CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Initial support - IDH Node

Browse Source
This commit is contained in:
Josh Brower
2022-02-07 14:36:40 -05:00
parent c9b40d8569
commit 9b1fac8417
7 changed files with 191 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
salt/idh/Dockerfile Normal file
View File

@@ -0,0 +1,12 @@
FROM python:3.6-slim
WORKDIR /root/
RUN rm /bin/sh && ln -s /bin/bash /bin/sh
RUN apt update && apt-get install -y sudo supervisor && rm -rf /var/lib/apt/lists/*
RUN pip install opencanary
ADD supervise-opencanary.conf /etc/supervisor/conf.d/supervise-opencanary.conf
CMD ["/usr/bin/supervisord", "-n"]

113
salt/idh/config/opencanary.conf Normal file
View File

@@ -0,0 +1,113 @@
{%- set HOSTNAME = salt['grains.get']('host') -%}
{
"device.node_id": "{{HOSTNAME}}",
"git.enabled": false,
"git.port" : 9418,
"ftp.enabled": false,
"ftp.port": 21,
"ftp.banner": "FTP server ready",
"http.banner": "Apache/2.2.22 (Ubuntu)",
"http.enabled": false,
"http.port": 80,
"http.skin": "nasLogin",
"http.skin.list": [
{
"desc": "Plain HTML Login",
"name": "basicLogin"
},
{
"desc": "Synology NAS Login",
"name": "nasLogin"
}
],
"httpproxy.enabled" : false,
"httpproxy.port": 8080,
"httpproxy.skin": "squid",
"httproxy.skin.list": [
{
"desc": "Squid",
"name": "squid"
},
{
"desc": "Microsoft ISA Server Web Proxy",
"name": "ms-isa"
}
],
"logger": {
"class": "PyLogger",
"kwargs": {
"formatters": {
"plain": {
"format": "%(message)s"
}
},
"handlers": {
"console": {
"class": "logging.StreamHandler",
"stream": "ext://sys.stdout"
},
"file": {
"class": "logging.FileHandler",
"filename": "/var/tmp/opencanary.log"
}
}
}
},
"portscan.enabled": false,
"portscan.logfile":"/var/log/kern.log",
"portscan.synrate": 5,
"portscan.nmaposrate": 5,
"portscan.lorate": 3,
"smb.auditfile": "/var/log/samba-audit.log",
"smb.enabled": false,
"mysql.enabled": false,
"mysql.port": 3306,
"mysql.banner": "5.5.43-0ubuntu0.14.04.1",
"ssh.enabled": true,
"ssh.port": 2222,
"ssh.version": "SSH-2.0-OpenSSH_7.6p1 Ubuntu 4ubuntu0.3",
"redis.enabled": false,
"redis.port": 6379,
"rdp.enabled": false,
"rdp.port": 3389,
"sip.enabled": false,
"sip.port": 5060,
"snmp.enabled": false,
"snmp.port": 161,
"ntp.enabled": false,
"ntp.port": "123",
"tftp.enabled": false,
"tftp.port": 69,
"tcpbanner.maxnum":10,
"tcpbanner.enabled": false,
"tcpbanner_1.enabled": false,
"tcpbanner_1.port": 8001,
"tcpbanner_1.datareceivedbanner": "",
"tcpbanner_1.initbanner": "",
"tcpbanner_1.alertstring.enabled": false,
"tcpbanner_1.alertstring": "",
"tcpbanner_1.keep_alive.enabled": false,
"tcpbanner_1.keep_alive_secret": "",
"tcpbanner_1.keep_alive_probes": 11,
"tcpbanner_1.keep_alive_interval":300,
"tcpbanner_1.keep_alive_idle": 300,
"telnet.enabled": false,
"telnet.port": "23",
"telnet.banner": "",
"telnet.honeycreds": [
{
"username": "admin",
"password": "$pbkdf2-sha512$19000$bG1NaY3xvjdGyBlj7N37Xw$dGrmBqqWa1okTCpN3QEmeo9j5DuV2u1EuVFD8Di0GxNiM64To5O/Y66f7UASvnQr8.LCzqTm6awC8Kj/aGKvwA"
},
{
"username": "admin",
"password": "admin1"
}
],
"mssql.enabled": false,
"mssql.version": "2012",
"mssql.port":1433,
"vnc.enabled": true,
"vnc.port":5900
}

