CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/2.4/dev' into mineerror

Browse Source
This commit is contained in:
m0duspwnens
2023-08-01 16:21:22 -04:00
parent 7037fc52f8 da51fd59a0
commit 9ec4322bf4
35 changed files with 451 additions and 402 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
salt/common/tools/sbin/so-common
View File

@@ -5,7 +5,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
ELASTIC_AGENT_TARBALL_VERSION="8.7.1"
ELASTIC_AGENT_TARBALL_VERSION="8.8.2"
DEFAULT_SALT_DIR=/opt/so/saltstack/default
DOC_BASE_URL="https://docs.securityonion.net/en/2.4"
@@ -225,12 +225,15 @@ init_monitor() {
if [[ $MONITORNIC == "bond0" ]]; then
BIFACES=$(lookup_bond_interfaces)
for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload; do
ethtool -K "$MONITORNIC" "$i" off;
done
else
BIFACES=$MONITORNIC
fi
for DEVICE_IFACE in $BIFACES; do
for i in rx tx sg tso ufo gso gro lro; do
for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload; do
ethtool -K "$DEVICE_IFACE" "$i" off;
done
ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on

3
salt/elasticagent/enabled.sls
View File

@@ -35,6 +35,7 @@ so-elastic-agent:
- /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
- /nsm:/nsm:ro
- /opt/so/log:/opt/so/log:ro
{% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
- {{ BIND }}
@@ -47,6 +48,8 @@ so-elastic-agent:
- {{ XTRAENV }}
{% endfor %}
{% endif %}
- require:
- file: create-elastic-agent-config
- watch:
- file: create-elastic-agent-config

