CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 09:42:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'dev' of github.com:Security-Onion-Solutions/securityonion-saltstack into dev

Browse Source
This commit is contained in:
William Wernert
2020-06-08 12:12:29 -04:00
parent e2c3fe3342 35bc5f9133
commit 941ad5acf6
46 changed files with 528 additions and 1664 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
pillar/logstash/master.sls
View File

@@ -2,5 +2,6 @@ logstash:
pipelines:
master:
config:
- so/0009_input_beats.conf
- so/0010_input_hhbeats.conf
- so/9999_output_redis.conf.jinja

2
pillar/logstash/search.sls
View File

@@ -5,12 +5,12 @@ logstash:
- so/0900_input_redis.conf.jinja
- so/9000_output_zeek.conf.jinja
- so/9002_output_import.conf.jinja
- so/9034_output_syslog.conf.jinja
- so/9100_output_osquery.conf.jinja
- so/9400_output_suricata.conf.jinja
- so/9500_output_beats.conf.jinja
- so/9600_output_ossec.conf.jinja
- so/9700_output_strelka.conf.jinja
templates:
- so/so-beats-template.json
- so/so-common-template.json
- so/so-zeek-template.json

4
salt/common/init.sls
View File

@@ -62,6 +62,7 @@ commonpkgs:
- python3-dateutil
- python3-m2crypto
- python3-mysqldb
- git
heldpackages:
pkg.installed:
- pkgs:
@@ -96,12 +97,13 @@ commonpkgs:
- device-mapper-persistent-data
- lvm2
- openssl
- git
heldpackages:
pkg.installed:
- pkgs:
- containerd.io: 1.2.13-3.2.el7
- docker-ce: 3:19.03.9-3.el7
- docker-ce: 3:19.03.11-3.el7
- hold: True
- update_holds: True
{% endif %}

112
salt/common/tools/sbin/so-docker-refresh Normal file
View File

@@ -0,0 +1,112 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
got_root(){
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!"
exit 1
fi
}
master_check() {
# Check to see if this is a master
MASTERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}')
if [ $MASTERCHECK == 'so-eval' ] || [ $MASTERCHECK == 'so-master' ] || [ $MASTERCHECK == 'so-mastersearch' ] || [ $MASTERCHECK == 'so-standalone' ] || [ $MASTERCHECK == 'so-helix' ]; then
echo "This is a master. We can proceed"
else
echo "Please run soup on the master. The master controls all updates."
exit 1
fi
}
update_docker_containers() {
# Download the containers from the interwebs
for i in "${TRUSTED_CONTAINERS[@]}"
do
# Pull down the trusted docker image
echo "Downloading $i"
docker pull --disable-content-trust=false docker.io/soshybridhunter/$i
# Tag it with the new registry destination
docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i
docker push $HOSTNAME:5000/soshybridhunter/$i
done
}
version_check() {
if [ -f /etc/soversion ]; then
VERSION=$(cat /etc/soversion)
else
echo "Unable to detect version. I will now terminate."
exit 1
fi
}
got_root
master_check
version_check
# Use the hostname
HOSTNAME=$(hostname)
BUILD=HH
# List all the containers
if [ $MASTERCHECK != 'so-helix' ]; then
TRUSTED_CONTAINERS=( \
"so-acng:$BUILD$VERSION" \
"so-thehive-cortex:$BUILD$VERSION" \
"so-curator:$BUILD$VERSION" \
"so-domainstats:$BUILD$VERSION" \
"so-elastalert:$BUILD$VERSION" \
"so-elasticsearch:$BUILD$VERSION" \
"so-filebeat:$BUILD$VERSION" \
"so-fleet:$BUILD$VERSION" \
"so-fleet-launcher:$BUILD$VERSION" \
"so-freqserver:$BUILD$VERSION" \
"so-grafana:$BUILD$VERSION" \
"so-idstools:$BUILD$VERSION" \
"so-influxdb:$BUILD$VERSION" \
"so-kibana:$BUILD$VERSION" \
"so-kratos:$BUILD$VERSION" \
"so-logstash:$BUILD$VERSION" \
"so-mysql:$BUILD$VERSION" \
"so-navigator:$BUILD$VERSION" \
"so-nginx:$BUILD$VERSION" \
"so-playbook:$BUILD$VERSION" \
"so-redis:$BUILD$VERSION" \
"so-soc:$BUILD$VERSION" \
"so-soctopus:$BUILD$VERSION" \
"so-steno:$BUILD$VERSION" \
"so-strelka:$BUILD$VERSION" \
"so-suricata:$BUILD$VERSION" \
"so-telegraf:$BUILD$VERSION" \
"so-thehive:$BUILD$VERSION" \
"so-thehive-es:$BUILD$VERSION" \
"so-wazuh:$BUILD$VERSION" \
"so-zeek:$BUILD$VERSION" )
else
TRUSTED_CONTAINERS=( \
"so-filebeat:$BUILD$VERSION" \
"so-idstools:$BUILD$VERSION" \
"so-logstash:$BUILD$VERSION" \
"so-nginx:$BUILD$VERSION" \
"so-redis:$BUILD$VERSION" \
"so-steno:$BUILD$VERSION" \
"so-suricata:$BUILD$VERSION" \
"so-telegraf:$BUILD$VERSION" \
"so-zeek:$BUILD$VERSION" )
fi
update_docker_containers

