CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 01:32:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'remotes/origin/2.4/dev' into 2.4/strelka

Browse Source
This commit is contained in:
m0duspwnens
2023-03-16 16:41:24 -04:00
parent 0dfbbfcf8e e88d459ef4
commit 7950f692a8
42 changed files with 220 additions and 1728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
pillar/top.sls
View File

@@ -51,6 +51,8 @@ base:
- adv_global - adv_global
- manager.soc_manager - manager.soc_manager
- manager.adv_manager - manager.adv_manager
- idstools.soc_idstools
- idstools.adv_idstools
- soc.soc_soc - soc.soc_soc
- soc.adv_soc - soc.adv_soc
- kratos.soc_kratos - kratos.soc_kratos
@@ -90,6 +92,9 @@ base:
- elasticsearch.soc_elasticsearch - elasticsearch.soc_elasticsearch
- elasticsearch.adv_elasticsearch - elasticsearch.adv_elasticsearch
- manager.soc_manager - manager.soc_manager
- manager.adv_manager
- idstools.soc_idstools
- idstools.adv_idstools
- soc.soc_soc - soc.soc_soc
- kratos.soc_kratos - kratos.soc_kratos
- kratos.adv_kratos - kratos.adv_kratos
@@ -120,6 +125,8 @@ base:
- secrets - secrets
- healthcheck.standalone - healthcheck.standalone
- soc_global - soc_global
- idstools.soc_idstools
- idstools.adv_idstools
- kratos.soc_kratos - kratos.soc_kratos
- kratos.adv_kratos - kratos.adv_kratos
- redis.soc_redis - redis.soc_redis
@@ -129,6 +136,7 @@ base:
- elasticsearch.soc_elasticsearch - elasticsearch.soc_elasticsearch
- elasticsearch.adv_elasticsearch - elasticsearch.adv_elasticsearch
- manager.soc_manager - manager.soc_manager
- manager.adv_manager
- soc.soc_soc - soc.soc_soc
- backup.soc_backup - backup.soc_backup
- backup.adv_backup - backup.adv_backup
@@ -195,6 +203,7 @@ base:
- elasticsearch.soc_elasticsearch - elasticsearch.soc_elasticsearch
- elasticsearch.adv_elasticsearch - elasticsearch.adv_elasticsearch
- manager.soc_manager - manager.soc_manager
- manager.adv_manager
- soc.soc_soc - soc.soc_soc
- soc_global - soc_global
- adv_global - adv_global

1
salt/backup/config_backup.sls
View File

@@ -19,6 +19,7 @@ config_backup_script:
- source: salt://backup/tools/sbin/so-config-backup.jinja - source: salt://backup/tools/sbin/so-config-backup.jinja
- defaults: - defaults:
BACKUPLOCATIONS: {{ BACKUP_MERGED.locations }} BACKUPLOCATIONS: {{ BACKUP_MERGED.locations }}
DESTINATION: {{ BACKUP_MERGED.destination }}
# Add config backup # Add config backup
so_config_backup: so_config_backup:

3
salt/backup/defaults.yaml
View File

@@ -3,4 +3,5 @@ backup:
- /opt/so/saltstack/local - /opt/so/saltstack/local
- /etc/pki - /etc/pki
- /etc/salt - /etc/salt
- /opt/so/conf/kratos - /nsm/kratos
destination: "/nsm/backup"

10
salt/backup/soc_backup.yaml Normal file
View File

@@ -0,0 +1,10 @@
backup:
locations:
description: List of locations to back up to the destination.
helpLink: backup.html
global: True
destination:
description: Directory to store the configuration backups in.
helpLink: backup.html
global: True

3
salt/backup/tools/sbin/so-config-backup.jinja
View File

@@ -8,7 +8,8 @@
. /usr/sbin/so-common . /usr/sbin/so-common
TODAY=$(date '+%Y_%m_%d') TODAY=$(date '+%Y_%m_%d')
BACKUPFILE="/nsm/backup/so-config-backup-$TODAY.tar" BACKUPDIR={{ DESTINATION }}
BACKUPFILE="$BACKUPDIR/so-config-backup-$TODAY.tar"
MAXBACKUPS=7 MAXBACKUPS=7
# Create backup dir if it does not exist # Create backup dir if it does not exist

6
salt/common/tools/sbin/so-elastic-fleet-integration-policy-load
View File

@@ -103,3 +103,9 @@ echo
echo "Setting up Redis package policy..." echo "Setting up Redis package policy..."
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "redis", "version": "1.4.0" }, "id": "redis-logs", "name": "redis-logs", "description": "Redis logs", "namespace": "default", "inputs": { "redis-logfile": { "enabled": true, "streams": { "redis.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/redis/redis.log" ], "tags": [ "redis-log" ], "preserve_original_event": false } } } }, "redis-redis": { "enabled": false, "streams": { "redis.slowlog": { "enabled": false, "vars": { "hosts": [ "127.0.0.1:6379" ], "password": "" } } } }, "redis-redis/metrics": { "enabled": false, "vars": { "hosts": [ "127.0.0.1:6379" ], "idle_timeout": "20s", "maxconn": 10, "network": "tcp", "password": "" }, "streams": { "redis.info": { "enabled": false, "vars": { "period": "10s" } }, "redis.key": { "enabled": false, "vars": { "key.patterns": "- limit: 20\n pattern: '*'\n", "period": "10s" } }, "redis.keyspace": { "enabled": false, "vars": { "period": "10s" } } } } } }' curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{ "policy_id": "so-grid-nodes", "package": { "name": "redis", "version": "1.4.0" }, "id": "redis-logs", "name": "redis-logs", "description": "Redis logs", "namespace": "default", "inputs": { "redis-logfile": { "enabled": true, "streams": { "redis.log": { "enabled": true, "vars": { "paths": [ "/opt/so/log/redis/redis.log" ], "tags": [ "redis-log" ], "preserve_original_event": false } } } }, "redis-redis": { "enabled": false, "streams": { "redis.slowlog": { "enabled": false, "vars": { "hosts": [ "127.0.0.1:6379" ], "password": "" } } } }, "redis-redis/metrics": { "enabled": false, "vars": { "hosts": [ "127.0.0.1:6379" ], "idle_timeout": "20s", "maxconn": 10, "network": "tcp", "password": "" }, "streams": { "redis.info": { "enabled": false, "vars": { "period": "10s" } }, "redis.key": { "enabled": false, "vars": { "key.patterns": "- limit: 20\n pattern: '*'\n", "period": "10s" } }, "redis.keyspace": { "enabled": false, "vars": { "period": "10s" } } } } } }'
echo echo
# IDH logs
echo
echo "Setting up IDH package policy..."
curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/fleet/package_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'{"policy_id":"so-grid-nodes","package":{"name":"log","version":"1.1.1"},"id":"idh-logs","name":"idh-logs","namespace":"so","description":"IDH integration","inputs":{"logs-logfile":{"enabled":true,"streams":{"log.log":{"enabled":true,"vars":{"paths":["/nsm/idh/opencanary.log"],"data_stream.dataset":"idh","custom":"pipeline: common","processors": "\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true\n- drop_fields:\n when:\n equals:\n logtype: \"1001\"\n fields: [\"src_host\", \"src_port\", \"dst_host\", \"dst_port\" ]\n ignore_missing: true\n- rename:\n fields:\n - from: \"src_host\"\n to: \"source.ip\"\n - from: \"src_port\"\n to: \"source.port\"\n - from: \"dst_host\"\n to: \"destination.host\"\n - from: \"dst_port\"\n to: \"destination.port\"\n ignore_missing: true\n- convert:\n fields:\n - {from: \"logtype\", to: \"event.code\", type: \"string\"}\n ignore_missing: true\n- drop_fields:\n fields: '\''[\"prospector\", \"input\", \"offset\", \"beat\"]'\''\n- add_fields:\n target: event\n fields:\n category: host\n module: opencanary","tags":[]}}}}}}'
echo

