CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 17:52:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/dev' into feature/auth

Browse Source 
# Conflicts:
#	salt/common/nginx/nginx.conf.so-eval
This commit is contained in:
William Wernert
2020-01-09 18:41:46 -05:00
parent 1bfb8bbea2 6ea941dfba
commit 5cb8bd61b6
67 changed files with 2534 additions and 311 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
pillar/thresholding/pillar.example Normal file
View File

@@ -0,0 +1,44 @@
thresholding:
sids:
8675309:
- threshold:
gen_id: 1
type: threshold
track: by_src
count: 10
seconds: 10
- threshold:
gen_id: 1
type: limit
track: by_dst
count: 100
seconds: 30
- rate_filter:
gen_id: 1
track: by_rule
count: 50
seconds: 30
new_action: alert
timeout: 30
- suppress:
gen_id: 1
track: by_either
ip: 10.10.3.7
11223344:
- threshold:
gen_id: 1
type: limit
track: by_dst
count: 10
seconds: 10
- rate_filter:
gen_id: 1
track: by_src
count: 50
seconds: 20
new_action: pass
timeout: 60
- suppress:
gen_id: 1
track: by_src
ip: 10.10.3.0/24

20
pillar/thresholding/pillar.usage Normal file
View File

@@ -0,0 +1,20 @@
thresholding:
sids:
<signature id>:
- threshold:
gen_id: <generator id>
type: <threshold | limit | both>
track: <by_src | by_dst>
count: <count>
seconds: <seconds>
- rate_filter:
gen_id: <generator id>
track: <by_src | by_dst | by_rule | by_both>
count: <count>
seconds: <seconds>
new_action: <alert | pass>
timeout: <seconds>
- suppress:
gen_id: <generator id>
track: <by_src | by_dst | by_either>
ip: <ip | subnet>

11
pillar/top.sls
View File

@@ -3,20 +3,20 @@ base:
- patch.needs_restarting
'G@role:so-sensor':
- sensors.{{ grains.id }}
- minions.{{ grains.id }}
- static
- firewall.*
- brologs
'G@role:so-master':
- masters.{{ grains.id }}
- minions.{{ grains.id }}
- static
- firewall.*
- data.*
- auth
'G@role:so-eval':
- masters.{{ grains.id }}
- minions.{{ grains.id }}
- static
- firewall.*
- data.*
@@ -24,13 +24,12 @@ base:
- auth
'G@role:so-node':
- nodes.{{ grains.id }}
- minions.{{ grains.id }}
- static
- firewall.*
'G@role:so-helix':
- masters.{{ grains.id }}
- sensors.{{ grains.id }}
- minions.{{ grains.id }}
- static
- firewall.*
- fireeye

63
salt/bro/cron/zeek_clean Normal file
View File

@@ -0,0 +1,63 @@
#!/bin/bash
# Delete Zeek Logs based on defined CRIT_DISK_USAGE value
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
clean () {
SENSOR_DIR='/nsm'
CRIT_DISK_USAGE=90
CUR_USAGE=$(df -P $SENSOR_DIR | tail -1 | awk '{print $5}' | tr -d %)
LOG="/nsm/bro/logs/zeek_clean.log"
if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ];
do
TODAY=$(date -u "+%Y-%m-%d")
# find the oldest Zeek logs directory and exclude today
OLDEST_DIR=$(ls /nsm/bro/logs/ | grep -v "current" | grep -v "stats" | grep -v "packetloss" | grep -v "zeek_clean" | sort | grep -v $TODAY | head -n 1)
if [ -z "$OLDEST_DIR" -o "$OLDEST_DIR" == ".." -o "$OLDEST_DIR" == "." ]
then
echo "$(date) - No old Zeek logs available to clean up in /nsm/bro/logs/" >> $LOG
exit 0
else
echo "$(date) - Removing directory: /nsm/bro/logs/$OLDEST_DIR" >> $LOG
rm -rf /nsm/bro/logs/"$OLDEST_DIR"
fi
# find oldest files in extracted directory and exclude today
OLDEST_EXTRACT=$(find /nsm/bro/extracted -type f -printf '%T+ %p\n' 2>/dev/null | sort | grep -v $TODAY | head -n 1)
if [ -z "$OLDEST_EXTRACT" -o "$OLDEST_EXTRACT" == ".." -o "$OLDEST_EXTRACT" == "." ]
then
echo "$(date) - No old extracted files available to clean up in /nsm/bro/extracted/" >> $LOG
else
OLDEST_EXTRACT_DATE=`echo $OLDEST_EXTRACT | awk '{print $1}' | cut -d+ -f1`
OLDEST_EXTRACT_FILE=`echo $OLDEST_EXTRACT | awk '{print $2}'`
echo "$(date) - Removing extracted files for $OLDEST_EXTRACT_DATE" >> $LOG
find /nsm/bro/extracted -type f -printf '%T+ %p\n' | grep $OLDEST_EXTRACT_DATE | awk '{print $2}' |while read FILE
do
echo "$(date) - Removing extracted file: $FILE" >> $LOG
rm -f "$FILE"
done
fi
done
else
echo "$(date) - CRIT_DISK_USAGE value of $CRIT_DISK_USAGE not greater than current usage of $CUR_USAGE..." >> $LOG
fi
}
clean

15
salt/bro/init.sls
View File

@@ -79,6 +79,21 @@ plcronscript:
- source: salt://bro/cron/packetloss.sh
- mode: 755
zeekcleanscript:
file.managed:
- name: /usr/local/bin/zeek_clean
- source: salt://bro/cron/zeek_clean
- mode: 755
/usr/local/bin/zeek_clean:
cron.present:
- user: root
- minute: '*'
- hour: '*'
- daymonth: '*'
- month: '*'
- dayweek: '*'
/usr/local/bin/packetloss.sh:
cron.present:
- user: root

