diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml
index 2500c604a..eaafd45ca 100644
--- a/salt/firewall/assigned_hostgroups.map.yaml
+++ b/salt/firewall/assigned_hostgroups.map.yaml
@@ -480,3 +480,51 @@ role:
 localhost:
 portgroups:
 - {{ portgroups.all }}
+ importpcap:
+ chain:
+ DOCKER-USER:
+ hostgroups:
+ manager:
+ portgroups:
+ - {{ portgroups.kibana }}
+ - {{ portgroups.redis }}
+ - {{ portgroups.influxdb }}
+ - {{ portgroups.elasticsearch_rest }}
+ - {{ portgroups.elasticsearch_node }}
+ sensor:
+ portgroups:
+ - {{ portgroups.beats_5044 }}
+ - {{ portgroups.beats_5644 }}
+ search_node:
+ portgroups:
+ - {{ portgroups.redis }}
+ - {{ portgroups.elasticsearch_node }}
+ self:
+ portgroups:
+ - {{ portgroups.syslog}}
+ beats_endpoint:
+ portgroups:
+ - {{ portgroups.beats_5044 }}
+ beats_endpoint_ssl:
+ portgroups:
+ - {{ portgroups.beats_5644 }}
+ elasticsearch_rest:
+ portgroups:
+ - {{ portgroups.elasticsearch_rest }}
+ analyst:
+ portgroups:
+ - {{ portgroups.nginx }}
+ INPUT:
+ hostgroups:
+ anywhere:
+ portgroups:
+ - {{ portgroups.ssh }}
+ dockernet:
+ portgroups:
+ - {{ portgroups.all }}
+ localhost:
+ portgroups:
+ - {{ portgroups.all }}
+ minion:
+ portgroups:
+ - {{ portgroups.salt_manager }}
\ No newline at end of file
diff --git a/salt/importpcap/bond.sls b/salt/importpcap/bond.sls
new file mode 100644
index 000000000..85a4065a2
--- /dev/null
+++ b/salt/importpcap/bond.sls
@@ -0,0 +1,5 @@
+configure_bond0:
+ network.managed:
+ - name: bond0
+ - type: bond
+ - enabled: True
\ No newline at end of file
diff --git a/setup/so-functions b/setup/so-functions
index cb9c75437..12f8d2ec0 100755
--- a/setup/so-functions
+++ b/setup/so-functions
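Review bot: `- {{ portgroups.syslog}}` under the `self` hostgroup is the only entry in the new `importpcap` role without a space before `}}`; Jinja tolerates it, but it reads as a typo and will not match a search for the `}} ` form used everywhere else, so change it to `- {{ portgroups.syslog }}`. The role also carries no comment saying what an importpcap host is, although the rest of the commit treats it as a one-box install that runs the manager, Elasticsearch, SOC, Kibana and Suricata states; a line such as `# importpcap: firewall policy for a single-node pcap-import install (manager-like, no registry/idstools)` above `importpcap:` would tell the next reader why the DOCKER-USER chain mirrors so much of the manager policy. If the node really is single-box, the `sensor` and `search_node` hostgroup openings (beats 5044/5644, redis, elasticsearch_node) may be wider than it needs — worth confirming against the intended deployment.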
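Review bot: `network.managed` is asked for a `type: bond` with no `slaves`, `mode` or address settings, so the state declares an empty bond0; whether the OS network backend accepts a bond without members is not something the file shows, and if an empty, unaddressed interface is the intent (a capture interface that pcaps are replayed into) that should be written down. A comment such as `# bond0 deliberately has no slaves or address: it only exists as a capture interface for imported pcaps — TODO confirm` above `configure_bond0:` would do, or list the `slaves`/`mode` if members are expected. The new file also ends without a trailing newline.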
@@ -142,65 +142,7 @@ secrets_pillar(){
 fi
 }
-# Enable Bro Logs
-zeek_logs_enabled() {
- echo "Enabling Bro Logs" >> "$setup_log" 2>&1
- local zeeklogs_pillar=./pillar/zeeklogs.sls
-
- printf '%s\n'\
- "zeeklogs:"\
- " enabled:" > "$zeeklogs_pillar"
-
- if [ "$MANAGERADV" = 'ADVANCED' ]; then
- for BLOG in "${BLOGS[@]}"; do
- echo " - $BLOG" | tr -d '"' >> "$zeeklogs_pillar"
- done
- else
- printf '%s\n'\
- " - conn"\
- " - dce_rpc"\
- " - dhcp"\
- " - dhcpv6"\
- " - dnp3"\
- " - dns"\
- " - dpd"\
- " - files"\
- " - ftp"\
- " - http"\
- " - intel"\
- " - irc"\
- " - kerberos"\
- " - modbus"\
- " - mqtt"\
- " - notice"\
- " - ntlm"\
- " - openvpn"\
- " - pe"\
- " - radius"\
- " - rfb"\
- " - rdp"\
- " - signatures"\
- " - sip"\
- " - smb_files"\
- " - smb_mapping"\
- " - smtp"\
- " - snmp"\
- " - software"\
- " - ssh"\
- " - ssl"\
- " - syslog"\
- " - telnet"\
- " - tunnel"\
- " - weird"\
- " - mysql"\
- " - socks"\
- " - x509" >> "$zeeklogs_pillar"
- fi
-
- printf '%s\n' '----' >> "$setup_log" 2>&1
- cat "$zeeklogs_pillar" >> "$setup_log" 2>&1
-}
 check_admin_pass() {
 check_pass_match "$ADMINPASS1" "$ADMINPASS2" "APMATCH"
@@ -416,11 +358,19 @@ check_requirements() {
 req_cores=4
 if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi
 if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi
+ elif [[ "$standalone_or_dist" == 'importpcap' ]]; then
+ req_mem=4
+ req_cores=2
+ req_nics=1
 fi
- if [[ $setup_type == 'network' ]]; then
+ if [[ $setup_type == 'network' ]] ; then
 if [[ -n $nsm_mount ]]; then
- req_storage=100
+ if [[ "$standalone_or_dist" == 'importpcap' ]]; then
+ req_storage=50
+ else
+ req_storage=100
+ fi
 if (( $(echo "$free_space_root < $req_storage" | bc -l) )); then
 whiptail_storage_requirements "/" "${free_space_root} GB" "${req_storage} GB"
 fi
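Review bot: The `"$standalone_or_dist" == 'importpcap'` test is repeated three times in `check_requirements` — once for memory/cores/NICs and twice more to pick `req_storage` (here under `-n $nsm_mount`, and again in the `else` branch in the next hunk, `@@ -428`), so the two copies of the 50 GB figure can drift apart. Choosing the storage requirement once before the mount check removes both copies: `if [[ "$standalone_or_dist" == 'importpcap' ]]; then req_storage=50`, `elif [[ -n $nsm_mount ]]; then req_storage=100`, `else req_storage=200; fi`, leaving each branch with only its `bc`/whiptail checks. The edited line `if [[ $setup_type == 'network' ]] ; then` also gained a stray space before `;` that the surrounding lines do not have. `check_requirements` starts and ends outside this hunk.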
@@ -428,7 +378,11 @@ check_requirements() { whiptail_storage_requirements "/nsm" "${free_space_nsm} GB" "${req_storage} GB" fi else - req_storage=200 + if [[ "$standalone_or_dist" == 'importpcap' ]]; then + req_storage=50 + else + req_storage=200 + fi if (( $(echo "$free_space_root < $req_storage" | bc -l) )); then whiptail_storage_requirements "/" "${free_space_root} GB" "${req_storage} GB" fi @@ -720,7 +674,7 @@ docker_install() { else case "$install_type" in - 'MANAGER' | 'EVAL') + 'MANAGER' | 'EVAL' | 'STANDALONE' | 'MANAGERSEARCH' | 'IMPORTPCAP') apt-get update >> "$setup_log" 2>&1 ;; *) @@ -1264,7 +1218,7 @@ saltify() { set_progress_str 6 'Installing various dependencies' yum -y install wget nmap-ncat >> "$setup_log" 2>&1 case "$install_type" in - 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE') + 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORTPCAP') reserve_group_ids >> "$setup_log" 2>&1 yum -y install epel-release >> "$setup_log" 2>&1 yum -y install sqlite argon2 curl mariadb-devel >> "$setup_log" 2>&1 @@ -1335,7 +1289,7 @@ saltify() { 'FLEET') if [ "$OSVER" != 'xenial' ]; then apt-get -y install python3-mysqldb >> "$setup_log" 2>&1; else apt-get -y install python-mysqldb >> "$setup_log" 2>&1; fi ;; - 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE') # TODO: should this also be HELIXSENSOR? + 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORTPCAP') # TODO: should this also be HELIXSENSOR? # Add saltstack repo(s) wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/3001/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 
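Review bot: The `docker_install` case at `@@ -720` now runs `apt-get update` for `'STANDALONE'` and `'MANAGERSEARCH'` as well as the new `'IMPORTPCAP'` label; if those two were previously skipping the update by mistake this is a separate fix and deserves a sentence in the commit message, because nothing else in the importpcap change explains it. Either way the three labels should be listed in the same order as the `saltify` cases at `@@ -1264` and `@@ -1335` so the four lists can be compared by eye.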
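Review bot: `'STANDALONE'| 'IMPORTPCAP')` in the `saltify` yum case at `@@ -1264` is missing the space before `|` that every other alternative on that line and in the `@@ -1335` apt case has; make it `'STANDALONE' | 'IMPORTPCAP')`. The pre-existing `# TODO: should this also be HELIXSENSOR?` on the edited `@@ -1335` line is left unanswered by a change that is already revisiting the list; worth resolving or at least keeping the TODO at the end of the line so it stays visible.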
@@ -1802,3 +1756,63 @@ es_heapsize() {
 export NODE_ES_HEAP_SIZE
 fi
 }
+
+# Enable Bro Logs
+zeek_logs_enabled() {
+ echo "Enabling Bro Logs" >> "$setup_log" 2>&1
+
+ local zeeklogs_pillar=./pillar/zeeklogs.sls
+
+ printf '%s\n'\
+ "zeeklogs:"\
+ " enabled:" > "$zeeklogs_pillar"
+
+ if [ "$MANAGERADV" = 'ADVANCED' ]; then
+ for BLOG in "${BLOGS[@]}"; do
+ echo " - $BLOG" | tr -d '"' >> "$zeeklogs_pillar"
+ done
+ else
+ printf '%s\n'\
+ " - conn"\
+ " - dce_rpc"\
+ " - dhcp"\
+ " - dhcpv6"\
+ " - dnp3"\
+ " - dns"\
+ " - dpd"\
+ " - files"\
+ " - ftp"\
+ " - http"\
+ " - intel"\
+ " - irc"\
+ " - kerberos"\
+ " - modbus"\
+ " - mqtt"\
+ " - notice"\
+ " - ntlm"\
+ " - openvpn"\
+ " - pe"\
+ " - radius"\
+ " - rfb"\
+ " - rdp"\
+ " - signatures"\
+ " - sip"\
+ " - smb_files"\
+ " - smb_mapping"\
+ " - smtp"\
+ " - snmp"\
+ " - software"\
+ " - ssh"\
+ " - ssl"\
+ " - syslog"\
+ " - telnet"\
+ " - tunnel"\
+ " - weird"\
+ " - mysql"\
+ " - socks"\
+ " - x509" >> "$zeeklogs_pillar"
+ fi
+
+ printf '%s\n' '----' >> "$setup_log" 2>&1
+ cat "$zeeklogs_pillar" >> "$setup_log" 2>&1
+}
\ No newline at end of file
diff --git a/setup/so-setup b/setup/so-setup
index 68ca99824..260642415 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -165,6 +165,8 @@ elif [ "$install_type" = 'FLEET' ]; then
 OSQUERY=1
 elif [ "$install_type" = 'HELIXSENSOR' ]; then
 is_helix=true
+elif [ "$install_type" = 'IMPORTPCAP' ]; then
+ is_importpcap=true
 fi
 if [[ $is_manager && $is_sensor ]]; then
@@ -173,8 +175,10 @@ elif [[ $is_fleet_standalone ]]; then
 check_requirements "dist" "fleet"
 elif [[ $is_sensor && ! $is_eval ]]; then
 check_requirements "dist" "sensor"
-elif [[ $is_distmanager || $is_minion ]]; then
+elif [[ $is_distmanager || $is_minion ]] && [[ ! $is_importpcap ]]; then
 check_requirements "dist"
+elif [[ $is_importpcap ]]; then
+ check_requirements "importpcap"
 fi
 whiptail_patch_schedule
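Review bot: The re-added `zeek_logs_enabled` keeps the header `# Enable Bro Logs` although the function, the pillar file and every other name say Zeek, and the comment does not say what the function produces; since the move is already touching it, a header like `# Write ./pillar/zeeklogs.sls listing the Zeek logs to enable: the $BLOGS selection in ADVANCED mode, a fixed default set otherwise` describes what the body actually does (the echoed log message is runtime output and can stay as it is). The move also leaves so-functions without a trailing newline (`\ No newline at end of file`), which the removed copy at `@@ -142` did not. The body is otherwise identical to the removed block, so no behavioural review is needed for it.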
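Review bot: The guard `elif [[ $is_distmanager || $is_minion ]] && [[ ! $is_importpcap ]]; then` in the `@@ -173` hunk exists only because the importpcap branch comes after it; placing `elif [[ $is_importpcap ]]; then` / `check_requirements "importpcap"` before the distmanager/minion branch makes the guard unnecessary and keeps the chain one test per branch. More broadly, this commit ORs `$is_importpcap` into a dozen existing `$is_manager`/`$is_sensor` conditions across so-setup (`@@ -239` through `@@ -598`), which is easy to miss on the next role-specific `if`; it may be simpler for `'IMPORTPCAP'` to set `is_manager=true` here alongside `is_importpcap=true` and exclude the few manager steps it skips (registry, idstools, elastalert), though whether the manager-only prompts would then be acceptable is not visible from this hunk. `is_importpcap` is also never initialised, which matches how `is_helix` is handled, so the `[[ ! $is_importpcap ]]` tests rely on the variable being unset rather than empty-but-defined.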
@@ -239,13 +243,38 @@ if [[ $is_node ]]; then CURCLOSEDAYS=30 fi +if [[ $is_importpcap ]]; then + patch_schedule=Automatic + RULESETUP=ETOPEN + NSMSETUP=BASIC + HNSENSOR=inherit + MANAGERUPDATES=0 + MANAGERADV=BASIC + ZEEKVERSION=ZEEK + NIDS=Suricata + RULESETUP=ETOPEN + GRAFANA=0 + OSQUERY=0 + WAZUH=0 + THEHIVE=0 + PLAYBOOK=0 + STRELKA=0 + +fi + + # Start user prompts + + if [[ $is_helix || $is_sensor ]]; then whiptail_sensor_nics +fi + +if [[ $is_helix || $is_sensor || $is_importpcap ]]; then calculate_useable_cores fi -if [[ $is_helix || $is_manager ]]; then +if [[ $is_helix || $is_manager || $is_importpcap ]]; then whiptail_homenet_manager fi @@ -274,6 +303,9 @@ if [[ $is_manager ]]; then if [[ $STRELKA == 1 ]]; then whiptail_strelka_rules fi +fi + +if [[ $is_manager || $is_importpcap ]]; then collect_webuser_inputs get_redirect fi @@ -335,7 +367,7 @@ else FLEETNODEPASSWD1=$WEBPASSWD1 fi -if [[ $is_manager ]]; then whiptail_so_allow; fi +if [[ $is_manager || $is_importpcap ]]; then whiptail_so_allow; fi whiptail_make_changes @@ -359,7 +391,7 @@ fi } >> $setup_log 2>&1 -if [[ $is_manager ]]; then +if [[ $is_manager || $is_importpcap ]]; then { generate_passwords; secrets_pillar; @@ -399,6 +431,9 @@ fi if [[ $is_sensor || $is_helix ]]; then set_progress_str 3 'Configuring sensor interface' configure_network_sensor >> $setup_log 2>&1 + fi + + if [[ $is_sensor || $is_helix || $is_importpcap ]]; then set_progress_str 4 'Generating sensor pillar' sensor_pillar >> $setup_log 2>&1 fi @@ -415,7 +450,7 @@ fi set_progress_str 9 'Initializing Salt minion' configure_minion "$minion_type" >> $setup_log 2>&1 - if [[ $is_manager || $is_helix ]]; then + if [[ $is_manager || $is_helix || $is_importpcap ]]; then set_progress_str 10 'Configuring Salt master' { create_local_directories; 
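Review bot: `RULESETUP=ETOPEN` is assigned twice inside the new `if [[ $is_importpcap ]]` block (third and tenth lines), and the block ends with an empty line before `fi` followed by two more added blank lines on each side of `# Start user prompts`; drop the duplicate and the extra blanks so the block reads as one fixed-defaults table. The block also does not say why these values are being set instead of prompted for — they appear to be the answers the manager prompts would otherwise collect (`MANAGERADV`, `NIDS`, `patch_schedule`, the component toggles), so a comment such as `# IMPORTPCAP is a fixed, mostly non-interactive profile: preset the choices the manager prompts would ask for` at the top of the block would make that explicit. Whether `MANAGERUPDATES=0` and `HNSENSOR=inherit` are the intended values for a single-box install is not something this hunk shows — worth confirming against the variables' consumers.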
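Review bot: In the `@@ -399` hunk `sensor_pillar` now runs for importpcap although `configure_network_sensor` (which stays sensor/helix-only just above it) does not; if `sensor_pillar` reads the capture-interface variables that function sets — not visible from this hunk — the importpcap node's sensor pillar will contain empty interface values, and the bond0 created by `importpcap.bond` at `@@ -472` is applied later in the run. Either run the interface setup for importpcap as well, or set the interface variables to `bond0` before `sensor_pillar` and note it: `# importpcap: no physical capture NIC; sensor_pillar is fed bond0 from importpcap.bond`. The enclosing block starts and ends outside the hunk.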
@@ -459,7 +494,7 @@ fi
 accept_salt_key_remote >> $setup_log 2>&1
 fi
- if [[ $is_manager ]]; then
+ if [[ $is_manager || $is_importpcap ]]; then
 set_progress_str 20 'Accepting Salt key'
 salt-key -ya "$MINION_ID" >> $setup_log 2>&1
 fi
@@ -472,10 +507,15 @@ fi
 salt-call state.apply salt.minion -l info >> $setup_log 2>&1
 fi
+ if [[ $is_importpcap ]]; then
+ set_progress_str 22 'Configuring bond interface'
+ salt-call state.apply importpcap.bond -l info >> $setup_log 2>&1
+ fi
+
 set_progress_str 23 'Generating CA and checking in'
 salt_checkin >> $setup_log 2>&1
- if [[ $is_manager || $is_helix ]]; then
+ if [[ $is_manager || $is_helix || $is_importpcap ]]; then
 set_progress_str 25 'Configuring firewall'
 set_initial_firewall_policy >> $setup_log 2>&1
@@ -485,14 +525,18 @@ fi
 set_progress_str 26 'Downloading containers from the internet'
 fi
- salt-call state.apply -l info registry >> $setup_log 2>&1
- docker_seed_registry 2>> "$setup_log" # ~ 60% when finished
+ if [[ ! $is_importpcap ]]; then
+ salt-call state.apply -l info registry >> $setup_log 2>&1
+ docker_seed_registry 2>> "$setup_log" # ~ 60% when finished
+ fi
 set_progress_str 60 "$(print_salt_state_apply 'manager')"
 salt-call state.apply -l info manager >> $setup_log 2>&1
- set_progress_str 61 "$(print_salt_state_apply 'idstools')"
- salt-call state.apply -l info idstools >> $setup_log 2>&1
+ if [[ ! $is_importpcap ]]; then
+ set_progress_str 61 "$(print_salt_state_apply 'idstools')"
+ salt-call state.apply -l info idstools >> $setup_log 2>&1
+ fi
 set_progress_str 61 "$(print_salt_state_apply 'suricata.manager')"
 salt-call state.apply -l info suricata.manager >> $setup_log 2>&1
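Review bot: In the `@@ -485` hunk the `idstools` state is skipped for importpcap while `suricata.manager` (this hunk) and `suricata` (`@@ -521`) are still applied; if idstools is what fetches the ruleset selected by `RULESETUP=ETOPEN` at `@@ -239`, the import node's Suricata would start with no rules — confirm, and either keep idstools for importpcap or comment why it is not needed, e.g. `# importpcap: rules are not downloaded here; TODO state where Suricata on this role gets its ruleset`. The same hunk also skips `registry` and `docker_seed_registry`, so every later `state.apply` that starts a container on this role must pull its image from outside rather than the local registry; that is a behavioural difference worth one comment at the `if [[ ! $is_importpcap ]]` guard. The enclosing block starts and ends outside the hunk.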
@@ -513,7 +557,7 @@ fi
 set_progress_str 64 "$(print_salt_state_apply 'nginx')"
 salt-call state.apply -l info nginx >> $setup_log 2>&1
- if [[ $is_manager || $is_node ]]; then
+ if [[ $is_manager || $is_node || $is_importpcap ]]; then
 set_progress_str 64 "$(print_salt_state_apply 'elasticsearch')"
 salt-call state.apply -l info elasticsearch >> $setup_log 2>&1
 fi
@@ -521,7 +565,9 @@ fi
 if [[ $is_sensor ]]; then
 set_progress_str 65 "$(print_salt_state_apply 'pcap')"
 salt-call state.apply -l info pcap >> $setup_log 2>&1
+ fi
+ if [[ $is_sensor || $is_importpcap ]]; then
 set_progress_str 66 "$(print_salt_state_apply 'suricata')"
 salt-call state.apply -l info suricata >> $setup_log 2>&1
@@ -534,13 +580,15 @@ fi
 salt-call state.apply -l info curator >> $setup_log 2>&1
 fi
- if [[ $is_manager ]]; then
+ if [[ $is_manager || $is_importpcap ]]; then
 set_progress_str 69 "$(print_salt_state_apply 'soc')"
 salt-call state.apply -l info soc >> $setup_log 2>&1
 set_progress_str 70 "$(print_salt_state_apply 'kibana')"
 salt-call state.apply -l info kibana >> $setup_log 2>&1
+ fi
+ if [[ $is_manager ]]; then
 set_progress_str 71 "$(print_salt_state_apply 'elastalert')"
 salt-call state.apply -l info elastalert >> $setup_log 2>&1
@@ -598,7 +646,7 @@ fi
 fi
 fi
- if [[ $is_manager || $is_helix ]]; then
+ if [[ $is_manager || $is_helix || $is_importpcap ]]; then
 set_progress_str 81 "$(print_salt_state_apply 'utility')"
 salt-call state.apply -l info utility >> $setup_log 2>&1
 fi