Merge remote-tracking branch 'remotes/origin/dev' into salt3003.1

salt/common/init.sls

@@ -49,6 +49,11 @@ sosaltstackperms:
     - gid: 939
     - dir_mode: 770
 
+so_log_perms:
+  file.directory:
+    - name: /opt/so/log
+    - dir_mode: 755
+
 # Create a state directory
 statedir:
   file.directory:
@@ -228,8 +233,13 @@ sostatusdir:
     - group: 0
     - makedirs: True
 
+sostatus_log:
+  file.managed:
+    - name: /opt/so/log/sostatus/status.log
+    - mode: 644
+    
 # Install sostatus check cron
-/usr/sbin/so-status -q && echo $? > /opt/so/log/sostatus/status.log 2>&1:
+'/usr/sbin/so-status -q; echo $? > /opt/so/log/sostatus/status.log 2>&1':
   cron.present:
     - user: root
     - minute: '*/5'

salt/elasticsearch/files/ingest/win.eventlogs

@@ -4,8 +4,8 @@
     { "set":           { "if": "ctx.winlog?.channel != null",   "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true }  },
     { "set":           { "if": "ctx.winlog?.channel != null",   "field": "event.dataset", "value": "{{winlog.channel}}", "override": true }  },
     { "set":           { "if": "ctx.winlog?.computer_name != null",   "field": "observer.name", "value": "{{winlog.computer_name}}", "override": true }  },
-    { "rename":         { "if": "ctx.winlog?.systemTime != null", "field": "@timestamp",      "target_field": "ingest.timestamp",     "ignore_missing": true } },
+    { "rename":       { "if": "ctx.winlog?.systemTime != null", "field": "@timestamp",      "target_field": "ingest.timestamp",     "ignore_missing": true } },
-    { "set":           { "if": "ctx.winlog?.systemTime != null",   "field": "@timestamp", "value": "{{winlog.systemTime}}", "override": true }  },
+    { "date":         { "if": "ctx.winlog?.systemTime != null", "field": "winlog.systemTime",      "formats": ["yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSS'Z'"] } },    
     { "set":           { "field": "event.code", "value": "{{winlog.event_id}}", "override": true }  },  
     { "set":           { "field": "event.category", "value": "host", "override": true }  },   
     { "rename": 	   { "field": "winlog.event_data.SubjectUserName", 			  "target_field": "user.name",		"ignore_failure": true,   "ignore_missing": true 	} },

salt/influxdb/etc/influxdb.conf

@@ -233,7 +233,7 @@
   # enabled = true
 
   # Determines whether the Flux query endpoint is enabled.
-  # flux-enabled = false
+  flux-enabled = true
 
   # The bind address used by the HTTP service.
   # bind-address = ":8086"

salt/sensoroni/files/sensoroni.json

@@ -1,9 +1,6 @@
 {%- set URLBASE = salt['pillar.get']('global:url_base') %}
-{%- if salt['pillar.get']('sensoroni:node_description') %}
+{%- set DESCRIPTION = salt['pillar.get']('sensoroni:node_description', '') %}
-{%-   set DESCRIPTION = salt['pillar.get']('sensoroni:node_description') %}
+{%- set MODEL = salt['grains.get']('sosmodel', '') %}
-{%- else %}
-{%-   set DESCRIPTION = salt['grains.get']('sosmodel', '') %}
-{%- endif %}
 {%- set ADDRESS = salt['pillar.get']('sensoroni:node_address') %}
 {%- set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') %}
 {%- set CHECKININTERVALMS = salt['pillar.get']('sensoroni:node_checkin_interval_ms', 10000) %}
@@ -21,6 +18,7 @@
     "role": "{{ grains.role }}",
     "description": "{{ DESCRIPTION }}",
     "address": "{{ ADDRESS }}",
+    "model": "{{ MODEL }}",
     "pollIntervalMs": {{ CHECKININTERVALMS if CHECKININTERVALMS else 10000 }},
     "serverUrl": "https://{{ URLBASE }}/sensoroniagents",
     "verifyCert": false,

salt/soc/files/soc/soc.json

@@ -53,6 +53,17 @@
         "cacheMs": {{ ES_FIELDCAPS_CACHE }},
         "verifyCert": false
       },
+      "influxdb": {
+{%- if grains['role'] in ['so-import'] %}
+        "hostUrl": "",
+{%- else %}
+        "hostUrl": "https://{{ MANAGERIP }}:8086",
+{%- endif %}
+        "token": "",
+        "org": "",
+        "bucket": "telegraf",
+        "verifyCert": false
+      },
       "sostatus": {
         "refreshIntervalMs": 30000,
         "offlineThresholdMs": 900000