21
salt/common/tools/sbin/so-minion
View File

@@ -23,6 +23,7 @@ if [[ $# -lt 1 ]]; then
echo " accept: Accepts a new key and adds the minion files" echo " accept: Accepts a new key and adds the minion files"
echo " delete: Removes the key and deletes the minion files" echo " delete: Removes the key and deletes the minion files"
echo " reject: Rejects a key" echo " reject: Rejects a key"
echo " test: Ingest test data"
echo "" echo ""
exit 1 exit 1
fi fi
@@ -75,6 +76,22 @@ function getinstallinfo() {
source <(echo $INSTALLVARS) source <(echo $INSTALLVARS)
} }
function testminion() {
# Always run on the host, since this is going to be the manager of a distributed grid, or an eval/standalone.
# Distributed managers must run this in order for the sensor nodes to have access to the so-tcpreplay image.
so-test
result=$?
# If this so-minion script is not running on the given minion ID, run so-test remotely on the sensor as well
local_id=$(lookup_grain id)
if [[ ! "$local_id" =~ "${MINION_ID}_" ]]; then
salt "$MINION_ID" cmd.run 'so-test'
result=$?
fi
exit $result
}
function listminions() { function listminions() {
salt-key list -F --out=json salt-key list -F --out=json
exit $? exit $?
@@ -277,3 +294,7 @@ if [[ "$OPERATION" = 'add' || "$OPERATION" = 'setup' ]]; then
create$NODETYPE create$NODETYPE
echo "Minion file created for $MINION_ID" echo "Minion file created for $MINION_ID"
fi fi
if [[ "$OPERATION" = 'test' ]]; then
testminion
fi

2
salt/common/tools/sbin/so-playbook-reset
View File

@@ -17,6 +17,6 @@ salt-call state.apply playbook,playbook.automation_user_create
/usr/sbin/so-soctopus-restart /usr/sbin/so-soctopus-restart
echo "Importing Plays - this will take some time...." echo "Importing Plays - NOTE: this will continue after installation finishes and could take an hour or more. Rebooting while the import is in progress will delay playbook imports."
sleep 5 sleep 5
so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 & so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 &

21
salt/common/tools/sbin/so-status
View File

@@ -24,12 +24,14 @@ def showUsage(options, args):
print(' -h - Prints this usage information') print(' -h - Prints this usage information')
print(' -q - Suppress output; useful for automation of exit code value') print(' -q - Suppress output; useful for automation of exit code value')
print(' -j - Output in JSON format') print(' -j - Output in JSON format')
print(' -i - Consider the installation outcome regardless of whether the system appears healthy')
print('') print('')
print(' Exit codes:') print(' Exit codes:')
print(' 0 - Success, system appears to be running correctly') print(' 0 - Success, system appears to be running correctly')
print(' 1 - Error, one or more subsystems are not running') print(' 1 - Error, one or more subsystems are not running')
print(' 2 - System is starting') print(' 2 - System is starting')
print(' 99 - Installation in progress') print(' 99 - Installation in progress')
print(' 100 - System installation encountered errors')
sys.exit(1) sys.exit(1)
@@ -38,6 +40,16 @@ def fail(msg):
sys.exit(1) sys.exit(1)
def check_installation_status(options, console):
if "-i" in options:
if os.path.isfile('/root/failure'):
return 100
if os.path.isfile('/root/success'):
return 0
return 99
return 0
def check_system_status(options, console): def check_system_status(options, console):
code = 0 code = 0
highstate_end_time = 0 highstate_end_time = 0
@@ -66,6 +78,8 @@ def output(options, console, code, data):
console.print(" [bold yellow]:hourglass: [bold white]System appears to be starting. No highstate has completed since the system was restarted.") console.print(" [bold yellow]:hourglass: [bold white]System appears to be starting. No highstate has completed since the system was restarted.")
elif code == 99: elif code == 99:
console.print(" [bold red]:exclamation: [bold white]Installation does not appear to be complete. A highstate has not fully completed.") console.print(" [bold red]:exclamation: [bold white]Installation does not appear to be complete. A highstate has not fully completed.")
elif code == 100:
console.print(" [bold red]:exclamation: [bold white]Installation encountered errors.")
else: else:
table = Table(title = "Security Onion Status", show_edge = False, safe_box = True, box = box.MINIMAL) table = Table(title = "Security Onion Status", show_edge = False, safe_box = True, box = box.MINIMAL)
table.add_column("Container", justify="right", style="white", no_wrap=True) table.add_column("Container", justify="right", style="white", no_wrap=True)
@@ -137,7 +151,9 @@ def check_container_status(options, console):
def check_status(options, console): def check_status(options, console):
container_list = [] container_list = []
code = check_system_status(options, console) code = check_installation_status(options, console)
if code == 0:
code = check_system_status(options, console)
if code == 0: if code == 0:
code, container_list = check_container_status(options, console) code, container_list = check_container_status(options, console)
output(options, console, code, container_list) output(options, console, code, container_list)
@@ -150,9 +166,8 @@ def main():
for option in args: for option in args:
if option.startswith("-"): if option.startswith("-"):
options.append(option) options.append(option)
args.remove(option)
if len(args) != 0 or "-h" in options: if "-h" in options or "--help" in options or "-?" in options:
showUsage(options, None) showUsage(options, None)
if os.environ["USER"] != "root": if os.environ["USER"] != "root":