44
salt/common/tools/sbin/so-fleet-setup Normal file
View File

@@ -0,0 +1,44 @@
#!/bin/bash
#so-fleet-setup $FleetEmail $FleetPassword
if [[ $# -ne 2 ]] ; then
echo "Username or Password was not set - exiting now."
exit 1
fi
# Checking to see if required containers are started...
if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
echo "Starting Docker Containers..."
salt-call state.apply mysql queue=True >> /root/fleet-setup.log
salt-call state.apply fleet queue=True >> /root/fleet-setup.log
salt-call state.apply redis queue=True >> /root/fleet-setup.log
fi
docker exec so-fleet fleetctl config set --address https://localhost:8080 --tls-skip-verify --url-prefix /fleet
docker exec so-fleet fleetctl setup --email $1 --password $2
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
docker exec so-fleet fleetctl apply -f /packs/so/so-default.yml
docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
docker exec so-fleet fleetctl apply -f /packs/osquery-config.conf
# Enable Fleet
echo "Enabling Fleet..."
salt-call state.apply fleet.event_enable-fleet queue=True >> /root/fleet-setup.log
salt-call state.apply nginx queue=True >> /root/fleet-setup.log
# Generate osquery install packages
echo "Generating osquery install packages - this will take some time..."
salt-call state.apply fleet.event_gen-packages queue=True >> /root/fleet-setup.log
sleep 120
echo "Installing launcher via salt..."
salt-call state.apply fleet.install_package queue=True >> /root/fleet-setup.log
salt-call state.apply filebeat queue=True >> /root/fleet-setup.log
docker stop so-nginx
salt-call state.apply nginx queue=True >> /root/fleet-setup.log
echo "Fleet Setup Complete - Login with the username and password you ran the script with."

57
salt/common/tools/sbin/so-saltstack-update Normal file
View File

@@ -0,0 +1,57 @@
#!/bin/bash
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
default_salt_dir=/opt/so/saltstack/default
clone_to_tmp() {
# TODO Need to add a air gap option
# Make a temp location for the files
mkdir /tmp/sogh
cd /tmp/sogh
#git clone -b dev https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack.git
cd /tmp
}
copy_new_files() {
# Copy new files over to the salt dir
cd /tmp/sogh/securityonion-saltstack
git checkout $BRANCH
rsync -a --exclude-from 'exclude-list.txt' salt $default_salt_dir/
rsync -a --exclude-from 'exclude-list.txt' pillar $default_salt_dir/
chown -R socore:socore $default_salt_dir/salt
chown -R socore:socore $default_salt_dir/pillar
chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh
rm -rf /tmp/sogh
}
got_root(){
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!"
exit 1
fi
}
got_root
if [ $# -ne 1 ] ; then
BRANCH=master
else
BRANCH=$1
fi
clone_to_tmp
copy_new_files

6
salt/curator/init.sls
View File

@@ -89,7 +89,7 @@ curdel:
so-curatorcloseddeletecron:
cron.present:
- name: /usr/sbin/so-curator-closed-delete
- name: /usr/sbin/so-curator-closed-delete > /opt/so/log/curator/cron-closed-delete.log 2>&1
- user: root
- minute: '*'
- hour: '*'
@@ -99,7 +99,7 @@ so-curatorcloseddeletecron:
so-curatorclosecron:
cron.present:
- name: /usr/sbin/so-curator-close
- name: /usr/sbin/so-curator-close > /opt/so/log/curator/cron-close.log 2>&1
- user: root
- minute: '*'
- hour: '*'
@@ -109,7 +109,7 @@ so-curatorclosecron:
so-curatordeletecron:
cron.present:
- name: /usr/sbin/so-curator-delete
- name: /usr/sbin/so-curator-delete > /opt/so/log/curator/cron-delete.log 2>&1
- user: root
- minute: '*'
- hour: '*'

35
salt/elasticsearch/files/ingest/beats.common Normal file
View File

@@ -0,0 +1,35 @@
{
"description" : "beats.common",
"processors" : [
{"community_id": {"if": "ctx.winlog.event_data?.Protocol != null", "field":["winlog.event_data.SourceIp","winlog.event_data.SourcePort","winlog.event_data.DestinationIp","winlog.event_data.DestinationPort","winlog.event_data.Protocol"],"target_field":"network.community_id"}},
{ "set": { "if": "ctx.winlog?.channel != null", "field": "dataset", "value": "wel-{{winlog.channel}}", "override": true } },
{ "set": { "if": "ctx.agent?.type != null", "field": "module", "value": "{{agent.type}}", "override": true } },
{ "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 3", "field": "event.category", "value": "host,process,network", "override": true } },
{ "set": { "if": "ctx.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' && ctx.event?.code == 1", "field": "event.category", "value": "host,process", "override": true } },
{ "rename": { "field": "agent.hostname", "target_field": "agent.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.DestinationHostname", "target_field": "destination.hostname", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.DestinationIp", "target_field": "destination.ip", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.DestinationPort", "target_field": "destination.port", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Image", "target_field": "process.executable", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ProcessID", "target_field": "process.pid", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ProcessGuid", "target_field": "process.entity_id", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.CommandLine", "target_field": "process.command_line", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.CurrentDirectory", "target_field": "process.working_directory", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Description", "target_field": "process.pe.description", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Product", "target_field": "process.pe.product", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.OriginalFileName", "target_field": "process.pe.original_file_name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.FileVersion", "target_field": "process.pe.file_version", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentCommandLine", "target_field": "process.parent.command_line", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentImage", "target_field": "process.parent.executable", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentProcessGuid", "target_field": "process.parent.entity_id", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.ParentProcessId", "target_field": "process.ppid", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.Protocol", "target_field": "network.transport", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.User", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourceHostname", "target_field": "source.hostname", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourceIp", "target_field": "source.ip", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.SourcePort", "target_field": "source.port", "ignore_missing": true } },
{ "rename": { "field": "winlog.event_data.targetFilename", "target_field": "file.target", "ignore_missing": true } },
{ "pipeline": { "name": "common" } }
]
}

4
salt/elasticsearch/files/ingest/syslog
View File

@@ -6,6 +6,10 @@
"field": "message",
"pattern" : "%{message}",
"on_failure": [ { "drop" : { } } ]
},
"remove": {
"field": [ "type", "agent" ],
"ignore_failure": true
}
},
{ "pipeline": { "name": "common" } }

