Merge branch '2.4/dev' into jertel/wip

This commit is contained in:
Jason Ertel
2024-11-11 10:06:44 -05:00
34 changed files with 980 additions and 94 deletions


@@ -16,6 +16,8 @@ base:
- sensoroni.adv_sensoroni
- telegraf.soc_telegraf
- telegraf.adv_telegraf
- versionlock.soc_versionlock
- versionlock.adv_versionlock
'* and not *_desktop':
- firewall.soc_firewall


@@ -182,6 +182,7 @@ sostatus_log:
file.managed:
- name: /opt/so/log/sostatus/status.log
- mode: 644
- replace: False
# Install sostatus check cron. This is used to populate Grid.
so-status_check_cron:


@@ -63,6 +63,14 @@ eastatedir:
- group: 939
- makedirs: True
custommappingsdir:
file.directory:
- name: /nsm/custom-mappings
- user: 947
- group: 939
- makedirs: True
eapackageupgrade:
file.managed:
- name: /usr/sbin/so-elastic-fleet-package-upgrade
@@ -73,14 +81,7 @@ eapackageupgrade:
- template: jinja
{% if GLOBALS.role != "so-fleet" %}
soresourcesrepoconfig:
git.config_set:
- name: safe.directory
- value: /nsm/securityonion-resources
- global: True
- user: socore
{% if not GLOBALS.airgap %}
soresourcesrepoclone:
git.latest:
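Review bot: The new `custommappingsdir` state creates `/nsm/custom-mappings` with owner 947 and group 939 but no `mode`, so the directory's permissions are whatever the minion's umask produces. Everything in `ip-descriptions.csv` under this path is read by the agent and indexed straight into Elasticsearch, so whoever can write there controls what analysts later see as `so.description`; I'd make the intent explicit with `- mode: 750` (or 770 if group members are expected to drop the CSV in) next to `- makedirs: True`. Whether 947 and 939 are the intended reader and writer identities I can't confirm from this hunk, so a one-line comment naming them would help the next reader.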


@@ -110,6 +110,8 @@ elasticfleet:
- ti_otx
- ti_recordedfuture
- ti_threatq
- trendmicro
- trend_micro_vision_one
- udp
- vsphere
- windows


@@ -143,7 +143,9 @@ so-elastic-fleet-integrations:
so-elastic-agent-grid-upgrade:
cmd.run:
- name: /usr/sbin/so-elastic-agent-grid-upgrade
- retry: True
- retry:
attempts: 12
interval: 5
so-elastic-fleet-integration-upgrade:
cmd.run:


@@ -0,0 +1,35 @@
{
"package": {
"name": "log",
"version": ""
},
"name": "so-ip-mappings",
"namespace": "so",
"description": "IP Description mappings",
"policy_id": "so-grid-nodes_general",
"vars": {},
"inputs": {
"logs-logfile": {
"enabled": true,
"streams": {
"log.logs": {
"enabled": true,
"vars": {
"paths": [
"/nsm/custom-mappings/ip-descriptions.csv"
],
"data_stream.dataset": "hostnamemappings",
"tags": [
"so-ip-mappings"
],
"processors": "- decode_csv_fields:\n fields:\n message: decoded.csv\n separator: \",\"\n ignore_missing: false\n overwrite_keys: true\n trim_leading_space: true\n fail_on_error: true\n\n- extract_array:\n field: decoded.csv\n mappings:\n so.ip_address: '0'\n so.description: '1'\n\n- script:\n lang: javascript\n source: >\n function process(event) {\n var ip = event.Get('so.ip_address');\n var validIpRegex = /^((25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)$/\n if (!validIpRegex.test(ip)) {\n event.Cancel();\n }\n }\n- fingerprint:\n fields: [\"so.ip_address\"]\n target_field: \"@metadata._id\"\n",
"custom": ""
}
}
}
}
},
"force": true
}
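Review bot: The validation script inside `processors` only admits dotted-quad IPv4, so an IPv6 row is cancelled silently even though the destination field `so.ip_address` is mapped as type `ip`, which accepts both families. If IPv6 is meant to work, the regex needs an IPv6 alternative (or the check could be reduced to a non-empty test and left to the `ip` mapping to reject junk); if dropping IPv6 is deliberate, a comment at the top of the script saying so would save someone chasing missing mappings. I believe a malformed CSV line also ends up cancelled here, because `decode_csv_fields` with `fail_on_error: true` reverts the event and the script then sees an undefined `so.ip_address`, so bad rows vanish without a log entry; that behaviour deserves a note next to the `paths` entry.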


@@ -599,6 +599,35 @@ elasticsearch:
set_priority:
priority: 50
min_age: 30d
so-ip-mappings:
index_sorting: false
index_template:
composed_of:
- so-ip-mappings
ignore_missing_component_templates: []
index_patterns:
- so-ip*
priority: 500
template:
mappings:
date_detection: false
dynamic_templates:
- strings_as_keyword:
mapping:
ignore_above: 1024
type: keyword
match_mapping_type: string
settings:
index:
mapping:
total_fields:
limit: 1500
number_of_replicas: 0
number_of_shards: 1
refresh_interval: 30s
sort:
field: '@timestamp'
order: desc
so-items:
index_sorting: false
index_template:
@@ -3580,28 +3609,70 @@ elasticsearch:
set_priority:
priority: 50
min_age: 30d
so-logs-crowdstrike_x_falcon:
index_sorting: false
so-logs-crowdstrike_x_alert:
index_sorting: False
index_template:
index_patterns:
- logs-crowdstrike.alert-*
template:
settings:
index:
number_of_replicas: 0
composed_of:
- logs-crowdstrike.alert@package
- logs-crowdstrike.alert@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-crowdstrike.alert@custom
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-crowdstrike_x_falcon:
index_sorting: False
index_template:
index_patterns:
- logs-crowdstrike.falcon-*
template:
settings:
index:
number_of_replicas: 0
composed_of:
- logs-crowdstrike.falcon@package
- logs-crowdstrike.falcon@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
priority: 501
data_stream:
allow_custom_routing: false
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-crowdstrike.falcon@custom
index_patterns:
- logs-crowdstrike.falcon-*
priority: 501
template:
settings:
index:
lifecycle:
name: so-logs-crowdstrike.falcon-logs
number_of_replicas: 0
policy:
phases:
cold:
@@ -3627,27 +3698,69 @@ elasticsearch:
priority: 50
min_age: 30d
so-logs-crowdstrike_x_fdr:
index_sorting: false
index_sorting: False
index_template:
index_patterns:
- logs-crowdstrike.fdr-*
template:
settings:
index:
number_of_replicas: 0
composed_of:
- logs-crowdstrike.fdr@package
- logs-crowdstrike.fdr@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
priority: 501
data_stream:
allow_custom_routing: false
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-crowdstrike.fdr@custom
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-crowdstrike_x_host:
index_sorting: False
index_template:
index_patterns:
- logs-crowdstrike.fdr-*
priority: 501
- logs-crowdstrike.host-*
template:
settings:
index:
lifecycle:
name: so-logs-crowdstrike.fdr-logs
number_of_replicas: 0
composed_of:
- logs-crowdstrike.host@package
- logs-crowdstrike.host@custom
- so-fleet_globals-1
- so-fleet_agent_id_verification-1
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
ignore_missing_component_templates:
- logs-crowdstrike.host@custom
policy:
phases:
cold:
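Review bot: The `so-ip-mappings` template matches `so-ip*`, which is broader than the single index `so-ip-mappings` that the Logstash output writes to, so any future `so-ip…` index would silently inherit this mapping and its `number_of_replicas: 0`. `- so-ip-mappings*` would be as precise as the other patterns in this file. The same entry also sets `index_sorting: false` while carrying an explicit `sort` block under `settings.index`; which of the two the consuming tooling honours isn't visible here, so a short comment stating the intended behaviour would help.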
@@ -10408,6 +10521,182 @@ elasticsearch:
set_priority:
priority: 50
min_age: 30d
so-logs-trend_micro_vision_one_x_alert:
index_sorting: False
index_template:
index_patterns:
- "logs-trend_micro_vision_one.alert-*"
template:
settings:
index:
number_of_replicas: 0
composed_of:
- "logs-trend_micro_vision_one.alert@package"
- "logs-trend_micro_vision_one.alert@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
ignore_missing_component_templates:
- "logs-trend_micro_vision_one.alert@custom"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-trend_micro_vision_one_x_audit:
index_sorting: False
index_template:
index_patterns:
- "logs-trend_micro_vision_one.audit-*"
template:
settings:
index:
number_of_replicas: 0
ignore_missing_component_templates:
- "logs-trend_micro_vision_one.audit@custom"
composed_of:
- "logs-trend_micro_vision_one.audit@package"
- "logs-trend_micro_vision_one.audit@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-trend_micro_vision_one_x_detection:
index_sorting: False
index_template:
index_patterns:
- "logs-trend_micro_vision_one.detection-*"
template:
settings:
index:
number_of_replicas: 0
ignore_missing_component_templates:
- "logs-trend_micro_vision_one.detection@custom"
composed_of:
- "logs-trend_micro_vision_one.detection@package"
- "logs-trend_micro_vision_one.detection@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-trendmicro_x_deep_security:
index_sorting: False
index_template:
index_patterns:
- "logs-trendmicro.deep_security-*"
template:
settings:
index:
number_of_replicas: 0
ignore_missing_component_templates:
- "logs-trendmicro.deep_security@custom"
composed_of:
- "logs-trendmicro.deep_security@package"
- "logs-trendmicro.deep_security@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
cold:
actions:
set_priority:
priority: 0
min_age: 60d
delete:
actions:
delete: {}
min_age: 365d
hot:
actions:
rollover:
max_age: 30d
max_primary_shard_size: 50gb
set_priority:
priority: 100
min_age: 0ms
warm:
actions:
set_priority:
priority: 50
min_age: 30d
so-logs-vsphere_x_log:
index_sorting: false
index_template:


@@ -396,8 +396,10 @@ elasticsearch:
so-logs-citrix_waf_x_log: *indexSettings
so-logs-cloudflare_x_audit: *indexSettings
so-logs-cloudflare_x_logpull: *indexSettings
so-logs-crowdstrike_x_alert: *indexSettings
so-logs-crowdstrike_x_falcon: *indexSettings
so-logs-crowdstrike_x_fdr: *indexSettings
so-logs-crowdstrike_x_host: *indexSettings
so-logs-darktrace_x_ai_analyst_alert: *indexSettings
so-logs-darktrace_x_model_breach_alert: *indexSettings
so-logs-darktrace_x_system_status_alert: *indexSettings
@@ -494,6 +496,10 @@ elasticsearch:
so-logs-ti_recordedfuture_x_latest_ioc-template: *indexSettings
so-logs-ti_recordedfuture_x_threat: *indexSettings
so-logs-ti_threatq_x_threat: *indexSettings
so-logs-trend_micro_vision_one_x_alert: *indexSettings
so-logs-trend_micro_vision_one_x_audit: *indexSettings
so-logs-trend_micro_vision_one_x_detection: *indexSettings
so-logs-trendmicro_x_deep_security: *indexSettings
so-logs-zscaler_zia_x_alerts: *indexSettings
so-logs-zscaler_zia_x_dns: *indexSettings
so-logs-zscaler_zia_x_firewall: *indexSettings


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -0,0 +1,36 @@
{
"template": {
"mappings": {
"properties": {
"host": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"related": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"destination": {
"properties":{
"ip": {
"type": "ip"
}
}
},
"source": {
"properties":{
"ip": {
"type": "ip"
}
}
}
}
}
}
}


@@ -21,10 +21,10 @@
"properties": {
"publicId": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword"
},
"title": {
"ignore_above": 1024,
"ignore_above": 1024,
"type": "keyword"
},
"severity": {
@@ -38,15 +38,15 @@
"description": {
"type": "text"
},
"category": {
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"service": {
"service": {
"ignore_above": 1024,
"type": "keyword"
},
@@ -64,7 +64,7 @@
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
"type": "keyword"
},
"ruleset": {
"ignore_above": 1024,
@@ -82,6 +82,12 @@
"ignore_above": 1024,
"type": "keyword"
},
"sourceCreated": {
"type": "date"
},
"sourceUpdated": {
"type": "date"
},
"overrides": {
"properties": {
"type": {
@@ -97,6 +103,9 @@
"updatedAt": {
"type": "date"
},
"note": {
"type": "text"
},
"regex": {
"type": "text"
},


@@ -0,0 +1,25 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"@timestamp": {
"type": "date"
},
"so": {
"properties": {
"ip_address": {
"type": "ip"
},
"description": {
"type": "text"
}
}
}
}
}
}
}
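Review bot: `_meta.documentation` points at the ECS network field reference and `ecs_version` at 1.12.2, but the template maps only `@timestamp` and the custom `so.ip_address`/`so.description` fields, so the metadata looks copied from another component template and will mislead anyone checking what it covers. Either drop `_meta` or point `documentation` at a note describing the ip-descriptions CSV feed. With `so.description` mapped as `text` only it cannot be used in aggregations or exact filters; if SOC is expected to `groupby` it, a `keyword` subfield is needed, which depends on usage I can't see here.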


@@ -1,5 +1,5 @@
{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}
@@ -42,4 +42,4 @@
{% do LOGSTASH_MERGED.update({'enabled': False}) %}
{% endif %}
{% endif %}
{% endif %}
{% endif %}


@@ -1,18 +1,45 @@
output {
if "elastic-agent" in [tags] {
if [metadata][pipeline] {
if [metadata][_id] {
elasticsearch {
hosts => "{{ GLOBALS.hostname }}"
ecs_compatibility => v8
data_stream => true
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
document_id => "%{[metadata][_id]}"
pipeline => "%{[metadata][pipeline]}"
silence_errors_in_log => ["version_conflict_engine_exception"]
ssl => true
ssl_certificate_verification => false
if "elastic-agent" in [tags] and "so-ip-mappings" in [tags] {
elasticsearch {
hosts => "{{ GLOBALS.hostname }}"
data_stream => false
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
document_id => "%{[metadata][_id]}"
index => "so-ip-mappings"
silence_errors_in_log => ["version_conflict_engine_exception"]
ssl => true
ssl_certificate_verification => false
}
}
else {
if "elastic-agent" in [tags] {
if [metadata][pipeline] {
if [metadata][_id] {
elasticsearch {
hosts => "{{ GLOBALS.hostname }}"
ecs_compatibility => v8
data_stream => true
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
document_id => "%{[metadata][_id]}"
pipeline => "%{[metadata][pipeline]}"
silence_errors_in_log => ["version_conflict_engine_exception"]
ssl => true
ssl_certificate_verification => false
}
}
else {
elasticsearch {
hosts => "{{ GLOBALS.hostname }}"
ecs_compatibility => v8
data_stream => true
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
pipeline => "%{[metadata][pipeline]}"
ssl => true
ssl_certificate_verification => false
}
}
}
else {
@@ -22,22 +49,10 @@ output {
data_stream => true
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
pipeline => "%{[metadata][pipeline]}"
ssl => true
ssl_certificate_verification => false
}
}
}
else {
elasticsearch {
hosts => "{{ GLOBALS.hostname }}"
ecs_compatibility => v8
data_stream => true
user => "{{ ES_USER }}"
password => "{{ ES_PASS }}"
ssl => true
ssl_certificate_verification => false
}
}
}
}
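Review bot: The new `so-ip-mappings` branch uses `document_id => "%{[metadata][_id]}"` without first checking that `[metadata][_id]` exists, unlike the `elastic-agent` branch below it which guards with `if [metadata][_id]`. If an event reaches Logstash without the fingerprint (a processor error, or an agent policy older than this change), Logstash leaves the sprintf string unexpanded and every such document overwrites the single id `%{[metadata][_id]}`. The condition should be `if "elastic-agent" in [tags] and "so-ip-mappings" in [tags] and [metadata][_id] {`, with the fall-through landing in the existing branch. The copied `ssl_certificate_verification => false` is pre-existing behaviour for these outputs, not something this change introduces.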


@@ -6,10 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'strelka/map.jinja' import STRELKAMERGED %}
{% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %}
{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=true) %}
{% from 'strelka/map.jinja' import STRELKAMERGED %}
{% from 'manager/map.jinja' import MANAGERMERGED %}
include:
- salt.minion
@@ -45,6 +42,12 @@ yara_log_dir:
- user
- group
{% if GLOBALS.os_family == 'RedHat' %}
install_createrepo:
pkg.installed:
- name: createrepo_c
{% endif %}
repo_conf_dir:
file.directory:
- name: /opt/so/conf/reposync
@@ -135,6 +138,16 @@ rules_dir:
- group: socore
- makedirs: True
git_config_set_safe_dirs:
git.config_set:
- name: safe.directory
- global: True
- user: socore
- multivar:
- /nsm/rules/custom-local-repos/local-sigma
- /nsm/rules/custom-local-repos/local-yara
- /nsm/securityonion-resources
- /opt/so/conf/soc/ai_summary_repos/securityonion-resources
{% else %}
{{sls}}_state_not_allowed:
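Review bot: `git_config_set_safe_dirs` sets `safe.directory` as a `multivar`, which replaces the whole value list in socore's global git config on every highstate, so any `safe.directory` entry added for socore by hand or by another state is dropped. The `soresourcesrepoconfig` state removed from the elasticfleet install state in this same commit only covered `/nsm/securityonion-resources`, which is in the new list, so that migration looks complete, but a comment above the state saying it is authoritative for socore's safe directories would prevent someone re-adding one elsewhere. Security caveat worth stating in that comment: `safe.directory` tells git to trust a repository owned by a different user, including its `.git/config` and hooks, so anyone who can write into these four paths can get commands run as socore when the rule sync touches them; the recursive chown in the soc state is what keeps that boundary tight.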


@@ -4,4 +4,8 @@
Elastic License 2.0. #}
{% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %}
{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=True) %}
{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=True) %}
{% if grains.os != 'OEL' %}
{% do MANAGERMERGED.reposync.update({'enabled': False}) %}
{% endif %}


@@ -701,11 +701,13 @@ up_to_2.4.90() {
INSTALLEDVERSION=2.4.90
}
up_to_2.4.100() {
# Elastic Update for this release, so download Elastic Agent files
determine_elastic_agent_upgrade
INSTALLEDVERSION=2.4.100
}
up_to_2.4.110() {
echo "Nothing to do for 2.4.110"
@@ -713,10 +715,15 @@ up_to_2.4.110() {
}
up_to_2.4.120() {
echo "Nothing to do for 2.4.120"
add_hydra_pillars
# this is needed for the new versionlock state
mkdir /opt/so/saltstack/local/pillar/versionlock
touch /opt/so/saltstack/local/pillar/versionlock/adv_versionlock.sls /opt/so/saltstack/local/pillar/versionlock/soc_versionlock.sls
# New Grid Integration added this release
rm -f /opt/so/state/eaintegrations.txt
INSTALLEDVERSION=2.4.120
}
@@ -949,7 +956,7 @@ update_airgap_repo() {
echo "Syncing new updates to /nsm/repo"
rsync -av $AGREPO/* /nsm/repo/
echo "Creating repo"
dnf -y install yum-utils createrepo
dnf -y install yum-utils createrepo_c
createrepo /nsm/repo
}
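Review bot: In `up_to_2.4.120`, `mkdir /opt/so/saltstack/local/pillar/versionlock` has no `-p`, so a re-run of soup after an interrupted upgrade (or a grid where an operator already created the directory) prints an error and, if the script runs under `set -e`, aborts before `INSTALLEDVERSION` is set; `mkdir -p /opt/so/saltstack/local/pillar/versionlock` is idempotent like the `touch` that follows it. The function body is fully visible in this hunk. The `createrepo_c` switch in `update_airgap_repo` still invokes `createrepo` afterwards, which relies on the package shipping a compatibility symlink; if that isn't guaranteed on the supported OEL release, call `createrepo_c` directly.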


@@ -204,6 +204,49 @@ socsensoronirepos:
- mode: 775
- makedirs: True
create_custom_local_yara_repo_template:
git.present:
- name: /nsm/rules/custom-local-repos/local-yara
- bare: False
- force: True
add_readme_custom_local_yara_repo_template:
file.managed:
- name: /nsm/rules/custom-local-repos/local-yara/README
- source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
- user: 939
- group: 939
- template: jinja
- context:
repo_type: "yara"
create_custom_local_sigma_repo_template:
git.present:
- name: /nsm/rules/custom-local-repos/local-sigma
- bare: False
- force: True
add_readme_custom_local_sigma_repo_template:
file.managed:
- name: /nsm/rules/custom-local-repos/local-sigma/README
- source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja
- user: 939
- group: 939
- template: jinja
- context:
repo_type: "sigma"
socore_own_custom_repos:
file.directory:
- name: /nsm/rules/custom-local-repos/
- user: socore
- group: socore
- recurse:
- user
- group
{% else %}
{{sls}}_state_not_allowed:
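Review bot: Both `git.present` states pass `force: True`, which in Salt removes an existing non-git directory at the path before initialising, so if an operator pre-staged rule files in `/nsm/rules/custom-local-repos/local-yara` or `local-sigma` ahead of this state running, they are deleted on first highstate. I'd drop `force` or at least document the behaviour above the state; please confirm the semantics against the Salt version in use. The repos are also initialised as root (no `- user: socore`) and only later chowned by `socore_own_custom_repos`; adding `- user: socore` to the `git.present` states would avoid depending on that ordering and matches what the README tells users about the socore identity.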


@@ -1351,11 +1351,17 @@ soc:
license: Elastic-2.0
folder: sigma/stable
community: true
- repo: file:///nsm/rules/custom-local-repos/local-sigma
license: Elastic-2.0
community: false
airgap:
- repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources
license: Elastic-2.0
folder: sigma/stable
community: true
- repo: file:///nsm/rules/custom-local-repos/local-sigma
license: Elastic-2.0
community: false
sigmaRulePackages:
- core
- emerging_threats_addon
@@ -1422,10 +1428,16 @@ soc:
- repo: https://github.com/Security-Onion-Solutions/securityonion-yara
license: DRL
community: true
- repo: file:///nsm/rules/custom-local-repos/local-yara
license: Elastic-2.0
community: false
airgap:
- repo: file:///nsm/rules/detect-yara/repos/securityonion-yara
license: DRL
community: true
- repo: file:///nsm/rules/custom-local-repos/local-yara
license: Elastic-2.0
community: false
yaraRulesFolder: /opt/sensoroni/yara/rules
stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state
integrityCheckFrequencySeconds: 1200
@@ -1445,6 +1457,8 @@ soc:
rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint
stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state
integrityCheckFrequencySeconds: 1200
ignoredSidRanges:
- '1100000-1101000'
client:
enableReverseLookup: false
docsUrl: /docs/
@@ -2254,7 +2268,7 @@ soc:
description: Show all custom detections
- name: "All Detections - Enabled"
query: "so_detection.isEnabled:true | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity"
description: Show all enalbed Detections
description: Show all enabled Detections
- name: "All Detections - Disabled"
query: "so_detection.isEnabled:false | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity"
description: Show all disabled Detections
@@ -2273,6 +2287,16 @@ soc:
- name: "Detections with Overrides"
query: "_exists_:so_detection.overrides | groupby so_detection.language | groupby so_detection.ruleset so_detection.isEnabled"
description: Show Detections that have Overrides
detectionEngineStatusQueries: |
suricata:
default: 'tags:so-soc AND suricata | groupby log.level | groupby event.action | groupby soc.fields.error'
IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"suricata" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
elastalert:
default: 'tags:so-soc AND elastalert | groupby log.level | groupby event.action | groupby soc.fields.error'
IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"elastalert" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
strelka:
default: 'tags:so-soc AND strelka | groupby log.level | groupby event.action | groupby soc.fields.error'
IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"strelka" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId'
detection:
showUnreviewedAiSummaries: false
presets:
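Review bot: The two new `file:///nsm/rules/custom-local-repos/...` entries are labelled `license: Elastic-2.0`, but their contents are whatever the operator commits, so that label is attached to rules the project does not license; if the field must be a string, something neutral such as the value used for other non-community repos would be more accurate, though I can't see the accepted values from here. `ignoredSidRanges` introduces the default `'1100000-1101000'` with nothing saying which rules live in that range or why they are exempt from the integrity check; a one-line comment above it, e.g. `# SIDs in this range are managed outside the UI and skipped by the integrity check`, would explain the choice.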


@@ -0,0 +1,94 @@
{% if repo_type == 'yara' %}
# YARA Local Custom Rules Repository
This folder has already been initialized as a git repo
and your Security Onion grid is configured to import any YARA rule files found here.
Just add your rule file and commit it.
For example:
** Note: If this is your first time making changes to this repo, you may run into the following error:
fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-yara'
To add an exception for this directory, call:
git config --global --add safe.directory /nsm/rules/custom-local-repos/local-yara
This means that the user you are running commands as does not match the user that is used for this git repo (socore).
You will need to make sure your rule files are accessible to the socore user, so either su to socore
or add the exception and then chown the rule files later.
Also, you will be asked to set some configuration:
```
Author identity unknown
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
```
Run these commands, ommitting the `--global`.
With that out of the way:
First, create the rule file with a .yar extension:
`vi my_custom_rule.yar`
Next, use git to stage the new rule to be committed:
`git add my_custom_rule.yar`
Finally, commit it:
`git commit -m "Initial commit of my_custom_rule.yar"`
The next time the Strelka / YARA engine syncs, the new rule should be imported
If there are errors, review the sync log to troubleshoot further.
{% elif repo_type == 'sigma' %}
# Sigma Local Custom Rules Repository
This folder has already been initialized as a git repo
and your Security Onion grid is configured to import any Sigma rule files found here.
Just add your rule file and commit it.
For example:
** Note: If this is your first time making changes to this repo, you may run into the following error:
fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-sigma'
To add an exception for this directory, call:
git config --global --add safe.directory /nsm/rules/custom-local-repos/local-sigma
This means that the user you are running commands as does not match the user that is used for this git repo (socore).
You will need to make sure your rule files are accessible to the socore user, so either su to socore
or add the exception and then chown the rule files later.
Also, you will be asked to set some configuration:
```
Author identity unknown
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
```
Run these commands, ommitting the `--global`.
With that out of the way:
First, create the rule file with a .yml or .yaml extension:
`vi my_custom_rule.yml`
Next, use git to stage the new rule to be committed:
`git add my_custom_rule.yml`
Finally, commit it:
`git commit -m "Initial commit of my_custom_rule.yml"`
The next time the Elastalert / Sigma engine syncs, the new rule should be imported
If there are errors, review the sync log to troubleshoot further.
{% endif %}


@@ -106,3 +106,23 @@ transformations:
- type: include_fields
fields:
- event.code
# Maps process_creation rules to endpoint process creation logs
# This is an OS-agnostic mapping, to account for logs that don't specify source OS
- id: endpoint_process_create_windows_add-fields
type: add_condition
conditions:
event.category: 'process'
event.type: 'start'
rule_conditions:
- type: logsource
category: process_creation
# Maps file_event rules to endpoint file creation logs
# This is an OS-agnostic mapping, to account for logs that don't specify source OS
- id: endpoint_file_create_add-fields
type: add_condition
conditions:
event.category: 'file'
event.type: 'creation'
rule_conditions:
- type: logsource
category: file_event
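Review bot: The id `endpoint_process_create_windows_add-fields` says "windows" while its comment and its conditions are OS-agnostic, and its sibling in the same hunk is named `endpoint_file_create_add-fields`; renaming it to `endpoint_process_create_add-fields` keeps the two consistent and avoids suggesting a product filter that isn't there. Because neither transformation restricts on `logsource.product`, they apply to every `process_creation` and `file_event` rule; if an earlier, Windows-specific transformation in this file (outside the hunk) already adds conditions for those categories, please confirm the two don't stack into a contradictory query.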


@@ -390,6 +390,12 @@ soc:
advanced: True
forcedType: "[]{}"
helpLink: suricata.html
ignoredSidRanges:
description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI. Each line should contain 1 range in the format "1100000-1200000". The ranges are treated as inclusive.'
global: True
advanced: True
forcedType: "[]string"
helpLink: detections.html#rule-engine-status
client:
enableReverseLookup:
description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.
@@ -461,7 +467,14 @@ soc:
alerts: *appSettings
cases: *appSettings
dashboards: *appSettings
detections: *appSettings
detections:
<<: *appSettings
detectionEngineStatusQueries:
description: Queries mapped to the detection engine statuses. Acceptable statuses are "Migrating", "Importing", "MigrationFailure", "IntegrityFailure", "SyncFailure", "ImportPending", "Syncing", and "Healthy" and will fallback to a "default" entry if specified.
global: True
syntax: yaml
multiline: True
forcedType: "string"
detection:
showUnreviewedAiSummaries:
description: Show AI summaries in detections even if they have not yet been reviewed by a human.


@@ -99,12 +99,14 @@ filecheck.log:
- name: /opt/so/log/strelka/filecheck.log
- user: {{ filecheck_runas }}
- group: {{ filecheck_runas }}
- replace: False
filecheck_stdout.log:
file.managed:
- name: /opt/so/log/strelka/filecheck_stdout.log
- user: {{ filecheck_runas }}
- group: {{ filecheck_runas }}
- replace: False
{% if GLOBALS.md_engine == 'ZEEK' %}


@@ -12,6 +12,7 @@ base:
'*':
- cron.running
- repo.client
- versionlock
- ntp
- schedule
- logrotate


@@ -0,0 +1,2 @@
versionlock:
hold: []

salt/versionlock/init.sls Normal file

@@ -0,0 +1,19 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% if grains.os_family == 'Debian' or (grains.os_family == 'RedHat' and salt['pkg.version']('python3-dnf-plugin-versionlock') != "") %}
{% from 'versionlock/map.jinja' import VERSIONLOCKMERGED %}
{% for pkg in VERSIONLOCKMERGED.hold %}
{{pkg}}_held:
pkg.held:
- name: {{pkg}}
{% endfor %}
{% for pkg in VERSIONLOCKMERGED.UNHOLD %}
{{pkg}}_unheld:
pkg.unheld:
- name: {{pkg}}
{% endfor %}
{% endif %}
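Review bot: On RedHat the whole state is skipped when `python3-dnf-plugin-versionlock` is not installed, so an operator who sets `hold: [kernel]` gets neither a hold nor any indication that nothing happened. Either install the plugin in this state before the loop (`versionlock_plugin: pkg.installed: - name: python3-dnf-plugin-versionlock` on the RedHat branch) or emit a visible failure, e.g. a `test.fail_without_changes` state in an `{% else %}` branch. A comment on the guard line explaining why the plugin is a hard prerequisite would also help.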


@@ -0,0 +1,38 @@
{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
https://securityonion.net/license; you may not use this file except in compliance with the
Elastic License 2.0. #}
{% import_yaml 'versionlock/defaults.yaml' as VERSIONLOCKDEFAULTS %}
{% set VERSIONLOCKMERGED = salt['pillar.get']('versionlock', VERSIONLOCKDEFAULTS.versionlock, merge=True) %}
{% if grains.os_family == 'RedHat' %}
{% set HELD = salt['pkg.list_holds']() %}
{% else %}
{% set HELD = salt['pkg.get_selections'](state='hold')['hold'] %}
{% endif %}
{# these are packages held / versionlock in other states #}
{% set PACKAGES_HELD_IN_OTHER_STATES = [
'salt',
'salt-master',
'salt-minion',
'containerd.io',
'docker-ce',
'docker-ce-cli',
'docker-ce-rootless-extras'
] %}
{# remove packages held in other states from hold list #}
{% do VERSIONLOCKMERGED.update({'hold': VERSIONLOCKMERGED['hold'] | unique | reject('in', PACKAGES_HELD_IN_OTHER_STATES) | list }) %}
{# initiate VERSIONLOCKMERGED.UNHOLD #}
{% do VERSIONLOCKMERGED.update({'UNHOLD': []}) %}
{# if a package is currently held but not set to be held, unhold it #}
{% for item in HELD %}
{% set base_name = item.rsplit('-', 2)[0] %}
{% if base_name not in VERSIONLOCKMERGED['hold'] and base_name not in PACKAGES_HELD_IN_OTHER_STATES and base_name not in VERSIONLOCKMERGED['UNHOLD'] %}
{% do VERSIONLOCKMERGED['UNHOLD'].append(base_name) %}
{% endif %}
{% endfor %}
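Review bot: `item.rsplit('-', 2)[0]` is applied to every held entry regardless of OS, but on Debian `pkg.get_selections(state='hold')['hold']` yields bare package names, so hyphenated names are mangled (`docker-ce-cli` becomes `docker`, `python3-dnf-plugin-versionlock` becomes `python3-dnf`) and the result is queued in `UNHOLD` under the wrong name. The split is only needed for the RedHat versionlock `name-version-release` form: `{% set base_name = item.rsplit('-', 2)[0] if grains.os_family == 'RedHat' else item %}`. A comment above the loop describing the two list formats would make that distinction clear.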


@@ -0,0 +1,7 @@
versionlock:
hold:
description: List of packages to prevent from upgrading. To reduce the frequency of required reboots, add 'kernel' to this list for RedHat based OS families. For Debian, please see the documentation.
global: True
forcedType: "[]string"
multiline: True
helpLink: versionlock.html


@@ -44,17 +44,17 @@ logCmd() {
airgap_rules() {
# Copy the rules for detections if using Airgap
mkdir -p /nsm/rules
rsync -av /root/SecurityOnion/agrules/ /nsm/rules/
logCmd "rsync -av /root/SecurityOnion/agrules/ /nsm/rules/"
# Copy over the securityonion-resources repo
rsync -av /root/SecurityOnion/agrules/securityonion-resources /nsm/
logCmd "rsync -av /root/SecurityOnion/agrules/securityonion-resources /nsm/"
}
airgap_detection_summaries() {
# Copy summaries over to SOC and checkout the correct branch
rsync -av --chown=socore:socore /nsm/securityonion-resources /opt/so/conf/soc/ai_summary_repos
git config --global --add safe.directory /opt/so/conf/soc/ai_summary_repos/securityonion-resources
git -C /opt/so/conf/soc/ai_summary_repos/securityonion-resources checkout generated-summaries-published
logCmd "rsync -av --chown=socore:socore /nsm/securityonion-resources /opt/so/conf/soc/ai_summary_repos"
logCmd "git config --global --add safe.directory /opt/so/conf/soc/ai_summary_repos/securityonion-resources"
logCmd "git -C /opt/so/conf/soc/ai_summary_repos/securityonion-resources checkout generated-summaries-published"
}
add_admin_user() {
@@ -804,7 +804,7 @@ create_manager_pillars() {
create_repo() {
title "Create the repo directory"
logCmd "dnf -y install yum-utils createrepo"
logCmd "dnf -y install yum-utils createrepo_c"
logCmd "createrepo /nsm/repo"
}
@@ -1425,7 +1425,7 @@ make_some_dirs() {
mkdir -p $local_salt_dir/salt/firewall/portgroups
mkdir -p $local_salt_dir/salt/firewall/ports
for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos hydra idstools idh elastalert stig global kafka;do
for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos hydra idstools idh elastalert stig global kafka versionlock; do
mkdir -p $local_salt_dir/pillar/$THEDIR
touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls
touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls
@@ -1850,7 +1850,6 @@ repo_sync_local() {
# After the download is complete run createrepo
create_repo
fi
else
# Add the proper repos for unsupported stuff
echo "Adding Repos"
@@ -1866,9 +1865,9 @@ repo_sync_local() {
fi
dnf install -y yum-utils device-mapper-persistent-data lvm2
curl -fsSL https://repo.securityonion.net/file/so-repo/prod/2.4/so/so.repo | tee /etc/yum.repos.d/so.repo
rpm --import https://repo.saltproject.io/salt/py3/redhat/9/x86_64/SALT-PROJECT-GPG-PUBKEY-2023.pub
rpm --import https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public
dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
curl -fsSL "https://repo.saltproject.io/salt/py3/redhat/9/x86_64/minor/$SALTVERSION.repo" | tee /etc/yum.repos.d/salt.repo
curl -fsSL "https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo" | tee /etc/yum.repos.d/salt.repo
dnf repolist
curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
else
@@ -1901,27 +1900,22 @@ saltify() {
logCmd "mkdir -vp /etc/apt/keyrings"
logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg"
# Download public key
logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.pgp https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public"
# Create apt repo target configuration
echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.pgp arch=amd64] https://packages.broadcom.com/artifactory/saltproject-deb/ stable main" | sudo tee /etc/apt/sources.list.d/salt.list
if [[ $is_ubuntu ]]; then
# Add Salt Repo
logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt/py3/ubuntu/$UBVER/amd64/minor/$SALTVERSION/SALT-PROJECT-GPG-PUBKEY-2023.gpg"
echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt/py3/ubuntu/$UBVER/amd64/minor/$SALTVERSION/ $OSVER main" | sudo tee /etc/apt/sources.list.d/salt.list
# Add Docker Repo
add-apt-repository -y "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
else
# Add Salt Repo *NOTE* You have to use debian 11 since it isn't out for 12
logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt/py3/debian/11/amd64/minor/$SALTVERSION/SALT-PROJECT-GPG-PUBKEY-2023.gpg"
echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt/py3/debian/11/amd64/minor/$SALTVERSION/ bullseye main" | sudo tee /etc/apt/sources.list.d/salt.list
# Add Docker Repo
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $OSVER stable" > /etc/apt/sources.list.d/docker.list
fi
logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.gpg"
logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.pgp"
#logCmd "apt-key add /opt/so/gpg/SALTSTACK-GPG-KEY.pub"
logCmd "apt-key add /etc/apt/keyrings/docker.pub"
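Review bot: The `apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.pgp` line near the end of the saltify hunk undoes the `signed-by=` scoping that the new `deb [signed-by=... ] https://packages.broadcom.com/artifactory/saltproject-deb/ stable main` entry sets up, because apt-key imports the key into the globally trusted keyring where it can verify any configured repository, and apt-key is deprecated on current Debian and Ubuntu releases. With the key already placed in /etc/apt/keyrings and referenced from the source entry, that line (and the stale commented-out apt-key line below it) can simply be removed. The key is also fetched with a bare `curl -fsSL` and trusted on the strength of the TLS connection alone; if a known fingerprint for the Salt signing key is available, comparing it (for example via `gpg --show-keys`) before writing the source list would close that gap. saltify() begins before this hunk and continues after it.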


@@ -692,8 +692,10 @@ if ! [[ -f $install_opt_file ]]; then
logCmd "so-minion -o=setup"
title "Creating Global SLS"
# Airgap Rules
airgap_rules
if [[ $is_airgap ]]; then
# Airgap Rules
airgap_rules
fi
manager_pillar