3
salt/common/nginx/nginx.conf.so-eval
View File

@@ -184,6 +184,7 @@ http {
}
<<<<<<< HEAD
location /cyberchef/ {
proxy_pass http://{{ masterip }}:9080/;
proxy_read_timeout 90;
@@ -196,6 +197,8 @@ http {
}
=======
>>>>>>> origin/dev
location /soctopus/ {
proxy_pass http://{{ masterip }}:7000/;
proxy_read_timeout 90;

12
salt/common/nginx/nginx.conf.so-master
View File

@@ -188,18 +188,6 @@ http {
}
location /cyberchef/ {
proxy_pass http://{{ masterip }}:9080/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_http_version 1.1; # this is essential for chunked responses to work
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /soctopus/ {
proxy_pass http://{{ masterip }}:7000/;
proxy_read_timeout 90;

18
salt/common/tools/sbin/so-allow
View File

@@ -40,3 +40,21 @@ fi
echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
/opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
# Check if Wazuh enabled
if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then
# If analyst, add to Wazuh AR whitelist
if [ "$FULLROLE" == "analyst" ]; then
WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
if ! grep -q "<white_list>$IP</white_list>" $WAZUH_MGR_CFG ; then
DATE=`date`
sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
echo -e "<!--Address $IP added by /usr/sbin/so-allow on "$DATE"-->\n <global>\n <white_list>$IP</white_list>\n </global>\n</ossec_config>" >> $WAZUH_MGR_CFG
echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
echo
echo "Restarting OSSEC Server..."
/usr/sbin/so-wazuh-restart
fi
fi
fi

20
salt/common/tools/sbin/so-cortex-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start cortex $1

20
salt/common/tools/sbin/so-cortex-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop cortex $1

20
salt/common/tools/sbin/so-curator-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart curator $1

20
salt/common/tools/sbin/so-curator-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start curator $1

20
salt/common/tools/sbin/so-curator-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop curator $1

1000
salt/common/tools/sbin/so-elastalert-create Normal file
View File

File diff suppressed because it is too large Load Diff

20
salt/common/tools/sbin/so-elastalert-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart elastalert $1

20
salt/common/tools/sbin/so-elastalert-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start elastalert $1

20
salt/common/tools/sbin/so-elastalert-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop elastalert $1

142
salt/common/tools/sbin/so-elastalert-test Normal file
View File

@@ -0,0 +1,142 @@
#!/bin/bash
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Originally written by Bryant Treacle
# https://raw.githubusercontent.com/bryant-treacle/so-elastalert-test-rule/master/so-elastalert-test
# Modified by Doug Burks and Wes Lambert
#
# Purpose: This script will allow you to test your elastalert rule without entering the Docker container.
. /usr/sbin/so-elastic-common
OPTIONS=""
SKIP=0
RESULTS_TO_LOG="n"
RULE_NAME=""
FILE_SAVE_LOCATION=""
usage()
{
cat <<EOF
Test Elastalert Rule
Options:
-h This message
-a Trigger real alerts instead of the debug alert
-l <path_to_file> Write results to specified log file
-o '<options>' Specify Elastalert options ( Ex. --schema-only , --count-only, --days N )
-r <rule_name> Specify path/name of rule to test
EOF
}
while getopts "hal:o:r:" OPTION
do
case $OPTION in
h)
usage
exit 0
;;
a)
OPTIONS="--alert"
;;
l)
RESULTS_TO_LOG="y"
FILE_SAVE_LOCATION=$OPTARG
;;
o)
OPTIONS=$OPTARG
;;
r)
RULE_NAME=$OPTARG
SKIP=1
;;
*)
usage
exit 0
;;
esac
done
docker_exec(){
if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS" > $FILE_SAVE_LOCATION
else
docker exec -it so-elastalert bash -c "elastalert-test-rule $RULE_NAME $OPTIONS"
fi
}
rule_prompt(){
CURRENT_RULES=$(find /opt/so/rules/elastalert -name "*.yaml")
echo
echo "This script will allow you to test an Elastalert rule."
echo
echo "Below is a list of active Elastalert rules:"
echo
echo "-----------------------------------"
echo
echo "$CURRENT_RULES"
echo
echo "-----------------------------------"
echo
echo "Note: To test a rule it must be accessible by the Elastalert Docker container."
echo
echo "Make sure to swap the local path (/opt/so/rules/elastalert/) for the docker path (/etc/elastalert/rules/)"
echo "Example: /opt/so/rules/elastalert/nids2hive.yaml would be /etc/elastalert/rules/nids2hive.yaml"
echo
while [ -z $RULE_NAME ]; do
echo "Please enter the file path and rule name you want to test."
read -e RULE_NAME
done
}
log_save_prompt(){
RESULTS_TO_LOG=""
while [ -z $RESULTS_TO_LOG ]; do
echo "The results can be rather long. Would you like to write the results to a file? (Y/N)"
read RESULTS_TO_LOG
done
}
log_path_prompt(){
while [ -z $FILE_SAVE_LOCATION ]; do
echo "Please enter the file path and file name."
read -e FILE_SAVE_LOCATION
done
echo "Depending on the rule this may take a while."
}
if [ $SKIP -eq 0 ]; then
rule_prompt
log_save_prompt
if [ ${RESULTS_TO_LOG,,} = "y" ] ; then
log_path_prompt
fi
fi
docker_exec
if [ $? -eq 0 ]; then
echo "Test completed successfully!"
else
echo "Something went wrong..."
fi
echo

33
salt/common/tools/sbin/so-elastic-diagnose Normal file
View File

@@ -0,0 +1,33 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Source common settings
. /usr/sbin/so-common
# Check for log files
for FILE in /opt/so/log/elasticsearch/*.log /opt/so/log/logstash/*.log /opt/so/log/kibana/*.log /opt/so/log/elastalert/*.log /opt/so/log/curator/*.log /opt/so/log/freqserver/*.log /opt/so/log/nginx/*.log; do
# If file exists, then look for errors or warnings
if [ -f $FILE ]; then
MESSAGE=`grep -i 'ERROR\|FAIL\|WARN' $FILE`
if [ ! -z "$MESSAGE" ]; then
header $FILE
echo $MESSAGE | sed 's/WARN/\nWARN/g' | sed 's/WARNING/\nWARNING/g' | sed 's/ERROR/\nERROR/g' | sort | uniq -c | sort -nr
echo
fi
fi
done