46
salt/idh/init.sls Normal file
View File

@@ -0,0 +1,46 @@
# IDH State
# Create a config directory
temp:
file.directory:
- name: /opt/so/conf/idh
- user: 939
- group: 939
- makedirs: True
# Create a config directory
configdir:
file.directory:
- name: /nsm/idh
- user: 939
- group: 939
- makedirs: True
# Sync IDH files
idhfiles:
file.recurse:
- name: /opt/so/conf/idh
- user: 0
- group: 0
- file_mode: 755
- source: salt://idh/config
- replace: False
- template: jinja
# Build IDH Docker
so-idh:
docker_image.present:
- build: /opt/so/saltstack/local/salt/idh
- tag: latest
# Set IDH Docker to run
so-idh-run:
docker_container.running:
- image: so-idh
- name: so-idh
- detach: True
- network_mode: host
- restart_policy: always
- binds:
- /nsm/idh:/var/tmp:rw
- /opt/so/conf/idh/opencanary.conf:/etc/opencanaryd/opencanary.conf:ro

4
salt/idh/supervise-opencanary.conf Normal file
View File

@@ -0,0 +1,4 @@
[program:opencanaryd]
command=/usr/local/bin/opencanaryd --start
redirect_stderr=true
autorestart=true

5
setup/so-functions
View File

@@ -2619,7 +2619,7 @@ set_initial_firewall_policy() {
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
$default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP"
;; ;;
'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET' | 'RECEIVER') 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET' | 'IDH' | 'RECEIVER')
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
case "$install_type" in case "$install_type" in
'SENSOR') 'SENSOR')
@@ -2639,6 +2639,9 @@ set_initial_firewall_policy() {
'FLEET') 'FLEET')
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP" $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP"
;; ;;
'IDH')
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP"
;;
'RECEIVER') 'RECEIVER')
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost receiver "$MAINIP" $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost receiver "$MAINIP"
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh receiverstab "$MINION_ID" "$MAINIP" $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh receiverstab "$MINION_ID" "$MAINIP"

11
setup/so-setup
View File

@@ -251,6 +251,10 @@ elif [ "$install_type" = 'FLEET' ]; then
is_minion=true is_minion=true
is_fleet_standalone=true is_fleet_standalone=true
OSQUERY=1 OSQUERY=1
elif [ "$install_type" = 'IDH' ]; then
is_minion=true
is_idh_standalone=true
IDH=1
elif [ "$install_type" = 'HELIXSENSOR' ]; then elif [ "$install_type" = 'HELIXSENSOR' ]; then
is_helix=true is_helix=true
elif [ "$install_type" = 'IMPORT' ]; then elif [ "$install_type" = 'IMPORT' ]; then
@@ -910,6 +914,13 @@ echo "1" > /root/accept_changes
fi fi
if [[ "$IDH" = 1 ]]; then
set_progress_str 79 "$(print_salt_state_apply 'idh')"
salt-call state.apply -l info idh >> $setup_log 2>&1
fi
if [[ "$WAZUH" = 1 ]]; then if [[ "$WAZUH" = 1 ]]; then
set_progress_str 79 "$(print_salt_state_apply 'wazuh')" set_progress_str 79 "$(print_salt_state_apply 'wazuh')"
salt-call state.apply -l info wazuh >> $setup_log 2>&1 salt-call state.apply -l info wazuh >> $setup_log 2>&1

1
setup/so-whiptail
View File

@@ -803,6 +803,7 @@ whiptail_install_type_dist_existing() {
"SEARCHNODE" "Add a search node with parsing " OFF \ "SEARCHNODE" "Add a search node with parsing " OFF \
"FLEET" "Dedicated Fleet Osquery Node " OFF \ "FLEET" "Dedicated Fleet Osquery Node " OFF \
"HEAVYNODE" "Sensor + Search Node " OFF \ "HEAVYNODE" "Sensor + Search Node " OFF \
"IDH" "Intrusion Detection Honeypot Node " OFF \
"RECEIVER" "Receiver Node " OFF \ "RECEIVER" "Receiver Node " OFF \
3>&1 1>&2 2>&3 3>&1 1>&2 2>&3
# "HOTNODE" "Add Hot Node (Uses Elastic Clustering)" OFF \ # TODO # "HOTNODE" "Add Hot Node (Uses Elastic Clustering)" OFF \ # TODO