Merge remote-tracking branch 'origin/2.4/dev' into orchit

salt/allowed_states.map.jinja

@@ -65,6 +65,7 @@
           'registry',
           'manager',
           'nginx',
+          'strelka.manager',
           'soc',
           'kratos',
           'influxdb',
@@ -91,6 +92,7 @@
           'nginx',
           'telegraf',
           'influxdb',
+          'strelka.manager',
           'soc',
           'kratos',
           'elasticfleet',
@@ -111,6 +113,7 @@
           'nginx',
           'telegraf',
           'influxdb',
+          'strelka.manager',
           'soc',
           'kratos',
           'elastic-fleet-package-registry',

salt/soc/merged.map.jinja

@@ -37,6 +37,17 @@
 {%   do SOCMERGED.config.server.modules.elastalertengine.update({'autoEnabledSigmaRules': SOCMERGED.config.server.modules.elastalertengine.autoEnabledSigmaRules.default}) %}
 {% endif %}
 
+{# set elastalertengine.rulesRepos and strelkaengine.rulesRepos based on airgap or not #}
+{% if GLOBALS.airgap %}
+{%   do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.airgap}) %}
+{%   do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.airgap}) %}
+{%   do SOCMERGED.config.server.update({'airgapEnabled': true}) %}
+{% else %}
+{%   do SOCMERGED.config.server.modules.elastalertengine.update({'rulesRepos': SOCMERGED.config.server.modules.elastalertengine.rulesRepos.default}) %}
+{%   do SOCMERGED.config.server.modules.strelkaengine.update({'rulesRepos': SOCMERGED.config.server.modules.strelkaengine.rulesRepos.default}) %}
+{%   do SOCMERGED.config.server.update({'airgapEnabled': false}) %}
+{% endif %}
+
 {# remove these modules if detections is disabled #}
 {% if not SOCMERGED.config.server.client.detectionsEnabled %}
 {%   do SOCMERGED.config.server.modules.pop('elastalertengine') %}

salt/soc/soc_soc.yaml

@@ -107,21 +107,18 @@ soc:
             advanced: True
             helpLink: sigma.html
           rulesRepos:
-            description: 'Custom Git repos to pull Sigma rules from. License field is required, folder is optional.'
+            default: &eerulesRepos
+              description: "Custom Git repos to pull Sigma rules from. 'license' field is required, 'folder' is optional. 'community' disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled."
               global: True
               advanced: True
               forcedType: "[]{}"
               helpLink: sigma.html
+            airgap: *eerulesRepos
           sigmaRulePackages:
             description: 'Defines the Sigma Community Ruleset you want to run. One of these (core | core+ | core++ | all ) as well as an optional Add-on (emerging_threats_addon). Once you have changed the ruleset here, you will need to wait for the rule update to take place (every 8 hours), or you can force the update by nagivating to Detections -->  Options dropdown menu --> Elastalert --> Full Update. WARNING! Changing the ruleset will remove all existing Sigma rules of the previous ruleset and their associated overrides. This removal cannot be undone.'
             global: True
             advanced: False
             helpLink: sigma.html
-          autoUpdateEnabled:
-            description: 'Set to true to enable automatic Internet-connected updates of the Sigma Community Ruleset. If this is an Airgap system, this setting will be overridden and set to false.'
-            global: True
-            advanced: True
-            helpLink: sigma.html
         elastic:
           index:
             description: Comma-separated list of indices or index patterns (wildcard "*" supported) that SOC will search for records.
@@ -185,45 +182,39 @@ soc:
             advanced: True
         strelkaengine:
           allowRegex:
-            description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.'
+            description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
             global: True
             advanced: True
             helpLink: yara.html
-          autoEnabledYaraRules:
-            description: 'Yara rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
+          autoEnabledYARARules:
+            description: 'YARA rules to automatically enable on initial import. Format is $Ruleset - for example, for the default shipped ruleset: securityonion-yara'
             global: True
             advanced: True
             helpLink: sigma.html
-          autoUpdateEnabled:
-            description: 'Set to true to enable automatic Internet-connected updates of the Yara rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
-            global: True
-            advanced: True
           denyRegex:
-            description: 'Regex used to filter imported Yara rules. Deny regex takes precedence over the Allow regex setting.'
+            description: 'Regex used to filter imported YARA rules. Deny regex takes precedence over the Allow regex setting.'
             global: True
             advanced: True
             helpLink: yara.html
           communityRulesImportFrequencySeconds:
-            description: 'How often to check for new Yara rules (in seconds). This applies to both Community Rules and any configured Git repos.'
+            description: 'How often to check for new YARA rules (in seconds). This applies to both Community Rules and any configured Git repos.'
             global: True
             advanced: True
             helpLink: yara.html
           rulesRepos:
-            description: 'Custom Git repos to pull Yara rules from. License field is required'
+            default: &serulesRepos
+              description: "Custom Git repos to pull YARA rules from. 'license' field is required, 'folder' is optional. 'community' disables some management options for the imported rules - they can't be deleted or edited, just tuned, duplicated and Enabled | Disabled."
               global: True
               advanced: True
               forcedType: "[]{}"
               helpLink: yara.html
+            airgap: *serulesRepos
         suricataengine:
           allowRegex:
             description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
             global: True
             advanced: True
             helpLink: suricata.html
-          autoUpdateEnabled:
-            description: 'Set to true to enable automatic Internet-connected updates of the Suricata rulesets. If this is an Airgap system, this setting will be overridden and set to false.'
-            global: True
-            advanced: True
           denyRegex:
             description: 'Regex used to filter imported Suricata rules. Deny regex takes precedence over the Allow regex setting.'
             global: True