20
salt/common/tools/sbin/so-elasticsearch-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart elasticsearch $1

20
salt/common/tools/sbin/so-elasticsearch-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start elasticsearch $1

20
salt/common/tools/sbin/so-elasticsearch-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop elasticsearch $1

31
salt/common/tools/sbin/so-filebeat-start
View File

@@ -1,17 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
docker rm so-filebeat && salt-call state.apply filebeat
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start filebeat $1

31
salt/common/tools/sbin/so-filebeat-stop
View File

@@ -1,17 +1,20 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018, 2019 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
docker stop so-filebeat
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop filebeat $1

20
salt/common/tools/sbin/so-fleet-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart fleet $1

20
salt/common/tools/sbin/so-fleet-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start fleet $1

20
salt/common/tools/sbin/so-fleet-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop fleet $1

20
salt/common/tools/sbin/so-grafana-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart grafana $1

20
salt/common/tools/sbin/so-grafana-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start grafana $1

20
salt/common/tools/sbin/so-grafana-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop grafana $1

20
salt/common/tools/sbin/so-kibana-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart kibana $1

20
salt/common/tools/sbin/so-kibana-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start kibana $1

20
salt/common/tools/sbin/so-kibana-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop kibana $1

20
salt/common/tools/sbin/so-logstash-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start logstash $1

20
salt/common/tools/sbin/so-logstash-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop logstash $1

20
salt/common/tools/sbin/so-mysql-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart mysql $1

20
salt/common/tools/sbin/so-mysql-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start mysql $1

20
salt/common/tools/sbin/so-mysql-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop mysql $1

20
salt/common/tools/sbin/so-playbook-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start playbook $1

20
salt/common/tools/sbin/so-playbook-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop playbook $1

20
salt/common/tools/sbin/so-redis-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart redis $1

20
salt/common/tools/sbin/so-redis-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start redis $1

20
salt/common/tools/sbin/so-redis-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop redis $1

5
salt/common/tools/sbin/so-restart
View File

@@ -20,7 +20,7 @@
. /usr/sbin/so-common
echo $banner
printf "Restarting $1\n"
printf "Restarting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
echo $banner
if [ "$2" = "--force" ]
@@ -31,6 +31,5 @@ fi
case $1 in
"cortex") docker stop so-thehive-cortex so-thehive && docker rm so-thehive-cortex so-thehive && salt-call state.apply hive queue=True;;
"fleet") docker stop so-fleet so-redis && docker rm so-fleet so-redis && salt-call state.apply fleet queue=True;;
*) docker stop so-$1 && docker rm so-$1 && salt-call state.apply $1 queue=True;;
*) docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
esac

20
salt/common/tools/sbin/so-soctopus-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start soctopus $1

20
salt/common/tools/sbin/so-soctopus-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop soctopus $1

37
salt/common/tools/sbin/so-start
View File

@@ -1 +1,36 @@
sudo salt-call state.highstate
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Usage: so-start all | filebeat | kibana | playbook | thehive
. /usr/sbin/so-common
echo $banner
printf "Starting $1...\n\nThis could take a while if another Salt job is running. \nRun this command with --force to stop all Salt jobs before proceeding.\n"
echo $banner
if [ "$2" = "--force" ]
then
printf "\nForce-stopping all Salt jobs before proceeding\n\n"
salt-call saltutil.kill_all_jobs
fi
case $1 in
"all") salt-call state.highstate queue=True;;
*) if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi
esac

27
salt/common/tools/sbin/so-stop Normal file
View File

@@ -0,0 +1,27 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Usage: so-stop filebeat | kibana | playbook | thehive
. /usr/sbin/so-common
echo $banner
printf "Stopping $1...\n"
echo $banner
docker stop so-$1 ; docker rm so-$1

20
salt/common/tools/sbin/so-thehive-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start thehive $1

20
salt/common/tools/sbin/so-thehive-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop thehive $1

2
salt/common/tools/sbin/so-wazuh-start
View File

@@ -14,4 +14,4 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
docker rm so-wazuh && salt-call state.apply wazuh
docker stop so-wazuh

20
salt/common/tools/sbin/so-zeek-restart Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-restart bro $1

20
salt/common/tools/sbin/so-zeek-start Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-start bro $1

20
salt/common/tools/sbin/so-zeek-stop Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/bash
#
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
. /usr/sbin/so-common
/usr/sbin/so-stop bro $1

51
salt/domainstats/init.sls Normal file
View File

@@ -0,0 +1,51 @@
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Create the group
dstatsgroup:
group.present:
- name: domainstats
- gid: 936
# Add user
domainstats:
user.present:
- uid: 936
- gid: 936
- home: /opt/so/conf/domainstats
- createhome: False
# Create the log directory
dstatslogdir:
file.directory:
- name: /opt/so/log/domainstats
- user: 936
- group: 939
- makedirs: True
so-domainstatsimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-domainstats:HH1.0.3
so-domainstats:
docker_container.running:
- require:
- so-domainstatsimage
- image: docker.io/soshybridhunter/so-domainstats:HH1.0.3
- hostname: domainstats
- name: so-domainstats
- user: domainstats
- binds:
- /opt/so/log/domainstats:/var/log/domain_stats

