Merge remote-tracking branch 'origin/2.4/dev' into guifixes

This commit is contained in:
m0duspwnens
2023-03-24 13:52:38 -04:00
38 changed files with 422 additions and 177 deletions


@@ -19,6 +19,8 @@ base:
'*_eval or *_heavynode or *_sensor or *_standalone or *_import':
- match: compound
- zeek
- bpf.soc_bpf
- bpf.adv_bpf
'*_managersearch or *_heavynode':
- match: compound


@@ -1,4 +1,5 @@
bpf:
pcap: []
suricata: []
zeek: []
pcap: []
suricata: []
zeek:
- ip or not ip

4
salt/bpf/pcap.map.jinja Normal file

@@ -0,0 +1,4 @@
{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
{% set PCAPBPF = BPFMERGED.pcap %}


@@ -1,10 +1,16 @@
bpf:
pcap:
description: List of BPF filters to apply to PCAP.
multiline: True
forcedType: "[]string"
helpLink: bpf.html
suricata:
description: List of BPF filters to apply to Suricata.
multiline: True
forcedType: "[]string"
helpLink: bpf.html
zeek:
description: List of BPF filters to apply to Zeek.
multiline: True
forcedType: "[]string"
helpLink: bpf.html


@@ -0,0 +1,4 @@
{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
{% set SURICATABPF = BPFMERGED.suricata %}

4
salt/bpf/zeek.map.jinja Normal file

@@ -0,0 +1,4 @@
{% import_yaml 'bpf/defaults.yaml' as BPFDEFAULTS %}
{% set BPFMERGED = salt['pillar.get']('bpf', BPFDEFAULTS.bpf, merge=True) %}
{% set ZEEKBPF = BPFMERGED.zeek %}


@@ -8,10 +8,12 @@
DEFAULT_SALT_DIR=/opt/so/saltstack/default
DOC_BASE_URL="https://docs.securityonion.net/en/2.4"
# Check for prerequisites
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!"
exit 1
if [ -z $NOROOT ]; then
# Check for prerequisites
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!"
exit 1
fi
fi
# Define a banner to separate sections
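Review bot: The new guard `if [ -z $NOROOT ]; then` leaves `$NOROOT` unquoted, so `[ -z ]` only passes by accident when the variable is unset and misparses if it ever holds whitespace; change it to `if [ -z "$NOROOT" ]; then`. NOROOT is also honoured when it merely arrives in the caller's environment, not only when a sourcing script sets it, so a non-root invocation with NOROOT exported will skip the check and fail later on the first privileged command with a less clear error. A one-line comment above the guard, `# NOROOT=1 lets unprivileged callers (e.g. the socore cron job) source this file without the root check`, would make that contract explicit.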


@@ -55,7 +55,7 @@ echo
# Strelka logs
echo
echo "Setting up Strelka package policy..."
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "strelka-logs", "name": "strelka-logs", "description": "Strelka logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/strelka/log/strelka.log" ], "data_stream.dataset": "file", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: file\n module: strelka", "custom": "pipeline: strelka.file" }}}}}}'
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "strelka-logs", "name": "strelka-logs", "description": "Strelka logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/nsm/strelka/log/strelka.log" ], "data_stream.dataset": "strelka", "tags": [],"processors": "- add_fields:\n target: event\n fields:\n category: file\n module: strelka", "custom": "pipeline: strelka.file" }}}}}}'
echo
# Syslog TCP Port 514
@@ -73,7 +73,7 @@ echo
# Kratos logs
echo
echo "Setting up Kratos package policy..."
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "kratos-logs", "name": "kratos-logs", "description": "Kratos logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kratos/kratos.log" ], "data_stream.dataset": "kratos", "tags": [],"processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- rename:\n fields:\n - from: \"audience\"\n to: \"event.dataset\"\n ignore_missing: true\n- add_fields:\n when:\n not: \n has_fields: ['event.dataset']\n target: ''\n fields:\n event.dataset: access", "custom": "pipeline: kratos" }}}}}}'
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "log", "version": "1.1.0" }, "id": "kratos-logs", "name": "kratos-logs", "description": "Kratos logs", "namespace": "so", "inputs": { "logs-logfile": { "enabled": true, "streams": { "log.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/kratos/kratos.log" ], "data_stream.dataset": "kratos", "tags": [],"custom":"pipeline: kratos","processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: iam\n module: kratos" }}}}}}'
echo
# RITA Logs
@@ -110,4 +110,28 @@ echo
echo
echo "Setting up IDH package policy..."
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"policy_id":"so-grid-nodes","package":{"name":"log","version":"1.1.1"},"id":"idh-logs","name":"idh-logs","namespace":"so","description":"IDH integration","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/nsm/idh/opencanary.log"],"data_stream.dataset":"idh","custom":"pipeline: common","processors": "\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- drop_fields:\n when:\n equals:\n logtype: \"1001\"\n fields: [\"src_host\", \"src_port\", \"dst_host\", \"dst_port\" ]\n ignore_missing: true\n- rename:\n fields:\n - from: \"src_host\"\n to: \"source.ip\"\n - from: \"src_port\"\n to: \"source.port\"\n - from: \"dst_host\"\n to: \"destination.host\"\n - from: \"dst_port\"\n to: \"destination.port\"\n ignore_missing: true\n- convert:\n fields:\n - {from: \"logtype\", to: \"event.code\", type: \"string\"}\n ignore_missing: true\n- drop_fields:\n fields: '\''[\"prospector\", \"input\", \"offset\", \"beat\"]'\''\n- add_fields:\n target: event\n fields:\n category: host\n module: opencanary","tags":[]}}}}}}'
echo
# SOC - Server logs
echo
echo "Setting up SOC - Server Logs package policy..."
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"package":{"name":"log","version":"1.1.2"},"name":"soc-server-logs","namespace":"so","description":"Security Onion Console Logs","policy_id":"so-grid-nodes","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/opt/so/log/soc/sensoroni-server.log"],"data_stream.dataset":"soc","custom":"pipeline: common","processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"soc\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: server\n- rename:\n fields:\n - from: \"soc.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"soc.fields.status\"\n to: \"http.response.status_code\"\n - from: \"soc.fields.method\"\n to: \"http.request.method\"\n - from: \"soc.fields.path\"\n to: \"url.path\"\n - from: \"soc.message\"\n to: \"event.action\"\n - from: \"soc.level\"\n to: \"log.level\"\n ignore_missing: true","tags":[]}}}}}}'
echo
# SOC - Sensoroni logs
echo
echo "Setting up SOC - Sensoroni Logs package policy..."
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"package":{"name":"log","version":"1.1.2"},"name":"soc-sensoroni-logs","namespace":"so","description":"Security Onion - Sensoroni - Logs","policy_id":"so-grid-nodes","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/opt/so/log/sensoroni/sensoroni.log"],"data_stream.dataset":"soc","custom":"pipeline: common","processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"sensoroni\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: sensoroni\n- rename:\n fields:\n - from: \"sensoroni.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"sensoroni.fields.status\"\n to: \"http.response.status_code\"\n - from: \"sensoroni.fields.method\"\n to: \"http.request.method\"\n - from: \"sensoroni.fields.path\"\n to: \"url.path\"\n - from: \"sensoroni.message\"\n to: \"event.action\"\n - from: \"sensoroni.level\"\n to: \"log.level\"\n ignore_missing: true","tags":[]}}}}}}'
echo
# SOC - Elastic Auth Sync logs
echo
echo "Setting up SOC - Elastic Auth Sync Logs package policy..."
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"package":{"name":"log","version":"1.1.2"},"name":"soc-auth-sync-logs","namespace":"so","description":"Security Onion - Elastic Auth Sync - Logs","policy_id":"so-grid-nodes","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/opt/so/log/soc/sync.log"],"data_stream.dataset":"soc","custom":"pipeline: common","processors": "- dissect:\n tokenizer: \"%{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: auth_sync","tags":[]}}}}}}'
echo
# SOC - Salt Relay logs
echo
echo "Setting up SOC - Salt_Relay Logs package policy..."
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"package":{"name":"log","version":"1.1.2"},"name":"soc-salt-relay-logs","namespace":"so","description":"Security Onion - Salt Relay - Logs","policy_id":"so-grid-nodes","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/opt/so/log/soc/salt-relay.log"],"data_stream.dataset":"soc","custom":"pipeline: common","processors": "- dissect:\n tokenizer: \"%{soc.ts} | %{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: salt_relay","tags":[]}}}}}}'
echo
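Review bot: None of the curl calls added for the SOC policies (L120, L125, L130, L135) checks the HTTP response, so a rejected or redirected POST (for example an expired `$SESSIONCOOKIE` being bounced to the login page) is silently treated as success; add `--fail` or capture the status with `-w '%{http_code}' -o /dev/null` and stop on a non-2xx result. The new policies also pin the `log` package at `"version":"1.1.2"` while the existing Strelka and Kratos policies use `1.1.0` and IDH uses `1.1.1`; if Fleet requires the named package version to be installed, only one of these sets can succeed on a given grid, so the versions are worth aligning. The script continues outside the hunk.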


@@ -97,9 +97,9 @@ salt-call state.apply elasticfleet queue=True
/usr/sbin/so-elastic-fleet-integration-policy-load
# Temp
wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-darwin-x86_64.tar.gz
wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-linux-x86_64.tar.gz
wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.4.1/so-elastic-agent-8.4.1-windows-x86_64.tar.gz
wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.6.2/so-elastic-agent-8.6.2-darwin-x86_64.tar.gz
wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.6.2/so-elastic-agent-8.6.2-linux-x86_64.tar.gz
wget --progress=bar:force:noscroll -P /opt/so/saltstack/default/salt/elasticfleet/files/elastic-agent/ https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/so_elastic-agent-8.6.2/so-elastic-agent-8.6.2-windows-x86_64.tar.gz
#git clone -b 2.4-so-elastic-agent https://github.com/Security-Onion-Solutions/securityonion-image.git
#cd securityonion-image/so-elastic-agent-builder


@@ -129,10 +129,6 @@ function add_elastic_to_minion() {
printf '%s\n'\
"elasticsearch:"\
" esheap: '$ES_HEAP_SIZE'"\
" config:"\
" node:"\
" attr:"\
" box_type: hot"\
" " >> $PILLARFILE
}
@@ -206,6 +202,12 @@ function add_sensor_to_minion() {
echo " enabled: True" >> $PILLARFILE
}
function updateMine() {
salt "$MINION_ID" mine.send network.ip_addrs interface="$MNIC"
}
function apply_ES_state() {
salt-call state.apply elasticsearch concurrent=True
}
function createEVAL() {
add_elastic_to_minion
add_logstash_to_minion
@@ -245,6 +247,8 @@ function createSENSOR() {
function createSEARCHNODE() {
add_elastic_to_minion
add_logstash_to_minion
updateMine
apply_ES_state
}
function createSTANDALONE() {
@@ -297,4 +301,4 @@ fi
if [[ "$OPERATION" = 'test' ]]; then
testminion
fi
fi
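Review bot: The new `updateMine` and `apply_ES_state` helpers return whatever `salt`/`salt-call` exits with, but `createSEARCHNODE` calls them unconditionally, so a failed `mine.send` is never noticed before the Elasticsearch state is applied and the script still reports success; consider `updateMine || return 1` and `apply_ES_state || return 1`, or rely on `set -e` if the script already enables it. `concurrent=True` on `state.apply` bypasses Salt's state-run lock, presumably because the minion may already be mid-highstate at this point; a one-line comment saying so would help the next reader. `$MNIC` and `$MINION_ID` are set outside the hunk.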


@@ -340,7 +340,7 @@ check_os_updates() {
clean_dockers() {
# Place Holder for cleaning up old docker images
echo "Trying to clean up old dockers."
docker system prune -a -f
docker system prune -a -f --volumes
}
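Review bot: Adding `--volumes` to `docker system prune -a -f` deletes every volume that is not attached to a running container at the moment `clean_dockers` runs, not just dangling images; if any component relies on a Docker-managed volume and its container happens to be stopped at that point in the upgrade, that data is destroyed with it. Unless the surrounding flow guarantees all containers are up here (not visible in the hunk), consider pruning volumes by label or explicit name instead, and at minimum replace the placeholder comment with the assumption, e.g. `# assumes all SO containers are running: --volumes removes any volume not currently in use`. The callers of `clean_dockers` are outside the hunk.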


@@ -4,26 +4,23 @@
{% set HIGHLANDER = salt['pillar.get']('global:highlander', False) %}
{% if grains.id.split('_') | last in ['manager','managersearch'] %}
{% if grains.id.split('_') | last in ['manager','managersearch','standalone'] %}
{% if LOGSTASH_NODES | length > 1 %}
{% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data', 'remote_cluster_client']}) %}
{% if HIGHLANDER %}
{% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'transform']) %}
{% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': []}}) %}
{% for NODE in LOGSTASH_NODES %}
{% do ESCONFIG.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %}
{% endfor %}
{% if grains.id.split('_') | last == 'manager' %}
{% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master','data','remote_cluster_client']}) %}
{% else %}
{% do ESCONFIG.elasticsearch.config.node.update({'roles': ['master', 'data_hot', 'remote_cluster_client']}) %}
{% endif %}
{% endif %}
{% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': []}}) %}
{% for NODE in LOGSTASH_NODES %}
{% do ESCONFIG.elasticsearch.config.discovery.seed_hosts.append(NODE.keys()|first) %}
{% endfor %}
{% endif %}
{% if grains.id.split('_') | last == 'manager' %}
{% do ESCONFIG.elasticsearch.config.node.attr.update({'box_type': ''}) %}
{% endif %}
{% elif grains.id.split('_') | last not in ['eval', 'standalone', 'import'] %}
{% do ESCONFIG.elasticsearch.config.node.update({'roles': ['data', 'ingest']}) %}
{% elif grains.id.split('_') | last == 'searchnode' %}
{% do ESCONFIG.elasticsearch.config.node.update({'roles': ['data_hot', 'ingest']}) %}
{% if HIGHLANDER %}
{% do ESCONFIG.elasticsearch.config.node.roles.extend(['ml', 'master', 'transform']) %}
{% endif %}
{% do ESCONFIG.elasticsearch.config.node.attr.update({'box_type': 'hot'}) %}
{% do ESCONFIG.elasticsearch.config.update({'discovery': {'seed_hosts': [GLOBALS.manager]}}) %}
{% endif %}
{% if HIGHLANDER %}
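Review bot: If I read the sides correctly, the `elif grains.id.split('_') | last not in ['eval', 'standalone', 'import']` branch has been narrowed to `elif grains.id.split('_') | last == 'searchnode'`, which means a heavynode (and any other non-manager role that runs Elasticsearch) no longer receives node roles, the `box_type: hot` attribute or the `seed_hosts` entry pointing at the manager. With `box_type` also removed from `elasticsearch/defaults.yaml` in this commit, such nodes would end up with no `node.attr.box_type` at all; please confirm that is intended or widen the condition to the roles that still run ES. The `if`/`elif` chain continues outside the hunk.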


@@ -1,8 +1,6 @@
elasticsearch:
config:
node:
attr:
box_type: hot
node: {}
cluster:
routing:
allocation:
@@ -57,7 +55,75 @@ elasticsearch:
elasticsearch:
deprecation: ERROR
index_settings:
so-logs-elastic_agent.apm_server:
so-logs:
index_sorting: False
index_template:
index_patterns:
- "logs-*-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5001
sort:
field: "@timestamp"
order: desc
mappings:
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
composed_of:
- "so-data-streams-mappings"
- "so-logs-mappings"
- "so-logs-settings"
priority: 225
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
logs-osquery-manager:
index_sorting: False
index_template:
index_patterns:
- ".logs-osquery*"
template:
settings:
index:
number_of_replicas: 0
priority: 501
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
logs-elastic_agent.apm_server:
index_sorting: False
index_template:
index_patterns:
@@ -79,8 +145,8 @@ elasticsearch:
managed_by: security_onion
managed: true
composed_of:
- "so-logs-elastic_agent.apm_server@package"
- "so-logs-elastic_agent.apm_server@custom"
- "logs-elastic_agent.apm_server@package"
- "logs-elastic_agent.apm_server@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
@@ -111,7 +177,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.auditbeat:
logs-elastic_agent.auditbeat:
index_sorting: False
index_template:
index_patterns:
@@ -133,8 +199,8 @@ elasticsearch:
managed_by: security_onion
managed: true
composed_of:
- "so-logs-elastic_agent.auditbeat@package"
- "so-logs-elastic_agent.auditbeat@custom"
- "logs-elastic_agent.auditbeat@package"
- "logs-elastic_agent.auditbeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
@@ -165,7 +231,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.cloudbeat:
logs-elastic_agent.cloudbeat:
index_sorting: False
index_template:
index_patterns:
@@ -187,8 +253,8 @@ elasticsearch:
managed_by: security_onion
managed: true
composed_of:
- "so-logs-elastic_agent.cloudbeat@package"
- "so-logs-elastic_agent.cloudbeat@custom"
- "logs-elastic_agent.cloudbeat@package"
- "logs-elastic_agent.cloudbeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
@@ -216,7 +282,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.endpoint_security:
logs-elastic_agent.endpoint_security:
index_sorting: False
index_template:
index_patterns:
@@ -238,8 +304,8 @@ elasticsearch:
managed_by: security_onion
managed: true
composed_of:
- "so-logs-elastic_agent.endpoint_security@package"
- "so-logs-elastic_agent.endpoint_security@custom"
- "logs-elastic_agent.endpoint_security@package"
- "logs-elastic_agent.endpoint_security@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
@@ -270,7 +336,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.filebeat:
logs-elastic_agent.filebeat:
index_sorting: False
index_template:
index_patterns:
@@ -292,11 +358,14 @@ elasticsearch:
managed_by: security_onion
managed: true
composed_of:
- "so-logs-elastic_agent.filebeat@package"
- "so-logs-elastic_agent.filebeat@custom"
- "logs-elastic_agent.filebeat@package"
- "logs-elastic_agent.filebeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
@@ -321,7 +390,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.fleet_server:
logs-elastic_agent.fleet_server:
index_sorting: False
index_template:
index_patterns:
@@ -343,8 +412,8 @@ elasticsearch:
managed_by: security_onion
managed: true
composed_of:
- "so-logs-elastic_agent.fleet_server@package"
- "so-logs-elastic_agent.fleet_server@custom"
- "logs-elastic_agent.fleet_server@package"
- "logs-elastic_agent.fleet_server@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
@@ -375,7 +444,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.heartbeat:
logs-elastic_agent.heartbeat:
index_sorting: False
index_template:
index_patterns:
@@ -397,8 +466,8 @@ elasticsearch:
managed_by: security_onion
managed: true
composed_of:
- "so-logs-elastic_agent.heartbeat@package"
- "so-logs-elastic_agent.heartbeat@custom"
- "logs-elastic_agent.heartbeat@package"
- "logs-elastic_agent.heartbeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
@@ -426,7 +495,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent:
logs-elastic_agent:
index_sorting: False
index_template:
index_patterns:
@@ -448,8 +517,8 @@ elasticsearch:
managed_by: security_onion
managed: true
composed_of:
- "so-logs-elastic_agent@package"
- "so-logs-elastic_agent@custom"
- "logs-elastic_agent@package"
- "logs-elastic_agent@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
@@ -480,7 +549,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.metricbeat:
logs-elastic_agent.metricbeat:
index_sorting: False
index_template:
index_patterns:
@@ -502,8 +571,8 @@ elasticsearch:
managed_by: security_onion
managed: true
composed_of:
- "so-logs-elastic_agent.metricbeat@package"
- "so-logs-elastic_agent.metricbeat@custom"
- "logs-elastic_agent.metricbeat@package"
- "logs-elastic_agent.metricbeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
@@ -534,7 +603,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.osquerybeat:
logs-elastic_agent.osquerybeat:
index_sorting: False
index_template:
index_patterns:
@@ -556,8 +625,8 @@ elasticsearch:
managed_by: security_onion
managed: true
composed_of:
- "so-logs-elastic_agent.osquerybeat@package"
- "so-logs-elastic_agent.osquerybeat@custom"
- "logs-elastic_agent.osquerybeat@package"
- "logs-elastic_agent.osquerybeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
@@ -588,7 +657,7 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.packetbeat:
logs-elastic_agent.packetbeat:
index_sorting: False
index_template:
index_patterns:
@@ -610,8 +679,8 @@ elasticsearch:
managed_by: security_onion
managed: true
composed_of:
- "so-logs-elastic_agent.packetbeat@package"
- "so-logs-elastic_agent.packetbeat@custom"
- "logs-elastic_agent.packetbeat@package"
- "logs-elastic_agent.packetbeat@custom"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 200
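Review bot: The new `so-logs` template matches `logs-*-*` at `priority: 225`, which is higher than the `priority: 200` used by every `logs-elastic_agent.*` template in this file; Elasticsearch applies the highest-priority matching index template, so where those patterns overlap the catch-all would shadow the integration-specific templates and their `composed_of` package components would never apply. If the intent is that the Fleet integration templates take precedence, the catch-all priority should sit below 200 (Elastic's own built-in `logs` template uses a lower priority for exactly this reason); either way a comment on `so-logs` stating the intended ordering would keep the next change from breaking it. `number_of_replicas: 0` in the catch-all also reaches every matching data stream, which is worth documenting given the multi-node searchnode path this same commit is building.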


@@ -57,7 +57,8 @@
{ "convert": { "field": "log.id.uid", "type": "string", "ignore_failure": true, "ignore_missing": true } },
{ "convert": { "field": "agent.id", "type": "string", "ignore_failure": true, "ignore_missing": true } },
{ "convert": { "field": "event.severity", "type": "integer", "ignore_failure": true, "ignore_missing": true } },
{ "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset" ], "ignore_missing": true, "ignore_failure": true } }
{ "set": { "field": "event.dataset", "ignore_empty_value":true, "copy_from":"event.dataset_temp" }},
{ "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp" ], "ignore_missing": true, "ignore_failure": true } }
{%- endraw %}
{%- if HIGHLANDER %}
,


@@ -1,7 +1,9 @@
{
"description" : "kratos",
"processors" : [
{ "set": { "field": "event.dataset", "value": "access" } },
{"set":{"field":"audience","value":"access","override":false,"ignore_failure":true}},
{"set":{"field":"event.dataset","ignore_empty_value":true,"ignore_failure":true,"value":"kratos.{{{audience}}}","media_type":"text/plain"}},
{"set":{"field":"event.action","ignore_failure":true,"copy_from":"msg" }},
{ "pipeline": { "name": "common" } }
]
}
}
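Review bot: `event.dataset` is now rendered from the log field `audience` via `kratos.{{{audience}}}`, while the saved `SOC - Auth` query in `soc/defaults.yaml` (also touched in this commit) still filters on `event.dataset:audit`; if `event.dataset` is a keyword field that exact-match query will no longer hit `kratos.audit`, so one side should change, e.g. `event.dataset:kratos.audit`. The triple-mustache passes through whatever value the log line carries, so any unexpected `audience` string silently becomes a new dataset name; the `override:false` default on the line above only covers the case where the field is missing. The duplicated closing brace at the end is presumably a trailing-newline change rather than a syntax problem.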


@@ -1,6 +1,7 @@
{
"description" : "strelka",
"processors" : [
{ "set": { "field": "event.dataset", "value": "file" } },
{ "json": { "field": "message", "target_field": "message2", "ignore_failure": true } },
{ "rename": { "field": "message2.file", "target_field": "file", "ignore_missing": true } },
{ "rename": { "field": "message2.scan", "target_field": "scan", "ignore_missing": true } },


@@ -0,0 +1,67 @@
{
"template": {
"mappings": {
"dynamic_templates": [
{
"match_ip": {
"mapping": {
"type": "ip"
},
"match_mapping_type": "string",
"match": "ip"
}
},
{
"match_message": {
"mapping": {
"type": "match_only_text"
},
"match_mapping_type": "string",
"match": "message"
}
},
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false,
"properties": {
"@timestamp": {
"type": "date"
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"data_stream": {
"properties": {
"namespace": {
"type": "constant_keyword"
},
"dataset": {
"type": "constant_keyword"
}
}
},
"host": {
"type": "object"
}
}
}
},
"version": 2,
"_meta": {
"managed": true,
"description": "general mapping conventions for data streams"
}
}


@@ -0,0 +1,21 @@
{
"template": {
"mappings": {
"properties": {
"data_stream": {
"properties": {
"type": {
"type": "constant_keyword",
"value": "logs"
}
}
}
}
}
},
"version": 2,
"_meta": {
"managed": true,
"description": "default mappings for the logs index template installed by x-pack"
}
}


@@ -0,0 +1,22 @@
{
"template": {
"settings": {
"index": {
"lifecycle": {
"name": "logs"
},
"codec": "best_compression",
"query": {
"default_field": [
"message"
]
}
}
}
},
"version": 2,
"_meta": {
"managed": true,
"description": "default settings for the logs index template installed by x-pack"
}
}
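Review bot: This component template pins `index.lifecycle.name` to `logs`, but the new `so-logs` index template in `elasticsearch/defaults.yaml` that composes it also carries its own `policy` block with hot/cold/delete phases; unless the template loader injects the policy name into the index template's own settings, indices created from `logs-*-*` will follow Elastic's built-in `logs` ILM policy and the 365-day retention defined in the pillar will never apply. If the loader does set it, say so here, e.g. extend the description to `"... lifecycle name is overridden by the index template's policy"`; if it does not, the name here should match the installed policy. The loader script is not part of this section.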


@@ -2,13 +2,6 @@
"template": {
"settings": {
"index": {
"routing": {
"allocation": {
"require": {
"box_type": "hot"
}
}
},
"mapping": {
"total_fields": {
"limit": "3000"


@@ -2,13 +2,6 @@
"template": {
"settings": {
"index": {
"routing": {
"allocation": {
"require": {
"box_type": "hot"
}
}
},
"mapping": {
"total_fields": {
"limit": "3000"


@@ -31,8 +31,11 @@ if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then
echo
echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'"
echo
exit 1
fi
set -e
cd ${ELASTICSEARCH_TEMPLATES}/component/ecs
echo "Loading ECS component templates..."


@@ -295,6 +295,7 @@ role:
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
heavynodes:
portgroups:
@@ -303,6 +304,7 @@ role:
- {{ portgroups.sensoroni }}
- {{ portgroups.yum }}
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
@@ -355,47 +357,6 @@ role:
heavynodes:
portgroups:
- {{ portgroups.salt_manager }}
helixsensor:
chain:
DOCKER-USER:
hostgroups:
manager:
portgroups:
- {{ portgroups.playbook }}
- {{ portgroups.mysql }}
- {{ portgroups.kibana }}
- {{ portgroups.redis }}
- {{ portgroups.influxdb }}
- {{ portgroups.elasticsearch_rest }}
- {{ portgroups.elasticsearch_node }}
sensors:
portgroups:
- {{ portgroups.beats_5044 }}
- {{ portgroups.beats_5644 }}
searchnodes:
portgroups:
- {{ portgroups.redis }}
- {{ portgroups.elasticsearch_node }}
self:
portgroups:
- {{ portgroups.syslog}}
beats_endpoint:
portgroups:
- {{ portgroups.beats_5044 }}
analyst:
portgroups:
- {{ portgroups.nginx }}
INPUT:
hostgroups:
anywhere:
portgroups:
- {{ portgroups.ssh }}
dockernet:
portgroups:
- {{ portgroups.all }}
localhost:
portgroups:
- {{ portgroups.all }}
searchnode:
chain:
DOCKER-USER:
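Review bot: The two added `- {{ portgroups.elasticsearch_rest }}` entries open the Elasticsearch REST port from the `heavynodes` hostgroup and the hostgroup above it (name outside the hunk) to this role, a wider exposure than the node-transport port those hostgroups already had; nothing in the hunk says which component needs REST access from those hosts. A comment next to each addition naming the consumer, e.g. `# <component> on searchnodes needs the manager's ES REST API`, would record the justification and make it easy to close again if that dependency goes away. The `helixsensor` removal is straightforward; the enclosing `role:` map continues outside the hunk.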


@@ -0,0 +1,5 @@
manager:
reposync:
enabled: True
hour: 3
minute: 0


@@ -4,7 +4,7 @@
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
NOROOT=1
. /usr/sbin/so-common
set_version
@@ -12,5 +12,5 @@ set_os
salt_minion_count
curl --retry 5 --retry-delay 60 -A 'checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT' https://sigs.securityonion.net/checkup --output /tmp/checkup
dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/
dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/
createrepo /nsm/repo
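Review bot: With `NOROOT=1` this script now runs unprivileged from the socore cron job, but the check-in line `curl ... --output /tmp/checkup` writes to a fixed, predictable path in a world-writable directory; for a recurring non-root job that is the classic pre-existing-file problem, so write to a `mktemp` file or into `/opt/so/log/reposync` instead. The same line single-quotes the user agent `-A 'checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT'`, so those variables are sent literally rather than expanded; double quotes are needed if the values are meant to reach the server. Both lines are context here, so this predates the commit, but the move to an unprivileged user is what makes the `/tmp` path matter now.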


@@ -7,6 +7,8 @@
{% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'strelka/map.jinja' import STRELKAMERGED %}
{% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %}
{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=true) %}
include:
- salt.minion
@@ -14,6 +16,52 @@ include:
- manager.sync_es_users
- manager.elasticsearch
repo_log_dir:
file.directory:
- name: /opt/so/log/reposync
- user: socore
- group: socore
- recurse:
- user
- group
repo_conf_dir:
file.directory:
- name: /opt/so/conf/reposync
- user: socore
- group: socore
- recurse:
- user
- group
repo_dir:
file.directory:
- name: /nsm/repo
- user: socore
- group: socore
- recurse:
- user
- group
repo_sync_script:
file.managed:
- name: /usr/sbin/so-repo-sync
- source: salt://manager/files/so-repo-sync
- user: root
- group: root
- mode: 755
reposync_cron:
{% if MANAGERMERGED.reposync.enabled %}
cron.present:
{% else %}
cron.absent:
{% endif %}
- user: socore
- name: '/usr/sbin/so-repo-sync >> /opt/so/log/reposync/reposync.log 2>&1'
- hour: '{{ MANAGERMERGED.reposync.hour }}'
- minute: '{{ MANAGERMERGED.reposync.minute }}'
socore_own_saltstack:
file.directory:
- name: /opt/so/saltstack
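Review bot: `reposync_cron` uses `cron.present`/`cron.absent` without an `- identifier:`, so Salt matches the entry by the full command string; if the log path or command in `- name:` ever changes, the old socore crontab line is left behind and both run, and the `cron.absent` branch only removes an entry whose name still matches byte for byte. Add `- identifier: reposync` to the state (valid for both functions). Installing the script `root:root` mode `755` while the cron runs as socore is the right direction, since the scheduled user cannot alter what it executes; the `/opt/so/conf/reposync` directory it reads is socore-owned, which is acceptable but worth a short comment. The `include:` block continues outside the hunk.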


@@ -1,4 +1,17 @@
manager:
reposync:
enabled:
description: This is the daily task of syncing the Security Onion OS packages. It is recommended that you leave this enabled.
global: True
helpLink: manager.html
hour:
description: The hour of the day in which the repo sync takes place.
global: True
helpLink: manager.html
minute:
description: The minute within the hour to run the repo sync.
global: True
helpLink: manager.html
elastalert:
description: Enable elastalert 1=enabled 0=disabled.
global: True


@@ -9,8 +9,8 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from "pcap/map.jinja" import STENOOPTIONS with context %}
{% from "pcap/config.map.jinja" import PCAPMERGED with context %}
{% set INTERFACE = salt['pillar.get']('sensor:interface', 'bond0') %}
{% set BPF_STENO = salt['pillar.get']('bpf:pcap', None) %}
{% from 'bpf/pcap.map.jinja' import PCAPBPF %}
{% set BPF_COMPILED = "" %}
# PCAP Section
@@ -33,8 +33,8 @@ stenoconfdir:
- group: 939
- makedirs: True
{% if BPF_STENO %}
{% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', INTERFACE + ' ' + BPF_STENO|join(" "),cwd='/root') %}
{% if PCAPBPF %}
{% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + PCAPBPF|join(" "),cwd='/root') %}
{% if BPF_CALC['stderr'] == "" %}
{% set BPF_COMPILED = ",\\\"--filter=" + BPF_CALC['stdout'] + "\\\"" %}
{% else %}
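Review bot: `PCAPBPF|join(" ")` is concatenated unquoted into the argument string handed to `cmd.script`, and `soc_bpf.yaml` in this commit exposes `bpf.pcap` as a user-editable list in the SOC UI; if `cmd.script` passes that string through a shell (Salt's default), the filter text should be validated as BPF syntax or each element shell-quoted before it reaches `/usr/sbin/so-bpf-compile`. The same pattern appears in `suricata/init.sls` with `SURICATABPF` and should get the same treatment. The `if BPF_CALC['stderr'] == ""` branch continues outside the hunk.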


@@ -17,7 +17,7 @@
{% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
{% endif %}
{% set INSTALLEDSALTVERSION = salt['pkg.version']('salt-minion').split(SPLITCHAR)[0] %}
{% set INSTALLEDSALTVERSION = grains.saltversion %}
{% if grains.saltversion|string != SALTVERSION|string %}
{% if grains.os|lower in ['Rocky', 'redhat'] %}


@@ -1123,10 +1123,14 @@ soc:
description: Show all events grouped by module and dataset
query: '* | groupby event.module* event.dataset'
showSubtitle: true
- name: SOC Auth
- name: SOC - Auth
description: Users authenticated to SOC grouped by IP address and identity
query: 'event.module:kratos AND event.dataset:audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id'
showSubtitle: true
- name: SOC - App
description: Logs generated by the Security Onion Console (SOC) server and modules
query: 'event.module: "soc" | groupby event.module* event.dataset* log.level* | groupby agent.name | groupby event.action* | groupby "http.request.method" | groupby "url.path"'
showSubtitle: true
- name: Elastalerts
description: ''
query: '_type:elastalert | groupby rule.name'
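Review bot: The new `SOC - App` query writes its module match as `event.module: "soc"` (space and quotes) while the adjacent `SOC - Auth` preset uses the bare `event.module:kratos` form; if both parse, the mixed styles in neighbouring presets are a readability cost and `event.module:soc | groupby ...` would follow the file's convention. The groupby clauses likewise mix quoted (`"http.request.method"`) and unquoted (`event.action*`) field names; if the quoting is required for those particular fields, a short comment saying so would stop the next editor "normalising" it away.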


@@ -9,11 +9,9 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from "suricata/map.jinja" import SURICATAOPTIONS with context %}
{% set interface = salt['pillar.get']('sensor:interface') %}
{% set BPF_NIDS = salt['pillar.get']('bpf:suricata', None) %}
{% from 'bpf/suricata.map.jinja' import SURICATABPF %}
{% set BPF_STATUS = 0 %}
{# import_yaml 'suricata/files/defaults2.yaml' as suricata #}
{% from 'suricata/suricata_config.map.jinja' import suricata_defaults as suricata_config with context %}
{% from "suricata/map.jinja" import START with context %}
@@ -109,8 +107,8 @@ surithresholding:
- template: jinja
# BPF compilation and configuration
{% if BPF_NIDS %}
{% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', interface + ' ' + BPF_NIDS|join(" "),cwd='/root') %}
{% if SURICATABPF %}
{% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + SURICATABPF|join(" "),cwd='/root') %}
{% if BPF_CALC['stderr'] == "" %}
{% set BPF_STATUS = 1 %}
{% else %}
@@ -128,7 +126,7 @@ suribpf:
- user: 940
- group: 940
{% if BPF_STATUS %}
- contents_pillar: nids:bpf
- contents: {{ SURICATABPF }}
{% else %}
- contents:
- ""
@@ -141,7 +139,7 @@ so-suricata:
- start: {{ SURICATAOPTIONS.start }}
- privileged: True
- environment:
- INTERFACE={{ interface }}
- INTERFACE={{ GLOBALS.sensor.interface }}
- binds:
- /opt/so/conf/suricata/suricata.yaml:/etc/suricata/suricata.yaml:ro
- /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro
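Review bot: `- contents: {{ SURICATABPF }}` renders the Jinja list through its Python repr, so a filter entry containing quote characters could yield YAML that fails to render, and whatever does render is written verbatim to the file Suricata reads as its BPF; the replaced `contents_pillar: nids:bpf` form did not re-serialise the value. Now that the list is pillar-sourced through the new bpf map file and therefore user-editable, explicit serialisation, e.g. `- contents: {{ SURICATABPF | yaml }}` if Salt's yaml filter is available in this version, or validation of each entry before it reaches `so-bpf-compile`, would be safer. The zeek section below has the same `- contents: {{ ZEEKBPF }}` construct. The failure fallback is `- ""` here but `- "ip or not ip"` for zeek; confirm Suricata treats an empty BPF file as "no filter" rather than as an error.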


@@ -22,6 +22,7 @@ base:
- cron.running
- repo.client
- ntp
- schedule
'not G@saltversion:{{saltversion}}':
- match: compound
@@ -57,7 +58,6 @@ base:
{%- if STRELKA %}
- strelka
{%- endif %}
- schedule
- docker_clean
- elasticfleet.install_agent_grid
@@ -100,7 +100,6 @@ base:
- elastalert
{%- endif %}
- utility
- schedule
- soctopus
{%- if PLAYBOOK != 0 %}
- playbook
@@ -144,7 +143,6 @@ base:
- elastalert
{%- endif %}
- utility
- schedule
- soctopus
- playbook
- elasticfleet
@@ -195,7 +193,6 @@ base:
- elastalert
{%- endif %}
- utility
- schedule
- soctopus
- playbook
- elasticfleet
@@ -214,7 +211,6 @@ base:
{%- if LOGSTASH %}
- logstash
{%- endif %}
- schedule
- elasticfleet.install_agent_grid
- docker_clean
@@ -254,7 +250,6 @@ base:
- elastalert
{%- endif %}
- utility
- schedule
- soctopus
- playbook
- elasticfleet
@@ -285,7 +280,6 @@ base:
{%- if ZEEKVER != 'SURICATA' %}
- zeek
{%- endif %}
- schedule
- elasticfleet.install_agent_grid
- docker_clean
@@ -316,7 +310,6 @@ base:
- utility
- suricata
- zeek
- schedule
- elasticfleet
- docker_clean
@@ -332,7 +325,6 @@ base:
{%- if REDIS %}
- redis
{%- endif %}
- schedule
- elasticfleet.install_agent_grid
- docker_clean
@@ -342,7 +334,6 @@ base:
- sensoroni
- telegraf
- firewall
- schedule
- elasticfleet.install_agent_grid
- docker_clean
- idh
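Review bot: Adding `- schedule` to the first target list applies it to every minion that matches that target, whose selector sits above the first hunk; the per-role deletions below only cover roles that previously listed it, so any role matched by the common target that did not carry `- schedule` before now picks it up. Confirm that widening is intended, and mark the new line with `# schedule applies to all nodes here; do not re-add per role` so it is not reintroduced in a role list later. The rest of the top file is outside the visible hunks.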


@@ -1,10 +1,12 @@
{% from 'vars/elasticsearch.map.jinja' import ELASTICSEARCH_GLOBALS %}
{% from 'vars/sensor.map.jinja' import SENSOR_GLOBALS %}
{% set ROLE_GLOBALS = {} %}
{% set EVAL_GLOBALS =
[
ELASTICSEARCH_GLOBALS
ELASTICSEARCH_GLOBALS,
SENSOR_GLOBALS
]
%}


@@ -1,12 +1,14 @@
{% from 'vars/elasticsearch.map.jinja' import ELASTICSEARCH_GLOBALS %}
{% from 'vars/logstash.map.jinja' import LOGSTASH_GLOBALS %}
{% from 'vars/sensor.map.jinja' import SENSOR_GLOBALS %}
{% set ROLE_GLOBALS = {} %}
{% set STANDALONE_GLOBALS =
[
ELASTICSEARCH_GLOBALS,
LOGSTASH_GLOBALS
LOGSTASH_GLOBALS,
SENSOR_GLOBALS
]
%}


@@ -102,4 +102,3 @@ zeek:
- application/vnd.ms-powerpoint.presentation.macroenabled.12: doc
- application/vnd.ms-powerpoint.slideshow.macroenabled.12: doc
- application/vnd.openxmlformats-officedocument: doc
bpf: []


@@ -10,6 +10,8 @@
{% from "zeek/config.map.jinja" import ZEEKOPTIONS with context %}
{% from "zeek/config.map.jinja" import ZEEKMERGED with context %}
{% from 'bpf/zeek.map.jinja' import ZEEKBPF %}
{% set BPF_STATUS = 0 %}
# Zeek Salt State
@@ -162,8 +164,8 @@ zeekpacketlosscron:
- dayweek: '*'
# BPF compilation and configuration
{% if ZEEKMERGED.zeek.bpf %}
{% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKMERGED.zeek.bpf|join(" "),cwd='/root') %}
{% if ZEEKBPF %}
{% set BPF_CALC = salt['cmd.script']('/usr/sbin/so-bpf-compile', GLOBALS.sensor.interface + ' ' + ZEEKBPF|join(" "),cwd='/root') %}
{% if BPF_CALC['stderr'] == "" %}
{% set BPF_STATUS = 1 %}
{% else %}
@@ -181,7 +183,7 @@ zeekbpf:
- user: 940
- group: 940
{% if BPF_STATUS %}
- contents: {{ ZEEKMERGED.bpf }}
- contents: {{ ZEEKBPF }}
{% else %}
- contents:
- "ip or not ip"


@@ -1967,28 +1967,28 @@ repo_sync_local() {
# Check for reposync
info "Backing up old repos"
mkdir -p /nsm/repo
mkdir -p /root/reposync_cache
echo "[main]" > /root/repodownload.conf
echo "gpgcheck=1" >> /root/repodownload.conf
echo "installonly_limit=3" >> /root/repodownload.conf
echo "clean_requirements_on_remove=True" >> /root/repodownload.conf
echo "best=True" >> /root/repodownload.conf
echo "skip_if_unavailable=False" >> /root/repodownload.conf
echo "cachedir=/root/reposync_cache" >> /root/repodownload.conf
echo "keepcache=0" >> /root/repodownload.conf
echo "[securityonionsync]" >> /root/repodownload.conf
echo "name=Security Onion Repo repo" >> /root/repodownload.conf
echo "baseurl=https://repo.securityonion.net/file/securityonion-repo/2.4/" >> /root/repodownload.conf
echo "enabled=1" >> /root/repodownload.conf
echo "gpgcheck=1" >> /root/repodownload.conf
echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf
mkdir -p /opt/so/conf/reposync/cache
echo "[main]" > /opt/so/conf/reposync/repodownload.conf
echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf
echo "clean_requirements_on_remove=True" >> /opt/so/conf/reposync/repodownload.conf
echo "best=True" >> /opt/so/conf/reposync/repodownload.conf
echo "skip_if_unavailable=False" >> /opt/so/conf/reposync/repodownload.conf
echo "cachedir=/opt/so/conf/reposync/cache" >> /opt/so/conf/reposync/repodownload.conf
echo "keepcache=0" >> /opt/so/conf/reposync/repodownload.conf
echo "[securityonionsync]" >> /opt/so/conf/reposync/repodownload.conf
echo "name=Security Onion Repo repo" >> /opt/so/conf/reposync/repodownload.conf
echo "baseurl=https://repo.securityonion.net/file/securityonion-repo/2.4/" >> /opt/so/conf/reposync/repodownload.conf
echo "enabled=1" >> /opt/so/conf/reposync/repodownload.conf
echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf
echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /opt/so/conf/reposync/repodownload.conf
logCmd "dnf repolist"
# Make sure we can get to the sig repo
logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup"
logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/"
logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/install"
logCmd "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/"
# Run it again and make sure we got allt he things
logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/"
logCmd "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/"
# After the download is complete run createrepo
create_repo
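Review bot: `--output /tmp/install` writes a fixed, predictable name in the world-writable `/tmp` while the script runs as root, and as far as the hunk shows the file is never read back; that is the classic insecure temporary-file pattern (symlink following), so prefer `--output /dev/null` or a path under the new `/opt/so/conf/reposync/` directory created a few lines earlier. That directory is created with a bare `mkdir -p` and no explicit mode, so `repodownload.conf` inherits the process umask; `install -d -m 700 /opt/so/conf/reposync` (or a `chmod 700` after the mkdir) would keep the mirror configuration root-only, matching its former home under `/root`. The old `/root/repodownload.conf` and `/root/reposync_cache` are not removed, so upgraded installs keep a stale copy. repo_sync_local continues outside the hunk.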


@@ -976,7 +976,7 @@ whiptail_manager_unreachable() {
Run the following on the manager:
so-firewall-minion --role=$install_type --ip=$MAINIP
sudo so-firewall-minion --role=$install_type --ip=$MAINIP
Would you like to retry?
EOM