From 7875436efdf279f5b248b63cd4a3062a96df2af6 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Sat, 25 Jan 2020 11:27:10 -0500 Subject: [PATCH 01/16] Steno BPF - cleanup & simplify --- salt/pcap/init.sls | 33 ++++++++++----------------------- 1 file changed, 10 insertions(+), 23 deletions(-) diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 16d002250..6b5647d8e 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -14,6 +14,10 @@ # along with this program. If not, see . {% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} {% set MASTER = salt['grains.get']('master') %} +{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %} +{% set bpf_steno = salt['pillar.get']('steno:bpf', None) %} +{% set bpf_compiled = "" %} + # PCAP Section # Create the logstash group 
@@ -36,31 +40,18 @@ stenoconfdir: - group: 939 - makedirs: True -{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %} -{% set bpf_global = salt['pillar.get']('static:steno:bpf', None) %} -{% set bpf_steno = salt['pillar.get']('steno:bpf', None) %} - -{% if bpf_steno != None or bpf_global != None %} - {% if bpf_steno != None %} - {% set bpf_calc = salt['cmd.script']('salt://pcap/files/compile_bpf.sh', interface + ' ' + bpf_steno) %} - {% else %} - {% set bpf_calc = salt['cmd.script']('salt://pcap/files/compile_bpf.sh', interface + ' ' + bpf_global) %} - {% endif %} +# BPF compilation and configuration +{% if bpf_steno %} + {% set bpf_calc = salt['cmd.script']('salt://pcap/files/compile_bpf.sh', interface + ' ' + bpf_steno) %} {% if bpf_calc['stderr'] == "" %} - {% set bpf_compiled = bpf_calc['stdout'] %} + {% set bpf_compiled = ",\\\"--filter=" + bpf_calc['stdout'] + "\\\"" %} {% else %} - {% set bpf_compiled = None %} - bpfcompilationfailure: test.configurable_test_state: - - name: bpfcompfailure - changes: False - result: False - - comment: "BPF Compilation Failed - Discarding specified BPF" - + - comment: "BPF Compilation Failed - Discarding Specified BPF" {% endif %} -{% else %} - {% set bpf_compiled = None %} {% endif %} stenoconf: @@ -72,11 +63,7 @@ stenoconf: - mode: 644 - template: jinja - defaults: - bpf_compiled: "" -{% if bpf_compiled != None %} - - context: - bpf_compiled: ',"--filter={{ bpf_compiled }}"' -{% endif %} + bpf_compiled: "{{ bpf_compiled }}" sensoroniagentconf: file.managed: From 47f02389fc4c1f69691bde0707053e6ed60efc9d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 27 Jan 2020 15:23:35 -0500 Subject: [PATCH 02/16] Add so-auth to master and master/search --- salt/common/nginx/nginx.conf.so-master | 38 ++++++++++++++------ salt/common/nginx/nginx.conf.so-mastersearch | 38 ++++++++++++++------ 2 files changed, 54 insertions(+), 22 deletions(-) 
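Review bot: Success of the BPF compile is judged only by an empty stderr on the `{% if bpf_calc['stderr'] == "" %}` line, so a script that exits non-zero without writing to stderr would have its stdout installed as the filter; check the return code as well: `{% if bpf_calc['retcode'] == 0 and bpf_calc['stderr'] == "" %}`. The filter text is still concatenated unquoted into the cmd.script argument string (`interface + ' ' + bpf_steno`); if Salt hands that string to a shell, which cmd.script does by default, a BPF expression containing parentheses or `||` becomes a shell syntax error instead of a compile failure, so the expression should be single-quoted before concatenation. The fallback to `static:steno:bpf` is dropped without a deprecation path, so a deployment that only set the global key silently loses its filter and steno captures unfiltered; a one-time warning state when the old key is still present would make that visible.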
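Review bot: `bpf_compiled: "{{ bpf_compiled }}"` interpolates the compile script's stdout into a double-quoted YAML scalar and relies on the `\\\"` sequences set in the earlier hunk surviving YAML parsing as literal quotes; any `"`, `\` or trailing newline in that stdout breaks the rendered state file rather than just the filter. Keeping the value plain, `{% set bpf_compiled = ',"--filter=' + bpf_calc['stdout'] + '"' %}`, and letting Salt quote it here, `bpf_compiled: {{ bpf_compiled | yaml_encode }}`, removes the hand escaping. Whether compile_bpf.sh's output can actually contain such characters is not visible on this page.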
diff --git a/salt/common/nginx/nginx.conf.so-master b/salt/common/nginx/nginx.conf.so-master index 0a0c31d6a..3cac44155 100644 --- a/salt/common/nginx/nginx.conf.so-master +++ b/salt/common/nginx/nginx.conf.so-master @@ -88,7 +88,7 @@ http { # } location /grafana/ { - rewrite /grafana/(.*) /$1 break; + rewrite /grafana/(.*) /$1 break; proxy_pass http://{{ masterip }}:3000/; proxy_read_timeout 90; proxy_connect_timeout 90; @@ -100,9 +100,8 @@ http { } location /kibana/ { - auth_basic "Security Onion"; - auth_basic_user_file /opt/so/conf/nginx/.htpasswd; - rewrite /kibana/(.*) /$1 break; + auth_request /so-auth/api/auth/; + rewrite /kibana/(.*) /$1 break; proxy_pass http://{{ masterip }}:5601/; proxy_read_timeout 90; proxy_connect_timeout 90; @@ -125,8 +124,7 @@ http { } location /navigator/ { - auth_basic "Security Onion"; - auth_basic_user_file /opt/so/conf/nginx/.htpasswd; + auth_request /so-auth/api/auth/; proxy_pass http://{{ masterip }}:4200/navigator/; proxy_read_timeout 90; proxy_connect_timeout 90; @@ -151,9 +149,8 @@ http { } location /fleet/ { - rewrite /fleet/(.*) /$1 break; - auth_basic "Security Onion"; - auth_basic_user_file /opt/so/conf/nginx/.htpasswd; + rewrite /fleet/(.*) /$1 break; + auth_request /so-auth/api/auth/; proxy_pass https://{{ masterip }}:8080/; proxy_read_timeout 90; proxy_connect_timeout 90; @@ -200,8 +197,7 @@ http { } location /sensoroni/ { - auth_basic "Security Onion"; - auth_basic_user_file /opt/so/conf/nginx/.htpasswd; + auth_request /so-auth/api/auth/; proxy_pass http://{{ masterip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; 
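Review bot: In `location /fleet/` the `rewrite ... break;` now precedes `auth_request`, whereas `/kibana/` puts `auth_request` first; the access-phase check still runs after a `break` rewrite, but the differing order invites the reading that the rewrite bypasses it. Put `auth_request /so-auth/api/auth/;` as the first line of the location in both files (the same ordering appears in the @@ -151 hunk of nginx.conf.so-mastersearch). The `/grafana/` location keeps no auth directive at all, which is pre-existing but now stands out next to the converted locations and may merit a comment stating that it is intentional.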
@@ -238,6 +234,26 @@ http { } + + location /so-auth/loginpage/ { + proxy_pass http://{{ masterip }}:4242/; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + location /so-auth/api/ { + proxy_pass http://{{ masterip }}:5656/; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + } + + error_page 401 = @error401; + + location @error401 { + add_header Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/"; + return 302 http://{{ masterip }}/so-auth/loginpage/; + } + error_page 404 /404.html; location = /40x.html { } diff --git a/salt/common/nginx/nginx.conf.so-mastersearch b/salt/common/nginx/nginx.conf.so-mastersearch index 265413fa2..6fa080f5b 100644 --- a/salt/common/nginx/nginx.conf.so-mastersearch +++ b/salt/common/nginx/nginx.conf.so-mastersearch @@ -88,7 +88,7 @@ http { # } location /grafana/ { - rewrite /grafana/(.*) /$1 break; + rewrite /grafana/(.*) /$1 break; proxy_pass http://{{ masterip }}:3000/; proxy_read_timeout 90; proxy_connect_timeout 90; @@ -100,9 +100,8 @@ http { } location /kibana/ { - auth_basic "Security Onion"; - auth_basic_user_file /opt/so/conf/nginx/.htpasswd; - rewrite /kibana/(.*) /$1 break; + auth_request /so-auth/api/auth/; + rewrite /kibana/(.*) /$1 break; proxy_pass http://{{ masterip }}:5601/; proxy_read_timeout 90; proxy_connect_timeout 90; @@ -125,8 +124,7 @@ http { } location /navigator/ { - auth_basic "Security Onion"; - auth_basic_user_file /opt/so/conf/nginx/.htpasswd; + auth_request /so-auth/api/auth/; proxy_pass http://{{ masterip }}:4200/navigator/; proxy_read_timeout 90; proxy_connect_timeout 90; 
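Review bot: The `auth_request /so-auth/api/auth/` subrequests land in the generic `location /so-auth/api/` block, which forwards the original request's headers including Content-Length while nginx discards the body of authorization subrequests, so a POST to a protected location can leave the backend on 5656 waiting for a body that never arrives; nginx's own guidance for auth_request is a dedicated location with `proxy_pass_request_body off` and an empty Content-Length. A dedicated `location = /so-auth/api/auth/` also lets the check endpoint be marked `internal` so it is not reachable directly from the browser (drop `internal` if the login page calls it client-side). The identical twenty-line block is added at @@ -250 in nginx.conf.so-mastersearch; both copies could come from one included snippet. Separately, `@error401` hardcodes `http://` in both the NSREDIRECT cookie and the 302 target, so if this server block also listens on 443 (its `listen` lines are outside the hunk) the login round-trip is downgraded to plaintext; `$scheme` in place of the literal `http` keeps the client's scheme.
```nginx
    location = /so-auth/api/auth/ {
        internal;
        proxy_pass http://{{ masterip }}:5656/auth/;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
    }
    # … unchanged: /so-auth/loginpage/ and /so-auth/api/ locations, error_page 401 and @error401 …
```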
@@ -151,9 +149,8 @@ http { } location /fleet/ { - rewrite /fleet/(.*) /$1 break; - auth_basic "Security Onion"; - auth_basic_user_file /opt/so/conf/nginx/.htpasswd; + rewrite /fleet/(.*) /$1 break; + auth_request /so-auth/api/auth/; proxy_pass https://{{ masterip }}:8080/; proxy_read_timeout 90; proxy_connect_timeout 90; @@ -212,8 +209,7 @@ http { } location /sensoroni/ { - auth_basic "Security Onion"; - auth_basic_user_file /opt/so/conf/nginx/.htpasswd; + auth_request /so-auth/api/auth/; proxy_pass http://{{ masterip }}:9822/; proxy_read_timeout 90; proxy_connect_timeout 90; @@ -250,6 +246,26 @@ http { } + + location /so-auth/loginpage/ { + proxy_pass http://{{ masterip }}:4242/; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + location /so-auth/api/ { + proxy_pass http://{{ masterip }}:5656/; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $host; + } + + error_page 401 = @error401; + + location @error401 { + add_header Set-Cookie "NSREDIRECT=http://{{ masterip }}$request_uri;Domain={{ masterip }};Path=/"; + return 302 http://{{ masterip }}/so-auth/loginpage/; + } + error_page 404 /404.html; location = /40x.html { } From c38569d8a6abbf57d1e56fe7595da2e76d666d3a Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 28 Jan 2020 13:07:37 +0000 Subject: [PATCH 03/16] Add script for CVE-2020-0601 --- salt/zeek/files/local.zeek | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/zeek/files/local.zeek b/salt/zeek/files/local.zeek index aed6bb59b..92104dbf0 100644 --- a/salt/zeek/files/local.zeek +++ b/salt/zeek/files/local.zeek @@ -118,3 +118,6 @@ # Write logs in JSON redef LogAscii::use_json = T; redef LogAscii::json_timestamps = JSON::TS_ISO8601; + +# CVE-2020-0601 +@load cve-2020-0601 From b754c88ab145b28de933c4642d38a17713b55620 Mon Sep 17 00:00:00 2001 
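Review bot: `@load cve-2020-0601` is introduced in this commit while the package that provides it (`salt/zeek/policy/cve-2020-0601/`) only arrives in the following commit, so at this point in the series Zeek would refuse to start on an unknown script; the two belong in one commit or in the opposite order. Whether that salt directory is deployed onto the Zeek container's load path is not visible here and is worth confirming, since a bare-name `@load` resolves through it. A one-line comment such as `# Notice on ECC certificates whose curve Zeek cannot identify (see policy/cve-2020-0601)` would tell the reader what the load adds.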
From: Wes Lambert Date: Tue, 28 Jan 2020 13:08:10 +0000 Subject: [PATCH 04/16] Add script for CVE-2020-0601 --- salt/zeek/policy/cve-2020-0601/COPYING | 27 ++++++++++++ salt/zeek/policy/cve-2020-0601/__load__.zeek | 1 + .../policy/cve-2020-0601/cve-2020-0601.zeek | 41 +++++++++++++++++++ 3 files changed, 69 insertions(+) create mode 100644 salt/zeek/policy/cve-2020-0601/COPYING create mode 100644 salt/zeek/policy/cve-2020-0601/__load__.zeek create mode 100644 salt/zeek/policy/cve-2020-0601/cve-2020-0601.zeek diff --git a/salt/zeek/policy/cve-2020-0601/COPYING b/salt/zeek/policy/cve-2020-0601/COPYING new file mode 100644 index 000000000..ab2a4ef38 --- /dev/null +++ b/salt/zeek/policy/cve-2020-0601/COPYING 
@@ -0,0 +1,27 @@ +Copyright (c) 2019, Johanna Amann. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +(1) Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + +(2) Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE +LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + +Note that some files in the distribution may carry their own copyright +notices. + diff --git a/salt/zeek/policy/cve-2020-0601/__load__.zeek b/salt/zeek/policy/cve-2020-0601/__load__.zeek new file mode 100644 index 000000000..911b1404a --- /dev/null +++ b/salt/zeek/policy/cve-2020-0601/__load__.zeek @@ -0,0 +1 @@ +@load ./cve-2020-0601 diff --git a/salt/zeek/policy/cve-2020-0601/cve-2020-0601.zeek b/salt/zeek/policy/cve-2020-0601/cve-2020-0601.zeek new file mode 100644 index 000000000..32fa67739 --- /dev/null +++ b/salt/zeek/policy/cve-2020-0601/cve-2020-0601.zeek 
@@ -0,0 +1,41 @@ +module CVE_2020_0601; + +export { + ## set to yes, to log suspicious certificates. + option log_certs = F; + + ## The logging stream identifier. + redef enum Log::ID += { LOG }; + + ## The record type which contains column fields of the certificate log. + type Info: record { + ## Timestamp when this record is written. + ts: time &log; + ## File-id of the cerfificate + fuid: string &log; + ## Certificate encoded as base64 + certificate: string &log; + }; + + redef enum Notice::Type += { + ## An ECC certificate with an unknown curve was encountered + Unknown_X509_Curve + }; +} + +event zeek_init() + { + Log::create_stream(CVE_2020_0601::LOG, [$columns=Info, $path="cve-2020-0601-certs"]); + } + +event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) + { + if ( cert?$key_alg && cert$key_alg == "id-ecPublicKey" && ! cert?$curve ) + { + NOTICE([$note=Unknown_X509_Curve, $f=f, $msg="ECC certificate with unknown curve; potential CVE-2020-0601 exploit attempt"]); + + if ( log_certs ) + Log::write(CVE_2020_0601::LOG, Info($ts=network_time(), $fuid=f$id, $certificate=encode_base64(x509_get_certificate_string(cert_ref, F)))); + } + } + From a9ccd17d89034791fbf0de55352f889eb03b2fcb Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 28 Jan 2020 14:34:19 +0000 Subject: [PATCH 05/16] Update Wazuh scripts --- salt/common/tools/sbin/so-wazuh-restart | 6 ++++-- salt/common/tools/sbin/so-wazuh-start | 7 +++++-- salt/common/tools/sbin/so-wazuh-stop | 7 +++++-- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/salt/common/tools/sbin/so-wazuh-restart b/salt/common/tools/sbin/so-wazuh-restart index 3183479c4..34e2eee9a 100644 --- a/salt/common/tools/sbin/so-wazuh-restart +++ b/salt/common/tools/sbin/so-wazuh-restart 
@@ -1,6 +1,6 @@ #!/bin/bash -# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -14,4 +14,6 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -docker stop so-wazuh && sudo docker rm so-wazuh && salt-call state.apply wazuh +. /usr/sbin/so-common + +/usr/sbin/so-restart wazuh $1 diff --git a/salt/common/tools/sbin/so-wazuh-start b/salt/common/tools/sbin/so-wazuh-start index dd64354c7..607f59ae7 100644 --- a/salt/common/tools/sbin/so-wazuh-start +++ b/salt/common/tools/sbin/so-wazuh-start @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -14,4 +14,7 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -docker stop so-wazuh +. /usr/sbin/so-common + +/usr/sbin/so-start wazuh $1 + diff --git a/salt/common/tools/sbin/so-wazuh-stop b/salt/common/tools/sbin/so-wazuh-stop index dd64354c7..399d14567 100644 --- a/salt/common/tools/sbin/so-wazuh-stop +++ b/salt/common/tools/sbin/so-wazuh-stop @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
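Review bot: `/usr/sbin/so-restart wazuh $1` passes the argument unquoted, so a value containing spaces is word-split and, when no argument is given, nothing is passed at all (which `"$1"` would turn into an empty-string argument); `"$@"` forwards exactly what the caller supplied: `/usr/sbin/so-restart wazuh "$@"`. The same applies to the so-wazuh-start and so-wazuh-stop hunks. `/usr/sbin/so-common` is sourced but nothing from it is used in the visible lines; if the so-start/so-stop/so-restart wrappers already source it the line is redundant, otherwise a short comment naming what it provides would help.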
@@ -14,4 +14,7 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -docker stop so-wazuh +. /usr/sbin/so-common + +/usr/sbin/so-stop wazuh $1 + From 1de8902eef5c83a8ced2f7b77e5e2c9d33fa83b9 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 28 Jan 2020 14:45:29 +0000 Subject: [PATCH 06/16] Add default to setup --- setup/functions.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/setup/functions.sh b/setup/functions.sh index f23da15ba..5e1ef125b 100644 --- a/setup/functions.sh +++ b/setup/functions.sh @@ -714,7 +714,7 @@ master_static() { touch /opt/so/saltstack/pillar/static.sls echo "static:" > /opt/so/saltstack/pillar/static.sls - echo " soversion: 1.1.4" >> /opt/so/saltstack/pillar/static.sls + echo " soversion: HH1.1.4" >> /opt/so/saltstack/pillar/static.sls echo " hnmaster: $HNMASTER" >> /opt/so/saltstack/pillar/static.sls echo " ntpserver: $NTPSERVER" >> /opt/so/saltstack/pillar/static.sls echo " proxy: $PROXY" >> /opt/so/saltstack/pillar/static.sls @@ -732,6 +732,8 @@ master_static() { echo " cortexorguserkey: $CORTEXORGUSERKEY" >> /opt/so/saltstack/pillar/static.sls echo " fleetsetup: 0" >> /opt/so/saltstack/pillar/static.sls echo " sensoronikey: $SENSORONIKEY" >> /opt/so/saltstack/pillar/static.sls + echo "elastic:" >> /opt/so/saltstack/pillar/static.sls + echo " features: False" >> /opt/so/saltstack/pillar/static.sls if [[ $MASTERUPDATES == 'MASTER' ]]; then echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls else From fbb9f099f9c42153db47133cf7409019bb628ca1 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 28 Jan 2020 14:49:58 +0000 Subject: [PATCH 07/16] Update Elastic state files --- salt/elasticsearch/init.sls | 13 ++++++++++--- salt/filebeat/init.sls | 10 ++++++++-- salt/kibana/init.sls | 10 ++++++++-- salt/logstash/init.sls | 11 +++++++++-- 4 files changed, 35 insertions(+), 9 deletions(-) 
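Review bot: The two new lines `echo "elastic:"` and `echo "  features: False"` are inserted before the `if [[ $MASTERUPDATES == 'MASTER' ]]` block, so the `  masterupdate: 1` line (and whatever the else branch writes) that follows them is now indented under `elastic:` instead of `static:`, and `salt['pillar.get']('static:masterupdate', '0')` in salt/master/init.sls will no longer find it. Move the two echo lines after that if/else/fi (the closing `fi` is outside the hunk) or append the `elastic:` section at the very end of master_static(). Note also that `features: False` is written as a YAML boolean, which the `{% if FEATURES %}` checks in the elastic states depend on; a quoted `"False"` would be truthy there.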
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 3d60f2925..a2493091a 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -12,8 +12,15 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} +{% set FEATURES = salt['pillar.get']('elastic:features', False) %} +{% if FEATURES %} + {% set FEATURES = "-features" %} +{% else %} + {% set FEATURES = '' %} +{% endif %} + {% if grains['role'] == 'so-master' %} {% set esclustername = salt['pillar.get']('master:esclustername', '') %} @@ -102,7 +109,7 @@ eslogdir: so-elasticsearch: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-elasticsearch:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-elasticsearch:{{ VERSION }}{{ FEATURES }} - hostname: elasticsearch - name: so-elasticsearch - user: elasticsearch @@ -135,4 +142,4 @@ so-elasticsearch-pipelines-file: so-elasticsearch-pipelines: cmd.run: - - name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ esclustername }} \ No newline at end of file + - name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ esclustername }} diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 1a59446b3..44cc7c65c 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls 
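Review bot: The five-line `FEATURES` block reuses one variable first as the pillar boolean and then as the image-tag suffix, and the same block is pasted into filebeat, kibana and logstash init.sls in this commit; a single expression reads more clearly and leaves one place to change: `{% set FEATURES = '-features' if salt['pillar.get']('elastic:features', False) else '' %}`. If the four states could instead pull it from one shared .jinja file via `{% from %}` the duplication goes away entirely. The truthiness test also treats a string value such as `"False"` as enabled; the pillar written by setup is a bare boolean, so that only bites hand-edited pillars, but a comment saying the key must be a YAML boolean would prevent it.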
@@ -12,9 +12,15 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} +{% set FEATURES = salt['pillar.get']('elastic:features', False) %} +{% if FEATURES %} + {% set FEATURES = "-features" %} +{% else %} + {% set FEATURES = '' %} +{% endif %} # Filebeat Setup filebeatetcdir: @@ -49,7 +55,7 @@ filebeatconfsync: so-filebeat: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-filebeat:{{ VERSION }}{{ FEATURES }} - hostname: so-filebeat - user: root - extra_hosts: {{ MASTER }}:{{ MASTERIP }} diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 58eb6a32d..d2cf30c1a 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -1,5 +1,11 @@ -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} +{% set FEATURES = salt['pillar.get']('elastic:features', False) %} +{% if FEATURES %} + {% set FEATURES = "-features" %} +{% else %} + {% set FEATURES = '' %} +{% endif %} # Add ES Group kibanasearchgroup: @@ -56,7 +62,7 @@ synckibanacustom: # Start the kibana docker so-kibana: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-kibana:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-kibana:{{ VERSION }}{{ FEATURES }} - hostname: kibana - user: kibana - environment: diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 388019abf..2d94c5354 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls 
@@ -12,8 +12,15 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} +{% set FEATURES = salt['pillar.get']('elastic:features', False) %} +{% if FEATURES %} + {% set FEATURES = "-features" %} +{% else %} + {% set FEATURES = '' %} +{% endif %} + # Logstash Section - Decide which pillar to use {% if grains['role'] == 'so-sensor' %} @@ -200,7 +207,7 @@ lslogdir: so-logstash: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-logstash:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-logstash:{{ VERSION }}{{ FEATURES }} - hostname: so-logstash - name: so-logstash - user: logstash From b995b09d52ec96648a5833fdfdd229c3195b99f7 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 28 Jan 2020 14:59:53 +0000 Subject: [PATCH 08/16] Update version in all state files --- salt/common/init.sls | 10 +++++----- salt/curator/init.sls | 4 ++-- salt/elastalert/init.sls | 4 ++-- salt/fleet/init.sls | 4 ++-- salt/hive/init.sls | 8 ++++---- salt/idstools/init.sls | 4 ++-- salt/master/init.sls | 4 ++-- salt/mysql/init.sls | 4 ++-- salt/pcap/init.sls | 4 ++-- salt/playbook/init.sls | 6 +++--- salt/redis/init.sls | 4 ++-- salt/sensoroni/init.sls | 4 ++-- salt/soctopus/init.sls | 4 ++-- salt/suricata/init.sls | 4 ++-- salt/tcpreplay/init.sls | 4 ++-- salt/wazuh/init.sls | 4 ++-- salt/zeek/init.sls | 4 ++-- 17 files changed, 40 insertions(+), 40 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index de7048c51..7ed59efa1 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls 
@@ -1,4 +1,4 @@ -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} {%- set GRAFANA = salt['pillar.get']('master:grafana', '0') %} # Add socore Group @@ -118,7 +118,7 @@ nginxtmp: so-core: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-core:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-core:{{ VERSION }} - hostname: so-core - user: socore - binds: @@ -172,7 +172,7 @@ tgrafconf: so-telegraf: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-telegraf:{{ VERSION }} - environment: - HOST_PROC=/host/proc - HOST_ETC=/host/etc @@ -227,7 +227,7 @@ influxdbconf: so-influxdb: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-influxdb:{{ VERSION }} - hostname: influxdb - environment: - INFLUXDB_HTTP_LOG_ENABLED=false @@ -385,7 +385,7 @@ dashboard-{{ SN }}: so-grafana: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-grafana:{{ VERSION }} - hostname: grafana - user: socore - binds: diff --git a/salt/curator/init.sls b/salt/curator/init.sls index f846ff8ae..e1cd4829a 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -1,4 +1,4 @@ -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} {% if grains['role'] == 'so-node' or grains['role'] == 'so-eval' %} # Curator 
@@ -116,7 +116,7 @@ curdel: so-curator: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-curator:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-curator:{{ VERSION }} - hostname: curator - name: so-curator - user: curator diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 0e93ed885..599043d58 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -12,7 +12,7 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} {% if grains['role'] == 'so-master' %} @@ -112,7 +112,7 @@ elastaconf: so-elastalert: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-elastalert:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-elastalert:{{ VERSION }} - hostname: elastalert - name: so-elastalert - user: elastalert diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index 85370d20d..a27ad9eb6 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -1,7 +1,7 @@ {%- set MYSQLPASS = salt['pillar.get']('auth:mysql', 'iwonttellyou') %} {%- set FLEETPASS = salt['pillar.get']('auth:fleet', 'bazinga') -%} {%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} # Fleet Setup @@ -63,7 +63,7 @@ fleetdbpriv: so-fleet: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-fleet:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-fleet:{{ VERSION }} - hostname: so-fleet - port_bindings: - 0.0.0.0:8080:8080 diff --git a/salt/hive/init.sls b/salt/hive/init.sls index c5cf72d39..01484e365 100644 
--- a/salt/hive/init.sls +++ b/salt/hive/init.sls @@ -1,5 +1,5 @@ {% set MASTERIP = salt['pillar.get']('master:mainip', '') %} -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} hiveconfdir: file.directory: @@ -57,7 +57,7 @@ hiveesdata: so-thehive-es: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-es:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-es:{{ VERSION }} - hostname: so-thehive-es - name: so-thehive-es - user: 939 @@ -85,7 +85,7 @@ so-thehive-es: # Install Cortex so-cortex: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-cortex:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-thehive-cortex:{{ VERSION }} - hostname: so-cortex - name: so-cortex - user: 939 @@ -102,7 +102,7 @@ cortexscript: so-thehive: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-thehive:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-thehive:{{ VERSION }} - environment: - ELASTICSEARCH_HOST={{ MASTERIP }} - hostname: so-thehive diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index c18814243..969215559 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -12,7 +12,7 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} # IDSTools Setup idstoolsdir: @@ -64,7 +64,7 @@ ruleslink: so-idstools: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-idstools:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-idstools:{{ VERSION }} - hostname: so-idstools - user: socore - binds: 
diff --git a/salt/master/init.sls b/salt/master/init.sls index e01d19b58..44ae2d75f 100644 --- a/salt/master/init.sls +++ b/salt/master/init.sls @@ -12,7 +12,7 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} {% set masterproxy = salt['pillar.get']('static:masterupdate', '0') %} @@ -59,7 +59,7 @@ acngcopyconf: # Install the apt-cacher-ng container so-aptcacherng: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-acng:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-acng:{{ VERSION }} - hostname: so-acng - port_bindings: - 0.0.0.0:3142:3142 diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index b964d7d37..ac49953f1 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -1,7 +1,7 @@ {%- set MYSQLPASS = salt['pillar.get']('auth:mysql', 'iwonttellyou') %} {%- set FLEETPASS = salt['pillar.get']('auth:fleet', 'bazinga') %} {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} # MySQL Setup mysqlpkgs: @@ -52,7 +52,7 @@ mysqldatadir: so-mysql: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-mysql:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-mysql:{{ VERSION }} - hostname: so-mysql - user: socore - port_bindings: diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 16d002250..33d660c3c 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls 
@@ -12,7 +12,7 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} # PCAP Section @@ -130,7 +130,7 @@ stenolog: so-steno: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-steno:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-steno:{{ VERSION }} - network_mode: host - privileged: True - port_bindings: diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 907e4825c..049c5fab9 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -1,5 +1,5 @@ {% set MASTERIP = salt['pillar.get']('master:mainip', '') %} -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} playbookdb: @@ -28,7 +28,7 @@ navigatorconfig: so-playbook: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-playbook:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-playbook:{{ VERSION }} - hostname: playbook - name: so-playbook - binds: @@ -38,7 +38,7 @@ so-playbook: so-navigator: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-navigator:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-navigator:{{ VERSION }} - hostname: navigator - name: so-navigator - binds: diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 690f2a7c9..2e6bd030c 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls 
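Review bot: This pcap/init.sls hunk is diffed against blob 16d002250, the same pre-image PATCH 01 already changed to 6b5647d8e, so its context (`{% set MASTER ... %}` immediately followed by `# PCAP Section`) no longer matches once PATCH 01's four inserted lines are present and the hunk will need fuzz or manual resolution; the series should be rebased so this commit builds on the post-01 file. The change itself, the `HH1.1.4` default and dropping the `HH` prefix from the image tag, matches the other state files in this commit.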
@@ -13,7 +13,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . {% set lsaccessip = salt['pillar.get']('master:lsaccessip', '') %} -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} # Redis Setup @@ -48,7 +48,7 @@ redisconfsync: so-redis: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-redis:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-redis:{{ VERSION }} - hostname: so-redis - user: socore - port_bindings: diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls index 44f29ef4f..b8d0b4e06 100644 --- a/salt/sensoroni/init.sls +++ b/salt/sensoroni/init.sls @@ -1,4 +1,4 @@ -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} sensoronidir: @@ -32,7 +32,7 @@ sensoronisync: so-sensoroni: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-sensoroni:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-sensoroni:{{ VERSION }} - hostname: sensoroni - name: so-sensoroni - binds: diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index d03ed9f04..8a9506ba5 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -1,4 +1,4 @@ -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} soctopusdir: @@ -49,7 +49,7 @@ navigatordefaultlayer: so-soctopus: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-soctopus:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-soctopus:{{ VERSION }} - hostname: soctopus - name: so-soctopus - binds: 
diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 6f08c2704..a8f15d268 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -15,7 +15,7 @@ {% set interface = salt['pillar.get']('sensor:interface', 'bond0') %} {% set BROVER = salt['pillar.get']('static:broversion', '') %} -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} # Suricata @@ -82,7 +82,7 @@ surithresholding: so-suricata: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-suricata:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-suricata:{{ VERSION }} - privileged: True - environment: - INTERFACE={{ interface }} diff --git a/salt/tcpreplay/init.sls b/salt/tcpreplay/init.sls index fa320836e..bf80d9a10 100644 --- a/salt/tcpreplay/init.sls +++ b/salt/tcpreplay/init.sls @@ -1,11 +1,11 @@ {% if grains['role'] == 'so-sensor' or grains['role'] == 'so-eval' %} -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} so-tcpreplay: docker_container.running: - network_mode: "host" - - image: {{ MASTER }}:5000/soshybridhunter/so-tcpreplay:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-tcpreplay:{{ VERSION }} - name: so-tcpreplay - user: root - interactive: True diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 9623c29ac..42cf3f4b7 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -1,5 +1,5 @@ {%- set HOSTNAME = salt['grains.get']('host', '') %} -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} # Add ossec group ossecgroup: 
@@ -74,7 +74,7 @@ wazuhmgrwhitelist: so-wazuh: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-wazuh:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-wazuh:{{ VERSION }} - hostname: {{HOSTNAME}}-wazuh-manager - name: so-wazuh - detach: True diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 90c07c7ea..e0f1f8c9b 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -1,4 +1,4 @@ -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} # Zeek Salt State # Add Zeek group @@ -100,7 +100,7 @@ localzeeksync: so-zeek: docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-zeek:HH{{ VERSION }} + - image: {{ MASTER }}:5000/soshybridhunter/so-zeek:{{ VERSION }} - privileged: True - binds: - /nsm/zeek/logs:/nsm/zeek/logs:rw From 38f42eafa57f6b2a9cb211e2d9ffeb2c924f126b Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 28 Jan 2020 15:02:50 +0000 Subject: [PATCH 09/16] Add Features enable script --- salt/common/tools/sbin/so-features-enable | 42 +++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 salt/common/tools/sbin/so-features-enable diff --git a/salt/common/tools/sbin/so-features-enable b/salt/common/tools/sbin/so-features-enable new file mode 100644 index 000000000..a37743960 --- /dev/null +++ b/salt/common/tools/sbin/so-features-enable 
@@ -0,0 +1,42 @@
+#!/bin/bash
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+VERSION=$(grep soversion /opt/so/saltstack/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
+# Modify static.sls to enable Features
+sed -i 's/features: False/features: True/' /opt/so/saltstack/pillar/static.sls
+SUFFIX="-features"
+TRUSTED_CONTAINERS=( \
+ "so-elasticsearch:$VERSION$SUFFIX" \
+ "so-filebeat:$VERSION$SUFFIX" \
+ "so-kibana:$VERSION$SUFFIX" \
+ "so-logstash:$VERSION$SUFFIX" )
+
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+ # Pull down the trusted docker image
+ echo "Downloading $i"
+ docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+ # Tag it with the new registry destination
+ docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
+ docker push $HOSTNAME:5000/soshybridhunter/$i
+done
+for i in "${TRUSTED_CONTAINERS[@]}"
+do
+ echo "Removing $i locally"
+ docker rmi soshybridhunter/$i
+done
From 5403dab027f47a9e00f54766dff52dcf801f3e9f Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 28 Jan 2020 15:48:40 -0500
Subject: [PATCH 10/16] Suricata - Initial bpf support
---
 salt/common/tools/sbin/so-bpf-compile | 37 +++++++++++++++++++++++
 salt/suricata/init.sls | 29 +++++++++++++++++++++
 2 files changed, 66 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-bpf-compile
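Review bot: The `sed -i` that flips `features: False` to `features: True` runs before any image is pulled, and the exit status of `docker pull`, `docker tag` and `docker push` is never checked, so a failed content-trust pull leaves the pillar enabled with no image in the local registry. Guard the pull, e.g. `docker pull --disable-content-trust=false "docker.io/soshybridhunter/$i" || { echo "Trusted pull of $i failed" >&2; exit 1; }`, and move the `sed -i` line below the push loop so the pillar changes only once every trusted image has been pushed. `$HOSTNAME` and `$i` in the tag/push lines should be double-quoted to avoid word splitting. A comment above `VERSION=` stating the expected `soversion:` line format in static.sls would make the `grep | cut | sed` extraction easier to maintain.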
diff --git a/salt/common/tools/sbin/so-bpf-compile b/salt/common/tools/sbin/so-bpf-compile new file mode 100644 index 000000000..44c5b8249 --- /dev/null +++ b/salt/common/tools/sbin/so-bpf-compile @@ -0,0 +1,37 @@ +#!/bin/bash + +# Copyright 2014 Google Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +if [ "$#" -lt 2 ]; then + cat 1>&2 < Date: Tue, 28 Jan 2020 15:51:13 -0500 Subject: [PATCH 11/16] Suricata bpf - docker bind bpf file --- salt/suricata/init.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 81df5b150..5802e2b38 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -120,8 +120,10 @@ so-suricata: - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro - /opt/so/log/suricata/:/var/log/suricata/:rw + - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro - network_mode: host - watch: - file: /opt/so/conf/suricata/suricata.yaml - file: surithresholding - file: /opt/so/conf/suricata/rules/ + - file: /opt/so/conf/suricata/bpf From f536e89064984b94bc3f8cea358fe02d567b7ca9 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 28 Jan 2020 16:12:46 -0500 Subject: [PATCH 12/16] Suricata bpf cleanup --- salt/suricata/init.sls | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 5802e2b38..65b80c9ae 100644 --- a/salt/suricata/init.sls 
+++ b/salt/suricata/init.sls
@@ -18,7 +18,6 @@
 {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %}
 {% set MASTER = salt['grains.get']('master') %}
 {% set BPF_NIDS = salt['pillar.get']('nids:bpf') %}
-{% set BPF_STATUS = 0 %}
 
 # Suricata
 
@@ -86,9 +85,7 @@ surithresholding:
 # BPF compilation and configuration
 {% if BPF_NIDS %}
 {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" ") ) %}
- {% if BPF_CALC['stderr'] == "" %}
- {% set BPF_STATUS = 1 %}
- {% else %}
+ {% if BPF_CALC['stderr'] != "" %}
 suribpfcompilationfailure:
 test.configurable_test_state:
 - changes: False
@@ -102,7 +99,7 @@ suribpf:
 - name: /opt/so/conf/suricata/bpf
 - user: 940
 - group: 940
- {% if BPF_STATUS %}
+ {% if BPF_CALC['stderr'] == "" %}
 - contents_pillar: nids:bpf
 {% else %}
 - contents:
From ae087c55525e19553343a0084e9e695292cbbf4a Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Tue, 28 Jan 2020 16:53:19 -0500
Subject: [PATCH 13/16] Steno BPF tweaks
---
 salt/pcap/files/compile_bpf.sh | 37 ----------------------------------
 salt/pcap/files/config | 2 +-
 salt/pcap/init.sls | 34 ++++++++++--------------------
 3 files changed, 12 insertions(+), 61 deletions(-)
 delete mode 100644 salt/pcap/files/compile_bpf.sh
diff --git a/salt/pcap/files/compile_bpf.sh b/salt/pcap/files/compile_bpf.sh
deleted file mode 100644
index 44c5b8249..000000000
--- a/salt/pcap/files/compile_bpf.sh
+++ /dev/null
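Review bot: `{% if BPF_CALC['stderr'] == "" %}` in the `suribpf` hunk dereferences `BPF_CALC`, which is only assigned inside `{% if BPF_NIDS %}` in the previous hunk; the removed top-level `{% set BPF_STATUS = 0 %}` was what made that branch safe when no `nids:bpf` pillar is set. The enclosing block of `suribpf` is not visible here, but if the state sits outside the `{% if BPF_NIDS %}` block, Salt's Jinja renderer will most likely raise an undefined-variable error instead of falling through to the `contents:` branch; `{% if BPF_NIDS and BPF_CALC['stderr'] == "" %}` restores the guard. Separately, an empty stderr is a weak success signal for the compile script (a warning would count as failure, a silent non-zero exit as success); `BPF_CALC['retcode'] == 0` is the field `cmd.script` returns for this purpose. The same stderr check is used for the steno filter in salt/pcap/init.sls later in this series.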
@@ -1,37 +0,0 @@ -#!/bin/bash - -# Copyright 2014 Google Inc. All rights reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -if [ "$#" -lt 2 ]; then - cat 1>&2 <. -{% set VERSION = salt['pillar.get']('static:soversion', '1.1.4') %} +{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.1.4') %} {% set MASTER = salt['grains.get']('master') %} +{% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %} +{% set BPF_STENO = salt['pillar.get']('steno:bpf', None) %} +{% set BPF_COMPILED = "" %} + # PCAP Section # Create the logstash group 
@@ -36,31 +40,19 @@ stenoconfdir:
 - group: 939
 - makedirs: True
 
-{% set interface = salt['pillar.get']('sensor:interface', 'bond0') %}
-{% set bpf_global = salt['pillar.get']('static:steno:bpf', None) %}
-{% set bpf_steno = salt['pillar.get']('steno:bpf', None) %}
-
-{% if bpf_steno != None or bpf_global != None %}
- {% if bpf_steno != None %}
- {% set bpf_calc = salt['cmd.script']('salt://pcap/files/compile_bpf.sh', interface + ' ' + bpf_steno) %}
- {% else %}
- {% set bpf_calc = salt['cmd.script']('salt://pcap/files/compile_bpf.sh', interface + ' ' + bpf_global) %}
- {% endif %}
- {% if bpf_calc['stderr'] == "" %}
- {% set bpf_compiled = bpf_calc['stdout'] %}
+{% if BPF_STENO %}
+ {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_STENO|join(" ") ) %}
+ {% if BPF_CALC['stderr'] == "" %}
+ {% set BPF_COMPILED = ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\"" %}
 {% else %}
- {% set bpf_compiled = None %}
 
 bpfcompilationfailure:
 test.configurable_test_state:
- - name: bpfcompfailure
 - changes: False
 - result: False
 - comment: "BPF Compilation Failed - Discarding specified BPF"
 
 {% endif %}
-{% else %}
- {% set bpf_compiled = None %}
 {% endif %}
 
 stenoconf:
@@ -72,11 +64,7 @@ stenoconf:
 - mode: 644
 - template: jinja
 - defaults:
- bpf_compiled: ""
-{% if bpf_compiled != None %}
- - context:
- bpf_compiled: ',"--filter={{ bpf_compiled }}"'
-{% endif %}
+ BPF_COMPILED: "{{ BPF_COMPILED }}"
 
 sensoroniagentconf:
 file.managed:
@@ -130,7 +118,7 @@ stenolog:
 
 so-steno:
 docker_container.running:
- - image: {{ MASTER }}:5000/soshybridhunter/so-steno:HH{{ VERSION }}
+ - image: {{ MASTER }}:5000/soshybridhunter/so-steno:{{ VERSION }}
 - network_mode: host
 - privileged: True
 - port_bindings:
From 41e5c6ae90db10d0046512b9087eb9c96fb9dc0d Mon Sep 17 00:00:00 2001
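Review bot: `BPF_STENO|join(" ")` on the `set BPF_CALC` line assumes the `steno:bpf` pillar value is a list; Jinja's `join` also iterates a plain string, so a scalar value such as `tcp port 80` would reach `so-bpf-compile` as space-separated characters. Normalise the value before use, e.g. `{% set BPF_EXPR = BPF_STENO|join(" ") if BPF_STENO is not string else BPF_STENO %}` and pass `INTERFACE + ' ' + BPF_EXPR`; salt/suricata/init.sls applies the same `join` to `nids:bpf`. The `set BPF_COMPILED` line hand-escapes quotes so the value survives both the Jinja string literal and the YAML double-quoted scalar in the `stenoconf` defaults; a comment explaining that two-level escaping, and that `BPF_CALC['stdout']` is expected to be a single line, would save the next maintainer from breaking it. Note also that `cmd.script` here executes on the minion every time this state file is rendered, including test runs.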
From: Wes Lambert Date: Wed, 29 Jan 2020 00:57:58 +0000 Subject: [PATCH 14/16] Add data deletion scripts --- salt/common/tools/sbin/so-elastic-clear | 79 +++++++++++++++++++++++++ salt/common/tools/sbin/so-nsm-clear | 76 ++++++++++++++++++++++++ 2 files changed, 155 insertions(+) create mode 100644 salt/common/tools/sbin/so-elastic-clear create mode 100644 salt/common/tools/sbin/so-nsm-clear diff --git a/salt/common/tools/sbin/so-elastic-clear b/salt/common/tools/sbin/so-elastic-clear new file mode 100644 index 000000000..79c7e99ad --- /dev/null +++ b/salt/common/tools/sbin/so-elastic-clear @@ -0,0 +1,79 @@ +#!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +. /usr/sbin/so-common + +SKIP=0 +######################################### +# Options +######################################### +usage() +{ +cat < /dev/null 2>&1 +done + +/usr/sbin/so-logstash-start +/usr/sbin/so-filebeat-start + diff --git a/salt/common/tools/sbin/so-nsm-clear b/salt/common/tools/sbin/so-nsm-clear new file mode 100644 index 000000000..e45c10511 --- /dev/null +++ b/salt/common/tools/sbin/so-nsm-clear 
@@ -0,0 +1,76 @@ +#!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +. /usr/sbin/so-common + +SKIP=0 +######################################### +# Options +######################################### +usage() +{ +cat < Date: Wed, 29 Jan 2020 01:11:22 +0000 Subject: [PATCH 15/16] Add PCAP stop|start|restart scripts --- salt/common/tools/sbin/so-pcap-restart | 20 ++++++++++++++++++++ salt/common/tools/sbin/so-pcap-start | 20 ++++++++++++++++++++ salt/common/tools/sbin/so-pcap-stop | 20 ++++++++++++++++++++ 3 files changed, 60 insertions(+) create mode 100644 salt/common/tools/sbin/so-pcap-restart create mode 100644 salt/common/tools/sbin/so-pcap-start create mode 100644 salt/common/tools/sbin/so-pcap-stop diff --git a/salt/common/tools/sbin/so-pcap-restart b/salt/common/tools/sbin/so-pcap-restart new file mode 100644 index 000000000..6095dc357 --- /dev/null +++ b/salt/common/tools/sbin/so-pcap-restart 
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-restart steno $1
diff --git a/salt/common/tools/sbin/so-pcap-start b/salt/common/tools/sbin/so-pcap-start
new file mode 100644
index 000000000..595fd54bb
--- /dev/null
+++ b/salt/common/tools/sbin/so-pcap-start
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-start steno $1
diff --git a/salt/common/tools/sbin/so-pcap-stop b/salt/common/tools/sbin/so-pcap-stop
new file mode 100644
index 000000000..d539d2f98
--- /dev/null
+++ b/salt/common/tools/sbin/so-pcap-stop
@@ -0,0 +1,20 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+/usr/sbin/so-stop steno $1
From 48ebc5e2e3b1b06ccf8327873c46c8003777c4d5 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 29 Jan 2020 01:13:40 +0000
Subject: [PATCH 16/16] Fix data checks
---
 salt/common/tools/sbin/so-nsm-clear | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/common/tools/sbin/so-nsm-clear b/salt/common/tools/sbin/so-nsm-clear
index e45c10511..95ded5a4b 100644
--- a/salt/common/tools/sbin/so-nsm-clear
+++ b/salt/common/tools/sbin/so-nsm-clear
@@ -59,7 +59,7 @@ fi
 
 delete_pcap() {
 PCAP_DATA="/nsm/pcap/"
- [ -f $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
+ [ -d $PCAP_DATA ] && so-pcap-stop && rm -rf $PCAP_DATA/* && so-pcap-start
 }
 delete_suricata() {
 SURI_LOG="/opt/so/log/suricata/eve.json"
@@ -67,7 +67,7 @@ delete_suricata() {
 }
 delete_zeek() {
 ZEEK_LOG="/nsm/zeek/logs/"
- [ -f $ZEEK_LOG ] && so-zeek-stop && rm -rf $ZEEK_LOG/* && so-zeek-start
+ [ -d $ZEEK_LOG ] && so-zeek-stop && rm -rf $ZEEK_LOG/* && so-zeek-start
 }
 
 delete_pcap
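Review bot: The `&&` chains in `delete_pcap` and `delete_zeek` stop at the first failure, so if `rm -rf` on the data directory returns non-zero the capture or Zeek process is never started again and the sensor stays down; the restart should not be conditional on the deletion succeeding. `PCAP_DATA` and `ZEEK_LOG` are fixed literals here, but an unquoted `$PCAP_DATA/*` would expand to `/*` if the variable were ever empty; `"${PCAP_DATA:?}"/*` makes the shell abort instead. A safer form is `[ -d "$PCAP_DATA" ] && { so-pcap-stop; rm -rf "${PCAP_DATA:?}"/*; so-pcap-start; }`, and likewise for Zeek. The `-f` to `-d` fix itself is correct, since both paths are directories.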