131
salt/elastalert/files/modules/so/thehive.py
View File

@@ -1,84 +1,107 @@
# -*- coding: utf-8 -*-
from __future__ import unicode_literals
# HiveAlerter modified from original at: https://raw.githubusercontent.com/Nclose-ZA/elastalert_hive_alerter/master/elastalert_hive_alerter/hive_alerter.py
import uuid
import re
from elastalert.alerts import Alerter
from thehive4py.api import TheHiveApi
from thehive4py.models import Alert, AlertArtifact, CustomFieldHelper
class TheHiveAlerter(Alerter):
"""
Use matched data to create alerts containing observables in an instance of TheHive
This is a modified version for use with Security Onion
"""
required_options = set(['hive_connection', 'hive_alert_config'])
def alert(self, matches):
def get_aggregation_summary_text(self, matches):
text = super(TheHiveAlerter, self).get_aggregation_summary_text(matches)
if text:
text = '```\n{0}```\n'.format(text)
return text
def create_artifacts(self, match):
artifacts = []
context = {'rule': self.rule, 'match': match}
for mapping in self.rule.get('hive_observable_data_mapping', []):
for observable_type, match_data_key in mapping.items():
try:
artifacts.append(AlertArtifact(dataType=observable_type, data=match_data_key.format(**context)))
except KeyError as e:
print(('format string {} fail cause no key {} in {}'.format(e, match_data_key, context)))
return artifacts
def create_alert_config(self, match):
context = {'rule': self.rule, 'match': match}
alert_config = {
'artifacts': self.create_artifacts(match),
'sourceRef': str(uuid.uuid4())[0:6],
'title': '{rule[name]}'.format(**context)
}
alert_config.update(self.rule.get('hive_alert_config', {}))
for alert_config_field, alert_config_value in alert_config.items():
if alert_config_field == 'customFields':
custom_fields = CustomFieldHelper()
for cf_key, cf_value in alert_config_value.items():
try:
func = getattr(custom_fields, 'add_{}'.format(cf_value['type']))
except AttributeError:
raise Exception('unsupported custom field type {}'.format(cf_value['type']))
value = cf_value['value'].format(**context)
func(cf_key, value)
alert_config[alert_config_field] = custom_fields.build()
elif isinstance(alert_config_value, str):
alert_config[alert_config_field] = alert_config_value.format(**context)
elif isinstance(alert_config_value, (list, tuple)):
formatted_list = []
for element in alert_config_value:
try:
formatted_list.append(element.format(**context))
except (AttributeError, KeyError, IndexError):
formatted_list.append(element)
alert_config[alert_config_field] = formatted_list
return alert_config
def send_to_thehive(self, alert_config):
connection_details = self.rule['hive_connection']
api = TheHiveApi(
connection_details.get('hive_host'),
connection_details.get('hive_host', ''),
connection_details.get('hive_apikey', ''),
proxies=connection_details.get('hive_proxies', {'http': '', 'https': ''}),
cert=connection_details.get('hive_verify', False))
for match in matches:
context = {'rule': self.rule, 'match': match}
alert = Alert(**alert_config)
response = api.create_alert(alert)
if response.status_code != 201:
raise Exception('alert not successfully created in TheHive\n{}'.format(response.text))
def alert(self, matches):
if self.rule.get('hive_alert_config_type', 'custom') != 'classic':
for match in matches:
alert_config = self.create_alert_config(match)
self.send_to_thehive(alert_config)
else:
alert_config = self.create_alert_config(matches[0])
artifacts = []
for mapping in self.rule.get('hive_observable_data_mapping', []):
for observable_type, match_data_key in mapping.items():
try:
match_data_keys = re.findall(r'\{match\[([^\]]*)\]', match_data_key)
rule_data_keys = re.findall(r'\{rule\[([^\]]*)\]', match_data_key)
data_keys = match_data_keys + rule_data_keys
context_keys = list(context['match'].keys()) + list(context['rule'].keys())
if all([True if k in context_keys else False for k in data_keys]):
artifacts.append(AlertArtifact(dataType=observable_type, data=match_data_key.format(**context)))
except KeyError:
raise KeyError('\nformat string\n{}\nmatch data\n{}'.format(match_data_key, context))
for match in matches:
artifacts += self.create_artifacts(match)
if 'related_events' in match:
for related_event in match['related_events']:
artifacts += self.create_artifacts(related_event)
alert_config = {
'artifacts': artifacts,
'sourceRef': str(uuid.uuid4())[0:6],
'title': '{rule[index]}_{rule[name]}'.format(**context)
}
alert_config.update(self.rule.get('hive_alert_config', {}))
for alert_config_field, alert_config_value in alert_config.items():
if alert_config_field == 'customFields':
custom_fields = CustomFieldHelper()
for cf_key, cf_value in alert_config_value.items():
try:
func = getattr(custom_fields, 'add_{}'.format(cf_value['type']))
except AttributeError:
raise Exception('unsupported custom field type {}'.format(cf_value['type']))
value = cf_value['value'].format(**context)
func(cf_key, value)
alert_config[alert_config_field] = custom_fields.build()
elif isinstance(alert_config_value, str):
alert_config[alert_config_field] = alert_config_value.format(**context)
elif isinstance(alert_config_value, (list, tuple)):
formatted_list = []
for element in alert_config_value:
try:
formatted_list.append(element.format(**context))
except (AttributeError, KeyError, IndexError):
formatted_list.append(element)
alert_config[alert_config_field] = formatted_list
alert = Alert(**alert_config)
response = api.create_alert(alert)
if response.status_code != 201:
raise Exception('alert not successfully created in TheHive\n{}'.format(response.text))
alert_config['artifacts'] = artifacts
alert_config['title'] = self.create_title(matches)
alert_config['description'] = self.create_alert_body(matches)
self.send_to_thehive(alert_config)
def get_info(self):
return {
'type': 'hivealerter',
'hive_host': self.rule.get('hive_connection', {}).get('hive_host', '')
}
}