19
salt/filebeat/etc/filebeat.yml
View File

@@ -75,10 +75,10 @@ filebeat.modules:
filebeat.inputs:
#------------------------------ Log prospector --------------------------------
{%- if grains['role'] == 'so-sensor' or grains['role'] == "so-eval" or grains['role'] == "so-helix" or grains['role'] == "so-heavynode" or grains['role'] == "so-standalone" %}
- type: syslog
- type: udp
enabled: true
protocol.udp:
host: "0.0.0.0:514"
host: "0.0.0.0:514"
fields:
module: syslog
dataset: syslog
@@ -87,7 +87,20 @@ filebeat.inputs:
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
- type: tcp
enabled: true
host: "0.0.0.0:514"
fields:
module: syslog
dataset: syslog
pipeline: "syslog"
index: "so-syslog-%{+yyyy.MM.dd}"
processors:
- drop_fields:
fields: ["source", "prospector", "input", "offset", "beat"]
fields_under_root: true
{%- if BROVER != 'SURICATA' %}
{%- for LOGNAME in salt['pillar.get']('brologs:enabled', '') %}
- type: log

34
salt/firewall/init.sls
View File

@@ -6,7 +6,8 @@
{% elif grains['role'] == 'so-sensor' %}
{% set ip = salt['pillar.get']('sensor:mainip', '') %}
{% elif grains['role'] == 'so-fleet' %}
{% set ip = salt['pillar.get']('node:mainip', '') %}
{% set MAININT = salt['pillar.get']('host:mainint') %}
{% set ip = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
{% endif %}
{% set FLEET_NODE = salt['pillar.get']('static:fleet_node') %}
@@ -366,17 +367,6 @@ enable_minions_influxdb_8086_{{ip}}:
- position: 1
- save: True
enable_minion_osquery_8080_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 8080
- position: 1
- save: True
enable_minion_osquery_8090_{{ip}}:
iptables.insert:
- table: filter
@@ -803,7 +793,7 @@ enable_fleet_osquery_8080_{{ip}}:
- save: True
enable_fleetnodetemp_mysql_3306_{{ip}}:
enable_fleetnode_mysql_3306_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
@@ -814,7 +804,7 @@ enable_fleetnodetemp_mysql_3306_{{ip}}:
- position: 1
- save: True
enable_fleettemp_osquery_8080_{{ip}}:
enable_fleet_osquery_8080_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
@@ -858,4 +848,20 @@ enable_fleetnode_8090_{{ip}}:
{% endfor %}
# Make it so all the minions can talk to fleet standalone node
{% for ip in pillar.get('minions') %}
enable_minion_fleet_standalone_8090_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 8090
- position: 1
- save: True
{% endfor %}
{% endif %}

3
salt/fleet/event_enable-fleet.sls
View File

@@ -1,5 +1,6 @@
{% set ENROLLSECRET = salt['cmd.run']('docker exec so-fleet fleetctl get enroll-secret') %}
{%- set MAINIP = salt['pillar.get']('node:mainip') -%}
{% set MAININT = salt['pillar.get']('host:mainint') %}
{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
so/fleet:
event.send:

11
salt/fleet/event_gen-packages.sls
View File

@@ -1,15 +1,24 @@
{% set MASTER = salt['grains.get']('master') %}
{% set ENROLLSECRET = salt['pillar.get']('secrets:fleet_enroll-secret') %}
{% set CURRENTPACKAGEVERSION = salt['pillar.get']('static:fleet_packages-version') %}
{% set VERSION = salt['pillar.get']('static:soversion') %}
{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %}
{% if CUSTOM_FLEET_HOSTNAME != None && CUSTOM_FLEET_HOSTNAME != '' %}
{% set HOSTNAME = CUSTOM_FLEET_HOSTNAME %}
{% else %}
{% set HOSTNAME = grains.host %}
{% endif %}
so/fleet:
event.send:
- data:
action: 'genpackages'
hostname: {{ grains.host }}
package-hostname: {{ HOSTNAME }}
role: {{ grains.role }}
mainip: {{ grains.host }}
enroll-secret: {{ ENROLLSECRET }}
current-package-version: {{ CURRENTPACKAGEVERSION }}
master: {{ MASTER }}
version: {{ VERSION }}

9
salt/fleet/event_update-custom-hostname.sls Normal file
View File

@@ -0,0 +1,9 @@
{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %}
so/fleet:
event.send:
- data:
action: 'update_custom_hostname'
custom_hostname: {{ CUSTOM_FLEET_HOSTNAME }}
role: {{ grains.role }}

96
salt/fleet/files/dedicated-index.html
View File

@@ -1,96 +0,0 @@
{%- set PACKAGESTS = salt['pillar.get']('static:fleet_packages-timestamp:', 'N/A') -%}
<!DOCTYPE html>
<html lang="en">
<head>
<title>Security Onion - Hybrid Hunter</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
<style>
* {
box-sizing: border-box;
font-family: Arial, Helvetica, sans-serif;
padding-left: 30px;
padding-right: 30px;
}
body {
font-family: Arial, Helvetica, sans-serif;
background-color: #2a2a2a;
}
a {
color: #f2f2f2;
text-align: left;
padding: 0px;
}
.center-content {
margin: 0 auto;
}
/* Style the top navigation bar */
.topnav {
overflow: hidden;
background-color: #333;
width: 1080px;
display: flex;
align-content: center;
}
/* Style the topnav links */
.topnav a {
margin: auto;
color: #f2f2f2;
text-align: center;
padding: 14px 16px;
text-decoration: none;
}
/* Change color on hover */
.topnav a:hover {
background-color: #ddd;
color: black;
}
/* Style the content */
.content {
background-color: #2a2a2a;
padding: 10px;
padding-top: 20px;
padding-left: 60px;
color: #E3DBCC;
width: 1080px;
}
/* Style the footer */
.footer {
background-color: #2a2a2a;
padding: 60px;
color: #E3DBCC;
width: 1080px;
}
</style>
</head>
<body>
<div class="center-content">
<div class="topnav center-content">
<a href="/fleet/" target="_blank">Fleet</a>
<a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Configuring-Osquery-with-Security-Onion" target="_blank">Osquery/Fleet Docs</a>
<a href="https://www.securityonionsolutions.com" target="_blank">Security Onion Solutions</a>
</div>
<div class="content center-content">
<p>
<div style="text-align: center;">
<h1>Security Onion - Dedicated Fleet Node</h1>
</div>
<br/>
<br/>
</p>
</div>
</div>
</body>
</html>