345
salt/elasticagent/files/elastic-agent.yml.jinja
View File

@@ -3,7 +3,7 @@
{%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
id: aea1ba80-1065-11ee-a369-97538913b6a9
revision: 2
revision: 1
outputs:
default:
type: elasticsearch
@@ -22,9 +22,9 @@ agent:
metrics: false
features: {}
inputs:
- id: logfile-logs-80ffa884-2cfc-459a-964a-34df25714d85
name: suricata-logs
revision: 1
- id: logfile-logs-fefef78c-422f-4cfa-8abf-4cd1b9428f62
name: import-evtx-logs
revision: 2
type: logfile
use_output: default
meta:
@@ -33,23 +33,336 @@ inputs:
version:
data_stream:
namespace: so
package_policy_id: 80ffa884-2cfc-459a-964a-34df25714d85
package_policy_id: fefef78c-422f-4cfa-8abf-4cd1b9428f62
streams:
- id: logfile-log.log-80ffa884-2cfc-459a-964a-34df25714d85
- id: logfile-log.log-fefef78c-422f-4cfa-8abf-4cd1b9428f62
data_stream:
dataset: import
paths:
- /nsm/import/*/evtx/*.json
processors:
- dissect:
field: log.file.path
tokenizer: '/nsm/import/%{import.id}/evtx/%{import.file}'
target_prefix: ''
- decode_json_fields:
fields:
- message
target: ''
- drop_fields:
ignore_missing: true
fields:
- host
- add_fields:
fields:
dataset: system.security
type: logs
namespace: default
target: data_stream
- add_fields:
fields:
dataset: system.security
module: system
imported: true
target: event
- then:
- add_fields:
fields:
dataset: windows.sysmon_operational
target: data_stream
- add_fields:
fields:
dataset: windows.sysmon_operational
module: windows
imported: true
target: event
if:
equals:
winlog.channel: Microsoft-Windows-Sysmon/Operational
- then:
- add_fields:
fields:
dataset: system.application
target: data_stream
- add_fields:
fields:
dataset: system.application
target: event
if:
equals:
winlog.channel: Application
- then:
- add_fields:
fields:
dataset: system.system
target: data_stream
- add_fields:
fields:
dataset: system.system
target: event
if:
equals:
winlog.channel: System
- then:
- add_fields:
fields:
dataset: windows.powershell_operational
target: data_stream
- add_fields:
fields:
dataset: windows.powershell_operational
module: windows
target: event
if:
equals:
winlog.channel: Microsoft-Windows-PowerShell/Operational
tags:
- import
- id: logfile-redis-fc98c947-7d17-4861-a318-7ad075f6d1b0
name: redis-logs
revision: 2
type: logfile
use_output: default
meta:
package:
name: redis
version:
data_stream:
namespace: default
package_policy_id: fc98c947-7d17-4861-a318-7ad075f6d1b0
streams:
- id: logfile-redis.log-fc98c947-7d17-4861-a318-7ad075f6d1b0
data_stream:
dataset: redis.log
type: logs
exclude_files:
- .gz$
paths:
- /opt/so/log/redis/redis.log
tags:
- redis-log
exclude_lines:
- '^\s+[\-`(''.|_]'
- id: logfile-logs-3b56803d-5ade-4c93-b25e-9b37182f66b8
name: import-suricata-logs
revision: 2
type: logfile
use_output: default
meta:
package:
name: log
version:
data_stream:
namespace: so
package_policy_id: 3b56803d-5ade-4c93-b25e-9b37182f66b8
streams:
- id: logfile-log.log-3b56803d-5ade-4c93-b25e-9b37182f66b8
data_stream:
dataset: import
pipeline: suricata.common
paths:
- /nsm/import/*/suricata/eve*.json
processors:
- add_fields:
fields:
module: suricata
imported: true
category: network
target: event
- dissect:
field: log.file.path
tokenizer: '/nsm/import/%{import.id}/suricata/%{import.file}'
target_prefix: ''
- id: logfile-logs-c327e1a3-1ebe-449c-a8eb-f6f35032e69d
name: soc-server-logs
revision: 2
type: logfile
use_output: default
meta:
package:
name: log
version:
data_stream:
namespace: so
package_policy_id: c327e1a3-1ebe-449c-a8eb-f6f35032e69d
streams:
- id: logfile-log.log-c327e1a3-1ebe-449c-a8eb-f6f35032e69d
data_stream:
dataset: soc
pipeline: common
paths:
- /opt/so/log/soc/sensoroni-server.log
processors:
- decode_json_fields:
add_error_key: true
process_array: true
max_depth: 2
fields:
- message
target: soc
- add_fields:
fields:
module: soc
