Merge branch 'dev' of https://github.com/Security-Onion-Solutions/securityonion into dev

salt/pcap/init.sls

@@ -45,13 +45,6 @@ stenoconfdir:
     - group: 939
     - makedirs: True
 
-sensoroniconfdir:
-  file.directory:
-    - name: /opt/so/conf/sensoroni
-    - user: 939
-    - group: 939
-    - makedirs: True
-
 {% if BPF_STENO %}
    {% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_STENO|join(" "),cwd='/root') %}
    {% if BPF_CALC['stderr'] == "" %}
@@ -77,15 +70,6 @@ stenoconf:
     - defaults:
         BPF_COMPILED: "{{ BPF_COMPILED }}"
 
-sensoroniagentconf:
-  file.managed:
-    - name: /opt/so/conf/sensoroni/sensoroni.json
-    - source: salt://pcap/files/sensoroni.json
-    - user: 939
-    - group: 939
-    - mode: 600
-    - template: jinja
-
 stenoca:
   file.directory:
     - name: /opt/so/conf/steno/certs
@@ -127,13 +111,6 @@ stenolog:
     - group: 941
     - makedirs: True
 
-sensoronilog:
-  file.directory:
-    - name: /opt/so/log/sensoroni
-    - user: 939
-    - group: 939
-    - makedirs: True
-
 so-steno:
   docker_container.{{ STENOOPTIONS.status }}:
     - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-steno:{{ VERSION }}
@@ -170,25 +147,6 @@ so-steno_so-status.disabled:
     - regex: ^so-steno$
   {% endif %}
 
-so-sensoroni:
-  docker_container.running:
-    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }}
-    - network_mode: host
-    - binds:
-      - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
-      - /nsm/pcap:/nsm/pcap:rw
-      - /nsm/import:/nsm/import:rw
-      - /nsm/pcapout:/nsm/pcapout:rw
-      - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
-      - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
-    - watch:
-      - file: /opt/so/conf/sensoroni/sensoroni.json
-
-append_so-sensoroni_so-status.conf:
-  file.append:
-    - name: /opt/so/conf/so-status/so-status.conf
-    - text: so-sensoroni
-
 {% else %}
 
 pcap_state_not_allowed:

salt/sensoroni/files/sensoroni.json

@@ -1,6 +1,7 @@
-{%- set URLBASE = salt['pillar.get']('global:url_base') %}
-{%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') -%}
-{%- set CHECKININTERVALMS = salt['pillar.get']('pcap:sensor_checkin_interval_ms', 10000) -%}
+{% set URLBASE = salt['pillar.get']('global:url_base') -%}
+{% set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') -%}
+{% set CHECKININTERVALMS = salt['pillar.get']('sensoroni:sensor_checkin_interval_ms', 10000) -%}
+{% set STENOENABLED = salt['pillar.get']('steno:enabled', False) -%}
 {
   "logFilename": "/opt/sensoroni/logs/sensoroni.log",
   "logLevel":"info",
@@ -12,12 +13,16 @@
       "importer": {},
       "statickeyauth": {
         "apiKey": "{{ SENSORONIKEY }}"
-      },
+{%- if STENOENABLED %} 
+      },     
       "stenoquery": {
         "executablePath": "/opt/sensoroni/scripts/stenoquery.sh",
         "pcapInputPath": "/nsm/pcap",
         "pcapOutputPath": "/nsm/pcapout"
       }
+{%- else %}
+      }
+{%- endif %}
     }
   }
 }

salt/sensoroni/init.sls

@@ -0,0 +1,45 @@
+{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
+{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
+{% set MANAGER = salt['grains.get']('master') %}
+
+sensoroniconfdir:
+  file.directory:
+    - name: /opt/so/conf/sensoroni
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+sensoroniagentconf:
+  file.managed:
+    - name: /opt/so/conf/sensoroni/sensoroni.json
+    - source: salt://sensoroni/files/sensoroni.json
+    - user: 939
+    - group: 939
+    - mode: 600
+    - template: jinja
+
+sensoronilog:
+  file.directory:
+    - name: /opt/so/log/sensoroni
+    - user: 939
+    - group: 939
+    - makedirs: True
+
+so-sensoroni:
+  docker_container.running:
+    - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }}
+    - network_mode: host
+    - binds:
+      - /opt/so/conf/steno/certs:/etc/stenographer/certs:rw
+      - /nsm/pcap:/nsm/pcap:rw
+      - /nsm/import:/nsm/import:rw
+      - /nsm/pcapout:/nsm/pcapout:rw
+      - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
+      - /opt/so/log/sensoroni:/opt/sensoroni/logs:rw
+    - watch:
+      - file: /opt/so/conf/sensoroni/sensoroni.json
+
+append_so-sensoroni_so-status.conf:
+  file.append:
+    - name: /opt/so/conf/so-status/so-status.conf
+    - text: so-sensoroni