0
salt/fleet/files/packs/PUT.PACKS.IN.HERE
View File

13
salt/fleet/files/packs/hh/hh-post-login.sh
View File

@@ -1,13 +0,0 @@
#!/bin/sh
echo "Applying Post Configuration for Osquery"
#fleetctl apply -f /packs/hh/osquery.conf
fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml
fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
fleetctl apply -f /packs/hh/hhdefault.yml
for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml;
do fleetctl apply -f "$pack"
done
echo ""
echo "You can now exit the container by typing exit"

0
salt/fleet/files/packs/hh/osquery.conf → salt/fleet/files/packs/osquery-config.conf
View File

0
salt/fleet/files/packs/hh/hhdefault.yml → salt/fleet/files/packs/so/so-default.yml
View File

34
salt/fleet/files/scripts/so-fleet-packages
View File

@@ -1,34 +0,0 @@
#!/bin/bash
{% set MAIN_HOSTNAME = salt['grains.get']('host') %}
{% set MAIN_IP = salt['pillar.get']('node:mainip') %}
local_salt_dir=/opt/so/saltstack/local
#so-fleet-packages $FleetHostname/IP
#if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
# echo "so-fleet container not running... Exiting..."
# exit 1
#fi
#docker exec so-fleet /bin/ash -c "echo {{ MAIN_IP }} {{ MAIN_HOSTNAME }} >> /etc/hosts"
#esecret=$(docker exec so-fleet fleetctl get enroll-secret)
#Concat fleet.crt & ca.crt - this is required for launcher connectivity
#cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/launcher.crt
#Actually only need to use /etc/ssl/certs/intca.crt
#Create the output directory
#mkdir /opt/so/conf/fleet/packages
docker run \
--rm \
--mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \
--mount type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt \
docker.io/soshybridhunter/so-fleet-launcher:HH1.1.0 "$esecret" "$1":8090
cp /opt/so/conf/fleet/packages/launcher.* $local_salt_dir/salt/launcher/packages/
#Update timestamp on packages webpage
sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html
sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" $local_salt_dir/salt/fleet/files/dedicated-index.html

48
salt/fleet/files/scripts/so-fleet-setup
View File

@@ -1,48 +0,0 @@
#!/bin/bash
{% set MAIN_HOSTNAME = salt['grains.get']('host') %}
{% set MAIN_IP = salt['pillar.get']('node:mainip') %}
#so-fleet-setup.sh $FleetEmail
# Enable Fleet
echo "Starting Docker Containers..."
salt-call state.apply mysql queue=True >> /root/fleet-setup.log
salt-call state.apply fleet queue=True >> /root/fleet-setup.log
salt-call state.apply redis queue=True >> /root/fleet-setup.log
if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
echo "so-fleet container not running... Exiting..."
exit 1
fi
initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
docker exec so-fleet /bin/ash -c "echo {{ MAIN_IP }} {{ MAIN_HOSTNAME }} >> /etc/hosts"
docker exec so-fleet fleetctl config set --address https://{{ MAIN_HOSTNAME }}:443 --tls-skip-verify --url-prefix /fleet
docker exec so-fleet fleetctl setup --email $1 --password $initpw
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml
docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
docker exec so-fleet fleetctl apply -f /packs/hh/osquery.conf
# Enable Fleet
echo "Enabling Fleet..."
salt-call state.apply fleet.event_enable-fleet queue=True >> /root/fleet-setup.log
salt-call state.apply nginx queue=True >> /root/fleet-setup.log
# Generate osquery install packages
echo "Generating osquery install packages - this will take some time..."
salt-call state.apply fleet.event_gen-packages queue=True >> /root/fleet-setup.log
sleep 120
echo "Installing launcher via salt..."
salt-call state.apply fleet.install_package queue=True >> /root/fleet-setup.log
salt-call state.apply filebeat queue=True >> /root/fleet-setup.log
docker stop so-nginx
salt-call state.apply nginx queue=True >> /root/fleet-setup.log
echo "Fleet Setup Complete - Login here: https://{{ MAIN_HOSTNAME }}"
echo "Your username is $2 and your password is $initpw"

28
salt/fleet/init.sls
View File

@@ -3,12 +3,11 @@
{%- set FLEETJWT = salt['pillar.get']('secrets:fleet_jwt', None) -%}
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
{% set MASTER = salt['grains.get']('master') %}
{% set MAINIP = salt['pillar.get']('node:mainip') %}
{% set FLEETARCH = salt['grains.get']('role') %}
{% if FLEETARCH == "so-fleet" %}
{% set MAINIP = salt['pillar.get']('node:mainip') %}
{% set MAININT = salt['pillar.get']('host:mainint') %}
{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
{% else %}
{% set MAINIP = salt['pillar.get']('static:masterip') %}
{% endif %}
@@ -16,14 +15,6 @@
include:
- mysql
#{% if grains.id.split('_')|last in ['master', 'eval', 'fleet'] %}
#so/fleet:
# event.send:
# - data:
# action: 'enablefleet'
# hostname: {{ grains.host }}
#{% endif %}
# Fleet Setup
fleetcdir:
file.directory:
@@ -67,21 +58,6 @@ fleetlogdir:
- group: 939
- makedirs: True
fleetsetupscripts:
file.recurse:
- name: /usr/sbin
- user: 0
- group: 0
- file_mode: 755
- template: jinja
- source: salt://fleet/files/scripts
osquerypackageswebpage:
file.managed:
- name: /opt/so/conf/fleet/packages/index.html
- source: salt://fleet/files/dedicated-index.html
- template: jinja
fleetdb:
mysql_database.present:
- name: fleet

