean | 35 ++++++++++++++++++++++++
 salt/suricata/init.sls | 20 ++++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 salt/suricata/cron/so-suricata-eve-clean
diff --git a/salt/suricata/cron/so-suricata-eve-clean b/salt/suricata/cron/so-suricata-eve-clean
new file mode 100644
index 000000000..b931eeea2
--- /dev/null
+++ b/salt/suricata/cron/so-suricata-eve-clean
@@ -0,0 +1,35 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .. /usr/sbin/so-common
+
+APP=so-suricata-eve-clean
+lf=/tmp/$APP-pidLockFile
+# create empty lock file if none exists
+cat /dev/null >> $lf
+read lastPID < $lf
+# if lastPID is not null and a process with that pid exists , exit
+[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
+echo $$ > $lf
+
+MAXEVES={% salt['pillar.get']('suricata:cleanup:eve_json', 20) %}
+
+# Find eve files and remove them
+NUMEVES=$(find /nsm/suricata/ -type f -name "eve-*.json" | wc -l)
+while [ "$NUMEVES" -gt "$MAXEVES" ]; do
+ OLDESTEVE=$(find /nsm/suricata/ -type f -name "eve-*.json" -type f -printf '%T+ %p\n' | sort | head -n 1 | awk -F" " '{print $2}')
+ rm -f $OLDESTEVE
+ NUMEVES=$(find /nsm/suricata/ -type f -name "eve-*.json" | wc -l)
+done
\ No newline at end of file
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 3de6e3568..708976cd9 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
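Review bot: The lock file `lf=/tmp/$APP-pidLockFile` lives in a world-writable directory and is created, read and overwritten by root without any ownership check, so a local user who pre-creates that name (a file holding the PID of a long-running process, or a symlink where fs.protected_symlinks is not enforced) can keep the cleanup from ever running or redirect the `echo $$ > $lf` write; `read lastPID < $lf` also never confirms the value is numeric before it is used in `-d /proc/$lastPID`. A root-owned location with an atomic lock, e.g. `exec 9>/var/lock/$APP.lock; flock -n 9 || exit`, removes both problems in fewer lines. The `awk -F" " '{print $2}'` / `rm -f $OLDESTEVE` pair splits on whitespace, so `-printf '%T+\t%p\n'` with `cut -d $'\t' -f 2-` and `rm -f -- "$OLDESTEVE"` keeps any path intact; the repeated `-type f` in that find is harmless but redundant.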
@@ -177,6 +177,26 @@ disable_so-suricata_so-status.conf:
 - month: '*'
 - dayweek: '*'
+so-suricata-eve-clean:
+ file.managed:
+ - name: /usr/sbin/so-suricata-eve-clean
+ - user: root
+ - group: root
+ - file_mode: 755
+ - template: jinja
+ - source: salt://suricata/cron/so-suricata-eve-clean
+
+# Add eve clean cron
+clean_suricata_eve_files:
+ cron.present:
+ - name: /usr/sbin/so-suricata-eve-clean > /dev/null 2>&1
+ - user: root
+ - minute: '*/5'
+ - hour: '*'
+ - daymonth: '*'
+ - month: '*'
+ - dayweek: '*'
+
 {% else %}
 {{sls}}_state_not_allowed:
From 041d193f2d52a1655f6f1b12ec54b696b68c48fe Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 18 Feb 2021 09:37:37 -0500
Subject: [PATCH 03/14] fix brackets
---
 salt/suricata/cron/so-suricata-eve-clean | 2 +-
 salt/suricata/init.sls | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/suricata/cron/so-suricata-eve-clean b/salt/suricata/cron/so-suricata-eve-clean
index b931eeea2..dcaef3109 100644
--- a/salt/suricata/cron/so-suricata-eve-clean
+++ b/salt/suricata/cron/so-suricata-eve-clean
@@ -24,7 +24,7 @@ read lastPID < $lf
 [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
 echo $$ > $lf
-MAXEVES={% salt['pillar.get']('suricata:cleanup:eve_json', 20) %}
+MAXEVES={{ salt['pillar.get']('suricata:cleanup:eve_json', 20) }}
 # Find eve files and remove them
 NUMEVES=$(find /nsm/suricata/ -type f -name "eve-*.json" | wc -l)
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 708976cd9..a77248ce1 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -182,7 +182,7 @@ so-suricata-eve-clean:
 - name: /usr/sbin/so-suricata-eve-clean
 - user: root
 - group: root
- - file_mode: 755
+ - mode: 755
 - template: jinja
 - source: salt://suricata/cron/so-suricata-eve-clean
From 4b07d5e457b2bb559922d044acdcdaaa27bb5059 Mon Sep 17 00:00:00 2001
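Review bot: `- name: /usr/sbin/so-suricata-eve-clean > /dev/null 2>&1` throws away everything the cleanup job prints, so a find or rm failure that lets /nsm/suricata fill up is never recorded anywhere; appending to a log file under the project's log directory, e.g. `- name: /usr/sbin/so-suricata-eve-clean >> <LOG_DIR>/so-suricata-eve-clean.log 2>&1` (placeholder path), keeps an audit trail at no cost. The two new states sit inside the same Jinja `{% if %}` as the states above them, whose opening tag is outside this hunk, so they are skipped whenever those are; a one-line comment above `so-suricata-eve-clean:` such as `# Cleanup script for rotated eve-*.json files; retention comes from the suricata:cleanup:eve_json pillar` would make that and the script's purpose clear to the reader.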
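Review bot: `MAXEVES={{ salt['pillar.get']('suricata:cleanup:eve_json', 20) }}` now renders, but the pillar value is pasted into the script unvalidated, so an empty or non-numeric setting makes `[ "$NUMEVES" -gt "$MAXEVES" ]` fail with an integer-expression error and the loop never runs, which silently disables the cleanup; the `-lt 2` guard added in patch 05 has the same gap. A shell-side check right after the assignment, `case "$MAXEVES" in ''|*[!0-9]*) MAXEVES=20;; esac`, falls back to the default instead. Avoid Jinja's `| int` filter for this, since it turns a bad value into 0 and the loop would then delete every eve file.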
From: m0duspwnens
Date: Thu, 18 Feb 2021 09:39:54 -0500
Subject: [PATCH 04/14] add identifier to eve clean cron
---
 salt/suricata/init.sls | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index a77248ce1..1a01d5e3a 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -190,6 +190,7 @@ so-suricata-eve-clean:
 clean_suricata_eve_files:
 cron.present:
 - name: /usr/sbin/so-suricata-eve-clean > /dev/null 2>&1
+ - identifier: clean_suricata_eve_files
 - user: root
 - minute: '*/5'
 - hour: '*'
From 74ca4487de3698cab7b4338571a7bc042d0e0e64 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 18 Feb 2021 09:51:40 -0500
Subject: [PATCH 05/14] ensure at least 2 eve files are kept
https://github.com/Security-Onion-Solutions/securityonion/issues/2989
---
 salt/suricata/cron/so-suricata-eve-clean | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/salt/suricata/cron/so-suricata-eve-clean b/salt/suricata/cron/so-suricata-eve-clean
index dcaef3109..a3cd6bc79 100644
--- a/salt/suricata/cron/so-suricata-eve-clean
+++ b/salt/suricata/cron/so-suricata-eve-clean
@@ -25,6 +25,9 @@ read lastPID < $lf
 echo $$ > $lf
 MAXEVES={{ salt['pillar.get']('suricata:cleanup:eve_json', 20) }}
+if [ "$MAXEVES" -lt 2 ]; then
+ MAXEVES=2
+fi
 # Find eve files and remove them
 NUMEVES=$(find /nsm/suricata/ -type f -name "eve-*.json" | wc -l)
From a4d5f5825647b785d2f29ec78607ffdaab580dc1 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 18 Feb 2021 10:33:47 -0500
Subject: [PATCH 06/14] fix surilogcompress
---
 salt/suricata/cron/surilogcompress | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/suricata/cron/surilogcompress b/salt/suricata/cron/surilogcompress
index b77c4d635..4fe43bbee 100644
--- a/salt/suricata/cron/surilogcompress
+++ b/salt/suricata/cron/surilogcompress
@@ -1,6 +1,6 @@
 #!/bin/bash
 # Gzip the eve logs
-find /nsm/suricata/eve*.json -type f -printf '%T@\t%p\n' | sort -t $'\t' -g | head -n -1 | cut -d $'\t' -f 2- | xargs nice gzip
+find /nsm/suricata/eve*.json -type f -printf '%T@\t%p\n' | sort -t $'\t' -g | head -n -1 | cut -d $'\t' -f 2 | xargs nice gzip
 # TODO Add stats log
\ No newline at end of file
From 95df18c545f8ffe603e68ee0b716ca456a355084 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 18 Feb 2021 10:45:20 -0500
Subject: [PATCH 07/14] limit eve logs and gz files based on days
---
 salt/suricata/cron/so-suricata-eve-clean | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/salt/suricata/cron/so-suricata-eve-clean b/salt/suricata/cron/so-suricata-eve-clean
index a3cd6bc79..71bfbd95c 100644
--- a/salt/suricata/cron/so-suricata-eve-clean
+++ b/salt/suricata/cron/so-suricata-eve-clean
@@ -24,15 +24,9 @@ read lastPID < $lf
 [ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit
 echo $$ > $lf
-MAXEVES={{ salt['pillar.get']('suricata:cleanup:eve_json', 20) }}
-if [ "$MAXEVES" -lt 2 ]; then
- MAXEVES=2
+MAXDAYS={{ salt['pillar.get']('suricata:cleanup:eve_json', 7) }}
+if [ "$MAXDAYS" -lt 1 ]; then
+ MAXDAYS=1
 fi
-# Find eve files and remove them
-NUMEVES=$(find /nsm/suricata/ -type f -name "eve-*.json" | wc -l)
-while [ "$NUMEVES" -gt "$MAXEVES" ]; do
- OLDESTEVE=$(find /nsm/suricata/ -type f -name "eve-*.json" -type f -printf '%T+ %p\n' | sort | head -n 1 | awk -F" " '{print $2}')
- rm -f $OLDESTEVE
- NUMEVES=$(find /nsm/suricata/ -type f -name "eve-*.json" | wc -l)
-done
\ No newline at end of file
+find /nsm/suricata/ -type f -mtime +$MAXDAYS -name 'eve-*.json*' -execdir rm -- '{}' \;
\ No newline at end of file
From 6f7bc650a0e3e7ffffa29eafb133c2f7702f475e Mon Sep 17 00:00:00 2001
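Review bot: `xargs nice gzip` at the end of the new line still runs when the pipeline yields nothing (no rotated eve file yet, or `eve*.json` failing to glob so find receives the literal pattern and prints an error), in which case gzip is invoked with no file argument and reads cron's stdin instead; `xargs -r -d '\n' nice gzip` skips the empty case and keeps paths containing spaces intact. Switching `-f 2-` to `-f 2` also truncates a path that itself contains a tab, which suricata's own file names should not, so that is minor. `head -n -1` assumes the newest file by mtime is the one suricata is still writing, a reasonable assumption that deserves a comment: `# skip the newest file: it is the log suricata is still writing`.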
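Review bot: The pillar key `suricata:cleanup:eve_json` keeps its name while its meaning changes from a file count (default 20) to an age in days (default 7), so an operator who already set it to 30 files now keeps 30 days of eve and gz logs; a new key (for example `suricata:cleanup:eve_days`, name illustrative) or a release note is needed. `-mtime +$MAXDAYS` matches files whose age truncated to whole days exceeds MAXDAYS, i.e. at least MAXDAYS+1 days old, so the minimum of 1 actually keeps two days; if one day is intended, `-mtime +$((MAXDAYS-1))` or `-mmin` is more precise. The unvalidated pillar value noted on patch 03 still applies, and an empty value is worse here because `-mtime +` makes find abort before deleting anything. `-delete` would replace `-execdir rm -- '{}' \;` with one fewer process per file, though the `-execdir` form is acceptable.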
From: Jason Ertel
Date: Thu, 18 Feb 2021 11:20:13 -0500
Subject: [PATCH 08/14] Apply reserved ports if the existing file is 0 bytes
---
 salt/common/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/init.sls b/salt/common/init.sls
index 870ae177f..5537aaef6 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -268,7 +268,7 @@ docker:
 # Reserve OS ports for Docker proxy in case boot settings are not already applied/present
 dockerapplyports:
 cmd.run:
- - name: if [ ! -f /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314"; fi
+ - name: [ ! -s /etc/sysctl.d/99-reserved-ports.conf ] && sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314"
 # Reserve OS ports for Docker proxy
 dockerreserveports:
From 069997a65ce68042aae979c4ad419bb0ede410ed Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 18 Feb 2021 11:56:25 -0500
Subject: [PATCH 09/14] Don't show changes because all.rules can be large
---
 salt/idstools/init.sls | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls
index 56f15a93d..db67ca08d 100644
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -55,12 +55,14 @@ rulesdir:
 - group: 939
 - makedirs: True
+# Don't show changes because all.rules can be large
 synclocalnidsrules:
 file.recurse:
 - name: /opt/so/rules/nids/
 - source: salt://idstools/
 - user: 939
 - group: 939
+ - show_changes: False
 - include_pat: 'E@.rules'
 so-idstools:
From e730efb4ecacbbc3d3ae5d857b42e3353c6f5535 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 18 Feb 2021 12:12:18 -0500
Subject: [PATCH 10/14] load templates all the time
---
 salt/elasticsearch/init.sls | 2 --
 1 file changed, 2 deletions(-)
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index 9791d8b94..82fc7c77d 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
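Review bot: `- show_changes: False` on synclocalnidsrules removes the content diff of every file under /opt/so/rules/nids/ from the state output, so a highstate that rewrote the rule set (including the all.rules file the comment refers to) no longer records which rules changed, only that the file changed; for a detection rule set that history is useful evidence when a rule unexpectedly stops firing. If the diff is too large to keep, logging a checksum of the synced rules files from the same run would preserve a tamper-evident record at little cost. The same trade-off applies to `surirulesync` in patch 11. Capitalised `False` matches `makedirs: True` two lines above, so it is consistent with the file's existing style.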
@@ -168,8 +168,6 @@ es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}:
 {% endif %}
 - user: 930
 - group: 939
- - onchanges_in:
- - cmd: so-elasticsearch-templates
 {% endfor %}
 nsmesdir:
From bf100a23108b9d54e72de7579590cdff03b3ea98 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 18 Feb 2021 12:23:22 -0500
Subject: [PATCH 11/14] dont show changes since file can be large
---
 salt/suricata/init.sls | 1 +
 1 file changed, 1 insertion(+)
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 3de6e3568..d8b57e2ef 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -74,6 +74,7 @@ surirulesync:
 - source: salt://suricata/rules/
 - user: 940
 - group: 940
+ - show_changes: False
 surilogscript:
 file.managed:
From e912b2fd9647ce2aaf45b799bba0dbcb60145d79 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 18 Feb 2021 12:49:54 -0500
Subject: [PATCH 12/14] Move idstools to run after nginx runs
---
 setup/so-setup | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/setup/so-setup b/setup/so-setup
index 548d9e7f4..614adaf3b 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -708,32 +708,33 @@ set_redirect >> $setup_log 2>&1
 set_progress_str 60 "$(print_salt_state_apply 'manager')"
 salt-call state.apply -l info manager >> $setup_log 2>&1
-
- set_progress_str 61 "$(print_salt_state_apply 'idstools')"
- create_local_nids_rules >> $setup_log 2>&1
- salt-call state.apply -l info idstools >> $setup_log 2>&1
-
- set_progress_str 61 "$(print_salt_state_apply 'suricata.manager')"
- salt-call state.apply -l info suricata.manager >> $setup_log 2>&1
-
 fi
- set_progress_str 62 "$(print_salt_state_apply 'firewall')"
+ set_progress_str 61 "$(print_salt_state_apply 'firewall')"
 salt-call state.apply -l info firewall >> $setup_log 2>&1
 if [ $OS = 'centos' ]; then
- set_progress_str 63 'Installing Yum utilities'
+ set_progress_str 62 'Installing Yum utilities'
 salt-call state.apply -l info yum.packages >> $setup_log 2>&1
 fi
- set_progress_str 63 "$(print_salt_state_apply 'common')"
+ set_progress_str 62 "$(print_salt_state_apply 'common')"
 salt-call state.apply -l info common >> $setup_log 2>&1
 if [[ ! $is_helix ]]; then
- set_progress_str 64 "$(print_salt_state_apply 'nginx')"
+ set_progress_str 62 "$(print_salt_state_apply 'nginx')"
 salt-call state.apply -l info nginx >> $setup_log 2>&1
 fi
+ if [[ $is_manager || $is_helix || $is_import ]]; then
+ set_progress_str 63 "$(print_salt_state_apply 'idstools')"
+ create_local_nids_rules >> $setup_log 2>&1
+ salt-call state.apply -l info idstools >> $setup_log 2>&1
+
+ set_progress_str 63 "$(print_salt_state_apply 'suricata.manager')"
+ salt-call state.apply -l info suricata.manager >> $setup_log 2>&1
+ fi
+
 if [[ $is_manager || $is_node || $is_import || $is_helix ]]; then
 set_progress_str 64 "$(print_salt_state_apply 'elasticsearch')"
 salt-call state.apply -l info elasticsearch >> $setup_log 2>&1
From 03487c2a3145ae110dbfe9ee6ec6b1543e91d474 Mon Sep 17 00:00:00 2001
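Review bot: The relocated block is now guarded by `if [[ $is_manager || $is_helix || $is_import ]]; then`, but the guard that enclosed it before (only its `fi` is visible as context; the `if` is above the hunk) cannot be compared here, so please confirm the role set matches — any role that previously got idstools and suricata.manager but is absent from the new condition ends up with no local NIDS rules. Neither `create_local_nids_rules` nor the two `salt-call state.apply` calls have their exit status checked, consistent with the rest of the file, which means a failed idstools apply is not visible until the sensor runs without rules; `|| echo "idstools apply failed" >> $setup_log` on the new lines would at least leave a trace. Progress step 62 is now emitted three times (yum, common, nginx), which is cosmetic. The enclosing control structure begins and ends outside this hunk.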
From: m0duspwnens
Date: Thu, 18 Feb 2021 14:06:45 -0500
Subject: [PATCH 13/14] change suricata clean cron to run once a day
---
 salt/suricata/init.sls | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls
index 1a01d5e3a..d994b7393 100644
--- a/salt/suricata/init.sls
+++ b/salt/suricata/init.sls
@@ -192,8 +192,8 @@ clean_suricata_eve_files:
 - name: /usr/sbin/so-suricata-eve-clean > /dev/null 2>&1
 - identifier: clean_suricata_eve_files
 - user: root
- - minute: '*/5'
- - hour: '*'
+ - minute: '10'
+ - hour: '0'
 - daymonth: '*'
 - month: '*'
 - dayweek: '*'
From faa78c0e26f312447980ae100466388ffa82d43a Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 18 Feb 2021 14:51:05 -0500
Subject: [PATCH 14/14] Salt doesn't like a name starting with a non alpha-numeric char. Switch back to long if/then format
---
 salt/common/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/init.sls b/salt/common/init.sls
index 5537aaef6..16cba3c1a 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -268,7 +268,7 @@ docker:
 # Reserve OS ports for Docker proxy in case boot settings are not already applied/present
 dockerapplyports:
 cmd.run:
- - name: [ ! -s /etc/sysctl.d/99-reserved-ports.conf ] && sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314"
+ - name: if [ ! -s /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314"; fi
 # Reserve OS ports for Docker proxy
 dockerreserveports:
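Review bot: The cause named in the subject is YAML rather than Salt: a plain scalar that starts with `[` is parsed as a flow sequence, so `- name: [ ! -s ... ] && sysctl ...` never reached Salt as a string, and quoting the value would also have fixed the parse. The restored if/then form is still the better choice, because with `&&` the command exits non-zero whenever the file is already non-empty and `cmd.run` would then report a failure on every run where there was nothing to do, while the `if` form exits 0 either way. The state still executes on every highstate; moving the test into `- unless: test -s /etc/sysctl.d/99-reserved-ports.conf` would make the skip visible in the state result instead of hidden inside the command.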