salt/thehive/etc/es/elasticsearch.yml

@@ -1,9 +1,11 @@
-cluster.name: "thehive"
+cluster.name: thehive
 network.host: 0.0.0.0
 discovery.zen.minimum_master_nodes: 1
 # This is a test -- if this is here, then the volume is mounted correctly.
 path.logs: /var/log/elasticsearch
 action.destructive_requires_name: true
+discovery.type: single-node
+script.allowed_types: inline
 transport.bind_host: 0.0.0.0
 transport.publish_host: 0.0.0.0
 transport.publish_port: 9500
@@ -11,6 +13,5 @@ http.host: 0.0.0.0
 http.port: 9400
 transport.tcp.port: 9500
 transport.host: 0.0.0.0
-thread_pool.index.queue_size: 100000
 thread_pool.search.queue_size: 100000
-thread_pool.bulk.queue_size: 100000
+thread_pool.write.queue_size: 100000

salt/thehive/init.sls

@@ -89,14 +89,6 @@ so-thehive-es:
       - /opt/so/conf/thehive/etc/es/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro
       - /opt/so/log/thehive:/var/log/elasticsearch:rw
     - environment:
-      - http.host=0.0.0.0
-      - http.port=9400
-      - transport.tcp.port=9500
-      - transport.host=0.0.0.0
-      - cluster.name=thehive
-      - thread_pool.index.queue_size=100000
-      - thread_pool.search.queue_size=100000
-      - thread_pool.bulk.queue_size=100000
       - ES_JAVA_OPTS=-Xms512m -Xmx512m
     - port_bindings:
       - 0.0.0.0:9400:9400
@@ -164,4 +156,4 @@ thehive_state_not_allowed:
   test.fail_without_changes:
     - name: thehive_state_not_allowed
 
-{% endif %}
+{% endif %}

salt/top.sls

@@ -44,6 +44,7 @@ base:
     - patch.os.schedule
     - motd
     - salt.minion-check
+    - sensoroni
     - salt.lasthighstate
   
   '*_helix and G@saltversion:{{saltversion}}':

salt/wazuh/files/agent/wazuh-register-agent

@@ -55,33 +55,58 @@ register_agent() {
   # Adding agent and getting Id from manager
   echo ""
   echo "Adding agent:"
-  echo "curl -s -u $USER:**** -k -X POST -d 'name=$AGENT_NAME&ip=$AGENT_IP' $PROTOCOL://$API_IP:$API_PORT/agents"
+  echo "Executing: curl -s -u $USER:**** -k -X POST -d 'name=$AGENT_NAME&ip=$AGENT_IP' $PROTOCOL://$API_IP:$API_PORT/agents"
   API_RESULT=$(curl -s -u $USER:"$PASSWORD" -k -X POST -d 'name='$AGENT_NAME'&ip='$AGENT_IP -L $PROTOCOL://$API_IP:$API_PORT/agents)
-  echo -e $API_RESULT | grep -q "\"error\":0" 2>&1
+  # Get agent id and key
+  AGENT_ID=$(echo "$API_RESULT" | jq -er ".data.id")
+  GOT_ID=$?
+  AGENT_KEY=$(echo "$API_RESULT" | jq -er ".data.key")
+  GOT_KEY=$?
 
-  if [ "$?" != "0" ]; then
-    echo -e $API_RESULT | sed -rn 's/.*"message":"(.+)".*/\1/p'
+  if [[ -z "$AGENT_ID" || -z "$AGENT_KEY" || $GOT_ID -ne 0 || $GOT_KEY -ne 0 ]]; then
+    echo "Failed Result: $API_RESULT"
+    return 1
   else
-    # Get agent id and agent key
-    AGENT_ID=$(echo $API_RESULT | cut -d':' -f 4 | cut -d ',' -f 1)
-    AGENT_KEY=$(echo $API_RESULT | cut -d':' -f 5 | cut -d '}' -f 1)
-
     echo "Agent '$AGENT_NAME' with ID '$AGENT_ID' added."
     echo "Key for agent '$AGENT_ID' received."
 