2
salt/idstools/init.sls
View File

@@ -39,7 +39,7 @@ idstoolsetcsync:
so-ruleupdatecron:
cron.present:
- name: /usr/sbin/so-rule-update.sh > /opt/so/log/idstools/download.log
- name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1
- user: root
- minute: '1'
- hour: '7'

6
salt/logstash/pipelines/config/so/0009_input_beats.conf Normal file
View File

@@ -0,0 +1,6 @@
input {
beats {
port => "5044"
tags => [ "beat-ext" ]
}
}

15
salt/logstash/pipelines/config/so/9034_output_syslog.conf.jinja
View File

@@ -3,24 +3,21 @@
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Justin Henderson
# SANS Instructor and author of SANS SEC555: SIEM and Tactical Analytics
# Updated by: Doug Burks
# Last Update: 5/15/2017
filter {
if "syslog" in [tags] and "test_data" not in [tags] {
if [module] =~ "syslog" {
mutate {
##add_tag => [ "conf_file_9034"]
}
##add_tag => [ "conf_file_9000"]
}
}
}
output {
if "syslog" in [tags] and "test_data" not in [tags] {
if [module] =~ "syslog" {
elasticsearch {
pipeline => "%{module}"
hosts => "{{ ES }}"
index => "so-syslog-%{+YYYY.MM.dd}"
template_name => "logstash"
template_name => "so-common"
template => "/so-common-template.json"
template_overwrite => true
}

17
salt/logstash/pipelines/config/so/9500_output_beats.conf.jinja
View File

@@ -3,22 +3,15 @@
{%- else %}
{%- set ES = salt['pillar.get']('node:mainip', '') -%}
{%- endif %}
# Author: Wes Lambert
# Last Update: 09/14/2018
filter {
if "beat" in [tags] {
mutate {
##add_tag => [ "conf_file_9500"]
}
}
}
output {
if "beat" in [tags] {
if "beat-ext" in [tags] {
elasticsearch {
pipeline => "beats.common"
hosts => "{{ ES }}"
index => "so-beats-%{+YYYY.MM.dd}"
template_name => "so-beats"
template => "/so-beats-template.json"
template_name => "so-common"
template => "/so-common-template.json"
template_overwrite => true
}
}

1286
salt/logstash/pipelines/templates/so/so-beats-template.json
View File

File diff suppressed because it is too large Load Diff

1
salt/master/init.sls
View File

@@ -61,6 +61,7 @@ so-aptcacherng:
docker_container.running:
- image: {{ MASTER }}:5000/soshybridhunter/so-acng:{{ VERSION }}
- hostname: so-acng
- restart_policy: always
- port_bindings:
- 0.0.0.0:3142:3142
- binds:

3
salt/mysql/init.sls
View File

@@ -6,7 +6,8 @@
{% set FLEETARCH = salt['grains.get']('role') %}
{% if FLEETARCH == "so-fleet" %}
{% set MAINIP = salt['pillar.get']('node:mainip') %}
{% set MAININT = salt['pillar.get']('host:mainint') %}
{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
{% else %}
{% set MAINIP = salt['pillar.get']('static:masterip') %}
{% endif %}

2
salt/nginx/etc/nginx.conf.so-eval
View File

@@ -136,7 +136,7 @@ http {
proxy_set_header X-Forwarded-Proto $scheme;
}
location ~ ^/auth/.*?(whoami|login|logout) {
location ~ ^/auth/.*?(whoami|login|logout|settings) {
rewrite /auth/(.*) /$1 break;
proxy_pass http://{{ masterip }}:4433;
proxy_read_timeout 90;

4
salt/nginx/etc/nginx.conf.so-fleet
View File

@@ -1,4 +1,6 @@
{%- set MAINIP = salt['pillar.get']('node:mainip', '') %}
{% set MAININT = salt['pillar.get']('host:mainint') %}
{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/

2
salt/nginx/etc/nginx.conf.so-master
View File

@@ -136,7 +136,7 @@ http {
proxy_set_header X-Forwarded-Proto $scheme;
}
location ~ ^/auth/.*?(whoami|login|logout) {
location ~ ^/auth/.*?(whoami|login|logout|settings) {
rewrite /auth/(.*) /$1 break;
proxy_pass http://{{ masterip }}:4433;
proxy_read_timeout 90;

2
salt/nginx/etc/nginx.conf.so-mastersearch
View File

@@ -136,7 +136,7 @@ http {
proxy_set_header X-Forwarded-Proto $scheme;
}
location ~ ^/auth/.*?(whoami|login|logout) {
location ~ ^/auth/.*?(whoami|login|logout|settings) {
rewrite /auth/(.*) /$1 break;
proxy_pass http://{{ masterip }}:4433;
proxy_read_timeout 90;

2
salt/nginx/etc/nginx.conf.so-standalone
View File

@@ -136,7 +136,7 @@ http {
proxy_set_header X-Forwarded-Proto $scheme;
}
location ~ ^/auth/.*?(whoami|login|logout) {
location ~ ^/auth/.*?(whoami|login|logout|settings) {
rewrite /auth/(.*) /$1 break;
proxy_pass http://{{ masterip }}:4433;
proxy_read_timeout 90;

