From e430be1017b5a46e11b43bbb6bc97ebb7f398f67 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 2 Apr 2021 16:36:29 -0400 Subject: [PATCH 01/16] Enable Flux compatibility mode to prepare for eventual migration to 2.0 --- salt/influxdb/etc/influxdb.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/influxdb/etc/influxdb.conf b/salt/influxdb/etc/influxdb.conf index 86c1ccfe8..9d89ca774 100644 --- a/salt/influxdb/etc/influxdb.conf +++ b/salt/influxdb/etc/influxdb.conf @@ -233,7 +233,7 @@ # enabled = true # Determines whether the Flux query endpoint is enabled. - # flux-enabled = false + flux-enabled = true # The bind address used by the HTTP service. # bind-address = ":8086" From f7f95b6c541c6db3a5264f1094da7b604b3ff617 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 8 Apr 2021 11:22:54 -0400 Subject: [PATCH 02/16] Add model to sensoroni agent config --- salt/sensoroni/files/sensoroni.json | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json index df2990404..378d42373 100644 --- a/salt/sensoroni/files/sensoroni.json +++ b/salt/sensoroni/files/sensoroni.json @@ -1,9 +1,6 @@ {%- set URLBASE = salt['pillar.get']('global:url_base') %} -{%- if salt['pillar.get']('sensoroni:node_description') %} -{%- set DESCRIPTION = salt['pillar.get']('sensoroni:node_description') %} -{%- else %} -{%- set DESCRIPTION = salt['grains.get']('sosmodel', '') %} -{%- endif %} +{%- set DESCRIPTION = salt['pillar.get']('sensoroni:node_description', '') %} +{%- set MODEL = salt['grains.get']('sosmodel', '') %} {%- set ADDRESS = salt['pillar.get']('sensoroni:node_address') %} {%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') %} {%- set CHECKININTERVALMS = salt['pillar.get']('sensoroni:node_checkin_interval_ms', 10000) %} 
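Review bot: Uncommenting `flux-enabled = true` exposes a second query language on the InfluxDB HTTP listener (`:8086` per the context line below it), and nothing in this hunk shows the `[http]` section's `auth-enabled` setting, which the stock 1.x config leaves at its default of false. If authentication is not enabled elsewhere in this file, any client that can reach 8086 can run arbitrary Flux queries against every database, so this should be paired with `auth-enabled = true` in the same section and verified against the credentials Telegraf and SOC use. A comment such as `# Flux enabled ahead of the 2.0 migration; requires auth-enabled = true or the endpoint answers unauthenticated queries` would record the dependency for whoever does the migration.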
@@ -21,6 +18,7 @@ "role": "{{ grains.role }}", "description": "{{ DESCRIPTION }}", "address": "{{ ADDRESS }}", + "model": "{{ MODEL }}", "pollIntervalMs": {{ CHECKININTERVALMS if CHECKININTERVALMS else 10000 }}, "serverUrl": "https://{{ URLBASE }}/sensoroniagents", "verifyCert": false, From b2fcd438c26d699da9a556fc7558c207caf6927a Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 9 Apr 2021 09:39:33 -0400 Subject: [PATCH 03/16] Initial support for checking state of manager during setup --- salt/common/init.sls | 5 +++++ setup/so-functions | 19 +++++++++++++++++++ setup/so-setup | 4 ++++ setup/so-whiptail | 17 +++++++++++++++-- 4 files changed, 43 insertions(+), 2 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 93f76c3b3..3ce6286be 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -304,6 +304,11 @@ sostatusdir: - user: 0 - group: 0 - makedirs: True + +sostatus_log: + file.managed: + - name: /opt/so/log/sostatus/status.log + - mode: 644 # Install sostatus check cron /usr/sbin/so-status -q && echo $? > /opt/so/log/sostatus/status.log 2>&1: diff --git a/setup/so-functions b/setup/so-functions index b7acf7cb1..604eb56b7 100755 --- a/setup/so-functions +++ b/setup/so-functions 
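Review bot: The new `"model": "{{ MODEL }}"` line, like the `description` and `address` lines around it, interpolates a Salt value straight into a JSON string literal, so a value containing a double quote or backslash yields an unparseable or restructured sensoroni.json. `sosmodel` is presumably a controlled hardware string, but `node_description` is operator-typed text (a companion setup change quotes it precisely because it can contain spaces), so letting Salt encode the value is safer: `"model": {{ MODEL | json }},` and `"description": {{ DESCRIPTION | json }},`. The JSON object this hunk sits in opens and closes outside the hunk.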
@@ -162,6 +162,25 @@ check_hive_init() { docker rm so-thehive } +check_manager_state() { + echo "Checking state of manager services. This may take a moment..." + retry 2 15 "__check_so_status" && retry 2 15 "__check_salt_master" && return 0 || return 1 +} + +__check_so_status() { + local so_status_output + so_status_output=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /opt/so/log/sostatus/status.log) + [[ -z $so_status_output ]] && so_status_output=1 + return $so_status_output +} + +__check_salt_master() { + local salt_master_status + salt_master_status=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" systemctl is-active --quiet salt-master) + [[ -z $salt_master_status ]] && salt_master_status=1 + return $salt_master_status +} + check_network_manager_conf() { local gmdconf="/usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf" local nmconf="/etc/NetworkManager/NetworkManager.conf" diff --git a/setup/so-setup b/setup/so-setup index 5b1a7417c..79c9b9784 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -574,6 +574,10 @@ if [[ $is_manager || $is_import ]]; then collect_so_allow; fi # This block sets REDIRECTIT which is used by a function outside the below subshell set_redirect >> $setup_log 2>&1 +if [[ $is_minion ]] && ! check_manager_state; then + whiptail_manager_error || exit 1 +fi + whiptail_end_settings # From here on changes will be made. diff --git a/setup/so-whiptail b/setup/so-whiptail index 493ae7a68..2b1199fb5 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -79,7 +79,7 @@ whiptail_bond_nics_mtu() { whiptail_cancel() { - whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 75 + whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup." 8 75 if [ -d "/root/installtmp" ]; then { echo "/root/installtmp exists"; @@ -88,7 +88,7 @@ whiptail_cancel() { } >> $setup_log 2>&1 fi - title "User cancelled setup, no changes made." + title "User cancelled setup." exit } 
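Review bot: `__check_salt_master` can never report success: `systemctl is-active --quiet` prints nothing, so the `$(...)` capture is always empty, `salt_master_status` is forced to 1, and the function returns failure even when salt-master is running, which makes `check_manager_state` fail on every minion install. Use the command's exit status instead of its output, e.g. replace the three body lines with `$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" systemctl is-active --quiet salt-master`, whose status becomes the function's return value. `__check_so_status` has a related weakness: `return $so_status_output` hands whatever the remote file contains to `return`, so non-numeric content (for example an error message that ended up in the log) produces a bash error instead of a clean failure; `[[ $so_status_output =~ ^[0-9]+$ ]] || so_status_output=1` keeps it deterministic. Whether `$sshcmd` enforces host-key checking is not visible here; if it disables it, a host impersonating `$MSRV` could feed a `0` to this check.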
@@ -1140,6 +1140,19 @@ whiptail_manager_adv_service_zeeklogs() { } +whiptail_manager_error() { + local msg + read -r -d '' <<- EOM + Setup could not determine if the manager $MSRV is in a good state. + + Continuing without verifying all services on the manager are running may result in a failure. + + Would you like to continue anyway? + EOM + + whiptail --title "Security Onion Setup" --yesno "$msg" 13 75 || whiptail_check_exitstatus 1 +} + whiptail_manager_updates() { [ -n "$TESTING" ] && return From 9b5276f1ab401a65f99de480304d8bfd1174ec8a Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 9 Apr 2021 09:59:54 -0400 Subject: [PATCH 04/16] Remove bad `||` statement --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 79c9b9784..84fcf5c34 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -575,7 +575,7 @@ if [[ $is_manager || $is_import ]]; then collect_so_allow; fi set_redirect >> $setup_log 2>&1 if [[ $is_minion ]] && ! check_manager_state; then - whiptail_manager_error || exit 1 + whiptail_manager_error fi whiptail_end_settings From fc9df2bbaec84bc8d6a1d780074de4cd588f0019 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 9 Apr 2021 10:00:50 -0400 Subject: [PATCH 05/16] Update airgap question to ask during minion installs too --- setup/so-setup | 2 +- setup/so-whiptail | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 84fcf5c34..f53909bdc 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -264,7 +264,7 @@ elif [ "$install_type" = 'ANALYST' ]; then fi # Check if this is an airgap install -if [[ ( $is_manager || $is_import ) && $is_iso ]]; then +if [[ $is_iso || $is_minion ]]; then whiptail_airgap if [[ "$INTERWEBS" == 'AIRGAP' ]]; then is_airgap=true diff --git a/setup/so-whiptail b/setup/so-whiptail index 2b1199fb5..368b6b0cd 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
@@ -19,10 +19,13 @@ whiptail_airgap() { [ -n "$TESTING" ] && return + local node_str='node' + [[ $is_manager || $is_import ]] && node_str='manager' + INTERWEBS=$(whiptail --title "Security Onion Setup" --radiolist \ "Choose your install conditions:" 20 75 4 \ - "STANDARD" "This manager has internet accesss" ON \ - "AIRGAP" "This manager does not have internet access" OFF 3>&1 1>&2 2>&3 ) + "STANDARD" "This $node_str has internet accesss" ON \ + "AIRGAP" "This $node_str does not have internet access" OFF 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus From 764307bfa055a667f00b8fd5fae5b173c5407103 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 9 Apr 2021 10:09:28 -0400 Subject: [PATCH 06/16] Reformat airgap whiptail prompt --- setup/so-whiptail | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 368b6b0cd..1fbfa34dd 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -23,12 +23,14 @@ whiptail_airgap() { [[ $is_manager || $is_import ]] && node_str='manager' INTERWEBS=$(whiptail --title "Security Onion Setup" --radiolist \ - "Choose your install conditions:" 20 75 4 \ - "STANDARD" "This $node_str has internet accesss" ON \ - "AIRGAP" "This $node_str does not have internet access" OFF 3>&1 1>&2 2>&3 ) + "How should this $node_str be installed?" 10 60 2 \ + "Standard " "This $node_str has internet accesss." ON \ + "Airgap " "This $node_str does not have internet access." OFF 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus + + INTERWEBS=$(echo "${INTERWEBS^^}" | tr -d ' ') } whiptail_avoid_default_hostname() { From 026ce769666f11a4e439dc70149654863a0cd1e9 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 9 Apr 2021 10:11:00 -0400 Subject: [PATCH 07/16] Change airgap prompt to menu --- setup/so-whiptail | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/setup/so-whiptail b/setup/so-whiptail index 1fbfa34dd..50b50e353 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -22,10 +22,10 @@ whiptail_airgap() { local node_str='node' [[ $is_manager || $is_import ]] && node_str='manager' - INTERWEBS=$(whiptail --title "Security Onion Setup" --radiolist \ + INTERWEBS=$(whiptail --title "Security Onion Setup" --menu \ "How should this $node_str be installed?" 10 60 2 \ - "Standard " "This $node_str has internet accesss." ON \ - "Airgap " "This $node_str does not have internet access." OFF 3>&1 1>&2 2>&3 ) + "Standard " "This $node_str has internet accesss" \ + "Airgap " "This $node_str does not have internet access" 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus From 4db20a00fff56b2be682cb4199c975acfb83dfc7 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 9 Apr 2021 10:16:19 -0400 Subject: [PATCH 08/16] Add quotes around description, since it can contain spaces --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index f53909bdc..bac2fcdfd 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -339,7 +339,7 @@ if ! [[ -f $install_opt_file ]]; then "HOSTNAME=$HOSTNAME" \ "MSRV=$MSRV" \ "MSRVIP=$MSRVIP" \ - "NODE_DESCRIPTION=$NODE_DESCRIPTION" > "$install_opt_file" + "NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file" [[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file" download_repo_tarball exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" From 5cb73ced36ef40f6683be14db1d5ec4391fd8328 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 9 Apr 2021 14:58:15 -0400 Subject: [PATCH 09/16] Add Influx module to SOC config --- salt/soc/files/soc/soc.json | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 6e2850aca..1dcd46c63 100644 --- a/salt/soc/files/soc/soc.json 
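Review bot: Writing `"NODE_DESCRIPTION=\"$NODE_DESCRIPTION\""` fixes spaces but not the other characters a free-text description can hold: if `$install_opt_file` is later sourced by the re-executed setup (the `exec bash ... so-setup` two lines below suggests it is), an embedded `"`, `$(...)`, backtick or `$var` is still interpreted by bash running as root. The person typing the description is already root, so this is robustness rather than privilege escalation, but `printf 'NODE_DESCRIPTION=%q\n' "$NODE_DESCRIPTION" >> "$install_opt_file"` (or `declare -p NODE_DESCRIPTION`) stores the value so that sourcing reproduces it exactly. `HOSTNAME`, `MSRV` and `so_proxy` are written unquoted in the same block and would benefit from the same treatment; the command emitting these arguments starts before this hunk, inside the `if ! [[ -f $install_opt_file ]]` body.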
+++ b/salt/soc/files/soc/soc.json @@ -53,6 +53,13 @@ "cacheMs": {{ ES_FIELDCAPS_CACHE }}, "verifyCert": false }, + "influxdb": { + "hostUrl": "https://{{ MANAGERIP }}:8086", + "token": "", + "org": "", + "bucket": "telegraf", + "verifyCert": false + }, "sostatus": { "refreshIntervalMs": 30000, "offlineThresholdMs": 900000 From 8facbcf18c16b432fdb2beef12cbfc023c8abead Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 9 Apr 2021 20:40:44 -0400 Subject: [PATCH 10/16] Do not set influxdb hostUrl if import node since import nodes don't run influxdb --- salt/soc/files/soc/soc.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 1dcd46c63..6f1c3a6da 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json @@ -54,7 +54,11 @@ "verifyCert": false }, "influxdb": { +{%- if grains['role'] in ['so-import'] %} + "hostUrl": "", +{%- else %} "hostUrl": "https://{{ MANAGERIP }}:8086", +{%- endif %} "token": "", "org": "", "bucket": "telegraf", From 5d98c896a3791434491afdedc1de6a55fbf87a40 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 12 Apr 2021 12:53:17 -0400 Subject: [PATCH 11/16] /opt/so/log needs 755 permissions for soremote to read sostatus log --- salt/common/init.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/common/init.sls b/salt/common/init.sls index 3ce6286be..ee7cad5e6 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -51,6 +51,11 @@ sosaltstackperms: - gid: 939 - dir_mode: 770 +so_log_perms: + file.directory: + - name: /opt/so/log + - dir_mode: 755 + # Create a state directory statedir: file.directory: From 73a1bdd885f7943ee52538e025282dcc736101fa Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 12 Apr 2021 12:59:45 -0400 Subject: [PATCH 12/16] Send stdout to log, and actually populate error message --- setup/so-functions | 2 +- setup/so-whiptail | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
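Review bot: The new `influxdb` block points SOC at `https://{{ MANAGERIP }}:8086` with `"token": ""`, `"org": ""` and `"verifyCert": false`, so as committed SOC connects to InfluxDB without credentials and without checking the server certificate. An empty token only works if InfluxDB accepts anonymous Flux queries, which is the same exposure the `flux-enabled` change opens, and skipping verification lets anyone on the manager network interpose on the telemetry channel. If the empty strings are placeholders, a pillar lookup such as `"token": "{{ salt['pillar.get']('influxdb:token', '') }}"` plus a Jinja comment naming where the value is provisioned would make that explicit instead of shipping a config that silently runs unauthenticated.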
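Review bot: Setting `/opt/so/log` to `dir_mode: 755` grants traversal of the whole log tree to every local account just so `soremote` can read one status file; as written the state also has no `user`/`group` and no `recurse`, so it changes only the top directory's mode and leaves ownership and subdirectory modes untouched. A narrower grant keeps the directory private and gives the minion check only what it needs, e.g. an `acl.present` state adding `u:soremote:x` on `/opt/so/log`, or making `/opt/so/log/sostatus` group-owned by soremote's group with `dir_mode: 750`. Either way a comment such as `# soremote must traverse /opt/so/log to read sostatus/status.log during minion setup` would record why the permission exists.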
diff --git a/setup/so-functions b/setup/so-functions index 604eb56b7..5f07bb3b0 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -164,7 +164,7 @@ check_hive_init() { check_manager_state() { echo "Checking state of manager services. This may take a moment..." - retry 2 15 "__check_so_status" && retry 2 15 "__check_salt_master" && return 0 || return 1 + retry 2 15 "__check_so_status" >> $setup_log 2>&1 && retry 2 15 "__check_salt_master" >> $setup_log 2>&1 && return 0 || return 1 } __check_so_status() { diff --git a/setup/so-whiptail b/setup/so-whiptail index 50b50e353..6ce2c214c 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1147,7 +1147,7 @@ whiptail_manager_adv_service_zeeklogs() { whiptail_manager_error() { local msg - read -r -d '' <<- EOM + read -r -d '' msg <<- EOM Setup could not determine if the manager $MSRV is in a good state. Continuing without verifying all services on the manager are running may result in a failure. From cf4de255eccddbef4a44c79116de9a8bd04dc567 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 12 Apr 2021 15:18:18 -0400 Subject: [PATCH 13/16] Fix Wazuh WEL Shipping --- salt/elasticsearch/files/ingest/win.eventlogs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticsearch/files/ingest/win.eventlogs b/salt/elasticsearch/files/ingest/win.eventlogs index 2644be7a2..ec5cf911c 100644 --- a/salt/elasticsearch/files/ingest/win.eventlogs +++ b/salt/elasticsearch/files/ingest/win.eventlogs 
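Review bot: Redirecting both `retry` calls into the log is fine, but the check still accepts any `status.log` that reads `0` regardless of age: the file is only rewritten by the manager's five-minute cron, so a manager whose services died after the last run, or a stale file left from an earlier build, passes. `__check_so_status` (defined just below, outside this hunk) could require freshness before trusting the content, e.g. run `find /opt/so/log/sostatus -name status.log -mmin -10` on the remote side and treat no match as failure. The unquoted `>> $setup_log` should also be `>> "$setup_log" 2>&1`, matching how the companion so-setup change quotes the same variable.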
@@ -4,8 +4,8 @@ { "set": { "if": "ctx.winlog?.channel != null", "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true } }, { "set": { "if": "ctx.winlog?.channel != null", "field": "event.dataset", "value": "{{winlog.channel}}", "override": true } }, { "set": { "if": "ctx.winlog?.computer_name != null", "field": "observer.name", "value": "{{winlog.computer_name}}", "override": true } }, - { "rename": { "if": "ctx.winlog?.systemTime != null", "field": "@timestamp", "target_field": "ingest.timestamp", "ignore_missing": true } }, - { "set": { "if": "ctx.winlog?.systemTime != null", "field": "@timestamp", "value": "{{winlog.systemTime}}", "override": true } }, + { "rename": { "if": "ctx.winlog?.systemTime != null", "field": "@timestamp", "target_field": "ingest.timestamp", "ignore_missing": true } }, + { "date": { "if": "ctx.winlog?.systemTime != null", "field": "winlog.systemTime", "formats": ["yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSS'Z'"] } }, { "set": { "field": "event.code", "value": "{{winlog.event_id}}", "override": true } }, { "set": { "field": "event.category", "value": "host", "override": true } }, { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_failure": true, "ignore_missing": true } }, From cc344d921ac481d17e5d2e6f4179215a46e1ca9e Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 12 Apr 2021 16:13:32 -0400 Subject: [PATCH 14/16] Skip whiptail during testing, echo error message to setup log --- setup/so-setup | 1 + setup/so-whiptail | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index bac2fcdfd..ad210048a 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -575,6 +575,7 @@ if [[ $is_manager || $is_import ]]; then collect_so_allow; fi set_redirect >> $setup_log 2>&1 if [[ $is_minion ]] && ! check_manager_state; then + echo "Manager was not in a good state" >> "$setup_log" 2>&1 whiptail_manager_error fi 
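Review bot: The new `date` processor uses a single literal format, `yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSS'Z'`, with no `ignore_failure` and no `on_failure`, so an event whose `winlog.systemTime` carries a different number of fractional digits or a numeric offset instead of `Z` fails the pipeline and is rejected, and because the preceding `rename` has already moved `@timestamp` to `ingest.timestamp` the failing document has no timestamp at all. I would make the parse tolerant, `"formats": ["ISO8601", "yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSS'Z'"]`, and decide explicitly whether a bad timestamp should drop the event or keep it with `"ignore_failure": true`. The processor writes to `@timestamp` by default so no `target_field` is needed, but a `"description"` on the processor (supported on recent 7.x) noting that Wazuh ships nanosecond-precision times would help the next maintainer.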
diff --git a/setup/so-whiptail b/setup/so-whiptail index 6ce2c214c..6f1cc6171 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1146,6 +1146,9 @@ whiptail_manager_adv_service_zeeklogs() { } whiptail_manager_error() { + + [ -n "$TESTING" ] && return + local msg read -r -d '' msg <<- EOM Setup could not determine if the manager $MSRV is in a good state. @@ -1159,9 +1162,6 @@ whiptail_manager_error() { } whiptail_manager_updates() { - - [ -n "$TESTING" ] && return - local update_string update_string=$(whiptail --title "Security Onion Setup" --radiolist \ "How would you like to download OS package updates for your grid?" 20 75 4 \ From 25637b74dbece9886e23489555ddb80b395466f5 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 12 Apr 2021 16:14:47 -0400 Subject: [PATCH 15/16] Add back removed testing skip --- setup/so-whiptail | 3 +++ 1 file changed, 3 insertions(+) diff --git a/setup/so-whiptail b/setup/so-whiptail index 6f1cc6171..6127a174a 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1162,6 +1162,9 @@ whiptail_manager_error() { } whiptail_manager_updates() { + + [ -n "$TESTING" ] && return + local update_string update_string=$(whiptail --title "Security Onion Setup" --radiolist \ "How would you like to download OS package updates for your grid?" 20 75 4 \ From 9d09e7bec3cbfa0d192e4df4a1594483ffbb5155 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 12 Apr 2021 16:25:17 -0400 Subject: [PATCH 16/16] Fix sostatus log cron job --- salt/common/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index ee7cad5e6..f7a4d6731 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -316,7 +316,7 @@ sostatus_log: - mode: 644 # Install sostatus check cron -/usr/sbin/so-status -q && echo $? > /opt/so/log/sostatus/status.log 2>&1: +'/usr/sbin/so-status -q; echo $? > /opt/so/log/sostatus/status.log 2>&1': cron.present: - user: root - minute: '*/5'
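Review bot: Changing the cron command string does not remove the entry the previous version installed: `cron.present` with no `identifier` matches on the command text, so an already-deployed manager keeps the old `so-status -q && echo $? > ...` job and gains this one, and the two race on `status.log` every five minutes. Give the job a stable identity with `- identifier: sostatus_check` and add a `cron.absent` for the old command so exactly one job writes the file. Note also that `2>&1` applies only to the `echo`; if `so-status -q` still writes to stderr, that output goes to cron mail rather than the log, and `'/usr/sbin/so-status -q 2>/dev/null; echo $? > /opt/so/log/sostatus/status.log'` would be the form that silences it.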