dataset_temp: server
category: host
target: event
- rename:
ignore_missing: true
fields:
- from: soc.fields.sourceIp
to: source.ip
- from: soc.fields.status
to: http.response.status_code
- from: soc.fields.method
to: http.request.method
- from: soc.fields.path
to: url.path
- from: soc.message
to: event.action
- from: soc.level
to: log.level
tags:
- so-soc
- id: logfile-logs-906e0d4c-9ec3-4c6a-bef6-e347ec9fd073
name: soc-sensoroni-logs
revision: 2
type: logfile
use_output: default
meta:
package:
name: log
version:
data_stream:
namespace: so
package_policy_id: 906e0d4c-9ec3-4c6a-bef6-e347ec9fd073
streams:
- id: logfile-log.log-906e0d4c-9ec3-4c6a-bef6-e347ec9fd073
data_stream:
dataset: soc
pipeline: common
paths:
- /opt/so/log/sensoroni/sensoroni.log
processors:
- decode_json_fields:
add_error_key: true
process_array: true
max_depth: 2
fields:
- message
target: sensoroni
- add_fields:
fields:
module: soc
dataset_temp: sensoroni
category: host
target: event
- rename:
ignore_missing: true
fields:
- from: sensoroni.fields.sourceIp
to: source.ip
- from: sensoroni.fields.status
to: http.response.status_code
- from: sensoroni.fields.method
to: http.request.method
- from: sensoroni.fields.path
to: url.path
- from: sensoroni.message
to: event.action
- from: sensoroni.level
to: log.level
- id: logfile-logs-df0d7f2c-221f-433b-b18b-d1cf83250515
name: soc-salt-relay-logs
revision: 2
type: logfile
use_output: default
meta:
package:
name: log
version:
data_stream:
namespace: so
package_policy_id: df0d7f2c-221f-433b-b18b-d1cf83250515
streams:
- id: logfile-log.log-df0d7f2c-221f-433b-b18b-d1cf83250515
data_stream:
dataset: soc
pipeline: common
paths:
- /opt/so/log/soc/salt-relay.log
processors:
- dissect:
field: message
tokenizer: '%{soc.ts} | %{event.action}'
target_prefix: ''
- add_fields:
fields:
module: soc
dataset_temp: salt_relay
category: host
target: event
tags:
- so-soc
- id: logfile-logs-74bd2366-fe52-493c-bddc-843a017fc4d0
name: soc-auth-sync-logs
revision: 2
type: logfile
use_output: default
meta:
package:
name: log
version:
data_stream:
namespace: so
package_policy_id: 74bd2366-fe52-493c-bddc-843a017fc4d0
streams:
- id: logfile-log.log-74bd2366-fe52-493c-bddc-843a017fc4d0
data_stream:
dataset: soc
pipeline: common
paths:
- /opt/so/log/soc/sync.log
processors:
- dissect:
field: message
tokenizer: '%{event.action}'
target_prefix: ''
- add_fields:
fields:
module: soc
dataset_temp: auth_sync
category: host
target: event
tags:
- so-soc
- id: logfile-logs-d151d9bf-ff2a-4529-9520-c99244bc0253
name: suricata-logs
revision: 2
type: logfile
use_output: default
meta:
package:
name: log
version:
data_stream:
namespace: so
package_policy_id: d151d9bf-ff2a-4529-9520-c99244bc0253
streams:
- id: logfile-log.log-d151d9bf-ff2a-4529-9520-c99244bc0253
data_stream:
dataset: suricata
pipeline: suricata.common
paths:
- /nsm/suricata/eve*.json
processors:
- add_fields:
target: event
fields:
category: network
module: suricata
pipeline: suricata.common
- id: logfile-logs-90103ac4-f6bd-4a4a-b596-952c332390fc
category: network
target: event
- id: logfile-logs-31f94d05-ae75-40ee-b9c5-0e0356eff327
name: strelka-logs
revision: 1
revision: 2
type: logfile
use_output: default
meta:
@@ -58,20 +371,20 @@ inputs:
version:
data_stream:
namespace: so
package_policy_id: 90103ac4-f6bd-4a4a-b596-952c332390fc
package_policy_id: 31f94d05-ae75-40ee-b9c5-0e0356eff327
streams:
- id: logfile-log.log-90103ac4-f6bd-4a4a-b596-952c332390fc
- id: logfile-log.log-31f94d05-ae75-40ee-b9c5-0e0356eff327
data_stream:
dataset: strelka
pipeline: strelka.file
paths:
- /nsm/strelka/log/strelka.log
processors:
- add_fields:
target: event
fields:
category: file
module: strelka
pipeline: strelka.file
category: file
target: event
- id: logfile-logs-6197fe84-9b58-4d9b-8464-3d517f28808d
name: zeek-logs
revision: 1

