Merge branch 'dev' into feature/osquery-ingest

salt/filebeat/etc/filebeat.yml

@@ -164,9 +164,10 @@ filebeat.inputs:
 
   - type: log
     paths:
-      - /opt/so/log/strelka/strelka.log
+      - /nsm/strelka/log/strelka.log
     fields:
       module: strelka
+      category: file
       dataset: file
 
     processors:
@@ -197,6 +198,9 @@ output.elasticsearch:
     - index: "so-osquery-%{+yyyy.MM.dd}"
       when.contains:
         module: "osquery"
+    - index: "so-strelka-%{+yyyy.MM.dd}"
+      when.contains:
+        module: "strelka"
 
 #output.logstash:
   # Boolean flag to enable or disable the output module.

salt/fleet/files/osquery-packages.html

@@ -1,133 +0,0 @@
-{%- set PACKAGESTS = salt['pillar.get']('static:fleet_packages-timestamp:', 'N/A') -%}
-<!DOCTYPE html>
-<html lang="en">
-<head>
-<title>Security Onion - Hybrid Hunter</title>
-<meta charset="utf-8">
-<meta name="viewport" content="width=device-width, initial-scale=1">
-<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
-<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
-<style>
-* {
-	box-sizing: border-box;
-	font-family: Arial, Helvetica, sans-serif;
-	padding-left: 30px;
-	padding-right: 30px;
-}
-
-body {
-	font-family: Arial, Helvetica, sans-serif;
-	background-color: #2a2a2a;
-
-}
-a {
-	color: #f2f2f2;
-	text-align: left;
-	padding: 0px;
-}
-
-.center-content {
-	margin: 0 auto;
-}
-
-/* Style the top navigation bar */
-.topnav {
-	overflow: hidden;
-	background-color: #333;
-	width: 1080px;
-	display: flex;
-	align-content: center;
-}
-
-/* Style the topnav links */
-.topnav a {
-	margin: auto;
-	color: #f2f2f2;
-	text-align: center;
-	padding: 14px 16px;
-	text-decoration: none;
-}
-
-/* Change color on hover */
-.topnav a:hover {
-	background-color: #ddd;
-	color: black;
-}
-
-/* Style the content */
-.content {
-	background-color: #2a2a2a;
-	padding: 10px;
-	padding-top: 20px;
-	padding-left: 60px;
-	color: #E3DBCC;
-	width: 1080px;
-}
-
-/* Style the footer */
-.footer {
-	background-color: #2a2a2a;
-	padding: 60px;
-	color: #E3DBCC;
-	width: 1080px;
-}
-</style>
-</head>
-<body>
-	<div class="center-content">
-		<div class="topnav center-content">
-			<a href="/so-auth/loginpage/create-user" target="_blank">Create New User</a>
-			<a href="/kibana/" target="_blank">Kibana</a>
-			<a href="/grafana/" target="_blank">Grafana</a>
-			<a href="/sensoroni/" target="_blank">Sensoroni</a>
-	  		<a href="/playbook/" target="_blank">Playbook</a>
-			<a href="/fleet/" target="_blank">Fleet</a>
-			<a href="/thehive/" target="_blank">TheHive</a>
-			<a href="/packages/" target="_blank">Osquery Packages</a>
-			<a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/FAQ" target="_blank">FAQ</a>
-			<a href="https://www.securityonionsolutions.com" target="_blank">Security Onion Solutions</a>
-			<a href="https://blog.securityonion.net" target="_blank">Blog</a>
-		</div>
-		  
-		<div class="content center-content">
-			<p>
-				<div style="text-align: center;">
-					<h1>Osquery Packages</h1>
-				</div>
-				<br/>
-				<h2>Notes</h2>
-				<ul>
-					<li>These packages are customized for this specific Fleet install and will only be generated after the Fleet setup script has been run. If you want vanilla osquery packages, you can get them directly from <a href="https://osquery.io/downloads">osquery.io</a></li>
-					<li>Packages are not signed.</li>
-				</ul>
-				<br/>
-				<h2>Downloads</h2>
-				<div>
-					Generated: {{ PACKAGESTS }}
-					<br/>
-					<br/>
-					Packages:
-					<ul>
-						<li><a href="/packages/launcher.msi" download="msi-launcher.msi">MSI (Windows)</a></li>
-						<li><a href="/packages/launcher.deb" download="deb-launcher.deb">DEB (Debian)</a></li>
-						<li><a href="/packages/launcher.rpm" download="rpm-launcher.rpm">RPM (RPM)</a></li>
-						<li><a href="/packages/launcher.pkg" download="pkg-launcher.pkg">PKG (MacOS)</a></li>
-					</ul>
-					<br/>
-					<br/>
-					Config Files:
-					<ul>
-						<li><a href="/packages/launcher.flags" download="launcher.flags.txt">RPM & DEB Flag File</a></li>
-						<li><a href="/packages/launcher-msi.flags" download="launcher-msi.flags.txt">MSI Flag File</a></li>
-					</ul>
-				</div>
-				<br/>
-				<h2>Known Issues</h2>
-				<ul>
-					<li>None</li>
-				</ul>
-			  </p>
-		  </div>
-	</div>
-</body>
-</html>

salt/fleet/files/scripts/so-fleet-packages

@@ -30,4 +30,4 @@ cp /opt/so/conf/fleet/packages/launcher.* /opt/so/saltstack/salt/launcher/packag
 
