diff --git a/README.md b/README.md index 944e7e5e6..2135066ad 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,17 @@ -# Security Onion Hybrid Hunter Tech Preview 1.0.7 +## Hybrid Hunter 1.0.8 ### Changes: + +- Suricata 4.1.4 +- Eval and Master installs now ask which components you would like to install +- Fleet (osquery) now has it's own additional setup script. [See the docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Configuring-Osquery-with-Security-Onion) +- Fleet setup script now generates auto install packages for Windows, CentOS, and Ubuntu +- When Fleet setup is completed, all SO nodes will auto install the appropriate auto install package +- We now have a progress bar during install! +- The setup script will now tell you if it was successful +- Added Grafana plugin Pie Chart +- The Hive Docker moved to Centos 7 based container +======= - Suricata 4.1.3 - Updated Influxdb to 1.7.5 - Updated Telegraf to 1.10.1 @@ -18,6 +29,7 @@ - Attempting to send a Bro event to The Hive that does not contain a source and destination IP (ex. Bro files, or X509) will result in an exception - a fix for this will be implemented in the next release. - If attempting to pivot from Kibana, ensure that you can resolve the master via DNS -- otherwise, populate your local hosts file with an entry to point to the master. + ### Warnings and Disclaimers - This technology PREVIEW is PRE-ALPHA, BLEEDING EDGE, and TOTALLY UNSUPPORTED! diff --git a/pillar/data/addtotab.sh b/pillar/data/addtotab.sh index 1a1ac7984..ad302607c 100644 --- a/pillar/data/addtotab.sh +++ b/pillar/data/addtotab.sh @@ -11,6 +11,8 @@ MANINT=$6 ROOTFS=$7 NSM=$8 MONINT=$9 +#NODETYPE=$10 +#HOTNAME=$11 echo "Seeing if this host is already in here. If so delete it" if grep -q $NAME "/opt/so/saltstack/pillar/data/$TYPE.sls"; then 
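Review bot: `#NODETYPE=$10` and `#HOTNAME=$11` will not do what they say once uncommented: the shell reads `$10` as `${1}0`, i.e. the first argument followed by a literal `0`, so positional parameters past `$9` need braces, `NODETYPE=${10}` and `HOTNAME=${11}`. The second hunk of this file then appends `$NODETYPE` and `$HOTNAME` to the pillar unquoted, in the same way the surrounding code uses `$NAME` and `$TYPE`; quoting them when this is enabled avoids word splitting on an unexpected value. `HOTNAME` may be a typo for HOSTNAME or may mean the hot-node name — I cannot tell from here, so a one-line comment saying which would help.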
@@ -49,3 +51,7 @@ if [ $TYPE == 'evaltab' ]; then salt-call state.apply common queue=True salt-call state.apply utility queue=True fi +#if [ $TYPE == 'nodestab' ]; then +# echo " nodetype: $NODETYPE" >> /opt/so/saltstack/pillar/data/$TYPE.sls +# echo " hotname: $HOTNAME" >> /opt/so/saltstack/pillar/data/$TYPE.sls +#fi diff --git a/salt/bro/init.sls b/salt/bro/init.sls index 285762a71..eada1103c 100644 --- a/salt/bro/init.sls +++ b/salt/bro/init.sls @@ -90,8 +90,14 @@ localbrosync: - group: 939 - template: jinja +so-communitybroimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-communitybro:HH1.0.3 + so-bro: docker_container.running: + - require: + - so-communitybroimage - image: soshybridhunter/so-communitybro:HH1.0.3 - privileged: True - binds: @@ -117,8 +123,14 @@ localbrosync: - group: 939 - template: jinja +so-broimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-bro:HH1.0.6 + so-bro: docker_container.running: + - require: + - so-broimage - image: soshybridhunter/so-bro:HH1.0.6 - privileged: True - binds: diff --git a/salt/common/grafana/grafana_dashboards/eval/eval.json b/salt/common/grafana/grafana_dashboards/eval/eval.json index 11efd3f98..8dd5532d1 100644 --- a/salt/common/grafana/grafana_dashboards/eval/eval.json +++ b/salt/common/grafana/grafana_dashboards/eval/eval.json @@ -3110,7 +3110,7 @@ "timeFrom": null, "timeRegions": [], "timeShift": null, - "title": "{{ SERVERNAME }} - Monitor Traffic", + "title": "{{ SERVERNAME }} - Management Traffic", "tooltip": { "msResolution": true, "shared": true, @@ -3862,7 +3862,7 @@ "condition": "AND", "key": "interface", "operator": "=", - "value": " {{ MANINT }}" + "value": "{{ MONINT }}" } ] }, @@ -3926,7 +3926,7 @@ "condition": "AND", "key": "interface", "operator": "=", - "value": "{{ MANINT }}" + "value": "{{ MONINT }}" } ] } 
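Review bot: `so-communitybroimage` is an unconditional `cmd.run`, so every highstate re-executes `docker pull` and reports the state as changed even when the pinned HH1.0.3 image is already present; the same pattern is added for `so-broimage` in the next hunk and for every `*image` state in salt/common, curator, elastalert, elasticsearch, filebeat, fleet, hive, idstools, kibana, logstash, master, mysql, pcap, redis, soctopus, suricata and wazuh. Keeping `--disable-content-trust=false` is worthwhile, since it makes the pull fail on an image that carries no valid signature; a guard such as `- unless: docker image inspect soshybridhunter/so-communitybro:HH1.0.3` would make the state idempotent for a pinned tag, at the cost of not re-pulling if that tag were ever re-pushed. The redis hunk also leaves the old `toosmooth/so-redis:test2: docker_image.present` state in place, where the idstools hunk removes its counterpart.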
@@ -3935,7 +3935,7 @@ "timeFrom": null, "timeRegions": [], "timeShift": null, - "title": "{{ SERVERNAME }} - Management Traffic", + "title": "{{ SERVERNAME }} - Monitor Traffic", "tooltip": { "msResolution": true, "shared": true, @@ -3984,10 +3984,10 @@ "fill": 1, "grid": {}, "gridPos": { - "h": 7, + "h": 6, "w": 8, - "x": 0, - "y": 29 + "x": 16, + "y": 15 }, "id": 15, "legend": { diff --git a/salt/common/init.sls b/salt/common/init.sls index 22e36d1d2..15ba20e83 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -101,9 +101,15 @@ nginxtmp: - makedirs: True # Start the core docker +so-coreimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-core:HH1.0.7 + so-core: docker_container.running: - - image: soshybridhunter/so-core:HH1.0.7 + - require: + - so-coreimage + - image: soshybridhunter/so-core:HH1.0.8 - hostname: so-core - user: socore - binds: @@ -114,7 +120,7 @@ so-core: - /opt/so/tmp/nginx/:/run:rw - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro - - /opt/so/conf/fleet/packages:/opt/so/html/packages + - /opt/so/conf/fleet/packages:/opt/socore/html/packages - cap_add: NET_BIND_SERVICE - port_bindings: - 80:80 @@ -155,8 +161,14 @@ tgrafconf: - template: jinja - source: salt://common/telegraf/etc/telegraf.conf +so-telegrafimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-telegraf:HH1.0.7 + so-telegraf: docker_container.running: + - require: + - so-telegrafimage - image: soshybridhunter/so-telegraf:HH1.0.7 - environment: - HOST_PROC=/host/proc @@ -210,8 +222,14 @@ influxdbconf: - template: jinja - source: salt://common/influxdb/etc/influxdb.conf +so-influximage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-influxdb:HH1.0.7 + so-influxdb: docker_container.running: + - require: + - so-influximage - image: soshybridhunter/so-influxdb:HH1.0.7 - hostname: influxdb - environment: 
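Review bot: `so-coreimage` pulls `soshybridhunter/so-core:HH1.0.7`, but the `so-core` container two lines below is bumped to `soshybridhunter/so-core:HH1.0.8`, so the `require` guarantees the wrong image is present and the content-trust-checked pull does not cover the image actually started; the name should read `docker pull --disable-content-trust=false soshybridhunter/so-core:HH1.0.8`. Later in the same file `so-grafana` is bumped to HH1.0.8 without any `so-grafanaimage` pull state, unlike every other container touched by this commit, so that image is pulled implicitly by the container state and without the content-trust flag.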
@@ -336,7 +354,7 @@ dashboard-{{ SN }}: - defaults: SERVERNAME: {{ SN }} MANINT: {{ SNDATA.manint }} - MONINT: {{ SNDATA.manint }} + MONINT: {{ SNDATA.monint }} CPUS: {{ SNDATA.totalcpus }} UID: {{ SNDATA.guid }} ROOTFS: {{ SNDATA.rootfs }} @@ -357,7 +375,7 @@ dashboard-{{ SN }}: - defaults: SERVERNAME: {{ SN }} MANINT: {{ SNDATA.manint }} - MONINT: {{ SNDATA.manint }} + MONINT: {{ SNDATA.monint }} CPUS: {{ SNDATA.totalcpus }} UID: {{ SNDATA.guid }} ROOTFS: {{ SNDATA.rootfs }} @@ -369,7 +387,7 @@ dashboard-{{ SN }}: # Install the docker. This needs to be behind nginx at some point so-grafana: docker_container.running: - - image: soshybridhunter/so-grafana:HH1.0.7 + - image: soshybridhunter/so-grafana:HH1.0.8 - hostname: grafana - user: socore - binds: diff --git a/salt/curator/init.sls b/salt/curator/init.sls index adbf4f6b0..7e6f01544 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -112,9 +112,14 @@ curdel: - month: '*' - dayweek: '*' +so-curatorimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-curator:HH1.0.3 so-curator: docker_container.running: + - require: + - so-curatorimage - image: soshybridhunter/so-curator:HH1.0.3 - hostname: curator - name: so-curator diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls index 28722fe01..298a56523 100644 --- a/salt/elastalert/init.sls +++ b/salt/elastalert/init.sls @@ -79,8 +79,14 @@ elastarules: # - group: 939 # - template: jinja +so-elastalertimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-elastalert:HH1.0.3 + so-elastalert: docker_container.running: + - require: + - so-elastalertimage - image: soshybridhunter/so-elastalert:HH1.0.3 - hostname: elastalert - name: so-elastalert diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 693cb3de0..3c6337afc 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls 
@@ -90,8 +90,14 @@ eslogdir: - group: 939 - makedirs: True +so-elasticsearchimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-elasticsearch:HH1.0.6 + so-elasticsearch: docker_container.running: + - require: + - so-elasticsearchimage - image: soshybridhunter/so-elasticsearch:HH1.0.6 - hostname: elasticsearch - name: so-elasticsearch @@ -143,8 +149,14 @@ freqlogdir: - group: 935 - makedirs: True +so-freqimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-freqserver:HH1.0.3 + so-freq: docker_container.running: + - require: + - so-freqimage - image: soshybridhunter/so-freqserver:HH1.0.3 - hostname: freqserver - name: so-freqserver @@ -179,8 +191,14 @@ dstatslogdir: - group: 939 - makedirs: True +so-domainstatsimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-domainstats:HH1.0.3 + so-domainstats: docker_container.running: + - require: + - so-domainstatsimage - image: soshybridhunter/so-domainstats:HH1.0.3 - hostname: domainstats - name: so-domainstats diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index 1396b34fb..d8abb6470 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls @@ -49,9 +49,14 @@ filebeatconfsync: # - name: /opt/so/conf/filebeat/etc/pki/filebeat.key # - source: salt://filebeat/files/filebeat.key +so-filebeatimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-filebeat:HH1.0.6 so-filebeat: docker_container.running: + - require: + - so-filebeatimage - image: soshybridhunter/so-filebeat:HH1.0.6 - hostname: so-filebeat - user: root diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 7ff009495..cfde43365 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls 
@@ -217,6 +217,17 @@ enable_masternode_mysql_3306_{{ip}}: - position: 1 - save: True +enable_master_osquery_8080_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: tcp + - source: {{ ip }} + - dport: 8080 + - position: 1 + - save: True + {% endfor %} # Make it so all the minions can talk to salt and update etc. @@ -277,6 +288,17 @@ enable_minions_influxdb_8086_{{ip}}: - position: 1 - save: True +enable_minion_osquery_8080_{{ip}}: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - proto: tcp + - source: {{ ip }} + - dport: 8080 + - position: 1 + - save: True + {% endfor %} # Allow Forward Nodes to send their beats traffic diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index f3a844ff3..2ec83502b 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -31,6 +31,16 @@ fleetlogdir: - group: 939 - makedirs: True +fleetsetupscript: + file.managed: + - name: /opt/so/conf/fleet/so-fleet-setup.sh + - source: salt://fleet/so-fleet-setup.sh + +osquerypackageswebpage: + file.managed: + - name: /opt/so/conf/fleet/packages/index.html + - source: salt://fleet/osquery-packages.html + fleetdb: mysql_database.present: - name: fleet @@ -49,8 +59,14 @@ fleetdbpriv: - user: fleetdbuser - host: 172.17.0.0/255.255.0.0 +so-fleetimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-fleet:HH1.0.6 + so-fleet: docker_container.running: + - require: + - so-fleetimage - image: soshybridhunter/so-fleet:HH1.0.6 - hostname: so-fleet - port_bindings: diff --git a/salt/fleet/osquery-packages.html b/salt/fleet/osquery-packages.html new file mode 100644 index 000000000..c94ba89b9 --- /dev/null +++ b/salt/fleet/osquery-packages.html @@ -0,0 +1,113 @@ + + + +Security Onion - Hybrid Hunter + + + + + + + + +
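Review bot: The new state IDs `enable_master_osquery_8080_{{ip}}` and `enable_minion_osquery_8080_{{ip}}` break the naming of their siblings (`enable_masternode_mysql_3306_{{ip}}`, `enable_minions_influxdb_8086_{{ip}}`), and nothing says what 8080 carries; a comment such as `# Fleet launcher enrollment endpoint (so-fleet-setup.sh points launcher at <master>:8080)` above each rule would make the intent visible without reading the setup script. The `{% for %}` loop that supplies `ip` starts outside both hunks, so I cannot tell from here which host list each rule opens 8080 to.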
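Review bot: `fleetsetupscript` manages `/opt/so/conf/fleet/so-fleet-setup.sh` without a `- mode`, so the script is laid down with whatever default mode Salt applies, which as far as I can see is not executable, while the script is meant to be run by the operator; add `    - mode: 755` as the sibling `wazuhagentregister` state in salt/wazuh/init.sls does. `osquerypackageswebpage` creates `/opt/so/conf/fleet/packages/index.html` with no `makedirs`, so it depends on that directory already existing, and so-fleet-setup.sh in turn does a plain `mkdir` of the same directory; one of the two should own the directory explicitly.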
+ Kibana + Grafana + Fleet + TheHive + Osquery Binaries + FAQ + Security Onion Solutions + Blog +
+ +
+ +

Osquery Packages


+ +

Notes

+ +

Downloads

+ + +

Known Issues

+ +

+
+ + + + diff --git a/salt/fleet/so-fleet-setup.sh b/salt/fleet/so-fleet-setup.sh new file mode 100644 index 000000000..85f8716e1 --- /dev/null +++ b/salt/fleet/so-fleet-setup.sh 
@@ -0,0 +1,49 @@
+#so-fleet-setup.sh $MasterIP $FleetEmail
+
+if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
+ echo "so-fleet container not running... Exiting..."
+ exit 1
+fi
+
+initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
+
+docker exec so-fleet fleetctl config set --address https://$1:443 --tls-skip-verify
+docker exec so-fleet fleetctl setup --email $2 --password $initpw
+
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
+docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml
+docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
+
+esecret=$(sudo docker exec so-fleet fleetctl get enroll-secret)
+
+#Concat fleet.crt & ca.crt - this is required for launcher connectivity
+cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/launcher.crt
+
+#Create the output directory
+mkdir /opt/so/conf/fleet/packages
+
+docker run \
+ --mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \
+ --mount type=bind,source=/etc/pki/launcher.crt,target=/var/launcher/launcher.crt \
+ soshybridhunter/so-fleet-launcher:HH1.0.8 "$esecret" "$1":8080
+
+cp /opt/so/conf/fleet/packages/launcher.* /opt/so/saltstack/salt/launcher/packages/
+#Update timestamp on packages webpage
+sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html
+sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/saltstack/salt/fleet/osquery-packages.html
+
+# Enable Fleet on all the other parts of the infrastructure
+sed -i 's/fleetsetup: 0/fleetsetup: 1/g' /opt/so/saltstack/pillar/static.sls
+
+# Install osquery locally
+#if cat /etc/os-release | grep -q 'debian'; then
+# dpkg -i /opt/so/conf/fleet/packages/launcher.deb
+#else
+# rpm -i 
/opt/so/conf/fleet/packages/launcher.rpm +#fi +echo "Installing launcher via salt" +salt-call state.apply launcher queue=True > /root/launcher.log +echo "Fleet Setup Complete - Login here: https://$1" +echo "Your username is $2 and your password is $initpw" diff --git a/salt/hive/init.sls b/salt/hive/init.sls index 371e790de..0fff5f488 100644 --- a/salt/hive/init.sls +++ b/salt/hive/init.sls @@ -30,8 +30,14 @@ hiveesdata: - user: 939 - group: 939 +so-thehive-esimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-thehive-es:HH1.0.7 + so-thehive-es: docker_container.running: + - require: + - so-thehive-esimage - image: soshybridhunter/so-thehive-es:HH1.0.7 - hostname: so-thehive-es - name: so-thehive-es @@ -60,16 +66,26 @@ so-thehive-es: # Install Cortex -so-cortex: - docker_container.running: - - image: thehiveproject/cortex:latest - - hostname: so-cortex - - name: so-cortex - - port_bindings: - - 0.0.0.0:9001:9001 +#so-corteximage: +# cmd.run: +# - name: docker pull --disable-content-trust=false soshybridhunter/so-cortex:HH1.0.3 + +#so-cortex: +# docker_container.running: +# - image: thehiveproject/cortex:latest +# - hostname: so-cortex +# - name: so-cortex +# - port_bindings: +# - 0.0.0.0:9001:9001 + +so-thehiveimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-thehive:HH1.0.7 so-thehive: docker_container.running: + - require: + - so-thehiveimage - image: soshybridhunter/so-thehive:HH1.0.7 - hostname: so-thehive - name: so-thehive diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 62a338769..17de745fb 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls 
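Review bot: `initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo)` derives the initial Fleet admin password from the current epoch second, so anyone who knows roughly when setup ran can recompute it from a small set of candidates; take it from the kernel CSPRNG instead, e.g. `initpw=$(tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 16)`, which is the construction so-setup-network.sh already uses for RANDOMUID. The password and the enroll secret are both passed on command lines (`fleetctl setup --password $initpw`, `docker run ... "$esecret"`), where they are readable by any local user through the process list, and `$1`/`$2` are unquoted throughout. `fleetctl config set ... --tls-skip-verify` turns off certificate checking for every later fleetctl call; with the IP subjectAltName that salt/ssl/init.sls now adds for the master this may no longer be necessary, worth confirming. `mkdir /opt/so/conf/fleet/packages` has no `-p`, so it errors when salt/fleet/init.sls has already created the directory for index.html (the script has no `set -e`, so it carries on), and `esecret=$(sudo docker exec ...)` is the only docker call here that goes through sudo.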
@@ -48,11 +48,14 @@ ruleslink: - name: /opt/so/saltstack/salt/suricata/rules - target: /opt/so/rules/nids -toosmooth/so-idstools:test2: - docker_image.present +so-idstoolsimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-idstools:HH1.0.3 so-idstools: docker_container.running: + - require: + - so-idstoolsimage - image: soshybridhunter/so-idstools:HH1.0.3 - hostname: so-idstools - user: socore diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index 050582c82..f1015410e 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -54,9 +54,15 @@ synckibanacustom: # File.Recurse for custom saved dashboards +so-kibanaimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-kibana:HH1.0.7 + # Start the kibana docker so-kibana: docker_container.running: + - require: + - so-kibanaimage - image: soshybridhunter/so-kibana:HH1.0.7 - hostname: kibana - user: kibana diff --git a/salt/launcher/init.sls b/salt/launcher/init.sls new file mode 100644 index 000000000..3ba9ad3a6 --- /dev/null +++ b/salt/launcher/init.sls @@ -0,0 +1,12 @@ +{%- set FLEETSETUP = salt['pillar.get']('static:fleetsetup', '0') -%} + +{%- if FLEETSETUP != 0 %} +launcherpkg: + pkg.installed: + - sources: + {% if grains['os'] == 'CentOS' %} + - launcher-final: salt://launcher/packages/launcher.rpm + {% elif grains['os'] == 'Ubuntu' %} + - launcher-final: salt://launcher/packages/launcher.deb + {% endif %} +{%- endif %} diff --git a/salt/launcher/packages/info.txt b/salt/launcher/packages/info.txt new file mode 100644 index 000000000..5529d123c --- /dev/null +++ b/salt/launcher/packages/info.txt @@ -0,0 +1 @@ +Fleet Packages will be copied to this folder diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index a583338ce..eff920150 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls 
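Review bot: `{%- set FLEETSETUP = salt['pillar.get']('static:fleetsetup', '0') -%}` defaults to the string `'0'` while the guard below compares against the integer `0`; in Jinja `'0' != 0` is true, so on a minion whose pillar lacks `static:fleetsetup` the `launcherpkg` state is rendered and `pkg.installed` will try to fetch a launcher.rpm/.deb that so-fleet-setup.sh has not generated yet. Use an integer default, `salt['pillar.get']('static:fleetsetup', 0)`, or compare against the string. The new `GRAFANA` and `THEHIVE` lines in salt/top.sls have the same `'0'` default against `!= 0` comparisons (as do the pre-existing OSQUERY/WAZUH ones), so a missing `master:*` key enables the component rather than disabling it. On an OS other than CentOS or Ubuntu the `sources` list renders empty, which I would expect pkg.installed to reject; a comment or an explicit else branch would make that intentional.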
@@ -146,9 +146,14 @@ lslogdir: - makedirs: True # Add the container +so-logstashimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-logstash:HH1.0.6 so-logstash: docker_container.running: + - require: + - so-logstashimage - image: soshybridhunter/so-logstash:HH1.0.6 - hostname: so-logstash - name: so-logstash diff --git a/salt/master/init.sls b/salt/master/init.sls index 8f20ef69f..b6d240863 100644 --- a/salt/master/init.sls +++ b/salt/master/init.sls @@ -46,9 +46,15 @@ acngcopyconf: - name: /opt/so/conf/aptcacher-ng/etc/acng.conf - source: salt://master/files/acng/acng.conf +so-acngimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-acng:HH1.0.7 + # Install the apt-cacher-ng container so-aptcacherng: docker_container.running: + - require: + - so-acngimage - image: soshybridhunter/so-acng:HH1.0.7 - hostname: so-acng - port_bindings: diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index b1e875578..f956a37bc 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -48,8 +48,14 @@ mysqldatadir: - group: 939 - makedirs: True +so-mysqlimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-mysql:HH1.0.7 + so-mysql: docker_container.running: + - require: + - so-mysqlimage - image: soshybridhunter/so-mysql:HH1.0.7 - hostname: so-mysql - user: socore diff --git a/salt/pcap/init.sls b/salt/pcap/init.sls index 26fdf2910..bb381cb10 100644 --- a/salt/pcap/init.sls +++ b/salt/pcap/init.sls @@ -85,8 +85,14 @@ stenolog: - group: 941 - makedirs: True +so-stenoimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-steno:HH1.0.3 + so-steno: docker_container.running: + - require: + - so-stenoimage - image: soshybridhunter/so-steno:HH1.0.3 - network_mode: host - privileged: True diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 6dfbb473d..369f39966 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls 
@@ -47,8 +47,14 @@ redisconfsync: toosmooth/so-redis:test2: docker_image.present +so-redisimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-redis:HH1.0.7 + so-redis: docker_container.running: + - require: + - so-redisimage - image: soshybridhunter/so-redis:HH1.0.7 - hostname: so-redis - user: socore diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 3902124e9..ed2ce8900 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -13,9 +13,15 @@ soctopussync: - group: 939 - template: jinja +so-soctopusimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-soctopus:HH1.0.8 + so-soctopus: docker_container.running: - - image: soshybridhunter/so-soctopus:HH1.0.7 + - require: + - so-soctopusimage + - image: soshybridhunter/so-soctopus:HH1.0.8 - hostname: soctopus - name: so-soctopus - binds: diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index a2d2b613f..841fc32ff 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -1,4 +1,5 @@ {% set master = salt['grains.get']('master') %} +{%- set masterip = salt['pillar.get']('static:masterip', '') -%} # Trust the CA @@ -109,6 +110,7 @@ fbcrtlink: x509.certificate_managed: - signing_private_key: /etc/pki/fleet.key - CN: {{ master }} + - subjectAltName: DNS:{{ master }},IP:{{ masterip }} - days_remaining: 0 - days_valid: 3650 - backup: True diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 48106a83a..0453988f0 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -70,9 +70,15 @@ suriconfigsync: - group: 940 - template: jinja +so-suricataimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-suricata:HH1.0.8 + so-suricata: docker_container.running: - - image: soshybridhunter/so-suricata:HH1.0.7 + - require: + - so-suricataimage + - image: soshybridhunter/so-suricata:HH1.0.8 - privileged: True - environment: - INTERFACE={{ interface }} 
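Review bot: `- subjectAltName: DNS:{{ master }},IP:{{ masterip }}` renders as `IP:` with nothing after it whenever `static:masterip` is absent, because the new `masterip` variable defaults to `''`, and I would expect x509.certificate_managed to reject that SAN; make the IP entry conditional, `- subjectAltName: DNS:{{ master }}{% if masterip %},IP:{{ masterip }}{% endif %}`, or drop the empty default so a missing pillar key fails loudly. Once this SAN is in place the fleet certificate verifies by IP as well as name, which is what would let the `--tls-skip-verify` in salt/fleet/so-fleet-setup.sh be removed — worth checking that the two changes are meant to go together.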
diff --git a/salt/top.sls b/salt/top.sls index 2a34c7548..0b22afa03 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -1,6 +1,8 @@ -{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} -{%- set OSQUERY = salt['pillar.get']('master:osquery', '0') %} -{%- set WAZUH = salt['pillar.get']('master:wazuh', '0') %} +{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') -%} +{%- set OSQUERY = salt['pillar.get']('master:osquery', '0') -%} +{%- set WAZUH = salt['pillar.get']('master:wazuh', '0') -%} +{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') -%} +{%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%} base: 'G@role:so-sensor': - ca @@ -14,6 +16,9 @@ base: {%- endif %} - wazuh - filebeat + {%- if OSQUERY != 0 %} + - launcher + {%- endif %} - schedule 'G@role:so-eval': @@ -37,6 +42,7 @@ base: {%- if OSQUERY != 0 %} - fleet - redis + - launcher {%- endif %} {%- if WAZUH != 0 %} - wazuh @@ -45,6 +51,9 @@ base: - utility - schedule - soctopus + {%- if THEHIVE != 0 %} + - hive + {%- endif %} 'G@role:so-master': @@ -55,17 +64,28 @@ base: - master - idstools - redis + {%- if OSQUERY != 0 %} - mysql + {%- endif %} - elasticsearch - logstash - kibana - elastalert + {%- if WAZUH != 0 %} - wazuh + {%- endif %} - filebeat - utility - schedule + {%- if OSQUERY != 0 %} - fleet + - launcher + {%- endif %} - soctopus + {%- if THEHIVE != 0 %} + - hive + {%- endif %} + # Storage node logic @@ -74,6 +94,9 @@ base: - common - firewall - logstash + {%- if OSQUERY != 0 %} + - launcher + {%- endif %} - schedule 'G@role:so-node and I@node:node_type:hot': @@ -83,6 +106,9 @@ base: - logstash - elasticsearch - curator + {%- if OSQUERY != 0 %} + - launcher + {%- endif %} - schedule 'G@role:so-node and I@node:node_type:warm': @@ -90,6 +116,9 @@ base: - common - firewall - elasticsearch + {%- if OSQUERY != 0 %} + - launcher + {%- endif %} - schedule 'G@role:so-node and I@node:node_type:storage': 
@@ -101,8 +130,13 @@ base: - logstash - elasticsearch - curator + {%- if WAZUH != 0 %} - wazuh + {%- endif %} - filebeat + {%- if OSQUERY != 0 %} + - launcher + {%- endif %} - schedule 'G@role:mastersensor': @@ -110,4 +144,7 @@ base: - firewall - sensor - master + {%- if OSQUERY != 0 %} + - launcher + {%- endif %} - schedule diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 4e5c136b5..eb0fa5cb9 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -56,8 +56,14 @@ wazuhagentregister: - mode: 755 - template: jinja +so-wazuhimage: + cmd.run: + - name: docker pull --disable-content-trust=false soshybridhunter/so-wazuh:HH1.0.7 + so-wazuh: docker_container.running: + - require: + - so-wazuhimage - image: soshybridhunter/so-wazuh:HH1.0.7 - hostname: {{HOSTNAME}}-wazuh-manager - name: so-wazuh diff --git a/so-setup-network.sh b/so-setup-network.sh index dde654eb3..b61f81f8f 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -24,19 +24,22 @@ LISTCORES=$(cat /proc/cpuinfo | grep processor | awk '{print $3 " \"" "core" "\" RANDOMUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) NODE_ES_PORT="9200" +# Reset the Install Log +date -u >~/sosetup.log 2>&1 + # End Global Variable Section # Functions accept_salt_key_local() { - + echo "Accept the key locally on the master" >>~/sosetup.log 2>&1 # Accept the key locally on the master salt-key -ya $HOSTNAME } accept_salt_key_remote() { - + echo "Accept the key remotely on the master" >>~/sosetup.log 2>&1 # Delete the key just in case. ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $HOSTNAME -y salt-call state.apply ca @@ -45,6 +48,7 @@ accept_salt_key_remote() { } add_master_hostfile() { + echo "Checking if I can resolve master. If not add to hosts file" >>~/sosetup.log 2>&1 # Pop up an input to get the IP address local MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3) 
@@ -56,6 +60,7 @@ add_master_hostfile() { } add_socore_user_master() { + echo "Add socore on the master" >>~/sosetup.log 2>&1 if [ $OS == 'centos' ]; then local ADDUSER=adduser else @@ -70,7 +75,7 @@ add_socore_user_master() { } add_socore_user_notmaster() { - + echo "Add socore user on non master" >>~/sosetup.log 2>&1 # Add socore user to the non master system. Probably not a bad idea to make system user groupadd --gid 939 socore $ADDUSER --uid 939 --gid 939 --home-dir /opt/so --no-create-home socore @@ -81,7 +86,7 @@ add_socore_user_notmaster() { auth_pillar(){ if [ ! -f /opt/so/saltstack/pillar/auth.sls ]; then - echo "Creating Auth Pillar" + echo "Creating Auth Pillar" >>~/sosetup.log 2>&1 mkdir -p /opt/so/saltstack/pillar echo "auth:" >> /opt/so/saltstack/pillar/auth.sls echo " mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/auth.sls @@ -92,6 +97,7 @@ auth_pillar(){ # Enable Bro Logs bro_logs_enabled() { + echo "Enabling Bro Logs" >>~/sosetup.log 2>&1 echo "brologs:" > pillar/brologs.sls echo " enabled:" >> pillar/brologs.sls @@ -157,12 +163,13 @@ calculate_useable_cores() { } checkin_at_boot() { + echo "Enabling checkin at boot" >>~/sosetup.log 2>&1 echo "startup_states: highstate" >> /etc/salt/minion } chown_salt_master() { - # Chown the salt dirs on the master for socore + echo "Chown the salt dirs on the master for socore" >>~/sosetup.log 2>&1 chown -R socore:socore /opt/so } @@ -171,6 +178,7 @@ clear_master() { # Clear out the old master public key in case this is a re-install. # This only happens if you re-install the master. if [ -f /etc/salt/pki/minion/minion_master.pub ]; then + echo "Clearing old master key" >>~/sosetup.log 2>&1 rm /etc/salt/pki/minion/minion_master.pub service salt-minion restart fi 
@@ -181,7 +189,7 @@ configure_minion() { # You have to pass the TYPE to this function so it knows if its a master or not local TYPE=$1 - echo "Configuring minion type as $TYPE" + echo "Configuring minion type as $TYPE" >>~/sosetup.log 2>&1 touch /etc/salt/grains echo "role: so-$TYPE" > /etc/salt/grains if [ $TYPE == 'master' ] || [ $TYPE == 'eval' ]; then @@ -221,7 +229,7 @@ copy_minion_pillar() { local TYPE=$1 # Copy over the pillar - echo "Copying the pillar over" + echo "Copying the pillar over" >>~/sosetup.log 2>&1 scp -v -i /root/.ssh/so.key $TMP/$HOSTNAME.sls socore@$MSRV:/opt/so/saltstack/pillar/$TYPE/$HOSTNAME.sls } @@ -240,7 +248,7 @@ copy_ssh_key() { create_bond() { # Create the bond interface - echo "Setting up Bond" + echo "Setting up Bond" >>~/sosetup.log 2>&1 # Set the MTU if [ $NSMSETUP != 'ADVANCED' ]; then @@ -269,17 +277,17 @@ create_bond() { echo "SLAVE=yes" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC echo "MTU=$MTU" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC done - nmcli con reload - systemctl restart network + nmcli con reload >>~/sosetup.log 2>&1 + systemctl restart network >>~/sosetup.log 2>&1 else # Need to add 17.04 support still - apt-get -y install ifenslave + apt-get -y install ifenslave >>~/sosetup.log 2>&1 if ! grep -q bonding /etc/modules; then echo "bonding" >> /etc/modules fi - modprobe bonding + modprobe bonding >>~/sosetup.log 2>&1 local LBACK=$(awk '/auto lo/,/^$/' /etc/network/interfaces) local MINT=$(awk "/auto $MNIC/,/^$/" /etc/network/interfaces) 
@@ -311,7 +319,7 @@ create_bond() { echo "iface $BNIC inet manual" >> /etc/network/interfaces.d/$BNIC echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/$BNIC echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/$BNIC - echo " post-up ethtool -G \$IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/$BNIC + echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/$BNIC echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/$BNIC echo " bond-master bond0" >> /etc/network/interfaces.d/$BNIC echo " mtu $MTU" >> /etc/network/interfaces.d/$BNIC @@ -327,7 +335,7 @@ create_bond() { echo " mtu $MTU" >> /etc/network/interfaces.d/bond0 echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/bond0 echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/bond0 - echo " post-up ethtool -G \$IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/bond0 + echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/bond0 echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/bond0 fi @@ -336,14 +344,14 @@ create_bond() { detect_os() { # Detect Base OS - echo "Detecting Base OS" + echo "Detecting Base OS" >>~/sosetup.log 2>&1 if [ -f /etc/redhat-release ]; then OS=centos yum -y install bind-utils elif [ -f /etc/os-release ]; then OS=ubuntu else - echo "We were unable to determine if you are using a supported OS." + echo "We were unable to determine if you are using a supported OS." >>~/sosetup.log 2>&1 exit fi 
@@ -358,7 +366,7 @@ docker_install() { yum -y update yum -y install docker-ce docker-python python-docker docker_registry - echo "Restarting Docker" + echo "Restarting Docker" >>~/sosetup.log 2>&1 systemctl restart docker systemctl enable docker @@ -366,17 +374,17 @@ docker_install() { if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then apt-get update >>~/sosetup.log 2>&1 apt-get -y install docker-ce >>~/sosetup.log 2>&1 - docker_registry - echo "Restarting Docker" - systemctl restart docker + docker_registry >>~/sosetup.log 2>&1 + echo "Restarting Docker" >>~/sosetup.log 2>&1 + systemctl restart docker >>~/sosetup.log 2>&1 else - apt-key add $TMP/gpg/docker.pub - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" + apt-key add $TMP/gpg/docker.pub >>~/sosetup.log 2>&1 + add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >>~/sosetup.log 2>&1 apt-get update >>~/sosetup.log 2>&1 apt-get -y install docker-ce >>~/sosetup.log 2>&1 - docker_registry - echo "Restarting Docker" - systemctl restart docker + docker_registry >>~/sosetup.log 2>&1 + echo "Restarting Docker" >>~/sosetup.log 2>&1 + systemctl restart docker >>~/sosetup.log 2>&1 fi fi @@ -384,13 +392,13 @@ docker_install() { docker_registry() { - echo "Setting up Docker Registry" - mkdir -p /etc/docker + echo "Setting up Docker Registry" >>~/sosetup.log 2>&1 + mkdir -p /etc/docker >>~/sosetup.log 2>&1 # Make the host use the master docker registry echo "{" > /etc/docker/daemon.json echo " \"registry-mirrors\": [\"https://$MSRV:5000\"]" >> /etc/docker/daemon.json echo "}" >> /etc/docker/daemon.json - echo "Docker Registry Setup - Complete" + echo "Docker Registry Setup - Complete" >>~/sosetup.log 2>&1 } 
@@ -489,7 +497,7 @@ install_master() { # Install the salt master package if [ $OS == 'centos' ]; then - yum -y install wget salt-common salt-master + yum -y install wget salt-common salt-master >>~/sosetup.log 2>&1 # Create a place for the keys for Ubuntu minions mkdir -p /opt/so/gpg @@ -535,27 +543,6 @@ master_pillar() { echo " ls_input_threads: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls echo " ls_batch_count: 125" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls echo " mtu: 1500" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - if [ $EVALADVANCED == 'ADVANCED' ]; then - if [ $EVALGRAFANA == '0' ]; then - echo " grafana: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - else - echo " grafana: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - fi - if [ $EVALOSQUERY == '0' ]; then - echo " osquery: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - else - echo " osquery: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - fi - if [ $EVALWAZUH == '0' ]; then - echo " wazuh: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - else - echo " wazuh: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - fi - else - echo " grafana: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " osquery: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - echo " wazuh: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls - fi else echo " freq: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls 
@@ -574,7 +561,10 @@ master_pillar() {
 echo " cur_close_days: $CURCLOSEDAYS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
 #echo " mysqlpass: $MYSQLPASS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
 #echo " fleetpass: $FLEETPASS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
-
+ echo " grafana: $GRAFANA" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
+ echo " osquery: $OSQUERY" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
+ echo " wazuh: $WAZUH" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
+ echo " thehive: $THEHIVE" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
 }
 master_static() {
@@ -592,6 +582,7 @@ master_static() {
 echo " hiveuser: hiveadmin" >> /opt/so/saltstack/pillar/static.sls
 echo " hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls
 echo " hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls
+ echo " fleetsetup: 0" >> /opt/so/saltstack/pillar/static.sls
 if [[ $MASTERUPDATES == 'MASTER' ]]; then
 echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls
 else
@@ -630,6 +621,20 @@ node_pillar() {
 }
+process_components() {
+ CLEAN=${COMPONENTS//\"}
+ GRAFANA=0
+ OSQUERY=0
+ WAZUH=0
+ THEHIVE=0
+
+ IFS=$' '
+ for item in $(echo "$CLEAN"); do
+ let $item=1
+ done
+ unset IFS
+}
+
 saltify() {
 # Install updates and Salt
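Review bot: `let $item=1` in `process_components` hands each checklist tag to the shell's arithmetic evaluator, so the assignment only works while every tag happens to be a bare identifier and will evaluate an unintended expression, or fail, for anything else; a `case` whitelist assigns the four known flags explicitly and rejects unknown input instead. The `IFS=$' '` / `unset IFS` pair and the `$(echo "$CLEAN")` are unnecessary because the default IFS already splits on spaces, and `unset IFS` also discards any IFS the script had set earlier. Be aware that when the checklist dialog is cancelled, `COMPONENTS` is empty and every component is silently written to the pillar as `0` by the `master_pillar` hunk above; nothing in this function can tell "nothing selected" from "dialog aborted".
```shell
process_components() {
  # Strip the quotes whiptail puts around each selected tag.
  CLEAN=${COMPONENTS//\"}
  GRAFANA=0
  OSQUERY=0
  WAZUH=0
  THEHIVE=0

  # Only the tags offered by whiptail_enable_components are accepted.
  for item in $CLEAN; do
    case "$item" in
      GRAFANA) GRAFANA=1 ;;
      OSQUERY) OSQUERY=1 ;;
      WAZUH)   WAZUH=1 ;;
      THEHIVE) THEHIVE=1 ;;
      *) echo "process_components: ignoring unknown component '$item'" >&2 ;;
    esac
  done
}
```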
@@ -863,25 +868,25 @@ salt_checkin() {
 # Master State to Fix Mine Usage
 if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
 echo "Building Certificate Authority"
- salt-call state.apply ca
+ salt-call state.apply ca >>~/sosetup.log 2>&1
 echo " *** Restarting Salt to fix any SSL errors. ***"
- service salt-master restart
+ service salt-master restart >>~/sosetup.log 2>&1
 sleep 5
- service salt-minion restart
+ service salt-minion restart >>~/sosetup.log 2>&1
 sleep 15
 echo " Applyng a mine hack "
- sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt
+ sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >>~/sosetup.log 2>&1
 echo " Applying SSL state "
- salt-call state.apply ssl
+ salt-call state.apply ssl >>~/sosetup.log 2>&1
 echo "Still Working... Hang in there"
- salt-call state.highstate
+ #salt-call state.highstate
 else
 # Run Checkin
- salt-call state.apply ca
- salt-call state.apply ssl
- salt-call state.highstate
+ salt-call state.apply ca >>~/sosetup.log 2>&1
+ salt-call state.apply ssl >>~/sosetup.log 2>&1
+ #salt-call state.highstate >>~/sosetup.log 2>&1
 fi
@@ -1145,6 +1150,14 @@ whiptail_cur_close_days() {
 whiptail_check_exitstatus $exitstatus
 }
+whiptail_enable_components() {
+ COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \
+ "Select Components to install" 20 78 8 \
+ "GRAFANA" "Enable Grafana for system monitoring" ON \
+ "OSQUERY" "Enable Fleet with osquery" ON \
+ "WAZUH" "Enable Wazuh" ON \
+ "THEHIVE" "Enable TheHive" ON 3>&1 1>&2 2>&3 )
+}
 whiptail_eval_adv() {
 EVALADVANCED=$(whiptail --title "Security Onion Setup" --radiolist \
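Review bot: Both `salt-call state.highstate` calls in `salt_checkin` are commented out rather than removed, which leaves an `else` branch that now only applies `ca` and `ssl` and a `Still Working... Hang in there` message that precedes nothing; the install paths in this diff run the highstate themselves, so delete the two `#salt-call state.highstate` lines and the stale echo instead of carrying dead code. The function's own `echo` lines are still unredirected, so the new callers are correct to wrap the whole call in `>>~/sosetup.log 2>&1` — a caller that forgets would feed those lines to the progress gauge's stdin. The start of salt_checkin lies before this hunk.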
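Review bot: `whiptail_enable_components` never checks whiptail's exit status, unlike the neighbouring dialogs (the hunk's leading context shows `whiptail_cur_close_days` ending with `whiptail_check_exitstatus $exitstatus`), so pressing Cancel or Esc leaves `COMPONENTS` empty and the install proceeds silently with every optional component disabled. Add `local exitstatus=$?` directly after the command substitution and `whiptail_check_exitstatus $exitstatus` before the closing brace, matching the other dialogs.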
@@ -1153,24 +1166,6 @@ whiptail_eval_adv() {
 "ADVANCED" "Choose additional components to be installed" OFF 3>&1 1>&2 2>&3 )
 }
-whiptail_eval_adv_service_grafana() {
- whiptail --title "Eval Advanced Setup" --yesno "Would you like to enable Grafana for detailed monitoring?" 8 78
- local exitstatus=$?
- EVALGRAFANA=$exitstatus
-}
-
-whiptail_eval_adv_service_osquery() {
- whiptail --title "Eval Advanced Setup" --yesno "Would you like to enable OSquery for client monitoring?" 8 78
- local exitstatus=$?
- EVALOSQUERY=$exitstatus
-}
-
-whiptail_eval_adv_service_wazuh() {
- whiptail --title "Eval Advanced Setup" --yesno "Would you like to enable Wazuh for client monitoring?" 8 78
- local exitstatus=$?
- EVALWAZUH=$exitstatus
-}
-
 whiptail_eval_adv_warning() {
 whiptail --title "Security Onion Setup" --msgbox "Please keep in mind the more services that you enable the more RAM that is required." 8 78
 }
@@ -1349,23 +1344,6 @@ whiptail_master_adv_service_brologs() {
 "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
 }
-whiptail_master_adv_service_grafana() {
- echo "blah"
-}
-
-whiptail_master_adv_service_osquery() {
- #MOSQ=$()
- echo "blah"
-
-}
-
-whiptail_master_adv_service_wazuh() {
- echo "blah"
-}
-
-
-
-
 whiptail_network_notice() {
 whiptail --title "Security Onion Setup" --yesno "Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. Hit YES to continue." 8 78
@@ -1484,6 +1462,14 @@ whiptail_setup_complete() {
 }
+whiptail_setup_failed() {
+
+ whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see /root/sosetup.log for details" 8 78
+ install_cleanup
+ exit
+
+}
+
 whiptail_shard_count() {
 SHARDCOUNT=$(whiptail --title "Security Onion Setup" --inputbox \
@@ -1602,6 +1588,8 @@ if (whiptail_you_sure); then
 # Find out how to handle updates
 whiptail_master_updates
+ whiptail_enable_components
+ process_components
 # Do Advacned Setup if they chose it
 if [ $MASTERADV == 'ADVANCED' ]; then
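Review bot: `whiptail_setup_failed` ends with a bare `exit`, which returns the status of the preceding `install_cleanup` call, so a failed install can still hand a zero exit code to whoever (or whatever automation) ran the script; make it `exit 1`. The message points the user at `/root/sosetup.log`, so `install_cleanup` — defined outside this diff — must leave that file in place; a comment such as `# install_cleanup must not remove /root/sosetup.log, the user is told to read it` would protect that assumption. Minor: the blank lines around the body do not match the other whiptail helpers in this file.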
@@ -1609,9 +1597,6 @@ if (whiptail_you_sure); then
 if [ $BROVERSION != 'SURICATA' ]; then
 whiptail_master_adv_service_brologs
 fi
- whiptail_master_adv_service_osquery
- whiptail_master_adv_service_grafana
- whiptail_master_adv_service_wazuh
 fi
 # Last Chance to back out
@@ -1635,60 +1620,91 @@ if (whiptail_you_sure); then
 add_socore_user_master
 # Install salt and dependencies
- echo " ** Installing Salt and Dependencies **"
- saltify >>~/sosetup.log 2>&1
- docker_install
+ {
+ sleep 0.5
+ echo -e "XXX\n0\nInstalling and configuring Salt... \nXXX"
+ echo " ** Installing Salt and Dependencies **" >>~/sosetup.log
+ saltify >>~/sosetup.log 2>&1
+ echo -e "XXX\n5\nInstalling Docker... \nXXX"
+ docker_install >>~/sosetup.log 2>&1
+ echo -e "XXX\n10\nConfiguring Salt Master... \nXXX"
+ echo " ** Configuring Minion **" >>~/sosetup.log
+ configure_minion master >>~/sosetup.log 2>&1
+ echo " ** Installing Salt Master **" >>~/sosetup.log
+ install_master >>~/sosetup.log 2>&1
+ salt_master_directories >>~/sosetup.log 2>&1
+ update_sudoers >>~/sosetup.log 2>&1
+ chown_salt_master >>~/sosetup.log 2>&1
+ es_heapsize >>~/sosetup.log 2>&1
+ ls_heapsize >>~/sosetup.log 2>&1
+ echo -e "XXX\n25\nConfiguring Default Pillars... \nXXX"
+ master_static >>~/sosetup.log 2>&1
+ echo "** Generating the master pillar **" >>~/sosetup.log
+ master_pillar >>~/sosetup.log 2>&1
+ echo -e "XXX\n30\nAccepting Salt Keys... \nXXX"
+ # Do a checkin to push the key up
+ echo "** Pushing the key up to Master **" >>~/sosetup.log
+ salt_firstcheckin >>~/sosetup.log 2>&1
+ # Accept the Master Key
+ echo "** Accepting the key on the master **" >>~/sosetup.log
+ accept_salt_key_local >>~/sosetup.log 2>&1
+ echo -e "XXX\n35\nConfiguring Firewall... \nXXX"
+ # Open the firewall
+ echo "** Setting the initial firewall policy **" >>~/sosetup.log
+ set_initial_firewall_policy >>~/sosetup.log 2>&1
+ # Do the big checkin but first let them know it will take a bit.
+ echo -e "XXX\n40\nGenerating CA... \nXXX"
+ salt_checkin >>~/sosetup.log 2>&1
+ salt-call state.apply ca >>~/sosetup.log 2>&1
+ salt-call state.apply ssl >>~/sosetup.log 2>&1
+ echo -e "XXX\n43\nInstalling Common Components... \nXXX"
+ salt-call state.apply common >>~/sosetup.log 2>&1
+ echo -e "XXX\n45\nApplying firewall rules... \nXXX"
+ salt-call state.apply firewall >>~/sosetup.log 2>&1
+ salt-call state.apply master >>~/sosetup.log 2>&1
+ salt-call state.apply idstools >>~/sosetup.log 2>&1
+ echo -e "XXX\n40\nInstalling Redis... \nXXX"
+ salt-call state.apply redis >>~/sosetup.log 2>&1
+ if [[ $OSQUERY == '1' ]]; then
+ echo -e "XXX\n41\nInstalling MySQL... \nXXX"
+ salt-call state.apply mysql >>~/sosetup.log 2>&1
+ fi
+ echo -e "XXX\n45\nInstalling Elastic Components... \nXXX"
+ salt-call state.apply elasticsearch >>~/sosetup.log 2>&1
+ salt-call state.apply logstash >>~/sosetup.log 2>&1
+ salt-call state.apply kibana >>~/sosetup.log 2>&1
+ salt-call state.apply elastalert >>~/sosetup.log 2>&1
+ if [[ $WAZUH == '1' ]]; then
+ echo -e "XXX\n68\nInstalling Wazuh... \nXXX"
+ salt-call state.apply wazuh >>~/sosetup.log 2>&1
+ fi
+ echo -e "XXX\n75\nInstalling Filebeat... \nXXX"
+ salt-call state.apply filebeat >>~/sosetup.log 2>&1
+ salt-call state.apply utility >>~/sosetup.log 2>&1
+ salt-call state.apply schedule >>~/sosetup.log 2>&1
+ if [[ $OSQUERY == '1' ]]; then
+ echo -e "XXX\n79\nInstalling Fleet... \nXXX"
+ salt-call state.apply fleet >>~/sosetup.log 2>&1
+ salt-call state.apply launcher >>~/sosetup.log 2>&1
+ fi
+ echo -e "XXX\n85\nConfiguring SOctopus... \nXXX"
+ salt-call state.apply soctopus >>~/sosetup.log 2>&1
+ if [[ $THEHIVE == '1' ]]; then
+ echo -e "XXX\n87\nInstalling TheHive... \nXXX"
+ salt-call state.apply hive >>~/sosetup.log 2>&1
+ fi
+ echo -e "XXX\n75\nEnabling Checking at Boot... \nXXX"
+ checkin_at_boot >>~/sosetup.log 2>&1
+ echo -e "XXX\n95\nVerifying Install... \nXXX"
+ salt-call state.highstate >>~/sosetup.log 2>&1
- # Configure the Minion
- echo " ** Configuring Minion **"
- configure_minion master >>~/sosetup.log 2>&1
-
- # Install the salt master
- echo " ** Installing Salt Master **"
- install_master >>~/sosetup.log 2>&1
-
- # Copy the data over
- salt_master_directories >>~/sosetup.log 2>&1
-
- # Update sudoers file to allow keys and firewalls to be changed
- update_sudoers
-
- # Change perms on the master dir
- chown_salt_master
-
- # Determine the ES Heap Size
- es_heapsize
-
- # Determine the Logstash Heap Size
- ls_heapsize
-
- # Set the static values
- master_static
-
- echo "** Generating the master pillar **"
- master_pillar
-
- # Do a checkin to push the key up
- echo "** Pushing the key up to Master **"
- salt_firstcheckin >>~/sosetup.log 2>&1
-
- # Accept the Master Key
- echo "** Accepting the key on the master **"
- accept_salt_key_local
-
- # Open the firewall
- echo "** Setting the initial firewall policy **"
- set_initial_firewall_policy
-
- # Do the big checkin but first let them know it will take a bit.
- salt_checkin_message
- salt_checkin
-
- # Enable salt to run a checking when the service starts
- checkin_at_boot
-
- # We are done!
- whiptail_setup_complete
+ } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
+ GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
+ if [[ $GOODSETUP == '0' ]]; then
+ whiptail_setup_complete
+ else
+ whiptail_setup_failed
+ fi
 fi
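Review bot: Success in the master path is decided by `GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')`, which inspects only the last ten lines of the log — i.e. the final `state.highstate` summary — and parses Salt's human-readable output; any earlier `state.apply` failure that the highstate does not reproduce, a change in the summary format, or a second line containing `Failed` inside that window gives a wrong verdict. The log is also written as `~/sosetup.log` but read as `/root/sosetup.log`, which only agree while `$HOME` is `/root`. Because the brace group is the first stage of the pipeline, bash exposes its exit status in `PIPESTATUS[0]` immediately after the `whiptail` command: make the last command `salt-call --retcode-passthrough state.highstate >>~/sosetup.log 2>&1`, then `GOODSETUP=${PIPESTATUS[0]}` on the line after the pipeline and test `[[ $GOODSETUP == 0 ]]`, which needs no log parsing. The explicit `state.apply ca` / `state.apply ssl` right after `salt_checkin` presumably repeat what `salt_checkin` already applied in its own hunk, and the gauge values go backwards (45 → 40, 87 → 75), which whiptail renders as the bar jumping back.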
@@ -1721,23 +1737,47 @@ if (whiptail_you_sure); then
 get_filesystem_root
 get_filesystem_nsm
 copy_ssh_key
- set_initial_firewall_policy
- create_bond
- sensor_pillar
- saltify
- docker_install
- configure_minion sensor
- copy_minion_pillar sensors
- salt_firstcheckin
- # Accept the Salt Key
- accept_salt_key_remote
- # Do the big checkin but first let them know it will take a bit.
- salt_checkin_message
- salt_checkin
- checkin_at_boot
-
- whiptail_setup_complete
-
+ {
+ sleep 0.5
+ echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
+ set_initial_firewall_policy >>~/sosetup.log 2>&1
+ echo -e "XXX\n3\nCreating Bond Interface... \nXXX"
+ create_bond >>~/sosetup.log 2>&1
+ echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX"
+ sensor_pillar >>~/sosetup.log 2>&1
+ echo -e "XXX\n5\nInstalling Salt Components... \nXXX"
+ saltify >>~/sosetup.log 2>&1
+ echo -e "XXX\n20\nInstalling Docker... \nXXX"
+ docker_install >>~/sosetup.log 2>&1
+ echo -e "XXX\n22\nConfiguring Salt Minion... \nXXX"
+ configure_minion sensor >>~/sosetup.log 2>&1
+ echo -e "XXX\n24\nCopying Sensor Pillar to Master... \nXXX"
+ copy_minion_pillar sensors >>~/sosetup.log 2>&1
+ echo -e "XXX\n25\nSending Salt Key to Master... \nXXX"
+ salt_firstcheckin >>~/sosetup.log 2>&1
+ echo -e "XXX\n26\nTelling the Master to Accept Key... \nXXX"
+ # Accept the Salt Key
+ accept_salt_key_remote >>~/sosetup.log 2>&1
+ echo -e "XXX\n27\nApplying SSL Certificates... \nXXX"
+ salt-call state.apply ca >>~/sosetup.log 2>&1
+ salt-call state.apply ssl >>~/sosetup.log 2>&1
+ echo -e "XXX\n35\nInstalling Core Components... \nXXX"
+ salt-call state.apply common >>~/sosetup.log 2>&1
+ salt-call state.apply firewall >>~/sosetup.log 2>&1
+ echo -e "XXX\n50\nInstalling PCAP... \nXXX"
+ salt-call state.apply pcap >>~/sosetup.log 2>&1
+ echo -e "XXX\n60\nInstalling IDS components... \nXXX"
+ salt-call state.apply suricata >>~/sosetup.log 2>&1
+ echo -e "XXX\n80\nVerifying Install... \nXXX"
+ salt-call state.highstate >>~/sosetup.log 2>&1
+ checkin_at_boot >>~/sosetup.log 2>&1
+ } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
+ GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
+ if [[ $GOODSETUP == '0' ]]; then
+ whiptail_setup_complete
+ else
+ whiptail_setup_failed
+ fi
 fi
 #######################
@@ -1756,15 +1796,8 @@ if (whiptail_you_sure); then
 # Snag the HOME_NET
 whiptail_homenet_master
-
- # Ask about advanced mode
- whiptail_eval_adv
- if [ $EVALADVANCED == 'ADVANCED' ]; then
- whiptail_eval_adv_warning
- whiptail_eval_adv_service_grafana
- whiptail_eval_adv_service_osquery
- whiptail_eval_adv_service_wazuh
- fi
+ whiptail_eval_adv_warning
+ whiptail_enable_components
 # Set a bunch of stuff since this is eval
 es_heapsize
@@ -1780,6 +1813,7 @@ if (whiptail_you_sure); then
 NIDS=Suricata
 BROVERSION=ZEEK
 CURCLOSEDAYS=30
+ process_components
 whiptail_make_changes
 #eval_mode_hostsfile
 generate_passwords
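Review bot: In the sensor path `checkin_at_boot >>~/sosetup.log 2>&1` runs after `salt-call state.highstate`, so whatever it appends to the log lands between the highstate summary and the `tail -10` window that the success check reads; if it emits more than a few lines (its body is outside this diff) the `Failed:` line is pushed out of the window, `GOODSETUP` comes back empty and a good install is reported as failed. Either move `checkin_at_boot` before the highstate, as the master path in this same diff orders it, or stop parsing the log: make `salt-call --retcode-passthrough state.highstate >>~/sosetup.log 2>&1` the group's last command and read `${PIPESTATUS[0]}` on the line after the `whiptail` pipeline. The old flow called `salt_checkin`, which also restarted the Salt services before applying `ssl`; the new flow applies `ca`/`ssl` directly, so confirm the sensor no longer needs that restart. The enclosing `if` block starts before this hunk.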
@@ -1795,29 +1829,107 @@ if (whiptail_you_sure); then
 echo "**** Please set a password for socore. You will use this password when setting up other Nodes/Sensors"
 echo ""
 add_socore_user_master
- create_bond
- saltify
- docker_install
- install_master
- # Copy the data over
- salt_master_directories
- update_sudoers
- # Change perms on the master dir
- chown_salt_master
- # Set the static values
- master_static
- echo "** Generating the master pillar **"
- master_pillar
- configure_minion eval
- set_node_type
- node_pillar
- set_initial_firewall_policy
- salt_firstcheckin
- accept_salt_key_local
- salt_checkin_message
- salt_checkin
- checkin_at_boot
- whiptail_setup_complete
+ {
+ sleep 0.5
+ echo -e "XXX\n0\nCreating Bond Interface... \nXXX"
+ create_bond >>~/sosetup.log 2>&1
+ echo -e "XXX\n1\nInstalling saltstack... \nXXX"
+ saltify >>~/sosetup.log 2>&1
+ echo -e "XXX\n3\nInstalling docker... \nXXX"
+ docker_install >>~/sosetup.log 2>&1
+ echo -e "XXX\n5\nInstalling master code... \nXXX"
+ install_master >>~/sosetup.log 2>&1
+ echo -e "XXX\n6\nCopying salt code... \nXXX"
+ salt_master_directories >>~/sosetup.log 2>&1
+ echo -e "XXX\n6\nupdating suduers... \nXXX"
+ update_sudoers >>~/sosetup.log 2>&1
+ echo -e "XXX\n7\nFixing some permissions... \nXXX"
+ chown_salt_master >>~/sosetup.log 2>&1
+ echo -e "XXX\n7\nCreating the static pillar... \nXXX"
+ # Set the static values
+ master_static >>~/sosetup.log 2>&1
+ echo -e "XXX\n7\nCreating the master pillar... \nXXX"
+ master_pillar >>~/sosetup.log 2>&1
+ echo -e "XXX\n7\nConfiguring minion... \nXXX"
+ configure_minion eval >>~/sosetup.log 2>&1
+ echo -e "XXX\n7\nSetting the node type to eval... \nXXX"
+ set_node_type >>~/sosetup.log 2>&1
+ echo -e "XXX\n7\nStorage node pillar... \nXXX"
+ node_pillar >>~/sosetup.log 2>&1
+ echo -e "XXX\n8\nCreating firewall policies... \nXXX"
+ set_initial_firewall_policy >>~/sosetup.log 2>&1
+ echo -e "XXX\n10\nRegistering agent... \nXXX"
+ salt_firstcheckin >>~/sosetup.log 2>&1
+ echo -e "XXX\n11\nAccepting Agent... \nXXX"
+ accept_salt_key_local >>~/sosetup.log 2>&1
+ echo -e "XXX\n12\nRunning the SSL states... \nXXX"
+ salt_checkin >>~/sosetup.log 2>&1
+ salt-call state.apply ca >>~/sosetup.log 2>&1
+ salt-call state.apply ssl >>~/sosetup.log 2>&1
+ echo -e "XXX\n15\nInstalling core components... \nXXX"
+ salt-call state.apply common >>~/sosetup.log 2>&1
+ echo -e "XXX\n18\nInitializing firewall rules... \nXXX"
+ salt-call state.apply firewall >>~/sosetup.log 2>&1
+ echo -e "XXX\n25\nInstalling master components... \nXXX"
+ salt-call state.apply master >>~/sosetup.log 2>&1
+ salt-call state.apply idstools >>~/sosetup.log 2>&1
+ if [[ $OSQUERY == '1' ]]; then
+ salt-call state.apply mysql >>~/sosetup.log 2>&1
+ fi
+ echo -e "XXX\n35\nInstalling ElasticSearch... \nXXX"
+ salt-call state.apply elasticsearch >>~/sosetup.log 2>&1
+ echo -e "XXX\n40\nInstalling Logstash... \nXXX"
+ salt-call state.apply logstash >>~/sosetup.log 2>&1
+ echo -e "XXX\n45\nInstalling ElasticSearch... \nXXX"
+ salt-call state.apply kibana >>~/sosetup.log 2>&1
+ echo -e "XXX\n50\nInstalling pcap... \nXXX"
+ salt-call state.apply pcap >>~/sosetup.log 2>&1
+ echo -e "XXX\n52\nInstalling Suricata... \nXXX"
+ salt-call state.apply suricata >>~/sosetup.log 2>&1
+ echo -e "XXX\n54\nInstalling Zeek... \nXXX"
+ salt-call state.apply bro >>~/sosetup.log 2>&1
+ echo -e "XXX\n56\nInstalling curator... \nXXX"
+ salt-call state.apply curator >>~/sosetup.log 2>&1
+ echo -e "XXX\n58\nInstalling elastalert... \nXXX"
+ salt-call state.apply elastalert >>~/sosetup.log 2>&1
+ if [[ $OSQUERY == '1' ]]; then
+ echo -e "XXX\n60\nInstalling fleet... \nXXX"
+ salt-call state.apply fleet >>~/sosetup.log 2>&1
+ salt-call state.apply redis >>~/sosetup.log 2>&1
+ fi
+ if [[ $WAZUH == '1' ]]; then
+ echo -e "XXX\n65\nInstalling Wazuh components... \nXXX"
+ salt-call state.apply wazuh >>~/sosetup.log 2>&1
+ fi
+ echo -e "XXX\n85\nInstalling filebeat... \nXXX"
+ salt-call state.apply filebeat >>~/sosetup.log 2>&1
+ salt-call state.apply utility >>~/sosetup.log 2>&1
+ echo -e "XXX\n95\nInstalling misc components... \nXXX"
+ salt-call state.apply schedule >>~/sosetup.log 2>&1
+ salt-call state.apply soctopus >>~/sosetup.log 2>&1
+ if [[ $THEHIVE == '1' ]]; then
+ salt-call state.apply hive >>~/sosetup.log 2>&1
+ fi
+ echo -e "XXX\n98\nSetting checkin to run on boot... \nXXX"
+ checkin_at_boot >>~/sosetup.log 2>&1
+ echo -e "XXX\n99\nVerifying Setup... \nXXX"
+ salt-call state.highstate >>~/sosetup.log 2>&1
+
+ } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
+ GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
+ if [ $OS == 'centos' ]; then
+ if [[ $GOODSETUP == '1' ]]; then
+ whiptail_setup_complete
+ else
+ whiptail_setup_failed
+ fi
+ else
+ if [[ $GOODSETUP == '0' ]]; then
+ whiptail_setup_complete
+ else
+ whiptail_setup_failed
+ fi
+ fi
 fi
 ###################
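Review bot: On CentOS the eval path treats `Failed: 1` as success and `Failed: 0` as failure (`if [[ $GOODSETUP == '1' ]]; then whiptail_setup_complete`), so a clean CentOS install is reported as broken and any single failing state — whichever one it is — is accepted, while Ubuntu requires zero. This looks like a workaround for one known-failing state on CentOS; if so, name it in a comment and match it explicitly in the log rather than trusting the count, and never treat zero failures as an error. Like the other install paths, the check also depends on the highstate summary being within the last ten lines of `/root/sosetup.log` while the log is written to `~/sosetup.log`; `salt-call --retcode-passthrough state.highstate` as the group's last command plus `${PIPESTATUS[0]}` after the `whiptail` pipeline yields an exit code without parsing. Minor: the `kibana` step is labelled `Installing ElasticSearch...`, and `redis` is only applied when `OSQUERY` is selected, unlike the master path which applies it unconditionally.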
@@ -1857,6 +1969,46 @@ if (whiptail_you_sure); then
 get_filesystem_root
 get_filesystem_nsm
 copy_ssh_key
+ {
+ sleep 0.5
+ echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
+ set_initial_firewall_policy >>~/sosetup.log 2>&1
+ echo -e "XXX\n5\nInstalling Salt Packages... \nXXX"
+ saltify >>~/sosetup.log 2>&1
+ echo -e "XXX\n20\nInstalling Docker... \nXXX"
+ docker_install >>~/sosetup.log 2>&1
+ echo -e "XXX\n30\nInitializing Minion... \nXXX"
+ configure_minion node >>~/sosetup.log 2>&1
+ set_node_type >>~/sosetup.log 2>&1
+ node_pillar >>~/sosetup.log 2>&1
+ copy_minion_pillar nodes >>~/sosetup.log 2>&1
+ echo -e "XXX\n35\nSending and Accepting Salt Key... \nXXX"
+ salt_firstcheckin >>~/sosetup.log 2>&1
+ # Accept the Salt Key
+ accept_salt_key_remote >>~/sosetup.log 2>&1
+ echo -e "XXX\n40\nApplying SSL Certificates... \nXXX"
+ salt-call state.apply ca >>~/sosetup.log 2>&1
+ salt-call state.apply ssl >>~/sosetup.log 2>&1
+ echo -e "XXX\n50\nConfiguring Firewall... \nXXX"
+ salt-call state.apply common >>~/sosetup.log 2>&1
+ salt-call state.apply firewall >>~/sosetup.log 2>&1
+ echo -e "XXX\n70\nInstalling Elastic Components... \nXXX"
+ salt-call state.apply logstash >>~/sosetup.log 2>&1
+ salt-call state.apply elasticsearch >>~/sosetup.log 2>&1
+ salt-call state.apply curator >>~/sosetup.log 2>&1
+ salt-call state.apply filebeat >>~/sosetup.log 2>&1
+ echo -e "XXX\n90\nVerifying Install... \nXXX"
+ salt-call state.highstate >>~/sosetup.log 2>&1
+ checkin_at_boot >>~/sosetup.log 2>&1
+
+ } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
+ GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
+ if [[ $GOODSETUP == '0' ]]; then
+ whiptail_setup_complete
+ else
+ whiptail_setup_failed
+ fi
+
 set_initial_firewall_policy
 saltify
 docker_install
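Review bot: The three trailing context lines — `set_initial_firewall_policy`, `saltify`, `docker_install` — are unchanged, so after the gauge finishes and `whiptail_setup_complete` returns, the node path runs the old unwrapped install sequence a second time, now with its output on the terminal (unless a hunk not shown here removes the rest of that sequence; these three lines at least survive). The old calls should be deleted in this hunk, the way the master, sensor and eval hunks in this diff remove theirs. As in the sensor path, `checkin_at_boot` runs after `salt-call state.highstate`, so its log output sits between the `Failed:` summary and the `tail -10` window the success check reads; move it before the highstate or switch to `--retcode-passthrough` plus `${PIPESTATUS[0]}` after the `whiptail` pipeline. The enclosing `if` block continues outside the hunk.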