1
salt/elasticfleet/defaults.yaml
View File

@@ -32,4 +32,5 @@ elasticfleet:
- fim
- github
- google_workspace
- log
- 1password

2
salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json
View File

@@ -13,7 +13,7 @@
"logs-logfile": {
"enabled": true,
"streams": {
"log.log": {
"log.logs": {
"enabled": true,
"vars": {
"paths": [

2
salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json
View File

@@ -14,7 +14,7 @@
"logs-logfile": {
"enabled": true,
"streams": {
"log.log": {
"log.logs": {
"enabled": true,
"vars": {
"paths": [

2
salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json
View File

@@ -11,7 +11,7 @@
"logs-logfile": {
"enabled": true,
"streams": {
"log.log": {
"log.logs": {
"enabled": true,
"vars": {
"paths": [

2
salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json
View File

@@ -12,7 +12,7 @@
"logs-logfile": {
"enabled": true,
"streams": {
"log.log": {
"log.logs": {
"enabled": true,
"vars": {
"paths": [

2
salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json
View File

@@ -11,7 +11,7 @@
"logs-logfile": {
"enabled": true,
"streams": {
"log.log": {
"log.logs": {
"enabled": true,
"vars": {
"paths": [

2
salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json
View File

@@ -11,7 +11,7 @@
"logs-logfile": {
"enabled": true,
"streams": {
"log.log": {
"log.logs": {
"enabled": true,
"vars": {
"paths": [

2
salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json
View File

@@ -11,7 +11,7 @@
"logs-logfile": {
"enabled": true,
"streams": {
"log.log": {
"log.logs": {
"enabled": true,
"vars": {
"paths": [

2
salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json
View File

@@ -11,7 +11,7 @@
"logs-logfile": {
"enabled": true,
"streams": {
"log.log": {
"log.logs": {
"enabled": true,
"vars": {
"paths": [

2
salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json
View File

@@ -11,7 +11,7 @@
"logs-logfile": {
"enabled": true,
"streams": {
"log.log": {
"log.logs": {
"enabled": true,
"vars": {
"paths": [

2
salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json
View File

@@ -11,7 +11,7 @@
"logs-logfile": {
"enabled": true,
"streams": {
"log.log": {
"log.logs": {
"enabled": true,
"vars": {
"paths": [

2
salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json
View File

@@ -11,7 +11,7 @@
"logs-logfile": {
"enabled": true,
"streams": {
"log.log": {
"log.logs": {
"enabled": true,
"vars": {
"paths": [

2
salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json
View File

@@ -11,7 +11,7 @@
"logs-logfile": {
"enabled": true,
"streams": {
"log.log": {
"log.logs": {
"enabled": true,
"vars": {
"paths": [

106
salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-logs.json
View File

@@ -1,106 +0,0 @@
{
"package": {
"name": "elasticsearch",
"version": ""
},
"name": "elasticsearch-logs",
"namespace": "default",
"description": "Elasticsearch Logs",
"policy_id": "so-grid-nodes_heavy",
"inputs": {
"elasticsearch-logfile": {
"enabled": true,
"streams": {
"elasticsearch.audit": {
"enabled": false,
"vars": {
"paths": [
"/var/log/elasticsearch/*_audit.json"
]
}
},
"elasticsearch.deprecation": {
"enabled": false,
"vars": {
"paths": [
"/var/log/elasticsearch/*_deprecation.json"
]
}
},
"elasticsearch.gc": {
"enabled": false,
"vars": {
"paths": [
"/var/log/elasticsearch/gc.log.[0-9]*",
"/var/log/elasticsearch/gc.log"
]
}
},
"elasticsearch.server": {
"enabled": true,
"vars": {
"paths": [
"/opt/so/log/elasticsearch/*.log"
]
}
},
"elasticsearch.slowlog": {
"enabled": false,
"vars": {
"paths": [
"/var/log/elasticsearch/*_index_search_slowlog.json",
"/var/log/elasticsearch/*_index_indexing_slowlog.json"
]
}
}
}
},
"elasticsearch-elasticsearch/metrics": {
"enabled": false,
"vars": {
"hosts": [
"http://localhost:9200"
],
"scope": "node"
},
"streams": {
"elasticsearch.stack_monitoring.ccr": {
"enabled": false
},
"elasticsearch.stack_monitoring.cluster_stats": {
"enabled": false
},
"elasticsearch.stack_monitoring.enrich": {
"enabled": false
},
"elasticsearch.stack_monitoring.index": {
"enabled": false
},
"elasticsearch.stack_monitoring.index_recovery": {
"enabled": false,
"vars": {
"active.only": true
}
},
"elasticsearch.stack_monitoring.index_summary": {
"enabled": false
},
"elasticsearch.stack_monitoring.ml_job": {
"enabled": false
},
"elasticsearch.stack_monitoring.node": {
"enabled": false
},
"elasticsearch.stack_monitoring.node_stats": {
"enabled": false
},
"elasticsearch.stack_monitoring.pending_tasks": {
"enabled": false
},
"elasticsearch.stack_monitoring.shard": {
"enabled": false
}
}
}
}
}