92
salt/elasticsearch/init.sls
View File

@@ -1,4 +1,4 @@
# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -16,22 +16,16 @@
{% set esclustername = salt['pillar.get']('master:esclustername', '') %}
{% set esheap = salt['pillar.get']('master:esheap', '') %}
{% set freq = salt['pillar.get']('master:freq', '0') %}
{% set dstats = salt['pillar.get']('master:dstats', '0') %}
{% elif grains['role'] == 'so-eval' %}
{% set esclustername = salt['pillar.get']('master:esclustername', '') %}
{% set esheap = salt['pillar.get']('master:esheap', '') %}
{% set freq = salt['pillar.get']('master:freq', '0') %}
{% set dstats = salt['pillar.get']('master:dstats', '0') %}
{% elif grains['role'] == 'so-node' %}
{% set esclustername = salt['pillar.get']('node:esclustername', '') %}
{% set esheap = salt['pillar.get']('node:esheap', '') %}
{% set freq = salt['pillar.get']('node:freq', '0') %}
{% set dstats = salt['pillar.get']('node:dstats', '0') %}
{% endif %}
@@ -150,87 +144,3 @@ so-elasticsearch-pipelines:
# Tell the main cluster I am here
#curl -XPUT http://\$ELASTICSEARCH_HOST:\$ELASTICSEARCH_PORT/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"$HOSTNAME": {"skip_unavailable": "true", "seeds": ["$DOCKER_INTERFACE:$REVERSE_PORT"]}}}}}'
# See if Freqserver is enabled
{% if freq == 1 %}
# Create the user
fservergroup:
group.present:
- name: freqserver
- gid: 935
# Add ES user
freqserver:
user.present:
- uid: 935
- gid: 935
- home: /opt/so/conf/freqserver
- createhome: False
# Create the log directory
freqlogdir:
file.directory:
- name: /opt/so/log/freq_server
- user: 935
- group: 935
- makedirs: True
so-freqimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-freqserver:HH1.0.3
so-freq:
docker_container.running:
- require:
- so-freqimage
- image: docker.io/soshybridhunter/so-freqserver:HH1.0.3
- hostname: freqserver
- name: so-freqserver
- user: freqserver
- binds:
- /opt/so/log/freq_server:/var/log/freq_server:rw
{% endif %}
{% if dstats == 1 %}
# Create the group
dstatsgroup:
group.present:
- name: domainstats
- gid: 936
# Add user
domainstats:
user.present:
- uid: 936
- gid: 936
- home: /opt/so/conf/domainstats
- createhome: False
# Create the log directory
dstatslogdir:
file.directory:
- name: /opt/so/log/domainstats
- user: 936
- group: 939
- makedirs: True
so-domainstatsimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-domainstats:HH1.0.3
so-domainstats:
docker_container.running:
- require:
- so-domainstatsimage
- image: docker.io/soshybridhunter/so-domainstats:HH1.0.3
- hostname: domainstats
- name: so-domainstats
- user: domainstats
- binds:
- /opt/so/log/domainstats:/var/log/domain_stats
{% endif %}

52
salt/freqserver/init.sls Normal file
View File

@@ -0,0 +1,52 @@
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Create the user
fservergroup:
group.present:
- name: freqserver
- gid: 935
# Add ES user
freqserver:
user.present:
- uid: 935
- gid: 935
- home: /opt/so/conf/freqserver
- createhome: False
# Create the log directory
freqlogdir:
file.directory:
- name: /opt/so/log/freq_server
- user: 935
- group: 935
- makedirs: True
so-freqimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-freqserver:HH1.0.3
so-freq:
docker_container.running:
- require:
- so-freqimage
- image: docker.io/soshybridhunter/so-freqserver:HH1.0.3
- hostname: freqserver
- name: so-freqserver
- user: freqserver
- binds:
- /opt/so/log/freq_server:/var/log/freq_server:rw

BIN
salt/playbook/files/redmine.db
View File

Binary file not shown.

36
salt/suricata/files/threshold.conf.jinja Normal file
View File

@@ -0,0 +1,36 @@
{% set THRESHOLDING = salt['pillar.get']('thresholding', {}) -%}
{% if THRESHOLDING -%}
{% for EACH_SID in THRESHOLDING.sids -%}
{% for ACTIONS_LIST in THRESHOLDING.sids[EACH_SID] -%}
{% for EACH_ACTION in ACTIONS_LIST -%}
{%- if EACH_ACTION == 'threshold' %}
{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, type {{ ACTIONS_LIST[EACH_ACTION].type }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}
{%- elif EACH_ACTION == 'rate_filter' %}
{%- if ACTIONS_LIST[EACH_ACTION].new_action not in ['drop','reject'] %}
{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
{%- else %}
##### Security Onion does not support drop or reject actions for rate_filter
##### {{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, count {{ ACTIONS_LIST[EACH_ACTION].count }}, seconds {{ ACTIONS_LIST[EACH_ACTION].seconds }}, new_action {{ ACTIONS_LIST[EACH_ACTION].new_action }}, timeout {{ ACTIONS_LIST[EACH_ACTION].timeout }}
{%- endif %}
{%- elif EACH_ACTION == 'suppress' %}
{%- if ACTIONS_LIST[EACH_ACTION].track is defined %}
{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}, track {{ ACTIONS_LIST[EACH_ACTION].track }}, ip {{ ACTIONS_LIST[EACH_ACTION].ip }}
{%- else %}
{{ EACH_ACTION }} gen_id {{ ACTIONS_LIST[EACH_ACTION].gen_id }}, sig_id {{ EACH_SID }}
{%- endif %}
{%- endif %}
{%- endfor %}
{%- endfor %}
{%- endfor %}
{%- else %}
##### The thresholding pillar has not been defined
{%- endif %}

10
salt/suricata/init.sls
View File

@@ -70,6 +70,14 @@ suriconfigsync:
- group: 940
- template: jinja
surithresholding:
file.managed:
- name: /opt/so/conf/suricata/threshold.conf
- source: salt://suricata/files/threshold.conf.jinja
- user: 940
- group: 940
- template: jinja
so-suricataimage:
cmd.run:
- name: docker pull --disable-content-trust=false docker.io/soshybridhunter/so-suricata:HH1.1.1
@@ -84,9 +92,11 @@ so-suricata:
- INTERFACE={{ interface }}
- binds:
- /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
- /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
- /opt/so/conf/suricata/rules:/etc/suricata/rules:ro
- /opt/so/log/suricata/:/var/log/suricata/:rw
- network_mode: host
- watch:
- file: /opt/so/conf/suricata/suricata.yaml
- file: surithresholding
- file: /opt/so/conf/suricata/rules/

