From 449e0d853ce36c2fb31fd3e35a8bc5cee0306f01 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 22 Mar 2021 15:52:51 -0400 Subject: [PATCH 01/45] Initial support for ntp service via chronyd --- setup/so-functions | 57 ++++++++++++++++++++++++++++++++++++++++++++-- setup/so-setup | 5 ++++ setup/so-variables | 3 +++ setup/so-whiptail | 18 +++++++++++++++ 4 files changed, 81 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 29a58e718..d5e8c0a6e 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -486,6 +486,17 @@ collect_node_ls_pipeline_worker_count() { done } +collect_ntp_servers() { + if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' ]]; then + if whiptail_ntp_ask; then + [[ $is_airgap ]] && ntp_servers="" + whiptail_ntp_servers "$ntp_servers" + else + ntp_servers="" + fi + fi +} + collect_oinkcode() { whiptail_oinkcode @@ -702,6 +713,38 @@ configure_minion() { } >> "$setup_log" 2>&1 } +configure_ntp() { + local chrony_conf=/etc/chrony.conf + + # Install chrony if it isn't already installed + if command -v chronyc &> /dev/null; then + if [ "$OS" == centos ]; then + yum -y install chrony + else + retry 50 10 "apt-get -y install chrony" || exit 1 + fi + fi + + [[ -f $chrony_conf ]] && rm -f $chrony_conf + + # Build list of servers + for addr in "${ntp_servers[@]}"; do + echo "server $addr iburst" >> $chrony_conf + done + + printf '%s\n' \ + 'driftfile /var/lib/chrony/drift' \ + 'makestep 1.0 3' \ + 'rtcsync' \ + 'logdir /var/log/chrony' >> $chrony_conf + + systemctl enable chronyd + systemctl start chronyd + + # Sync time + chronyc -a makestep +} + checkin_at_boot() { local minion_config=/etc/salt/minion 
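Review bot: In configure_ntp the CentOS branch runs `yum -y install chrony` with no failure handling while the Ubuntu branch exits on failure through retry, so a failed yum install falls through to `rm -f /etc/chrony.conf` and the chronyc calls and leaves the host with its distro chrony config deleted and no daemon. Suggest `yum -y install chrony || exit 1` (or the same retry wrapper) and `systemctl start chronyd || exit 1`, since nothing visible downstream checks that the daemon came up. The generated file also replaces the distro default wholesale rather than editing it; a comment such as `# Replaces the distro chrony.conf entirely: only the server lines plus driftfile/makestep/rtcsync/logdir are kept` would tell the next maintainer that this is intentional.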
@@ -709,6 +752,12 @@ checkin_at_boot() { echo "startup_states: highstate" >> "$minion_config" } +check_ntp_configured() { + if systemctl is-active --quiet chronyd || systemctl is-active --quiet ntpd; then + ntp_configured=true + fi +} + check_requirements() { local standalone_or_dist=$1 local node_type=$2 # optional @@ -1564,12 +1613,16 @@ manager_global() { "global:"\ " soversion: '$SOVERSION'"\ " hnmanager: '$HNMANAGER'"\ - " ntpserver: '$NTPSERVER'"\ " dockernet: '$DOCKERNET'"\ " mdengine: '$ZEEKVERSION'"\ " ids: '$NIDS'"\ " url_base: '$REDIRECTIT'"\ - " managerip: '$MAINIP'" > "$global_pillar" + " managerip: '$MAINIP'" + " ntp_servers:" > "$global_pillar" + + for addr in "${ntp_servers[@]}"; do + echo " - '$addr'" >> "$global_pillar" + done if [[ $is_airgap ]]; then printf '%s\n'\ diff --git a/setup/so-setup b/setup/so-setup index 82e414ca4..2082653c5 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -534,6 +534,9 @@ if [[ $is_sensor && ! $is_eval ]]; then fi fi +check_ntp_configured +[[ -z $ntp_configured ]] || collect_ntp_servers + if [[ $is_node && ! $is_eval ]]; then whiptail_node_advanced if [ "$NODESETUP" == 'NODEADVANCED' ]; then @@ -581,6 +584,8 @@ set_redirect >> $setup_log 2>&1 # Show initial progress message set_progress_str 0 'Running initial configuration steps' + [[ -z $ntp_configured ]] || [[ -n $ntp_servers ]] && configure_ntp >> $setup_log 2>&1 + reserve_ports set_path diff --git a/setup/so-variables b/setup/so-variables index a2fdf03c6..0a07fc79d 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -72,3 +72,6 @@ export install_opt_file net_init_file=/root/net_init export net_init_file + +ntp_servers="0.pool.ntp.org,1.pool.ntp.org" +export ntp_servers diff --git a/setup/so-whiptail b/setup/so-whiptail index a0425b5af..1ccdf6a90 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
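Review bot: check_ntp_configured sets ntp_configured whenever chronyd or ntpd is merely active, and the so-setup hunk in this patch uses that flag to skip both the prompt and configure_ntp, so a host with a pre-installed daemon still pointing at the public pool (the airgap case this patch adds a prompt for) never receives the operator's server list. If leaving an existing daemon alone is intended, state it on the function: `# Only tests that a time daemon is running, not that it is synchronised or reachable; setup does not touch an existing daemon`. Otherwise gate on synchronisation state (for example the output of `chronyc tracking`) rather than on unit state.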
@@ -1105,6 +1105,24 @@ whiptail_node_ls_pipeline_worker() { } +whiptail_ntp_ask() { + [ -n "$TESTING" ] && return + + whiptail --title "Security Onion Setup" --yesno "Would you like to configure ntp servers?" 7 44 +} + +whiptail_ntp_servers() { + [ -n "$TESTING" ] && return + + ntp_string=$(whiptail --title "Security Onion Setup" \ + --inputbox "Input the NTP server(s) you would like to use, separated by commas:" 8 75 "$1" 3>&1 1>&2 2>&3) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + + IFS="," read -r -a ntp_servers <<< "$ntp_string" # Split string on commas into array +} + whiptail_oinkcode() { [ -n "$TESTING" ] && return From b3f558a1f8481a9144c2d96a50cb3ad8b0c147c9 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 09:14:34 -0400 Subject: [PATCH 02/45] [fix] Also check if proxy is set before asking for ntp servers --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index d5e8c0a6e..fd998da14 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -487,7 +487,7 @@ collect_node_ls_pipeline_worker_count() { } collect_ntp_servers() { - if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' ]]; then + if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' || -n $so_proxy ]]; then if whiptail_ntp_ask; then [[ $is_airgap ]] && ntp_servers="" whiptail_ntp_servers "$ntp_servers" From ace30c07ea5bb75489add30067bb802244764eca Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 09:22:09 -0400 Subject: [PATCH 03/45] [fix] Also sync time before updating system clock --- setup/so-functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index fd998da14..a7a596abe 100755 --- a/setup/so-functions +++ b/setup/so-functions 
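Review bot: whiptail_ntp_ask's `[ -n "$TESTING" ] && return` exits with status 0, so in test mode this yes/no helper silently answers "yes" and collect_ntp_servers takes the interactive branch with whatever ntp_servers already holds; the neighbouring early-return helpers are setters where status 0 carries no meaning, so this one needs a comment, e.g. `# TESTING: answer "yes" so the default server list is applied`. If "no" is the intended test-mode answer, write `[ -n "$TESTING" ] && return 1` instead.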
@@ -741,7 +741,8 @@ configure_ntp() { systemctl enable chronyd systemctl start chronyd - # Sync time + # Sync time & update the system time + chronyc -a 'burst 4/4' chronyc -a makestep } From 184c763b02d36e78024417cc31edfbe1b181d05f Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 09:36:08 -0400 Subject: [PATCH 04/45] [fix] Export correct variable to check later in setup --- setup/so-functions | 2 +- setup/so-whiptail | 6 +----- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index a7a596abe..a346128e1 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -592,7 +592,7 @@ collect_proxy_details() { else so_proxy="$proxy_addr" fi - export proxy + export so_proxy fi } diff --git a/setup/so-whiptail b/setup/so-whiptail index 1ccdf6a90..2743ab65b 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1289,11 +1289,7 @@ whiptail_proxy_auth_pass() { [ -n "$TESTING" ] && return - if [[ $arg != 'confirm' ]]; then - proxy_pass=$(whiptail --title "Security Onion Setup" --passwordbox "Please input the proxy password:" 8 60 3>&1 1>&2 2>&3) - else - proxy_pass_confirm=$(whiptail --title "Security Onion Setup" --passwordbox "Please confirm the proxy password:" 8 60 3>&1 1>&2 2>&3) - fi + proxy_pass=$(whiptail --title "Security Onion Setup" --passwordbox "Please input the proxy password:" 8 60 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus From 0e9c81c145b1229bf82fc4976b55630b4a77e0aa Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 09:44:44 -0400 Subject: [PATCH 05/45] Fix logic around ntp prompt --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 2082653c5..6ed3fa344 100755 --- a/setup/so-setup +++ b/setup/so-setup 
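Review bot: Dropping the `confirm` branch means whiptail_proxy_auth_pass no longer sets proxy_pass_confirm, so any caller that still invokes it with 'confirm' and compares the two values (not visible in this hunk; please check collect_proxy_details) now compares against an unset variable, and a mistyped proxy password is only discovered when the proxy rejects it. If the confirmation step is intentionally removed, remove the `arg` handling and the second call site in the same commit and say so in the commit message. whiptail_proxy_auth_pass begins outside this hunk.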
@@ -535,7 +535,7 @@ if [[ $is_sensor && ! $is_eval ]]; then fi check_ntp_configured -[[ -z $ntp_configured ]] || collect_ntp_servers +[[ -z $ntp_configured ]] && collect_ntp_servers if [[ $is_node && ! $is_eval ]]; then whiptail_node_advanced From 2d873b92fa3c19b43b5850220d65270536901a13 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 10:22:41 -0400 Subject: [PATCH 06/45] Fix ntp logic elsewhere --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 6ed3fa344..07eb49500 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -584,7 +584,7 @@ set_redirect >> $setup_log 2>&1 # Show initial progress message set_progress_str 0 'Running initial configuration steps' - [[ -z $ntp_configured ]] || [[ -n $ntp_servers ]] && configure_ntp >> $setup_log 2>&1 + [[ -z $ntp_configured ]] && [[ -n $ntp_servers ]] && configure_ntp >> $setup_log 2>&1 reserve_ports From 9f0afd90f1852d28ad42d126f3cee187d3ef2115 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 11:27:37 -0400 Subject: [PATCH 07/45] [fix] Add missing backslash --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index a346128e1..dbc92aabc 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1618,7 +1618,7 @@ manager_global() { " mdengine: '$ZEEKVERSION'"\ " ids: '$NIDS'"\ " url_base: '$REDIRECTIT'"\ - " managerip: '$MAINIP'" + " managerip: '$MAINIP'"\ " ntp_servers:" > "$global_pillar" for addr in "${ntp_servers[@]}"; do From 3287a777a2203a775265c25ca85d9b34ab1acaf7 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 11:41:12 -0400 Subject: [PATCH 08/45] [fix] Pre-fill hostname re-enter on default --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index dbc92aabc..ffaa079c1 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -400,7 +400,7 @@ collect_hostname() { if [[ $HOSTNAME == 'securityonion' ]]; then # Will only check HOSTNAME=securityonion once if ! (whiptail_avoid_default_hostname); then - whiptail_set_hostname + whiptail_set_hostname "$HOSTNAME" fi fi From 08f46a779ac6b1ae2f5754b078a7238f4eb3b9aa Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 23 Mar 2021 21:16:17 -0400 Subject: [PATCH 09/45] Remove freqserver, minio, and domainstats from image list --- salt/common/tools/sbin/so-image-common | 3 --- 1 file changed, 3 deletions(-) diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index 402ae97f3..be5a327f0 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common @@ -47,20 +47,17 @@ container_list() { TRUSTED_CONTAINERS=( "so-acng" "so-curator" - "so-domainstats" "so-elastalert" "so-elasticsearch" "so-filebeat" "so-fleet" "so-fleet-launcher" - "so-freqserver" "so-grafana" "so-idstools" "so-influxdb" "so-kibana" "so-kratos" "so-logstash" - "so-minio" "so-mysql" "so-nginx" "so-pcaptools" From af3951e1ad7dff3f28f03dbeb10466facf8d3cbb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 25 Mar 2021 11:51:55 -0400 Subject: [PATCH 10/45] Attempt to use so repo for network install --- setup/so-functions | 49 ++++++++++++++++---------- setup/so-setup | 2 ++ setup/yum_repos/saltstack.repo | 6 ---- setup/yum_repos/securityonion.repo | 56 ++++++++++++++++++++++++++++++ setup/yum_repos/wazuh.repo | 7 ---- 5 files changed, 88 insertions(+), 32 deletions(-) delete mode 100644 setup/yum_repos/saltstack.repo create mode 100644 setup/yum_repos/securityonion.repo delete mode 100644 setup/yum_repos/wazuh.repo diff --git a/setup/so-functions b/setup/so-functions index 29a58e718..b6cf569fb 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1085,9 +1085,9 @@ docker_install() { if [ $OS = 'centos' ]; then { yum clean expire-cache; - if [[ ! $is_airgap ]]; then - yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo; - fi + #if [[ ! $is_airgap ]]; then + # yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo; + #fi if [[ ! $is_iso ]]; then yum -y install docker-ce-20.10.5-3.el7 containerd.io-1.4.4-3.1.el7; fi @@ -1990,8 +1990,8 @@ saltify() { if [ $OS = 'centos' ]; then set_progress_str 5 'Installing Salt repo' { - sudo rpm --import https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.5/SALTSTACK-GPG-KEY.pub; - cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo; + sudo rpm --import https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub; + #cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo; } >> "$setup_log" 2>&1 set_progress_str 6 'Installing various dependencies' if [[ ! $is_iso ]]; then @@ -2001,7 +2001,7 @@ saltify() { 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT') reserve_group_ids >> "$setup_log" 2>&1 if [[ ! $is_iso ]]; then - logCmd "yum -y install epel-release" + #logCmd "yum -y install epel-release" logCmd "yum -y install sqlite argon2 curl mariadb-devel" fi # Download Ubuntu Keys in case manager updates = 1 @@ -2010,7 +2010,7 @@ saltify() { logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3002.5/SALTSTACK-GPG-KEY.pub" logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" - logCmd "cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo" + #logCmd "cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo" fi set_progress_str 7 'Installing salt-master' if [[ ! $is_iso ]]; then 
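Review bot: The docker_install hunk replaces the docker-ce repo setup with commented-out lines instead of deleting them, and the three saltify hunks that follow (the `cp ./yum_repos/saltstack.repo`, `yum -y install epel-release` and `cp ./yum_repos/wazuh.repo` lines, plus the whole `MANAGERUPDATES` block in the next hunk) do the same; the repo files those lines reference are deleted in this very patch, so the comments can never be re-enabled as written and git history already preserves them. Delete the dead lines and leave one comment where behaviour changed, e.g. `# Docker CE, EPEL, Salt and Wazuh packages now come from the Security Onion repo (see securityonion_repo)`. The is_airgap guard that used to wrap the docker repo add is gone as well; if airgap installs reach this code, it is worth confirming that the remaining is_iso guard on the install line is enough.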
@@ -2019,29 +2019,29 @@ saltify() { systemctl enable salt-master >> "$setup_log" 2>&1 ;; *) - if [ "$MANAGERUPDATES" = '1' ]; then - { - if [[ ! $is_airgap ]]; then + #if [ "$MANAGERUPDATES" = '1' ]; then + # { + # if [[ ! $is_airgap ]]; then # Create the GPG Public Key for the Salt Repo - cp ./public_keys/salt.pem /etc/pki/rpm-gpg/saltstack-signing-key; + #cp ./public_keys/salt.pem /etc/pki/rpm-gpg/saltstack-signing-key; # Copy repo files over - cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo; - else - info "This is airgap" - fi - } >> "$setup_log" 2>&1 - fi + #cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo; + # else + # info "This is airgap" + # fi + # } >> "$setup_log" 2>&1 + #fi ;; esac if [[ ! $is_airgap ]]; then - cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo >> "$setup_log" 2>&1 + #cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo >> "$setup_log" 2>&1 yum clean expire-cache >> "$setup_log" 2>&1 fi set_progress_str 8 'Installing salt-minion & python modules' { if [[ ! $is_iso ]]; then - yum -y install epel-release + #yum -y install epel-release yum -y install salt-minion-3002.5\ python3\ python36-docker\ @@ -2264,6 +2264,17 @@ secrets_pillar(){ fi } +securityonion_repo() { + # Remove all the current repos + if [ "$OS" = 'centos' ]; then + mkdir -p /root/oldrepos + mv /etc/yum.repos.d/* /root/oldrepos/ + cp -f ./yum_repos/securityonion.repo /etc/yum.repos.d/ + else + echo "This is Ubuntu" + fi +} + set_base_heapsizes() { es_heapsize ls_heapsize diff --git a/setup/so-setup b/setup/so-setup index 82e414ca4..a532158f4 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -622,6 +622,8 @@ set_redirect >> $setup_log 2>&1 info "Creating airgap repo" create_repo >> $setup_log 2>&1 airgap_rules >> $setup_log 2>&1 + else + securityonion_repo >> $setup_log 2>&1 fi if [[ $is_minion ]]; then diff --git a/setup/yum_repos/saltstack.repo b/setup/yum_repos/saltstack.repo deleted file mode 100644 index 0430a62b8..000000000 
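Review bot: securityonion_repo moves every file under /etc/yum.repos.d/ into /root/oldrepos/ unconditionally and without checking the result, so a second run of setup overwrites the previous backup (losing the original distro repo files for good) and a failed mv or cp goes unnoticed before the installs that depend on the new repo run. Chain the steps and fail loudly, `mkdir -p /root/oldrepos && mv /etc/yum.repos.d/*.repo /root/oldrepos/ && cp -f ./yum_repos/securityonion.repo /etc/yum.repos.d/ || exit 1`, or back up into a timestamped directory if re-runs are expected. The Ubuntu placeholder `echo "This is Ubuntu"` only adds noise to setup_log; replace it with a comment until the apt side exists. A header comment such as `# Point yum exclusively at the Security Onion mirror; original repo files are kept under /root/oldrepos for recovery` would document the intent.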
--- a/setup/yum_repos/saltstack.repo
+++ /dev/null
@@ -1,6 +0,0 @@
-[saltstack]
-name=SaltStack repo for RHEL/CentOS $releasever PY3
-baseurl=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.5/
-enabled=1
-gpgcheck=1
-gpgkey=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.5/SALTSTACK-GPG-KEY.pub
\ No newline at end of file
diff --git a/setup/yum_repos/securityonion.repo b/setup/yum_repos/securityonion.repo
new file mode 100644
index 000000000..20c907289
--- /dev/null
+++ b/setup/yum_repos/securityonion.repo
@@ -0,0 +1,56 @@
+[base]
+name=CentOS-$releasever - Base
+baseurl=https://repo.securityonion.net/file/securityonion-repo/base/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#released updates
+[updates]
+name=CentOS-$releasever - Updates
+baseurl=https://repo.securityonion.net/file/securityonion-repo/updates/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#additional packages that may be useful
+[extras]
+name=CentOS-$releasever - Extras
+baseurl=https://repo.securityonion.net/file/securityonion-repo/extras/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#additional packages that extend functionality of existing packages
+[centosplus]
+name=CentOS-$releasever - Plus
+baseurl=https://repo.securityonion.net/file/securityonion-repo/centosplus/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+[epel]
+name=Extra Packages for Enterprise Linux 7 - $basearch
+baseurl=https://repo.securityonion.net/file/securityonion-repo/epel/
+enabled=1
+gpgcheck=1
+gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/RPM-GPG-KEY-EPEL-7
+
+[docker-ce-stable]
+name=Docker CE Stable - $basearch
+baseurl=https://repo.securityonion.net/file/securityonion-repo/docker-ce-stable
+enabled=1
+gpgcheck=1
+gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/docker.pub
+
+[saltstack]
+name=SaltStack repo for RHEL/CentOS $releasever PY3
+baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack/
+enabled=1
+gpgcheck=1
+gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub
+
+[wazuh_repo]
+gpgcheck=1
+gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH
+enabled=1
+name=Wazuh repository
+baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh_repo/
+protect=1
\ No newline at end of file
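Review bot: The epel, docker-ce-stable, saltstack and wazuh_repo sections fetch their `gpgkey` from the same host that serves the packages, so `gpgcheck=1` only proves that a package matches whatever key repo.securityonion.net hands out and gives no trust root independent of that mirror. The CentOS sections already do this properly with a locally shipped key via `file:///etc/pki/rpm-gpg/...`; the other four should reference vendor keys shipped in the setup tree the same way, and the same applies to the `rpm --import https://repo.securityonion.net/.../SALTSTACK-GPG-KEY.pub` line in saltify. Minor: the file lacks a trailing newline, and with no `repo_gpgcheck` the repodata is protected by TLS only, which is worth a comment at the top of the file.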
diff --git a/setup/yum_repos/wazuh.repo b/setup/yum_repos/wazuh.repo deleted file mode 100644 index ae462c62f..000000000 --- a/setup/yum_repos/wazuh.repo +++ /dev/null @@ -1,7 +0,0 @@ -[wazuh_repo] -gpgcheck=1 -gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH -enabled=1 -name=Wazuh repository -baseurl=https://packages.wazuh.com/3.x/yum/ -protect=1 From 150e724a4a52f0e58a224f3d1f82311964118abb Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 25 Mar 2021 13:37:54 -0400 Subject: [PATCH 11/45] Fix chrony install logic + add sleep for chrony to finish sync --- setup/so-functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index ffaa079c1..c2ddb2125 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -717,7 +717,7 @@ configure_ntp() { local chrony_conf=/etc/chrony.conf # Install chrony if it isn't already installed - if command -v chronyc &> /dev/null; then + if ! command -v chronyc &> /dev/null; then if [ "$OS" == centos ]; then yum -y install chrony else @@ -743,6 +743,7 @@ configure_ntp() { # Sync time & update the system time chronyc -a 'burst 4/4' + sleep 20 # Wait for chrony to sync chronyc -a makestep } From eb674b3b938b3769ab5ae0886b80d7a6a462c29d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 25 Mar 2021 14:45:33 -0400 Subject: [PATCH 12/45] Validate list of ntp servers (ip4, hostname, or fqdn) --- salt/common/tools/sbin/so-common | 14 ++++++++++++++ setup/so-functions | 13 ++++++++++--- setup/so-setup | 2 +- setup/so-variables | 4 ++-- setup/so-whiptail | 2 -- 5 files changed, 27 insertions(+), 8 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 676b908ce..340525272 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
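Review bot: The added `sleep 20` is a fixed wait that is too short on a slow or proxied network and twenty wasted seconds on a fast one, and the following `chronyc -a makestep` runs whether or not the burst produced a measurement. chronyc offers a blocking alternative, `chronyc waitsync 10` (ten attempts at the default interval, non-zero exit if no sync was reached); if the installed chrony supports it, use that in place of the sleep and log the outcome, e.g. `chronyc waitsync 10 || echo "WARN: chrony did not sync within the wait window"`, since configure_ntp's output is already redirected to setup_log by its caller. configure_ntp's body begins outside this hunk.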
@@ -419,6 +419,20 @@ valid_proxy() { [[ $has_prefix == true ]] && [[ $valid_url == true ]] && return 0 || return 1 } +valid_ntp_list() { + local string=$1 + local ntp_arr + IFS="," read -r -a ntp_arr <<< "$string" + + for ntp in "${ntp_arr[@]}"; do + if ! valid_ip4 "$ntp" && ! valid_hostname "$ntp" && ! valid_fqdn "$ntp"; then + return 1 + fi + done + + return 0 +} + valid_string() { local str=$1 local min_length=${2:-1} diff --git a/setup/so-functions b/setup/so-functions index c2ddb2125..6dd10096b 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -489,10 +489,17 @@ collect_node_ls_pipeline_worker_count() { collect_ntp_servers() { if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' || -n $so_proxy ]]; then if whiptail_ntp_ask; then - [[ $is_airgap ]] && ntp_servers="" - whiptail_ntp_servers "$ntp_servers" + [[ $is_airgap ]] && ntp_servers=() + whiptail_ntp_servers "$ntp_string" + + while ! valid_ntp_list "$ntp_string"; do + whiptail_invalid_input + whiptail_ntp_servers "$ntp_string" + done + + IFS="," read -r -a ntp_servers <<< "$ntp_string" # Split string on commas into array else - ntp_servers="" + ntp_servers=() fi fi } diff --git a/setup/so-setup b/setup/so-setup index 07eb49500..d9e64105a 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -584,7 +584,7 @@ set_redirect >> $setup_log 2>&1 # Show initial progress message set_progress_str 0 'Running initial configuration steps' - [[ -z $ntp_configured ]] && [[ -n $ntp_servers ]] && configure_ntp >> $setup_log 2>&1 + [[ -z $ntp_configured ]] && [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 reserve_ports diff --git a/setup/so-variables b/setup/so-variables index 0a07fc79d..676cba4f0 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -73,5 +73,5 @@ export install_opt_file net_init_file=/root/net_init export net_init_file -ntp_servers="0.pool.ntp.org,1.pool.ntp.org" -export ntp_servers +ntp_string="0.pool.ntp.org,1.pool.ntp.org" +export ntp_string 
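Review bot: valid_ntp_list accepts an empty string, because `read -a` on "" yields no elements and the loop never runs, so "" validates as a good server list; the caller then relies on `${#ntp_servers[@]} -gt 0` to skip configuration, which is fine but should be stated on the function, e.g. `# An empty string is accepted (no servers); each entry must be an IPv4 address, hostname or FQDN with no surrounding whitespace`. Input such as `a, b` presumably fails because the leading space is kept in the second entry, which matches the prompt text but will surprise users who add spaces after commas; trimming each entry with a parameter expansion before validating it would be friendlier. The loop variable should also be declared `local ntp`, as the surrounding helpers declare their locals.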
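Review bot: After this change ntp_servers is only ever populated inside the `whiptail_ntp_ask` branch, so on a plain install (not airgap, not advanced, no proxy) the array is never set, `${#ntp_servers[@]}` in so-setup is 0, configure_ntp never runs and the pillar's ntp_servers list is empty even though ntp_string still carries the default pool; before this patch the string default made the `-n $ntp_servers` test true. The airgap branch has a related slip: it clears `ntp_servers=()` but passes `$ntp_string`, which is never blanked, so an airgap operator is offered `0.pool.ntp.org,1.pool.ntp.org` as the prefill that the previous code deliberately emptied. Splitting the string once, unconditionally, at the end of the function and blanking ntp_string rather than the array fixes both, unless some path not shown here splits ntp_string elsewhere.
```shell
collect_ntp_servers() {
  if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' || -n $so_proxy ]]; then
    if whiptail_ntp_ask; then
      [[ $is_airgap ]] && ntp_string=""   # no public pool prefill on an airgap host
      whiptail_ntp_servers "$ntp_string"
      # … unchanged: validation loop with whiptail_invalid_input …
    else
      ntp_string=""
    fi
  fi
  # Always derive the array from the (possibly default) string so a plain
  # install still gets the default servers
  IFS="," read -r -a ntp_servers <<< "$ntp_string"
}
```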
diff --git a/setup/so-whiptail b/setup/so-whiptail index 2743ab65b..00397a6fa 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1119,8 +1119,6 @@ whiptail_ntp_servers() { local exitstatus=$? whiptail_check_exitstatus $exitstatus - - IFS="," read -r -a ntp_servers <<< "$ntp_string" # Split string on commas into array } whiptail_oinkcode() { From 0195d366cc9b386f73e1aa47ce4c437fb354118b Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 26 Mar 2021 14:44:27 -0400 Subject: [PATCH 13/45] Add custom banner to login page --- salt/nginx/etc/nginx.conf | 2 +- salt/soc/files/soc/banner.md | 0 salt/soc/init.sls | 10 ++++++++++ 3 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 salt/soc/files/soc/banner.md diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 25e8bc11f..ea820442b 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -157,7 +157,7 @@ http { ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; - location ~* (^/login/|^/js/.*|^/css/.*|^/images/.*) { + location ~* (^/login/.*|^/js/.*|^/css/.*|^/images/.*) { proxy_pass http://{{ manager_ip }}:9822; proxy_read_timeout 90; proxy_connect_timeout 90; diff --git a/salt/soc/files/soc/banner.md b/salt/soc/files/soc/banner.md new file mode 100644 index 000000000..e69de29bb diff --git a/salt/soc/init.sls b/salt/soc/init.sls index a2d3ecf89..18fda41da 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -44,6 +44,15 @@ socmotd: - mode: 600 - template: jinja +socbanner: + file.managed: + - name: /opt/so/conf/soc/banner.md + - source: salt://soc/files/soc/banner.md + - user: 939 + - group: 939 + - mode: 600 + - template: jinja + soccustom: file.managed: - name: /opt/so/conf/soc/custom.js 
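Review bot: nginx regex locations are not end-anchored, so `^/login/` already matched every path under /login/ and the appended `.*` changes nothing functionally; if the intent was to make /login/banner.md reach the SOC backend, the likely cause is a more specific location elsewhere in the server block (which starts outside this hunk), and this edit may not achieve it. If the change is kept for readability, a comment such as `# Paths served by SOC before login: the login page, its banner and static assets` documents why these paths are grouped.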
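Review bot: socbanner renders banner.md through Jinja (`template: jinja`) and the so-soc hunk that follows mounts it under html/login/, i.e. its content is displayed before authentication; a comment on the state would save the next editor from putting internal details or pillar-derived values there, e.g. `# Shown on the unauthenticated login page; keep the content public-safe. Jinja is evaluated on the master, so {{ }} in the file is expanded, not displayed.` The read-only mount in the following hunk is right.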
@@ -62,6 +71,7 @@ so-soc: - /nsm/soc/jobs:/opt/sensoroni/jobs:rw - /opt/so/conf/soc/soc.json:/opt/sensoroni/sensoroni.json:ro - /opt/so/conf/soc/motd.md:/opt/sensoroni/html/motd.md:ro + - /opt/so/conf/soc/banner.md:/opt/sensoroni/html/login/banner.md:ro - /opt/so/conf/soc/custom.js:/opt/sensoroni/html/js/custom.js:ro - /opt/so/log/soc/:/opt/sensoroni/logs/:rw {%- if salt['pillar.get']('nodestab', {}) %} From 8819cc1371ae9106e323f39c67cbe9b071d12d64 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 26 Mar 2021 16:01:22 -0400 Subject: [PATCH 14/45] Fix acng to actually cache --- salt/airgap/init.sls | 2 +- salt/common/keys/GPG-KEY-WAZUH | 52 +++++++++++++++++++++++ salt/common/keys/RPM-GPG-KEY-EPEL-7 | 29 +++++++++++++ salt/common/keys/SALTSTACK-GPG-KEY.pub | 31 ++++++++++++++ salt/common/keys/docker.pub | 28 +++++++++++++ salt/common/keys/securityonion.pub | 52 +++++++++++++++++++++++ salt/common/tools/sbin/so-common | 17 ++++++++ salt/common/tools/sbin/soup | 1 + salt/manager/files/acng/acng.conf | 1 + setup/so-functions | 51 +++------------------- setup/so-setup | 4 +- setup/yum_repos/securityonioncache.repo | 56 +++++++++++++++++++++++++ 12 files changed, 277 insertions(+), 47 deletions(-) create mode 100644 salt/common/keys/GPG-KEY-WAZUH create mode 100644 salt/common/keys/RPM-GPG-KEY-EPEL-7 create mode 100644 salt/common/keys/SALTSTACK-GPG-KEY.pub create mode 100644 salt/common/keys/docker.pub create mode 100644 salt/common/keys/securityonion.pub create mode 100644 setup/yum_repos/securityonioncache.repo diff --git a/salt/airgap/init.sls b/salt/airgap/init.sls index 818bb3a3b..4ff401099 100644 --- a/salt/airgap/init.sls +++ b/salt/airgap/init.sls @@ -11,7 +11,7 @@ airgap_repo: pkgrepo.managed: - humanname: Airgap Repo - baseurl: https://{{ MANAGER }}/repo - - gpgcheck: 0 + - gpgcheck: 1 - sslverify: 0 agbase: diff --git a/salt/common/keys/GPG-KEY-WAZUH b/salt/common/keys/GPG-KEY-WAZUH new file mode 100644 index 000000000..b424ccfae --- /dev/null 
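Review bot: Turning on `gpgcheck: 1` for airgap_repo is the right direction, but the stanza visible here has no `gpgkey:` and still sets `sslverify: 0`; unless a key for the airgap packages is imported elsewhere (the so-common and so-setup changes in this patch's diffstat are not shown), yum will fail the first install from this repo rather than silently pass, which is the safer failure but still a failure. Add the key reference next to it, e.g. `- gpgkey: file:///etc/pki/rpm-gpg/<airgap-signing-key>` (placeholder name), and a comment explaining why sslverify stays off for the manager's certificate, since with TLS unverified only the package signatures are checked and the repodata itself is not.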
+++ b/salt/common/keys/GPG-KEY-WAZUH 
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2.0.22 (GNU/Linux) + +mQINBFeeyYwBEACyf4VwV8c2++J5BmCl6ofLCtSIW3UoVrF4F+P19k/0ngnSfjWb +8pSWB11HjZ3Mr4YQeiD7yY06UZkrCXk+KXDlUjMK3VOY7oNPkqzNaP6+8bDwj4UA +hADMkaXBvWooGizhCoBtDb1bSbHKcAnQ3PTdiuaqF5bcyKk8hv939CHulL2xH+BP +mmTBi+PM83pwvR+VRTOT7QSzf29lW1jD79v4rtXHJs4KCz/amT/nUm/tBpv3q0sT +9M9rH7MTQPdqvzMl122JcZST75GzFJFl0XdSHd5PAh2mV8qYak5NYNnwA41UQVIa ++xqhSu44liSeZWUfRdhrQ/Nb01KV8lLAs11Sz787xkdF4ad25V/Rtg/s4UXt35K3 +klGOBwDnzPgHK/OK2PescI5Ve1z4x1C2bkGze+gk/3IcfGJwKZDfKzTtqkZ0MgpN +7RGghjkH4wpFmuswFFZRyV+s7jXYpxAesElDSmPJ0O07O4lQXQMROE+a2OCcm0eF +3+Cr6qxGtOp1oYMOVH0vOLYTpwOkAM12/qm7/fYuVPBQtVpTojjV5GDl2uGq7p0o +h9hyWnLeNRbAha0px6rXcF9wLwU5n7mH75mq5clps3sP1q1/VtP/Fr84Lm7OGke4 +9eD+tPNCdRx78RNWzhkdQxHk/b22LCn1v6p1Q0qBco9vw6eawEkz1qwAjQARAQAB +tDFXYXp1aC5jb20gKFdhenVoIFNpZ25pbmcgS2V5KSA8c3VwcG9ydEB3YXp1aC5j +b20+iQI9BBMBCAAnAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheABQJZHNOBBQkU +SgzvAAoJEJaz7l8pERFF6xUP/3SbcmrI/u7a2EqZ0GxwQ/LRkPzWkJRnozCtNYHD +ZjiZgSB/+77hkPS0tsBK/GXFLKfJAuf13XFrCvEuI4Q/pLOCCKIGumKXItUIwJBD +HiEmVt/XxIijmlF7O1jcWqE/5CQXofjr03WMx+qzNabIwU/6dTKZN4FrR1jDk7yS +6FYBsbhVcSoqSpGYx7EcuK3c3sKKtnbacK2Sw3K9n8Wdj+EK83cbpMg8D/efVRqv +xypeCeojtY10y4bmugEwMYPgFkrSbicuiZc8NA8qhvFp6JFRq/uL0PGACyg05wB3 +S9U4wvSkmlo2/G74awna22UlaoYmSSz3UZdpWd2zBxflx17948QfTqyhO6bM8qLz +dSyR6/6olAcR1N+PBup8PoMdBte4ul/hJp8WIviW0AxJUTZSbVj5v/t43QAKEpCE +IMHvkK8PRHz/9kMd/2xN7LgMtihCrGZOnzErkjhlZvmiJ6kcJoD7ywzFnfJrntOU +DjNb3eqUFSEwmhD60Hd2OCkfmiV7NEE/YTd9B72NSwzj4Za/JUdlF64LMeIiHbYp +Lh7P+mR+lMJf/SWsQmlyuiQ2u8SY2aDFvzBS9WtpwiznuUdrbRN87+TYLSVqDifj +Ea3zOnzLaLYbOr6LHz1xbhAvInv7KLobgiw1E4WnBNWN8xVwVJLKNE7wV88k43XV +3L/RuQINBFeeyYwBEADD1Y3zW5OrnYZ6ghTd5PXDAMB8Z1ienmnb2IUzLM+i0yE2 +TpKSP/XYCTBhFa390rYgFO2lbLDVsiz7Txd94nHrdWXGEQfwrbxsvdlLLWk7iN8l +Fb4B60OfRi3yoR96a/kIPNa0x26+n79LtDuWZ/DTq5JSHztdd9F1sr3h8i5zYmtv +luj99ZorpwYejbBVUm0+gP0ioaXM37uO56UFVQk3po9GaS+GtLnlgoE5volgNYyO 
+rkeIua4uZVsifREkHCKoLJip6P7S3kTyfrpiSLhouEZ7kV1lbMbFgvHXyjm+/AIx +HIBy+H+e+HNt5gZzTKUJsuBjx44+4jYsOR67EjOdtPOpgiuJXhedzShEO6rbu/O4 +wM1rX45ZXDYa2FGblHCQ/VaS0ttFtztk91xwlWvjTR8vGvp5tIfCi+1GixPRQpbN +Y/oq8Kv4A7vB3JlJscJCljvRgaX0gTBzlaF6Gq0FdcWEl5F1zvsWCSc/Fv5WrUPY +5mG0m69YUTeVO6cZS1aiu9Qh3QAT/7NbUuGXIaAxKnu+kkjLSz+nTTlOyvbG7BVF +a6sDmv48Wqicebkc/rCtO4g8lO7KoA2xC/K/6PAxDrLkVyw8WPsAendmezNfHU+V +32pvWoQoQqu8ysoaEYc/j9fN4H3mEBCN3QUJYCugmHP0pu7VtpWwwMUqcGeUVwAR +AQABiQIlBBgBCAAPAhsMBQJZHNOaBQkUSg0HAAoJEJaz7l8pERFFhpkQAJ09mjjp +n9f18JGSMzP41fVucPuLBZ5XJL/hy2boII1FvgfmOETzNxLPblHdkJVjZS5iMrhL +EJ1jv+GQDtf68/0jO+HXuQIBmUJ53YwbuuQlLWH7CI2AxlSAKAn2kOApWMKsjnAv +JwS3eNGukOKWRfEKTqz2Vwi1H7M7ppypZ9keoyAoSIWb61gm7rXbfT+tVBetHfrU +EM5vz3AS3pJk6Yfqn10IZfiexXmsBD+SpJBNzMBsznCcWO2y4qZNLjFferBoizvV +34UnZyd1bkSN0T/MKp8sgJwqDJBS72tH6ZIM8NNoy29aPDkeaa8XlhkWiBdRizqL +BcxrV/1n3xdzfY9FX6s4KGudo+gYsVpY0mrpZU8jG8YUNLDXQTXnRo4CQOtRJJbA +RFDoZfsDqToZftuEhIsk+MaKlyXoA0eIYqGe6lXa/jEwvViqLYubCNLu0+kgNQ3v +hKF8Pf7eXFDAePw7guuvDvBOMQqBCaKCxsz1HoKRNYBEdUYrEQBJnX235Q4IsdI/ +GcQ/dvERJXaDCG8EPhnwc517EMUJDiJ1CxT4+VMHphmFbiVqmctz0upIj+D037Xk +CcgxNte6LZorGRZ/l1MYINliGJKtCCFK7XGVPKiJ8zyGSyPj1FfwtBy5hUX3aQtm +bvP0H2BRCKoelsbRENu58BkU6YhiUry7pVul +=SJij +-----END PGP PUBLIC KEY BLOCK----- diff --git a/salt/common/keys/RPM-GPG-KEY-EPEL-7 b/salt/common/keys/RPM-GPG-KEY-EPEL-7 new file mode 100644 index 000000000..f205ede46 --- /dev/null +++ b/salt/common/keys/RPM-GPG-KEY-EPEL-7 
@@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.11 (GNU/Linux) + +mQINBFKuaIQBEAC1UphXwMqCAarPUH/ZsOFslabeTVO2pDk5YnO96f+rgZB7xArB +OSeQk7B90iqSJ85/c72OAn4OXYvT63gfCeXpJs5M7emXkPsNQWWSju99lW+AqSNm +jYWhmRlLRGl0OO7gIwj776dIXvcMNFlzSPj00N2xAqjMbjlnV2n2abAE5gq6VpqP +vFXVyfrVa/ualogDVmf6h2t4Rdpifq8qTHsHFU3xpCz+T6/dGWKGQ42ZQfTaLnDM +jToAsmY0AyevkIbX6iZVtzGvanYpPcWW4X0RDPcpqfFNZk643xI4lsZ+Y2Er9Yu5 +S/8x0ly+tmmIokaE0wwbdUu740YTZjCesroYWiRg5zuQ2xfKxJoV5E+Eh+tYwGDJ +n6HfWhRgnudRRwvuJ45ztYVtKulKw8QQpd2STWrcQQDJaRWmnMooX/PATTjCBExB +9dkz38Druvk7IkHMtsIqlkAOQMdsX1d3Tov6BE2XDjIG0zFxLduJGbVwc/6rIc95 +T055j36Ez0HrjxdpTGOOHxRqMK5m9flFbaxxtDnS7w77WqzW7HjFrD0VeTx2vnjj +GqchHEQpfDpFOzb8LTFhgYidyRNUflQY35WLOzLNV+pV3eQ3Jg11UFwelSNLqfQf +uFRGc+zcwkNjHh5yPvm9odR1BIfqJ6sKGPGbtPNXo7ERMRypWyRz0zi0twARAQAB +tChGZWRvcmEgRVBFTCAoNykgPGVwZWxAZmVkb3JhcHJvamVjdC5vcmc+iQI4BBMB +AgAiBQJSrmiEAhsPBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBqL66iNSxk +5cfGD/4spqpsTjtDM7qpytKLHKruZtvuWiqt5RfvT9ww9GUUFMZ4ZZGX4nUXg49q +ixDLayWR8ddG/s5kyOi3C0uX/6inzaYyRg+Bh70brqKUK14F1BrrPi29eaKfG+Gu +MFtXdBG2a7OtPmw3yuKmq9Epv6B0mP6E5KSdvSRSqJWtGcA6wRS/wDzXJENHp5re +9Ism3CYydpy0GLRA5wo4fPB5uLdUhLEUDvh2KK//fMjja3o0L+SNz8N0aDZyn5Ax +CU9RB3EHcTecFgoy5umRj99BZrebR1NO+4gBrivIfdvD4fJNfNBHXwhSH9ACGCNv +HnXVjHQF9iHWApKkRIeh8Fr2n5dtfJEF7SEX8GbX7FbsWo29kXMrVgNqHNyDnfAB +VoPubgQdtJZJkVZAkaHrMu8AytwT62Q4eNqmJI1aWbZQNI5jWYqc6RKuCK6/F99q +thFT9gJO17+yRuL6Uv2/vgzVR1RGdwVLKwlUjGPAjYflpCQwWMAASxiv9uPyYPHc +ErSrbRG0wjIfAR3vus1OSOx3xZHZpXFfmQTsDP7zVROLzV98R3JwFAxJ4/xqeON4 +vCPFU6OsT3lWQ8w7il5ohY95wmujfr6lk89kEzJdOTzcn7DBbUru33CQMGKZ3Evt +RjsC7FDbL017qxS+ZVA/HGkyfiu4cpgV8VUnbql5eAZ+1Ll6Dw== +=hdPa +-----END PGP PUBLIC KEY BLOCK----- diff --git a/salt/common/keys/SALTSTACK-GPG-KEY.pub b/salt/common/keys/SALTSTACK-GPG-KEY.pub new file mode 100644 index 000000000..14bd7d98c --- /dev/null +++ b/salt/common/keys/SALTSTACK-GPG-KEY.pub 
@@ -0,0 +1,31 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQENBFOpvpgBCADkP656H41i8fpplEEB8IeLhugyC2rTEwwSclb8tQNYtUiGdna9 +m38kb0OS2DDrEdtdQb2hWCnswxaAkUunb2qq18vd3dBvlnI+C4/xu5ksZZkRj+fW +tArNR18V+2jkwcG26m8AxIrT+m4M6/bgnSfHTBtT5adNfVcTHqiT1JtCbQcXmwVw +WbqS6v/LhcsBE//SHne4uBCK/GHxZHhQ5jz5h+3vWeV4gvxS3Xu6v1IlIpLDwUts +kT1DumfynYnnZmWTGc6SYyIFXTPJLtnoWDb9OBdWgZxXfHEcBsKGha+bXO+m2tHA +gNneN9i5f8oNxo5njrL8jkCckOpNpng18BKXABEBAAG0MlNhbHRTdGFjayBQYWNr +YWdpbmcgVGVhbSA8cGFja2FnaW5nQHNhbHRzdGFjay5jb20+iQE4BBMBAgAiBQJT +qb6YAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAOCKFJ3le/vhkqB/0Q +WzELZf4d87WApzolLG+zpsJKtt/ueXL1W1KA7JILhXB1uyvVORt8uA9FjmE083o1 +yE66wCya7V8hjNn2lkLXboOUd1UTErlRg1GYbIt++VPscTxHxwpjDGxDB1/fiX2o +nK5SEpuj4IeIPJVE/uLNAwZyfX8DArLVJ5h8lknwiHlQLGlnOu9ulEAejwAKt9CU +4oYTszYM4xrbtjB/fR+mPnYh2fBoQO4d/NQiejIEyd9IEEMd/03AJQBuMux62tjA +/NwvQ9eqNgLw9NisFNHRWtP4jhAOsshv1WW+zPzu3ozoO+lLHixUIz7fqRk38q8Q +9oNR31KvrkSNrFbA3D89uQENBFOpvpgBCADJ79iH10AfAfpTBEQwa6vzUI3Eltqb +9aZ0xbZV8V/8pnuU7rqM7Z+nJgldibFk4gFG2bHCG1C5aEH/FmcOMvTKDhJSFQUx +uhgxttMArXm2c22OSy1hpsnVG68G32Nag/QFEJ++3hNnbyGZpHnPiYgej3FrerQJ +zv456wIsxRDMvJ1NZQB3twoCqwapC6FJE2hukSdWB5yCYpWlZJXBKzlYz/gwD/Fr +GL578WrLhKw3UvnJmlpqQaDKwmV2s7MsoZogC6wkHE92kGPG2GmoRD3ALjmCvN1E +PsIsQGnwpcXsRpYVCoW7e2nW4wUf7IkFZ94yOCmUq6WreWI4NggRcFC5ABEBAAGJ +AR8EGAECAAkFAlOpvpgCGwwACgkQDgihSd5Xv74/NggA08kEdBkiWWwJZUZEy7cK +WWcgjnRuOHd4rPeT+vQbOWGu6x4bxuVf9aTiYkf7ZjVF2lPn97EXOEGFWPZeZbH4 +vdRFH9jMtP+rrLt6+3c9j0M8SIJYwBL1+CNpEC/BuHj/Ra/cmnG5ZNhYebm76h5f +T9iPW9fFww36FzFka4VPlvA4oB7ebBtquFg3sdQNU/MmTVV4jPFWXxh4oRDDR+8N +1bcPnbB11b5ary99F/mqr7RgQ+YFF0uKRE3SKa7a+6cIuHEZ7Za+zhPaQlzAOZlx +fuBmScum8uQTrEF5+Um5zkwC7EXTdH1co/+/V/fpOtxIg4XO4kcugZefVm5ERfVS +MA== +=dtMN +-----END PGP PUBLIC KEY BLOCK----- diff --git a/salt/common/keys/docker.pub b/salt/common/keys/docker.pub new file mode 100644 index 000000000..1967cbf01 --- /dev/null +++ b/salt/common/keys/docker.pub 
@@ -0,0 +1,28 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFit5IEBEADDt86QpYKz5flnCsOyZ/fk3WwBKxfDjwHf/GIflo+4GWAXS7wJ +1PSzPsvSDATV10J44i5WQzh99q+lZvFCVRFiNhRmlmcXG+rk1QmDh3fsCCj9Q/yP +w8jn3Hx0zDtz8PIB/18ReftYJzUo34COLiHn8WiY20uGCF2pjdPgfxE+K454c4G7 +gKFqVUFYgPug2CS0quaBB5b0rpFUdzTeI5RCStd27nHCpuSDCvRYAfdv+4Y1yiVh +KKdoe3Smj+RnXeVMgDxtH9FJibZ3DK7WnMN2yeob6VqXox+FvKYJCCLkbQgQmE50 +uVK0uN71A1mQDcTRKQ2q3fFGlMTqJbbzr3LwnCBE6hV0a36t+DABtZTmz5O69xdJ +WGdBeePCnWVqtDb/BdEYz7hPKskcZBarygCCe2Xi7sZieoFZuq6ltPoCsdfEdfbO ++VBVKJnExqNZCcFUTEnbH4CldWROOzMS8BGUlkGpa59Sl1t0QcmWlw1EbkeMQNrN +spdR8lobcdNS9bpAJQqSHRZh3cAM9mA3Yq/bssUS/P2quRXLjJ9mIv3dky9C3udM ++q2unvnbNpPtIUly76FJ3s8g8sHeOnmYcKqNGqHq2Q3kMdA2eIbI0MqfOIo2+Xk0 +rNt3ctq3g+cQiorcN3rdHPsTRSAcp+NCz1QF9TwXYtH1XV24A6QMO0+CZwARAQAB +tCtEb2NrZXIgUmVsZWFzZSAoQ0UgcnBtKSA8ZG9ja2VyQGRvY2tlci5jb20+iQI3 +BBMBCgAhBQJYrep4AhsvBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEMUv62ti +Hp816C0P/iP+1uhSa6Qq3TIc5sIFE5JHxOO6y0R97cUdAmCbEqBiJHUPNQDQaaRG +VYBm0K013Q1gcJeUJvS32gthmIvhkstw7KTodwOM8Kl11CCqZ07NPFef1b2SaJ7l +TYpyUsT9+e343ph+O4C1oUQw6flaAJe+8ATCmI/4KxfhIjD2a/Q1voR5tUIxfexC +/LZTx05gyf2mAgEWlRm/cGTStNfqDN1uoKMlV+WFuB1j2oTUuO1/dr8mL+FgZAM3 +ntWFo9gQCllNV9ahYOON2gkoZoNuPUnHsf4Bj6BQJnIXbAhMk9H2sZzwUi9bgObZ +XO8+OrP4D4B9kCAKqqaQqA+O46LzO2vhN74lm/Fy6PumHuviqDBdN+HgtRPMUuao +xnuVJSvBu9sPdgT/pR1N9u/KnfAnnLtR6g+fx4mWz+ts/riB/KRHzXd+44jGKZra +IhTMfniguMJNsyEOO0AN8Tqcl0eRBxcOArcri7xu8HFvvl+e+ILymu4buusbYEVL +GBkYP5YMmScfKn+jnDVN4mWoN1Bq2yMhMGx6PA3hOvzPNsUoYy2BwDxNZyflzuAi +g59mgJm2NXtzNbSRJbMamKpQ69mzLWGdFNsRd4aH7PT7uPAURaf7B5BVp3UyjERW +5alSGnBqsZmvlRnVH5BDUhYsWZMPRQS9rRr4iGW0l+TH+O2VJ8aQ +=0Zqq +-----END PGP PUBLIC KEY BLOCK----- diff --git a/salt/common/keys/securityonion.pub b/salt/common/keys/securityonion.pub new file mode 100644 index 000000000..c9148ff5c --- /dev/null +++ b/salt/common/keys/securityonion.pub 
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF7rzwEBEADBg87uJhnC3Ls7s60hbHGaywGrPtbz2WuYA/ev3YS3X7WS75p8 +PGlzTWUCujx0pEHbK2vYfExl3zksZ8ZmLyZ9VB3oSLiWBzJgKAeB7YCFEo8te+eE +P2Z+8c+kX4eOV+2waxZyewA2TipSkhWgStSI4Ow8SyVUcUWA3hCw7mo2duNVi7KO +C3vvI3wzirH+8/XIGo+lWTg6yYlSxdf+0xWzYvV2QCMpwzJfARw6GGXtfCZw/zoO +o4+YPsiyztQdyI1y+g3Fbesl65E36DelbyP+lYd2VecX8ELEv0wlKCgHYlk6lc+n +qnOotVjWbsyXuFfo06PHUd6O9n3nmo0drC6kmXGw1e8hu0t8VcGfMTKS/hszwVUY +bHS6kbfsOoAb6LXPWKfqxk/BdreLXmcHHz88DimS3OS0JufkcmkjxEzSFRL0kb2h +QVb1SATrbx+v2RWQXvi9sLCjT2fdOiwi1Tgc84orc7A1C3Jwu353YaX9cV+n5uyG +OZ2AULZ5z2h13sVuiZAwfyyFs/O0CJ783hFA2TNPnyNGAgw/kaIo7nNRnggtndBo +oQzVS+BHiFx98IF4zDqmF2r2+jOCjxSrw8KnZBe4bgXFtl89DmjoejGvWDnu2MVM +pZDEs1DcOxHBQmTCWMIYLyNKG0xW6diyWBxEIaa7YgrP6kA+RaDfZ/xXPwARAQAB +tD9TZWN1cml0eSBPbmlvbiBTb2x1dGlvbnMsIExMQyA8aW5mb0BzZWN1cml0eW9u +aW9uc29sdXRpb25zLmNvbT6JAlQEEwEKAD4WIQTIBKk9Nr4Mcz6hlkR8EGC3/lBw +EwUCXuvPAQIbAwUJEswDAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRB8EGC3 +/lBwExB1D/42xIDGU2XFNFyTU+ZqzDA8qNC9hEKjLeizbeM8RIm3xO+3p7SdqbuJ +7pA8gk0RiHuILb+Ba1xiSh/w/W2bOxQhsXuWHih2z3W1tI+hu6RQhIm4e6CIHHf7 +Vzj4RSvHOVS0AzITUwkHjv0x0Z8zVBPJfEHKkK2x03BqP1o12rd7n2ZMrSfN6sED +fUwOJLDjthShtyLSPBVG8j7T5cfSCPSLhfVOKPQVcI1sSir7RLeyxt1v1kzjQdaA ++znxO8EgfZJN93wzfBrAGcVT8KmpmgwR6p46m20wJXyZC9DZxJ0o1y3toVWTC+kP +Qj1ROPivySVn10rBoOJk8HteyhW07gTcydq+noKHV7SqJ1899xRAYP7rDCfI9iMW +Nn22ZDLnAkIcbNR7JLJCHwsZH/Umo9KO/dIccIqVQel3UCCYZcWTZW0VkcjqVKRa +eK+JQGaJPrBAoxIG5/sMlbk2sINSubNWlcbH6kM0V8NVwdPiOO9xLmp2hI4ICxE3 +M+O2HCNX4QYzVizzTFxEvW3ieLa4nePQ8J6lvMI2oLkFP7xHoFluvZnuwfNvoEy0 +RnlHExN1UQTUvcbCxIbzjaJ4HJXilWHjgmGaVQO1S7AYskWnNWQ7uJvxnuZBNNwm +pIvwYEZp23fYaWl/xKqnmPMy2ADjROBKlCm7L+Ntq1r7ELGW5ZCTobkCDQRe688B +ARAA22GzdkSAo+mwJ2S1RbJ1G20tFnLsG/NC8iMN3lEh/PSmyPdB7mBtjZ+HPDzF +VSznXZdr3LItBBQOli2hVIj1lZBY7+s2ZufV3TFFwselUwT3b1g1KMkopD95Ckf8 +WhLbSz2yqgrvcEvbB0HFX/ZEsHGqIz2kLacixjwXXLWOMQ2LNbeW1f5zQkBnaNNQ +/4njzTj68OxnvfplNYNJqi2pZGb2UqarYX04FqKNuocN8E7AC9FQdBXylmVctw9T 
+pQVwfCI76bTe6vPWb+keb6UNN1jyXVnhIQ3Fv5sFBsmgXf/hO8tqCotrKjEiK2/i +RkvFeqsGMXreCgYg9zW4k+DcJtVa+Q8juGOjElrubY3Ua9mCusx3vY4QYSWxQ5Ih +k1lXiUcM5Rt38lfpKHRJ5Pd4Y5xlWSQfZ7nmzbf/GzJQz+rWrA0X6Oc6cDOPLNXK +w1dAygre4f2bsp5kHQt6NMefxeNTDmi+4R62K0tb40f5q0Vxz8qdyD48bBsbULNx +kb6mjOAD+FNkfNXcGeuTq9oRnjx8i93mhYsIP5LFNDXS/zSP1nv0ZUFeIlGQGjV9 +1wOvT454qkI9sKiVFtd4FrNKZJbKszxxDm+DPfB5j+hRC4oeEJ7w+sVyh3EawtfM +V7Mwj8i+7c3YUCravXBhSwG7SCTggFUgA8lMr8oWVgCATYsAEQEAAYkCPAQYAQoA +JhYhBMgEqT02vgxzPqGWRHwQYLf+UHATBQJe688BAhsMBQkSzAMAAAoJEHwQYLf+ +UHATTtwQAJiztPW68ykifpFdwYFp1VC7c+uGLhWBqjDY9NSUKNC9caR7bV0cnNu8 +07UG6j18gCB2GSkukXjOR/oTj6rNcW/WouPYfQOrw7+M2Ya8M8iq+E/HOXaXB3b4 +FeCcB0UuwfcHHd2KbXrRHA+9GNpmuOcfTCdsPpIr41Xg4QltATDEt/FrzuKspXg4 +vUKDXgfnbj7y0JcJM2FfcwWGlnAG5MMRyjJQAleGdiidX/9WxgJ4Mweq4qJM0jr3 +Qsrc9VuzxsLr85no3Hn5UYVgT7bBZ59HUbQoi775m78MxN3mWUSdcyLQKovI+YXr +tshTxWIf/2Ovdzt6Wq1WWXOGGuK1qgdPJTFWrlh3amFdb70zR1p6A/Lthd7Zty+n +QjRZRQo5jBSnYtjhMrZP6rxM3QqnQ0frEKK9HfDYONk1Bw18CUtdwFGb9OMregLR +IjvNLp9coSh5yYAepZyUGEPRET0GsmVw2trQF0uyMSkQfiq2zjPto6WWbsmrrbLr +cfZ/wnBw1FoNEd51U54euo9yvOgOVtJGvqLgHNwB8574FhQhoWAMhyizqdgeEt26 +m3FXecUNKL/AK71/l04vor+/WsXe8uhDg3O84qeYa9wgd8LZZVmGZJDosSwqYjtb +LdNNm+v60Zo6rFWSREegqi/nRTTDdxdW99ybjlh+mpbq3xavyFXF +=bhkm +-----END PGP PUBLIC KEY BLOCK----- \ No newline at end of file diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 676b908ce..326ad39da 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
@@ -162,6 +162,23 @@ get_random_value() { head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1 } +gpg_rpm_import() { + if [ $OS = 'centos' ]; then + if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then + local RPMKEYSLOC=$temp_install_dir/salt/common/keys + else + local RPMKEYSLOC=$UPDATEDIR/salt/common/keys + fi + + RPMKEYS=('RPM-GPG-KEY-EPEL-7' 'GPG-KEY-WAZUH' 'docker.pub' 'SALTSTACK-GPG-KEY.pub' 'securityonion.pub') + + for RPMKEY in "${RPMKEYS[@]}"; do + rpm --import $RPMKEYSLOC/$RPMKEY + echo "Imported $RPMKEY" + done + fi +} + header() { printf '%s\n' "" "$banner" " $*" "$banner" } diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 6ff298770..cb2d19aed 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -24,6 +24,7 @@ INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk {'print $2'}) DEFAULT_SALT_DIR=/opt/so/saltstack/default BATCHSIZE=5 SOUP_LOG=/root/soup.log +WHATWOULDYOUSAYYAHDOHERE=soup add_common() { cp $UPDATE_DIR/salt/common/tools/sbin/so-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/ diff --git a/salt/manager/files/acng/acng.conf b/salt/manager/files/acng/acng.conf index a37d898af..1cc6bf6d9 100644 --- a/salt/manager/files/acng/acng.conf +++ b/salt/manager/files/acng/acng.conf @@ -20,6 +20,7 @@ Remap-npm: registry.npmjs.org Remap-node: nodejs.org Remap-apache: file:apache_mirrors ; file:backends_apache.us Remap-salt: repo.saltstack.com; https://repo.saltstack.com +Remap-securityonion: http://repocache.securityonion.net ; file:securityonion # Remap-secdeb: security.debian.org ReportPage: acng-report.html # SocketPath:/var/run/apt-cacher-ng/socket diff --git a/setup/so-functions b/setup/so-functions index b6cf569fb..d98a833da 100755 --- a/setup/so-functions +++ b/setup/so-functions 
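Review bot: `rpm --import $RPMKEYSLOC/$RPMKEY` in gpg_rpm_import is unchecked, so a missing or unreadable key file still prints `Imported $RPMKEY` and setup carries on without that repository's signing key, which only surfaces later as a gpgcheck failure far from the cause. Quote the path and stop on error: `rpm --import "$RPMKEYSLOC/$RPMKEY" || { echo "Failed to import $RPMKEY" >&2; return 1; }`. `RPMKEYS` is also assigned without `local`, so the array leaks into the caller's scope; `local RPMKEYS=(...)` keeps it inside the function. The same unchecked import survives in the later rewrites of this function in PATCH 19 and PATCH 29 on this page.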
@@ -159,11 +159,6 @@ check_network_manager_conf() { systemctl restart NetworkManager } >> "$setup_log" 2>&1 fi - - #if test -f "$nmconf"; then -# sed -i 's/managed=false/managed=true/g' "$nmconf" >> "$setup_log" 2>&1 -# systemctl restart NetworkManager >> "$setup_log" 2>&1 -# fi if [[ ! -d "$preupdir" ]]; then mkdir "$preupdir" >> "$setup_log" 2>&1 @@ -1054,40 +1049,11 @@ disable_ipv6() { } >> /etc/sysctl.conf } -#disable_misc_network_features() { -# filter_unused_nics -# if [ ${#filtered_nics[@]} -ne 0 ]; then -# for unused_nic in "${filtered_nics[@]}"; do -# if [ -n "$unused_nic" ]; then -# echo "Disabling unused NIC: $unused_nic" >> "$setup_log" 2>&1 -# -# # Disable DHCPv4/v6 and autoconnect -# nmcli con mod "$unused_nic" \ -# ipv4.method disabled \ -# ipv6.method ignore \ -# connection.autoconnect "no" >> "$setup_log" 2>&1 -# -# # Flush any existing IPs -# ip addr flush "$unused_nic" >> "$setup_log" 2>&1 -# fi -# done -# fi -# # Disable IPv6 -# { -# echo "net.ipv6.conf.all.disable_ipv6 = 1" -# echo "net.ipv6.conf.default.disable_ipv6 = 1" -# echo "net.ipv6.conf.lo.disable_ipv6 = 1" -# } >> /etc/sysctl.conf -#} - docker_install() { if [ $OS = 'centos' ]; then { yum clean expire-cache; - #if [[ ! $is_airgap ]]; then - # yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo; - #fi if [[ ! $is_iso ]]; then yum -y install docker-ce-20.10.5-3.el7 containerd.io-1.4.4-3.1.el7; fi @@ -1988,11 +1954,6 @@ saltify() { # Install updates and Salt if [ $OS = 'centos' ]; then - set_progress_str 5 'Installing Salt repo' - { - sudo rpm --import https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub; - #cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo; - } >> "$setup_log" 2>&1 set_progress_str 6 'Installing various dependencies' if [[ ! $is_iso ]]; then logCmd "yum -y install wget nmap-ncat" 
@@ -2001,7 +1962,6 @@ saltify() { 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT') reserve_group_ids >> "$setup_log" 2>&1 if [[ ! $is_iso ]]; then - #logCmd "yum -y install epel-release" logCmd "yum -y install sqlite argon2 curl mariadb-devel" fi # Download Ubuntu Keys in case manager updates = 1 @@ -2010,7 +1970,6 @@ saltify() { logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3002.5/SALTSTACK-GPG-KEY.pub" logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" - #logCmd "cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo" fi set_progress_str 7 'Installing salt-master' if [[ ! $is_iso ]]; then @@ -2035,13 +1994,11 @@ saltify() { ;; esac if [[ ! $is_airgap ]]; then - #cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo >> "$setup_log" 2>&1 yum clean expire-cache >> "$setup_log" 2>&1 fi set_progress_str 8 'Installing salt-minion & python modules' { if [[ ! $is_iso ]]; then - #yum -y install epel-release yum -y install salt-minion-3002.5\ python3\ python36-docker\ @@ -2266,10 +2223,14 @@ secrets_pillar(){ securityonion_repo() { # Remove all the current repos - if [ "$OS" = 'centos' ]; then + if [[ "$OS" == "centos" ]]; then mkdir -p /root/oldrepos mv /etc/yum.repos.d/* /root/oldrepos/ - cp -f ./yum_repos/securityonion.repo /etc/yum.repos.d/ + if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then + cp -f ./yum_repos/securityonioncache.repo /etc/yum.repos.d/ + else + cp -f ./yum_repos/securityonion.repo /etc/yum.repos.d/ + fi else echo "This is Ubuntu" fi diff --git a/setup/so-setup b/setup/so-setup index a532158f4..5989012ce 100755 --- a/setup/so-setup +++ b/setup/so-setup 
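Review bot: In securityonion_repo the `cp -f ./yum_repos/...` on either branch is unchecked and uses a path relative to whatever the current directory happens to be, so if the copy fails the host is left with every repository definition moved to /root/oldrepos and none installed, and the problem only shows up when yum next runs. `cp -f ./yum_repos/securityonioncache.repo /etc/yum.repos.d/ || { echo "Failed to install repo file" >&2; return 1; }` (and the same for the other branch) reports it at the point of failure. A comment stating the cwd the relative path assumes, e.g. `# Paths are relative to the setup directory`, would help the next reader; the function's closing brace is outside the hunk.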
@@ -632,7 +632,9 @@ set_redirect >> $setup_log 2>&1 fi set_progress_str 2 'Updating packages' - update_packages >> $setup_log 2>&1 + if [[ ! $is_airgap ]] + update_packages >> $setup_log 2>&1 + fi if [[ $is_sensor || $is_helix || $is_import ]]; then set_progress_str 3 'Generating sensor pillar' diff --git a/setup/yum_repos/securityonioncache.repo b/setup/yum_repos/securityonioncache.repo new file mode 100644 index 000000000..a38bac944 --- /dev/null +++ b/setup/yum_repos/securityonioncache.repo 
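Review bot: The new `if [[ ! $is_airgap ]]` line has no `; then`, so bash rejects the block with a syntax error at parse time and so-setup does not run at all; it should read `if [[ ! $is_airgap ]]; then`. PATCH 18 later on this page adds the missing `then`, but PATCH 15 and PATCH 16 in between carry the broken form. The enclosing block starts before the hunk.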
@@ -0,0 +1,56 @@
+[base]
+name=CentOS-$releasever - Base
+baseurl=https://repocache.securityonion.net/file/securityonion-repo/base/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#released updates
+[updates]
+name=CentOS-$releasever - Updates
+baseurl=http://repocache.securityonion.net/file/securityonion-repo/updates/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#additional packages that may be useful
+[extras]
+name=CentOS-$releasever - Extras
+baseurl=http://repocache.securityonion.net/file/securityonion-repo/extras/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+#additional packages that extend functionality of existing packages
+[centosplus]
+name=CentOS-$releasever - Plus
+baseurl=http://repocache.securityonion.net/file/securityonion-repo/centosplus/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
+
+[epel]
+name=Extra Packages for Enterprise Linux 7 - $basearch
+baseurl=http://repocache.securityonion.net/file/securityonion-repo/epel/
+enabled=1
+gpgcheck=1
+gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/RPM-GPG-KEY-EPEL-7
+
+[docker-ce-stable]
+name=Docker CE Stable - $basearch
+baseurl=http://repocache.securityonion.net/file/securityonion-repo/docker-ce-stable
+enabled=1
+gpgcheck=1
+gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/docker.pub
+
+[saltstack]
+name=SaltStack repo for RHEL/CentOS $releasever PY3
+baseurl=http://repocache.securityonion.net/file/securityonion-repo/saltstack/
+enabled=1
+gpgcheck=1
+gpgkey=https://repocache.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub
+
+[wazuh_repo]
+gpgcheck=1
+gpgkey=http://repocache.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH
+enabled=1
+name=Wazuh repository
+baseurl=https://repocache.securityonion.net/file/securityonion-repo/wazuh_repo/
+protect=1
\ No newline at end of file
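Review bot: Every section sets `gpgcheck=1` but none sets `repo_gpgcheck=1`, and most baseurls are plain http, so package signatures are verified but the repository metadata is not; on that transport a stale repomd.xml can be served to clients and keep them on older package versions without any signature failing. If the cache signs its metadata, add `repo_gpgcheck=1` to each section; if it does not, a comment at the top stating that metadata freshness relies on the network path (and that the cache is reached only from the manager side) records the trade-off. The scheme is also inconsistent within the file ([base] and [wazuh_repo] https, the rest http) and PATCH 24 and PATCH 25 later on this page move those two to http as well, while the `[saltstack]` gpgkey here is the only key fetched from the cache host rather than from repo.securityonion.net over https as the other sections do, which PATCH 24 also changes. The file ends without a trailing newline.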
From 26f8ae87c59c56dc621e9cfd5a8c763ca0851494 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 26 Mar 2021 16:10:00 -0400 Subject: [PATCH 15/45] Fix acng to actually cache --- setup/so-setup | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 5989012ce..edbb5b408 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -47,6 +47,7 @@ source ./so-variables # Parse command line arguments setup_type=$1 automation=$2 +WHATWOULDYOUSAYYAHDOHERE=setup while [[ $# -gt 0 ]]; do arg="$1" @@ -622,8 +623,6 @@ set_redirect >> $setup_log 2>&1 info "Creating airgap repo" create_repo >> $setup_log 2>&1 airgap_rules >> $setup_log 2>&1 - else - securityonion_repo >> $setup_log 2>&1 fi if [[ $is_minion ]]; then @@ -632,7 +631,11 @@ set_redirect >> $setup_log 2>&1 fi set_progress_str 2 'Updating packages' + # Import the gpg keys + gpg_rpm_import if [[ ! $is_airgap ]] + securityonion_repo >> $setup_log 2>&1 + gpg_rpm_import >> $setup_log 2>&1 update_packages >> $setup_log 2>&1 fi From 955d41abde6522c5834e2c93b188a39921ff8690 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 26 Mar 2021 16:18:49 -0400 Subject: [PATCH 16/45] Fix acng to actually cache --- salt/common/tools/sbin/so-common | 2 +- setup/so-setup | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 326ad39da..985042876 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -163,7 +163,7 @@ get_random_value() { } gpg_rpm_import() { - if [ $OS = 'centos' ]; then + if [[ "$OS" = "centos" ]]; then if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then local RPMKEYSLOC=$temp_install_dir/salt/common/keys else diff --git a/setup/so-setup b/setup/so-setup index edbb5b408..7d42f94bc 100755 --- a/setup/so-setup +++ b/setup/so-setup 
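Review bot: In the third so-setup hunk `gpg_rpm_import` is now called twice in succession (once before and once inside the `if [[ ! $is_airgap ]]` block), the first call's output is not redirected to `$setup_log` unlike every neighbouring command, and the `if` line still lacks `; then`, so the block remains a syntax error. PATCH 16 and PATCH 18 later on this page remove the duplicate and add the `then`; what is still missing afterwards is a comment saying why the import deliberately runs before `securityonion_repo` and on airgap installs too, e.g. `# Import signing keys first so gpgcheck succeeds the first time the new repo files are read; airgap installs need them as well`.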
@@ -635,7 +635,6 @@ set_redirect >> $setup_log 2>&1 gpg_rpm_import if [[ ! $is_airgap ]] securityonion_repo >> $setup_log 2>&1 - gpg_rpm_import >> $setup_log 2>&1 update_packages >> $setup_log 2>&1 fi From bab062e52b7bd8cef5cae153edf0fb22c6063648 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 26 Mar 2021 16:21:03 -0400 Subject: [PATCH 17/45] Fix acng to actually cache --- salt/common/tools/sbin/so-common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 985042876..53901a73a 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -163,7 +163,7 @@ get_random_value() { } gpg_rpm_import() { - if [[ "$OS" = "centos" ]]; then + if [[ "$OS" == "centos" ]]; then if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then local RPMKEYSLOC=$temp_install_dir/salt/common/keys else From 362bf555260b4141bb6dd796da6fdf10d12df582 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sun, 28 Mar 2021 22:01:58 -0400 Subject: [PATCH 18/45] fixpath for GPG keys --- setup/so-functions | 1 + setup/so-setup | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index d98a833da..99819e9a9 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2226,6 +2226,7 @@ securityonion_repo() { if [[ "$OS" == "centos" ]]; then mkdir -p /root/oldrepos mv /etc/yum.repos.d/* /root/oldrepos/ + rm -f /etc/yum.repos.d/* if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then cp -f ./yum_repos/securityonioncache.repo /etc/yum.repos.d/ else diff --git a/setup/so-setup b/setup/so-setup index 7d42f94bc..9beb11cec 100755 --- a/setup/so-setup +++ b/setup/so-setup 
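Review bot: The added `rm -f /etc/yum.repos.d/*` in securityonion_repo runs unconditionally after `mv /etc/yum.repos.d/* /root/oldrepos/`, so anything the move failed to preserve is deleted rather than kept, which defeats the backup the `mv` exists to make, and neither command's status is checked. If the intent is a guaranteed-empty directory, check the move instead: `mv /etc/yum.repos.d/* /root/oldrepos/ || { echo "Could not back up existing repo files" >&2; return 1; }`. The function continues outside the hunk.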
@@ -632,8 +632,8 @@ set_redirect >> $setup_log 2>&1 set_progress_str 2 'Updating packages' # Import the gpg keys - gpg_rpm_import - if [[ ! $is_airgap ]] + gpg_rpm_import >> $setup_log 2>&1 + if [[ ! $is_airgap ]]; then securityonion_repo >> $setup_log 2>&1 update_packages >> $setup_log 2>&1 fi From 5882642c3255b43714c8195d1947f9cbf1f993ff Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sun, 28 Mar 2021 22:10:02 -0400 Subject: [PATCH 19/45] fixpath for GPG Keys for real --- salt/common/tools/sbin/so-common | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 53901a73a..04fcf529d 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -165,9 +165,9 @@ get_random_value() { gpg_rpm_import() { if [[ "$OS" == "centos" ]]; then if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then - local RPMKEYSLOC=$temp_install_dir/salt/common/keys + local RPMKEYSLOC="../salt/common/keys" else - local RPMKEYSLOC=$UPDATEDIR/salt/common/keys + local RPMKEYSLOC="$UPDATEDIR/salt/common/keys" fi RPMKEYS=('RPM-GPG-KEY-EPEL-7' 'GPG-KEY-WAZUH' 'docker.pub' 'SALTSTACK-GPG-KEY.pub' 'securityonion.pub') From d889bd26946775839a68ec20faed79d15533aaeb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Sun, 28 Mar 2021 22:32:03 -0400 Subject: [PATCH 20/45] Fix Security Onio Pub Key --- salt/common/keys/securityonion.pub | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/keys/securityonion.pub b/salt/common/keys/securityonion.pub index c9148ff5c..15be14ca9 100644 --- a/salt/common/keys/securityonion.pub +++ b/salt/common/keys/securityonion.pub @@ -49,4 +49,4 @@ cfZ/wnBw1FoNEd51U54euo9yvOgOVtJGvqLgHNwB8574FhQhoWAMhyizqdgeEt26 m3FXecUNKL/AK71/l04vor+/WsXe8uhDg3O84qeYa9wgd8LZZVmGZJDosSwqYjtb LdNNm+v60Zo6rFWSREegqi/nRTTDdxdW99ybjlh+mpbq3xavyFXF =bhkm ------END PGP PUBLIC KEY BLOCK----- \ No newline at end of file +-----END PGP PUBLIC KEY BLOCK----- 
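Review bot: `local RPMKEYSLOC="../salt/common/keys"` in the PATCH 19 hunk ties gpg_rpm_import to the caller's working directory, and because `rpm --import` is unchecked a wrong cwd still prints `Imported $RPMKEY` for every key. A guard that fails early, `[[ -d $RPMKEYSLOC ]] || { echo "Key directory $RPMKEYSLOC not found" >&2; return 1; }`, plus a comment naming the assumption, e.g. `# Relative to the setup directory, which is the cwd when so-setup sources this file — confirm`, makes the dependency visible. The function's tail is outside the hunk.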
From 6bce8e8e2cffb4ee655eea8671767cde22c869b4 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 29 Mar 2021 07:30:26 -0400 Subject: [PATCH 21/45] Remove incompatible example --- salt/soc/files/soc/custom.js | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/salt/soc/files/soc/custom.js b/salt/soc/files/soc/custom.js index b23b7c36b..575e019a7 100644 --- a/salt/soc/files/soc/custom.js +++ b/salt/soc/files/soc/custom.js @@ -17,8 +17,5 @@ suggested to avoid and/or minimize the extent of any content placed here so that upgrading to newer version of Security Onion do not become a burden. - - Example: - - i18n.translations["en-US"].loginHeader = "Unauthorized use of this computer system is prohibited..."; + */ From 2ff790699fc9960c85d1566a3558f9ca5840e87c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 29 Mar 2021 09:36:24 -0400 Subject: [PATCH 22/45] [fix] Set ntp_string to empty, not ntp_servers --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 6dd10096b..533a77a92 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -489,7 +489,7 @@ collect_node_ls_pipeline_worker_count() { collect_ntp_servers() { if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' || -n $so_proxy ]]; then if whiptail_ntp_ask; then - [[ $is_airgap ]] && ntp_servers=() + [[ $is_airgap ]] && ntp_string="" whiptail_ntp_servers "$ntp_string" while ! valid_ntp_list "$ntp_string"; do From 1a58479f39178207ce08c7b028e5af7de2e7c9a8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 29 Mar 2021 15:15:34 -0400 Subject: [PATCH 23/45] Fix acng passthrough --- salt/manager/files/acng/acng.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/files/acng/acng.conf b/salt/manager/files/acng/acng.conf index 1cc6bf6d9..3492cf111 100644 --- a/salt/manager/files/acng/acng.conf +++ b/salt/manager/files/acng/acng.conf 
@@ -80,7 +80,7 @@ RedirMax: 6 VfileUseRangeOps: 0 # PassThroughPattern: private-ppa\.launchpad\.net:443$ # PassThroughPattern: .* # this would allow CONNECT to everything -PassThroughPattern: (download\.docker\.com:443|mirrors\.fedoraproject\.org:443|packages\.wazuh\.com:443|repo\.saltstack\.com:443|yum\.dockerproject\.org:443|download\.docker\.com:443|registry\.npmjs\.org:443|registry\.yarnpkg\.com:443)$ # yarn/npm pkg, cant to http :/ +PassThroughPattern: (repo\.securityonion\.net:443|download\.docker\.com:443|mirrors\.fedoraproject\.org:443|packages\.wazuh\.com:443|repo\.saltstack\.com:443|yum\.dockerproject\.org:443|download\.docker\.com:443|registry\.npmjs\.org:443|registry\.yarnpkg\.com:443)$ # yarn/npm pkg, cant to http :/ # ResponseFreezeDetectTime: 500 # ReuseConnections: 1 # PipelineDepth: 255 From f73bf947bcbd662d8693296b3642bdb2764722a6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 29 Mar 2021 15:42:26 -0400 Subject: [PATCH 24/45] Fix repo url --- setup/yum_repos/securityonioncache.repo | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/yum_repos/securityonioncache.repo b/setup/yum_repos/securityonioncache.repo index a38bac944..a55ee47d4 100644 --- a/setup/yum_repos/securityonioncache.repo +++ b/setup/yum_repos/securityonioncache.repo @@ -1,6 +1,6 @@ [base] name=CentOS-$releasever - Base -baseurl=https://repocache.securityonion.net/file/securityonion-repo/base/ +baseurl=http://repocache.securityonion.net/file/securityonion-repo/base/ gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 
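Review bot: The rewritten PassThroughPattern still lists `download\.docker\.com:443` twice (the duplicate predates this change and the edit keeps both), which is harmless to the regex but makes the list harder to audit; since this pattern is the set of hosts the proxy will open CONNECT tunnels to on behalf of clients, it is worth keeping minimal and readable, so drop the second occurrence. A comment above it grouping the hosts by purpose (CentOS/EPEL mirrors, Docker, Salt, Wazuh, npm/yarn, the Security Onion repo) would also help whoever next has to add one.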
@@ -45,11 +45,11 @@ name=SaltStack repo for RHEL/CentOS $releasever PY3 baseurl=http://repocache.securityonion.net/file/securityonion-repo/saltstack/ enabled=1 gpgcheck=1 -gpgkey=https://repocache.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub +gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub [wazuh_repo] gpgcheck=1 -gpgkey=http://repocache.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH +gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH enabled=1 name=Wazuh repository baseurl=https://repocache.securityonion.net/file/securityonion-repo/wazuh_repo/ From 3fce63e0c5e4a6142a5b998c29e03092c4119644 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 29 Mar 2021 16:43:44 -0400 Subject: [PATCH 25/45] Fix Repo Again --- setup/yum_repos/securityonioncache.repo | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/yum_repos/securityonioncache.repo b/setup/yum_repos/securityonioncache.repo index a55ee47d4..4fcb992d5 100644 --- a/setup/yum_repos/securityonioncache.repo +++ b/setup/yum_repos/securityonioncache.repo @@ -52,5 +52,5 @@ gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH enabled=1 name=Wazuh repository -baseurl=https://repocache.securityonion.net/file/securityonion-repo/wazuh_repo/ +baseurl=http://repocache.securityonion.net/file/securityonion-repo/wazuh_repo/ protect=1 \ No newline at end of file From 0e9ffe033d86ce9ab78df1d6c1d157692ef6e40c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 30 Mar 2021 09:30:06 -0400 Subject: [PATCH 26/45] Show message about setting up network earlier during setup --- setup/so-setup | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index d9e64105a..982195703 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -298,6 +298,10 @@ if ! [[ -f $install_opt_file ]]; then source "$net_init_file" fi + if [[ $is_minion ]] || [[ $reinit_networking ]] || [[ $is_iso ]] && ! [[ -f $net_init_file ]]; then + whiptail_management_interface_setup + fi + if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then network_init fi @@ -315,10 +319,6 @@ if ! [[ -f $install_opt_file ]]; then [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 fi - if [[ $is_minion ]] || [[ $reinit_networking ]] || [[ $is_iso ]] && ! [[ -f $net_init_file ]]; then - whiptail_management_interface_setup - fi - if [[ $is_minion ]]; then add_mngr_ip_to_hosts fi From 25eca39428a585557183535c3424b0cda00d9479 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 30 Mar 2021 09:54:21 -0400 Subject: [PATCH 27/45] Always ask for ntp setup on iso installs, don't ask on network installs --- setup/so-functions | 48 ++++++++++++++++++---------------------------- setup/so-setup | 5 ++--- 2 files changed, 21 insertions(+), 32 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 533a77a92..5c69b817a 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -487,20 +487,18 @@ collect_node_ls_pipeline_worker_count() { } collect_ntp_servers() { - if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' || -n $so_proxy ]]; then - if whiptail_ntp_ask; then - [[ $is_airgap ]] && ntp_string="" + if whiptail_ntp_ask; then + [[ $is_airgap ]] && ntp_string="" + whiptail_ntp_servers "$ntp_string" + + while ! valid_ntp_list "$ntp_string"; do + whiptail_invalid_input whiptail_ntp_servers "$ntp_string" + done - while ! valid_ntp_list "$ntp_string"; do - whiptail_invalid_input - whiptail_ntp_servers "$ntp_string" - done - - IFS="," read -r -a ntp_servers <<< "$ntp_string" # Split string on commas into array - else - ntp_servers=() - fi + IFS="," read -r -a ntp_servers <<< "$ntp_string" # Split string on commas into array + else + ntp_servers=() fi } 
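Review bot: The moved condition `[[ $is_minion ]] || [[ $reinit_networking ]] || [[ $is_iso ]] && ! [[ -f $net_init_file ]]` relies on bash evaluating `||` and `&&` left to right with equal precedence, so it reads as `(minion || reinit || iso) && no net_init_file`, not `minion || reinit || (iso && no net_init_file)`; the line is unchanged by this commit, but now that it runs ahead of `network_init` the intended reading is worth pinning down. Explicit grouping removes the ambiguity, e.g. `if { [[ $is_minion ]] || [[ $reinit_networking ]] || [[ $is_iso ]]; } && ! [[ -f $net_init_file ]]; then`, or the other grouping if that is what is meant. The enclosing `if ! [[ -f $install_opt_file ]]` block starts and ends outside the hunk.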
@@ -725,21 +723,19 @@ configure_ntp() { # Install chrony if it isn't already installed if ! command -v chronyc &> /dev/null; then - if [ "$OS" == centos ]; then - yum -y install chrony - else - retry 50 10 "apt-get -y install chrony" || exit 1 - fi + yum -y install chrony fi - [[ -f $chrony_conf ]] && rm -f $chrony_conf + [[ -f $chrony_conf ]] && mv $chrony_conf "$chrony_conf.bak" + + echo "# Config created by Security Onion" > $chrony_conf # Build list of servers for addr in "${ntp_servers[@]}"; do echo "server $addr iburst" >> $chrony_conf done - printf '%s\n' \ + printf '%s\n\n' \ 'driftfile /var/lib/chrony/drift' \ 'makestep 1.0 3' \ 'rtcsync' \ @@ -748,10 +744,10 @@ configure_ntp() { systemctl enable chronyd systemctl start chronyd - # Sync time & update the system time - chronyc -a 'burst 4/4' - sleep 20 # Wait for chrony to sync - chronyc -a makestep + # Tell the chrony daemon to sync time & update the system time + # Since these commands only make a call to chronyd, wait after each command to make sure the changes are made + chronyc -a 'burst 4/4' && sleep 30 + chronyc -a makestep && sleep 30 } checkin_at_boot() { @@ -761,12 +757,6 @@ checkin_at_boot() { echo "startup_states: highstate" >> "$minion_config" } -check_ntp_configured() { - if systemctl is-active --quiet chronyd || systemctl is-active --quiet ntpd; then - ntp_configured=true - fi -} - check_requirements() { local standalone_or_dist=$1 local node_type=$2 # optional diff --git a/setup/so-setup b/setup/so-setup index 982195703..37121c4fb 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -534,8 +534,7 @@ if [[ $is_sensor && ! $is_eval ]]; then fi fi -check_ntp_configured -[[ -z $ntp_configured ]] && collect_ntp_servers +[[ $is_iso ]] && collect_ntp_servers if [[ $is_node && ! $is_eval ]]; then whiptail_node_advanced 
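Review bot: configure_ntp now runs `yum -y install chrony` with no `$OS` branch, so on a host where yum is absent (update_packages at the end of this page still has an apt branch) the install fails, its status is unchecked, and the function goes on to write /etc/chrony.conf and enable chronyd for a package that was never installed. If the `[[ $is_iso ]] && collect_ntp_servers` gate in so-setup means this path is CentOS-only by design, say so and fail loudly: `# Only reached on ISO installs, which are CentOS` followed by `yum -y install chrony || return 1`. The two fixed `sleep 30` calls add a minute to every install regardless of whether the clock is already synchronised; `chronyc waitsync` (available in recent chrony releases) blocks only until sync is reached and returns non-zero on timeout, which is the condition the sleeps approximate. The `mv $chrony_conf "$chrony_conf.bak"` line leaves its first operand unquoted.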
@@ -584,7 +583,7 @@ set_redirect >> $setup_log 2>&1 # Show initial progress message set_progress_str 0 'Running initial configuration steps' - [[ -z $ntp_configured ]] && [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 + [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 reserve_ports From 5f5a53b8bb9dfb85e23f13fce913b4ea4fbe404b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 30 Mar 2021 11:14:58 -0400 Subject: [PATCH 28/45] Push repolist to dev null --- salt/common/init.sls | 5 ----- setup/so-functions | 1 + 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 157f2d49a..3e6774219 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -72,11 +72,6 @@ repair_yumdb: - onlyif: - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"' -epel: - pkg.installed: - - skip_suggestions: True - - pkgs: - - epel-release {% endif %} # Install common packages diff --git a/setup/so-functions b/setup/so-functions index 99819e9a9..9adb22b86 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2644,6 +2644,7 @@ update_sudoers() { update_packages() { if [ "$OS" = 'centos' ]; then + yum repolist >> /dev/null yum -y update >> "$setup_log" else retry 50 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1 From 09064baf716afaad69837e64ce16d12434575253 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 30 Mar 2021 11:21:19 -0400 Subject: [PATCH 29/45] Update so-common --- salt/common/tools/sbin/so-common | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 04fcf529d..ccf211637 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
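Review bot: In the update_packages hunk `yum repolist >> /dev/null` discards only stdout, so any warning or error from the freshly installed repo files or keys goes to the terminal instead of `$setup_log`, and appending to /dev/null reads like a copy of the logging lines rather than a deliberate choice. `yum repolist >> "$setup_log" 2>&1` keeps that output with the rest of the setup record, which is where you want it when a repo definition turns out to be broken, and a one-line comment naming why the extra call is needed (presumably to refresh metadata after securityonion_repo swapped the repo files) would explain it. The `yum -y update` status on the next line is still unchecked, unlike the apt branch, though that predates this change.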
@@ -173,8 +173,8 @@ gpg_rpm_import() { RPMKEYS=('RPM-GPG-KEY-EPEL-7' 'GPG-KEY-WAZUH' 'docker.pub' 'SALTSTACK-GPG-KEY.pub' 'securityonion.pub') for RPMKEY in "${RPMKEYS[@]}"; do - rpm --import $RPMKEYSLOC/$RPMKEY - echo "Imported $RPMKEY" + rpm --import $RPMKEYSLOC/$RPMKEY + echo "Imported $RPMKEY" done fi } From fc3fd00216913b6446706a185b3dfdeafe95af1a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 30 Mar 2021 11:28:47 -0400 Subject: [PATCH 30/45] Fix formatting --- setup/so-functions | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 9adb22b86..aff7a8375 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1978,19 +1978,6 @@ saltify() { systemctl enable salt-master >> "$setup_log" 2>&1 ;; *) - #if [ "$MANAGERUPDATES" = '1' ]; then - # { - # if [[ ! $is_airgap ]]; then - # Create the GPG Public Key for the Salt Repo - #cp ./public_keys/salt.pem /etc/pki/rpm-gpg/saltstack-signing-key; - - # Copy repo files over - #cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo; - # else - # info "This is airgap" - # fi - # } >> "$setup_log" 2>&1 - #fi ;; esac if [[ ! $is_airgap ]]; then @@ -2645,7 +2632,7 @@ update_sudoers() { update_packages() { if [ "$OS" = 'centos' ]; then yum repolist >> /dev/null - yum -y update >> "$setup_log" + yum -y update >> "$setup_log" else retry 50 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1 From 7049383ba68d162fe60f0f9391f391eeb1875012 Mon Sep 17 00:00:00 2001 
From: Wes Lambert Date: Tue, 30 Mar 2021 15:47:05 +0000 Subject: [PATCH 31/45] Add Elastic scripts --- .../tools/sbin/so-elasticsearch-indices-list | 21 ++++++++++++++++ .../tools/sbin/so-elasticsearch-pipeline-view | 25 +++++++++++++++++++ .../tools/sbin/so-elasticsearch-shards-list | 21 ++++++++++++++++ .../sbin/so-elasticsearch-template-remove | 21 ++++++++++++++++ .../tools/sbin/so-elasticsearch-template-view | 25 +++++++++++++++++++ .../tools/sbin/so-kibana-space-defaults | 0 salt/common/tools/sbin/so-logstash-events | 25 +++++++++++++++++++ .../tools/sbin/so-logstash-pipeline-stats | 25 +++++++++++++++++++ 8 files changed, 163 insertions(+) create mode 100755 salt/common/tools/sbin/so-elasticsearch-indices-list create mode 100755 salt/common/tools/sbin/so-elasticsearch-pipeline-view create mode 100755 salt/common/tools/sbin/so-elasticsearch-shards-list create mode 100755 salt/common/tools/sbin/so-elasticsearch-template-remove create mode 100755 salt/common/tools/sbin/so-elasticsearch-template-view mode change 100644 => 100755 salt/common/tools/sbin/so-kibana-space-defaults create mode 100755 salt/common/tools/sbin/so-logstash-events create mode 100755 salt/common/tools/sbin/so-logstash-pipeline-stats diff --git a/salt/common/tools/sbin/so-elasticsearch-indices-list b/salt/common/tools/sbin/so-elasticsearch-indices-list new file mode 100755 index 000000000..c9df67a25 --- /dev/null +++ b/salt/common/tools/sbin/so-elasticsearch-indices-list 
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see
+{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
+
+. /usr/sbin/so-common
+
+curl -s -k -L https://{{ NODEIP }}:9200/_cat/indices?pretty
diff --git a/salt/common/tools/sbin/so-elasticsearch-pipeline-view b/salt/common/tools/sbin/so-elasticsearch-pipeline-view
new file mode 100755
index 000000000..04901e122
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-pipeline-view
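Review bot: The `curl -s -k -L` call on the last line disables certificate verification, so whatever answers on `{{ NODEIP }}:9200` is trusted, and `-s` without `--fail` means an HTTP error page is printed as if it were the index list while the script still exits 0. If the CA that issued the node certificate is available on disk (the rest of the stack presumably has it), `curl -sS --fail -L --cacert <ca.crt> "https://{{ NODEIP }}:9200/_cat/indices?pretty"` keeps the output quiet, surfaces failures and removes the need for `-k`. The pillar lookup defaults to an empty string, so a missing `elasticsearch:mainip` produces the URL `https://:9200`; a one-line guard such as `[ -n "{{ NODEIP }}" ] || { echo "elasticsearch:mainip pillar not set" >&2; exit 1; }` would make that failure explicit.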
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see
+{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
+
+. /usr/sbin/so-common
+
+if [ "$1" == "" ]; then
+ curl -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/* | jq .
+else
+ curl -s -k -L https://{{ NODEIP }}:9200/_ingest/pipeline/$1 | jq .
+fi
diff --git a/salt/common/tools/sbin/so-elasticsearch-shards-list b/salt/common/tools/sbin/so-elasticsearch-shards-list
new file mode 100755
index 000000000..9d28ed95b
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-shards-list
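Review bot: Both URLs are unquoted, so the `*` in the first branch is subject to shell globbing and `$1` in the second branch is word-split; a pipeline ID containing whitespace or glob characters is passed to curl as several arguments. Quoting fixes both: `curl -s -k -L 'https://{{ NODEIP }}:9200/_ingest/pipeline/*' | jq .` and `curl -s -k -L "https://{{ NODEIP }}:9200/_ingest/pipeline/$1" | jq .`. As in the sibling scripts, `-k` turns off certificate verification for the whole call; if the node CA is on disk, `--cacert` is preferable, and `-sS --fail` would stop a non-2xx response from being silently piped into `jq`.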
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see
+{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
+
+. /usr/sbin/so-common
+
+curl -s -k -L https://{{ NODEIP }}:9200/_cat/shards?pretty
diff --git a/salt/common/tools/sbin/so-elasticsearch-template-remove b/salt/common/tools/sbin/so-elasticsearch-template-remove
new file mode 100755
index 000000000..f7c3e6812
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-template-remove
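Review bot: This script repeats the same `curl -s -k -L https://{{ NODEIP }}:9200` prologue as the other four new Elasticsearch helpers, so the decision to skip certificate verification and to hide HTTP errors is now copied into five places. A small wrapper in the sourced `/usr/sbin/so-common` (for example `so_es_curl() { curl -sS --fail -L --cacert <ca.crt> "$@"; }`) would keep the TLS and error-handling options in one spot and let `-k` be retired everywhere at once. Until then, at least `curl -sS --fail -k -L "https://{{ NODEIP }}:9200/_cat/shards?pretty"` would make a failed request visible instead of exiting 0 with an error body on stdout.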
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see
+{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
+
+. /usr/sbin/so-common
+
+curl -s -k -L -XDELETE https://{{ NODEIP }}:9200/_template/$1
diff --git a/salt/common/tools/sbin/so-elasticsearch-template-view b/salt/common/tools/sbin/so-elasticsearch-template-view
new file mode 100755
index 000000000..c9f3ec199
--- /dev/null
+++ b/salt/common/tools/sbin/so-elasticsearch-template-view
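Review bot: The `-XDELETE` on the last line is destructive but `$1` is never validated or quoted, so running the script with no argument sends `DELETE /_template/` and a name such as `*` would match every template on the cluster; whatever Elasticsearch answers is then hidden by `-s` and the script exits 0. A usage guard and quoting are cheap: `[ -z "$1" ] && { echo "Usage: $0 <template-name>" >&2; exit 1; }` followed by `curl -sS --fail -k -L -XDELETE "https://{{ NODEIP }}:9200/_template/$1"`. Because the operation cannot be undone, it is also worth echoing the response body so the operator sees `acknowledged` or the error. The `-k` concern raised on the sibling scripts applies here as well.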
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see
+{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
+
+. /usr/sbin/so-common
+
+if [ "$1" == "" ]; then
+ curl -s -k -L https://{{ NODEIP }}:9200/_template/* | jq .
+else
+ curl -s -k -L https://{{ NODEIP }}:9200/_template/$1 | jq .
+fi
diff --git a/salt/common/tools/sbin/so-kibana-space-defaults b/salt/common/tools/sbin/so-kibana-space-defaults
old mode 100644
new mode 100755
diff --git a/salt/common/tools/sbin/so-logstash-events b/salt/common/tools/sbin/so-logstash-events
new file mode 100755
index 000000000..817cafb72
--- /dev/null
+++ b/salt/common/tools/sbin/so-logstash-events
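Review bot: The unquoted `*` in the first branch is a shell glob before it is a URL, and the unquoted `$1` in the second branch is word-split, the same defect as in so-elasticsearch-pipeline-view. Quote both: `curl -s -k -L 'https://{{ NODEIP }}:9200/_template/*' | jq .` and `curl -s -k -L "https://{{ NODEIP }}:9200/_template/$1" | jq .`. Since this script and the pipeline viewer differ only in the API path, a shared helper taking the path as an argument would avoid maintaining the quoting and TLS options twice.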
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see
+{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%}
+
+. /usr/sbin/so-common
+
+if [ "$1" == "" ]; then
+ for i in $(curl -s -L http://{{ NODEIP }}:9600/_node/stats | jq .pipelines | jq '. | to_entries | .[].key' | sed 's/\"//g'); do echo ${i^}:; curl -s localhost:9600/_node/stats | jq .pipelines.$i.events; done
+else
+ curl -s -L http://{{ NODEIP }}:9600/_node/stats | jq .pipelines.$1.events
+fi
diff --git a/salt/common/tools/sbin/so-logstash-pipeline-stats b/salt/common/tools/sbin/so-logstash-pipeline-stats
new file mode 100755
index 000000000..b82a125d2
--- /dev/null
+++ b/salt/common/tools/sbin/so-logstash-pipeline-stats
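Review bot: The loop in the first branch enumerates pipelines from `http://{{ NODEIP }}:9600` but then reads each pipeline's counters from `localhost:9600`, so when the pillar IP is not this host the names and the numbers come from two different Logstash instances. The per-pipeline filter `jq .pipelines.$i.events` (and `.pipelines.$1.events` in the else branch) splices the ID into jq syntax, so any pipeline name containing `-` or another non-identifier character makes jq fail with a parse error; `jq --arg p "$i" '.pipelines[$p].events'` passes it as data. Fetching the stats once and reusing the body also replaces the `jq | jq | sed` chain with `jq -r '.pipelines | keys[]'` and removes N+1 round trips. Note the API is reached over plain http here; whether the Logstash monitoring listener is meant to be reachable beyond localhost is not visible in this hunk.
```shell
stats=$(curl -s -L "http://{{ NODEIP }}:9600/_node/stats")
if [ "$1" == "" ]; then
  for i in $(printf '%s' "$stats" | jq -r '.pipelines | keys[]'); do
    echo "${i^}:"
    printf '%s' "$stats" | jq --arg p "$i" '.pipelines[$p].events'
  done
else
  printf '%s' "$stats" | jq --arg p "$1" '.pipelines[$p].events'
fi
```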
@@ -0,0 +1,25 @@ +#!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see +{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} + +. /usr/sbin/so-common + +if [ "$1" == "" ]; then + curl -s -L http://{{ NODEIP }}:9600/_node/stats | jq .pipelines +else + curl -s -L http://{{ NODEIP }}:9600/_node/stats | jq .pipelines.$1 +fi From 679925ebd967160aa3242405127e3ce5b829c07b Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 30 Mar 2021 13:29:56 -0400 Subject: [PATCH 32/45] Fix sensor cleanup & playbook sync scripts --- salt/common/tools/sbin/so-playbook-sync | 4 ++++ salt/common/tools/sbin/so-sensor-clean | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-playbook-sync b/salt/common/tools/sbin/so-playbook-sync index 250e4a3ad..a76d398cb 100755 --- a/salt/common/tools/sbin/so-playbook-sync +++ b/salt/common/tools/sbin/so-playbook-sync @@ -17,4 +17,8 @@ . /usr/sbin/so-common +# Check to see if we are already running +IS_RUNNING=$(ps aux | pgrep -f "so-playbook-sync" | wc -l) +[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - Multiple Playbook Sync processes already running...exiting." && exit 0 + docker exec so-soctopus python3 playbook_play-sync.py diff --git a/salt/common/tools/sbin/so-sensor-clean b/salt/common/tools/sbin/so-sensor-clean index 63f102f0c..e62c3c4da 100755 
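Review bot: In the else branch `jq .pipelines.$1` interpolates the argument into the jq program, so a pipeline ID with a hyphen or dot (common in Logstash pipeline names) is a jq syntax error rather than a lookup; `curl -s -L "http://{{ NODEIP }}:9600/_node/stats" | jq --arg p "$1" '.pipelines[$p]'` treats it as data. The URL should be quoted for the same reason as in the sibling scripts. Like so-logstash-events this talks plain http to port 9600; fine for a loopback listener, worth a comment if NODEIP can be a non-local address.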
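Review bot: The new guard `IS_RUNNING=$(ps aux | pgrep -f "so-playbook-sync" | wc -l)` pipes `ps` output into `pgrep`, which never reads stdin, so the `ps aux |` stage is dead and the count is whatever `pgrep -f` finds in the process table; because `$(...)` forks a copy of this very script, a single invocation presumably already counts as 2, which is why `-gt 2` is needed, but that coupling is fragile and the check-then-run sequence is still racy when two cron runs start together. A lock is both simpler and atomic: `exec 9>/var/lock/so-playbook-sync.lock` followed by `flock -n 9 || { echo "$(date) - Playbook Sync already running...exiting."; exit 0; }`. The pattern is also a substring match, so any unrelated process whose command line contains `so-playbook-sync` (an editor, a `grep`) would trip it.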
--- a/salt/common/tools/sbin/so-sensor-clean +++ b/salt/common/tools/sbin/so-sensor-clean @@ -115,7 +115,7 @@ clean() { } # Check to see if we are already running -IS_RUNNING=$(ps aux | grep "so-sensor-clean" | grep -v grep | wc -l) +IS_RUNNING=$(ps aux | pgrep -f "so-sensor-clean" | wc -l) [ "$IS_RUNNING" -gt 2 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0 if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then From be6eb3ed6c91495a79c8e760f0cf15372a5eee16 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 30 Mar 2021 14:17:05 -0400 Subject: [PATCH 33/45] Restart chrony in case it's already running --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 5c69b817a..87c9b4885 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -742,7 +742,7 @@ configure_ntp() { 'logdir /var/log/chrony' >> $chrony_conf systemctl enable chronyd - systemctl start chronyd + systemctl restart chronyd # Tell the chrony daemon to sync time & update the system time # Since these commands only make a call to chronyd, wait after each command to make sure the changes are made From fd51b327ee1d860221c88dbb30c7c16a9cd105c5 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 30 Mar 2021 15:23:57 -0400 Subject: [PATCH 34/45] Add messaging to explain chronyc output to log --- setup/so-functions | 2 ++ 1 file changed, 2 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index 87c9b4885..d31eb28a3 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -746,7 +746,9 @@ configure_ntp() { # Tell the chrony daemon to sync time & update the system time # Since these commands only make a call to chronyd, wait after each command to make sure the changes are made + printf "Syncing chrony time to server: " chronyc -a 'burst 4/4' && sleep 30 + printf "Forcing chrony to update the time: " chronyc -a makestep && sleep 30 } 
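Review bot: The replacement `ps aux | pgrep -f "so-sensor-clean" | wc -l` has the same shape as the one in so-playbook-sync: `pgrep` ignores its stdin, the `$(...)` subshell inflates the count, and the threshold `-gt 2` only works while that accident holds. Since this script decides whether to delete data when `$CUR_USAGE` exceeds `$CRIT_DISK_USAGE`, an atomic guard is worth the two lines: `exec 9>/var/lock/so-sensor-clean.lock` then `flock -n 9 || { echo "$(date) - sensor clean already running...exiting." >>$LOG; exit 0; }`. The `clean()` function whose closing brace is shown above is defined before this hunk.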
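Review bot: The added messages print a label, but a failing `chronyc` still goes unreported: with `chronyc -a 'burst 4/4' && sleep 30` a non-zero exit simply skips the sleep and the log shows the label followed by chronyc's stderr, and the function's status is whatever the last `sleep` returned. `chronyc -a makestep || echo "chronyc makestep failed (is chronyd running?)"` would make the outcome explicit in `$setup_log`. The two fixed 30-second waits are also a guess at convergence; if the chrony on both supported platforms has it, `chronyc waitsync 30 0.1` blocks until the clock is actually synchronised (or times out) instead of sleeping unconditionally. Note `-a` is a legacy authentication flag that recent chronyc accepts but, as far as I recall, ignores, so it can probably be dropped; the `configure_ntp` function begins before this hunk.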
From 177989269fda48a1fa833cbf3e75e2379e07ed1b Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 30 Mar 2021 15:50:37 -0400 Subject: [PATCH 35/45] Better formatting of chrony.conf --- setup/so-functions | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index d31eb28a3..862854c69 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -728,14 +728,16 @@ configure_ntp() { [[ -f $chrony_conf ]] && mv $chrony_conf "$chrony_conf.bak" - echo "# Config created by Security Onion" > $chrony_conf + printf '%s\n' "# NTP server list" > $chrony_conf # Build list of servers for addr in "${ntp_servers[@]}"; do echo "server $addr iburst" >> $chrony_conf done - printf '%s\n\n' \ + printf '\n%s\n' "# Config options" >> $chrony_conf + + printf '%s\n' \ 'driftfile /var/lib/chrony/drift' \ 'makestep 1.0 3' \ 'rtcsync' \ From 0b9cf57b5f10b73dfffd094e414fca5ebe75042f Mon Sep 17 00:00:00 2001 From: gebhard73 Date: Wed, 31 Mar 2021 14:22:06 +0200 Subject: [PATCH 36/45] Update so-index-list Sort by index name. --- salt/common/tools/sbin/so-index-list | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-index-list b/salt/common/tools/sbin/so-index-list index dcfebbf58..cf9232150 100755 --- a/salt/common/tools/sbin/so-index-list +++ b/salt/common/tools/sbin/so-index-list @@ -15,4 +15,4 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -curl -X GET -k -L https://localhost:9200/_cat/indices?v +curl -X GET -k -L "https://localhost:9200/_cat/indices?v&s=index" From 942de130caabc46726b7f658de6bf083a53cc60b Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 31 Mar 2021 12:24:51 +0000 Subject: [PATCH 37/45] Enforce date type for ingest.timestamp --- salt/elasticsearch/templates/so/so-common-template.json | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) 
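Review bot: The `server $addr iburst` loop writes each entry from `ntp_servers` straight into `/etc/chrony.conf` with no validation, so an entry with embedded whitespace (a stray `host1 host2` from the prompt) yields a malformed `server` line and chronyd refuses to start, which setup would only notice later through `chronyc`. A one-line sanity check before the loop, for example `[[ $addr =~ ^[A-Za-z0-9.:_-]+$ ]] || { echo "invalid NTP server '$addr'" >&2; return 1; }`, catches that at the point of input. The backup `mv $chrony_conf "$chrony_conf.bak"` shown as context is overwritten on every re-run, so the distro's original file survives only the first invocation; a timestamped suffix would preserve it. The `configure_ntp` function starts and ends outside this hunk.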
diff --git a/salt/elasticsearch/templates/so/so-common-template.json b/salt/elasticsearch/templates/so/so-common-template.json index ebf123fed..c1f0a6755 100644 --- a/salt/elasticsearch/templates/so/so-common-template.json +++ b/salt/elasticsearch/templates/so/so-common-template.json @@ -267,9 +267,14 @@ }, "ingest":{ "type":"object", - "dynamic": true + "dynamic": true, + "properties":{ + "timestamp":{ + "type":"date" + } + } }, - "intel":{ + "intel":{ "type":"object", "dynamic": true, "properties":{ From 5203c25971d7bbcdab4fe5b76897ac60b73a0bb4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 31 Mar 2021 09:13:38 -0400 Subject: [PATCH 38/45] Add Wazuh 4 Repo --- setup/yum_repos/securityonion.repo | 8 ++++++++ setup/yum_repos/securityonioncache.repo | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/setup/yum_repos/securityonion.repo b/setup/yum_repos/securityonion.repo index 20c907289..e61829380 100644 --- a/setup/yum_repos/securityonion.repo +++ b/setup/yum_repos/securityonion.repo @@ -53,4 +53,12 @@ gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH enabled=1 name=Wazuh repository baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh_repo/ +protect=1 + +[wazuh4_repo] +gpgcheck=1 +gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH +enabled=1 +name=Wazuh repository +baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh4_repo/ protect=1 \ No newline at end of file diff --git a/setup/yum_repos/securityonioncache.repo b/setup/yum_repos/securityonioncache.repo index 4fcb992d5..6d5058337 100644 --- a/setup/yum_repos/securityonioncache.repo +++ b/setup/yum_repos/securityonioncache.repo 
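Review bot: The new `[wazuh4_repo]` section copies `name=Wazuh repository` from the section above it, so `yum repolist` and error messages will now show two repositories with identical display names and only the id tells them apart; `name=Wazuh 4 repository` would disambiguate. The section keeps `gpgcheck=1` with the key fetched over https, which is the important part. The file still has no trailing newline, so the next addition will produce the same noisy diff.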
@@ -53,4 +53,12 @@ gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH enabled=1 name=Wazuh repository baseurl=http://repocache.securityonion.net/file/securityonion-repo/wazuh_repo/ +protect=1 + +[wazuh4_repo] +gpgcheck=1 +gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH +enabled=1 +name=Wazuh repository +baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh4_repo/ protect=1 \ No newline at end of file From c03e2b2c11279bb3fc7b1c53815b01207a252cfa Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 31 Mar 2021 09:14:40 -0400 Subject: [PATCH 39/45] Move ntp server array to its own pillar in the minion sls file --- setup/so-functions | 24 +++++++++++++++--------- setup/so-setup | 1 + 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 862854c69..702ccece3 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1591,8 +1591,7 @@ manager_pillar() { printf '%s\n'\ " kratoskey: '$KRATOSKEY'"\ "" >> "$pillar_file" - - } +} manager_global() { local global_pillar="$local_salt_dir/pillar/global.sls" @@ -1620,12 +1619,7 @@ manager_global() { " mdengine: '$ZEEKVERSION'"\ " ids: '$NIDS'"\ " url_base: '$REDIRECTIT'"\ - " managerip: '$MAINIP'"\ - " ntp_servers:" > "$global_pillar" - - for addr in "${ntp_servers[@]}"; do - echo " - '$addr'" >> "$global_pillar" - done + " managerip: '$MAINIP'" > "$global_pillar" if [[ $is_airgap ]]; then printf '%s\n'\ @@ -1774,7 +1768,6 @@ manager_global() { " bip: '$DOCKERBIP'"\ "redis_settings:"\ " redis_maxmemory: 812" >> "$global_pillar" - printf '%s\n' '----' >> "$setup_log" 2>&1 } 
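Review bot: In the cache variant of the repo file the new `[wazuh4_repo]` points `baseurl` at `https://repo.securityonion.net/...`, while the `wazuh_repo` entry directly above it, and presumably the rest of this file, uses `http://repocache.securityonion.net/...`; this looks like a copy of the non-cache file rather than a cache entry, and installs selecting the cache will pull Wazuh 4 from the origin. If the cache mirrors the new path the line should read `baseurl=http://repocache.securityonion.net/file/securityonion-repo/wazuh4_repo/`; if it does not yet, a comment saying so would stop the next reader from "fixing" it. Since the cache entries are plain http, `gpgcheck=1` protects package contents but not the repository metadata, so a downgrade to an older signed package is possible; `repo_gpgcheck=1` closes that only if the repository signs its `repomd.xml`, which I cannot tell from here.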
@@ -1837,6 +1830,19 @@ network_setup() { } >> "$setup_log" 2>&1 } +ntp_pillar() { + local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls + + if [[ ${#ntp_servers[@]} -gt 0 ]]; then + printf '%s\n'\ + "ntp:"\ + " servers:" >> "$global_pillar" + for addr in "${ntp_servers[@]}"; do + printf '%s\n' " - '$addr'" >> "$pillar_file" + done + fi +} + parse_install_username() { # parse out the install username so things copy correctly INSTALLUSERNAME=${SUDO_USER:-${USER}} diff --git a/setup/so-setup b/setup/so-setup index 37121c4fb..65be15dc1 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -584,6 +584,7 @@ set_redirect >> $setup_log 2>&1 set_progress_str 0 'Running initial configuration steps' [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 + ntp_pillar >> $setup_log 2>&1 reserve_ports From bb39ccc1aa512b72dc400b435030eecdb49356a1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 31 Mar 2021 09:25:21 -0400 Subject: [PATCH 40/45] Fix Automation Testing --- setup/automation/eval-net-centos | 2 +- setup/automation/import-net-centos | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/automation/eval-net-centos b/setup/automation/eval-net-centos index abd0c4765..82d2cc9ec 100644 --- a/setup/automation/eval-net-centos +++ b/setup/automation/eval-net-centos @@ -41,7 +41,7 @@ install_type=EVAL # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 +MANAGERUPDATES=0 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/import-net-centos b/setup/automation/import-net-centos index 37ca6ac51..f6394bde1 100644 --- a/setup/automation/import-net-centos +++ b/setup/automation/import-net-centos @@ -41,7 +41,7 @@ install_type=IMPORT # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 +MANAGERUPDATES=0 # MDNS= # MGATEWAY= # MIP= From 46865809ed92cddb1199ab73a8bad9fd4c3de00c Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Wed, 31 Mar 2021 09:28:02 -0400 Subject: [PATCH 41/45] Fix Automation Testing round 2 --- setup/automation/import-airgap | 2 +- setup/automation/import-ami | 2 +- setup/automation/import-iso | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/automation/import-airgap b/setup/automation/import-airgap index bfd0e3641..9c394ef2f 100644 --- a/setup/automation/import-airgap +++ b/setup/automation/import-airgap @@ -42,7 +42,7 @@ INTERWEBS=AIRGAP # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 +MANAGERUPDATES=0 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/import-ami b/setup/automation/import-ami index 88734c352..10758be9a 100644 --- a/setup/automation/import-ami +++ b/setup/automation/import-ami @@ -41,7 +41,7 @@ install_type=IMPORT # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 +MANAGERUPDATES=0 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/import-iso b/setup/automation/import-iso index 011623091..fbfdd364b 100644 --- a/setup/automation/import-iso +++ b/setup/automation/import-iso @@ -41,7 +41,7 @@ install_type=IMPORT # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 +MANAGERUPDATES=0 # MDNS= # MGATEWAY= # MIP= From 1c4ba28336423c6164c671615e2d90d52e4fd4c4 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 31 Mar 2021 13:28:42 -0400 Subject: [PATCH 42/45] [fix] host_pillar overwrites the file, so run ntp_pillar after it --- setup/so-setup | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 84e94e780..e2c866964 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -585,7 +585,6 @@ set_redirect >> $setup_log 2>&1 set_progress_str 0 'Running initial configuration steps' [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 - ntp_pillar >> $setup_log 2>&1 reserve_ports 
@@ -619,6 +618,8 @@ set_redirect >> $setup_log 2>&1 fi host_pillar >> $setup_log 2>&1 + ntp_pillar >> $setup_log 2>&1 + if [[ $is_minion || $is_import ]]; then set_updates >> $setup_log 2>&1 From 761a12ebbb6a95f8414f7b6e07b074a46ae025c2 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 31 Mar 2021 13:32:49 -0400 Subject: [PATCH 43/45] Fix variable name --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 6b4f693e3..2732a0ee9 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1802,7 +1802,7 @@ ntp_pillar() { if [[ ${#ntp_servers[@]} -gt 0 ]]; then printf '%s\n'\ "ntp:"\ - " servers:" >> "$global_pillar" + " servers:" >> "$pillar_file" for addr in "${ntp_servers[@]}"; do printf '%s\n' " - '$addr'" >> "$pillar_file" done From f7e99b496134345e81ef8f787bb627997773358d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 31 Mar 2021 15:17:15 -0400 Subject: [PATCH 44/45] https://github.com/Security-Onion-Solutions/securityonion/issues/3709 --- salt/firewall/map.jinja | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja index 2df668a07..496e6f568 100644 --- a/salt/firewall/map.jinja +++ b/salt/firewall/map.jinja 
@@ -18,14 +18,18 @@ {# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #} {% if salt['pillar.get']('firewall:assigned_hostgroups:chain') %} + {% set translated_pillar_assigned_hostgroups = {'chain': {}} %} {% for chain, hg in salt['pillar.get']('firewall:assigned_hostgroups:chain').items() %} {% for pillar_hostgroup, pillar_portgroups in salt['pillar.get']('firewall:assigned_hostgroups:chain')[chain].hostgroups.items() %} - {% do translated_pillar_assigned_hostgroups.update({"chain": {chain: {"hostgroups": {pillar_hostgroup: {"portgroups": []}}}}}) %} + {% if translated_pillar_assigned_hostgroups.chain[chain] is defined %} + {% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups.update({pillar_hostgroup: {"portgroups": []}}) %} + {% else %} + {% do translated_pillar_assigned_hostgroups.chain.update({chain: {"hostgroups": {pillar_hostgroup: {"portgroups": []}}}}) %} + {% endif %} {% for pillar_portgroup in pillar_portgroups.portgroups %} {% set pillar_portgroup = pillar_portgroup.split('.') | last %} {% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups[pillar_hostgroup].portgroups.append(defined_portgroups[pillar_portgroup]) %} - {% endfor %} {% endfor %} {% endfor %} @@ -39,7 +43,6 @@ {% set assigned_hostgroups = default_assigned_hostgroups.role[role] %} {% endif %} - {% if translated_pillar_assigned_hostgroups %} {% do salt['defaults.merge'](assigned_hostgroups, translated_pillar_assigned_hostgroups, merge_lists=True, in_place=True) %} {% endif %} \ No newline at end of file From ef984455605de8b1cb6f1ea7ee7b13d49afa824a Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 31 Mar 2021 15:44:41 -0400 Subject: [PATCH 45/45] Fix Playbook Alert timestamps --- salt/elastalert/files/modules/so/playbook-es.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
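Review bot: The restructured loop now correctly accumulates hostgroups per chain instead of replacing the chain on each iteration, but the lookup `defined_portgroups[pillar_portgroup]` inside it still assumes every portgroup named in the pillar exists; a typo in `firewall:assigned_hostgroups` raises an undefined-variable error while rendering and the whole firewall state fails with a Jinja traceback rather than a message naming the bad entry. Because `pillar_portgroup.split('.') | last` discards any prefix, the mistake can also be silent when the suffix happens to match another group. A guard before the append, `{% if pillar_portgroup not in defined_portgroups %}{{ raise("firewall: unknown portgroup '" ~ pillar_portgroup ~ "'") }}{% endif %}`, gives an actionable error (Salt's Jinja exposes `raise`; if this Salt version does not, `salt['log.error']` plus `continue` is the fallback). The `{% if salt['pillar.get'](...) %}` that opens this block is closed by the `{% endif %}` in the second hunk, so the merge now only runs when the pillar key exists, which is worth a one-line comment above it.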
diff --git a/salt/elastalert/files/modules/so/playbook-es.py b/salt/elastalert/files/modules/so/playbook-es.py
index c10a80f2c..ab2327ab7 100644
--- a/salt/elastalert/files/modules/so/playbook-es.py
+++ b/salt/elastalert/files/modules/so/playbook-es.py
@@ -17,7 +17,7 @@ class PlaybookESAlerter(Alerter):
 def alert(self, matches):
 for match in matches:
 today = strftime("%Y.%m.%d", gmtime())
- timestamp = strftime("%Y-%m-%d"'T'"%H:%M:%S", gmtime())
+ timestamp = strftime("%Y-%m-%d"'T'"%H:%M:%S"'.000Z', gmtime())
 headers = {"Content-Type": "application/json"}
 payload = {"rule": { "name": self.rule['play_title'],"case_template": self.rule['play_id'],"uuid": self.rule['play_id'],"category": self.rule['rule.category']},"event":{ "severity": self.rule['event.severity'],"module": self.rule['event.module'],"dataset": self.rule['event.dataset'],"severity_label": self.rule['sigma_level']},"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"event_data": match, "@timestamp": timestamp}
 url = f"https://{self.rule['elasticsearch_host']}/so-playbook-alerts-{today}/_doc/"
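Review bot: The new `'.000Z'` suffix makes the string parse as a UTC date in Elasticsearch, but the milliseconds are a literal zero, so every alert written in the same second carries an identical `@timestamp` and ordering within that second is lost even though the information was available. `timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"` keeps the same format with real millisecond precision (the import `from datetime import datetime, timezone` belongs in the module header, which is outside this hunk). The `today` value a few lines up could be derived from the same `datetime` object so the index name and the document timestamp can never straddle midnight. The `alert` method continues past the end of the hunk, so the request that uses `url` and any TLS verification setting are not visible here.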