29
salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json
View File

@@ -1,29 +0,0 @@
{
"package": {
"name": "log",
"version": ""
},
"name": "kratos-logs",
"namespace": "so",
"description": "Kratos logs",
"policy_id": "so-grid-nodes_heavy",
"inputs": {
"logs-logfile": {
"enabled": true,
"streams": {
"log.log": {
"enabled": true,
"vars": {
"paths": [
"/opt/so/log/kratos/kratos.log"
],
"data_stream.dataset": "kratos",
"tags": ["so-kratos"],
"processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: iam\n module: kratos",
"custom": "pipeline: kratos"
}
}
}
}
}
}

2
salt/elasticfleet/files/integrations/grid-nodes_heavy/osquery-grid-nodes.json
View File

@@ -3,7 +3,7 @@
"name": "osquery_manager",
"version": ""
},
"name": "osquery-grid-nodes",
"name": "osquery-grid-nodes_heavy",
"namespace": "default",
"policy_id": "so-grid-nodes_heavy",
"inputs": {

76
salt/elasticfleet/files/integrations/grid-nodes_heavy/redis-logs.json
View File

@@ -1,76 +0,0 @@
{
"package": {
"name": "redis",
"version": ""
},
"name": "redis-logs",
"namespace": "default",
"description": "Redis logs",
"policy_id": "so-grid-nodes_heavy",
"inputs": {
"redis-logfile": {
"enabled": true,
"streams": {
"redis.log": {
"enabled": true,
"vars": {
"paths": [
"/opt/so/log/redis/redis.log"
],
"tags": [
"redis-log"
],
"preserve_original_event": false
}
}
}
},
"redis-redis": {
"enabled": false,
"streams": {
"redis.slowlog": {
"enabled": false,
"vars": {
"hosts": [
"127.0.0.1:6379"
],
"password": ""
}
}
}
},
"redis-redis/metrics": {
"enabled": false,
"vars": {
"hosts": [
"127.0.0.1:6379"
],
"idle_timeout": "20s",
"maxconn": 10,
"network": "tcp",
"password": ""
},
"streams": {
"redis.info": {
"enabled": false,
"vars": {
"period": "10s"
}
},
"redis.key": {
"enabled": false,
"vars": {
"key.patterns": "- limit: 20\n pattern: *\n",
"period": "10s"
}
},
"redis.keyspace": {
"enabled": false,
"vars": {
"period": "10s"
}
}
}
}
}
}

29
salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json
View File

@@ -1,29 +0,0 @@
{
"package": {
"name": "log",
"version": ""
},
"name": "soc-auth-sync-logs",
"namespace": "so",
"description": "Security Onion - Elastic Auth Sync - Logs",
"policy_id": "so-grid-nodes_heavy",
"inputs": {
"logs-logfile": {
"enabled": true,
"streams": {
"log.log": {
"enabled": true,
"vars": {
"paths": [
"/opt/so/log/soc/sync.log"
],
"data_stream.dataset": "soc",
"tags": ["so-soc"],
"processors": "- dissect:\n tokenizer: \"%{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: auth_sync",
"custom": "pipeline: common"
}
}
}
}
}
}

29
salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json
View File

@@ -1,29 +0,0 @@
{
"package": {
"name": "log",
"version": ""
},
"name": "soc-salt-relay-logs",
"namespace": "so",
"description": "Security Onion - Salt Relay - Logs",
"policy_id": "so-grid-nodes_heavy",
"inputs": {
"logs-logfile": {
"enabled": true,
"streams": {
"log.log": {
"enabled": true,
"vars": {
"paths": [
"/opt/so/log/soc/salt-relay.log"
],
"data_stream.dataset": "soc",
"tags": ["so-soc"],
"processors": "- dissect:\n tokenizer: \"%{soc.ts} | %{event.action}\"\n field: \"message\"\n target_prefix: \"\"\n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: salt_relay",
"custom": "pipeline: common"
}
}
}
}
}
}

