Merge pull request #43 from TOoSmOotH/master

1.0.8
Mike Reeves
2019-05-07 09:49:15 -04:00
committed by GitHub
29 changed files with 785 additions and 227 deletions


@@ -1,6 +1,17 @@
# Security Onion Hybrid Hunter Tech Preview 1.0.7 ## Hybrid Hunter 1.0.8
### Changes: ### Changes:
- Suricata 4.1.4
- Eval and Master installs now ask which components you would like to install
- Fleet (osquery) now has it's own additional setup script. [See the docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Configuring-Osquery-with-Security-Onion)
- Fleet setup script now generates auto install packages for Windows, CentOS, and Ubuntu
- When Fleet setup is completed, all SO nodes will auto install the appropriate auto install package
- We now have a progress bar during install!
- The setup script will now tell you if it was successful
- Added Grafana plugin Pie Chart
- The Hive Docker moved to Centos 7 based container
=======
- Suricata 4.1.3 - Suricata 4.1.3
- Updated Influxdb to 1.7.5 - Updated Influxdb to 1.7.5
- Updated Telegraf to 1.10.1 - Updated Telegraf to 1.10.1
@@ -18,6 +29,7 @@
- Attempting to send a Bro event to The Hive that does not contain a source and destination IP (ex. Bro files, or X509) will result in an exception - a fix for this will be implemented in the next release. - Attempting to send a Bro event to The Hive that does not contain a source and destination IP (ex. Bro files, or X509) will result in an exception - a fix for this will be implemented in the next release.
- If attempting to pivot from Kibana, ensure that you can resolve the master via DNS -- otherwise, populate your local hosts file with an entry to point to the master. - If attempting to pivot from Kibana, ensure that you can resolve the master via DNS -- otherwise, populate your local hosts file with an entry to point to the master.
### Warnings and Disclaimers ### Warnings and Disclaimers
- This technology PREVIEW is PRE-ALPHA, BLEEDING EDGE, and TOTALLY UNSUPPORTED! - This technology PREVIEW is PRE-ALPHA, BLEEDING EDGE, and TOTALLY UNSUPPORTED!


@@ -11,6 +11,8 @@ MANINT=$6
ROOTFS=$7 ROOTFS=$7
NSM=$8 NSM=$8
MONINT=$9 MONINT=$9
#NODETYPE=$10
#HOTNAME=$11
echo "Seeing if this host is already in here. If so delete it" echo "Seeing if this host is already in here. If so delete it"
if grep -q $NAME "/opt/so/saltstack/pillar/data/$TYPE.sls"; then if grep -q $NAME "/opt/so/saltstack/pillar/data/$TYPE.sls"; then
@@ -49,3 +51,7 @@ if [ $TYPE == 'evaltab' ]; then
salt-call state.apply common queue=True salt-call state.apply common queue=True
salt-call state.apply utility queue=True salt-call state.apply utility queue=True
fi fi
#if [ $TYPE == 'nodestab' ]; then
# echo " nodetype: $NODETYPE" >> /opt/so/saltstack/pillar/data/$TYPE.sls
# echo " hotname: $HOTNAME" >> /opt/so/saltstack/pillar/data/$TYPE.sls
#fi
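Review bot: The commented-out `#NODETYPE=$10` and `#HOTNAME=$11` will not do what they intend if uncommented: in POSIX shell `$10` is `$1` followed by a literal `0`, so the tenth and eleventh positional parameters must be written `${10}` and `${11}`. The commented `nodestab` block at the end of the file depends on those two variables and would append empty values to the pillar. Either fix the braces now or drop the dead code until the feature lands, so a later copy-paste does not inherit the bug.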


@@ -90,8 +90,14 @@ localbrosync:
- group: 939 - group: 939
- template: jinja - template: jinja
so-communitybroimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-communitybro:HH1.0.3
so-bro: so-bro:
docker_container.running: docker_container.running:
- require:
- so-communitybroimage
- image: soshybridhunter/so-communitybro:HH1.0.3 - image: soshybridhunter/so-communitybro:HH1.0.3
- privileged: True - privileged: True
- binds: - binds:
@@ -117,8 +123,14 @@ localbrosync:
- group: 939 - group: 939
- template: jinja - template: jinja
so-broimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-bro:HH1.0.6
so-bro: so-bro:
docker_container.running: docker_container.running:
- require:
- so-broimage
- image: soshybridhunter/so-bro:HH1.0.6 - image: soshybridhunter/so-bro:HH1.0.6
- privileged: True - privileged: True
- binds: - binds:
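Review bot: `so-communitybroimage` and `so-broimage` use `cmd.run` to `docker pull`, which re-executes on every highstate, reports a change each run and re-fetches over the network even when the tag is already present locally. Since `--disable-content-trust=false` is what enforces signature verification on the pull (and `docker_image.present`, which goes through the API rather than the CLI, would as far as I know not keep that property), the simplest fix that stays idempotent is an `unless` guard, e.g. `- unless: docker image inspect soshybridhunter/so-communitybro:HH1.0.3`. The same `cmd.run` pattern recurs in this commit in the so-coreimage, so-telegrafimage, so-influximage, so-curatorimage, so-elastalertimage, so-elasticsearchimage, so-freqimage, so-domainstatsimage, so-filebeatimage, so-fleetimage, so-thehive-esimage, so-thehiveimage, so-idstoolsimage, so-kibanaimage, so-logstashimage, so-acngimage, so-mysqlimage, so-stenoimage, so-redisimage, so-soctopusimage, so-suricataimage and so-wazuhimage states.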


@@ -3110,7 +3110,7 @@
"timeFrom": null, "timeFrom": null,
"timeRegions": [], "timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "{{ SERVERNAME }} - Monitor Traffic", "title": "{{ SERVERNAME }} - Management Traffic",
"tooltip": { "tooltip": {
"msResolution": true, "msResolution": true,
"shared": true, "shared": true,
@@ -3862,7 +3862,7 @@
"condition": "AND", "condition": "AND",
"key": "interface", "key": "interface",
"operator": "=", "operator": "=",
"value": " {{ MANINT }}" "value": "{{ MONINT }}"
} }
] ]
}, },
@@ -3926,7 +3926,7 @@
"condition": "AND", "condition": "AND",
"key": "interface", "key": "interface",
"operator": "=", "operator": "=",
"value": "{{ MANINT }}" "value": "{{ MONINT }}"
} }
] ]
} }
@@ -3935,7 +3935,7 @@
"timeFrom": null, "timeFrom": null,
"timeRegions": [], "timeRegions": [],
"timeShift": null, "timeShift": null,
"title": "{{ SERVERNAME }} - Management Traffic", "title": "{{ SERVERNAME }} - Monitor Traffic",
"tooltip": { "tooltip": {
"msResolution": true, "msResolution": true,
"shared": true, "shared": true,
@@ -3984,10 +3984,10 @@
"fill": 1, "fill": 1,
"grid": {}, "grid": {},
"gridPos": { "gridPos": {
"h": 7, "h": 6,
"w": 8, "w": 8,
"x": 0, "x": 16,
"y": 29 "y": 15
}, },
"id": 15, "id": 15,
"legend": { "legend": {


@@ -101,9 +101,15 @@ nginxtmp:
- makedirs: True - makedirs: True
# Start the core docker # Start the core docker
so-coreimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-core:HH1.0.7
so-core: so-core:
docker_container.running: docker_container.running:
- image: soshybridhunter/so-core:HH1.0.7 - require:
- so-coreimage
- image: soshybridhunter/so-core:HH1.0.8
- hostname: so-core - hostname: so-core
- user: socore - user: socore
- binds: - binds:
@@ -114,7 +120,7 @@ so-core:
- /opt/so/tmp/nginx/:/run:rw - /opt/so/tmp/nginx/:/run:rw
- /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro - /etc/pki/masterssl.crt:/etc/pki/nginx/server.crt:ro
- /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro - /etc/pki/masterssl.key:/etc/pki/nginx/server.key:ro
- /opt/so/conf/fleet/packages:/opt/so/html/packages - /opt/so/conf/fleet/packages:/opt/socore/html/packages
- cap_add: NET_BIND_SERVICE - cap_add: NET_BIND_SERVICE
- port_bindings: - port_bindings:
- 80:80 - 80:80
@@ -155,8 +161,14 @@ tgrafconf:
- template: jinja - template: jinja
- source: salt://common/telegraf/etc/telegraf.conf - source: salt://common/telegraf/etc/telegraf.conf
so-telegrafimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-telegraf:HH1.0.7
so-telegraf: so-telegraf:
docker_container.running: docker_container.running:
- require:
- so-telegrafimage
- image: soshybridhunter/so-telegraf:HH1.0.7 - image: soshybridhunter/so-telegraf:HH1.0.7
- environment: - environment:
- HOST_PROC=/host/proc - HOST_PROC=/host/proc
@@ -210,8 +222,14 @@ influxdbconf:
- template: jinja - template: jinja
- source: salt://common/influxdb/etc/influxdb.conf - source: salt://common/influxdb/etc/influxdb.conf
so-influximage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-influxdb:HH1.0.7
so-influxdb: so-influxdb:
docker_container.running: docker_container.running:
- require:
- so-influximage
- image: soshybridhunter/so-influxdb:HH1.0.7 - image: soshybridhunter/so-influxdb:HH1.0.7
- hostname: influxdb - hostname: influxdb
- environment: - environment:
@@ -336,7 +354,7 @@ dashboard-{{ SN }}:
- defaults: - defaults:
SERVERNAME: {{ SN }} SERVERNAME: {{ SN }}
MANINT: {{ SNDATA.manint }} MANINT: {{ SNDATA.manint }}
MONINT: {{ SNDATA.manint }} MONINT: {{ SNDATA.monint }}
CPUS: {{ SNDATA.totalcpus }} CPUS: {{ SNDATA.totalcpus }}
UID: {{ SNDATA.guid }} UID: {{ SNDATA.guid }}
ROOTFS: {{ SNDATA.rootfs }} ROOTFS: {{ SNDATA.rootfs }}
@@ -357,7 +375,7 @@ dashboard-{{ SN }}:
- defaults: - defaults:
SERVERNAME: {{ SN }} SERVERNAME: {{ SN }}
MANINT: {{ SNDATA.manint }} MANINT: {{ SNDATA.manint }}
MONINT: {{ SNDATA.manint }} MONINT: {{ SNDATA.monint }}
CPUS: {{ SNDATA.totalcpus }} CPUS: {{ SNDATA.totalcpus }}
UID: {{ SNDATA.guid }} UID: {{ SNDATA.guid }}
ROOTFS: {{ SNDATA.rootfs }} ROOTFS: {{ SNDATA.rootfs }}
@@ -369,7 +387,7 @@ dashboard-{{ SN }}:
# Install the docker. This needs to be behind nginx at some point # Install the docker. This needs to be behind nginx at some point
so-grafana: so-grafana:
docker_container.running: docker_container.running:
- image: soshybridhunter/so-grafana:HH1.0.7 - image: soshybridhunter/so-grafana:HH1.0.8
- hostname: grafana - hostname: grafana
- user: socore - user: socore
- binds: - binds:
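Review bot: `so-coreimage` pulls `soshybridhunter/so-core:HH1.0.7` while the `so-core` container two states below now runs `soshybridhunter/so-core:HH1.0.8`, so the `require` guarantees nothing and the content-trust-verified pull fetches the wrong tag; the `- name:` line should read `docker pull --disable-content-trust=false soshybridhunter/so-core:HH1.0.8`. In the last hunk `so-grafana` is bumped to HH1.0.8 with no pull state visible, so that image will be fetched by `docker_container.running` without the content-trust flag the rest of this file now enforces. Adding a `so-grafanaimage` state and a matching `- require:` entry would keep the file consistent.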


@@ -112,9 +112,14 @@ curdel:
- month: '*' - month: '*'
- dayweek: '*' - dayweek: '*'
so-curatorimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-curator:HH1.0.3
so-curator: so-curator:
docker_container.running: docker_container.running:
- require:
- so-curatorimage
- image: soshybridhunter/so-curator:HH1.0.3 - image: soshybridhunter/so-curator:HH1.0.3
- hostname: curator - hostname: curator
- name: so-curator - name: so-curator


@@ -79,8 +79,14 @@ elastarules:
# - group: 939 # - group: 939
# - template: jinja # - template: jinja
so-elastalertimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-elastalert:HH1.0.3
so-elastalert: so-elastalert:
docker_container.running: docker_container.running:
- require:
- so-elastalertimage
- image: soshybridhunter/so-elastalert:HH1.0.3 - image: soshybridhunter/so-elastalert:HH1.0.3
- hostname: elastalert - hostname: elastalert
- name: so-elastalert - name: so-elastalert


@@ -90,8 +90,14 @@ eslogdir:
- group: 939 - group: 939
- makedirs: True - makedirs: True
so-elasticsearchimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-elasticsearch:HH1.0.6
so-elasticsearch: so-elasticsearch:
docker_container.running: docker_container.running:
- require:
- so-elasticsearchimage
- image: soshybridhunter/so-elasticsearch:HH1.0.6 - image: soshybridhunter/so-elasticsearch:HH1.0.6
- hostname: elasticsearch - hostname: elasticsearch
- name: so-elasticsearch - name: so-elasticsearch
@@ -143,8 +149,14 @@ freqlogdir:
- group: 935 - group: 935
- makedirs: True - makedirs: True
so-freqimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-freqserver:HH1.0.3
so-freq: so-freq:
docker_container.running: docker_container.running:
- require:
- so-freqimage
- image: soshybridhunter/so-freqserver:HH1.0.3 - image: soshybridhunter/so-freqserver:HH1.0.3
- hostname: freqserver - hostname: freqserver
- name: so-freqserver - name: so-freqserver
@@ -179,8 +191,14 @@ dstatslogdir:
- group: 939 - group: 939
- makedirs: True - makedirs: True
so-domainstatsimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-domainstats:HH1.0.3
so-domainstats: so-domainstats:
docker_container.running: docker_container.running:
- require:
- so-domainstatsimage
- image: soshybridhunter/so-domainstats:HH1.0.3 - image: soshybridhunter/so-domainstats:HH1.0.3
- hostname: domainstats - hostname: domainstats
- name: so-domainstats - name: so-domainstats


@@ -49,9 +49,14 @@ filebeatconfsync:
# - name: /opt/so/conf/filebeat/etc/pki/filebeat.key # - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
# - source: salt://filebeat/files/filebeat.key # - source: salt://filebeat/files/filebeat.key
so-filebeatimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-filebeat:HH1.0.6
so-filebeat: so-filebeat:
docker_container.running: docker_container.running:
- require:
- so-filebeatimage
- image: soshybridhunter/so-filebeat:HH1.0.6 - image: soshybridhunter/so-filebeat:HH1.0.6
- hostname: so-filebeat - hostname: so-filebeat
- user: root - user: root


@@ -217,6 +217,17 @@ enable_masternode_mysql_3306_{{ip}}:
- position: 1 - position: 1
- save: True - save: True
enable_master_osquery_8080_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 8080
- position: 1
- save: True
{% endfor %} {% endfor %}
# Make it so all the minions can talk to salt and update etc. # Make it so all the minions can talk to salt and update etc.
@@ -277,6 +288,17 @@ enable_minions_influxdb_8086_{{ip}}:
- position: 1 - position: 1
- save: True - save: True
enable_minion_osquery_8080_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 8080
- position: 1
- save: True
{% endfor %} {% endfor %}
# Allow Forward Nodes to send their beats traffic # Allow Forward Nodes to send their beats traffic
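Review bot: The new `enable_master_osquery_8080_{{ip}}` and `enable_minion_osquery_8080_{{ip}}` rules ACCEPT tcp/8080 for every listed ip unconditionally, whereas the fleet/launcher states that listen on that port are only applied when the `master:osquery` pillar is non-zero (see the top.sls hunks in this commit); if this file can read that pillar, wrapping both `iptables.insert` blocks in `{% if OSQUERY != 0 %} … {% endif %}` would keep the port closed when Fleet is disabled. The enclosing `{% for %}` loops start outside the hunks. Minor naming nit: the neighbouring ids use `enable_masternode_…` and `enable_minions_…`, while the new ones use `enable_master_…`/`enable_minion_…`.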


@@ -31,6 +31,16 @@ fleetlogdir:
- group: 939 - group: 939
- makedirs: True - makedirs: True
fleetsetupscript:
file.managed:
- name: /opt/so/conf/fleet/so-fleet-setup.sh
- source: salt://fleet/so-fleet-setup.sh
osquerypackageswebpage:
file.managed:
- name: /opt/so/conf/fleet/packages/index.html
- source: salt://fleet/osquery-packages.html
fleetdb: fleetdb:
mysql_database.present: mysql_database.present:
- name: fleet - name: fleet
@@ -49,8 +59,14 @@ fleetdbpriv:
- user: fleetdbuser - user: fleetdbuser
- host: 172.17.0.0/255.255.0.0 - host: 172.17.0.0/255.255.0.0
so-fleetimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-fleet:HH1.0.6
so-fleet: so-fleet:
docker_container.running: docker_container.running:
- require:
- so-fleetimage
- image: soshybridhunter/so-fleet:HH1.0.6 - image: soshybridhunter/so-fleet:HH1.0.6
- hostname: so-fleet - hostname: so-fleet
- port_bindings: - port_bindings:
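Review bot: `fleetsetupscript` deploys `so-fleet-setup.sh` with no `- mode:`, `- user:` or `- group:`, so the script lands with Salt's default file mode and is not directly executable; add `- mode: 755` (and the owner the other files in this state use) or document that it must be invoked via `bash`. `osquerypackageswebpage` writes `index.html` into `/opt/so/conf/fleet/packages/`, but nothing in this hunk creates that directory; `- makedirs: True` would make the state self-contained, and the setup script's bare `mkdir` of the same path (which fails if the directory already exists) would then need `-p`.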


@@ -0,0 +1,113 @@
<!DOCTYPE html>
<html lang="en">
<head>
<title>Security Onion - Hybrid Hunter</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="icon" type="image/png" href="favicon-32x32.png" sizes="32x32" />
<link rel="icon" type="image/png" href="favicon-16x16.png" sizes="16x16" />
<style>
* {
box-sizing: border-box;
font-family: Arial, Helvetica, sans-serif;
padding-left: 30px;
padding right: 30px;
}
body {
font-family: Arial, Helvetica, sans-serif;
background-color: #2a2a2a;
}
a {
color: #f2f2f2;
text-align: left;
padding: 0px;
}
/* Style the top navigation bar */
.topnav {
overflow: hidden;
background-color: #333;
width: 1080px;
}
/* Style the topnav links */
.topnav a {
float: left;
display: block;
color: #f2f2f2;
text-align: center;
padding: 14px 16px;
text-decoration: none;
}
/* Change color on hover */
.topnav a:hover {
background-color: #ddd;
color: black;
}
/* Style the content */
.content {
background-color: #2a2a2a;
padding: 10px;
padding-top: 20px;
padding-left: 60px;
color: #E3DBCC;
width: 1080px;
}
/* Style the footer */
.footer {
background-color: #2a2a2a;
padding: 60px;
color: #E3DBCC;
width: 1080px;
}
</style>
</head>
<body>
<div class="topnav">
<a href="/kibana/" target="_blank">Kibana</a>
<a href="/grafana/" target="_blank">Grafana</a>
<a href="/fleet/" target="_blank">Fleet</a>
<a href="/thehive/" target="_blank">TheHive</a>
<a href="/packages/" target="_blank">Osquery Binaries</a>
<a href="https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/FAQ" target="_blank">FAQ</a>
<a href="https://www.securityonionsolutions.com" target="_blank">Security Onion Solutions</a>
<a href="https://blog.securityonion.net" target="_blank">Blog</a>
</div>
<div class="content">
<p><center><h1>Osquery Packages</h1></center><br>
<h2>Notes</h2>
<ul>
<li>These packages are customized for this specific Fleet install and will only be generated after the Fleet setup script has been run. If you want vanilla osquery packages, you can get them directly from <a href="https://osquery.io/downloads">osquery.io</a></li>
<li>Packages are not signed.</li>
</ul>
<BR> <h2>Downloads</h2>
<ul>
Generated: N/A
<BR><BR>Packages:
<li><a href="/packages/launcher.msi" download="msi-launcher.msi">MSI (Windows)</a></li>
<li><a href="/packages/launcher.deb" download="deb-launcher.deb">DEB (Debian)</a></li>
<li><a href="/packages/launcher.rpm" download="rpm-launcher.rpm">RPM (RPM)</a></li>
<BR><BR>Config Files:
<li><a href="/packages/launcher.flags" download="launcher.flags.txt">RPM & DEB Flag File</a></li>
<li><a href="/packages/launcher-msi.flags" download="launcher-msi.flags.txt">MSI Flag File</a></li>
</ul>
<BR><h2>Known Issues</h2>
<ul>
<li>None</li>
</ul>
</p>
</div>
</body>
</html>
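Review bot: The `*` rule in the stylesheet has `padding right: 30px;`, which is not a valid property and is silently dropped; it should read `padding-right: 30px;`. The body wraps `<h1>`, `<h2>` and `<ul>` elements inside a single `<p>`, which browsers auto-close before the first block element, so the trailing `</p>` is stray; removing the `<p>`/`</p>` pair (and the deprecated `<center>`) gives the intended structure. The "Packages are not signed." note is a useful caveat to keep next to the download links.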


@@ -0,0 +1,49 @@
#so-fleet-setup.sh $MasterIP $FleetEmail
if [ ! "$(docker ps -q -f name=so-fleet)" ]; then
echo "so-fleet container not running... Exiting..."
exit 1
fi
initpw=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
docker exec so-fleet fleetctl config set --address https://$1:443 --tls-skip-verify
docker exec so-fleet fleetctl setup --email $2 --password $initpw
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/options.yaml
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml
docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/Windows/osquery.yaml
docker exec so-fleet fleetctl apply -f /packs/hh/hhdefault.yml
docker exec so-fleet /bin/sh -c 'for pack in /packs/palantir/Fleet/Endpoints/packs/*.yaml; do fleetctl apply -f "$pack"; done'
esecret=$(sudo docker exec so-fleet fleetctl get enroll-secret)
#Concat fleet.crt & ca.crt - this is required for launcher connectivity
cat /etc/pki/fleet.crt /etc/pki/ca.crt > /etc/pki/launcher.crt
#Create the output directory
mkdir /opt/so/conf/fleet/packages
docker run \
--mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \
--mount type=bind,source=/etc/pki/launcher.crt,target=/var/launcher/launcher.crt \
soshybridhunter/so-fleet-launcher:HH1.0.8 "$esecret" "$1":8080
cp /opt/so/conf/fleet/packages/launcher.* /opt/so/saltstack/salt/launcher/packages/
#Update timestamp on packages webpage
sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html
sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/saltstack/salt/fleet/osquery-packages.html
# Enable Fleet on all the other parts of the infrastructure
sed -i 's/fleetsetup: 0/fleetsetup: 1/g' /opt/so/saltstack/pillar/static.sls
# Install osquery locally
#if cat /etc/os-release | grep -q 'debian'; then
# dpkg -i /opt/so/conf/fleet/packages/launcher.deb
#else
# rpm -i /opt/so/conf/fleet/packages/launcher.rpm
#fi
echo "Installing launcher via salt"
salt-call state.apply launcher queue=True > /root/launcher.log
echo "Fleet Setup Complete - Login here: https://$1"
echo "Your username is $2 and your password is $initpw"
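Review bot: `initpw` is derived from `date +%s` piped through sha256sum and base64, so the initial Fleet admin password carries essentially no entropy beyond the install timestamp and is reproducible by anyone who can estimate when the script ran; generate it from the kernel CSPRNG instead, e.g. `initpw=$(tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 16)`, which is the same idiom so-setup already uses for `RANDOMUID`. The script has no shebang and no `set -e`, so a failed `fleetctl setup` or the un-guarded `mkdir /opt/so/conf/fleet/packages` (non-zero exit if the directory already exists, and fleet.sls now places `index.html` there) does not stop the run; `mkdir -p` plus a `#!/usr/bin/env bash` / `set -euo pipefail` header would close both gaps. The password and enroll secret are also passed as command-line arguments to `fleetctl` and `docker run`, where they are visible in the process list; if the bundled fleetctl can read them from stdin or the environment, that would be preferable, and `esecret=$(sudo docker exec …)` is the only `docker exec` here prefixed with `sudo`, which looks accidental.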


@@ -30,8 +30,14 @@ hiveesdata:
- user: 939 - user: 939
- group: 939 - group: 939
so-thehive-esimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-thehive-es:HH1.0.7
so-thehive-es: so-thehive-es:
docker_container.running: docker_container.running:
- require:
- so-thehive-esimage
- image: soshybridhunter/so-thehive-es:HH1.0.7 - image: soshybridhunter/so-thehive-es:HH1.0.7
- hostname: so-thehive-es - hostname: so-thehive-es
- name: so-thehive-es - name: so-thehive-es
@@ -60,16 +66,26 @@ so-thehive-es:
# Install Cortex # Install Cortex
so-cortex: #so-corteximage:
docker_container.running: # cmd.run:
- image: thehiveproject/cortex:latest # - name: docker pull --disable-content-trust=false soshybridhunter/so-cortex:HH1.0.3
- hostname: so-cortex
- name: so-cortex #so-cortex:
- port_bindings: # docker_container.running:
- 0.0.0.0:9001:9001 # - image: thehiveproject/cortex:latest
# - hostname: so-cortex
# - name: so-cortex
# - port_bindings:
# - 0.0.0.0:9001:9001
so-thehiveimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-thehive:HH1.0.7
so-thehive: so-thehive:
docker_container.running: docker_container.running:
- require:
- so-thehiveimage
- image: soshybridhunter/so-thehive:HH1.0.7 - image: soshybridhunter/so-thehive:HH1.0.7
- hostname: so-thehive - hostname: so-thehive
- name: so-thehive - name: so-thehive


@@ -48,11 +48,14 @@ ruleslink:
- name: /opt/so/saltstack/salt/suricata/rules - name: /opt/so/saltstack/salt/suricata/rules
- target: /opt/so/rules/nids - target: /opt/so/rules/nids
toosmooth/so-idstools:test2: so-idstoolsimage:
docker_image.present cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-idstools:HH1.0.3
so-idstools: so-idstools:
docker_container.running: docker_container.running:
- require:
- so-idstoolsimage
- image: soshybridhunter/so-idstools:HH1.0.3 - image: soshybridhunter/so-idstools:HH1.0.3
- hostname: so-idstools - hostname: so-idstools
- user: socore - user: socore


@@ -54,9 +54,15 @@ synckibanacustom:
# File.Recurse for custom saved dashboards # File.Recurse for custom saved dashboards
so-kibanaimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-kibana:HH1.0.7
# Start the kibana docker # Start the kibana docker
so-kibana: so-kibana:
docker_container.running: docker_container.running:
- require:
- so-kibanaimage
- image: soshybridhunter/so-kibana:HH1.0.7 - image: soshybridhunter/so-kibana:HH1.0.7
- hostname: kibana - hostname: kibana
- user: kibana - user: kibana

salt/launcher/init.sls Normal file

@@ -0,0 +1,12 @@
{%- set FLEETSETUP = salt['pillar.get']('static:fleetsetup', '0') -%}
{%- if FLEETSETUP != 0 %}
launcherpkg:
pkg.installed:
- sources:
{% if grains['os'] == 'CentOS' %}
- launcher-final: salt://launcher/packages/launcher.rpm
{% elif grains['os'] == 'Ubuntu' %}
- launcher-final: salt://launcher/packages/launcher.deb
{% endif %}
{%- endif %}
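Review bot: `FLEETSETUP` defaults to the string `'0'` but is compared with the integer `0`, and in Jinja `'0' != 0` is true, so on any minion whose pillar lacks `static:fleetsetup` the `launcherpkg` state is rendered and `pkg.installed` fails because `salt://launcher/packages/launcher.rpm`/`.deb` do not exist until the Fleet setup script has produced them. Use a typed default, `{%- set FLEETSETUP = salt['pillar.get']('static:fleetsetup', 0) -%}`, or compare `FLEETSETUP|int != 0`. The newly added `GRAFANA` and `THEHIVE` variables in top.sls follow the same string-default pattern. Note that `pkg.installed` with `- sources:` is only idempotent if `launcher-final` matches the package name inside the .rpm/.deb metadata — worth confirming against the generated packages.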


@@ -0,0 +1 @@
Fleet Packages will be copied to this folder


@@ -146,9 +146,14 @@ lslogdir:
- makedirs: True - makedirs: True
# Add the container # Add the container
so-logstashimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-logstash:HH1.0.6
so-logstash: so-logstash:
docker_container.running: docker_container.running:
- require:
- so-logstashimage
- image: soshybridhunter/so-logstash:HH1.0.6 - image: soshybridhunter/so-logstash:HH1.0.6
- hostname: so-logstash - hostname: so-logstash
- name: so-logstash - name: so-logstash


@@ -46,9 +46,15 @@ acngcopyconf:
- name: /opt/so/conf/aptcacher-ng/etc/acng.conf - name: /opt/so/conf/aptcacher-ng/etc/acng.conf
- source: salt://master/files/acng/acng.conf - source: salt://master/files/acng/acng.conf
so-acngimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-acng:HH1.0.7
# Install the apt-cacher-ng container # Install the apt-cacher-ng container
so-aptcacherng: so-aptcacherng:
docker_container.running: docker_container.running:
- require:
- so-acngimage
- image: soshybridhunter/so-acng:HH1.0.7 - image: soshybridhunter/so-acng:HH1.0.7
- hostname: so-acng - hostname: so-acng
- port_bindings: - port_bindings:


@@ -48,8 +48,14 @@ mysqldatadir:
- group: 939 - group: 939
- makedirs: True - makedirs: True
so-mysqlimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-mysql:HH1.0.7
so-mysql: so-mysql:
docker_container.running: docker_container.running:
- require:
- so-mysqlimage
- image: soshybridhunter/so-mysql:HH1.0.7 - image: soshybridhunter/so-mysql:HH1.0.7
- hostname: so-mysql - hostname: so-mysql
- user: socore - user: socore


@@ -85,8 +85,14 @@ stenolog:
- group: 941 - group: 941
- makedirs: True - makedirs: True
so-stenoimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-steno:HH1.0.3
so-steno: so-steno:
docker_container.running: docker_container.running:
- require:
- so-stenoimage
- image: soshybridhunter/so-steno:HH1.0.3 - image: soshybridhunter/so-steno:HH1.0.3
- network_mode: host - network_mode: host
- privileged: True - privileged: True


@@ -47,8 +47,14 @@ redisconfsync:
toosmooth/so-redis:test2: toosmooth/so-redis:test2:
docker_image.present docker_image.present
so-redisimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-redis:HH1.0.7
so-redis: so-redis:
docker_container.running: docker_container.running:
- require:
- so-redisimage
- image: soshybridhunter/so-redis:HH1.0.7 - image: soshybridhunter/so-redis:HH1.0.7
- hostname: so-redis - hostname: so-redis
- user: socore - user: socore
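Review bot: The pre-existing `toosmooth/so-redis:test2: docker_image.present` state is left in place directly above the new `so-redisimage` pull, so this file still fetches a `test2` image from a personal Docker Hub namespace, without content trust, that nothing requires. The idstools hunk in this commit removed the equivalent `toosmooth/so-idstools:test2` entry; the same two lines should be dropped here so the only image source is the content-trusted `soshybridhunter/so-redis:HH1.0.7` pull.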


@@ -13,9 +13,15 @@ soctopussync:
- group: 939 - group: 939
- template: jinja - template: jinja
so-soctopusimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-soctopus:HH1.0.8
so-soctopus: so-soctopus:
docker_container.running: docker_container.running:
- image: soshybridhunter/so-soctopus:HH1.0.7 - require:
- so-soctopusimage
- image: soshybridhunter/so-soctopus:HH1.0.8
- hostname: soctopus - hostname: soctopus
- name: so-soctopus - name: so-soctopus
- binds: - binds:


@@ -1,4 +1,5 @@
{% set master = salt['grains.get']('master') %} {% set master = salt['grains.get']('master') %}
{%- set masterip = salt['pillar.get']('static:masterip', '') -%}
# Trust the CA # Trust the CA
@@ -109,6 +110,7 @@ fbcrtlink:
x509.certificate_managed: x509.certificate_managed:
- signing_private_key: /etc/pki/fleet.key - signing_private_key: /etc/pki/fleet.key
- CN: {{ master }} - CN: {{ master }}
- subjectAltName: DNS:{{ master }},IP:{{ masterip }}
- days_remaining: 0 - days_remaining: 0
- days_valid: 3650 - days_valid: 3650
- backup: True - backup: True
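Review bot: `masterip` defaults to an empty string, and the new `- subjectAltName: DNS:{{ master }},IP:{{ masterip }}` then renders as `IP:` with no value, which will make `x509.certificate_managed` fail (or emit an unparseable SAN) on any master whose pillar lacks `static:masterip`. Guard the IP entry, e.g. `- subjectAltName: DNS:{{ master }}{% if masterip %},IP:{{ masterip }}{% endif %}`. The enclosing certificate state starts outside the hunk.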


@@ -70,9 +70,15 @@ suriconfigsync:
- group: 940 - group: 940
- template: jinja - template: jinja
so-suricataimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-suricata:HH1.0.8
so-suricata: so-suricata:
docker_container.running: docker_container.running:
- image: soshybridhunter/so-suricata:HH1.0.7 - require:
- so-suricataimage
- image: soshybridhunter/so-suricata:HH1.0.8
- privileged: True - privileged: True
- environment: - environment:
- INTERFACE={{ interface }} - INTERFACE={{ interface }}


@@ -1,6 +1,8 @@
{%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') %} {%- set BROVER = salt['pillar.get']('static:broversion', 'COMMUNITY') -%}
{%- set OSQUERY = salt['pillar.get']('master:osquery', '0') %} {%- set OSQUERY = salt['pillar.get']('master:osquery', '0') -%}
{%- set WAZUH = salt['pillar.get']('master:wazuh', '0') %} {%- set WAZUH = salt['pillar.get']('master:wazuh', '0') -%}
{%- set GRAFANA = salt['pillar.get']('master:grafana', '0') -%}
{%- set THEHIVE = salt['pillar.get']('master:thehive', '0') -%}
base: base:
'G@role:so-sensor': 'G@role:so-sensor':
- ca - ca
@@ -14,6 +16,9 @@ base:
{%- endif %} {%- endif %}
- wazuh - wazuh
- filebeat - filebeat
{%- if OSQUERY != 0 %}
- launcher
{%- endif %}
- schedule - schedule
'G@role:so-eval': 'G@role:so-eval':
@@ -37,6 +42,7 @@ base:
{%- if OSQUERY != 0 %} {%- if OSQUERY != 0 %}
- fleet - fleet
- redis - redis
- launcher
{%- endif %} {%- endif %}
{%- if WAZUH != 0 %} {%- if WAZUH != 0 %}
- wazuh - wazuh
@@ -45,6 +51,9 @@ base:
- utility - utility
- schedule - schedule
- soctopus - soctopus
{%- if THEHIVE != 0 %}
- hive
{%- endif %}
'G@role:so-master': 'G@role:so-master':
@@ -55,17 +64,28 @@ base:
- master - master
- idstools - idstools
- redis - redis
{%- if OSQUERY != 0 %}
- mysql - mysql
{%- endif %}
- elasticsearch - elasticsearch
- logstash - logstash
- kibana - kibana
- elastalert - elastalert
{%- if WAZUH != 0 %}
- wazuh - wazuh
{%- endif %}
- filebeat - filebeat
- utility - utility
- schedule - schedule
{%- if OSQUERY != 0 %}
- fleet - fleet
- launcher
{%- endif %}
- soctopus - soctopus
{%- if THEHIVE != 0 %}
- hive
{%- endif %}
# Storage node logic # Storage node logic
@@ -74,6 +94,9 @@ base:
- common - common
- firewall - firewall
- logstash - logstash
{%- if OSQUERY != 0 %}
- launcher
{%- endif %}
- schedule - schedule
'G@role:so-node and I@node:node_type:hot': 'G@role:so-node and I@node:node_type:hot':
@@ -83,6 +106,9 @@ base:
- logstash - logstash
- elasticsearch - elasticsearch
- curator - curator
{%- if OSQUERY != 0 %}
- launcher
{%- endif %}
- schedule - schedule
'G@role:so-node and I@node:node_type:warm': 'G@role:so-node and I@node:node_type:warm':
@@ -90,6 +116,9 @@ base:
- common - common
- firewall - firewall
- elasticsearch - elasticsearch
{%- if OSQUERY != 0 %}
- launcher
{%- endif %}
- schedule - schedule
'G@role:so-node and I@node:node_type:storage': 'G@role:so-node and I@node:node_type:storage':
@@ -101,8 +130,13 @@ base:
- logstash - logstash
- elasticsearch - elasticsearch
- curator - curator
{%- if WAZUH != 0 %}
- wazuh - wazuh
{%- endif %}
- filebeat - filebeat
{%- if OSQUERY != 0 %}
- launcher
{%- endif %}
- schedule - schedule
'G@role:mastersensor': 'G@role:mastersensor':
@@ -110,4 +144,7 @@ base:
- firewall - firewall
- sensor - sensor
- master - master
{%- if OSQUERY != 0 %}
- launcher
{%- endif %}
- schedule - schedule
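Review bot: `GRAFANA` is set in the first hunk but never referenced in any of the visible hunks, so unless a part of the file outside these hunks uses it, it is an unused variable; either gate the grafana-related states on it or drop it. Both `GRAFANA` and `THEHIVE` inherit the `'0'` string default with an integer `!= 0` comparison, which evaluates true when the pillar key is absent, so `hive` would be included rather than excluded on an unconfigured master; `salt['pillar.get']('master:thehive', 0)` gives the intended default. The `- launcher` entries are gated on `OSQUERY` consistently across all roles, which is good.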


@@ -56,8 +56,14 @@ wazuhagentregister:
- mode: 755 - mode: 755
- template: jinja - template: jinja
so-wazuhimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-wazuh:HH1.0.7
so-wazuh: so-wazuh:
docker_container.running: docker_container.running:
- require:
- so-wazuhimage
- image: soshybridhunter/so-wazuh:HH1.0.7 - image: soshybridhunter/so-wazuh:HH1.0.7
- hostname: {{HOSTNAME}}-wazuh-manager - hostname: {{HOSTNAME}}-wazuh-manager
- name: so-wazuh - name: so-wazuh


@@ -24,19 +24,22 @@ LISTCORES=$(cat /proc/cpuinfo | grep processor | awk '{print $3 " \"" "core" "\"
RANDOMUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) RANDOMUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
NODE_ES_PORT="9200" NODE_ES_PORT="9200"
# Reset the Install Log
date -u >~/sosetup.log 2>&1
# End Global Variable Section # End Global Variable Section
# Functions # Functions
accept_salt_key_local() { accept_salt_key_local() {
echo "Accept the key locally on the master" >>~/sosetup.log 2>&1
# Accept the key locally on the master # Accept the key locally on the master
salt-key -ya $HOSTNAME salt-key -ya $HOSTNAME
} }
accept_salt_key_remote() { accept_salt_key_remote() {
echo "Accept the key remotely on the master" >>~/sosetup.log 2>&1
# Delete the key just in case. # Delete the key just in case.
ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $HOSTNAME -y ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $HOSTNAME -y
salt-call state.apply ca salt-call state.apply ca
@@ -45,6 +48,7 @@ accept_salt_key_remote() {
} }
add_master_hostfile() { add_master_hostfile() {
echo "Checking if I can resolve master. If not add to hosts file" >>~/sosetup.log 2>&1
# Pop up an input to get the IP address # Pop up an input to get the IP address
local MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \ local MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3) "Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3)
@@ -56,6 +60,7 @@ add_master_hostfile() {
} }
add_socore_user_master() { add_socore_user_master() {
echo "Add socore on the master" >>~/sosetup.log 2>&1
if [ $OS == 'centos' ]; then if [ $OS == 'centos' ]; then
local ADDUSER=adduser local ADDUSER=adduser
else else
@@ -70,7 +75,7 @@ add_socore_user_master() {
} }
add_socore_user_notmaster() { add_socore_user_notmaster() {
echo "Add socore user on non master" >>~/sosetup.log 2>&1
# Add socore user to the non master system. Probably not a bad idea to make system user # Add socore user to the non master system. Probably not a bad idea to make system user
groupadd --gid 939 socore groupadd --gid 939 socore
$ADDUSER --uid 939 --gid 939 --home-dir /opt/so --no-create-home socore $ADDUSER --uid 939 --gid 939 --home-dir /opt/so --no-create-home socore
@@ -81,7 +86,7 @@ add_socore_user_notmaster() {
auth_pillar(){ auth_pillar(){
if [ ! -f /opt/so/saltstack/pillar/auth.sls ]; then if [ ! -f /opt/so/saltstack/pillar/auth.sls ]; then
echo "Creating Auth Pillar" echo "Creating Auth Pillar" >>~/sosetup.log 2>&1
mkdir -p /opt/so/saltstack/pillar mkdir -p /opt/so/saltstack/pillar
echo "auth:" >> /opt/so/saltstack/pillar/auth.sls echo "auth:" >> /opt/so/saltstack/pillar/auth.sls
echo " mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/auth.sls echo " mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/auth.sls
@@ -92,6 +97,7 @@ auth_pillar(){
# Enable Bro Logs # Enable Bro Logs
bro_logs_enabled() { bro_logs_enabled() {
echo "Enabling Bro Logs" >>~/sosetup.log 2>&1
echo "brologs:" > pillar/brologs.sls echo "brologs:" > pillar/brologs.sls
echo " enabled:" >> pillar/brologs.sls echo " enabled:" >> pillar/brologs.sls
@@ -157,12 +163,13 @@ calculate_useable_cores() {
} }
checkin_at_boot() { checkin_at_boot() {
echo "Enabling checkin at boot" >>~/sosetup.log 2>&1
echo "startup_states: highstate" >> /etc/salt/minion echo "startup_states: highstate" >> /etc/salt/minion
} }
chown_salt_master() { chown_salt_master() {
# Chown the salt dirs on the master for socore echo "Chown the salt dirs on the master for socore" >>~/sosetup.log 2>&1
chown -R socore:socore /opt/so chown -R socore:socore /opt/so
} }
@@ -171,6 +178,7 @@ clear_master() {
# Clear out the old master public key in case this is a re-install. # Clear out the old master public key in case this is a re-install.
# This only happens if you re-install the master. # This only happens if you re-install the master.
if [ -f /etc/salt/pki/minion/minion_master.pub ]; then if [ -f /etc/salt/pki/minion/minion_master.pub ]; then
echo "Clearing old master key" >>~/sosetup.log 2>&1
rm /etc/salt/pki/minion/minion_master.pub rm /etc/salt/pki/minion/minion_master.pub
service salt-minion restart service salt-minion restart
fi fi
@@ -181,7 +189,7 @@ configure_minion() {
# You have to pass the TYPE to this function so it knows if its a master or not # You have to pass the TYPE to this function so it knows if its a master or not
local TYPE=$1 local TYPE=$1
echo "Configuring minion type as $TYPE" echo "Configuring minion type as $TYPE" >>~/sosetup.log 2>&1
touch /etc/salt/grains touch /etc/salt/grains
echo "role: so-$TYPE" > /etc/salt/grains echo "role: so-$TYPE" > /etc/salt/grains
if [ $TYPE == 'master' ] || [ $TYPE == 'eval' ]; then if [ $TYPE == 'master' ] || [ $TYPE == 'eval' ]; then
@@ -221,7 +229,7 @@ copy_minion_pillar() {
local TYPE=$1 local TYPE=$1
# Copy over the pillar # Copy over the pillar
echo "Copying the pillar over" echo "Copying the pillar over" >>~/sosetup.log 2>&1
scp -v -i /root/.ssh/so.key $TMP/$HOSTNAME.sls socore@$MSRV:/opt/so/saltstack/pillar/$TYPE/$HOSTNAME.sls scp -v -i /root/.ssh/so.key $TMP/$HOSTNAME.sls socore@$MSRV:/opt/so/saltstack/pillar/$TYPE/$HOSTNAME.sls
} }
@@ -240,7 +248,7 @@ copy_ssh_key() {
create_bond() { create_bond() {
# Create the bond interface # Create the bond interface
echo "Setting up Bond" echo "Setting up Bond" >>~/sosetup.log 2>&1
# Set the MTU # Set the MTU
if [ $NSMSETUP != 'ADVANCED' ]; then if [ $NSMSETUP != 'ADVANCED' ]; then
@@ -269,17 +277,17 @@ create_bond() {
echo "SLAVE=yes" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC echo "SLAVE=yes" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC
echo "MTU=$MTU" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC echo "MTU=$MTU" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC
done done
nmcli con reload nmcli con reload >>~/sosetup.log 2>&1
systemctl restart network systemctl restart network >>~/sosetup.log 2>&1
else else
# Need to add 17.04 support still # Need to add 17.04 support still
apt-get -y install ifenslave apt-get -y install ifenslave >>~/sosetup.log 2>&1
if ! grep -q bonding /etc/modules; then if ! grep -q bonding /etc/modules; then
echo "bonding" >> /etc/modules echo "bonding" >> /etc/modules
fi fi
modprobe bonding modprobe bonding >>~/sosetup.log 2>&1
local LBACK=$(awk '/auto lo/,/^$/' /etc/network/interfaces) local LBACK=$(awk '/auto lo/,/^$/' /etc/network/interfaces)
local MINT=$(awk "/auto $MNIC/,/^$/" /etc/network/interfaces) local MINT=$(awk "/auto $MNIC/,/^$/" /etc/network/interfaces)
@@ -311,7 +319,7 @@ create_bond() {
echo "iface $BNIC inet manual" >> /etc/network/interfaces.d/$BNIC echo "iface $BNIC inet manual" >> /etc/network/interfaces.d/$BNIC
echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/$BNIC echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/$BNIC
echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/$BNIC echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/$BNIC
echo " post-up ethtool -G \$IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/$BNIC echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/$BNIC
echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/$BNIC echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/$BNIC
echo " bond-master bond0" >> /etc/network/interfaces.d/$BNIC echo " bond-master bond0" >> /etc/network/interfaces.d/$BNIC
echo " mtu $MTU" >> /etc/network/interfaces.d/$BNIC echo " mtu $MTU" >> /etc/network/interfaces.d/$BNIC
@@ -327,7 +335,7 @@ create_bond() {
echo " mtu $MTU" >> /etc/network/interfaces.d/bond0 echo " mtu $MTU" >> /etc/network/interfaces.d/bond0
echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/bond0 echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/bond0
echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/bond0 echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/bond0
echo " post-up ethtool -G \$IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/bond0 echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/bond0
echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/bond0 echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/bond0
fi fi
@@ -336,14 +344,14 @@ create_bond() {
detect_os() { detect_os() {
# Detect Base OS # Detect Base OS
echo "Detecting Base OS" echo "Detecting Base OS" >>~/sosetup.log 2>&1
if [ -f /etc/redhat-release ]; then if [ -f /etc/redhat-release ]; then
OS=centos OS=centos
yum -y install bind-utils yum -y install bind-utils
elif [ -f /etc/os-release ]; then elif [ -f /etc/os-release ]; then
OS=ubuntu OS=ubuntu
else else
echo "We were unable to determine if you are using a supported OS." echo "We were unable to determine if you are using a supported OS." >>~/sosetup.log 2>&1
exit exit
fi fi
@@ -358,7 +366,7 @@ docker_install() {
yum -y update yum -y update
yum -y install docker-ce docker-python python-docker yum -y install docker-ce docker-python python-docker
docker_registry docker_registry
echo "Restarting Docker" echo "Restarting Docker" >>~/sosetup.log 2>&1
systemctl restart docker systemctl restart docker
systemctl enable docker systemctl enable docker
@@ -366,17 +374,17 @@ docker_install() {
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
apt-get update >>~/sosetup.log 2>&1 apt-get update >>~/sosetup.log 2>&1
apt-get -y install docker-ce >>~/sosetup.log 2>&1 apt-get -y install docker-ce >>~/sosetup.log 2>&1
docker_registry docker_registry >>~/sosetup.log 2>&1
echo "Restarting Docker" echo "Restarting Docker" >>~/sosetup.log 2>&1
systemctl restart docker systemctl restart docker >>~/sosetup.log 2>&1
else else
apt-key add $TMP/gpg/docker.pub apt-key add $TMP/gpg/docker.pub >>~/sosetup.log 2>&1
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >>~/sosetup.log 2>&1
apt-get update >>~/sosetup.log 2>&1 apt-get update >>~/sosetup.log 2>&1
apt-get -y install docker-ce >>~/sosetup.log 2>&1 apt-get -y install docker-ce >>~/sosetup.log 2>&1
docker_registry docker_registry >>~/sosetup.log 2>&1
echo "Restarting Docker" echo "Restarting Docker" >>~/sosetup.log 2>&1
systemctl restart docker systemctl restart docker >>~/sosetup.log 2>&1
fi fi
fi fi
@@ -384,13 +392,13 @@ docker_install() {
docker_registry() { docker_registry() {
echo "Setting up Docker Registry" echo "Setting up Docker Registry" >>~/sosetup.log 2>&1
mkdir -p /etc/docker mkdir -p /etc/docker >>~/sosetup.log 2>&1
# Make the host use the master docker registry # Make the host use the master docker registry
echo "{" > /etc/docker/daemon.json echo "{" > /etc/docker/daemon.json
echo " \"registry-mirrors\": [\"https://$MSRV:5000\"]" >> /etc/docker/daemon.json echo " \"registry-mirrors\": [\"https://$MSRV:5000\"]" >> /etc/docker/daemon.json
echo "}" >> /etc/docker/daemon.json echo "}" >> /etc/docker/daemon.json
echo "Docker Registry Setup - Complete" echo "Docker Registry Setup - Complete" >>~/sosetup.log 2>&1
} }
@@ -489,7 +497,7 @@ install_master() {
# Install the salt master package # Install the salt master package
if [ $OS == 'centos' ]; then if [ $OS == 'centos' ]; then
yum -y install wget salt-common salt-master yum -y install wget salt-common salt-master >>~/sosetup.log 2>&1
# Create a place for the keys for Ubuntu minions # Create a place for the keys for Ubuntu minions
mkdir -p /opt/so/gpg mkdir -p /opt/so/gpg
@@ -535,27 +543,6 @@ master_pillar() {
echo " ls_input_threads: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls echo " ls_input_threads: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " ls_batch_count: 125" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls echo " ls_batch_count: 125" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " mtu: 1500" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls echo " mtu: 1500" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
if [ $EVALADVANCED == 'ADVANCED' ]; then
if [ $EVALGRAFANA == '0' ]; then
echo " grafana: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
else
echo " grafana: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
fi
if [ $EVALOSQUERY == '0' ]; then
echo " osquery: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
else
echo " osquery: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
fi
if [ $EVALWAZUH == '0' ]; then
echo " wazuh: 1" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
else
echo " wazuh: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
fi
else
echo " grafana: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " osquery: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " wazuh: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
fi
else else
echo " freq: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls echo " freq: 0" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
@@ -574,7 +561,10 @@ master_pillar() {
echo " cur_close_days: $CURCLOSEDAYS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls echo " cur_close_days: $CURCLOSEDAYS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
#echo " mysqlpass: $MYSQLPASS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls #echo " mysqlpass: $MYSQLPASS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
#echo " fleetpass: $FLEETPASS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls #echo " fleetpass: $FLEETPASS" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " grafana: $GRAFANA" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " osquery: $OSQUERY" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " wazuh: $WAZUH" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo " thehive: $THEHIVE" >> /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
} }
master_static() { master_static() {
@@ -592,6 +582,7 @@ master_static() {
echo " hiveuser: hiveadmin" >> /opt/so/saltstack/pillar/static.sls echo " hiveuser: hiveadmin" >> /opt/so/saltstack/pillar/static.sls
echo " hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls echo " hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls
echo " hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls echo " hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls
echo " fleetsetup: 0" >> /opt/so/saltstack/pillar/static.sls
if [[ $MASTERUPDATES == 'MASTER' ]]; then if [[ $MASTERUPDATES == 'MASTER' ]]; then
echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls
else else
@@ -630,6 +621,20 @@ node_pillar() {
} }
process_components() {
CLEAN=${COMPONENTS//\"}
GRAFANA=0
OSQUERY=0
WAZUH=0
THEHIVE=0
IFS=$' '
for item in $(echo "$CLEAN"); do
let $item=1
done
unset IFS
}
saltify() { saltify() {
# Install updates and Salt # Install updates and Salt
@@ -863,25 +868,25 @@ salt_checkin() {
# Master State to Fix Mine Usage # Master State to Fix Mine Usage
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
echo "Building Certificate Authority" echo "Building Certificate Authority"
salt-call state.apply ca salt-call state.apply ca >>~/sosetup.log 2>&1
echo " *** Restarting Salt to fix any SSL errors. ***" echo " *** Restarting Salt to fix any SSL errors. ***"
service salt-master restart service salt-master restart >>~/sosetup.log 2>&1
sleep 5 sleep 5
service salt-minion restart service salt-minion restart >>~/sosetup.log 2>&1
sleep 15 sleep 15
echo " Applyng a mine hack " echo " Applyng a mine hack "
sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >>~/sosetup.log 2>&1
echo " Applying SSL state " echo " Applying SSL state "
salt-call state.apply ssl salt-call state.apply ssl >>~/sosetup.log 2>&1
echo "Still Working... Hang in there" echo "Still Working... Hang in there"
salt-call state.highstate #salt-call state.highstate
else else
# Run Checkin # Run Checkin
salt-call state.apply ca salt-call state.apply ca >>~/sosetup.log 2>&1
salt-call state.apply ssl salt-call state.apply ssl >>~/sosetup.log 2>&1
salt-call state.highstate #salt-call state.highstate >>~/sosetup.log 2>&1
fi fi
@@ -1145,6 +1150,14 @@ whiptail_cur_close_days() {
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
} }
whiptail_enable_components() {
COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \
"Select Components to install" 20 78 8 \
"GRAFANA" "Enable Grafana for system monitoring" ON \
"OSQUERY" "Enable Fleet with osquery" ON \
"WAZUH" "Enable Wazuh" ON \
"THEHIVE" "Enable TheHive" ON 3>&1 1>&2 2>&3 )
}
whiptail_eval_adv() { whiptail_eval_adv() {
EVALADVANCED=$(whiptail --title "Security Onion Setup" --radiolist \ EVALADVANCED=$(whiptail --title "Security Onion Setup" --radiolist \
@@ -1153,24 +1166,6 @@ whiptail_eval_adv() {
"ADVANCED" "Choose additional components to be installed" OFF 3>&1 1>&2 2>&3 ) "ADVANCED" "Choose additional components to be installed" OFF 3>&1 1>&2 2>&3 )
} }
whiptail_eval_adv_service_grafana() {
whiptail --title "Eval Advanced Setup" --yesno "Would you like to enable Grafana for detailed monitoring?" 8 78
local exitstatus=$?
EVALGRAFANA=$exitstatus
}
whiptail_eval_adv_service_osquery() {
whiptail --title "Eval Advanced Setup" --yesno "Would you like to enable OSquery for client monitoring?" 8 78
local exitstatus=$?
EVALOSQUERY=$exitstatus
}
whiptail_eval_adv_service_wazuh() {
whiptail --title "Eval Advanced Setup" --yesno "Would you like to enable Wazuh for client monitoring?" 8 78
local exitstatus=$?
EVALWAZUH=$exitstatus
}
whiptail_eval_adv_warning() { whiptail_eval_adv_warning() {
whiptail --title "Security Onion Setup" --msgbox "Please keep in mind the more services that you enable the more RAM that is required." 8 78 whiptail --title "Security Onion Setup" --msgbox "Please keep in mind the more services that you enable the more RAM that is required." 8 78
} }
@@ -1349,23 +1344,6 @@ whiptail_master_adv_service_brologs() {
"x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 ) "x509" "x.509 Logs" ON 3>&1 1>&2 2>&3 )
} }
whiptail_master_adv_service_grafana() {
echo "blah"
}
whiptail_master_adv_service_osquery() {
#MOSQ=$()
echo "blah"
}
whiptail_master_adv_service_wazuh() {
echo "blah"
}
whiptail_network_notice() { whiptail_network_notice() {
whiptail --title "Security Onion Setup" --yesno "Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. Hit YES to continue." 8 78 whiptail --title "Security Onion Setup" --yesno "Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. Hit YES to continue." 8 78
@@ -1484,6 +1462,14 @@ whiptail_setup_complete() {
} }
whiptail_setup_failed() {
whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see /root/sosetup.log for details" 8 78
install_cleanup
exit
}
whiptail_shard_count() { whiptail_shard_count() {
SHARDCOUNT=$(whiptail --title "Security Onion Setup" --inputbox \ SHARDCOUNT=$(whiptail --title "Security Onion Setup" --inputbox \
@@ -1602,6 +1588,8 @@ if (whiptail_you_sure); then
# Find out how to handle updates # Find out how to handle updates
whiptail_master_updates whiptail_master_updates
whiptail_enable_components
process_components
# Do Advacned Setup if they chose it # Do Advacned Setup if they chose it
if [ $MASTERADV == 'ADVANCED' ]; then if [ $MASTERADV == 'ADVANCED' ]; then
@@ -1609,9 +1597,6 @@ if (whiptail_you_sure); then
if [ $BROVERSION != 'SURICATA' ]; then if [ $BROVERSION != 'SURICATA' ]; then
whiptail_master_adv_service_brologs whiptail_master_adv_service_brologs
fi fi
whiptail_master_adv_service_osquery
whiptail_master_adv_service_grafana
whiptail_master_adv_service_wazuh
fi fi
# Last Chance to back out # Last Chance to back out
@@ -1635,60 +1620,91 @@ if (whiptail_you_sure); then
add_socore_user_master add_socore_user_master
# Install salt and dependencies # Install salt and dependencies
echo " ** Installing Salt and Dependencies **" {
sleep 0.5
echo -e "XXX\n0\nInstalling and configuring Salt... \nXXX"
echo " ** Installing Salt and Dependencies **" >>~/sosetup.log
saltify >>~/sosetup.log 2>&1 saltify >>~/sosetup.log 2>&1
docker_install echo -e "XXX\n5\nInstalling Docker... \nXXX"
docker_install >>~/sosetup.log 2>&1
# Configure the Minion echo -e "XXX\n10\nConfiguring Salt Master... \nXXX"
echo " ** Configuring Minion **" echo " ** Configuring Minion **" >>~/sosetup.log
configure_minion master >>~/sosetup.log 2>&1 configure_minion master >>~/sosetup.log 2>&1
echo " ** Installing Salt Master **" >>~/sosetup.log
# Install the salt master
echo " ** Installing Salt Master **"
install_master >>~/sosetup.log 2>&1 install_master >>~/sosetup.log 2>&1
# Copy the data over
salt_master_directories >>~/sosetup.log 2>&1 salt_master_directories >>~/sosetup.log 2>&1
update_sudoers >>~/sosetup.log 2>&1
# Update sudoers file to allow keys and firewalls to be changed chown_salt_master >>~/sosetup.log 2>&1
update_sudoers es_heapsize >>~/sosetup.log 2>&1
ls_heapsize >>~/sosetup.log 2>&1
# Change perms on the master dir echo -e "XXX\n25\nConfiguring Default Pillars... \nXXX"
chown_salt_master master_static >>~/sosetup.log 2>&1
echo "** Generating the master pillar **" >>~/sosetup.log
# Determine the ES Heap Size master_pillar >>~/sosetup.log 2>&1
es_heapsize echo -e "XXX\n30\nAccepting Salt Keys... \nXXX"
# Determine the Logstash Heap Size
ls_heapsize
# Set the static values
master_static
echo "** Generating the master pillar **"
master_pillar
# Do a checkin to push the key up # Do a checkin to push the key up
echo "** Pushing the key up to Master **" echo "** Pushing the key up to Master **" >>~/sosetup.log
salt_firstcheckin >>~/sosetup.log 2>&1 salt_firstcheckin >>~/sosetup.log 2>&1
# Accept the Master Key # Accept the Master Key
echo "** Accepting the key on the master **" echo "** Accepting the key on the master **" >>~/sosetup.log
accept_salt_key_local accept_salt_key_local >>~/sosetup.log 2>&1
echo -e "XXX\n35\nConfiguring Firewall... \nXXX"
# Open the firewall # Open the firewall
echo "** Setting the initial firewall policy **" echo "** Setting the initial firewall policy **" >>~/sosetup.log
set_initial_firewall_policy set_initial_firewall_policy >>~/sosetup.log 2>&1
# Do the big checkin but first let them know it will take a bit. # Do the big checkin but first let them know it will take a bit.
salt_checkin_message echo -e "XXX\n40\nGenerating CA... \nXXX"
salt_checkin salt_checkin >>~/sosetup.log 2>&1
salt-call state.apply ca >>~/sosetup.log 2>&1
salt-call state.apply ssl >>~/sosetup.log 2>&1
echo -e "XXX\n43\nInstalling Common Components... \nXXX"
salt-call state.apply common >>~/sosetup.log 2>&1
echo -e "XXX\n45\nApplying firewall rules... \nXXX"
salt-call state.apply firewall >>~/sosetup.log 2>&1
salt-call state.apply master >>~/sosetup.log 2>&1
salt-call state.apply idstools >>~/sosetup.log 2>&1
echo -e "XXX\n40\nInstalling Redis... \nXXX"
salt-call state.apply redis >>~/sosetup.log 2>&1
if [[ $OSQUERY == '1' ]]; then
echo -e "XXX\n41\nInstalling MySQL... \nXXX"
salt-call state.apply mysql >>~/sosetup.log 2>&1
fi
echo -e "XXX\n45\nInstalling Elastic Components... \nXXX"
salt-call state.apply elasticsearch >>~/sosetup.log 2>&1
salt-call state.apply logstash >>~/sosetup.log 2>&1
salt-call state.apply kibana >>~/sosetup.log 2>&1
salt-call state.apply elastalert >>~/sosetup.log 2>&1
if [[ $WAZUH == '1' ]]; then
echo -e "XXX\n68\nInstalling Wazuh... \nXXX"
salt-call state.apply wazuh >>~/sosetup.log 2>&1
fi
echo -e "XXX\n75\nInstalling Filebeat... \nXXX"
salt-call state.apply filebeat >>~/sosetup.log 2>&1
salt-call state.apply utility >>~/sosetup.log 2>&1
salt-call state.apply schedule >>~/sosetup.log 2>&1
if [[ $OSQUERY == '1' ]]; then
echo -e "XXX\n79\nInstalling Fleet... \nXXX"
salt-call state.apply fleet >>~/sosetup.log 2>&1
salt-call state.apply launcher >>~/sosetup.log 2>&1
fi
echo -e "XXX\n85\nConfiguring SOctopus... \nXXX"
salt-call state.apply soctopus >>~/sosetup.log 2>&1
if [[ $THEHIVE == '1' ]]; then
echo -e "XXX\n87\nInstalling TheHive... \nXXX"
salt-call state.apply hive >>~/sosetup.log 2>&1
fi
echo -e "XXX\n75\nEnabling Checking at Boot... \nXXX"
checkin_at_boot >>~/sosetup.log 2>&1
echo -e "XXX\n95\nVerifying Install... \nXXX"
salt-call state.highstate >>~/sosetup.log 2>&1
# Enable salt to run a checking when the service starts } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
checkin_at_boot GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
if [[ $GOODSETUP == '0' ]]; then
# We are done!
whiptail_setup_complete whiptail_setup_complete
else
whiptail_setup_failed
fi
fi fi
@@ -1721,23 +1737,47 @@ if (whiptail_you_sure); then
get_filesystem_root get_filesystem_root
get_filesystem_nsm get_filesystem_nsm
copy_ssh_key copy_ssh_key
set_initial_firewall_policy {
create_bond sleep 0.5
sensor_pillar echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
saltify set_initial_firewall_policy >>~/sosetup.log 2>&1
docker_install echo -e "XXX\n3\nCreating Bond Interface... \nXXX"
configure_minion sensor create_bond >>~/sosetup.log 2>&1
copy_minion_pillar sensors echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX"
salt_firstcheckin sensor_pillar >>~/sosetup.log 2>&1
echo -e "XXX\n5\nInstalling Salt Components... \nXXX"
saltify >>~/sosetup.log 2>&1
echo -e "XXX\n20\nInstalling Docker... \nXXX"
docker_install >>~/sosetup.log 2>&1
echo -e "XXX\n22\nConfiguring Salt Minion... \nXXX"
configure_minion sensor >>~/sosetup.log 2>&1
echo -e "XXX\n24\nCopying Sensor Pillar to Master... \nXXX"
copy_minion_pillar sensors >>~/sosetup.log 2>&1
echo -e "XXX\n25\nSending Salt Key to Master... \nXXX"
salt_firstcheckin >>~/sosetup.log 2>&1
echo -e "XXX\n26\nTelling the Master to Accept Key... \nXXX"
# Accept the Salt Key # Accept the Salt Key
accept_salt_key_remote accept_salt_key_remote >>~/sosetup.log 2>&1
# Do the big checkin but first let them know it will take a bit. echo -e "XXX\n27\nApplying SSL Certificates... \nXXX"
salt_checkin_message salt-call state.apply ca >>~/sosetup.log 2>&1
salt_checkin salt-call state.apply ssl >>~/sosetup.log 2>&1
checkin_at_boot echo -e "XXX\n35\nInstalling Core Components... \nXXX"
salt-call state.apply common >>~/sosetup.log 2>&1
salt-call state.apply firewall >>~/sosetup.log 2>&1
echo -e "XXX\n50\nInstalling PCAP... \nXXX"
salt-call state.apply pcap >>~/sosetup.log 2>&1
echo -e "XXX\n60\nInstalling IDS components... \nXXX"
salt-call state.apply suricata >>~/sosetup.log 2>&1
echo -e "XXX\n80\nVerifying Install... \nXXX"
salt-call state.highstate >>~/sosetup.log 2>&1
checkin_at_boot >>~/sosetup.log 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
if [[ $GOODSETUP == '0' ]]; then
whiptail_setup_complete whiptail_setup_complete
else
whiptail_setup_failed
fi
fi fi
####################### #######################
@@ -1756,15 +1796,8 @@ if (whiptail_you_sure); then
# Snag the HOME_NET # Snag the HOME_NET
whiptail_homenet_master whiptail_homenet_master
# Ask about advanced mode
whiptail_eval_adv
if [ $EVALADVANCED == 'ADVANCED' ]; then
whiptail_eval_adv_warning whiptail_eval_adv_warning
whiptail_eval_adv_service_grafana whiptail_enable_components
whiptail_eval_adv_service_osquery
whiptail_eval_adv_service_wazuh
fi
# Set a bunch of stuff since this is eval # Set a bunch of stuff since this is eval
es_heapsize es_heapsize
@@ -1780,6 +1813,7 @@ if (whiptail_you_sure); then
NIDS=Suricata NIDS=Suricata
BROVERSION=ZEEK BROVERSION=ZEEK
CURCLOSEDAYS=30 CURCLOSEDAYS=30
process_components
whiptail_make_changes whiptail_make_changes
#eval_mode_hostsfile #eval_mode_hostsfile
generate_passwords generate_passwords
@@ -1795,29 +1829,107 @@ if (whiptail_you_sure); then
echo "**** Please set a password for socore. You will use this password when setting up other Nodes/Sensors" echo "**** Please set a password for socore. You will use this password when setting up other Nodes/Sensors"
echo "" echo ""
add_socore_user_master add_socore_user_master
create_bond {
saltify sleep 0.5
docker_install echo -e "XXX\n0\nCreating Bond Interface... \nXXX"
install_master create_bond >>~/sosetup.log 2>&1
# Copy the data over echo -e "XXX\n1\nInstalling saltstack... \nXXX"
salt_master_directories saltify >>~/sosetup.log 2>&1
update_sudoers echo -e "XXX\n3\nInstalling docker... \nXXX"
# Change perms on the master dir docker_install >>~/sosetup.log 2>&1
chown_salt_master echo -e "XXX\n5\nInstalling master code... \nXXX"
install_master >>~/sosetup.log 2>&1
echo -e "XXX\n6\nCopying salt code... \nXXX"
salt_master_directories >>~/sosetup.log 2>&1
echo -e "XXX\n6\nupdating suduers... \nXXX"
update_sudoers >>~/sosetup.log 2>&1
echo -e "XXX\n7\nFixing some permissions... \nXXX"
chown_salt_master >>~/sosetup.log 2>&1
echo -e "XXX\n7\nCreating the static pillar... \nXXX"
# Set the static values # Set the static values
master_static master_static >>~/sosetup.log 2>&1
echo "** Generating the master pillar **" echo -e "XXX\n7\nCreating the master pillar... \nXXX"
master_pillar master_pillar >>~/sosetup.log 2>&1
configure_minion eval echo -e "XXX\n7\nConfiguring minion... \nXXX"
set_node_type configure_minion eval >>~/sosetup.log 2>&1
node_pillar echo -e "XXX\n7\nSetting the node type to eval... \nXXX"
set_initial_firewall_policy set_node_type >>~/sosetup.log 2>&1
salt_firstcheckin echo -e "XXX\n7\nStorage node pillar... \nXXX"
accept_salt_key_local node_pillar >>~/sosetup.log 2>&1
salt_checkin_message echo -e "XXX\n8\nCreating firewall policies... \nXXX"
salt_checkin set_initial_firewall_policy >>~/sosetup.log 2>&1
checkin_at_boot echo -e "XXX\n10\nRegistering agent... \nXXX"
salt_firstcheckin >>~/sosetup.log 2>&1
echo -e "XXX\n11\nAccepting Agent... \nXXX"
accept_salt_key_local >>~/sosetup.log 2>&1
echo -e "XXX\n12\nRunning the SSL states... \nXXX"
salt_checkin >>~/sosetup.log 2>&1
salt-call state.apply ca >>~/sosetup.log 2>&1
salt-call state.apply ssl >>~/sosetup.log 2>&1
echo -e "XXX\n15\nInstalling core components... \nXXX"
salt-call state.apply common >>~/sosetup.log 2>&1
echo -e "XXX\n18\nInitializing firewall rules... \nXXX"
salt-call state.apply firewall >>~/sosetup.log 2>&1
echo -e "XXX\n25\nInstalling master components... \nXXX"
salt-call state.apply master >>~/sosetup.log 2>&1
salt-call state.apply idstools >>~/sosetup.log 2>&1
if [[ $OSQUERY == '1' ]]; then
salt-call state.apply mysql >>~/sosetup.log 2>&1
fi
echo -e "XXX\n35\nInstalling ElasticSearch... \nXXX"
salt-call state.apply elasticsearch >>~/sosetup.log 2>&1
echo -e "XXX\n40\nInstalling Logstash... \nXXX"
salt-call state.apply logstash >>~/sosetup.log 2>&1
echo -e "XXX\n45\nInstalling ElasticSearch... \nXXX"
salt-call state.apply kibana >>~/sosetup.log 2>&1
echo -e "XXX\n50\nInstalling pcap... \nXXX"
salt-call state.apply pcap >>~/sosetup.log 2>&1
echo -e "XXX\n52\nInstalling Suricata... \nXXX"
salt-call state.apply suricata >>~/sosetup.log 2>&1
echo -e "XXX\n54\nInstalling Zeek... \nXXX"
salt-call state.apply bro >>~/sosetup.log 2>&1
echo -e "XXX\n56\nInstalling curator... \nXXX"
salt-call state.apply curator >>~/sosetup.log 2>&1
echo -e "XXX\n58\nInstalling elastalert... \nXXX"
salt-call state.apply elastalert >>~/sosetup.log 2>&1
if [[ $OSQUERY == '1' ]]; then
echo -e "XXX\n60\nInstalling fleet... \nXXX"
salt-call state.apply fleet >>~/sosetup.log 2>&1
salt-call state.apply redis >>~/sosetup.log 2>&1
fi
if [[ $WAZUH == '1' ]]; then
echo -e "XXX\n65\nInstalling Wazuh components... \nXXX"
salt-call state.apply wazuh >>~/sosetup.log 2>&1
fi
echo -e "XXX\n85\nInstalling filebeat... \nXXX"
salt-call state.apply filebeat >>~/sosetup.log 2>&1
salt-call state.apply utility >>~/sosetup.log 2>&1
echo -e "XXX\n95\nInstalling misc components... \nXXX"
salt-call state.apply schedule >>~/sosetup.log 2>&1
salt-call state.apply soctopus >>~/sosetup.log 2>&1
if [[ $THEHIVE == '1' ]]; then
salt-call state.apply hive >>~/sosetup.log 2>&1
fi
echo -e "XXX\n98\nSetting checkin to run on boot... \nXXX"
checkin_at_boot >>~/sosetup.log 2>&1
echo -e "XXX\n99\nVerifying Setup... \nXXX"
salt-call state.highstate >>~/sosetup.log 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
if [ $OS == 'centos' ]; then
if [[ $GOODSETUP == '1' ]]; then
whiptail_setup_complete whiptail_setup_complete
else
whiptail_setup_failed
fi
else
if [[ $GOODSETUP == '0' ]]; then
whiptail_setup_complete
else
whiptail_setup_failed
fi
fi
fi fi
################### ###################
@@ -1857,6 +1969,46 @@ if (whiptail_you_sure); then
get_filesystem_root get_filesystem_root
get_filesystem_nsm get_filesystem_nsm
copy_ssh_key copy_ssh_key
{
sleep 0.5
echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
set_initial_firewall_policy >>~/sosetup.log 2>&1
echo -e "XXX\n5\nInstalling Salt Packages... \nXXX"
saltify >>~/sosetup.log 2>&1
echo -e "XXX\n20\nInstalling Docker... \nXXX"
docker_install >>~/sosetup.log 2>&1
echo -e "XXX\n30\nInitializing Minion... \nXXX"
configure_minion node >>~/sosetup.log 2>&1
set_node_type >>~/sosetup.log 2>&1
node_pillar >>~/sosetup.log 2>&1
copy_minion_pillar nodes >>~/sosetup.log 2>&1
echo -e "XXX\n35\nSending and Accepting Salt Key... \nXXX"
salt_firstcheckin >>~/sosetup.log 2>&1
# Accept the Salt Key
accept_salt_key_remote >>~/sosetup.log 2>&1
echo -e "XXX\n40\nApplying SSL Certificates... \nXXX"
salt-call state.apply ca >>~/sosetup.log 2>&1
salt-call state.apply ssl >>~/sosetup.log 2>&1
echo -e "XXX\n50\nConfiguring Firewall... \nXXX"
salt-call state.apply common >>~/sosetup.log 2>&1
salt-call state.apply firewall >>~/sosetup.log 2>&1
echo -e "XXX\n70\nInstalling Elastic Components... \nXXX"
salt-call state.apply logstash >>~/sosetup.log 2>&1
salt-call state.apply elasticsearch >>~/sosetup.log 2>&1
salt-call state.apply curator >>~/sosetup.log 2>&1
salt-call state.apply filebeat >>~/sosetup.log 2>&1
echo -e "XXX\n90\nVerifying Install... \nXXX"
salt-call state.highstate >>~/sosetup.log 2>&1
checkin_at_boot >>~/sosetup.log 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}')
if [[ $GOODSETUP == '0' ]]; then
whiptail_setup_complete
else
whiptail_setup_failed
fi
set_initial_firewall_policy set_initial_firewall_policy
saltify saltify
docker_install docker_install