From a36a6d565921c3489a2de61ba4abf13f29ccf3d1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 15 Mar 2023 10:40:16 -0400 Subject: [PATCH 01/35] Strelka UI components --- salt/strelka/soc_strelka.yaml | 576 ++++++++++++++++++++++++++++++++++ 1 file changed, 576 insertions(+) create mode 100644 salt/strelka/soc_strelka.yaml diff --git a/salt/strelka/soc_strelka.yaml b/salt/strelka/soc_strelka.yaml new file mode 100644 index 000000000..bd730579d --- /dev/null +++ b/salt/strelka/soc_strelka.yaml 
@@ -0,0 +1,576 @@ +strelka: + config: + backend: + backend: + logging_cfg: + description: Location in the container where the config file is located. + readonly: True + global: False + helpLink: strelka.html + advanced: True + limits: + max_files: + description: Max Files. + readonly: False + global: False + helpLink: strelka.html + time_to_live: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + max_depth: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + distribution: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + scanner: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + coordinator: + addr: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + advanced: True + db: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + advanced: True + tasting: + mime_db: '/usr/lib/file/magic.mgc' + description: Location in the container where the config file is located. + readonly: True + global: False + helpLink: strelka.html + advanced: True + yara_rules: '/etc/strelka/taste/' + description: Location in the container where the config file is located. + readonly: True + global: False + helpLink: strelka.html + advanced: True + scanners: + 'ScanBase64': + - positive: + filename: '^base64_' + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + advanced: True + priority: + description: Location in the container where the config file is located. 
+ readonly: False + global: False + helpLink: strelka.html + + 'ScanBatch': + - positive: + flavors: + - 'text/x-msdos-batch' + - 'batch_file' + priority: 5 + 'ScanBzip2': + - positive: + flavors: + - 'application/x-bzip2' + - 'bzip2_file' + priority: 5 + 'ScanDocx': + - positive: + flavors: + - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' + priority: 5 + options: + extract_text: False + 'ScanElf': + - positive: + flavors: + - 'application/x-object' + - 'application/x-executable' + - 'application/x-sharedlib' + - 'application/x-coredump' + - 'elf_file' + priority: 5 + 'ScanEmail': + - positive: + flavors: + - 'application/vnd.ms-outlook' + - 'message/rfc822' + - 'email_file' + priority: 5 + 'ScanEntropy': + - positive: + flavors: + - '*' + priority: 5 + 'ScanExiftool': + - positive: + flavors: + description: Location in the container where the config file is located. + readonly: False + global: False + helpLink: strelka.html + advacned: True + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanGif': + - positive: + flavors: + - 'image/gif' + - 'gif_file' + priority: 5 + 'ScanGzip': + - positive: + flavors: + - 'application/gzip' + - 'application/x-gzip' + - 'gzip_file' + priority: 5 + 'ScanHash': + - positive: + flavors: + - '*' + priority: 5 + 'ScanHeader': + - positive: + flavors: + - '*' + priority: 5 + options: + length: 50 + 'ScanHtml': + - positive: + flavors: + - 'hta_file' + - 'text/html' + - 'html_file' + priority: 5 + options: + parser: "html5lib" + 'ScanIni': + - positive: + filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$' + flavors: + - 'ini_file' + priority: 5 + 'ScanJarManifest': + - positive: + flavors: + - 'jar_manifest_file' + priority: 5 + 'ScanJavascript': + - negative: + flavors: + - 'text/html' + - 'html_file' + positive: + flavors: + - 'javascript_file' + - 'text/javascript' + priority: 5 + options: + beautify: True + 'ScanJpeg': + - positive: + flavors: + - 'image/jpeg' + - 'jpeg_file' + priority: 5 + 
'ScanJson': + - positive: + flavors: + - 'application/json' + - 'json_file' + priority: 5 + 'ScanLibarchive': + - positive: + flavors: + - 'application/vnd.ms-cab-compressed' + - 'cab_file' + - 'application/x-7z-compressed' + - '_7zip_file' + - 'application/x-cpio' + - 'cpio_file' + - 'application/x-xar' + - 'xar_file' + - 'arj_file' + - 'iso_file' + - 'application/x-debian-package' + - 'debian_package_file' + priority: 5 + options: + limit: 1000 + 'ScanLzma': + - positive: + flavors: + - 'application/x-lzma' + - 'lzma_file' + - 'application/x-xz' + - 'xz_file' + priority: 5 + 'ScanMacho': + - positive: + flavors: + - 'application/x-mach-binary' + - 'macho_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanOcr': + - positive: + flavors: + - 'image/jpeg' + - 'jpeg_file' + - 'image/png' + - 'png_file' + - 'image/tiff' + - 'type_is_tiff' + - 'image/x-ms-bmp' + - 'bmp_file' + priority: 5 + options: + extract_text: False + tmp_directory: '/dev/shm/' + 'ScanOle': + - positive: + flavors: + - 'application/CDFV2' + - 'application/msword' + - 'olecf_file' + priority: 5 + 'ScanPdf': + - positive: + flavors: + - 'application/pdf' + - 'pdf_file' + priority: 5 + options: + extract_text: False + limit: 2000 + 'ScanPe': + - positive: + flavors: + - 'application/x-dosexec' + - 'mz_file' + priority: 5 + 'ScanPgp': + - positive: + flavors: + - 'application/pgp-keys' + - 'pgp_file' + priority: 5 + 'ScanPhp': + - positive: + flavors: + - 'text/x-php' + - 'php_file' + priority: 5 + 'ScanPkcs7': + - positive: + flavors: + - 'pkcs7_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanPlist': + - positive: + flavors: + - 'bplist_file' + - 'plist_file' + priority: 5 + options: + keys: + - 'KeepAlive' + - 'Label' + - 'NetworkState' + - 'Program' + - 'ProgramArguments' + - 'RunAtLoad' + - 'StartInterval' + 'ScanRar': + - positive: + flavors: + - 'application/x-rar' + - 'rar_file' + priority: 5 + options: + limit: 1000 + 'ScanRpm': + - positive: + flavors: + - 
'application/x-rpm' + - 'rpm_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanRtf': + - positive: + flavors: + - 'text/rtf' + - 'rtf_file' + priority: 5 + options: + limit: 1000 + 'ScanRuby': + - positive: + flavors: + - 'text/x-ruby' + priority: 5 + 'ScanSwf': + - positive: + flavors: + - 'application/x-shockwave-flash' + - 'fws_file' + - 'cws_file' + - 'zws_file' + priority: 5 + 'ScanTar': + - positive: + flavors: + - 'application/x-tar' + - 'tar_file' + priority: 5 + options: + limit: 1000 + 'ScanTnef': + - positive: + flavors: + - 'application/vnd.ms-tnef' + - 'tnef_file' + priority: 5 + 'ScanUpx': + - positive: + flavors: + - 'upx_file' + priority: 5 + options: + tmp_directory: '/dev/shm/' + 'ScanUrl': + - negative: + flavors: + - 'javascript_file' + positive: + flavors: + - 'text/plain' + priority: 5 + 'ScanVb': + - positive: + flavors: + - 'vb_file' + - 'vbscript' + priority: 5 + 'ScanVba': + - positive: + flavors: + - 'mhtml_file' + - 'application/msword' + - 'olecf_file' + - 'wordml_file' + priority: 5 + options: + analyze_macros: True + 'ScanX509': + - positive: + flavors: + - 'x509_der_file' + priority: 5 + options: + type: 'der' + - positive: + flavors: + - 'x509_pem_file' + priority: 5 + options: + type: 'pem' + 'ScanXml': + - positive: + flavors: + - 'application/xml' + - 'text/xml' + - 'xml_file' + - 'mso_file' + - 'soap_file' + priority: 5 + 'ScanYara': + - positive: + flavors: + - '*' + priority: 5 + options: + location: '/etc/yara/' + 'ScanZip': + - positive: + flavors: + - 'application/java-archive' + - 'application/zip' + - 'zip_file' + - 'application/vnd.openxmlformats-officedocument' + - 'application/vnd.openxmlformats-officedocument.presentationml.presentation' + - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' + - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' + - 'ooxml_file' + priority: 5 + options: + limit: 1000 + password_file: '/etc/strelka/passwords.dat' + 'ScanZlib': + 
- positive: + flavors: + - 'application/zlib' + - 'zlib_file' + priority: 5 + logging: + version: 1 + formatters: + simple: + format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s' + datefmt: '%Y-%m-%d %H:%M:%S' + handlers: + console: + class: logging.StreamHandler + formatter: simple + stream: ext://sys.stdout + root: + level: DEBUG + handlers: [console] + loggers: + OpenSSL: + propagate: 0 + bs4: + propagate: 0 + bz2: + propagate: 0 + chardet: + propagate: 0 + docx: + propagate: 0 + elftools: + propagate: 0 + email: + propagate: 0 + entropy: + propagate: 0 + esprima: + propagate: 0 + gzip: + propagate: 0 + hashlib: + propagate: 0 + json: + propagate: 0 + libarchive: + propagate: 0 + lxml: + propagate: 0 + lzma: + propagate: 0 + macholibre: + propagate: 0 + olefile: + propagate: 0 + oletools: + propagate: 0 + pdfminer: + propagate: 0 + pefile: + propagate: 0 + pgpdump: + propagate: 0 + pygments: + propagate: 0 + pylzma: + propagate: 0 + rarfile: + propagate: 0 + requests: + propagate: 0 + rpmfile: + propagate: 0 + ssdeep: + propagate: 0 + tarfile: + propagate: 0 + tnefparse: + propagate: 0 + yara: + propagate: 0 + zipfile: + propagate: 0 + zlib: + propagate: 0 + passwords: + - infected + - password + filestream: + conn: + server: 'HOST:57314' + cert: '' + timeout: + dial: 5s + file: 1m + throughput: + concurrency: 8 + chunk: 32768 + delay: 0s + files: + patterns: + - '/nsm/strelka/unprocessed/*' + delete: false + gatekeeper: true + processed: '/nsm/strelka/processed' + response: + report: 5s + delta: 5s + staging: '/nsm/strelka/staging' + frontend: + server: ":57314" + coordinator: + addr: 'HOST:6380' + db: 0 + gatekeeper: + addr: 'HOST:6381' + db: 0 + ttl: 1h + response: + log: "/var/log/strelka/strelka.log" + manager: + coordinator: + addr: 'HOST:6380' + db: 0 + + rules: + enabled: True + repos: + - https://github.com/Neo23x0/signature-base + excluded: + - apt_flame2_orchestrator.yar + - apt_tetris.yar + - 
gen_susp_js_obfuscatorio.yar + - gen_webshells.yar + - generic_anomalies.yar + - general_cloaking.yar + - thor_inverse_matches.yar + - yara_mixed_ext_vars.yar + - apt_apt27_hyperbro.yar + - apt_turla_gazer.yar + - gen_google_anomaly.yar + - gen_icon_anomalies.yar + - gen_nvidia_leaked_cert.yar + - gen_sign_anomalies.yar + - gen_susp_xor.yar + - gen_webshells_ext_vars.yar + - configured_vulns_ext_vars.yar + From 0d30c14561874e2cead1aced9eb24684576d42bf Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 15 Mar 2023 16:33:33 -0400 Subject: [PATCH 02/35] Re-Work IDSTOOLS --- salt/idh/init.sls | 2 ++ salt/idstools/defaults.yaml | 5 +++++ salt/idstools/etc/rulecat.conf | 39 ++++++++++++++++------------------ 3 files changed, 25 insertions(+), 21 deletions(-) create mode 100644 salt/idstools/defaults.yaml diff --git a/salt/idh/init.sls b/salt/idh/init.sls index 2cf22c358..d1ba5ce33 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls @@ -74,6 +74,8 @@ so-idh: - file: opencanary_config - require: - file: opencanary_config + - extra_hosts: + - {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }} append_so-idh_so-status.conf: file.append: diff --git a/salt/idstools/defaults.yaml b/salt/idstools/defaults.yaml new file mode 100644 index 000000000..f9f4da55c --- /dev/null +++ b/salt/idstools/defaults.yaml @@ -0,0 +1,5 @@ +idstools: + config: + urls: [] + ruleset: ETOPEN + oinkcode: \ No newline at end of file diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf index 2b1a8cae1..771b87ff8 100644 --- a/salt/idstools/etc/rulecat.conf +++ b/salt/idstools/etc/rulecat.conf 
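Review bot: Eleven of the `description` strings in this new UI schema — `time_to_live`, `max_depth`, `distribution`, `scanner`, `coordinator.addr`, `coordinator.db`, `tasting.mime_db`, `tasting.yara_rules`, `ScanBase64`'s `filename` and `priority`, and `ScanExiftool`'s `flavors` — are the copy-pasted `Location in the container where the config file is located.`, which only fits `logging_cfg`, and these strings are what the SOC UI shows operators for each setting. Each needs a description of the value it actually annotates, and `ScanExiftool` spells its flag `advacned: True`, so that scanner will not be treated as advanced. `rules.repos` pulls `https://github.com/Neo23x0/signature-base` with no pinned commit or checksum, so the YARA rules loaded into the scanner are whatever that repository's default branch holds at fetch time; pinning a ref, or at least a comment stating that the repo is trusted as fetched, makes the trust decision explicit (the fetch itself is outside this hunk). `filestream.conn.cert: ''` leaves the frontend connection without a certificate and `logging.root.level: DEBUG` ships debug logging as the default; both look like placeholders and deserve a comment if they are intentional.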
@@ -1,17 +1,14 @@
-{%- set URLS = salt['pillar.get']('idstools:config:urls') -%}
-{%- set RULESET = salt['pillar.get']('idstools:config:ruleset') -%}
-{%- set OINKCODE = salt['pillar.get']('idstools:config:oinkcode', '' ) -%}
-{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') -%}
-{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') -%}
-{%- set ENGINE = salt['pillar.get']('global:mdengine', '') %}
-{%- if ISAIRGAP is sameas true -%}
+{%- from 'vars/globals.map.jinja' import GLOBALS %}
+{%- import_yaml 'idstools/defaults.yaml' as IDSTOOLSDEFAULTS %}
+{%- set IDSTOOLSMERGED = salt['pillar.get']('idstools:config', IDSTOOLSDEFAULTS.config, merge=True) %}
+{%- if GLOBALS.airgap is sameas true -%}
 --merged=/opt/so/rules/nids/all.rules
 --local=/opt/so/rules/nids/local.rules
-{%- if ENGINE == "SURICATA" %}
+{%- if GLOBAL.md_engine == "SURICATA" %}
 --local=/opt/so/rules/nids/sorules/extraction.rules
 --local=/opt/so/rules/nids/sorules/filters.rules
-{%- endif %}
---url=http://{{ MANAGERIP }}:7788/rules/emerging-all.rules
+{%- endif %}
+--url=http://{{ GLOBALS.manager }}:7788/rules/emerging-all.rules
 --disable=/opt/so/idstools/etc/disable.conf
 --enable=/opt/so/idstools/etc/enable.conf
 --modify=/opt/so/idstools/etc/modify.conf
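Review bot: The airgap branch tests `GLOBAL.md_engine` while the import on line 1 and the non-airgap hunk below use `GLOBALS`, so this is a typo; depending on the renderer's undefined handling it either fails the render or silently evaluates false and drops `extraction.rules`/`filters.rules` from the airgap rule set, and none of the later patches in this series touch that line. Change it to `{%- if GLOBALS.md_engine == "SURICATA" %}`. Separately, the airgap rule download is now addressed by `GLOBALS.manager` instead of an IP over the unchanged plain `http://…:7788` transport, so it now depends on the manager name resolving on the node; a one-line comment above the `--url` line should say so.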
@@ -19,23 +16,23 @@ --suricata-version=6.0 --merged=/opt/so/rules/nids/all.rules --local=/opt/so/rules/nids/local.rules -{%- if ENGINE == "SURICATA" %} +{%- if GLOBALS.md_engine == "SURICATA" %} --local=/opt/so/rules/nids/sorules/extraction.rules --local=/opt/so/rules/nids/sorules/filters.rules -{%- endif %} +{%- endif %} --disable=/opt/so/idstools/etc/disable.conf --enable=/opt/so/idstools/etc/enable.conf --modify=/opt/so/idstools/etc/modify.conf - {%- if RULESET == 'ETOPEN' %} +{%- if IDSTOOLSMERGED.ruleset == 'ETOPEN' %} --etopen - {%- elif RULESET == 'ETPRO' %} ---etpro={{ OINKCODE }} - {%- elif RULESET == 'TALOS' %} ---url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }} - {%- endif %} +{%- elif IDSTOOLSMERGED.ruleset == 'ETPRO' %} +--etpro={{ IDSTOOLSMERGED.oinkcode }} +{%- elif IDSTOOLSMERGED.ruleset == 'TALOS' %} +--url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.oinkcode }} +{%- endif %} {%- endif %} -{%- if URLS != None %} -{%- for URL in URLS %} +{%- if IDSTOOLSMERGED.urls | length > 0 %} +{%- for URL in IDSTOOLSMERGED.urls %} --url={{ URL }} -{%- endfor %} +{%- endfor %} {%- endif %} \ No newline at end of file From b56baf900cf3ba547a045dad5271a9f04d17651b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 15 Mar 2023 16:44:53 -0400 Subject: [PATCH 03/35] Re-Work IDSTOOLS --- pillar/top.sls | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pillar/top.sls b/pillar/top.sls index 60cface84..0c4c11957 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -51,6 +51,8 @@ base: - adv_global - manager.soc_manager - manager.adv_manager + - idstools.soc_idstools + - idstools.adv_idstools - soc.soc_soc - soc.adv_soc - kratos.soc_kratos @@ -90,6 +92,9 @@ base: - elasticsearch.soc_elasticsearch - elasticsearch.adv_elasticsearch - manager.soc_manager + - manager.adv_manager + - idstools.soc_idstools + - idstools.adv_idstools - soc.soc_soc - kratos.soc_kratos - kratos.adv_kratos 
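Review bot: `{%- if IDSTOOLSMERGED.urls | length > 0 %}` replaces the old `URLS != None` guard, but if a pillar declares `urls:` with no value and the merge carries that null through, `None | length` raises during rendering instead of skipping the block; `{%- if IDSTOOLSMERGED.urls %}` covers both the empty-list and the null case. Patch 04's rewrite to `IDSTOOLSMERGED.config.urls` carries the same construct and needs the same change. Each pillar URL is also interpolated verbatim into an `--url=` line of `rulecat.conf`, so a value containing whitespace or a newline changes how the options are parsed; that predates this commit, but since the value comes straight from pillar it deserves a comment noting the file is rewritten from operator input without quoting.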
@@ -120,6 +125,8 @@ base:
 - secrets
 - healthcheck.standalone
 - soc_global
+ - idstools.soc_idstools
+ - idstools.adv_idstools
 - kratos.soc_kratos
 - kratos.adv_kratos
 - redis.soc_redis
@@ -129,6 +136,7 @@ base:
 - elasticsearch.soc_elasticsearch
 - elasticsearch.adv_elasticsearch
 - manager.soc_manager
+ - manager.adv_manager
 - soc.soc_soc
 - backup.soc_backup
 - backup.adv_backup
@@ -195,6 +203,7 @@ base:
 - elasticsearch.soc_elasticsearch
 - elasticsearch.adv_elasticsearch
 - manager.soc_manager
+ - manager.adv_manager
 - soc.soc_soc
 - soc_global
 - adv_global
From 02d013c0cc41bd37ee2d8ee4f1319910072a99c3 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 15 Mar 2023 16:47:43 -0400
Subject: [PATCH 04/35] Re-Work IDSTOOLS
---
 salt/idstools/etc/rulecat.conf | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf
index 771b87ff8..8a6840267 100644
--- a/salt/idstools/etc/rulecat.conf
+++ b/salt/idstools/etc/rulecat.conf
@@ -1,6 +1,6 @@
 {%- from 'vars/globals.map.jinja' import GLOBALS %}
 {%- import_yaml 'idstools/defaults.yaml' as IDSTOOLSDEFAULTS %}
-{%- set IDSTOOLSMERGED = salt['pillar.get']('idstools:config', IDSTOOLSDEFAULTS.config, merge=True) %}
+{%- set IDSTOOLSMERGED = salt['pillar.get']('idstools', IDSTOOLSDEFAULTS, merge=True) %}
 {%- if GLOBALS.airgap is sameas true -%}
 --merged=/opt/so/rules/nids/all.rules
 --local=/opt/so/rules/nids/local.rules
@@ -23,16 +23,16 @@
 --disable=/opt/so/idstools/etc/disable.conf
 --enable=/opt/so/idstools/etc/enable.conf
 --modify=/opt/so/idstools/etc/modify.conf
-{%- if IDSTOOLSMERGED.ruleset == 'ETOPEN' %}
+{%- if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %}
 --etopen
-{%- elif IDSTOOLSMERGED.ruleset == 'ETPRO' %}
---etpro={{ IDSTOOLSMERGED.oinkcode }}
-{%- elif IDSTOOLSMERGED.ruleset == 'TALOS' %}
---url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.oinkcode }}
+{%- elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %}
+--etpro={{ IDSTOOLSMERGED.config.oinkcode }}
+{%- elif IDSTOOLSMERGED.config.ruleset == 'TALOS' %}
+--url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.config.oinkcode }}
 {%- endif %}
 {%- endif %}
-{%- if IDSTOOLSMERGED.urls | length > 0 %}
-{%- for URL in IDSTOOLSMERGED.urls %}
+{%- if IDSTOOLSMERGED.config.urls | length > 0 %}
+{%- for URL in IDSTOOLSMERGED.config.urls %}
 --url={{ URL }}
 {%- endfor %}
 {%- endif %}
\ No newline at end of file
From 28dc4907755c48d171362e6352e930f9d60abef5 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 15 Mar 2023 16:58:52 -0400
Subject: [PATCH 05/35] Re-Work IDSTOOLS
---
 salt/idstools/defaults.yaml | 2 +-
 setup/so-functions | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/salt/idstools/defaults.yaml b/salt/idstools/defaults.yaml
index f9f4da55c..2d81c80e5 100644
--- a/salt/idstools/defaults.yaml
+++ b/salt/idstools/defaults.yaml
@@ -2,4 +2,4 @@ idstools:
 config:
 urls: []
 ruleset: ETOPEN
- oinkcode:
\ No newline at end of file
+ oinkcode: ""
\ No newline at end of file
diff --git a/setup/so-functions b/setup/so-functions
index 78033bda5..e11542639 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1362,8 +1362,7 @@ idstools_pillar() {
 printf '%s\n'\
 "idstools:"\
 " config:"\
- " ruleset: '$RULESETUP'"\
- " oinkcode: '$OINKCODE'"\
+ " oinkcode: ''"\
 " urls: []"\
 " sids:"\
 " enabled: []"\
From afcd1155bf4996f0b9e730d77d46bdb297ab4e24 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 15 Mar 2023 17:19:33 -0400 Subject: [PATCH 06/35] Re-Work IDSTOOLS --- salt/idstools/defaults.yaml | 6 +++++- salt/idstools/etc/rulecat.conf | 2 +- setup/so-functions | 11 ----------- 3 files changed, 6 insertions(+), 13 deletions(-) diff --git a/salt/idstools/defaults.yaml b/salt/idstools/defaults.yaml index 2d81c80e5..d23f23dd9 100644 --- a/salt/idstools/defaults.yaml +++ b/salt/idstools/defaults.yaml @@ -2,4 +2,8 @@ idstools: config: urls: [] ruleset: ETOPEN - oinkcode: "" \ No newline at end of file + oinkcode: "" + sids: + enabled: [] + isabled: [] + modify: [] \ No newline at end of file diff --git a/salt/idstools/etc/rulecat.conf b/salt/idstools/etc/rulecat.conf index 8a6840267..fad421243 100644 --- a/salt/idstools/etc/rulecat.conf +++ b/salt/idstools/etc/rulecat.conf @@ -1,6 +1,6 @@ {%- from 'vars/globals.map.jinja' import GLOBALS %} {%- import_yaml 'idstools/defaults.yaml' as IDSTOOLSDEFAULTS %} -{%- set IDSTOOLSMERGED = salt['pillar.get']('idstools', IDSTOOLSDEFAULTS, merge=True) %} +{%- set IDSTOOLSMERGED = salt['pillar.get']('idstools', IDSTOOLSDEFAULTS.idstools, merge=True) %} {%- if GLOBALS.airgap is sameas true -%} --merged=/opt/so/rules/nids/all.rules --local=/opt/so/rules/nids/local.rules diff --git a/setup/so-functions b/setup/so-functions index e11542639..2f5c8e1a0 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1359,17 +1359,6 @@ ls_heapsize() { idstools_pillar() { title "Ading IDSTOOLS pillar options" touch $adv_idstools_pillar_file - printf '%s\n'\ - "idstools:"\ - " config:"\ - " oinkcode: ''"\ - " urls: []"\ - " sids:"\ - " enabled: []"\ - " disabled: []"\ - " modify: []"\ - "" > "$idstools_pillar_file" - } soc_pillar() { From d4f5209e392e7ce4c63aebf79fd423277720d096 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Wed, 15 Mar 2023 17:22:54 -0400 Subject: [PATCH 07/35] Re-Work IDSTOOLS --- salt/idstools/defaults.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/idstools/defaults.yaml b/salt/idstools/defaults.yaml index d23f23dd9..e937ebc2d 100644 --- a/salt/idstools/defaults.yaml +++ b/salt/idstools/defaults.yaml @@ -4,6 +4,6 @@ idstools: ruleset: ETOPEN oinkcode: "" sids: - enabled: [] - isabled: [] - modify: [] \ No newline at end of file + enabled: [] + disabled: [] + modify: [] \ No newline at end of file From 3156b1ed0c122a241bd8ab4abc823f0d0b44a0fc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 15 Mar 2023 17:53:14 -0400 Subject: [PATCH 08/35] Re-Work Backups --- salt/backup/config_backup.sls | 1 + salt/backup/defaults.yaml | 3 ++- salt/backup/soc_backup.yaml | 10 ++++++++++ salt/backup/tools/sbin/so-config-backup.jinja | 3 ++- 4 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 salt/backup/soc_backup.yaml diff --git a/salt/backup/config_backup.sls b/salt/backup/config_backup.sls index b4eeccfc1..20616f780 100644 --- a/salt/backup/config_backup.sls +++ b/salt/backup/config_backup.sls @@ -19,6 +19,7 @@ config_backup_script: - source: salt://backup/tools/sbin/so-config-backup.jinja - defaults: BACKUPLOCATIONS: {{ BACKUP_MERGED.locations }} + DESTINATION: {{ BACKUP_MERGED.destination }} # Add config backup so_config_backup: diff --git a/salt/backup/defaults.yaml b/salt/backup/defaults.yaml index 9b8d5909d..1aae64910 100644 --- a/salt/backup/defaults.yaml +++ b/salt/backup/defaults.yaml @@ -3,4 +3,5 @@ backup: - /opt/so/saltstack/local - /etc/pki - /etc/salt - - /opt/so/conf/kratos + - /nsm/kratos + destination: "/nsm/backup" \ No newline at end of file diff --git a/salt/backup/soc_backup.yaml b/salt/backup/soc_backup.yaml new file mode 100644 index 000000000..bedecb1ca --- /dev/null +++ b/salt/backup/soc_backup.yaml 
@@ -0,0 +1,10 @@ +backup: + locations: + description: List of locations to back up to the destination. + helpLink: backup.html + global: True + destination: + description: Directory to store the configuration backups in. + helpLink: backup.html + global: True + \ No newline at end of file diff --git a/salt/backup/tools/sbin/so-config-backup.jinja b/salt/backup/tools/sbin/so-config-backup.jinja index c0e24cd80..23e407653 100755 --- a/salt/backup/tools/sbin/so-config-backup.jinja +++ b/salt/backup/tools/sbin/so-config-backup.jinja @@ -8,7 +8,8 @@ . /usr/sbin/so-common TODAY=$(date '+%Y_%m_%d') -BACKUPFILE="/nsm/backup/so-config-backup-$TODAY.tar" +BACKUPDIR={{ DESTINATION }} +BACKUPFILE="$BACKUPDIR/so-config-backup-$TODAY.tar" MAXBACKUPS=7 # Create backup dir if it does not exist From f288d0dd6162d0d29c6d85e6297f1643bf7c95f8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 15 Mar 2023 17:58:15 -0400 Subject: [PATCH 09/35] Re-Work Backups --- setup/so-functions | 3 --- 1 file changed, 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 2f5c8e1a0..88cd8bb6c 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1488,9 +1488,6 @@ create_strelka_pillar() { backup_pillar() { title "Create the backup pillar file" touch $adv_backup_pillar_file - printf '%s\n'\ - "backup:"\ - " locations: []" > "$backup_pillar_file" } soctopus_pillar() { From 53e93f01c6de24f0fedd6595d3173fa359d4bb0b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 16 Mar 2023 09:49:57 -0400 Subject: [PATCH 10/35] Force an update after repo is configured --- setup/so-functions | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-functions b/setup/so-functions index b3b1319a5..d0afbe9f8 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1959,6 +1959,7 @@ securityonion_repo() { echo "Syncing Repo" repo_sync_local fi + logCmd "dnf -y update" fi } From a96473554d0c4d60c6a2025d66fb0ebf773eef1e Mon Sep 17 00:00:00 2001 
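Review bot: `BACKUPDIR={{ DESTINATION }}` renders the operator-supplied path unquoted into the shell script, so a destination containing whitespace or shell metacharacters breaks the assignment and everything built from `$BACKUPDIR` after it; write it as `BACKUPDIR="{{ DESTINATION }}"`. `destination` is exposed as a global UI setting in `soc_backup.yaml` in this same patch, so the value should be treated as untrusted input and checked to be an absolute path where the state passes it through as `DESTINATION`. The archive gathers `/etc/pki`, `/etc/salt` and `/nsm/kratos`, i.e. private keys and session material, so the directory creation that follows the hunk should create `$BACKUPDIR` with a restrictive mode; that `mkdir` and the rest of the script are outside the hunk.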
From: Josh Brower Date: Thu, 16 Mar 2023 12:56:04 -0400 Subject: [PATCH 11/35] Add IDH log ingest --- .../tools/sbin/so-elastic-fleet-integration-policy-load | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load index 4e60bf9ad..8d3d7735a 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load 
@@ -103,3 +103,9 @@ echo echo "Setting up Redis package policy..." curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "redis", "version": "1.4.0" }, "id": "redis-logs", "name": "redis-logs", "description": "Redis logs", "namespace": "default", "inputs": { "redis-logfile": { "enabled": true, "streams": { "redis.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/redis/redis.log" ], "tags": [ "redis-log" ], "preserve_original_event": false } } } }, "redis-redis": { "enabled": false, "streams": { "redis.slowlog": { "enabled": false, "vars": { "hosts": [ "127.0.0.1:6379" ], "password": "" } } } }, "redis-redis/metrics": { "enabled": false, "vars": { "hosts": [ "127.0.0.1:6379" ], "idle_timeout": "20s", "maxconn": 10, "network": "tcp", "password": "" }, "streams": { "redis.info": { "enabled": false, "vars": { "period": "10s" } }, "redis.key": { "enabled": false, "vars": { "key.patterns": "- limit: 20\n pattern: '*'\n", "period": "10s" } }, "redis.keyspace": { "enabled": false, "vars": { "period": "10s" } } } } } }' echo + +# IDH logs +echo +echo "Setting up IDh package policy..." 
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"policy_id":"so-grid-nodes","package":{"name":"log","version":"1.1.1"},"id":"idh-logs","name":"idh-logs","namespace":"so","description":"IDH integration","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/nsm/idh/opencanary.log"],"data_stream.dataset":"idh","custom":"pipeline: common","processors": "\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- drop_fields:\n when:\n equals:\n logtype: \"1001\"\n fields: [\"src_host\", \"src_port\", \"dst_host\", \"dst_port\" ]\n ignore_missing: true\n- rename:\n fields:\n - from: \"src_host\"\n to: \"source.ip\"\n - from: \"src_port\"\n to: \"source.port\"\n - from: \"dst_host\"\n to: \"destination.host\"\n - from: \"dst_port\"\n to: \"destination.port\"\n ignore_missing: true\n- convert:\n fields:\n - {from: \"logtype\", to: \"event.code\", type: \"string\"}\n ignore_missing: true\n- drop_fields:\n fields: '\''[\"prospector\", \"input\", \"offset\", \"beat\"]'\''\n- add_fields:\n target: event\n fields:\n category: host\n module: opencanary","tags":[]}}}}}}' +echo \ No newline at end of file From d78128dbf4175e2f453bf0e151fa397a2500861b Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 16 Mar 2023 13:11:12 -0400 Subject: [PATCH 12/35] Formatting --- salt/common/tools/sbin/so-elastic-fleet-integration-policy-load | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load index 8d3d7735a..bc65161fa 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load 
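Review bot: The new policy-load `curl` is fire-and-forget: there is no `--fail` or status check and the Fleet response is not inspected, so a rejected policy (wrong package version, duplicate `id`) only shows up in the log, matching the Redis block above but worth a check now that the script keeps growing. The Beats `processors` string decodes the opencanary JSON with `decode_json_fields` into `target: ""`, i.e. the event root; honeypot log content is by construction produced by whoever probes the honeypot, so arbitrary keys from that JSON become top-level fields and can collide with ECS fields or inflate the index mapping, whereas decoding into a dedicated object (e.g. `target: "opencanary"`) with explicit `rename` entries would bound that. The `drop_fields` that fires on `logtype: "1001"` removes the address fields for that one event type without saying why; a comment naming what logtype 1001 is and why its addresses are dropped would help the next maintainer.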
@@ -106,6 +106,6 @@ echo # IDH logs echo -echo "Setting up IDh package policy..." +echo "Setting up IDH package policy..." curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"policy_id":"so-grid-nodes","package":{"name":"log","version":"1.1.1"},"id":"idh-logs","name":"idh-logs","namespace":"so","description":"IDH integration","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/nsm/idh/opencanary.log"],"data_stream.dataset":"idh","custom":"pipeline: common","processors": "\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- drop_fields:\n when:\n equals:\n logtype: \"1001\"\n fields: [\"src_host\", \"src_port\", \"dst_host\", \"dst_port\" ]\n ignore_missing: true\n- rename:\n fields:\n - from: \"src_host\"\n to: \"source.ip\"\n - from: \"src_port\"\n to: \"source.port\"\n - from: \"dst_host\"\n to: \"destination.host\"\n - from: \"dst_port\"\n to: \"destination.port\"\n ignore_missing: true\n- convert:\n fields:\n - {from: \"logtype\", to: \"event.code\", type: \"string\"}\n ignore_missing: true\n- drop_fields:\n fields: '\''[\"prospector\", \"input\", \"offset\", \"beat\"]'\''\n- add_fields:\n target: event\n fields:\n category: host\n module: opencanary","tags":[]}}}}}}' echo \ No newline at end of file From 6e3194486c275f0beb6dba0386e2c209ec82a62a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 16 Mar 2023 13:50:22 -0400 Subject: [PATCH 13/35] Force package update before syncing the repo --- setup/so-functions | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-functions b/setup/so-functions index d0afbe9f8..b377a8d15 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1985,6 +1985,7 @@ repo_sync_local() { echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf dnf repolist + logCmd "dnf -c /root/repodownload.conf -y upgrade" # Make sure we can get to the sig repo logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup" logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" From 849e82e39f5170ac1c8cf5a93d707ef083af7c01 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 16 Mar 2023 15:36:43 -0400 Subject: [PATCH 14/35] Force package updates and curl check fix --- setup/so-functions | 9 +++++---- setup/so-whiptail | 4 +++- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index b377a8d15..3e2f55b3f 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -139,11 +139,11 @@ check_admin_pass() { check_manager_connection() { # See if you can curl the manager. If not you can either try again or continue info "Checking manager connectivity" - man_test_err=$(curl -k -L -sS https://$MSRVIP/repo --connect-timeout 5 2>&1) + man_test_err=$(curl -s $MSRVIP:4505 --connect-timeout 5 2>&1) local ret=$? - if [[ $ret != 0 ]]; then + if [[ $ret != 1 ]]; then error "Could not reach $MSRV" whiptail_manager_unreachable fi 
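Review bot: The probe `curl -s $MSRVIP:4505` treats only curl exit status 1 as success, which relies on the Salt publisher port answering with a non-HTTP byte stream that a current curl rejects with that code; refused and timed-out connections exit 7 and 28 and are caught correctly, but a curl that reports the malformed reply under a different code would flag a reachable manager as unreachable, so the condition needs a comment stating the assumption, e.g. `# 4505 is ZeroMQ: a reachable manager makes curl exit 1 (non-HTTP reply); anything else means no connection`. Dropping `-S` also means `man_test_err` now captures nothing on failure, so whatever reports it outside this hunk will show an empty message; `-sS` keeps the error text. The old `-k` HTTPS probe verified nothing either, so no TLS assurance is lost here, but `$MSRVIP` stays unquoted in both forms.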
@@ -1984,8 +1984,9 @@ repo_sync_local() { echo "gpgcheck=1" >> /root/repodownload.conf echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf - dnf repolist - logCmd "dnf -c /root/repodownload.conf -y upgrade" + logCmd "dnf repolist" + echo "This is trying to work" + logCmd "dnf -c /root/repodownload.conf -y upgrade --allowerasing" # Make sure we can get to the sig repo logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup" logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" diff --git a/setup/so-whiptail b/setup/so-whiptail index 6123ea97d..bf1463c67 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1143,11 +1143,13 @@ whiptail_reinstall() { read -r -d '' message <<- EOM Setup has detected a previous install. Continuing the install will remove the previous install configuration. + Selecting continue is a destructive action. + Would you like to continue? EOM whiptail --title "$whiptail_title" \ - --yesno "$message" 11 75 \ + --yesno "$message" 13 75 \ --yes-button "Continue" --no-button "Exit" --defaultno local exitstatus=$? From 957467eae0446e86ad7f4aaf9f02c03169789ec0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 16 Mar 2023 15:41:29 -0400 Subject: [PATCH 15/35] Force package update before syncing the repo --- setup/so-functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 3e2f55b3f..70562fcf8 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1985,8 +1985,9 @@ repo_sync_local() {
 echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf
 logCmd "dnf repolist"
- echo "This is trying to work"
+ info "This is trying to work"
 logCmd "dnf -c /root/repodownload.conf -y upgrade --allowerasing"
+ info "There should be an update here
 # Make sure we can get to the sig repo
 logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup"
 logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/"
From 2b65c1498d856b1427871b777f77c9493807c93c Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 16 Mar 2023 15:45:04 -0400
Subject: [PATCH 16/35] Force package update before syncing the repo
---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index 70562fcf8..5a9af8000 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1987,7 +1987,7 @@ repo_sync_local() {
 logCmd "dnf repolist"
 info "This is trying to work"
 logCmd "dnf -c /root/repodownload.conf -y upgrade --allowerasing"
- info "There should be an update here
+ info "There should be an update here"
 # Make sure we can get to the sig repo
 logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup"
 logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/"
From ef4882198a90c29e714136a7ca43ddc82c71aa34 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 16 Mar 2023 15:48:57 -0400
Subject: [PATCH 17/35] Force package update before syncing the repo
---
 setup/so-functions | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
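Review bot: The added `info "There should be an update here` is missing its closing double quote, so bash will treat everything after it as part of the string and fail to parse setup/so-functions when it is sourced; it should be `info "There should be an update here"`. Both new messages are placeholder wording, so if they stay they should say what the step does, for instance `info "Upgrading packages before syncing the local repo"`. repo_sync_local starts and ends outside the hunk.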
diff --git a/setup/so-functions b/setup/so-functions
index 5a9af8000..3a6d2bbfd 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1985,9 +1985,6 @@ repo_sync_local() {
 echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf
 logCmd "dnf repolist"
- info "This is trying to work"
- logCmd "dnf -c /root/repodownload.conf -y upgrade --allowerasing"
- info "There should be an update here"
 # Make sure we can get to the sig repo
 logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup"
 logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/"
@@ -2385,7 +2382,7 @@ update_sudoers() {
 update_packages() {
 if [[ $is_rocky ]]; then
 logCmd "dnf repolist"
- logCmd "dnf -y update --exclude=salt*,wazuh*,docker*,containerd*"
+ logCmd "dnf -y update --allowerasing --exclude=salt*,wazuh*,docker*,containerd*"
 else
 retry 150 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1
 retry 150 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1
From d12367ed751bdef85e735dd18331d58053351518 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 16 Mar 2023 15:54:00 -0400
Subject: [PATCH 18/35] Force package update before syncing the repo
---
 setup/so-functions | 1 -
 1 file changed, 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index 3a6d2bbfd..2378e31c5 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1959,7 +1959,6 @@ securityonion_repo() {
 echo "Syncing Repo"
 repo_sync_local
 fi
- logCmd "dnf -y update"
 fi
 }
From 2056ce37c6414c46b0961b57206c9829aa59024d Mon Sep 17 00:00:00 2001
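Review bot: `--allowerasing` on the unattended `dnf -y update` in update_packages authorizes dnf to remove any installed package that conflicts with an update; `--exclude` keeps salt*, wazuh*, docker* and containerd* out of the update set, but I would confirm on the target Rocky release that excluded packages can also not be picked for erasure, since losing docker or salt here leaves the node half-installed with no prompt. If a specific conflict motivates the flag, record it above the line, `# --allowerasing: <old package> conflicts with <new package> in the SO repo`, so the next reviewer can remove it once that conflict is gone; otherwise a plain `dnf -y update` that fails on a conflict is the safer default. The rest of update_packages is outside the hunk.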
From: m0duspwnens Date: Thu, 16 Mar 2023 16:32:41 -0400 Subject: [PATCH 19/35] strelka ui things --- salt/strelka/defaults.yaml | 11 +- salt/strelka/filecheck/filecheck.yaml.jinja | 3 +- salt/strelka/filecheck/map.jinja | 12 - salt/strelka/init.sls | 10 +- salt/strelka/map.jinja | 10 + salt/strelka/soc_strelka.yaml | 953 ++++++++++---------- 6 files changed, 507 insertions(+), 492 deletions(-) delete mode 100644 salt/strelka/filecheck/map.jinja diff --git a/salt/strelka/defaults.yaml b/salt/strelka/defaults.yaml index 8060f520d..96c8501ce 100644 --- a/salt/strelka/defaults.yaml +++ b/salt/strelka/defaults.yaml @@ -531,10 +531,9 @@ strelka: response: log: "/var/log/strelka/strelka.log" manager: - coordinator: - addr: 'HOST:6380' - db: 0 - + coordinator: + addr: 'HOST:6380' + db: 0 rules: enabled: True repos: @@ -557,3 +556,7 @@ strelka: - gen_susp_xor.yar - gen_webshells_ext_vars.yar - configured_vulns_ext_vars.yar + filecheck: + historypath: '/nsm/strelka/history/' + strelkapath: '/nsm/strelka/unprocessed/' + logfile: '/opt/so/log/strelka/filecheck.log' diff --git a/salt/strelka/filecheck/filecheck.yaml.jinja b/salt/strelka/filecheck/filecheck.yaml.jinja index 95c5abab2..c3ee4ef67 100644 --- a/salt/strelka/filecheck/filecheck.yaml.jinja +++ b/salt/strelka/filecheck/filecheck.yaml.jinja @@ -1 +1,2 @@ -{{ FILECHECKCONFIG | yaml(false) }} +filecheck: +{{ FILECHECKCONFIG | yaml(false) | indent(width=2) }} diff --git a/salt/strelka/filecheck/map.jinja b/salt/strelka/filecheck/map.jinja deleted file mode 100644 index 670136b45..000000000 --- a/salt/strelka/filecheck/map.jinja +++ /dev/null 
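Review bot: In filecheck.yaml.jinja, `indent(width=2)` does not indent the first line of the rendered block (Jinja's `indent` filter defaults to `first=False`), so the first key of FILECHECKCONFIG lands at column 0 next to `filecheck:` and the YAML either fails to parse or yields an empty `filecheck` mapping followed by stray top-level keys. Indent the expression itself, `  {{ FILECHECKCONFIG | yaml(false) | indent(width=2) }}`, or pass `first=True` to the filter. The template is two lines, so the whole file is in the hunk.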
@@ -1,12 +0,0 @@ -{% from 'vars/globals.map.jinja' import GLOBALS %} -{% import_yaml 'strelka/filecheck/defaults.yaml' as FILECHECKDEFAULTS %} - -{% if GLOBALS.md_engine == "SURICATA" %} -{% set extract_path = '/nsm/suricata/extracted' %} -{% set filecheck_runas = 'suricata' %} -{% else %} -{% set extract_path = '/nsm/zeek/extracted/complete' %} -{% set filecheck_runas = 'socore' %} -{% endif %} - -{% do FILECHECKDEFAULTS.filecheck.update({'extract_path': extract_path}) %} diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index f8b8262b0..8a59b0721 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -99,7 +99,7 @@ manager_config: - defaults: MANAGERCONFIG: {{ STRELKAMERGED.config.manager }} -{% if STRELKAMERGED.rules.enabled %} +{% if STRELKAMERGED.rules.enabled %} strelkarules: file.recurse: @@ -109,7 +109,7 @@ strelkarules: - group: 939 - clean: True -{% if grains['role'] in GLOBALS.manager_roles %} +{% if grains['role'] in GLOBALS.manager_roles %} strelkarepos: file.managed: - name: /opt/so/conf/strelka/repos.txt @@ -118,8 +118,8 @@ strelkarepos: - defaults: STRELKAREPOS: {{ STRELKAMERGED.rules.repos }} -{% endif %} -{% endif %} +{% endif %} +{% endif %} strelkadatadir: file.directory: @@ -185,7 +185,7 @@ filecheck_conf: - source: salt://strelka/filecheck/filecheck.yaml.jinja - template: jinja - defaults: - FILECHECKCONFIG: {{ FILECHECKDEFAULTS }} + FILECHECKCONFIG: {{ STRELKAMERGED.filecheck }} filecheck_script: file.managed: diff --git a/salt/strelka/map.jinja b/salt/strelka/map.jinja index bf0a29a17..5df15aa59 100644 --- a/salt/strelka/map.jinja +++ b/salt/strelka/map.jinja 
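Review bot: `FILECHECKCONFIG: {{ STRELKAMERGED.filecheck }}` pulls the filecheck settings from the pillar-merged strelka dict, but this same commit deletes `salt/strelka/filecheck/map.jinja` while init.sls still appears to import `FILECHECKDEFAULTS` and `filecheck_runas` from it at the top of the file (outside this hunk; later commits in this series remove those lines), so the state will not render until those imports move to `strelka/map.jinja`. Since STRELKAMERGED comes from `pillar.get(..., merge=True)`, `filecheck.strelkapath` and `historypath` are pillar-overridable even though the UI metadata marks them readonly; `readonly` in soc_strelka.yaml is a UI hint, not an enforcement, so if those paths must stay fixed, pass the fixed values here instead. `filecheck_conf` starts before the hunk.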
@@ -17,4 +17,14 @@ {% set manager_coordinator_port = STRELKADEFAULTS.strelka.config.manager.coordinator.addr.split(':')[1] %} {% do STRELKADEFAULTS.strelka.config.manager.coordinator.update({'addr': HOST ~ ':' ~ manager_coordinator_port}) %} +{% if GLOBALS.md_engine == "SURICATA" %} +{% set extract_path = '/nsm/suricata/extracted' %} +{% set filecheck_runas = 'suricata' %} +{% else %} +{% set extract_path = '/nsm/zeek/extracted/complete' %} +{% set filecheck_runas = 'socore' %} +{% endif %} + +{% do STRELKADEFAULTS.strelka.filecheck.update({'extract_path': extract_path}) %} + {% set STRELKAMERGED = salt['pillar.get']('strelka', STRELKADEFAULTS.strelka, merge=True) %} diff --git a/salt/strelka/soc_strelka.yaml b/salt/strelka/soc_strelka.yaml index bd730579d..dbe949817 100644 --- a/salt/strelka/soc_strelka.yaml +++ b/salt/strelka/soc_strelka.yaml 
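Review bot: `filecheck_runas` is chosen from `GLOBALS.md_engine` while `extract_path` is written into STRELKADEFAULTS before `pillar.get('strelka', ..., merge=True)`, so a pillar override of `strelka:filecheck:extract_path` changes the directory filecheck watches but not the account it runs as, and the `suricata` or `socore` user may have no read access to the overridden path. If pillar overrides of that key are meant to be supported, derive the run-as user after the merge (or from the merged path); otherwise say so in a comment such as `{# extract_path follows md_engine; overriding it via pillar does not change filecheck_runas #}`. The two `{% set %}` blocks also leave the run-as user as a loose template variable while everything else travels in STRELKAMERGED, so carrying it in the same dict would keep one source of truth.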
@@ -3,574 +3,587 @@ strelka: backend: backend: logging_cfg: - description: Location in the container where the config file is located. + description: Path to the Python logging configuration. readonly: True global: False helpLink: strelka.html advanced: True limits: max_files: - description: Max Files. + description: Number of files the backend will process before shutting down. readonly: False global: False helpLink: strelka.html time_to_live: - description: Location in the container where the config file is located. + description: Amount of time (in seconds) that the backend will run before shutting down (0 to disable). readonly: False global: False helpLink: strelka.html max_depth: - description: Location in the container where the config file is located. + description: Maximum depth that extracted files will be processed by the backend. readonly: False global: False helpLink: strelka.html distribution: - description: Location in the container where the config file is located. + description: Amount of time (in seconds) that a single file can be distributed to all scanners. readonly: False global: False helpLink: strelka.html scanner: - description: Location in the container where the config file is located. + description: Amount of time (in seconds) that a scanner can spend scanning a file (can be overridden per scanner). readonly: False global: False helpLink: strelka.html coordinator: addr: - description: Location in the container where the config file is located. + description: Network address of the coordinator. readonly: False global: False helpLink: strelka.html advanced: True - db: - description: Location in the container where the config file is located. + db: + description: Redis database of the coordinator. readonly: False global: False helpLink: strelka.html advanced: True tasting: - mime_db: '/usr/lib/file/magic.mgc' - description: Location in the container where the config file is located. 
+ mime_db: + description: Location of the MIME database used to taste files. readonly: True global: False helpLink: strelka.html advanced: True - yara_rules: '/etc/strelka/taste/' - description: Location in the container where the config file is located. + yara_rules: + description: Location of the directory of YARA files that contains rules used to taste files. readonly: True global: False helpLink: strelka.html advanced: True scanners: - 'ScanBase64': - - positive: - filename: '^base64_' - description: Location in the container where the config file is located. - readonly: False - global: False - helpLink: strelka.html - advanced: True - priority: - description: Location in the container where the config file is located. - readonly: False - global: False - helpLink: strelka.html - - 'ScanBatch': - - positive: - flavors: - - 'text/x-msdos-batch' - - 'batch_file' - priority: 5 - 'ScanBzip2': - - positive: - flavors: - - 'application/x-bzip2' - - 'bzip2_file' - priority: 5 - 'ScanDocx': - - positive: - flavors: - - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' - priority: 5 - options: - extract_text: False - 'ScanElf': - - positive: - flavors: - - 'application/x-object' - - 'application/x-executable' - - 'application/x-sharedlib' - - 'application/x-coredump' - - 'elf_file' - priority: 5 - 'ScanEmail': - - positive: - flavors: - - 'application/vnd.ms-outlook' - - 'message/rfc822' - - 'email_file' - priority: 5 - 'ScanEntropy': - - positive: - flavors: - - '*' - priority: 5 - 'ScanExiftool': - - positive: - flavors: - description: Location in the container where the config file is located. 
- readonly: False - global: False - helpLink: strelka.html - advacned: True - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanGif': - - positive: - flavors: - - 'image/gif' - - 'gif_file' - priority: 5 - 'ScanGzip': - - positive: - flavors: - - 'application/gzip' - - 'application/x-gzip' - - 'gzip_file' - priority: 5 - 'ScanHash': - - positive: - flavors: - - '*' - priority: 5 - 'ScanHeader': - - positive: - flavors: - - '*' - priority: 5 - options: - length: 50 - 'ScanHtml': - - positive: - flavors: - - 'hta_file' - - 'text/html' - - 'html_file' - priority: 5 - options: - parser: "html5lib" - 'ScanIni': - - positive: - filename: '(\.([Cc][Ff][Gg]|[Ii][Nn][Ii])|PROJECT)$' - flavors: - - 'ini_file' - priority: 5 - 'ScanJarManifest': - - positive: - flavors: - - 'jar_manifest_file' - priority: 5 - 'ScanJavascript': - - negative: - flavors: - - 'text/html' - - 'html_file' - positive: - flavors: - - 'javascript_file' - - 'text/javascript' - priority: 5 - options: - beautify: True - 'ScanJpeg': - - positive: - flavors: - - 'image/jpeg' - - 'jpeg_file' - priority: 5 - 'ScanJson': - - positive: - flavors: - - 'application/json' - - 'json_file' - priority: 5 - 'ScanLibarchive': - - positive: - flavors: - - 'application/vnd.ms-cab-compressed' - - 'cab_file' - - 'application/x-7z-compressed' - - '_7zip_file' - - 'application/x-cpio' - - 'cpio_file' - - 'application/x-xar' - - 'xar_file' - - 'arj_file' - - 'iso_file' - - 'application/x-debian-package' - - 'debian_package_file' - priority: 5 - options: - limit: 1000 - 'ScanLzma': - - positive: - flavors: - - 'application/x-lzma' - - 'lzma_file' - - 'application/x-xz' - - 'xz_file' - priority: 5 - 'ScanMacho': - - positive: - flavors: - - 'application/x-mach-binary' - - 'macho_file' - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanOcr': - - positive: - flavors: - - 'image/jpeg' - - 'jpeg_file' - - 'image/png' - - 'png_file' - - 'image/tiff' - - 'type_is_tiff' - - 'image/x-ms-bmp' - - 'bmp_file' - 
priority: 5 - options: - extract_text: False - tmp_directory: '/dev/shm/' - 'ScanOle': - - positive: - flavors: - - 'application/CDFV2' - - 'application/msword' - - 'olecf_file' - priority: 5 - 'ScanPdf': - - positive: - flavors: - - 'application/pdf' - - 'pdf_file' - priority: 5 - options: - extract_text: False - limit: 2000 - 'ScanPe': - - positive: - flavors: - - 'application/x-dosexec' - - 'mz_file' - priority: 5 - 'ScanPgp': - - positive: - flavors: - - 'application/pgp-keys' - - 'pgp_file' - priority: 5 - 'ScanPhp': - - positive: - flavors: - - 'text/x-php' - - 'php_file' - priority: 5 - 'ScanPkcs7': - - positive: - flavors: - - 'pkcs7_file' - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanPlist': - - positive: - flavors: - - 'bplist_file' - - 'plist_file' - priority: 5 - options: - keys: - - 'KeepAlive' - - 'Label' - - 'NetworkState' - - 'Program' - - 'ProgramArguments' - - 'RunAtLoad' - - 'StartInterval' - 'ScanRar': - - positive: - flavors: - - 'application/x-rar' - - 'rar_file' - priority: 5 - options: - limit: 1000 - 'ScanRpm': - - positive: - flavors: - - 'application/x-rpm' - - 'rpm_file' - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanRtf': - - positive: - flavors: - - 'text/rtf' - - 'rtf_file' - priority: 5 - options: - limit: 1000 - 'ScanRuby': - - positive: - flavors: - - 'text/x-ruby' - priority: 5 - 'ScanSwf': - - positive: - flavors: - - 'application/x-shockwave-flash' - - 'fws_file' - - 'cws_file' - - 'zws_file' - priority: 5 - 'ScanTar': - - positive: - flavors: - - 'application/x-tar' - - 'tar_file' - priority: 5 - options: - limit: 1000 - 'ScanTnef': - - positive: - flavors: - - 'application/vnd.ms-tnef' - - 'tnef_file' - priority: 5 - 'ScanUpx': - - positive: - flavors: - - 'upx_file' - priority: 5 - options: - tmp_directory: '/dev/shm/' - 'ScanUrl': - - negative: - flavors: - - 'javascript_file' - positive: - flavors: - - 'text/plain' - priority: 5 - 'ScanVb': - - positive: - flavors: - - 'vb_file' - - 'vbscript' - 
priority: 5 - 'ScanVba': - - positive: - flavors: - - 'mhtml_file' - - 'application/msword' - - 'olecf_file' - - 'wordml_file' - priority: 5 - options: - analyze_macros: True - 'ScanX509': - - positive: - flavors: - - 'x509_der_file' - priority: 5 - options: - type: 'der' - - positive: - flavors: - - 'x509_pem_file' - priority: 5 - options: - type: 'pem' - 'ScanXml': - - positive: - flavors: - - 'application/xml' - - 'text/xml' - - 'xml_file' - - 'mso_file' - - 'soap_file' - priority: 5 - 'ScanYara': - - positive: - flavors: - - '*' - priority: 5 - options: - location: '/etc/yara/' - 'ScanZip': - - positive: - flavors: - - 'application/java-archive' - - 'application/zip' - - 'zip_file' - - 'application/vnd.openxmlformats-officedocument' - - 'application/vnd.openxmlformats-officedocument.presentationml.presentation' - - 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' - - 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' - - 'ooxml_file' - priority: 5 - options: - limit: 1000 - password_file: '/etc/strelka/passwords.dat' - 'ScanZlib': - - positive: - flavors: - - 'application/zlib' - - 'zlib_file' - priority: 5 + 'ScanBase64': &scannerOptions + description: Configuration options for this scanner. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True + type: json + multiline: True + 'ScanBatch': *scannerOptions + 'ScanBzip2': *scannerOptions + 'ScanDocx': *scannerOptions + 'ScanElf': *scannerOptions + 'ScanEmail': *scannerOptions + 'ScanEntropy': *scannerOptions + 'ScanExiftool': *scannerOptions + 'ScanGif': *scannerOptions + 'ScanGzip': *scannerOptions + 'ScanHash': *scannerOptions + 'ScanHeader': *scannerOptions + 'ScanHtml': *scannerOptions + 'ScanIni': *scannerOptions + 'ScanJarManifest': *scannerOptions + 'ScanJavascript': *scannerOptions + 'ScanJpeg': *scannerOptions + 'ScanJson': *scannerOptions + 'ScanLibarchive': *scannerOptions + 'ScanLzma': *scannerOptions + 'ScanMacho': *scannerOptions + 'ScanOcr': *scannerOptions + 'ScanOle': *scannerOptions + 'ScanPdf': *scannerOptions + 'ScanPe': *scannerOptions + 'ScanPgp': *scannerOptions + 'ScanPhp': *scannerOptions + 'ScanPkcs7': *scannerOptions + 'ScanPlist': *scannerOptions + 'ScanRar': *scannerOptions + 'ScanRpm': *scannerOptions + 'ScanRtf': *scannerOptions + 'ScanRuby': *scannerOptions + 'ScanSwf': *scannerOptions + 'ScanTar': *scannerOptions + 'ScanTnef': *scannerOptions + 'ScanUpx': *scannerOptions + 'ScanUrl': *scannerOptions + 'ScanVb': *scannerOptions + 'ScanVba': *scannerOptions + 'ScanX509': *scannerOptions + 'ScanXml': *scannerOptions + 'ScanYara': *scannerOptions + 'ScanZip': *scannerOptions + 'ScanZlib': *scannerOptions logging: - version: 1 + version: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True formatters: simple: - format: '%(asctime)s - [%(levelname)s] %(name)s [%(module)s.%(funcName)s]: %(message)s' - datefmt: '%Y-%m-%d %H:%M:%S' + format: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + datefmt: + description: This is an advanced option for Strelka logging. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True handlers: console: - class: logging.StreamHandler - formatter: simple - stream: ext://sys.stdout + class: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + formatter: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + stream: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True root: - level: DEBUG - handlers: [console] + level: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True + handlers: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True loggers: OpenSSL: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True bs4: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True bz2: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True chardet: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True docx: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True elftools: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True email: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True entropy: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True esprima: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True gzip: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True hashlib: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True json: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True libarchive: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True lxml: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True lzma: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True macholibre: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True olefile: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True oletools: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True pdfminer: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True pefile: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True pgpdump: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True pygments: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True pylzma: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True rarfile: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True requests: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True rpmfile: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True ssdeep: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True tarfile: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True tnefparse: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True yara: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True zipfile: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True zlib: - propagate: 0 + propagate: + description: This is an advanced option for Strelka logging. + readonly: False + global: False + helpLink: strelka.html + advanced: True passwords: - - infected - - password + description: Passwords that will be stored in the password_file used in scanner options. + readonly: False + global: False + helpLink: strelka.html + multiline: True filestream: conn: - server: 'HOST:57314' - cert: '' + server: + description: Network address of the frontend server. + readonly: False + global: False + helpLink: strelka.html + advanced: True + cert: + description: Local path to the frontend SSL server certificate. + readonly: False + global: False + helpLink: strelka.html + advanced: True timeout: - dial: 5s - file: 1m + dial: + description: Amount of time to wait for the client to dial the server. + readonly: False + global: False + helpLink: strelka.html + advanced: True + file: + description: Amount of time to wait for an individual file to complete a scan. + readonly: False + global: False + helpLink: strelka.html + advanced: True throughput: - concurrency: 8 - chunk: 32768 - delay: 0s + concurrency: + description: Number of concurrent requests to make. + readonly: False + global: False + helpLink: strelka.html + advanced: True + chunk: + description: Size of file chunks that will be sent to the frontend server. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True + delay: + description: Artificial sleep between the submission of each chunk. + readonly: False + global: False + helpLink: strelka.html + advanced: True files: patterns: - - '/nsm/strelka/unprocessed/*' - delete: false - gatekeeper: true - processed: '/nsm/strelka/processed' + description: List of glob patterns that determine which files will be sent for scanning. + readonly: False + global: False + helpLink: strelka.html + advanced: True + delete: + description: Boolean that determines if files should be deleted after being sent for scanning. + readonly: False + global: False + helpLink: strelka.html + advanced: True + gatekeeper: + description: Boolean that determines if events should be pulled from the temporary event cache. + readonly: False + global: False + helpLink: strelka.html + advanced: True + processed: + description: Directory where files will be moved after being submitted for scanning. + readonly: False + global: False + helpLink: strelka.html + advanced: True response: - report: 5s - delta: 5s - staging: '/nsm/strelka/staging' + report: + description: Frequency at which the frontend reports the number of files processed. + readonly: False + global: False + helpLink: strelka.html + advanced: True + delta: + description: Time value that determines how much time must pass since a file was last modified before it is sent for scanning. + readonly: False + global: False + helpLink: strelka.html + advanced: True + staging: + description: Directory where files are staged before being sent to the cluster. + readonly: False + global: False + helpLink: strelka.html + advanced: True frontend: - server: ":57314" + server: + description: Network address of the frontend server. + readonly: False + global: False + helpLink: strelka.html + advanced: True coordinator: - addr: 'HOST:6380' - db: 0 + addr: + description: Network address of the coordinator. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: True + db: + description: Redis database of the coordinator. + readonly: False + global: False + helpLink: strelka.html + advanced: True gatekeeper: - addr: 'HOST:6381' - db: 0 - ttl: 1h + addr: + description: Network address of the gatekeeper. + readonly: False + global: False + helpLink: strelka.html + advanced: True + db: + description: Redis database of the gatekeeper. + readonly: False + global: False + helpLink: strelka.html + advanced: True + ttl: + description: Time-to-live for events added to the gatekeeper. + readonly: False + global: False + helpLink: strelka.html + advanced: True response: - log: "/var/log/strelka/strelka.log" + log: + description: Location where worker scan results are logged to. + readonly: False + global: False + helpLink: strelka.html + advanced: True manager: - coordinator: - addr: 'HOST:6380' - db: 0 - + coordinator: + addr: + description: Network address of the coordinator. + readonly: False + global: False + helpLink: strelka.html + advanced: True + db: + description: Redis database of the coordinator. + readonly: False + global: False + helpLink: strelka.html + advanced: True rules: - enabled: True + enabled: + description: Boolean that determines if yara rules sync from the Salt manager to the backend nodes. + readonly: False + global: False + helpLink: strelka.html + advanced: False repos: - - https://github.com/Neo23x0/signature-base + description: List of repos for so-yara-update to use to download rules. 
+ readonly: False + global: False + helpLink: strelka.html + advanced: False excluded: - - apt_flame2_orchestrator.yar - - apt_tetris.yar - - gen_susp_js_obfuscatorio.yar - - gen_webshells.yar - - generic_anomalies.yar - - general_cloaking.yar - - thor_inverse_matches.yar - - yara_mixed_ext_vars.yar - - apt_apt27_hyperbro.yar - - apt_turla_gazer.yar - - gen_google_anomaly.yar - - gen_icon_anomalies.yar - - gen_nvidia_leaked_cert.yar - - gen_sign_anomalies.yar - - gen_susp_xor.yar - - gen_webshells_ext_vars.yar - - configured_vulns_ext_vars.yar + description: List of rules to exclude so-yara-update from download and propagating to backend nodes. + readonly: False + global: False + helpLink: strelka.html + advanced: False + filecheck: + historypath: + description: The path for previously scanned files. + readonly: True + global: False + helpLink: strelka.html + advanced: True + strelkapath: + description: The path for unprocessed files. + readonly: True + global: False + helpLink: strelka.html + advanced: True + logfile: + description: The path for the filecheck log. + readonly: False + global: False + helpLink: strelka.html + advanced: True From 0dfbbfcf8e13b7a6b8aad9136f9b40253c4d7896 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 16 Mar 2023 16:37:38 -0400 Subject: [PATCH 20/35] fix spacing on filecheck config --- salt/strelka/filecheck/filecheck.yaml.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/strelka/filecheck/filecheck.yaml.jinja b/salt/strelka/filecheck/filecheck.yaml.jinja index c3ee4ef67..1f5453f93 100644 --- a/salt/strelka/filecheck/filecheck.yaml.jinja +++ b/salt/strelka/filecheck/filecheck.yaml.jinja @@ -1,2 +1,2 @@ filecheck: -{{ FILECHECKCONFIG | yaml(false) | indent(width=2) }} + {{ FILECHECKCONFIG | yaml(false) | indent(width=2) }} From a9b8877268adcd8fd946e5904505a7dc89c688b5 Mon Sep 17 00:00:00 2001 
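Review bot: `logging.handlers.console.class` and `stream` are exposed with `readonly: False`, and the removed defaults show they feed a Python `logging.config.dictConfig` (`class: logging.StreamHandler`, `stream: ext://sys.stdout`), which resolves both values by importing the dotted path; whoever has config rights in the SOC UI can therefore make the Strelka backend instantiate an arbitrary importable class with arguments of their choosing. Unless operators genuinely need to swap the handler, mark `class` and `stream` `readonly: True` (level, format and the propagate knobs are harmless to leave editable), or at least replace the generic "This is an advanced option for Strelka logging." with a description stating that the value is an import path evaluated by the backend. In the same spirit, `rules.repos` is a list of git URLs that so-yara-update will fetch and compile into the scanners, so its description should say that only trusted sources belong there. The scanner entries now share one `&scannerOptions` anchor and are edited as free-form JSON, which drops the per-scanner structure the old defaults had (e.g. `password_file`), so a malformed entry will only surface when the backend fails to load its config.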
From: m0duspwnens Date: Thu, 16 Mar 2023 17:15:52 -0400 Subject: [PATCH 21/35] remove filecheckdefaults from strelka init --- salt/strelka/init.sls | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 8a59b0721..b732dc257 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -9,7 +9,6 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'strelka/map.jinja' import STRELKAMERGED %} -{% from 'strelka/filecheck/map.jinja' import FILECHECKDEFAULTS %} {% from 'strelka/filecheck/map.jinja' import filecheck_runas %} # Strelka config From dd4461daf44f78478963eb8f67c03457947e24a5 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 16 Mar 2023 17:50:19 -0400 Subject: [PATCH 22/35] remove other filecheck map import --- salt/strelka/init.sls | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index b732dc257..8df8a0774 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -9,7 +9,6 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'strelka/map.jinja' import STRELKAMERGED %} -{% from 'strelka/filecheck/map.jinja' import filecheck_runas %} # Strelka config strelkaconfdir: From bd1eb9c7df07464bcdd8f5cd06547c74169a1d2b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 16 Mar 2023 18:05:38 -0400 Subject: [PATCH 23/35] Change yum to dnf --- salt/repo/client/rocky.sls | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/repo/client/rocky.sls b/salt/repo/client/rocky.sls index a99d3f422..405bba7f6 100644 --- a/salt/repo/client/rocky.sls +++ b/salt/repo/client/rocky.sls @@ -16,13 +16,13 @@ file.absent: - name: {{ REPOPATH }}{{ file }} - onchanges_in: - - cmd: cleanyum + - cmd: cleandnf {% endfor %} {% endif %} -cleanyum: +cleandnf: cmd.run: - - name: 'yum clean all' + - name: 'dnf clean all' - onchanges: - so_repo From 924d598a8afdc176682978971e56955622903478 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Fri, 17 Mar 2023 08:38:56 -0400 Subject: [PATCH 24/35] add filecheck_runas --- salt/strelka/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 8df8a0774..bbb2bcaf6 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -9,6 +9,7 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'strelka/map.jinja' import STRELKAMERGED %} +{% from 'strelka/map.jinja' import filecheck_runas %} # Strelka config strelkaconfdir: From 8f5daa785b82627e4c6bf2322acf44e182cbe799 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 17 Mar 2023 10:14:44 -0400 Subject: [PATCH 25/35] Add next steps to install summary --- setup/so-whiptail | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 6123ea97d..ce11101fb 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1281,14 +1281,25 @@ whiptail_setup_complete() { local accessMessage="" fi - + MINIONFINGERPRINT=$(salt-call --local key.finger --out=newline_values_only) read -r -d '' message <<- EOM - Finished ${install_type} installation. + ${install_type} initialization is now complete! + + To finish configuration, open the Security Onion Console web interface + and navigate to Administration -> Grid Members. + + Then find this node in the Pending Members list, + click the Review button, and then click the Accept button. + + Node Hostname: $HOSTNAME + Node Fingerprint: + $MINIONFINGERPRINT + $accessMessage - Press the Enter key to exit setup. + Press TAB and then the ENTER key to exit this screen. EOM - whiptail --title "$whiptail_title" --msgbox "$message" 12 75 + whiptail --title "$whiptail_title" --msgbox "$message" 24 75 --scrolltext } whiptail_setup_failed() { From c5b16494d7f3561332e232f02b2a5c4d29e3be8d Mon Sep 17 00:00:00 2001 
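Review bot: `filecheck_runas` is now imported from `strelka/map.jinja`, but nothing on this page shows that file defining it; patches 21 and 22 of this series only removed the imports from `strelka/filecheck/map.jinja`, so confirm the name was actually moved there, otherwise the state fails to render. Since `STRELKAMERGED` already comes from the same file, the two statements can be folded into one: `{% from 'strelka/map.jinja' import STRELKAMERGED, filecheck_runas %}`.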
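Review bot: `MINIONFINGERPRINT=$(salt-call --local key.finger --out=newline_values_only)` is never checked, so if salt-call fails the summary prints an empty fingerprint and the operator accepting this node under Grid Members has nothing to compare the pending key against, which silently defeats the verification this screen exists for. Guard it, e.g. `[ -n "$MINIONFINGERPRINT" ] || MINIONFINGERPRINT="(unavailable: salt-call key.finger failed; obtain it before accepting this node)"`, and declare the variable `local` like the others in the function. `whiptail_setup_complete()` opens before this hunk. The same unguarded line reappears in the patch 31 hunk of this file further down; this note covers both.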
From: Doug Burks Date: Fri, 17 Mar 2023 10:21:21 -0400 Subject: [PATCH 26/35] Fix typo and improve formatting in so-whiptail --- setup/so-whiptail | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 8eac58dbe..4ed473381 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -974,9 +974,10 @@ whiptail_manager_unreachable() { read -r -d '' msg <<- EOM Setup is unable to access the manager at this time. - Run the following on the manger: + Run the following on the manager: so-firewall-minion --role=$install_type --ip=$MAINIP + Would you like to retry? EOM whiptail --title "$whiptail_title" --yesno "$msg" 20 75 From 4944365341d3a74feb3a1b019b5bbb096944aaea Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 17 Mar 2023 11:02:02 -0400 Subject: [PATCH 27/35] Change the salt dir for elastic fleet --- salt/allowed_states.map.jinja | 10 +++++----- .../tools/sbin/so-elastic-agent-gen-installers | 4 ++-- .../files/so_agent-installers/readme | 0 salt/{elastic-fleet => elasticfleet}/init.sls | 0 .../install_agent_grid.sls | 2 +- salt/nginx/init.sls | 2 +- salt/ssl/init.sls | 6 +++--- salt/top.sls | 18 +++++++++--------- 8 files changed, 21 insertions(+), 21 deletions(-) rename salt/{elastic-fleet => elasticfleet}/files/so_agent-installers/readme (100%) rename salt/{elastic-fleet => elasticfleet}/init.sls (100%) rename salt/{elastic-fleet => elasticfleet}/install_agent_grid.sls (86%) diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index 3548a7f0d..a837950e4 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -34,7 +34,7 @@ 'influxdb', 'soc', 'kratos', - 'elastic-fleet', + 'elasticfleet', 'firewall', 'idstools', 'suricata.manager', @@ -105,7 +105,7 @@ 'schedule', 'tcpreplay', 'docker_clean', - 'elastic-fleet' + 'elasticfleet' ], 'so-manager': [ 'salt.master', 
@@ -118,7 +118,7 @@ 'influxdb', 'soc', 'kratos', - 'elastic-fleet', + 'elasticfleet', 'firewall', 'idstools', 'suricata.manager', @@ -137,7 +137,7 @@ 'influxdb', 'soc', 'kratos', - 'elastic-fleet', + 'elasticfleet', 'firewall', 'manager', 'idstools', @@ -166,7 +166,7 @@ 'influxdb', 'soc', 'kratos', - 'elastic-fleet', + 'elasticfleet', 'firewall', 'idstools', 'suricata.manager', diff --git a/salt/common/tools/sbin/so-elastic-agent-gen-installers b/salt/common/tools/sbin/so-elastic-agent-gen-installers index 131292dab..128f894e4 100755 --- a/salt/common/tools/sbin/so-elastic-agent-gen-installers +++ b/salt/common/tools/sbin/so-elastic-agent-gen-installers @@ -24,11 +24,11 @@ mkdir -p /tmp/elastic-agent-workspace for OS in "${CONTAINERGOOS[@]}" do printf "\n\nGenerating $OS Installer..." - cp /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/so-elastic-agent-*-$OS-x86_64.tar.gz /tmp/elastic-agent-workspace/$OS.tar.gz + cp /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/so-elastic-agent-*-$OS-x86_64.tar.gz /tmp/elastic-agent-workspace/$OS.tar.gz docker run -e CGO_ENABLED=0 -e GOOS=$OS \ --mount type=bind,source=/etc/ssl/certs/,target=/workspace/files/cert/ \ --mount type=bind,source=/tmp/elastic-agent-workspace/,target=/workspace/files/elastic-agent/ \ - --mount type=bind,source=/opt/so/saltstack/local/salt/elastic-fleet/files/so_agent-installers/,target=/output/ \ + --mount type=bind,source=/opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/,target=/output/ \ {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elastic-agent-builder:{{ GLOBALS.so_version }} go build -ldflags "-X main.fleetHost=$FLEETHOST -X main.enrollmentToken=$ENROLLMENTOKEN" -o /output/so-elastic-agent_$OS printf "\n $OS Installer Generated..." done 
diff --git a/salt/elastic-fleet/files/so_agent-installers/readme b/salt/elasticfleet/files/so_agent-installers/readme similarity index 100% rename from salt/elastic-fleet/files/so_agent-installers/readme rename to salt/elasticfleet/files/so_agent-installers/readme diff --git a/salt/elastic-fleet/init.sls b/salt/elasticfleet/init.sls similarity index 100% rename from salt/elastic-fleet/init.sls rename to salt/elasticfleet/init.sls diff --git a/salt/elastic-fleet/install_agent_grid.sls b/salt/elasticfleet/install_agent_grid.sls similarity index 86% rename from salt/elastic-fleet/install_agent_grid.sls rename to salt/elasticfleet/install_agent_grid.sls index 2f848ac2e..c4c389cea 100644 --- a/salt/elastic-fleet/install_agent_grid.sls +++ b/salt/elasticfleet/install_agent_grid.sls @@ -9,7 +9,7 @@ run_installer: cmd.script: - - name: salt://elastic-fleet/files/so_agent-installers/so-elastic-agent_linux + - name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux - args: -token={{ GRIDNODETOKEN }} {% endif %} diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index e3a13c2f2..52d018354 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -95,7 +95,7 @@ so-nginx: - /opt/so/log/nginx/:/var/log/nginx:rw - /opt/so/tmp/nginx/:/var/lib/nginx:rw - /opt/so/tmp/nginx/:/run:rw - - /opt/so/saltstack/local/salt/elastic-fleet/files/so_agent-installers/:/opt/socore/html/packages + - /opt/so/saltstack/local/salt/elasticfleet/files/so_agent-installers/:/opt/socore/html/packages {% if grains.role in ['so-manager', 'so-managersearch', 'so-eval', 'so-standalone', 'so-import'] %} - /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro - /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index bf31fff27..4a521f12c 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls 
@@ -210,19 +210,19 @@ chownilogstashelasticfleetp8: # Create Symlinks to the keys so I can distribute it to all the things elasticfleetdircerts: file.directory: - - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs + - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs - makedirs: True efkeylink: file.symlink: - - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs/elasticfleet.p8 + - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs/elasticfleet.p8 - target: /etc/pki/elasticfleet.p8 - user: socore - group: socore efcrtlink: file.symlink: - - name: /opt/so/saltstack/local/salt/elastic-fleet/files/certs/elasticfleet.crt + - name: /opt/so/saltstack/local/salt/elasticfleet/files/certs/elasticfleet.crt - target: /etc/pki/elasticfleet.crt - user: socore - group: socore diff --git a/salt/top.sls b/salt/top.sls index a07e16013..2c6ad266f 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -59,7 +59,7 @@ base: {%- endif %} - schedule - docker_clean - - elastic-fleet.install_agent_grid + - elasticfleet.install_agent_grid '*_eval and G@saltversion:{{saltversion}}': - match: compound @@ -147,7 +147,7 @@ base: - schedule - soctopus - playbook - - elastic-fleet + - elasticfleet - docker_clean '*_standalone and G@saltversion:{{saltversion}}': @@ -198,7 +198,7 @@ base: - schedule - soctopus - playbook - - elastic-fleet + - elasticfleet - docker_clean '*_searchnode and G@saltversion:{{saltversion}}': @@ -215,7 +215,7 @@ base: - logstash {%- endif %} - schedule - - elastic-fleet.install_agent_grid + - elasticfleet.install_agent_grid - docker_clean '*_managersearch and G@saltversion:{{saltversion}}': @@ -257,7 +257,7 @@ base: - schedule - soctopus - playbook - - elastic-fleet + - elasticfleet - docker_clean '*_heavynode and G@saltversion:{{saltversion}}': @@ -286,7 +286,7 @@ base: - zeek {%- endif %} - schedule - - elastic-fleet.install_agent_grid + - elasticfleet.install_agent_grid - docker_clean '*_import and G@saltversion:{{saltversion}}': 
@@ -317,7 +317,7 @@ base: - suricata - zeek - schedule - - elastic-fleet + - elasticfleet - docker_clean '*_receiver and G@saltversion:{{saltversion}}': @@ -333,7 +333,7 @@ base: - redis {%- endif %} - schedule - - elastic-fleet.install_agent_grid + - elasticfleet.install_agent_grid - docker_clean '*_idh and G@saltversion:{{saltversion}}': @@ -343,7 +343,7 @@ base: - telegraf - firewall - schedule - - elastic-fleet.install_agent_grid + - elasticfleet.install_agent_grid - docker_clean - idh From d7b0ed93c9b4d53f482ed75c3eac75f1fb2f8651 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 17 Mar 2023 11:27:29 -0400 Subject: [PATCH 28/35] Update so-functions --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 2378e31c5..96c357c74 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -144,7 +144,7 @@ check_manager_connection() { local ret=$? if [[ $ret != 1 ]]; then - error "Could not reach $MSRV" + info "Could not reach $MSRV" whiptail_manager_unreachable fi } From caa08e9cf0b5b80a79bc3f429b5ecf659e0bc5db Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 17 Mar 2023 11:44:56 -0400 Subject: [PATCH 29/35] Change the salt dir for elastic fleet --- salt/common/tools/sbin/so-elastic-fleet-setup | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup index 9c2d60eca..13eb81ecb 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-setup +++ b/salt/common/tools/sbin/so-elastic-fleet-setup 
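Review bot: Downgrading the message to `info` makes a failed manager reachability check look like routine progress in the setup log; if `error` was changed because it aborts the script before `whiptail_manager_unreachable` can offer the retry (its definition is not on this page), at least keep the entry recognisable as a failure, e.g. `info "Could not reach $MSRV, prompting for retry"`. Separately, `[[ $ret != 1 ]]` treats every status except 1 as unreachable, including 0; presumably the command whose status is captured (outside the hunk) returns 1 on success, and a one-line comment saying so would stop the next reader from "fixing" the condition. `check_manager_connection()` starts before this hunk.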
@@ -97,13 +97,13 @@ salt-call state.apply elastic-fleet queue=True /usr/sbin/so-elastic-fleet-integration-policy-load # Temp -wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-darwin-x86_64.tar.gz -wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-linux-x86_64.tar.gz -wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-windows-x86_64.tar.gz +wget -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-darwin-x86_64.tar.gz +wget -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-linux-x86_64.tar.gz +wget -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-windows-x86_64.tar.gz #git clone -b 2.4-so-elastic-agent https://github.com/Security-Onion-Solutions/securityonion-image.git #cd securityonion-image/so-elastic-agent-builder #docker build -t so-elastic-agent-builder . so-elastic-agent-gen-installers -salt-call state.apply elastic-fleet.install_agent_grid queue=True +salt-call state.apply elasticfleet.install_agent_grid queue=True From 536391bb3bd16133b254b14f5216ae4fc6745a8a Mon Sep 17 00:00:00 2001 
From: Josh Brower Date: Fri, 17 Mar 2023 16:14:29 -0400 Subject: [PATCH 30/35] rename elasticfleet state --- salt/common/tools/sbin/so-elastic-fleet-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup index 13eb81ecb..ac2ce47f9 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-setup +++ b/salt/common/tools/sbin/so-elastic-fleet-setup @@ -91,7 +91,7 @@ printf '%s\n'\ "" >> "$global_pillar_file" # Call Elastic-Fleet Salt State -salt-call state.apply elastic-fleet queue=True +salt-call state.apply elasticfleet queue=True # Load Elastic Fleet integrations /usr/sbin/so-elastic-fleet-integration-policy-load From 792732a8cfe56dc79fe542e6b3a4b9d890098892 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Sat, 18 Mar 2023 13:09:46 -0400 Subject: [PATCH 31/35] summary changes --- setup/so-whiptail | 66 +++++++++++++++++++++++++++++------------------ 1 file changed, 41 insertions(+), 25 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 4ed473381..1a286f0f0 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
@@ -1271,38 +1271,54 @@ whiptail_setup_complete() { [ -n "$TESTING" ] && return - if [[ -n "$REDIRECTIT" && $is_manager = true ]]; then + + if [[ $waitforstate ]]; then + # Manager-type Nodes - Install Summary if [[ -n $ALLOW_CIDR ]]; then local sentence_prefix="Access" else local sentence_prefix="Run so-allow to access" fi - local accessMessage="\n${sentence_prefix} the web interface at: https://${REDIRECTIT}\n" - elif [[ $is_idh ]]; then - local accessMessage="\nSSH for this node has been moved to TCP/2222, accessible only from the Manager node.\n" + + read -r -d '' message <<- EOM + ${install_type} setup is now complete! + + ${sentence_prefix} the Security Onion Console web interface by navigating to: + https://${REDIRECTIT} + + Login with the following username and the password: + + SOC Username: ${WEBUSER} + SOC Password: Use the password that was entered during setup + + Press TAB and then the ENTER key to exit this screen. + EOM + whiptail --title "$whiptail_title" --msgbox "$message" 24 75 --scrolltext else - local accessMessage="" + if [[ $is_idh ]]; then + local accessMessage="\nSSH for this node has been moved to TCP/2222, accessible only from the Manager node.\n" + else + local accessMessage="" + fi + MINIONFINGERPRINT=$(salt-call --local key.finger --out=newline_values_only) + read -r -d '' message <<- EOM + ${install_type} initialization is now complete! + + To finish configuration, open the Security Onion Console web interface + and navigate to Administration -> Grid Members. + + Then find this node in the Pending Members list, + click the Review button, and then click the Accept button. + + Node Hostname: $HOSTNAME + Node Fingerprint: + $MINIONFINGERPRINT + $accessMessage + Press TAB and then the ENTER key to exit this screen. 
+ EOM + + whiptail --title "$whiptail_title" --msgbox "$message" 24 75 --scrolltext fi - - MINIONFINGERPRINT=$(salt-call --local key.finger --out=newline_values_only) - read -r -d '' message <<- EOM - ${install_type} initialization is now complete! - - To finish configuration, open the Security Onion Console web interface - and navigate to Administration -> Grid Members. - - Then find this node in the Pending Members list, - click the Review button, and then click the Accept button. - - Node Hostname: $HOSTNAME - Node Fingerprint: - $MINIONFINGERPRINT - - $accessMessage - Press TAB and then the ENTER key to exit this screen. - EOM - - whiptail --title "$whiptail_title" --msgbox "$message" 24 75 --scrolltext } whiptail_setup_failed() { From 5b9ff06a8544bb14be22efe799822e98898dc369 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Sun, 19 Mar 2023 09:17:12 -0400 Subject: [PATCH 32/35] Setup Kibana default space --- .../tools/sbin/so-elastic-fleet-integration-policy-load | 4 +++- salt/common/tools/sbin/so-kibana-space-defaults | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load index bc65161fa..b87ede0fe 100755 --- a/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load +++ b/salt/common/tools/sbin/so-elastic-fleet-integration-policy-load @@ -17,7 +17,9 @@ SESSIONCOOKIE=$(curl -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http: # Disable certain Features from showing up in the Kibana UI echo -echo "Setting up default Security Onion package policies for Elastic Agent..." +echo "Disable certain Features from showing up in the Kibana UI" +so-kibana-space-defaults +echo # Suricata logs echo diff --git a/salt/common/tools/sbin/so-kibana-space-defaults b/salt/common/tools/sbin/so-kibana-space-defaults index 9175a36bc..430054e06 100755 --- a/salt/common/tools/sbin/so-kibana-space-defaults 
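Review bot: The manager branch now keys on `[[ $waitforstate ]]` alone, whereas the replaced condition also required `-n "$REDIRECTIT"`, so the manager summary can print a bare `https://` when that variable is empty; presumably `waitforstate` is only set for manager-type installs, but the URL guard is still worth keeping, e.g. `if [[ $waitforstate && -n "$REDIRECTIT" ]]; then`, or a fallback text on the URL line. `whiptail_setup_complete()` opens before this hunk.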
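Review bot: `so-kibana-space-defaults` is invoked by bare name, while the sibling script is run elsewhere on this page as `/usr/sbin/so-elastic-fleet-integration-policy-load`; calling it as `/usr/sbin/so-kibana-space-defaults` keeps the invocation independent of the caller's PATH. The child script reads `$SESSIONCOOKIE` (visible in its hunk below), but the plain assignment at the top of this file is not exported, so unless so-kibana-space-defaults obtains its own cookie in lines not shown it will send an empty `sid`; verify which it is. The replaced line also drops the "Setting up default Security Onion package policies for Elastic Agent..." announcement that preceded the package-policy section; re-add it after the new `echo` if that message is still wanted.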
+++ b/salt/common/tools/sbin/so-kibana-space-defaults
@@ -13,6 +13,6 @@ echo "Setting up default Space:"
 {% if HIGHLANDER %}
 curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log
 {% else %}
-curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","fleet","fleetv2","securitySolutionCases"]} ' >> /opt/so/log/kibana/misc.log
+curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","siem","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCases"]} ' >> /opt/so/log/kibana/misc.log
 {% endif %}
 echo
From cbf7b66729df561e674c675e5fb9acef8e0a4e7b Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Mon, 20 Mar 2023 07:29:10 -0400
Subject: [PATCH 33/35] Set wget to be quiet
---
 salt/common/tools/sbin/so-elastic-fleet-setup | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/common/tools/sbin/so-elastic-fleet-setup b/salt/common/tools/sbin/so-elastic-fleet-setup
index 9c2d60eca..f76deb317 100755
--- a/salt/common/tools/sbin/so-elastic-fleet-setup
+++ b/salt/common/tools/sbin/so-elastic-fleet-setup
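Review bot: Removing `fleet` and `fleetv2` from `disabledFeatures` makes the Fleet management UI visible in the default space; a space's disabled-feature list only hides navigation and is not an authorization control, so whether a given Kibana user can read or change agent policies is decided by role privileges, not by this toggle. Please confirm that the roles Security Onion assigns to ordinary analysts do not carry Fleet write privileges now that the UI is reachable, and add a comment above the curl line stating that Fleet is intentionally enabled here and where access to it is restricted.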
@@ -97,9 +97,9 @@ salt-call state.apply elastic-fleet queue=True
 /usr/sbin/so-elastic-fleet-integration-policy-load
 # Temp
-wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-darwin-x86_64.tar.gz
-wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-linux-x86_64.tar.gz
-wget -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-windows-x86_64.tar.gz
+wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-darwin-x86_64.tar.gz
+wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-linux-x86_64.tar.gz
+wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elastic-fleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-windows-x86_64.tar.gz
 #git clone -b 2.4-so-elastic-agent https://github.com/Security-Onion-Solutions/securityonion-image.git
 #cd securityonion-image/so-elastic-agent-builder
From c89bae73190f49ed36313b4c71056aef613d405a Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Mon, 20 Mar 2023 07:51:44 -0400
Subject: [PATCH 34/35] Wording tweaks
---
 setup/so-whiptail | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
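Review bot: `--progress=bar:force:noscroll` does not make wget quiet; it forces the progress bar to be drawn even when stdout is not a terminal, which is the opposite of what the subject line says, and a quiet download is `-q` (or `-nv` to keep a one-line completion message per file). The hunk's `index 9c2d60eca..` and its `elastic-fleet` paths match the file before patch 29 of this series renamed the directory to `elasticfleet`, so this patch appears to have been made against the old base and whichever of the two lands last wins; rebase it onto the renamed paths. These tarballs are fetched with no integrity check and are later turned into agent installers distributed to every node, so verifying a pinned digest with `sha256sum -c` before `so-elastic-agent-gen-installers` runs would close that gap.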
diff --git a/setup/so-whiptail b/setup/so-whiptail index 1a286f0f0..331c27be3 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1283,10 +1283,10 @@ whiptail_setup_complete() { read -r -d '' message <<- EOM ${install_type} setup is now complete! - ${sentence_prefix} the Security Onion Console web interface by navigating to: + ${sentence_prefix} the Security Onion Console (SOC) web interface by navigating to: https://${REDIRECTIT} - Login with the following username and the password: + Then login with the following username and password. SOC Username: ${WEBUSER} SOC Password: Use the password that was entered during setup From cdbbc8e64c9e6c9c5c8cb9c3b706d3d6c56e4f0d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 20 Mar 2023 09:46:57 -0400 Subject: [PATCH 35/35] Add gui components for fleet --- salt/elasticfleet/soc_elasticfleet.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 salt/elasticfleet/soc_elasticfleet.yaml diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml new file mode 100644 index 000000000..0e111feca --- /dev/null +++ b/salt/elasticfleet/soc_elasticfleet.yaml @@ -0,0 +1,18 @@ +elasticfleet: + server: + endpoints_enrollment: + description: Endpoint enrollment key. + global: True + helpLink: elastic-fleet.html + es_token: + description: Elastic auth token. + global: True + helpLink: elastic-fleet.html + grid_enrollment: + description: Grid enrollment key. + global: True + helpLink: elastic-fleet.html + url: + description: Agent connection URL. + global: True + helpLink: elastic-fleet.html \ No newline at end of file
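Review bot: `endpoints_enrollment`, `es_token` and `grid_enrollment` are credentials (enrollment keys and an Elastic auth token), yet their annotations carry only `global` and `helpLink`, so SOC will present them as ordinary editable, displayable settings; the strelka annotations earlier in this series use `readonly: True` and `advanced: True` for values that are not meant to be hand-edited, and the same treatment fits here unless operators are expected to rotate these manually, and if the annotation schema has a flag that masks a value in the UI it belongs on these three. The file also ends without a trailing newline (`\ No newline at end of file`); add one.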