From 9871ecd2235e298792cfd35acb8ae3cf43daca8d Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 16 May 2023 10:14:31 -0400 Subject: [PATCH 01/19] import installs do not use monitor ifaces --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 6051ba742..b43f43e14 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -501,7 +501,7 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_import ]]; then waitforstate=true - monints=true + monints=false [[ $is_iso ]] && whiptail_airgap check_elastic_license check_requirements "import" From acc761902364092af8b4a7d93493db34df7b88f3 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 16 May 2023 12:04:02 -0400 Subject: [PATCH 02/19] salt 3006.1 --- salt/salt/master.defaults.yaml | 2 +- salt/salt/minion.defaults.yaml | 2 +- setup/so-functions | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml index dac0e6e5c..126039802 100644 --- a/salt/salt/master.defaults.yaml +++ b/salt/salt/master.defaults.yaml @@ -2,4 +2,4 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: master: - version: 3006.0rc3 + version: 3006.1 diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml index 88a2435ca..7e1540d17 100644 --- a/salt/salt/minion.defaults.yaml +++ b/salt/salt/minion.defaults.yaml @@ -2,6 +2,6 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: minion: - version: 3006.0rc3 + version: 3006.1 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default service_start_delay: 30 # in seconds. 
diff --git a/setup/so-functions b/setup/so-functions index 0bad00cbc..d6439c0fb 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2020,8 +2020,8 @@ saltify() { #logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt/SALTSTACK-GPG-KEY.pub" logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg" - logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/3006.0rc3/SALT-PROJECT-GPG-PUBKEY-2023.gpg" - echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/3006.0rc3/ focal main" | sudo tee /etc/apt/sources.list.d/salt.list + logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/3006.1/SALT-PROJECT-GPG-PUBKEY-2023.gpg" + echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/3006.1/ focal main" | sudo tee /etc/apt/sources.list.d/salt.list logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.gpg" #logCmd "apt-key add /opt/so/gpg/SALTSTACK-GPG-KEY.pub" From 2419fa43b65dc369ec3955fd02b062e965c94ea6 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 16 May 2023 12:08:44 -0400 Subject: [PATCH 03/19] cwd for catrustscript --- salt/elasticsearch/ca.sls | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/ca.sls b/salt/elasticsearch/ca.sls index 7d7f1bdfb..49eb44a94 100644 --- a/salt/elasticsearch/ca.sls +++ b/salt/elasticsearch/ca.sls 
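Review bot: The keyring download and the `deb` line still point at the `salt_rc` tree of repo.saltproject.io while the version moves from the release candidate 3006.0rc3 to 3006.1; release builds are normally published under the sibling `salt/` tree, so verify that 3006.1 really exists under `salt_rc`, otherwise the `curl -fsSL` fails and `apt-get update` sees an empty repository. Patch 05 rewrites the same two lines with `$SALTVERSION` and inherits the path. The `echo ... | sudo tee /etc/apt/sources.list.d/salt.list` is the only command in this block that neither goes through `logCmd` nor has a failure check, so a failed write leaves no trace in the setup log; wrap it in `logCmd` or append `|| exit 1` like the neighbouring lines. saltify() continues outside the hunk.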
@@ -17,10 +17,11 @@ catrustdir: {% if GLOBALS.is_manager %} # We have to add the Manager CA to the CA list -cascriptsync: +catrustscript: cmd.script: - source: salt://elasticsearch/tools/sbin_jinja/so-catrust - template: jinja + - cwd: /opt/so - defaults: GLOBALS: {{ GLOBALS }} {% endif %} From 000507c3664ad6160ff7f543ecb7cb7d81c3fa2a Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 16 May 2023 12:50:40 -0400 Subject: [PATCH 04/19] Update Integrations --- .../endpoints-initial/system-endpoints.json | 37 ++++---------- .../endpoints-initial/windows-endpoints.json | 48 +++++++++++-------- .../grid-nodes/system-grid-nodes.json | 11 +---- 3 files changed, 39 insertions(+), 57 deletions(-) diff --git a/salt/elasticfleet/files/integrations/endpoints-initial/system-endpoints.json b/salt/elasticfleet/files/integrations/endpoints-initial/system-endpoints.json index 1ba9a3347..a5890794a 100644 --- a/salt/elasticfleet/files/integrations/endpoints-initial/system-endpoints.json +++ b/salt/elasticfleet/files/integrations/endpoints-initial/system-endpoints.json @@ -1,11 +1,11 @@ { + "policy_id": "endpoints-initial", "package": { "name": "system", "version": "" }, "name": "system-endpoints", "namespace": "default", - "policy_id": "endpoints-initial", "inputs": { "system-logfile": { "enabled": true, @@ -13,14 +13,9 @@ "system.auth": { "enabled": true, "vars": { - "ignore_older": "72h", "paths": [ "/var/log/auth.log*", "/var/log/secure*" - ], - "preserve_original_event": false, - "tags": [ - "system-auth" ] } }, 
@@ -30,47 +25,33 @@
 "paths": [
 "/var/log/messages*",
 "/var/log/syslog*"
- ],
- "tags": [],
- "ignore_older": "72h"
+ ]
 }
 }
 }
 },
 "system-winlog": {
 "enabled": true,
+ "vars": {
+ "preserve_original_event": false
+ },
 "streams": {
 "system.application": {
 "enabled": true,
 "vars": {
- "preserve_original_event": false,
- "ignore_older": "72h",
- "language": 0,
 "tags": []
 }
 },
 "system.security": {
 "enabled": true,
 "vars": {
- "preserve_original_event": false,
- "ignore_older": "72h",
- "language": 0,
- "tags": []
- }
- },
- "system.system": {
- "enabled": true,
- "vars": {
- "preserve_original_event": false,
- "ignore_older": "72h",
- "language": 0,
 "tags": []
 }
 }
- }
- },
- "system-system/metrics": {
- "enabled": false
+ }
+ },
+ "system-system/metrics": {
+ "enabled": false
 }
 }
 }
diff --git a/salt/elasticfleet/files/integrations/endpoints-initial/windows-endpoints.json b/salt/elasticfleet/files/integrations/endpoints-initial/windows-endpoints.json
index 0f2787b9e..b17986a53 100644
--- a/salt/elasticfleet/files/integrations/endpoints-initial/windows-endpoints.json
+++ b/salt/elasticfleet/files/integrations/endpoints-initial/windows-endpoints.json
@@ -1,11 +1,12 @@
 {
+ "policy_id": "endpoints-initial",
 "package": {
 "name": "windows",
 "version": ""
 },
 "name": "windows-endpoints",
+ "description": "",
 "namespace": "default",
- "policy_id": "endpoints-initial",
 "inputs": {
 "windows-winlog": {
 "enabled": true,
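Review bot: Dropping the whole `system.system` stream from `system-winlog` removes Windows System-channel collection from the endpoints-initial policy; service installation and service/driver state changes are written to that channel, so unless another integration in this policy still reads it this is a visibility gap on enrolled Windows hosts, and the commit message ("Update Integrations") does not say whether that is intended. Removing `ignore_older: 72h` from `system.syslog` here and from `system.auth` in the hunk above also means a freshly enrolled Linux host back-fills every rotated `/var/log/auth.log*`, `/var/log/secure*`, `/var/log/messages*` and `/var/log/syslog*` file instead of only those modified in the last 72 hours. If the ingest burst is acceptable, a sentence in the commit body would save the next reader the same question.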
@@ -13,47 +14,54 @@
 "windows.forwarded": {
 "enabled": true,
 "vars": {
- "preserve_original_event": false,
- "ignore_older": "72h",
- "language": 0,
 "tags": [
 "forwarded"
- ]
+ ],
+ "preserve_original_event": false
 }
 },
 "windows.powershell": {
 "enabled": true,
 "vars": {
- "preserve_original_event": false,
- "event_id": "400, 403, 600, 800",
- "ignore_older": "72h",
- "language": 0,
- "tags": []
+ "tags": [],
+ "preserve_original_event": false
 }
 },
 "windows.powershell_operational": {
 "enabled": true,
 "vars": {
- "preserve_original_event": false,
- "event_id": "4103, 4104, 4105, 4106",
- "ignore_older": "72h",
- "language": 0,
- "tags": []
+ "tags": [],
+ "preserve_original_event": false
 }
 },
 "windows.sysmon_operational": {
 "enabled": true,
 "vars": {
- "preserve_original_event": false,
- "ignore_older": "72h",
- "language": 0,
- "tags": []
+ "tags": [],
+ "preserve_original_event": false
 }
 }
 }
 },
 "windows-windows/metrics": {
- "enabled": false
+ "enabled": false,
+ "streams": {
+ "windows.perfmon": {
+ "enabled": false,
+ "vars": {
+ "perfmon.group_measurements_by_instance": false,
+ "perfmon.ignore_non_existent_counters": false,
+ "perfmon.queries": "- object: 'Process'\n instance: [\"*\"]\n counters:\n - name: '% Processor Time'\n field: cpu_perc\n format: \"float\"\n - name: \"Working Set\"\n",
+ "period": "10s"
+ }
+ },
+ "windows.service": {
+ "enabled": false,
+ "vars": {
+ "period": "60s"
+ }
+ }
+ }
 }
 }
 }
diff --git a/salt/elasticfleet/files/integrations/grid-nodes/system-grid-nodes.json b/salt/elasticfleet/files/integrations/grid-nodes/system-grid-nodes.json
index a29553393..3c10227ca 100644
--- a/salt/elasticfleet/files/integrations/grid-nodes/system-grid-nodes.json
+++ b/salt/elasticfleet/files/integrations/grid-nodes/system-grid-nodes.json
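Review bot: Removing the `event_id` filters on `windows.powershell` (400, 403, 600, 800) and `windows.powershell_operational` (4103, 4104, 4105, 4106) widens collection to every event in those channels; the dropped IDs are the script-block and module-logging events detection content keys on, so coverage is kept, but per-host volume rises and the commit does not say whether the integration's own defaults are now trusted to filter. `preserve_original_event` is set per stream in this file but was hoisted to the input-level `vars` in system-endpoints.json in the same commit; picking one placement for both files keeps them comparable. As with the system integration, dropping `ignore_older: 72h` means historical events in these channels are ingested at enrollment rather than only the last 72 hours.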
@@ -1,11 +1,11 @@ { + "policy_id": "so-grid-nodes", "package": { "name": "system", "version": "" }, "name": "system-grid-nodes", "namespace": "default", - "policy_id": "so-grid-nodes", "inputs": { "system-logfile": { "enabled": true, @@ -13,14 +13,9 @@ "system.auth": { "enabled": true, "vars": { - "ignore_older": "72h", "paths": [ "/var/log/auth.log*", "/var/log/secure*" - ], - "preserve_original_event": false, - "tags": [ - "system-auth" ] } }, @@ -30,9 +25,7 @@ "paths": [ "/var/log/messages*", "/var/log/syslog*" - ], - "tags": [], - "ignore_older": "72h" + ] } } } From e4b61aa08d7b7af5b5cfc405d42e862f50145c77 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 16 May 2023 14:28:57 -0400 Subject: [PATCH 05/19] specify salt version to install during setup --- setup/so-functions | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index d6439c0fb..9a4be972d 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2000,6 +2000,7 @@ repo_sync_local() { } saltify() { + SALTVERSION=$(egrep 'version: [0-9]{4}' /opt/so/saltstack/default/salt/salt/master.defaults.yaml | sed 's/^.*version: //') if [[ $is_ubuntu ]]; then DEBIAN_FRONTEND=noninteractive retry 150 20 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || exit 1 
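Review bot: `SALTVERSION` is spliced into repository URLs and package names further down saltify() with no check that the `egrep | sed` pipeline produced anything; if `/opt/so/saltstack/default/salt/salt/master.defaults.yaml` is absent or the `version:` line changes shape, the variable is empty and the later `apt-get`/`dnf` lines are handed bare names such as `salt-common-` and fail with an unhelpful error. Add `[[ -n $SALTVERSION ]] || { echo "could not determine salt version" >> "$setup_log"; exit 1; }` directly after the assignment, and prefer `grep -E` since `egrep` is a deprecation-warning wrapper in current GNU grep. Patch 07 (hunk `@@ -2000,7 +2000,7`) changes the read to the relative path `../salt/salt/master.defaults.yaml`, which ties it to whatever directory setup is launched from; resolving it against the script's own location (`$(dirname "$0")`) would be safer. saltify() continues outside the hunk.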
@@ -2020,8 +2021,8 @@ saltify() { #logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt/SALTSTACK-GPG-KEY.pub" logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg" - logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/3006.1/SALT-PROJECT-GPG-PUBKEY-2023.gpg" - echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/3006.1/ focal main" | sudo tee /etc/apt/sources.list.d/salt.list + logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/$SALTVERSION/SALT-PROJECT-GPG-PUBKEY-2023.gpg" + echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/$SALTVERSION/ focal main" | sudo tee /etc/apt/sources.list.d/salt.list logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.gpg" #logCmd "apt-key add /opt/so/gpg/SALTSTACK-GPG-KEY.pub" @@ -2036,7 +2037,7 @@ saltify() { # Ain't nothing but a GPG retry 150 20 "apt-get update" "" "Err:" || exit 1 - retry 150 20 "apt-get -y install salt-common salt-minion" || exit 1 + retry 150 20 "apt-get -y install salt-common-$SALTVERSION salt-minion-$SALTVERSION" || exit 1 retry 150 20 "apt-mark hold salt-minion salt-common" || exit 1 #retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" || exit 1 
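Review bot: `apt-get -y install salt-common-$SALTVERSION salt-minion-$SALTVERSION` asks apt for packages named `salt-common-3006.1`; apt pins a version with `name=version`, so unless the Salt repository really ships packages under those names this line fails and the `|| exit 1` aborts Ubuntu setups. The dnf form `salt-$SALTVERSION` in the next hunk is valid name-version syntax, which is probably where the pattern was copied from. Change the Debian line to `retry 150 20 "apt-get -y install salt-common=$SALTVERSION salt-minion=$SALTVERSION" || exit 1`, adjusting the match if the repository's package version carries a Debian revision suffix. The keyring and `deb` lines above keep the `salt_rc` path raised on the earlier hunk. saltify() continues outside the hunk.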
@@ -2045,10 +2046,10 @@ saltify() { if [[ $is_rocky ]]; then if [[ $waitforstate ]]; then # install all for a manager - logCmd "dnf -y install salt salt-master salt-minion" + logCmd "dnf -y install salt-$SALTVERSION salt-master-$SALTVERSION salt-minion-$SALTVERSION" else # We just need the minion - logCmd "dnf -y install salt salt-minion" + logCmd "dnf -y install salt-$SALTVERSION salt-minion-$SALTVERSION" fi fi From 77834c1e58f79e7cc524ab48d6cac3263a6af145 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 16 May 2023 15:05:14 -0400 Subject: [PATCH 06/19] fix grep logic for so-elastic-fleet sostatus.sls --- salt/elasticfleet/sostatus.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticfleet/sostatus.sls b/salt/elasticfleet/sostatus.sls index 392733a4c..b5bed5629 100644 --- a/salt/elasticfleet/sostatus.sls +++ b/salt/elasticfleet/sostatus.sls @@ -10,7 +10,7 @@ append_so-elastic-fleet_so-status.conf: file.append: - name: /opt/so/conf/so-status/so-status.conf - text: so-elastic-fleet - - unless: grep -q ^so-elastic-fleet$ /opt/so/conf/so-status/so-status.conf + - unless: grep -q so-elastic-fleet$ /opt/so/conf/so-status/so-status.conf {% else %} From 3abb4d79bacd3e4dcc5f6597e54bb5c43968c915 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 16 May 2023 16:07:06 -0400 Subject: [PATCH 07/19] change path where SALTVERSION is pulled from --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 9a4be972d..9dd1b7713 100755 --- a/setup/so-functions +++ b/setup/so-functions 
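Review bot: Dropping the `^` anchor from `grep -q so-elastic-fleet$` makes the `unless` guard match any line that ends in `so-elastic-fleet`, not only the exact entry, so a future `foo-so-elastic-fleet` line in so-status.conf would silently suppress the append. If the motivation is leading whitespace in the file (the commit message only says "fix grep logic"), `grep -qE '^\s*so-elastic-fleet$'` keeps the anchor and tolerates indentation, and `grep -qx so-elastic-fleet` is the exact-line form. Either way a short comment above the `unless` stating what the file is expected to contain would make the regex reviewable.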
@@ -2000,7 +2000,7 @@ repo_sync_local() { } saltify() { - SALTVERSION=$(egrep 'version: [0-9]{4}' /opt/so/saltstack/default/salt/salt/master.defaults.yaml | sed 's/^.*version: //') + SALTVERSION=$(egrep 'version: [0-9]{4}' ../salt/salt/master.defaults.yaml | sed 's/^.*version: //') if [[ $is_ubuntu ]]; then DEBIAN_FRONTEND=noninteractive retry 150 20 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || exit 1 From 24445cf36a5e300df254591303ab06c67e06b228 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 16 May 2023 16:43:21 -0400 Subject: [PATCH 08/19] Rename Fleet pipelines --- salt/logstash/defaults.yaml | 4 ++-- ...input_lumberjack_fleet.conf => 0013_input_http_fleet.conf} | 0 ...ack_fleet.conf.jinja => 9806_output_http_fleet.conf.jinja} | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename salt/logstash/pipelines/config/so/{0013_input_lumberjack_fleet.conf => 0013_input_http_fleet.conf} (100%) rename salt/logstash/pipelines/config/so/{9806_output_lumberjack_fleet.conf.jinja => 9806_output_http_fleet.conf.jinja} (100%) diff --git a/salt/logstash/defaults.yaml b/salt/logstash/defaults.yaml index 790ab0f3b..a273476e1 100644 --- a/salt/logstash/defaults.yaml +++ b/salt/logstash/defaults.yaml @@ -21,11 +21,11 @@ logstash: defined_pipelines: fleet: - so/0012_input_elastic_agent.conf - - so/9806_output_lumberjack_fleet.conf.jinja + - so/9806_output_http_fleet.conf.jinja manager: - so/0011_input_endgame.conf - so/0012_input_elastic_agent.conf - - so/0013_input_lumberjack_fleet.conf + - so/0013_input_http_fleet.conf - so/9999_output_redis.conf.jinja receiver: - so/0011_input_endgame.conf 
diff --git a/salt/logstash/pipelines/config/so/0013_input_lumberjack_fleet.conf b/salt/logstash/pipelines/config/so/0013_input_http_fleet.conf
similarity index 100%
rename from salt/logstash/pipelines/config/so/0013_input_lumberjack_fleet.conf
rename to salt/logstash/pipelines/config/so/0013_input_http_fleet.conf
diff --git a/salt/logstash/pipelines/config/so/9806_output_lumberjack_fleet.conf.jinja b/salt/logstash/pipelines/config/so/9806_output_http_fleet.conf.jinja
similarity index 100%
rename from salt/logstash/pipelines/config/so/9806_output_lumberjack_fleet.conf.jinja
rename to salt/logstash/pipelines/config/so/9806_output_http_fleet.conf.jinja

From 5536f5a8c2cc6e004d2a0c106fecf43470f428c2 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 17 May 2023 09:32:20 -0400
Subject: [PATCH 09/19] Add Fleet node to other roles

---
 salt/firewall/defaults.yaml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml
index ee54f0c1f..176d12ec2 100644
--- a/salt/firewall/defaults.yaml
+++ b/salt/firewall/defaults.yaml
@@ -370,6 +370,19 @@ firewall:
 - elastic_agent_data
 - elastic_agent_update
 - localrules
+ fleet:
+ portgroups:
+ - elasticsearch_rest
+ - docker_registry
+ - influxdb
+ - sensoroni
+ - yum
+ - beats_5044
+ - beats_5644
+ - beats_5056
+ - elastic_agent_control
+ - elastic_agent_data
+ - elastic_agent_update
 sensor:
 portgroups:
 - beats_5044
@@ -458,6 +471,9 @@ firewall:
 dockernet:
 portgroups:
 - all
+ fleet:
+ portgroups:
+ - salt_manager
 localhost:
 portgroups:
 - all
@@ -508,6 +524,19 @@ firewall:
 - elastic_agent_data
 - elastic_agent_update
 - localrules
+ fleet:
+ portgroups:
+ - elasticsearch_rest
+ - docker_registry
+ - influxdb
+ - sensoroni
+ - yum
+ - beats_5044
+ - beats_5644
+ - beats_5056
+ - elastic_agent_control
+ - elastic_agent_data
+ - elastic_agent_update
 sensor:
 portgroups:
 - beats_5044
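Review bot: The eleven-entry `fleet: portgroups:` list is pasted identically into two sections of this file (the hunks at `@@ -370` and `@@ -508`), and the three-entry `fleet: portgroups: - salt_manager` block is likewise duplicated at `@@ -458` and, in the next chunk, `@@ -594`. If the two sections are meant to stay in lockstep, a YAML anchor on the first copy and an alias on the second removes the drift risk; if they are meant to diverge per role, a one-line comment above each saying so stops the next editor from "fixing" one copy to match the other. Which of the two is intended cannot be told from the hunk.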
@@ -594,6 +623,9 @@ firewall: dockernet: portgroups: - all + fleet: + portgroups: + - salt_manager localhost: portgroups: - all From 7d0251952c15cf67ab99a47ee66e6a0ecbfbfcad Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 17 May 2023 11:06:16 -0400 Subject: [PATCH 10/19] Filter out uneeded Logstash metadata --- .../pipelines/config/so/0013_input_http_fleet.conf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/logstash/pipelines/config/so/0013_input_http_fleet.conf b/salt/logstash/pipelines/config/so/0013_input_http_fleet.conf index 894ecddb2..f3257eb20 100644 --- a/salt/logstash/pipelines/config/so/0013_input_http_fleet.conf +++ b/salt/logstash/pipelines/config/so/0013_input_http_fleet.conf @@ -10,4 +10,12 @@ input { ssl_verify_mode => "peer" ecs_compatibility => v8 } +} + +filter { + if "elastic-agent" in [tags] { + mutate { + remove_field => ["http","[metadata][input]","url","user_agent"] +} + } } \ No newline at end of file From 47e67fda46ac1a226372394f3b3af32993068ce5 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 17 May 2023 15:37:39 -0400 Subject: [PATCH 11/19] Rework restart scripts for Elastic Fleet --- salt/common/tools/sbin/so-restart | 1 + salt/common/tools/sbin/so-start | 1 + salt/elasticfleet/tools/sbin/so-elastic-fleet-restart | 2 +- salt/elasticfleet/tools/sbin/so-elastic-fleet-start | 2 +- salt/elasticfleet/tools/sbin/so-elastic-fleet-stop | 2 +- 5 files changed, 5 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-restart b/salt/common/tools/sbin/so-restart index dfedf290b..8f73faee1 100755 --- a/salt/common/tools/sbin/so-restart +++ b/salt/common/tools/sbin/so-restart 
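Review bot: The closing braces of the new `filter` block are mis-nested for the reader — the `}` that closes `mutate` sits at column 0 while the `if` block's `}` is indented — so the file parses but looks as though `mutate` closes the whole filter; re-indent as `if ... {` / `mutate {` / `remove_field => [...]` / `}` / `}` / `}` with one level per brace. The hunk also keeps the file without a trailing newline (`\ No newline at end of file`) although it rewrites the last line. `[metadata][input]` in `remove_field` is worth a second look: the http input in ECS mode stores its request data under `@metadata`, which is never emitted to outputs, so if that is what was meant the entry is a no-op, and if the agent itself sends a `metadata.input` field a comment naming the source would help. The enclosing `input { ... }` block starts outside the hunk.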
@@ -24,6 +24,7 @@ if [ $# -ge 1 ]; then case $1 in "steno") docker stop so-steno && docker rm so-steno && salt-call state.apply pcap queue=True;; + "elastic-fleet") docker stop so-elastic-fleet && docker rm so-elastic-fleet && salt-call state.apply elasticfleet queue=True;; *) docker stop so-$1 ; docker rm so-$1 ; salt-call state.apply $1 queue=True;; esac else diff --git a/salt/common/tools/sbin/so-start b/salt/common/tools/sbin/so-start index fbf3e4300..b0d5780e2 100755 --- a/salt/common/tools/sbin/so-start +++ b/salt/common/tools/sbin/so-start @@ -24,6 +24,7 @@ if [ $# -ge 1 ]; then case $1 in "all") salt-call state.highstate queue=True;; "steno") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply pcap queue=True; fi ;; + "elastic-fleet") if docker ps | grep -q so-$1; then printf "\n$1 is already running!\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply elasticfleet queue=True; fi ;; *) if docker ps | grep -E -q '^so-$1$'; then printf "\n$1 is already running\n\n"; else docker rm so-$1 >/dev/null 2>&1 ; salt-call state.apply $1 queue=True; fi ;; esac else diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-restart b/salt/elasticfleet/tools/sbin/so-elastic-fleet-restart index 6d4ac36c6..e3c38b409 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-restart +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-restart @@ -9,4 +9,4 @@ . /usr/sbin/so-common -/usr/sbin/so-restart elasticfleet $1 +/usr/sbin/so-restart elastic-fleet $1 diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-start b/salt/elasticfleet/tools/sbin/so-elastic-fleet-start index 2f58307a6..5ae7d21a1 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-start +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-start @@ -9,4 +9,4 @@ . /usr/sbin/so-common -/usr/sbin/so-start elasticfleet $1 +/usr/sbin/so-start elastic-fleet $1 
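Review bot: The new `"elastic-fleet")` case in so-start tests `docker ps | grep -q so-$1`, an unanchored substring match copied from the `"steno")` line, so any other container whose name, image or command merely contains `so-elastic-fleet` makes so-start print `elastic-fleet is already running!` and return without applying the state. Use an exact name check instead: `if docker ps --format '{{.Names}}' | grep -qx "so-$1"; then`. The so-restart case above it does not have this problem because it stops the container by exact name. The enclosing `case` starts and the `if` block ends outside the hunk.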
diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-stop b/salt/elasticfleet/tools/sbin/so-elastic-fleet-stop index 234706bc9..f3fc3b923 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-stop +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-stop @@ -9,4 +9,4 @@ . /usr/sbin/so-common -/usr/sbin/so-stop elasticfleet $1 +/usr/sbin/so-stop elastic-fleet $1 From f7ddf57f39c1a5fb5a6063b055bfb640e3836bd7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 17 May 2023 15:49:22 -0400 Subject: [PATCH 12/19] move files out of config --- salt/soc/soc_soc.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 6551b632b..e0835937c 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -2,16 +2,6 @@ soc: enabled: description: You can enable or disable SOC. advanced: True - config: - licenseKey: - title: License Key - description: Optional Security Onion license key to unlock enterprise features. - global: True - logLevel: - title: Log Level - description: The SOC log level, useful for enabling debug logging for advanced troubleshooting. Allowed values are debug, info, warn, error. The SOC log is available at /opt/so/log/soc/sensoroni-server.log. - global: True - regex: ^(info|debug|warn|error)$ files: soc: banner__md: 
@@ -42,6 +32,16 @@ soc:
 global: True
 advanced: True
 helpLink: soc-customization.html
+ config:
+ licenseKey:
+ title: License Key
+ description: Optional Security Onion license key to unlock enterprise features.
+ global: True
+ logLevel:
+ title: Log Level
+ description: The SOC log level, useful for enabling debug logging for advanced troubleshooting. Allowed values are debug, info, warn, error. The SOC log is available at /opt/so/log/soc/sensoroni-server.log.
+ global: True
+ regex: ^(info|debug|warn|error)$
 actions:
 description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action.
 global: True

From e15c14cc2e8ce186b0dd3dae7b4e0dc493715ab3 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 17 May 2023 15:50:31 -0400
Subject: [PATCH 13/19] fix indent

---
 salt/soc/soc_soc.yaml | 60 +++++++++++++++++++++----------------------
 1 file changed, 30 insertions(+), 30 deletions(-)

diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index e0835937c..d3a94691e 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -2,36 +2,36 @@ soc: enabled: description: You can enable or disable SOC. advanced: True - files: - soc: - banner__md: - title: Login Banner - description: Customize the login page with a specific markdown-formatted message. - file: True - global: True - syntax: md - helpLink: soc-customization.html - motd__md: - title: Overview Page - description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the user's browser. - file: True - global: True - syntax: md - helpLink: soc-customization.html - custom__js: - title: Custom Javascript - description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades. - file: True - global: True - advanced: True - helpLink: soc-customization.html - custom_roles: - title: Custom Roles - description: Customize role and permission mappings. Changing this setting requires a complete understanding of the SOC RBAC system. - file: True - global: True - advanced: True - helpLink: soc-customization.html + files: + soc: + banner__md: + title: Login Banner + description: Customize the login page with a specific markdown-formatted message. + file: True + global: True + syntax: md + helpLink: soc-customization.html + motd__md: + title: Overview Page + description: Customize the overview page with specific markdown-formatted content. Images can be used but must be hosted from another host that is accessible by the user's browser. + file: True + global: True + syntax: md + helpLink: soc-customization.html + custom__js: + title: Custom Javascript + description: Customize SOC UI behavior with custom Javascript code. Custom Javascript not provided by Security Onion Solutions is unsupported, and should be removed prior to requesting support and prior to performing upgrades. 
+ file: True + global: True + advanced: True + helpLink: soc-customization.html + custom_roles: + title: Custom Roles + description: Customize role and permission mappings. Changing this setting requires a complete understanding of the SOC RBAC system. + file: True + global: True + advanced: True + helpLink: soc-customization.html config: licenseKey: title: License Key From 901e3c4a20b4225958dd25ad7282ece950a24d66 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 17 May 2023 16:07:59 -0400 Subject: [PATCH 14/19] Set Fleet Host timeouts to 120 seconds --- salt/common/tools/sbin/so-common | 4 +++- salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup | 6 +++--- salt/manager/tools/sbin/so-minion | 2 +- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 5419b17b2..ddb85f654 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -172,12 +172,14 @@ elastic_fleet_policy_create() { NAME=$1 DESC=$2 FLEETSERVER=$3 + TIMEOUT=$4 JSON_STRING=$( jq -n \ --arg NAME "$NAME" \ --arg DESC "$DESC" \ + --arg TIMEOUT $TIMEOUT \ --arg FLEETSERVER "$FLEETSERVER" \ - '{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":1209600,"has_fleet_server":$FLEETSERVER}' + '{"name": $NAME,"id":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":$TIMEOUT,"has_fleet_server":$FLEETSERVER}' ) # Create Fleet Policy curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/agent_policies" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup index 7c5db70f7..6ad97a223 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup 
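Review bot: `--arg TIMEOUT $TIMEOUT` binds the value as a JSON string, so the policy body now carries `"inactivity_timeout":"120"` where the old literal produced the number `1209600`; Kibana's agent-policy schema expects a number, so the create call can start being rejected (or coerced, depending on version) for every caller of elastic_fleet_policy_create. Use `--argjson TIMEOUT "$TIMEOUT"` so the value stays numeric, and quote it so an empty fourth argument fails loudly inside jq instead of shifting the remaining `--arg` pairs. The callers updated in this commit all pass the new argument, but a default such as `TIMEOUT=${4:-1209600}` would keep any caller outside this patch working. The function's closing brace is outside the hunk.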
+++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup @@ -44,7 +44,7 @@ printf "\n\n" ### Create Policies & Associated Integration Configuration ### # Manager Fleet Server Host -elastic_fleet_policy_create "FleetServer_{{ GLOBALS.hostname }}" "Fleet Server - {{ GLOBALS.hostname }}" "true" | jq +elastic_fleet_policy_create "FleetServer_{{ GLOBALS.hostname }}" "Fleet Server - {{ GLOBALS.hostname }}" "true" "120" #Temp Fixup for ES Output bug JSON_STRING=$( jq -n \ @@ -54,10 +54,10 @@ JSON_STRING=$( jq -n \ curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/agent_policies/FleetServer_{{ GLOBALS.hostname }}" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" # Initial Endpoints Policy -elastic_fleet_policy_create "endpoints-initial" "Initial Endpoint Policy" "false" +elastic_fleet_policy_create "endpoints-initial" "Initial Endpoint Policy" "false" "1209600" # Grid Nodes Policy -elastic_fleet_policy_create "so-grid-nodes" "SO Grid Node Policy" "false" +elastic_fleet_policy_create "so-grid-nodes" "SO Grid Node Policy" "false" "1209600" # Load Integrations for default policies so-elastic-fleet-integration-policy-load diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index 3342f3c15..7d0703653 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -375,7 +375,7 @@ function create_fleet_policy() { JSON_STRING_UPDATE=$( jq -n \ --arg NAME "FleetServer_$LSHOSTNAME" \ --arg DESC "Fleet Server - $LSHOSTNAME" \ - '{"name":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":1209600,"data_output_id":"so-manager_elasticsearch"}' + '{"name":$NAME,"description":$DESC,"namespace":"default","monitoring_enabled":["logs"],"inactivity_timeout":120,"data_output_id":"so-manager_elasticsearch"}' ) # Update Fleet Policy - ES Output From 4930ae4ba6548dd05c0a9724dc21d013d1bd8f3a Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Wed, 17 May 2023 18:14:21 -0400 Subject: [PATCH 15/19] add missing var for local dev --- salt/soc/files/bin/salt-relay.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/bin/salt-relay.sh b/salt/soc/files/bin/salt-relay.sh index 1b21ac225..8a81fc715 100755 --- a/salt/soc/files/bin/salt-relay.sh +++ b/salt/soc/files/bin/salt-relay.sh @@ -70,7 +70,7 @@ function manage_user() { lastName=$(echo "$request" | jq -r .lastName) note=$(echo "$request" | jq -r .note) log "Performing user '$op' for user '$email' with firstname '$firstName', lastname '$lastName', note '$note' and role '$role'" - response=$(echo "$password" | so-user "$op" --email "$email" --firstName "$firstName" --lastName "$lastName" --note "$note" --role "$role" --skip-sync) + response=$(echo "$password" | $CMD_PREFIX so-user "$op" --email "$email" --firstName "$firstName" --lastName "$lastName" --note "$note" --role "$role" --skip-sync) exit_code=$? ;; add|enable|disable|delete) From f4b8d385ee6cf9c540aaa18f2b0f2e81e7b2ce4f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 18 May 2023 08:36:24 -0400 Subject: [PATCH 16/19] remove conditional on cacertz and capemz --- salt/elasticsearch/ca.sls | 2 -- 1 file changed, 2 deletions(-) diff --git a/salt/elasticsearch/ca.sls b/salt/elasticsearch/ca.sls index 49eb44a94..5485bb676 100644 --- a/salt/elasticsearch/ca.sls +++ b/salt/elasticsearch/ca.sls @@ -26,7 +26,6 @@ catrustscript: GLOBALS: {{ GLOBALS }} {% endif %} -{% if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-searchnode'] %} cacertz: file.managed: - name: /opt/so/conf/ca/cacerts @@ -40,7 +39,6 @@ capemz: - source: salt://elasticsearch/tls-ca-bundle.pem - user: 939 - group: 939 -{% endif %} {% else %} From 25b0934cda538008783947c02c2d1b4e1e9399f9 Mon Sep 17 00:00:00 2001 
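Review bot: `$CMD_PREFIX` is expanded unquoted on the new `response=` line and, unlike every other variable there, is not set anywhere in the hunk; that is presumably deliberate (a multi-word wrapper has to split into separate argv words, and in production it is empty), but nothing says so, and a later shellcheck-driven cleanup that quotes it would break the local-dev path. Add a comment above the line: `# CMD_PREFIX is intentionally unquoted: empty in production, a multi-word wrapper for local dev`. manage_user() starts and ends outside the hunk.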
From: m0duspwnens Date: Thu, 18 May 2023 13:06:20 -0400 Subject: [PATCH 17/19] confirm manager ip when found in setup --- setup/so-functions | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 9dd1b7713..e5ec16e4a 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -49,8 +49,9 @@ add_admin_user() { } add_mngr_ip_to_hosts() { - info "Adding $MSRV to /etc/hosts with IP: $MSRVIP" - echo "$MSRVIP $MSRV" >> /etc/hosts + info "Adding $MSRV to /etc/hosts with IP: $MSRVIP" + whiptail_manager_ip $MSRVIP + echo "$MSRVIP $MSRV" >> /etc/hosts } add_socore_user_manager() { From 02920b5ac9f26eb612f454ea17ef3ae467c9aa30 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 18 May 2023 13:25:12 -0400 Subject: [PATCH 18/19] confirm manager ip when found in setup --- setup/so-functions | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index e5ec16e4a..d9322c171 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -49,8 +49,7 @@ add_admin_user() { } add_mngr_ip_to_hosts() { - info "Adding $MSRV to /etc/hosts with IP: $MSRVIP" - whiptail_manager_ip $MSRVIP + info "Adding $MSRV to /etc/hosts with IP: $MSRVIP" echo "$MSRVIP $MSRV" >> /etc/hosts } @@ -400,6 +399,11 @@ collect_mngr_hostname() { done else MSRVIP=$(getent hosts "$MSRV" | awk 'NR==1{print $1}') + whiptail_manager_ip "$MSRVIP" + while ! valid_ip4 "$MSRVIP" || [[ $MSRVIP == "$MAINIP" || $MSRVIP == "127.0.0.1" ]]; do + whiptail_invalid_input + whiptail_manager_ip "$MSRVIP" + done fi } From bab2f7282c70acf5a1186657e0798cba73076a99 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 18 May 2023 13:27:48 -0400 Subject: [PATCH 19/19] fix spaciong --- setup/so-functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index d9322c171..09e219cfd 100755 --- a/setup/so-functions +++ b/setup/so-functions 
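Review bot: The new confirmation loop in the `else` branch of collect_mngr_hostname (`whiptail_manager_ip` followed by `while ! valid_ip4 "$MSRVIP" || [[ $MSRVIP == "$MAINIP" || $MSRVIP == "127.0.0.1" ]]`) appears to duplicate the validation loop the `if` branch runs above it (its `done` is the hunk's first context line); if the conditions are the same, moving the loop after the `fi` so both paths share it avoids the two drifting apart. The loopback check rejects only the literal `127.0.0.1`, so unless `valid_ip4` does more than syntax, `127.0.0.2` or `0.0.0.0` still pass. `getent hosts "$MSRV"` can also return an IPv6 address first when the name has an AAAA record, in which case `valid_ip4` fails and the user sees an unexplained invalid-input dialog; pre-filling from `getent ahostsv4 "$MSRV"` avoids that. collect_mngr_hostname() starts outside the hunk.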
@@ -49,8 +49,8 @@ add_admin_user() { } add_mngr_ip_to_hosts() { - info "Adding $MSRV to /etc/hosts with IP: $MSRVIP" - echo "$MSRVIP $MSRV" >> /etc/hosts + info "Adding $MSRV to /etc/hosts with IP: $MSRVIP" + echo "$MSRVIP $MSRV" >> /etc/hosts } add_socore_user_manager() {