     # Importing key
     echo ""
     echo "Importing authentication key:"
-    echo "y" | /var/ossec/bin/manage_agents -i $AGENT_KEY
+    echo "y" | /var/ossec/bin/manage_agents -i '$AGENT_KEY'
 
     # Restarting agent
     echo ""
     echo "Restarting:"
     echo ""
     /var/ossec/bin/ossec-control restart
+    return 0
   fi
 }
 
+wait_for_manager() {
+  echo "Waiting for Wazuh manager to become ready..."
+
+  maxAttempts=$1
+  attempts=0
+  while [[ $attempts -lt $maxAttempts ]]; do
+    attempts=$((attempts+1))
+    AGENTS_OUTPUT=$(curl -s -u $USER:"$PASSWORD" -k -X GET -L $PROTOCOL://$API_IP:$API_PORT/agents)
+    MANAGER_STATUS=$(echo "$AGENTS_OUTPUT" | jq -r ".data.items[0].status")
+    if [ "$MANAGER_STATUS" == "Active" ]; then
+      echo "Wazuh manager is active, ready to proceed."
+      return 0
+    else
+      echo "Received non-Active status response: "
+      echo "$AGENTS_OUTPUT"
+      echo
+      echo "Manager is not ready after attempt $attempts of $maxAttempts, sleeping for 30 seconds."
+      sleep 30
+    fi
+  done
+  return 1
+}
+
 remove_agent() {
   echo "Found: $AGENT_ID"
   echo "Removing previous registration for '$AGENT_NAME' using ID: $AGENT_ID ..."
@@ -140,11 +165,18 @@ if [ -f /opt/so/conf/wazuh/initial_agent_registration.log ]; then
   echo "Agent $AGENT_ID already registered!"
   exit 0
 else
-  echo "Waiting before registering agent..."
-  sleep 30s
-  register_agent
-  cleanup_creds
-  echo "Initial agent $AGENT_ID with IP $AGENT_IP registered on $DATE." > /opt/so/conf/wazuh/initial_agent_registration.log
-  exit 0
+  retries=30
+  if wait_for_manager $retries; then
+    if register_agent; then
+      cleanup_creds
+      echo "Initial agent $AGENT_ID with IP $AGENT_IP registered on $DATE." > /opt/so/conf/wazuh/initial_agent_registration.log
+      exit 0
+    else
+      echo "ERROR: Failed to register agent"
+    fi
+  else
+    echo "ERROR: Wazuh manager did not become ready after $retries attempts; unable to proceed with registration"
+  fi
 fi
-#remove_agent
+
+exit 1

salt/wazuh/init.sls

@@ -71,7 +71,7 @@ wazuhagentconf:
 
 wazuhdir:
  file.directory:
-   - name: /nsm/wazuh
+   - name: /nsm/wazuh/etc
    - user: 945
    - group: 945
    - makedirs: True
@@ -115,6 +115,10 @@ append_so-wazuh_so-status.conf:
     - name: /opt/so/conf/so-status/so-status.conf
     - text: so-wazuh
 
+/opt/so/conf/wazuh:
+  file.symlink:
+    - target: /nsm/wazuh/etc
+
 # Register the agent
 registertheagent:
   cmd.run:
@@ -133,10 +137,6 @@ wazuhagentservice:
     - name: wazuh-agent
     - enable: True
 
-/opt/so/conf/wazuh:
-  file.symlink:
-    - target: /nsm/wazuh/etc
-
 hidsruledir:
  file.directory:
    - name: /opt/so/rules/hids

setup/so-functions

@@ -1166,7 +1166,7 @@ manager_global() {
                 "  managerupdate: $MANAGERUPDATES"\
 		"  imagerepo: '$IMAGEREPO'"\
 		"  pipeline: 'redis'"\
-		"pcap:"\
+		"sensoroni:"\
 		"  sensor_checkin_interval_ms: $SENSOR_CHECKIN_INTERVAL_MS"\
 		"strelka:"\
 		"  enabled: $STRELKA"\
@@ -1968,6 +1968,17 @@ set_updates() {
 	fi
 }
 
+steno_pillar() {
+
+	local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls
+
+	# Create the stenographer pillar
+	printf '%s\n'\
+		"steno:"\
+		"  enabled: True" >> "$pillar_file"
+
+}
+
 mark_version() {
 	# Drop a file with the current version
 	echo "$SOVERSION" > /etc/soversion

setup/so-setup

@@ -511,6 +511,9 @@ fi
 	if [[ $is_sensor || $is_helix || $is_import ]]; then
 		set_progress_str 4 'Generating sensor pillar'
 		sensor_pillar >> $setup_log 2>&1
+		if [[ $is_sensor || $is_helix ]]; then
+			steno_pillar >> $setup_log
+		fi
 	fi
 
 	set_progress_str 5 'Installing Salt and dependencies'