From 9b1fac84173dabd6682b23552a5f9e35b0f98157 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Mon, 7 Feb 2022 14:36:40 -0500
Subject: [PATCH] Initial support - IDH Node
---
salt/idh/Dockerfile | 12 +++
salt/idh/config/opencanary.conf | 113 +++++++++++++++++++++++++++++
salt/idh/init.sls | 46 ++++++++++++
salt/idh/supervise-opencanary.conf | 4 +
setup/so-functions | 5 +-
setup/so-setup | 11 +++
setup/so-whiptail | 1 +
7 files changed, 191 insertions(+), 1 deletion(-)
create mode 100644 salt/idh/Dockerfile
create mode 100644 salt/idh/config/opencanary.conf
create mode 100644 salt/idh/init.sls
create mode 100644 salt/idh/supervise-opencanary.conf
diff --git a/salt/idh/Dockerfile b/salt/idh/Dockerfile
new file mode 100644
index 000000000..d4f4ad67b
--- /dev/null
+++ b/salt/idh/Dockerfile
@@ -0,0 +1,12 @@
+FROM python:3.6-slim
+
+WORKDIR /root/
+
+RUN rm /bin/sh && ln -s /bin/bash /bin/sh
+
+RUN apt update && apt-get install -y sudo supervisor && rm -rf /var/lib/apt/lists/*
+RUN pip install opencanary
+
+ADD supervise-opencanary.conf /etc/supervisor/conf.d/supervise-opencanary.conf
+
+CMD ["/usr/bin/supervisord", "-n"]
\ No newline at end of file
diff --git a/salt/idh/config/opencanary.conf b/salt/idh/config/opencanary.conf
new file mode 100644
index 000000000..84c65a3d2
--- /dev/null
+++ b/salt/idh/config/opencanary.conf
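Review bot: `RUN pip install opencanary` pins nothing, and because init.sls builds this image on each node at setup time (`docker_image.present` with `build:`), every install resolves whatever opencanary release and transitive dependencies PyPI serves that day, so the honeypot's behaviour and fingerprint differ between nodes and a bad upstream release lands silently. Pin it, e.g. `RUN pip install --no-cache-dir opencanary==<PINNED_VERSION>` (placeholder), and ideally the apt packages as well. `python:3.6-slim` reached end-of-life in December 2021, before this commit's date, so the base receives no further security fixes; a supported 3.x slim tag such as `python:3.9-slim` is the same-shaped base. There is no `USER` instruction, so supervisord and the honeypot services run as root inside a container that init.sls starts with host networking; since the enabled listeners (ssh 2222, vnc 5900 per opencanary.conf) are unprivileged ports, a non-root user is feasible and should at least be recorded as a follow-up in a comment.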
@@ -0,0 +1,113 @@
+{%- set HOSTNAME = salt['grains.get']('host') -%}
+
+{
+ "device.node_id": "{{HOSTNAME}}",
+ "git.enabled": false,
+ "git.port" : 9418,
+ "ftp.enabled": false,
+ "ftp.port": 21,
+ "ftp.banner": "FTP server ready",
+ "http.banner": "Apache/2.2.22 (Ubuntu)",
+ "http.enabled": false,
+ "http.port": 80,
+ "http.skin": "nasLogin",
+ "http.skin.list": [
+ {
+ "desc": "Plain HTML Login",
+ "name": "basicLogin"
+ },
+ {
+ "desc": "Synology NAS Login",
+ "name": "nasLogin"
+ }
+ ],
+ "httpproxy.enabled" : false,
+ "httpproxy.port": 8080,
+ "httpproxy.skin": "squid",
+ "httproxy.skin.list": [
+ {
+ "desc": "Squid",
+ "name": "squid"
+ },
+ {
+ "desc": "Microsoft ISA Server Web Proxy",
+ "name": "ms-isa"
+ }
+ ],
+ "logger": {
+ "class": "PyLogger",
+ "kwargs": {
+ "formatters": {
+ "plain": {
+ "format": "%(message)s"
+ }
+ },
+ "handlers": {
+ "console": {
+ "class": "logging.StreamHandler",
+ "stream": "ext://sys.stdout"
+ },
+ "file": {
+ "class": "logging.FileHandler",
+ "filename": "/var/tmp/opencanary.log"
+ }
+ }
+ }
+ },
+ "portscan.enabled": false,
+ "portscan.logfile":"/var/log/kern.log",
+ "portscan.synrate": 5,
+ "portscan.nmaposrate": 5,
+ "portscan.lorate": 3,
+ "smb.auditfile": "/var/log/samba-audit.log",
+ "smb.enabled": false,
+ "mysql.enabled": false,
+ "mysql.port": 3306,
+ "mysql.banner": "5.5.43-0ubuntu0.14.04.1",
+ "ssh.enabled": true,
+ "ssh.port": 2222,
+ "ssh.version": "SSH-2.0-OpenSSH_7.6p1 Ubuntu 4ubuntu0.3",
+ "redis.enabled": false,
+ "redis.port": 6379,
+ "rdp.enabled": false,
+ "rdp.port": 3389,
+ "sip.enabled": false,
+ "sip.port": 5060,
+ "snmp.enabled": false,
+ "snmp.port": 161,
+ "ntp.enabled": false,
+ "ntp.port": "123",
+ "tftp.enabled": false,
+ "tftp.port": 69,
+ "tcpbanner.maxnum":10,
+ "tcpbanner.enabled": false,
+ "tcpbanner_1.enabled": false,
+ "tcpbanner_1.port": 8001,
+ "tcpbanner_1.datareceivedbanner": "",
+ "tcpbanner_1.initbanner": "",
+ "tcpbanner_1.alertstring.enabled": false,
+ "tcpbanner_1.alertstring": "",
+ "tcpbanner_1.keep_alive.enabled": false,
+ "tcpbanner_1.keep_alive_secret": "",
+ "tcpbanner_1.keep_alive_probes": 11,
+ "tcpbanner_1.keep_alive_interval":300,
+ "tcpbanner_1.keep_alive_idle": 300,
+ "telnet.enabled": false,
+ "telnet.port": "23",
+ "telnet.banner": "",
+ "telnet.honeycreds": [
+ {
+ "username": "admin",
+ "password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA"
+ },
+ {
+ "username": "admin",
+ "password": "admin1"
+ }
+ ],
+ "mssql.enabled": false,
+ "mssql.version": "2012",
+ "mssql.port":1433,
+ "vnc.enabled": true,
+ "vnc.port":5900
+}
diff --git a/salt/idh/init.sls b/salt/idh/init.sls
new file mode 100644
index 000000000..22dbe5ede
--- /dev/null
+++ b/salt/idh/init.sls
@@ -0,0 +1,46 @@
+# IDH State
+
+# Create a config directory
+temp:
+ file.directory:
+ - name: /opt/so/conf/idh
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+# Create a config directory
+configdir:
+ file.directory:
+ - name: /nsm/idh
+ - user: 939
+ - group: 939
+ - makedirs: True
+
+# Sync IDH files
+idhfiles:
+ file.recurse:
+ - name: /opt/so/conf/idh
+ - user: 0
+ - group: 0
+ - file_mode: 755
+ - source: salt://idh/config
+ - replace: False
+ - template: jinja
+
+# Build IDH Docker
+so-idh:
+ docker_image.present:
+ - build: /opt/so/saltstack/local/salt/idh
+ - tag: latest
+
+# Set IDH Docker to run
+so-idh-run:
+ docker_container.running:
+ - image: so-idh
+ - name: so-idh
+ - detach: True
+ - network_mode: host
+ - restart_policy: always
+ - binds:
+ - /nsm/idh:/var/tmp:rw
+ - /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro
diff --git a/salt/idh/supervise-opencanary.conf b/salt/idh/supervise-opencanary.conf
new file mode 100644
index 000000000..c60a32d9f
--- /dev/null
+++ b/salt/idh/supervise-opencanary.conf
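Review bot: Port values are inconsistently typed — `"ntp.port": "123"` and `"telnet.port": "23"` are strings while every other `*.port` is a number — and the key `"httproxy.skin.list"` does not carry the `httpproxy.` prefix of its three sibling keys; if these were carried over from OpenCanary's sample config they may be what the reader expects, but that is worth confirming against the module code rather than assuming, because a key the reader does not recognise is silently ignored and the default applies. `"device.node_id": "{{HOSTNAME}}"` interpolates the `host` grain into JSON without escaping; emitting it through a filter that produces a JSON string (Salt's `json` Jinja filter, i.e. `"device.node_id": {{ HOSTNAME | json }},` in place of the quoted form) keeps the rendered file valid for any hostname. The telnet `honeycreds` (`admin`/`admin1` plus a pbkdf2 hash) and the enabled ssh on 2222 and vnc on 5900 are the honeypot's bait and are meant to be reachable; since JSON cannot carry comments, a Jinja comment at the top of the file (`{# Rendered by Salt; ssh and vnc are deliberately enabled as honeypot services, all other modules off #}`) would tell the next maintainer which listeners are intentional.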
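Review bot: `idhfiles` copies the config with `file_mode: 755` and `replace: False`, so `opencanary.conf` lands executable and, once present, is never refreshed by later runs of the state — a changed honeypot profile in `salt://idh/config` would silently not reach nodes already deployed. `644` is enough for a file the container mounts read-only, and dropping `replace: False` (with a `watch` from `so-idh-run` on `idhfiles` so the container restarts on a config change) keeps nodes in sync; if `replace: False` is deliberate to preserve local edits, a comment saying so would help. The two `file.directory` states carry the same comment, but `/nsm/idh` is bound to `/var/tmp` in the container and is where `opencanary.log` is written, so `# Log/data directory, mounted at /var/tmp inside the container` describes it better than the repeated `# Create a config directory`. `so-idh` builds the image on the node at state time, which means each IDH node needs outbound access to PyPI and Debian mirrors during setup and gets whatever versions resolve that day; if the other node images are pulled prebuilt, pulling a prebuilt `so-idh` would match that and is easier to audit.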
@@ -0,0 +1,4 @@
+ [program:opencanaryd]
+command=/usr/local/bin/opencanaryd --start
+redirect_stderr=true
+autorestart=true
\ No newline at end of file
diff --git a/setup/so-functions b/setup/so-functions
index 996620336..13434c772 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2619,7 +2619,7 @@ set_initial_firewall_policy() {
 $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
 $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP"
 ;;
- 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET' | 'RECEIVER')
+ 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET' | 'IDH' | 'RECEIVER')
 $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
 case "$install_type" in
 'SENSOR')
@@ -2639,6 +2639,9 @@ set_initial_firewall_policy() {
 'FLEET')
 $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP"
 ;;
+ 'IDH')
+ $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP"
+ ;;
 'RECEIVER')
 $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost receiver "$MAINIP"
 $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh receiverstab "$MINION_ID" "$MAINIP"
diff --git a/setup/so-setup b/setup/so-setup
index 90e57646d..eb44743f6 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -251,6 +251,10 @@ elif [ "$install_type" = 'FLEET' ]; then
 is_minion=true
 is_fleet_standalone=true
 OSQUERY=1
+elif [ "$install_type" = 'IDH' ]; then
+ is_minion=true
+ is_idh_standalone=true
+ IDH=1
 elif [ "$install_type" = 'HELIXSENSOR' ]; then
 is_helix=true
 elif [ "$install_type" = 'IMPORT' ]; then
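Review bot: `command=/usr/local/bin/opencanaryd --start` may not leave a foreground process for supervisord to manage: if `--start` daemonizes (it wraps twistd, which backgrounds itself by default), supervisord sees its child exit at once and `autorestart=true` turns that into a restart loop; OpenCanary also has a `--dev` mode that runs in the foreground, so verify which of the two this image needs before relying on the restart policy. Nothing sets `stdout_logfile`, so with `redirect_stderr=true` the honeypot's console output goes to supervisord's own log file inside the container rather than to `docker logs`; `stdout_logfile=/dev/stdout` with `stdout_logfile_maxbytes=0` is the usual way to surface it. The `[program:opencanaryd]` header appears with a leading space in the hunk, which may be an artifact of how this page was rendered; if the space is really in the file it is safer to remove it.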
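Review bot: The new `'IDH')` branch in the second so-functions hunk is a verbatim copy of the `'FLEET')` branch above it, so the two can be one pattern, `'FLEET' | 'IDH')`, which keeps them from drifting the next time the rule changes; the enclosing `case` and `set_initial_firewall_policy` both start outside the hunk. The rule it applies, `beats_endpoint_ssl`, presumably lets this host reach the manager's beats endpoint, yet nothing in this patch deploys a log shipper for `/nsm/idh/opencanary.log` or otherwise explains why an IDH node needs that group; if shipping is configured by a state applied elsewhere, a one-line comment on the branch such as `# IDH: beats shipper for /nsm/idh/opencanary.log` would make the firewall intent clear to the next reader.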
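Review bot: `is_idh_standalone=true` in the so-setup hunk is assigned but nothing in this patch reads it; `IDH=1` is what later gates the state apply. If no code outside the patch consults it, drop the line, and if it is meant to mirror `is_fleet_standalone` for node-specific setup, the reader of the variable should be part of this change. The `if`/`elif` chain this branch belongs to starts outside the hunk.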
@@ -910,6 +914,13 @@ echo "1" > /root/accept_changes
 fi
+ if [[ "$IDH" = 1 ]]; then
+
+ set_progress_str 79 "$(print_salt_state_apply 'idh')"
+ salt-call state.apply -l info idh >> $setup_log 2>&1
+
+ fi
+
 if [[ "$WAZUH" = 1 ]]; then
 set_progress_str 79 "$(print_salt_state_apply 'wazuh')"
 salt-call state.apply -l info wazuh >> $setup_log 2>&1
diff --git a/setup/so-whiptail b/setup/so-whiptail
index a4c72fb55..c7073d4be 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -803,6 +803,7 @@ whiptail_install_type_dist_existing() {
 "SEARCHNODE" "Add a search node with parsing " OFF \
 "FLEET" "Dedicated Fleet Osquery Node " OFF \
 "HEAVYNODE" "Sensor + Search Node " OFF \
+ "IDH" "Intrusion Detection Honeypot Node " OFF \
 "RECEIVER" "Receiver Node " OFF \
 3>&1 1>&2 2>&3
 # "HOTNODE" "Add Hot Node (Uses Elastic Clustering)" OFF \ # TODO
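Review bot: The new IDH block reports progress 79, the same value the WAZUH block directly below it uses, so the progress bar does not advance between the two state applies; if consecutive steps sharing a value is not the file's convention, give the IDH step its own value consistent with the surrounding sequence (which is outside the hunk). The blank lines inside the `if` body differ from the adjacent WAZUH block, which is written without them, so removing the two empty lines and matching that layout keeps the section uniform. Both `salt-call` invocations append to `$setup_log` and discard the exit status, which is consistent with the existing block, so a failed `idh` state apply will only be visible in the log; that is acceptable if it is the file's existing convention, but worth noting in the commit message.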