setup/so-functions

@@ -162,6 +162,25 @@ check_hive_init() {
 	docker rm so-thehive
 }
 
+check_manager_state() {
+	echo "Checking state of manager services. This may take a moment..."
+	retry 2 15 "__check_so_status" >> $setup_log 2>&1 && retry 2 15 "__check_salt_master" >> $setup_log 2>&1 && return 0 || return 1
+}
+
+__check_so_status() {
+	local so_status_output
+	so_status_output=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /opt/so/log/sostatus/status.log)
+	[[ -z $so_status_output ]] && so_status_output=1
+	return $so_status_output
+}
+
+__check_salt_master() {
+	local salt_master_status
+	salt_master_status=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" systemctl is-active --quiet salt-master)
+	[[ -z $salt_master_status ]] && salt_master_status=1
+	return $salt_master_status
+}
+
 check_network_manager_conf() {
 	local gmdconf="/usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf"
 	local nmconf="/etc/NetworkManager/NetworkManager.conf"

setup/so-setup

@@ -264,7 +264,7 @@ elif [ "$install_type" = 'ANALYST' ]; then
 fi
 
 # Check if this is an airgap install
-if [[ ( $is_manager || $is_import ) && $is_iso ]]; then
+if [[ $is_iso || $is_minion ]]; then
 	whiptail_airgap
 	if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
 		is_airgap=true
@@ -339,7 +339,7 @@ if ! [[ -f $install_opt_file ]]; then
 			"HOSTNAME=$HOSTNAME" \
 			"MSRV=$MSRV" \
 			"MSRVIP=$MSRVIP" \
-			"NODE_DESCRIPTION=$NODE_DESCRIPTION" > "$install_opt_file"
+			"NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file"
 		[[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file"
 		download_repo_tarball
 		exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}"
@@ -574,6 +574,11 @@ if [[ $is_manager || $is_import ]]; then collect_so_allow; fi
 # This block sets REDIRECTIT which is used by a function outside the below subshell
 set_redirect >> $setup_log 2>&1
 
+if [[ $is_minion ]] && ! check_manager_state; then
+	echo "Manager was not in a good state" >> "$setup_log" 2>&1
+	whiptail_manager_error
+fi
+
 whiptail_end_settings
 
 # From here on changes will be made.

setup/so-whiptail

@@ -19,13 +19,18 @@ whiptail_airgap() {
 
 	[ -n "$TESTING" ] && return
 
-	INTERWEBS=$(whiptail --title "Security Onion Setup" --radiolist \
+	local node_str='node'
-	"Choose your install conditions:" 20 75 4 \
+	[[ $is_manager || $is_import ]] && node_str='manager'
-	"STANDARD" "This manager has internet accesss" ON  \
+
-	"AIRGAP" "This manager does not have internet access" OFF 3>&1 1>&2 2>&3 )
+	INTERWEBS=$(whiptail --title "Security Onion Setup" --menu \
+	"How should this $node_str be installed?" 10 60 2 \
+	"Standard    " "This $node_str has internet accesss"  \
+	"Airgap      " "This $node_str does not have internet access" 3>&1 1>&2 2>&3 )
 
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
+
+	INTERWEBS=$(echo "${INTERWEBS^^}" | tr -d ' ')
 }
 
 whiptail_avoid_default_hostname() {
@@ -79,7 +84,7 @@ whiptail_bond_nics_mtu() {
 
 whiptail_cancel() {
 
-	whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 75
+	whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup." 8 75
 	if [ -d "/root/installtmp" ]; then
 		{
 			echo "/root/installtmp exists";
@@ -88,7 +93,7 @@ whiptail_cancel() {
 		} >> $setup_log 2>&1
 	fi
 
-	title "User cancelled setup, no changes made."
+	title "User cancelled setup."
 	
 	exit
 }
@@ -1140,6 +1145,22 @@ whiptail_manager_adv_service_zeeklogs() {
 
 }
 
+whiptail_manager_error() {
+
+	[ -n "$TESTING" ] && return
+
+	local msg
+	read -r -d '' msg <<- EOM
+	Setup could not determine if the manager $MSRV is in a good state.
+
+	Continuing without verifying all services on the manager are running may result in a failure.
+
+	Would you like to continue anyway?
+	EOM
+
+	whiptail --title "Security Onion Setup" --yesno "$msg" 13 75 || whiptail_check_exitstatus 1
+}
+
 whiptail_manager_updates() {
 
 	[ -n "$TESTING" ] && return