salt/strelka/backend/enabled.sls

@@ -42,8 +42,6 @@ strelka_backend:
       {% endfor %}
     {% endif %}
     - restart_policy: on-failure
-    #- watch:
-      #- file: strelkarules
 
 delete_so-strelka-backend_so-status.disabled:
   file.uncomment:

salt/strelka/compile_yara/compile_yara.py

@@ -20,7 +20,7 @@ def check_syntax(rule_file):
 
 def compile_yara_rules(rules_dir):
     compiled_dir = os.path.join(rules_dir, "compiled")
-    compiled_rules_path = os.path.join(compiled_dir, "rules.compiled")
+    compiled_rules_path = [ os.path.join(compiled_dir, "rules.compiled"), "/opt/so/saltstack/default/salt/strelka/rules/compiled/rules.compiled" ]
     rule_files = glob.glob(os.path.join(rules_dir, '**/*.yar'), recursive=True)
     files_to_compile = {}
     removed_count = 0
@@ -57,8 +57,9 @@ def compile_yara_rules(rules_dir):
     # Compile all remaining valid rules into a single file
     if files_to_compile:
         compiled_rules = yara.compile(filepaths=files_to_compile)
-        compiled_rules.save(compiled_rules_path)
-        print(f"All remaining rules compiled and saved into {compiled_rules_path}")
+        for path in compiled_rules_path:
+          compiled_rules.save(path)
+          print(f"All remaining rules compiled and saved into {path}")
 
     # Print summary of compilation results
     print(f"Summary: {success_count} rules compiled successfully, {removed_count} rules removed due to errors.")

salt/strelka/config.sls

@@ -29,6 +29,15 @@ strelkarulesdir:
     - group: 939
     - makedirs: True
 
+{%- if grains.role in ['so-sensor', 'so-heavynode'] %}
+strelkasensorrules:
+  file.managed:
+    - name: /opt/so/conf/strelka/rules/compiled/rules.compiled
+    - source: salt://strelka/rules/compiled/rules.compiled
+    - user: 939
+    - group: 939
+{%- endif %}
+
 strelkareposdir:
   file.directory:
     - name: /opt/so/conf/strelka/repos

salt/strelka/manager.sls

@@ -0,0 +1,45 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls in allowed_states %}
+
+# Strelka config
+strelkaconfdir:
+  file.directory:
+    - name: /opt/so/conf/strelka/rules/compiled/
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+strelkacompileyara:
+  file.managed:
+    - name: /opt/so/conf/strelka/compile_yara.py
+    - source: salt://strelka/compile_yara/compile_yara.py
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+strelkarulesdir:
+  file.directory:
+    - name: /opt/so/conf/strelka/rules
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+strelkareposdir:
+  file.directory:
+    - name: /opt/so/conf/strelka/repos
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}

salt/top.sls

@@ -87,6 +87,7 @@ base:
     - registry
     - nginx
     - influxdb
+    - strelka.manager
     - soc
     - kratos
     - firewall
@@ -161,6 +162,7 @@ base:
     - registry
     - nginx
     - influxdb
+    - strelka.manager
     - soc
     - kratos
     - firewall
@@ -210,6 +212,7 @@ base:
     - manager
     - nginx
     - influxdb
+    - strelka.manager
     - soc
     - kratos
     - sensoroni

setup/so-verify

@@ -67,6 +67,7 @@ log_has_errors() {
         grep -vE "Reading first line of patchfile" | \
         grep -vE "Command failed with exit code" | \
         grep -vE "Running scope as unit" | \
+        grep -vE "securityonion-resources/sigma/stable" | \
         grep -vE "log-.*-pipeline_failed_attempts" &> "$error_log"
     
     if [[ $? -eq 0 ]]; then

setup/so-whiptail

@@ -14,7 +14,7 @@ whiptail_airgap() {
 	[[ $is_manager || $is_import ]] && node_str='manager'
 
 	INTERWEBS=$(whiptail --title "$whiptail_title" --menu \
-	"How should this $node_str be installed?" 10 70 2 \
+	"How should this $node_str be installed?\n\nFor more information, please see:\n$DOC_BASE_URL/airgap.html" 13 70 2 \
 	"Standard    " "This $node_str has access to the Internet"  \
 	"Airgap      " "This $node_str does not have access to the Internet" 3>&1 1>&2 2>&3 )
 
@@ -592,8 +592,8 @@ whiptail_install_type() {
 			"IMPORT" "Import PCAP or log files " \
 			"EVAL" "Evaluation mode (not for production) " \
 			"STANDALONE" "Standalone production install " \
-			"DISTRIBUTED" "Distributed install submenu " \
-			"DESKTOP" "Install Security Onion Desktop" \
+			"DISTRIBUTED" "Distributed deployment " \
+			"DESKTOP" "Security Onion Desktop" \
 			3>&1 1>&2 2>&3
 		)
 	elif [[ "$OSVER" == "focal" ]]; then