29
salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json
View File

@@ -1,29 +0,0 @@
{
"package": {
"name": "log",
"version": ""
},
"name": "soc-sensoroni-logs",
"namespace": "so",
"description": "Security Onion - Sensoroni - Logs",
"policy_id": "so-grid-nodes_heavy",
"inputs": {
"logs-logfile": {
"enabled": true,
"streams": {
"log.log": {
"enabled": true,
"vars": {
"paths": [
"/opt/so/log/sensoroni/sensoroni.log"
],
"data_stream.dataset": "soc",
"tags": [],
"processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"sensoroni\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: sensoroni\n- rename:\n fields:\n - from: \"sensoroni.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"sensoroni.fields.status\"\n to: \"http.response.status_code\"\n - from: \"sensoroni.fields.method\"\n to: \"http.request.method\"\n - from: \"sensoroni.fields.path\"\n to: \"url.path\"\n - from: \"sensoroni.message\"\n to: \"event.action\"\n - from: \"sensoroni.level\"\n to: \"log.level\"\n ignore_missing: true",
"custom": "pipeline: common"
}
}
}
}
}
}

29
salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json
View File

@@ -1,29 +0,0 @@
{
"package": {
"name": "log",
"version": ""
},
"name": "soc-server-logs",
"namespace": "so",
"description": "Security Onion Console Logs",
"policy_id": "so-grid-nodes_heavy",
"inputs": {
"logs-logfile": {
"enabled": true,
"streams": {
"log.log": {
"enabled": true,
"vars": {
"paths": [
"/opt/so/log/soc/sensoroni-server.log"
],
"data_stream.dataset": "soc",
"tags": ["so-soc"],
"processors": "- decode_json_fields:\n fields: [\"message\"]\n target: \"soc\"\n process_array: true\n max_depth: 2\n add_error_key: true \n- add_fields:\n target: event\n fields:\n category: host\n module: soc\n dataset_temp: server\n- rename:\n fields:\n - from: \"soc.fields.sourceIp\"\n to: \"source.ip\"\n - from: \"soc.fields.status\"\n to: \"http.response.status_code\"\n - from: \"soc.fields.method\"\n to: \"http.request.method\"\n - from: \"soc.fields.path\"\n to: \"url.path\"\n - from: \"soc.message\"\n to: \"event.action\"\n - from: \"soc.level\"\n to: \"log.level\"\n ignore_missing: true",
"custom": "pipeline: common"
}
}
}
}
}
}

2
salt/elasticfleet/files/integrations/grid-nodes_heavy/system-grid-nodes.json
View File

@@ -4,7 +4,7 @@
"name": "system",
"version": ""
},
"name": "system-grid-nodes",
"name": "system-grid-nodes_heavy",
"namespace": "default",
"inputs": {
"system-logfile": {

