From 11c641fd1bc9b49b4a5e13b219ee2172e6e6d479 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 27 May 2020 15:34:14 -0400 Subject: [PATCH 01/33] Initial support - integrated Fleet setup --- .../tools/sbin}/so-fleet-setup | 26 +++++++-------- salt/fleet/event_gen-packages.sls | 2 ++ salt/fleet/files/scripts/so-fleet-packages | 33 ------------------- salt/fleet/init.sls | 17 ---------- salt/reactor/fleet.sls | 5 +-- setup/so-setup | 8 ++++- 6 files changed, 25 insertions(+), 66 deletions(-) rename salt/{fleet/files/scripts => common/tools/sbin}/so-fleet-setup (72%) delete mode 100644 salt/fleet/files/scripts/so-fleet-packages diff --git a/salt/fleet/files/scripts/so-fleet-setup b/salt/common/tools/sbin/so-fleet-setup similarity index 72% rename from salt/fleet/files/scripts/so-fleet-setup rename to salt/common/tools/sbin/so-fleet-setup index 96ddd5156..93c1c9d74 100644 --- a/salt/fleet/files/scripts/so-fleet-setup +++ b/salt/common/tools/sbin/so-fleet-setup 
@@ -2,24 +2,24 @@ {% set MAIN_HOSTNAME = salt['grains.get']('host') %} {% set MAIN_IP = salt['pillar.get']('node:mainip') %} -#so-fleet-setup.sh $FleetEmail +#so-fleet-setup.sh $FleetEmail $FleetPassword -# Enable Fleet -echo "Starting Docker Containers..." -salt-call state.apply mysql queue=True >> /root/fleet-setup.log -salt-call state.apply fleet queue=True >> /root/fleet-setup.log -salt-call state.apply redis queue=True >> /root/fleet-setup.log - -if [ ! "$(docker ps -q -f name=so-fleet)" ]; then - echo "so-fleet container not running... Exiting..." - exit 1 +if [[ $# -ne 2 ]] ; then + echo "Username or Password was not set - exiting now." + exit 1 fi -initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo) +# Checking to see if required containers are started... +if [ ! "$(docker ps -q -f name=so-fleet)" ]; then + echo "Starting Docker Containers..." + salt-call state.apply mysql queue=True >> /root/fleet-setup.log + salt-call state.apply fleet queue=True >> /root/fleet-setup.log + salt-call state.apply redis queue=True >> /root/fleet-setup.log +fi docker exec so-fleet /bin/ash -c "echo {{ MAIN_IP }} {{ MAIN_HOSTNAME }} >> /etc/hosts" docker exec so-fleet fleetctl config set --address https://{{ MAIN_HOSTNAME }}:443 --tls-skip-verify --url-prefix /fleet -docker exec so-fleet fleetctl setup --email $1 --password $initpw +docker exec so-fleet fleetctl setup --email $1 --password $2 docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml @@ -45,4 +45,4 @@ docker stop so-nginx salt-call state.apply nginx queue=True >> /root/fleet-setup.log echo "Fleet Setup Complete - Login here: https://{{ MAIN_HOSTNAME }}" -echo "Your username is $2 and your password is $initpw" +echo "Your username is $1 and your password is $2" diff --git a/salt/fleet/event_gen-packages.sls b/salt/fleet/event_gen-packages.sls index 3119ada51..11a3d9a0a 100644 
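Review bot: `docker exec so-fleet fleetctl setup --email $1 --password $2` and the arity check `[[ $# -ne 2 ]]` leave both arguments unquoted and unvalidated, so a password containing whitespace or glob characters is word-split before it reaches fleetctl, and two empty strings pass the check; quote the expansions (`--email "$1" --password "$2"`) and reject empty values with `if [[ $# -ne 2 || -z $1 || -z $2 ]]; then`. The credential also rides on the command line of `docker exec`, where it is readable from the process table for the duration of the call; if fleetctl offers a way to take the password from stdin or the environment that would be preferable, but no such option is visible here. The second hunk (`@@ -45,4`) prints the password with `echo "Your username is $1 and your password is $2"`, so any caller that captures stdout, such as the `>> $setup_log` redirection in setup/so-setup, keeps it on disk; a later patch in this series removes that line, which is the right call.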
--- a/salt/fleet/event_gen-packages.sls +++ b/salt/fleet/event_gen-packages.sls @@ -1,6 +1,7 @@ {% set MASTER = salt['grains.get']('master') %} {% set ENROLLSECRET = salt['pillar.get']('secrets:fleet_enroll-secret') %} {% set CURRENTPACKAGEVERSION = salt['pillar.get']('static:fleet_packages-version') %} +{% set VERSION = salt['pillar.get']('static:soversion') %} so/fleet: event.send: @@ -12,4 +13,5 @@ so/fleet: enroll-secret: {{ ENROLLSECRET }} current-package-version: {{ CURRENTPACKAGEVERSION }} master: {{ MASTER }} + version: {{ VERSION }} \ No newline at end of file diff --git a/salt/fleet/files/scripts/so-fleet-packages b/salt/fleet/files/scripts/so-fleet-packages deleted file mode 100644 index 49f3eebcd..000000000 --- a/salt/fleet/files/scripts/so-fleet-packages +++ /dev/null 
@@ -1,33 +0,0 @@ -#!/bin/bash -{% set MAIN_HOSTNAME = salt['grains.get']('host') %} -{% set MAIN_IP = salt['pillar.get']('node:mainip') %} - - -#so-fleet-packages $FleetHostname/IP - -#if [ ! "$(docker ps -q -f name=so-fleet)" ]; then -# echo "so-fleet container not running... Exiting..." -# exit 1 -#fi - -#docker exec so-fleet /bin/ash -c "echo {{ MAIN_IP }} {{ MAIN_HOSTNAME }} >> /etc/hosts" -#esecret=$(docker exec so-fleet fleetctl get enroll-secret) - -#Concat fleet.crt & ca.crt - this is required for launcher connectivity -#cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/launcher.crt -#Actually only need to use /etc/ssl/certs/intca.crt - -#Create the output directory -#mkdir /opt/so/conf/fleet/packages - -docker run \ - --rm \ - --mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \ - --mount type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt \ - docker.io/soshybridhunter/so-fleet-launcher:HH1.1.0 "$esecret" "$1":8090 - -cp /opt/so/conf/fleet/packages/launcher.* /opt/so/saltstack/salt/launcher/packages/ - -#Update timestamp on packages webpage -sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html -sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/saltstack/salt/fleet/files/dedicated-index.html \ No newline at end of file diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index 7785a3c20..6a6eb9a30 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -16,14 +16,6 @@ include: - mysql -#{% if grains.id.split('_')|last in ['master', 'eval', 'fleet'] %} -#so/fleet: -# event.send: -# - data: -# action: 'enablefleet' -# hostname: {{ grains.host }} -#{% endif %} - # Fleet Setup fleetcdir: file.directory: 
@@ -67,15 +59,6 @@ fleetlogdir: - group: 939 - makedirs: True -fleetsetupscripts: - file.recurse: - - name: /usr/sbin - - user: 0 - - group: 0 - - file_mode: 755 - - template: jinja - - source: salt://fleet/files/scripts - osquerypackageswebpage: file.managed: - name: /opt/so/conf/fleet/packages/index.html diff --git a/salt/reactor/fleet.sls b/salt/reactor/fleet.sls index d841d54d6..ac4bd422f 100644 --- a/salt/reactor/fleet.sls +++ b/salt/reactor/fleet.sls @@ -13,11 +13,12 @@ def run(): ROLE = data['data']['role'] ESECRET = data['data']['enroll-secret'] MAINIP = data['data']['mainip'] + VERSION = data['data']['version'] STATICFILE = '/opt/so/saltstack/pillar/static.sls' SECRETSFILE = '/opt/so/saltstack/pillar/secrets.sls' - if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch']: + if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch','standalone']: if ACTION == 'enablefleet': logging.info('so/fleet enablefleet reactor') @@ -55,7 +56,7 @@ def run(): # Run Docker container that will build the packages gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,source=/opt/so/saltstack/salt/fleet/packages,target=/output", \ - "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:HH1.3.0", \ + "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:{ VERSION }", \ f"{ESECRET}", f"{HOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii') # Update the 'packages-built' timestamp on the webpage (stored in the static pillar) diff --git a/setup/so-setup b/setup/so-setup index 4e004b425..fc934e8a3 100755 --- a/setup/so-setup +++ b/setup/so-setup 
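Review bot: With the `fleetsetupscripts` file.recurse state gone, nothing on this page renders the relocated so-fleet-setup with `template: jinja`, yet at this revision the script still opens with `{% set MAIN_HOSTNAME = ... %}` and uses `{{ MAIN_IP }}` / `{{ MAIN_HOSTNAME }}` (see the patch-01 hunk of salt/common/tools/sbin/so-fleet-setup). Unless the state that installs salt/common/tools/sbin (not shown) applies Jinja, the script ships with literal template tags and the `docker exec ... /etc/hosts` and `fleetctl config set --address` lines receive unrendered text. Patch 03 in this series strips the Jinja from the script, which resolves it; a comment at the top of the script, `# installed verbatim from salt/common/tools/sbin - no Jinja directives in this file`, would keep it from creeping back.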
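Review bot: `f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:{ VERSION }"` interpolates `VERSION` straight from the event payload with no check, and the sender (salt/fleet/event_gen-packages.sls in this patch) reads it with `salt['pillar.get']('static:soversion')` and no default, so a missing pillar key produces an empty tag and a malformed image reference for `docker run`. A guard before the subprocess call fails loudly instead of handing docker a bad reference: `if not VERSION:` / `logging.error('so/fleet genpackages: version missing from event data')` / `return`. The enclosing `run()` starts and continues outside this hunk.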
@@ -473,11 +473,17 @@ fi fi if [[ "$OSQUERY" = 1 ]]; then + set_progress_str 73 "$(print_salt_state_apply 'mysql')" + salt-call state.apply -l info mysql >> $setup_log 2>&1 + set_progress_str 73 "$(print_salt_state_apply 'fleet')" salt-call state.apply -l info fleet >> $setup_log 2>&1 - set_progress_str 74 "$(print_salt_state_apply 'redis')" + set_progress_str 73 "$(print_salt_state_apply 'redis')" salt-call state.apply -l info redis >> $setup_log 2>&1 + + set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')" + so-fleet-setup $WEBUSER $WEBPASSWD1 >> $setup_log 2>&1 fi if [[ "$WAZUH" = 1 ]]; then From e53e891bd64cb88606cdaced256554ad557fecfb Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 28 May 2020 11:36:38 -0400 Subject: [PATCH 02/33] Fleet reactor - Typo fix --- salt/common/tools/sbin/so-fleet-setup | 3 +-- salt/reactor/fleet.sls | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-fleet-setup b/salt/common/tools/sbin/so-fleet-setup index 93c1c9d74..810b613c3 100644 --- a/salt/common/tools/sbin/so-fleet-setup +++ b/salt/common/tools/sbin/so-fleet-setup @@ -44,5 +44,4 @@ salt-call state.apply filebeat queue=True >> /root/fleet-setup.log docker stop so-nginx salt-call state.apply nginx queue=True >> /root/fleet-setup.log -echo "Fleet Setup Complete - Login here: https://{{ MAIN_HOSTNAME }}" -echo "Your username is $1 and your password is $2" +echo "Fleet Setup Complete - Login here with the username and password you ran the script with: https://{{ MAIN_HOSTNAME }}" diff --git a/salt/reactor/fleet.sls b/salt/reactor/fleet.sls index ac4bd422f..2e929c59e 100644 --- a/salt/reactor/fleet.sls +++ b/salt/reactor/fleet.sls @@ -13,7 +13,6 @@ def run(): ROLE = data['data']['role'] ESECRET = data['data']['enroll-secret'] MAINIP = data['data']['mainip'] - VERSION = data['data']['version'] STATICFILE = '/opt/so/saltstack/pillar/static.sls' SECRETSFILE = '/opt/so/saltstack/pillar/secrets.sls' 
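Review bot: `so-fleet-setup $WEBUSER $WEBPASSWD1 >> $setup_log 2>&1` passes the web admin password unquoted, so a value with spaces or glob characters is split into extra arguments and rejected by the script's `$# -ne 2` check; write `so-fleet-setup "$WEBUSER" "$WEBPASSWD1" >> "$setup_log" 2>&1`. At this revision so-fleet-setup also echoes `$2` on completion, and because stdout is redirected here the password ends up in `$setup_log`; the following patch in the series removes that echo, but this redirect is why it matters. The three consecutive `set_progress_str 73` calls look like a copy-paste slip (redis was 74 before this change); presumably they were meant to step up.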
@@ -50,6 +49,7 @@ def run(): PACKAGEVERSION = data['data']['current-package-version'] MASTER = data['data']['master'] + VERSION = data['data']['version'] # Increment the package version by 1 PACKAGEVERSION += 1 From aeb71bb8f0597bdf0f59b9ea1cb02726cde7f95c Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 28 May 2020 13:21:25 -0400 Subject: [PATCH 03/33] Simplified setup script --- salt/common/tools/sbin/so-fleet-setup | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/salt/common/tools/sbin/so-fleet-setup b/salt/common/tools/sbin/so-fleet-setup index 810b613c3..956a8b829 100644 --- a/salt/common/tools/sbin/so-fleet-setup +++ b/salt/common/tools/sbin/so-fleet-setup @@ -1,8 +1,6 @@ #!/bin/bash -{% set MAIN_HOSTNAME = salt['grains.get']('host') %} -{% set MAIN_IP = salt['pillar.get']('node:mainip') %} -#so-fleet-setup.sh $FleetEmail $FleetPassword +#so-fleet-setup $FleetEmail $FleetPassword if [[ $# -ne 2 ]] ; then echo "Username or Password was not set - exiting now." @@ -17,8 +15,7 @@ if [ ! "$(docker ps -q -f name=so-fleet)" ]; then salt-call state.apply redis queue=True >> /root/fleet-setup.log fi -docker exec so-fleet /bin/ash -c "echo {{ MAIN_IP }} {{ MAIN_HOSTNAME }} >> /etc/hosts" -docker exec so-fleet fleetctl config set --address https://{{ MAIN_HOSTNAME }}:443 --tls-skip-verify --url-prefix /fleet +docker exec so-fleet fleetctl config set --address https://localhost:8080 --tls-skip-verify --url-prefix /fleet docker exec so-fleet fleetctl setup --email $1 --password $2 docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml 
@@ -44,4 +41,4 @@ salt-call state.apply filebeat queue=True >> /root/fleet-setup.log docker stop so-nginx salt-call state.apply nginx queue=True >> /root/fleet-setup.log -echo "Fleet Setup Complete - Login here with the username and password you ran the script with: https://{{ MAIN_HOSTNAME }}" +echo "Fleet Setup Complete - Login with the username and password you ran the script with." From 0d8c0e1fa669d74b9c14c15a6ab225dc47bc7786 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 28 May 2020 16:27:18 -0400 Subject: [PATCH 04/33] Fleet standalone fixes --- setup/so-functions | 28 ++++++++++++++++++++++++++++ setup/so-setup | 11 +++++++++-- setup/so-whiptail | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 69 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 612b0147b..462d3b64c 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -246,6 +246,10 @@ check_soremote_pass() { check_pass_match "$SOREMOTEPASS1" "$SOREMOTEPASS2" "SCMATCH" } +check_fleet_node_pass() { + check_pass_match "$FLEETNODEPASSWD1" "$FLEETNODEPASSWD2" "fpMATCH" +} + check_web_pass() { check_pass_match "$WEBPASSWD1" "$WEBPASSWD2" "WPMATCH" } @@ -283,6 +287,30 @@ collect_adminuser_inputs() { done } +collect_fleetuser_inputs() { + # Get a username & password for the Fleet admin user + local valid_user=no + while [[ $valid_user != yes ]]; do + whiptail_create_fleet_node_user + if so-user valemail "$FLEETNODEUSER" >> "$setup_log" 2>&1; then + valid_user=yes + else + whiptail_invalid_user_warning + fi + done + + FPMATCH=no + while [[ $FPMATCH != yes ]]; do + whiptail_create_fleet_node_user_password1 + if echo "$FLEETNODEPASSWD1" | so-user valpass >> "$setup_log" 2>&1; then + whiptail_create_fleet_node_user_password2 + check_fleet_node_pass + else + whiptail_invalid_pass_warning + fi + done +} + collect_webuser_inputs() { # Get a password for the web admin user diff --git a/setup/so-setup b/setup/so-setup index fc934e8a3..69f46184d 100755 
--- a/setup/so-setup +++ b/setup/so-setup @@ -481,9 +481,16 @@ fi set_progress_str 73 "$(print_salt_state_apply 'redis')" salt-call state.apply -l info redis >> $setup_log 2>&1 + + if [ "$install_type" = 'FLEET' ]; then + collect_fleetuser_inputs + set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')" + so-fleet-setup $FLEETNODEUSER $FLEETNODEPASSWD1 >> $setup_log 2>&1 + else + set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')" + so-fleet-setup $WEBUSER $WEBPASSWD1 >> $setup_log 2>&1 + fi - set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')" - so-fleet-setup $WEBUSER $WEBPASSWD1 >> $setup_log 2>&1 fi if [[ "$WAZUH" = 1 ]]; then diff --git a/setup/so-whiptail b/setup/so-whiptail index 31a0c05ec..e9f691b55 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -165,6 +165,38 @@ whiptail_create_admin_user_password2() { } +whiptail_create_fleet_node_user() { + + [ -n "$TESTING" ] && return + + FLEETNODEUSER=$(whiptail --title "Security Onion Install" --inputbox \ + "Please enter an email as the username for the Fleet admin user." 10 60 3>&1 1>&2 2>&3) + +} + +whiptail_create_fleet_node_user_password1() { + + [ -n "$TESTING" ] && return + + FLEETNODEPASS1=$(whiptail --title "Security Onion Install" --passwordbox \ + "Enter a password for $FLEETNODEUSER" 10 60 3>&1 1>&2 2>&3) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} + +whiptail_create_fleet_node_user_password2() { + + [ -n "$TESTING" ] && return + + FLEETNODEPASS2=$(whiptail --title "Security Onion Install" --passwordbox \ + "Re-enter a password for $FLEETNODEUSER" 10 60 3>&1 1>&2 2>&3) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + +} + whiptail_create_soremote_user() { [ -n "$TESTING" ] && return From e8e48a4bebae5bd8c6edb70baf834d920019e4cf Mon Sep 17 00:00:00 2001 
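Review bot: `whiptail_create_fleet_node_user` omits the `local exitstatus=$?` / `whiptail_check_exitstatus $exitstatus` pair that the two password functions below it carry, so cancelling the dialog leaves `FLEETNODEUSER` empty and returns control to the `while [[ $valid_user != yes ]]` loop in collect_fleetuser_inputs (the patch-04 so-functions hunk), which presumably re-prompts until a valid email is typed; add the same two lines after the inputbox. The variables assigned here, `FLEETNODEPASS1` and `FLEETNODEPASS2`, also differ from `FLEETNODEPASSWD1`/`FLEETNODEPASSWD2` read by check_fleet_node_pass, so the match check compares two unset values; patch 10 later in the series renames them.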
From: Josh Brower Date: Thu, 28 May 2020 16:40:12 -0400 Subject: [PATCH 05/33] Fleet standalone bugfixes --- setup/so-setup | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 69f46184d..5906eefec 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -283,6 +283,13 @@ if [[ $is_node && ! $is_eval ]]; then fi fi +if [ "$install_type" = 'FLEET' ]; then + collect_fleetuser_inputs +else + FLEETNODEUSER=$WEBUSER + FLEETNODEPASSWD1=$WEBPASSWD1 +fi + whiptail_make_changes if [[ -n "$TURBO" ]]; then @@ -482,14 +489,8 @@ fi set_progress_str 73 "$(print_salt_state_apply 'redis')" salt-call state.apply -l info redis >> $setup_log 2>&1 - if [ "$install_type" = 'FLEET' ]; then - collect_fleetuser_inputs - set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')" - so-fleet-setup $FLEETNODEUSER $FLEETNODEPASSWD1 >> $setup_log 2>&1 - else - set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')" - so-fleet-setup $WEBUSER $WEBPASSWD1 >> $setup_log 2>&1 - fi + set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')" + so-fleet-setup $FLEETNODEUSER $FLEETNODEPASSWD1 >> $setup_log 2>&1 fi From 046bca626e760a33e50dc2c1c2a5fba1d1835912 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 28 May 2020 16:51:37 -0400 Subject: [PATCH 06/33] Fleet pw check fix --- setup/so-functions | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 462d3b64c..e487e5542 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -247,7 +247,7 @@ check_soremote_pass() { } check_fleet_node_pass() { - check_pass_match "$FLEETNODEPASSWD1" "$FLEETNODEPASSWD2" "fpMATCH" + check_pass_match "$FLEETNODEPASSWD1" "$FLEETNODEPASSWD2" "FPMATCH" } check_web_pass() { 
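Review bot: The non-FLEET branch silently copies the web admin credentials into `FLEETNODEUSER`/`FLEETNODEPASSWD1`, so one secret now opens both the SOC web login and the Fleet admin account; that reads as a deliberate choice but nothing records it, so a comment such as `# Non-standalone installs reuse the web admin credentials for the Fleet admin user` belongs above the `else`. In the second hunk the call `so-fleet-setup $FLEETNODEUSER $FLEETNODEPASSWD1` is still unquoted; a password with whitespace splits into extra arguments and fails the script's `$# -ne 2` check, so quote both: `so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1" >> "$setup_log" 2>&1`.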
@@ -302,12 +302,8 @@ collect_fleetuser_inputs() { FPMATCH=no while [[ $FPMATCH != yes ]]; do whiptail_create_fleet_node_user_password1 - if echo "$FLEETNODEPASSWD1" | so-user valpass >> "$setup_log" 2>&1; then - whiptail_create_fleet_node_user_password2 - check_fleet_node_pass - else - whiptail_invalid_pass_warning - fi + whiptail_create_fleet_node_user_password2 + check_fleet_node_pass done } From 4b14ecf1d92cfe9aece77bef989be5b974932c03 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 1 Jun 2020 16:36:32 -0400 Subject: [PATCH 07/33] Fleet standalone fixes --- salt/fleet/event_enable-fleet.sls | 3 ++- salt/mysql/init.sls | 3 ++- salt/nginx/etc/nginx.conf.so-fleet | 4 +++- salt/ssl/init.sls | 3 ++- setup/so-functions | 11 +++++++++++ setup/so-setup | 7 ++++++- setup/so-whiptail | 2 +- 7 files changed, 27 insertions(+), 6 deletions(-) diff --git a/salt/fleet/event_enable-fleet.sls b/salt/fleet/event_enable-fleet.sls index 007f3690c..90bfec2d4 100644 --- a/salt/fleet/event_enable-fleet.sls +++ b/salt/fleet/event_enable-fleet.sls @@ -1,5 +1,6 @@ {% set ENROLLSECRET = salt['cmd.run']('docker exec so-fleet fleetctl get enroll-secret') %} -{%- set MAINIP = salt['pillar.get']('node:mainip') -%} +{% set MAININT = salt['pillar.get']('host:mainint') %} +{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} so/fleet: event.send: diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index f3ce61784..c96be214c 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -6,7 +6,8 @@ {% set FLEETARCH = salt['grains.get']('role') %} {% if FLEETARCH == "so-fleet" %} - {% set MAINIP = salt['pillar.get']('node:mainip') %} + {% set MAININT = salt['pillar.get']('host:mainint') %} + {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} {% else %} {% set MAINIP = salt['pillar.get']('static:masterip') %} {% endif %} diff --git a/salt/nginx/etc/nginx.conf.so-fleet b/salt/nginx/etc/nginx.conf.so-fleet index 28372f448..7d6974532 100644 
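Review bot: Dropping the `so-user valpass` branch leaves the Fleet admin password with no policy check at all before so-fleet-setup consumes it; the loop now only confirms the two entries match, and the removed lines were the only strength validation of this value on the page. The check presumably never worked because so-whiptail stored the value in `FLEETNODEPASS1` while this loop read `FLEETNODEPASSWD1`, which patch 10 in this series fixes by renaming; once the names agree the validation can be restored around the second prompt, `if echo "$FLEETNODEPASSWD1" | so-user valpass >> "$setup_log" 2>&1; then`, with `whiptail_invalid_pass_warning` in the else branch, matching the structure the hunk deletes.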
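Review bot: `salt['grains.get']('ip_interfaces').get(MAININT)[0]` aborts the render with a Jinja error when `host:mainint` is absent or names an interface the grain does not list (`.get()` returns None and `None[0]` raises), and it takes whichever address the grain lists first, which is not necessarily the IPv4 address MAINIP was meant to hold. The same expression is added to salt/mysql/init.sls in this patch and to salt/nginx/etc/nginx.conf.so-fleet, salt/ssl/init.sls and salt/firewall/init.sls later in the series. Supplying a default, `{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT, [''])[0] %}`, keeps the state rendering; if IPv4 is intended, the `ip4_interfaces` grain avoids picking up an IPv6 entry.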
--- a/salt/nginx/etc/nginx.conf.so-fleet +++ b/salt/nginx/etc/nginx.conf.so-fleet @@ -1,4 +1,6 @@ -{%- set MAINIP = salt['pillar.get']('node:mainip', '') %} +{% set MAININT = salt['pillar.get']('host:mainint') %} +{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} + # For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 384c5bd5f..ca6417dec 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -1,9 +1,10 @@ {% set master = salt['grains.get']('master') %} {% set masterip = salt['pillar.get']('static:masterip', '') %} {% set HOSTNAME = salt['grains.get']('host') %} -{% set MAINIP = salt['pillar.get']('node:mainip') %} {% set global_ca_text = [] %} {% set global_ca_server = [] %} +{% set MAININT = salt['pillar.get']('host:mainint') %} +{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} {% if grains.id.split('_')|last in ['master', 'eval', 'standalone'] %} {% set trusttheca_text = salt['mine.get'](grains.id, 'x509.get_pem_entries')[grains.id]['/etc/pki/ca.crt']|replace('\n', '') %} diff --git a/setup/so-functions b/setup/so-functions index e487e5542..3aea34bac 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -810,6 +810,17 @@ get_minion_type() { echo "$minion_type" } +host_pillar() { + + local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls + + # Create the host pillar + printf '%s\n'\ + "host:"\ + " mainint: $MNIC"\ + "" > "$pillar_file" +} + install_cleanup() { echo "Installer removing the following files:" ls -lR "$temp_install_dir" diff --git a/setup/so-setup b/setup/so-setup index 5906eefec..313586800 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -128,6 +128,7 @@ elif [ "$install_type" = 'HEAVYNODE' ]; then is_sensor=true elif [ "$install_type" = 'FLEET' ]; then is_minion=true + is_fleet_standalone=true OSQUERY=1 elif [ "$install_type" = 'HELIXSENSOR' ]; then is_helix=true @@ -234,7 +235,7 @@ if [[ $is_master ]]; then get_redirect fi -if [[ $is_distmaster || ( $is_sensor || $is_node ) && ! $is_eval ]]; then +if [[ $is_distmaster || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ]]; then whiptail_master_updates if [[ $setup_type == 'network' && $MASTERUPDATES == 1 ]]; then whiptail_master_updates_warning @@ -326,6 +327,10 @@ if [[ $is_minion ]]; then copy_ssh_key >> $setup_log 2>&1 fi +if [[ $is_fleet_standalone ]]; then + host_pillar >> $setup_log 2>&1 +fi + # Begin install { # Set initial percentage to 0 diff --git a/setup/so-whiptail b/setup/so-whiptail index e9f691b55..06712ace3 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -170,7 +170,7 @@ whiptail_create_fleet_node_user() { [ -n "$TESTING" ] && return FLEETNODEUSER=$(whiptail --title "Security Onion Install" --inputbox \ - "Please enter an email as the username for the Fleet admin user." 10 60 3>&1 1>&2 2>&3) + "Please enter an email for use as the username for the Fleet admin user." 10 60 3>&1 1>&2 2>&3) } From 307cbe4b776b8cfe60cd5218cf92cb143a73001e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 1 Jun 2020 20:48:25 -0400 Subject: [PATCH 08/33] Couple of QOL scripts --- salt/common/tools/sbin/so-docker-refresh | 112 +++++++++++++++++++++ salt/common/tools/sbin/so-saltstack-update | 57 +++++++++++ 2 files changed, 169 insertions(+) create mode 100644 salt/common/tools/sbin/so-docker-refresh create mode 100644 salt/common/tools/sbin/so-saltstack-update diff --git a/salt/common/tools/sbin/so-docker-refresh b/salt/common/tools/sbin/so-docker-refresh new file mode 100644 index 000000000..3c1a2e301 --- /dev/null +++ b/salt/common/tools/sbin/so-docker-refresh 
@@ -0,0 +1,112 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+got_root(){
+ if [ "$(id -u)" -ne 0 ]; then
+ echo "This script must be run using sudo!"
+ exit 1
+ fi
+}
+
+master_check() {
+ # Check to see if this is a master
+ MASTERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
+ if [ $MASTERCHECK == 'so-eval' ] || [ $MASTERCHECK == 'so-master' ] || [ $MASTERCHECK == 'so-mastersearch' ] || [ $MASTERCHECK == 'so-standalone' ] || [ $MASTERCHECK == 'so-helix' ]; then
+ echo "This is a master. We can proceed"
+ else
+ echo "Please run soup on the master. The master controls all updates."
+ exit 1
+ fi
+}
+
+update_docker_containers() {
+
+ # Download the containers from the interwebs
+ for i in "${TRUSTED_CONTAINERS[@]}"
+ do
+ # Pull down the trusted docker image
+ echo "Downloading $i"
+ docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
+ # Tag it with the new registry destination
+ docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
+ docker push $HOSTNAME:5000/soshybridhunter/$i
+ done
+
+}
+
+version_check() {
+ if [ -f /etc/soversion ]; then
+ VERSION=$(cat /etc/soversion)
+ else
+ echo "Unable to detect version. I will now terminate."
+ exit 1
+ fi
+}
+got_root
+master_check
+version_check
+
+# Use the hostname
+HOSTNAME=$(hostname)
+BUILD=HH
+# List all the containers
+if [ $MASTERCHECK != 'so-helix' ]; then
+ TRUSTED_CONTAINERS=( \
+ "so-acng:$BUILD$VERSION" \
+ "so-thehive-cortex:$BUILD$VERSION" \
+ "so-curator:$BUILD$VERSION" \
+ "so-domainstats:$BUILD$VERSION" \
+ "so-elastalert:$BUILD$VERSION" \
+ "so-elasticsearch:$BUILD$VERSION" \
+ "so-filebeat:$BUILD$VERSION" \
+ "so-fleet:$BUILD$VERSION" \
+ "so-fleet-launcher:$BUILD$VERSION" \
+ "so-freqserver:$BUILD$VERSION" \
+ "so-grafana:$BUILD$VERSION" \
+ "so-idstools:$BUILD$VERSION" \
+ "so-influxdb:$BUILD$VERSION" \
+ "so-kibana:$BUILD$VERSION" \
+ "so-kratos:$BUILD$VERSION" \
+ "so-logstash:$BUILD$VERSION" \
+ "so-mysql:$BUILD$VERSION" \
+ "so-navigator:$BUILD$VERSION" \
+ "so-nginx:$BUILD$VERSION" \
+ "so-playbook:$BUILD$VERSION" \
+ "so-redis:$BUILD$VERSION" \
+ "so-soc:$BUILD$VERSION" \
+ "so-soctopus:$BUILD$VERSION" \
+ "so-steno:$BUILD$VERSION" \
+ "so-strelka:$BUILD$VERSION" \
+ "so-suricata:$BUILD$VERSION" \
+ "so-telegraf:$BUILD$VERSION" \
+ "so-thehive:$BUILD$VERSION" \
+ "so-thehive-es:$BUILD$VERSION" \
+ "so-wazuh:$BUILD$VERSION" \
+ "so-zeek:$BUILD$VERSION" )
+ else
+ TRUSTED_CONTAINERS=( \
+ "so-filebeat:$BUILD$VERSION" \
+ "so-idstools:$BUILD$VERSION" \
+ "so-logstash:$BUILD$VERSION" \
+ "so-nginx:$BUILD$VERSION" \
+ "so-redis:$BUILD$VERSION" \
+ "so-steno:$BUILD$VERSION" \
+ "so-suricata:$BUILD$VERSION" \
+ "so-telegraf:$BUILD$VERSION" \
+ "so-zeek:$BUILD$VERSION" )
+ fi
+
+update_docker_containers
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-saltstack-update b/salt/common/tools/sbin/so-saltstack-update
new file mode 100644
index 000000000..d4e380b61
--- /dev/null
+++ b/salt/common/tools/sbin/so-saltstack-update
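Review bot: `docker pull --disable-content-trust=false docker.io/soshybridhunter/$i` has no error check, so when the signed pull fails (unsigned tag, notary unreachable, network error) the loop still runs `docker tag` and `docker push` on whatever image of that name already exists locally, re-publishing a stale or unverified image to `$HOSTNAME:5000` under the new tag; make the pull gate the push with `docker pull --disable-content-trust=false docker.io/soshybridhunter/$i || { echo "Failed to pull $i"; exit 1; }`. In master_check, `[ $MASTERCHECK == 'so-eval' ]` is unquoted, so an empty role (no `role` line in /etc/salt/grains) turns every test into a syntax error instead of reaching the "Please run soup on the master" message; quote it as `"$MASTERCHECK"`, and `grep role /etc/salt/grains | awk '{print $2}'` drops the redundant cat. The double negative `--disable-content-trust=false` is correct but easy to misread; a comment `# content trust ON: only signed images are accepted` next to it would help the next reader.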
@@ -0,0 +1,57 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+default_salt_dir=/opt/so/saltstack/default
+clone_to_tmp() {
+
+ # TODO Need to add a air gap option
+ # Make a temp location for the files
+ mkdir /tmp/sogh
+ cd /tmp/sogh
+ #git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+ git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
+ cd /tmp
+
+}
+
+copy_new_files() {
+
+ # Copy new files over to the salt dir
+ cd /tmp/sogh/securityonion-saltstack
+ git checkout $BRANCH
+ rsync -a --exclude-from 'exclude-list.txt' salt $default_salt_dir/
+ rsync -a --exclude-from 'exclude-list.txt' pillar $default_salt_dir/
+ chown -R socore:socore $default_salt_dir/salt
+ chown -R socore:socore $default_salt_dir/pillar
+ chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh
+ rm -rf /tmp/sogh
+}
+
+got_root(){
+ if [ "$(id -u)" -ne 0 ]; then
+ echo "This script must be run using sudo!"
+ exit 1
+ fi
+}
+
+got_root
+if [ $# -ne 1 ] ; then
+ BRANCH=master
+else
+ BRANCH=$1
+fi
+clone_to_tmp
+copy_new_files
\ No newline at end of file
From 9d5f4049b5c8e3d6f90c7ad4ac14bfe2ba9f8722 Mon Sep 17 00:00:00 2001
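Review bot: The script overwrites the root-applied Salt tree under `$default_salt_dir` with the head of whatever branch is named in `$1` (`git checkout $BRANCH`) with no pin, tag or signature check and no error handling: if `git clone`, `git checkout` or `cd /tmp/sogh/securityonion-saltstack` fails, the `rsync` and `chown` lines still run from the wrong working directory. Add `set -euo pipefail` after the shebang, or `|| exit 1` on the clone, checkout and `cd` calls, and quote `"$BRANCH"`. `mkdir /tmp/sogh` uses a fixed path in world-writable /tmp while running as root, so a pre-existing directory owned by another local user becomes the clone target; `workdir=$(mktemp -d)` with a matching cleanup avoids that. `rsync --exclude-from 'exclude-list.txt'` resolves relative to the clone, meaning the exclusion list itself comes from the fetched branch; a comment saying so is worth adding if that is intended.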
From: Jason Ertel Date: Tue, 2 Jun 2020 05:51:58 -0400 Subject: [PATCH 09/33] Avoid filtering NIC when it's an empty string --- salt/sensoroni/files/sensoroni.json | 25 ---------------- salt/sensoroni/init.sls | 45 ----------------------------- setup/so-functions | 18 +++++++----- 3 files changed, 11 insertions(+), 77 deletions(-) delete mode 100644 salt/sensoroni/files/sensoroni.json delete mode 100644 salt/sensoroni/init.sls diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json deleted file mode 100644 index d53fe0a66..000000000 --- a/salt/sensoroni/files/sensoroni.json +++ /dev/null @@ -1,25 +0,0 @@ -{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} -{%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%} -{ - "logFilename": "/opt/sensoroni/logs/sensoroni-server.log", - "server": { - "bindAddress": "0.0.0.0:9822", - "maxPacketCount": 5000, - "htmlDir": "html", - "modules": { - "filedatastore": { - "jobDir": "jobs" - }, - "securityonion": { - "elasticsearchHost": "http://{{ MASTERIP }}:9200", - "elasticsearchUsername": "", - "elasticsearchPassword": "", - "elasticsearchVerifyCert": false - }, - "statickeyauth": { - "anonymousCidr": "172.17.0.0/24", - "apiKey": "{{ SENSORONIKEY }}" - } - } - } -} diff --git a/salt/sensoroni/init.sls b/salt/sensoroni/init.sls deleted file mode 100644 index 441394df6..000000000 --- a/salt/sensoroni/init.sls +++ /dev/null 
@@ -1,45 +0,0 @@ -{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} -{% set MASTER = salt['grains.get']('master') %} - -sensoronidir: - file.directory: - - name: /opt/so/conf/sensoroni - - user: 939 - - group: 939 - - makedirs: True - -sensoronidatadir: - file.directory: - - name: /nsm/sensoroni/jobs - - user: 939 - - group: 939 - - makedirs: True - -sensoronilogdir: - file.directory: - - name: /opt/so/log/sensoroni - - user: 939 - - group: 939 - - makedirs: True - -sensoronisync: - file.recurse: - - name: /opt/so/conf/sensoroni - - source: salt://sensoroni/files - - user: 939 - - group: 939 - - template: jinja - -so-sensoroni: - docker_container.running: - - image: {{ MASTER }}:5000/soshybridhunter/so-sensoroni:{{ VERSION }} - - hostname: sensoroni - - name: so-sensoroni - - binds: - - /nsm/sensoroni/jobs:/opt/sensoroni/jobs:rw - - /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro - - /opt/so/log/sensoroni/:/opt/sensoroni/logs/:rw - - port_bindings: - - 0.0.0.0:9822:9822 - - watch: - - file: /opt/so/conf/sensoroni diff --git a/setup/so-functions b/setup/so-functions index eeda4ea38..8db94e4e5 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -585,14 +585,18 @@ disable_misc_network_features() { filter_unused_nics if [ ${#filtered_nics[@]} -ne 0 ]; then for unused_nic in "${filtered_nics[@]}"; do - # Disable DHCPv4/v6 and autoconnect - nmcli con mod "$unused_nic" \ - ipv4.method disabled \ - ipv6.method ignore \ - connection.autoconnect "no" >> "$setup_log" 2>&1 + if [ -n "$unused_nic" ]; then + echo "Disabling unused NIC: $unused_nic" >> "$setup_log" 2>&1 - # Flush any existing IPs - ip addr flush "$unused_nic" >> "$setup_log" 2>&1 + # Disable DHCPv4/v6 and autoconnect + nmcli con mod "$unused_nic" \ + ipv4.method disabled \ + ipv6.method ignore \ + connection.autoconnect "no" >> "$setup_log" 2>&1 + + # Flush any existing IPs + ip addr flush "$unused_nic" >> "$setup_log" 2>&1 + fi done fi # Disable IPv6 
From b695b7f24515c0b5ef8edf9e941dc327c9e1be50 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 2 Jun 2020 08:05:48 -0400 Subject: [PATCH 10/33] Fleet standalone fixes - firewall --- salt/firewall/init.sls | 3 ++- setup/so-functions | 3 +++ setup/so-setup | 4 +++- setup/so-whiptail | 4 ++-- 4 files changed, 10 insertions(+), 4 deletions(-) diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index b6c928eba..c27188f12 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -6,7 +6,8 @@ {% elif grains['role'] == 'so-sensor' %} {% set ip = salt['pillar.get']('sensor:mainip', '') %} {% elif grains['role'] == 'so-fleet' %} - {% set ip = salt['pillar.get']('node:mainip', '') %} + {% set MAININT = salt['pillar.get']('host:mainint') %} + {% set ip = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} {% endif %} {% set FLEET_NODE = salt['pillar.get']('static:fleet_node') %} diff --git a/setup/so-functions b/setup/so-functions index 3aea34bac..55cb71327 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -398,6 +398,9 @@ check_requirements() { req_mem=12 req_cores=4 req_nics=2 + elif [[ "$eval_or_dist" == 'fleet' ]]; then + req_mem=4 + req_cores=4 elif [[ "$eval_or_dist" == 'dist' ]]; then req_mem=8 req_cores=4 diff --git a/setup/so-setup b/setup/so-setup index 313586800..f5d43eb38 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -138,6 +138,8 @@ if [[ $is_eval ]]; then check_requirements "eval" elif [[ $is_distmaster || $is_minion ]]; then check_requirements "dist" +elif [[ $is_fleet_standalone ]]; then + check_requirements "fleet" elif [[ $is_sensor && ! $is_eval ]]; then check_requirements "dist" "sensor" fi @@ -284,7 +286,7 @@ if [[ $is_node && ! $is_eval ]]; then fi fi -if [ "$install_type" = 'FLEET' ]; then +if [ "$install_type" == 'FLEET' ]; then collect_fleetuser_inputs else FLEETNODEUSER=$WEBUSER diff --git a/setup/so-whiptail b/setup/so-whiptail index 06712ace3..fc2429ad2 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
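Review bot: The new `elif [[ $is_fleet_standalone ]]; then check_requirements "fleet"` branch in setup/so-setup cannot be reached: the patch-07 so-setup hunk sets both `is_minion=true` and `is_fleet_standalone=true` for install_type FLEET, and the preceding `elif [[ $is_distmaster || $is_minion ]]` already matches, so a Fleet node is still checked against the dist profile rather than the new 4 GB one. Move the fleet test above the dist/minion one, or exclude it there: `elif [[ $is_distmaster || ( $is_minion && ! $is_fleet_standalone ) ]]; then`. In the so-functions hunk the `fleet` branch sets `req_mem` and `req_cores` but not `req_nics`; if check_requirements reads `req_nics` further down (outside the hunk) it is unset for this profile, so confirm a default exists.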
@@ -178,7 +178,7 @@ whiptail_create_fleet_node_user_password1() { [ -n "$TESTING" ] && return - FLEETNODEPASS1=$(whiptail --title "Security Onion Install" --passwordbox \ + FLEETNODEPASSWD1=$(whiptail --title "Security Onion Install" --passwordbox \ "Enter a password for $FLEETNODEUSER" 10 60 3>&1 1>&2 2>&3) local exitstatus=$? @@ -189,7 +189,7 @@ whiptail_create_fleet_node_user_password2() { [ -n "$TESTING" ] && return - FLEETNODEPASS2=$(whiptail --title "Security Onion Install" --passwordbox \ + FLEETNODEPASSWD2=$(whiptail --title "Security Onion Install" --passwordbox \ "Re-enter a password for $FLEETNODEUSER" 10 60 3>&1 1>&2 2>&3) local exitstatus=$? From 07c0075fc080759afae8aa6374c1e23ac57237c9 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 2 Jun 2020 08:43:06 -0400 Subject: [PATCH 11/33] Upgrade containerd.io and docker-ce to match ISO rpms --- salt/common/init.sls | 2 +- setup/so-functions | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 09d71114b..deb30790e 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -101,7 +101,7 @@ heldpackages: pkg.installed: - pkgs: - containerd.io: 1.2.13-3.2.el7 - - docker-ce: 3:19.03.9-3.el7 + - docker-ce: 3:19.03.11-3.el7 - hold: True - update_holds: True {% endif %} diff --git a/setup/so-functions b/setup/so-functions index 8db94e4e5..8f6716c0a 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -613,9 +613,9 @@ docker_install() { { yum clean expire-cache; yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo; - yum -y install docker-ce-19.03.9-3.el7 containerd.io-1.2.6-3.el7; - yum versionlock docker-ce-19.03.9-3.el7; - yum versionlock containerd.io-1.2.6-3.el7 + yum -y install docker-ce-19.03.11-3.el7 containerd.io-1.2.13-3.2.el7; + yum versionlock docker-ce-19.03.11-3.el7; + yum versionlock containerd.io-1.2.13-3.2.el7 } >> "$setup_log" 2>&1 else 
From 42683ddb674f8a4e414f648b956162ce7c0a25f1 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 2 Jun 2020 09:12:25 -0400 Subject: [PATCH 12/33] always restart acng and registry containers when docker restarts --- salt/master/init.sls | 1 + salt/registry/init.sls | 1 + 2 files changed, 2 insertions(+) diff --git a/salt/master/init.sls b/salt/master/init.sls index 4dab12a68..3c6b81e5e 100644 --- a/salt/master/init.sls +++ b/salt/master/init.sls @@ -61,6 +61,7 @@ so-aptcacherng: docker_container.running: - image: {{ MASTER }}:5000/soshybridhunter/so-acng:{{ VERSION }} - hostname: so-acng + - restart_policy: always - port_bindings: - 0.0.0.0:3142:3142 - binds: diff --git a/salt/registry/init.sls b/salt/registry/init.sls index ed56d25ae..9ee44d1de 100644 --- a/salt/registry/init.sls +++ b/salt/registry/init.sls @@ -42,6 +42,7 @@ so-dockerregistry: docker_container.running: - image: registry:2 - hostname: so-registry + - restart_policy: always - port_bindings: - 0.0.0.0:5000:5000 - binds: From b5cc653179e45cf363a909a94fcdc3cf6a396ca2 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 2 Jun 2020 09:39:42 -0400 Subject: [PATCH 13/33] Fleet standalone fixes - mainip --- salt/fleet/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index 6a6eb9a30..a4998047e 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls 
@@ -3,12 +3,12 @@ {%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%} {% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %} {% set MASTER = salt['grains.get']('master') %} -{% set MAINIP = salt['pillar.get']('node:mainip') %} {% set FLEETARCH = salt['grains.get']('role') %} {% if FLEETARCH == "so-fleet" %} - {% set MAINIP = salt['pillar.get']('node:mainip') %} + {% set MAININT = salt['pillar.get']('host:mainint') %} + {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} {% else %} {% set MAINIP = salt['pillar.get']('static:masterip') %} {% endif %} From 77df87880ceab8fd06d12e8462438281202b1aee Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 2 Jun 2020 10:20:29 -0400 Subject: [PATCH 14/33] Fleet standalone fixes - fleet sa req --- setup/so-functions | 4 +--- setup/so-setup | 9 ++++----- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 55cb71327..f3e738678 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -398,13 +398,11 @@ check_requirements() { req_mem=12 req_cores=4 req_nics=2 - elif [[ "$eval_or_dist" == 'fleet' ]]; then - req_mem=4 - req_cores=4 elif [[ "$eval_or_dist" == 'dist' ]]; then req_mem=8 req_cores=4 if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi + if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi fi if [[ $num_nics -lt $req_nics ]]; then diff --git a/setup/so-setup b/setup/so-setup index f5d43eb38..45452a0a7 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -128,7 +128,6 @@ elif [ "$install_type" = 'HEAVYNODE' ]; then is_sensor=true elif [ "$install_type" = 'FLEET' ]; then is_minion=true - is_fleet_standalone=true OSQUERY=1 elif [ "$install_type" = 'HELIXSENSOR' ]; then is_helix=true 
@@ -136,10 +135,10 @@ fi if [[ $is_eval ]]; then check_requirements "eval" +elif [[ "$is_minon" && "$OSQUERY" == 1 ]]; then + check_requirements "dist" "fleet" elif [[ $is_distmaster || $is_minion ]]; then check_requirements "dist" -elif [[ $is_fleet_standalone ]]; then - check_requirements "fleet" elif [[ $is_sensor && ! $is_eval ]]; then check_requirements "dist" "sensor" fi @@ -237,7 +236,7 @@ if [[ $is_master ]]; then get_redirect fi -if [[ $is_distmaster || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ]]; then +if [[ $is_distmaster || ( $is_sensor || $is_node || [[ "$is_minon" && "$OSQUERY" == 1 ]] ) && ! $is_eval ]]; then whiptail_master_updates if [[ $setup_type == 'network' && $MASTERUPDATES == 1 ]]; then whiptail_master_updates_warning @@ -329,7 +328,7 @@ if [[ $is_minion ]]; then copy_ssh_key >> $setup_log 2>&1 fi -if [[ $is_fleet_standalone ]]; then +if [[ "$is_minon" && "$OSQUERY" == 1 ]]; then host_pillar >> $setup_log 2>&1 fi From 782c6698358d0cffd406be1128f2972b88666bb1 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 2 Jun 2020 12:42:14 -0400 Subject: [PATCH 15/33] Fleet standalone fixes - req --- setup/so-setup | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 45452a0a7..c583c4260 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -128,6 +128,7 @@ elif [ "$install_type" = 'HEAVYNODE' ]; then is_sensor=true elif [ "$install_type" = 'FLEET' ]; then is_minion=true + is_fleet_standalone=true OSQUERY=1 elif [ "$install_type" = 'HELIXSENSOR' ]; then is_helix=true 
@@ -135,12 +136,12 @@ fi if [[ $is_eval ]]; then check_requirements "eval" -elif [[ "$is_minon" && "$OSQUERY" == 1 ]]; then +elif [[ $is_fleet_standalone ]]; then check_requirements "dist" "fleet" -elif [[ $is_distmaster || $is_minion ]]; then - check_requirements "dist" elif [[ $is_sensor && ! $is_eval ]]; then check_requirements "dist" "sensor" +elif [[ $is_distmaster || $is_minion ]]; then + check_requirements "dist" fi whiptail_patch_schedule @@ -236,7 +237,7 @@ if [[ $is_master ]]; then get_redirect fi -if [[ $is_distmaster || ( $is_sensor || $is_node || [[ "$is_minon" && "$OSQUERY" == 1 ]] ) && ! $is_eval ]]; then +if [[ $is_distmaster || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ]]; then whiptail_master_updates if [[ $setup_type == 'network' && $MASTERUPDATES == 1 ]]; then whiptail_master_updates_warning @@ -328,7 +329,7 @@ if [[ $is_minion ]]; then copy_ssh_key >> $setup_log 2>&1 fi -if [[ "$is_minon" && "$OSQUERY" == 1 ]]; then +if [[ $is_fleet_standalone ]]; then host_pillar >> $setup_log 2>&1 fi From 91673a5d70a49677c6eea65ab6b820d598d6dd89 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 2 Jun 2020 17:33:42 +0000 Subject: [PATCH 16/33] Update FB config --- salt/filebeat/etc/filebeat.yml | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml index be04effb0..76c26b51d 100644 --- a/salt/filebeat/etc/filebeat.yml +++ b/salt/filebeat/etc/filebeat.yml @@ -75,10 +75,10 @@ filebeat.modules: filebeat.inputs: #------------------------------ Log prospector -------------------------------- {%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" or grains['role'] == "so-heavynode" or grains['role'] == "so-standalone" %} - - type: syslog + + - type: udp enabled: true - protocol.udp: - host: "0.0.0.0:514" + host: "0.0.0.0:514" fields: module: syslog dataset: syslog 
@@ -87,7 +87,20 @@ filebeat.inputs: processors: - drop_fields: fields: ["source", "prospector", "input", "offset", "beat"] + fields_under_root: true + - type: tcp + enabled: true + host: "0.0.0.0:514" + fields: + module: syslog + dataset: syslog + pipeline: "syslog" + index: "so-syslog-%{+yyyy.MM.dd}" + processors: + - drop_fields: + fields: ["source", "prospector", "input", "offset", "beat"] + fields_under_root: true {%- if BROVER != 'SURICATA' %} {%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %} - type: log From 8cac30728b088a5245c863478f54d4e4bc674094 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Tue, 2 Jun 2020 17:36:36 +0000 Subject: [PATCH 17/33] update Logstash config --- pillar/logstash/search.sls | 1 + .../config/so/9034_output_syslog.conf.jinja | 15 ++++++--------- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/pillar/logstash/search.sls b/pillar/logstash/search.sls index b4e42a8a3..30bf94cea 100644 --- a/pillar/logstash/search.sls +++ b/pillar/logstash/search.sls @@ -5,6 +5,7 @@ logstash: - so/0900_input_redis.conf.jinja - so/9000_output_zeek.conf.jinja - so/9002_output_import.conf.jinja + - so/9034_output_syslog.conf.jinja - so/9100_output_osquery.conf.jinja - so/9400_output_suricata.conf.jinja - so/9500_output_beats.conf.jinja diff --git a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja index 35d3cf7dc..7b35af576 100644 --- a/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja +++ b/salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja 
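Review bot: The new `- type: tcp` input binds `host: "0.0.0.0:514"` with no `ssl` settings and no source restriction, as does the `- type: udp` input changed in the previous hunk, so who can inject syslog events into the `so-syslog-*` index is decided solely by the host firewall state. That dependency is worth stating next to the inputs, e.g. `# 514/tcp and 514/udp listen on all interfaces; reachability is restricted by the firewall state, not here`, and if the forwarders support it the tcp input can additionally carry the filebeat `ssl` options. The `filebeat.inputs` list continues outside the hunk.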
@@ -3,24 +3,21 @@ {%- else %} {%- set ES = salt['pillar.get']('node:mainip', '') -%} {%- endif %} -# Author: Justin Henderson -# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics -# Updated by: Doug Burks -# Last Update: 5/15/2017 filter { - if "syslog" in [tags] and "test_data" not in [tags] { + if [module] =~ "syslog" { mutate { - ##add_tag => [ "conf_file_9034"] - } + ##add_tag => [ "conf_file_9000"] + } } } output { - if "syslog" in [tags] and "test_data" not in [tags] { + if [module] =~ "syslog" { elasticsearch { + pipeline => "%{module}" hosts => "{{ ES }}" index => "so-syslog-%{+YYYY.MM.dd}" - template_name => "logstash" + template_name => "so-common" template => "/so-common-template.json" template_overwrite => true } From c91bc0e68161d4a89d7be77c0e7e14951bf91ac7 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 2 Jun 2020 15:31:48 -0400 Subject: [PATCH 18/33] Clean up some stuff --- salt/elasticsearch/files/ingest/syslog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/elasticsearch/files/ingest/syslog b/salt/elasticsearch/files/ingest/syslog index d34e79d4a..1af0bc1c8 100644 --- a/salt/elasticsearch/files/ingest/syslog +++ b/salt/elasticsearch/files/ingest/syslog @@ -6,6 +6,10 @@ "field": "message", "pattern" : "%{message}", "on_failure": [ { "drop" : { } } ] + }, + "remove": { + "field": [ "type", "agent" ], + "ignore_failure": true } }, { "pipeline": { "name": "common" } } From e6fcf75181228629d21cba64a35d35bc30e18bf7 Mon Sep 17 00:00:00 2001 
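Review bot: `if [module] =~ "syslog"` is a regex substring match, and combined with `pipeline => "%{module}"` it routes any event whose `module` field merely contains "syslog" into this output and to an ingest pipeline named by that field value rather than the fixed `syslog` pipeline the filebeat input declares. An exact test and a literal pipeline name are tighter and match the filebeat side: `if [module] == "syslog" {` and `pipeline => "syslog"`. The copied comment `##add_tag => [ "conf_file_9000"]` now names the wrong file; `conf_file_9034` was correct before this change.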
From: Jason Ertel Date: Tue, 2 Jun 2020 17:31:43 -0400 Subject: [PATCH 19/33] Re-ordered wazuh setup to avoid agent-service failures due to missing client.keys file; Prepare for user profile settings screen support in reverse proxy --- salt/nginx/etc/nginx.conf.so-eval | 2 +- salt/nginx/etc/nginx.conf.so-master | 2 +- salt/nginx/etc/nginx.conf.so-mastersearch | 2 +- salt/soc/files/kratos/kratos.yaml | 2 +- salt/wazuh/init.sls | 10 +++++----- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/salt/nginx/etc/nginx.conf.so-eval b/salt/nginx/etc/nginx.conf.so-eval index 336d27343..0d793f70a 100644 --- a/salt/nginx/etc/nginx.conf.so-eval +++ b/salt/nginx/etc/nginx.conf.so-eval @@ -134,7 +134,7 @@ http { proxy_set_header Connection "Upgrade"; } - location ~ ^/auth/.*?(whoami|login|logout) { + location ~ ^/auth/.*?(whoami|login|logout|settings) { rewrite /auth/(.*) /$1 break; proxy_pass http://{{ masterip }}:4433; proxy_read_timeout 90; diff --git a/salt/nginx/etc/nginx.conf.so-master b/salt/nginx/etc/nginx.conf.so-master index 33edb9c3e..2178b6017 100644 --- a/salt/nginx/etc/nginx.conf.so-master +++ b/salt/nginx/etc/nginx.conf.so-master @@ -134,7 +134,7 @@ http { proxy_set_header Connection "Upgrade"; } - location ~ ^/auth/.*?(whoami|login|logout) { + location ~ ^/auth/.*?(whoami|login|logout|settings) { rewrite /auth/(.*) /$1 break; proxy_pass http://{{ masterip }}:4433; proxy_read_timeout 90; diff --git a/salt/nginx/etc/nginx.conf.so-mastersearch b/salt/nginx/etc/nginx.conf.so-mastersearch index 33edb9c3e..2178b6017 100644 --- a/salt/nginx/etc/nginx.conf.so-mastersearch +++ b/salt/nginx/etc/nginx.conf.so-mastersearch @@ -134,7 +134,7 @@ http { proxy_set_header Connection "Upgrade"; } - location ~ ^/auth/.*?(whoami|login|logout) { + location ~ ^/auth/.*?(whoami|login|logout|settings) { rewrite /auth/(.*) /$1 break; proxy_pass http://{{ masterip }}:4433; proxy_read_timeout 90; 
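Review bot: The regex `^/auth/.*?(whoami|login|logout|settings)` is anchored only at the start, so after this change any `/auth/` path that contains `settings` anywhere (not just the settings endpoint) is rewritten and proxied to Kratos on :4433; the same edit appears in the nginx.conf.so-master and nginx.conf.so-mastersearch hunks. Anchoring the tail limits the forwarded surface to the intended endpoints, e.g. `location ~ ^/auth/.*?(whoami|login|logout|settings)(/|$) {`, or list the exact Kratos paths this deployment uses. The enclosing `http { ... }` block continues outside the hunk.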
diff --git a/salt/soc/files/kratos/kratos.yaml b/salt/soc/files/kratos/kratos.yaml index e5a970557..7939ec35b 100644 --- a/salt/soc/files/kratos/kratos.yaml +++ b/salt/soc/files/kratos/kratos.yaml @@ -42,7 +42,7 @@ urls: login_ui: https://{{ WEBACCESS }}/login/ registration_ui: https://{{ WEBACCESS }}/login/ error_ui: https://{{ WEBACCESS }}/login/ - settings_ui: https://{{ WEBACCESS }}/ + settings_ui: https://{{ WEBACCESS }}/?r=/settings verify_ui: https://{{ WEBACCESS }}/ mfa_ui: https://{{ WEBACCESS }}/ diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 54db40787..c483f07a0 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -80,11 +80,6 @@ wazuhmgrwhitelist: - mode: 755 - template: jinja -wazuhagentservice: - service.running: - - name: wazuh-agent - - enable: True - so-wazuh: docker_container.running: - image: {{ MASTER }}:5000/soshybridhunter/so-wazuh:{{ VERSION }} @@ -110,3 +105,8 @@ whitelistmanager: cmd.run: - name: /usr/sbin/wazuh-manager-whitelist - cwd: / + +wazuhagentservice: + service.running: + - name: wazuh-agent + - enable: True From eaacb7b71e6a3ff83063a64dcb9f6c1411345a50 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 3 Jun 2020 05:54:35 -0400 Subject: [PATCH 20/33] Fleet cleanup --- salt/common/tools/sbin/so-fleet-setup | 4 +- salt/firewall/init.sls | 31 +++--- salt/fleet/files/dedicated-index.html | 96 ------------------- salt/fleet/files/packs/PUT.PACKS.IN.HERE | 0 salt/fleet/files/packs/hh/hh-post-login.sh | 13 --- .../{hh/osquery.conf => osquery-config.conf} | 0 .../{hh/hhdefault.yml => so/so-default.yml} | 0 salt/fleet/init.sls | 7 -- 8 files changed, 20 insertions(+), 131 deletions(-) delete mode 100644 salt/fleet/files/dedicated-index.html delete mode 100644 salt/fleet/files/packs/PUT.PACKS.IN.HERE delete mode 100644 salt/fleet/files/packs/hh/hh-post-login.sh rename salt/fleet/files/packs/{hh/osquery.conf => osquery-config.conf} (100%) rename salt/fleet/files/packs/{hh/hhdefault.yml => so/so-default.yml} (100%) 
diff --git a/salt/common/tools/sbin/so-fleet-setup b/salt/common/tools/sbin/so-fleet-setup index 956a8b829..9801c803b 100644 --- a/salt/common/tools/sbin/so-fleet-setup +++ b/salt/common/tools/sbin/so-fleet-setup @@ -20,9 +20,9 @@ docker exec so-fleet fleetctl setup --email $1 --password $2 docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml -docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml +docker exec so-fleet fleetctl apply -f /packs/so/so-default.yml docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done' -docker exec so-fleet fleetctl apply -f /packs/hh/osquery.conf +docker exec so-fleet fleetctl apply -f /packs/osquery-config.conf # Enable Fleet diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index c27188f12..a91ea20d0 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -355,17 +355,6 @@ enable_minions_influxdb_8086_{{ip}}: - position: 1 - save: True -enable_minion_osquery_8080_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 8080 - - position: 1 - - save: True - enable_minion_osquery_8090_{{ip}}: iptables.insert: - table: filter @@ -792,7 +781,7 @@ enable_fleet_osquery_8080_{{ip}}: - save: True -enable_fleetnodetemp_mysql_3306_{{ip}}: +enable_fleetnode_mysql_3306_{{ip}}: iptables.insert: - table: filter - chain: DOCKER-USER @@ -803,7 +792,7 @@ enable_fleetnodetemp_mysql_3306_{{ip}}: - position: 1 - save: True -enable_fleettemp_osquery_8080_{{ip}}: +enable_fleet_osquery_8080_{{ip}}: iptables.insert: - table: filter - chain: DOCKER-USER 
@@ -847,4 +836,20 @@ enable_fleetnode_8090_{{ip}}: {% endfor %} +# Make it so all the minions can talk to fleet standalone node +{% for ip in pillar.get('minions') %} + +enable_minion_fleet_standalone_8090_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: tcp + - source: {{ ip }} + - dport: 8090 + - position: 1 + - save: True + +{% endfor %} + {% endif %} diff --git a/salt/fleet/files/dedicated-index.html b/salt/fleet/files/dedicated-index.html deleted file mode 100644 index 4a27b6104..000000000 --- a/salt/fleet/files/dedicated-index.html +++ /dev/null @@ -1,96 +0,0 @@ -{%- set PACKAGESTS = salt['pillar.get']('static:fleet_packages-timestamp:', 'N/A') -%} - - - - -Security Onion - Hybrid Hunter - - - - - - - -
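Review bot: `{% for ip in pillar.get('minions') %}` has no default, so on a host where the `minions` pillar key is absent the template render fails on `None` and the entire firewall state, including every rule above it, is not applied; use `{% for ip in pillar.get('minions', []) %}`. The new `enable_minion_fleet_standalone_8090_{{ip}}` rule appears to open the same source/port pair as the existing `enable_minion_osquery_8090_{{ip}}` rule visible earlier in this file, so one of the two may now be redundant; the loop that feeds the earlier rule is outside the hunk, so confirm before removing either. The surrounding `{% if %}` block starts outside the hunk.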
- - -
-

-

-

Security Onion - Dedicated Fleet Node

-
-
-
-

-
-
- - diff --git a/salt/fleet/files/packs/PUT.PACKS.IN.HERE b/salt/fleet/files/packs/PUT.PACKS.IN.HERE deleted file mode 100644 index e69de29bb..000000000 diff --git a/salt/fleet/files/packs/hh/hh-post-login.sh b/salt/fleet/files/packs/hh/hh-post-login.sh deleted file mode 100644 index cc787decf..000000000 --- a/salt/fleet/files/packs/hh/hh-post-login.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/sh -echo "Applying Post Configuration for Osquery" -#fleetctl apply -f /packs/hh/osquery.conf -fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml -fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml -fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml -fleetctl apply -f /packs/hh/hhdefault.yml - -for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; - do fleetctl apply -f "$pack" -done -echo "" -echo "You can now exit the container by typing exit" diff --git a/salt/fleet/files/packs/hh/osquery.conf b/salt/fleet/files/packs/osquery-config.conf similarity index 100% rename from salt/fleet/files/packs/hh/osquery.conf rename to salt/fleet/files/packs/osquery-config.conf diff --git a/salt/fleet/files/packs/hh/hhdefault.yml b/salt/fleet/files/packs/so/so-default.yml similarity index 100% rename from salt/fleet/files/packs/hh/hhdefault.yml rename to salt/fleet/files/packs/so/so-default.yml diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index a4998047e..65f32e213 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -5,7 +5,6 @@ {% set MASTER = salt['grains.get']('master') %} {% set FLEETARCH = salt['grains.get']('role') %} - {% if FLEETARCH == "so-fleet" %} {% set MAININT = salt['pillar.get']('host:mainint') %} {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} 
@@ -59,12 +58,6 @@ fleetlogdir: - group: 939 - makedirs: True -osquerypackageswebpage: - file.managed: - - name: /opt/so/conf/fleet/packages/index.html - - source: salt://fleet/files/dedicated-index.html - - template: jinja - fleetdb: mysql_database.present: - name: fleet From 9f0e48e3378f731768e8b4d3c7eaac0ff7003554 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 3 Jun 2020 08:55:06 -0400 Subject: [PATCH 21/33] Send stderr to /dev/null as well, since it's already been decided this output is unsuited for the logfile based on the comment --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 8f6716c0a..0f6f79d1d 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1217,7 +1217,7 @@ salt_checkin() { # Run a salt command to generate the minion key salt_firstcheckin() { - salt-call state.show_top >> /dev/null # send output to /dev/null because we don't actually care about the ouput + salt-call state.show_top >> /dev/null 2>&1 # send output to /dev/null because we don't actually care about the ouput } set_base_heapsizes() { From 970368c74e430371c8efb26cf8bf488be83a4deb Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 3 Jun 2020 09:42:44 -0400 Subject: [PATCH 22/33] Avoid logs leaking to stdout/stderr during cron jobs --- salt/curator/init.sls | 6 +++--- salt/idstools/init.sls | 2 +- salt/playbook/init.sls | 11 +++++++++-- salt/zeek/cron/packetloss.sh | 2 +- 4 files changed, 14 insertions(+), 7 deletions(-) diff --git a/salt/curator/init.sls b/salt/curator/init.sls index d064b9f20..37b4fac87 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -89,7 +89,7 @@ curdel: so-curatorcloseddeletecron: cron.present: - - name: /usr/sbin/so-curator-closed-delete + - name: /usr/sbin/so-curator-closed-delete > /opt/so/log/curator/cron-closed-delete.log 2>&1 - user: root - minute: '*' - hour: '*' 
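Review bot: The three curator cron entries now redirect into `/opt/so/log/curator/`, but nothing in this commit creates that directory, unlike the playbook hunk which adds a `playbooklogdir` `file.directory` state before its cron entries; the same applies to the two curator hunks that follow this one. If the directory is not created elsewhere, cron's shell fails on the redirect and the curator job never runs, so add a `file.directory` state for `/opt/so/log/curator` or confirm an existing state provides it. Note also that `>` truncates the log on every minute-interval run, leaving only the last execution's output; `>>` would preserve history if that is wanted.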
@@ -99,7 +99,7 @@ so-curatorcloseddeletecron: so-curatorclosecron: cron.present: - - name: /usr/sbin/so-curator-close + - name: /usr/sbin/so-curator-close > /opt/so/log/curator/cron-close.log 2>&1 - user: root - minute: '*' - hour: '*' @@ -109,7 +109,7 @@ so-curatorclosecron: so-curatordeletecron: cron.present: - - name: /usr/sbin/so-curator-delete + - name: /usr/sbin/so-curator-delete > /opt/so/log/curator/cron-delete.log 2>&1 - user: root - minute: '*' - hour: '*' diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 9bda4dd58..d145a4e15 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -39,7 +39,7 @@ idstoolsetcsync: so-ruleupdatecron: cron.present: - - name: /usr/sbin/so-rule-update.sh > /opt/so/log/idstools/download.log + - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1 - user: root - minute: '1' - hour: '7' diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index a5242f561..fec93b71e 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -86,15 +86,22 @@ so-playbook: {% endif %} +playbooklogdir: + file.directory: + - name: /opt/so/log/playbook + - user: 939 + - group: 939 + - makedirs: True + so-playbooksynccron: cron.present: - - name: /usr/sbin/so-playbook-sync + - name: /usr/sbin/so-playbook-sync > /opt/so/log/playbook/sync.log 2>&1 - user: root - minute: '*/5' so-playbookruleupdatecron: cron.present: - - name: /usr/sbin/so-playbook-ruleupdate + - name: /usr/sbin/so-playbook-ruleupdate > /opt/so/log/playbook/update.log 2>&1 - user: root - minute: '1' - hour: '6' \ No newline at end of file diff --git a/salt/zeek/cron/packetloss.sh b/salt/zeek/cron/packetloss.sh index 51812edf5..c8750dd92 100755 --- a/salt/zeek/cron/packetloss.sh +++ b/salt/zeek/cron/packetloss.sh 
@@ -1,2 +1,2 @@ #!/bin/bash -/usr/bin/docker exec so-zeek /opt/zeek/bin/zeekctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log +/usr/bin/docker exec so-zeek /opt/zeek/bin/zeekctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1 From 3d92145bb93a2d8d860a7dfc087f848a5343e2ec Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 3 Jun 2020 15:52:18 -0400 Subject: [PATCH 23/33] Fleet standalone - custom hostnames --- salt/fleet/event_gen-packages.sls | 9 +++++++- salt/fleet/event_update-custom-hostname.sls | 9 ++++++++ salt/reactor/fleet.sls | 25 ++++++++++++++++----- salt/ssl/init.sls | 4 +++- setup/so-functions | 4 ++++ setup/so-setup | 7 ++++++ setup/so-whiptail | 13 +++++++++++ 7 files changed, 63 insertions(+), 8 deletions(-) create mode 100644 salt/fleet/event_update-custom-hostname.sls diff --git a/salt/fleet/event_gen-packages.sls b/salt/fleet/event_gen-packages.sls index 11a3d9a0a..72c02be45 100644 --- a/salt/fleet/event_gen-packages.sls +++ b/salt/fleet/event_gen-packages.sls @@ -2,12 +2,19 @@ {% set ENROLLSECRET = salt['pillar.get']('secrets:fleet_enroll-secret') %} {% set CURRENTPACKAGEVERSION = salt['pillar.get']('static:fleet_packages-version') %} {% set VERSION = salt['pillar.get']('static:soversion') %} +{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %} + +{% if CUSTOM_FLEET_HOSTNAME != None %} + {% set HOSTNAME = {{ CUSTOM_FLEET_HOSTNAME }} %} +{% else %} + {% set HOSTNAME = {{ grains.host }} %} +{% endif %} so/fleet: event.send: - data: action: 'genpackages' - hostname: {{ grains.host }} + package-hostname: {{ HOSTNAME }} role: {{ grains.role }} mainip: {{ grains.host }} enroll-secret: {{ ENROLLSECRET }} 
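Review bot: The added `2>&1` applies only to the final `awk` in the pipeline, so stderr from `docker exec` (for example when the so-zeek container is not running) and from the first `awk` still leaks out of the cron job, which is what the commit sets out to avoid. Wrap the whole pipeline so all of its stderr reaches the log: `{ /usr/bin/docker exec so-zeek /opt/zeek/bin/zeekctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}'; } >> /nsm/zeek/logs/packetloss.log 2>&1`.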
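Review bot: `{% set HOSTNAME = {{ CUSTOM_FLEET_HOSTNAME }} %}` and `{% set HOSTNAME = {{ grains.host }} %}` nest `{{ }}` inside a `{% %}` statement, which is not valid Jinja and will fail to render, so the `genpackages` event is never sent. Inside a statement the expressions are written bare: `{% set HOSTNAME = CUSTOM_FLEET_HOSTNAME %}` and `{% set HOSTNAME = grains.host %}`. The resulting `package-hostname` is what the reactor bakes into the launcher packages as the enrollment endpoint, so it is worth a one-line comment noting that it is trusted from the pillar as-is.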
diff --git a/salt/fleet/event_update-custom-hostname.sls b/salt/fleet/event_update-custom-hostname.sls new file mode 100644 index 000000000..9278862ed --- /dev/null +++ b/salt/fleet/event_update-custom-hostname.sls @@ -0,0 +1,9 @@ +{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %} + +so/fleet: + event.send: + - data: + action: 'update_custom_hostname' + custom_hostname: {{ CUSTOM_FLEET_HOSTNAME }} + role: {{ grains.role }} + \ No newline at end of file diff --git a/salt/reactor/fleet.sls b/salt/reactor/fleet.sls index 2e929c59e..c7bade3ab 100644 --- a/salt/reactor/fleet.sls +++ b/salt/reactor/fleet.sls @@ -9,10 +9,6 @@ import subprocess def run(): MINIONID = data['id'] ACTION = data['data']['action'] - HOSTNAME = data['data']['hostname'] - ROLE = data['data']['role'] - ESECRET = data['data']['enroll-secret'] - MAINIP = data['data']['mainip'] STATICFILE = '/opt/so/saltstack/pillar/static.sls' SECRETSFILE = '/opt/so/saltstack/pillar/secrets.sls' @@ -21,6 +17,11 @@ def run(): if ACTION == 'enablefleet': logging.info('so/fleet enablefleet reactor') + ESECRET = data['data']['enroll-secret'] + MAINIP = data['data']['mainip'] + ROLE = data['data']['role'] + HOSTNAME = data['data']['hostname'] + # Enable Fleet for line in fileinput.input(STATICFILE, inplace=True): if ROLE == 'so-fleet': @@ -48,8 +49,10 @@ def run(): logging.info('so/fleet genpackages reactor') PACKAGEVERSION = data['data']['current-package-version'] + PACKAGEHOSTNAME = data['data']['package-hostname'] MASTER = data['data']['master'] VERSION = data['data']['version'] + ESECRET = data['data']['enroll-secret'] # Increment the package version by 1 PACKAGEVERSION += 1 
@@ -57,7 +60,7 @@ def run(): # Run Docker container that will build the packages gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,source=/opt/so/saltstack/salt/fleet/packages,target=/output", \ "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:{ VERSION }", \ - f"{ESECRET}", f"{HOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii') + f"{ESECRET}", f"{PACKAGEHOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii') # Update the 'packages-built' timestamp on the webpage (stored in the static pillar) for line in fileinput.input(STATICFILE, inplace=True): @@ -70,6 +73,16 @@ def run(): print(line) # Copy over newly-built packages - copy_packages = subprocess.run(["salt-call", "state.apply","fleet"], stdout=subprocess.PIPE, encoding='ascii') + copy_packages = subprocess.run(["salt-call", "state.apply","fleet"], stdout=subprocess.PIPE, encoding='ascii') + + if ACTION == 'update_custom_hostname': + logging.info('so/fleet update_custom_hostname reactor') + + CUSTOMHOSTNAME = data['data']['custom_hostname'] + + # Update the Fleet host in the static pillar + for line in fileinput.input(STATICFILE, inplace=True): + line = re.sub(r'fleet_custom_hostname: \S*', f"fleet_custom_hostname: {CUSTOMHOSTNAME}", line.rstrip()) + print(line) return {} diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index ca6417dec..897ab84d0 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls 
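Review bot: The new `update_custom_hostname` branch writes `data['data']['custom_hostname']` into `/opt/so/saltstack/pillar/static.sls` with no check on who sent the event and no validation of the value, and the pillar it rewrites is the one ssl/init.sls places into certificate SANs and event_gen-packages uses as the enrollment hostname. Since this reactor runs on the master for every `so/fleet` event, a plain-hostname check before the rewrite is warranted, and ideally a check that `MINIONID` is a minion expected to carry the fleet role; the value also passes through `re.sub`'s replacement-string processing via the f-string, so restricting it to hostname characters removes backslash handling surprises as well. The visible context shows only `import subprocess`; confirm `re` is imported at the top of the file, which is outside the hunk.
```python
CUSTOMHOSTNAME = data['data']['custom_hostname']
# Only a plain hostname may reach the pillar file (and, from there, certificate SANs)
if not re.fullmatch(r'[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?', CUSTOMHOSTNAME):
    logging.error('so/fleet update_custom_hostname: rejected value from %s', MINIONID)
    return {}
# … unchanged: fileinput/re.sub rewrite of STATICFILE …
```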
@@ -5,6 +5,7 @@ {% set global_ca_server = [] %} {% set MAININT = salt['pillar.get']('host:mainint') %} {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} +{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %} {% if grains.id.split('_')|last in ['master', 'eval', 'standalone'] %} {% set trusttheca_text = salt['mine.get'](grains.id, 'x509.get_pem_entries')[grains.id]['/etc/pki/ca.crt']|replace('\n', '') %} @@ -201,6 +202,7 @@ chownfilebeatp8: - signing_policy: masterssl - public_key: /etc/pki/masterssl.key - CN: {{ HOSTNAME }} + - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %} - days_remaining: 0 - days_valid: 820 - backup: True @@ -223,7 +225,7 @@ chownfilebeatp8: x509.certificate_managed: - signing_private_key: /etc/pki/fleet.key - CN: {{ HOSTNAME }} - - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} + - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %} - days_remaining: 0 - days_valid: 820 - backup: True diff --git a/setup/so-functions b/setup/so-functions index f3e738678..96190b60c 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -287,6 +287,10 @@ collect_adminuser_inputs() { done } +collect_fleet_custom_hostname_inputs{ + whiptail_fleet_custom_hostname +} + collect_fleetuser_inputs() { # Get a username & password for the Fleet admin user local valid_user=no diff --git a/setup/so-setup b/setup/so-setup index c583c4260..7f55c1e46 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -288,6 +288,7 @@ fi if [ "$install_type" == 'FLEET' ]; then collect_fleetuser_inputs + collect_fleet_custom_hostname_inputs else FLEETNODEUSER=$WEBUSER FLEETNODEPASSWD1=$WEBPASSWD1 
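Review bot: The SAN line `IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %}` renders a space before the comma and a trailing space, and `!= None` still emits an empty `DNS:` entry when the pillar holds an empty string; the same line is added in the third hunk of this file for the fleet certificate. Whether salt's x509 module strips that whitespace is not visible here, so it is safer to render it cleanly and test truthiness: `- subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }}{% if CUSTOM_FLEET_HOSTNAME %}, DNS:{{ CUSTOM_FLEET_HOSTNAME }}{% endif %}`. Note that this also adds the custom Fleet hostname to the masterssl certificate in the second hunk, not only the fleet one; a comment stating why the master certificate needs it would help the next reader.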
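Review bot: `collect_fleet_custom_hostname_inputs{` is missing the `()` that bash requires for a function definition, so `{` becomes part of the command name and sourcing so-functions fails with a syntax error at the closing `}`. It should read `collect_fleet_custom_hostname_inputs() {`. The surrounding `collect_adminuser_inputs` and `collect_fleetuser_inputs` definitions use the correct form.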
@@ -495,6 +496,12 @@ fi set_progress_str 73 "$(print_salt_state_apply 'redis')" salt-call state.apply -l info redis >> $setup_log 2>&1 + + if [[ $is_fleet_standalone && $FLEETCUSTOMHOSTNAME != '' ]]; then + set_progress_str 73 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')" + pillar_override="{"static":{"fleet_custom_hostname":"$FLEETCUSTOMHOSTNAME"}}" + salt-call state.apply -l info fleet.event_update-custom-hostname pillar=$pillar_override >> $setup_log 2>&1 + fi set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')" so-fleet-setup $FLEETNODEUSER $FLEETNODEPASSWD1 >> $setup_log 2>&1 diff --git a/setup/so-whiptail b/setup/so-whiptail index fc2429ad2..dd6d1edac 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -270,6 +270,19 @@ whiptail_create_web_user_password2() { } +whiptail_fleet_custom_hostname() { + + [ -n "$TESTING" ] && return + + FLEETCUSTOMHOSTNAME=$(whiptail --title "Security Onion Install" --inputbox \ + "What FQDN should osquery clients use for connections to this Fleet node? Leave blank if the local system hostname will be used." 10 60 3>&1 1>&2 2>&3) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} + + + whiptail_requirements_error() { local requirement_needed=$1 From a09991d770504693ddbcbd78d2f9180e43ab2685 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 3 Jun 2020 15:56:59 -0400 Subject: [PATCH 24/33] Fleet standalone - custom hostnames --- setup/so-functions | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-functions b/setup/so-functions index 96190b60c..f300b985d 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -918,6 +918,7 @@ master_static() { " cortexorgname: SecurityOnion"\ " cortexorguser: soadmin"\ " cortexorguserkey: $CORTEXORGUSERKEY"\ + " fleet_custom_hostname: "\ " fleet_master: False"\ " fleet_node: False"\ " fleet_packages-timestamp: N/A"\ From f3fabcd93cc711c3c72b3a0fb4216271f8cd7351 Mon Sep 17 00:00:00 2001 
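Review bot: The new prompt in `whiptail_fleet_custom_hostname` accepts any free-form string as the Fleet FQDN and nothing in this series validates it afterwards: the value is written into the static pillar, interpolated into `subjectAltName` for two certificates and into the osquery package build, and passed through a JSON `pillar=` override on the command line. Unlike `collect_fleetuser_inputs` just above, which loops until the input is valid, this function returns whatever was typed. Wrap the prompt in the same kind of validation loop so only an empty answer or a syntactically valid hostname gets out, which protects every downstream consumer at once; the msgbox wording and the exact regex are suggestions.
```shell
whiptail_fleet_custom_hostname() {

  [ -n "$TESTING" ] && return

  # Labels of letters/digits/hyphen joined by dots; an empty answer keeps the local hostname.
  local fqdn_re='^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
  local valid_fqdn=no
  while [ $valid_fqdn = no ]; do
    # … unchanged: whiptail --inputbox prompt, exitstatus capture and whiptail_check_exitstatus …
    if [[ -z $FLEETCUSTOMHOSTNAME || $FLEETCUSTOMHOSTNAME =~ $fqdn_re ]]; then
      valid_fqdn=yes
    else
      whiptail --title "Security Onion Install" --msgbox "\"$FLEETCUSTOMHOSTNAME\" is not a valid FQDN, please try again." 10 60
    fi
  done
}
```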
From: Mike Reeves Date: Wed, 3 Jun 2020 16:21:45 -0400 Subject: [PATCH 25/33] Enable git --- salt/common/init.sls | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index deb30790e..0ecba198d 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -62,6 +62,7 @@ commonpkgs: - python3-dateutil - python3-m2crypto - python3-mysqldb + - git heldpackages: pkg.installed: - pkgs: @@ -96,6 +97,7 @@ commonpkgs: - device-mapper-persistent-data - lvm2 - openssl + - git heldpackages: pkg.installed: @@ -128,4 +130,4 @@ utilsyncscripts: - group: 0 - file_mode: 755 - template: jinja - - source: salt://common/tools/sbin \ No newline at end of file + - source: salt://common/tools/sbin From 5a9030883a94babc489b8fe7518c8ce9ceec3881 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 3 Jun 2020 16:44:52 -0400 Subject: [PATCH 26/33] Rename Bro to Zeek in some whiptail menus --- setup/so-whiptail | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 9ba4ebc20..1ec1823c9 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -24,7 +24,7 @@ whiptail_basic_bro() { [ -n "$TESTING" ] && return BASICBRO=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter the number of bro processes:" 10 75 "$lb_procs" 3>&1 1>&2 2>&3) + "Enter the number of zeek processes:" 10 75 "$lb_procs" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -51,7 +51,7 @@ whiptail_bro_pins() { cpu_core_list_whiptail+=("$item" "OFF") done - BROPINS=$(whiptail --noitem --title "Pin Bro CPUS" --checklist "Please select $lb_procs cores to pin Bro to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 ) + BROPINS=$(whiptail --noitem --title "Pin Zeek CPUS" --checklist "Please select $lb_procs cores to pin Zeek to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus 
From 08901715272dd0817500709e3f922f499162438b Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 4 Jun 2020 07:51:05 -0400 Subject: [PATCH 27/33] Fixes --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index f300b985d..487b98f0b 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -287,7 +287,7 @@ collect_adminuser_inputs() { done } -collect_fleet_custom_hostname_inputs{ +collect_fleet_custom_hostname_inputs() { whiptail_fleet_custom_hostname } From 7edf9a67c3e1f6205a47774c1536df05f6363512 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 4 Jun 2020 10:46:27 -0400 Subject: [PATCH 28/33] Ensure standalone mode supports the settings flow --- salt/nginx/etc/nginx.conf.so-standalone | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/nginx/etc/nginx.conf.so-standalone b/salt/nginx/etc/nginx.conf.so-standalone index 33edb9c3e..2178b6017 100644 --- a/salt/nginx/etc/nginx.conf.so-standalone +++ b/salt/nginx/etc/nginx.conf.so-standalone @@ -134,7 +134,7 @@ http { proxy_set_header Connection "Upgrade"; } - location ~ ^/auth/.*?(whoami|login|logout) { + location ~ ^/auth/.*?(whoami|login|logout|settings) { rewrite /auth/(.*) /$1 break; proxy_pass http://{{ masterip }}:4433; proxy_read_timeout 90; From 4e4eeedb4109a035be794d87ab300c04686d347a Mon Sep 17 00:00:00 2001 
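Review bot: The `location` regex is a substring match — `^/auth/.*?(whoami|login|logout|settings)` has no terminating anchor and `.*?` permits any prefix — so after this change every path under `/auth/` that merely contains `settings` (or one of the other words) anywhere is rewritten and proxied to port 4433, not only the intended flow endpoints. If 4433 is solely the identity service's public listener this mostly widens what is reachable through the public edge; if that port also serves privileged routes it is a real exposure, and neither is visible here. List the upstream paths exactly instead of using a lazy wildcard, and anchor each alternative with `(/|$)` so `settings` cannot match as part of a longer segment. The enclosing `server` block starts and ends outside the hunk.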
From: Josh Brower Date: Thu, 4 Jun 2020 22:41:35 -0400 Subject: [PATCH 29/33] Initial support - external beats --- pillar/logstash/master.sls | 1 + pillar/logstash/search.sls | 1 - salt/elasticsearch/files/ingest/beats.common | 35 + .../pipelines/config/so/0009_input_beats.conf | 6 + .../config/so/9500_output_beats.conf.jinja | 17 +- .../templates/so/so-beats-template.json | 1286 ----------------- 6 files changed, 47 insertions(+), 1299 deletions(-) create mode 100644 salt/elasticsearch/files/ingest/beats.common create mode 100644 salt/logstash/pipelines/config/so/0009_input_beats.conf delete mode 100644 salt/logstash/pipelines/templates/so/so-beats-template.json diff --git a/pillar/logstash/master.sls b/pillar/logstash/master.sls index 61d1bb6d1..1ff41b43c 100644 --- a/pillar/logstash/master.sls +++ b/pillar/logstash/master.sls @@ -2,5 +2,6 @@ logstash: pipelines: master: config: + - so/0009_input_beats.conf - so/0010_input_hhbeats.conf - so/9999_output_redis.conf.jinja diff --git a/pillar/logstash/search.sls b/pillar/logstash/search.sls index 30bf94cea..6b3d0422e 100644 --- a/pillar/logstash/search.sls +++ b/pillar/logstash/search.sls @@ -12,6 +12,5 @@ logstash: - so/9600_output_ossec.conf.jinja - so/9700_output_strelka.conf.jinja templates: - - so/so-beats-template.json - so/so-common-template.json - so/so-zeek-template.json diff --git a/salt/elasticsearch/files/ingest/beats.common b/salt/elasticsearch/files/ingest/beats.common new file mode 100644 index 000000000..0e93abb03 --- /dev/null +++ b/salt/elasticsearch/files/ingest/beats.common 
@@ -0,0 +1,35 @@ +{ + "description" : "beats.common", + "processors" : [ + {"community_id": {"if": "ctx.winlog.event_data?.Protocol != null", "field":["winlog.event_data.SourceIp","winlog.event_data.SourcePort","winlog.event_data.DestinationIp","winlog.event_data.DestinationPort","winlog.event_data.Protocol"],"target_field":"network.community_id"}}, + { "set": { "if": "ctx.winlog?.channel != null", "field": "dataset", "value": "wel-{{winlog.channel}}", "override": true } }, + { "set": { "if": "ctx.agent?.type != null", "field": "module", "value": "{{agent.type}}", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.category", "value": "host,process,network", "override": true } }, + { "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.category", "value": "host,process", "override": true } }, + { "rename": { "field": "agent.hostname", "target_field": "agent.name", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.DestinationIp", "target_field": "destination.ip", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.DestinationPort", "target_field": "destination.port", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.Image", "target_field": "process.executable", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.ProcessID", "target_field": "process.pid", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.ProcessGuid", "target_field": "process.entity_id", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.CommandLine", "target_field": 
"process.command_line", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.CurrentDirectory", "target_field": "process.working_directory", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.Description", "target_field": "process.pe.description", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.Product", "target_field": "process.pe.product", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.OriginalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.FileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.ParentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.ParentImage", "target_field": "process.parent.executable", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.ParentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.ParentProcessId", "target_field": "process.ppid", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.Protocol", "target_field": "network.transport", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.SourceHostname", "target_field": "source.hostname", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.SourceIp", "target_field": "source.ip", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.SourcePort", "target_field": "source.port", "ignore_missing": true } }, + { "rename": { "field": "winlog.event_data.targetFilename", "target_field": "file.target", "ignore_missing": true } }, + { "pipeline": { "name": "common" } } + ] +} \ No newline at end 
of file diff --git a/salt/logstash/pipelines/config/so/0009_input_beats.conf b/salt/logstash/pipelines/config/so/0009_input_beats.conf new file mode 100644 index 000000000..a5c1d491c --- /dev/null +++ b/salt/logstash/pipelines/config/so/0009_input_beats.conf @@ -0,0 +1,6 @@ +input { + beats { + port => "5044" + tags => [ "beat-ext" ] + } +} \ No newline at end of file diff --git a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja index dcfefa852..e50c04eee 100644 --- a/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja +++ b/salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja @@ -3,22 +3,15 @@ {%- else %} {%- set ES = salt['pillar.get']('node:mainip', '') -%} {%- endif %} -# Author: Wes Lambert -# Last Update: 09/14/2018 -filter { - if "beat" in [tags] { - mutate { - ##add_tag => [ "conf_file_9500"] - } - } -} + output { - if "beat" in [tags] { + if "beat-ext" in [tags] { elasticsearch { + pipeline => "beats.common" hosts => "{{ ES }}" index => "so-beats-%{+YYYY.MM.dd}" - template_name => "so-beats" - template => "/so-beats-template.json" + template_name => "so-common" + template => "/so-common-template.json" template_overwrite => true } } diff --git a/salt/logstash/pipelines/templates/so/so-beats-template.json b/salt/logstash/pipelines/templates/so/so-beats-template.json deleted file mode 100644 index 858f1d5e5..000000000 --- a/salt/logstash/pipelines/templates/so/so-beats-template.json +++ /dev/null 
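Review bot: The new external beats listener accepts plaintext, unauthenticated connections: `0009_input_beats.conf` opens port 5044 with no `ssl`, `ssl_certificate`/`ssl_key` or `ssl_verify_mode` settings, and the reworked 9500 output indexes whatever arrives into `so-beats-*`. Anyone who can reach 5044 can read shipped logs in transit and inject or spoof events into the SIEM, which undermines the data detections run on. The series already manages per-node certificates and `/etc/pki/ca.crt` through the ssl state, so terminate TLS here and require client certificates signed by the internal CA (the file names below are placeholders — confirm against what the ssl state writes), and make sure 5044 is only opened on the firewall to approved shippers, which is not visible in this series.
```logstash
  beats {
    # … unchanged: port, tags …
    ssl => true
    ssl_certificate => "/etc/pki/<node-cert>.crt"
    ssl_key => "/etc/pki/<node-cert>.p8"
    ssl_certificate_authorities => [ "/etc/pki/ca.crt" ]
    ssl_verify_mode => "force_peer"
  }
```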
@@ -1,1286 +0,0 @@ -{ - "index_patterns": [ - "so-beats-*" - ], - "mappings": { - "_meta": { - "version": "6.1.3" - }, - "date_detection": false, - "dynamic_templates": [ - { - "fields": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string", - "path_match": "fields.*" - } - }, - { - "docker.container.labels": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string", - "path_match": "docker.container.labels.*" - } - }, - { - "strings_as_keyword": { - "mapping": { - "ignore_above": 1024, - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "@timestamp": { - "type": "date" - }, - "event_data": { - "type":"object", - "dynamic": true - }, - "beat_host": { - "type":"object", - "dynamic": true - }, - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "beat": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "username":{ - "type":"text", - "fields": { - "keyword":{ - "type":"keyword" - } - } - }, - "computer_name": { - "type": "text", - "fields":{ - "keyword":{ - "type":"keyword" - } - } - }, - "docker": { - "properties": { - "container": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "ignore_above": 1024, - "type": "keyword" - }, - "labels": { - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "error": { - "properties": { - "code": { - "type": "long" - }, - "message": { - "norms": false, - "type": "text" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event_id": { - "type": "long" - }, - "fields": { - "type": "object" - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "kubernetes": { - "properties": { - 
"annotations": { - "type": "object" - }, - "container": { - "properties": { - "image": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "pod": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "message_error": { - "ignore_above": 1024, - "type": "keyword" - }, - "meta": { - "properties": { - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "project_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "process_id": { - "type": "long" - }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "record_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "related_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "thread_id": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "type": "keyword" - }, - "identifier": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "type": { - 
"type": "keyword" - } - } - }, - "user_data": { - "type": "object", - "dynamic": "true" - }, - "version": { - "type": "keyword" - }, - "xml": { - "norms": false, - "type": "text" - }, - "apache2": { - "properties": { - "access": { - "properties": { - "agent": { - "norms": false, - "type": "text" - }, - "body_sent": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "geoip": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "http_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote_ip": { - "ignore_above": 1024, - "type": "keyword" - }, - "response_code": { - "type": "long" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_agent": { - "properties": { - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "major": { - "type": "long" - }, - "minor": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_major": { - "type": "long" - }, - "os_minor": { - "type": "long" - }, - "os_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "patch": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "client": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "type": "long" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - 
"type": "long" - }, - "tid": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "auditd": { - "properties": { - "log": { - "properties": { - "a0": { - "ignore_above": 1024, - "type": "keyword" - }, - "acct": { - "ignore_above": 1024, - "type": "keyword" - }, - "geoip": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "item": { - "ignore_above": 1024, - "type": "keyword" - }, - "items": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_auid": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_ses": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_auid": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_ses": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ppid": { - "ignore_above": 1024, - "type": "keyword" - }, - "record_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "res": { - "ignore_above": 1024, - "type": "keyword" - }, - "sequence": { - "type": "long" - } - } - } - } - }, - "fileset": { - "properties": { - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "icinga": { - "properties": { - "debug": { - "properties": { - "facility": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "main": { - "properties": { - "facility": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, 
- "startup": { - "properties": { - "facility": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "kafka": { - "properties": { - "log": { - "properties": { - "class": { - "norms": false, - "type": "text" - }, - "component": { - "ignore_above": 1024, - "type": "keyword" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "timestamp": { - "ignore_above": 1024, - "type": "keyword" - }, - "trace": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "norms": false, - "type": "text" - }, - "message": { - "norms": false, - "type": "text" - } - } - } - } - } - } - }, - "logstash": { - "properties": { - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_event": { - "type": "object" - }, - "message": { - "norms": false, - "type": "text" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "thread": { - "norms": false, - "type": "text" - } - } - }, - "slowlog": { - "properties": { - "event": { - "norms": false, - "type": "text" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "plugin_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "plugin_params": { - "norms": false, - "type": "text" - }, - "plugin_params_object": { - "type": "object" - }, - "plugin_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "thread": { - "norms": false, - "type": "text" - }, - "took_in_millis": { - "type": "long" - }, - "took_in_nanos": { - "type": "long" - } - } - } - } - }, - "mysql": { - "properties": { - "error": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - 
"type": "text" - }, - "thread_id": { - "type": "long" - }, - "timestamp": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "slowlog": { - "properties": { - "host": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "type": "long" - }, - "ip": { - "ignore_above": 1024, - "type": "keyword" - }, - "lock_time": { - "properties": { - "sec": { - "type": "float" - } - } - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "query_time": { - "properties": { - "sec": { - "type": "float" - } - } - }, - "rows_examined": { - "type": "long" - }, - "rows_sent": { - "type": "long" - }, - "timestamp": { - "type": "long" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "nginx": { - "properties": { - "access": { - "properties": { - "agent": { - "norms": false, - "type": "text" - }, - "body_sent": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "geoip": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "http_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote_ip": { - "ignore_above": 1024, - "type": "keyword" - }, - "response_code": { - "type": "long" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_agent": { - "properties": { - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "major": { - "type": "long" - }, - "minor": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_major": { - "type": "long" - }, - "os_minor": { - 
"type": "long" - }, - "os_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "patch": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "connection_id": { - "type": "long" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "pid": { - "type": "long" - }, - "tid": { - "type": "long" - } - } - } - } - }, - "offset": { - "type": "long" - }, - "postgresql": { - "properties": { - "log": { - "properties": { - "database": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "float" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "thread_id": { - "type": "long" - }, - "timestamp": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "prospector": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "read_timestamp": { - "ignore_above": 1024, - "type": "keyword" - }, - "redis": { - "properties": { - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "pid": { - "type": "long" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "slowlog": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "cmd": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "properties": { - "us": { - "type": "long" - } - } - }, - "id": { - "type": "long" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "stream": { - "ignore_above": 1024, - "type": "keyword" - }, - "system": { 
- "properties": { - "auth": { - "properties": { - "groupadd": { - "properties": { - "gid": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "program": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssh": { - "properties": { - "dropped_ip": { - "type": "ip" - }, - "event": { - "ignore_above": 1024, - "type": "keyword" - }, - "geoip": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "signature": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sudo": { - "properties": { - "command": { - "ignore_above": 1024, - "type": "keyword" - }, - "error": { - "ignore_above": 1024, - "type": "keyword" - }, - "pwd": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "timestamp": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "useradd": { - "properties": { - "gid": { - "type": "long" - }, - "home": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "shell": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "type": "long" - } - } - } - } - }, - "syslog": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "ignore_above": 1024, - "type": "keyword" - }, - "program": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "traefik": { - "properties": { - "access": { - "properties": { - "agent": { - "norms": false, - "type": "text" - }, - "backend_url": { - "norms": false, - "type": "text" - }, - "body_sent": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "frontend_name": { - "norms": false, - "type": "text" - }, - "geoip": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "http_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote_ip": { - "ignore_above": 1024, - "type": "keyword" - }, - "request_count": { - "type": "long" - }, - "response_code": { - "type": "long" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_agent": { - "properties": { - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "major": { - "type": "long" - }, - "minor": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_major": { - "type": "long" - }, - "os_minor": { - "type": "long" - }, - "os_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "patch": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "order": 1, - "settings": { - "index": { - "mapping": { - 
"total_fields": { - "limit": 10000 - } - }, - "number_of_replicas": 0, - "number_of_shards": 1, - "refresh_interval": "30s" - } - } -} From 33f21c05f79937556aa623aaf2a062d539c00f32 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Sat, 6 Jun 2020 10:03:25 -0400 Subject: [PATCH 30/33] Fleet standaline custom fqdn fixes --- salt/fleet/event_gen-packages.sls | 4 ++-- setup/so-setup | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/fleet/event_gen-packages.sls b/salt/fleet/event_gen-packages.sls index 72c02be45..6d1e2264a 100644 --- a/salt/fleet/event_gen-packages.sls +++ b/salt/fleet/event_gen-packages.sls @@ -5,9 +5,9 @@ {% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %} {% if CUSTOM_FLEET_HOSTNAME != None %} - {% set HOSTNAME = {{ CUSTOM_FLEET_HOSTNAME }} %} + {% set HOSTNAME = CUSTOM_FLEET_HOSTNAME %} {% else %} - {% set HOSTNAME = {{ grains.host }} %} + {% set HOSTNAME = grains.host %} {% endif %} so/fleet: diff --git a/setup/so-setup b/setup/so-setup index 7f55c1e46..fbae5b15d 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -499,7 +499,7 @@ fi if [[ $is_fleet_standalone && $FLEETCUSTOMHOSTNAME != '' ]]; then set_progress_str 73 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')" - pillar_override="{"static":{"fleet_custom_hostname":"$FLEETCUSTOMHOSTNAME"}}" + pillar_override=='"{"static":{"fleet_custom_hostname":"'$FLEETCUSTOMHOSTNAME'"}}"' salt-call state.apply -l info fleet.event_update-custom-hostname pillar=$pillar_override >> $setup_log 2>&1 fi From ab6e36e00a3adf0cb0085d436aeec531a968850e Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Sat, 6 Jun 2020 13:15:44 -0400 Subject: [PATCH 31/33] Fleet syntax error fix --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index fbae5b15d..ea9084831 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -499,7 +499,7 @@ fi
 if [[ $is_fleet_standalone && $FLEETCUSTOMHOSTNAME != '' ]]; then
 set_progress_str 73 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')"
- pillar_override=='"{"static":{"fleet_custom_hostname":"'$FLEETCUSTOMHOSTNAME'"}}"'
+ pillar_override='"{"static":{"fleet_custom_hostname":"'$FLEETCUSTOMHOSTNAME'"}}"'
 salt-call state.apply -l info fleet.event_update-custom-hostname pillar=$pillar_override >> $setup_log 2>&1
 fi
From 950d4077f6148b51c0adaa960535fd7d907fe02e Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Mon, 8 Jun 2020 08:12:14 -0400
Subject: [PATCH 32/33] Update so-setup
---
 setup/so-setup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-setup b/setup/so-setup
index ea9084831..92147f8f8 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -499,7 +499,7 @@ fi
 if [[ $is_fleet_standalone && $FLEETCUSTOMHOSTNAME != '' ]]; then
 set_progress_str 73 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')"
- pillar_override='"{"static":{"fleet_custom_hostname":"'$FLEETCUSTOMHOSTNAME'"}}"'
+ pillar_override=$'\'{"static":{"fleet_custom_hostname":"'$FLEETCUSTOMHOSTNAME$'"}}\''
 salt-call state.apply -l info fleet.event_update-custom-hostname pillar=$pillar_override >> $setup_log 2>&1
 fi
From 51f97f5ae5e1e517c3deeb3bf71a0a7baa5566df Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Mon, 8 Jun 2020 08:47:06 -0400
Subject: [PATCH 33/33] Fleet setup - final fixes
---
 salt/fleet/event_gen-packages.sls | 2 +-
 setup/so-setup | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/fleet/event_gen-packages.sls b/salt/fleet/event_gen-packages.sls
index 6d1e2264a..1bdccea48 100644
--- a/salt/fleet/event_gen-packages.sls
+++ b/salt/fleet/event_gen-packages.sls
@@ -4,7 +4,7 @@
 {% set VERSION = salt['pillar.get']('static:soversion') %}
 {% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %}
-{% if CUSTOM_FLEET_HOSTNAME != None %}
+{% if CUSTOM_FLEET_HOSTNAME != None && CUSTOM_FLEET_HOSTNAME != '' %}
 {% set HOSTNAME = CUSTOM_FLEET_HOSTNAME %}
 {% else %}
 {% set HOSTNAME = grains.host %}
diff --git a/setup/so-setup b/setup/so-setup
index 8e72a1b42..05aa0de27 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -526,8 +526,8 @@ fi
 if [[ $is_fleet_standalone && $FLEETCUSTOMHOSTNAME != '' ]]; then
 set_progress_str 73 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')"
- pillar_override=$'\'{"static":{"fleet_custom_hostname":"'$FLEETCUSTOMHOSTNAME$'"}}\''
- salt-call state.apply -l info fleet.event_update-custom-hostname pillar=$pillar_override >> $setup_log 2>&1
+ pillar_override="{\"static\":{\"fleet_custom_hostname\": \"$FLEETCUSTOMHOSTNAME\"}}"
+ salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1
 fi
 set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')"
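Review bot: `&&` is not a Jinja operator, so the new `{% if CUSTOM_FLEET_HOSTNAME != None && CUSTOM_FLEET_HOSTNAME != '' %}` makes event_gen-packages.sls fail to render with a TemplateSyntaxError whether or not a custom hostname is set, and the state will never apply. Jinja spells the conjunction `and`; since both None and the empty string are falsy, the one-term form `{% if CUSTOM_FLEET_HOSTNAME %}` covers the case the commit is trying to add and is the idiomatic fix. HOSTNAME is presumably what the generated enrollment packages point agents at further down the file, outside this hunk, so a render failure here is worth catching before release rather than in a customer's setup log.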
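Review bot: The new `pillar_override` line still splices `$FLEETCUSTOMHOSTNAME` into the pillar document with no validation or escaping, so a value containing `"`, `\` or `}` yields a pillar that Salt cannot parse, and because the `salt-call` exit status is not checked the installer moves straight on to `set_progress_str 74` with only a line in `$setup_log` to show for it. Since this value ends up as the hostname baked into the Fleet/osquery configuration via the `static:fleet_custom_hostname` pillar, it deserves a shape check before use: `if [[ ! $FLEETCUSTOMHOSTNAME =~ ^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$ ]]; then echo "Invalid Fleet hostname: $FLEETCUSTOMHOSTNAME" >> "$setup_log"; exit 1; fi` placed before the `pillar_override` assignment, and `|| echo "fleet.event_update-custom-hostname failed" >> "$setup_log"` (or an exit, if the installer's convention is to abort on state failure) on the `salt-call` line. Separately, `[[ $is_fleet_standalone && ... ]]` is a non-empty-string test, so if that variable can ever hold a literal `false` the branch is still taken; worth confirming against where it is assigned, which is outside this hunk.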