2
salt/tcpreplay/init.sls
View File

@@ -7,7 +7,7 @@ so-tcpreplayimage:
so-tcpreplay:
docker_container.running:
- require:
- so-tcpreplay
- so-tcpreplayimage
- network_mode: "host"
- image: docker.io/soshybridhunter/so-tcpreplay:HH1.1.4
- name: so-tcpreplay

17
salt/top.sls
View File

@@ -4,6 +4,9 @@
{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') -%}
{%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%}
{%- set PLAYBOOK = salt['pillar.get']('master:playbook', '0') -%}
{%- set FREQSERVER = salt['pillar.get']('master:freq', '0') -%}
{%- set DOMAINSTATS = salt['pillar.get']('master:domainstats', '0') -%}
base:
'*':
- patch.os.schedule
@@ -78,7 +81,12 @@ base:
{%- if PLAYBOOK != 0 %}
- playbook
{%- endif %}
{%- if FREQSERVER != 0 %}
- freqserver
{%- endif %}
{%- if DOMAINSTATS != 0 %}
- domainstats
{%- endif %}
'G@role:so-master':
@@ -114,7 +122,12 @@ base:
{%- if PLAYBOOK != 0 %}
- playbook
{%- endif %}
{%- if FREQSERVER != 0 %}
- freqserver
{%- endif %}
{%- if DOMAINSTATS != 0 %}
- domainstats
{%- endif %}
# Search node logic

9
salt/wazuh/files/agent/ossec.conf
View File

@@ -179,12 +179,17 @@
<log_format>syslog</log_format>
<location>/var/ossec/logs/active-responses.log</location>
</localfile>
{%- if grains['os'] == 'Ubuntu' %}
<localfile>
<log_format>syslog</log_format>
<location>/var/log/auth.log</location>
</localfile>
{%- else %}
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
{%- endif %}
<localfile>
<log_format>syslog</log_format>
<location>/var/log/syslog</location>

8
salt/wazuh/files/agent/wazuh-register-agent
View File

@@ -31,6 +31,7 @@ USER="foo"
PASSWORD="bar"
AGENT_NAME=$(hostname)
AGENT_IP="{{ip}}"
AGENT_ID=001
display_help() {
cat <<HELP_USAGE
@@ -135,5 +136,10 @@ shift $(($OPTIND - 1))
# Default action -> try to register the agent
sleep 10s
register_agent
STATUS=$(curl -s -k -u $USER:$PASSWORD $PROTOCOL://$API_IP:$API_PORT/agents/$AGENT_ID | jq .data.status | sed s'/"//g')
if [[ $STATUS == "Active" ]]; then
echo "Agent $AGENT_ID already registered!"
else
register_agent
fi
#remove_agent