87
salt/firewall/defaults.yaml
View File

@@ -198,9 +198,6 @@ firewall:
portgroups:
- redis
- elasticsearch_node
self:
portgroups:
- syslog
beats_endpoint:
portgroups:
- beats_5044
@@ -218,9 +215,6 @@ firewall:
strelka_frontend:
portgroups:
- strelka_frontend
syslog:
portgroups:
- syslog
analyst:
portgroups:
- nginx
@@ -255,6 +249,12 @@ firewall:
localhost:
portgroups:
- all
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
customhostgroup0:
portgroups: []
customhostgroup1:
@@ -425,12 +425,6 @@ firewall:
- elastic_agent_control
- elastic_agent_data
- elastic_agent_update
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
beats_endpoint:
portgroups:
- beats_5044
@@ -497,6 +491,12 @@ firewall:
receiver:
portgroups:
- salt_manager
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
customhostgroup0:
portgroups: []
customhostgroup1:
@@ -588,9 +588,6 @@ firewall:
- elastic_agent_control
- elastic_agent_data
- elastic_agent_update
self:
portgroups:
- syslog
beats_endpoint:
portgroups:
- beats_5044
@@ -608,9 +605,6 @@ firewall:
endgame:
portgroups:
- endgame
syslog:
portgroups:
- syslog
analyst:
portgroups:
- nginx
@@ -660,6 +654,12 @@ firewall:
receiver:
portgroups:
- salt_manager
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
customhostgroup0:
portgroups: []
customhostgroup1:
@@ -760,9 +760,6 @@ firewall:
- elastic_agent_control
- elastic_agent_data
- elastic_agent_update
self:
portgroups:
- syslog
beats_endpoint:
portgroups:
- beats_5044
@@ -783,9 +780,6 @@ firewall:
strelka_frontend:
portgroups:
- strelka_frontend
syslog:
portgroups:
- syslog
analyst:
portgroups:
- nginx
@@ -838,6 +832,12 @@ firewall:
receiver:
portgroups:
- salt_manager
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
customhostgroup0:
portgroups: []
customhostgroup1:
@@ -866,6 +866,14 @@ firewall:
portgroups:
- elasticsearch_node
- elasticsearch_rest
managersearch:
portgroups:
- elasticsearch_node
- elasticsearch_rest
standalone:
portgroups:
- elasticsearch_node
- elasticsearch_rest
dockernet:
portgroups:
- elasticsearch_node
@@ -876,9 +884,6 @@ firewall:
searchnode:
portgroups:
- elasticsearch_node
self:
portgroups:
- syslog
customhostgroup0:
portgroups: []
customhostgroup1:
@@ -910,6 +915,12 @@ firewall:
localhost:
portgroups:
- all
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
customhostgroup0:
portgroups: []
customhostgroup1:
@@ -934,9 +945,6 @@ firewall:
chain:
DOCKER-USER:
hostgroups:
self:
portgroups:
- syslog
strelka_frontend:
portgroups:
- strelka_frontend
@@ -971,6 +979,12 @@ firewall:
localhost:
portgroups:
- all
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
customhostgroup0:
portgroups: []
customhostgroup1:
@@ -1022,6 +1036,9 @@ firewall:
strelka_frontend:
portgroups:
- strelka_frontend
syslog:
portgroups:
- syslog
customhostgroup0:
portgroups: []
customhostgroup1:
@@ -1181,11 +1198,7 @@ firewall:
self:
portgroups:
- redis
- syslog
- beats_5644
syslog:
portgroups:
- syslog
beats_endpoint:
portgroups:
- beats_5044
@@ -1226,6 +1239,12 @@ firewall:
localhost:
portgroups:
- all
self:
portgroups:
- syslog
syslog:
portgroups:
- syslog
customhostgroup0:
portgroups: []
customhostgroup1:

1
salt/idh/enabled.sls
View File

@@ -6,6 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls.split('.')[0] in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
include:
- idh.config

2
salt/kibana/files/config_saved_objects.ndjson
View File

@@ -1 +1 @@
{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.7.1","id": "8.7.1","migrationVersion": {"config": "7.13.0"},"references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}
{"attributes": {"buildNum": 39457,"defaultIndex": "logs-*","defaultRoute": "/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize": 100,"theme:darkMode": true,"timepicker:timeDefaults": "{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion": "8.8.2","id": "8.8.2","references": [],"type": "config","updated_at": "2021-10-10T10:10:10.105Z","version": "WzI5NzUsMl0="}

2
salt/kibana/tools/sbin_jinja/so-kibana-config-load
View File

@@ -63,7 +63,7 @@ update() {
IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))'
for i in "${LINES[@]}"; do
RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.7.1" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/8.8.2" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ")
echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi
done