11
salt/playbook/init.sls
View File

@@ -86,15 +86,22 @@ so-playbook:
{% endif %}
playbooklogdir:
file.directory:
- name: /opt/so/log/playbook
- user: 939
- group: 939
- makedirs: True
so-playbooksynccron:
cron.present:
- name: /usr/sbin/so-playbook-sync
- name: /usr/sbin/so-playbook-sync > /opt/so/log/playbook/sync.log 2>&1
- user: root
- minute: '*/5'
so-playbookruleupdatecron:
cron.present:
- name: /usr/sbin/so-playbook-ruleupdate
- name: /usr/sbin/so-playbook-ruleupdate > /opt/so/log/playbook/update.log 2>&1
- user: root
- minute: '1'
- hour: '6'

31
salt/reactor/fleet.sls
View File

@@ -9,19 +9,19 @@ import subprocess
def run():
MINIONID = data['id']
ACTION = data['data']['action']
HOSTNAME = data['data']['hostname']
ROLE = data['data']['role']
ESECRET = data['data']['enroll-secret']
MAINIP = data['data']['mainip']
local_salt_dir = /opt/so/saltstack/local
STATICFILE = local_salt_dir + '/pillar/static.sls'
SECRETSFILE = local_salt_dir + '/pillar/secrets.sls'
if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch']:
if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch','standalone']:
if ACTION == 'enablefleet':
logging.info('so/fleet enablefleet reactor')
ESECRET = data['data']['enroll-secret']
MAINIP = data['data']['mainip']
ROLE = data['data']['role']
HOSTNAME = data['data']['hostname']
# Enable Fleet
for line in fileinput.input(STATICFILE, inplace=True):
if ROLE == 'so-fleet':
@@ -49,15 +49,18 @@ def run():
logging.info('so/fleet genpackages reactor')
PACKAGEVERSION = data['data']['current-package-version']
PACKAGEHOSTNAME = data['data']['package-hostname']
MASTER = data['data']['master']
VERSION = data['data']['version']
ESECRET = data['data']['enroll-secret']
# Increment the package version by 1
PACKAGEVERSION += 1
# Run Docker container that will build the packages
gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,source=" + local_salt_dir + "/salt/fleet/packages,target=/output", \
"--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:HH1.3.0", \
f"{ESECRET}", f"{HOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii')
gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,ssource=" + local_salt_dir + "/salt/fleet/packages,target=/output", \
"--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:{ VERSION }", \
f"{ESECRET}", f"{PACKAGEHOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii')
# Update the 'packages-built' timestamp on the webpage (stored in the static pillar)
for line in fileinput.input(STATICFILE, inplace=True):
@@ -72,4 +75,14 @@ def run():
# Copy over newly-built packages
copy_packages = subprocess.run(["salt-call", "state.apply","fleet"], stdout=subprocess.PIPE, encoding='ascii')
if ACTION == 'update_custom_hostname':
logging.info('so/fleet update_custom_hostname reactor')
CUSTOMHOSTNAME = data['data']['custom_hostname']
# Update the Fleet host in the static pillar
for line in fileinput.input(STATICFILE, inplace=True):
line = re.sub(r'fleet_custom_hostname: \S*', f"fleet_custom_hostname: {CUSTOMHOSTNAME}", line.rstrip())
print(line)
return {}

1
salt/registry/init.sls
View File

@@ -42,6 +42,7 @@ so-dockerregistry:
docker_container.running:
- image: registry:2
- hostname: so-registry
- restart_policy: always
- port_bindings:
- 0.0.0.0:5000:5000
- binds:

25
salt/sensoroni/files/sensoroni.json
View File

@@ -1,25 +0,0 @@
{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
{%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%}
{
"logFilename": "/opt/sensoroni/logs/sensoroni-server.log",
"server": {
"bindAddress": "0.0.0.0:9822",
"maxPacketCount": 5000,
"htmlDir": "html",
"modules": {
"filedatastore": {
"jobDir": "jobs"
},
"securityonion": {
"elasticsearchHost": "http://{{ MASTERIP }}:9200",
"elasticsearchUsername": "",
"elasticsearchPassword": "",
"elasticsearchVerifyCert": false
},
"statickeyauth": {
"anonymousCidr": "172.17.0.0/24",
"apiKey": "{{ SENSORONIKEY }}"
}
}
}
}

45
salt/sensoroni/init.sls
View File

@@ -1,45 +0,0 @@
{% set VERSION = salt['pillar.get']('static:soversion', 'HH1.2.2') %}
{% set MASTER = salt['grains.get']('master') %}
sensoronidir:
file.directory:
- name: /opt/so/conf/sensoroni
- user: 939
- group: 939
- makedirs: True
sensoronidatadir:
file.directory:
- name: /nsm/sensoroni/jobs
- user: 939
- group: 939
- makedirs: True
sensoronilogdir:
file.directory:
- name: /opt/so/log/sensoroni
- user: 939
- group: 939
- makedirs: True
sensoronisync:
file.recurse:
- name: /opt/so/conf/sensoroni
- source: salt://sensoroni/files
- user: 939
- group: 939
- template: jinja
so-sensoroni:
docker_container.running:
- image: {{ MASTER }}:5000/soshybridhunter/so-sensoroni:{{ VERSION }}
- hostname: sensoroni
- name: so-sensoroni
- binds:
- /nsm/sensoroni/jobs:/opt/sensoroni/jobs:rw
- /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
- /opt/so/log/sensoroni/:/opt/sensoroni/logs/:rw
- port_bindings:
- 0.0.0.0:9822:9822
- watch:
- file: /opt/so/conf/sensoroni

2
salt/soc/files/kratos/kratos.yaml
View File

@@ -42,7 +42,7 @@ urls:
login_ui: https://{{ WEBACCESS }}/login/
registration_ui: https://{{ WEBACCESS }}/login/
error_ui: https://{{ WEBACCESS }}/login/
settings_ui: https://{{ WEBACCESS }}/
settings_ui: https://{{ WEBACCESS }}/?r=/settings
verify_ui: https://{{ WEBACCESS }}/
mfa_ui: https://{{ WEBACCESS }}/

