This commit is contained in:
Mike Reeves
2023-05-18 15:19:15 -04:00
23 changed files with 141 additions and 110 deletions


@@ -172,12 +172,14 @@ elastic_fleet_policy_create() {
NAME=$1
DESC=$2
FLEETSERVER=$3
TIMEOUT=$4
JSON_STRING=$( jq -n \
--arg NAME "$NAME" \
--arg DESC "$DESC" \
--arg TIMEOUT $TIMEOUT \
--arg FLEETSERVER "$FLEETSERVER" \
'{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":1209600,"has_fleet_server":$FLEETSERVER}'
'{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":$TIMEOUT,"has_fleet_server":$FLEETSERVER}'
)
# Create Fleet Policy
curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/agent_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
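Review bot: `--arg TIMEOUT $TIMEOUT` on the new line leaves `$TIMEOUT` unquoted, unlike the other three `--arg` lines, and `--arg` binds the value as a string, so the new filter emits `"inactivity_timeout":"1209600"` (a JSON string) where the removed filter emitted the number `1209600`; whether the Fleet API coerces that is not visible here. Use `--argjson TIMEOUT "$TIMEOUT" \` so the value stays numeric (jq rejects a non-numeric argument, which doubles as a sanity check on the fourth parameter). `elastic_fleet_policy_create` starts before this hunk, so whether `$4` is validated earlier cannot be seen.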


@@ -24,6 +24,7 @@ if [ $# -ge 1 ]; then
case $1 in
"steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;;
"elastic-fleet") docker stop so-elastic-fleet && docker rm so-elastic-fleet && salt-call state.apply elasticfleet queue=True;;
*) docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;;
esac
else
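Review bot: The new `elastic-fleet` arm chains `docker stop && docker rm && salt-call`, so when the container is already stopped or absent the failing `docker stop` short-circuits the chain and `salt-call state.apply elasticfleet` never runs, making a restart of a dead service a no-op; the `*)` arm below separates the three commands with `;` and tolerates that. Either match the default arm, `"elastic-fleet") docker stop so-elastic-fleet ; docker rm so-elastic-fleet ; salt-call state.apply elasticfleet queue=True;;`, or add a comment stating that restart is intentionally limited to running containers. The `steno` arm already has the same `&&` behaviour, so whichever choice is made should apply to both. The enclosing `if`/`case` begins before this hunk.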


@@ -24,6 +24,7 @@ if [ $# -ge 1 ]; then
case $1 in
"all") salt-call state.highstate queue=True;;
"steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;;
"elastic-fleet") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply elasticfleet queue=True; fi ;;
*) if docker ps | grep -E -q '^so-$1$'; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;;
esac
else
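Review bot: `docker ps | grep -q so-$1` in the new `elastic-fleet` arm is an unanchored substring match over the whole `docker ps` output, so any running container whose name, image or command merely contains `so-elastic-fleet` would make the script report "already running" and skip `state.apply elasticfleet`. Restrict the check to exact container names, e.g. `if docker ps --format '{{.Names}}' | grep -qx 'so-elastic-fleet'; then`. The `*)` arm's `'^so-$1$'` is single-quoted, so `$1` is never expanded there; that line is unchanged by this commit but is the same class of bug and worth fixing alongside. The enclosing `case` starts before the hunk.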


@@ -1,11 +1,11 @@
{
"policy_id": "endpoints-initial",
"package": {
"name": "system",
"version": ""
},
"name": "system-endpoints",
"namespace": "default",
"policy_id": "endpoints-initial",
"inputs": {
"system-logfile": {
"enabled": true,
@@ -13,14 +13,9 @@
"system.auth": {
"enabled": true,
"vars": {
"ignore_older": "72h",
"paths": [
"/var/log/auth.log*",
"/var/log/secure*"
],
"preserve_original_event": false,
"tags": [
"system-auth"
]
}
},
@@ -30,47 +25,33 @@
"paths": [
"/var/log/messages*",
"/var/log/syslog*"
],
"tags": [],
"ignore_older": "72h"
]
}
}
}
},
"system-winlog": {
"enabled": true,
"vars": {
"preserve_original_event": false
},
"streams": {
"system.application": {
"enabled": true,
"vars": {
"preserve_original_event": false,
"ignore_older": "72h",
"language": 0,
"tags": []
}
},
"system.security": {
"enabled": true,
"vars": {
"preserve_original_event": false,
"ignore_older": "72h",
"language": 0,
"tags": []
}
},
"system.system": {
"enabled": true,
"vars": {
"preserve_original_event": false,
"ignore_older": "72h",
"language": 0,
"tags": []
}
}
}
},
"system-system/metrics": {
"enabled": false
}
},
"system-system/metrics": {
"enabled": false
}
}
}


@@ -1,11 +1,12 @@
{
"policy_id": "endpoints-initial",
"package": {
"name": "windows",
"version": ""
},
"name": "windows-endpoints",
"description": "",
"namespace": "default",
"policy_id": "endpoints-initial",
"inputs": {
"windows-winlog": {
"enabled": true,
@@ -13,47 +14,54 @@
"windows.forwarded": {
"enabled": true,
"vars": {
"preserve_original_event": false,
"ignore_older": "72h",
"language": 0,
"tags": [
"forwarded"
]
],
"preserve_original_event": false
}
},
"windows.powershell": {
"enabled": true,
"vars": {
"preserve_original_event": false,
"event_id": "400, 403, 600, 800",
"ignore_older": "72h",
"language": 0,
"tags": []
"tags": [],
"preserve_original_event": false
}
},
"windows.powershell_operational": {
"enabled": true,
"vars": {
"preserve_original_event": false,
"event_id": "4103, 4104, 4105, 4106",
"ignore_older": "72h",
"language": 0,
"tags": []
"tags": [],
"preserve_original_event": false
}
},
"windows.sysmon_operational": {
"enabled": true,
"vars": {
"preserve_original_event": false,
"ignore_older": "72h",
"language": 0,
"tags": []
"tags": [],
"preserve_original_event": false
}
}
}
},
"windows-windows/metrics": {
"enabled": false
"enabled": false,
"streams": {
"windows.perfmon": {
"enabled": false,
"vars": {
"perfmon.group_measurements_by_instance": false,
"perfmon.ignore_non_existent_counters": false,
"perfmon.queries": "- object: 'Process'\n instance: [\"*\"]\n counters:\n - name: '% Processor Time'\n field: cpu_perc\n format: \"float\"\n - name: \"Working Set\"\n",
"period": "10s"
}
},
"windows.service": {
"enabled": false,
"vars": {
"period": "60s"
}
}
}
}
}
}


@@ -1,11 +1,11 @@
{
"policy_id": "so-grid-nodes",
"package": {
"name": "system",
"version": ""
},
"name": "system-grid-nodes",
"namespace": "default",
"policy_id": "so-grid-nodes",
"inputs": {
"system-logfile": {
"enabled": true,
@@ -13,14 +13,9 @@
"system.auth": {
"enabled": true,
"vars": {
"ignore_older": "72h",
"paths": [
"/var/log/auth.log*",
"/var/log/secure*"
],
"preserve_original_event": false,
"tags": [
"system-auth"
]
}
},
@@ -30,9 +25,7 @@
"paths": [
"/var/log/messages*",
"/var/log/syslog*"
],
"tags": [],
"ignore_older": "72h"
]
}
}
}


@@ -10,7 +10,7 @@ append_so-elastic-fleet_so-status.conf:
file.append:
- name: /opt/so/conf/so-status/so-status.conf
- text: so-elastic-fleet
- unless: grep -q ^so-elastic-fleet$ /opt/so/conf/so-status/so-status.conf
- unless: grep -q so-elastic-fleet$ /opt/so/conf/so-status/so-status.conf
{% else %}
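Review bot: The `unless` condition now drops the `^` anchor, so any line that ends in `so-elastic-fleet` (one with a leading prefix, or a differently named service ending the same way) suppresses the append, while `- text: so-elastic-fleet` still writes the bare name. If an exact-line check is intended, `- unless: grep -qx so-elastic-fleet /opt/so/conf/so-status/so-status.conf` is both anchored and explicit; if a prefix is expected in so-status.conf, a comment above the state saying so would record why the anchor was removed.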


@@ -9,4 +9,4 @@
. /usr/sbin/so-common
/usr/sbin/so-restart elasticfleet $1
/usr/sbin/so-restart elastic-fleet $1


@@ -9,4 +9,4 @@
. /usr/sbin/so-common
/usr/sbin/so-start elasticfleet $1
/usr/sbin/so-start elastic-fleet $1


@@ -9,4 +9,4 @@
. /usr/sbin/so-common
/usr/sbin/so-stop elasticfleet $1
/usr/sbin/so-stop elastic-fleet $1


@@ -44,7 +44,7 @@ printf "\n\n"
### Create Policies & Associated Integration Configuration ###
# Manager Fleet Server Host
elastic_fleet_policy_create "FleetServer_{{ GLOBALS.hostname }}" "Fleet Server - {{ GLOBALS.hostname }}" "true" | jq
elastic_fleet_policy_create "FleetServer_{{ GLOBALS.hostname }}" "Fleet Server - {{ GLOBALS.hostname }}" "true" "120"
#Temp Fixup for ES Output bug
JSON_STRING=$( jq -n \
@@ -54,10 +54,10 @@ JSON_STRING=$( jq -n \
curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/FleetServer_{{ GLOBALS.hostname }}" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
# Initial Endpoints Policy
elastic_fleet_policy_create "endpoints-initial" "Initial Endpoint Policy" "false"
elastic_fleet_policy_create "endpoints-initial" "Initial Endpoint Policy" "false" "1209600"
# Grid Nodes Policy
elastic_fleet_policy_create "so-grid-nodes" "SO Grid Node Policy" "false"
elastic_fleet_policy_create "so-grid-nodes" "SO Grid Node Policy" "false" "1209600"
# Load Integrations for default policies
so-elastic-fleet-integration-policy-load
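Review bot: The new fourth argument is passed as bare literals (`"120"` for the Fleet Server policy, `"1209600"` for the endpoint and grid-node policies) with nothing saying what they mean, and the same literal `120` replaces `1209600` in `create_fleet_policy` in so-functions (the `@@ -375,7 +375,7 @@` hunk), so the value now lives in two places. A comment above the first call, `# inactivity_timeout: 120 for the manager Fleet Server policy, 1209600 (14 days if seconds) for agent policies; keep in sync with create_fleet_policy in so-functions`, would make the values reviewable, and a named variable for each would stop the copies drifting — the Fleet API field is presumably seconds, confirm. Dropping `| jq` on the FleetServer call also removes the only pretty-printed view of the API response; if that was debugging output, fine, otherwise the raw curl body now lands unformatted in the log.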


@@ -17,15 +17,15 @@ catrustdir:
{% if GLOBALS.is_manager %}
# We have to add the Manager CA to the CA list
cascriptsync:
catrustscript:
cmd.script:
- source: salt://elasticsearch/tools/sbin_jinja/so-catrust
- template: jinja
- cwd: /opt/so
- defaults:
GLOBALS: {{ GLOBALS }}
{% endif %}
{% if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-searchnode'] %}
cacertz:
file.managed:
- name: /opt/so/conf/ca/cacerts
@@ -39,7 +39,6 @@ capemz:
- source: salt://elasticsearch/tls-ca-bundle.pem
- user: 939
- group: 939
{% endif %}
{% else %}


@@ -370,6 +370,19 @@ firewall:
- elastic_agent_data
- elastic_agent_update
- localrules
fleet:
portgroups:
- elasticsearch_rest
- docker_registry
- influxdb
- sensoroni
- yum
- beats_5044
- beats_5644
- beats_5056
- elastic_agent_control
- elastic_agent_data
- elastic_agent_update
sensor:
portgroups:
- beats_5044
@@ -458,6 +471,9 @@ firewall:
dockernet:
portgroups:
- all
fleet:
portgroups:
- salt_manager
localhost:
portgroups:
- all
@@ -508,6 +524,19 @@ firewall:
- elastic_agent_data
- elastic_agent_update
- localrules
fleet:
portgroups:
- elasticsearch_rest
- docker_registry
- influxdb
- sensoroni
- yum
- beats_5044
- beats_5644
- beats_5056
- elastic_agent_control
- elastic_agent_data
- elastic_agent_update
sensor:
portgroups:
- beats_5044
@@ -594,6 +623,9 @@ firewall:
dockernet:
portgroups:
- all
fleet:
portgroups:
- salt_manager
localhost:
portgroups:
- all


@@ -21,11 +21,11 @@ logstash:
defined_pipelines:
fleet:
- so/0012_input_elastic_agent.conf
- so/9806_output_lumberjack_fleet.conf.jinja
- so/9806_output_http_fleet.conf.jinja
manager:
- so/0011_input_endgame.conf
- so/0012_input_elastic_agent.conf
- so/0013_input_lumberjack_fleet.conf
- so/0013_input_http_fleet.conf
- so/9999_output_redis.conf.jinja
receiver:
- so/0011_input_endgame.conf


@@ -10,4 +10,12 @@ input {
ssl_verify_mode => "peer"
ecs_compatibility => v8
}
}
filter {
if "elastic-agent" in [tags] {
mutate {
remove_field => ["http","[metadata][input]","url","user_agent"]
}
}
}
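Review bot: The new `filter` removes `http`, `url` and `user_agent` wholesale for every event tagged `elastic-agent`; those names are also ECS field sets that agent integrations populate from the source log (web-server, proxy, audit data), so if any such event arrives through this input its own `url.*` / `user_agent.*` content is dropped together with the transport metadata the `http` input adds. Consider removing only the subfields the input itself sets, or keeping the transport fields under `[@metadata]`, so source data survives; at minimum document the intent above the `mutate`, e.g. `# strip request metadata added by the http input so it does not overwrite ECS fields carried in the agent payload`. The `input { }` block starts before this hunk.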


@@ -375,7 +375,7 @@ function create_fleet_policy() {
JSON_STRING_UPDATE=$( jq -n \
--arg NAME "FleetServer_$LSHOSTNAME" \
--arg DESC "Fleet Server - $LSHOSTNAME" \
'{"name":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":1209600,"data_output_id":"so-manager_elasticsearch"}'
'{"name":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":120,"data_output_id":"so-manager_elasticsearch"}'
)
# Update Fleet Policy - ES Output


@@ -2,4 +2,4 @@
# When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions
salt:
master:
version: 3006.0rc3
version: 3006.1


@@ -2,6 +2,6 @@
# When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions
salt:
minion:
version: 3006.0rc3
version: 3006.1
check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default
service_start_delay: 30 # in seconds.


@@ -70,7 +70,7 @@ function manage_user() {
lastName=$(echo "$request" | jq -r .lastName)
note=$(echo "$request" | jq -r .note)
log "Performing user '$op' for user '$email' with firstname '$firstName', lastname '$lastName', note '$note' and role '$role'"
response=$(echo "$password" | so-user "$op" --email "$email" --firstName "$firstName" --lastName "$lastName" --note "$note" --role "$role" --skip-sync)
response=$(echo "$password" | $CMD_PREFIX so-user "$op" --email "$email" --firstName "$firstName" --lastName "$lastName" --note "$note" --role "$role" --skip-sync)
exit_code=$?
;;
add|enable|disable|delete)
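Review bot: `$CMD_PREFIX` is introduced unquoted and is not defined anywhere in this hunk; if it is meant to hold a command plus arguments the word-splitting is intentional and should be marked (`# shellcheck disable=SC2086 -- CMD_PREFIX may hold a command and its args`), and if it can be unset the line should read `${CMD_PREFIX:-}` so it stays safe under `set -u`. The rewritten line also still feeds the password through `echo "$password"`; `printf '%s\n' "$password"` avoids echo's option and escape handling on values such as `-n`. `manage_user` begins before this hunk.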


@@ -2,6 +2,36 @@ soc:
enabled:
description: You can enable or disable SOC.
advanced: True
files:
soc:
banner__md:
title: Login Banner
description: Customize the login page with a specific markdown-formatted message.
file: True
global: True
syntax: md
helpLink: soc-customization.html
motd__md:
title: Overview Page
description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the user's browser.
file: True
global: True
syntax: md
helpLink: soc-customization.html
custom__js:
title: Custom Javascript
description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades.
file: True
global: True
advanced: True
helpLink: soc-customization.html
custom_roles:
title: Custom Roles
description: Customize role and permission mappings. Changing this setting requires a complete understanding of the SOC RBAC system.
file: True
global: True
advanced: True
helpLink: soc-customization.html
config:
licenseKey:
title: License Key
@@ -12,36 +42,6 @@ soc:
description: The SOC log level, useful for enabling debug logging for advanced troubleshooting. Allowed values are debug, info, warn, error. The SOC log is available at /opt/so/log/soc/sensoroni-server.log.
global: True
regex: ^(info|debug|warn|error)$
files:
soc:
banner__md:
title: Login Banner
description: Customize the login page with a specific markdown-formatted message.
file: True
global: True
syntax: md
helpLink: soc-customization.html
motd__md:
title: Overview Page
description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the user's browser.
file: True
global: True
syntax: md
helpLink: soc-customization.html
custom__js:
title: Custom Javascript
description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades.
file: True
global: True
advanced: True
helpLink: soc-customization.html
custom_roles:
title: Custom Roles
description: Customize role and permission mappings. Changing this setting requires a complete understanding of the SOC RBAC system.
file: True
global: True
advanced: True
helpLink: soc-customization.html
actions:
description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
global: True


@@ -399,6 +399,11 @@ collect_mngr_hostname() {
done
else
MSRVIP=$(getent hosts "$MSRV" | awk 'NR==1{print $1}')
whiptail_manager_ip "$MSRVIP"
while ! valid_ip4 "$MSRVIP" || [[ $MSRVIP == "$MAINIP" || $MSRVIP == "127.0.0.1" ]]; do
whiptail_invalid_input
whiptail_manager_ip "$MSRVIP"
done
fi
}
@@ -2000,6 +2005,7 @@ repo_sync_local() {
}
saltify() {
SALTVERSION=$(egrep 'version: [0-9]{4}' ../salt/salt/master.defaults.yaml | sed 's/^.*version: //')
if [[ $is_ubuntu ]]; then
DEBIAN_FRONTEND=noninteractive retry 150 20 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || exit 1
@@ -2020,8 +2026,8 @@ saltify() {
#logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt/SALTSTACK-GPG-KEY.pub"
logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg"
logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/3006.0rc3/SALT-PROJECT-GPG-PUBKEY-2023.gpg"
echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/3006.0rc3/ focal main" | sudo tee /etc/apt/sources.list.d/salt.list
logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/$SALTVERSION/SALT-PROJECT-GPG-PUBKEY-2023.gpg"
echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/$SALTVERSION/ focal main" | sudo tee /etc/apt/sources.list.d/salt.list
logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.gpg"
#logCmd "apt-key add /opt/so/gpg/SALTSTACK-GPG-KEY.pub"
@@ -2036,7 +2042,7 @@ saltify() {
# Ain't nothing but a GPG
retry 150 20 "apt-get update" "" "Err:" || exit 1
retry 150 20 "apt-get -y install salt-common salt-minion" || exit 1
retry 150 20 "apt-get -y install salt-common-$SALTVERSION salt-minion-$SALTVERSION" || exit 1
retry 150 20 "apt-mark hold salt-minion salt-common" || exit 1
#retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" || exit 1
@@ -2045,10 +2051,10 @@ saltify() {
if [[ $is_rocky ]]; then
if [[ $waitforstate ]]; then
# install all for a manager
logCmd "dnf -y install salt salt-master salt-minion"
logCmd "dnf -y install salt-$SALTVERSION salt-master-$SALTVERSION salt-minion-$SALTVERSION"
else
# We just need the minion
logCmd "dnf -y install salt salt-minion"
logCmd "dnf -y install salt-$SALTVERSION salt-minion-$SALTVERSION"
fi
fi
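Review bot: In `saltify`, `SALTVERSION=$(egrep 'version: [0-9]{4}' ../salt/salt/master.defaults.yaml | sed 's/^.*version: //')` has no check that exactly one value was found: an empty or multi-line result is interpolated straight into `salt-common-$SALTVERSION`, the repo URL and the `dnf` package names, and `egrep` is deprecated in favour of `grep -E`. Follow the assignment with `[[ $SALTVERSION =~ ^[0-9]{4}(\.[0-9]+)*$ ]] || { echo "could not determine salt version from master.defaults.yaml" >> "$setup_log"; exit 1; }` (or at least `grep -Em1`). Two related loose ends: the new `curl`/`echo` lines still point at `salt_rc/.../minor/$SALTVERSION/` although the version is now the non-RC `3006.1`, so confirm that path actually serves it; and the header comment in master.defaults.yaml and minion.defaults.yaml still tells maintainers to update the version in `saltify` by hand, which this change makes stale.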


@@ -501,7 +501,7 @@ if ! [[ -f $install_opt_file ]]; then
elif [[ $is_import ]]; then
waitforstate=true
monints=true
monints=false
[[ $is_iso ]] && whiptail_airgap
check_elastic_license
check_requirements "import"