18
salt/common/tools/sbin/so-user
View File

@@ -496,19 +496,6 @@ EOF
fi fi
} }
function migrateLockedUsers() {
# This is a migration function to convert locked users from prior to 2.3.90
# to inactive users using the newer Kratos functionality. This should only
# find locked users once.
lockedEmails=$(curl -s ${kratosUrl}/identities | jq -r '.[] | select(.traits.status == "locked") | .traits.email')
if [[ -n "$lockedEmails" ]]; then
echo "Disabling locked users..."
for email in $lockedEmails; do
updateStatus "$email" locked
done
fi
}
function updateStatus() { function updateStatus() {
email=$1 email=$1
status=$2 status=$2
@@ -703,11 +690,6 @@ case "${operation}" in
echo "Password is acceptable" echo "Password is acceptable"
;; ;;
"migrate")
migrateLockedUsers
echo "User migration complete"
;;
*) *)
fail "Unsupported operation: $operation" fail "Unsupported operation: $operation"
usage usage

2
salt/idh/init.sls
View File

@@ -74,6 +74,8 @@ so-idh:
- file: opencanary_config - file: opencanary_config
- require: - require:
- file: opencanary_config - file: opencanary_config
- extra_hosts:
- {{ GLOBALS.manager }}:{{ GLOBALS.manager_ip }}
append_so-idh_so-status.conf: append_so-idh_so-status.conf:
file.append: file.append:

9
salt/idstools/defaults.yaml Normal file
View File

@@ -0,0 +1,9 @@
idstools:
config:
urls: []
ruleset: ETOPEN
oinkcode: ""
sids:
enabled: []
disabled: []
modify: []

39
salt/idstools/etc/rulecat.conf
View File

@@ -1,17 +1,14 @@
{%- set URLS = salt['pillar.get']('idstools:config:urls') -%} {%- from 'vars/globals.map.jinja' import GLOBALS %}
{%- set RULESET = salt['pillar.get']('idstools:config:ruleset') -%} {%- import_yaml 'idstools/defaults.yaml' as IDSTOOLSDEFAULTS %}
{%- set OINKCODE = salt['pillar.get']('idstools:config:oinkcode', '' ) -%} {%- set IDSTOOLSMERGED = salt['pillar.get']('idstools', IDSTOOLSDEFAULTS.idstools, merge=True) %}
{%- set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') -%} {%- if GLOBALS.airgap is sameas true -%}
{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') -%}
{%- set ENGINE = salt['pillar.get']('global:mdengine', '') %}
{%- if ISAIRGAP is sameas true -%}
--merged=/opt/so/rules/nids/all.rules --merged=/opt/so/rules/nids/all.rules
--local=/opt/so/rules/nids/local.rules --local=/opt/so/rules/nids/local.rules
{%- if ENGINE == "SURICATA" %} {%- if GLOBAL.md_engine == "SURICATA" %}
--local=/opt/so/rules/nids/sorules/extraction.rules --local=/opt/so/rules/nids/sorules/extraction.rules
--local=/opt/so/rules/nids/sorules/filters.rules --local=/opt/so/rules/nids/sorules/filters.rules
{%- endif %} {%- endif %}
--url=http://{{ MANAGERIP }}:7788/rules/emerging-all.rules --url=http://{{ GLOBALS.manager }}:7788/rules/emerging-all.rules
--disable=/opt/so/idstools/etc/disable.conf --disable=/opt/so/idstools/etc/disable.conf
--enable=/opt/so/idstools/etc/enable.conf --enable=/opt/so/idstools/etc/enable.conf
--modify=/opt/so/idstools/etc/modify.conf --modify=/opt/so/idstools/etc/modify.conf
@@ -19,23 +16,23 @@
--suricata-version=6.0 --suricata-version=6.0
--merged=/opt/so/rules/nids/all.rules --merged=/opt/so/rules/nids/all.rules
--local=/opt/so/rules/nids/local.rules --local=/opt/so/rules/nids/local.rules
{%- if ENGINE == "SURICATA" %} {%- if GLOBALS.md_engine == "SURICATA" %}
--local=/opt/so/rules/nids/sorules/extraction.rules --local=/opt/so/rules/nids/sorules/extraction.rules
--local=/opt/so/rules/nids/sorules/filters.rules --local=/opt/so/rules/nids/sorules/filters.rules
{%- endif %} {%- endif %}
--disable=/opt/so/idstools/etc/disable.conf --disable=/opt/so/idstools/etc/disable.conf
--enable=/opt/so/idstools/etc/enable.conf --enable=/opt/so/idstools/etc/enable.conf
--modify=/opt/so/idstools/etc/modify.conf --modify=/opt/so/idstools/etc/modify.conf
{%- if RULESET == 'ETOPEN' %} {%- if IDSTOOLSMERGED.config.ruleset == 'ETOPEN' %}
--etopen --etopen
{%- elif RULESET == 'ETPRO' %} {%- elif IDSTOOLSMERGED.config.ruleset == 'ETPRO' %}
--etpro={{ OINKCODE }} --etpro={{ IDSTOOLSMERGED.config.oinkcode }}
{%- elif RULESET == 'TALOS' %} {%- elif IDSTOOLSMERGED.config.ruleset == 'TALOS' %}
--url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ OINKCODE }} --url=https://www.snort.org/rules/snortrules-snapshot-2983.tar.gz?oinkcode={{ IDSTOOLSMERGED.config.oinkcode }}
{%- endif %} {%- endif %}
{%- endif %} {%- endif %}
{%- if URLS != None %} {%- if IDSTOOLSMERGED.config.urls | length > 0 %}
{%- for URL in URLS %} {%- for URL in IDSTOOLSMERGED.config.urls %}
--url={{ URL }} --url={{ URL }}
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}