 #Update timestamp on packages webpage
 sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html
-sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/saltstack/salt/fleet/osquery-packages.html
+sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/saltstack/salt/fleet/files/dedicated-index.html

salt/fleet/init.sls

@@ -76,11 +76,7 @@ fleetsetupscripts:
 osquerypackageswebpage:
   file.managed:
     - name: /opt/so/conf/fleet/packages/index.html
-{% if FLEETARCH == "so-fleet" %}
     - source: salt://fleet/files/dedicated-index.html
-{% else %}
-    - source: salt://fleet/files/osquery-packages.html
-{% endif %}
     - template: jinja
 
 fleetdb:

salt/logstash/pipelines/templates/so/so-common-template.json

@@ -252,6 +252,10 @@
           "type":"object",
           "dynamic": true
         },
+	"request":{
+          "type":"object",
+          "dynamic": true
+        },
         "rfb":{
           "type":"object",
           "dynamic": true
@@ -260,6 +264,10 @@
           "type":"object",
           "dynamic": true
         },
+	"scan":{
+          "type":"object",
+          "dynamic": true
+        },
         "server":{
           "type":"object",
           "dynamic": true

salt/strelka/init.sls

@@ -23,14 +23,6 @@ strelkaconfdir:
     - group: 939
     - makedirs: True
 
-# Strelka logs 
-strelkalogdir:
-  file.directory:
-    - name: /opt/so/log/strelka
-    - user: 939
-    - group: 939
-    - makedirs: True
-
 # Sync dynamic config to conf dir
 strelkasync:
   file.recurse:
@@ -47,6 +39,13 @@ strelkadatadir:
     - group: 939
     - makedirs: True
 
+strelkalogdir:
+  file.directory:
+    - name: /nsm/strelka/log
+    - user: 939
+    - group: 939
+    - makedirs: True
+
 strelkastagedir:
    file.directory:
     - name: /nsm/strelka/processed
@@ -75,7 +74,7 @@ strelka_frontend:
     - image: soshybridhunter/so-strelka-frontend:HH1.2.1
     - binds:
       - /opt/so/conf/strelka/frontend/:/etc/strelka/:ro
-      - /opt/so/log/strelka/:/var/log/strelka/:rw
+      - /nsm/strelka/log/:/var/log/strelka/:rw
     - privileged: True
     - name: so-strelka-frontend
     - command: strelka-frontend

setup/so-functions

@@ -843,6 +843,7 @@ master_pillar() {
   echo "  wazuh: $WAZUH" >> $PILLARFILE
   echo "  thehive: $THEHIVE" >> $PILLARFILE
   echo "  playbook: $PLAYBOOK" >> $PILLARFILE
+  echo "  strelka: $STRELKA" >> $PILLARFILE
   echo "" >> $PILLARFILE
   echo "kratos:" >> $PILLARFILE
   if [[ $REDIRECTINFO == 'OTHER' ]]; then
@@ -993,6 +994,7 @@ process_components() {
 	WAZUH=0
 	THEHIVE=0
 	PLAYBOOK=0
+	STRELKA=0
 
 	IFS=$' '
 	for item in $(echo "$CLEAN"); do

setup/so-setup

@@ -716,6 +716,10 @@ if (whiptail_you_sure) ; then
         echo -e "XXX\n93\nInstalling Playbook... \nXXX"
         salt-call state.apply playbook >> $SETUPLOG 2>&1
       fi
+      if [[ $STRELKA == '1' ]]; then
+        echo -e "XXX\n95\nInstalling Strelka... \nXXX"
+        salt-call state.apply strelka >> $SETUPLOG 2>&1
+      fi
       echo -e "XXX\n95\nSetting checkin to run on boot... \nXXX"
       checkin_at_boot >> $SETUPLOG 2>&1
       echo -e "XX\n97\nFinishing touches... \nXXX"

setup/so-whiptail

@@ -214,7 +214,8 @@ whiptail_enable_components() {
   "OSQUERY" "Enable Fleet with osquery" ON \
   "WAZUH" "Enable Wazuh" ON \
   "THEHIVE" "Enable TheHive" ON \
-  "PLAYBOOK" "Enable Playbook" ON 3>&1 1>&2 2>&3 )
+  "PLAYBOOK" "Enable Playbook" ON \
+  "STRELKA" "Enable Strelka" ON 3>&1 1>&2 2>&3 )
 
   local exitstatus=$?
   whiptail_check_exitstatus $exitstatus