7
salt/ssl/init.sls
View File

@@ -1,9 +1,11 @@
{% set master = salt['grains.get']('master') %}
{% set masterip = salt['pillar.get']('static:masterip', '') %}
{% set HOSTNAME = salt['grains.get']('host') %}
{% set MAINIP = salt['pillar.get']('node:mainip') %}
{% set global_ca_text = [] %}
{% set global_ca_server = [] %}
{% set MAININT = salt['pillar.get']('host:mainint') %}
{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %}
{% set CUSTOM_FLEET_HOSTNAME = salt['pillar.get']('static:fleet_custom_hostname', None) %}
{% if grains.id.split('_')|last in ['master', 'eval', 'standalone'] %}
{% set trusttheca_text = salt['mine.get'](grains.id, 'x509.get_pem_entries')[grains.id]['/etc/pki/ca.crt']|replace('\n', '') %}
@@ -200,6 +202,7 @@ chownfilebeatp8:
- signing_policy: masterssl
- public_key: /etc/pki/masterssl.key
- CN: {{ HOSTNAME }}
- subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %}
- days_remaining: 0
- days_valid: 820
- backup: True
@@ -222,7 +225,7 @@ chownfilebeatp8:
x509.certificate_managed:
- signing_private_key: /etc/pki/fleet.key
- CN: {{ HOSTNAME }}
- subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }}
- subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %}
- days_remaining: 0
- days_valid: 820
- backup: True

10
salt/wazuh/init.sls
View File

@@ -80,11 +80,6 @@ wazuhmgrwhitelist:
- mode: 755
- template: jinja
wazuhagentservice:
service.running:
- name: wazuh-agent
- enable: True
so-wazuh:
docker_container.running:
- image: {{ MASTER }}:5000/soshybridhunter/so-wazuh:{{ VERSION }}
@@ -110,3 +105,8 @@ whitelistmanager:
cmd.run:
- name: /usr/sbin/wazuh-manager-whitelist
- cwd: /
wazuhagentservice:
service.running:
- name: wazuh-agent
- enable: True

2
salt/zeek/cron/packetloss.sh
View File

@@ -1,2 +1,2 @@
#!/bin/bash
/usr/bin/docker exec so-zeek /opt/zeek/bin/zeekctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log
/usr/bin/docker exec so-zeek /opt/zeek/bin/zeekctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1

67
setup/so-functions
View File

@@ -258,6 +258,10 @@ check_soremote_pass() {
check_pass_match "$SOREMOTEPASS1" "$SOREMOTEPASS2" "SCMATCH"
}
check_fleet_node_pass() {
check_pass_match "$FLEETNODEPASSWD1" "$FLEETNODEPASSWD2" "FPMATCH"
}
check_web_pass() {
check_pass_match "$WEBPASSWD1" "$WEBPASSWD2" "WPMATCH"
}
@@ -295,6 +299,30 @@ collect_adminuser_inputs() {
done
}
collect_fleet_custom_hostname_inputs() {
whiptail_fleet_custom_hostname
}
collect_fleetuser_inputs() {
# Get a username & password for the Fleet admin user
local valid_user=no
while [[ $valid_user != yes ]]; do
whiptail_create_fleet_node_user
if so-user valemail "$FLEETNODEUSER" >> "$setup_log" 2>&1; then
valid_user=yes
else
whiptail_invalid_user_warning
fi
done
FPMATCH=no
while [[ $FPMATCH != yes ]]; do
whiptail_create_fleet_node_user_password1
whiptail_create_fleet_node_user_password2
check_fleet_node_pass
done
}
collect_webuser_inputs() {
# Get a password for the web admin user
@@ -390,6 +418,7 @@ check_requirements() {
req_mem=8
req_cores=4
if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi
if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi
fi
if [[ $num_nics -lt $req_nics ]]; then
@@ -585,14 +614,18 @@ disable_misc_network_features() {
filter_unused_nics
if [ ${#filtered_nics[@]} -ne 0 ]; then
for unused_nic in "${filtered_nics[@]}"; do
# Disable DHCPv4/v6 and autoconnect
nmcli con mod "$unused_nic" \
ipv4.method disabled \
ipv6.method ignore \
connection.autoconnect "no" >> "$setup_log" 2>&1
if [ -n "$unused_nic" ]; then
echo "Disabling unused NIC: $unused_nic" >> "$setup_log" 2>&1
# Flush any existing IPs
ip addr flush "$unused_nic" >> "$setup_log" 2>&1
# Disable DHCPv4/v6 and autoconnect
nmcli con mod "$unused_nic" \
ipv4.method disabled \
ipv6.method ignore \
connection.autoconnect "no" >> "$setup_log" 2>&1
# Flush any existing IPs
ip addr flush "$unused_nic" >> "$setup_log" 2>&1
fi
done
fi
# Disable IPv6
@@ -609,9 +642,9 @@ docker_install() {
{
yum clean expire-cache;
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo;
yum -y install docker-ce-19.03.9-3.el7 containerd.io-1.2.6-3.el7;
yum versionlock docker-ce-19.03.9-3.el7;
yum versionlock containerd.io-1.2.6-3.el7
yum -y install docker-ce-19.03.11-3.el7 containerd.io-1.2.13-3.2.el7;
yum versionlock docker-ce-19.03.11-3.el7;
yum versionlock containerd.io-1.2.13-3.2.el7
} >> "$setup_log" 2>&1
else
@@ -812,6 +845,17 @@ get_minion_type() {
echo "$minion_type"
}
host_pillar() {
local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls
# Create the host pillar
printf '%s\n'\
"host:"\
" mainint: $MNIC"\
"" > "$pillar_file"
}
install_cleanup() {
echo "Installer removing the following files:"
ls -lR "$temp_install_dir"
@@ -904,6 +948,7 @@ master_static() {
" cortexorgname: SecurityOnion"\
" cortexorguser: soadmin"\
" cortexorguserkey: $CORTEXORGUSERKEY"\
" fleet_custom_hostname: "\
" fleet_master: False"\
" fleet_node: False"\
" fleet_packages-timestamp: N/A"\
@@ -1213,7 +1258,7 @@ salt_checkin() {
# Run a salt command to generate the minion key
salt_firstcheckin() {
salt-call state.show_top >> /dev/null # send output to /dev/null because we don't actually care about the ouput
salt-call state.show_top >> /dev/null 2>&1 # send output to /dev/null because we don't actually care about the ouput
}
set_base_heapsizes() {