5
salt/strelka/defaults.yaml
View File

@@ -308,11 +308,6 @@ strelka:
priority: 5 priority: 5
options: options:
limit: 1000 limit: 1000
'ScanRuby':
- positive:
flavors:
- 'text/x-ruby'
priority: 5
'ScanSwf': 'ScanSwf':
- positive: - positive:
flavors: flavors:

67
setup/automation/distributed-airgap-manager
View File

@@ -1,67 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
ALLOW_CIDR=0.0.0.0/0
ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
#BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=Distributed-manager
install_type=MANAGER
INTERWEBS=AIRGAP
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
# MSRV=
# MTU=
NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
PLAYBOOK=1
# REDIRECTHOST=
REDIRECTINFO=IP
RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
STRELKA=1
THEHIVE=0
WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r

68
setup/automation/distributed-airgap-search
View File

@@ -1,68 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
# ALLOW_CIDR=0.0.0.0/0
# ALLOW_ROLE=a
# BASICZEEK=7
# BASICSURI=7
# BLOGS=
# BNICS=eth1
# ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=distributed-search
install_type=SEARCHNODE
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
# MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
MSRV=distributed-manager
MSRVIP=10.66.166.52
# MTU=
# NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
# OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
# PLAYBOOK=1
# REDIRECTHOST=
# REDIRECTINFO=IP
# RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
# STRELKA=1
# THEHIVE=0
# WAZUH=1
# WEBUSER=onionuser@somewhere.invalid
# WEBPASSWD1=0n10nus3r
# WEBPASSWD2=0n10nus3r

68
setup/automation/distributed-airgap-sensor
View File

@@ -1,68 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
# ALLOW_CIDR=0.0.0.0/0
# ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=Distributed-sensor
install_type=SENSOR
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
# MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
MSRV=distributed-manager
MSRVIP=10.66.166.52
# MTU=
# NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
# NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
# OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
# PLAYBOOK=1
# REDIRECTHOST=
# REDIRECTINFO=IP
# RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
# STRELKA=1
# THEHIVE=0
# WAZUH=1
# WEBUSER=onionuser@somewhere.invalid
# WEBPASSWD1=0n10nus3r
# WEBPASSWD2=0n10nus3r

66
setup/automation/distributed-cloud-manager
View File

@@ -1,66 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
ALLOW_CIDR=0.0.0.0/0
ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
#BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=distributed-manager
install_type=MANAGER
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
# MSRV=
# MTU=
NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
PLAYBOOK=1
REDIRECTHOST=$(cat /root/public_ip)
REDIRECTINFO=OTHER
RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=0
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
STRELKA=1
THEHIVE=0
WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r

68
setup/automation/distributed-cloud-search
View File

@@ -1,68 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
#ALLOW_CIDR=0.0.0.0/0
#ALLOW_ROLE=a
#BASICZEEK=7
#BASICSURI=7
# BLOGS=
#BNICS=ens6
#ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=distributed-search
install_type=SEARCHNODE
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
#MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
MSRV=distributed-manager
MSRVIP=10.99.1.20
# MTU=
#NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
#OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
#PLAYBOOK=1
# REDIRECTHOST=
#REDIRECTINFO=HOSTNAME
#RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=0
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
#STRELKA=1
#THEHIVE=0
#WAZUH=1
# WEBUSER=onionuser@somewhere.invalid
# WEBPASSWD1=0n10nus3r
# WEBPASSWD2=0n10nus3r

68
setup/automation/distributed-cloud-sensor
View File

@@ -1,68 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
#ALLOW_CIDR=0.0.0.0/0
#ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=distributed-sensor
install_type=SENSOR
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
#MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
MSRV=distributed-manager
MSRVIP=10.99.1.20
# MTU=
#NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
#NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
#OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
#PLAYBOOK=1
# REDIRECTHOST=
#REDIRECTINFO=HOSTNAME
#RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=0
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
#STRELKA=1
#THEHIVE=0
#WAZUH=1
# WEBUSER=onionuser@somewhere.invalid
# WEBPASSWD1=0n10nus3r
# WEBPASSWD2=0n10nus3r

66
setup/automation/distributed-iso-manager
View File

@@ -1,66 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
ALLOW_CIDR=0.0.0.0/0
ALLOW_ROLE=a
BASICZEEK=7
BASICSURI=7
# BLOGS=
#BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=distributed-manager
install_type=MANAGER
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
# MSRV=
# MTU=
NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
PLAYBOOK=1
# REDIRECTHOST=
REDIRECTINFO=IP
RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
STRELKA=1
THEHIVE=0
WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r

68
setup/automation/distributed-iso-search
View File

@@ -1,68 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
# ALLOW_CIDR=0.0.0.0/0
# ALLOW_ROLE=a
# BASICZEEK=7
# BASICSURI=7
# BLOGS=
# BNICS=eth1
# ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=distributed-search
install_type=SEARCHNODE
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
# MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
MSRV=distributed-manager
MSRVIP=10.66.166.42
# MTU=
# NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=ADVANCED
NODEUPDATES=MANAGER
# OINKCODE=
# OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
# PLAYBOOK=1
# REDIRECTHOST=
# REDIRECTINFO=IP
# RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
# STRELKA=1
# THEHIVE=0
# WAZUH=1
# WEBUSER=onionuser@somewhere.invalid
# WEBPASSWD1=0n10nus3r
# WEBPASSWD2=0n10nus3r

