From e93e58fedb383a0a7487f7af7b0d884087da539f Mon Sep 17 00:00:00 2001
From: bryant-treacle
Date: Wed, 26 Apr 2023 08:28:40 -0400
Subject: [PATCH 01/11] Update node.cfg.jinja
---
 salt/zeek/files/node.cfg.jinja | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/zeek/files/node.cfg.jinja b/salt/zeek/files/node.cfg.jinja
index 9ef06bd5a..02b1518df 100644
--- a/salt/zeek/files/node.cfg.jinja
+++ b/salt/zeek/files/node.cfg.jinja
@@ -16,10 +16,10 @@ type=worker
host=localhost
interface=af_packet::{{ NODE.interface }}
lb_method=custom
- {%- if NODE.lb_procs %}
-lb_procs={{ NODE.lb_procs }}
- {%- else %}
+ {%- if NODE.pins %}
lb_procs={{ NODE.pins | length }}
+ {%- else %}
+lb_procs={{ NODE.lb_procs }}
{%- endif %}
{%- if NODE.pins %}
pin_cpus={{ NODE.pins | join(", ") }}
From f07f0775acfafb8743b173364bdc6bcf588b2f43 Mon Sep 17 00:00:00 2001
From: bryant-treacle
Date: Wed, 26 Apr 2023 08:30:28 -0400
Subject: [PATCH 02/11] Update top.sls
---
 pillar/top.sls | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pillar/top.sls b/pillar/top.sls
index 1acc5d030..9e373be31 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -18,7 +18,8 @@ base:
'*_eval or *_heavynode or *_sensor or *_standalone or *_import':
- match: compound
- - zeek
+ - zeek.soc_zeek
+ - zeek.adv_zeek
- bpf.soc_bpf
- bpf.adv_bpf
From 49a60bac765c3743399a000fbc786ea565326504 Mon Sep 17 00:00:00 2001
From: bryant-treacle
Date: Wed, 26 Apr 2023 08:49:04 -0400
Subject: [PATCH 03/11] Update soc_idstools.yaml
---
 salt/idstools/soc_idstools.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/salt/idstools/soc_idstools.yaml b/salt/idstools/soc_idstools.yaml
index bda436928..a7ccac207 100644
--- a/salt/idstools/soc_idstools.yaml
+++ b/salt/idstools/soc_idstools.yaml
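Review bot: The new branch chooses the pin-derived worker count on `NODE.pins` being non-empty rather than on `NODE.pins_enabled`, so a node whose pins list is populated but whose affinity toggle is off would still render `lb_procs={{ NODE.pins | length }}` unless the pillar clears pins in that case — worth confirming against the pillar, since the soc_zeek.yaml text later in this series says lb_procs is ignored "if CPU affinity is enabled". When neither key is set the else branch also renders a bare `lb_procs=`; a fallback such as `lb_procs={{ NODE.lb_procs | default(1) }}` keeps the worker stanza valid in that case.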
@@ -7,6 +7,7 @@ idstools:
ruleset:
description: Define the ruleset you want to run. Options are ETOPEN or ETPRO.
global: True
+ regex: ET[PO][RP][OE]
helpLink: rules.html
urls:
description: This is a list of additional rule download locations.
@@ -16,14 +17,20 @@ idstools:
disabled:
description: List of SIDS that you want to disable.
global: True
+ multiline: True
+ forcedType: "[]string"
helpLink: managing-alerts.html
enabled:
description: List of SIDS that are disabled by the rule source that you want to enable.
global: True
+ multiline: True
+ forcedType: "[]string"
helpLink: managing-alerts.html
modify:
description: List of SIDS that you want to modify.
global: True
+ multiline: True
+ forcedType: "[]string"
helpLink: managing-alerts.html
rules:
local__rules:
From 12120e94c8f5c2b84f403f0bf2f308a1ed4a18aa Mon Sep 17 00:00:00 2001
From: bryant-treacle
Date: Wed, 26 Apr 2023 09:32:08 -0400
Subject: [PATCH 04/11] Update soc_idstools.yaml
---
 salt/idstools/soc_idstools.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/idstools/soc_idstools.yaml b/salt/idstools/soc_idstools.yaml
index a7ccac207..2a411004d 100644
--- a/salt/idstools/soc_idstools.yaml
+++ b/salt/idstools/soc_idstools.yaml
@@ -7,7 +7,7 @@ idstools:
ruleset:
description: Define the ruleset you want to run. Options are ETOPEN or ETPRO.
global: True
- regex: ET[PO][RP][OE]
+ regex: ETPRO\b|ETOPEN\b
helpLink: rules.html
urls:
description: This is a list of additional rule download locations.
From a8b8a1d0b76db7dd4ffa5f0c0088d26e74349360 Mon Sep 17 00:00:00 2001
From: bryant-treacle
Date: Thu, 27 Apr 2023 15:32:37 -0400
Subject: [PATCH 05/11] Update soc_idstools.yaml
---
 salt/idstools/soc_idstools.yaml | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/salt/idstools/soc_idstools.yaml b/salt/idstools/soc_idstools.yaml
index 2a411004d..e0ad6ba98 100644
--- a/salt/idstools/soc_idstools.yaml
+++ b/salt/idstools/soc_idstools.yaml
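Review bot: In the PATCH 04/11 hunk, `regex: ETPRO\b|ETOPEN\b` is bounded only on the right, so if the SOC UI applies the pattern as a search rather than a full-string match, values such as `xETPRO` or `ETOPEN something` still validate and reach the ruleset selection. Anchoring both alternatives, `regex: ^(ETPRO|ETOPEN)$`, restricts the field to exactly the two options the description names. Whether the UI already anchors patterns is not visible from this series, so confirm that before tightening.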
@@ -1,11 +1,12 @@
idstools:
config:
oinkcode:
- description: Enter your registration code for paid rulesets.
+ description: Enter your registration/oink code for paid NIDS rulesets.
+ title: registraion code
global: True
helpLink: rules.html
ruleset:
- description: Define the ruleset you want to run. Options are ETOPEN or ETPRO.
+ description: Defines the ruleset you want to run. Options are ETOPEN or ETPRO.
global: True
regex: ETPRO\b|ETOPEN\b
helpLink: rules.html
@@ -15,26 +16,28 @@ idstools:
helpLink: rules.html
sids:
disabled:
- description: List of SIDS that you want to disable.
+ description: Contains the list of NIDS rules manually disabled across the grid. To disable a rule, add its signature ID (SID) to the Current Grid Value box, one entry per line. To disable multiple rules, you can use regular expressions.
global: True
multiline: True
forcedType: "[]string"
+ regex: \d*|re:.*
helpLink: managing-alerts.html
enabled:
- description: List of SIDS that are disabled by the rule source that you want to enable.
+ description: Contains the list of NIDS rules manually enabled across the grid. To enable a rule, add its signature ID (SID) to the Current Grid Value box, one entry per line. To enable multiple rules, you can use regular expressions.
global: True
multiline: True
forcedType: "[]string"
+ regex: \d*|re:.*
helpLink: managing-alerts.html
modify:
- description: List of SIDS that you want to modify.
+ description: Contains the list of NIDS rules that were modified from their default values. Entries must adhere to the following format - SID "REGEX_SEARCH_TERM" "REGEX_REPLACE_TERM"
global: True
multiline: True
forcedType: "[]string"
helpLink: managing-alerts.html
rules:
local__rules:
- description: This is where custom Suricata rules are entered.
+ description: Contains the list of custom NIDS rules applied to the grid. To add custom NIDS rules to the grid, enter one rule per line in the Current Grid Value box.
file: True
global: True
advanced: True
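Review bot: The new `title: registraion code` line in the oinkcode block is misspelled and that text is shown in the UI as-is; it should read `title: registration code`. The oinkcode is a credential for a paid feed, so if the config schema has a way to mark a value as sensitive so it is masked in the Current Grid Value box, this field would be the natural candidate — that is not visible from this hunk and would need checking elsewhere.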
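Review bot: In the second hunk, `regex: \d*|re:.*` on the disabled and enabled lists accepts the empty string (`\d*` matches nothing at all) and, if applied as a search, accepts any text; `regex: ^(\d+|re:.+)$` would admit only a SID or a non-empty `re:` expression. The descriptions say "you can use regular expressions" but never mention the `re:` prefix the pattern requires, so a sentence such as `Prefix a regular expression with re: to match several SIDs.` would make the validation rule and the documentation agree. The modify list prescribes a strict `SID "REGEX_SEARCH_TERM" "REGEX_REPLACE_TERM"` format yet carries no regex at all, which is inconsistent with its siblings.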
From 57d90a62f787fb811acaed00678c60278c5c713 Mon Sep 17 00:00:00 2001
From: bryant-treacle
Date: Thu, 27 Apr 2023 16:21:41 -0400
Subject: [PATCH 06/11] Update soc_zeek.yaml
---
 salt/zeek/soc_zeek.yaml | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/salt/zeek/soc_zeek.yaml b/salt/zeek/soc_zeek.yaml
index 86c48712a..a3ad624b6 100644
--- a/salt/zeek/soc_zeek.yaml
+++ b/salt/zeek/soc_zeek.yaml
@@ -6,30 +6,36 @@ zeek:
config:
local:
load:
- description: List of Zeek policies to load
+ description: Contains a list of policies and scripts loaded by Zeek. Values in the Current Grid Value dialog box apply to every instance of Zeek. Values in a dialog box for a specific node will only apply to that node.
forcedType: "[]string"
helpLink: zeek.html
load-sigs:
- description: List of Zeek signatures to load
+ description: Contains a list of signatures loaded by Zeek. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node.
forcedType: "[]string"
helpLink: zeek.html
redef:
- description: List of Zeek variables to redefine
+ description: List of Zeek variables to redefine. Values placed in the Current Grid Value dialog box apply to every instance of Zeek. Values placed in a dialog box for a specific node will only apply to that node.
forcedType: "[]string"
advanced: True
helpLink: zeek.html
node:
lb_procs:
- description: This is the number of CPUs to use for Zeek. This setting is ignored if you are using pins.
+ description: Contains the number of CPU cores or workers used by Zeek. This setting should only be applied to individual nodes and will be ignored if CPU affinity is enabled.
+ title: workers
helpLink: zeek.html
node: True
pins_enabled:
description: Enabling this setting allows you to pin Zeek to specific CPUs.
+ title: cpu affinity enabled
+ forcedType: bool
helpLink: zeek.html
node: True
advanced: True
pins:
- description: This is a list of CPUs you want to pin Zeek to.
+ description: Contains a list of specific CPU cores pinned to Zeek workers. To set the CPU affinity, enter the processor ID number in the dialog box for the desired node. To retrieve the processor ID numbers, run the command "cat /proc/cpuinfo | grep processor" on the desired node. Please note that this setting should only be applied to individual nodes.
+ title: cpu affinity
+ multiline: True
+ forcedType: "[]string"
helpLink: zeek.html
node: True
advanced: True
@@ -47,5 +53,5 @@ zeek:
global: True
advanced: True
file_extraction:
- description: This is a list of MIME types that Zeek will extract from the network streams.
+ description: Contains a list of file or MIME types Zeek will extract from the network streams. Values must adhere to the following format - {"MIME_TYPE":"FILE_EXTENTION"}
helpLink: zeek.html
From 4c58aa2ccf5b264bd7d71225304aa0f21313f833 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 28 Apr 2023 13:14:30 -0400
Subject: [PATCH 07/11] Add privileged session config option to kratos config UI
---
 salt/kratos/defaults.yaml | 2 ++
 salt/kratos/soc_kratos.yaml | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/salt/kratos/defaults.yaml b/salt/kratos/defaults.yaml
index bcb166772..b1572a5ff 100644
--- a/salt/kratos/defaults.yaml
+++ b/salt/kratos/defaults.yaml
@@ -5,6 +5,8 @@ kratos:
whoami:
required_aal: highest_available
selfservice:
+ settings:
+ privileged_session_max_age: 5m
methods:
password:
enabled: true
diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml
index e3b88e28f..4fefa0583 100644
--- a/salt/kratos/soc_kratos.yaml
+++ b/salt/kratos/soc_kratos.yaml
@@ -12,6 +12,11 @@ kratos:
advanced: True
helpLink: kratos.html
selfservice:
+ settings:
+ privileged_session_max_age:
+ description: The length of time after a successful authentication for a user's session to be elevated to a privileged session. Privileged sessions are able to change passwords and MFA settings for that user. If a session is no longer privileged then the user is sent to the login form first, before the security settings can be adjusted.
+ global: True
+ helpLink: kratos.html
methods:
password:
enabled:
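Review bot: The pins list now carries `forcedType: "[]string"` but no `regex`, even though every entry is documented as a numeric processor ID and the value is rendered straight into node.cfg's pin_cpus; the SID lists in soc_idstools.yaml earlier in this series gained a `regex`, so `regex: ^\d+$` here would be consistent, assuming the UI applies the pattern per entry for multiline values (not visible from this hunk). The description's example `cat /proc/cpuinfo | grep processor` works but reads more simply as `grep processor /proc/cpuinfo`. The pins_enabled description was left unchanged, so it still says nothing about the interaction with lb_procs that the new lb_procs text describes.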
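Review bot: In the second soc_zeek.yaml hunk, the new file_extraction description spells the placeholder `FILE_EXTENTION`; since this is the literal format operators are told to follow, it should read `{"MIME_TYPE":"FILE_EXTENSION"}`. A short concrete example in the same sentence, such as `{"application/x-dosexec":"exe"}` (constructed example), would make the expected shape of each entry unambiguous.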
@@ -23,7 +28,6 @@ kratos:
haveibeenpwned_enabled:
description: Set to True to check if a newly chosen password has ever been found in a published list of previously-compromised passwords. Requires outbound Internet connectivity when enabled.
global: True
- advanced: True
helpLink: kratos.html
totp:
enabled:
From 666d4ea260782427877ea5a020c59fbf3ce65728 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 28 Apr 2023 13:56:28 -0400
Subject: [PATCH 08/11] Add privileged session config option to kratos config UI
---
 salt/kratos/defaults.yaml | 3 +--
 salt/kratos/soc_kratos.yaml | 9 ++++-----
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/salt/kratos/defaults.yaml b/salt/kratos/defaults.yaml
index b1572a5ff..8f7a72b00 100644
--- a/salt/kratos/defaults.yaml
+++ b/salt/kratos/defaults.yaml
@@ -5,8 +5,6 @@ kratos:
whoami:
required_aal: highest_available
selfservice:
- settings:
- privileged_session_max_age: 5m
methods:
password:
enabled: true
@@ -18,6 +16,7 @@ kratos:
issuer: Security Onion
flows:
settings:
+ privileged_session_max_age: 5m
ui_url: https://URL_BASE/?r=/settings
required_aal: highest_available
verification:
diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml
index 4fefa0583..d08e3682b 100644
--- a/salt/kratos/soc_kratos.yaml
+++ b/salt/kratos/soc_kratos.yaml
@@ -12,11 +12,6 @@ kratos:
advanced: True
helpLink: kratos.html
selfservice:
- settings:
- privileged_session_max_age:
- description: The length of time after a successful authentication for a user's session to be elevated to a privileged session. Privileged sessions are able to change passwords and MFA settings for that user. If a session is no longer privileged then the user is sent to the login form first, before the security settings can be adjusted.
- global: True
- helpLink: kratos.html
methods:
password:
enabled:
@@ -43,6 +38,10 @@ kratos:
helpLink: kratos.html
flows:
settings:
+ privileged_session_max_age:
+ description: The length of time after a successful authentication for a user's session to be elevated to a privileged session. Privileged sessions are able to change passwords and MFA settings for that user. If a session is no longer privileged then the user is sent to the login form first, before the security settings can be adjusted.
+ global: True
+ helpLink: kratos.html
ui_url:
description: User accessible URL containing the user self-service profile and security settings. Leave as default to ensure proper operation.
global: True
From 03c89a02adf8aa6b46edd790db248ccd7bfddd5e Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Fri, 28 Apr 2023 14:01:19 -0400
Subject: [PATCH 09/11] Add privileged session config option to kratos config UI
---
 salt/kratos/soc_kratos.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/kratos/soc_kratos.yaml b/salt/kratos/soc_kratos.yaml
index d08e3682b..d2555bf11 100644
--- a/salt/kratos/soc_kratos.yaml
+++ b/salt/kratos/soc_kratos.yaml
@@ -39,7 +39,7 @@ kratos:
flows:
settings:
privileged_session_max_age:
- description: The length of time after a successful authentication for a user's session to be elevated to a privileged session. Privileged sessions are able to change passwords and MFA settings for that user. If a session is no longer privileged then the user is sent to the login form first, before the security settings can be adjusted.
+ description: The length of time after a successful authentication for a user's session to remain elevated to a privileged session. Privileged sessions are able to change passwords and other security settings for that user. If a session is no longer privileged then the user is redirected to the login form in order to confirm the security change.
global: True
helpLink: kratos.html
ui_url:
From 17e6f5b899720fc303df2c1ce758c8602569815e Mon Sep 17 00:00:00 2001
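Review bot: The PATCH 09/11 rewrite of the privileged_session_max_age description still never says what form the value takes; the default set in salt/kratos/defaults.yaml earlier in this series is `5m`, so a closing sentence such as `Expressed as a duration, for example the default of 5m.` would spare operators guessing at units. It is also worth stating the trade-off the setting controls: a longer window is the period during which an already-authenticated session — including one a user left open or that was taken over — can change the password and MFA settings without re-entering credentials, so raising it should be a deliberate choice rather than a convenience tweak.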
From: Jason Ertel
Date: Mon, 1 May 2023 11:06:00 -0400
Subject: [PATCH 10/11] simplify cloud detection
---
 setup/so-functions | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index f7f67dfe2..7bc792e5b 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -919,11 +919,9 @@ create_repo() {
detect_cloud() {
info "Testing if setup is running on a cloud instance..."
- if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || \
- ( curl --fail -s -m 5 -H "X-aws-ec2-metadata-token: $(curl -s -X PUT -m 5 'http://169.254.169.254/latest/api/token' -H 'X-aws-ec2-metadata-token-ttl-seconds: 30')" http://169.254.169.254/latest/meta-data/instance-id > /dev/null) || \
- (dmidecode -s bios-vendor | grep -q Google > /dev/null) || \
+ if dmidecode -s bios-version | grep -q amazon || \
+ dmidecode -s bios-vendor | grep -q Google || \
[ -f /var/log/waagent.log ]; then
-
info "Detected a cloud installation..." && export is_cloud="true";
else
info "This does not appear to be a cloud installation."
From 40ff2677c4ad280a32eff75be000c66a656d0941 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Tue, 2 May 2023 07:57:49 -0400
Subject: [PATCH 11/11] more detection improvements
---
 setup/so-functions | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index 7bc792e5b..0edc873a1 100755
--- a/setup/so-functions
+++ b/setup/so-functions
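Review bot: The new `dmidecode -s bios-version | grep -q amazon` and `dmidecode -s bios-vendor | grep -q Google` tests fail closed to "not a cloud installation" whenever dmidecode is missing or cannot read the DMI tables (it needs root), and its error text lands in the installer output, so the detection can go silently wrong; adding `2>/dev/null` to each call and logging via `info` when `command -v dmidecode` fails would make that state visible rather than misreported. The same applies to the PATCH 11/11 hunk, which keeps these calls. Dropping the two curl probes does remove a network dependency on 169.254.169.254 from setup, which is a reasonable simplification; detect_cloud's closing `fi` and brace lie outside this hunk.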
@@ -917,15 +917,19 @@ create_repo() {
logCmd "createrepo /nsm/repo"
}
+
detect_cloud() {
- info "Testing if setup is running on a cloud instance..."
- if dmidecode -s bios-version | grep -q amazon || \
- dmidecode -s bios-vendor | grep -q Google || \
- [ -f /var/log/waagent.log ]; then
- info "Detected a cloud installation..." && export is_cloud="true";
- else
- info "This does not appear to be a cloud installation."
- fi
+ info "Testing if setup is running on a cloud instance..."
+ if dmidecode -s bios-version | grep -q amazon || \
+ dmidecode -s bios-vendor | grep -q Amazon || \
+ dmidecode -s bios-vendor | grep -q Google || \
+ [ -f /var/log/waagent.log ]; then
+
+ info "Detected a cloud installation..."
+ export is_cloud="true"
+ else
+ info "This does not appear to be a cloud installation."
+ fi
}
detect_os() {
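Review bot: The rewritten condition now runs dmidecode three times, and the first two branches differ only in the key and the case of "amazon", so a future vendor string change means editing two lines; reading each DMI string once and matching case-insensitively keeps the same result with a single place to maintain. The added empty line directly after `then` is also a style oddity that suggests a leftover from the split of the old `&&` line. The whole detect_cloud body is within this hunk.

```shell
detect_cloud() {
  info "Testing if setup is running on a cloud instance..."
  local bios_vendor bios_version
  bios_vendor=$(dmidecode -s bios-vendor 2>/dev/null)
  bios_version=$(dmidecode -s bios-version 2>/dev/null)
  if printf '%s\n' "$bios_vendor" "$bios_version" | grep -qi amazon || \
     printf '%s\n' "$bios_vendor" | grep -q Google || \
     [ -f /var/log/waagent.log ]; then
    info "Detected a cloud installation..."
    export is_cloud="true"
  # … unchanged: else branch and fi …
```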