From f4f31ef2a5a05df3ee83c563d78f540967d89d48 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Mon, 9 Mar 2020 15:22:30 -0400
Subject: [PATCH 1/9] Update so-functions

---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/so-functions b/setup/so-functions
index b9367890d..3a569baff 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1096,7 +1096,7 @@ EOF
 echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH"
 apt-key add $TMP/gpg/SALTSTACK-GPG-KEY.pub
 apt-key add $TMP/gpg/GPG-KEY-WAZUH
- echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest xenial main" > /etc/apt/sources.list.d/saltstack.list
+ echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/2019.2 xenial main" > /etc/apt/sources.list.d/saltstack.list
 echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
 # Initialize the new repos
 apt-get update >> $SETUPLOG 2>&1

From 93c0730a2f8707c24ac6c9854a475c2b3fb286a9 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 16 Apr 2020 16:12:24 -0400
Subject: [PATCH 2/9] remove logstash pillars from eval in top

---
 pillar/top.sls | 2 --
 1 file changed, 2 deletions(-)

diff --git a/pillar/top.sls b/pillar/top.sls
index 039ec5752..f629558af 100644
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -34,8 +34,6 @@ base:
 - data.*
 - brologs
 - secrets
- - logstash
- - logstash.eval
 - healthcheck.eval
 - minions.{{ grains.id }}

From 39d70d2e9952155c77a888e18b92700c7a12418c Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 17 Apr 2020 13:30:35 -0400
Subject: [PATCH 3/9] Update README.md

---
 README.md | 59 +++++++++++++++++++++++++++++++++----------------------
 1 file changed, 35 insertions(+), 24 deletions(-)

diff --git a/README.md b/README.md
index 0bddd2831..b62a4836c 100644
--- a/README.md
+++ b/README.md
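Review bot: The new sources.list line pins Salt to the `2019.2` branch with no comment, and the commit message ("Update so-functions") gives no reason either, so a later maintainer cannot tell a deliberate pin from a stale one; a line above it such as `# Pin Salt to the 2019.2 release branch; 'latest' would track newer major releases these states have not been tested against` would record the intent (adjust the wording if the reason differs). The Salt repo is also fetched over plain `http://` while the Wazuh line directly below it uses `https://`; apt's Release-signature check with the key added two lines up still covers package integrity, so this is a consistency/hardening nit rather than a defect, worth changing only if the mirror serves https. The `> /etc/apt/sources.list.d/saltstack.list` write is unchecked before `apt-get update` runs, so a failed write would silently leave whatever list was there before. The enclosing function starts before this hunk.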
@@ -1,33 +1,44 @@ -## Hybrid Hunter Alpha 1.1.4 - Feature Parity Release +## Hybrid Hunter Beta 1.2.1 - Beta 1 ### Changes: -- Added new in-house auth method [Security Onion Auth](https://github.com/Security-Onion-Solutions/securityonion-auth). -- Web user creation is done via the browser now instead of so-user-add. -- New Logstash pipeline setup. Now uses multiple pipelines. -- New Master + Search node type and well as a Heavy Node type in the install. -- Change all nodes to point to the docker registry on the Master. This cuts down on the calls to dockerhub. -- Zeek 3.0.1 -- Elastic 6.8.6 -- New SO Start | Stop | Restart scripts for all components (eg. `so-playbook-restart`). -- BPF support for Suricata (NIDS), Steno (PCAP) & Zeek ([Docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/BPF)). -- Updated Domain Stats & Frequency Server containers to Python3 & created new Salt states for them. -- Added so-status script which gives an easy to read look at container status. -- Manage threshold.conf for Suricata using the thresholding pillar. -- The ISO now includes all the docker containers for faster install speeds. -- You now set the password for the onion account during the iso install. This account is temporary and will be removed after so-setup. -- Updated Helix parsers for better compatibility. -- Updated telegraf docker to include curl and jq. -- CVE-2020-0601 Zeek Detection Script. -- ISO Install now prompts you to create a password for the onion user during imaging. This account gets disabled during setup. +- Full support for Ubuntu 18.04. 16.04 is no longer supported for Hybrid Hunter. +- Introduction of the Security Onion Console. Once logged in you are directly taken to the SOC. +- New authentication using Kratos. +- During install you must specify how you would like to access the SOC ui. This is for strict cookie security. +- Ability to list and delete web users from the SOC ui. 
+- The soremote account is now used to add nodes to the grid vs using socore. +- Community ID support for Zeek, osquery, and Suricata. You can now tie host events to connection logs! +- Elastic 7.6.1 with ECS support. +- New set of Kibana dashboards that align with ECS. +- Eval mode no longer uses Logstash for parsing (Filebeat -> ES Ingest) +- Ingest node parsing for osquery-shipped logs (osquery, WEL, Sysmon). +- Fleet standalone mode with improved Web UI & API access control. +- Improved Fleet integration support. +- Playbook now has full Windows Sigma community ruleset builtin. +- Automatic Sigma community rule updates. +- Playbook stability enhancements. +- Zeek health check. Zeek will now auto restart if a worker crashes. +- zeekctl is now managed by salt. +- Grafana dashboard improvements and cleanup. +- Moved logstash configs to pillars. +- Salt logs moved to /opt/so/log/salt. +- Strelka integrated for file-oriented detection/analysis at scale -## Version 1.1.4 ISO Download +### Known issues: -[HH1.1.4-46.ISO](https://download.securityonion.net/file/Hybrid-Hunter/HH-1.1.4-46.iso) +- Updating users via the SOC ui is known to fail. To change a user, delete the user and re-add them. +- Due to the move to ECS, the current Playbook plays may not alert correctly at this time. +- The osquery MacOS package does not install correctly. -MD5: ACF6B4586E8EE7D1938FB2C028DFC987 -SHA1: C29B4F3748604196357EC7262BF071177E696D86 -SHA256: 4D977B650196441294D53372F248B50C23E933B8FBEC5CC5BAB569DFEF31E7E8 + +## Version 1.2.1 Beta 1 ISO Download + +[HH1.2.1-6.ISO](https://download.securityonion.net/file/Hybrid-Hunter/HH-1.2.1-6.iso) + +MD5: D7E66CA8AAC37E70E2A2F7BB12EB3C23 +SHA1: D91D921896F9ADA600EBA0ADAA548D8630B5341F +SHA256: D69E327597AB429DCE13C1177BCE6C1FAD934E78A09F73D14778C2CAE616557B ### Warnings and Disclaimers From 0e654f5394ddfb4dc7e0bda852032efe2d473f4c Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Fri, 17 Apr 2020 13:38:13 -0400 Subject: [PATCH 4/9] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b62a4836c..01452a210 100644 --- a/README.md +++ b/README.md @@ -42,7 +42,7 @@ SHA256: D69E327597AB429DCE13C1177BCE6C1FAD934E78A09F73D14778C2CAE616557B ### Warnings and Disclaimers -- This ALPHA release is BLEEDING EDGE and TOTALLY UNSUPPORTED! +- This BETA release is BLEEDING EDGE and TOTALLY UNSUPPORTED! - If this breaks your system, you get to keep both pieces! - This script is a work in progress and is in constant flux. - This script is intended to build a quick prototype proof of concept so you can see what our new platform might look like. This configuration will change drastically over time leading up to the final release. From 997cb8f9ae09ed5af7055520643773eee04e2bef Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Sat, 18 Apr 2020 06:26:12 -0400 Subject: [PATCH 5/9] Update README.md --- README.md | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 01452a210..9d7134c78 100644 --- a/README.md +++ b/README.md @@ -31,15 +31,6 @@ - Due to the move to ECS, the current Playbook plays may not alert correctly at this time. - The osquery MacOS package does not install correctly. - -## Version 1.2.1 Beta 1 ISO Download - -[HH1.2.1-6.ISO](https://download.securityonion.net/file/Hybrid-Hunter/HH-1.2.1-6.iso) - -MD5: D7E66CA8AAC37E70E2A2F7BB12EB3C23 -SHA1: D91D921896F9ADA600EBA0ADAA548D8630B5341F -SHA256: D69E327597AB429DCE13C1177BCE6C1FAD934E78A09F73D14778C2CAE616557B - ### Warnings and Disclaimers - This BETA release is BLEEDING EDGE and TOTALLY UNSUPPORTED! 
@@ -67,15 +58,17 @@ Distributed: - Minimum 4 CPU cores per VM - Minimum 2 NICs for forward nodes -### Prerequisites for Network Based Install +### Installation -Install git if using a Centos 7 Minimal install: +For most users, we recommend installing using [our ISO image](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/ISO). + +If instead you would like to try a manual installation (not using our ISO), you can build from CentOS 7 or Ubuntu 18.04. + +If using CentOS 7 Minimal, you will need to install git: ```sudo yum -y install git``` -### Installation - -Once you resolve those requirements or are using Ubuntu 16.04 do the following: +Once you have git, then do the following: ``` git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack From eebc75d2452c1c23d296f6bb68acc5548648ed29 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Sat, 18 Apr 2020 06:48:12 -0400 Subject: [PATCH 6/9] Update README.md --- README.md | 22 ++++++++-------------- 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 01452a210..7164d616e 100644 --- a/README.md +++ b/README.md @@ -31,15 +31,6 @@ - Due to the move to ECS, the current Playbook plays may not alert correctly at this time. - The osquery MacOS package does not install correctly. - -## Version 1.2.1 Beta 1 ISO Download - -[HH1.2.1-6.ISO](https://download.securityonion.net/file/Hybrid-Hunter/HH-1.2.1-6.iso) - -MD5: D7E66CA8AAC37E70E2A2F7BB12EB3C23 -SHA1: D91D921896F9ADA600EBA0ADAA548D8630B5341F -SHA256: D69E327597AB429DCE13C1177BCE6C1FAD934E78A09F73D14778C2CAE616557B - ### Warnings and Disclaimers - This BETA release is BLEEDING EDGE and TOTALLY UNSUPPORTED! 
@@ -67,21 +58,24 @@ Distributed: - Minimum 4 CPU cores per VM - Minimum 2 NICs for forward nodes -### Prerequisites for Network Based Install +### Installation -Install git if using a Centos 7 Minimal install: +For most users, we recommend installing using [our ISO image](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/ISO). + +If instead you would like to try a manual installation (not using our ISO), you can build from CentOS 7 or Ubuntu 18.04. + +If using CentOS 7 Minimal, you will need to install git: ```sudo yum -y install git``` -### Installation - -Once you resolve those requirements or are using Ubuntu 16.04 do the following: +Once you have git, then do the following: ``` git clone https://github.com/Security-Onion-Solutions/securityonion-saltstack cd securityonion-saltstack sudo bash so-setup-network ``` + Follow the prompts and reboot if asked to do so. Then proceed to the [Hybrid Hunter Quick Start Guide](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Hybrid-Hunter-Quick-Start-Guide). From ea7dd0763f0e150a866291ccf9203902699e7dab Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Sat, 18 Apr 2020 06:50:17 -0400 Subject: [PATCH 7/9] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7164d616e..1b7661956 100644 --- a/README.md +++ b/README.md @@ -46,14 +46,14 @@ Evaluation Mode: -- ISO or a Single VM running Ubuntu 16.04 or CentOS 7 +- ISO or a Single VM running Ubuntu 18.04 or CentOS 7 - Minimum 12GB of RAM - Minimum 4 CPU cores - Minimum 2 NICs Distributed: -- 3 VMs running the ISO or Ubuntu 16.04 or CentOS 7 (You can mix and match) +- 3 VMs running the ISO or Ubuntu 18.04 or CentOS 7 (You can mix and match) - Minimum 8GB of RAM per VM - Minimum 4 CPU cores per VM - Minimum 2 NICs for forward nodes From f271fadfecbbf79e327b9b034202d8700482f33b Mon Sep 17 00:00:00 2001 
From: Mike Reeves
Date: Mon, 20 Apr 2020 15:28:13 -0400
Subject: [PATCH 8/9] Fix tarball

---
 setup/so-functions | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index ef635c47b..3402dd6b1 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -603,9 +603,9 @@ docker_seed_registry() {
 "so-soctopus:$VERSION" \
 "so-steno:$VERSION" \
 "so-strelka-frontend:$VERSION" \
- "so-strelka-manager:$VERSION" \
- "so-strelka-backend:$VERSION" \
- "so-strelka-filestream:$VERSION" \
+ "so-strelka-manager:$VERSION" \
+ "so-strelka-backend:$VERSION" \
+ "so-strelka-filestream:$VERSION" \
 "so-suricata:$VERSION" \
 "so-telegraf:$VERSION" \
 "so-thehive:$VERSION" \
@@ -645,6 +645,8 @@ docker_seed_registry() {
 done
 else
 # We already have the goods son
+ cd /nsm/docker-registry/docker
+ tar xvf so-dockers-$VERSION.tar
 rm /nsm/docker-registry/docker/so-dockers-$VERSION.tar
 fi

From c024bdf427ebc18066aebc98ea6c1e9700428225 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 20 Apr 2020 15:31:13 -0400
Subject: [PATCH 9/9] remove proxy declaration

---
 salt/registry/etc/config.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/salt/registry/etc/config.yml b/salt/registry/etc/config.yml
index d25a034b0..ccd64aa25 100644
--- a/salt/registry/etc/config.yml
+++ b/salt/registry/etc/config.yml
@@ -19,5 +19,4 @@ health:
 enabled: true
 interval: 10s
 threshold: 3
-proxy:
- remoteurl: https://registry-1.docker.io
+
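Review bot: In the second hunk of this patch the added `cd` is unchecked and the existing `rm` on the next context line runs regardless of whether `tar` succeeded, so a failed `cd` (tar then runs in the wrong directory) or a failed extract still deletes the only local copy of the image tarball. The `cd` is also not in a subshell, so it changes the working directory for the rest of docker_seed_registry and its caller. Extracting in place avoids all three problems: `tar xvf "/nsm/docker-registry/docker/so-dockers-$VERSION.tar" -C /nsm/docker-registry/docker \` followed by `  && rm -- "/nsm/docker-registry/docker/so-dockers-$VERSION.tar"`. The first hunk of this patch only changes whitespace; the enclosing function continues outside both hunks.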