70
setup/automation/distributed-iso-sensor
View File

@@ -1,70 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
# ALLOW_CIDR=0.0.0.0/0
# ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=Distributed-Sensor
install_type=SENSOR
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
# MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
MSRV=distributed-manager
MSRVIP=10.66.166.42
MTU=1500
# NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
# NODESETUP=NODEBASIC
NSMSETUP=ADVANCED
NODEUPDATES=MANAGER
# OINKCODE=
# OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
# PLAYBOOK=1
# REDIRECTHOST=
# REDIRECTINFO=IP
# RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
# STRELKA=1
SURIPINS=(2 3)
# THEHIVE=0
# WAZUH=1
# WEBUSER=onionuser@somewhere.invalid
# WEBPASSWD1=0n10nus3r
# WEBPASSWD2=0n10nus3r
ZEEKPINS=(0 1)

66
setup/automation/distributed-net-manager
View File

@@ -1,66 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
ALLOW_CIDR=0.0.0.0/0
ALLOW_ROLE=a
BASICZEEK=7
BASICSURI=7
# BLOGS=
#BNICS=eth1
ZEEKVERSION=SURICATA
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=distributed-manager
install_type=MANAGER
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
# MSRV=
# MTU=
NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
PLAYBOOK=1
# REDIRECTHOST=
REDIRECTINFO=IP
RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
STRELKA=1
THEHIVE=0
WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r

68
setup/automation/distributed-net-search
View File

@@ -1,68 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
# ALLOW_CIDR=0.0.0.0/0
# ALLOW_ROLE=a
# BASICZEEK=7
# BASICSURI=7
# BLOGS=
# BNICS=eth1
# ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=distributed-search
install_type=SEARCHNODE
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
# MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
MSRV=distributed-manager
MSRVIP=10.66.166.72
# MTU=
# NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
# OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
# PLAYBOOK=1
# REDIRECTHOST=
# REDIRECTINFO=IP
# RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
# STRELKA=1
# THEHIVE=0
# WAZUH=1
# WEBUSER=onionuser@somewhere.invalid
# WEBPASSWD1=0n10nus3r
# WEBPASSWD2=0n10nus3r

68
setup/automation/distributed-net-sensor
View File

@@ -1,68 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
# ALLOW_CIDR=0.0.0.0/0
# ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
BNICS=eth1
ZEEKVERSION=SURICATA
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=distributed-sensor
install_type=SENSOR
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
# MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
MSRV=distributed-manager
MSRVIP=10.66.166.72
# MTU=
# NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
# NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
# OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
# PLAYBOOK=1
# REDIRECTHOST=
# REDIRECTINFO=IP
# RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
# STRELKA=1
# THEHIVE=0
# WAZUH=1
# WEBUSER=onionuser@somewhere.invalid
# WEBPASSWD1=0n10nus3r
# WEBPASSWD2=0n10nus3r

67
setup/automation/eval-airgap
View File

@@ -1,67 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
ALLOW_CIDR=0.0.0.0/0
ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=eval
install_type=EVAL
INTERWEBS=AIRGAP
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
# MSRV=
# MTU=
NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
PLAYBOOK=1
# REDIRECTHOST=
REDIRECTINFO=IP
RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
STRELKA=1
THEHIVE=0
WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r

66
setup/automation/eval-cloud
View File

@@ -1,66 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
ALLOW_CIDR=0.0.0.0/0
ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=eval
install_type=EVAL
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
# MSRV=
# MTU=
NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
PLAYBOOK=1
REDIRECTHOST=$(cat /root/public_ip)
REDIRECTINFO=OTHER
RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
STRELKA=1
THEHIVE=0
WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r

66
setup/automation/eval-iso
View File

@@ -1,66 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
ALLOW_CIDR=0.0.0.0/0
ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=eval
install_type=EVAL
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
# MSRV=
# MTU=
NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
PLAYBOOK=1
# REDIRECTHOST=
REDIRECTINFO=IP
RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
STRELKA=1
THEHIVE=0
WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r

66
setup/automation/eval-net
View File

@@ -1,66 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
# address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
ALLOW_CIDR=0.0.0.0/0
ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=eval
install_type=EVAL
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
# MSRV=
# MTU=
NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
PLAYBOOK=1
# REDIRECTHOST=
REDIRECTINFO=IP
RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
STRELKA=1
THEHIVE=0
WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r

67
setup/automation/import-airgap
View File

@@ -1,67 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
ALLOW_CIDR=0.0.0.0/0
ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
#BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=import
install_type=IMPORT
INTERWEBS=AIRGAP
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
# MSRV=
# MTU=
NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
# OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
# PLAYBOOK=1
# REDIRECTHOST=
REDIRECTINFO=IP
RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
# SOREMOTEPASS1=onionuser
# SOREMOTEPASS2=onionuser
STRELKA=1
# THEHIVE=0
# WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r

66
setup/automation/import-cloud
View File

@@ -1,66 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
ALLOW_CIDR=0.0.0.0/0
ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
#BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=import
install_type=IMPORT
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
# MSRV=
# MTU=
NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
# OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
# PLAYBOOK=1
REDIRECTHOST=$(cat /root/public_ip)
REDIRECTINFO=OTHER
RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
# SOREMOTEPASS1=onionuser
# SOREMOTEPASS2=onionuser
STRELKA=1
# THEHIVE=0
# WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r

66
setup/automation/import-iso
View File

@@ -1,66 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
ALLOW_CIDR=0.0.0.0/0
ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
#BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=import
install_type=IMPORT
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
# MSRV=
# MTU=
NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
# OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
# PLAYBOOK=1
# REDIRECTHOST=
REDIRECTINFO=IP
RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
# SOREMOTEPASS1=onionuser
# SOREMOTEPASS2=onionuser
STRELKA=1
# THEHIVE=0
# WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r

66
setup/automation/import-net
View File

@@ -1,66 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
# address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
ALLOW_CIDR=0.0.0.0/0
ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
#BNICS=eth1
ZEEKVERSION=SURICATA
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=import
install_type=IMPORT
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
# MSRV=
# MTU=
NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
# OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
# PLAYBOOK=1
# REDIRECTHOST=
REDIRECTINFO=IP
RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
# SOREMOTEPASS1=onionuser
# SOREMOTEPASS2=onionuser
STRELKA=1
# THEHIVE=0
# WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r