36
setup/so-setup
View File

@@ -145,6 +145,7 @@ elif [ "$install_type" = 'HEAVYNODE' ]; then
is_sensor=true
elif [ "$install_type" = 'FLEET' ]; then
is_minion=true
is_fleet_standalone=true
OSQUERY=1
elif [ "$install_type" = 'HELIXSENSOR' ]; then
is_helix=true
@@ -152,10 +153,12 @@ fi
if [[ $is_eval ]]; then
check_requirements "eval"
elif [[ $is_distmaster || $is_minion ]]; then
check_requirements "dist"
elif [[ $is_fleet_standalone ]]; then
check_requirements "dist" "fleet"
elif [[ $is_sensor && ! $is_eval ]]; then
check_requirements "dist" "sensor"
elif [[ $is_distmaster || $is_minion ]]; then
check_requirements "dist"
fi
whiptail_patch_schedule
@@ -256,7 +259,7 @@ if [[ $is_master ]]; then
get_redirect
fi
if [[ $is_distmaster || ( $is_sensor || $is_node ) && ! $is_eval ]]; then
if [[ $is_distmaster || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ]]; then
whiptail_master_updates
if [[ $setup_type == 'network' && $MASTERUPDATES == 1 ]]; then
whiptail_master_updates_warning
@@ -305,6 +308,14 @@ if [[ $is_node && ! $is_eval ]]; then
fi
fi
if [ "$install_type" == 'FLEET' ]; then
collect_fleetuser_inputs
collect_fleet_custom_hostname_inputs
else
FLEETNODEUSER=$WEBUSER
FLEETNODEPASSWD1=$WEBPASSWD1
fi
whiptail_make_changes
if [[ -n "$TURBO" ]]; then
@@ -341,6 +352,10 @@ if [[ $is_minion ]]; then
copy_ssh_key >> $setup_log 2>&1
fi
if [[ $is_fleet_standalone ]]; then
host_pillar >> $setup_log 2>&1
fi
# Begin install
{
# Set initial percentage to 0
@@ -500,11 +515,24 @@ fi
fi
if [[ "$OSQUERY" = 1 ]]; then
set_progress_str 73 "$(print_salt_state_apply 'mysql')"
salt-call state.apply -l info mysql >> $setup_log 2>&1
set_progress_str 73 "$(print_salt_state_apply 'fleet')"
salt-call state.apply -l info fleet >> $setup_log 2>&1
set_progress_str 74 "$(print_salt_state_apply 'redis')"
set_progress_str 73 "$(print_salt_state_apply 'redis')"
salt-call state.apply -l info redis >> $setup_log 2>&1
if [[ $is_fleet_standalone && $FLEETCUSTOMHOSTNAME != '' ]]; then
set_progress_str 73 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')"
pillar_override="{\"static\":{\"fleet_custom_hostname\": \"$FLEETCUSTOMHOSTNAME\"}}"
salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1
fi
set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')"
so-fleet-setup $FLEETNODEUSER $FLEETNODEPASSWD1 >> $setup_log 2>&1
fi
if [[ "$WAZUH" = 1 ]]; then

49
setup/so-whiptail
View File

@@ -24,7 +24,7 @@ whiptail_basic_bro() {
[ -n "$TESTING" ] && return
BASICBRO=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter the number of bro processes:" 10 75 "$lb_procs" 3>&1 1>&2 2>&3)
"Enter the number of zeek processes:" 10 75 "$lb_procs" 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
@@ -51,7 +51,7 @@ whiptail_bro_pins() {
cpu_core_list_whiptail+=("$item" "OFF")
done
BROPINS=$(whiptail --noitem --title "Pin Bro CPUS" --checklist "Please select $lb_procs cores to pin Bro to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 )
BROPINS=$(whiptail --noitem --title "Pin Zeek CPUS" --checklist "Please select $lb_procs cores to pin Zeek to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 )
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
@@ -165,6 +165,38 @@ whiptail_create_admin_user_password2() {
}
whiptail_create_fleet_node_user() {
[ -n "$TESTING" ] && return
FLEETNODEUSER=$(whiptail --title "Security Onion Install" --inputbox \
"Please enter an email for use as the username for the Fleet admin user." 10 60 3>&1 1>&2 2>&3)
}
whiptail_create_fleet_node_user_password1() {
[ -n "$TESTING" ] && return
FLEETNODEPASSWD1=$(whiptail --title "Security Onion Install" --passwordbox \
"Enter a password for $FLEETNODEUSER" 10 60 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_create_fleet_node_user_password2() {
[ -n "$TESTING" ] && return
FLEETNODEPASSWD2=$(whiptail --title "Security Onion Install" --passwordbox \
"Re-enter a password for $FLEETNODEUSER" 10 60 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_create_soremote_user() {
[ -n "$TESTING" ] && return
@@ -238,6 +270,19 @@ whiptail_create_web_user_password2() {
}
whiptail_fleet_custom_hostname() {
[ -n "$TESTING" ] && return
FLEETCUSTOMHOSTNAME=$(whiptail --title "Security Onion Install" --inputbox \
"What FQDN should osquery clients use for connections to this Fleet node? Leave blank if the local system hostname will be used." 10 60 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_requirements_error() {
local requirement_needed=$1