197
setup/functions.sh
View File

@@ -270,9 +270,9 @@ copy_minion_tmp_files() {
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
echo "Copying pillar and salt files in $TMP to /opt/so/saltstack"
cp -Rv $TMP/pillar/ /opt/so/saltstack/pillar/ >> $SETUPLOG 2>&1
cp -Rv $TMP/pillar/ /opt/so/saltstack/ >> $SETUPLOG 2>&1
if [ -d $TMP/salt ] ; then
cp -Rv $TMP/salt/ /opt/so/saltstack/salt/ >> $SETUPLOG 2>&1
cp -Rv $TMP/salt/ /opt/so/saltstack/ >> $SETUPLOG 2>&1
fi
else
echo "scp pillar and salt files in $TMP to master /opt/so/saltstack"
@@ -545,7 +545,8 @@ got_root() {
install_cleanup() {
echo "install_cleanup called" >> $SETUPLOG 2>&1
echo "install_cleanup removing the following files:"
ls -lR $TMP
# Clean up after ourselves
rm -rf /root/installtmp
@@ -556,6 +557,8 @@ install_prep() {
# Create a tmp space that isn't in /tmp
mkdir /root/installtmp
mkdir /root/installtmp/pillar
mkdir /root/installtmp/pillar/minions
TMP=/root/installtmp
}
@@ -595,47 +598,50 @@ ls_heapsize() {
master_pillar() {
PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls
# Create the master pillar
touch /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo "master:" > /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " mainip: $MAINIP" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " mainint: $MAININT" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " esheap: $ES_HEAP_SIZE" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " esclustername: {{ grains.host }}" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo "master:" >> $PILLARFILE
echo " mainip: $MAINIP" >> $PILLARFILE
echo " mainint: $MAININT" >> $PILLARFILE
echo " esheap: $ES_HEAP_SIZE" >> $PILLARFILE
echo " esclustername: {{ grains.host }}" >> $PILLARFILE
if [ $INSTALLTYPE == 'EVALMODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
echo " freq: 0" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " domainstats: 0" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " ls_pipeline_batch_size: 125" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " ls_input_threads: 1" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " ls_batch_count: 125" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " mtu: 1500" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " freq: 0" >> $PILLARFILE
echo " domainstats: 0" >> $PILLARFILE
echo " ls_pipeline_batch_size: 125" >> $PILLARFILE
echo " ls_input_threads: 1" >> $PILLARFILE
echo " ls_batch_count: 125" >> $PILLARFILE
echo " mtu: 1500" >> $PILLARFILE
else
echo " freq: 0" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " domainstats: 0" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " freq: 0" >> $PILLARFILE
echo " domainstats: 0" >> $PILLARFILE
fi
if [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
echo " lsheap: 1000m" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " lsheap: 1000m" >> $PILLARFILE
else
echo " lsheap: $LS_HEAP_SIZE" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " lsheap: $LS_HEAP_SIZE" >> $PILLARFILE
fi
echo " lsaccessip: 127.0.0.1" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " elastalert: 1" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " ls_pipeline_workers: $CPUCORES" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " nids_rules: $RULESETUP" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " oinkcode: $OINKCODE" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
#echo " access_key: $ACCESS_KEY" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
#echo " access_secret: $ACCESS_SECRET" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " es_port: $NODE_ES_PORT" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " log_size_limit: $LOG_SIZE_LIMIT" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " cur_close_days: $CURCLOSEDAYS" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
#echo " mysqlpass: $MYSQLPASS" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
#echo " fleetpass: $FLEETPASS" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " grafana: $GRAFANA" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " osquery: $OSQUERY" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " wazuh: $WAZUH" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " thehive: $THEHIVE" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " playbook: $PLAYBOOK" >> /opt/so/saltstack/pillar/masters/$MINION_ID.sls
echo " lsaccessip: 127.0.0.1" >> $PILLARFILE
echo " elastalert: 1" >> $PILLARFILE
echo " ls_pipeline_workers: $CPUCORES" >> $PILLARFILE
echo " nids_rules: $RULESETUP" >> $PILLARFILE
echo " oinkcode: $OINKCODE" >> $PILLARFILE
#echo " access_key: $ACCESS_KEY" >> $PILLARFILE
#echo " access_secret: $ACCESS_SECRET" >> $PILLARFILE
echo " es_port: $NODE_ES_PORT" >> $PILLARFILE
echo " log_size_limit: $LOG_SIZE_LIMIT" >> $PILLARFILE
echo " cur_close_days: $CURCLOSEDAYS" >> $PILLARFILE
#echo " mysqlpass: $MYSQLPASS" >> $PILLARFILE
#echo " fleetpass: $FLEETPASS" >> $PILLARFILE
echo " grafana: $GRAFANA" >> $PILLARFILE
echo " osquery: $OSQUERY" >> $PILLARFILE
echo " wazuh: $WAZUH" >> $PILLARFILE
echo " thehive: $THEHIVE" >> $PILLARFILE
echo " playbook: $PLAYBOOK" >> $PILLARFILE
echo "" >> $PILLARFILE
}
master_static() {
@@ -695,53 +701,39 @@ network_setup() {
node_pillar() {
NODEPILLARPATH=$TMP/pillar/nodes
if [ ! -d $NODEPILLARPATH ]; then
mkdir -p $NODEPILLARPATH
fi
PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls
# Create the node pillar
touch $NODEPILLARPATH/$MINION_ID.sls
echo "node:" > $NODEPILLARPATH/$MINION_ID.sls
echo " mainip: $MAINIP" >> $NODEPILLARPATH/$MINION_ID.sls
echo " mainint: $MAININT" >> $NODEPILLARPATH/$MINION_ID.sls
echo " esheap: $NODE_ES_HEAP_SIZE" >> $NODEPILLARPATH/$MINION_ID.sls
echo " esclustername: {{ grains.host }}" >> $NODEPILLARPATH/$MINION_ID.sls
echo " lsheap: $NODE_LS_HEAP_SIZE" >> $NODEPILLARPATH/$MINION_ID.sls