67
setup/automation/standalone-airgap
View File

@@ -1,67 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
ALLOW_CIDR=0.0.0.0/0
ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=standalone
install_type=STANDALONE
INTERWEBS=AIRGAP
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
# MSRV=
# MTU=
NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
PLAYBOOK=1
# REDIRECTHOST=
REDIRECTINFO=IP
RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
STRELKA=1
THEHIVE=0
WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r

66
setup/automation/standalone-cloud
View File

@@ -1,66 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
ALLOW_CIDR=0.0.0.0/0
ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=standalone
install_type=STANDALONE
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
# MSRV=
# MTU=
NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
PLAYBOOK=1
REDIRECTHOST=$(cat /root/public_ip)
REDIRECTINFO=OTHER
RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
STRELKA=1
THEHIVE=0
WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r

66
setup/automation/standalone-iso
View File

@@ -1,66 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
ALLOW_CIDR=0.0.0.0/0
ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
BNICS=eth1
ZEEKVERSION=ZEEK
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=standalone
install_type=STANDALONE
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
# MSRV=
# MTU=
NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
PLAYBOOK=1
# REDIRECTHOST=
REDIRECTINFO=IP
RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
STRELKA=1
THEHIVE=0
WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r

66
setup/automation/standalone-net
View File

@@ -1,66 +0,0 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
TESTING=true
# address_type=DHCP
ADMINUSER=onionuser
ADMINPASS1=onionuser
ADMINPASS2=onionuser
ALLOW_CIDR=0.0.0.0/0
ALLOW_ROLE=a
BASICZEEK=2
BASICSURI=2
# BLOGS=
BNICS=eth1
ZEEKVERSION=SURICATA
# CURCLOSEDAYS=
# EVALADVANCED=BASIC
# HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit
HOSTNAME=standalone
install_type=STANDALONE
# LSINPUTBATCHCOUNT=
# LSINPUTTHREADS=
# LSPIPELINEBATCH=
# LSPIPELINEWORKERS=
MANAGERADV=BASIC
# MDNS=
# MGATEWAY=
# MIP=
# MMASK=
MNIC=eth0
# MSEARCH=
# MSRV=
# MTU=
NIDS=Suricata
# NODE_ES_HEAP_SIZE=
# NODE_LS_HEAP_SIZE=
NODESETUP=NODEBASIC
NSMSETUP=BASIC
NODEUPDATES=MANAGER
# OINKCODE=
OSQUERY=1
# PATCHSCHEDULEDAYS=
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
PLAYBOOK=1
# REDIRECTHOST=
REDIRECTINFO=IP
RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
SOREMOTEPASS1=onionuser
SOREMOTEPASS2=onionuser
STRELKA=1
THEHIVE=0
WAZUH=1
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r

60
setup/so-functions
View File

@@ -17,11 +17,11 @@ log() {
} }
error() { error() {
log "$1" "E" log "$1" "ERROR"
} }
info() { info() {
log "$1" "I" log "$1" "INFO"
} }
title() { title() {
@@ -68,9 +68,7 @@ add_web_user() {
wait_for_file /nsm/kratos/db/db.sqlite 30 5 wait_for_file /nsm/kratos/db/db.sqlite 30 5
{ {
info "Attempting to add administrator user for web interface..."; info "Attempting to add administrator user for web interface...";
export SKIP_STATE_APPLY=true
echo "$WEBPASSWD1" | /usr/sbin/so-user add --email "$WEBUSER" --role "superuser"; echo "$WEBPASSWD1" | /usr/sbin/so-user add --email "$WEBUSER" --role "superuser";
unset SKIP_STATE_APPLY
info "Add user result: $?"; info "Add user result: $?";
} >> "/root/so-user-add.log" 2>&1 } >> "/root/so-user-add.log" 2>&1
} }
@@ -141,11 +139,11 @@ check_admin_pass() {
check_manager_connection() { check_manager_connection() {
# See if you can curl the manager. If not you can either try again or continue # See if you can curl the manager. If not you can either try again or continue
info "Checking manager connectivity" info "Checking manager connectivity"
man_test_err=$(curl -k -L -sS https://$MSRVIP/repo --connect-timeout 5 2>&1) man_test_err=$(curl -s $MSRVIP:4505 --connect-timeout 5 2>&1)
local ret=$? local ret=$?
if [[ $ret != 0 ]]; then if [[ $ret != 1 ]]; then
error "Could not reach $MSRV" error "Could not reach $MSRV"
whiptail_manager_unreachable whiptail_manager_unreachable
fi fi
@@ -322,7 +320,7 @@ collect_hostname() {
} }
collect_hostname_validate() { collect_hostname_validate() {
if [[ $automated == no ]] && [[ "$HOSTNAME" == *'localhost'* ]]; then HOSTNAME=securityonion; fi if [[ -z "$TESTING" ]] && [[ "$HOSTNAME" == *'localhost'* ]]; then HOSTNAME=securityonion; fi
whiptail_set_hostname "$HOSTNAME" whiptail_set_hostname "$HOSTNAME"
@@ -1359,18 +1357,6 @@ ls_heapsize() {
idstools_pillar() { idstools_pillar() {
title "Ading IDSTOOLS pillar options" title "Ading IDSTOOLS pillar options"
touch $adv_idstools_pillar_file touch $adv_idstools_pillar_file
printf '%s\n'\
"idstools:"\
" config:"\
" ruleset: '$RULESETUP'"\
" oinkcode: '$OINKCODE'"\
" urls: []"\
" sids:"\
" enabled: []"\
" disabled: []"\
" modify: []"\
"" > "$idstools_pillar_file"
} }
soc_pillar() { soc_pillar() {
@@ -1500,9 +1486,6 @@ create_strelka_pillar() {
backup_pillar() { backup_pillar() {
title "Create the backup pillar file" title "Create the backup pillar file"
touch $adv_backup_pillar_file touch $adv_backup_pillar_file
printf '%s\n'\
"backup:"\
" locations: []" > "$backup_pillar_file"
} }
soctopus_pillar() { soctopus_pillar() {
@@ -1612,6 +1595,15 @@ networking_needful() {
fi fi
set_main_ip set_main_ip
compare_main_nic_ip compare_main_nic_ip
# Attempt to autodetect the manager IP, if an offset value exists
if [[ -n "$MSRVIP_OFFSET" && -z "$MSRVIP" ]]; then
mips1=$(echo "$MNIC_IP" | awk -F. '{print $1}')
mips2=$(echo "$MNIC_IP" | awk -F. '{print $2}')
mips3=$(echo "$MNIC_IP" | awk -F. '{print $3}')
mips4=$(echo "$MNIC_IP" | awk -F. '{print $4}')
MSRVIP="$mips1.$mips2.$mips3.$((mips4+$MSRVIP_OFFSET))"
fi
} }
network_setup() { network_setup() {
@@ -1778,6 +1770,10 @@ reinstall_init() {
local service_retry_count=20 local service_retry_count=20
# Disregard previous install outcomes
rm -f /root/failure
rm -f /root/success
{ {
# remove all of root's cronjobs # remove all of root's cronjobs
logCmd "crontab -r -u root" logCmd "crontab -r -u root"
@@ -1987,7 +1983,7 @@ repo_sync_local() {
echo "gpgcheck=1" >> /root/repodownload.conf echo "gpgcheck=1" >> /root/repodownload.conf
echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf
dnf repolist logCmd "dnf repolist"
# Make sure we can get to the sig repo # Make sure we can get to the sig repo
logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup" logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup"
logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/"
@@ -2281,20 +2277,20 @@ set_initial_firewall_policy() {
title "Setting Initial Firewall Policy" title "Setting Initial Firewall Policy"
if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi
case "$install_type" in case "$install_type" in
'MANAGER') 'EVAL' | 'MANAGER' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=manager --ip=$MAINIP --apply=true $default_salt_dir/salt/common/tools/sbin/so-firewall --role=$install_type --ip=$MAINIP --apply=true
;; ;;
'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') esac
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=$install_type --ip=$MAINIP --apply=true
;;
esac
} }
set_initial_firewall_access() { set_initial_firewall_access() {
if [[ ! -z "$ALLOW_CIDR" ]]; then if [[ ! -z "$ALLOW_CIDR" ]]; then
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=analyst --ip=$ALLOW_CIDR --apply=true $default_salt_dir/salt/common/tools/sbin/so-firewall --role=analyst --ip=$ALLOW_CIDR --apply=true
fi fi
if [[ ! -z "$MINION_CIDR" ]]; then
$default_salt_dir/salt/common/tools/sbin/so-firewall --role=sensors --ip=$MINION_CIDR --apply=true
fi
} }
# Set up the management interface on the ISO # Set up the management interface on the ISO
@@ -2385,7 +2381,7 @@ update_sudoers() {
update_packages() { update_packages() {
if [[ $is_rocky ]]; then if [[ $is_rocky ]]; then
logCmd "dnf repolist" logCmd "dnf repolist"
logCmd "dnf -y update --exclude=salt*,wazuh*,docker*,containerd*" logCmd "dnf -y update --allowerasing --exclude=salt*,wazuh*,docker*,containerd*"
else else
retry 150 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1 retry 150 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1
retry 150 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1 retry 150 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1

