From 12125deecb223fa23de0d6ef710d9b8e43b20c64 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 9 Nov 2020 11:06:08 -0500 Subject: [PATCH 01/76] [feat] Show link state in whiptail menus --- setup/so-common-functions | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/setup/so-common-functions b/setup/so-common-functions index c3df787cc..0afd732ce 100644 --- a/setup/so-common-functions +++ b/setup/so-common-functions @@ -18,12 +18,22 @@ filter_unused_nics() { fi # Finally, set filtered_nics to any NICs we aren't using (and ignore interfaces that aren't of use) - filtered_nics=$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string" | sed 's/ //g') + filtered_nics=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string" | sed 's/ //g') readarray -t filtered_nics <<< "$filtered_nics" nic_list=() for nic in "${filtered_nics[@]}"; do - nic_list+=("$nic" "" "OFF") + case $(cat "/sys/class/net/${nic}/carrier") in + 1) + nic_list+=("$nic" "Link UP " "OFF") + ;; + 0) + nic_list+=("$nic" "Link DOWN " "OFF") + ;; + *) + nic_list+=("$nic" "Link UNKNOWN " "OFF") + ;; + esac done export nic_list From 7e578d2ce04c692311641f3b29821145c4813a31 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Mon, 9 Nov 2020 16:53:53 +0000 Subject: [PATCH 02/76] Pull out additional fields from Exif info --- salt/elasticsearch/files/ingest/strelka.file | 22 +++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/strelka.file b/salt/elasticsearch/files/ingest/strelka.file index 82474d8b5..e5e8560f8 100644 --- a/salt/elasticsearch/files/ingest/strelka.file +++ b/salt/elasticsearch/files/ingest/strelka.file @@ -12,7 +12,7 @@ { "if": "ctx.exiftool?.keys !=null", "field": "exiftool.keys", - "processor":{ + "processor": { "append": { "field": "scan.exiftool", "value": "{{_ingest._value.key}}={{_ingest._value.value}}" 
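Review bot: `case $(cat "/sys/class/net/${nic}/carrier") in` writes an error to stderr for any interface that is administratively down, because the kernel answers a carrier read on a down link with EINVAL; the `*)` branch then labels the NIC "Link UNKNOWN" while a stray `cat: ... Invalid argument` line leaks into the setup output around the whiptail menu. Redirect the read, `case $(cat "/sys/class/net/${nic}/carrier" 2>/dev/null) in`, and consider giving the empty result its own label, since a down interface is the normal state of an unconfigured sniffing NIC and "UNKNOWN" reads as a fault. The enclosing `filter_unused_nics` function starts before this hunk.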
@@ -20,6 +20,18 @@ } } }, + { "foreach": + { + "if": "ctx.exiftool?.keys !=null", + "field": "exiftool.keys", + "processor": { + "set": { + "field": "exiftool.{{_ingest._value.key}}", + "value": "{{_ingest._value.value}}" + } + } + } + }, { "foreach": { "if": "ctx.scan?.yara?.meta !=null", @@ -32,6 +44,14 @@ } } }, + { "set": { "if": "ctx.exiftool?.SourceFile != null", "field": "file.source", "value": "{{exiftool.SourceFile}}", "ignore_failure": true }}, + { "set": { "if": "ctx.exiftool?.FilePermissions != null", "field": "file.permissions", "value": "{{exiftool.FilePermissions}}", "ignore_failure": true }}, + { "set": { "if": "ctx.exiftool?.FileName != null", "field": "file.name", "value": "{{exiftool.FileName}}", "ignore_failure": true }}, + { "set": { "if": "ctx.exiftool?.FileModifyDate != null", "field": "file.mtime", "value": "{{exiftool.FileModifyDate}}", "ignore_failure": true }}, + { "set": { "if": "ctx.exiftool?.FileAccessDate != null", "field": "file.accessed", "value": "{{exiftool.FileAccessDate}}", "ignore_failure": true }}, + { "set": { "if": "ctx.exiftool?.FileInodeChangeDate != null", "field": "file.ctime", "value": "{{exiftool.FileInodeChangeDate}}", "ignore_failure": true }}, + { "set": { "if": "ctx.exiftool?.FileDirectory != null", "field": "file.directory", "value": "{{exiftool.FileDirectory}}", "ignore_failure": true }}, + { "set": { "if": "ctx.exiftool?.Subsystem != null", "field": "host.subsystem", "value": "{{exiftool.Subsystem}}", "ignore_failure": true }}, { "set": { "if": "ctx.scan?.yara?.matches != null", "field": "rule.name", "value": "{{scan.yara.matches.0}}" }}, { "set": { "if": "ctx.scan?.yara?.matches != null", "field": "dataset", "value": "alert", "override": true }}, { "rename": { "field": "file.flavors.mime", "target_field": "file.mime_type", "ignore_missing": true }}, From 9960cf05921c8f121521f80857a0f24d472938d4 Mon Sep 17 00:00:00 2001 
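Review bot: The new `foreach` turns every exiftool key of the scanned file into a field name, `exiftool.{{_ingest._value.key}}`, so the index's field set is decided by whatever metadata an arbitrary, possibly hostile, file carries; a large or odd key set can exhaust the index's dynamic-field limit, a key containing a dot is expanded into a nested object that may conflict with an existing mapping, and because this inner `set` has no `ignore_failure`, any such failure rejects the whole document. Consider `"ignore_failure": true` on the inner `set`, or copying only an allow-list of keys, and disabling dynamic mapping under `exiftool.*` in the index template so unexpected keys are stored without being mapped. The processor also leaves `exiftool.keys` in place, so each value is now presumably stored twice, once as `key=value` in `scan.exiftool` from the earlier append and once here.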
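Review bot: The date copies in the second hunk, `file.mtime`, `file.accessed` and `file.ctime`, take the exiftool strings verbatim (`{{exiftool.FileModifyDate}}` and friends), and exiftool by default emits timestamps as `YYYY:MM:DD HH:MM:SS±HH:MM`, which is not ISO 8601; if those targets are mapped as `date` fields the document is rejected at index time, and `ignore_failure` on the `set` does not cover that. Run the values through a `date` processor with the matching pattern (something like `yyyy:MM:dd HH:mm:ssXXX`) before assigning, or keep them as keyword fields. Mapping `exiftool.Subsystem` onto `host.subsystem` also looks misplaced: for PE files that tag describes the executable's subsystem (GUI or console), not anything about the host, so a field under `file.pe` would fit better.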
From: William Wernert Date: Mon, 9 Nov 2020 12:05:37 -0500 Subject: [PATCH 03/76] [feat] Add salt module to check if mysql is accepting db connections --- salt/_modules/mysql.py | 35 +++++++++++++++++++++++++++++++++++ salt/mysql/init.sls | 5 +++++ 2 files changed, 40 insertions(+) create mode 100644 salt/_modules/mysql.py diff --git a/salt/_modules/mysql.py b/salt/_modules/mysql.py new file mode 100644 index 000000000..f4e35ae76 --- /dev/null +++ b/salt/_modules/mysql.py @@ -0,0 +1,35 @@ +#!py + +from MySQLdb import _mysql +import logging +import time + +log = logging.getLogger(__name__) + + +def status(retry): + mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('manager:mainint')) + mainip = __salt__['grains.get']('ip_interfaces').get(mainint)[0] + + mysql_up = False + for i in range(0, retry): + log.debug(f'Connection attempt {i+1}') + try: + _mysql.connect( + host=mainip, + user="root", + passwd=__salt__['pillar.get']('secrets:mysql') + ) + mysql_up = True + break + except _mysql.OperationalError as e: + log.debug(e) + except Exception as e: + log.error(e) + break + time.sleep(1) + + if not mysql_up: + log.error(f'Could not connect to MySQL server on {mainip} after {retry} attempts.') + + return mysql_up diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index 818b5c303..e1f37f29c 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -97,6 +97,11 @@ so-mysql: - timeout: 900 - onchanges: - docker_container: so-mysql + module.run: + - mysql.status: + - retry: 900 + - onchanges: + - cmd: so-mysql {% endif %} {% else %} From 394fa727cbb87346411c46a1db2e0662b45968aa Mon Sep 17 00:00:00 2001 
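Review bot: In `status` an authentication failure is retried like a refused connection: MySQLdb raises `OperationalError` for access denied (error 1045) as well as for an unreachable server, so a wrong `secrets:mysql` value is retried `retry` times with the cause logged only at debug level and surfaces as the generic 'Could not connect' message after the full wait. Distinguish it on the error code before the existing `log.debug(e)`, e.g. `if e.args and e.args[0] == 1045: log.error(e); break`, so a credential problem fails fast and is logged at error. The same loop is carried unchanged into `so.mysql_conn` in the next patch (`[fix] Don't overwrite mysql module`), where the note applies equally. `time.sleep(1)` also runs after the final failed attempt, so the state waits one second longer than `retry` attempts need.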
From: William Wernert Date: Mon, 9 Nov 2020 13:05:29 -0500 Subject: [PATCH 04/76] [fix] Don't overwrite mysql module --- salt/_modules/mysql.py | 35 ----------------------------------- salt/_modules/so.py | 36 +++++++++++++++++++++++++++++++++++- salt/mysql/init.sls | 2 +- 3 files changed, 36 insertions(+), 37 deletions(-) delete mode 100644 salt/_modules/mysql.py diff --git a/salt/_modules/mysql.py b/salt/_modules/mysql.py deleted file mode 100644 index f4e35ae76..000000000 --- a/salt/_modules/mysql.py +++ /dev/null @@ -1,35 +0,0 @@ -#!py - -from MySQLdb import _mysql -import logging -import time - -log = logging.getLogger(__name__) - - -def status(retry): - mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('manager:mainint')) - mainip = __salt__['grains.get']('ip_interfaces').get(mainint)[0] - - mysql_up = False - for i in range(0, retry): - log.debug(f'Connection attempt {i+1}') - try: - _mysql.connect( - host=mainip, - user="root", - passwd=__salt__['pillar.get']('secrets:mysql') - ) - mysql_up = True - break - except _mysql.OperationalError as e: - log.debug(e) - except Exception as e: - log.error(e) - break - time.sleep(1) - - if not mysql_up: - log.error(f'Could not connect to MySQL server on {mainip} after {retry} attempts.') - - return mysql_up diff --git a/salt/_modules/so.py b/salt/_modules/so.py index 50c29902f..43ffac250 100644 --- a/salt/_modules/so.py +++ b/salt/_modules/so.py 
@@ -1,4 +1,38 @@ #!py +import logging + def status(): - return __salt__['cmd.run']('/usr/sbin/so-status') \ No newline at end of file + return __salt__['cmd.run']('/usr/sbin/so-status') + + +def mysql_conn(retry): + from MySQLdb import _mysql + import time + + log = logging.getLogger(__name__) + mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('manager:mainint')) + mainip = __salt__['grains.get']('ip_interfaces').get(mainint)[0] + + mysql_up = False + for i in range(0, retry): + log.debug(f'Connection attempt {i+1}') + try: + _mysql.connect( + host=mainip, + user="root", + passwd=__salt__['pillar.get']('secrets:mysql') + ) + mysql_up = True + break + except _mysql.OperationalError as e: + log.debug(e) + except Exception as e: + log.error(e) + break + time.sleep(1) + + if not mysql_up: + log.error(f'Could not connect to MySQL server on {mainip} after {retry} attempts.') + + return mysql_up \ No newline at end of file diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index e1f37f29c..121e689f8 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -98,7 +98,7 @@ so-mysql: - onchanges: - docker_container: so-mysql module.run: - - mysql.status: + - so.mysql_conn: - retry: 900 - onchanges: - cmd: so-mysql From 5616aa6beb48c107178b8c0a56a517911afcecb2 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 9 Nov 2020 13:12:45 -0500 Subject: [PATCH 05/76] fix top logic for mysql - https://github.com/Security-Onion-Solutions/securityonion/issues/1857 --- salt/top.sls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/top.sls b/salt/top.sls index 36fd171e1..5976e3eaa 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -98,7 +98,7 @@ base: - idstools - suricata.manager - healthcheck - {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} + {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} 
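Review bot: The added parentheses in `{%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %}` do not change the expression: `!=` binds tighter than `or` in Jinja as in Python, so the old and new conditions evaluate identically, and the same no-op edit is repeated in the three hunks on the next line (context lines 156, 206 and 337). If the symptom behind #1857 was mysql not being selected, the cause is more likely the values themselves, since a pillar value that arrives as the string `'False'` or `'0'` is truthy; check how FLEETMANAGER and FLEETNODE are set above these hunks and compare them against the expected value explicitly rather than relying on truthiness. The `base:` block these hunks sit in starts outside the hunk.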
@@ -156,7 +156,7 @@ base: - manager - idstools - suricata.manager - {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} + {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} @@ -206,7 +206,7 @@ base: - idstools - suricata.manager - healthcheck - {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} + {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} @@ -337,7 +337,7 @@ base: - manager - idstools - suricata.manager - {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} + {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} From f647a06239e0d54cbb25b0c10bd961bba0cbbb4b Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 9 Nov 2020 13:37:42 -0500 Subject: [PATCH 06/76] [fix] Correct percentage steps --- setup/so-setup | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index cf180000f..0d98d6a01 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -701,24 +701,24 @@ fi salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1 fi - set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')" + set_progress_str 78 "$(print_salt_state_apply 'so-fleet-setup')" so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1" >> $setup_log 2>&1 fi if [[ "$WAZUH" = 1 ]]; then - set_progress_str 78 "$(print_salt_state_apply 'wazuh')" + set_progress_str 79 "$(print_salt_state_apply 'wazuh')" salt-call state.apply -l info wazuh >> $setup_log 2>&1 fi if [[ "$THEHIVE" = 1 ]]; then - set_progress_str 79 "$(print_salt_state_apply 'thehive')" + set_progress_str 80 "$(print_salt_state_apply 'thehive')" salt-call state.apply -l info thehive >> $setup_log 2>&1 fi if [[ "$STRELKA" = 1 ]]; then if [[ $is_sensor ]]; then - set_progress_str 80 "$(print_salt_state_apply 'strelka')" + set_progress_str 81 "$(print_salt_state_apply 'strelka')" salt-call state.apply -l info strelka >> $setup_log 2>&1 fi if [[ $STRELKARULES == 1 ]]; then @@ -727,15 +727,15 @@ fi fi if [[ $is_manager || $is_helix || $is_import ]]; then - set_progress_str 81 "$(print_salt_state_apply 'utility')" + set_progress_str 82 "$(print_salt_state_apply 'utility')" salt-call state.apply -l info utility >> $setup_log 2>&1 fi if [[ ( $is_helix || $is_manager || $is_node ) && ! $is_eval ]]; then - set_progress_str 82 "$(print_salt_state_apply 'logstash')" + set_progress_str 83 "$(print_salt_state_apply 'logstash')" salt-call state.apply -l info logstash >> $setup_log 2>&1 - set_progress_str 83 "$(print_salt_state_apply 'filebeat')" + set_progress_str 84 "$(print_salt_state_apply 'filebeat')" salt-call state.apply -l info filebeat >> $setup_log 2>&1 fi From ff4d7a6cb60654c68cde17cc896462bcb73f80a2 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 9 Nov 2020 14:01:19 -0500 Subject: [PATCH 07/76] [fix] Sync modules so states can use our modules during setup --- setup/so-functions | 1 + 1 file changed, 1 insertion(+) 
diff --git a/setup/so-functions b/setup/so-functions index c19490e73..51a9b01c0 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1729,6 +1729,7 @@ salt_checkin() { { salt-call state.apply ca; salt-call state.apply ssl; + salt-call saltutil.sync_modules; } >> "$setup_log" 2>&1 } From 0e19594c97142b8e4436791d1cebd9d2afddb56f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 9 Nov 2020 15:25:11 -0500 Subject: [PATCH 08/76] enable fleet in global pillars before running fleet state during setup https://github.com/Security-Onion-Solutions/securityonion/issues/1857 --- salt/fleet/event_enable-fleet.sls | 2 +- salt/reactor/fleet.sls | 11 ++++++----- setup/so-setup | 7 ++----- 3 files changed, 9 insertions(+), 11 deletions(-) diff --git a/salt/fleet/event_enable-fleet.sls b/salt/fleet/event_enable-fleet.sls index d09749a55..28542ba6c 100644 --- a/salt/fleet/event_enable-fleet.sls +++ b/salt/fleet/event_enable-fleet.sls @@ -1,4 +1,4 @@ -{% set ENROLLSECRET = salt['cmd.run']('docker exec so-fleet fleetctl get enroll-secret default') %} +{% set ENROLLSECRET = salt['cmd.run']('docker exec so-fleet fleetctl get enroll-secret default', '') %} {% set MAININT = salt['pillar.get']('host:mainint') %} {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} diff --git a/salt/reactor/fleet.sls b/salt/reactor/fleet.sls index a32fb5cfd..a4226b027 100644 --- a/salt/reactor/fleet.sls +++ b/salt/reactor/fleet.sls 
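Review bot: The new `salt-call saltutil.sync_modules;` follows the brace group's `;`-separated style, so its exit status is never checked and a failed sync only shows up later, as far as I can tell, when the mysql state calls `so.mysql_conn` and Salt reports the function as unavailable. Since later states now depend on this step, make the failure visible where it happens, e.g. `salt-call saltutil.sync_modules || echo "WARNING: saltutil.sync_modules failed";` inside the group so the message lands in the same log. `salt_checkin` starts before this hunk.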
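Review bot: The second positional argument of `cmd.run` is `cwd`, not a default value, so `salt['cmd.run']('docker exec so-fleet fleetctl get enroll-secret default', '')` sets the working directory to an empty string and still assigns the command's error text to ENROLLSECRET when the so-fleet container is not running; the empty-string check this commit adds in the reactor therefore never triggers on failure. Use `cmd.run_all` and check the exit code, `{% set res = salt['cmd.run_all']('docker exec so-fleet fleetctl get enroll-secret default') %}` followed by `{% set ENROLLSECRET = res.stdout if res.retcode == 0 else '' %}`, so a failed lookup yields the empty string the reactor expects. The follow-up patch `only try to get enrollsecret if fleet is already enabled` narrows when the command runs but keeps the same raw assignment, so the same note applies to its hunk.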
@@ -31,16 +31,17 @@ def run(): print(line) # Update the enroll secret in the secrets pillar - for line in fileinput.input(SECRETSFILE, inplace=True): - line = re.sub(r'fleet_enroll-secret: \S*', f"fleet_enroll-secret: {ESECRET}", line.rstrip()) - print(line) + if ESECRET != "": + for line in fileinput.input(SECRETSFILE, inplace=True): + line = re.sub(r'fleet_enroll-secret: \S*', f"fleet_enroll-secret: {ESECRET}", line.rstrip()) + print(line) - # Update the Fleet host in the static pillar + # Update the Fleet host in the static pillar for line in fileinput.input(STATICFILE, inplace=True): line = re.sub(r'fleet_hostname: \S*', f"fleet_hostname: '{HOSTNAME}'", line.rstrip()) print(line) - # Update the Fleet IP in the static pillar + # Update the Fleet IP in the static pillar for line in fileinput.input(STATICFILE, inplace=True): line = re.sub(r'fleet_ip: \S*', f"fleet_ip: '{MAINIP}'", line.rstrip()) print(line) diff --git a/setup/so-setup b/setup/so-setup index cf180000f..c8f401656 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -684,12 +684,9 @@ fi fi if [[ "$OSQUERY" = 1 ]]; then - if [[ "$PLAYBOOK" != 1 ]]; then - set_progress_str 74 "$(print_salt_state_apply 'mysql')" - salt-call state.apply -l info mysql >> $setup_log 2>&1 - fi set_progress_str 75 "$(print_salt_state_apply 'fleet')" + salt-call state.apply fleet.event_enable-fleet # enable fleet in the global pillar salt-call state.apply -l info fleet >> $setup_log 2>&1 set_progress_str 76 "$(print_salt_state_apply 'redis')" @@ -701,7 +698,7 @@ fi salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1 fi - set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')" + set_progress_str 77 "$(print_salt_state_apply 'so-fleet-setup')" so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1" >> $setup_log 2>&1 fi From f5a1bd40747dff47bcfbd61fdfb9c5696bb76162 Mon Sep 17 00:00:00 2001 
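Review bot: `re.sub(r'fleet_enroll-secret: \S*', f"fleet_enroll-secret: {ESECRET}", line.rstrip())` passes the secret as a regex replacement template, so a backslash in ESECRET is read as an escape (and `\g<...>` as a group reference) and the value written to the secrets pillar would differ from the one fleet uses, or `re.sub` would raise. Insert it literally through a callable: `line = re.sub(r'fleet_enroll-secret: \S*', lambda _m: f"fleet_enroll-secret: {ESECRET}", line.rstrip())`. The new `if ESECRET != "":` guard only skips the write for an empty value; the error text a failed `fleetctl` call returns is not empty and would still be written as the secret, so this guard is only as good as the sls that produces ESECRET. `run()` starts before this hunk.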
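Review bot: The added `salt-call state.apply fleet.event_enable-fleet # enable fleet in the global pillar` is the only `salt-call` in this block without `-l info` and without `>> $setup_log 2>&1`, so its output and any error go to the terminal behind the whiptail progress screen rather than the setup log, and nothing records whether the pillar update succeeded before `state.apply fleet` runs. Match the neighbouring lines: `salt-call state.apply -l info fleet.event_enable-fleet >> $setup_log 2>&1 # enable fleet in the global pillar`. The enclosing `if [[ "$OSQUERY" = 1 ]]` block continues past this hunk.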
From: m0duspwnens Date: Mon, 9 Nov 2020 16:25:28 -0500 Subject: [PATCH 09/76] only try to get enrollsecret if fleet is already enabled https://github.com/Security-Onion-Solutions/securityonion/issues/1857 --- salt/fleet/event_enable-fleet.sls | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/salt/fleet/event_enable-fleet.sls b/salt/fleet/event_enable-fleet.sls index 28542ba6c..83e5af4c3 100644 --- a/salt/fleet/event_enable-fleet.sls +++ b/salt/fleet/event_enable-fleet.sls @@ -1,4 +1,10 @@ -{% set ENROLLSECRET = salt['cmd.run']('docker exec so-fleet fleetctl get enroll-secret default', '') %} +{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} +{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} +{% if FLEETNODE or FLEETMANAGER %} + {% set ENROLLSECRET = salt['cmd.run']('docker exec so-fleet fleetctl get enroll-secret default') %} +{% else %}} + {% set ENROLLSECRET = '' %} +{% endif %} {% set MAININT = salt['pillar.get']('host:mainint') %} {% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} From ae5bc297dd30d59d42c97623e3538f06050557a5 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 9 Nov 2020 17:06:32 -0500 Subject: [PATCH 10/76] remove extra squigly https://github.com/Security-Onion-Solutions/securityonion/issues/1857 --- salt/fleet/event_enable-fleet.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/fleet/event_enable-fleet.sls b/salt/fleet/event_enable-fleet.sls index 83e5af4c3..34b031685 100644 --- a/salt/fleet/event_enable-fleet.sls +++ b/salt/fleet/event_enable-fleet.sls @@ -2,7 +2,7 @@ {% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} {% if FLEETNODE or FLEETMANAGER %} {% set ENROLLSECRET = salt['cmd.run']('docker exec so-fleet fleetctl get enroll-secret default') %} -{% else %}} +{% else %} {% set ENROLLSECRET = '' %} {% endif %} {% set MAININT = salt['pillar.get']('host:mainint') %} 
From 66cd91c0a7ecbda9cb81cf771c65b0e336f7b5c4 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 9 Nov 2020 18:16:02 -0500 Subject: [PATCH 11/76] make so-status line color same as service state https://github.com/Security-Onion-Solutions/securityonion/issues/1864 --- salt/common/tools/sbin/so-status | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status index 904c3ae7d..951f55078 100755 --- a/salt/common/tools/sbin/so-status +++ b/salt/common/tools/sbin/so-status @@ -175,7 +175,7 @@ print_line() { printf " $service_name " for i in $(seq 0 $(( $columns - $PADDING_CONSTANT - ${#service_name} - ${#service_state} ))); do - printf "-" + printf "${state_color}%b\e[0m" "-" done printf " [ " printf "${state_color}%b\e[0m" "$service_state" From dba30fb0edb1d354dfbf62dbfa22d175f8595c4a Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 10 Nov 2020 09:48:20 -0500 Subject: [PATCH 12/76] [refactor] Split 15 min mysql startup between two wait states --- salt/mysql/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index 121e689f8..c8683b1a1 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -94,12 +94,12 @@ so-mysql: - /opt/so/conf/mysql/etc cmd.run: - name: until nc -z {{ MAINIP }} 3306; do sleep 1; done - - timeout: 900 + - timeout: 600 - onchanges: - docker_container: so-mysql module.run: - so.mysql_conn: - - retry: 900 + - retry: 300 - onchanges: - cmd: so-mysql {% endif %} From 22b7de819cd4a603eb44b78bce7f54c84eeb127b Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 10 Nov 2020 10:00:21 -0500 Subject: [PATCH 13/76] [fix] Put mysql import in try,catch in case it hasn't been installed --- salt/_modules/so.py | 57 ++++++++++++++++++++++++--------------------- 1 file changed, 31 insertions(+), 26 deletions(-) diff --git a/salt/_modules/so.py b/salt/_modules/so.py index 43ffac250..de337c43f 100644 
--- a/salt/_modules/so.py +++ b/salt/_modules/so.py @@ -3,36 +3,41 @@ import logging def status(): - return __salt__['cmd.run']('/usr/sbin/so-status') + return __salt__['cmd.run']('/usr/sbin/so-status') def mysql_conn(retry): - from MySQLdb import _mysql - import time + log = logging.getLogger(__name__) - log = logging.getLogger(__name__) - mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('manager:mainint')) - mainip = __salt__['grains.get']('ip_interfaces').get(mainint)[0] + try: + from MySQLdb import _mysql + except ImportError as e: + log.error(e) + return False + from time import sleep - mysql_up = False - for i in range(0, retry): - log.debug(f'Connection attempt {i+1}') - try: - _mysql.connect( - host=mainip, - user="root", - passwd=__salt__['pillar.get']('secrets:mysql') - ) - mysql_up = True - break - except _mysql.OperationalError as e: - log.debug(e) - except Exception as e: - log.error(e) - break - time.sleep(1) + mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('manager:mainint')) + mainip = __salt__['grains.get']('ip_interfaces').get(mainint)[0] - if not mysql_up: - log.error(f'Could not connect to MySQL server on {mainip} after {retry} attempts.') + mysql_up = False + for i in range(0, retry): + log.debug(f'Connection attempt {i+1}') + try: + _mysql.connect( + host=mainip, + user="root", + passwd=__salt__['pillar.get']('secrets:mysql') + ) + mysql_up = True + break + except _mysql.OperationalError as e: + log.debug(e) + except Exception as e: + log.error(e) + break + sleep(1) - return mysql_up \ No newline at end of file + if not mysql_up: + log.error(f'Could not connect to MySQL server on {mainip} after {retry} attempts.') + + return mysql_up \ No newline at end of file From 54d732a0602e12170a59ba464eb37adbc76e90aa Mon Sep 17 00:00:00 2001 
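Review bot: The new `except ImportError` branch returns `False` after `log.error(e)`, which makes a missing MySQLdb library indistinguishable from a server that never came up: the `module.run` state in `salt/mysql/init.sls` only sees a False result, and the real cause is visible only in the minion log. Raising instead, `from salt.exceptions import CommandExecutionError` and `raise CommandExecutionError(f'MySQLdb is not installed: {e}')`, puts the cause in the state output where the operator looks first. The rest of the hunk re-indents the loop from the earlier patch; splitting the whitespace-only change from the logic change would make the diff far easier to review.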
From: William Wernert Date: Tue, 10 Nov 2020 10:01:10 -0500 Subject: [PATCH 14/76] [refactor] Code cleanup --- salt/_modules/so.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/_modules/so.py b/salt/_modules/so.py index de337c43f..9a3706c78 100644 --- a/salt/_modules/so.py +++ b/salt/_modules/so.py @@ -9,12 +9,13 @@ def status(): def mysql_conn(retry): log = logging.getLogger(__name__) + from time import sleep + try: from MySQLdb import _mysql except ImportError as e: log.error(e) return False - from time import sleep mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('manager:mainint')) mainip = __salt__['grains.get']('ip_interfaces').get(mainint)[0] From b3c527e7a91ae2f266001b992d2e9fc257ba64e4 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 10 Nov 2020 10:05:06 -0500 Subject: [PATCH 15/76] [refactor] Code cleanup pt. 2 --- salt/_modules/so.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/salt/_modules/so.py b/salt/_modules/so.py index 9a3706c78..a15e7ee66 100644 --- a/salt/_modules/so.py +++ b/salt/_modules/so.py @@ -25,15 +25,17 @@ def mysql_conn(retry): log.debug(f'Connection attempt {i+1}') try: _mysql.connect( - host=mainip, - user="root", - passwd=__salt__['pillar.get']('secrets:mysql') + host=mainip, + user='root', + passwd=__salt__['pillar.get']('secrets:mysql') ) + log.debug(f'Connected to MySQL server on {mainip} after {retry} attempts.') mysql_up = True break except _mysql.OperationalError as e: log.debug(e) except Exception as e: + log.error('Unexpected error occured.') log.error(e) break sleep(1) From 7f218e52973a96a5805fffbc652e8187bc61115d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 10 Nov 2020 11:02:34 -0500 Subject: [PATCH 16/76] [feat] Also run query against mysql to ensure queries can complete --- salt/_modules/so.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
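Review bot: The new success message `log.debug(f'Connected to MySQL server on {mainip} after {retry} attempts.')` reports the configured maximum rather than the attempts actually made; `{i+1}` would match the `Connection attempt {i+1}` line at the top of the loop (the next patch changes this to `{i}`, which is still one short). The new `log.error('Unexpected error occured.')` misspells "occurred", and since it is immediately followed by `log.error(e)` the two could be one call, `log.error('Unexpected error occurred: %s', e)`. The rest of `mysql_conn` lies outside the hunk.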
diff --git a/salt/_modules/so.py b/salt/_modules/so.py index a15e7ee66..2356f68da 100644 --- a/salt/_modules/so.py +++ b/salt/_modules/so.py @@ -24,12 +24,14 @@ def mysql_conn(retry): for i in range(0, retry): log.debug(f'Connection attempt {i+1}') try: - _mysql.connect( + db = _mysql.connect( host=mainip, user='root', passwd=__salt__['pillar.get']('secrets:mysql') ) - log.debug(f'Connected to MySQL server on {mainip} after {retry} attempts.') + log.debug(f'Connected to MySQL server on {mainip} after {i} attempts.') + db.query("""SELECT 1;""") + log.debug(f'Successfully completed query against MySQL server on {mainip}') mysql_up = True break except _mysql.OperationalError as e: From d3227bbcb189e0a15a065e136f7e48d81a18ebbd Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 10 Nov 2020 11:03:43 -0500 Subject: [PATCH 17/76] [refactor] Code cleanup pt. 3 --- salt/_modules/so.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/_modules/so.py b/salt/_modules/so.py index 2356f68da..b9fd3c693 100644 --- a/salt/_modules/so.py +++ b/salt/_modules/so.py @@ -30,8 +30,10 @@ def mysql_conn(retry): passwd=__salt__['pillar.get']('secrets:mysql') ) log.debug(f'Connected to MySQL server on {mainip} after {i} attempts.') + db.query("""SELECT 1;""") log.debug(f'Successfully completed query against MySQL server on {mainip}') + mysql_up = True break except _mysql.OperationalError as e: From 676b4f077703e50eb023ac82d7393bfd26ace382 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 10 Nov 2020 11:42:40 -0500 Subject: [PATCH 18/76] [fix] Close connection in mysql_conn module --- salt/_modules/so.py | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/_modules/so.py b/salt/_modules/so.py index b9fd3c693..e75c90ec8 100644 --- a/salt/_modules/so.py +++ b/salt/_modules/so.py 
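Review bot: `db = _mysql.connect(...)` followed by `db.query("""SELECT 1;""")` leaves the connection open on every path in this hunk: the success path never closes it, and if the query raises `OperationalError` the object is dropped into the next iteration while the server still holds the session; `[fix] Close connection in mysql_conn module` later adds `db.close()` on the success path only, so the failure path stays leaky there too. A `contextlib.closing` block covers both: `with closing(_mysql.connect(host=mainip, user='root', passwd=__salt__['pillar.get']('secrets:mysql'))) as db:` with the `db.query('SELECT 1;')` inside it, and `from contextlib import closing` next to the `sleep` import. The attempt count in the new debug message, `{i}`, is also one less than the attempt number logged at the top of the loop (`{i+1}`).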
@@ -34,6 +34,7 @@ def mysql_conn(retry): db.query("""SELECT 1;""") log.debug(f'Successfully completed query against MySQL server on {mainip}') + db.close() mysql_up = True break except _mysql.OperationalError as e: From 1fca5e65df4a5844bc14e881ca15acaa75641703 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Tue, 10 Nov 2020 15:31:47 -0500 Subject: [PATCH 19/76] redo how containers get added to so-status https://github.com/Security-Onion-Solutions/securityonion/issues/1681 --- salt/common/init.sls | 17 +++++++++ salt/common/maps/domainstats.map.jinja | 5 --- salt/common/maps/eval.map.jinja | 20 ---------- salt/common/maps/fleet.map.jinja | 10 ----- salt/common/maps/fleet_manager.map.jinja | 7 ---- salt/common/maps/freq.map.jinja | 5 --- salt/common/maps/grafana.map.jinja | 6 --- salt/common/maps/heavynode.map.jinja | 15 -------- salt/common/maps/helixsensor.map.jinja | 12 ------ salt/common/maps/hotnode.map.jinja | 9 ----- salt/common/maps/import.map.jinja | 10 ----- salt/common/maps/manager.map.jinja | 21 ----------- salt/common/maps/managersearch.map.jinja | 21 ----------- salt/common/maps/mdengine.map.jinja | 5 --- salt/common/maps/playbook.map.jinja | 5 --- salt/common/maps/searchnode.map.jinja | 10 ----- salt/common/maps/sensor.map.jinja | 9 ----- salt/common/maps/so-status.map.jinja | 48 ------------------------ salt/common/maps/standalone.map.jinja | 25 ------------ salt/common/maps/strelka.map.jinja | 9 ----- salt/common/maps/thehive.map.jinja | 7 ---- salt/common/maps/warmnode.map.jinja | 7 ---- salt/common/maps/wazuh.map.jinja | 5 --- salt/common/tools/sbin/so-status | 13 +++---- salt/curator/init.sls | 6 +++ salt/domainstats/init.sls | 5 +++ salt/elastalert/init.sls | 6 +++ salt/elasticsearch/init.sls | 6 ++- salt/filebeat/init.sls | 5 +++ salt/fleet/init.sls | 5 +++ salt/freqserver/init.sls | 5 +++ salt/grafana/init.sls | 5 +++ salt/idstools/init.sls | 5 +++ salt/influxdb/init.sls | 5 +++ salt/kibana/init.sls | 5 +++ salt/logstash/init.sls | 5 +++ salt/manager/init.sls | 5 +++ salt/minio/init.sls | 5 +++ salt/mysql/init.sls | 6 +++ salt/nginx/init.sls | 5 +++ salt/nodered/init.sls | 5 +++ salt/pcap/init.sls | 23 ++++++++++++ salt/playbook/init.sls | 5 +++ salt/redis/init.sls | 5 +++ salt/registry/init.sls | 5 +++ salt/soc/init.sls | 
10 +++++ salt/soctopus/init.sls | 5 +++ salt/strelka/init.sls | 30 +++++++++++++++ salt/suricata/init.sls | 5 +++ salt/telegraf/init.sls | 5 +++ salt/thehive/init.sls | 15 ++++++++ salt/wazuh/init.sls | 5 +++ salt/zeek/init.sls | 5 +++ 53 files changed, 228 insertions(+), 280 deletions(-) delete mode 100644 salt/common/maps/domainstats.map.jinja delete mode 100644 salt/common/maps/eval.map.jinja delete mode 100644 salt/common/maps/fleet.map.jinja delete mode 100644 salt/common/maps/fleet_manager.map.jinja delete mode 100644 salt/common/maps/freq.map.jinja delete mode 100644 salt/common/maps/grafana.map.jinja delete mode 100644 salt/common/maps/heavynode.map.jinja delete mode 100644 salt/common/maps/helixsensor.map.jinja delete mode 100644 salt/common/maps/hotnode.map.jinja delete mode 100644 salt/common/maps/import.map.jinja delete mode 100644 salt/common/maps/manager.map.jinja delete mode 100644 salt/common/maps/managersearch.map.jinja delete mode 100644 salt/common/maps/mdengine.map.jinja delete mode 100644 salt/common/maps/playbook.map.jinja delete mode 100644 salt/common/maps/searchnode.map.jinja delete mode 100644 salt/common/maps/sensor.map.jinja delete mode 100644 salt/common/maps/so-status.map.jinja delete mode 100644 salt/common/maps/standalone.map.jinja delete mode 100644 salt/common/maps/strelka.map.jinja delete mode 100644 salt/common/maps/thehive.map.jinja delete mode 100644 salt/common/maps/warmnode.map.jinja delete mode 100644 salt/common/maps/wazuh.map.jinja diff --git a/salt/common/init.sls b/salt/common/init.sls index 90a713c11..1f8782575 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls 
@@ -32,6 +32,23 @@ soconfperms: - gid: 939 - dir_mode: 770 +sostatusconf: + file.directory: + - name: /opt/so/conf/so-status + - uid: 939 + - gid: 939 + - dir_mode: 770 + +so-status.running.conf: + file.touch: + - name: /opt/so/conf/so-status/so-status.conf + - unless: ls /opt/so/conf/so-status/so-status.conf + +so-status.stopped.conf: + file.touch: + - name: /opt/so/conf/so-status/so-status.disabled.conf + - unless: ls /opt/so/conf/so-status/so-status.disabled.conf + sosaltstackperms: file.directory: - name: /opt/so/saltstack diff --git a/salt/common/maps/domainstats.map.jinja b/salt/common/maps/domainstats.map.jinja deleted file mode 100644 index 221dcde03..000000000 --- a/salt/common/maps/domainstats.map.jinja +++ /dev/null @@ -1,5 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-domainstats' - ] -} %} \ No newline at end of file diff --git a/salt/common/maps/eval.map.jinja b/salt/common/maps/eval.map.jinja deleted file mode 100644 index 075344e82..000000000 --- a/salt/common/maps/eval.map.jinja +++ /dev/null @@ -1,20 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-filebeat', - 'so-nginx', - 'so-telegraf', - 'so-dockerregistry', - 'so-soc', - 'so-kratos', - 'so-idstools', - 'so-elasticsearch', - 'so-kibana', - 'so-steno', - 'so-suricata', - 'so-zeek', - 'so-curator', - 'so-elastalert', - 'so-soctopus', - 'so-sensoroni' - ] -} %} \ No newline at end of file diff --git a/salt/common/maps/fleet.map.jinja b/salt/common/maps/fleet.map.jinja deleted file mode 100644 index c55223125..000000000 --- a/salt/common/maps/fleet.map.jinja +++ /dev/null @@ -1,10 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-mysql', - 'so-fleet', - 'so-redis', - 'so-filebeat', - 'so-nginx', - 'so-telegraf' - ] -} %} \ No newline at end of file diff --git a/salt/common/maps/fleet_manager.map.jinja b/salt/common/maps/fleet_manager.map.jinja deleted file mode 100644 index 91850846c..000000000 --- a/salt/common/maps/fleet_manager.map.jinja +++ /dev/null 
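Review bot: The two `file.touch` states create `/opt/so/conf/so-status/so-status.conf` and `so-status.disabled.conf` as root, presumably with the minion's default umask, while the directory they sit in is handed to uid/gid 939 with mode 770 just above; if the so-status tooling, or anything else running as 939, is meant to write to these files it will not be able to, and the `unless: ls ...` shell-out only hides that `file.touch` would otherwise report a change on every run. `file.managed` states the intent directly and sets ownership in one place: `file.managed:` / `- name: /opt/so/conf/so-status/so-status.conf` / `- replace: False` plus the same `user`, `group` and `mode` values used for `sostatusconf`. The state id `so-status.stopped.conf` also names a file called `so-status.disabled.conf`; using the same word in both avoids a hunt later.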
@@ -1,7 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-mysql', - 'so-fleet', - 'so-redis' - ] -} %} \ No newline at end of file diff --git a/salt/common/maps/freq.map.jinja b/salt/common/maps/freq.map.jinja deleted file mode 100644 index d3f692484..000000000 --- a/salt/common/maps/freq.map.jinja +++ /dev/null @@ -1,5 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-freqserver' - ] -} %} \ No newline at end of file diff --git a/salt/common/maps/grafana.map.jinja b/salt/common/maps/grafana.map.jinja deleted file mode 100644 index 1118a50fe..000000000 --- a/salt/common/maps/grafana.map.jinja +++ /dev/null @@ -1,6 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-influxdb', - 'so-grafana' - ] -} %} \ No newline at end of file diff --git a/salt/common/maps/heavynode.map.jinja b/salt/common/maps/heavynode.map.jinja deleted file mode 100644 index cbd0fc3b0..000000000 --- a/salt/common/maps/heavynode.map.jinja +++ /dev/null @@ -1,15 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-nginx', - 'so-telegraf', - 'so-redis', - 'so-logstash', - 'so-elasticsearch', - 'so-curator', - 'so-steno', - 'so-suricata', - 'so-wazuh', - 'so-filebeat', - 'so-sensoroni' - ] -} %} \ No newline at end of file diff --git a/salt/common/maps/helixsensor.map.jinja b/salt/common/maps/helixsensor.map.jinja deleted file mode 100644 index 84866de3a..000000000 --- a/salt/common/maps/helixsensor.map.jinja +++ /dev/null @@ -1,12 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-nginx', - 'so-telegraf', - 'so-idstools', - 'so-steno', - 'so-zeek', - 'so-redis', - 'so-logstash', - 'so-filebeat - ] -} %} \ No newline at end of file diff --git a/salt/common/maps/hotnode.map.jinja b/salt/common/maps/hotnode.map.jinja deleted file mode 100644 index bc9d58360..000000000 --- a/salt/common/maps/hotnode.map.jinja +++ /dev/null @@ -1,9 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-nginx', - 'so-telegraf', - 'so-logstash', - 'so-elasticsearch', - 'so-curator', - ] -} %} \ No newline at end of file 
diff --git a/salt/common/maps/import.map.jinja b/salt/common/maps/import.map.jinja deleted file mode 100644 index 324536d11..000000000 --- a/salt/common/maps/import.map.jinja +++ /dev/null @@ -1,10 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-filebeat', - 'so-nginx', - 'so-soc', - 'so-kratos', - 'so-elasticsearch', - 'so-kibana' - ] -} %} \ No newline at end of file diff --git a/salt/common/maps/manager.map.jinja b/salt/common/maps/manager.map.jinja deleted file mode 100644 index 45358d017..000000000 --- a/salt/common/maps/manager.map.jinja +++ /dev/null @@ -1,21 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-dockerregistry', - 'so-nginx', - 'so-telegraf', - 'so-soc', - 'so-kratos', - 'so-idstools', - 'so-redis', - 'so-elasticsearch', - 'so-logstash', - 'so-kibana', - 'so-elastalert', - 'so-filebeat', - 'so-soctopus' - ] -} %} - -{% if salt['pillar.get']('global:managerupdate') == 1 %} - {% do docker.containers.append('so-aptcacherng') %} -{% endif %} \ No newline at end of file diff --git a/salt/common/maps/managersearch.map.jinja b/salt/common/maps/managersearch.map.jinja deleted file mode 100644 index 66c5afd43..000000000 --- a/salt/common/maps/managersearch.map.jinja +++ /dev/null @@ -1,21 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-nginx', - 'so-telegraf', - 'so-soc', - 'so-kratos', - 'so-idstools', - 'so-redis', - 'so-logstash', - 'so-elasticsearch', - 'so-curator', - 'so-kibana', - 'so-elastalert', - 'so-filebeat', - 'so-soctopus' - ] -} %} - -{% if salt['pillar.get']('global:managerupdate') == 1 %} - {% do docker.containers.append('so-aptcacherng') %} -{% endif %} \ No newline at end of file diff --git a/salt/common/maps/mdengine.map.jinja b/salt/common/maps/mdengine.map.jinja deleted file mode 100644 index 881e3ec4f..000000000 --- a/salt/common/maps/mdengine.map.jinja +++ /dev/null @@ -1,5 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-zeek' - ] -} %} 
diff --git a/salt/common/maps/playbook.map.jinja b/salt/common/maps/playbook.map.jinja deleted file mode 100644 index 84baa8dec..000000000 --- a/salt/common/maps/playbook.map.jinja +++ /dev/null @@ -1,5 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-playbook' - ] -} %} \ No newline at end of file diff --git a/salt/common/maps/searchnode.map.jinja b/salt/common/maps/searchnode.map.jinja deleted file mode 100644 index b46652742..000000000 --- a/salt/common/maps/searchnode.map.jinja +++ /dev/null @@ -1,10 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-nginx', - 'so-telegraf', - 'so-logstash', - 'so-elasticsearch', - 'so-curator', - 'so-filebeat' - ] -} %} \ No newline at end of file diff --git a/salt/common/maps/sensor.map.jinja b/salt/common/maps/sensor.map.jinja deleted file mode 100644 index 3f5ebe8eb..000000000 --- a/salt/common/maps/sensor.map.jinja +++ /dev/null @@ -1,9 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-telegraf', - 'so-steno', - 'so-suricata', - 'so-filebeat', - 'so-sensoroni' - ] -} %} \ No newline at end of file diff --git a/salt/common/maps/so-status.map.jinja b/salt/common/maps/so-status.map.jinja deleted file mode 100644 index 12bddfec7..000000000 --- a/salt/common/maps/so-status.map.jinja +++ /dev/null 
@@ -1,48 +0,0 @@ -{% set role = grains.id.split('_') | last %} -{% from 'common/maps/'~ role ~'.map.jinja' import docker with context %} - -# Check if the service is enabled and append it's required containers -# to the list predefined by the role / minion id affix -{% macro append_containers(pillar_name, k, compare )%} - {% if salt['pillar.get'](pillar_name~':'~k, {}) != compare %} - {% if k == 'enabled' %} - {% set k = pillar_name %} - {% endif %} - {% from 'common/maps/'~k~'.map.jinja' import docker as d with context %} - {% for li in d['containers'] %} - {{ docker['containers'].append(li) }} - {% endfor %} - {% endif %} -{% endmacro %} - -{% set docker = salt['grains.filter_by']({ - '*_'~role: { - 'containers': docker['containers'] - } -},grain='id', merge=salt['pillar.get']('docker')) %} - -{% if role in ['eval', 'managersearch', 'manager', 'standalone'] %} - {{ append_containers('manager', 'grafana', 0) }} - {{ append_containers('global', 'fleet_manager', 0) }} - {{ append_containers('global', 'wazuh', 0) }} - {{ append_containers('manager', 'thehive', 0) }} - {{ append_containers('manager', 'playbook', 0) }} - {{ append_containers('manager', 'freq', 0) }} - {{ append_containers('manager', 'domainstats', 0) }} -{% endif %} - -{% if role in ['eval', 'heavynode', 'sensor', 'standalone'] %} - {{ append_containers('strelka', 'enabled', 0) }} -{% endif %} - -{% if role in ['heavynode', 'standalone'] %} - {{ append_containers('global', 'mdengine', 'SURICATA') }} -{% endif %} - -{% if role == 'searchnode' %} - {{ append_containers('manager', 'wazuh', 0) }} -{% endif %} - -{% if role == 'sensor' %} - {{ append_containers('global', 'mdengine', 'SURICATA') }} -{% endif %} \ No newline at end of file diff --git a/salt/common/maps/standalone.map.jinja b/salt/common/maps/standalone.map.jinja deleted file mode 100644 index ae3177f4b..000000000 --- a/salt/common/maps/standalone.map.jinja +++ /dev/null 
@@ -1,25 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-nginx', - 'so-telegraf', - 'so-soc', - 'so-kratos', - 'so-idstools', - 'so-redis', - 'so-logstash', - 'so-elasticsearch', - 'so-curator', - 'so-kibana', - 'so-elastalert', - 'so-filebeat', - 'so-suricata', - 'so-steno', - 'so-dockerregistry', - 'so-soctopus', - 'so-sensoroni' - ] -} %} - -{% if salt['pillar.get']('global:managerupdate') == 1 %} - {% do docker.containers.append('so-aptcacherng') %} -{% endif %} \ No newline at end of file diff --git a/salt/common/maps/strelka.map.jinja b/salt/common/maps/strelka.map.jinja deleted file mode 100644 index b26a1241b..000000000 --- a/salt/common/maps/strelka.map.jinja +++ /dev/null @@ -1,9 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-strelka-coordinator', - 'so-strelka-gatekeeper', - 'so-strelka-manager', - 'so-strelka-frontend', - 'so-strelka-filestream' - ] -} %} \ No newline at end of file diff --git a/salt/common/maps/thehive.map.jinja b/salt/common/maps/thehive.map.jinja deleted file mode 100644 index e4ca7d2a2..000000000 --- a/salt/common/maps/thehive.map.jinja +++ /dev/null @@ -1,7 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-thehive', - 'so-thehive-es', - 'so-cortex' - ] -} %} \ No newline at end of file diff --git a/salt/common/maps/warmnode.map.jinja b/salt/common/maps/warmnode.map.jinja deleted file mode 100644 index 08cf2dbb8..000000000 --- a/salt/common/maps/warmnode.map.jinja +++ /dev/null @@ -1,7 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-nginx', - 'so-telegraf', - 'so-elasticsearch' - ] -} %} \ No newline at end of file diff --git a/salt/common/maps/wazuh.map.jinja b/salt/common/maps/wazuh.map.jinja deleted file mode 100644 index 5217a79ee..000000000 --- a/salt/common/maps/wazuh.map.jinja +++ /dev/null @@ -1,5 +0,0 @@ -{% set docker = { - 'containers': [ - 'so-wazuh' - ] -} %} \ No newline at end of file diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status index 951f55078..9daf30a56 100755 
--- a/salt/common/tools/sbin/so-status +++ b/salt/common/tools/sbin/so-status @@ -14,8 +14,6 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{%- from 'common/maps/so-status.map.jinja' import docker with context %} -{%- set container_list = docker['containers'] | sort | unique %} if ! [ "$(id -u)" = 0 ]; then echo "This command must be run as root" @@ -39,9 +37,8 @@ declare -a BAD_STATUSES=("removing" "paused" "exited" "dead") declare -a PENDING_STATUSES=("paused" "created" "restarting") declare -a GOOD_STATUSES=("running") declare -a DISABLED_CONTAINERS=() -{%- if salt['pillar.get']('steno:enabled', 'True') is sameas false %} -DISABLED_CONTAINERS+=("so-steno") -{%- endif %} +mapfile -t DISABLED_CONTAINERS < <(sort -u /opt/so/conf/so-status/so-status.disabled.conf) + declare -a temp_container_name_list=() declare -a temp_container_state_list=() @@ -83,9 +80,9 @@ compare_lists() { # {% endraw %} create_expected_container_list() { - {% for item in container_list -%} - expected_container_list+=("{{ item }}") - {% endfor -%} + + mapfile -t expected_container_list < <(sort -u /opt/so/conf/so-status/so-status.conf) + } populate_container_lists() { diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 31f738349..2f0147794 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -127,6 +127,12 @@ so-curator: - /opt/so/conf/curator/curator.yml:/etc/curator/config/curator.yml:ro - /opt/so/conf/curator/action/:/etc/curator/action:ro - /opt/so/log/curator:/var/log/curator:rw + +append_so-curator_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-curator + # Begin Curator Cron Jobs # Close diff --git a/salt/domainstats/init.sls b/salt/domainstats/init.sls index daac87387..7716ddf83 100644 --- a/salt/domainstats/init.sls +++ b/salt/domainstats/init.sls 
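Review bot: `mapfile -t expected_container_list < <(sort -u /opt/so/conf/so-status/so-status.conf)` in create_expected_container_list yields an empty list when the file is missing or unreadable — sort's error goes to stderr and the script carries on — so a host whose conf was never populated reports no missing containers instead of failing; the `DISABLED_CONTAINERS` mapfile in the previous hunk has the same failure mode. I would guard each read, e.g. `[[ -r /opt/so/conf/so-status/so-status.conf ]] || { echo "so-status: missing /opt/so/conf/so-status/so-status.conf" >&2; exit 1; }`. Since the lists are now read at run time rather than rendered from pillar, a comment above create_expected_container_list saying that the file is populated by the per-service Salt states (and the disabled list by salt/pcap/init.sls) would explain where they come from. populate_container_lists and the surrounding script continue outside the hunk.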
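Review bot: `append_so-curator_so-status.conf` only ever adds `so-curator` to `/opt/so/conf/so-status/so-status.conf`; nothing removes the line when curator is later disabled or the minion's role changes, so `so-status` keeps expecting the container indefinitely. The same one-way registration is repeated for domainstats, elastalert, elasticsearch, filebeat, fleet, freqserver, grafana, idstools, influxdb, kibana, logstash, manager, minio, mysql, nginx, nodered, pcap, playbook, redis, registry, soc, soctopus, strelka, suricata, telegraf, thehive, wazuh and zeek; only the steno part of salt/pcap/init.sls pairs an append with a `file.line` delete. Either each `*_state_not_allowed` / disabled branch needs a matching `file.line` with `- mode: delete`, or the list could be rendered once from a `file.managed` template instead of appended to by every state. Whether `file.append` succeeds when `/opt/so/conf/so-status` has not yet been created by `sostatusconf` depends on state ordering that is not visible here.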
@@ -56,6 +56,11 @@ so-domainstats: - binds: - /opt/so/log/domainstats:/var/log/domain_stats +append_so-domainstats_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-domainstats + {% else %} domainstats_state_not_allowed: diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 2e757805c..7caef532f 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -121,6 +121,12 @@ so-elastalert: - {{MANAGER_URL}}:{{MANAGER_IP}} - require: - module: wait_for_elasticsearch + +append_so-elastalert_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-elastalert + {% endif %} {% else %} diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 1406df02c..0b28ee6d1 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -215,13 +215,17 @@ so-elasticsearch: - /etc/pki/ca.crt:/usr/share/elasticsearch/config/ca.crt:ro - /etc/pki/elasticsearch.p12:/usr/share/elasticsearch/config/elasticsearch.p12:ro - /opt/so/conf/elasticsearch/sotls.yml:/usr/share/elasticsearch/config/sotls.yml:ro - - watch: - file: cacertz - file: esyml - file: esingestconf - file: so-elasticsearch-pipelines-file +append_so-elasticsearch_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-elasticsearch + so-elasticsearch-pipelines-file: file.managed: - name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 26aca3542..98229ca35 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -86,6 +86,11 @@ so-filebeat: - watch: - file: /opt/so/conf/filebeat/etc/filebeat.yml +append_so-filebeat_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-filebeat + {% else %} filebeat_state_not_allowed: diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index e85358542..db3414a18 100644 --- a/salt/fleet/init.sls 
+++ b/salt/fleet/init.sls @@ -134,4 +134,9 @@ so-fleet: - watch: - /opt/so/conf/fleet/etc +append_so-fleet_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-fleet + {% endif %} \ No newline at end of file diff --git a/salt/freqserver/init.sls b/salt/freqserver/init.sls index 668e33079..5ff454bcc 100644 --- a/salt/freqserver/init.sls +++ b/salt/freqserver/init.sls @@ -56,6 +56,11 @@ so-freq: - binds: - /opt/so/log/freq_server:/var/log/freq_server:rw +append_so-freq_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-freq + {% else %} freqserver_state_not_allowed: diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index 39c2cc26c..8fe88f354 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls @@ -236,6 +236,11 @@ so-grafana: - watch: - file: /opt/so/conf/grafana/* +append_so-grafana_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-grafana + {% endif %} {% else %} diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index f3f040895..2aacb973d 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -76,6 +76,11 @@ so-idstools: - watch: - file: idstoolsetcsync +append_so-idstools_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-idstools + {% else %} idstools_state_not_allowed: diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index 669c9e9eb..9dc7ee692 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -54,6 +54,11 @@ so-influxdb: - watch: - file: influxdbconf +append_so-influxdb_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-influxdb + {% endif %} {% else %} diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 7f91719d4..02e76495d 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls 
@@ -90,6 +90,11 @@ so-kibana: - port_bindings: - 0.0.0.0:5601:5601 +append_so-kibana_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-kibana + kibanadashtemplate: file.managed: - name: /opt/so/conf/kibana/saved_objects.ndjson.template diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index cec84bbc1..e23e4eef2 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -202,6 +202,11 @@ so-logstash: - file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }} {% endfor %} +append_so-logstash_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-logstash + {% else %} logstash_state_not_allowed: diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 66e614b62..ddd1673e8 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -81,6 +81,11 @@ so-aptcacherng: - /opt/so/log/aptcacher-ng:/var/log/apt-cacher-ng:rw - /opt/so/conf/aptcacher-ng/etc/acng.conf:/etc/apt-cacher-ng/acng.conf:ro +append_so-aptcacher_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-aptcacherng + {% endif %} strelka_yara_update: diff --git a/salt/minio/init.sls b/salt/minio/init.sls index c1a681747..484eac1f9 100644 --- a/salt/minio/init.sls +++ b/salt/minio/init.sls @@ -62,6 +62,11 @@ so-minio: - /etc/pki/minio.crt:/.minio/certs/public.crt:ro - entrypoint: "/usr/bin/docker-entrypoint.sh server --certs-dir /.minio/certs --address :9595 /data" +append_so-minio_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-minio + {% else %} minio_state_not_allowed: diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index 818b5c303..756547843 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls 
@@ -97,6 +97,12 @@ so-mysql: - timeout: 900 - onchanges: - docker_container: so-mysql + +append_so-mysql_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-mysql + {% endif %} {% else %} diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 9a63ead6c..8d6dd46f7 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -98,6 +98,11 @@ so-nginx: - file: nginxconf - file: nginxconfdir +append_so-nginx_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-nginx + {% else %} nginx_state_not_allowed: diff --git a/salt/nodered/init.sls b/salt/nodered/init.sls index 8b583bf91..a594c23d9 100644 --- a/salt/nodered/init.sls +++ b/salt/nodered/init.sls @@ -74,6 +74,11 @@ so-nodered: - port_bindings: - 0.0.0.0:1880:1880 +append_so-nodered_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-nodered + so-nodered-flows: cmd.run: - name: /usr/sbin/so-nodered-load-flows diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index ade70d718..0db9e7f61 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -152,6 +152,24 @@ so-steno: - watch: - file: /opt/so/conf/steno/config +append_so-steno_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-steno + + {% if STENOOPTIONS.status == 'running' %} +delete_so-steno_so-status.disabled: + file.line: + - name: /opt/so/conf/so-status/so-status.disabled.conf + - match: so-steno + - mode: delete + {% elif STENOOPTIONS.status == 'stopped' %} +append_so-steno_so-status.disabled: + file.append: + - name: /opt/so/conf/so-status/so-status.disabled.conf + - text: so-steno + {% endif %} + so-sensoroni: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-soc:{{ VERSION }} 
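Review bot: `- match: so-steno` in `delete_so-steno_so-status.disabled` is an unanchored regex, so the delete would also strip any future line that merely contains that substring; `- match: ^so-steno$` keeps it exact. The `'running'` / `'stopped'` branches leave the disabled list untouched for any other `STENOOPTIONS.status` value, which may be intended but deserves a short comment such as `# any other status leaves so-status.disabled.conf unchanged`. STENOOPTIONS is defined outside the hunk.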
@@ -166,6 +184,11 @@ so-sensoroni: - watch: - file: /opt/so/conf/sensoroni/sensoroni.json +append_so-sensoroni_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-sensoroni + {% else %} pcap_state_not_allowed: diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index eb009b23e..46cd33f17 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -93,6 +93,11 @@ so-playbook: - port_bindings: - 0.0.0.0:3200:3000 +append_so-playbook_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-playbook + {% endif %} so-playbooksynccron: diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 1b7611eab..57f189865 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -70,6 +70,11 @@ so-redis: - watch: - file: /opt/so/conf/redis/etc +append_so-redis_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-redis + {% else %} redis_state_not_allowed: diff --git a/salt/registry/init.sls b/salt/registry/init.sls index c98577ca2..c456aa0c4 100644 --- a/salt/registry/init.sls +++ b/salt/registry/init.sls @@ -57,6 +57,11 @@ so-dockerregistry: - /etc/pki/registry.crt:/etc/pki/registry.crt:ro - /etc/pki/registry.key:/etc/pki/registry.key:ro +append_so-dockerregistry_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-dockerregistry + {% else %} registry_state_not_allowed: diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 012dae330..cc8aee048 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -67,6 +67,11 @@ so-soc: - watch: - file: /opt/so/conf/soc/* +append_so-soc_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-soc + # Add Kratos Group kratosgroup: group.present: 
@@ -119,6 +124,11 @@ so-kratos: - watch: - file: /opt/so/conf/kratos +append_so-kratos_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-kratos + {% else %} soc_state_not_allowed: diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 2c9e721ac..2137a4511 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -73,6 +73,11 @@ so-soctopus: - extra_hosts: - {{MANAGER_URL}}:{{MANAGER_IP}} +append_so-soctopus_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-soctopus + {% else %} soctopus_state_not_allowed: diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index dabd58fe5..8748cbe50 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -87,6 +87,11 @@ strelka_coordinator: - port_bindings: - 0.0.0.0:6380:6379 +append_so-strelka-coordinator_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-strelka-coordinator + strelka_gatekeeper: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-redis:{{ VERSION }} @@ -95,6 +100,11 @@ strelka_gatekeeper: - port_bindings: - 0.0.0.0:6381:6379 +append_so-strelka-gatekeeper_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-strelka-gatekeeper + strelka_frontend: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-frontend:{{ VERSION }} @@ -107,6 +117,11 @@ strelka_frontend: - port_bindings: - 0.0.0.0:57314:57314 +append_so-strelka-frontend_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-strelka-frontend + strelka_backend: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-backend:{{ VERSION }} 
@@ -117,6 +132,11 @@ strelka_backend: - command: strelka-backend - restart_policy: on-failure +append_so-strelka-backend_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-strelka-backend + strelka_manager: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-manager:{{ VERSION }} @@ -125,6 +145,11 @@ strelka_manager: - name: so-strelka-manager - command: strelka-manager +append_so-strelka-manager_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-strelka-manager + strelka_filestream: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-strelka-filestream:{{ VERSION }} @@ -133,6 +158,11 @@ strelka_filestream: - /nsm/strelka:/nsm/strelka - name: so-strelka-filestream - command: strelka-filestream + +append_so-strelka-filestream_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-strelka-filestream strelka_zeek_extracted_sync: cron.present: diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 6245b9e51..0c50bb5d1 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -163,6 +163,11 @@ so-suricata: - file: /opt/so/conf/suricata/rules/ - file: /opt/so/conf/suricata/bpf +append_so-suricata_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-suricata + surilogrotate: file.managed: - name: /opt/so/conf/suricata/suri-rotate.conf diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index bae80c697..8d400ca1e 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls @@ -73,6 +73,11 @@ so-telegraf: - file: tgrafconf - file: tgrafsyncscripts +append_so-telegraf_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-telegraf + {% else %} telegraf_state_not_allowed: diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls index 443ac9a8f..e695c237f 100644 --- a/salt/thehive/init.sls 
+++ b/salt/thehive/init.sls @@ -102,6 +102,11 @@ so-thehive-es: - 0.0.0.0:9400:9400 - 0.0.0.0:9500:9500 +append_so-thehive-es_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-thehive-es + # Install Cortex so-cortex: docker_container.running: @@ -116,6 +121,11 @@ so-cortex: - port_bindings: - 0.0.0.0:9001:9001 +append_so-cortex_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-cortex + cortexscript: cmd.script: - source: salt://thehive/scripts/cortex_init @@ -136,6 +146,11 @@ so-thehive: - port_bindings: - 0.0.0.0:9000:9000 +append_so-thehive_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-thehive + thehivescript: cmd.script: - source: salt://thehive/scripts/hive_init diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 03cd3f89e..e8e40c720 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -110,6 +110,11 @@ so-wazuh: - binds: - /nsm/wazuh:/var/ossec/data:rw +append_so-wazuh_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-wazuh + # Register the agent registertheagent: cmd.run: diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls index 712ca53fd..f6edae136 100644 --- a/salt/zeek/init.sls +++ b/salt/zeek/init.sls @@ -196,6 +196,11 @@ so-zeek: - file: /opt/so/conf/zeek/policy - file: /opt/so/conf/zeek/bpf +append_so-zeek_so-status.conf: + file.append: + - name: /opt/so/conf/so-status/so-status.conf + - text: so-zeek + {% else %} zeek_state_not_allowed: From c58039ab473c4230c70a24dac9ff3ceea81c3d7d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 10 Nov 2020 15:34:10 -0500 Subject: [PATCH 20/76] rename state https://github.com/Security-Onion-Solutions/securityonion/issues/1681 --- salt/common/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 1f8782575..bc66d8cf2 100644 --- a/salt/common/init.sls 
+++ b/salt/common/init.sls
@@ -39,12 +39,12 @@ sostatusconf:
 - gid: 939
 - dir_mode: 770
-so-status.running.conf:
+so-status.conf:
 file.touch:
 - name: /opt/so/conf/so-status/so-status.conf
 - unless: ls /opt/so/conf/so-status/so-status.conf
-so-status.stopped.conf:
+so-status.disabled.conf:
 file.touch:
 - name: /opt/so/conf/so-status/so-status.disabled.conf
 - unless: ls /opt/so/conf/so-status/so-status.disabled.conf
From 1fc94a8f5968cc0eb803a1c32d708ce4d302c198 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 10 Nov 2020 15:37:03 -0500
Subject: [PATCH 21/76] change to so-acng for so-status https://github.com/Security-Onion-Solutions/securityonion/issues/1681
---
salt/manager/init.sls | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index ddd1673e8..5360c07dc 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -81,10 +81,10 @@ so-aptcacherng:
 - /opt/so/log/aptcacher-ng:/var/log/apt-cacher-ng:rw
 - /opt/so/conf/aptcacher-ng/etc/acng.conf:/etc/apt-cacher-ng/acng.conf:ro
-append_so-aptcacher_so-status.conf:
+append_so-acng_so-status.conf:
 file.append:
 - name: /opt/so/conf/so-status/so-status.conf
- - text: so-aptcacherng
+ - text: so-acng
 {% endif %}
From edb00c2058b301ce77fb4cd5d85488279d758b37 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 10 Nov 2020 17:09:38 -0500
Subject: [PATCH 22/76] remove redundant common from top, create so-status conf files on manager before registry state https://github.com/Security-Onion-Solutions/securityonion/issues/1681
---
salt/registry/init.sls | 4 ++--
salt/top.sls | 14 --------------
setup/so-setup | 5 +++++
3 files changed, 7 insertions(+), 16 deletions(-)
diff --git a/salt/registry/init.sls b/salt/registry/init.sls
index c456aa0c4..5782c2033 100644
--- a/salt/registry/init.sls
+++ b/salt/registry/init.sls
@@ -57,10 +57,10 @@ so-dockerregistry: - /etc/pki/registry.crt:/etc/pki/registry.crt:ro - /etc/pki/registry.key:/etc/pki/registry.key:ro -append_so-dockerregistry_so-status.conf: +append_so-registry_so-status.conf: file.append: - name: /opt/so/conf/so-status/so-status.conf - - text: so-dockerregistry + - text: so-registry {% else %} diff --git a/salt/top.sls b/salt/top.sls index 5976e3eaa..0c7bde183 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -42,7 +42,6 @@ base: - salt.master - ca - ssl - - common - registry - telegraf - firewall @@ -60,7 +59,6 @@ base: - match: compound - ca - ssl - - common - telegraf - firewall - nginx @@ -86,7 +84,6 @@ base: - salt.master - ca - ssl - - common - registry - manager - nginx @@ -145,7 +142,6 @@ base: - salt.master - ca - ssl - - common - registry - nginx - telegraf @@ -194,7 +190,6 @@ base: - salt.master - ca - ssl - - common - registry - manager - nginx @@ -252,7 +247,6 @@ base: '*_node and I@node:node_type:parser and G@saltversion:{{saltversion}}': - match: compound - - common - firewall - logstash {%- if FLEETMANAGER or FLEETNODE %} @@ -263,7 +257,6 @@ base: '*_node and I@node:node_type:hot and G@saltversion:{{saltversion}}': - match: compound - - common - firewall - logstash - curator @@ -275,7 +268,6 @@ base: '*_node and I@node:node_type:warm and G@saltversion:{{saltversion}}': - match: compound - - common - firewall - elasticsearch {%- if FLEETMANAGER or FLEETNODE %} @@ -288,7 +280,6 @@ base: - match: compound - ca - ssl - - common - nginx - telegraf - firewall @@ -307,7 +298,6 @@ base: '*_managersensor and G@saltversion:{{saltversion}}': - match: compound - - common - nginx - telegraf - influxdb @@ -326,7 +316,6 @@ base: - salt.master - ca - ssl - - common - registry - nginx - telegraf @@ -375,7 +364,6 @@ base: - match: compound - ca - ssl - - common - nginx - telegraf - firewall @@ -406,7 +394,6 @@ base: - match: compound - ca - ssl - - common - nginx - telegraf - firewall 
@@ -422,7 +409,6 @@ base:
 - salt.master
 - ca
 - ssl
- - common
 - registry
 - manager
 - nginx
diff --git a/setup/so-setup b/setup/so-setup
index 70502251e..a39411a8f 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -590,6 +590,11 @@ fi
 set_progress_str 25 'Configuring firewall'
 set_initial_firewall_policy >> $setup_log 2>&1
+ # create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf
+ mkdir -p /opt/so/conf/so-status/
+ touch /opt/so/conf/so-status/so-status.conf
+ touch /opt/so/conf/so-status/so-status.disabled.conf
+
 if [[ "$setup_type" == 'iso' ]]; then
 set_progress_str 26 'Copying containers from iso'
 else
From 15f243f0ce1b363f5b53fb0513424d5ad2e33c57 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Tue, 10 Nov 2020 17:51:00 -0500
Subject: [PATCH 23/76] change names of acng and docker registry containers https://github.com/Security-Onion-Solutions/securityonion/issues/1681
---
salt/manager/init.sls | 4 ++--
salt/registry/init.sls | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index 5360c07dc..b506d06bf 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -81,10 +81,10 @@ so-aptcacherng:
 - /opt/so/log/aptcacher-ng:/var/log/apt-cacher-ng:rw
 - /opt/so/conf/aptcacher-ng/etc/acng.conf:/etc/apt-cacher-ng/acng.conf:ro
-append_so-acng_so-status.conf:
+append_so-aptcacherng_so-status.conf:
 file.append:
 - name: /opt/so/conf/so-status/so-status.conf
- - text: so-acng
+ - text: so-aptcacherng
 {% endif %}
diff --git a/salt/registry/init.sls b/salt/registry/init.sls
index 5782c2033..c456aa0c4 100644
--- a/salt/registry/init.sls
+++ b/salt/registry/init.sls
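Review bot: `mkdir -p /opt/so/conf/so-status/` and the two `touch` calls create the directory and files as root with the default umask, whereas the `sostatusconf` state in salt/common/init.sls describes the same directory as uid/gid 939 with mode 770, so ownership and permissions depend on which of the two runs first and whether the state later corrects them. Creating it here with the same attributes, `install -d -m 770 -o 939 -g 939 /opt/so/conf/so-status`, keeps setup and the Salt state in agreement. The comment refers to `so-registry`, which the next patch in this series renames back to `so-dockerregistry`, so it will be stale; naming the state (`registry`) rather than the container avoids that. The enclosing block of so-setup starts before the hunk.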
@@ -57,10 +57,10 @@ so-dockerregistry:
 - /etc/pki/registry.crt:/etc/pki/registry.crt:ro
 - /etc/pki/registry.key:/etc/pki/registry.key:ro
-append_so-registry_so-status.conf:
+append_so-dockerregistry_so-status.conf:
 file.append:
 - name: /opt/so/conf/so-status/so-status.conf
- - text: so-registry
+ - text: so-dockerregistry
 {% else %}
From 1c326f561befe42633b6fc23604fb44171c52146 Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 11 Nov 2020 13:26:59 +0000
Subject: [PATCH 24/76] Allow for disabling Elastic stack via pillar
---
salt/top.sls | 106 +++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 102 insertions(+), 4 deletions(-)
diff --git a/salt/top.sls b/salt/top.sls
index 0c7bde183..f1a2af0e8 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -5,6 +5,15 @@
 {% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %}
 {% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %}
 {% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
+{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
+{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}
+{% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %}
+{% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %}
+{% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %}
+{% set KIBANA = salt['pillar.get']('kibana:enabled', True) %}
+{% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %}
+{% set CURATOR = salt['pillar.get']('curator:enabled', True) %}
+{% set REDIS = salt['pillar.get']('redis:enabled', True) %}
 {% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %}
 {% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %}
 {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %}
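Review bot: The hunk adds `{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %}` twice directly under the existing identical line, so FLEETMANAGER is assigned three times; the two added copies should go. The new `*:enabled` flags default to the boolean `True` and are tested with bare `{%- if LOGSTASH %}`-style checks in the later hunks, while the file's other switches (`STRELKA`, `ISAIRGAP`) are strings compared explicitly; a pillar that sets `logstash:enabled: 'False'` as a string would still render the state. Either compare against a literal or add a comment above these sets stating that the pillar values must be YAML booleans.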
@@ -51,8 +60,12 @@ base: - suricata - zeek - redis + {%- if LOGSTASH %} - logstash + {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} - schedule '*_sensor and G@saltversion:{{saltversion}}': @@ -95,14 +108,18 @@ base: - idstools - suricata.manager - healthcheck - {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} + {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} - wazuh {%- endif %} + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} + {%- if KIBANA %} - kibana + {%- endif %} - pcap - suricata {%- if ZEEKVER != 'SURICATA' %} @@ -111,9 +128,15 @@ base: {%- if STRELKA %} - strelka {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} + {%- if CURATOR %} - curator + {%- endif %} + {%- if ELASTALERT %} - elastalert + {%- endif %} {%- if FLEETMANAGER or FLEETNODE %} - fleet - redis @@ -152,18 +175,30 @@ base: - manager - idstools - suricata.manager - {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} + {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} - wazuh {%- endif %} + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} + {%- if LOGSTASH %} - logstash + {%- endif %} + {%- if REDIS %} - redis + {%- endif %} + {%- if KIBANA %} - kibana + {%- endif %} + {%- if ELASTALERT %} - elastalert + {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} - utility - schedule {%- if FLEETMANAGER or FLEETNODE %} @@ -201,16 +236,24 @@ base: - idstools - suricata.manager - healthcheck - {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} + {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} - wazuh {%- endif %} + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} + {%- if LOGSTASH %} - logstash + {%- endif %} + {%- if REDIS %} - redis + {%- endif %} + {%- if KIBANA %} - kibana + {%- endif %} - pcap - suricata {%- if ZEEKVER != 'SURICATA' %} 
@@ -219,9 +262,15 @@ base: {%- if STRELKA %} - strelka {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} + {%- if CURATOR %} - curator + {%- endif %} + {%- if ELASTALERT %} - elastalert + {%- endif %} {%- if FLEETMANAGER or FLEETNODE %} - fleet - fleet.install_package @@ -248,7 +297,9 @@ base: '*_node and I@node:node_type:parser and G@saltversion:{{saltversion}}': - match: compound - firewall + {%- if LOGSTASH %} - logstash + {%- endif %} {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} @@ -258,8 +309,12 @@ base: '*_node and I@node:node_type:hot and G@saltversion:{{saltversion}}': - match: compound - firewall + {%- if LOGSTASH %} - logstash + {%- endif %} + {%- if CURATOR %} - curator + {%- endif %} {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} @@ -269,7 +324,9 @@ base: '*_node and I@node:node_type:warm and G@saltversion:{{saltversion}}': - match: compound - firewall + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} @@ -286,10 +343,18 @@ base: {%- if WAZUH != 0 %} - wazuh {%- endif %} + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} + {%- if LOGSTASH %} - logstash + {%- endif %} + {%- if CURATOR %} - curator + {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} {%- if FLEETMANAGER or FLEETNODE %} - fleet.install_package {%- endif %} 
@@ -326,19 +391,34 @@ base: - manager - idstools - suricata.manager - {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} + {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} - wazuh {%- endif %} + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} + {%- if LOGSTASH %} - logstash + {%- endif %} + {%- if REDIS %} - redis + {%- endif %} + {%- if CURATOR %} - curator + {%- endif %} + {%- if KIBANA %} - kibana + {%- endif %} + {%- if ELASTALERT %} - elastalert + {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} + - utility - schedule {%- if FLEETMANAGER or FLEETNODE %} @@ -370,11 +450,21 @@ base: {%- if WAZUH != 0 %} - wazuh {%- endif %} + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} + {%- if LOGSTASH %} - logstash + {%- endif %} + {%- if REDIS %} - redis + {%- endif %} + {%- if CURATOR %} - curator + {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} {%- if STRELKA %} - strelka {%- endif %} @@ -386,7 +476,9 @@ base: {%- if ZEEKVER != 'SURICATA' %} - zeek {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} - schedule - docker_clean @@ -417,9 +509,15 @@ base: - idstools - suricata.manager - pcap + {%- if ELASTICSEARCH %} - elasticsearch + {%- endif %} + {%- if KIBANA %} - kibana + {%- endif %} + {%- if FILEBEAT %} - filebeat + {%- endif %} - utility - suricata - zeek From 625307ac5f6a4b9cc2e6344fb7755e300a6dcb61 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 11 Nov 2020 08:52:39 -0500 Subject: [PATCH 25/76] Fix duplicate vars --- salt/top.sls | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/salt/top.sls b/salt/top.sls index f1a2af0e8..9a043ecc1 100644 --- a/salt/top.sls +++ b/salt/top.sls 
@@ -5,8 +5,7 @@ {% set FREQSERVER = salt['pillar.get']('manager:freq', '0') %} {% set DOMAINSTATS = salt['pillar.get']('manager:domainstats', '0') %} {% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} -{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} -{% set FLEETMANAGER = salt['pillar.get']('global:fleet_manager', False) %} +{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} {% set ELASTALERT = salt['pillar.get']('elastalert:enabled', True) %} {% set ELASTICSEARCH = salt['pillar.get']('elasticsearch:enabled', True) %} {% set FILEBEAT = salt['pillar.get']('filebeat:enabled', True) %} @@ -14,7 +13,6 @@ {% set LOGSTASH = salt['pillar.get']('logstash:enabled', True) %} {% set CURATOR = salt['pillar.get']('curator:enabled', True) %} {% set REDIS = salt['pillar.get']('redis:enabled', True) %} -{% set FLEETNODE = salt['pillar.get']('global:fleet_node', False) %} {% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %} {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} {% import_yaml 'salt/minion.defaults.yaml' as saltversion %} From da9a915421762090b51d55d8451133479a184a35 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 11 Nov 2020 09:15:50 -0500 Subject: [PATCH 26/76] add top change for fleet getting mysql state back was reverted in https://github.com/Security-Onion-Solutions/securityonion/pull/1880/files --- salt/top.sls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/top.sls b/salt/top.sls index 9a043ecc1..d707af003 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -106,7 +106,7 @@ base: - idstools - suricata.manager - healthcheck - {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} + {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} 
@@ -173,7 +173,7 @@ base: - manager - idstools - suricata.manager - {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} + {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} @@ -234,7 +234,7 @@ base: - idstools - suricata.manager - healthcheck - {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} + {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} @@ -389,7 +389,7 @@ base: - manager - idstools - suricata.manager - {%- if FLEETMANAGER or FLEETNODE or PLAYBOOK != 0 %} + {%- if (FLEETMANAGER or FLEETNODE) or PLAYBOOK != 0 %} - mysql {%- endif %} {%- if WAZUH != 0 %} From ea1f53b40ccc12a4af03bf2d045a73e6bace0049 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 11 Nov 2020 10:29:58 -0500 Subject: [PATCH 27/76] Add check for field --- salt/elasticsearch/files/ingest/syslog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/syslog b/salt/elasticsearch/files/ingest/syslog index b4e09e9df..6d28aa705 100644 --- a/salt/elasticsearch/files/ingest/syslog +++ b/salt/elasticsearch/files/ingest/syslog @@ -13,7 +13,7 @@ } }, { "grok": { "field": "message", "patterns": ["<%{INT:syslog.priority}>%{DATA:syslog.timestamp} %{WORD:source.application}: %{GREEDYDATA:real_message}"], "ignore_failure": false } }, - { "set": { "if": "ctx.source.application == 'filterlog'", "field": "dataset", "value": "firewall" } }, + { "set": { "if": "ctx.source?.application == 'filterlog'", "field": "dataset", "value": "firewall" } }, { "pipeline": { "if": "ctx.dataset == 'firewall'", "name": "filterlog" } }, { "pipeline": { "name": "common" } } ] From f9b52677d7d17fde79da05f0a3a4fd92fe2df606 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 11:15:45 -0500 Subject: [PATCH 28/76] Update suriloss.sh --- salt/telegraf/scripts/suriloss.sh | 9 +++++++++ 1 file changed, 9 insertions(+) 
diff --git a/salt/telegraf/scripts/suriloss.sh b/salt/telegraf/scripts/suriloss.sh index 48745c161..6a1f8a6c5 100644 --- a/salt/telegraf/scripts/suriloss.sh +++ b/salt/telegraf/scripts/suriloss.sh @@ -1,5 +1,14 @@ #!/bin/bash +APP=suriloss +lf=/tmp/$APP-pidLockFile +# create empty lock file if none exists +cat /dev/null >> $lf +read lastPID < $lf +# if lastPID is not null and a process with that pid exists , exit +[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit +echo $$ > $lf + SURILOG=$(tac /var/log/suricata/stats.log | grep kernel | head -4) CHECKIT=$(echo $SURILOG | grep -o 'drop' | wc -l) From ea1227de9dde68378d0cf78c706520b3f2d0435f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 11:16:15 -0500 Subject: [PATCH 29/76] Update checkfiles.sh --- salt/telegraf/scripts/checkfiles.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/salt/telegraf/scripts/checkfiles.sh b/salt/telegraf/scripts/checkfiles.sh index a22735696..0ae56c177 100644 --- a/salt/telegraf/scripts/checkfiles.sh +++ b/salt/telegraf/scripts/checkfiles.sh @@ -1,5 +1,14 @@ #!/bin/bash +APP=checkfiles +lf=/tmp/$APP-pidLockFile +# create empty lock file if none exists +cat /dev/null >> $lf +read lastPID < $lf +# if lastPID is not null and a process with that pid exists , exit +[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit +echo $$ > $lf + FILES=$(ls -1x /host/nsm/faf/complete/ | wc -l) echo "faffiles files=$FILES" From 711f5ab38f87d634e22400426bca28365c1c3b71 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 11:16:47 -0500 Subject: [PATCH 30/76] Update helixeps.sh --- salt/telegraf/scripts/helixeps.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/salt/telegraf/scripts/helixeps.sh b/salt/telegraf/scripts/helixeps.sh index eee4f65c3..9cb4b77b7 100644 --- a/salt/telegraf/scripts/helixeps.sh +++ b/salt/telegraf/scripts/helixeps.sh 
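Review bot: The lock file `lf=/tmp/$APP-pidLockFile` is a predictable name in a world-writable directory, and both `cat /dev/null >> $lf` and `echo $$ > $lf` follow symlinks, so when the script runs as root any local user who can write /tmp can pre-create that path and have the write land elsewhere; the value read back by `read lastPID` is then trusted unchecked in `-d /proc/$lastPID`. The guard is also not atomic (two instances started together both read an empty file and both run), and a recycled PID belonging to an unrelated process makes the script exit silently. An advisory lock on a root-owned path removes the PID bookkeeping entirely, e.g. `exec 9>"/var/run/${APP}.lock" || exit 1` followed by `flock -n 9 || exit 0`; if these scripts run inside a container where that directory is not writable, a directory created for the purpose is still preferable to /tmp. The identical block is added to checkfiles.sh in the next commit and to helixeps.sh, influxdbsize.sh, oldpcap.sh, redis.sh, stenoloss.sh, zeekcaptureloss.sh, zeekloss.sh, so-curator-close, so-curator-closed-delete-delete, so-curator-delete and so-curator-closed-delete in the commits that follow, so a single sourced helper would keep the fix in one place. Since the files are bash, `[[ -n "$lastPID" && -d /proc/$lastPID ]]` is also preferable to the deprecated `-a` inside `[ ]`.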
@@ -1,5 +1,14 @@ #!/bin/bash +APP=helixeps +lf=/tmp/$APP-pidLockFile +# create empty lock file if none exists +cat /dev/null >> $lf +read lastPID < $lf +# if lastPID is not null and a process with that pid exists , exit +[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit +echo $$ > $lf + PREVCOUNTFILE='/tmp/helixevents.txt' EVENTCOUNTCURRENT="$(curl -s localhost:9600/_node/stats | jq '.pipelines.helix.events.out')" From a4d3e109e6c9a50df0f54edb30ddd94c47e13a97 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 11:17:18 -0500 Subject: [PATCH 31/76] Update influxdbsize.sh --- salt/telegraf/scripts/influxdbsize.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/salt/telegraf/scripts/influxdbsize.sh b/salt/telegraf/scripts/influxdbsize.sh index 7060942ae..140c19b23 100644 --- a/salt/telegraf/scripts/influxdbsize.sh +++ b/salt/telegraf/scripts/influxdbsize.sh @@ -1,5 +1,14 @@ #!/bin/bash +APP=influxsize +lf=/tmp/$APP-pidLockFile +# create empty lock file if none exists +cat /dev/null >> $lf +read lastPID < $lf +# if lastPID is not null and a process with that pid exists , exit +[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit +echo $$ > $lf + INFLUXSIZE=$(du -s -k /host/nsm/influxdb | awk {'print $1'}) echo "influxsize kbytes=$INFLUXSIZE" From cb46c13054b17a6ddb46e7728a1a76099d46b077 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 11:22:28 -0500 Subject: [PATCH 32/76] Update oldpcap.sh --- salt/telegraf/scripts/oldpcap.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/salt/telegraf/scripts/oldpcap.sh b/salt/telegraf/scripts/oldpcap.sh index 970c47589..4aee393ac 100644 --- a/salt/telegraf/scripts/oldpcap.sh +++ b/salt/telegraf/scripts/oldpcap.sh 
@@ -1,5 +1,14 @@ #!/bin/bash +APP=oldpcap +lf=/tmp/$APP-pidLockFile +# create empty lock file if none exists +cat /dev/null >> $lf +read lastPID < $lf +# if lastPID is not null and a process with that pid exists , exit +[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit +echo $$ > $lf + # Get the data OLDPCAP=$(find /host/nsm/pcap -type f -exec stat -c'%n %Z' {} + | sort | grep -v "\." | head -n 1 | awk {'print $2'}) DATE=$(date +%s) From d3f65ac1a8e431de74815d931d35d3ffce5b9268 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 11:22:52 -0500 Subject: [PATCH 33/76] Update redis.sh --- salt/telegraf/scripts/redis.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/salt/telegraf/scripts/redis.sh b/salt/telegraf/scripts/redis.sh index a91e1f2dc..a1fe0a5ca 100644 --- a/salt/telegraf/scripts/redis.sh +++ b/salt/telegraf/scripts/redis.sh @@ -1,5 +1,14 @@ #!/bin/bash +APP=redis +lf=/tmp/$APP-pidLockFile +# create empty lock file if none exists +cat /dev/null >> $lf +read lastPID < $lf +# if lastPID is not null and a process with that pid exists , exit +[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit +echo $$ > $lf + UNPARSED=$(redis-cli llen logstash:unparsed | awk '{print $1}') PARSED=$(redis-cli llen logstash:parsed | awk '{print $1}') From 9548b3df54302bcf3ee2a46444ccde327335bbb2 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 11:23:20 -0500 Subject: [PATCH 34/76] Update stenoloss.sh --- salt/telegraf/scripts/stenoloss.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/salt/telegraf/scripts/stenoloss.sh b/salt/telegraf/scripts/stenoloss.sh index 1b60f0517..83b07e4f6 100644 --- a/salt/telegraf/scripts/stenoloss.sh +++ b/salt/telegraf/scripts/stenoloss.sh 
@@ -1,5 +1,14 @@ #!/bin/bash +APP=stenoloss +lf=/tmp/$APP-pidLockFile +# create empty lock file if none exists +cat /dev/null >> $lf +read lastPID < $lf +# if lastPID is not null and a process with that pid exists , exit +[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit +echo $$ > $lf + # Get the data DROP=$(tac /var/log/stenographer/stenographer.log | grep -m1 drop | awk '{print $14}' | awk -F "=" '{print $2}') From fc9c31706d23f317f42fb647a12c2dcf5dcad339 Mon Sep 17 00:00:00 2001 From: Automation Date: Wed, 11 Nov 2020 16:31:42 +0000 Subject: [PATCH 35/76] Auto-publish so-acng image signature --- sigs/images/so-acng.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-acng.sig diff --git a/sigs/images/so-acng.sig b/sigs/images/so-acng.sig new file mode 100644 index 0000000000000000000000000000000000000000..ef0728b1c244bfcbf780a83d44a985a2d4c942ee GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5J5$*sA2@qb#TbW_DIM!sA) zcp6qqW+7ltbDOD2I}PGK=7r88^4Pmw1eqFo(%CT*ii?ALrJ|!nfq(41<$yjv)ahh? zE`S(ebZi=Ofe*HmcaKZfV@JeImupuZR~l3sG)x#Dwi!(RqdO0NI^1e$P16ub5~o}+ z&pu{OUvZsSHxs^AiwbrXKcHK`DOFv_ZuTJNY;GB(A@|BO(c(smbx3D^W>~Bokftc` z!vLt_7!CRoPFPlHKj_jW{dCw!dZHJo*bTcuor7+L5d%C7cPq*bR|s%2b!`=EB+sLc zqxTjY0GBqg0}kc=?jwN5Yi9D1QMW|&A^vijjDZG;f+QUFXDqFoF5EiS>tzjxl{JE< z&eMJ?>rP Date: Wed, 11 Nov 2020 11:38:48 -0500 Subject: [PATCH 36/76] just use so-status.conf for containers to fix salt warning https://github.com/Security-Onion-Solutions/securityonion/issues/1681 --- salt/common/init.sls | 5 ----- salt/common/tools/sbin/so-status | 4 ++-- salt/pcap/init.sls | 16 ++++++++-------- setup/so-setup | 1 - 4 files changed, 10 insertions(+), 16 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index bc66d8cf2..cf791cfa2 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls 
@@ -44,11 +44,6 @@ so-status.conf: - name: /opt/so/conf/so-status/so-status.conf - unless: ls /opt/so/conf/so-status/so-status.conf -so-status.disabled.conf: - file.touch: - - name: /opt/so/conf/so-status/so-status.disabled.conf - - unless: ls /opt/so/conf/so-status/so-status.disabled.conf - sosaltstackperms: file.directory: - name: /opt/so/saltstack diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status index 9daf30a56..344db61c6 100755 --- a/salt/common/tools/sbin/so-status +++ b/salt/common/tools/sbin/so-status @@ -37,7 +37,7 @@ declare -a BAD_STATUSES=("removing" "paused" "exited" "dead") declare -a PENDING_STATUSES=("paused" "created" "restarting") declare -a GOOD_STATUSES=("running") declare -a DISABLED_CONTAINERS=() -mapfile -t DISABLED_CONTAINERS < <(sort -u /opt/so/conf/so-status/so-status.disabled.conf) +mapfile -t DISABLED_CONTAINERS < <(sort -u /opt/so/conf/so-status/so-status.conf | grep "^\s*#" | tr -d "#") declare -a temp_container_name_list=() @@ -81,7 +81,7 @@ compare_lists() { create_expected_container_list() { - mapfile -t expected_container_list < <(sort -u /opt/so/conf/so-status/so-status.conf) + mapfile -t expected_container_list < <(sort -u /opt/so/conf/so-status/so-status.conf | tr -d "#") } diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 0db9e7f61..5a13c1231 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls 
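Review bot: `mapfile -t DISABLED_CONTAINERS < <(sort -u … | grep "^\s*#" | tr -d "#")` treats every comment line of so-status.conf as a disabled container name, so a header or explanatory comment added to that file would appear as a phantom disabled container, and `tr -d "#"` leaves behind any whitespace that `^\s*` allowed in front of the name. Anchoring the marker and stripping it in one step, `sed -n 's/^[[:space:]]*#[[:space:]]*//p'`, keeps the intent explicit; the `tr -d "#"` in `create_expected_container_list` could likewise become `sed 's/^[[:space:]]*#[[:space:]]*//'` so that only a leading marker is removed. A comment above the first changed line, `# disabled containers are the commented-out entries of so-status.conf`, would help readers who knew the old so-status.disabled.conf layout.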
@@ -156,18 +156,18 @@ append_so-steno_so-status.conf: file.append: - name: /opt/so/conf/so-status/so-status.conf - text: so-steno + - unless: grep so-steno /opt/so/conf/so-status/so-status.conf {% if STENOOPTIONS.status == 'running' %} delete_so-steno_so-status.disabled: - file.line: - - name: /opt/so/conf/so-status/so-status.disabled.conf - - match: so-steno - - mode: delete + file.uncomment: + - name: /opt/so/conf/so-status/so-status.conf + - regex: ^so-steno$ {% elif STENOOPTIONS.status == 'stopped' %} -append_so-steno_so-status.disabled: - file.append: - - name: /opt/so/conf/so-status/so-status.disabled.conf - - text: so-steno +so-steno_so-status.disabled: + file.comment: + - name: /opt/so/conf/so-status/so-status.conf + - regex: ^so-steno$ {% endif %} so-sensoroni: diff --git a/setup/so-setup b/setup/so-setup index a39411a8f..fe69e8148 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -593,7 +593,6 @@ fi # create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf mkdir -p /opt/so/conf/so-status/ touch /opt/so/conf/so-status/so-status.conf - touch /opt/so/conf/so-status/so-status.disabled.conf if [[ "$setup_type" == 'iso' ]]; then set_progress_str 26 'Copying containers from iso' From 6ff192278811c17a3e9d4f49e61703a51cfee69c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 11:42:58 -0500 Subject: [PATCH 37/76] Update zeekcaptureloss.sh --- salt/telegraf/scripts/zeekcaptureloss.sh | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/salt/telegraf/scripts/zeekcaptureloss.sh b/salt/telegraf/scripts/zeekcaptureloss.sh index a2e350212..8b0b97c70 100644 --- a/salt/telegraf/scripts/zeekcaptureloss.sh +++ b/salt/telegraf/scripts/zeekcaptureloss.sh 
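Review bot: `- unless: grep so-steno /opt/so/conf/so-status/so-status.conf` is an unanchored substring match, so any existing entry that merely contains `so-steno` would also suppress the append. `- unless: grep -qE '^#?so-steno$' /opt/so/conf/so-status/so-status.conf` matches exactly the enabled or commented forms that the `file.uncomment`/`file.comment` states in this hunk produce. The state IDs `delete_so-steno_so-status.disabled` and `so-steno_so-status.disabled` no longer describe what they do now that both edit so-status.conf; `uncomment_so-steno_so-status.conf` and `comment_so-steno_so-status.conf` would read more accurately.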
@@ -1,6 +1,15 @@ #!/bin/bash # This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp +APP=zeekloss +lf=/tmp/$APP-pidLockFile +# create empty lock file if none exists +cat /dev/null >> $lf +read lastPID < $lf +# if lastPID is not null and a process with that pid exists , exit +[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit +echo $$ > $lf + if [ -d "/host/nsm/zeek/spool/logger" ]; then WORKERS={{ salt['pillar.get']('sensor:zeek_lbprocs', salt['pillar.get']('sensor:zeek_pins') | length) }} ZEEKLOG=/host/nsm/zeek/spool/logger/capture_loss.log @@ -23,4 +32,4 @@ if [ -f "$ZEEKLOG" ]; then fi fi echo "$CURRENTTS" > $LASTCAPTURELOSSLOG -fi \ No newline at end of file +fi From edb0d71e87858c55091e56fb987be399ca0aafe6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 11:43:28 -0500 Subject: [PATCH 38/76] Update zeekloss.sh --- salt/telegraf/scripts/zeekloss.sh | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/salt/telegraf/scripts/zeekloss.sh b/salt/telegraf/scripts/zeekloss.sh index 579fdf9f2..8c134916c 100644 --- a/salt/telegraf/scripts/zeekloss.sh +++ b/salt/telegraf/scripts/zeekloss.sh @@ -1,5 +1,15 @@ #!/bin/bash # This script returns the packets dropped by Zeek, but it isn't a percentage. $LOSS * 100 would be the percentage + +APP=zeekloss +lf=/tmp/$APP-pidLockFile +# create empty lock file if none exists +cat /dev/null >> $lf +read lastPID < $lf +# if lastPID is not null and a process with that pid exists , exit +[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit +echo $$ > $lf + ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2) declare RESULT=($ZEEKLOG) CURRENTDROP=${RESULT[3]} @@ -14,4 +24,4 @@ else TOTAL=$((CURRENTPACKETS - PASTPACKETS)) LOSS=$(echo $DROPPED $TOTAL / p | dc) echo "zeekdrop drop=$LOSS" -fi \ No newline at end of file +fi From 73c17b77ae65abf0ec44710b62d5601258052187 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Wed, 11 Nov 2020 11:43:48 -0500 Subject: [PATCH 39/76] Update zeekcaptureloss.sh --- salt/telegraf/scripts/zeekcaptureloss.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/telegraf/scripts/zeekcaptureloss.sh b/salt/telegraf/scripts/zeekcaptureloss.sh index 8b0b97c70..095428140 100644 --- a/salt/telegraf/scripts/zeekcaptureloss.sh +++ b/salt/telegraf/scripts/zeekcaptureloss.sh @@ -1,7 +1,7 @@ #!/bin/bash # This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp -APP=zeekloss +APP=zeekcaploss lf=/tmp/$APP-pidLockFile # create empty lock file if none exists cat /dev/null >> $lf From 2a119d78244924cdd3760eaace06c047a007dd37 Mon Sep 17 00:00:00 2001 From: Automation Date: Wed, 11 Nov 2020 17:08:52 +0000 Subject: [PATCH 40/76] Auto-publish so-soc image signature --- sigs/images/so-soc.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-soc.sig diff --git a/sigs/images/so-soc.sig b/sigs/images/so-soc.sig new file mode 100644 index 0000000000000000000000000000000000000000..4b89684bba0f3228a9cd538874caff0de294f29c GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5J8l(UU2@qb#x#4}kzS7qW1ATylYPJ8=n`!7v%VgR>)3vF8FYiqgGy89f~( zD5mT2-Gm`oAu^}bY$23F!(LKtm)&8 zWdXZy)~^@Cbz$s6<{W6aAgejPr0ho50zOFT(`C@cqPFhb;Qxx+94wf#(g$;)snBpC ze*xbHX`*r}a0f}{Au*-m_~SdQ>NPw4!AN^HFQIE2k3JjTJPwp8@g;Ao%*hD_e@_gZ z;TMRo-%JTkTAa*imi$5mjTTOjQ=yumxi#<=Ii_Uf$nMj#Y&g)cD0|_T)B3W6rkeGP zmCv?RF$x Date: Wed, 11 Nov 2020 17:12:03 +0000 Subject: [PATCH 41/76] Auto-publish so-fleet image signature --- sigs/images/so-fleet.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-fleet.sig 
diff --git a/sigs/images/so-fleet.sig b/sigs/images/so-fleet.sig new file mode 100644 index 0000000000000000000000000000000000000000..3277719ae6f015558037707a7a4e82328a418e58 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5J8)EBBhnWFim>7u5;K zakBxZpQ>er-KyK`oB74na?2X{tvS$uNKP|;UAd6+V8zn=Aqv8v?QQ^OT4I@jn~ro$ zW!V?fg$Evc)G4v7Xcpxd76DcmS;zM=fG=`yOxhUJ(tNemL37(-sO^N5^C9#3E72&_ zxip=MJKZW6EIyrnD#eT?+hi*|-U}zVJ2i41{k^-R!92jq1lR%qtHJ>@gOvlT+Q>Hctbx>;d+!mR z^%*f~$dbq)#9G);X?2CYmtG>C7HPJZ%x-@Rrz{sx5BTwaN&7ZwJ7V=07!#I}tl^g}$cLEtwDLDj&9v Date: Wed, 11 Nov 2020 17:39:18 +0000 Subject: [PATCH 42/76] Auto-publish so-acng image signature --- sigs/images/so-acng.sig | Bin 543 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/sigs/images/so-acng.sig b/sigs/images/so-acng.sig index ef0728b1c244bfcbf780a83d44a985a2d4c942ee..91c06b7f4bc8044b90d4df895d0d430e3c18a68c 100644 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5JA;tg-2@qb#M(iQD9>Qi4Y1i z%6S9jhkwRGG%p2-kv*;sUhxi1DeedjW!E=#)P#s{ZXsD30s&ze5t{?SNSXn=m-O@> z={;-XN_A%g*yvm$0S5kG1*3&IG>Ya{nI(7`Xd&RE{Wq2jl8yCB(4;vGn_DRao|{)O zI^_3g^+tD#JTp_fNF#9;48vkmWF@JE6fcw_^13d2<38AIoxC`jW8&JW*G|9v*`$@Wp^=7&2``19)WapQpJgWrJr1PjlQ7pjLA_>n!DACn=_INjoQ zBij~YupRR;LK$+w3S7AjN5dW*00x<4<%57WTR!zPciSg1NUUudJT@ieP3or!<1DE& zBEOJo!`90()uqF9*pH5b^bg#0c$mAzl}dw#%`8N@0!%WuNJo zPkGEkS6119bLO(cjTe%j1WzM7QTZg~VOcws9!H%yNvEghy7fTbW_DIM!sA) zcp6qqW+7ltbDOD2I}PGK=7r88^4Pmw1eqFo(%CT*ii?ALrJ|!nfq(41<$yjv)ahh? zE`S(ebZi=Ofe*HmcaKZfV@JeImupuZR~l3sG)x#Dwi!(RqdO0NI^1e$P16ub5~o}+ z&pu{OUvZsSHxs^AiwbrXKcHK`DOFv_ZuTJNY;GB(A@|BO(c(smbx3D^W>~Bokftc` z!vLt_7!CRoPFPlHKj_jW{dCw!dZHJo*bTcuor7+L5d%C7cPq*bR|s%2b!`=EB+sLc zqxTjY0GBqg0}kc=?jwN5Yi9D1QMW|&A^vijjDZG;f+QUFXDqFoF5EiS>tzjxl{JE< z&eMJ?>rP Date: Wed, 11 Nov 2020 17:41:08 +0000 Subject: [PATCH 43/76] Auto-publish so-zeek image signature --- sigs/images/so-zeek.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-zeek.sig 
diff --git a/sigs/images/so-zeek.sig b/sigs/images/so-zeek.sig new file mode 100644 index 0000000000000000000000000000000000000000..363196aef0b2e0a201136860efeab7258e511f33 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5JA~XOB2@qb#EpH2Ls{9VW zk(ri%0uPSzr+j{I#|;A@zA5({ls-BjRv_$jaBH)Q7fDl z!-PZkXsk~0xAG%8vf)YO|CJl z!dFp`d?PB7DViP;pJ^30%G^#d zi)3Vmu>sE5+BnB(2$x|j*9Cd=E6{ooqA&#g1}(xvjXwn`2>c20+|2+ literal 0 HcmV?d00001 From b4989c6c0e20f0d092e909a68c7a63fe796216d5 Mon Sep 17 00:00:00 2001 From: Automation Date: Wed, 11 Nov 2020 17:43:17 +0000 Subject: [PATCH 44/76] Auto-publish so-minio image signature --- sigs/images/so-minio.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-minio.sig diff --git a/sigs/images/so-minio.sig b/sigs/images/so-minio.sig new file mode 100644 index 0000000000000000000000000000000000000000..32f77e0e9b3430ce3e36c7ff9a053884a573f819 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5JBDDYt2@qb#2dh_{taNs-IASe9vEsFou@f-MdU0uN7qPfUW319TD*hdWeRG`7N&-m^ z0TKMQDXcrQOoVoWdLp%QT1}HW<>I?av_%?V_gywQaLza<=kMHVEV{#8F9R#}H!Gno z%b*B}ym8ap?hm91ucs{g%YoUQUpVk<269Im%qh%6$?!XWq8N`hr=Nv(Av@!71s{D` zxGq!h3Vjc4;ZNL%K~ Date: Wed, 11 Nov 2020 12:46:19 -0500 Subject: [PATCH 45/76] Update so-curator-close --- salt/curator/files/bin/so-curator-close | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/salt/curator/files/bin/so-curator-close b/salt/curator/files/bin/so-curator-close index 11324dd31..b03d99e31 100644 --- a/salt/curator/files/bin/so-curator-close +++ b/salt/curator/files/bin/so-curator-close 
@@ -1,2 +1,12 @@ #!/bin/bash + +APP=closeddelete +lf=/tmp/$APP-pidLockFile +# create empty lock file if none exists +cat /dev/null >> $lf +read lastPID < $lf +# if lastPID is not null and a process with that pid exists , exit +[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit +echo $$ > $lf + /usr/sbin/so-curator-closed-delete > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-zeek-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-beats-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-firewall-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ids-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-import-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-osquery-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-ossec-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-strelka-close.yml > /dev/null 2>&1; docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/so-syslog-close.yml > /dev/null 2>&1 From d85c99abf3ec20620644e401994cf8c5c4ec275a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 12:46:44 -0500 Subject: [PATCH 46/76] Update so-curator-close --- salt/curator/files/bin/so-curator-close | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/curator/files/bin/so-curator-close b/salt/curator/files/bin/so-curator-close index b03d99e31..be3ddf77d 100644 --- a/salt/curator/files/bin/so-curator-close 
+++ b/salt/curator/files/bin/so-curator-close @@ -1,6 +1,6 @@ #!/bin/bash -APP=closeddelete +APP=close lf=/tmp/$APP-pidLockFile # create empty lock file if none exists cat /dev/null >> $lf From 1e2df983af2a7729cef72b2e9cdfc7de117e9819 Mon Sep 17 00:00:00 2001 From: Automation Date: Wed, 11 Nov 2020 17:46:57 +0000 Subject: [PATCH 47/76] Auto-publish so-redis image signature --- sigs/images/so-redis.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-redis.sig diff --git a/sigs/images/so-redis.sig b/sigs/images/so-redis.sig new file mode 100644 index 0000000000000000000000000000000000000000..0154990b7399f858752e8697edec6228a7b64a48 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5JBai?J2@qb#1RQ`{!rS_ zWgbJ=bxW}fLz%tB(g4~_w$4()g(e%WS;)=5y|+mF$;FmS9IIe@1a-W`7dsrOw=n=b zuR>B08u~*ZESQai{1?P0CRPaIhz9gQ^VaENn;y-MggnSPGV<3!#x ztF*6SI`5KozFm>^OG^M@v+K?C8>7Vw=UG7w0bNLCl=t}HOX5^!izi}l;~v#SH!saC zB}%R40|o%!5cL_qMFH=|V)w|RlwpA=AUg0#EBxJ9I(RBBp{zD7^>|>9{dK+Ae8%yV zSn**^M--P5-Au|kLGUaE>W02M1KK4@9^BdNH6#7!T(y>`m(BE=mV}b(*8f!@I@7_t zMT>zN)+;+TOrNSk<jCW3{S>h+l>q;%1@}1^FG*lq%beII~U}MZLu_xa# zrHckRU}|@+nJJ~+HY%nx{dqJjvS8Ls8h}va*+$Z!`>eWM#ja@IFfQ;`ip)Te83Ar* hk?d(DUxSBVem?OX+=$K Date: Wed, 11 Nov 2020 17:48:03 +0000 Subject: [PATCH 48/76] Auto-publish so-kratos image signature --- sigs/images/so-kratos.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-kratos.sig 
diff --git a/sigs/images/so-kratos.sig b/sigs/images/so-kratos.sig new file mode 100644 index 0000000000000000000000000000000000000000..7b2b6e9a35ba05c15c8e079b037c5c940b029c10 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5JBhvs12@qb#yVe*tGeod|_g)mllS z3Fmx#VgVqby|h)hG$;@gmUe`HK_uRtnH3^gM7;c>d-L;gF7*c0IH?q|Ss`}8_;(0N zn3woT%Stx9dR@eAOrnRl?_Vi$waHh}S#lq@ag=+Tc-D~~N$P}IdAy$a{8U_gY?>@6Zp5(JDbkOn~MY zzAAj!lLcD?btM$1+uAnzy~fwaT>_3_F@W`!0{gNZ{fOe|W9EEw!9l`qi7cJc?sfv6 zPOn8CXlf!M9ez`i7?87%O?RC&S}v?fu1q?C^chP&OBpv_=e-w%x>L&Gc@2o*v_pRr hdVDT@P0sivk$RCnxQ^7(JbB3u28}zb^%B4Yc_bL*04D$d literal 0 HcmV?d00001 From e68f90c3b5d51d71561018a1cf94e4964667178b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 12:48:28 -0500 Subject: [PATCH 49/76] Update so-curator-closed-delete-delete --- salt/curator/files/bin/so-curator-closed-delete-delete | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/salt/curator/files/bin/so-curator-closed-delete-delete b/salt/curator/files/bin/so-curator-closed-delete-delete index 689056dc2..c681c04e9 100755 --- a/salt/curator/files/bin/so-curator-closed-delete-delete +++ b/salt/curator/files/bin/so-curator-closed-delete-delete @@ -1,6 +1,15 @@ #!/bin/bash +APP=closedeletedelete +lf=/tmp/$APP-pidLockFile +# create empty lock file if none exists +cat /dev/null >> $lf +read lastPID < $lf +# if lastPID is not null and a process with that pid exists , exit +[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit +echo $$ > $lf + {%- if grains['role'] in ['so-node', 'so-heavynode'] %} {%- set ELASTICSEARCH_HOST = salt['pillar.get']('elasticsearch:mainip', '') -%} {%- set ELASTICSEARCH_PORT = salt['pillar.get']('elasticsearch:es_port', '') -%} From 578250a9946a9153653ad1f24591768dd733c721 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 12:48:55 -0500 Subject: [PATCH 50/76] Update so-curator-delete --- salt/curator/files/bin/so-curator-delete | 10 ++++++++++ 1 file changed, 10 insertions(+) 
diff --git a/salt/curator/files/bin/so-curator-delete b/salt/curator/files/bin/so-curator-delete index 166497855..d79555dee 100644 --- a/salt/curator/files/bin/so-curator-delete +++ b/salt/curator/files/bin/so-curator-delete @@ -1,2 +1,12 @@ #!/bin/bash + +APP=delete +lf=/tmp/$APP-pidLockFile +# create empty lock file if none exists +cat /dev/null >> $lf +read lastPID < $lf +# if lastPID is not null and a process with that pid exists , exit +[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit +echo $$ > $lf + docker exec so-curator curator --config /etc/curator/config/curator.yml /etc/curator/action/delete.yml > /dev/null 2>&1 From a354a6279b70dbcabc5858cc38bca41dda7b9b41 Mon Sep 17 00:00:00 2001 From: Automation Date: Wed, 11 Nov 2020 17:49:25 +0000 Subject: [PATCH 51/76] Auto-publish so-idstools image signature --- sigs/images/so-idstools.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-idstools.sig diff --git a/sigs/images/so-idstools.sig b/sigs/images/so-idstools.sig new file mode 100644 index 0000000000000000000000000000000000000000..74c6d746ca100d78a68efba2c09268c95dee0f67 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5JBqaa}2@qb#}dIR8Cj(c*GDNpi^ozr%~oP$7g3g1bpYb0Vnyz(n)OuW-;tn<*zzM~N2#WAzf~-;O|eqH<7doeXb3H;jyE+oXMLm~xMP3^Wr>3E4(+r7SYK&f1>y0y{wq2FtDCi_8%I!h6% z*r8;Lr&+bOTBeYBXv`#|H?=BBL4hFG_2&JZ@WJ#lq#Ae3IkmmJ3+rG+DBKWG9De4^ ztJ%V+gGxp{HMVXOh5TzvhAex$_0fIJG4p3#4UyTo!j+JMM4aq*plsi{puhW2jjr#J zYGozs8CLBMv&)e=X>~J%2Zqdlv6O8}> literal 0 HcmV?d00001 From 2eb3378b62bb5378cb674d665b24d186f2209a22 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 12:50:59 -0500 Subject: [PATCH 52/76] Update so-curator-closed-delete --- salt/curator/files/bin/so-curator-closed-delete | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/salt/curator/files/bin/so-curator-closed-delete b/salt/curator/files/bin/so-curator-closed-delete index 8f6d0a8ea..c2949a4fc 100755 
--- a/salt/curator/files/bin/so-curator-closed-delete +++ b/salt/curator/files/bin/so-curator-closed-delete @@ -34,6 +34,13 @@ #fi # Avoid starting multiple instances -if ! pgrep -f "so-curator-closed-delete-delete" >/dev/null; then - /usr/sbin/so-curator-closed-delete-delete -fi +APP=closeddelete +lf=/tmp/$APP-pidLockFile +# create empty lock file if none exists +cat /dev/null >> $lf +read lastPID < $lf +# if lastPID is not null and a process with that pid exists , exit +[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit +echo $$ > $lf + +/usr/sbin/so-curator-closed-delete-delete From 047ab95e68da6010d55b9e556f3c299a78d41fa9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 12:52:38 -0500 Subject: [PATCH 53/76] Update so-curator-close --- salt/curator/files/bin/so-curator-close | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/salt/curator/files/bin/so-curator-close b/salt/curator/files/bin/so-curator-close index be3ddf77d..682653ce4 100644 --- a/salt/curator/files/bin/so-curator-close +++ b/salt/curator/files/bin/so-curator-close @@ -1,4 +1,19 @@ #!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . APP=close lf=/tmp/$APP-pidLockFile From 33bf799b479b14fb042a1cc4d5759994704a3d31 Mon Sep 17 00:00:00 2001 
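Review bot: `$lastPID` is used unquoted in `[ ! -z "$lastPID" -a -d /proc/$lastPID ]` and is never checked to be a number, so a truncated or tampered lock file (the path is a fixed name under /tmp) can yield a line with spaces or test operators; `[` then either errors out, so the `&& exit` is skipped and the script proceeds to `echo $$ > $lf` and a fresh run, or evaluates something other than the intended test. A one-line guard keeps the gate honest and drops the POSIX-obsolescent `-a`: `[[ $lastPID =~ ^[0-9]+$ && -d /proc/$lastPID ]] && exit`. Note that the removed `pgrep -f` guard keyed on the child `so-curator-closed-delete-delete`, whereas the new gate only tracks this wrapper's own PID; the child's own pid-file from PATCH 49 now carries that responsibility, which deserves a comment next to the `/usr/sbin/so-curator-closed-delete-delete` call. The script body begins before this hunk.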
From: Automation Date: Wed, 11 Nov 2020 17:52:55 +0000 Subject: [PATCH 54/76] Auto-publish so-freqserver image signature --- sigs/images/so-freqserver.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-freqserver.sig diff --git a/sigs/images/so-freqserver.sig b/sigs/images/so-freqserver.sig new file mode 100644 index 0000000000000000000000000000000000000000..42f780ca35fb7fd109939ec212388adbcd10b9f7 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5JB=-Oc2@qb# zZlrv^CRc)eHJ2IjvqrMS|H9^M>(G|Jm$Yb0XECP;w|X#>ELKHy-O?j@z2U6b-W-*E z_~-5|RIJ#mgjLC@-O6#Epg~ish)n7jut1hIPaEuYdf44FF2q(`j2=cfX9rS!So$#8 zrE`f%!r#omkPsr*D6;7VU>uq+gf7E+Km~4+7}V+rt&y&PWSwwrvVb71HOkR{0M=k& z8o!O%suPx6EA@W|6T7mi(v~7TWjcRQQscWX8Ki$J4&|po6YrpiG-NSVGNO7Fan1%3 z>Q*H2@q?$yG6s=w$XAOIH`gV;(h_><6r!Uc)G6CqvUx9q+hi0)U=<>VWV#PXf#kyk z2aexk28#a3H^^U+x25Sk6vASBs_BGB32ki#Vhw-s7*IVT`>iLSi)_MDMkOh#Z{~l< zFf3`itnFGGDnrdGCJ|Ku+r5%Hv|`8I<%!= Date: Wed, 11 Nov 2020 12:53:05 -0500 Subject: [PATCH 55/76] Update so-curator-closed-delete --- salt/curator/files/bin/so-curator-closed-delete | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/curator/files/bin/so-curator-closed-delete b/salt/curator/files/bin/so-curator-closed-delete index c2949a4fc..714aa5f6f 100755 --- a/salt/curator/files/bin/so-curator-closed-delete +++ b/salt/curator/files/bin/so-curator-closed-delete @@ -1,6 +1,6 @@ #!/bin/bash # -# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From c11d8367fac5c4ed2c00fd0d7c7fd1f61d1e12e8 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Wed, 11 Nov 2020 12:53:36 -0500 Subject: [PATCH 56/76] Update so-curator-closed-delete-delete --- .../files/bin/so-curator-closed-delete-delete | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/salt/curator/files/bin/so-curator-closed-delete-delete b/salt/curator/files/bin/so-curator-closed-delete-delete index c681c04e9..ac5a1aba2 100755 --- a/salt/curator/files/bin/so-curator-closed-delete-delete +++ b/salt/curator/files/bin/so-curator-closed-delete-delete @@ -1,5 +1,19 @@ - #!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . APP=closedeletedelete lf=/tmp/$APP-pidLockFile From c75536db6d5726754322f10ab786356aef258f53 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 12:54:04 -0500 Subject: [PATCH 57/76] Update so-curator-delete --- salt/curator/files/bin/so-curator-delete | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/salt/curator/files/bin/so-curator-delete b/salt/curator/files/bin/so-curator-delete index d79555dee..6a85eddb4 100644 --- a/salt/curator/files/bin/so-curator-delete +++ b/salt/curator/files/bin/so-curator-delete 
@@ -1,4 +1,19 @@ #!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . APP=delete lf=/tmp/$APP-pidLockFile From c5ddddda2aa6d7f43880c972ff0ffb7b82ed87ca Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 12:54:31 -0500 Subject: [PATCH 58/76] Update checkfiles.sh --- salt/telegraf/scripts/checkfiles.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/salt/telegraf/scripts/checkfiles.sh b/salt/telegraf/scripts/checkfiles.sh index 0ae56c177..4b6a8493a 100644 --- a/salt/telegraf/scripts/checkfiles.sh +++ b/salt/telegraf/scripts/checkfiles.sh @@ -1,4 +1,19 @@ #!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . APP=checkfiles lf=/tmp/$APP-pidLockFile 
From 814aa85dbad049ad44de315d618a6c85bdc96f7c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 12:54:48 -0500 Subject: [PATCH 59/76] Update helixeps.sh --- salt/telegraf/scripts/helixeps.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/salt/telegraf/scripts/helixeps.sh b/salt/telegraf/scripts/helixeps.sh index 9cb4b77b7..aed559932 100644 --- a/salt/telegraf/scripts/helixeps.sh +++ b/salt/telegraf/scripts/helixeps.sh @@ -1,4 +1,19 @@ #!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . APP=helixeps lf=/tmp/$APP-pidLockFile From ee0e1ce8d72026bebbbd3c8142eb8821f7e5bed7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 12:55:08 -0500 Subject: [PATCH 60/76] Update influxdbsize.sh --- salt/telegraf/scripts/influxdbsize.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/salt/telegraf/scripts/influxdbsize.sh b/salt/telegraf/scripts/influxdbsize.sh index 140c19b23..4e74c4cf5 100644 --- a/salt/telegraf/scripts/influxdbsize.sh +++ b/salt/telegraf/scripts/influxdbsize.sh 
@@ -1,4 +1,19 @@ #!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . APP=influxsize lf=/tmp/$APP-pidLockFile From c9bfd8a2539ab7aa34785ca42bbdd113343d7b9b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 12:55:28 -0500 Subject: [PATCH 61/76] Update oldpcap.sh --- salt/telegraf/scripts/oldpcap.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/salt/telegraf/scripts/oldpcap.sh b/salt/telegraf/scripts/oldpcap.sh index 4aee393ac..b8d383112 100644 --- a/salt/telegraf/scripts/oldpcap.sh +++ b/salt/telegraf/scripts/oldpcap.sh @@ -1,4 +1,19 @@ #!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . APP=oldpcap lf=/tmp/$APP-pidLockFile 
From ea88fa731959eabecf68fa93a681fb75248f7074 Mon Sep 17 00:00:00 2001 From: Automation Date: Wed, 11 Nov 2020 17:56:28 +0000 Subject: [PATCH 62/76] Auto-publish so-soctopus image signature --- sigs/images/so-soctopus.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-soctopus.sig diff --git a/sigs/images/so-soctopus.sig b/sigs/images/so-soctopus.sig new file mode 100644 index 0000000000000000000000000000000000000000..2567336642d9f769483b3c9ffe6f39870b2664d9 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5JCCmT{2@qb#VzK8O)Q_|0RvXLeAe(wPv{-5IUOM3Cu!4oPXXM~#Lrv)h?_foJ>02;AkFl{6zCm`rn?F~Kk$p8gPBkTz}1u`9kw0My)} zU_8#>JL0;;5jg@p6TUpeD9^;SM71@EA3<4Go<+erBNkNXB9^c~Mfb&RgIN%~5ToFN zGWm4(i{?iRTQ_x}3p3fq#a{#}vN@f1M^#rOK!FC{xFGe8nBPv#hi}5je89GCX Date: Wed, 11 Nov 2020 17:58:56 +0000 Subject: [PATCH 63/76] Auto-publish so-fleet-launcher image signature --- sigs/images/so-fleet-launcher.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-fleet-launcher.sig 
diff --git a/sigs/images/so-fleet-launcher.sig b/sigs/images/so-fleet-launcher.sig new file mode 100644 index 0000000000000000000000000000000000000000..1a9a00a3b866217a710daa868f544094be4bbd4e GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5JCSU*x2@qb#gJKcb z$%^uAf=%Cq?whmVfvVJhHWv_4fsC`5qbG~oW5vcC@NVR3g0_;4b9=RneMPWy+H34s znFNS!?O&!tP>U)QBx!t>{US+9E|EC&Kyu1%TvwVi1Vmq8Kn5d&shE!gJ46z8mP&gL zk8z5o{W;XmH%nMVu}W&o*_2oa(ccPcCYkR?mW2(@MzQ9gOwo#sU*aE-@bEo8V7Wjo0Cb1B zuU=Fqy!;I6bxHi5lqQ3UE^p=A8CtC2vPS*w>4bq+_TJu@Wp4=r;yGwju<+iQmIJgv z#Wp2Oed(lEtT8l-+urqkwL5Lh{T06esn;cg{GT+eh{M-^v>srcLbm<$!gJTk20ecz z8C_e!omG6Yt^NDD0*sNCGp77I_I{WBb$G4uPE)2EtgqPBs2xdnzySNM-Yx6oCa Date: Wed, 11 Nov 2020 18:02:54 +0000 Subject: [PATCH 64/76] Auto-publish so-strelka-manager image signature --- sigs/images/so-strelka-manager.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-strelka-manager.sig diff --git a/sigs/images/so-strelka-manager.sig b/sigs/images/so-strelka-manager.sig new file mode 100644 index 0000000000000000000000000000000000000000..0e1bafe983a37f1d6ed8012d1bad2045b79ed11d GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5JCr$tg2@qb#_49S;+| zDN=A`RB#lKdn|i08U~4K&ASOy;+};&_<%hTFV%a_PQlE~VLM_%=X?B6UUw+S-9dZk zUM@{4Rb*$@J3lK1I`^HDRn|PcjT@qU zz8gxFuf#AP1 z*L2kc7CwqMCGyrANRZb@i?i}?)(_W;dEG5m;V0df>ScArk~l~2q(7y7`e^7pGs|4A hS1c!ZqrG;h_V5aUX{n*T8QTyz6yDGwlTS4>t++vq1|I+b literal 0 HcmV?d00001 From 307af1248ca74d6cbccaff9aeffdec8bbbae2467 Mon Sep 17 00:00:00 2001 From: Automation Date: Wed, 11 Nov 2020 18:05:26 +0000 Subject: [PATCH 65/76] Auto-publish so-thehive-cortex image signature --- sigs/images/so-thehive-cortex.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-thehive-cortex.sig 
diff --git a/sigs/images/so-thehive-cortex.sig b/sigs/images/so-thehive-cortex.sig new file mode 100644 index 0000000000000000000000000000000000000000..18198fa9640e07f65e1a314587a7e304ea9d7868 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5JC*}YO2@qb#)XnE?dWrqmFfom<=oHZE?7&V|?sI0YJQgV-lXhmV{2UA^n$EUXl zDg{piPkDd&igQ9IwGgoqkD8)TG(JEyr_Y1a^&D8di}nrbngTP`i}LWru@0Yff{@T$lPI#^3=rXj3Azsa5XsWwR|ygp3CCO*Ss2RHx# literal 0 HcmV?d00001 From 3a9c9e3d99c588a35deadbec204410c006f8d87b Mon Sep 17 00:00:00 2001 From: Automation Date: Wed, 11 Nov 2020 18:08:03 +0000 Subject: [PATCH 66/76] Auto-publish so-strelka-frontend image signature --- sigs/images/so-strelka-frontend.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-strelka-frontend.sig diff --git a/sigs/images/so-strelka-frontend.sig b/sigs/images/so-strelka-frontend.sig new file mode 100644 index 0000000000000000000000000000000000000000..b8b8dddb3900290e530f1a455a06cf817187a535 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5JD1!hB2@qb#yYkG z#HI@F+01?G#4PeRn*@jn{B$q+`e9L(9&O|c)!)F~nRltLFgWwpT#@9O00>Pu{d#9n zhj9iQF2Qv2Zf`Mw6qy3qT9XBXZ_ijx?Bn-gHqo-M#{qO+|LiZo2SOrHME@Cn z;xM(n0}1$36&UMDbh<$!&NcSPHhXe#uGZPS)U>US`*Hk?TF2Jl`<9M-hb2jSyJjC? z96YhXao9$8t$*zEt1=9Q6f7V7@0f2w6xIk7qm9ebktf)(G)q^B>p7}9X?<6%7byIG zsPOgLX7{Ut!=;@fVS%6FiH?&;&QsV9^g#*A1Rz42CDG$&>*3zcFO)U*W Date: Wed, 11 Nov 2020 13:08:28 -0500 Subject: [PATCH 67/76] Update redis.sh --- salt/telegraf/scripts/redis.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/salt/telegraf/scripts/redis.sh b/salt/telegraf/scripts/redis.sh index a1fe0a5ca..9f5dbd37f 100644 --- a/salt/telegraf/scripts/redis.sh +++ b/salt/telegraf/scripts/redis.sh 
@@ -1,4 +1,20 @@ #!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + APP=redis lf=/tmp/$APP-pidLockFile From 8e88c350d53ba4b99da3122a2318ac5bca3bfbce Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 13:08:43 -0500 Subject: [PATCH 68/76] Update stenoloss.sh --- salt/telegraf/scripts/stenoloss.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/salt/telegraf/scripts/stenoloss.sh b/salt/telegraf/scripts/stenoloss.sh index 83b07e4f6..d078284a4 100644 --- a/salt/telegraf/scripts/stenoloss.sh +++ b/salt/telegraf/scripts/stenoloss.sh @@ -1,4 +1,20 @@ #!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + APP=stenoloss lf=/tmp/$APP-pidLockFile 
From 4a80c371674cb8c6304c9953f4ffaabcd0cd3309 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 13:09:08 -0500 Subject: [PATCH 69/76] Update suriloss.sh --- salt/telegraf/scripts/suriloss.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/salt/telegraf/scripts/suriloss.sh b/salt/telegraf/scripts/suriloss.sh index 6a1f8a6c5..cc2cff94c 100644 --- a/salt/telegraf/scripts/suriloss.sh +++ b/salt/telegraf/scripts/suriloss.sh @@ -1,4 +1,20 @@ #!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + APP=suriloss lf=/tmp/$APP-pidLockFile From a4df3623be69d743ef0a25ab812a1fc582ad13f3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Nov 2020 13:09:31 -0500 Subject: [PATCH 70/76] Update zeekcaptureloss.sh --- salt/telegraf/scripts/zeekcaptureloss.sh | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/salt/telegraf/scripts/zeekcaptureloss.sh b/salt/telegraf/scripts/zeekcaptureloss.sh index 095428140..36962e109 100644 --- a/salt/telegraf/scripts/zeekcaptureloss.sh +++ b/salt/telegraf/scripts/zeekcaptureloss.sh 
@@ -1,4 +1,21 @@ #!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + + # This script returns the average of all the workers average capture loss to telegraf / influxdb in influx format include nanosecond precision timestamp APP=zeekcaploss From 80b926bc31f055768c217505fd7bef1450c23f55 Mon Sep 17 00:00:00 2001 From: Automation Date: Wed, 11 Nov 2020 18:09:41 +0000 Subject: [PATCH 71/76] Auto-publish so-logstash image signature --- sigs/images/so-logstash.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-logstash.sig 
diff --git a/sigs/images/so-logstash.sig b/sigs/images/so-logstash.sig new file mode 100644 index 0000000000000000000000000000000000000000..33c754f0d0290ad9faa2803bf6aa4c5c3c5785d2 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5JDCGbO2@qb#0d7Q2Qt;a_#laOnUa{4NhQje&dK)RNczuI7duUdA~fqN;1w3QKTv8q5E@WH1B7xB z1KvKceuJKM(l9;bp0S59f2GtFD{;l}lOk1KE3@8~uPzO$oCW=B(vv#{8 z^_Yv#_l7vOr$jT8d#in>%phvhJZp2gT+KgNE&oYa7jkv|ZS5!4;grsLB#_N96e*Z$$mMK<5%hS2UwA%oawvD1(L?3{NZfa0 z8SR}quNiBd;)MhihoQw?VCUzJ$_er}Qymv|l^NR1msV$+h3NcWaj67!r*SZPhY!g< zP}yELd2_2Lgak#eV`Ee;2;SjtVoM?K7wrz65^ows=F!u!6*?u@als~{NSHD&zvcp! zsZ)8A>k`t~fTatAtrX)CH=Ejrc{Cu>LjFCJ%?2%7V@xAqYqCw9B8RIYE9RIH9hAMQ zePhXcYwbiU=xnRKE#-ZFtsi*ne)>jdDG_LTP@p^ Date: Wed, 11 Nov 2020 13:09:52 -0500 Subject: [PATCH 72/76] Update zeekloss.sh --- salt/telegraf/scripts/zeekloss.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/salt/telegraf/scripts/zeekloss.sh b/salt/telegraf/scripts/zeekloss.sh index 8c134916c..9a64ef4dd 100644 --- a/salt/telegraf/scripts/zeekloss.sh +++ b/salt/telegraf/scripts/zeekloss.sh @@ -1,4 +1,20 @@ #!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + # This script returns the packets dropped by Zeek, but it isn't a percentage. $LOSS * 100 would be the percentage APP=zeekloss 
From 97f5f8438c017fa15d488bcf3b96b588720253d6 Mon Sep 17 00:00:00 2001 From: Automation Date: Wed, 11 Nov 2020 18:11:17 +0000 Subject: [PATCH 73/76] Auto-publish so-thehive-es image signature --- sigs/images/so-thehive-es.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-thehive-es.sig diff --git a/sigs/images/so-thehive-es.sig b/sigs/images/so-thehive-es.sig new file mode 100644 index 0000000000000000000000000000000000000000..0fc118c27fd263c313830cf44cf53291654bd17b GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5JDMbJZ2@qb#wv&D|Bj{uwsT#d zSZ+(i`d0xeUPVB&o0&u|HunLbWfV%*N@Xavlhe;audGJksM5=ULk0;!Y1>Jd@R&{l z`^mfWmIQ?31yeQyFiL)~8Yi*7K2EMlJ^SVY=YX%zFjk2m_4JLZmNj958NnCbJjH&r zDB5r11a~(7eM2fMk{_Y07N7i?jF%*Be(B5bQ~yE&Nttx?p2Lv=kL-1oEHaHgr+oW_ zsd{ykSC1OKgIou_3w{!q@*R9z0jRD$T2*O|NZ-KPGq>QR#PmLPg1&XzDGK^pO8k`L z5{n#NqLVgR)sTaX=2+>G_6B@9P%_?wAeyB^!xv@K(7H}jE+nn9Re6(Fpz6`>80en2 zJU^7Ln4OE+k6q7%aGNGq6&_*U?$|`*fip*;?egMvqBfe4SksdpdonkTeL+^bY@ZY! zNx#bUG77rcf?!Do@z1#`8XkdW)r-EiP-m2t99&{N-BR6bIVeCf|0;PnQJn6_+A*JX z=O$DH$gx`QcpYGMVbbhx=ev~==XWr)lR`(RV)G(0lc94Bt6^1z%Y Date: Wed, 11 Nov 2020 18:12:47 +0000 Subject: [PATCH 74/76] Auto-publish so-strelka-filestream image signature --- sigs/images/so-strelka-filestream.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-strelka-filestream.sig 
diff --git a/sigs/images/so-strelka-filestream.sig b/sigs/images/so-strelka-filestream.sig new file mode 100644 index 0000000000000000000000000000000000000000..1bca113cd5613727d95e59ade3238a6f00a03a04 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5JDW3oe2@qb#U1&&*?f8v&btk=ooZ?w=XY8F;QO)%`Aaq--8@U7t8;Pim0&iVc zp%+~Gp6+ZN7NWDcs6u#O*YCl!oy`qX<^h+X)@qxNyH^oC_KOvwIR$31E(}CM3W?}1 zsGIAsOvvlhLBCalcUgM$=L6Sy*0S9(y6;glTq-ssAw?;bA?tlt)Z&1e{4323Fu6g0 z-eUjj&%GFn*;CF;RAp;(LN$*)Y+x<^K1{ZB$Itm8UjdxKb@~&`eIy1RhfZ0cj>$EU z^ARqldfn`MGs1iACVIrfKJ1H5yyvW#i?zk|ZGFS1WQacT7_NWQy})0m`BgSrVoj=d zC^7zsvLEBa96CoN6gABpe4S9B?9Wa($u6cC zk#`p>IsqwBJOjPXzj-bO!;$B2BZB+B`T6BP= z%8Leh)Xo3SiO0p*zXh-!gM{>YW4>0P!q!n8ux{7w_{pUr=5TK$FVX&X9qu*-S>K0B zoD)-G5w3HxAY~_xRmYkR`E2B2YRyere7(qk(~0(}Ja=b}I0iC#V6>Eo0ikNn^Qj?U h``u Date: Wed, 11 Nov 2020 18:14:28 +0000 Subject: [PATCH 75/76] Auto-publish so-strelka-backend image signature --- sigs/images/so-strelka-backend.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-strelka-backend.sig diff --git a/sigs/images/so-strelka-backend.sig b/sigs/images/so-strelka-backend.sig new file mode 100644 index 0000000000000000000000000000000000000000..5a54bf2e06dd213ced77341b016878024353b5c3 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5JDg*!u2@qb#CeyjlgD1j@lYMMGC2rmyv>-q?R9KP!9aFZI zj>XW;Bmvia4e7BS8!jJ=s)!r zs;9vWKSKX9%==Uje_nxhGMR4(}H z{QCor@43}+wbBlQo{xSSi^M$C%u$gAWoUnOit?zid|8)iwR_x8^A*?4&Z@;9Eut|G z3;BQ*nZEOC` Date: Wed, 11 Nov 2020 18:25:23 +0000 Subject: [PATCH 76/76] Auto-publish so-mysql image signature --- sigs/images/so-mysql.sig | Bin 0 -> 543 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 sigs/images/so-mysql.sig 
diff --git a/sigs/images/so-mysql.sig b/sigs/images/so-mysql.sig new file mode 100644 index 0000000000000000000000000000000000000000..2f2c47f53f66b1cf7b8425af59ddb913a0dc2c1b GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;5JERz5V2@qb#K?prr>+ z>iskbL=ES_Q~S8E9X!wkwc4fpA%pzL1Uy+qloQy1z!OC(2j_FfSoH3bWsZCqB(-R&X5Qd6pvdMFT(?aBlB@^&4~MjW+2#tk00u&_-Jm%WT&BClc(=MP^=$_NUNc#DRx?pPGRAdrh+ImGVO=0a