From 92c6a524965308d0b66c0abd52a9baccbf4a1706 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 26 May 2020 14:49:22 -0400 Subject: [PATCH 01/31] [feat][WIP] Add functionality to run setup through a proxy --- setup/so-functions | 56 +++++++++++++++++++++++++++++++--------------- 1 file changed, 38 insertions(+), 18 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 4e01c935c..fed162596 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -550,6 +550,9 @@ detect_os() { disable_onion_user() { # Disable the default account cause security. usermod -L onion + + # Remove the automated setup script from crontab, if it exists + crontab -u onion -r } disable_misc_network_features() { 
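Review bot: `crontab -u onion -r` exits non-zero when the user has no crontab, so the "if it exists" in the new comment is not enforced, and if so-functions runs under `set -e` (not visible in this hunk) locking the default account would abort setup at that point. Guard the removal with a listing first: `crontab -u onion -l >/dev/null 2>&1 && crontab -u onion -r`. Logging the removal to `$setup_log`, as the neighbouring setup steps do, would also let an operator confirm that the automated-setup job was cleared when the account was disabled.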
@@ -955,29 +958,47 @@ parse_options() { if [[ $is_master || $is_helix ]]; then local proxy proxy=$(echo "$1" | tr -d '"' | awk -F'--turbo=' '{print $2}') - proxy_addr="http://$proxy" - use_proxy "$proxy_addr" - TURBO="$proxy_addr" + proxy_url="http://$proxy" + TURBO="$proxy_url" + use_turbo_proxy "$TURBO" else echo "turbo is not supported on this install type" >> $setup_log 2>&1 fi ;; --proxy=*) - echo "Unimplimented" - return + local proxy + proxy=$(echo "$1" | tr -d '"' | awk -F'--proxy=' '{print $2}') - if [[ $2 != --proxy-user=* ]] || [[ $3 != --proxy-pass=* ]]; then - echo "Invalid options passed for proxy. Order is --proxy-user= --proxy-pass=" - else - local proxy + local proxy_protocol + proxy_protocol=$(echo "$proxy" |tr -d '"' | awk 'match($0, /http|https/) { print substr($0, RSTART, RLENGTH) }') + + if [[ ! $proxy_protocol =~ ^(http|https) ]]; then + echo "Invalid proxy protocol" + echo "Ignoring proxy" + return + fi + + if [[ $2 == --proxy-user=* && $3 == --proxy-pass=* ]]; then local proxy_user local proxy_password - proxy=$(echo "$1" | tr -d '"' | awk -F'--proxy=' '{print $2}') proxy_user=$(echo "$2" | tr -d '"' | awk -F'--proxy-user=' '{print $2}') proxy_password=$(echo "$3" | tr -d '"' | awk -F'--proxy-pass=' '{print $2}') - - use_proxy "$proxy" "$proxy_user" "$proxy_password" + + local proxy_addr + proxy_addr=$(echo "$proxy" | tr -d '"' | awk -F'http\:\/\/|https\:\/\/' '{print $2}') + + export http_proxy="${proxy_protocol}://${proxy_user}:${proxy_password}@${proxy_addr}" + + elif [[ (-z $2 || -z $3) && (-n $2 || -n $3) || ($2 != --proxy-user=* || $3 != --proxy-pass=*) ]]; then + echo "Invalid options passed for proxy. Order is --proxy-user= --proxy-pass=" + echo "Ignoring proxy" + return + + else + export http_proxy="$proxy" fi + + export {https,ftp,rsync,all}_proxy="$http_proxy" ;; *) echo "Invalid option" 
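Review bot: The `--proxy-pass=` value is taken from argv and placed verbatim into the exported `http_proxy` URL, so the password is readable by any local user through `ps`/`/proc/*/cmdline` for the life of the setup run and is inherited by every child process (salt-call, the package managers), some of which log their environment. Accepting the secret from a file or stdin (for example `--proxy-pass-file=PATH`) instead of the command line would avoid both exposures. Separately, `proxy_user` and `proxy_password` are interpolated into `${proxy_protocol}://${proxy_user}:${proxy_password}@${proxy_addr}` without percent-encoding, so a password containing `@`, `:` or `/` produces a malformed proxy URL; encode them, or reject those characters with a clear message, before the `export`.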
@@ -1479,18 +1500,17 @@ update_packages() { fi } -use_proxy() { - local proxy_addr=$1 +use_turbo_proxy() { + local proxy_url=$1 #TODO: add options for username + pass if [[ $OS == 'centos' ]]; then - printf '%s\n'\ - "proxy=${proxy_addr}:3142" >> /etc/yum.conf + printf '%s\n' "proxy=${proxy_url}:3142" >> /etc/yum.conf else printf '%s\n'\ "Acquire {"\ - "HTTP::proxy \"${proxy_addr}:3142\";"\ - "HTTPS::proxy \"${proxy_addr}:3142\";"\ + " HTTP::proxy \"${proxy_url}:3142\";"\ + " HTTPS::proxy \"${proxy_url}:3142\";"\ "}" > /etc/apt/apt.conf.d/proxy.conf fi } From 84e3ce508e72ab106c7b7b69f846ae5eabb86947 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 26 May 2020 15:19:37 -0400 Subject: [PATCH 02/31] [fix] Only check for proxy-user & proxy-pass when needed --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index fed162596..4b47d65d9 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -989,7 +989,7 @@ parse_options() { export http_proxy="${proxy_protocol}://${proxy_user}:${proxy_password}@${proxy_addr}" - elif [[ (-z $2 || -z $3) && (-n $2 || -n $3) || ($2 != --proxy-user=* || $3 != --proxy-pass=*) ]]; then + elif [[ (-z $2 || -z $3) && (-n $2 || -n $3) || ( -n $2 && -n $3 && ($2 != --proxy-user=* || $3 != --proxy-pass=*) ) ]]; then echo "Invalid options passed for proxy. Order is --proxy-user= --proxy-pass=" echo "Ignoring proxy" return From 9e1ed6983f6d0dd0000fd2ea3efa4e2a1cdb8df6 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 26 May 2020 15:25:30 -0400 Subject: [PATCH 03/31] [fix] Parse options at beginning of setup --- setup/so-functions | 10 +++------- setup/so-setup | 11 ++++++++--- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 4b47d65d9..ae99d190e 100755 --- a/setup/so-functions +++ b/setup/so-functions 
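Review bot: The CentOS branch appends `proxy=${proxy_url}:3142` to `/etc/yum.conf` with `>>`, so every invocation (a re-run of setup, or the function being called twice) leaves another `proxy=` line behind, whereas the apt branch overwrites its drop-in with `>` and stays idempotent. Remove any prior line before appending, e.g. `sed -i '/^proxy=/d' /etc/yum.conf` ahead of the `printf`, so the two branches behave the same. The `#TODO: add options for username + pass` comment is fine to keep, but it should say that credentials must not be written into these world-readable config files.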
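Review bot: The rewritten `elif` condition in the patch 02 hunk is hard to verify by reading; since the preceding `if` already established that `$2`/`$3` are not a valid `--proxy-user=`/`--proxy-pass=` pair, the only case that should reach `else` is "neither was supplied", and `elif [[ -n $2 || -n $3 ]]; then` expresses that in one clause. If so-functions is ever run with `set -u` (not visible here), referencing an unset `$3` inside `[[ ]]` raises "unbound variable"; `${2-}`/`${3-}` would make the test safe in that mode.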
@@ -960,7 +960,6 @@ parse_options() { proxy=$(echo "$1" | tr -d '"' | awk -F'--turbo=' '{print $2}') proxy_url="http://$proxy" TURBO="$proxy_url" - use_turbo_proxy "$TURBO" else echo "turbo is not supported on this install type" >> $setup_log 2>&1 fi @@ -1501,16 +1500,13 @@ update_packages() { } use_turbo_proxy() { - local proxy_url=$1 - #TODO: add options for username + pass - if [[ $OS == 'centos' ]]; then - printf '%s\n' "proxy=${proxy_url}:3142" >> /etc/yum.conf + printf '%s\n' "proxy=${TURBO}:3142" >> /etc/yum.conf else printf '%s\n'\ "Acquire {"\ - " HTTP::proxy \"${proxy_url}:3142\";"\ - " HTTPS::proxy \"${proxy_url}:3142\";"\ + " HTTP::proxy \"${TURBO}:3142\";"\ + " HTTPS::proxy \"${TURBO}:3142\";"\ "}" > /etc/apt/apt.conf.d/proxy.conf fi } diff --git a/setup/so-setup b/setup/so-setup index 4b0a4d6f6..6ce0a64ca 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -40,6 +40,12 @@ export PATH=$PATH:../salt/common/tools/sbin date -u > $setup_log 2>&1 got_root + +if [[ $# -gt 1 ]]; then + set -- "${@:2}" + parse_options "$@" >> $setup_log 2>&1 +fi + detect_os if [ "$OS" == ubuntu ]; then @@ -241,9 +247,8 @@ fi whiptail_make_changes -if [[ $# -gt 1 ]]; then - set -- "${@:2}" - parse_options "$@" >> $setup_log 2>&1 +if [[ -n "$TURBO" ]]; then + use_turbo_proxy fi if [[ "$setup_type" == 'iso' ]]; then From 001f7c6694946c478b5ab6fffc82ab2ad9709a15 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 26 May 2020 16:01:44 -0400 Subject: [PATCH 04/31] [fix] export TURBO var so it can be used from so-setup --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index ae99d190e..bf3f4d856 100755 --- a/setup/so-functions +++ b/setup/so-functions 
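Review bot: In the so-setup hunk `parse_options "$@"` is called once, and `parse_options` dispatches on `"$1"` only (its `case "$1" in` is visible in the later hunks), so only the first option after the install type is honoured — `--turbo=HOST --proxy=URL` silently ignores the proxy and a trailing `--allow-analyst` is never seen. Unless parse_options is looped somewhere outside this diff, iterate the arguments, e.g. `while (( $# )); do parse_options "$@"; shift; done`, bearing in mind that the `--proxy=*` arm reads `$2`/`$3` and so needs to report how many it consumed. Moving the call before `detect_os` is otherwise sound; `$setup_log` in the redirect should be quoted like the other expansions.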
@@ -959,7 +959,7 @@ parse_options() { local proxy proxy=$(echo "$1" | tr -d '"' | awk -F'--turbo=' '{print $2}') proxy_url="http://$proxy" - TURBO="$proxy_url" + export TURBO="$proxy_url" else echo "turbo is not supported on this install type" >> $setup_log 2>&1 fi From 8e1bd32f4d5e9ecdd1b3bb8f3bdf334f1ad08a29 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 26 May 2020 16:11:31 -0400 Subject: [PATCH 05/31] Improve automated installs and remove sleep during progress updates --- setup/so-functions | 4 +--- setup/so-setup | 28 +++++++++++++++++++++++++--- 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index bf6db26be..f8d41cfc7 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -968,7 +968,7 @@ parse_options() { fi ;; --proxy=*) - echo "Unimplimented" + echo "Unimplemented" return if [[ $2 != --proxy-user=* ]] || [[ $3 != --proxy-pass=* ]]; then @@ -1268,8 +1268,6 @@ set_progress_str() { '----'\ "$percentage% - ${progress_bar_text^^}"\ "----" >> "$setup_log" 2>&1 - - sleep 5 } sensor_pillar() { diff --git a/setup/so-setup b/setup/so-setup index 69c5763f9..03889606d 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -25,11 +25,33 @@ setup_type=$1 export setup_type automation=$2 + +automated=no + +function progress() { + if [ $automated == no ]; then + whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 + fi +} + if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then echo "Preselecting variable values based on automated setup: $automation" - exit 1 source automation/$automation - sleep 30 # Re-implement with network availability probe + automated=yes + + attempt=1 + attempts=60 + ip a | grep "$MNIC:" | grep "state UP" + while [ $? -ne 0 ]; do + if [ $attempt -gt $attempts ]; then + echo "Network unavailable - setup cannot continue" + exit 1 + fi + echo "Waiting for network to come up (attempt $attempt of $attempts)" + attempt=$((attempt + 1)) + sleep 10; + ip a | grep "$MNIC:" | grep "state UP" + done fi case "$setup_type" in @@ -498,7 +520,7 @@ fi set_progress_str 95 'Verifying setup' salt-call -l info state.highstate >> $setup_log 2>&1 -} | whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 +} | progress success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}') if [[ "$success" = 0 ]]; then From ec0ec79470fe0bc822ad3e189aba63c79ae492ec Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 26 May 2020 16:23:06 -0400 Subject: [PATCH 06/31] [fix] Test install type after it has been set --- setup/so-functions | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index bf3f4d856..1f5df9678 100755 --- a/setup/so-functions +++ b/setup/so-functions 
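Review bot: The readiness probe `ip a | grep "$MNIC:" | grep "state UP"` depends on `$MNIC` having been set by the sourced automation file; if it is empty the first pattern degenerates to `:` and any interface in state UP satisfies the loop, so setup proceeds without confirming the management NIC. Assert it before the loop with `: "${MNIC:?MNIC must be set in automation/$automation}"`. The `while [ $? -ne 0 ]` form also duplicates the pipeline at the loop tail; `until ip a | grep "$MNIC:" | grep -q "state UP"; do … done` keeps one copy and drops the status juggling. In `progress()`, `[ $automated == no ]` should be `[[ $automated == no ]]` (or quoted) like the other tests in this file.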
@@ -955,14 +955,10 @@ node_pillar() { parse_options() { case "$1" in --turbo=*) - if [[ $is_master || $is_helix ]]; then - local proxy - proxy=$(echo "$1" | tr -d '"' | awk -F'--turbo=' '{print $2}') - proxy_url="http://$proxy" - export TURBO="$proxy_url" - else - echo "turbo is not supported on this install type" >> $setup_log 2>&1 - fi + local proxy + proxy=$(echo "$1" | tr -d '"' | awk -F'--turbo=' '{print $2}') + proxy_url="http://$proxy" + TURBO="$proxy_url" ;; --proxy=*) local proxy @@ -971,7 +967,7 @@ parse_options() { local proxy_protocol proxy_protocol=$(echo "$proxy" |tr -d '"' | awk 'match($0, /http|https/) { print substr($0, RSTART, RLENGTH) }') - if [[ ! $proxy_protocol =~ ^(http|https) ]]; then + if [[ ! $proxy_protocol =~ ^(http|https)$ ]]; then echo "Invalid proxy protocol" echo "Ignoring proxy" return @@ -1500,6 +1496,11 @@ update_packages() { } use_turbo_proxy() { + if [[ ! $install_type =~ ^(MASTER|EVAL|HELIXSENSOR|MASTERSEARCH|STANDALONE)$ ]]; then + echo "turbo is not supported on this install type" >> $setup_log 2>&1 + return + fi + if [[ $OS == 'centos' ]]; then printf '%s\n' "proxy=${TURBO}:3142" >> /etc/yum.conf else From 00681649bd7814144993071450cc89f231bfe7a1 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 26 May 2020 16:41:41 -0400 Subject: [PATCH 07/31] [fix] Don't run tr on a string again --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 4eabd8657..20fa67dfd 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -967,7 +967,7 @@ parse_options() { proxy=$(echo "$1" | tr -d '"' | awk -F'--proxy=' '{print $2}') local proxy_protocol - proxy_protocol=$(echo "$proxy" |tr -d '"' | awk 'match($0, /http|https/) { print substr($0, RSTART, RLENGTH) }') + proxy_protocol=$(echo "$proxy" | awk 'match($0, /http|https/) { print substr($0, RSTART, RLENGTH) }') if [[ ! $proxy_protocol =~ ^(http|https)$ ]]; then echo "Invalid proxy protocol" 
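Review bot: After this change the `--turbo=` value goes straight from argv into `TURBO="http://$proxy"` with no validation, and `use_turbo_proxy` (last hunk of this patch) writes it into `/etc/yum.conf` and `/etc/apt/apt.conf.d/proxy.conf`, so an embedded newline or `;` becomes additional package-manager configuration. Check the value is a bare `host[:port]` before accepting it, e.g. `[[ $proxy =~ ^[A-Za-z0-9.-]+(:[0-9]{1,5})?$ ]] || { echo "Invalid --turbo value" >> $setup_log; return; }`. The hunk also drops the `export` that patch 04 added for `TURBO`; that is harmless while parse_options runs in so-setup's own shell, but `proxy_url` remains a non-`local` global and should be declared with `local` like `proxy`.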
From 377d8e6336c2f30e6f08831a8fe4c8036eeb1d4a Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 26 May 2020 16:54:51 -0400 Subject: [PATCH 08/31] [fix] Don't run tr on a string again --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 20fa67dfd..612b0147b 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -982,7 +982,7 @@ parse_options() { proxy_password=$(echo "$3" | tr -d '"' | awk -F'--proxy-pass=' '{print $2}') local proxy_addr - proxy_addr=$(echo "$proxy" | tr -d '"' | awk -F'http\:\/\/|https\:\/\/' '{print $2}') + proxy_addr=$(echo "$proxy" | awk -F'http\:\/\/|https\:\/\/' '{print $2}') export http_proxy="${proxy_protocol}://${proxy_user}:${proxy_password}@${proxy_addr}" From 5d0a7f99e91aee191266d0e122cd158e73bb6e30 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 26 May 2020 18:45:29 -0400 Subject: [PATCH 09/31] Improve logging of automated setup --- setup/so-setup | 40 ++++++++++++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 10 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index fdc69076b..0d309bfc3 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -28,6 +28,8 @@ automation=$2 automated=no +echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 + function progress() { if [ $automated == no ]; then whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 
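Review bot: `proxy_addr` is everything after `://`, but the `proxy_protocol` extraction in the patch 07 hunk above only searches for the substring `http` anywhere in the value, so `--proxy=myhttpcache.example.com:3128` passes the protocol check and then yields an empty `proxy_addr`, exporting `http_proxy=http://user:pass@`. Parsing both halves with parameter expansion closes that gap and avoids the awk field regex (whose `\:`/`\/` escapes also trigger gawk warnings): `[[ $proxy == *://* ]] || { echo "Invalid proxy URL"; echo "Ignoring proxy"; return; }`, then `proxy_protocol=${proxy%%://*}` and `proxy_addr=${proxy#*://}`, keeping the existing `^(http|https)$` test on the protocol.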
@@ -35,31 +37,51 @@ function progress() { } if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then - echo "Preselecting variable values based on automated setup: $automation" + echo "Preselecting variable values based on automated setup: $automation" >> $setup_log 2>&1 source automation/$automation automated=yes + echo "Checking network configuration" >> $setup_log 2>&1g + ip a >> $setup_log 2>&1 + attempt=1 attempts=60 - ip a | grep "$MNIC:" | grep "state UP" + ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1 while [ $? -ne 0 ]; do + ip a >> $setup_log 2>&1 if [ $attempt -gt $attempts ]; then - echo "Network unavailable - setup cannot continue" + echo "Network unavailable - setup cannot continue" >> $setup_log 2>&1 exit 1 fi - echo "Waiting for network to come up (attempt $attempt of $attempts)" + echo "Waiting for network to come up (attempt $attempt of $attempts)" >> $setup_log 2>&1 attempt=$((attempt + 1)) sleep 10; - ip a | grep "$MNIC:" | grep "state UP" + ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1 done + echo "Network is up on $MNIC" >> $setup_log 2>&1 + + attempt=1 + attempts=60 + ping -c google.com >> $setup_log 2>&1 + while [ $? -ne 0 ]; do + if [ $attempt -gt $attempts ]; then + echo "DNS unavailable - setup cannot continue" >> $setup_log 2>&1 + exit 1 + fi + echo "Waiting for DNS to become available (attempt $attempt of $attempts)" >> $setup_log 2>&1 + attempt=$((attempt + 1)) + sleep 10; + ping -c google.com >> $setup_log 2>&1 + done + echo "DNS is available" >> $setup_log 2>&1 fi case "$setup_type" in iso | network) # Accepted values - echo "Beginning Security Onion $setup_type install" + echo "Beginning Security Onion $setup_type install" >> $setup_log 2>&1 ;; *) - echo "Invalid install type, must be 'iso' or 'network'" + echo "Invalid install type, must be 'iso' or 'network'" | tee $setup_log exit 1 ;; esac 
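Review bot: `echo "Checking network configuration" >> $setup_log 2>&1g` has a stray `g`; bash reports that as an ambiguous redirect, so the line never reaches the log (and would abort under `set -e`) — it should read `>> $setup_log 2>&1`. Further down, the invalid-install-type branch uses `| tee $setup_log` without `-a`, which truncates the log that the "Starting setup" banner was just written to; the "User cancelled setup." line in the following hunk has the same problem, so both should be `tee -a $setup_log`. The trailing `;` on `sleep 10;` is harmless but inconsistent with the rest of the loop.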
@@ -67,8 +89,6 @@ esac # Allow execution of SO tools during setup export PATH=$PATH:../salt/common/tools/sbin -date -u > $setup_log 2>&1 - got_root if [[ $# -gt 1 ]]; then @@ -87,7 +107,7 @@ setterm -blank 0 if [ "$setup_type" == 'iso' ] || (whiptail_you_sure); then true else - echo "User cancelled setup." >> $setup_log 2>&1 + echo "User cancelled setup." | tee $setup_log whiptail_cancel fi From 65431e0fccc7a82979637ac65cf5f1a353e15c1f Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 26 May 2020 22:39:18 -0400 Subject: [PATCH 10/31] Do not expect network access to be available prior to the NIC being configured for DHCP/Static --- setup/so-setup | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 0d309bfc3..d18f60089 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -59,21 +59,6 @@ if [[ -f automation/$automation && $(basename $automation) == $automation ]]; th ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1 done echo "Network is up on $MNIC" >> $setup_log 2>&1 - - attempt=1 - attempts=60 - ping -c google.com >> $setup_log 2>&1 - while [ $? -ne 0 ]; do - if [ $attempt -gt $attempts ]; then - echo "DNS unavailable - setup cannot continue" >> $setup_log 2>&1 - exit 1 - fi - echo "Waiting for DNS to become available (attempt $attempt of $attempts)" >> $setup_log 2>&1 - attempt=$((attempt + 1)) - sleep 10; - ping -c google.com >> $setup_log 2>&1 - done - echo "DNS is available" >> $setup_log 2>&1 fi case "$setup_type" in From f3809cb93d3871eabf722427499ab6d5aeac64e0 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 27 May 2020 08:31:14 -0400 Subject: [PATCH 11/31] Wrap with quotes --- salt/strelka/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index a9842924d..5767531f4 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls 
@@ -112,5 +112,5 @@ strelka_filestream: strelka_zeek_extracted_sync: cron.present: - user: root - - name: [ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/ > /dev/null 2>&1 + - name: '[ -d /nsm/zeek/extracted/complete/ ] && mv /nsm/zeek/extracted/complete/* /nsm/strelka/ > /dev/null 2>&1' - minute: '*' From c614e0a8805b87f4e5d00ea0e02607c334eacde2 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 27 May 2020 10:11:54 -0400 Subject: [PATCH 12/31] [feat] Add prompt about master needing internet access When package updates go through the master node, that master needs internet access. Therefore, prompt the user about this requirement. Resolves #146 --- setup/so-setup | 3 +++ setup/so-whiptail | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/setup/so-setup b/setup/so-setup index fdc69076b..c07cca70b 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -231,6 +231,9 @@ fi if [[ $is_distmaster || ( $is_sensor || $is_node ) && ! $is_eval ]]; then whiptail_master_updates + if [[ $setup_type == 'network' && $MASTERUPDATES == 1 ]]; then + whiptail_master_updates_warning + fi fi if [[ $is_minion ]]; then diff --git a/setup/so-whiptail b/setup/so-whiptail index 72455fc9e..31a0c05ec 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1027,7 +1027,17 @@ whiptail_master_updates() { ;; esac +} +whiptail_master_updates_warning() { + [ -n "$TESTING" ] && return + + whiptail --title "Security Onion Setup"\ + --msgbox "Updating through the master node requires the master to have internet access, press ENTER to continue"\ + 8 75 + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus } whiptail_node_updates() { From 9cc2614cc8d31ead8b608bfe6d8c87e9b47ec288 Mon Sep 17 00:00:00 2001 
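Review bot: The quoted cron command still runs `mv /nsm/zeek/extracted/complete/* /nsm/strelka/` as root every minute with the glob unprotected by `--`; the files there are produced by Zeek's file extraction from observed traffic, and depending on how the extraction script names them a file beginning with `-` would be parsed by mv as an option. Use `mv -- /nsm/zeek/extracted/complete/* /nsm/strelka/` inside the new quotes. The `[ -d … ] &&` guard also does not cover an empty directory, where the literal `*` is passed to mv and fails — harmless, but it generates cron mail every minute on an idle sensor.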
From: Jason Ertel Date: Wed, 27 May 2020 11:47:18 -0400 Subject: [PATCH 13/31] Automated setup will now output progress data to sosetup.log --- setup/so-functions | 4 +++- setup/so-setup | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 612b0147b..f6abdb047 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -998,7 +998,9 @@ parse_options() { export {https,ftp,rsync,all}_proxy="$http_proxy" ;; *) - echo "Invalid option" + if [[ $1 = --* ]]; then + echo "Invalid option" + fi esac } diff --git a/setup/so-setup b/setup/so-setup index 4e004b425..9ddb35a0a 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -33,6 +33,8 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 function progress() { if [ $automated == no ]; then whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 + else + cat >> $setup_log 2>&1 fi } From b7a0f79038c7c5d306ba8c79f1223d9a6f8b67bc Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 27 May 2020 16:58:31 +0000 Subject: [PATCH 14/31] Update Suricata init --- salt/suricata/init.sls | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 39f419ad0..547eee863 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -55,6 +55,12 @@ surilogdir: - user: 940 - group: 939 +suridatadir: + file.directory: + - name: /nsm/suricata + - user: 940 + - group: 939 + surirulesync: file.recurse: - name: /opt/so/conf/suricata/rules/ @@ -119,6 +125,7 @@ so-suricata: - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro - /opt/so/log/suricata/:/var/log/suricata/:rw + - /nsm/suricata/:/nsm/suricata/:rw - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro - network_mode: host - watch: From e78a3f32780b0c8c6c5093a5161479b881a92621 Mon Sep 17 00:00:00 2001 
From: Wes Lambert Date: Wed, 27 May 2020 16:59:26 +0000 Subject: [PATCH 15/31] update Suricata config --- salt/suricata/files/suricata.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/suricata/files/suricata.yaml b/salt/suricata/files/suricata.yaml index 5a0121b63..65465806f 100644 --- a/salt/suricata/files/suricata.yaml +++ b/salt/suricata/files/suricata.yaml @@ -99,7 +99,7 @@ outputs: - eve-log: enabled: yes filetype: regular #regular|syslog|unix_dgram|unix_stream|redis - filename: eve.json + filename: /nsm/eve.json rotate-interval: day community-id: true community-id-seed: 0 @@ -918,7 +918,7 @@ host-mode: auto # If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules # apply. In that case try something like 60000 or more. This is because the CUDA # pattern matcher buffers and scans as many packets as possible in parallel. -#max-pending-packets: 1024 +max-pending-packets: 5000 # Runmode the engine should use. Please check --list-runmodes to get the available # runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned From 3684cdf1c6e07011daee9e84c2e1d469d1728922 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 27 May 2020 17:00:09 +0000 Subject: [PATCH 16/31] Update FB and LS --- salt/filebeat/init.sls | 2 +- salt/logstash/init.sls | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 409594b2d..e5dc78d33 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -57,7 +57,7 @@ so-filebeat: - /opt/so/conf/filebeat/etc/filebeat.yml:/usr/share/filebeat/filebeat.yml:ro - /nsm/zeek:/nsm/zeek:ro - /nsm/strelka/log:/nsm/strelka/log:ro - - /opt/so/log/suricata:/suricata:ro + - /nsm/suricata:/suricata:ro - /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro - /opt/so/wazuh/logs/archives:/wazuh/archives:ro - /nsm/osquery/fleet/:/nsm/osquery/fleet:ro 
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index ba0e015f4..1118b6807 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -198,7 +198,7 @@ so-logstash: - /etc/pki/ca.crt:/usr/share/filebeat/ca.crt:ro {%- if grains['role'] == 'so-eval' %} - /nsm/zeek:/nsm/zeek:ro - - /opt/so/log/suricata:/suricata:ro + - /nsm/suricata:/suricata:ro - /opt/so/wazuh/logs/alerts:/wazuh/alerts:ro - /opt/so/wazuh/logs/archives:/wazuh/archives:ro - /opt/so/log/fleet/:/osquery/logs:ro From d56bc4c167937b850a3871c1dc79aee83fffd579 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 27 May 2020 17:01:05 +0000 Subject: [PATCH 17/31] fix path --- salt/suricata/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 547eee863..0f3d49bc3 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -125,7 +125,7 @@ so-suricata: - /opt/so/conf/suricata/threshold.conf:/etc/suricata/threshold.conf:ro - /opt/so/conf/suricata/rules:/etc/suricata/rules:ro - /opt/so/log/suricata/:/var/log/suricata/:rw - - /nsm/suricata/:/nsm/suricata/:rw + - /nsm/suricata/:/nsm/:rw - /opt/so/conf/suricata/bpf:/etc/suricata/bpf:ro - network_mode: host - watch: From b26f6826dd6a7c56fab1d9dc8a6a11a05d309a31 Mon Sep 17 00:00:00 2001 
From: Wes Lambert Date: Wed, 27 May 2020 17:17:55 +0000 Subject: [PATCH 18/31] Rename Hive to TheHive in several places --- salt/hive/thehive/scripts/hive_init | 64 ------------------- salt/{hive => }/thehive/etc/application.conf | 2 +- .../thehive/etc/cortex-application.conf | 2 +- .../thehive/etc/es/elasticsearch.yml | 2 +- .../thehive/etc/es/log4j2.properties | 0 salt/{hive => thehive}/init.sls | 40 ++++++------ salt/{hive => }/thehive/scripts/cortex_init | 0 salt/thehive/scripts/hive_init | 64 +++++++++++++++++++ 8 files changed, 87 insertions(+), 87 deletions(-) delete mode 100755 salt/hive/thehive/scripts/hive_init rename salt/{hive => }/thehive/etc/application.conf (99%) rename salt/{hive => }/thehive/etc/cortex-application.conf (99%) rename salt/{hive => }/thehive/etc/es/elasticsearch.yml (95%) rename salt/{hive => }/thehive/etc/es/log4j2.properties (100%) rename salt/{hive => thehive}/init.sls (70%) rename salt/{hive => }/thehive/scripts/cortex_init (100%) create mode 100755 salt/thehive/scripts/hive_init diff --git a/salt/hive/thehive/scripts/hive_init b/salt/hive/thehive/scripts/hive_init deleted file mode 100755 index b1ef62d68..000000000 --- a/salt/hive/thehive/scripts/hive_init +++ /dev/null 
@@ -1,64 +0,0 @@ -#!/bin/bash -{% set MASTERIP = salt['pillar.get']('static:masterip', '') %} -{%- set HIVEUSER = salt['pillar.get']('static:hiveuser', '') %} -{%- set HIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %} -{%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %} - -hive_init(){ - sleep 120 - HIVE_IP="{{MASTERIP}}" - HIVE_USER="{{HIVEUSER}}" - HIVE_PASSWORD="{{HIVEPASSWORD}}" - HIVE_KEY="{{HIVEKEY}}" - SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf" - - echo -n "Waiting for TheHive..." - COUNT=0 - HIVE_CONNECTED="no" - while [[ "$COUNT" -le 240 ]]; do - curl --output /dev/null --silent --head --fail -k "https://$HIVE_IP/thehive" - if [ $? -eq 0 ]; then - HIVE_CONNECTED="yes" - echo "connected!" - break - else - ((COUNT+=1)) - sleep 1 - echo -n "." - fi - done - - if [ "$HIVE_CONNECTED" == "yes" ]; then - - # Migrate DB - curl -v -k -XPOST "https://$HIVE_IP:/thehive/api/maintenance/migrate" - - # Create intial TheHive user - curl -v -k "https://$HIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$HIVE_USER\",\"name\" : \"$HIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$HIVE_PASSWORD\", \"key\": \"$HIVE_KEY\"}" - - # Pre-load custom fields - # - # reputation - curl -v -k "https://$HIVE_IP/thehive/api/list/custom_fields" -H "Authorization: Bearer $HIVE_KEY" -H "Content-Type: application/json" -d "{\"value\":{\"name\": \"reputation\", \"reference\": \"reputation\", \"description\": \"This field provides an overall reputation status for an address/domain.\", \"type\": \"string\", \"options\": []}}" - - - touch /opt/so/state/thehive.txt - else - echo "We experienced an issue connecting to TheHive!" - fi -} - -if [ -f /opt/so/state/thehive.txt ]; then - exit 0 -else - rm -f garbage_file - while ! wget -O garbage_file {{MASTERIP}}:9400 2>/dev/null - do - echo "Waiting for Elasticsearch..." 
- rm -f garbage_file - sleep 1 - done - rm -f garbage_file - sleep 5 - hive_init -fi diff --git a/salt/hive/thehive/etc/application.conf b/salt/thehive/etc/application.conf similarity index 99% rename from salt/hive/thehive/etc/application.conf rename to salt/thehive/etc/application.conf index 230d87d67..8630cb386 100644 --- a/salt/hive/thehive/etc/application.conf +++ b/salt/thehive/etc/application.conf @@ -12,7 +12,7 @@ search { # Name of the index index = the_hive # Name of the Elasticsearch cluster - cluster = hive + cluster = thehive # Address of the Elasticsearch instance host = ["{{ MASTERIP }}:9500"] #search.uri = "http://{{ MASTERIP }}:9500" diff --git a/salt/hive/thehive/etc/cortex-application.conf b/salt/thehive/etc/cortex-application.conf similarity index 99% rename from salt/hive/thehive/etc/cortex-application.conf rename to salt/thehive/etc/cortex-application.conf index 356bfd7b3..1a887cdb3 100644 --- a/salt/hive/thehive/etc/cortex-application.conf +++ b/salt/thehive/etc/cortex-application.conf @@ -12,7 +12,7 @@ search { # Name of the index index = cortex # Name of the Elasticsearch cluster - cluster = hive + cluster = thehive # Address of the Elasticsearch instance host = ["{{ MASTERIP }}:9500"] # Scroll keepalive diff --git a/salt/hive/thehive/etc/es/elasticsearch.yml b/salt/thehive/etc/es/elasticsearch.yml similarity index 95% rename from salt/hive/thehive/etc/es/elasticsearch.yml rename to salt/thehive/etc/es/elasticsearch.yml index d00c01d5d..7f268a671 100644 --- a/salt/hive/thehive/etc/es/elasticsearch.yml +++ b/salt/thehive/etc/es/elasticsearch.yml @@ -1,4 +1,4 @@ -cluster.name: "hive" +cluster.name: "thehive" network.host: 0.0.0.0 discovery.zen.minimum_master_nodes: 1 # This is a test -- if this is here, then the volume is mounted correctly. 
diff --git a/salt/hive/thehive/etc/es/log4j2.properties b/salt/thehive/etc/es/log4j2.properties similarity index 100% rename from salt/hive/thehive/etc/es/log4j2.properties rename to salt/thehive/etc/es/log4j2.properties diff --git a/salt/hive/init.sls b/salt/thehive/init.sls similarity index 70% rename from salt/hive/init.sls rename to salt/thehive/init.sls index 2be2f7480..732fe4a77 100644 --- a/salt/hive/init.sls +++ b/salt/thehive/init.sls @@ -1,24 +1,24 @@ {% set MASTERIP = salt['pillar.get']('master:mainip', '') %} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} {% set MASTER = salt['grains.get']('master') %} -hiveconfdir: +thehiveconfdir: file.directory: - - name: /opt/so/conf/hive/etc + - name: /opt/so/conf/thehive/etc - makedirs: True - user: 939 - group: 939 -hivelogdir: +thehivelogdir: file.directory: - - name: /opt/so/log/hive + - name: /opt/so/log/thehive - makedirs: True - user: 939 - group: 939 -hiveconf: +thehiveconf: file.recurse: - - name: /opt/so/conf/hive/etc - - source: salt://hive/thehive/etc + - name: /opt/so/conf/thehive/etc + - source: salt://thehive/etc - user: 939 - group: 939 - template: jinja @@ -40,7 +40,7 @@ cortexlogdir: cortexconf: file.recurse: - name: /opt/so/conf/cortex - - source: salt://hive/thehive/etc + - source: salt://thehive/etc - user: 939 - group: 939 - template: jinja @@ -48,9 +48,9 @@ cortexconf: # Install Elasticsearch # Made directory for ES data to live in -hiveesdata: +thehiveesdata: file.directory: - - name: /nsm/hive/esdata + - name: /nsm/thehive/esdata - makedirs: True - user: 939 - group: 939 
@@ -64,16 +64,16 @@ so-thehive-es: - interactive: True - tty: True - binds: - - /nsm/hive/esdata:/usr/share/elasticsearch/data:rw - - /opt/so/conf/hive/etc/es/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro - - /opt/so/conf/hive/etc/es/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro - - /opt/so/log/hive:/var/log/elasticsearch:rw + - /nsm/thehive/esdata:/usr/share/elasticsearch/data:rw + - /opt/so/conf/thehive/etc/es/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro + - /opt/so/conf/thehive/etc/es/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro + - /opt/so/log/thehive:/var/log/elasticsearch:rw - environment: - http.host=0.0.0.0 - http.port=9400 - transport.tcp.port=9500 - transport.host=0.0.0.0 - - cluster.name=hive + - cluster.name=thehive - thread_pool.index.queue_size=100000 - thread_pool.search.queue_size=100000 - thread_pool.bulk.queue_size=100000 @@ -90,13 +90,13 @@ so-cortex: - name: so-cortex - user: 939 - binds: - - /opt/so/conf/hive/etc/cortex-application.conf:/opt/cortex/conf/application.conf:ro + - /opt/so/conf/thehive/etc/cortex-application.conf:/opt/cortex/conf/application.conf:ro - port_bindings: - 0.0.0.0:9001:9001 cortexscript: cmd.script: - - source: salt://hive/thehive/scripts/cortex_init + - source: salt://thehive/scripts/cortex_init - cwd: /opt/so - template: jinja @@ -109,12 +109,12 @@ so-thehive: - name: so-thehive - user: 939 - binds: - - /opt/so/conf/hive/etc/application.conf:/opt/thehive/conf/application.conf:ro + - /opt/so/conf/thehive/etc/application.conf:/opt/thehive/conf/application.conf:ro - port_bindings: - 0.0.0.0:9000:9000 -hivescript: +thehivescript: cmd.script: - - source: salt://hive/thehive/scripts/hive_init + - source: salt://thehive/scripts/hive_init - cwd: /opt/so - template: jinja 
diff --git a/salt/hive/thehive/scripts/cortex_init b/salt/thehive/scripts/cortex_init similarity index 100% rename from salt/hive/thehive/scripts/cortex_init rename to salt/thehive/scripts/cortex_init diff --git a/salt/thehive/scripts/hive_init b/salt/thehive/scripts/hive_init new file mode 100755 index 000000000..296004e77 --- /dev/null +++ b/salt/thehive/scripts/hive_init 
@@ -0,0 +1,64 @@ +#!/bin/bash +{% set MASTERIP = salt['pillar.get']('static:masterip', '') %} +{%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', '') %} +{%- set THEHIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %} +{%- set THEHIVEKEY = salt['pillar.get']('static:hivekey', '') %} + +thehive_init(){ + sleep 120 + THEHIVE_IP="{{MASTERIP}}" + THEHIVE_USER="{{THEHIVEUSER}}" + THEHIVE_PASSWORD="{{THEHIVEPASSWORD}}" + THEHIVE_KEY="{{THEHIVEKEY}}" + SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf" + + echo -n "Waiting for TheHive..." + COUNT=0 + THEHIVE_CONNECTED="no" + while [[ "$COUNT" -le 240 ]]; do + curl --output /dev/null --silent --head --fail -k "https://$THEHIVE_IP/thehive" + if [ $? -eq 0 ]; then + THEHIVE_CONNECTED="yes" + echo "connected!" + break + else + ((COUNT+=1)) + sleep 1 + echo -n "." + fi + done + + if [ "$THEHIVE_CONNECTED" == "yes" ]; then + + # Migrate DB + curl -v -k -XPOST "https://$THEHIVE_IP:/thehive/api/maintenance/migrate" + + # Create intial TheHive user + curl -v -k "https://$THEHIVE_IP/thehive/api/user" -H "Content-Type: application/json" -d "{\"login\" : \"$THEHIVE_USER\",\"name\" : \"$THEHIVE_USER\",\"roles\" : [\"read\",\"alert\",\"write\",\"admin\"],\"preferences\" : \"{}\",\"password\" : \"$THEHIVE_PASSWORD\", \"key\": \"$THEHIVE_KEY\"}" + + # Pre-load custom fields + # + # reputation + curl -v -k "https://$THEHIVE_IP/thehive/api/list/custom_fields" -H "Authorization: Bearer $THEHIVE_KEY" -H "Content-Type: application/json" -d "{\"value\":{\"name\": \"reputation\", \"reference\": \"reputation\", \"description\": \"This field provides an overall reputation status for an address/domain.\", \"type\": \"string\", \"options\": []}}" + + + touch /opt/so/state/thehive.txt + else + echo "We experienced an issue connecting to TheHive!" + fi +} + +if [ -f /opt/so/state/thehive.txt ]; then + exit 0 +else + rm -f garbage_file + while ! 
wget -O garbage_file {{MASTERIP}}:9400 2>/dev/null + do + echo "Waiting for Elasticsearch..." + rm -f garbage_file + sleep 1 + done + rm -f garbage_file + sleep 5 + thehive_init +fi From 1952246c85d2cf85dd444d39ff6e7fca1d822ed5 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 27 May 2020 13:23:37 -0400 Subject: [PATCH 19/31] [feat] Add flag to run so-allow automatically post-setup --- setup/automation/pm_standalone_defaults | 1 + setup/so-functions | 3 +++ setup/so-setup | 1 + 3 files changed, 5 insertions(+) diff --git a/setup/automation/pm_standalone_defaults b/setup/automation/pm_standalone_defaults index b5a6258ff..166d4a5d7 100644 --- a/setup/automation/pm_standalone_defaults +++ b/setup/automation/pm_standalone_defaults @@ -34,6 +34,7 @@ HNMASTER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit HOSTNAME=standalone install_type=STANDALONE +IP=192.168.0.0/16 # LSINPUTBATCHCOUNT= # LSINPUTTHREADS= # LSPIPELINEBATCH= diff --git a/setup/so-functions b/setup/so-functions index f6abdb047..bedb9e204 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -997,6 +997,9 @@ parse_options() { export {https,ftp,rsync,all}_proxy="$http_proxy" ;; + "--allow-analyst"|"--allow=a") + allow='a' + ;; *) if [[ $1 = --* ]]; then echo "Invalid option" diff --git a/setup/so-setup b/setup/so-setup index 9ddb35a0a..2e8d9b85b 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -540,6 +540,7 @@ fi success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}') if [[ "$success" = 0 ]]; then whiptail_setup_complete + if [[ -n $allow ]]; then so-allow -$allow; fi if [[ $THEHIVE == 1 ]]; then check_hive_init_then_reboot else From b80eb5f73b0cb350c7a1f2f2b0adff04bde9323d Mon Sep 17 00:00:00 2001 
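Review bot: The curl calls in thehive_init run with `-v`, which echoes request headers — including `Authorization: Bearer $THEHIVE_KEY` on the custom-fields call — to stderr and therefore into the Salt job log, and the user-creation body carries `$THEHIVE_PASSWORD` and `$THEHIVE_KEY` on the command line where any local user can read them via `ps` while the request runs. Dropping `-v` and feeding the JSON via `--data @-` from a heredoc keeps both secrets out of the log and the process list; the rewritten calls are below. `touch /opt/so/state/thehive.txt` also runs regardless of whether the user-creation POST succeeded, so a failed request is never retried on the next run — checking curl's `--fail` status first makes the marker mean what it says. The migrate URL `https://$THEHIVE_IP:/thehive/api/maintenance/migrate` appears to carry a stray `:` before the path; curl tolerates an empty port, but it should go. `-k` disables certificate verification for every call to the master; if the master's CA is present on the minion (the filebeat state mounts `/etc/ssl/certs/intca.crt`), `--cacert` is preferable.
```shell
# … unchanged: wait loop …

# Migrate DB. No -v here: verbose mode prints request headers into the Salt log.
curl -s -k --fail -XPOST "https://$THEHIVE_IP/thehive/api/maintenance/migrate"

# Create the initial TheHive user. The body is read from a heredoc on stdin so
# the password and API key never appear in the process list.
curl -s -k --fail "https://$THEHIVE_IP/thehive/api/user" \
  -H "Content-Type: application/json" --data @- <<EOF
{"login": "$THEHIVE_USER", "name": "$THEHIVE_USER", "roles": ["read","alert","write","admin"], "preferences": "{}", "password": "$THEHIVE_PASSWORD", "key": "$THEHIVE_KEY"}
EOF
rc=$?
if [ "$rc" -ne 0 ]; then
  echo "TheHive user creation failed (curl exit $rc); not marking init complete"
  return 1
fi

# … unchanged: custom field pre-load (drop -v there as well) …
touch /opt/so/state/thehive.txt
```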
From: Wes Lambert Date: Wed, 27 May 2020 17:43:17 +0000 Subject: [PATCH 20/31] Add Hive/ES/Cortex scripts --- salt/common/tools/sbin/so-cortex-restart | 5 +++-- salt/common/tools/sbin/so-cortex-start | 2 +- salt/common/tools/sbin/so-cortex-stop | 2 +- salt/common/tools/sbin/so-thehive-es-restart | 21 ++++++++++++++++++++ salt/common/tools/sbin/so-thehive-es-start | 20 +++++++++++++++++++ salt/common/tools/sbin/so-thehive-es-stop | 20 +++++++++++++++++++ salt/common/tools/sbin/so-thehive-restart | 2 +- salt/common/tools/sbin/so-thehive-stop | 2 +- 8 files changed, 68 insertions(+), 6 deletions(-) create mode 100755 salt/common/tools/sbin/so-thehive-es-restart create mode 100755 salt/common/tools/sbin/so-thehive-es-start create mode 100755 salt/common/tools/sbin/so-thehive-es-stop diff --git a/salt/common/tools/sbin/so-cortex-restart b/salt/common/tools/sbin/so-cortex-restart index ef0e3e4fe..841ca1bb6 100755 --- a/salt/common/tools/sbin/so-cortex-restart +++ b/salt/common/tools/sbin/so-cortex-restart @@ -1,5 +1,5 @@ #!/bin/bash - +# # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC # # This program is free software: you can redistribute it and/or modify @@ -17,4 +17,5 @@ . /usr/sbin/so-common -/usr/sbin/so-restart cortex $1 +/usr/sbin/so-stop cortex $1 +/usr/sbin/so-start thehive $1 diff --git a/salt/common/tools/sbin/so-cortex-start b/salt/common/tools/sbin/so-cortex-start index a08969cab..92fe88bb5 100755 --- a/salt/common/tools/sbin/so-cortex-start +++ b/salt/common/tools/sbin/so-cortex-start @@ -17,4 +17,4 @@ . /usr/sbin/so-common -/usr/sbin/so-start cortex $1 +/usr/sbin/so-start thehive $1 diff --git a/salt/common/tools/sbin/so-cortex-stop b/salt/common/tools/sbin/so-cortex-stop index a13d1e2e3..727b2c7fa 100755 --- a/salt/common/tools/sbin/so-cortex-stop +++ b/salt/common/tools/sbin/so-cortex-stop 
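Review bot: `so-cortex-start` now runs `/usr/sbin/so-start thehive $1` instead of starting cortex, and `so-cortex-restart` pairs `so-stop cortex` with `so-start thehive`, so a stop and a start go through different targets. If that is deliberate because the `thehive` state (which also defines `so-cortex` and `so-thehive-es` per the init.sls earlier in this series) is what brings Cortex up, a comment above the call such as `# Cortex is managed by the thehive state; starting that state starts all three containers` would stop the next reader from treating it as a copy-paste error; if not, the target should be `cortex`. `$1` is unquoted in each call; `"$1"` keeps an empty or space-containing argument intact.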
@@ -1,5 +1,5 @@ #!/bin/bash - +# # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC # # This program is free software: you can redistribute it and/or modify diff --git a/salt/common/tools/sbin/so-thehive-es-restart b/salt/common/tools/sbin/so-thehive-es-restart new file mode 100755 index 000000000..d58caecdc --- /dev/null +++ b/salt/common/tools/sbin/so-thehive-es-restart @@ -0,0 +1,21 @@ +#!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-stop thehive-es $1 +/usr/sbin/so-start thehive $1 diff --git a/salt/common/tools/sbin/so-thehive-es-start b/salt/common/tools/sbin/so-thehive-es-start new file mode 100755 index 000000000..92fe88bb5 --- /dev/null +++ b/salt/common/tools/sbin/so-thehive-es-start 
@@ -0,0 +1,20 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-start thehive $1 diff --git a/salt/common/tools/sbin/so-thehive-es-stop b/salt/common/tools/sbin/so-thehive-es-stop new file mode 100755 index 000000000..cf9cc2310 --- /dev/null +++ b/salt/common/tools/sbin/so-thehive-es-stop @@ -0,0 +1,20 @@ +#!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +/usr/sbin/so-stop thehive-es $1 diff --git a/salt/common/tools/sbin/so-thehive-restart b/salt/common/tools/sbin/so-thehive-restart index 08cd8318e..4b28c0030 100755 --- a/salt/common/tools/sbin/so-thehive-restart 
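Review bot: `so-thehive-es-start` is byte-identical to the new `so-cortex-start` (both carry blob `92fe88bb5`) and starts `thehive`, while its sibling `so-thehive-es-stop` stops `thehive-es`, so stop and start do not address the same unit. Either document that `so-start thehive` is the intended way to bring the ES container back (a comment like `# thehive-es is started through the thehive state` above the call) or change the target to `thehive-es` to mirror the stop script. This file also has a blank line where the other scripts in this patch put the leading `#` of the copyright header.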
+++ b/salt/common/tools/sbin/so-thehive-restart @@ -1,5 +1,5 @@ #!/bin/bash - +# # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC # # This program is free software: you can redistribute it and/or modify diff --git a/salt/common/tools/sbin/so-thehive-stop b/salt/common/tools/sbin/so-thehive-stop index b326f699c..6c56e0473 100755 --- a/salt/common/tools/sbin/so-thehive-stop +++ b/salt/common/tools/sbin/so-thehive-stop @@ -1,5 +1,5 @@ #!/bin/bash - +# # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC # # This program is free software: you can redistribute it and/or modify From 769f5674ebd86231316d6aca5090e05df2a18b65 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 27 May 2020 14:08:27 -0400 Subject: [PATCH 21/31] [fix] Always call set_default_log_size --- setup/so-common-functions | 28 ---------------------------- setup/so-functions | 27 +++++++++++++++++++++++++++ setup/so-setup | 7 ++++++- setup/so-whiptail | 1 - 4 files changed, 33 insertions(+), 30 deletions(-) diff --git a/setup/so-common-functions b/setup/so-common-functions index 15cb3e686..fc380f85b 100644 --- a/setup/so-common-functions +++ b/setup/so-common-functions @@ -38,31 +38,3 @@ calculate_useable_cores() { if [ "$lb_procs_round" -lt 1 ]; then lb_procs=1; else lb_procs=$lb_procs_round; fi export lb_procs } - -set_defaul_log_size() { - local percentage - - case $INSTALLTYPE in - EVAL | HEAVYNODE) - percentage=50 - ;; - *) - percentage=80 - ;; - esac - - local disk_dir="/" - if [ -d /nsm ]; then - disk_dir="/nsm" - fi - local disk_size_1k - disk_size_1k=$(df $disk_dir | grep -v "^Filesystem" | awk '{print $2}') - - local ratio="1048576" - - local disk_size_gb - disk_size_gb=$( echo "$disk_size_1k" "$ratio" | awk '{print($1/$2)}' ) - - log_size_limit=$( echo "$disk_size_gb" "$percentage" | awk '{printf("%.0f", $1 * ($2/100))}') - export log_size_limit -} diff --git a/setup/so-functions b/setup/so-functions index bedb9e204..61bb256ce 100755 
--- a/setup/so-functions +++ b/setup/so-functions @@ -1336,6 +1336,33 @@ sensor_pillar() { cat "$pillar_file" >> "$setup_log" 2>&1 } +set_default_log_size() { + local percentage + + case $INSTALLTYPE in + EVAL | HEAVYNODE) + percentage=50 + ;; + *) + percentage=80 + ;; + esac + + local disk_dir="/" + if [ -d /nsm ]; then + disk_dir="/nsm" + fi + local disk_size_1k + disk_size_1k=$(df $disk_dir | grep -v "^Filesystem" | awk '{print $2}') + + local ratio="1048576" + + local disk_size_gb + disk_size_gb=$( echo "$disk_size_1k" "$ratio" | awk '{print($1/$2)}' ) + + log_size_limit=$( echo "$disk_size_gb" "$percentage" | awk '{printf("%.0f", $1 * ($2/100))}') +} + set_hostname() { set_hostname_iso diff --git a/setup/so-setup b/setup/so-setup index 2e8d9b85b..f3972b299 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -177,17 +177,21 @@ echo "MINION_ID = $MINION_ID" >> $setup_log 2>&1 minion_type=$(get_minion_type) -# Set any constants needed +# Set any variables needed +set_default_log_size >> $setup_log 2>&1 + if [[ $is_helix ]]; then RULESETUP=ETOPEN NSMSETUP=BASIC HNSENSOR=inherit MASTERUPDATES=0 fi + if [[ $is_helix || ( $is_master && $is_node ) ]]; then RULESETUP=ETOPEN NSMSETUP=BASIC fi + if [[ $is_master && $is_node ]]; then LSPIPELINEWORKERS=1 LSPIPELINEBATCH=125 @@ -196,6 +200,7 @@ if [[ $is_master && $is_node ]]; then NIDS=Suricata BROVERSION=ZEEK fi + if [[ $is_node ]]; then CURCLOSEDAYS=30 fi diff --git a/setup/so-whiptail b/setup/so-whiptail index 31a0c05ec..9ba4ebc20 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -413,7 +413,6 @@ whiptail_log_size_limit() { [ -n "$TESTING" ] && return - set_defaul_log_size log_size_limit=$(whiptail --title "Security Onion Setup" --inputbox \ "Please specify the amount of disk space (in GB) you would like to allocate for Elasticsearch data storage. \ From 6a935b5452f6fdb8652407f576ee9d59294af9bc Mon Sep 17 00:00:00 2001 
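Review bot: The moved `set_default_log_size` drops the `export log_size_limit` that the deleted `set_defaul_log_size` in so-common-functions ended with, so `log_size_limit` is now only a shell variable of so-setup; if anything started as a child process (salt calls, so-allow) read it from the environment, this is a silent regression — re-add `export log_size_limit` after the assignment unless a later pillar write is the only consumer. `df $disk_dir | grep -v "^Filesystem" | awk '{print $2}'` also misreads the size when df wraps a long device name onto a second line; `df -P -- "$disk_dir" | awk 'NR==2 {print $2}'` is the portable form. A short header comment stating that the result is in GB and is the default Elasticsearch storage allocation (50% of the disk for EVAL/HEAVYNODE, 80% otherwise) would help now that the function lives far from its whiptail caller.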
From: weslambert Date: Wed, 27 May 2020 15:43:41 -0400 Subject: [PATCH 22/31] Hive to TheHive --- salt/top.sls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/top.sls b/salt/top.sls index 95acae1fd..4d60b01c0 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -100,7 +100,7 @@ base: - schedule - soctopus {%- if THEHIVE != 0 %} - - hive + - thehive {%- endif %} {%- if PLAYBOOK != 0 %} - playbook @@ -149,7 +149,7 @@ base: {%- endif %} - soctopus {%- if THEHIVE != 0 %} - - hive + - thehive {%- endif %} {%- if PLAYBOOK != 0 %} - playbook @@ -203,7 +203,7 @@ base: - schedule - soctopus {%- if THEHIVE != 0 %} - - hive + - thehive {%- endif %} {%- if PLAYBOOK != 0 %} - playbook @@ -318,7 +318,7 @@ base: {%- endif %} - soctopus {%- if THEHIVE != 0 %} - - hive + - thehive {%- endif %} {%- if PLAYBOOK != 0 %} - playbook From 3712eb0acb4e3cd786a09a18ff59f9166225860c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 27 May 2020 15:49:41 -0400 Subject: [PATCH 23/31] [fix] Redirect so-allow output to log --- setup/so-functions | 2 +- setup/so-setup | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 61bb256ce..b86665a1f 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -998,7 +998,7 @@ parse_options() { export {https,ftp,rsync,all}_proxy="$http_proxy" ;; "--allow-analyst"|"--allow=a") - allow='a' + export allow='a' ;; *) if [[ $1 = --* ]]; then diff --git a/setup/so-setup b/setup/so-setup index f3972b299..0d1123d10 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -545,7 +545,9 @@ fi success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}') if [[ "$success" = 0 ]]; then whiptail_setup_complete - if [[ -n $allow ]]; then so-allow -$allow; fi + if [[ -n $allow ]]; then + so-allow -$allow >> $setup_log 2>&1 + fi if [[ $THEHIVE == 1 ]]; then check_hive_init_then_reboot else From 1e5d5397a409c9bcd114c7dcec49c055c4ecb2e8 Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Wed, 27 May 2020 19:42:48 -0400 Subject: [PATCH 24/31] Support multiple command line options for setup, along with dynamic values per option --- setup/so-functions | 53 ---------------------------------------------- setup/so-setup | 29 +++++++++++++++++-------- 2 files changed, 20 insertions(+), 62 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index b86665a1f..6707e6841 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -954,59 +954,6 @@ node_pillar() { cat "$pillar_file" >> "$setup_log" 2>&1 } -parse_options() { - case "$1" in - --turbo=*) - local proxy - proxy=$(echo "$1" | tr -d '"' | awk -F'--turbo=' '{print $2}') - proxy_url="http://$proxy" - TURBO="$proxy_url" - ;; - --proxy=*) - local proxy - proxy=$(echo "$1" | tr -d '"' | awk -F'--proxy=' '{print $2}') - - local proxy_protocol - proxy_protocol=$(echo "$proxy" | awk 'match($0, /http|https/) { print substr($0, RSTART, RLENGTH) }') - - if [[ ! $proxy_protocol =~ ^(http|https)$ ]]; then - echo "Invalid proxy protocol" - echo "Ignoring proxy" - return - fi - - if [[ $2 == --proxy-user=* && $3 == --proxy-pass=* ]]; then - local proxy_user - local proxy_password - proxy_user=$(echo "$2" | tr -d '"' | awk -F'--proxy-user=' '{print $2}') - proxy_password=$(echo "$3" | tr -d '"' | awk -F'--proxy-pass=' '{print $2}') - - local proxy_addr - proxy_addr=$(echo "$proxy" | awk -F'http\:\/\/|https\:\/\/' '{print $2}') - - export http_proxy="${proxy_protocol}://${proxy_user}:${proxy_password}@${proxy_addr}" - - elif [[ (-z $2 || -z $3) && (-n $2 || -n $3) || ( -n $2 && -n $3 && ($2 != --proxy-user=* || $3 != --proxy-pass=*) ) ]]; then - echo "Invalid options passed for proxy. Order is --proxy-user= --proxy-pass=" - echo "Ignoring proxy" - return - - else - export http_proxy="$proxy" - fi - - export {https,ftp,rsync,all}_proxy="$http_proxy" - ;; - "--allow-analyst"|"--allow=a") - export allow='a' - ;; - *) - if [[ $1 = --* ]]; then - echo "Invalid option" - fi - esac -} - patch_pillar() { local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls diff --git a/setup/so-setup b/setup/so-setup index 0d1123d10..6b002a157 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -21,15 +21,31 @@ source ./so-common-functions source ./so-whiptail source ./so-variables +# Parse command line arguments setup_type=$1 -export setup_type - automation=$2 -automated=no +while [[ $# -gt 0 ]]; do + arg="$1" + shift + case "$arg" in + "--turbo="* ) + export TURBO="http://${arg#*=}";; + "--proxy="* ) + export {http,https,ftp,rsync,all}_proxy="${arg#*=}";; + "--allow="* ) + export allow="${arg#*=}";; + * ) + if [[ "$arg" == "--"* ]]; then + echo "Invalid option" + fi + esac +done +# Begin Installation pre-processing echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 +automated=no function progress() { if [ $automated == no ]; then whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 @@ -43,7 +59,7 @@ if [[ -f automation/$automation && $(basename $automation) == $automation ]]; th source automation/$automation automated=yes - echo "Checking network configuration" >> $setup_log 2>&1g + echo "Checking network configuration" >> $setup_log 2>&1 ip a >> $setup_log 2>&1 attempt=1 @@ -78,11 +94,6 @@ export PATH=$PATH:../salt/common/tools/sbin got_root -if [[ $# -gt 1 ]]; then - set -- "${@:2}" - parse_options "$@" >> $setup_log 2>&1 -fi - detect_os if [ "$OS" == ubuntu ]; then From a75301cd0e654c3a7cc97e1e2116d1451335c65e Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 27 May 2020 22:00:58 -0400 Subject: [PATCH 25/31] Ensure IP is available to child process executing so-allow --- setup/automation/pm_standalone_defaults | 3 ++- setup/so-setup | 11 +++++++---- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/setup/automation/pm_standalone_defaults b/setup/automation/pm_standalone_defaults index 166d4a5d7..b47f5bf2d 100644 --- a/setup/automation/pm_standalone_defaults +++ b/setup/automation/pm_standalone_defaults @@ -21,6 +21,8 @@ address_type=DHCP ADMINUSER=onionuser ADMINPASS1=onionuser ADMINPASS2=onionuser +ALLOW_CIDR=192.168.0.0/16 +ALLOW_ROLE=a BASICBRO=7 BASICSURI=7 # BLOGS= 
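Review bot: The new inline parser in so-setup accepts `--proxy=` without the `http`/`https` check that the removed `parse_options` performed, and exports the string — which may embed `user:password@` — straight from argv, so proxy credentials sit in the process list and in the shell history of whoever launched setup. At minimum keep the validation, e.g. `[[ "${arg#*=}" =~ ^https?:// ]] || { echo "Invalid proxy URL, ignoring" >> $setup_log; continue; }`, and note in the usage text that credentials passed on the command line are visible to other local users. `--allow=` is likewise no longer limited to `a`, and `so-allow -$allow` later in so-setup expands it unquoted, so any value reaches so-allow as flags; validate against the roles so-allow accepts or at least quote it as `so-allow "-$allow"`. `export setup_type` was dropped in the same hunk; if a sourced automation file or child script read it from the environment, that is a regression worth checking.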
@@ -34,7 +36,6 @@ HNMASTER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNSENSOR=inherit HOSTNAME=standalone install_type=STANDALONE -IP=192.168.0.0/16 # LSINPUTBATCHCOUNT= # LSINPUTTHREADS= # LSPIPELINEBATCH= diff --git a/setup/so-setup b/setup/so-setup index 6b002a157..0d0022feb 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -33,8 +33,10 @@ while [[ $# -gt 0 ]]; do export TURBO="http://${arg#*=}";; "--proxy="* ) export {http,https,ftp,rsync,all}_proxy="${arg#*=}";; - "--allow="* ) - export allow="${arg#*=}";; + "--allow-role="* ) + export ALLOW_ROLE="${arg#*=}";; + "--allow-cidr="* ) + export ALLOW_CIDR="${arg#*=}";; * ) if [[ "$arg" == "--"* ]]; then echo "Invalid option" @@ -556,8 +558,9 @@ fi success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}') if [[ "$success" = 0 ]]; then whiptail_setup_complete - if [[ -n $allow ]]; then - so-allow -$allow >> $setup_log 2>&1 + if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then + export IP=$ALLOW_CIDR + so-allow -$ALLOW_ROLE >> $setup_log 2>&1 fi if [[ $THEHIVE == 1 ]]; then check_hive_init_then_reboot From 2a21d7403f28cfd378faa32e1f1ee4f8135d8af1 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 28 May 2020 00:47:46 -0400 Subject: [PATCH 26/31] Open firewall from all networks for automated testing --- setup/automation/pm_standalone_defaults | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/automation/pm_standalone_defaults b/setup/automation/pm_standalone_defaults index b47f5bf2d..74ba8323f 100644 --- a/setup/automation/pm_standalone_defaults +++ b/setup/automation/pm_standalone_defaults @@ -21,7 +21,7 @@ address_type=DHCP ADMINUSER=onionuser ADMINPASS1=onionuser ADMINPASS2=onionuser -ALLOW_CIDR=192.168.0.0/16 +ALLOW_CIDR=0.0.0.0/0 ALLOW_ROLE=a BASICBRO=7 BASICSURI=7 From 60cc3e96756c1ec3a76e16761c76ba471d1945a0 Mon Sep 17 00:00:00 2001 
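Review bot: `so-allow -$ALLOW_ROLE` passes a value taken verbatim from `--allow-role=` as a flag, unquoted and unvalidated, and `export IP=$ALLOW_CIDR` hands an equally unvalidated string to so-allow as the network to permit. Since the only role this series shows is `a`, a guard such as `[[ "$ALLOW_ROLE" =~ ^[a-z]$ ]] || echo "invalid --allow-role, skipping so-allow" >> $setup_log` plus quoting `"-$ALLOW_ROLE"` would keep a typo from becoming an unintended so-allow invocation; the exact role set has to be checked against so-allow, which is not in this diff. Passing the CIDR through the `IP` environment variable rather than an argument is non-obvious and deserves a comment, e.g. `# so-allow reads the network to permit from $IP`.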
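Review bot: `ALLOW_CIDR=0.0.0.0/0` in pm_standalone_defaults makes an automated install run `so-allow -a` for every source address, which presumably opens the analyst-facing ports to the whole internet if this profile is ever used outside the automated testing the commit message names. The file carries no warning that it is test-only; add one directly above the value, e.g. `# TEST ONLY: permits analyst access from every network. Never use this profile for a real deployment.`. A safer alternative is to leave the default at a private range and have the test harness pass `--allow-cidr=0.0.0.0/0` explicitly.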
From: Doug Burks Date: Thu, 28 May 2020 07:50:52 -0400 Subject: [PATCH 27/31] remove address from DHCP leases query --- salt/soc/files/soc/soc.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 76770e2bd..6a48d026a 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json @@ -99,7 +99,7 @@ { "name": "Connections", "description": "Connections grouped by destination country", "query": "event.module:zeek AND event.dataset:conn | groupby destination.geo.country_name"}, { "name": "Connections", "description": "Connections grouped by source country", "query": "event.module:zeek AND event.dataset:conn | groupby source.geo.country_name"}, { "name": "DCE_RPC", "description": "DCE_RPC grouped by operation", "query": "event.module:zeek AND event.dataset:dce_rpc | groupby dce_rpc.operation"}, - { "name": "DHCP", "description": "DHCP leases", "query": "event.module:zeek AND event.dataset:dhcp | groupby host.hostname host.domain dhcp.requested_address"}, + { "name": "DHCP", "description": "DHCP leases", "query": "event.module:zeek AND event.dataset:dhcp | groupby host.hostname host.domain"}, { "name": "DHCP", "description": "DHCP grouped by message type", "query": "event.module:zeek AND event.dataset:dhcp | groupby dhcp.message_types"}, { "name": "DNP3", "description": "DNP3 grouped by reply", "query": "event.module:zeek AND event.dataset:dnp3 | groupby dnp3.fc_reply"}, { "name": "DNS", "description": "DNS queries grouped by port ", "query": "event.module:zeek AND event.dataset:dns | groupby dns.query.name destination.port"}, From f3efafc9ca05bf7123130ad00ca3b37783c7fb8a Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 28 May 2020 08:01:33 -0400 Subject: [PATCH 28/31] combine two notice queries into one query with multiple groupby --- salt/soc/files/soc/soc.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json index 6a48d026a..e98ee7bf7 100644 --- a/salt/soc/files/soc/soc.json +++ b/salt/soc/files/soc/soc.json @@ -122,8 +122,7 @@ { "name": "KERBEROS", "description": "KERBEROS grouped by service", "query": "event.module:zeek AND event.dataset:kerberos | groupby kerberos.service"}, { "name": "MODBUS", "description": "MODBUS grouped by function", "query": "event.module:zeek AND event.dataset:modbus | groupby modbus.function"}, { "name": "MYSQL", "description": "MYSQL grouped by command", "query": "event.module:zeek AND event.dataset:mysql | groupby mysql.command"}, - { "name": "NOTICE", "description": "Zeek notice logs grouped by note", "query": "event.module:zeek AND event.dataset:notice | groupby notice.note"}, - { "name": "NOTICE", "description": "Zeek notice logs grouped by message", "query": "event.module:zeek AND event.dataset:notice | groupby notice.message"}, + { "name": "NOTICE", "description": "Zeek notice logs grouped by note and message", "query": "event.module:zeek AND event.dataset:notice | groupby notice.note notice.message"}, { "name": "NTLM", "description": "NTLM grouped by computer name", "query": "event.module:zeek AND event.dataset:ntlm | groupby ntlm.server.dns.name"}, { "name": "PE", "description": "PE files list", "query": "event.module:zeek AND event.dataset:pe | groupby file.machine file.os file.subsystem"}, { "name": "RADIUS", "description": "RADIUS grouped by username", "query": "event.module:zeek AND event.dataset:radius | groupby user.name.keyword"}, From b9bdca509ebd6085ec3208855afb14276a124599 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 28 May 2020 12:33:41 +0000 Subject: [PATCH 29/31] update Filebeat config for syslog --- salt/filebeat/etc/filebeat.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index 1c4bee013..be04effb0 100644 --- a/salt/filebeat/etc/filebeat.yml 
+++ b/salt/filebeat/etc/filebeat.yml @@ -75,6 +75,19 @@ filebeat.modules: filebeat.inputs: #------------------------------ Log prospector -------------------------------- {%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" or grains['role'] == "so-heavynode" or grains['role'] == "so-standalone" %} + - type: syslog + enabled: true + protocol.udp: + host: "0.0.0.0:514" + fields: + module: syslog + dataset: syslog + pipeline: "syslog" + index: "so-syslog-%{+yyyy.MM.dd}" + processors: + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + {%- if BROVER != 'SURICATA' %} {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %} - type: log From 5afc05feb2ef3c8ac2ba387c7de43fc2b0871ca8 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 28 May 2020 12:35:22 +0000 Subject: [PATCH 30/31] Update FB init for syslog --- salt/filebeat/init.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index e5dc78d33..8540faeb6 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -64,5 +64,7 @@ so-filebeat: - /opt/so/conf/filebeat/etc/pki/filebeat.crt:/usr/share/filebeat/filebeat.crt:ro - /opt/so/conf/filebeat/etc/pki/filebeat.key:/usr/share/filebeat/filebeat.key:ro - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro + - port_bindings: + - 0.0.0.0:514:514/udp - watch: - file: /opt/so/conf/filebeat/etc/filebeat.yml From d2b93d531e0df7a325fa9a8b04f653e9695f1855 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Thu, 28 May 2020 12:36:29 +0000 Subject: [PATCH 31/31] Basic syslog config --- salt/elasticsearch/files/ingest/syslog | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 salt/elasticsearch/files/ingest/syslog diff --git a/salt/elasticsearch/files/ingest/syslog b/salt/elasticsearch/files/ingest/syslog new file mode 100644 index 000000000..d34e79d4a --- /dev/null +++ b/salt/elasticsearch/files/ingest/syslog 
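Review bot: The new syslog input binds `0.0.0.0:514` over UDP, and the matching `port_bindings` entry in init.sls publishes it on every host interface, so any host that can reach the sensor can inject unauthenticated, trivially spoofed events into `so-syslog-*`; nothing in this change restricts the source. Unless the firewall state already limits 514/udp to a so-allow role, it should be gated there or bound to the management address, and a comment above the input should name the networks expected to send here, e.g. `# Unauthenticated UDP syslog; source networks are restricted by the firewall state, not here`. Filebeat's UDP input also accepts a `max_message_size`; setting it explicitly under `protocol.udp` avoids relying on the default for an internet-reachable listener.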
@@ -0,0 +1,13 @@
+{
+ "description" : "syslog",
+ "processors" : [
+ {
+ "dissect": {
+ "field": "message",
+ "pattern" : "%{message}",
+ "on_failure": [ { "drop" : { } } ]
+ }
+ },
+ { "pipeline": { "name": "common" } }
+ ]
+}
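Review bot: The `dissect` processor with pattern `%{message}` on field `message` copies the field onto itself, so its only observable effect is the `on_failure` branch — events with no `message` field are silently dropped rather than indexed and flagged as a parse failure. If this is a placeholder ahead of real syslog parsing, say so in the description, e.g. `"description" : "syslog (placeholder: no parsing yet, passes through to common)"`, so nobody reads it as a finished pipeline; if events without `message` should be kept, replace the `drop` with a `set` that tags the error. This file is strict JSON with no comment syntax, so the description field is the only place to record that.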