86
setup/so-setup
View File

@@ -37,10 +37,10 @@ source ./so-variables
# Parse command line arguments # Parse command line arguments
setup_type=$1 setup_type=$1
automation=$2 test_profile=$2
WHATWOULDYOUSAYYAHDOHERE=setup WHATWOULDYOUSAYYAHDOHERE=setup
# This is for automation
while [[ $# -gt 0 ]]; do while [[ $# -gt 0 ]]; do
arg="$1" arg="$1"
shift shift
@@ -49,12 +49,8 @@ while [[ $# -gt 0 ]]; do
export TURBO="http://${arg#*=}";; export TURBO="http://${arg#*=}";;
"--proxy="* ) "--proxy="* )
export {http,https,ftp,rsync,all}_proxy="${arg#*=}";; export {http,https,ftp,rsync,all}_proxy="${arg#*=}";;
"--allow-role="* )
export ALLOW_ROLE="${arg#*=}";;
"--allow-cidr="* ) "--allow-cidr="* )
export ALLOW_CIDR="${arg#*=}";; export ALLOW_CIDR="${arg#*=}";;
"--skip-reboot" )
export SKIP_REBOOT=1;;
* ) * )
if [[ "$arg" == "--"* ]]; then if [[ "$arg" == "--"* ]]; then
echo "Invalid option" echo "Invalid option"
@@ -166,41 +162,65 @@ catch() {
exit 1 exit 1
} }
automated=no
# Add the progress function for manager node type installs # Add the progress function for manager node type installs
progress() { progress() {
local msg=${1:-'Please wait while installing...'} local msg=${1:-'Please wait while installing...'}
if [ $automated == no ]; then if [ -z "$TESTING" ]; then
whiptail --title "$whiptail_title" --gauge "$msg" 6 70 0 # append to text whiptail --title "$whiptail_title" --gauge "$msg" 6 70 0 # append to text
else else
cat >> $setup_log 2>&1 cat >> $setup_log 2>&1
fi fi
} }
# If using automation let's do automation things. if [ -n "$test_profile" ]; then
if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then install_type="$(echo $test_profile |awk -F- '{print $1}')"
info "Preselecting variable values based on automated setup: $automation" if [[ "$install_type" == "distributed" ]]; then
source automation/$automation install_type=MANAGER
automated=yes else
install_type=${install_type^^}
fi
attempt=1 # The below settings are hardcoded purely for automated testing purposes.
attempts=60 TESTING=true
ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1
while [ $? -ne 0 ]; do if [[ "$test_profile" =~ "-sensor" ]]; then
logCmd "ip a" install_type=SENSOR
if [ $attempt -gt $attempts ]; then HOSTNAME=sensor
error "Network unavailable - setup cannot continue" MSRVIP_OFFSET=-2
exit 1 elif [[ "$test_profile" =~ "-search" ]]; then
fi install_type=SEARCHNODE
info "Waiting for network to come up (attempt $attempt of $attempts)" HOSTNAME=search
attempt=$((attempt + 1)) MSRVIP_OFFSET=-1
info "Sleeping 10s to try again" else
sleep 10; HOSTNAME=manager
logCmd "ip a | grep '$MNIC:' | grep 'state UP'" fi
done
info "Network is up on $MNIC" info "Activating test profile; profile=$test_profile; install_type=$install_type"
MINION_CIDR=10.0.0.0/8
MSRV=manager
if [[ "$test_profile" =~ "-net" ]]; then
address_type=DHCP
elif [[ "$test_profile" =~ "-cloud" ]]; then
MSRVIP=10.99.1.20
elif [[ "$test_profile" =~ "-airgap" ]]; then
is_airgap=true
fi
if [ -f "/root/public_ip" ]; then
REDIRECTHOST=$(cat /root/public_ip)
REDIRECTINFO=OTHER
else
REDIRECTINFO=IP
fi
ALLOW_CIDR=0.0.0.0/0
MNIC=$(ls -1 /sys/class/net | head -1)
BNICS=$(ls -1 /sys/class/net | head -2 | tail -1)
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r
fi fi
# Make sure the setup type is suppoted. # Make sure the setup type is suppoted.
@@ -227,7 +247,7 @@ dmesg -D
# Kernel consoleblank is causing whiptail progress screen to appear to hang #1084 # Kernel consoleblank is causing whiptail progress screen to appear to hang #1084
# https://github.com/Security-Onion-Solutions/securityonion/issues/1084 # https://github.com/Security-Onion-Solutions/securityonion/issues/1084
if [ "$automated" == no ]; then if [ -z "$TESTING" ]; then
TTY=$(tty) TTY=$(tty)
info "Setup is running on TTY $TTY" info "Setup is running on TTY $TTY"
if echo $TTY | grep -q "/dev/tty"; then if echo $TTY | grep -q "/dev/tty"; then
@@ -283,7 +303,7 @@ if ! [[ -f $install_opt_file ]]; then
compare_main_nic_ip compare_main_nic_ip
fi fi
if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then if [[ $setup_type == 'iso' ]] && [ -z "$TESTING" ]; then
whiptail_first_menu_iso whiptail_first_menu_iso
if [[ $option == "CONFIGURENETWORK" ]]; then if [[ $option == "CONFIGURENETWORK" ]]; then
collect_hostname collect_hostname
@@ -454,7 +474,7 @@ if ! [[ -f $install_opt_file ]]; then
add_mngr_ip_to_hosts add_mngr_ip_to_hosts
check_manager_connection check_manager_connection
collect_idh_services collect_idh_services
collect_idh_preferences collect_idh_preferences
set_minion_info set_minion_info
whiptail_end_settings whiptail_end_settings

