From df590bfd23fa20a5528a62603a028baa5fa2f615 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 13 Jan 2021 11:09:38 -0500 Subject: [PATCH 1/7] pillarize disk freespace for steno https://github.com/Security-Onion-Solutions/securityonion/issues/2095 --- salt/pcap/files/config | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/salt/pcap/files/config b/salt/pcap/files/config index 4a612fbf1..048775ef7 100644 --- a/salt/pcap/files/config +++ b/salt/pcap/files/config @@ -1,10 +1,12 @@ {%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %} +{%- set diskfreepercentage = salt['pillar.get']('steno:diskfreepercentage', 10) %} + { "Threads": [ { "PacketsDirectory": "/nsm/pcap" , "IndexDirectory": "/nsm/pcapindex" , "MaxDirectoryFiles": 30000 - , "DiskFreePercentage": 10 + , "DiskFreePercentage": {{ diskfreepercentage }} } ] , "StenotypePath": "/usr/bin/stenotype" @@ -13,4 +15,4 @@ , "Host": "127.0.0.1" , "Flags": ["-v", "--uid=stenographer", "--gid=stenographer"{{ BPF_COMPILED }}] , "CertPath": "/etc/stenographer/certs" -} +} \ No newline at end of file From ea1ab75072bfc7fb74d79886b3d1b9582c6fad5d Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 13 Jan 2021 12:42:41 -0500 Subject: [PATCH 2/7] Refactored so-common node type checks for improved readability; Updated so-tcpreplay to support distributed grids --- salt/common/tools/sbin/so-common | 32 ++++++++++++++++++++++------- salt/common/tools/sbin/so-tcpreplay | 28 ++++++++++++++++++------- setup/so-setup | 2 +- 3 files changed, 47 insertions(+), 15 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 0c18c4482..881be83ca 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
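Review bot: The new `{{ diskfreepercentage }}` in the first hunk is rendered into the JSON unquoted and unvalidated, so a pillar value that is not a bare integer (a quoted string such as `'10'`, or `10%`) yields a config stenographer cannot parse, and a value outside a sensible percentage range is passed straight through. Rendering it as `{{ diskfreepercentage | int }}` keeps a quoted number numeric, but `int` turns an unparseable value into 0, so a range check in the template that fails the render on a bad value is the safer guard, and the accepted range belongs in a comment next to the `pillar.get` default. The second hunk also drops the file's trailing newline (`\ No newline at end of file`), which looks accidental and will show up as noise in every later diff of this file.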
@@ -111,9 +111,7 @@ set_version() { } require_manager() { - # Check to see if this is a manager - MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') - if [ $MANAGERCHECK == 'so-eval' ] || [ $MANAGERCHECK == 'so-manager' ] || [ $MANAGERCHECK == 'so-managersearch' ] || [ $MANAGERCHECK == 'so-standalone' ] || [ $MANAGERCHECK == 'so-helix' ] || [ $MANAGERCHECK == 'so-import' ]; then + if is_manager; then echo "This is a manager, We can proceed." else echo "Please run this command on the manager; the manager controls the grid." @@ -121,12 +119,32 @@ require_manager() { fi } +is_manager() { + # Check to see if this is a manager node + role=$(lookup_role) + is_single_node_grid && return 0 + [ $role == 'manager' ] && return 0 + [ $role == 'managersearch' ] && return 0 + [ $role == 'helix' ] && return 0 + return 1 +} + +is_sensor() { + # Check to see if this is a sensor (forward) node + role=$(lookup_role) + is_single_node_grid && return 0 + [ $role == 'sensor' ] && return 0 + [ $role == 'heavynode' ] && return 0 + [ $role == 'helix' ] && return 0 + return 1 +} + is_single_node_grid() { role=$(lookup_role) - if [ "$role" != "eval" ] && [ "$role" != "standalone" ] && [ "$role" != "import" ]; then - return 1 - fi - return 0 + [ $role == 'eval' ] && return 0 + [ $role == 'standalone' ] && return 0 + [ $role == 'import' ] && return 0 + return 1 } fail() { diff --git a/salt/common/tools/sbin/so-tcpreplay b/salt/common/tools/sbin/so-tcpreplay index fa992bdd8..8b81c32cf 100755 --- a/salt/common/tools/sbin/so-tcpreplay +++ b/salt/common/tools/sbin/so-tcpreplay 
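Review bot: `is_manager`, `is_sensor` and the rewritten `is_single_node_grid` compare `$role` unquoted (`[ $role == 'manager' ]`), so an empty result from `lookup_role` (a host whose role grain is not set yet) turns the test into `[ == manager ]`, a syntax error instead of a clean `return 1`; the removed `is_single_node_grid` body quoted it as `"$role"`, so this is a regression. Quote the expansion in all three functions, e.g. `[ "$role" == 'manager' ] && return 0`. Each function also assigns the global `role` rather than `local role=$(lookup_role)`, silently overwriting any `role` variable a caller is using. `lookup_role` is outside the hunk, so whether it can return an empty string is inferred rather than shown.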
@@ -47,13 +47,27 @@ if ! docker ps | grep -q so-tcpreplay; then echo "Replay functionality not enabled; attempting to enable now (may require Internet access)..." echo - TRUSTED_CONTAINERS=("so-tcpreplay") - mkdir -p /opt/so/log/tcpreplay - update_docker_containers "tcpreplay" "" "" "/opt/so/log/tcpreplay/init.log" - so-tcpreplay-start || fail "Unable to initialize tcpreplay" + if is_manager; then + TRUSTED_CONTAINERS=("so-tcpreplay") + mkdir -p /opt/so/log/tcpreplay + update_docker_containers "tcpreplay" "" "" "/opt/so/log/tcpreplay/init.log" + elif is_sensor; then + if ! is_manager; then + echo "Attempting to start replay container. If this fails then you may need to run this command on the manager first." + fi + so-tcpreplay-start || fail "Unable to initialize tcpreplay" + else + echo "Unable to enable replay functionality on this node type." + fi fi -echo "Replaying PCAP(s) at ${REPLAYSPEED} Mbps on interface ${REPLAYIFACE}..." -docker exec so-tcpreplay /usr/bin/bash -c "/usr/local/bin/tcpreplay -i ${REPLAYIFACE} -M${REPLAYSPEED} $@" +if is_sensor; then + echo "Replaying PCAP(s) at ${REPLAYSPEED} Mbps on interface ${REPLAYIFACE}..." + docker exec so-tcpreplay /usr/bin/bash -c "/usr/local/bin/tcpreplay -i ${REPLAYIFACE} -M${REPLAYSPEED} $@" -echo "Replay completed. Warnings shown above are typically expected." + echo "Replay completed. Warnings shown above are typically expected." +elif is_manager; then + echo "The sensor nodes in this grid can now replay traffic." +else + echo "Unable to replay traffic since this node is not a sensor node." +fi diff --git a/setup/so-setup b/setup/so-setup index b4b0fd6ed..2cee0dc6a 100755 --- a/setup/so-setup +++ b/setup/so-setup 
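Review bot: The replay line in the second hunk expands `$@` inside the double-quoted command string handed to `bash -c`, so a pcap path containing spaces or shell metacharacters is re-split and re-interpreted inside the container; if the point is to let the container expand globs in its own filesystem, that deserves a comment, otherwise pass the arguments positionally: `docker exec so-tcpreplay /usr/bin/bash -c '/usr/local/bin/tcpreplay -i "$1" -M"$2" "${@:3}"' _ "${REPLAYIFACE}" "${REPLAYSPEED}" "$@"`. The `else` branches in both hunks only `echo` and fall through, so the script exits 0 on a node that cannot replay, which callers cannot distinguish from a successful replay; ending those branches with `exit 1` would fix that. The enclosing `if ! docker ps` block starts before the hunk.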
@@ -852,7 +852,7 @@ if [[ -n $SO_ERROR ]]; then else echo "Successfully completed setup! Continuing with post-installation steps" >> $setup_log 2>&1 { - [[ -n "$TESTING" && $is_sensor ]] && logCmd so-test + [[ -n "$TESTING" ]] && logCmd so-test export percentage=95 # set to last percentage used in previous subshell if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then From 0a1ab29d196edd085af90d5be9625c353ef7d434 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 13 Jan 2021 14:28:54 -0500 Subject: [PATCH 3/7] Add distributed airgap automation files --- setup/automation/distributed-airgap-manager | 78 +++++++++++++++++++++ setup/automation/distributed-airgap-search | 78 +++++++++++++++++++++ setup/automation/distributed-airgap-sensor | 78 +++++++++++++++++++++ 3 files changed, 234 insertions(+) create mode 100644 setup/automation/distributed-airgap-manager create mode 100644 setup/automation/distributed-airgap-search create mode 100644 setup/automation/distributed-airgap-sensor diff --git a/setup/automation/distributed-airgap-manager b/setup/automation/distributed-airgap-manager new file mode 100644 index 000000000..f44bbc231 --- /dev/null +++ b/setup/automation/distributed-airgap-manager 
@@ -0,0 +1,78 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +TESTING=true + +address_type=DHCP +ADMINUSER=onionuser +ADMINPASS1=onionuser +ADMINPASS2=onionuser +ALLOW_CIDR=0.0.0.0/0 +ALLOW_ROLE=a +BASICZEEK=7 +BASICSURI=7 +# BLOGS= +#BNICS=eth1 +ZEEKVERSION=ZEEK +# CURCLOSEDAYS= +# EVALADVANCED=BASIC +GRAFANA=1 +# HELIXAPIKEY= +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNSENSOR=inherit +HOSTNAME=distributed-manager +install_type=MANAGER +INTERWEBS=AIRGAP +# LSINPUTBATCHCOUNT= +# LSINPUTTHREADS= +# LSPIPELINEBATCH= +# LSPIPELINEWORKERS= +MANAGERADV=BASIC +MANAGERUPDATES=1 +# MDNS= +# MGATEWAY= +# MIP= +# MMASK= +MNIC=eth0 +# MSEARCH= +# MSRV= +# MTU= +NIDS=Suricata +# NODE_ES_HEAP_SIZE= +# NODE_LS_HEAP_SIZE= +NODESETUP=NODEBASIC +NSMSETUP=BASIC +NODEUPDATES=MANAGER +# OINKCODE= +OSQUERY=1 +# PATCHSCHEDULEDAYS= +# PATCHSCHEDULEHOURS= +PATCHSCHEDULENAME=auto +PLAYBOOK=1 +# REDIRECTHOST= +REDIRECTINFO=IP +RULESETUP=ETOPEN +# SHARDCOUNT= +# SKIP_REBOOT= +SOREMOTEPASS1=onionuser +SOREMOTEPASS2=onionuser +STRELKA=1 +THEHIVE=1 +WAZUH=1 +WEBUSER=onionuser@somewhere.invalid +WEBPASSWD1=0n10nus3r +WEBPASSWD2=0n10nus3r diff --git a/setup/automation/distributed-airgap-search b/setup/automation/distributed-airgap-search new file mode 100644 index 000000000..aec7afd31 --- /dev/null 
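Review bot: The new automation file commits working credentials in clear text (`ADMINPASS1=onionuser`, `SOREMOTEPASS1=onionuser`, `WEBPASSWD1=0n10nus3r`) next to `ALLOW_CIDR=0.0.0.0/0` and `ALLOW_ROLE=a`, and nothing in the file says it is a throwaway test fixture; the same applies to `distributed-airgap-search`, `distributed-airgap-sensor` and the `eval-*`/`standalone-*` files added in the fourth patch. A header comment such as `# Test-only answer file for unattended setup: every password here is a public placeholder and the analyst allow-list is world-open; do not reuse for a real deployment.` would make the intent explicit, and having the setup harness read the secrets from environment variables would keep them out of the repository entirely. `MSRVIP=10.66.166.42` in the search and sensor files likewise pins the manager to one lab address that will silently be wrong anywhere else.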
+++ b/setup/automation/distributed-airgap-search @@ -0,0 +1,78 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +TESTING=true + +address_type=DHCP +ADMINUSER=onionuser +ADMINPASS1=onionuser +ADMINPASS2=onionuser +# ALLOW_CIDR=0.0.0.0/0 +# ALLOW_ROLE=a +# BASICZEEK=7 +# BASICSURI=7 +# BLOGS= +# BNICS=eth1 +# ZEEKVERSION=ZEEK +# CURCLOSEDAYS= +# EVALADVANCED=BASIC +# GRAFANA=1 +# HELIXAPIKEY= +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNSENSOR=inherit +HOSTNAME=distributed-search +install_type=SEARCHNODE +# LSINPUTBATCHCOUNT= +# LSINPUTTHREADS= +# LSPIPELINEBATCH= +# LSPIPELINEWORKERS= +# MANAGERADV=BASIC +MANAGERUPDATES=1 +# MDNS= +# MGATEWAY= +# MIP= +# MMASK= +MNIC=eth0 +# MSEARCH= +MSRV=distributed-manager +MSRVIP=10.66.166.42 +# MTU= +# NIDS=Suricata +# NODE_ES_HEAP_SIZE= +# NODE_LS_HEAP_SIZE= +NODESETUP=NODEBASIC +NSMSETUP=BASIC +NODEUPDATES=MANAGER +# OINKCODE= +# OSQUERY=1 +# PATCHSCHEDULEDAYS= +# PATCHSCHEDULEHOURS= +PATCHSCHEDULENAME=auto +# PLAYBOOK=1 +# REDIRECTHOST= +# REDIRECTINFO=IP +# RULESETUP=ETOPEN +# SHARDCOUNT= +# SKIP_REBOOT= +SOREMOTEPASS1=onionuser +SOREMOTEPASS2=onionuser +# STRELKA=1 +# THEHIVE=1 +# WAZUH=1 +# WEBUSER=onionuser@somewhere.invalid +# WEBPASSWD1=0n10nus3r +# WEBPASSWD2=0n10nus3r 
diff --git a/setup/automation/distributed-airgap-sensor b/setup/automation/distributed-airgap-sensor new file mode 100644 index 000000000..4cc3f6a75 --- /dev/null +++ b/setup/automation/distributed-airgap-sensor 
@@ -0,0 +1,78 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +TESTING=true + +address_type=DHCP +ADMINUSER=onionuser +ADMINPASS1=onionuser +ADMINPASS2=onionuser +# ALLOW_CIDR=0.0.0.0/0 +# ALLOW_ROLE=a +BASICZEEK=2 +BASICSURI=2 +# BLOGS= +BNICS=eth1 +ZEEKVERSION=ZEEK +# CURCLOSEDAYS= +# EVALADVANCED=BASIC +# GRAFANA=1 +# HELIXAPIKEY= +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNSENSOR=inherit +HOSTNAME=distributed-sensor +install_type=SENSOR +# LSINPUTBATCHCOUNT= +# LSINPUTTHREADS= +# LSPIPELINEBATCH= +# LSPIPELINEWORKERS= +# MANAGERADV=BASIC +MANAGERUPDATES=1 +# MDNS= +# MGATEWAY= +# MIP= +# MMASK= +MNIC=eth0 +# MSEARCH= +MSRV=distributed-manager +MSRVIP=10.66.166.42 +# MTU= +# NIDS=Suricata +# NODE_ES_HEAP_SIZE= +# NODE_LS_HEAP_SIZE= +# NODESETUP=NODEBASIC +NSMSETUP=BASIC +NODEUPDATES=MANAGER +# OINKCODE= +# OSQUERY=1 +# PATCHSCHEDULEDAYS= +# PATCHSCHEDULEHOURS= +PATCHSCHEDULENAME=auto +# PLAYBOOK=1 +# REDIRECTHOST= +# REDIRECTINFO=IP +# RULESETUP=ETOPEN +# SHARDCOUNT= +# SKIP_REBOOT= +SOREMOTEPASS1=onionuser +SOREMOTEPASS2=onionuser +# STRELKA=1 +# THEHIVE=1 +# WAZUH=1 +# WEBUSER=onionuser@somewhere.invalid +# WEBPASSWD1=0n10nus3r +# WEBPASSWD2=0n10nus3r From 6d6779bba60249f071b04d83be4c44d0cac29e8a Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Wed, 13 Jan 2021 15:43:43 -0500 Subject: [PATCH 4/7] Added automation files for network eval/standalone installs; Reduced Zeek threads from 7 to 2 on all test nodes --- setup/automation/distributed-airgap-manager | 4 +- setup/automation/eval-airgap | 4 +- setup/automation/eval-ami | 4 +- setup/automation/eval-centos | 77 +++++++++++++++++++++ setup/automation/eval-iso | 4 +- setup/automation/eval-ubuntu | 77 +++++++++++++++++++++ setup/automation/standalone-airgap | 4 +- setup/automation/standalone-ami | 4 +- setup/automation/standalone-centos | 77 +++++++++++++++++++++ setup/automation/standalone-iso | 4 +- setup/automation/standalone-ubuntu | 77 +++++++++++++++++++++ 11 files changed, 322 insertions(+), 14 deletions(-) create mode 100644 setup/automation/eval-centos create mode 100644 setup/automation/eval-ubuntu create mode 100644 setup/automation/standalone-centos create mode 100644 setup/automation/standalone-ubuntu diff --git a/setup/automation/distributed-airgap-manager b/setup/automation/distributed-airgap-manager index f44bbc231..051212cdd 100644 --- a/setup/automation/distributed-airgap-manager +++ b/setup/automation/distributed-airgap-manager @@ -23,8 +23,8 @@ ADMINPASS1=onionuser ADMINPASS2=onionuser ALLOW_CIDR=0.0.0.0/0 ALLOW_ROLE=a -BASICZEEK=7 -BASICSURI=7 +BASICZEEK=2 +BASICSURI=2 # BLOGS= #BNICS=eth1 ZEEKVERSION=ZEEK diff --git a/setup/automation/eval-airgap b/setup/automation/eval-airgap index ce25a2784..4ab28a795 100644 --- a/setup/automation/eval-airgap +++ b/setup/automation/eval-airgap @@ -23,8 +23,8 @@ ADMINPASS1=onionuser ADMINPASS2=onionuser ALLOW_CIDR=0.0.0.0/0 ALLOW_ROLE=a -BASICZEEK=7 -BASICSURI=7 +BASICZEEK=2 +BASICSURI=2 # BLOGS= BNICS=eth1 ZEEKVERSION=ZEEK diff --git a/setup/automation/eval-ami b/setup/automation/eval-ami index 288bc7287..a1192c93e 100644 --- a/setup/automation/eval-ami +++ b/setup/automation/eval-ami 
@@ -23,8 +23,8 @@ ADMINPASS1=onionuser ADMINPASS2=onionuser ALLOW_CIDR=0.0.0.0/0 ALLOW_ROLE=a -BASICZEEK=7 -BASICSURI=7 +BASICZEEK=2 +BASICSURI=2 # BLOGS= BNICS=eth1 ZEEKVERSION=ZEEK diff --git a/setup/automation/eval-centos b/setup/automation/eval-centos new file mode 100644 index 000000000..d8df5631a --- /dev/null +++ b/setup/automation/eval-centos 
@@ -0,0 +1,77 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +TESTING=true + +# address_type=DHCP +ADMINUSER=onionuser +ADMINPASS1=onionuser +ADMINPASS2=onionuser +ALLOW_CIDR=0.0.0.0/0 +ALLOW_ROLE=a +BASICZEEK=2 +BASICSURI=2 +# BLOGS= +BNICS=eth1 +ZEEKVERSION=ZEEK +# CURCLOSEDAYS= +# EVALADVANCED=BASIC +GRAFANA=1 +# HELIXAPIKEY= +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNSENSOR=inherit +HOSTNAME=standalone +install_type=EVAL +# LSINPUTBATCHCOUNT= +# LSINPUTTHREADS= +# LSPIPELINEBATCH= +# LSPIPELINEWORKERS= +MANAGERADV=BASIC +MANAGERUPDATES=1 +# MDNS= +# MGATEWAY= +# MIP= +# MMASK= +MNIC=eth0 +# MSEARCH= +# MSRV= +# MTU= +NIDS=Suricata +# NODE_ES_HEAP_SIZE= +# NODE_LS_HEAP_SIZE= +NODESETUP=NODEBASIC +NSMSETUP=BASIC +NODEUPDATES=MANAGER +# OINKCODE= +OSQUERY=1 +# PATCHSCHEDULEDAYS= +# PATCHSCHEDULEHOURS= +PATCHSCHEDULENAME=auto +PLAYBOOK=1 +# REDIRECTHOST= +REDIRECTINFO=IP +RULESETUP=ETOPEN +# SHARDCOUNT= +# SKIP_REBOOT= +SOREMOTEPASS1=onionuser +SOREMOTEPASS2=onionuser +STRELKA=1 +THEHIVE=1 +WAZUH=1 +WEBUSER=onionuser@somewhere.invalid +WEBPASSWD1=0n10nus3r +WEBPASSWD2=0n10nus3r diff --git a/setup/automation/eval-iso b/setup/automation/eval-iso index 6e5560028..81b04b9dc 100644 --- a/setup/automation/eval-iso +++ b/setup/automation/eval-iso 
@@ -23,8 +23,8 @@ ADMINPASS1=onionuser ADMINPASS2=onionuser ALLOW_CIDR=0.0.0.0/0 ALLOW_ROLE=a -BASICZEEK=7 -BASICSURI=7 +BASICZEEK=2 +BASICSURI=2 # BLOGS= BNICS=eth1 ZEEKVERSION=ZEEK diff --git a/setup/automation/eval-ubuntu b/setup/automation/eval-ubuntu new file mode 100644 index 000000000..a6ec2edad --- /dev/null +++ b/setup/automation/eval-ubuntu 
@@ -0,0 +1,77 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +TESTING=true + +# address_type=DHCP +ADMINUSER=onionuser +ADMINPASS1=onionuser +ADMINPASS2=onionuser +ALLOW_CIDR=0.0.0.0/0 +ALLOW_ROLE=a +BASICZEEK=2 +BASICSURI=2 +# BLOGS= +BNICS=ens19 +ZEEKVERSION=ZEEK +# CURCLOSEDAYS= +# EVALADVANCED=BASIC +GRAFANA=1 +# HELIXAPIKEY= +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNSENSOR=inherit +HOSTNAME=standalone +install_type=STANDALONE +# LSINPUTBATCHCOUNT= +# LSINPUTTHREADS= +# LSPIPELINEBATCH= +# LSPIPELINEWORKERS= +MANAGERADV=BASIC +MANAGERUPDATES=1 +# MDNS= +# MGATEWAY= +# MIP= +# MMASK= +MNIC=ens18 +# MSEARCH= +# MSRV= +# MTU= +NIDS=Suricata +# NODE_ES_HEAP_SIZE= +# NODE_LS_HEAP_SIZE= +NODESETUP=NODEBASIC +NSMSETUP=BASIC +NODEUPDATES=MANAGER +# OINKCODE= +OSQUERY=1 +# PATCHSCHEDULEDAYS= +# PATCHSCHEDULEHOURS= +PATCHSCHEDULENAME=auto +PLAYBOOK=1 +# REDIRECTHOST= +REDIRECTINFO=IP +RULESETUP=ETOPEN +# SHARDCOUNT= +# SKIP_REBOOT= +SOREMOTEPASS1=onionuser +SOREMOTEPASS2=onionuser +STRELKA=1 +THEHIVE=1 +WAZUH=1 +WEBUSER=onionuser@somewhere.invalid +WEBPASSWD1=0n10nus3r +WEBPASSWD2=0n10nus3r diff --git a/setup/automation/standalone-airgap b/setup/automation/standalone-airgap index 9ed05a27e..df6dca6b2 100644 --- a/setup/automation/standalone-airgap +++ b/setup/automation/standalone-airgap 
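Review bot: `eval-ubuntu` sets `install_type=STANDALONE` (and `HOSTNAME=standalone`), so the "eval" Ubuntu run actually performs a standalone install; its blob id `a6ec2edad` matches `standalone-ubuntu` in the last file section of this patch, which confirms the two files are byte-identical. The CentOS counterpart earlier in the patch uses `install_type=EVAL`, so this line should read `install_type=EVAL`, with `HOSTNAME=eval` to match (the CentOS file also keeps `HOSTNAME=standalone` for an eval install, which looks like the same copy-and-paste).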
@@ -23,8 +23,8 @@ ADMINPASS1=onionuser ADMINPASS2=onionuser ALLOW_CIDR=0.0.0.0/0 ALLOW_ROLE=a -BASICZEEK=7 -BASICSURI=7 +BASICZEEK=2 +BASICSURI=2 # BLOGS= BNICS=eth1 ZEEKVERSION=ZEEK diff --git a/setup/automation/standalone-ami b/setup/automation/standalone-ami index d32e1fad7..d9e84ebe8 100644 --- a/setup/automation/standalone-ami +++ b/setup/automation/standalone-ami @@ -23,8 +23,8 @@ ADMINPASS1=onionuser ADMINPASS2=onionuser ALLOW_CIDR=0.0.0.0/0 ALLOW_ROLE=a -BASICZEEK=7 -BASICSURI=7 +BASICZEEK=2 +BASICSURI=2 # BLOGS= BNICS=eth1 ZEEKVERSION=ZEEK diff --git a/setup/automation/standalone-centos b/setup/automation/standalone-centos new file mode 100644 index 000000000..9d223fb4d --- /dev/null +++ b/setup/automation/standalone-centos 
@@ -0,0 +1,77 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +TESTING=true + +# address_type=DHCP +ADMINUSER=onionuser +ADMINPASS1=onionuser +ADMINPASS2=onionuser +ALLOW_CIDR=0.0.0.0/0 +ALLOW_ROLE=a +BASICZEEK=2 +BASICSURI=2 +# BLOGS= +BNICS=eth1 +ZEEKVERSION=ZEEK +# CURCLOSEDAYS= +# EVALADVANCED=BASIC +GRAFANA=1 +# HELIXAPIKEY= +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNSENSOR=inherit +HOSTNAME=standalone +install_type=STANDALONE +# LSINPUTBATCHCOUNT= +# LSINPUTTHREADS= +# LSPIPELINEBATCH= +# LSPIPELINEWORKERS= +MANAGERADV=BASIC +MANAGERUPDATES=1 +# MDNS= +# MGATEWAY= +# MIP= +# MMASK= +MNIC=eth0 +# MSEARCH= +# MSRV= +# MTU= +NIDS=Suricata +# NODE_ES_HEAP_SIZE= +# NODE_LS_HEAP_SIZE= +NODESETUP=NODEBASIC +NSMSETUP=BASIC +NODEUPDATES=MANAGER +# OINKCODE= +OSQUERY=1 +# PATCHSCHEDULEDAYS= +# PATCHSCHEDULEHOURS= +PATCHSCHEDULENAME=auto +PLAYBOOK=1 +# REDIRECTHOST= +REDIRECTINFO=IP +RULESETUP=ETOPEN +# SHARDCOUNT= +# SKIP_REBOOT= +SOREMOTEPASS1=onionuser +SOREMOTEPASS2=onionuser +STRELKA=1 +THEHIVE=1 +WAZUH=1 +WEBUSER=onionuser@somewhere.invalid +WEBPASSWD1=0n10nus3r +WEBPASSWD2=0n10nus3r diff --git a/setup/automation/standalone-iso b/setup/automation/standalone-iso index 0561a2883..15b21e2df 100644 --- a/setup/automation/standalone-iso +++ b/setup/automation/standalone-iso 
@@ -23,8 +23,8 @@ ADMINPASS1=onionuser ADMINPASS2=onionuser ALLOW_CIDR=0.0.0.0/0 ALLOW_ROLE=a -BASICZEEK=7 -BASICSURI=7 +BASICZEEK=2 +BASICSURI=2 # BLOGS= BNICS=eth1 ZEEKVERSION=ZEEK diff --git a/setup/automation/standalone-ubuntu b/setup/automation/standalone-ubuntu new file mode 100644 index 000000000..a6ec2edad --- /dev/null +++ b/setup/automation/standalone-ubuntu 
@@ -0,0 +1,77 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +TESTING=true + +# address_type=DHCP +ADMINUSER=onionuser +ADMINPASS1=onionuser +ADMINPASS2=onionuser +ALLOW_CIDR=0.0.0.0/0 +ALLOW_ROLE=a +BASICZEEK=2 +BASICSURI=2 +# BLOGS= +BNICS=ens19 +ZEEKVERSION=ZEEK +# CURCLOSEDAYS= +# EVALADVANCED=BASIC +GRAFANA=1 +# HELIXAPIKEY= +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNSENSOR=inherit +HOSTNAME=standalone +install_type=STANDALONE +# LSINPUTBATCHCOUNT= +# LSINPUTTHREADS= +# LSPIPELINEBATCH= +# LSPIPELINEWORKERS= +MANAGERADV=BASIC +MANAGERUPDATES=1 +# MDNS= +# MGATEWAY= +# MIP= +# MMASK= +MNIC=ens18 +# MSEARCH= +# MSRV= +# MTU= +NIDS=Suricata +# NODE_ES_HEAP_SIZE= +# NODE_LS_HEAP_SIZE= +NODESETUP=NODEBASIC +NSMSETUP=BASIC +NODEUPDATES=MANAGER +# OINKCODE= +OSQUERY=1 +# PATCHSCHEDULEDAYS= +# PATCHSCHEDULEHOURS= +PATCHSCHEDULENAME=auto +PLAYBOOK=1 +# REDIRECTHOST= +REDIRECTINFO=IP +RULESETUP=ETOPEN +# SHARDCOUNT= +# SKIP_REBOOT= +SOREMOTEPASS1=onionuser +SOREMOTEPASS2=onionuser +STRELKA=1 +THEHIVE=1 +WAZUH=1 +WEBUSER=onionuser@somewhere.invalid +WEBPASSWD1=0n10nus3r +WEBPASSWD2=0n10nus3r From b68685e00e6089b0ca165b8b7316b6f72d35a8b0 Mon Sep 17 00:00:00 2001 
From: William Wernert Date: Wed, 13 Jan 2021 17:26:27 -0500 Subject: [PATCH 5/7] [fix] Correct metadata function name --- setup/so-whiptail | 36 +++++++++++++----------------------- 1 file changed, 13 insertions(+), 23 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index f3e612f70..7bbc12042 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -65,17 +65,6 @@ whiptail_basic_zeek() { whiptail_check_exitstatus $exitstatus } -whiptail_zeek_version() { - - [ -n "$TESTING" ] && return - - ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 \ - "ZEEK" "Zeek (formerly known as Bro)" ON \ - "SURICATA" "Suricata" OFF 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} whiptail_bond_nics_mtu() { @@ -964,6 +953,19 @@ whiptail_manager_updates_warning() { whiptail_check_exitstatus $exitstatus } +whiptail_metadata_tool() { + + [ -n "$TESTING" ] && return + + ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 \ + "ZEEK" "Zeek (formerly known as Bro)" ON \ + "SURICATA" "Suricata" OFF 3>&1 1>&2 2>&3) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + +} + whiptail_nids() { [ -n "$TESTING" ] && return @@ -1582,15 +1584,3 @@ whiptail_zeek_pins() { IFS=' ' read -ra ZEEKPINS <<< "$ZEEKPINS" } - -whiptail_zeek_version() { - - [ -n "$TESTING" ] && return - - ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 "ZEEK" "Zeek (formerly known as Bro)" ON \ - "SURICATA" "Suricata" OFF 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} From 2ccf77eaef958c12d9f2369a5792006009e8d5bf Mon Sep 17 00:00:00 2001 
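Review bot: `whiptail_metadata_tool` still writes its answer to `ZEEKVERSION`, so after the rename the function name and the variable it sets no longer agree and the hunk gives no hint why; a one-line comment above the assignment, `# Stored in ZEEKVERSION: the variable the rest of setup reads for the metadata tool (confirm before renaming)`, would stop the next reader from "fixing" it. The diffstat shows only this file changing, so the rename relies on the call sites already using `whiptail_metadata_tool`; that is implied by the subject line rather than visible here, and a grep for any remaining `whiptail_zeek_version` reference before merging would be prudent. Removing both duplicate definitions is the right call.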
From: Jason Ertel Date: Wed, 13 Jan 2021 17:29:42 -0500 Subject: [PATCH 6/7] Rename network automation files --- setup/automation/{eval-centos => eval-net-centos} | 0 setup/automation/{eval-ubuntu => eval-net-ubuntu} | 0 setup/automation/{standalone-centos => standalone-net-centos} | 0 setup/automation/{standalone-ubuntu => standalone-net-ubuntu} | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename setup/automation/{eval-centos => eval-net-centos} (100%) rename setup/automation/{eval-ubuntu => eval-net-ubuntu} (100%) rename setup/automation/{standalone-centos => standalone-net-centos} (100%) rename setup/automation/{standalone-ubuntu => standalone-net-ubuntu} (100%) diff --git a/setup/automation/eval-centos b/setup/automation/eval-net-centos similarity index 100% rename from setup/automation/eval-centos rename to setup/automation/eval-net-centos diff --git a/setup/automation/eval-ubuntu b/setup/automation/eval-net-ubuntu similarity index 100% rename from setup/automation/eval-ubuntu rename to setup/automation/eval-net-ubuntu diff --git a/setup/automation/standalone-centos b/setup/automation/standalone-net-centos similarity index 100% rename from setup/automation/standalone-centos rename to setup/automation/standalone-net-centos diff --git a/setup/automation/standalone-ubuntu b/setup/automation/standalone-net-ubuntu similarity index 100% rename from setup/automation/standalone-ubuntu rename to setup/automation/standalone-net-ubuntu From 9d0dca05b118b17a1396df5f751bee470fe27b6a Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 13 Jan 2021 22:29:58 -0500 Subject: [PATCH 7/7] Adjusted logic on so-tcpreplay to handle init for standalone/eval nodes --- salt/common/tools/sbin/so-tcpreplay | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-tcpreplay b/salt/common/tools/sbin/so-tcpreplay index 8b81c32cf..e8e24a474 100755 --- a/salt/common/tools/sbin/so-tcpreplay +++ b/salt/common/tools/sbin/so-tcpreplay 
@@ -51,13 +51,12 @@ if ! docker ps | grep -q so-tcpreplay; then
 TRUSTED_CONTAINERS=("so-tcpreplay")
 mkdir -p /opt/so/log/tcpreplay
 update_docker_containers "tcpreplay" "" "" "/opt/so/log/tcpreplay/init.log"
- elif is_sensor; then
+ fi
+ if is_sensor; then
 if ! is_manager; then
 echo "Attempting to start replay container. If this fails then you may need to run this command on the manager first."
 fi
 so-tcpreplay-start || fail "Unable to initialize tcpreplay"
- else
- echo "Unable to enable replay functionality on this node type."
 fi
 fi
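Review bot: With the `elif` turned into a second `if`, a standalone or eval node now runs `update_docker_containers` and then `so-tcpreplay-start` in sequence, but the return status of `update_docker_containers` is never checked, so on an air-gapped host where the image cannot be obtained the failure surfaces only as the generic `Unable to initialize tcpreplay` from the next step. Guarding it, `update_docker_containers "tcpreplay" "" "" "/opt/so/log/tcpreplay/init.log" || fail "Unable to obtain the so-tcpreplay image; see /opt/so/log/tcpreplay/init.log"`, points the operator at the right log. Whether `update_docker_containers` returns non-zero on failure is not visible here; it is defined outside this patch. The enclosing `if ! docker ps` block begins before the hunk.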