5
salt/logstash/enabled.sls
View File

@@ -9,6 +9,11 @@
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from 'logstash/map.jinja' import LOGSTASH_MERGED %}
{% from 'logstash/map.jinja' import REDIS_NODES %}
{# we append the manager here so that it is added to extra_hosts so the heavynode can resolve it #}
{# we cannont append in the logstash/map.jinja because then it would be added to the 0900_input_redis.conf #}
{% if GLOBALS.role == 'so-heavynode' %}
{% do REDIS_NODES.append({GLOBALS.manager:GLOBALS.manager_ip}) %}
{% endif %}
{% set lsheap = LOGSTASH_MERGED.settings.lsheap %}
include:

14
salt/sensor/files/99-so-checksum-offload-disable Executable file
View File

@@ -0,0 +1,14 @@
#!/bin/bash
#
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{% set MNIC = salt['pillar.get']('sensor:interface') %}
init_monitor {{ MNIC }}

12
salt/sensor/init.sls Normal file
View File

@@ -0,0 +1,12 @@
offload_script:
file.managed:
- name: /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable
- source: salt://sensor/files/99-so-checksum-offload-disable
- mode: 755
- template: jinja
execute_checksum:
cmd.run:
- name: /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable
- onchanges:
- file: offload_script

6
salt/sensor/soc_sensor.yaml
View File

@@ -1,9 +1,9 @@
sensor:
interface:
description: Main sensor monitoring interface.
helpLink: sensor.html
helpLink: network.html
readonly: True
mtu:
description: Main IP address of the grid host.
helpLink: host.html
description: Maximum Transmission Unit (MTU) of the sensor monitoring interface.
helpLink: network.html
readonly: True

4
salt/soc/defaults.yaml
View File

@@ -1140,7 +1140,7 @@ soc:
showSubtitle: true
- name: SOC - Auth
description: Users authenticated to SOC grouped by IP address and identity
query: 'event.dataset:kratos.audit AND msg:authenticated | groupby http_request.headers.x-real-ip identity_id'
query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby http_request.headers.x-real-ip identity_id'
showSubtitle: true
- name: SOC - App
description: Logs generated by the Security Onion Console (SOC) server and modules
@@ -1405,7 +1405,7 @@ soc:
query: '* | groupby -sankey event.dataset event.category* | groupby -pie event.category | groupby -bar event.module* | groupby event.dataset | groupby event.module* | groupby event.category | groupby observer.name | groupby source.ip | groupby destination.ip | groupby destination.port | groupby destination_geo.organization_name'
- name: SOC Auth
description: SOC (Security Onion Console) authentication logs
query: 'event.dataset:kratos.audit AND msg:authenticated | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent'
query: 'event.dataset:kratos.audit AND msg:*authenticated* | groupby -sankey http_request.headers.x-real-ip identity_id | groupby http_request.headers.x-real-ip | groupby identity_id | groupby http_request.headers.user-agent'
- name: Elastalerts
description: Elastalert logs
query: '_index: "*:elastalert*" | groupby rule_name | groupby alert_info.type'

5
salt/top.sls
View File

@@ -36,6 +36,7 @@ base:
'*_sensor and G@saltversion:{{saltversion}}':
- match: compound
- sensor
- ssl
- sensoroni
- telegraf
@@ -52,6 +53,7 @@ base:
'*_eval and G@saltversion:{{saltversion}}':
- match: compound
- salt.master
- sensor
- ca
- ssl
- registry
@@ -118,6 +120,7 @@ base:
'*_standalone and G@saltversion:{{saltversion}}':
- match: compound
- salt.master
- sensor
- ca
- ssl
- registry
@@ -196,6 +199,7 @@ base:
'*_heavynode and G@saltversion:{{saltversion}}':
- match: compound
- sensor
- ssl
- sensoroni
- nginx
@@ -216,6 +220,7 @@ base:
'*_import and G@saltversion:{{saltversion}}':
- match: compound
- salt.master
- sensor
- ca
- ssl
- registry