echo " ls_pipeline_workers: $LSPIPELINEWORKERS" >> $NODEPILLARPATH/$MINION_ID.sls
echo " ls_pipeline_batch_size: $LSPIPELINEBATCH" >> $NODEPILLARPATH/$MINION_ID.sls
echo " ls_input_threads: $LSINPUTTHREADS" >> $NODEPILLARPATH/$MINION_ID.sls
echo " ls_batch_count: $LSINPUTBATCHCOUNT" >> $NODEPILLARPATH/$MINION_ID.sls
echo " es_shard_count: $SHARDCOUNT" >> $NODEPILLARPATH/$MINION_ID.sls
echo " node_type: $NODETYPE" >> $NODEPILLARPATH/$MINION_ID.sls
echo " es_port: $NODE_ES_PORT" >> $NODEPILLARPATH/$MINION_ID.sls
echo " log_size_limit: $LOG_SIZE_LIMIT" >> $NODEPILLARPATH/$MINION_ID.sls
echo " cur_close_days: $CURCLOSEDAYS" >> $NODEPILLARPATH/$MINION_ID.sls
echo "node:" >> $PILLARFILE
echo " mainip: $MAINIP" >> $PILLARFILE
echo " mainint: $MAININT" >> $PILLARFILE
echo " esheap: $NODE_ES_HEAP_SIZE" >> $PILLARFILE
echo " esclustername: {{ grains.host }}" >> $PILLARFILE
echo " lsheap: $NODE_LS_HEAP_SIZE" >> $PILLARFILE
echo " ls_pipeline_workers: $LSPIPELINEWORKERS" >> $PILLARFILE
echo " ls_pipeline_batch_size: $LSPIPELINEBATCH" >> $PILLARFILE
echo " ls_input_threads: $LSINPUTTHREADS" >> $PILLARFILE
echo " ls_batch_count: $LSINPUTBATCHCOUNT" >> $PILLARFILE
echo " es_shard_count: $SHARDCOUNT" >> $PILLARFILE
echo " node_type: $NODETYPE" >> $PILLARFILE
echo " es_port: $NODE_ES_PORT" >> $PILLARFILE
echo " log_size_limit: $LOG_SIZE_LIMIT" >> $PILLARFILE
echo " cur_close_days: $CURCLOSEDAYS" >> $PILLARFILE
echo "" >> $PILLARFILE
}
patch_pillar() {
case $INSTALLTYPE in
MASTERONLY | EVALMODE | HELIXSENSOR)
PATCHPILLARPATH=/opt/so/saltstack/pillar/masters
;;
SENSORONLY)
PATCHPILLARPATH=$SENSORPILLARPATH
;;
SEARCHNODE | PARSINGNODE | HOTNODE | WARMNODE)
PATCHPILLARPATH=$NODEPILLARPATH
;;
esac
echo "" >> $PATCHPILLARPATH/$MINION_ID.sls
echo "patch:" >> $PATCHPILLARPATH/$MINION_ID.sls
echo " os:" >> $PATCHPILLARPATH/$MINION_ID.sls
echo " schedule_name: $PATCHSCHEDULENAME" >> $PATCHPILLARPATH/$MINION_ID.sls
echo " enabled: True" >> $PATCHPILLARPATH/$MINION_ID.sls
echo " splay: 300" >> $PATCHPILLARPATH/$MINION_ID.sls
PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls
echo "" >> $PILLARFILE
echo "patch:" >> $PILLARFILE
echo " os:" >> $PILLARFILE
echo " schedule_name: $PATCHSCHEDULENAME" >> $PILLARFILE
echo " enabled: True" >> $PILLARFILE
echo " splay: 300" >> $PILLARFILE
echo "" >> $PILLARFILE
}
@@ -1105,51 +1097,44 @@ salt_install_mysql_deps() {
}
sensor_pillar() {
if [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
SENSORPILLARPATH=/opt/so/saltstack/pillar/sensors
mkdir -p $TMP
mkdir -p $SENSORPILLARPATH
else
SENSORPILLARPATH=$TMP/pillar/sensors
fi
if [ ! -d $SENSORPILLARPATH ]; then
mkdir -p $SENSORPILLARPATH
fi
PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls
# Create the sensor pillar
touch $SENSORPILLARPATH/$MINION_ID.sls
echo "sensor:" > $SENSORPILLARPATH/$MINION_ID.sls
echo " interface: bond0" >> $SENSORPILLARPATH/$MINION_ID.sls
echo " mainip: $MAINIP" >> $SENSORPILLARPATH/$MINION_ID.sls
echo " mainint: $MAININT" >> $SENSORPILLARPATH/$MINION_ID.sls
touch $PILLARFILE
echo "sensor:" >> $PILLARFILE
echo " interface: bond0" >> $PILLARFILE
echo " mainip: $MAINIP" >> $PILLARFILE
echo " mainint: $MAININT" >> $PILLARFILE
if [ $NSMSETUP == 'ADVANCED' ]; then
echo " bro_pins:" >> $SENSORPILLARPATH/$MINION_ID.sls
echo " bro_pins:" >> $PILLARFILE
for PIN in $BROPINS; do
PIN=$(echo $PIN | cut -d\" -f2)
echo " - $PIN" >> $SENSORPILLARPATH/$MINION_ID.sls
echo " - $PIN" >> $PILLARFILE
done
echo " suripins:" >> $SENSORPILLARPATH/$MINION_ID.sls
echo " suripins:" >> $PILLARFILE
for SPIN in $SURIPINS; do
SPIN=$(echo $SPIN | cut -d\" -f2)
echo " - $SPIN" >> $SENSORPILLARPATH/$MINION_ID.sls
echo " - $SPIN" >> $PILLARFILE
done
elif [ $INSTALLTYPE == 'HELIXSENSOR' ]; then
echo " bro_lbprocs: $LBPROCS" >> $SENSORPILLARPATH/$MINION_ID.sls
echo " suriprocs: $LBPROCS" >> $SENSORPILLARPATH/$MINION_ID.sls
echo " bro_lbprocs: $LBPROCS" >> $PILLARFILE
echo " suriprocs: $LBPROCS" >> $PILLARFILE
else
echo " bro_lbprocs: $BASICBRO" >> $SENSORPILLARPATH/$MINION_ID.sls
echo " suriprocs: $BASICSURI" >> $SENSORPILLARPATH/$MINION_ID.sls
echo " bro_lbprocs: $BASICBRO" >> $PILLARFILE
echo " suriprocs: $BASICSURI" >> $PILLARFILE
fi
echo " brobpf:" >> $SENSORPILLARPATH/$MINION_ID.sls
echo " pcapbpf:" >> $SENSORPILLARPATH/$MINION_ID.sls
echo " nidsbpf:" >> $SENSORPILLARPATH/$MINION_ID.sls
echo " master: $MSRV" >> $SENSORPILLARPATH/$MINION_ID.sls
echo " mtu: $MTU" >> $SENSORPILLARPATH/$MINION_ID.sls
echo " brobpf:" >> $PILLARFILE
echo " pcapbpf:" >> $PILLARFILE
echo " nidsbpf:" >> $PILLARFILE
echo " master: $MSRV" >> $PILLARFILE
echo " mtu: $MTU" >> $PILLARFILE
if [ $HNSENSOR != 'inherit' ]; then
echo " hnsensor: $HNSENSOR" >> $SENSORPILLARPATH/$MINION_ID.sls
echo " hnsensor: $HNSENSOR" >> $PILLARFILE
fi
echo " access_key: $ACCESS_KEY" >> $SENSORPILLARPATH/$MINION_ID.sls
echo " access_secret: $ACCESS_SECRET" >> $SENSORPILLARPATH/$MINION_ID.sls
echo " access_key: $ACCESS_KEY" >> $PILLARFILE
echo " access_secret: $ACCESS_SECRET" >> $PILLARFILE
echo "" >> $PILLARFILE
}

6
setup/whiptail.sh
View File

@@ -90,7 +90,7 @@ whiptail_cancel() {
whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 75
if [ -d "/root/installtmp" ]; then
echo "/root/installtmp exists" >> $SETUPLOG 2>&1
install_cleanup
install_cleanup >> $SETUPLOG 2>&1
echo "/root/installtmp removed" >> $SETUPLOG 2>&1
fi
exit
@@ -685,14 +685,14 @@ whiptail_set_hostname() {
whiptail_setup_complete() {
whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE. Press Enter to reboot." 8 75
install_cleanup
install_cleanup >> $SETUPLOG 2>&1
}
whiptail_setup_failed() {
whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see $SETUPLOG for details. Press Enter to reboot." 8 75
install_cleanup
install_cleanup >> $SETUPLOG 2>&1
}