43
setup/so-verify
View File

@@ -32,7 +32,7 @@ log_has_errors() {
# Ignore Failed: 0 since that is the salt state output, and we detect state failures # Ignore Failed: 0 since that is the salt state output, and we detect state failures
# via Result: False already. # via Result: False already.
grep -E "FAILED|Failed|failed|ERROR|Error|Result: False" "$setup_log" | \ grep -E "FAILED|Failed|failed|ERROR|Result: False" "$setup_log" | \
grep -vE "The Salt Master has cached the public key for this node" | \ grep -vE "The Salt Master has cached the public key for this node" | \
grep -vE "Minion failed to authenticate with the master" | \ grep -vE "Minion failed to authenticate with the master" | \
grep -vE "Failed to connect to ::1" | \ grep -vE "Failed to connect to ::1" | \
@@ -79,20 +79,51 @@ status_failed() {
return 1 return 1
} }
# Creates scripts that are going to be invoked by the automated test system. These scripts will
# overwritten by Salt, once the minion is accepted into the grid and the salt states run.
create_temp_scripts_if_missing() {
if [ ! -f /usr/sbin/so-status ]; then
if [ -f /root/success ]; then
echo "echo 'so-status not yet available'" > /usr/sbin/so-status
echo "exit 0" >> /usr/sbin/so-status
# Pretend so-test succeeded in the interim period while waiting for this minion to be accepted. This avoids tests getting hung up.
echo "echo 'so-test not yet available'" > /usr/sbin/so-test
echo "exit 0" >> /usr/sbin/so-test
chmod a+x /usr/sbin/so-test
else
echo "echo 'Installation failed - so-status not available'" > /usr/sbin/so-status
echo "exit 100" >> /usr/sbin/so-status
fi
chmod a+x /usr/sbin/so-status
fi
}
main() { main() {
exit_code=0 exit_code=0
if log_has_errors; then if [ -f /root/success ]; then
echo "WARNING: Errors detected during setup" echo "Successfully completed setup a while ago"
elif [ -f /root/failure ]; then
echo "WARNING: Failed setup a while ago"
exit_code=1 exit_code=1
elif log_has_errors; then
echo "WARNING: Errors detected during setup"
exit_code=1
touch /root/failure
elif using_iso && cron_error_in_mail_spool; then elif using_iso && cron_error_in_mail_spool; then
echo "WARNING: Unexpected cron job output in mail spool" echo "WARNING: Unexpected cron job output in mail spool"
exit_code=1 exit_code=1
touch /root/failure
elif is_manager_node && status_failed; then elif is_manager_node && status_failed; then
echo "WARNING: Containers are not in a healthy state" echo "WARNING: Containers are not in a healthy state"
exit_code=1 exit_code=1
touch /root/failure
else else
echo "Successfully completed setup!" echo "Successfully completed setup!"
fi touch /root/success
fi
create_temp_scripts_if_missing
exit $exit_code exit $exit_code
} }

4
setup/so-whiptail
View File

@@ -1143,11 +1143,13 @@ whiptail_reinstall() {
read -r -d '' message <<- EOM read -r -d '' message <<- EOM
Setup has detected a previous install. Continuing the install will remove the previous install configuration. Setup has detected a previous install. Continuing the install will remove the previous install configuration.
Selecting continue is a destructive action.
Would you like to continue? Would you like to continue?
EOM EOM
whiptail --title "$whiptail_title" \ whiptail --title "$whiptail_title" \
--yesno "$message" 11 75 \ --yesno "$message" 13 75 \
--yes-button "Continue" --no-button "Exit" --defaultno --yes-button "Continue" --no-button "Exit" --defaultno
local exitstatus=$? local exitstatus=$?